TLP:GREEN · DISTRIBUTABLE · vault security · ops console v8.4
OPS / 01 · platform · architecture · Read-only
Platform · the four pillars

The infrastructure for security across every surface area.

Cloud, code, identity, SaaS, endpoint — held in one platform with a shared event bus and a shared evidence store. Read top-to-bottom; each pillar drills into its capability surface.

OPS / 02 · architecture · simplified · Read-only
  ┌─────────────────────────────────────────────────────────────────────┐
  │                     YOUR INFRASTRUCTURE                              │
  │   AWS · GCP · Azure · GitHub · Okta · Slack · Datadog · 180+ SaaS    │
  └────────┬─────────────────────────────────────────────────────┬──────┘
           │ event ingest (no agent on workload)                 │
           ▼                                                     ▼
  ┌───────────────────────────┐                    ┌────────────────────┐
  │   VAULT EVENT BUS          │  ◄─── threat ────┤   Threat intel       │
  │   ( 4M events / sec p95 )  │       intel       │   40+ feeds          │
  └────────┬───────────────────┘                    └────────────────────┘
           │
           ▼
  ┌────────────────────────────────────────────────────────────────────┐
  │                    THE FOUR PILLARS                                  │
  │  ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌────────────────────┐  │
  │  │ Posture  │  │Detection │  │ Response │  │   Compliance       │  │
  │  └────┬─────┘  └────┬─────┘  └────┬─────┘  └──────────┬─────────┘  │
  │       └─────────────┴──────────────┴──────────────────┘             │
  │                            │                                         │
  │                            ▼                                         │
  │           ┌──────────────────────────────────┐                       │
  │           │   shared evidence store           │                       │
  │           │   ( immutable · time-stamped )    │                       │
  │           └────────────┬──────────────────────┘                       │
  └────────────────────────┼─────────────────────────────────────────────┘
                           ▼
                ┌─────────────────────────────┐
                │  YOUR SIEM · TICKET · SOAR   │
                │  Splunk · Jira · ServiceNow  │
                │  Datadog · Tines · Torq      │
                └──────────────────────────────┘

Vault sits between your infrastructure and your downstream tools. Events flow in from native cloud APIs (no agents on workloads); the four pillars share a single event bus and evidence store; outputs route to whichever SIEM, ticketing, or SOAR you already use.

OPS / 03 · pillar · posture · All clear
01
Posture

Continuous discovery, not annual scans.

CSPM + CIEM + SSPM + ASPM in one platform. Map every cloud asset, every SaaS app, every identity, every code repo to its owner, its blast radius, and its compliance footprint. Updated continuously, not on a quarterly cron.

| Capability | Notes |
| --- | --- |
| Cloud (AWS, GCP, Azure) | Real-time inventory · drift detection · IaC scan |
| Identity graph | All identities · all permissions · transitive paths |
| SaaS posture | 180+ SaaS apps · auto-discovered configurations |
| Application security | SCA + SAST + secrets · pre-merge + continuous |
| Asset attribution | Owner, business unit, criticality on every finding |

OPS / 04 · pillar · detection · Action req
02
Detection

Behavior-based, not signature-based.

ML baselining tuned to your environment. Bring your own Sigma rules. Threat intel from 40+ feeds. The output is a triage queue — median 6 alerts/day per analyst, p95 alert quality > 0.91.

| Capability | Notes |
| --- | --- |
| Behavior baselining | Per identity, per workload, per data flow |
| Sigma + Lacework rules | Bring your own; we ship 4,200+ |
| Threat intel | Mandiant, Recorded Future, abuse.ch + 38 more |
| Cloud detection | Native event ingestion · no agent on workloads |
| Triage queue | Auto-grouped, auto-deduped, auto-enriched |

OPS / 05 · pillar · response · Read-only
03
Response

Pre-approved playbooks. One-click contain.

Customer-controlled response. Pre-approved playbooks let an analyst with the right RBAC role isolate a host, revoke a credential, roll a key, or freeze a build pipeline — with full audit trail streamed to your SIEM.

| Capability | Notes |
| --- | --- |
| Playbook library | 80+ shipped · custom playbooks supported |
| One-click actions | Contain, revoke, roll, freeze, quarantine |
| Per-action RBAC | No shared admin · break-glass with approval |
| Audit log streaming | OTLP to Splunk, Datadog, Sumo, Elastic |
| SOAR integrations | Native Tines, Torq, Cortex XSOAR |

OPS / 06 · pillar · compliance · All clear
04
Compliance

Audit-ready every day.

Continuous control monitoring mapped to SOC 2, ISO 27001, PCI DSS, HIPAA, FedRAMP Moderate, DORA. Auditor read-only access is time-bounded and logged. Evidence is collected automatically.

| Capability | Notes |
| --- | --- |
| Frameworks shipped | 6 out-of-the-box; custom mappings supported |
| Evidence collection | Continuous, time-stamped, immutable |
| Auditor access | Read-only, time-bounded, fully logged |
| Findings → ticketing | Native Jira / ServiceNow integration |
| Reporting | Auditor-ready PDFs · CSV exports · API |

OPS / 07 · annex a · scope boundaries · Action req

Three things on every other security platform. Not on Vault.

Endpoint detection.

EDR is its own product category and CrowdStrike + SentinelOne are excellent at it. We integrate; we don't compete. Bring your existing EDR or pick one we recommend during scoping.

Network firewall.

Layer-3/4 firewalling sits in your cloud or hardware appliance. We see network telemetry, we don't replace the firewall. Native integrations with Palo Alto, Fortinet, Zscaler.

Vulnerability scanning at endpoint.

We do code-level + cloud-config scanning. For OS-level CVE scanning on every laptop, use Tenable, Qualys, or Rapid7. We pull their findings into the same view as ours.

OPS / 08 · next step · All clear

See it on your environment.

A 30-minute scoping call with a security engineer. We'll outline what coverage looks like in your stack and what the deployment plan is. No slide deck.
