Full Report
Tenable Cloud Security continues to expand the technical depth of our Tenable One exposure management platform. Our latest enhancements include unified multi-cloud exploration, high-fidelity network validation, and expanded entitlement visibility across infrastructure and identity providers.

## Key takeaways

- Graph-based multi-cloud exploration: We have leveraged our unified data model to provide deep visibility across all cloud environments. You can now explore cloud risks and resources with an advanced query builder, build and save queries, and switch to Graph view to instantly visualize complex asset relationships and blast radius.
- Outside-in network attack surface validation: A new external network scanner probes environments to confirm reachability, allowing teams to prioritize vulnerability mitigation based on verifiable external exposure.
- Comprehensive identity inventory: We have expanded our identity inventory to unify entitlement tracking across cloud platforms, including Microsoft Entra ID and Google Workspace. This allows teams to instantly pinpoint overprivileged roles and unused policies and enforce least privilege at scale.

## Explorer: Unified query and relationship mapping

Fragmentation of data across disconnected tools is a primary hurdle in multi-cloud security, often forcing teams to pivot between siloed views to find context. To address this, we have introduced Explorer, a unified interface for deep-dive analysis of resources and findings across your cloud estate. This capability moves beyond static views, allowing security teams to identify risk precisely by querying across objects using granular filters, logical operators, and relationship-based joins.

With Explorer, you can:

- Perform complex correlations: Use advanced query logic and joins to connect disparate data points, such as linking specific vulnerabilities to their underlying cloud identities, or identifying storage buckets that contain sensitive data and are used to train AI models.
- Streamline operations: Use saved query configurations to standardize repetitive auditing tasks and keep compliance reviews consistent.
- Visualize the blast radius: Use Graph view to map asset dependencies and see clearly how a vulnerability can propagate through your environment.

*Figure: Explorer unifies multi-cloud resources into a single interface, allowing teams to query complex asset relationships and instantly visualize the potential blast radius in Graph view.*

## Network security: High-fidelity exposure validation

To improve prioritization accuracy, we have enhanced Tenable's network scanner to perform outside-in probing of your cloud environments' attack surface. Rather than relying solely on static configuration analysis of publicly exposed cloud resources, which can produce false positives, the scanner conducts an external reachability analysis to confirm whether an endpoint is actually accessible from the internet. By validating real-world exposure, security teams can filter out noise and surface the small percentage of vulnerabilities that pose a genuine external threat.

To translate this validation into action, you can now filter exposed network endpoints by resource type (such as EC2 instances, S3 buckets, and databases), specific ports, host IPs, and other properties. This granularity makes it easier to isolate specific segments of your infrastructure and accelerate targeted remediation of your most critical external exposures.

*Figure: The Tenable network scanner actively verifies external reachability to confirm internet-exposed workloads.*

## IAM security: Expanded entitlement visibility and insight

Managing identity risk requires deep visibility into both cloud infrastructure and identity providers (IdPs). We have expanded our cloud infrastructure entitlement management (CIEM) capabilities to provide a comprehensive inventory of entitlements across AWS, Azure, GCP, Microsoft Entra ID, and Google Workspace. The Inventory view now displays all roles and identity-based policies, regardless of whether they are currently in use. This baseline is essential for identifying "ghost" identities and stale permissions that increase the attack surface.

Administrators can also define custom security policies for any role category, including categories not yet deployed in the environment. This establishes proactive governance and least-privilege guardrails that apply automatically as new resources are provisioned.

## Comprehensive posture: Public AMI scanning

Our AWS coverage now includes support for scanning public Amazon Machine Images (AMIs). This allows organizations to assess the security posture of vendor-provided and AWS-published images within their own environment. By analyzing these images for vulnerabilities and misconfigurations before they are integrated into production workloads, teams can reduce supply chain risk.

*Figure: Audit vendor- and AWS-published images in your posture assessments to mitigate supply chain risk.*

## Guided use cases: Solve real problems, fast

This month, we have added two high-impact use-case packages to help you build an exposure management foundation:

- Prioritize the cloud risk that matters most: Use AI-powered VPR and toxic combination analysis to cut through the noise, reducing remediation time by 80%. See a demo.
- Secure AI workloads: Discover and protect sensitive data powering AI workloads while continuously assessing the underlying AI infrastructure and configurations. Learn more by reading the solution overview.

## Advance your security maturity

Maturing a cloud security program requires a shift from managing individual findings to understanding functional resilience. By unifying visibility, validating network reachability, and auditing identity, organizations build the foundation to manage exposure at scale. Tenable Cloud Security is the pillar of the Tenable One exposure management platform that provides these CNAPP capabilities. Reflecting the real-world value delivered to users, Tenable was recently recognized as a 2025 Customers' Choice in the Gartner® Peer Insights™ 'Voice of the Customer': Cloud-Native Application Protection Platforms (CNAPPs).

## Frequently asked questions

**Which identity platforms are now included in the expanded inventory?** Coverage has expanded beyond the standard cloud providers to include Microsoft Entra ID and Google Workspace, providing visibility into the full "identity-to-data" path.

**What is the primary technical advantage of the Explorer Graph view?** It replaces isolated alerts with a visual map of asset relationships, helping teams see how a single vulnerability could affect adjacent resources.

**How does the network scanner differ from standard configuration checks?** It actively probes the environment from an external perspective to confirm service reachability, which assesses exposure more accurately than static configuration analysis alone.

**Why scan public AMIs?** Third-party images are often used as base layers for workloads; scanning them ensures they are audited for vulnerabilities in the context of your specific security requirements.

Learn more:

- What is CTEM?
- Tenable Cloud Security
- Identify and secure AI workloads demo

Gartner, Voice of the Customer for Cloud-Native Application Protection Platforms, 24 December 2025, by Peer Community Contributor.

Gartner and Peer Insights are trademarks of Gartner, Inc. and/or its affiliates. Gartner Peer Insights content consists of the opinions of individual end users based on their own experiences with the vendors listed on the platform, should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.
Analysis Summary
This summary analyzes the capabilities described in the article, focusing on the enhancement of the Tenable One exposure management platform regarding multi-cloud security, attack surface validation, and identity governance. Since the article describes features within a security platform designed to *detect and manage* risks rather than describing known malicious tools or malware, the analysis will focus on the **attack tools and techniques** the platform addresses or validates against.
# Tool/Technique: External Network Attack Surface Validation Scanner
## Overview
A component integrated into the Tenable platform that actively probes cloud environments from an external perspective to confirm the actual internet reachability of exposed endpoints. Its purpose is to move beyond static configuration analysis to accurately validate the external attack surface and filter out false positives, ensuring vulnerability mitigation prioritizes genuinely exposed threats.
## Technical Details
- Type: Defensive tooling (external attack-surface validation; not an attack tool, although it takes the attacker's outside-in vantage point)
- Platform: Cloud environments (AWS, Azure, GCP), applied to internet-facing resources
- Capabilities: External reachability testing, verification of accessibility from the internet, filtering exposed endpoints by resource type, ports, and IPs.
- First Seen: Part of recent Tenable One enhancements.
## MITRE ATT&CK Mapping
This feature reproduces, from the defender's side, the reconnaissance an adversary performs before gaining initial access through an exposed service, so it maps to the techniques it helps pre-empt rather than techniques it uses against a target.
- **TA0043 - Reconnaissance**
- T1595 - Active Scanning (T1595.001 - Scanning IP Blocks, T1595.002 - Vulnerability Scanning)
- T1596.005 - Search Open Technical Databases: Scan Databases (the view an attacker gets from Shodan or Censys)
- **TA0001 - Initial Access**
- T1190 - Exploit Public-Facing Application
- T1133 - External Remote Services
## Functionality
### Core Capabilities
- **Outside-In Probing:** Conducts active scans from outside the environment to confirm if a resource is truly reachable via the internet.
- **Exposure Confirmation:** Validates reachability, contrasting with static analysis which may flag internal resources as exposed.
- **Granular Filtering:** Allows isolation of confirmed external exposures by port, host IP, and resource type (EC2 instances, S3 buckets, databases).
### Advanced Features
- **Noise Reduction:** Filters out vulnerabilities on resources whose configuration looks public (for example, a security group open to 0.0.0.0/0) but that are not actually reachable because another hop in the path, such as a missing public address or internet gateway route, blocks them, allowing teams to focus on genuine external threats.
- **Real-World Validation:** Translates static configuration findings into verified attack paths. One caveat a practitioner should keep in mind: reachability is a point-in-time result, so an endpoint that was unreachable at scan time can become exposed by a later routing or security-group change; the static finding still merits a fix, just at lower priority.
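The difference between a static "is it public?" check and whole-path reachability, as described above and in the report's network security section, as an added example. This is not Tenable's scanner or its code; the endpoint model, the inventory, the addresses (TEST-NET-3 documentation range) and the rules are constructed for the example, and the active probe is exercised only against a loopback listener so the block runs offline.

```python
"""Outside-in reachability vs. static 'is it public?' checks (constructed example)."""
import socket
import threading
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


@dataclass
class Endpoint:
    name: str
    kind: str                              # "ec2", "rds", ... (resource-type filter)
    port: int
    public_ip: Optional[str]               # None: no public address at all
    sg_ingress: List[Tuple[str, int]]      # (source CIDR, port) allow rules
    subnet_has_igw_route: bool             # is there a route to an internet gateway?
    nacl_allows: bool = True               # network ACL permits the port


def static_flags_public(ep: Endpoint) -> bool:
    """Naive configuration check: a security-group rule open to the world on this port.
    This alone is what produces false positives when the rest of the path is closed."""
    return any(cidr in (ANY_V4, ANY_V6) and p == ep.port for cidr, p in ep.sg_ingress)


def path_is_reachable(ep: Endpoint) -> bool:
    """Whole-path model: every hop from the internet to the service must permit it."""
    return (static_flags_public(ep)
            and ep.public_ip is not None
            and ep.subnet_has_igw_route
            and ep.nacl_allows)


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """Active outside-in check: True only if a TCP handshake actually completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def triage(inventory: List[Endpoint]) -> Tuple[List[str], List[str]]:
    """Split what the static check flags into confirmed exposures and noise."""
    confirmed, noise = [], []
    for ep in inventory:
        if static_flags_public(ep):
            (confirmed if path_is_reachable(ep) else noise).append(ep.name)
    return confirmed, noise


# Constructed inventory: names, addresses and rules are invented for this example.
INVENTORY = [
    Endpoint("web-1", "ec2", 443, "203.0.113.10", [(ANY_V4, 443)], True),
    Endpoint("db-1", "rds", 5432, None, [(ANY_V4, 5432)], False),           # SG wide open, but private
    Endpoint("jump-1", "ec2", 22, "203.0.113.22", [(ANY_V4, 22)], False),   # public IP, no IGW route
    Endpoint("app-2", "ec2", 8080, "203.0.113.30", [("10.0.0.0/8", 8080)], True),
]


def demo_probe() -> Tuple[bool, bool]:
    """Exercise probe_tcp offline: one listening loopback port, one port with no listener."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    acceptor = threading.Thread(target=lambda: listener.accept()[0].close(), daemon=True)
    acceptor.start()
    hit = probe_tcp("127.0.0.1", open_port, 1.0)
    acceptor.join(1.0)
    listener.close()
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                          # released, so nothing accepts on it now
    miss = probe_tcp("127.0.0.1", closed_port, 1.0)
    return hit, miss


if __name__ == "__main__":
    print("confirmed / noise:", triage(INVENTORY))   # (['web-1'], ['db-1', 'jump-1'])
    print("probe hit / miss:", demo_probe())         # (True, False)
```

`db-1` and `jump-1` are the classic false positives: the security group is world-open, so a configuration-only check flags them, but there is no public address (or no internet gateway route) on the path, so nothing outside can complete a handshake. In a real environment the path model would be replaced by the probe itself, run from outside the VPC against the public addresses; the point of keeping both here is to show why the two disagree.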
## Indicators of Compromise
(Not applicable for a defensive validation tool feature)
## Associated Threat Actors
(Not applicable, as this is a defensive posture validation capability)
## Detection Methods
(Not applicable, as this is a defensive validation tool feature)
## Mitigation Strategies
- **Disable Unnecessary External Services/Ports:** Reduce the number of discoverable and reachable endpoints.
- **Network Segmentation:** Ensure internal services are not accessible from the internet perimeter.
- **Configuration Review:** Remediate the confirmed exposures first, then clean up the over-permissive rules behind the false positives (for example, a world-open security group on a private subnet) so that a later routing change cannot silently turn them into real exposures.
## Related Tools/Techniques
- Internet-wide scanning services (e.g., Shodan, Censys) that adversaries use to locate exposed services; this feature applies the same outside-in view defensively.
- Static cloud configuration checks (CSPM), which this tool complements rather than replaces.
***
# Tool/Technique: Cloud Infrastructure Entitlement Management (CIEM) Capability
## Overview
An expanded identity inventory system within the CNAPP designed to unify and scrutinize entitlement tracking across multiple cloud service providers (AWS, Azure, GCP) and Identity Providers (Microsoft Entra ID, Google Workspace). Its primary goal is to identify legacy, overprivileged, or unused identities and roles to enforce the principle of least privilege at scale.
## Technical Details
- Type: Defensive capability (identity governance framework addressing identity sprawl and privilege abuse; not an attack tool)
- Platform: Multi-Cloud (AWS, Azure, GCP) and Identity Providers (Entra ID, Google Workspace).
- Capabilities: Comprehensive entitlement tracking, identification of overprivileged roles, detection of stale/unused policies (ghost identities), and proactive governance policy definition.
- First Seen: Part of recent Tenable One enhancements.
## MITRE ATT&CK Mapping
This capability targets the identity and access weaknesses adversaries rely on once they hold a cloud credential: standing over-privilege, stale roles nobody watches, and freshly created or modified principals.
- **TA0004 - Privilege Escalation** and **TA0003 - Persistence**
- T1078 - Valid Accounts (T1078.004 - Cloud Accounts)
- T1098 - Account Manipulation (T1098.001 - Additional Cloud Credentials, T1098.003 - Additional Cloud Roles)
- T1136.003 - Create Account: Cloud Account
- **TA0005 - Defense Evasion**
- T1078.004 - Cloud Accounts (activity through a legitimate but over-entitled role blends in with normal use)
- **TA0001 - Initial Access**
- T1195 - Supply Chain Compromise (relevant to the public AMI scanning feature the report describes, not to CIEM itself)
## Functionality
### Core Capabilities
- **Entitlement Inventory:** Creates a unified view of all roles and identity-based policies, regardless of current activity status.
- **Least Privilege Enforcement:** Pinpoints roles that possess excessive rights beyond what is necessary for their function.
- **Stale Policy Identification:** Detects "ghost identities" and unused permissions that unnecessarily increase the attack surface (e.g., permissions that have never been used post-deployment).
### Advanced Features
- **Proactive Governance:** Allows administrators to define custom security policies for *any* role category, even those not yet implemented, establishing least-privilege guardrails automatically as new resources provision.
- **Cross-Platform Correlation:** Unifies identity data from major IdPs (Entra ID, Google Workspace) with infrastructure entitlements.
## Indicators of Compromise
(Not applicable for monitoring capabilities)
## Associated Threat Actors
(Not applicable, as this is a defensive identity management feature)
## Detection Methods
- **Policy Drift Analysis:** Comparing actual entitlements against defined least-privilege baselines.
- **Usage Telemetry Analysis:** Identifying roles/permissions with zero activity over a defined period.
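The two detection methods above (drift against a least-privilege baseline, and zero-activity detection from usage telemetry), together with the ghost-identity and right-sizing ideas in the report's IAM section, as an added example. This is not Tenable's implementation; the role inventory, timestamps, baseline and the 90-day window are all constructed, and the `last_used` shape only mirrors the service-level "last accessed" data cloud providers expose, with invented values.

```python
"""Entitlement review from usage telemetry and a least-privilege baseline (constructed data)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)   # fixed reference time for the example
STALE_AFTER = timedelta(days=90)                    # assumed review window

# Constructed inventory. `last_used` is service -> last use (None = never used); the shape
# mirrors provider "last accessed" data, but every role, action and timestamp is invented.
ROLES: Dict[str, dict] = {
    "ci-deployer": {
        "last_activity": NOW - timedelta(days=3),
        "actions": ["s3:PutObject", "s3:GetObject", "ec2:*", "iam:PassRole",
                    "lambda:UpdateFunctionCode"],
        "last_used": {"s3": NOW - timedelta(days=3), "lambda": NOW - timedelta(days=10),
                      "ec2": None, "iam": None},
    },
    "legacy-reporting": {
        "last_activity": NOW - timedelta(days=400),
        "actions": ["athena:*", "s3:GetObject"],
        "last_used": {"athena": NOW - timedelta(days=400), "s3": NOW - timedelta(days=401)},
    },
    "new-batch-role": {           # provisioned, never assumed, granted everything
        "last_activity": None,
        "actions": ["*"],
        "last_used": {},
    },
}

# Assumed least-privilege baseline per role (the "custom policy for a role category").
BASELINE: Dict[str, set] = {
    "ci-deployer": {"s3:PutObject", "s3:GetObject", "lambda:UpdateFunctionCode"},
}


def service_of(action: str) -> str:
    return action.split(":", 1)[0]


def is_stale(ts: Optional[datetime]) -> bool:
    return ts is None or NOW - ts > STALE_AFTER


def is_ghost(role: dict) -> bool:
    """Ghost identity: exists but has not been used inside the window (or ever)."""
    return is_stale(role["last_activity"])


def wildcard_actions(role: dict) -> List[str]:
    """Blanket grants ('*' or 'svc:*') are overprivileged by construction."""
    return [a for a in role["actions"] if a == "*" or a.endswith(":*")]


def unused_services(role: dict) -> List[str]:
    """Services the role is granted but has not touched inside the window."""
    granted = {service_of(a) for a in role["actions"] if a != "*"}
    return sorted(s for s in granted if is_stale(role["last_used"].get(s)))


def right_size(role: dict) -> List[str]:
    """Keep only actions on services with recent use; a bare '*' is dropped, not narrowed."""
    stale = set(unused_services(role))
    return [a for a in role["actions"] if a != "*" and service_of(a) not in stale]


def drift(name: str, role: dict) -> List[str]:
    """Actions granted beyond the baseline for this role, if a baseline is defined."""
    base = BASELINE.get(name)
    return sorted(set(role["actions"]) - base) if base is not None else []


def assess(roles: Dict[str, dict]) -> Dict[str, dict]:
    return {
        name: {
            "ghost": is_ghost(role),
            "wildcards": wildcard_actions(role),
            "unused_services": unused_services(role),
            "right_sized": right_size(role),
            "drift": drift(name, role),
        }
        for name, role in roles.items()
    }


if __name__ == "__main__":
    for name, result in assess(ROLES).items():
        print(name, result)
```

Two limits worth stating: service-level telemetry cannot tell `s3:GetObject` use from `s3:PutObject` use, so `right_size` can only prune whole services and the remaining actions still need a human or action-level data; and a role that is "ghost" by activity may still be legitimately dormant (disaster-recovery, quarterly jobs), so the output is a review queue, not an automatic deletion list.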
## Mitigation Strategies
- **Regular Entitlement Review:** Continuous auditing of permissions.
- **Role Refinement:** Right-sizing permissions based on documented job functions.
- **Identity Lifecycle Management:** Ensuring unused accounts/roles are promptly deactivated or removed.
## Related Tools/Techniques
- Traditional Cloud Security Posture Management (CSPM) tools for basic configuration review.
- Cloud Infrastructure Entitlement Management (CIEM) solutions focused primarily on infrastructure rather than broad IdP integration.
***
# Tool/Technique: Graph-Based Multi-Cloud Exploration (Explorer)
## Overview
A unified interface feature leveraging a graph data model to map complex relationships between disparate cloud resources and security findings across multi-cloud environments. Its purpose is to enable security teams to move beyond siloed alert views to visualize the interconnected nature of risks and determine the true blast radius of a specific vulnerability or misconfiguration.
## Technical Details
- Type: Analytical capability (risk correlation and attack-path visualization; not an attack tool)
- Platform: Multi-Cloud Environments (AWS, Azure, GCP resources).
- Capabilities: Advanced query builder, relationship-based joins, visualization of asset dependencies, linking vulnerabilities to identities, and identifying data containment scenarios (e.g., sensitive data in AI training buckets).
- First Seen: Part of recent Tenable One enhancements.
## MITRE ATT&CK Mapping
This capability helps analysts see the same paths an adversary would enumerate after gaining a foothold, so the relevant techniques are the post-compromise ones the graph makes visible.
- **TA0007 - Discovery**
- T1580 - Cloud Infrastructure Discovery
- T1526 - Cloud Service Discovery
- **TA0008 - Lateral Movement**
- T1550.001 - Use Alternate Authentication Material: Application Access Token (moving along identity-to-resource edges)
- **TA0009 - Collection** and **TA0010 - Exfiltration**
- T1530 - Data from Cloud Storage (the sensitive-bucket-to-AI-workload scenario)
- T1537 - Transfer Data to Cloud Account
## Functionality
### Core Capabilities
- **Complex Correlation:** Joining data points (e.g., linking a specific vulnerability to the identity that owns the resource).
- **Unified Querying:** Allowing granular filtering and logical operations across all cloud objects in one interface.
- **Standardized Auditing:** Saving query configurations for repetitive compliance and security checks.
### Advanced Features
- **Graph View Visualization:** Instantly mapping asset dependencies to visually represent the potential blast radius if one component is compromised.
- **Contextual Linkage:** Identifying specific, high-risk scenarios, such as storage buckets containing sensitive data being utilized by connected AI model training environments.
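The relationship join and blast-radius ideas described above and in the report's Explorer section, as an added example over a toy asset graph. This is not Tenable's data model or query engine; the node ids, attributes, edges and the finding are constructed for the example, and the chain-of-relations join is one simple way to express the "vulnerable instance, to role, to sensitive bucket, to AI training job" query, not the Explorer's syntax.

```python
"""Relationship joins and blast radius over a small asset graph (constructed example)."""
from collections import deque
from typing import Callable, Dict, List, Tuple

# Constructed inventory: node ids, attributes and the finding are invented for the example.
NODES: Dict[str, dict] = {
    "ec2/web-1":        {"kind": "instance", "cloud": "aws"},
    "ec2/api-2":        {"kind": "instance", "cloud": "aws"},
    "finding/rce-1":    {"kind": "finding", "severity": "critical", "network_exploitable": True},
    "finding/info-2":   {"kind": "finding", "severity": "low", "network_exploitable": False},
    "role/app-role":    {"kind": "role", "cloud": "aws"},
    "role/readonly":    {"kind": "role", "cloud": "aws"},
    "s3/training-data": {"kind": "bucket", "sensitive": True},
    "s3/public-assets": {"kind": "bucket", "sensitive": False},
    "ml/model-train":   {"kind": "ai_training_job"},
}

# Directed, typed edges: (source, relation, target).
EDGES: List[Tuple[str, str, str]] = [
    ("ec2/web-1", "has_finding", "finding/rce-1"),
    ("ec2/api-2", "has_finding", "finding/info-2"),
    ("ec2/web-1", "assumes", "role/app-role"),
    ("ec2/api-2", "assumes", "role/readonly"),
    ("role/app-role", "can_read", "s3/training-data"),
    ("role/app-role", "can_read", "s3/public-assets"),
    ("role/readonly", "can_read", "s3/public-assets"),
    ("s3/training-data", "feeds", "ml/model-train"),
]

Pred = Callable[[str, dict], bool]   # (node id, attributes) -> match?


def build_adjacency(edges: List[Tuple[str, str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    adj: Dict[str, List[Tuple[str, str]]] = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    return adj


ADJ = build_adjacency(EDGES)


def join(start: Pred, chain: List[Tuple[str, Pred]]) -> List[List[str]]:
    """Relationship join: begin at nodes matching `start`, then for each (relation, predicate)
    step follow only edges of that relation into nodes the predicate accepts.
    Each result is a full path, so the output is evidence, not just a hit list."""
    paths = [[n] for n, attrs in NODES.items() if start(n, attrs)]
    for rel, pred in chain:
        paths = [p + [dst]
                 for p in paths
                 for r, dst in ADJ.get(p[-1], [])
                 if r == rel and pred(dst, NODES[dst])]
    return paths


def has_exploitable_finding(nid: str, attrs: dict) -> bool:
    return attrs["kind"] == "instance" and any(
        rel == "has_finding" and NODES[dst].get("network_exploitable")
        for rel, dst in ADJ.get(nid, []))


def toxic_paths() -> List[List[str]]:
    """Exploitable instance -> role it can assume -> sensitive bucket -> AI training job."""
    return join(
        has_exploitable_finding,
        [("assumes", lambda _n, a: a["kind"] == "role"),
         ("can_read", lambda _n, a: a["kind"] == "bucket" and bool(a.get("sensitive"))),
         ("feeds", lambda _n, a: a["kind"] == "ai_training_job")],
    )


def blast_radius(start: str, max_depth: int = 4) -> Dict[str, int]:
    """BFS over outgoing edges: everything reachable from `start`, with hop count."""
    depth = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if depth[cur] >= max_depth:
            continue
        for _rel, dst in ADJ.get(cur, []):
            if dst not in depth:
                depth[dst] = depth[cur] + 1
                queue.append(dst)
    depth.pop(start)
    return depth


if __name__ == "__main__":
    print(toxic_paths())             # [['ec2/web-1', 'role/app-role', 's3/training-data', 'ml/model-train']]
    print(blast_radius("ec2/web-1"))
```

The join returns whole paths rather than a boolean per asset, which is the practical difference from a flat "critical vulnerabilities" list: `ec2/api-2` also has a finding and also reads a bucket, but it never appears in the result because nothing it can reach is sensitive. The same graph drives `blast_radius`, which is what a Graph view renders: starting from the compromised node, every asset a hop away is in scope for containment.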
## Indicators of Compromise
(Not applicable)
## Associated Threat Actors
(Not applicable)
## Detection Methods
(Not applicable)
## Mitigation Strategies
- **Decoupling Asset Dependencies:** Strategically designing cloud environments to minimize blast radius linkages where possible (e.g., separating production access from development/AI experimentation resources).
- **Risk-Based Prioritization:** Utilizing path analysis to prioritize fixes that sever high-impact exposure chains.
## Related Tools/Techniques
- **Cyber Graph Technologies:** Tools that rely on graph databases to map connectivity and risk propagation.