Multi-cloud honesty

Service coverage

Every individual service across Azure, AWS, GCP, Kubernetes, identity systems, and hybrid connectivity — with a fully / partially / planned / not-supported grade per capability. We do not pretend coverage we haven't built. See the guide.

Executive Engineer Architect

Cloud:all azure aws gcp kubernetes saas onprem

Status:all Production-quality Common case covered Synthesised from adjacent data Planned Not in scope

Enhanced by:all wiz dynatrace datadog crowdstrike veracode

Legend:●Production-quality◐Common case covered◔Synthesised from adjacent data○Planned✕Not in scope

Service	Cloud	Disc	Inv	Topo	Sec	Net	IAM	Obs	$	Recs	Notes
Microsoft Entra ID identity.entra	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: MS Graph + ARM. Auth: OAuth client credentials + User-Assigned Managed Identity. Reads: Users, groups, app regs, service principals, role assignments, group memberships, sign-in logs.
Microsoft Entra B2C identity.entra_b2c	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: Graph. Auth: OAuth. Reads: Custom policies, user flows, tenant config.
Entra Domain Services identity.entra_ds	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: ARM. Auth: OAuth (UAMI). Reads: Domain config, replication state.
Okta identity.okta	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: Okta Management API. Auth: API token (read scopes: users:read, groups:read, apps:read, logs:read). Reads: Users, groups, apps, role assignments, MFA enrollments, system log, policies.
Ping Identity identity.ping	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: PingOne API. Auth: OAuth client credentials. Reads: Users, populations, applications, role assignments, MFA.
OneLogin identity.onelogin	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: OneLogin API. Auth: API credentials. Reads: Users, apps, roles, sign-in events.
ForgeRock Identity Cloud identity.forgerock	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: AM/IDM REST. Auth: Service account / OAuth client credentials. Reads: Users, identities, journeys, federation config.
Auth0 (Okta) identity.auth0	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: Management API. Auth: M2M token (audience: management API). Reads: Users, applications, connections, rules/actions, logs.
JumpCloud identity.jumpcloud	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: JumpCloud API. Auth: API key (read scopes). Reads: Users, systems, system bindings, SSO apps, MFA enrollment.
Google Cloud Identity identity.gcp_identity	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: Google Admin SDK Directory API. Auth: OAuth (workforce identity federation preferred). Reads: Users, groups, OUs, role assignments, sign-in events.
Amazon Cognito identity.cognito	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: AWS SDK (Cognito IDP). Auth: Cross-account IAM role (read-only). Reads: User pools, app clients, identity providers, federation config.
SailPoint IdentityNow identity.sailpoint	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: IdentityNow API. Auth: OAuth client credentials (read scopes). Reads: Identities, entitlements, access reviews, certifications, sources.
Saviynt Identity Cloud identity.saviynt	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: Saviynt REST. Auth: Service account. Reads: Users, accounts, entitlements, requests, certifications.
CyberArk identity.cyberark	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: Conjur API + EPM API + Privilege Cloud API. Auth: API authentication. Reads: Safes, accounts, applications, privileged session audit. Gap: Session recordings stay on CyberArk side; we ingest metadata only.
Delinea (Thycotic + Centrify) identity.delinea	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: Secret Server REST + Privilege Manager API. Auth: API key + service account. Reads: Secret templates, folders, permissions, audit logs.
Duo Security (Cisco) identity.duo	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: Duo Admin API. Auth: hostkey + skey + IKey (read). Reads: Users, integrations, authentication logs, enrollment status, policies.
RSA SecurID identity.rsa_securid	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: SecurID Cloud Authentication API. Auth: service account. Reads: Users, tokens, authentication policies, sign-in events.
Keycloak identity.keycloak	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: Keycloak Admin REST API. Auth: OIDC client_credentials. Reads: Realms, users, groups, clients, role mappings, identity providers.

Read-only and advisory by design — we never modify cloud resources. The grades describe what we can observe, not what we can change.