Multi-cloud honesty

Service coverage

Every individual service across Azure, AWS, GCP, Kubernetes, identity systems, and hybrid connectivity — with a fully / partially / planned / not-supported grade per capability. We do not pretend coverage we haven't built. See the guide.

Executive Engineer Architect

Cloud:all azure aws gcp kubernetes saas onprem

Status:all Production-quality Common case covered Synthesised from adjacent data Planned Not in scope

Enhanced by:all wiz dynatrace datadog crowdstrike veracode

Legend:●Production-quality◐Common case covered◔Synthesised from adjacent data○Planned✕Not in scope

Service	Cloud	Disc	Inv	Topo	Sec	Net	IAM	Obs	$	Recs	Notes
Azure Container Instances azure.compute.aci	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Functions azure.compute.functions	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Batch azure.compute.batch	azure	●	●	○	◐	✕	◐	◐	●	○
Managed Disks azure.compute.disks	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Spring Apps azure.compute.springapps	azure	●	●	○	◐	✕	◐	◐	●	○
Service Fabric azure.compute.servicefabric	azure	●	●	○	◐	✕	◐	◐	●	○
Public IP azure.network.publicip	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Front Door azure.network.frontdoor	azure	●	●	○	◐	✕	◐	◐	●	○
Azure CDN azure.network.cdn	azure	●	●	○	◐	✕	◐	◐	●	○
Private DNS Zone azure.network.privatedns	azure	●	●	◐	◐	✕	◐	◐	●	○
Azure DNS azure.network.publicdns	azure	●	●	○	◐	✕	◐	◐	●	○
ExpressRoute azure.network.expressroute	azure	●	●	◐	◐	✕	◐	◐	●	●	Circuit + peering visible. Has a hybridConnectivity playbook for chain validation.
VPN Gateway azure.network.vpngateway	azure	●	●	○	◐	✕	◐	◐	●	○
Virtual WAN azure.network.virtualwan	azure	●	●	○	◐	✕	◐	◐	●	○
Route Table / UDR azure.network.routetable	azure	●	●	◐	◐	✕	◐	◐	●	○
Network Watcher azure.network.networkwatcher	azure	●	●	○	◐	✕	◐	◐	●	○	Flow logs + topology snapshots + IP flow verify. Used as evidence source by NSG playbooks.
Azure Bastion azure.network.bastion	azure	●	●	○	◐	✕	◐	◐	●	○
DDoS Protection azure.network.ddos	azure	●	●	○	◐	✕	◐	◐	●	○
Azure NetApp Files azure.storage.netapp	azure	●	●	○	◐	✕	◐	◐	●	○
Data Box Edge azure.storage.databoxedge	azure	●	●	○	◐	✕	◐	◐	●	○
SQL Managed Instance azure.db.sqlmi	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Database for PostgreSQL azure.db.postgres	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Database for MySQL azure.db.mysql	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Database for MariaDB azure.db.mariadb	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Cosmos DB azure.db.cosmos	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Cache for Redis azure.db.redis	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Synapse Analytics azure.db.synapse	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Data Explorer azure.db.kusto	azure	●	●	○	◐	✕	◐	◐	●	○
Azure AI Search azure.db.search	azure	●	●	○	◐	✕	◐	◐	●	○
Microsoft Entra ID azure.identity.entraid	azure	●	●	○	◐	✕	●	◐	●	●	Users, groups, app regs, service principals, role assignments via Graph + ARM RBAC.
User-Assigned Managed Identity azure.identity.uami	azure	●	●	○	◐	✕	●	◐	●	○
Privileged Identity Management azure.identity.pim	azure	●	●	○	◐	✕	◐	◐	●	○
Azure AD B2C azure.identity.b2c	azure	●	●	○	◐	✕	◐	◐	●	○
Microsoft Defender for Cloud azure.security.defender	azure	●	●	○	●	✕	◐	◐	●	●	Findings + secure score + plans. Defender for Servers/Containers/Storage/SQL all surface via assessments.
Microsoft Sentinel azure.security.sentinel	azure	●	●	○	◐	✕	◐	●	●	○
Azure Policy azure.security.policy	azure	●	●	○	●	✕	◐	◐	●	○
App Configuration azure.security.appconfig	azure	●	●	○	◐	✕	◐	◐	●	○
Application Gateway WAF v2 azure.security.appgateway_waf	azure	●	●	○	◐	✕	◐	◐	●	○
Front Door WAF azure.security.frontdoor_waf	azure	●	●	○	◐	✕	◐	◐	●	○
Cognitive Services azure.ai.cognitiveservices	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Machine Learning azure.ai.ml	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Bot Service azure.ai.bot	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Monitor azure.obs.monitor	azure	●	●	○	◐	✕	◐	●	●	○
Log Analytics azure.obs.loganalytics	azure	●	●	○	◐	✕	◐	●	●	○
Application Insights azure.obs.appinsights	azure	●	●	○	◐	✕	◐	◐	●	○	Trace data only if the app is instrumented. Service map from App Insights is partial; full topology benefits from Dynatrace/Datadog.
Activity Log azure.obs.activitylog	azure	●	●	○	◐	✕	◐	●	●	○
Azure Service Health azure.obs.servicehealth	azure	●	●	○	◐	✕	◐	●	●	○
Azure DevOps azure.devops.devops	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Container Registry azure.devops.acr	azure	●	●	○	◐	✕	◐	◐	●	○
Service Bus azure.integration.servicebus	azure	●	●	○	◐	✕	◐	◐	●	○
Event Hubs azure.integration.eventhub	azure	●	●	○	◐	✕	◐	◐	●	○
Event Grid azure.integration.eventgrid	azure	●	●	○	◐	✕	◐	◐	●	○
Logic Apps azure.integration.logicapps	azure	●	●	○	◐	✕	◐	◐	●	○
API Management azure.integration.apim	azure	●	●	○	◐	✕	◐	◐	●	○
Notification Hubs azure.integration.notificationhubs	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Relay azure.integration.relay	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Resource Manager azure.mgmt.arm	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Policy azure.mgmt.policy	azure	●	●	○	●	✕	◐	◐	●	○
Blueprints (legacy) azure.mgmt.blueprints	azure	●	●	○	◐	✕	◐	◐	●	○
Cost Management azure.mgmt.cost	azure	●	●	○	◐	✕	◐	◐	●	○
Automation Account azure.mgmt.automation	azure	●	●	○	◐	✕	◐	◐	●	●	Has a deep playbook (automationHybridWorker) for hybrid worker + module CVE analysis.
Azure Arc azure.mgmt.arc	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Lighthouse azure.mgmt.lighthouse	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Advisor azure.mgmt.advisor	azure	●	●	○	◐	✕	◐	◐	●	●
Resource Graph azure.mgmt.resourcegraph	azure	●	●	○	◐	✕	◐	◐	●	○
IoT Hub azure.iot.hub	azure	●	●	○	◐	✕	◐	◐	●	○
IoT Central azure.iot.central	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Digital Twins azure.iot.digitaltwins	azure	●	●	○	◐	✕	◐	◐	●	○
Device Provisioning Service azure.iot.dps	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Sphere azure.iot.sphere	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Communication Services azure.media.acs	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Maps azure.media.maps	azure	●	●	○	◐	✕	◐	◐	●	○
Recovery Services Vault azure.migration.recoveryvault	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Migrate azure.migration.databoxedge	azure	●	●	○	◐	✕	◐	◐	●	○
Database Migration Service azure.migration.dms	azure	●	●	○	◐	✕	◐	◐	●	○
EC2 aws.compute.ec2	aws	◐	◐	○	○	✕	○	○	◐	○
Auto Scaling Groups aws.compute.asg	aws	◐	◐	○	○	✕	○	○	◐	○
ECS aws.compute.ecs	aws	◐	◐	○	○	✕	○	○	◐	○
EKS aws.compute.eks	aws	◐	◐	○	○	✕	○	○	◐	○	Gap: In-cluster object inventory needs the Kubernetes connector with kubeconfig.
Fargate aws.compute.fargate	aws	◐	◐	○	○	✕	○	○	◐	○
Lambda aws.compute.lambda	aws	◐	◐	○	○	✕	○	○	◐	◐	awsLambdaVpc playbook exists for VPC + IAM posture.
Batch aws.compute.batch	aws	◐	◐	○	○	✕	○	○	◐	○
App Runner aws.compute.apprunner	aws	◐	◐	○	○	✕	○	○	◐	○
VPC aws.network.vpc	aws	◐	◐	○	○	✕	○	○	◐	○
Subnet aws.network.subnet	aws	◐	◐	○	○	✕	○	○	◐	○
Security Group aws.network.sg	aws	◐	◐	○	○	✕	○	○	◐	◐	awsSgBroadSource playbook computes SG tier + flags 0.0.0.0/0 ingress.
Network ACL aws.network.nacl	aws	◐	◐	○	○	✕	○	○	◐	○
Route Table aws.network.routetable	aws	◐	◐	○	○	✕	○	○	◐	○
Internet Gateway aws.network.igw	aws	◐	◐	○	○	✕	○	○	◐	○
NAT Gateway aws.network.natgw	aws	◐	◐	○	○	✕	○	○	◐	○
Transit Gateway aws.network.tgw	aws	◐	◐	○	○	✕	○	○	◐	○
VPN Gateway aws.network.vpngw	aws	◐	◐	○	○	✕	○	○	◐	○
Direct Connect aws.network.directconnect	aws	◐	◐	○	○	✕	○	○	◐	○
ELB (classic) aws.network.elb	aws	◐	◐	○	○	✕	○	○	◐	○
Application Load Balancer aws.network.alb	aws	◐	◐	○	○	✕	○	○	◐	○
Network Load Balancer aws.network.nlb	aws	◐	◐	○	○	✕	○	○	◐	○
CloudFront aws.network.cloudfront	aws	◐	◐	○	○	✕	○	○	◐	○
Route 53 aws.network.route53	aws	◐	◐	○	○	✕	○	○	◐	○
PrivateLink aws.network.privatelink	aws	◐	◐	○	○	✕	○	○	◐	○
S3 aws.storage.s3	aws	◐	◐	○	○	✕	○	○	◐	◐	awsS3CrossAccount playbook computes cross-account access + Block Public Access posture.
EBS aws.storage.ebs	aws	◐	◐	○	○	✕	○	○	◐	○
EFS aws.storage.efs	aws	◐	◐	○	○	✕	○	○	◐	○
FSx aws.storage.fsx	aws	◐	◐	○	○	✕	○	○	◐	○
S3 Glacier aws.storage.glacier	aws	◐	◐	○	○	✕	○	○	◐	○
RDS aws.db.rds	aws	◐	◐	○	○	✕	○	○	◐	◐	awsRdsPublic playbook detects publicly-accessible instances.
Aurora aws.db.aurora	aws	◐	◐	○	○	✕	○	○	◐	○
DynamoDB aws.db.dynamodb	aws	◐	◐	○	○	✕	○	○	◐	○
ElastiCache aws.db.elasticache	aws	◐	◐	○	○	✕	○	○	◐	○
DocumentDB aws.db.documentdb	aws	◐	◐	○	○	✕	○	○	◐	○
Neptune aws.db.neptune	aws	◐	◐	○	○	✕	○	○	◐	○
Redshift aws.db.redshift	aws	◐	◐	○	○	✕	○	○	◐	○
OpenSearch aws.db.opensearch	aws	◐	◐	○	○	✕	○	○	◐	○
IAM aws.identity.iam	aws	◐	◐	○	○	✕	◐	○	◐	◐	Role/Policy/User enumeration native via IAM API; least-privilege analyzer roadmap.
Cognito aws.identity.cognito	aws	◐	◐	○	○	✕	○	○	◐	○
AWS SSO / IAM Identity Center aws.identity.sso	aws	◐	◐	○	○	✕	○	○	◐	○
Secrets Manager aws.identity.secretsmanager	aws	◐	◐	○	○	✕	○	○	◐	○
KMS aws.identity.kms	aws	◐	◐	○	○	✕	○	○	◐	○
Security Hub aws.security.securityhub	aws	◐	◐	○	◐	✕	○	○	◐	○	Finding ingestion stub exists; full enrichment roadmap.
GuardDuty aws.security.guardduty	aws	◐	◐	○	○	✕	○	○	◐	○
Inspector aws.security.inspector	aws	◐	◐	○	○	✕	○	○	◐	○
Macie aws.security.macie	aws	◐	◐	○	○	✕	○	○	◐	○
Detective aws.security.detective	aws	◐	◐	○	○	✕	○	○	◐	○
AWS Config aws.security.config	aws	◐	◐	○	◐	✕	○	○	◐	○
CloudTrail aws.security.cloudtrail	aws	◐	◐	○	○	✕	○	○	◐	○
WAF aws.security.waf	aws	◐	◐	○	○	✕	○	○	◐	○
Shield aws.security.shield	aws	◐	◐	○	○	✕	○	○	◐	○
Firewall Manager aws.security.firewallmgr	aws	◐	◐	○	○	✕	○	○	◐	○
CloudWatch Metrics aws.obs.cloudwatch	aws	◐	◐	○	○	✕	○	◐	◐	○
CloudWatch Logs aws.obs.cwlogs	aws	◐	◐	○	○	✕	○	◐	◐	○
X-Ray aws.obs.xray	aws	◐	◐	○	○	✕	○	○	◐	○
EventBridge aws.obs.eventbridge	aws	◐	◐	○	○	✕	○	○	◐	○
SQS aws.integration.sqs	aws	◐	◐	○	○	✕	○	○	◐	○
SNS aws.integration.sns	aws	◐	◐	○	○	✕	○	○	◐	○
Step Functions aws.integration.stepfn	aws	◐	◐	○	○	✕	○	○	◐	○
API Gateway aws.integration.apigw	aws	◐	◐	○	○	✕	○	○	◐	○
AppSync aws.integration.appsync	aws	◐	◐	○	○	✕	○	○	◐	○
Organizations aws.mgmt.organizations	aws	◐	◐	○	○	✕	○	○	◐	○
Control Tower aws.mgmt.controltower	aws	◐	◐	○	○	✕	○	○	◐	○
Service Catalog aws.mgmt.servicecatalog	aws	◐	◐	○	○	✕	○	○	◐	○
CloudFormation aws.mgmt.cfn	aws	◐	◐	○	○	✕	○	○	◐	○
Systems Manager aws.mgmt.ssm	aws	◐	◐	○	○	✕	○	○	◐	○
ECR aws.devops.ecr	aws	◐	◐	○	○	✕	○	○	◐	○
CodeBuild aws.devops.codebuild	aws	◐	◐	○	○	✕	○	○	◐	○
CodePipeline aws.devops.codepipeline	aws	◐	◐	○	○	✕	○	○	◐	○
CodeArtifact aws.devops.codeartifact	aws	◐	◐	○	○	✕	○	○	◐	○
Compute Engine gcp.compute.gce	gcp	◐	◐	○	○	✕	○	○	◐	○
GKE gcp.compute.gke	gcp	◐	◐	○	○	✕	○	○	◐	◐	gcpGkeNetworking playbook for control-plane + nodepool posture.
Cloud Run gcp.compute.cloudrun	gcp	◐	◐	○	○	✕	○	○	◐	○
Cloud Functions gcp.compute.functions	gcp	◐	◐	○	○	✕	○	○	◐	◐	gcpCloudFunctionIngress playbook checks ingress posture.
App Engine gcp.compute.appengine	gcp	◐	◐	○	○	✕	○	○	◐	○
GCP Batch gcp.compute.batch	gcp	◐	◐	○	○	✕	○	○	◐	○
VPC gcp.network.vpc	gcp	◐	◐	○	○	✕	○	○	◐	○
Subnetwork gcp.network.subnet	gcp	◐	◐	○	○	✕	○	○	◐	○
Firewall Rule gcp.network.firewall	gcp	◐	◐	○	○	✕	○	○	◐	○
Routes gcp.network.routes	gcp	◐	◐	○	○	✕	○	○	◐	○
Cloud NAT gcp.network.cloudnat	gcp	◐	◐	○	○	✕	○	○	◐	○
Cloud Load Balancing gcp.network.lb	gcp	◐	◐	○	○	✕	○	○	◐	○
Cloud CDN gcp.network.cdn	gcp	◐	◐	○	○	✕	○	○	◐	○
Private Service Connect gcp.network.psc	gcp	◐	◐	○	○	✕	○	○	◐	○
Cloud DNS gcp.network.dns	gcp	◐	◐	○	○	✕	○	○	◐	○
Cloud Armor gcp.network.cloudarmor	gcp	◐	◐	○	○	✕	○	○	◐	○
Interconnect gcp.network.interconnect	gcp	◐	◐	○	○	✕	○	○	◐	○
Cloud VPN gcp.network.vpn	gcp	◐	◐	○	○	✕	○	○	◐	○
Cloud Storage gcp.storage.gcs	gcp	◐	◐	○	○	✕	○	○	◐	◐	gcpCloudStoragePublicAccess playbook detects publicly-accessible buckets.
Persistent Disk gcp.storage.disk	gcp	◐	◐	○	○	✕	○	○	◐	○
Filestore gcp.storage.filestore	gcp	◐	◐	○	○	✕	○	○	◐	○
Cloud SQL gcp.db.cloudsql	gcp	◐	◐	○	○	✕	○	○	◐	◐	gcpCloudSqlPublic playbook detects publicly-accessible instances.
Spanner gcp.db.spanner	gcp	◐	◐	○	○	✕	○	○	◐	○
Firestore gcp.db.firestore	gcp	◐	◐	○	○	✕	○	○	◐	○
Bigtable gcp.db.bigtable	gcp	◐	◐	○	○	✕	○	○	◐	○
AlloyDB gcp.db.alloydb	gcp	◐	◐	○	○	✕	○	○	◐	○
Memorystore gcp.db.memorystore	gcp	◐	◐	○	○	✕	○	○	◐	○
Cloud IAM gcp.identity.iam	gcp	◐	◐	○	○	✕	◐	○	◐	○
Identity-Aware Proxy gcp.identity.iap	gcp	◐	◐	○	○	✕	○	○	◐	○
Secret Manager gcp.identity.secretmanager	gcp	◐	◐	○	○	✕	○	○	◐	○
Cloud KMS gcp.identity.kms	gcp	◐	◐	○	○	✕	○	○	◐	○
Cloud Identity gcp.identity.cloudidentity	gcp	◐	◐	○	○	✕	○	○	◐	○
Security Command Center gcp.security.scc	gcp	◐	◐	○	◐	✕	○	○	◐	○
Binary Authorization gcp.security.binaryauth	gcp	◐	◐	○	○	✕	○	○	◐	○
Access Context Manager gcp.security.accesscontext	gcp	◐	◐	○	○	✕	○	○	◐	○
VPC Service Controls gcp.security.vpcsc	gcp	◐	◐	○	○	✕	○	○	◐	○
Chronicle gcp.security.chronicle	gcp	◐	◐	○	○	✕	○	○	◐	○
Cloud Logging gcp.obs.logging	gcp	◐	◐	○	○	✕	○	◐	◐	○
Cloud Monitoring gcp.obs.monitoring	gcp	◐	◐	○	○	✕	○	◐	◐	○
Cloud Trace gcp.obs.trace	gcp	◐	◐	○	○	✕	○	○	◐	○
Error Reporting gcp.obs.errorrep	gcp	◐	◐	○	○	✕	○	○	◐	○
BigQuery gcp.analytics.bigquery	gcp	◐	◐	○	○	✕	○	○	◐	○
Dataflow gcp.analytics.dataflow	gcp	◐	◐	○	○	✕	○	○	◐	○
Dataproc gcp.analytics.dataproc	gcp	◐	◐	○	○	✕	○	○	◐	○
Pub/Sub gcp.integration.pubsub	gcp	◐	◐	○	○	✕	○	○	◐	○
Cloud Tasks gcp.integration.cloudtasks	gcp	◐	◐	○	○	✕	○	○	◐	○
Workflows gcp.integration.workflows	gcp	◐	◐	○	○	✕	○	○	◐	○
Eventarc gcp.integration.eventarc	gcp	◐	◐	○	○	✕	○	○	◐	○
Cloud Endpoints gcp.integration.endpoints	gcp	◐	◐	○	○	✕	○	○	◐	○
Organization gcp.mgmt.org	gcp	◐	◐	○	○	✕	○	○	◐	○	gcpOrgHierarchy playbook walks org→folder→project tree.
Folder gcp.mgmt.folder	gcp	◐	◐	○	○	✕	○	○	◐	○
Project gcp.mgmt.project	gcp	◐	◐	○	○	✕	○	○	◐	○
Marketplace gcp.mgmt.marketplace	gcp	◐	◐	○	○	✕	○	○	◐	○
Pod k8s.workload.pod	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
Deployment k8s.workload.deployment	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
StatefulSet k8s.workload.statefulset	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
DaemonSet k8s.workload.daemonset	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
Job k8s.workload.job	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
CronJob k8s.workload.cronjob	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
ReplicaSet k8s.workload.rs	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
ConfigMap k8s.config.configmap	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
Secret k8s.config.secret	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
Service k8s.net.service	kubernetes	●	●	●	◐	◐	●	◐	✕	○
Ingress k8s.net.ingress	kubernetes	●	●	●	◐	◐	●	◐	✕	○
NetworkPolicy k8s.net.netpol	kubernetes	●	●	◐	◐	●	●	◐	✕	○
Endpoints k8s.net.endpoint	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
EndpointSlice k8s.net.endpointslice	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
Role k8s.rbac.role	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
ClusterRole k8s.rbac.clusterrole	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
RoleBinding k8s.rbac.rb	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
ClusterRoleBinding k8s.rbac.crb	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
ServiceAccount k8s.rbac.sa	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
PodSecurityAdmission k8s.policy.psp	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
Namespace k8s.namespace	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
Node k8s.node	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
PersistentVolume k8s.storage.pv	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
PersistentVolumeClaim k8s.storage.pvc	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
StorageClass k8s.storage.sc	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
HorizontalPodAutoscaler k8s.autoscaling.hpa	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
VerticalPodAutoscaler k8s.autoscaling.vpa	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
CustomResourceDefinition k8s.crd	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
Microsoft Entra ID identity.entra	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: MS Graph + ARM. Auth: OAuth client credentials + User-Assigned Managed Identity. Reads: Users, groups, app regs, service principals, role assignments, group memberships, sign-in logs.
Microsoft Entra B2C identity.entra_b2c	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: Graph. Auth: OAuth. Reads: Custom policies, user flows, tenant config.
Entra Domain Services identity.entra_ds	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: ARM. Auth: OAuth (UAMI). Reads: Domain config, replication state.
Active Directory Federation Services (ADFS) identity.adfs	onprem	○	○	○	○	✕	○	◐	✕	○	Discovery: Read Entra federation settings (we infer ADFS presence from external federation config). Auth: n/a — read Entra side only. Reads: Federation trust metadata, claim mappings. Gap: We do not read ADFS server directly; on-prem agent would be required for full posture.
Active Directory (on-prem) identity.active_directory	onprem	○	○	○	○	✕	○	◐	✕	○	Discovery: Azure AD Connect sync state via Entra; on-prem LDAP optional via agent. Auth: Read sync state from Entra; on-prem agent for direct read. Reads: Hybrid join state, sync errors, stale objects (via Entra sync metrics). Gap: Direct AD attribute read requires deploying an on-prem agent; not in Tranche A.
LDAP / OpenLDAP identity.ldap	onprem	○	○	○	○	✕	○	◐	✕	○	Discovery: LDAP bind (on-prem connector or jump host). Auth: Bind DN + service-account password. Reads: OU tree, user/group attributes. Gap: Requires network reachability + service account; reference-class only.
Okta identity.okta	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: Okta Management API. Auth: API token (read scopes: users:read, groups:read, apps:read, logs:read). Reads: Users, groups, apps, role assignments, MFA enrollments, system log, policies.
Ping Identity identity.ping	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: PingOne API. Auth: OAuth client credentials. Reads: Users, populations, applications, role assignments, MFA.
OneLogin identity.onelogin	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: OneLogin API. Auth: API credentials. Reads: Users, apps, roles, sign-in events.
ForgeRock Identity Cloud identity.forgerock	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: AM/IDM REST. Auth: Service account / OAuth client credentials. Reads: Users, identities, journeys, federation config.
Auth0 (Okta) identity.auth0	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: Management API. Auth: M2M token (audience: management API). Reads: Users, applications, connections, rules/actions, logs.
JumpCloud identity.jumpcloud	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: JumpCloud API. Auth: API key (read scopes). Reads: Users, systems, system bindings, SSO apps, MFA enrollment.
Google Cloud Identity identity.gcp_identity	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: Google Admin SDK Directory API. Auth: OAuth (workforce identity federation preferred). Reads: Users, groups, OUs, role assignments, sign-in events.
Amazon Cognito identity.cognito	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: AWS SDK (Cognito IDP). Auth: Cross-account IAM role (read-only). Reads: User pools, app clients, identity providers, federation config.
SailPoint IdentityNow identity.sailpoint	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: IdentityNow API. Auth: OAuth client credentials (read scopes). Reads: Identities, entitlements, access reviews, certifications, sources.
Saviynt Identity Cloud identity.saviynt	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: Saviynt REST. Auth: Service account. Reads: Users, accounts, entitlements, requests, certifications.
CyberArk identity.cyberark	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: Conjur API + EPM API + Privilege Cloud API. Auth: API authentication. Reads: Safes, accounts, applications, privileged session audit. Gap: Session recordings stay on CyberArk side; we ingest metadata only.
Delinea (Thycotic + Centrify) identity.delinea	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: Secret Server REST + Privilege Manager API. Auth: API key + service account. Reads: Secret templates, folders, permissions, audit logs.
Duo Security (Cisco) identity.duo	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: Duo Admin API. Auth: hostkey + skey + IKey (read). Reads: Users, integrations, authentication logs, enrollment status, policies.
RSA SecurID identity.rsa_securid	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: SecurID Cloud Authentication API. Auth: service account. Reads: Users, tokens, authentication policies, sign-in events.
Keycloak identity.keycloak	saas	○	○	○	○	✕	○	◐	✕	○	Discovery: Keycloak Admin REST API. Auth: OIDC client_credentials. Reads: Realms, users, groups, clients, role mappings, identity providers.
ExpressRoute (Azure) hybrid.azure.expressroute	onprem	◐	◐	◐	○	◐	✕	○	✕	○	Azure side discovered via Resource Graph; hybridConnectivity playbook validates the chain. On-prem peer + carrier device not visible.
VPN Gateway (Azure) hybrid.azure.vpngateway	onprem	◐	◐	◐	○	◐	✕	○	✕	○	Azure side discovered. On-prem peer requires CMDB or agent.
Direct Connect (AWS) hybrid.aws.directconnect	onprem	◐	◐	◐	○	◐	✕	○	✕	○	AWS side enumerable via aiobotocore. On-prem peer not visible.
Site-to-Site VPN (AWS) hybrid.aws.sitevpn	onprem	◐	◐	◐	○	◐	✕	○	✕	○	Tunnel state visible AWS-side.
Cloud Interconnect (GCP) hybrid.gcp.interconnect	onprem	◐	◐	◐	○	◐	✕	○	✕	○	GCP side enumerable via google-cloud-resource-manager.
Cloud VPN (GCP) hybrid.gcp.cloudvpn	onprem	◐	◐	◐	○	◐	✕	○	✕	○	GCP side enumerable.
Hybrid DNS resolution hybrid.dns.resolver	onprem	◐	◐	◐	○	◐	✕	○	✕	○	Private DNS Zones (Azure/AWS/GCP) plus conditional forwarders. Resolution chain validated end-to-end by privateEndpointImpact playbook for Azure only.
Identity federation hybrid.identity.federation	onprem	◐	◐	◐	○	◐	✕	○	✕	○	Entra ↔ ADFS / Entra ↔ Okta / Entra ↔ Ping. Discovery requires reading Entra federation settings + the peer IdP via its API.
ServiceNow CMDB hybrid.cmdb.servicenow	onprem	◐	◐	◐	○	◐	✕	○	✕	○	Business services from cmdb_ci_service ingested. Reconciliation against live cloud inventory is roadmap.
Webhook integration bridge hybrid.webhook.bridge	onprem	◐	◐	◐	○	◐	✕	○	✕	○	Outbound webhooks fire on recommendation status changes. Inbound webhooks (receiving from external systems) are roadmap.

Read-only and advisory by design — we never modify cloud resources. The grades describe what we can observe, not what we can change.