Abstract: A system and method for executing mitigation actions in a cloud computing environment based on a severity of a detected cybersecurity risk is presented. The method includes detecting a cybersecurity risk based on an enriched event record from a cloud log, the enriched event record including runtime data from a resource deployed in a cloud computing environment and a state of an entity detected in the runtime data; determining a severity score for the detected cybersecurity risk of the enriched event record; prioritizing a plurality of mitigation actions based on the severity score; and executing at least a mitigation action in the cloud computing environment based on the prioritization.

Abstract: A system and method for detecting cybersecurity threats in a cloud computing environment utilizing runtime data is presented. The method includes: receiving runtime data from a runtime sensor deployed on a resource in a cloud computing environment, wherein the runtime sensor is configured to detect runtime events on the resource; generating an event log in an inspection environment based on the received runtime data, each event in the event log generated by extracting data from the runtime data; detecting in the event log a software application identifier of a software application; querying a security database based on the software application identifier; determining, based on a result of querying, that the software application was not previously detected on the resource; and initiating inspection of the resource in response to determining that the software application corresponding to the software application identifier was not previously detected on the resource.

Abstract: A system and method for detecting endpoint exposures in a cloud computing environment is presented. The method includes detecting a plurality of endpoints in a cloud computing environment, inspecting each of a plurality of resources deployed in the cloud computing environment to detect an endpoint; associating the endpoint to another object, wherein the another object is an entity of the cloud computing environment; generating a representation of the endpoint in a security database, wherein the security database includes a representation of the cloud computing environment; detecting a network path between the another object and an external network; determining that the endpoint is an exposed endpoint in response to detecting the network path; and initiating a remediation action based on the exposed endpoint.

Abstract: A system and method for cybersecurity threat investigation using sensor-based runtime execution data is presented. The method includes receiving aggregated runtime data from a sensor deployed on a resource in a cloud computing environment; generating an event log based on the aggregated runtime data, each event in the event log generated by extracting data from the aggregated runtime data; detecting in the event log a new software application identifier based on an event in the event log; and initiating inspection of the resource to detect a cybersecurity object, the cybersecurity object indicating the new software application.

Abstract: A system and method for inspecting private code repositories for cybersecurity issues is presented. The method includes accessing a private code repository, the private code repository including a plurality of code objects; generating a pull request including code for an inspector, the inspector configured to detect a cybersecurity object in a code object of the plurality of code objects; initiating the pull request in the private code repository; and receiving a result from the inspector, wherein the result includes an identifier of the code object and an identifier of a detected cybersecurity object, wherein the cybersecurity object indicates a cybersecurity issue.

Abstract: A system and method for self-injecting inspection workloads for cybersecurity inspection is presented. The method includes receiving access to a managed code repository including a plurality of code objects, each code object utilized to deploy a resource in a cloud computing environment; generating code for an inspector workload for deploying in a computing environment of the managed code repository; injecting the generated code in the managed code repository; initiating deployment of the inspector workload; and initiating a remediation action in the managed code repository based on a result received from the inspector workload.

Abstract: A system and method for cybersecurity remediation prioritization in a cloud computing environment is presented. The method includes inspecting a development pipeline of a production cloud computing environment for a cybersecurity issue; detecting the cybersecurity issue in the development pipeline; generating an alert based on the detected cybersecurity issue, the alert including a first priority indicator; determining an impact of the cybersecurity issue on the production cloud computing environment; updating the first priority indicator to a second priority indicator based on the determined impact; and initiating a remediation action in the cloud computing environment based on the second priority indicator.

Abstract: A system and method for initiating a remediation action based on an End-Of-Life (EOL) date of a software component deployed in a cloud computing environment is presented. The method includes inspecting resources of a cloud computing environment for a plurality of software components, each software component deployed on at least a resource; detecting software components from the inspection of resources deployed in the cloud computing environment; generating a software bill of materials (SBOM) for the cloud computing environment based at least on a detected software component, wherein the SBOM includes an identifier of the software component; determining for the detected software component an end of life (EOL) date, wherein the EOL date is determined based on vendor data; applying a policy including a conditional rule to the EOL date; and initiating a remediation action for the detected software in response to determining that the conditional rule is satisfied.

Abstract: A system and method for dynamically applying controls on a representation of a computing environment utilizing a language model is presented. The method includes generating a representation of the computing environment using a predefined data schema; receiving a natural language query based on the computing environment; generating a first prompt for the language model (LM), which when processed outputs an identifier of a policy; generating a second prompt for the LM, which when processed outputs a generated policy, based on: the data schema, and the natural language query; and applying the generated policy on the representation of the computing environment.

Abstract: A system and method for generating a cybersecurity policy for a computing environment is presented. The method includes generating a representation of a computing environment in a security database having a predefined data schema; receiving a natural language query; matching the natural language query to a preexisting policy of a policy engine, the policy engine configured to apply a policy on the representation; generating a prompt for a large language model (LLM) based on the natural language query and the preexisting policy; applying a first policy to the representation, the first policy extracted from a result of executing the prompt utilizing the LLM.

Abstract: A system and method provide detection of a malware attack path. The method includes detecting at a first time a malware object on a first workload deployed in the compute environment, wherein the first workload is represented by a first node in a security graph, the security graph including a representation of the compute environment; querying the security graph to detect a second node connected to the first node, wherein the connection indicates that the first workload represented by the first node can access a second workload represented by the second node; and generating an instruction to inspect the second workload represented by the second node at a second time, occurring after the first time.

Abstract: A system and method for inspecting a resource in an on-premises environment for a cybersecurity threat are disclosed. According to an embodiment, the method includes initiating a network communication between an on-premises environment and an inspection environment; scanning the on-premises environment for a workload, the workload including a disk; generating an inspectable disk based on the disk; providing access to an inspector deployed in the inspection environment to inspect the inspectable disk for a cybersecurity object; and releasing a resource allocated to the inspectable disk in response to detecting that inspection of the inspectable disk is complete.

Abstract: A system and method for inspecting virtual instances in a cloud computing environment for cybersecurity threats utilizing disk cloning. The method includes: selecting a virtual instance in a cloud computing environment, wherein the virtual instance includes a disk having a disk descriptor with an address in a cloud storage system; generating an instruction to clone the disk of the virtual instance, the instruction when executed causes generation of a cloned disk descriptor, the cloned disk descriptor having a data field including the address of the disk of the virtual instance; inspecting the cloned disk for a cybersecurity threat; and releasing the cloned disk in response to completing the inspection of the cloned disk.

Abstract: A system and method for parsing. A method includes querying a language model based on a code sample in order to obtain a second file, wherein outputs of the language model are refined based on a comparison between a set of expected results output by the language model for at least one set of example code and at least one first parser output obtained by inputting at least one first file to a parser; providing the second file to the parser in order to obtain a second parser output; and identifying at least one endpoint based on the second parser output.

Abstract: A system and method for agentless detection of sensitive data in a cloud computing environment is presented. The method includes inspecting a disk for a cybersecurity object, the cybersecurity object indicating sensitive data, wherein the disk is deployed in a cloud computing environment; extracting a data schema from the cybersecurity object, in response to detecting the cybersecurity object on the disk; generating a classification of the data schema; determining that the data schema corresponds to sensitive data based on the generated classification; detecting in the disk a plurality of data files, each data file including the data schema; generating in a security database: a representation of the data schema, and a representation of each data file; and rendering a visual representation of the cloud computing environment including a representation of the data schema based on a query result of the security database.

Abstract: A system and method for cybersecurity threat detection using an activity baseline generated based on sensor-detected runtime execution data is presented. The method includes: receiving aggregated runtime data from a sensor deployed on a resource in a cloud computing environment; generating an event log based on the aggregated runtime data, each event in the event log generated by extracting data from the aggregated runtime data; generating an activity baseline for a process executed on the resource based on the event log; receiving a new event from the sensor; and determining that the new event is anomalous based on the generated activity baseline.

Abstract: A system and method for reducing redundancy in inspecting container layers for cybersecurity objects includes: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: generate a diff output between a first container layer and a second container layer, wherein the second container layer is previously generated based off of the first container layer, wherein the diff includes at least an object; inspect the first container layer for a cybersecurity object; inspect the object for the cybersecurity threat; associate the cybersecurity object with the first container layer in response to detecting the cybersecurity object in the first container layer and not in the at least an object; and associate the cybersecurity object with the second container layer in response to detecting the cybersecurity object in the at least an object and not in the first container layer.

Abstract: A system and method for detecting a cybersecurity object in an operating system-level virtualization is presented. The method includes detecting an identifier of a code object in a software artifact, wherein the software artifact represents a software container deployed in a cloud computing environment; determining a location of the code object based on the software artifact; inspecting the code object for a cybersecurity object, wherein the cybersecurity object indicates a cybersecurity threat; detecting a cybersecurity object in the code object; and initiating a remediation action based on the cybersecurity object in response to detecting the cybersecurity object in the code object.

Abstract: A system and method for improving inspection of software containers deployed in a cloud computing environment is presented. The method includes detecting a plurality of configuration files, each configuration file corresponding to a software container deployed in the cloud computing environment; detecting a first plurality of commands in a first configuration file; generating a first fingerprint based on the first plurality of commands; detecting a second plurality of commands in a second configuration file; generating a second fingerprint based on the second plurality of commands; detecting a match based on the first fingerprint and the second fingerprint; and inspecting the first configuration file for a cybersecurity object in response to determining that the first configuration file matches the second configuration file.

Abstract: A method for detecting escalation paths in a cloud environment is provided. The method includes accessing a security graph representing cloud objects and their connections in the cloud environment; analyzing each cloud object to detect an escalation hop from a current cloud object to a next cloud object, wherein the analysis is based, in part, on a plurality of risk factors and reachability parameters determined for each cloud object; and marking the security graph with each identified escalation path in the security graph, wherein an escalation path is a collection of escalation hops from a source cloud object to a destination cloud object.