Multi-cloud defensive validation toolkit for CSPM / CNAPP detection, telemetry, and investigation workflows in authorized environments.
CloudToolKit gives security teams a practical way to verify whether cloud controls are discoverable, detectable, alertable, and investigable before those gaps matter in production.
| Advantage | What it gives defenders |
|---|---|
| 9-cloud coverage | One workflow across major global and China cloud providers. |
| Asset-first inventory | Hosts, databases, buckets, domains, accounts, logs, SMS assets, and billing-plane signals where supported. |
| Validation payloads | Focused checks for identity lifecycle, credential lifecycle, role bindings, storage exposure, audit events, instance command telemetry, and database account changes. |
| Replay mode | `demo` drives providers against in-memory replay fixtures, so detection logic can be tested without live cloud calls. |
| Conservative claims | Capabilities are advertised only when drivers, replay paths, and focused tests are in place. |
Every provider supports `cloudlist` asset enumeration. Asset categories include host / database / bucket / domain / account / log / sms / balance where the cloud has a native equivalent.
Validation payload coverage:
| Cloud | iam | bucket | event | cmd | rds | role | acl | cred |
|---|---|---|---|---|---|---|---|---|
| ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| ✓ | — | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| ✓ | ✓ | — | ✓ | — | ✓ | ✓ | — | |
| ✓ | ✓ | ✓ | — | ✓ | ✓ | ✓ | — |
Legend: iam = user lifecycle · bucket = object visibility · event = audit log review · cmd = instance command telemetry · rds = database account lifecycle · role = privilege binding change · acl = storage exposure · cred = long-lived credential lifecycle. — = no native equivalent or pending validation.
```bash
go build --ldflags "-s -w" -trimpath -o ctk cmd/main.go
./ctk                                      # interactive REPL
./ctk <provider> <action> [args] [flags]   # headless one-shot
```

Try `demo` inside the REPL to drive any provider against an in-memory replay (no live cloud calls).
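
The replay idea described above, sketched as an added example that is not CloudToolKit's own code: an `http.RoundTripper` that serves in-memory fixtures and fails closed on any unrecorded request, so a detection check can be tested with no live cloud calls. The names `replayTransport`, `auditEvent`, `identityChanges` and `sampleFixtures`, the `audit.invalid` endpoint, and the event data are all assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// replayTransport (hypothetical name) answers "METHOD host/uri" from memory.
type replayTransport map[string]string

func (r replayTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	body, ok := r[req.Method+" "+req.URL.Host+req.URL.RequestURI()]
	if !ok { // fail closed: an unrecorded call errors out, it never goes live
		return nil, fmt.Errorf("replay: no fixture for %s %s", req.Method, req.URL)
	}
	return &http.Response{StatusCode: http.StatusOK, Body: io.NopCloser(strings.NewReader(body))}, nil
}

type auditEvent struct{ Name, Actor string }

// identityChanges is the detection logic under test: it reads audit events
// over the given transport and keeps the identity-lifecycle ones.
func identityChanges(rt http.RoundTripper, url string) ([]auditEvent, error) {
	resp, err := (&http.Client{Transport: rt}).Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var all, hits []auditEvent
	if err := json.NewDecoder(resp.Body).Decode(&all); err != nil {
		return nil, err
	}
	for _, e := range all {
		if e.Name == "CreateUser" || e.Name == "CreateAccessKey" {
			hits = append(hits, e)
		}
	}
	return hits, nil
}

// sampleFixtures is constructed data, not captured provider output.
var sampleFixtures = replayTransport{
	"GET audit.invalid/events": `[{"name":"CreateUser","actor":"lab"},
		{"name":"ListBuckets","actor":"lab"},{"name":"CreateAccessKey","actor":"lab"}]`,
}

func main() {
	fmt.Println(identityChanges(sampleFixtures, "https://audit.invalid/events"))
}
```

Because the transport returns an error for any request without a fixture, a test that passes under replay cannot have touched a real account.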
Use only on owned, lab, internal, or explicitly authorized customer environments to verify detection coverage, telemetry quality, investigation workflow, and control effectiveness. CloudToolKit is not a stealth, bypass, or unauthorized intrusion utility and must not be used against third-party environments without permission.
- Wiki — usage, payload references, replay walkthroughs