Saner Cloud Security Posture Anomaly

Spot cloud risks, score anomalies, and fix misconfigurations with context

Saner Cloud Security Posture Anomaly, or CSPA, is built to identify deviations in cloud security posture that indicate misconfigurations, policy violations, unusual states, or operational drift across AWS, Azure, and GCP. It evaluates cloud posture data against predefined rules, thresholds, and confidence logic, then surfaces anomalies through a scan-updated dashboard that supports prioritization, detection, whitelisting, and remediation.

How it works

Powered by SecPod & USI

Saner Cloud Posture Anomaly is SecPod’s own cybersecurity innovation, built from years of security research, platform engineering, and real-world exposure analysis. Powered by SecPod’s AI, machine learning, and statistical compilation, it helps detect anomalous conditions and eliminate them.

Your first 30 days with Saner

From deployment to measurable risk reduction — here is what to expect.

Immediate visibility into posture anomalies and confidence-scored risk

CSPA begins evaluating scan data for posture deviations and surfaces them through anomaly distribution, density, radar, and detailed anomaly views. Security teams gain an initial operational baseline that shows how many anomalies exist, how strongly the system believes they represent legitimate risk, which cloud categories are most affected, and which issues need immediate validation or response.

Faster triage through category, region, and anomaly-level context

With repeated scan cycles, teams can move beyond raw finding volume and begin prioritizing based on confidence level, anomaly concentration, affected-resource count, region, and category. This reduces alert fatigue and improves how quickly analysts separate critical posture failures from accepted exceptions or lower-priority drift.

Closed-loop remediation and stronger configuration hygiene

Over time, CSPA supports a tighter posture-management cycle by combining active anomaly monitoring, anomaly trend tracking, normalized-state visibility, whitelist management, and remediation handoff through CSRM. That enables teams to reduce recurring posture gaps, clean up noise, and maintain a more stable security baseline across cloud providers.

Key Features

Everything you need to stay ahead of threats.

Cloud Security Posture Anomaly Detection

Detect cloud posture deviations using scan-driven anomaly computation across identities, compute, governance, networking, storage, and other control domains.

CSPA analyzes continuously scanned cloud datasets against predefined rules to detect anomalous states that may indicate misconfigurations, policy violations, risky drift, or operational inconsistencies. Instead of exposing teams only to static failed checks, it organizes deviations into investigation-ready anomaly records with confidence, category, resource, and regional context.

Confidence Level Based Prioritization

Assign anomaly confidence levels so remediation starts with issues most likely to represent real risk.

CSPA classifies anomalies into high, medium, and low confidence categories using machine-learning or pre-assigned severity logic. High-confidence anomalies indicate conditions that likely require immediate action, medium-confidence anomalies indicate cases that need further validation, and low-confidence anomalies represent lower-severity conditions. This confidence model makes anomaly triage faster and more defensible.

Posture Anomaly Distribution Dashboard

View total anomaly volume and confidence-tier distribution to quickly assess risk concentration across the environment.

The Posture Anomaly Distribution view summarizes the total number of detected anomalies and breaks them down into high-, medium-, and low-confidence scores. This gives security teams an immediate picture of the risk landscape and helps structure around likely business impact rather than raw finding count alone. The same view also supports organization-level understanding of anomaly distribution across AWS, Azure, and GCP.

Posture Anomaly Density Analysis

Identify clusters of posture issues using anomaly density visualizations that highlight concentration by category.

CSPA uses a bubble chart to show where posture anomalies are clustering. Each bubble represents a grouped anomaly set, and bubble size reflects the number of anomalies within that area. This makes it easier to detect concentration hotspots, identify domains with recurring control failures, and drill into anomaly parameters such as ID, title, and affected-resource count for focused remediation planning.

Category-Aware Radar Analysis

Analyze the categories that accumulate the highest posture anomaly volume across AWS, Azure, and GCP.

The Posture Anomaly Radar shows which cloud categories are contributing the most significant posture anomalies. The category model is provider-aware, with AWS, Azure, and GCP represented through different domain groupings. This allows teams to assess whether anomaly concentration is increasing in areas such as Security, Identity and Compliance, Compute, Management and Governance, Networking, Monitoring, Analytics, Storage, or Functions, depending on the provider in use.

Detailed Anomaly Investigation

Dig deep into structured anomaly records with ID, title, summary, profile, region, category, confidence, resource count, and fix action.

The Posture Anomaly Details view acts as the main investigation table for CSPA. Each anomaly record includes a structured rule ID, human-readable title, summary of evaluated versus affected resources, profile, region, category, confidence level, detected timestamp, and a fix action. Opening the anomaly ID or summary reveals deeper context such as anomaly data, anomaly status, trends over time, and region-wise mapping. The view also supports sorting, filtering, searching, pagination controls, CSV export, and toggling of whitelisted anomalies.

Detected and Remediated Anomaly Tracking

Track active anomalies and normalized states from the same operational view.

The All Anomalies view presents anomalous findings and normalized or remediated conditions in a tile-based format. Red tiles highlight currently anomalous states that need attention, while green tiles represent normalized conditions. Each anomaly tile includes the anomaly ID, a short description, and the rule-specific anomaly count. This gives teams a clearer understanding of remediation progress and helps distinguish current exposure from already corrected posture issues.

Anomaly Trends Over Time

Track whether anomaly counts are increasing, stabilizing, or declining after scan cycles and remediation actions.

CSPA includes anomaly trend views that show the count of posture anomalies over time. Because this data is updated after each scan, teams can use it to identify risks, validate whether remediation efforts are reducing anomaly volume, detect spikes introduced by recent changes, and measure posture stability over longer periods. Organization-level views also show anomaly trends across AWS, Azure, and GCP.

Anomaly Whitelisting

Exclude accepted anomaly IDs or specific resources from ongoing scan attention without disabling broader posture analysis.

CSPA supports whitelisting at both the anomaly-rule level and the resource-instance level. This helps teams suppress findings that are intentional, environment-specific, not applicable, or temporarily unavoidable. Examples in the guide include public S3 buckets used for public websites, MFA rules that do not apply in federated environments, and legacy systems that cannot yet adopt preferred cryptographic or control settings. Whitelisted items remain reviewable through the dashboard and can be toggled on or off in the details view.

Search and Retrieval of Anomaly Data

Query anomaly data using operational fields such as rule ID, CSPA ID, profile, region, category, and detection date.

CSPA supports direct retrieval of anomaly data through search fields that include Rule ID, CSPA ID, Profile Name, Region, Category, Creation Date, Detected Date, and Title. This makes the platform usable not only as a dashboard, but also as a targeted anomaly investigation surface for analysts who need to retrieve findings quickly during remediation, reporting, or validation workflows.

Streamlined Remediation Workflows

Launch patching and corrective action directly from anomaly context through CSRM.

CSPA integrates remediation into the anomaly workflow through fix actions exposed in the dashboard. Selecting the wrench icon redirects users into CSRM, where the CSPA tabular listing opens to begin the patching sequence. This lets teams move directly from anomaly identification to response execution without manually recreating remediation scope in a separate workflow.