Hi HN! I’m Alex, and along with my co-founder Kunaal, we are thrilled to introduce SubImage (<a href="https://subimage.io">https://subimage.io</a>): a tool that lets your security team fix issues before they’re found by attackers. Teams use SubImage to map their infrastructure and emulate adversary behavior. Here’s a video of how I would use it to hack our own company: <a href="https://www.youtube.com/watch?v=P_meu4_aIVA" rel="nofollow">https://www.youtube.com/watch?v=P_meu4_aIVA</a>.<p>SubImage is our hosted offering built on top of Cartography (<a href="https://github.com/cartography-cncf/cartography">https://github.com/cartography-cncf/cartography</a>), the open source security graph that we created at Lyft in 2019, originally shared on HN here: <a href="https://news.ycombinator.com/item?id=19517977">https://news.ycombinator.com/item?id=19517977</a>. You can think of us as an open-core Wiz alternative.<p>In 2016, I worked on Microsoft’s Azure Red Team, where we built an infra mapping service to find the shortest paths to exploit our targets. We were so effective that the Blue Team wanted it too. In 2019, I joined Lyft, where we applied the same ideas to AWS and beyond, helping build and open-source Cartography. Over the past six years, it’s been incredible to grow the community and see over 70 companies (that I know of) use it.<p>Kunaal and I first worked closely together in 2020 when we helped bootstrap Lyft’s vulnerability management program and used Cartography as its backbone: <a href="https://eng.lyft.com/vulnerability-management-at-lyft-enforcing-the-cascade-part-1-234d1561b994" rel="nofollow">https://eng.lyft.com/vulnerability-management-at-lyft-enforc...</a>. This is actually where the name SubImage comes from: Lyft services are made up of one or more “SubImages”, and modeling this properly was such a memorable engineering challenge that we decided to name our company after it.<p>Cartography pulls metadata from multiple sources -- SaaS, cloud service providers, a company’s internal services -- and writes it to a graph database. This simple technique is incredibly powerful in modeling otherwise unseen misconfigurations and attack paths in areas like access permissions, networking, and software vulnerabilities.<p>SubImage picks up where Cartography leaves off: it’s a fully-hosted solution that provides specific recommendations for the problems it finds. The fix-action depends on company size: small teams might run AWS CLI commands, while larger orgs require automated infrastructure-as-code pull requests.<p>Here’s a video demo showing how we can use SubImage to understand and take action if our Stripe API key is unexpectedly used: <a href="https://www.youtube.com/watch?v=RBCr35hb5Hk" rel="nofollow">https://www.youtube.com/watch?v=RBCr35hb5Hk</a>.<p>SubImage also provides a natural language interface to quickly answer questions about our infra: <a href="https://imgur.com/a/subimage-natural-language-interface-query-graph-QL2ico5" rel="nofollow">https://imgur.com/a/subimage-natural-language-interface-quer...</a>.<p>Security is a competitive space, but we have a few differentiators:<p>First, we allow a very deep level of customization where the security team can enrich their graph with their own internal data, not just data from the major cloud providers. If it can be expressed as structured JSON, you can graph it; here’s a demo: <a href="https://www.youtube.com/watch?v=rvwDJoZaO_w" rel="nofollow">https://www.youtube.com/watch?v=rvwDJoZaO_w</a>. This flexibility is needed to answer questions like: Which storage buckets contain PII? Who owns them? Who’s on-call for <a href="https://example.com/api/payment" rel="nofollow">https://example.com/api/payment</a>? Which company director owns the most risk?<p>Since it’s built on Cartography, teams can also just write custom plugins in Python if they’d like: <a href="https://cartography-cncf.github.io/cartography/dev/writing-intel-modules.html" rel="nofollow">https://cartography-cncf.github.io/cartography/dev/writing-i...</a>.<p>Second, our core principle is actionability. Security teams drown in alerts. SubImage traces paths from critical assets to the most exploitable misconfigurations, helping teams cut through the noise and prioritize real threats.<p>Finally, we’re built on open source. We created Cartography and as it improves, so does SubImage. Cartography is a CNCF project (<a href="https://eng.lyft.com/cartography-joins-the-cncf-6f6b7be099a7" rel="nofollow">https://eng.lyft.com/cartography-joins-the-cncf-6f6b7be099a7</a>), which means that it is full open source and will remain so.<p>Going forward, we’re maintaining Cartography while launching SubImage as a fully managed offering. Our roadmap includes Access Management (prune excessive permissions and enforce security invariants, Change Tracking (detect and alert on infra changes that introduce risk), and Cloud & SaaS Misconfigurations (expand visibility, including vulnerability management).<p>Thanks for reading! If this sounds interesting, try out <a href="https://github.com/cartography-cncf/cartography">https://github.com/cartography-cncf/cartography</a>.<p>It’s an honor to share SubImage with HN, especially having followed projects here for over a decade. We’d love to hear your questions, feedback, and the challenges you face in security and infra!