Cloud Security

Closing the State Gap

How continuous cloud context eliminates blind spots in modern security operations

Setu Research
January 19, 2025·10 min read

The State Gap Problem

Modern cloud security faces a fundamental architectural problem: the tools designed to protect dynamic environments operate on static assumptions.

Consider the typical security stack. Your SIEM ingests logs and tells you what happened. Your CNAPP scans configurations and tells you what is misconfigured. Your EDR monitors endpoints and tells you what executed. But none of these tools can answer the question that matters most during an incident:

How do these layers interact in real time, and what can an attacker actually reach?

This is the state gap—the chasm between what your security tools see and what your environment actually looks like at any given moment.

Four Symptoms of the State Gap

1. Visibility Delays

Most cloud security posture management (CSPM) platforms scan once or twice daily. In a cloud environment where infrastructure changes continuously—auto-scaling groups spinning up instances, IAM policies being modified, network rules being updated—any configuration change between scans creates a blind spot.

The math is unforgiving: with a 12-hour scan interval, you have no visibility into what happens during 95% of the day.

2. Fragmented Context

Security teams operate across disconnected tools, each with its own data model and vocabulary. The identity team sees users and permissions. The cloud team sees resources and configurations. The SOC sees alerts and incidents. But when an attacker moves laterally from a compromised identity to a misconfigured S3 bucket containing sensitive data, no single tool captures that attack path.

3. Speed-Detection Mismatch

Adversary metrics tell a stark story: e-crime breakout times average 48 minutes, while median dwell time remains 7 days. Attackers move at machine speed through environments that defenders can only inspect through periodic snapshots. By the time a daily scan detects a misconfiguration, an attacker may have already exploited it, established persistence, and exfiltrated data.

4. Alert Fatigue Without Insight

Security teams are drowning in alerts—but almost 40% of that data lacks enough context to be actionable. A finding that says "S3 bucket is publicly accessible" is meaningless without knowing: Does this bucket contain sensitive data? Who has access to modify its permissions? What identity paths lead to it? Without exploitability context, teams waste cycles investigating theoretical risks while actual exposures go unaddressed.

The Solution: Continuous Cloud Context

Closing the state gap requires a fundamental shift from periodic scanning to continuous awareness—what industry analysts call a Cloud Twin Architecture. This is a stateful, continuously-updated model that maintains real-time awareness of configuration, identity, and network reachability across your cloud environment.

Setu implements this architecture through four core capabilities:

1. Live Graph Updates

Instead of periodic scans that create blind spots, Setu maintains a continuously-updated graph of your cloud environment using distributed Durable Objects at the edge. Each tenant has an isolated graph database that processes changes in real-time, tracking:

  • Identities: Users, service accounts, roles, API keys, and their relationships across AWS IAM, Azure AD, Okta, and other identity providers
  • Resources: Compute instances, databases, storage buckets, network configurations, and their security posture
  • Relationships: Who can access what, through which paths, with what permissions

Graph updates flow through an event-driven pipeline, ensuring that permission changes, resource modifications, and configuration drift are reflected within minutes—not hours or days.

2. Impact Analysis and ECI

Every finding in Setu includes exploitability context through automated ECI analysis. When a vulnerability or misconfiguration is detected, the platform immediately calculates:

  • Reachable resources: What assets can be accessed if this identity is compromised?
  • Attack paths: What sequence of permissions and relationships enables lateral movement?
  • Business impact: Which crown-jewel systems fall within the impact zone?

This transforms raw findings into prioritized risks. A misconfigured IAM role with access to 3 non-production resources is very different from one with paths to production databases containing customer PII—even if both trigger the same CSPM rule.

3. ML-Driven Triage and Anomaly Detection

Setu's ML analytics layer processes behavioral signals continuously, building per-entity baselines and detecting anomalies that indicate compromise or policy violation:

  • Behavioral baselines: Normal login patterns, access patterns, and resource usage for each identity
  • Anomaly detection: Statistical and ML-based detection running every 15 minutes, with automatic MITRE ATT&CK mapping
  • Toxic combination detection: Identification of dangerous permission combinations that enable privilege escalation
  • Risk scoring: Multi-factor scoring that combines behavioral, vulnerability, compliance, and threat intelligence signals

This shifts the SOC from reactive alert triage to proactive threat hunting, focusing attention on actual anomalies rather than theoretical findings.

4. Attack Path Discovery

Using graph algorithms, Setu continuously discovers attack paths through your environment—the sequences of permissions and relationships that an attacker could chain together to reach critical assets. Each path is scored by:

  • Attack difficulty: How hard is this path to exploit? (trivial, easy, medium, hard)
  • Detection likelihood: What's the probability of detecting exploitation?
  • Impact type: Does this path lead to data breach, privilege escalation, or service disruption?
  • Mitigation options: What controls could block this path?

This enables response simulation—security teams can model the consequences of remediation actions before executing them, ensuring that fixes don't create new exposures.
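The impact analysis in section 2 and the attack path discovery above can both be illustrated on one small graph. The following is an added example, not Setu's code: a constructed tenant graph with hypothetical identities, roles and resources, a BFS that computes the impact zone of a compromised identity, a depth-first walk that enumerates simple attack paths to a crown-jewel asset and scores each by its hardest hop, and a prioritizer that ranks two identities that tripped the same CSPM rule by what they can actually reach.

```python
from collections import deque

# Constructed sample tenant graph (hypothetical names): identities and resources
# as nodes, permission/trust edges with a hop difficulty (1=trivial .. 4=hard).
EDGES = [
    ("user:alice", "role:ci-deploy", "sts:AssumeRole", 1),
    ("role:ci-deploy", "bucket:build-artifacts", "s3:GetObject", 1),
    ("role:ci-deploy", "role:prod-admin", "sts:AssumeRole", 3),
    ("role:prod-admin", "db:customers-prod", "rds:Connect", 1),
    ("role:prod-admin", "bucket:build-artifacts", "s3:PutObject", 1),
    ("user:bob", "bucket:build-artifacts", "s3:GetObject", 1),
]
CROWN_JEWELS = {"db:customers-prod"}
DIFFICULTY = {1: "trivial", 2: "easy", 3: "medium", 4: "hard"}

def build_graph(edges):
    graph = {}
    for src, dst, rel, diff in edges:
        graph.setdefault(src, []).append((dst, rel, diff))
    return graph

def reachable(graph, start):
    """Impact zone: every node an attacker holding `start` could reach (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        for dst, _, _ in graph.get(queue.popleft(), []):
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}

def attack_paths(graph, start, targets):
    """Simple paths from `start` to a crown jewel, scored by the hardest hop
    (the attacker must clear every hop, so the hardest one bounds the path)."""
    found = []
    def walk(node, visited, hops, hardest):
        if node in targets:
            found.append({"hops": hops, "score": hardest, "difficulty": DIFFICULTY[hardest]})
            return
        for dst, rel, diff in graph.get(node, []):
            if dst not in visited:  # simple paths only, no cycles
                walk(dst, visited | {dst}, hops + [f"{node} -[{rel}]-> {dst}"],
                     max(hardest, diff))
    walk(start, {start}, [], 1)
    return sorted(found, key=lambda p: (p["score"], len(p["hops"])))

def prioritize(graph, flagged):
    """Rank identities that tripped the same CSPM rule: crown-jewel reach first, then zone size."""
    zones = {i: reachable(graph, i) for i in flagged}
    return sorted(flagged, reverse=True,
                  key=lambda i: (bool(zones[i] & CROWN_JEWELS), len(zones[i])))
```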

Architecture: Built for Real-Time at Scale

Delivering continuous cloud context requires architecture that can process high-velocity change streams without introducing latency or reliability concerns. Setu achieves this through:

Edge-Native Processing

The platform runs on Cloudflare's global edge network, with specialized workers handling distinct processing tasks:

  • Scanner workers: Cloud-native discovery for AWS, Azure, GCP, OCI, and Kubernetes
  • Normalization workers: Transform vendor-specific data into unified schemas
  • Graph workers: Maintain per-tenant graph state with sub-second update latency
  • Analytics workers: Run behavioral analysis and anomaly detection continuously

Multi-Graph Context

Setu maintains multiple interconnected graphs that can be queried together:

  • Identity Graph: Human and non-human identities across all providers
  • Infrastructure Graph: Resources, services, and their dependencies
  • Control Graph: Permissions, policies, and trust relationships
  • NHI Graph: API keys, tokens, certificates, and service accounts

Cross-graph queries enable answers to questions that no single-domain tool can address: "Which non-human identities have paths to production databases through assume-role chains?"

Hierarchical Caching

To deliver query performance that enables interactive investigation, the platform implements hierarchical caching through Durable Objects:

Query Type       Response Time   Use Case
Hot paths        <10ms           Real-time dashboards
Cached queries   10-30ms         Interactive investigation
Cold queries     30-100ms        Deep graph traversal

This performance enables security teams to explore attack paths interactively during incident response, rather than waiting for batch reports.

Complementing Your Existing Stack

Continuous cloud context doesn't replace your SIEM, CNAPP, or EDR—it provides the missing layer that connects them. Setu integrates with existing security tools to:

  • Enrich SIEM alerts with identity context and ECI
  • Prioritize CNAPP findings based on actual exploitability
  • Correlate EDR signals with cloud-layer attack paths
  • Inform SOAR playbooks with real-time environment state

The goal is not another tool to manage—it's the connective tissue that makes your existing tools more effective.

What's Actually Novel Here (And What Isn't)

A fair reader will note that streaming CSPM and live-graph CNAPPs exist in 2026 — Wiz, Orca, and Sysdig all stream configuration updates. The claim worth making is narrower and more honest:

The temporally-unbounded entity graph is novel not because the storage architecture is clever in isolation, but because decoupling entity state from event TTL enables a class of detections that is mathematically undefined under conventional event-TTL retention — specifically dormancy-reawakening ("identity last seen 180 days ago just authenticated"), first-seen-in-tenant-lifetime ("this credential has never touched this resource in the two-year window we have data for"), and déjà-vu correlation across gaps longer than any single event's TTL. A SIEM with 90-day hot retention literally cannot answer these questions. A streaming graph that forgets events but remembers entities can.

The storage trick alone doesn't impress. The detection class it enables does. The rigor is in the Family XII patent filing for readers who want the formal treatment.
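The point that entity state must outlive event retention can be shown in a few dozen lines. The following is an added example, not Setu's implementation or the patent's formal treatment: an in-memory store that prunes events after a 90-day TTL the way a SIEM hot tier would, but keeps per-identity last_seen and every (identity, resource) pair ever observed. On a constructed timeline it raises the two detections named above, dormancy-reawakening and first-seen-in-tenant-lifetime, and records that the event window alone could not have produced the first one. Entity names and thresholds are assumptions.

```python
from datetime import datetime, timedelta

EVENT_TTL = timedelta(days=90)    # hot retention of the event store, as in a SIEM
DORMANCY = timedelta(days=180)    # inactivity gap after which an identity is dormant

class EntityGraph:
    """Entity state decoupled from event TTL: events are pruned after EVENT_TTL,
    but per-identity last_seen and every (identity, resource) pair ever observed
    are kept for the tenant's lifetime (assumed in-memory here)."""
    def __init__(self):
        self.events = []           # (ts, identity, resource), hot window only
        self.last_seen = {}        # identity -> last activity, never pruned
        self.ever_touched = set()  # (identity, resource) pairs, never pruned

    def ingest(self, ts, identity, resource):
        # Expire events outside the hot window, exactly as a TTL-bound store would.
        self.events = [e for e in self.events if ts - e[0] < EVENT_TTL]
        # What the event window alone still knows about this identity.
        event_prev = max((e[0] for e in self.events if e[1] == identity), default=None)
        prev = self.last_seen.get(identity)  # entity state survives the pruning
        findings = []
        if prev is not None and ts - prev >= DORMANCY:
            findings.append({"type": "dormancy_reawakening", "identity": identity,
                             "gap_days": (ts - prev).days,
                             "visible_from_events_alone": event_prev is not None})
        if prev is not None and (identity, resource) not in self.ever_touched:
            # A known identity touching a resource it has never touched before.
            findings.append({"type": "first_seen_pair", "identity": identity,
                             "resource": resource})
        self.ever_touched.add((identity, resource))
        self.last_seen[identity] = ts if prev is None else max(prev, ts)
        self.events.append((ts, identity, resource))
        return findings

def demo():
    """Constructed timeline: a service account is active, goes quiet for about
    200 days, then reaches a database it has never used."""
    g = EntityGraph()
    t0 = datetime(2024, 1, 1)
    g.ingest(t0, "svc:backup-runner", "bucket:nightly-dumps")
    g.ingest(t0 + timedelta(days=1), "svc:backup-runner", "bucket:nightly-dumps")
    return g.ingest(t0 + timedelta(days=200), "svc:backup-runner", "db:customers-prod")

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```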

From Periodic Scanning to Continuous Awareness

The state gap is not a tool problem—it's an architecture problem. Periodic scanning made sense when cloud environments changed slowly and attack timelines were measured in weeks. Neither assumption holds today.

Modern cloud security requires continuous awareness: real-time visibility into configuration changes, unified context across identity and infrastructure, and automated prioritization based on actual exploitability. This is the foundation for security operations that can keep pace with both cloud-native development and modern adversaries.


Summary

The state gap emerges when static security tools attempt to protect dynamic environments. Closing it requires continuous cloud context—live graph updates, impact analysis, ML-driven triage, and attack path discovery operating as an integrated system.

Security teams that close the state gap shift from reactive alert triage to proactive exposure management, focusing resources on actual risks rather than theoretical findings.
