Documentation

Everything you need to get started with CGPulse and maintain cloud compliance.

Getting Started

1. Connect your cloud account

Navigate to Cloud Accounts and connect your Azure tenant or AWS account. CGPulse uses read-only access to scan your infrastructure - it never modifies resources during scanning.

  • Azure: Sign in with Microsoft Entra ID. CGPulse needs Reader role on the subscription.
  • AWS: Create a cross-account IAM role with ReadOnlyAccess policy. CGPulse uses STS AssumeRole.

2. Run your first scan

Go to Scan, select one or more accounts, and click Scan Now. The scan takes 1-5 minutes depending on resource count. Scans check resource configurations against policy rules.

3. Track compliance initiatives

In Track & Evaluate, select the compliance frameworks relevant to your organization (SOC 2, ISO 27001, HIPAA, etc.) and click Track. CGPulse will evaluate your resources against the tracked initiatives and show compliance scores.

4. Review results and remediate

Results shows all findings grouped by initiative or resource type. Each finding shows the affected resource, the rule violated, the severity, and the recommended fix. For each finding, use one-click Fix or Resolve (mark as Fixed, Accepted Risk, or Not Applicable).

Who uses CGPulse?

Real workflows for real teams. See how each role gets value from day one.


Cloud Security Engineer

Find misconfigurations before attackers do

“We went from manually checking 200 resources in spreadsheets to scanning 2,500 resources across 12 subscriptions in under 3 minutes. Found 47 critical misconfigs on day one.”

  • 3 min: Full environment scan
  • 1-click: Auto-remediation
  • 621: Policy rules
  • 24/7: Scheduled monitoring

Your workflow:

  • Connect all tenants
  • Schedule daily scans
  • Dashboard shows drift overnight
  • One-click fix for storage & NSG issues
  • Export Terraform for complex fixes
  • Weekly PDF to leadership

Compliance Officer / GRC Manager

Prove compliance with evidence, not promises

“Our SOC 2 audit prep went from 3 months of chasing engineers for evidence to 2 weeks of reviewing automated reports. The auditor loved the per-control evidence trail.”

  • 75%: SOC 2 coverage
  • 76%: HIPAA coverage
  • 58%: ISO 27001 coverage
  • 19: Frameworks supported

Your workflow:

  • Track SOC 2 + HIPAA
  • Automated checks run daily
  • Resolve manual controls with evidence
  • Mark accepted risks with reasons
  • Export compliance PDF for auditor
  • Full audit trail in Audit Log

DevOps / Platform Engineer

Compliance as code, in your pipeline

“We added a 3-line API call to our GitHub Actions workflow. Now every PR that touches infra gets a compliance check, and failing deploys get a Terraform fix file attached automatically.”
# GitHub Actions - fail if critical findings
# The JSON body is double-quoted so the shell expands $SUB_ID
curl -s -H "X-API-Key: $CGP_KEY" \
  "$CGP_URL/api/v1/scans" -X POST \
  -d "{\"subscriptionId\":\"$SUB_ID\"}"
# Poll → check criticalCount → fail or pass

  • REST API: Full CI/CD integration
  • MCP: Claude AI in your IDE
  • Terraform + Bicep + CLI export

CTO / VP Engineering

One dashboard, all clouds, real-time posture

“Board asked ‘what’s our security posture?’ - I opened the dashboard on my phone and showed them 87% compliance across Azure and AWS in real time. Conversation over in 30 seconds.”

You see:

  • Aggregate compliance % across all cloud accounts
  • Severity breakdown (critical/high/medium/low)
  • Worst subscriptions highlighted in Heatmap
  • Trend over time
  • Weekly PDF auto-emailed to leadership
  • Team RBAC - engineers fix, you oversee

HIPAA Privacy Officer

ePHI protection with evidence checklists

“CGPulse covers 76% of HIPAA controls - both the technical safeguards (automated) and the administrative ones (manual with verification checklists). Our annual assessment prep is now a week, not a quarter.”

Covered:

  • Security Officer designation
  • Risk analysis
  • BAA inventory
  • Contingency plan testing
  • Breach notification
  • Facility access controls
  • Encryption & access control checks
  • Audit logging verification

Data Protection Officer (GDPR)

Technical + organizational data protection in one place

“Finally a tool that tracks both the encryption settings AND whether we’ve done our DPIAs. The verification checklists for ROPA, consent management, and breach procedures save us hours of spreadsheet work.”

Covered:

  • ROPA (Art.30)
  • Lawful basis documentation
  • DPIA process
  • Consent management
  • Data subject rights (access, erasure, portability)
  • 72-hour breach notification
  • DPA agreements
  • International transfer safeguards
  • Privacy by design verification

Scanning

What does a scan check?

A scan reads resource metadata via Azure ARM API or AWS APIs (read-only) and evaluates configurations against policy rules. Examples:

  • Storage accounts: HTTPS-only, TLS version, public access, encryption
  • Key Vaults: soft delete, purge protection, RBAC, private endpoints
  • VMs: managed identity, disk encryption, trusted launch, extensions
  • NSGs: open SSH/RDP/HTTP from internet
  • Databases: public access, TLS, backup retention, encryption
  • S3 buckets: versioning, encryption, public access block
  • EC2 instances: IMDSv2, monitoring, IAM roles

Scan frequency

Manual scans can be triggered anytime. Scheduled scans support Daily, Weekly (pick day), and Monthly (pick date) frequencies. Scans are queued via Service Bus and processed by Azure Functions for reliability.

Scan limits

Scan limits depend on your plan:

  • Free: 10 scans/month, 2 cloud accounts
  • Team: 50 scans/month, 10 cloud accounts
  • Business: Unlimited scans and accounts

Compliance Frameworks

CGPulse evaluates your infrastructure against 19 compliance frameworks. Each framework includes automated checks (infrastructure configuration) and manual controls (organizational/procedural - verified by your team via evidence checklists).

| Framework | Coverage | Automated | Manual | Scope |
|---|---|---|---|---|
| Azure Foundations | 100% | 177 | 0 | Azure infrastructure security |
| AWS Foundations | 100% | 170 | 0 | AWS infrastructure security |
| Cloud Security Baseline | 83% | 166 | 0 | Azure security recommendations |
| HIPAA | 76% | 26 | 15 | Technical + administrative safeguards |
| SOC 2 Type II | 75% | 32 | 16 | Trust Services Criteria CC1-CC9 |
| CIS AWS Foundations v3 | 62% | 34 | 0 | CIS Benchmark automated checks |
| ISO 27001:2022 | 58% | 34 | 20 | Annex A.5-A.8 + ISMS audit |
| GDPR | 40% | 26 | 14 | Technical measures + data rights |
| CIS Controls v8 | 24% | 22 | 14 | IG1-IG2 technical safeguards |
| PCI DSS v4.0 | 17% | 28 | 16 | Network, encryption, access, testing |
| NIST 800-53 | 4% | 32 | 18 | AC, AU, CM, IA, SC, SI families |

Manual controls appear as findings with verification checklists. Your team marks them as “Resolved” by providing evidence (e.g., “BCP tested on 2026-03-15, results in Confluence”). This creates an audit trail visible in the compliance report.

Remediation

Auto-fix

For supported rules, click Fix on a finding to apply the remediation automatically. Dangerous fixes (e.g., disabling public access) show a warning and require confirmation. CGPulse supports auto-fix for Azure (Storage, KeyVault, NSG, VM, SQL, Redis, App Service) and AWS (S3, EC2, RDS).

IaC export

For complex remediations, generate infrastructure-as-code templates:

  • Terraform - per-resource-group modules with provider configuration
  • Bicep - ARM-compatible templates with subscription-scope deployment
  • CLI - Bash script with az / aws commands

Templates include real resource names and SKUs from your snapshot. AI review scores the template quality.

Resolving findings

  • Resolve - mark finding as Fixed, Accepted Risk, or Not Applicable with details and optional review expiry
  • Re-open - revert a resolved finding when conditions change

API & Integrations

REST API

Full REST API at /api/v1/ with endpoints for scans, compliance, policies, initiatives, evaluations, schedules, resolutions, and remediation. Authenticate with API keys created in Settings → API Keys.

API Reference (Scalar)

MCP Server (AI Integration)

CGPulse exposes an MCP server for AI assistants (Claude, Copilot). Connect from your IDE to query compliance data, list scans, resolve findings, or generate reports via natural language.

External Database

Sync scan results to your own Cosmos DB for custom analytics, Grafana dashboards, or data warehouse integration. Configure in Settings → External Database.

Changelog

Current version: v1.1.0

v1.1.0 - April 2026

Actionable feedback + hardening

  • Actionable user feedback — admins triage submissions through Open / InProgress / Closed / WontFix from /admin/feedback, with optional reply sent to the author by email.
  • Feedback reference codes — each submission gets a short handle (FB-XXXXXXXX) shown in the form success, email subject and body, and admin search.
  • AI scan summaries live on Business plan (Anthropic backend wired in production).
  • AWS cross-account hardening — prod credentials now bound unconditionally via Key Vault references; connection-test error path surfaces meaningful messages.
  • UI resilience — Copy buttons across the portal never throw regardless of browser clipboard state.
  • Infra regression tests — Bicep secret-binding and AI service gating pinned by xUnit tests to prevent silent wipes.

v1.0.0 - April 2026

Initial public release

  • Multi-cloud scanning - Azure (30+ enrichers) and AWS (S3, EC2, RDS, IAM, Lambda, CloudTrail)
  • 19 compliance frameworks - SOC 2, ISO 27001, HIPAA, GDPR, PCI DSS, NIST 800-53, CIS v8, CIS AWS v3, and more
  • 621 policy rules - 305 Azure, 175 AWS, 16 cross-cloud, 95+ manual controls
  • Auto-remediation - one-click fix for Azure and AWS resources
  • IaC export - Terraform, Bicep, and CLI remediation templates with AI quality scoring
  • Scheduled scans - daily, weekly, monthly, hourly (Business plan)
  • Compliance reports - PDF export for compliance, heatmap, audit readiness, and audit log
  • Resolve workflow - mark findings as Fixed, Accepted Risk, or Not Applicable with evidence trail
  • Custom initiatives - build your own compliance frameworks from the rule catalog
  • REST API - 26 endpoints with Scalar documentation
  • MCP server - 16 tools for AI-assisted governance (Claude, Copilot)
  • RBAC - Owner, Admin, Contributor, Viewer roles
  • External database sync - push results to your own Cosmos DB

FAQ

Does CGPulse make me SOC 2 / ISO 27001 compliant?

No. CGPulse is a posture assessment tool that checks technical and organizational controls against these frameworks. It helps you identify gaps and track remediation, but formal certification requires an accredited auditor. CGPulse reports can serve as supplementary evidence during an audit.

Does CGPulse modify my cloud resources?

Scanning is read-only. Auto-remediation (Fix button) does modify resources, but only when you explicitly click “Apply Fix” and confirm. Dangerous changes show a warning. You can always use the IaC export (Terraform/Bicep) to apply changes through your own change management process.

Where is my data stored?

All data is stored in Azure Cosmos DB in the EU (North Europe) region with encryption at rest. Each tenant’s data is isolated using per-tenant partition keys. See our Privacy Policy for full details.

What permissions does CGPulse need?

Azure: Reader role on subscriptions. For auto-remediation: Contributor on specific resources.
AWS: ReadOnlyAccess IAM policy via cross-account role. Auto-fix needs specific write permissions (S3, EC2, RDS).
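
As an added example (not CGPulse code), this Python check audits a scan-only AWS role of the kind described here and under "Connect your cloud account": only the scanner's account may assume it, and ReadOnlyAccess is the only attached policy. The account ID and external ID are constructed placeholders, and the sts:ExternalId check follows AWS's general guidance for third-party cross-account roles; this page does not say whether CGPulse issues one.

```python
# Added example, not CGPulse code. Account and external IDs are constructed.
READ_ONLY = "arn:aws:iam::aws:policy/ReadOnlyAccess"  # AWS managed policy

def as_list(value):
    """IAM JSON allows a bare string or dict where a list is expected."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit_scanner_role(trust_policy, attached_policy_arns, scanner_account):
    """Return findings; an empty list means the role matches the scan-only setup."""
    findings, allows_assume = [], False
    for stmt in as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action")):
            continue
        allows_assume = True
        principal = stmt.get("Principal") or {}
        if principal == "*":
            principal = {"AWS": "*"}
        for kind, values in principal.items():
            for p in as_list(values):
                ok = kind == "AWS" and (
                    p == scanner_account or p.startswith(f"arn:aws:iam::{scanner_account}:"))
                if not ok:
                    findings.append(f"unexpected trusted principal ({kind}): {p}")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("no sts:ExternalId condition on sts:AssumeRole")
    if not allows_assume:
        findings.append("no statement allows sts:AssumeRole")
    if READ_ONLY not in attached_policy_arns:
        findings.append("ReadOnlyAccess is not attached")
    findings += [f"policy beyond ReadOnlyAccess attached: {a}"
                 for a in attached_policy_arns if a != READ_ONLY]
    return findings

SCANNER = "111122223333"  # constructed stand-in for the scanner's AWS account
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{SCANNER}:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id"}}}]}
LOOSE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]}

if __name__ == "__main__":
    print(audit_scanner_role(GOOD_TRUST, [READ_ONLY], SCANNER))
    print(audit_scanner_role(
        LOOSE_TRUST, [READ_ONLY, "arn:aws:iam::aws:policy/AdministratorAccess"], SCANNER))
```

A role that is also used for auto-fix will report its write policies as findings, which makes the extra permissions an explicit, reviewed decision.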

Can I add custom compliance rules?

Yes. Go to Custom Rules to create rules via YAML editor or clone from the Rule Catalog. Custom rules support the same condition types (propertyPath, allOf, anyOf) and can be grouped into custom initiatives.
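
To show how nested propertyPath, allOf and anyOf conditions combine into one compliant/finding decision, here is an added Python sketch; it is not CGPulse's rule engine. The rule layout, the "equals" operator and the sample storage accounts are hypothetical or constructed; only the three condition type names come from this page.

```python
# Added example, not CGPulse's rule engine. The rule layout and the "equals"
# operator are hypothetical; only propertyPath, allOf and anyOf come from the page.
MISSING = object()

def resolve(resource, path):
    """Walk a dotted propertyPath; return MISSING if any segment is absent."""
    node = resource
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return MISSING
        node = node[key]
    return node

def evaluate(cond, resource):
    """True when the resource satisfies the condition, i.e. is compliant."""
    for key, combine in (("allOf", all), ("anyOf", any)):
        if key in cond:
            if not cond[key]:
                raise ValueError(f"empty {key}: result would be vacuous")
            return combine([evaluate(c, resource) for c in cond[key]])
    if "propertyPath" in cond and "equals" in cond:
        value = resolve(resource, cond["propertyPath"])
        # Fail closed: an unset property is not evidence of compliance.
        return value is not MISSING and value == cond["equals"]
    raise ValueError(f"unsupported condition: {cond!r}")

# Constructed rule: HTTPS only, TLS 1.2, and at least one public-exposure guard.
STORAGE_RULE = {"allOf": [
    {"propertyPath": "properties.supportsHttpsTrafficOnly", "equals": True},
    {"propertyPath": "properties.minimumTlsVersion", "equals": "TLS1_2"},
    {"anyOf": [
        {"propertyPath": "properties.allowBlobPublicAccess", "equals": False},
        {"propertyPath": "properties.publicNetworkAccess", "equals": "Disabled"},
    ]},
]}

# Constructed storage account snapshots (property names follow Azure ARM).
HARDENED = {"properties": {"supportsHttpsTrafficOnly": True,
                           "minimumTlsVersion": "TLS1_2",
                           "allowBlobPublicAccess": False}}
NO_TLS_SET = {"properties": {"supportsHttpsTrafficOnly": True,
                             "publicNetworkAccess": "Disabled"}}
EXPOSED = {"properties": {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2",
                          "allowBlobPublicAccess": True, "publicNetworkAccess": "Enabled"}}

if __name__ == "__main__":
    for name, res in (("hardened", HARDENED), ("no_tls", NO_TLS_SET), ("exposed", EXPOSED)):
        print(name, "compliant" if evaluate(STORAGE_RULE, res) else "finding")
```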

How do manual controls work?

Manual controls (e.g., “Organization should have an incident response plan”) appear as findings in Results. Each has a verification checklist. Your team clicks Resolve and provides evidence (description of what was verified). This creates an audit trail. Manual controls are re-evaluated each scan cycle.

How to report a security vulnerability?

Email cgpulse.security@smartspirit.eu. We commit to responding within 48 hours. See our security.txt for details.
