Features

One product. Three pillars. Every cloud.

A single platform for architecture, security, and cost: integrated, contextual, and presentation-ready.

AWS

IAM cross-account roles, AWS Organizations onboarding, Cloud WAN, TGW, VPC peering, DX, Route 53, IAM trust graphs, CUR cost ingestion, CloudWatch-based rightsizing.

Azure

Microsoft Entra ID Workload Identity Federation with federated credentials on an app registration, Management Group onboarding, VNet / Azure Virtual WAN (VWAN), ExpressRoute, NSG / Azure Firewall, Azure RBAC role assignments & PIM inspection, Microsoft Cost Management + Billing ingestion, Azure Monitor metrics.

GCP

Workload Identity Federation, Organization/Folder onboarding, VPC, NCC hub, Cloud Router, IAM bindings, Billing-BQ export, Cloud Monitoring metrics.

Architecture discovery

Automatic, relationship-aware, presentation-grade.

Topology-first

Resources are nodes; relationships are typed edges. Zoom from executive view to single-resource drill-down.

Auto-split

Dense views are split into logical subviews by VPC, environment, application, and tier, with a mini-map to tie them together.

Snapshot & diff

Every scan snapshots the topology. Compare two snapshots to see what changed.

Security scanning

Every finding is anchored to the resource it affects and highlighted on the diagram.

Public exposure

Public S3 buckets, public Storage Account blob containers, public GCS buckets; AWS security groups, Azure NSGs, and GCP VPC firewall rules on risky ports; unrestricted IAM.

Encryption gaps

Unencrypted disks, RDS, buckets; missing CMEK; unrotated keys.

Remediation guidance

Each rule includes actionable remediation and links to provider documentation.

Cost optimization & FinOps

Trends, anomalies, rightsizing, idle detection. Cost seen through the architecture.

Trends & anomalies

Daily, month-over-month (MoM), and year-over-year (YoY) trends. EWMA anomaly detection flags shifts of more than 2σ from the running baseline, per service and per account.
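To make the anomaly rule concrete, here is an added illustration (not GrandLine's own code) of an EWMA baseline with a 2σ threshold run per service/account scope. The smoothing factor, the three-day warm-up and the sample spend figures are assumptions, chosen only to show one clear spike.

```python
"""EWMA cost-anomaly check: flag a daily spend value when it moves more
than k standard deviations from the exponentially weighted running mean.
Added illustration only; not GrandLine's implementation. The smoothing
factor, warm-up length and sample data are assumptions."""
from dataclasses import dataclass
from math import sqrt


@dataclass
class Anomaly:
    day: int         # index into the daily series
    value: float     # observed cost
    expected: float  # EWMA mean before this observation
    sigma: float     # EWMA standard deviation before this observation


def ewma_anomalies(series, alpha=0.3, k=2.0, warmup=3):
    """Return the points in `series` that lie more than k sigma from the EWMA.

    Mean and variance are checked before being updated with the new point,
    so a spike cannot absorb itself into the baseline first. The first
    `warmup` points only seed the baseline (assumed value).
    """
    mean, var, found = float(series[0]), 0.0, []
    for day, x in enumerate(series):
        sigma = sqrt(var)
        if day >= warmup and sigma > 0 and abs(x - mean) > k * sigma:
            found.append(Anomaly(day, x, mean, sigma))
        diff = x - mean
        mean += alpha * diff                              # EWMA of the level
        var = (1 - alpha) * (var + alpha * diff * diff)   # EWMA variance
    return found


def scan_costs(costs_by_scope, **kw):
    """Run the check independently per service/account scope and return
    {scope: [Anomaly, ...]} for the scopes that have hits."""
    hits = {scope: ewma_anomalies(s, **kw) for scope, s in costs_by_scope.items()}
    return {scope: a for scope, a in hits.items() if a}


# Constructed sample: ten days of spend for two scopes. The EC2 series has
# a one-day jump on day 7; the S3 series only wobbles by a dollar.
DAILY_COST = {
    "acct-123/EC2": [100, 101, 99, 100, 101, 99, 100, 160, 100, 101],
    "acct-123/S3":  [20, 21, 19, 20, 21, 19, 20, 21, 19, 20],
}

if __name__ == "__main__":
    for scope, anomalies in scan_costs(DAILY_COST).items():
        for a in anomalies:
            print(f"{scope} day {a.day}: {a.value} vs expected "
                  f"{a.expected:.1f} (sigma {a.sigma:.2f})")
```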

Rightsizing

Instance sizing recommendations using 14-day utilization from CloudWatch, Azure Monitor, and Cloud Monitoring.

Idle candidates

Workloads with <5% avg CPU and <1 GB of network traffic over 14 days are flagged for review.

Reporting

Monthly and on-demand. Executive and technical. PDF and DOCX.

Scheduled

Monthly reports are generated automatically per tenant and per scope. Delivered to the inbox with signed URLs.

Access-controlled

Viewers only see reports on accounts they're scoped to. Reports redact restricted data at generation time.

What GrandLine is not

We are deliberately narrow. Here is what we don't do, and what you should pair us with.

Not runtime security

No agents, no eBPF, no container-escape detection. Pair GrandLine with a CWPP (Wiz Runtime, Sysdig, Aqua, Falco) if you need that.

Not write-back automation

We do not close S3 buckets, rotate keys, or restart workloads. Every finding has a concrete remediation you apply. The only write paths are webhooks, ticket integrations, and report exports you configure.

Not application data

We ingest provider metadata only: resource config, IAM, billing, native-scanner findings. We do not list object contents in S3, Azure Storage, or GCS. We do not ingest app logs or traces.

Not DLP or packet inspection

We do not proxy, capture, or inspect network traffic. No classification of payloads inside object storage. Cloud DLP is a separate purchase.

Not an IdP or MDM

We federate with your IdP (OIDC/SAML/Entra/Okta/Workspace) but we do not manage users, devices, or session tokens.

Not a GRC platform

We produce evidence (reports, immutable audit logs) that you publish into ServiceNow GRC, Drata, Vanta, or OneTrust via webhook and export. We are not those systems.

See the security page and the security white paper section 14 ("Out of scope for GrandLine") for the authoritative list.