GCP Cloud Operating System

Operate and secure GCP with AI.

One platform for architecture intelligence, security posture, Terraform automation, and FinOps — built for teams running production GCP.

No credit card required · Free GCP connection · 5-min setup

[Dashboard preview: $8.4k monthly waste · 14 security findings · 3 drift items · 128 Terraform drafts]

[Architecture Explorer preview, production-org (live): VPC Network, GKE Cluster, Cloud Run, Cloud SQL, Cloud Storage, IAM. 6 resources, 7 connections, 3 risk paths, 1 IAM violation; overlays: 3 critical findings, drift detected, $2.3k/mo waste]

Map your entire GCP footprint. Automatically.

Connect your organisation once. CloudXero imports every resource, traces every dependency, and builds a live topology map you can actually act on — not just look at.

  • Live topology mapping: all projects, services, and connections in one view
  • Blast radius analysis: know exactly what breaks if a resource goes down
  • Risk overlays: security findings, drift, and IAM violations on-graph
  • Cost attribution: per-resource spend linked directly to architecture

From raw GCP to operational control.

Seven steps. Everything automated.

01  Connect GCP: org-level in 5 min
02  Import topology: live environment map
03  Detect risks: SCC + IAM + compliance
04  Generate Terraform: AI-drafted, policy-gated
05  Fix drift: delta vs declared state
06  Optimise costs: waste detection & savings
07  Track changes: audit trail + timeline

Terraform-aware cloud operations.

Generate production HCL from plain English, catch drift before it causes incidents, gate deployments with Rego policies.

AI Terraform Generator
main.tf (AI generated, policy validated)

```hcl
# AI-drafted Cloud Run service. The v2 resource is used so that the scaling
# bounds compared in the drift view below are declared explicitly rather than
# living in Knative annotations.
resource "google_cloud_run_v2_service" "api_service" {
  name     = "cloudxero-api"
  project  = var.project_id
  location = "europe-west1"

  template {
    # Dedicated runtime identity, never the default compute service account
    service_account = var.sa_email

    scaling {
      min_instance_count = 0
      max_instance_count = 10
    }

    containers {
      image = var.image_uri
      resources {
        limits = { cpu = "1", memory = "512Mi" }
      }
    }
  }
}
```
Live Drift Detection
drift — declared vs actual state (2 of 3 drift items shown; "-" is the value declared in Terraform, "+" the value observed in GCP)

```diff
google_cloud_run_v2_service.api_service
  name     = "cloudxero-api"
  location = "europe-west1"
  template.scaling {
-   min_instance_count = 0
+   min_instance_count = 3
-   max_instance_count = 10
+   max_instance_count = 25
  }
  image = var.image_uri

google_storage_bucket.assets
  name = "cx-assets-prod"
- uniform_bucket_level_access = false
+ uniform_bucket_level_access = true
- public_access_prevention = "inherited"
+ public_access_prevention = "enforced"
```

Describe → HCL

Plain English input. Policy-validated Terraform output. Variables, outputs, and modules included.

Drift on every push

CloudXero compares declared state vs live GCP resources and surfaces deltas in real time. Read the direction of a delta before fixing it: in the bucket example above the live resource is stricter than the declared state (uniform bucket-level access on, public access prevention enforced), so the right fix is to update the HCL to match, not to re-apply the weaker declared configuration.

Rego policy gates

Block deployments that violate your security or cost policies before they reach production.
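The delta shown in the drift view can be reproduced with a small declared-vs-actual diff. This is an added example, not CloudXero's drift engine or code from the page: the declared and live states are constructed from the Cloud Run and bucket examples above, and both the COMPUTED set (provider-set attributes that never appear in HCL) and the HARDENING table (the strict value of a few security attributes, used to tell "live is stricter" from "live is weaker") are illustrative assumptions.

```python
"""Declared-vs-actual drift diff with direction classification.

Added example, not CloudXero's engine. DECLARED_*/ACTUAL_* are constructed from
the page's examples; COMPUTED and HARDENING are assumptions, not complete lists.
"""
import json

# Provider-computed attributes: present in live state, never declared, so not drift.
COMPUTED = {"id", "self_link", "etag", "uri", "generation"}

# Strict value of selected security attributes (assumption, used only by classify()).
HARDENING = {
    "uniform_bucket_level_access": True,
    "public_access_prevention": "enforced",
}


def drift(declared: dict, actual: dict, prefix: str = "") -> list:
    """Return [(attribute_path, declared_value, actual_value)] for every attribute
    whose live value differs from the declared one, recursing into nested blocks."""
    deltas = []
    for key in sorted(set(declared) | set(actual)):
        path = f"{prefix}.{key}" if prefix else key
        if key not in declared and key in COMPUTED:
            continue  # set by the provider, not something Terraform manages
        d, a = declared.get(key), actual.get(key)
        if isinstance(d, dict) and isinstance(a, dict):
            deltas.extend(drift(d, a, path))
        elif d != a:
            deltas.append((path, d, a))
    return deltas


def classify(path: str, declared, actual) -> str:
    """'live_stricter' when the observed value is the hardened one (adopt it into
    the HCL), 'live_weaker' when the declared value was hardened and the live one
    is not (re-apply), 'neutral' for attributes with no security meaning here."""
    strict = HARDENING.get(path.rsplit(".", 1)[-1])
    if strict is None:
        return "neutral"
    if actual == strict:
        return "live_stricter"
    if declared == strict:
        return "live_weaker"
    return "neutral"


def hcl(value) -> str:
    """Render a value the way it would appear in HCL."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if value is None:
        return "(unset)"
    return json.dumps(value)


def render(address: str, deltas: list) -> str:
    """Format like the drift view: '-' is the declared value, '+' the observed one."""
    lines = [address]
    for path, d, a in deltas:
        lines.append(f"- {path} = {hcl(d)}")
        lines.append(f"+ {path} = {hcl(a)}  # {classify(path, d, a)}")
    return "\n".join(lines)


# Constructed states mirroring the page's drift example (values are invented).
DECLARED_BUCKET = {"name": "cx-assets-prod", "uniform_bucket_level_access": False,
                   "public_access_prevention": "inherited"}
ACTUAL_BUCKET = {"name": "cx-assets-prod", "uniform_bucket_level_access": True,
                 "public_access_prevention": "enforced",
                 "self_link": "https://www.googleapis.com/storage/v1/b/cx-assets-prod"}

DECLARED_RUN = {"name": "cloudxero-api", "location": "europe-west1",
                "template": {"scaling": {"min_instance_count": 0, "max_instance_count": 10}}}
ACTUAL_RUN = {"name": "cloudxero-api", "location": "europe-west1",
              "template": {"scaling": {"min_instance_count": 3, "max_instance_count": 25}},
              "uri": "https://cloudxero-api-abc123-ew.a.run.app"}

if __name__ == "__main__":
    print(render("google_storage_bucket.assets", drift(DECLARED_BUCKET, ACTUAL_BUCKET)))
    print(render("google_cloud_run_v2_service.api_service", drift(DECLARED_RUN, ACTUAL_RUN)))
```

Both bucket deltas classify as live_stricter, which is exactly the case where "fix drift" must mean editing the declared state rather than re-applying it; the Cloud Run scaling deltas are neutral and can go either way depending on why someone changed them in the console.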

Purpose-built for GCP

Features no generic cloud scanner has.

CloudXero is built from the ground up for GCP — not ported from AWS or Azure. That changes what's possible.

SecOps Hub — YARA-L Generation

Describe a threat in plain English. CloudXero generates production YARA-L detection rules for Google Chronicle, with MITRE ATT&CK mapping, severity, and GCP-specific event types built in, so your SecOps team stops writing rules by hand. Before a generated rule goes live, test it against your own UDM events: any reference list it names (such as an allowlist of service accounts) must exist and be populated, and the fields it matches must actually be filled by the Chronicle parser for your log sources.

detect_sa_exfil.yaral (AI generated, Chronicle-ready)

```yaral
// CloudXero AI · generated YARA-L rule
// Fires when a service account that is not on the allowlist reads a
// production Cloud Storage bucket.

rule detect_sa_exfil {
  meta:
    description = "Non-allowlisted service account accessing a production bucket"
    severity = "CRITICAL"
    mitre = "T1537 · Transfer Data to Cloud Account"

  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    // UDM keeps principal e-mails in the repeated field email_addresses
    $e.principal.user.email_addresses = /.*iam\.gserviceaccount\.com$/
    // resource_type is the UDM enum; STORAGE_BUCKET covers GCS buckets
    $e.target.resource.resource_type = "STORAGE_BUCKET"
    $e.target.resource.name = /.*prod.*/
    // %allowlisted_sa is a Chronicle reference list of approved SA e-mails
    not $e.principal.user.email_addresses in %allowlisted_sa

  condition:
    $e
}
```
Google Chronicle · MITRE ATT&CK · YARA-L 2.0 · UDM events
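To see what the rule above actually does and does not fire on, here is the same predicate set replayed over a handful of constructed UDM events. This is an added example, not CloudXero code and not Chronicle's rule engine: the field names follow the public UDM schema (metadata.event_type, principal.user.email_addresses, target.resource.resource_type, target.resource.name), every event is made up, and ALLOWLISTED_SA stands in for the %allowlisted_sa reference list.

```python
"""Replay of the detect_sa_exfil predicates over constructed UDM events.

Added example, not CloudXero code or Chronicle's engine. Events and the
allowlist are constructed; field names follow the public UDM schema.
"""
import re

# Same patterns as the rule. YARA-L regexes are RE2 "contains" matches, hence search().
SA_EMAIL = re.compile(r".*iam\.gserviceaccount\.com$")
PROD_BUCKET = re.compile(r".*prod.*")

# Stand-in for the Chronicle reference list %allowlisted_sa (constructed)
ALLOWLISTED_SA = {"backup-runner@cx-prod.iam.gserviceaccount.com"}


def matches(event: dict, allowlist: set = ALLOWLISTED_SA) -> bool:
    """True when the event satisfies every predicate in the rule's events: section."""
    if event.get("metadata", {}).get("event_type") != "USER_RESOURCE_ACCESS":
        return False
    resource = event.get("target", {}).get("resource", {})
    if resource.get("resource_type") != "STORAGE_BUCKET":
        return False
    if not PROD_BUCKET.search(resource.get("name", "")):
        return False
    # email_addresses is a repeated field: a YARA-L predicate on it is true if ANY
    # element matches, so `not ... in %list` holds only when NO element is listed.
    emails = event.get("principal", {}).get("user", {}).get("email_addresses", [])
    if not any(SA_EMAIL.search(e) for e in emails):
        return False
    return not any(e in allowlist for e in emails)


def detect(events: list) -> list:
    """Return metadata.id of every event the rule would fire on, in input order."""
    return [ev["metadata"]["id"] for ev in events if matches(ev)]


def _event(eid: str, event_type: str, email: str, bucket: str) -> dict:
    """Build a minimal UDM-shaped event (constructed test data)."""
    return {
        "metadata": {"id": eid, "event_type": event_type},
        "principal": {"user": {"email_addresses": [email]}},
        "target": {"resource": {"resource_type": "STORAGE_BUCKET", "name": bucket}},
    }


# Constructed sample events: one true positive and four near misses.
SAMPLE_EVENTS = [
    _event("e1", "USER_RESOURCE_ACCESS",
           "etl-job@cx-prod.iam.gserviceaccount.com", "projects/_/buckets/cx-assets-prod"),
    _event("e2", "USER_RESOURCE_ACCESS",            # allowlisted SA
           "backup-runner@cx-prod.iam.gserviceaccount.com", "projects/_/buckets/cx-assets-prod"),
    _event("e3", "USER_RESOURCE_ACCESS",            # human user, not an SA
           "alice@example.com", "projects/_/buckets/cx-assets-prod"),
    _event("e4", "USER_RESOURCE_ACCESS",            # non-production bucket
           "etl-job@cx-prod.iam.gserviceaccount.com", "projects/_/buckets/cx-assets-staging"),
    _event("e5", "USER_LOGIN",                      # wrong event type
           "etl-job@cx-prod.iam.gserviceaccount.com", "projects/_/buckets/cx-assets-prod"),
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))  # ['e1']
```

The allowlist is the piece most often missing in practice: if the reference list is empty when the rule is deployed, e2 fires too, which is the behaviour `matches(SAMPLE_EVENTS[1], allowlist=set())` reproduces.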

OPA Policy Engine — Compliance as Code

87 CIS GCP controls evaluated by Open Policy Agent — no Rego knowledge required. Write custom rules, gate Terraform deployments, and map findings to SOC 2, PCI-DSS, and ISO 27001. Live pass/fail per control, not just a score.

cis_gcp.rego (OPA evaluated)

```rego
# CIS GCP 1.4 — only GCP-managed service account keys (no user-managed keys)
package cloudxero.cis_gcp

import rego.v1

# One deny message per service account key that is not explicitly allowlisted.
deny contains msg if {
	resource := input.resource
	resource.type == "iam.ServiceAccountKey"
	# data.allowlist holds the names of approved exceptions (e.g. break-glass keys)
	not data.allowlist[resource.name]
	msg := sprintf("CIS 1.4: user-managed SA key found: %s", [resource.name])
}
```
  • CIS 1.2: MFA enabled for all non-service accounts
  • CIS 1.4: only GCP-managed service account keys
  • CIS 1.8: separation of duties for service-account roles
  • CIS 2.1: Cloud Audit Logging configured
  • CIS 3.1: default network does not exist
  • CIS 4.4: OS Login enabled
CIS GCP v2.0 · OPA / Rego · SOC 2 · ISO 27001

Architecture → Terraform, instantly

Import your live GCP topology and export it as production Terraform — including variables, modules, and state files. No manual reverse-engineering.

Live import · HCL export · State management

Attack path tracing

CloudXero doesn't just list IAM issues — it traces complete privilege escalation chains from service account to org-level resource, with blast radius scoring.

IAM chains · Blast radius · SCC integration

Root cause across domains

Correlate security findings, drift events, cost anomalies, and Cloud Run incidents into a single timeline. Know what changed, when, and why.

Cross-domain · Change timeline · Incident correlation

Every team running production GCP.

Platform Engineering

Terraform, drift, architecture governance

Cloud Security

SCC posture, IAM chains, YARA-L detection

FinOps

Waste hunting, spend forecasting, savings

DevOps / SRE

Root cause, Cloud Run, incident correlation

Consultants / MSPs

Multi-env reports, client architecture reviews

Proven at scale across GCP environments.

Aggregated across CloudXero-connected GCP environments: security findings detected, Terraform resources analysed, monthly cost savings found, GCP environments mapped.


Your GCP estate, under control.

Connect your organisation. See your real findings, drift, and cost savings in under 5 minutes.

Free account · No credit card · GCP Workload Identity Federation supported
