by alexchantavy on 2/24/25, 4:22 PM with 31 comments
SubImage is our hosted offering built on top of Cartography (https://github.com/cartography-cncf/cartography), the open source security graph that we created at Lyft in 2019, originally shared on HN here: https://news.ycombinator.com/item?id=19517977. You can think of us as an open-core Wiz alternative.
In 2016, I worked on Microsoft’s Azure Red Team, where we built an infra mapping service to find the shortest paths to exploit our targets. We were so effective that the Blue Team wanted it too. In 2019, I joined Lyft, where we applied the same ideas to AWS and beyond, helping build and open-source Cartography. Over the past six years, it’s been incredible to grow the community and see over 70 companies (that I know of) use it.
Kunaal and I first worked closely together in 2020 when we helped bootstrap Lyft’s vulnerability management program and used Cartography as its backbone: https://eng.lyft.com/vulnerability-management-at-lyft-enforc.... This is actually where the name SubImage comes from: Lyft services are made up of one or more “SubImages”, and modeling this properly was such a memorable engineering challenge that we decided to name our company after it.
Cartography pulls metadata from multiple sources -- SaaS, cloud service providers, a company’s internal services -- and writes it to a graph database. This simple technique is incredibly powerful in modeling otherwise unseen misconfigurations and attack paths in areas like access permissions, networking, and software vulnerabilities.
SubImage picks up where Cartography leaves off: it’s a fully-hosted solution that provides specific recommendations for the problems it finds. The fix-action depends on company size: small teams might run AWS CLI commands, while larger orgs require automated infrastructure-as-code pull requests.
Here’s a video demo showing how we can use SubImage to understand and take action if our Stripe API key is unexpectedly used: https://www.youtube.com/watch?v=RBCr35hb5Hk.
SubImage also provides a natural language interface to quickly answer questions about our infra: https://imgur.com/a/subimage-natural-language-interface-quer....
Security is a competitive space, but we have a few differentiators:
First, we allow a very deep level of customization where the security team can enrich their graph with their own internal data, not just data from the major cloud providers. If it can be expressed as structured JSON, you can graph it; here’s a demo: https://www.youtube.com/watch?v=rvwDJoZaO_w. This flexibility is needed to answer questions like: Which storage buckets contain PII? Who owns them? Who’s on-call for https://example.com/api/payment? Which company director owns the most risk?
Since it’s built on Cartography, teams can also just write custom plugins in Python if they’d like: https://cartography-cncf.github.io/cartography/dev/writing-i....
Second, our core principle is actionability. Security teams drown in alerts. SubImage traces paths from critical assets to the most exploitable misconfigurations, helping teams cut through the noise and prioritize real threats.
Finally, we’re built on open source. We created Cartography and as it improves, so does SubImage. Cartography is a CNCF project (https://eng.lyft.com/cartography-joins-the-cncf-6f6b7be099a7), which means that it is full open source and will remain so.
Going forward, we’re maintaining Cartography while launching SubImage as a fully managed offering. Our roadmap includes Access Management (prune excessive permissions and enforce security invariants, Change Tracking (detect and alert on infra changes that introduce risk), and Cloud & SaaS Misconfigurations (expand visibility, including vulnerability management).
Thanks for reading! If this sounds interesting, try out https://github.com/cartography-cncf/cartography.
It’s an honor to share SubImage with HN, especially having followed projects here for over a decade. We’d love to hear your questions, feedback, and the challenges you face in security and infra!
by bavarianbob on 2/24/25, 5:21 PM
As someone deeply familiar with this problem (ex-JupiterOne), I'd caution against asserting that 'deep level of customization' is a differentiator. Your buyer (CISO) and userbase (Sec Engs) are drowning. They (and I) don't want yet another product to build on top of. This is a key reason why Wiz is so successful -- an operator can turn Wiz on and immediately receive value, no adjustments or additions needed.
I'd strategically focus on making the 'actionability' part the cornerstone of the product and really become obsessed with making that part of your product incredible. The Goliath-killing story you need will be formed by figuring out how to get your product to the point where someone can turn it on and immediately receive value for the most impactful security problems first (ex: Log4J) and the total surface area of problems the product solves for second.
by mdaniel on 2/24/25, 8:43 PM
Do you have similar plans or are those kinds of things left as an "exercise to the reader" via your Intel Plugins link? I do see https://cartography-cncf.github.io/cartography/modules/aws/s... but I also see https://github.com/cartography-cncf/cartography/blob/0.100.0... so it's hard to know what level of insight one wishes to support out of the box versus the localstack model of "open core, advanced features are $$$" type deal
by nodesocket on 2/24/25, 5:19 PM
by 1899-12-30 on 2/24/25, 5:01 PM
website(on firefox) nitpicks
- The handle_complexity.png image is too small to read and can't be zoomed unless opened in another tab.
- The background effect is in the foreground of chatbot_cropped_gif.gif
- The yaml schema text should have a background like the rest of the text boxes
by asaiyer on 2/24/25, 5:45 PM
by jvstokes on 2/24/25, 5:45 PM
by tsunego on 2/24/25, 9:24 PM
If you can pull this off, you will have a great time
by jc_811 on 2/24/25, 4:56 PM
by financetechbro on 2/25/25, 5:12 AM
by newgo on 2/24/25, 8:05 PM
by needHackerNews on 3/1/25, 3:34 AM
by lobster2342 on 2/25/25, 8:23 AM
Working in a huge enterprise, I see a clear benefit for this kind of product, as we are really struggeling to keep track.
I understand that you are very early in boot-strapping, but what I was missing while skimming over the videos and links and webpage is a better high-bird view or contextualization of the apporach.
I was considering a demo, but the two options (chat and quick chat) were a bit unclear to me what they would archive / how they are structured.
Again, I have full understanding that you are still working on this. Good luck with this project.
by aghilmort on 2/24/25, 5:32 PM
by pcgubi98 on 2/24/25, 8:36 PM
by badmonster on 2/24/25, 7:59 PM