Your Cloud Security.
Your Infrastructure.
Your Data.
A complete, self-hosted CSPM that runs on your VMs, stores results in your PostgreSQL, and never sends data outside your network. 1,800+ security checks. Unlimited scans. No vendor lock-in.
What You Deploy
Two VMs on your VPC. Docker Compose stack. No cloud dependencies after bootstrap. Data never leaves your network.
Scanning Engine (ETL VM)
16 Docker containers — Go scanner, NATS messaging, Redis cache, SeaweedFS object store, credential verification, misconfig detection, report generation. All orchestrated via Docker Compose.
4+ vCPU · 8+ GB RAM · Ubuntu 22.04+
Data & Frontend (Backend VM)
PostgreSQL stores all scan data — assets, misconfigurations, compliance evidence. FastAPI backend handles auth and workspace management. SvelteKit dashboard for your team. Caddy reverse proxy with auto-TLS.
4+ vCPU · 8+ GB RAM · Ubuntu 22.04+
Sovereign vs Hosted
| | Sovereign | Hosted (SaaS) |
|---|---|---|
| Infrastructure | Your VMs, your VPC | Kloudle-managed on GCP |
| Data residency | Your PostgreSQL, never leaves your network | Kloudle-managed, GCP |
| Scans | Unlimited | 1 credit per scan |
| Concurrent scans | Up to 10 | Unlimited (auto-scales) |
| Security checks | 1,800+ (same engine) | 1,800+ (same engine) |
| Encryption keys | Customer-managed | Kloudle-managed |
| Deployment | ~20 min first build, scripted | Instant (sign up and scan) |
| Pricing | Fixed deployment + support | Pay as you go, 1st scan free |
What We Check
Every check is a SQL query you can read and audit. No black-box scoring.
AWS
S3, IAM, EC2, EKS, RDS, Lambda, CloudTrail, and 60+ more
Google Cloud
Compute, IAM, Cloud SQL, GKE, Storage, Functions, and more
Kubernetes
API Server, RBAC, Pod Security, Network Policies, and more
Azure
Compute, Storage, SQL, AKS, Key Vault, App Service, and more
DigitalOcean
Droplets, Spaces, Databases, Kubernetes, VPCs, and more
What Sovereign Actually Means
Keep using global hyperscalers for compute. But retain control over your cloud security posture management. Four control boundaries that matter.
Policy Sovereignty
Security policies, exceptions, and approval history live in your systems — not locked in vendor UIs.
Execution Sovereignty
Scans run from your VMs, on your VPC. No data flows through external infrastructure.
Telemetry Sovereignty
Raw security snapshots land in your PostgreSQL, encrypted with your keys. SeaweedFS replaces cloud object storage.
Evidence Sovereignty
Compliance reports generated from your systems of record. Hand them to auditors without depending on vendor uptime.
The asymmetric risk: the cost of sovereignty is visible and budgetable. The cost of lacking it is hidden — until policy shocks force expensive, high-pressure responses.
Deployment in a Day
Scripted deployment. No Kubernetes required. Two VMs and you're running.
Provision two VMs on your VPC
Ubuntu 22.04+, 4 vCPU / 8 GB RAM each. Any cloud or on-prem.
Run the bootstrap script
Installs Docker, PostgreSQL, NATS, and all dependencies. ~15-20 minutes first build.
Configure auth and domains
Point your domains, set up OAuth, configure TLS. Caddy handles certificate provisioning automatically.
Start scanning
Grant read-only access to your cloud accounts. Unlimited scans, all data stays on your VPC.
Frequently Asked Questions
What is Sovereign CSPM?
Sovereign CSPM means your infrastructure runs the security scans and your database stores the results. Unlike SaaS CSPM tools where your posture data lives in a vendor's cloud, Kloudle Sovereign keeps everything under your control — your keys, your data, your evidence chain.
What cloud providers does Kloudle support?
AWS (681 checks), Google Cloud (338 checks), Kubernetes (306 checks), Azure (292 checks), and DigitalOcean (273 checks) — 1,890 security checks total. All checks are SQL-based and auditable.
How long does a scan take?
5 to 25 minutes depending on the number of resources in your cloud account. Scans run in parallel across services for faster results.
What access does Kloudle need to my cloud account?
Read-only access via an IAM role. Kloudle never writes to or modifies your infrastructure. No agents are deployed on your servers.
Can I run scans entirely from my own infrastructure?
Yes. With a Sovereign deployment, the scanner runs on your infrastructure, connects to your cloud accounts via read-only credentials, and writes results to your PostgreSQL database. Nothing leaves your network.
What compliance frameworks are covered?
CIS Benchmarks, NIST, PCI-DSS, SOC 2, and Facebook DPA. Reports export as PDF, JSON, and CSV — generated from your own systems of record, not reconstructed from a vendor dashboard.
How is this different from Wiz, Prowler, or other CSPM tools?
Most CSPM tools are SaaS — your posture data lives in their cloud. Kloudle Sovereign runs on your infrastructure so you own the evidence chain. The same engine powers the hosted dashboard, CLI, and MCP server for AI agents.
Start Scanning. Keep Control.
1,800+ checks. 5 providers. First scan free. No credit card required.