Cloud Architecture Canvas
Overview
The Cloud Architecture canvas renders your environment as an interactive, editable diagram: projects/accounts as boxes, resources as cards, and the relationships between them as edges. It’s comparable to Wiz, Orca, Cloudcraft, or draw.io, but with security and cost context overlaid directly on the map.
Key benefits
| Benefit | Capability | Business value |
|---|---|---|
| Shared picture | One diagram of the whole environment | Engineers, security, and leadership read the same map |
| Security in context | Attack paths, threats, and compound risk overlaid on the topology | See where risk lives, not just a list |
| Real cost | Actual GCP spend on each project/resource | Tie security hygiene to FinOps |
| Shareable | Export to HTML, draw.io, SVG, PDF | Hand a living diagram to anyone |
How it works
You build the canvas from a scan’s inventory (Reports → Architecture, or the Cloud Architecture screen). It lays out projects and resources automatically, and you can edit, annotate, and save layouts.
Analysis overlays
Toggle overlays to see different lenses on the same topology:
| Overlay | What it shows |
|---|---|
| Attack paths | The attack chains running through the topology |
| Heatmap | Risk concentration across resources |
| Cost | Real GCP spend per project (from BigQuery Billing Export) and a sizing-proportional split per resource; shown as ? when data isn’t available (a number is never invented) |
| Service mesh | Live request volume per service (from Cloud Monitoring), with hot/warm/cold tiers |
| Compliance | Which resources fall in scope for PCI/HIPAA/SOC 2 and other frameworks |
| Threats | A STRIDE + MITRE heuristic threat model across edges |
| Toxic combinations | Wiz-style compound-risk patterns (e.g. internet → privileged SA, internet → sensitive data) |
| Region lanes | Resources grouped by region |
| Cross-project SA | Service accounts shared across projects |
Interactive analysis
- What-if blast radius — click any node to see what a compromise of it could reach.
- Time travel + Replay drift — slide between historical scans and replay how the architecture changed.
- Compare scans (diff overlay) — added/changed resources and edges highlighted on the canvas.
- Smart search — describe what you want in plain English (“all SAs that can read PII”) and AI translates it into a graph filter.
- AI explain — get a natural-language summary of any project’s resources, risk, and exposure.
- Simulate traffic — animate flows through the topology.
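To make the what-if blast radius and the Toxic combinations overlay concrete, here is an added example (illustrative code written for this page, not the product’s own implementation) that runs both over a small constructed topology. Node names, edge kinds, the node tags, and the `internet` pseudo-node standing for public exposure are all assumptions; blast radius is plain reachability from the compromised node, and a toxic combination is an internet-reachable path to a node tagged privileged or sensitive.

```python
"""Added example: blast radius and toxic-combination detection over a graph.
Illustrative code for this page, not the product's implementation; node
names, edge kinds, tags and the 'internet' pseudo-node are assumptions."""
from collections import deque

# Constructed sample topology: (source, target, edge kind).
EDGES = [
    ("internet", "lb-web", "ingress"),
    ("lb-web", "vm-web", "routes-to"),
    ("vm-web", "sa-web", "runs-as"),
    ("sa-web", "bucket-pii", "can-read"),
    ("sa-web", "sa-admin", "can-impersonate"),  # assumed token-creator grant
    ("sa-admin", "project-prod", "owner"),
    ("vm-batch", "sa-batch", "runs-as"),
    ("sa-batch", "bucket-logs", "can-read"),
]

# Constructed node tags that the overlays key on.
TAGS = {
    "sa-admin": {"privileged"},
    "bucket-pii": {"sensitive-data"},
    "project-prod": {"project"},
}

# Compound-risk patterns: pattern name -> tag that ends the path.
TOXIC_PATTERNS = {
    "internet -> privileged SA": "privileged",
    "internet -> sensitive data": "sensitive-data",
}


def adjacency(edges):
    """Directed adjacency list; every node gets an entry even with no out-edges."""
    adj = {}
    for src, dst, _kind in edges:
        adj.setdefault(src, []).append(dst)
        adj.setdefault(dst, [])
    return adj


def bfs_parents(edges, start):
    """BFS from start; returns {node: parent} for every reachable node."""
    adj = adjacency(edges)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return parent


def blast_radius(edges, start):
    """What-if: the set of nodes reachable if `start` is compromised."""
    reachable = set(bfs_parents(edges, start))
    reachable.discard(start)
    return reachable


def path_to(parent, node):
    """Reconstruct the BFS path from the root to `node`."""
    path = []
    while node is not None:
        path.append(node)
        node = parent[node]
    return list(reversed(path))


def toxic_combinations(edges, tags, source="internet"):
    """Return (pattern name, path) for every tagged node reachable from source."""
    parent = bfs_parents(edges, source)
    findings = []
    for name, tag in TOXIC_PATTERNS.items():
        for node, node_tags in tags.items():
            if tag in node_tags and node in parent:
                findings.append((name, path_to(parent, node)))
    return findings


if __name__ == "__main__":
    print("blast radius of vm-web:", sorted(blast_radius(EDGES, "vm-web")))
    for name, path in toxic_combinations(EDGES, TAGS):
        print(name + ":", " -> ".join(path))
```

Compromising `vm-web` reaches the web service account, the PII bucket, the admin service account it can impersonate, and through it the whole production project; `vm-batch` reaches only its own SA and the logs bucket. Both toxic patterns fire on the same chain through `sa-web`, which is exactly the node to cut first.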
Editing & export
Edit mode lets you add resources, notes, and custom edges; reroute any edge by dragging a bend point; move labels; and save multiple named layouts as tabs. Export to HTML (fully interactive), draw.io, SVG, PDF, or JSON.
Implementation / workflow
- Run a scan (GCP gives the richest canvas, including cost and mesh).
- (Optional, for real cost) Configure BigQuery Billing Export for the customer and run a billing scan.
- Build the architecture from the scan and explore with the overlays above.
- Save your layout, or export the diagram to share.
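The Cost overlay’s two rules are that per-project totals come only from real billing rows and that a resource’s share is a sizing-proportional split of its project’s total, with ? whenever either input is missing. The following added example (written for this page, not the product’s code) shows that attribution over constructed data; the row shape mirrors the BigQuery Billing Export `project.id` and `cost` columns, the sizing weights are an assumed inventory field, and the negative row stands for a credit, which the export records as negative cost.

```python
"""Added example: attributing billing-export spend to projects and resources
for a Cost overlay. Illustrative code for this page, not the product's
implementation; rows and inventory are constructed, sizing weights are assumed."""
from collections import defaultdict

UNKNOWN = "?"  # rendered when no real data exists; a figure is never invented

# Constructed rows in the shape of a billing-export query result.
BILLING_ROWS = [
    {"project_id": "prod-web", "cost": 120.50},
    {"project_id": "prod-web", "cost": 30.25},
    {"project_id": "prod-web", "cost": -10.75},  # credit: negative cost in the export
    {"project_id": "data-lake", "cost": 400.00},
]

# Constructed inventory: project -> {resource: sizing weight (assumed units)}.
INVENTORY = {
    "prod-web": {"vm-web": 2, "vm-api": 4, "lb-web": 1},
    "data-lake": {"bucket-raw": 500, "bucket-curated": 300},
    "sandbox": {"vm-dev": 2},  # no billing rows at all: must render as '?'
}


def project_costs(rows):
    """Sum real cost per project; credits reduce the total."""
    totals = defaultdict(float)
    for row in rows:
        totals[row["project_id"]] += float(row["cost"])
    return dict(totals)


def resource_split(project_total, resources):
    """Split a known project total across resources in proportion to sizing.

    Every resource gets UNKNOWN when the total is unknown or the weights sum
    to zero, rather than a guessed number."""
    weight_sum = sum(resources.values())
    if project_total is None or weight_sum <= 0:
        return {name: UNKNOWN for name in resources}
    return {name: round(project_total * w / weight_sum, 2)
            for name, w in resources.items()}


def cost_overlay(rows, inventory):
    """Per-project total plus per-resource split, with '?' where data is absent."""
    totals = project_costs(rows)
    overlay = {}
    for project, resources in inventory.items():
        total = totals.get(project)
        overlay[project] = {
            "total": UNKNOWN if total is None else round(total, 2),
            "resources": resource_split(total, resources),
        }
    return overlay


if __name__ == "__main__":
    for project, entry in cost_overlay(BILLING_ROWS, INVENTORY).items():
        print(project, entry["total"], entry["resources"])
```

`prod-web` nets to 140.00 after the credit and splits 40/80/20 across its three resources; `data-lake` splits 250/150; `sandbox`, which has no export rows, shows ? for the project and every resource, which is what the overlay displays until billing export is configured and a billing scan has run.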
Best practices
- Start from the Attack paths and Toxic combinations overlays to find the most dangerous topology, then drill in.
- Use Compare scans / time travel after a change window to see exactly what drifted.
- Configure billing export so the Cost overlay shows real numbers instead of ?.