fwd:cloudsec Europe 2025

Itay Gabbay

Itay Gabbay is the CTO and co-founder of Brava Security, where he leads the company vision around cloud-scale telemetry, SIEM efficiency, and security signal architecture. Before Brava, he served as VP of R&D at several companies, focusing on building intelligent systems and AI agents capable of reasoning and operating autonomously in complex environments. Earlier in his career, he led cloud security efforts for the IDF, overseeing the protection and monitoring of mission-critical workloads in its private cloud.


Session

09-15
11:55
20min
Connecting the Cloud-Dots: Constructing a Knowledge Layer from Autonomous Attack Simulation
Itay Gabbay, Amir Zak

Detection engineering in the cloud is often hobbled by poor telemetry documentation and vague, static log-to-MITRE mappings. In this talk, we will share Cloudots, a research system that shifts this paradigm by empirically constructing and maintaining a technical knowledge layer over cloud telemetry.

Cloudots runs autonomous AI agents to simulate adversarial scenarios on AWS, Azure, and GCP. Our agents take high-level objectives like “exfiltrate data” or “achieve persistence via IAM abuse” and break them down into low-level API call graphs through goal-oriented planning and domain-specific introspection. Each simulation executes within sandbox cloud accounts against real APIs (no mocks), gathering full telemetry, timing behavior, and resource transitions. Afterwards, the system observes which telemetry is actually generated and which of it is relevant for detecting the attack.

The result is a structured, queryable knowledge base that maps specific log entries (CloudTrail, VPC Flow Logs, GCP Audit Logs, etc.) to MITRE tactics and techniques, with context on signal fidelity, timing, and trigger conditions. We also wrapped this knowledge base in an MCP and built a chat interface on top of it, so analysts can ask cloud security questions in natural language and get answers that are relevant and backed by the Cloudots knowledge base.

In this session, we’ll share architecture lessons, failure modes, signal insights across platforms, and practical use cases such as coverage validation and detection prioritization. We hope to get the audience and the cloud security community to rethink how AI can be used to empower cloud defenders, because attackers are already using it to their advantage.

Fables from the Frontier
Main Room