Launch HN: SubImage (YC W25) – See your infra from an attacker's perspective
14 comments
·February 24, 2025bavarianbob
Awesome project!
As someone deeply familiar with this problem (ex-JupiterOne), I'd caution against asserting that 'deep level of customization' is a differentiator. Your buyer (CISO) and userbase (Sec Engs) are drowning. They (and I) don't want yet another product to build on top of. This is a key reason why Wiz is so successful -- an operator can turn Wiz on and immediately receive value, no adjustments or additions needed.
I'd strategically focus on making the 'actionability' part the cornerstone of the product and really become obsessed with making that part of your product incredible. The Goliath-killing story you need will be formed by figuring out how to get your product to the point where someone can turn it on and immediately receive value for the most impactful security problems first (ex: Log4J) and the total surface area of problems the product solves for second.
alexchantavy
Thank you, this is very helpful especially given your experience in the space. I intended to frame this like "there are many tools that let a security team can pull in data from the cloud providers and detect misconfigurations, but this becomes soo much more useful when they're able to contextualize it against their internal data". If I'm responding to log4j, I want to know all of the services that are running that affected library, which ones are internet open, and who in the organization owns it. That last part is key for actionability.
newgo
How come things like this are not built into most cloud providers?
1899-12-30
Given that this is a paid product, are you liable if the chatbot misrepresents the data?
website(on firefox) nitpicks
- The handle_complexity.png image is too small to read and can't be zoomed unless opened in another tab.
- The background effect is in the foreground of chatbot_cropped_gif.gif
- The yaml schema text should have a background like the rest of the text boxes
alexchantavy
> Given that this is a paid product, are you liable if the chatbot misrepresents the data?
Good question. Right now the chatbot is in preview and we're currently figuring that out. That said, we do have it provide the underling query that it used to answer the question so a user can double check with that.
Thanks for the comments on the landing page -- we're security nerds and definitely not great at frontend haha, will fix!
nodesocket
Looked at your video demo, does SubImage actually recommend changes and generate terraform? For example instead of exposing 80/443 to the EC2 instance, deploy a ELB in-front of it that listens on 80/443 publicaly and only allow the ELB to forward traffic to the ec2 instance. Also, utilize attach role to the ec2 instance to avoid storing AWS credentials in environment vars, though if the instance was compromised an attacker could still access the s3 bucket.
alexchantavy
> does SubImage actually recommend changes and generate terraform?
We recommend changes, though we don't generate Terraform just yet. Great feedback on the specific fixes for this case, thanks.
asaiyer
Wow this library has a lot of history being developed at Lyft! Have you seen a good response to the paid offering? I suppose all the OSS users self hosting will switch over!
badmonster
Congrats on the launch!
jvstokes
This is cool, and really makes sense for large organizations. Do you foresee a release for smaller enterprises (something as simple as a lightweight aws integration?)
alexchantavy
Depends on how small. Most seed stage and early companies are more worried about product-market fit and not security. For now, we're probably best fit for companies building out their first security teams, so that's _usually_ series A and later. That said, there might be something there, I'm open to figuring something out for a smaller company.
kunaals
Could definitely see us releasing some form of this for smaller companies as well, it's crazy how many vendors and how much infra even these 2 month old startups have
jc_811
Looks very cool! Wiz is a beast at the moment so I will be watching closely to see if you (or anyone else really) will be able to go up against them
aghilmort
absolutely awesome -- huge need
Hi HN! I’m Alex, and along with my co-founder Kunaal, we are thrilled to introduce SubImage (https://subimage.io): a tool that lets your security team fix issues before they’re found by attackers. Teams use SubImage to map their infrastructure and emulate adversary behavior. Here’s a video of how I would use it to hack our own company: https://www.youtube.com/watch?v=P_meu4_aIVA.
SubImage is our hosted offering built on top of Cartography (https://github.com/cartography-cncf/cartography), the open source security graph that we created at Lyft in 2019, originally shared on HN here: https://news.ycombinator.com/item?id=19517977. You can think of us as an open-core Wiz alternative.
In 2016, I worked on Microsoft’s Azure Red Team, where we built an infra mapping service to find the shortest paths to exploit our targets. We were so effective that the Blue Team wanted it too. In 2019, I joined Lyft, where we applied the same ideas to AWS and beyond, helping build and open-source Cartography. Over the past six years, it’s been incredible to grow the community and see over 70 companies (that I know of) use it.
Kunaal and I first worked closely together in 2020 when we helped bootstrap Lyft’s vulnerability management program and used Cartography as its backbone: https://eng.lyft.com/vulnerability-management-at-lyft-enforc.... This is actually where the name SubImage comes from: Lyft services are made up of one or more “SubImages”, and modeling this properly was such a memorable engineering challenge that we decided to name our company after it.
Cartography pulls metadata from multiple sources -- SaaS, cloud service providers, a company’s internal services -- and writes it to a graph database. This simple technique is incredibly powerful in modeling otherwise unseen misconfigurations and attack paths in areas like access permissions, networking, and software vulnerabilities.
SubImage picks up where Cartography leaves off: it’s a fully-hosted solution that provides specific recommendations for the problems it finds. The fix-action depends on company size: small teams might run AWS CLI commands, while larger orgs require automated infrastructure-as-code pull requests.
Here’s a video demo showing how we can use SubImage to understand and take action if our Stripe API key is unexpectedly used: https://www.youtube.com/watch?v=RBCr35hb5Hk.
SubImage also provides a natural language interface to quickly answer questions about our infra: https://imgur.com/a/subimage-natural-language-interface-quer....
Security is a competitive space, but we have a few differentiators:
First, we allow a very deep level of customization where the security team can enrich their graph with their own internal data, not just data from the major cloud providers. If it can be expressed as structured JSON, you can graph it; here’s a demo: https://www.youtube.com/watch?v=rvwDJoZaO_w. This flexibility is needed to answer questions like: Which storage buckets contain PII? Who owns them? Who’s on-call for https://example.com/api/payment? Which company director owns the most risk?
Since it’s built on Cartography, teams can also just write custom plugins in Python if they’d like: https://cartography-cncf.github.io/cartography/dev/writing-i....
Second, our core principle is actionability. Security teams drown in alerts. SubImage traces paths from critical assets to the most exploitable misconfigurations, helping teams cut through the noise and prioritize real threats.
Finally, we’re built on open source. We created Cartography and as it improves, so does SubImage. Cartography is a CNCF project (https://eng.lyft.com/cartography-joins-the-cncf-6f6b7be099a7), which means that it is full open source and will remain so.
Going forward, we’re maintaining Cartography while launching SubImage as a fully managed offering. Our roadmap includes Access Management (prune excessive permissions and enforce security invariants, Change Tracking (detect and alert on infra changes that introduce risk), and Cloud & SaaS Misconfigurations (expand visibility, including vulnerability management).
Thanks for reading! If this sounds interesting, try out https://github.com/cartography-cncf/cartography.
It’s an honor to share SubImage with HN, especially having followed projects here for over a decade. We’d love to hear your questions, feedback, and the challenges you face in security and infra!