Skip to content(if available)orjump to list(if available)

Show HN: Kexa.io – Open-Source IT Security and Compliance Verification

Show HN: Kexa.io – Open-Source IT Security and Compliance Verification

13 comments

·April 30, 2025

Hi HN,

We're building Kexa.io (https://github.com/kexa-io/Kexa), an open-source tool developed in France (incubated at Euratech Cyber Campus) to help teams automate the often tedious process of verifying IT security and compliance. Keeping track of configurations across diverse assets (servers, K8s, cloud resources) and ensuring they meet security baselines (like CIS benchmarks, etc.) manually is challenging and error-prone.

Our goal with the open-source core is to provide a straightforward way to define checks, scan your assets, and get clear reports on your security posture. You can define your own rules or use common standards.

We are now actively developing our SaaS offering, planned for a beta release around June 2025. The key feature will be an AI-powered security administration agent specifically designed for cloud environments (initially targeting AWS, GCP, Azure). Instead of just reporting issues, this agent will aim to provide proactive, actionable recommendations and potentially automate certain remediation tasks to simplify cloud security management and hardening.

We'd love for the HN community to check out the open-source project on GitHub. Feedback on the concept or the current tool is highly welcome, and a star if you find it interesting helps others discover the project! If the upcoming AI-powered cloud security agent sounds interesting, we'd be particularly keen to hear your thoughts or if you might be interested in joining the beta (~June 2025).

thank you !!

Visit

ziddoap

Looks interesting, and I'll be diving into it a bit deeper, but I just wanted to mention that this quote:

"even non-experts can guarantee the security of their cloud environments"

Even though I understand that this is part of a marketing blurb, not a literal guarantee, it was an immediate yellow-flag for me. No tool can possibly guarantee the security of my cloud environment, so please don't imply/say your tool can. It reminds me of shady VPN companies guaranteeing my security by providing me with "military-grade encryption".

To be abundantly clear, I am not saying that this product is shady or anything -- I have not had the time to evaluate it in the depth needed -- but statements like that make the rest of the pitch an uphill battle. For me, at least.

sontek

Can you give a brief explanation of the benefits of your policy engine over using cloud custodian?

stego-tech

I’m always a fan of automated compliance and vulnerability management tooling - looking forward to giving this a spin at some point.

One bit of UX feedback: your “Offers” page isn’t rendering correctly on my iPhone (14 Pro) device. The text isn’t wrapping, graphics don’t seem to be scaling, and the columns are misaligned.

Once the current network rebuild is done, I’m looking forward to rolling this and Wazuh to try out both.

zufallsheld

Does this work without your SaaS component? Can I run it air-gapped?

mrbluecoat

An admittedly superficial comment: what is your logo supposed to be? A mouse? Reminds me of that famous young/old optical illusion: https://www.braingle.com/brainteasers/26745/old-or-young-wom...

Great job on the tool, by the way. Anything to improve the security posture of companies is a good thing!

patrick4urcloud

thanks ! yes it's a mouse looking everywhere :-) ( small, cheap, fast ) see more articles how to use kexa on medium ( kexa ): https://medium.com/@contact_52772

gitroom

this kinda stuff is right up my alley, love when folks make it easier to cut through all the security noise

shooker435

Wow, very cool. Would this replace a Vanta or complement it?

patrick4urcloud

We have to look and study this solution but maybe. We can define in a yaml a set of rules for a project and verify that no changes has been made cross platform with a cicd, docker, kub, script for compliance. we can discuss further on slack if you want.

szarapka

At best it would compliment Vanta.

Vanta handles/automates(ish) the compliance process for actual regulatory frameworks/programs (SOC2, ISO27001, GDPR, etc). From looking at their site/repo for Kexa, they don't have anything specific to this type of compliance.

In theory you could use Kexa to set up rules to help you achieve compliance, but you'd still need a Vanta or something else to help you understand if you're actually compliant with a given framework.

null

[deleted]

eszymko

[flagged]

eszymko

[flagged]