Demand-Driven Vulnerability Detection for Cloud Security Posture Management: Removing Human Rule Authoring from the Disclosure-to-Protection Critical Path
Pith reviewed 2026-06-30 11:34 UTC · model grok-4.3
The pith
Vulnerability detection rules can be derived continuously inside a cloud tenant from the intersection of public catalogues and the live asset graph.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The architecture derives the rule set within the customer's tenant from public catalogue feeds and the live asset graph. A rule comes into existence when a catalogue entry and an applicable asset are simultaneously present, and goes out of existence when either input ceases to support it. Derivation is bidirectional, incorporates the full structured-field content of catalogue entries, and produces a live rule set bounded by environment diversity rather than catalogue breadth. Prior systems incrementally evaluate a static rule set; this approach incrementally derives the rule set itself.
What carries the argument
Demand-driven rule derivation, in which rule existence is defined by the simultaneous presence of a matching catalogue entry and an asset in the live graph, with derivation triggered by changes in either input.
If this is right
- The active rule set at any moment is limited by the number and diversity of assets present in the tenant rather than the full breadth of public catalogues.
- Changes to catalogues or to the asset graph immediately create or remove rules without waiting for a vendor release cycle.
- Detections can incorporate richer predicates from catalogue structured fields without separate human authoring steps.
- Resource consumption for rule evaluation scales with environment size instead of catalogue size.
Where Pith is reading between the lines
- Maintaining an accurate and complete live asset graph becomes the dominant factor determining detection coverage.
- The approach could be combined with continuous asset-discovery tools to further compress the remaining latency to collection intervals.
- Security operations effort could shift from rule maintenance toward ensuring asset inventory fidelity.
Load-bearing premise
That the full structured-field content of public catalogue entries can be used directly to produce correct detection rules without any additional human authoring or environment-specific tuning.
What would settle it
A published CVE whose detection requires configuration predicates absent from the catalogue's structured fields, so that an automatically derived rule either misses the vulnerability or generates incorrect alerts on the tenant's assets.
read the original abstract
Cloud Security Posture Management (CSPM) systems detect known vulnerabilities by maintaining a rule set, distributing it to customers, and evaluating it against periodically-collected asset inventories. To our knowledge, in publicly documented architectures the rule set is environment-agnostic and curated centrally by the vendor; updates are batched into release cycles and shipped on a cadence ranging from hours to days depending on detection severity. The disclosure-to-protection window -- from a CVE being published to the customer's system being capable of detecting affected assets -- is therefore bounded by the vendor's release cadence for version-match detections, and by additional human authoring time for richer detections incorporating configuration predicates beyond the affected-software string. We propose an architecture in which the rule set is not vendor-distributed but continuously derived, within the customer's tenant, from the intersection of public catalogue feeds and the live asset graph. A rule comes into existence when a catalogue entry and an applicable asset are simultaneously present, and goes out of existence when either input ceases to support it. Derivation is bidirectional: new catalogue entries and new assets both trigger it. It incorporates the full structured-field content of catalogue entries, not only the affected-software predicate. The live rule set is bounded by environment diversity rather than catalogue breadth. Prior systems incrementally evaluate a static rule set; we incrementally derive the rule set itself. We present the threat model, the architecture, formal semantics with an equivalence theorem, complexity analysis, a worked example, and an evaluation methodology. The contribution is the architectural shift and its latency and resource consequences; rule correctness and alert prioritization are out of scope.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes a demand-driven architecture for Cloud Security Posture Management (CSPM) in which detection rules are not statically authored or vendor-distributed but are instead continuously derived inside the customer's tenant from the intersection of public vulnerability catalogue feeds and the live asset graph. A rule exists precisely when both a catalogue entry and an applicable asset are present; derivation is bidirectional and incorporates the full structured fields of catalogue entries. The manuscript presents a threat model, the architecture, formal semantics together with an equivalence theorem, complexity analysis, a worked example, and an evaluation methodology. The central contribution is the architectural shift and its consequences for latency and resource use; rule correctness is stated to be out of scope.
Significance. If the formal semantics and derivation operator can be shown to translate arbitrary catalogue structured fields into executable predicates without any human-authored mapping logic (even if fixed at design time), the architecture would meaningfully shorten the disclosure-to-protection window and bound the active rule set by environment diversity rather than catalogue size. The equivalence theorem, if rigorously established, would be a notable strength supporting the claim that incremental derivation preserves detection capability while eliminating vendor release cycles.
major comments (2)
- Formal Semantics section (equivalence theorem): the theorem is asserted to establish equivalence between the demand-driven rule set and a conventional static rule set, yet the definition of the derivation operator is presented only at a high level. If the operator presupposes a fixed, human-authored schema-to-predicate mapping (even if not re-authored per CVE), the claim that human rule authoring has been removed from the critical path is not supported; the paper must exhibit the operator definition and show that no such mapping is required.
- Architecture section (rule derivation process): the claim that 'the full structured-field content of catalogue entries' can be used directly to derive correct detection rules without additional human authoring or environment-specific tuning is load-bearing. The manuscript provides no concrete translation function or proof that arbitrary fields beyond the affected-software string yield sound predicates; without this, the removal of human authoring does not hold.
minor comments (2)
- The evaluation methodology is described at a high level; concrete metrics for measuring derivation latency versus conventional release cadence would strengthen the presentation.
- Notation for the asset graph and catalogue intersection could be introduced earlier to improve readability of the worked example.
Simulated Author's Rebuttal
We thank the referee for the thoughtful report and the opportunity to clarify the manuscript's scope and contributions. The paper focuses on the architectural shift to demand-driven, tenant-local rule derivation and its consequences for latency and rule-set size; rule correctness is explicitly out of scope. We respond to each major comment below.
read point-by-point responses
-
Referee: [—] Formal Semantics section (equivalence theorem): the theorem is asserted to establish equivalence between the demand-driven rule set and a conventional static rule set, yet the definition of the derivation operator is presented only at a high level. If the operator presupposes a fixed, human-authored schema-to-predicate mapping (even if not re-authored per CVE), the claim that human rule authoring has been removed from the critical path is not supported; the paper must exhibit the operator definition and show that no such mapping is required.
Authors: The formal semantics section defines the derivation operator as a bidirectional function over catalogue entries and the asset graph that produces a rule precisely when both inputs are present, with the equivalence theorem proving that the resulting rule set detects the same asset-vulnerability pairs as a static superset. A fixed, design-time schema-to-predicate mapping is a system constant, not per-disclosure authoring; the critical-path removal concerns the absence of vendor release cycles and per-CVE rule writing. We can expand the operator definition with additional formal detail or pseudocode in revision to make the high-level presentation more explicit. revision: partial
-
Referee: [—] Architecture section (rule derivation process): the claim that 'the full structured-field content of catalogue entries' can be used directly to derive correct detection rules without additional human authoring or environment-specific tuning is load-bearing. The manuscript provides no concrete translation function or proof that arbitrary fields beyond the affected-software string yield sound predicates; without this, the removal of human authoring does not hold.
Authors: The manuscript states that rule correctness is out of scope; the architecture claim is that derivation occurs on-demand inside the tenant from live catalogue and asset data, eliminating vendor-side rule authoring and release cadence. Any fixed translation component is part of the one-time system design rather than the disclosure-to-protection path. We do not provide a concrete translation function or soundness proof because that would require entering the correctness scope we have deliberately excluded. revision: no
- Provision of a concrete translation function together with a proof that arbitrary catalogue fields produce sound predicates (this would require expanding the paper into the rule-correctness scope that the manuscript explicitly excludes).
Circularity Check
No significant circularity; architectural proposal is self-contained
full rationale
The paper advances an architectural proposal for demand-driven rule derivation from catalogue feeds and asset graphs, with formal semantics and an equivalence theorem presented as part of the contribution. No equations, fitted parameters, or derivation steps are shown that reduce by construction to the inputs (e.g., no self-definitional mapping where the derivation operator presupposes the output rules). The central claim is the shift away from vendor-distributed static rules, and rule correctness is explicitly scoped out. No self-citations are invoked as load-bearing for uniqueness or ansatz. The derivation chain is therefore independent of the patterns that would trigger circularity findings.
Axiom & Free-Parameter Ledger
axioms (1)
- standard math Equivalence theorem relating the derived rule set to the intersection of catalogue and asset graph
invented entities (1)
-
Demand-driven rule derivation process
no independent evidence
Reference graph
Works this paper leans on
-
[1]
A graph-based system for network-vulnerability analy- sis,
C. Phillips and L. P. Swiler, “A graph-based system for network-vulnerability analy- sis,” inProc. 1998 Workshop on New Security Paradigms (NSPW’98), Sep. 1998, pp. 71–79
1998
-
[2]
MulV AL: A logic-based network security analyzer,
X. Ou, S. Govindavajhala, and A. W. Appel, “MulV AL: A logic-based network security analyzer,” inProc. 14th USENIX Security Symp., Aug. 2005, pp. 113–128. 15
2005
-
[3]
Automated generation and analysis of attack graphs,
O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J. M. Wing, “Automated generation and analysis of attack graphs,” inProc. IEEE Symp. on Security and Privacy (S&P), May 2002, pp. 273–284
2002
-
[4]
A scalable approach to attack graph generation,
X. Ou, W. F. Boyer, and M. A. McQueen, “A scalable approach to attack graph generation,” inProc. 13th ACM Conf. on Computer and Communications Security (CCS), Oct. 2006, pp. 336–345
2006
-
[5]
Scalable, graph-based network vul- nerability analysis,
P. Ammann, D. Wijesekera, and S. Kaushik, “Scalable, graph-based network vul- nerability analysis,” inProc. 9th ACM Conf. on Computer and Communications Security (CCS), Nov. 2002, pp. 217–224
2002
-
[6]
Before we knew it: An empirical study of zero-day attacks in the real world,
L. Bilge and T. Dumitra¸ s, “Before we knew it: An empirical study of zero-day attacks in the real world,” inProc. 2012 ACM Conf. on Computer and Communications Security (CCS), Oct. 2012, pp. 833–844
2012
-
[7]
CloudStrike: Chaos engineering for security and resiliency in cloud infrastructure,
K. A. Torkura, M. I. H. Sukmana, F. Cheng, and C. Meinel, “CloudStrike: Chaos engineering for security and resiliency in cloud infrastructure,”IEEE Access, vol. 8, pp. 123044–123060, 2020
2020
-
[8]
Continuous auditing and threat detection in multi-cloud infrastructure,
K. A. Torkura, M. I. H. Sukmana, F. Cheng, and C. Meinel, “Continuous auditing and threat detection in multi-cloud infrastructure,”Comput. Secur., Art. no. 102124, 2021
2021
-
[9]
Differential Dataflow,
F. McSherry, D. G. Murray, R. Isaacs, and M. Isard, “Differential Dataflow,” inProc. 6th Biennial Conf. on Innovative Data Systems Research (CIDR), Jan. 2013
2013
-
[10]
Naiad: A timely dataflow system,
D. G. Murray, F. McSherry, R. Isaacs, M. Isard, P. Barham, and M. Abadi, “Naiad: A timely dataflow system,” inProc. 24th ACM Symp. on Operating Systems Principles (SOSP), Nov. 2013, pp. 439–455
2013
-
[11]
Foundations of differential dataflow,
M. Abadi, F. McSherry, and G. D. Plotkin, “Foundations of differential dataflow,” in Proc. Int. Conf. on Foundations of Software Science and Computation Structures (FoSSaCS), Springer LNCS, Apr. 2015
2015
-
[12]
Incremental view maintenance with triple lock fac- torization benefits,
M. Nikoli´c and D. Olteanu, “Incremental view maintenance with triple lock fac- torization benefits,” inProc. ACM Int. Conf. on Management of Data (SIGMOD), Jun. 2018, pp. 365–380
2018
-
[13]
On Fast Large-Scale Program Analysis in Datalog,
B. Scholz, H. Jordan, P. Suboti ´c, and T. Westmann, “On Fast Large-Scale Program Analysis in Datalog,” inProc. 25th Int. Conf. on Compiler Construction (CC), Mar. 2016, pp. 196–206
2016
-
[14]
Differential Datalog,
L. Ryzhyk and M. Budiu, “Differential Datalog,” inProc. 3rd Int. Workshop on the Resurgence of Datalog in Academia and Industry (Datalog 2.0), CEUR Workshop Proc., vol. 2368, Jun. 2019, pp. 56–67
2019
-
[15]
DBSP: Automatic Incremental View Maintenance for Rich Query Languages,
M. Budiu, T. Chajed, F. McSherry, L. Ryzhyk, and V . Tannen, “DBSP: Automatic Incremental View Maintenance for Rich Query Languages,”Proc. VLDB Endow., vol. 16, no. 7, pp. 1601–1614, 2023
2023
-
[16]
Cloud Property Graph: Connecting Cloud Security Assessments with Static Code Analysis,
C. Banse, I. Kunz, A. Schneider, and K. Weiss, “Cloud Property Graph: Connecting Cloud Security Assessments with Static Code Analysis,” inProc. IEEE 14th Int. Conf. on Cloud Computing (CLOUD), 2021, pp. 13–19
2021
-
[17]
Towards a Security Stress-Test for Cloud Configurations,
F. Minna, F. Massacci, and K. Tuma, “Towards a Security Stress-Test for Cloud Configurations,” inProc. IEEE 15th Int. Conf. on Cloud Computing (CLOUD), 2022, pp. 191–196
2022
-
[18]
Enabling Multi-Layer Threat Analysis in Dynamic Cloud Environments,
S. Manzoor, A. Gouglidis, M. Bradbury, and N. Suri, “Enabling Multi-Layer Threat Analysis in Dynamic Cloud Environments,”IEEE Trans. Cloud Comput., vol. 12, no. 1, pp. 319–336, 2024
2024
-
[19]
A survey of au- tomatic generation of attack trees and attack graphs,
A.-M. Konsta, B. Spiga, A. Lluch Lafuente, and N. Dragoni, “A survey of au- tomatic generation of attack trees and attack graphs,”Comput. Secur., vol. 137, Art. no. 103602, 2024
2024
-
[20]
Exploit Predic- tion Scoring System (EPSS),
J. Jacobs, S. Romanosky, B. Edwards, M. Roytman, and I. Adjerid, “Exploit Predic- tion Scoring System (EPSS),”Digital Threats: Research and Practice, vol. 2, no. 3, pp. 1–17, 2021
2021
-
[21]
Expected Exploitability: Predicting the Development of Functional Vulnerability Exploits,
O. Suciu, C. Nelson, Z. Lyu, T. Bao, and T. Dumitra¸ s, “Expected Exploitability: Predicting the Development of Functional Vulnerability Exploits,” inProc. 31st USENIX Security Symp., 2022, pp. 377–394
2022
-
[22]
Vulnerable Open Source Dependencies: Counting Those That Matter,
I. Pashchenko, H. Plate, S. E. Ponta, A. Sabetta, and F. Massacci, “Vulnerable Open Source Dependencies: Counting Those That Matter,” inProc. 12th ACM/IEEE Int. Symp. on Empirical Software Engineering and Measurement (ESEM), 2018
2018
-
[23]
A Comparative Study of Vulnerability Reporting by Software Composition Analysis Tools,
N. Imtiaz, S. Thorne, and L. Williams, “A Comparative Study of Vulnerability Reporting by Software Composition Analysis Tools,” inProc. 15th ACM/IEEE Int. Symp. on Empirical Software Engineering and Measurement (ESEM), 2021
2021
-
[24]
Identifying Challenges for OSS Vulnerability Scanners—A Study & Test Suite,
A. Dann, H. Plate, B. Hermann, S. E. Ponta, and E. Bodden, “Identifying Challenges for OSS Vulnerability Scanners—A Study & Test Suite,”IEEE Trans. Softw. Eng., vol. 48, no. 9, pp. 3613–3625, 2022
2022
-
[25]
Software Composition Analysis for Vulnerability Detection: An Empirical Study on Java Projects,
L. Zhao, S. Chen, Z. Xu, C. Liu, L. Zhang, J. Wu, J. Sun, and Y . Liu, “Software Composition Analysis for Vulnerability Detection: An Empirical Study on Java Projects,” inProc. 31st ACM Joint European Software Engineering Conf. and Symp. on the Foundations of Software Engineering (ESEC/FSE), 2023, pp. 960–972
2023
-
[26]
Innovation Insight for Cloud-Native Application Protection Platforms,
N. MacDonald and T. Croll, “Innovation Insight for Cloud-Native Application Protection Platforms,” Gartner, Research Note G00742263, Aug. 2021
2021
-
[27]
Security Guidance for Critical Ar- eas of Focus in Cloud Computing v4.0,
Cloud Security Alliance, “Security Guidance for Critical Ar- eas of Focus in Cloud Computing v4.0,” 2017. [Online]. Avail- able: https://cloudsecurityalliance.org/artifacts/ security-guidance-v4
2017
-
[28]
What is Amazon Inspector?
Amazon Web Services, “What is Amazon Inspector?” Amazon Inspector User Guide, accessed Jun. 2026. [Online]. Available: https://docs.aws.amazon. com/inspector/latest/user/what-is-inspector.html
2026
-
[29]
Detection services,
Google, “Detection services,” Security Command Center Documentation, ac- cessed Jun. 2026. [Online]. Available: https://docs.cloud.google.com/ security-command-center/docs/concepts-security-sources
2026
-
[30]
Introduction to AWS Security Hub CSPM,
Amazon Web Services, “Introduction to AWS Security Hub CSPM,” AWS Security Hub User Guide, accessed Jun. 2026. [Online]. Avail- able: https://docs.aws.amazon.com/securityhub/latest/ userguide/what-is-securityhub.html
2026
-
[31]
Plugin and Software Updates,
Tenable, “Plugin and Software Updates,” Nessus User Guide, accessed Jun. 2026. [Online]. Available: https://docs.tenable.com/nessus/Content/ PluginAndSoftwareUpdates.htm
2026
-
[32]
Vulnerability Detection Pipeline,
Qualys, “Vulnerability Detection Pipeline,” accessed Jun. 2026. [Online]. Available: https://www.qualys.com/ vulnerability-detection-pipeline
2026
-
[33]
Security Misconfigurations in Open Source Kubernetes Manifests: An Empirical Study,
A. Rahman, S. I. Shamim, D. B. Bose, and R. Pandita, “Security Misconfigurations in Open Source Kubernetes Manifests: An Empirical Study,”ACM Trans. Softw. Eng. Methodol., vol. 32, no. 4, 2023
2023
-
[34]
Assessing the Adoption of Security Policies by Developers in Terraform Across Different Cloud Providers,
A. Verdet, M. Hamdaqa, L. M. P. da Silva, and F. Khomh, “Assessing the Adoption of Security Policies by Developers in Terraform Across Different Cloud Providers,” Empirical Softw. Eng., vol. 30, no. 3, 2025
2025
-
[35]
Mapping the Cloud: A Mixed-Methods Study of Cloud Security and Privacy Configuration Challenges,
S. I. Hashmi, S. Kashif, L. Gröber, K. Krombholz, and M. Javed, “Mapping the Cloud: A Mixed-Methods Study of Cloud Security and Privacy Configuration Challenges,” inProc. Netw. Distrib. Syst. Secur. Symp. (NDSS), 2026
2026
-
[36]
Detecting Multi-Step IAM Attacks in AWS Envi- ronments via Model Checking,
I. Shevrin and O. Margalit, “Detecting Multi-Step IAM Attacks in AWS Envi- ronments via Model Checking,” inProc. 32nd USENIX Security Symp., 2023, pp. 6025–6042
2023
-
[37]
Using Constraint Programming and Graph Representation Learning for Generating Interpretable Cloud Security Policies,
M. Kazdagli, M. Tiwari, and A. Kumar, “Using Constraint Programming and Graph Representation Learning for Generating Interpretable Cloud Security Policies,” in Proc. 31st Int. Joint Conf. Artif. Intell. (IJCAI), 2022, pp. 1850–1858
2022
-
[38]
Automated Enrich- ment of Logical Attack Graphs via Formal Ontologies,
K. Saint-Hilaire, F. Cuppens, N. Cuppens, and J. García-Alfaro, “Automated Enrich- ment of Logical Attack Graphs via Formal Ontologies,” inProc. IFIP Int. Conf. ICT Syst. Secur. Privacy Protection (SEC), 2023
2023
-
[39]
A Run-Time Framework for Ensuring Zero-Trust State of Client’s Machines in Cloud Environment,
D. N. Jha, G. Lenton, J. Asker, D. Blundell, M. Higgins, and D. C. H. Wallom, “A Run-Time Framework for Ensuring Zero-Trust State of Client’s Machines in Cloud Environment,”IEEE Trans. Cloud Comput., vol. 13, no. 1, pp. 61–74, 2025
2025
-
[40]
SST-LOF: Container Anomaly Detection Method Based on Singular Spectrum Transformation and Local Outlier Factor,
S. Bu, M. Jin, J. Wang, Y . Xie, and L. Zhang, “SST-LOF: Container Anomaly Detection Method Based on Singular Spectrum Transformation and Local Outlier Factor,”IEEE Trans. Cloud Comput., vol. 13, no. 1, pp. 130–147, 2025
2025
-
[41]
EPScan: Automated Detection of Excessive RBAC Permissions in Kubernetes Applications,
Y . Gu, X. Tan, Y . Zhang, S. Gao, and M. Yang, “EPScan: Automated Detection of Excessive RBAC Permissions in Kubernetes Applications,” inProc. IEEE Symp. Security and Privacy (S&P), 2025, pp. 3199–3217
2025
-
[42]
Growlithe: A Developer-Centric Compliance Tool for Serverless Applications,
P. Gupta, A. Moghimi, D. Sisodraker, M. Shahrad, and A. Mehta, “Growlithe: A Developer-Centric Compliance Tool for Serverless Applications,” inProc. IEEE Symp. Security and Privacy (S&P), 2025, pp. 3161–3179
2025
-
[43]
E. Malul, Y . Meidan, D. Mimran, Y . Elovici, and A. Shabtai, “GenKubeSec: LLM- Based Kubernetes Misconfiguration Detection, Localization, Reasoning, and Reme- diation,” arXiv:2405.19954, 2024
-
[44]
CloudLens: Modeling and Detecting Cloud Security Vulnerabilities,
M. Kazdagli, M. Tiwari, and A. Kumar, “CloudLens: Modeling and Detecting Cloud Security Vulnerabilities,” arXiv:2402.10985, 2024
-
[45]
TAC: Hybrid IAM Privilege Escalation Detection,
Y . Hu and W. Wang, “TAC: Hybrid IAM Privilege Escalation Detection,” arXiv:2304.14540, 2023
-
[46]
LLM Agents can Autonomously Exploit One-day Vulnerabilities
R. Fang, R. Bindu, A. Gupta, and D. Kang, “LLM Agents can Autonomously Exploit One-day Vulnerabilities,” arXiv:2404.08144, 2024
work page internal anchor Pith review Pith/arXiv arXiv 2024
-
[47]
PentestGPT: Evaluating and Harnessing Large Language Models for Automated Penetration Testing,
G. Deng, Y . Liu, V . Mayoral-Vilches, P. Liu, Y . Li, Y . Xu, M. Pinzger, S. Rass, T. Zhang, and Y . Liu, “PentestGPT: Evaluating and Harnessing Large Language Models for Automated Penetration Testing,” inProc. 33rd USENIX Security Symp., 2024, pp. 847–864. 16
2024
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.