Why MCM SecOps
The problems with managing cloud security per provider and how MCM SecOps solves them.
Security threats do not respect provider boundaries. A misconfigured S3 bucket, a vulnerable container image in Docker Hub, a hardcoded secret in a GitHub repository, and an unpatched Ubuntu host can all exist simultaneously — each detected by a different tool with its own alerting format, dashboard, and workflow. Without a unified layer, teams spend more time correlating alerts than fixing them.
Challenges & How MCM Solves Them
Each challenge below is a real friction point teams face when managing security across providers and toolchains without a unified layer.
1. Fragmented Visibility
AWS GuardDuty, Azure Defender, Docker Hub scanners, and GitHub security alerts each live in separate consoles with no shared view. Answering "are we secure right now?" requires logging into every tool individually.
How MCM solves it: All findings from all sources are normalised into a single dashboard with unified severity, status, category, and contextual details. Teams work from one queue rather than many.
2. Alert Fatigue
Different tools produce different alert formats with no correlation. Teams struggle to prioritise what matters across dozens of simultaneous findings.
How MCM solves it: MCM normalises every finding into a consistent format with severity (Critical/High/Medium/Low) and status (Open/In Progress/Resolved), making it straightforward to triage and prioritise across sources.
3. Incomplete Coverage
Cloud-native tools cover cloud resources but ignore container images, source code, and host machines — leaving large attack surfaces unmonitored.
How MCM solves it: MCM integrates multiple scanning engines to cover every layer: AWS CloudTrail via Wazuh for cloud activity, Trivy for container images across Docker Hub, ECR, and GitHub Container Registry, Trivy SAST for Git repositories, and Wazuh agents on Ubuntu hosts.
4. No Compliance Baseline
Organisations need a minimum baseline of security controls, but there is no cross-provider standard for what "secure" looks like.
How MCM solves it: MCM enforces a Minimum Baseline Security Standard (MBSS) across 7 domains — Identity & Access, Network, Logging, Encryption, Configuration, Vulnerability Management, and Governance — automatically, across all connected providers.
5. Manual Scanning
Container registries and code repositories require separate tool configurations, credentials, and schedules per source.
How MCM solves it: All scan sources — registries, repositories, and hosts — are configured once in MCM. A unified daily or weekly schedule runs across all of them, or any scan can be triggered on demand from the same interface.
6. No Unified Audit
Producing evidence for security audits means pulling reports from multiple tools and manually assembling a compliance picture.
How MCM solves it: All findings are centralised in MCM with full status tracking. Audit evidence is a single export rather than a manual assembly job across multiple tool dashboards.
MCM vs Managing Security Individually
| Aspect | Individual Tools | MCM SecOps |
|---|---|---|
| Coverage | Separate tools per layer (cloud, container, code, host) | Unified scanning across all layers |
| Onboarding | Per-tool credentials and API configuration | Single UI for registries, repos, and hosts |
| Findings | Separate alert streams, different formats | Correlated dashboard with unified severity and status |
| Compliance | Ad-hoc, manual mapping to frameworks | MBSS framework enforced automatically |
| Scheduling | Different cadences per tool | Unified daily/weekly schedule or on-demand |
| Audit evidence | Pull reports from multiple tools manually | Centralised findings with status tracking |
Features
| Feature | Description |
|---|---|
| Cloud resource scanning | Monitor AWS CloudTrail for IAM changes, root access, policy violations, and suspicious activity via Wazuh |
| Container image scanning | Scan images across Docker Hub, AWS ECR, and GitHub Container Registry for CVEs, secrets, and misconfigurations via Trivy |
| Host scanning | Agent-based scanning on Ubuntu hosts for file integrity, malware, CVEs, and CIS benchmark compliance via Wazuh |
| Git repository scanning | SAST scanning across GitHub repositories for secrets, dependency vulnerabilities, and IaC misconfigurations via Trivy |
| Container orchestration scanning | Monitor Docker Compose and Kubernetes environments for suspicious behaviour and configuration violations |
| MBSS compliance | Automated enforcement of the Minimum Baseline Security Standard across 7 security domains |
| Unified findings dashboard | All findings normalised into a single view with severity (Critical/High/Medium/Low) and status (Open/In Progress/Resolved) |
| Scheduled and on-demand scans | Configure daily or weekly scan schedules, or trigger a scan manually at any time |
| Finding categories | Classify findings as Misconfiguration, Secrets, CVE, Best Practice violation, or other categories |
| Rich contextual detail | Each finding includes source context: repo branch, image tag, file path, CVE reference, or CVSS score |
Code Scanning
MCM SecOps scans your GitHub repositories using Trivy SAST to detect security issues directly in source code. Scans cover:
- Hardcoded secrets — API keys, passwords, tokens, and certificates committed to the repository
- Dependency vulnerabilities — known CVEs in `package.json`, `requirements.txt`, `go.mod`, and other manifest files
- IaC misconfigurations — insecure settings in Terraform, CloudFormation, and Dockerfile definitions
Each finding includes the file path, line number, severity, CVE reference (where applicable), and the branch it was found on. Scans run on a configurable schedule or can be triggered manually from the MCM interface.
What you get: Security visibility into the code your team ships — catching secrets and vulnerabilities before they reach production, without adding a separate SAST tool to your pipeline.
Audit Log Scanning
MCM ingests AWS CloudTrail and Azure Activity Logs and passes them through Wazuh rules to detect suspicious or policy-violating activity. Detections include:
- Root account usage and failed login attempts
- IAM policy changes and privilege escalation
- Unusual API call patterns and geographic anomalies
- Security group or firewall rule modifications
Findings are normalised into the unified SecOps findings dashboard with the same severity levels and status workflow as all other finding types.
What you get: Continuous monitoring of cloud control-plane activity that would otherwise require a dedicated SIEM — surfacing insider threats, credential compromise, and misconfiguration changes as they happen.
Container Scanning
MCM scans container images across Docker Hub, AWS ECR, and GitHub Container Registry using Trivy to identify vulnerabilities and misconfigurations before containers run in production. Scans cover:
- OS package CVEs — known vulnerabilities in base image packages (e.g. OpenSSL, glibc)
- Application dependency CVEs — vulnerable libraries bundled in the image layers
- Secrets in layers — credentials or tokens accidentally included in image build steps
- Dockerfile misconfigurations — running as root, exposed sensitive ports, missing security options
Each finding includes the image name, tag, layer, CVE ID, CVSS score, and fix version where available.
What you get: A clear picture of the vulnerability surface of your container fleet before images are deployed — prioritised by severity so teams focus on what matters most first.
Host Runtime & Network Security
MCM deploys Wazuh agents on Ubuntu hosts to provide continuous runtime and network security monitoring. Coverage includes:
- File integrity monitoring — alerts when critical system files or configurations are modified unexpectedly
- Malware detection — rootkit and malicious pattern detection on running processes and the file system
- CVE assessment — identifies unpatched packages on the host against the NVD vulnerability database
- CIS benchmark compliance — evaluates the host configuration against CIS Ubuntu benchmark controls
- Network anomaly detection — monitors outbound connections and flags unusual traffic patterns
All host findings flow into the same unified SecOps dashboard, giving you a consolidated view of cloud, code, container, and host security in one place.
What you get: Operating-system-level security visibility for Linux hosts that cloud provider tools cannot reach — detecting threats and misconfigurations on the actual machines running your workloads.
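As an added example (not MCM's own code), the normalisation step that the Code Scanning, Audit Log Scanning, Container Scanning and host sections all depend on: flattening Trivy `--format json` results and Wazuh `alerts.json` records into one finding record carrying the severity, status and category fields described above. The Trivy and Wazuh field names follow those tools' documented output; the MCM-side field names, the Wazuh rule-level thresholds and the sample inputs are assumptions.

```python
# Added example, not MCM's own code: normalise Trivy and Wazuh output into the
# unified severity/status/category schema the page describes. Trivy fields follow its
# `--format json` output, Wazuh fields its alerts.json; MCM-side names, the Wazuh
# level thresholds and all sample data are assumptions.
from dataclasses import dataclass, field

RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

@dataclass
class Finding:
    source: str            # "github", "ecr", "wazuh", ...
    category: str          # Misconfiguration | Secrets | CVE | Best Practice
    severity: str          # Critical | High | Medium | Low
    title: str
    status: str = "Open"   # Open | In Progress | Resolved
    context: dict = field(default_factory=dict)

def trivy_severity(s: str) -> str:
    s = s.capitalize()                 # Trivy emits UPPER-CASE
    return s if s in RANK else "Low"   # UNKNOWN -> Low (assumption)

def wazuh_severity(level: int) -> str:  # Wazuh rule levels run 0-15
    return "Critical" if level >= 12 else "High" if level >= 10 else "Medium" if level >= 7 else "Low"

def from_trivy(report: dict, source: str, ctx: dict) -> list[Finding]:
    # Flatten one Trivy report (image or repository scan) into findings
    out = []
    for res in report.get("Results", []):
        target = res.get("Target", "")
        for v in res.get("Vulnerabilities") or []:
            score = next((c["V3Score"] for c in (v.get("CVSS") or {}).values() if "V3Score" in c), None)
            out.append(Finding(source, "CVE", trivy_severity(v["Severity"]), v["VulnerabilityID"],
                               context={**ctx, "target": target, "package": v["PkgName"],
                                        "fix_version": v.get("FixedVersion"), "cvss": score}))
        for s in res.get("Secrets") or []:
            out.append(Finding(source, "Secrets", trivy_severity(s["Severity"]), s["Title"],
                               context={**ctx, "file_path": target, "line": s["StartLine"]}))
    return out

def from_wazuh(alert: dict, category: str = "Misconfiguration") -> Finding:
    rule = alert["rule"]   # category defaults are an assumption; MCM may classify differently
    return Finding("wazuh", category, wazuh_severity(rule["level"]), rule["description"], context={"rule_id": rule["id"]})

# Constructed sample inputs with placeholder IDs, not real scan output.
IMAGE = {"Results": [{"Target": "app:1.4 (debian 12)", "Vulnerabilities": [{
    "VulnerabilityID": "CVE-0000-0000", "PkgName": "openssl", "Severity": "HIGH",
    "FixedVersion": "3.0.11-1", "CVSS": {"nvd": {"V3Score": 7.5}}}]}]}
REPO = {"Results": [{"Target": "config/settings.py", "Secrets": [{
    "RuleID": "aws-access-key-id", "Severity": "CRITICAL", "Title": "AWS Access Key ID", "StartLine": 12}]}]}
ALERT = {"rule": {"level": 10, "id": "100001", "description": "AWS root account used"}, "agent": {"name": "wazuh-manager"}}

def demo() -> list[Finding]:  # one queue across all sources: open findings first, then by severity
    findings = from_trivy(IMAGE, "ecr", {"image_tag": "1.4"}) + from_trivy(REPO, "github", {"branch": "main"}) + [from_wazuh(ALERT)]
    return sorted(findings, key=lambda f: (f.status != "Open", RANK[f.severity]))
```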