MCM by Revdau
v1.1 is unreleased — see v1.0 for the current stable release.

Why MCM SecOps

The problems with managing cloud security per provider and how MCM SecOps solves them.

Security threats do not respect provider boundaries. A misconfigured S3 bucket, a vulnerable container image in Docker Hub, a hardcoded secret in a GitHub repository, and an unpatched Ubuntu host can all exist simultaneously — each detected by a different tool with its own alerting format, dashboard, and workflow. Without a unified layer, teams spend more time correlating alerts than fixing them.


Challenges & How MCM Solves Them

Each challenge below is a real friction point teams face when managing security across providers and toolchains without a unified layer.

1. Fragmented Visibility

AWS GuardDuty, Azure Defender, Docker Hub scanners, and GitHub security alerts each live in separate consoles with no shared view. Answering "are we secure right now?" requires logging into every tool individually.

How MCM solves it: All findings from all sources are normalised into a single dashboard with unified severity, status, category, and contextual details. Teams work from one queue rather than many.

2. Alert Fatigue

Different tools produce different alert formats with no correlation. Teams struggle to prioritise what matters across dozens of simultaneous findings.

How MCM solves it: MCM normalises every finding into a consistent format with severity (Critical/High/Medium/Low) and status (Open/In Progress/Resolved), making it straightforward to triage and prioritise across sources.

3. Incomplete Coverage

Cloud-native tools cover cloud resources but ignore container images, source code, and host machines — leaving large attack surfaces unmonitored.

How MCM solves it: MCM integrates multiple scanning engines to cover every layer: AWS CloudTrail via Wazuh for cloud activity, Trivy for container images across Docker Hub, ECR, and GitHub Container Registry, Trivy SAST for Git repositories, and Wazuh agents on Ubuntu hosts.

4. No Compliance Baseline

Organisations need a minimum baseline of security controls, but there is no cross-provider standard for what "secure" looks like.

How MCM solves it: MCM enforces a Minimum Baseline Security Standard (MBSS) across 7 domains — Identity & Access, Network, Logging, Encryption, Configuration, Vulnerability Management, and Governance — automatically, across all connected providers.

5. Manual Scanning

Container registries and code repositories require separate tool configurations, credentials, and schedules per source.

How MCM solves it: All scan sources — registries, repositories, and hosts — are configured once in MCM. A unified daily or weekly schedule runs across all of them, or any scan can be triggered on demand from the same interface.

6. No Unified Audit

Producing evidence for security audits means pulling reports from multiple tools and manually assembling a compliance picture.

How MCM solves it: All findings are centralised in MCM with full status tracking. Audit evidence is a single export rather than a manual assembly job across multiple tool dashboards.


MCM vs Managing Security Individually

Aspect         | Individual Tools                                          | MCM SecOps
---------------|-----------------------------------------------------------|-------------------------------------------------------
Coverage       | Separate tools per layer (cloud, container, code, host)   | Unified scanning across all layers
Onboarding     | Per-tool credentials and API configuration                | Single UI for registries, repos, and hosts
Findings       | Separate alert streams, different formats                 | Correlated dashboard with unified severity and status
Compliance     | Ad-hoc, manual mapping to frameworks                      | MBSS framework enforced automatically
Scheduling     | Different cadences per tool                               | Unified daily/weekly schedule or on-demand
Audit evidence | Pull reports from multiple tools manually                 | Centralised findings with status tracking

Features

Feature                          | Description
---------------------------------|-----------------------------------------------------------------------------------------------------------------------------
Cloud resource scanning          | Monitor AWS CloudTrail for IAM changes, root access, policy violations, and suspicious activity via Wazuh
Container image scanning         | Scan images across Docker Hub, AWS ECR, and GitHub Container Registry for CVEs, secrets, and misconfigurations via Trivy
Host scanning                    | Agent-based scanning on Ubuntu hosts for file integrity, malware, CVEs, and CIS benchmark compliance via Wazuh
Git repository scanning          | SAST scanning across GitHub repositories for secrets, dependency vulnerabilities, and IaC misconfigurations via Trivy
Container orchestration scanning | Monitor Docker Compose and Kubernetes environments for suspicious behaviour and configuration violations
MBSS compliance                  | Automated enforcement of the Minimum Baseline Security Standard across 7 security domains
Unified findings dashboard       | All findings normalised into a single view with severity (Critical/High/Medium/Low) and status (Open/In Progress/Resolved)
Scheduled and on-demand scans    | Configure daily or weekly scan schedules, or trigger a scan manually at any time
Finding categories               | Classify findings as Misconfiguration, Secrets, CVE, Best Practice violation, or other categories
Rich contextual detail           | Each finding includes source context: repo branch, image tag, file path, CVE reference, or CVSS score

Code Scanning

MCM SecOps scans your GitHub repositories using Trivy SAST to detect security issues directly in source code. Scans cover:

  • Hardcoded secrets — API keys, passwords, tokens, and certificates committed to the repository
  • Dependency vulnerabilities — known CVEs in package.json, requirements.txt, go.mod, and other manifest files
  • IaC misconfigurations — insecure settings in Terraform, CloudFormation, and Dockerfile definitions

Each finding includes the file path, line number, severity, CVE reference (where applicable), and the branch it was found on. Scans run on a configurable schedule or can be triggered manually from the MCM interface.

What you get: Security visibility into the code your team ships — catching secrets and vulnerabilities before they reach production, without adding a separate SAST tool to your pipeline.


Audit Log Scanning

MCM ingests AWS CloudTrail and Azure Activity Logs and passes them through Wazuh rules to detect suspicious or policy-violating activity. Detections include:

  • Root account usage and failed login attempts
  • IAM policy changes and privilege escalation
  • Unusual API call patterns and geographic anomalies
  • Security group or firewall rule modifications

Findings are normalised into the unified SecOps findings dashboard with the same severity levels and status workflow as all other finding types.

What you get: Continuous monitoring of cloud control-plane activity that would otherwise require a dedicated SIEM — surfacing insider threats, credential compromise, and misconfiguration changes as they happen.
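The normalisation step that the Alert Fatigue and Code Scanning sections describe (every scanner's output reduced to one severity scale, one status workflow, one category set and a context block) is the part of this design a practitioner would want to see concretely, and the Audit Log Scanning section above says CloudTrail detections go through the same path. The following Python is an added example, not MCM's own code: the page does not publish MCM's internal schema, so the Finding fields, the category names, and the Wazuh rule-level to severity bands are assumptions. The Trivy report and the Wazuh alert are constructed samples whose CVE and rule ids are placeholders; only the JSON field names follow the real Trivy and Wazuh formats.

```python
"""Normalise Trivy SAST results and a Wazuh CloudTrail alert into one finding schema.

Added example, not MCM's code: Finding fields, category names and the
level-to-severity bands are assumptions. Sample data is constructed; its
CVE and rule ids are placeholders, not real advisories.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass
class Finding:
    source: str     # which scanner produced it, e.g. "trivy-sast" or "wazuh-cloudtrail"
    category: str   # Misconfiguration | Secrets | CVE | Best Practice | Other
    severity: str   # Critical | High | Medium | Low
    title: str
    status: str = "Open"   # Open | In Progress | Resolved
    context: dict = field(default_factory=dict)  # repo, branch, path, line, CVE id, ...


# Trivy's result "Class" values are real; mapping them to categories is our choice.
TRIVY_CLASS_CATEGORY = {"os-pkgs": "CVE", "lang-pkgs": "CVE",
                        "secret": "Secrets", "config": "Misconfiguration"}


def trivy_severity(sev: str) -> str:
    """Trivy emits CRITICAL/HIGH/MEDIUM/LOW/UNKNOWN; UNKNOWN becomes Medium (assumption)."""
    sev = sev.upper()
    return sev.capitalize() if sev in ("CRITICAL", "HIGH", "MEDIUM", "LOW") else "Medium"


def normalise_trivy(report: dict, repo: str, branch: str) -> list:
    """One Finding per vulnerability, secret or misconfiguration in a Trivy JSON report."""
    findings = []
    for result in report.get("Results", []):
        base = {"repo": repo, "branch": branch, "path": result["Target"]}
        category = TRIVY_CLASS_CATEGORY.get(result.get("Class"), "Other")
        for v in result.get("Vulnerabilities", []):
            findings.append(Finding("trivy-sast", category, trivy_severity(v["Severity"]),
                                    f"{v['VulnerabilityID']} in {v['PkgName']}",
                                    context={**base, "cve": v["VulnerabilityID"],
                                             "fixed_version": v.get("FixedVersion") or None}))
        for s in result.get("Secrets", []):
            findings.append(Finding("trivy-sast", "Secrets", trivy_severity(s["Severity"]), s["Title"],
                                    context={**base, "line": s["StartLine"], "rule": s["RuleID"]}))
        for m in result.get("Misconfigurations", []):
            findings.append(Finding("trivy-sast", "Misconfiguration", trivy_severity(m["Severity"]),
                                    m["Title"], context={**base, "rule": m["ID"],
                                                         "line": m.get("CauseMetadata", {}).get("StartLine")}))
    return findings


def wazuh_severity(level: int) -> str:
    """Wazuh rule levels run 0-15; these bands are an assumption for this example."""
    return "Critical" if level >= 12 else "High" if level >= 9 else "Medium" if level >= 5 else "Low"


def normalise_wazuh(alert: dict) -> Finding:
    """Map a Wazuh alert on a CloudTrail event to the same schema (category Other)."""
    rule, aws = alert["rule"], alert.get("data", {}).get("aws", {})
    return Finding("wazuh-cloudtrail", "Other", wazuh_severity(rule["level"]), rule["description"],
                   context={"rule_id": rule["id"], "event": aws.get("eventName"),
                            "identity": aws.get("userIdentity", {}).get("type"),
                            "source_ip": aws.get("sourceIPAddress")})


def triage(findings: list) -> list:
    """Single queue: highest severity first, then by source and title for a stable order."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.source, f.title))


def summarise(findings: list) -> dict:
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed Trivy `fs` scan output (shape follows Trivy's JSON; ids are placeholders).
SAMPLE_TRIVY = {"Results": [
    {"Target": "requirements.txt", "Class": "lang-pkgs", "Type": "pip", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplelib", "InstalledVersion": "1.0.0",
         "FixedVersion": "1.0.1", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "otherlib", "InstalledVersion": "2.3",
         "FixedVersion": "", "Severity": "UNKNOWN"}]},
    {"Target": "app/settings.py", "Class": "secret", "Secrets": [
        {"RuleID": "aws-access-key-id", "Category": "AWS", "Severity": "CRITICAL",
         "Title": "AWS Access Key ID", "StartLine": 12, "EndLine": 12, "Match": "AKIA****************"}]},
    {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile", "Misconfigurations": [
        {"ID": "DS002", "Title": "Image user should not be 'root'", "Severity": "HIGH",
         "CauseMetadata": {"StartLine": 1, "EndLine": 1}}]}]}

# Constructed Wazuh alert for a CloudTrail root console login (rule id is a placeholder).
SAMPLE_WAZUH = {"rule": {"level": 12, "id": "999999", "groups": ["amazon", "aws_cloudtrail"],
                         "description": "AWS CloudTrail: root account console login"},
                "data": {"aws": {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
                                 "userIdentity": {"type": "Root"}}}}


def build_queue() -> list:
    """Both sources in one triaged queue, as a unified dashboard would present them."""
    findings = normalise_trivy(SAMPLE_TRIVY, repo="example-org/example-app", branch="main")
    findings.append(normalise_wazuh(SAMPLE_WAZUH))
    return triage(findings)


if __name__ == "__main__":
    for f in build_queue():
        print(f"[{f.severity:8}] {f.source:16} {f.category:16} {f.title}  {f.context}")
    print(summarise(build_queue()))
```

Running the module prints the five findings in one queue: the hardcoded AWS key and the root console login land at the top as Critical, the dependency CVE and the root-user Dockerfile check follow as High, and the UNKNOWN-severity package drops to Medium rather than silently becoming Low. The point of the `context` block is that the triage queue carries enough detail (repo and branch, path and line, CVE id and fix version, or CloudTrail event and identity) for someone to act without opening the originating tool, which is the workflow the sections above describe.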


Container Scanning

MCM scans container images across Docker Hub, AWS ECR, and GitHub Container Registry using Trivy to identify vulnerabilities and misconfigurations before containers run in production. Scans cover:

  • OS package CVEs — known vulnerabilities in base image packages (e.g. OpenSSL, glibc)
  • Application dependency CVEs — vulnerable libraries bundled in the image layers
  • Secrets in layers — credentials or tokens accidentally included in image build steps
  • Dockerfile misconfigurations — running as root, exposed sensitive ports, missing security options

Each finding includes the image name, tag, layer, CVE ID, CVSS score, and fix version where available.

What you get: A clear picture of the vulnerability surface of your container fleet before images are deployed — prioritised by severity so teams focus on what matters most first.


Host Runtime & Network Security

MCM deploys Wazuh agents on Ubuntu hosts to provide continuous runtime and network security monitoring. Coverage includes:

  • File integrity monitoring — alerts when critical system files or configurations are modified unexpectedly
  • Malware detection — rootkit and malicious pattern detection on running processes and the file system
  • CVE assessment — identifies unpatched packages on the host against the NVD vulnerability database
  • CIS benchmark compliance — evaluates the host configuration against CIS Ubuntu benchmark controls
  • Network anomaly detection — monitors outbound connections and flags unusual traffic patterns

All host findings flow into the same unified SecOps dashboard, giving you a consolidated view of cloud, code, container, and host security in one place.

What you get: Operating system-level security visibility for Linux hosts that cloud provider tools cannot reach — detecting threats and misconfigurations on the actual machines running your workloads.
