SECURITY — find what is wrong

The SECURITY pillar overlays findings onto the assets and provides a single investigation surface. Six studios, one goal: find and close the problem faster.

CNAPP — 16 scanners

The Cloud-Native Application Protection Platform orchestrates 16 open-source scanners across code, IaC, containers and clouds (Trivy, Grype, Checkov, Kubescape, Bandit, Prowler, gitleaks and 9 others). All permissively licensed (Apache-2.0/MIT/BSD/ISC) — a clean re-sell story.

Note: after the 2026-05 licensing audit, 16 scanners remained (4 with GPL licenses were removed). If you see "18" somewhere — that is out of date.

ZEUS deduplicates findings across scanners: e.g. 71 unique critical CVEs from hundreds of raw hits.

Vulnerability Management

A central CVE inventory with SLA tracking and a finding state machine:

open → triaged → fix-in-progress → resolved → verified
  • scoring: severity × exploitability × asset criticality,
  • SLA per severity (Critical 7 days · High 30 · Medium 90),
  • auto-grouping: 1200 findings → ~50 workstreams,
  • escalation to Slack/Teams when the SLA is breached.
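A worked model of the state machine and SLA clock above (added example, not the platform's own code): findings may only move one step forward along open → triaged → fix-in-progress → resolved → verified, the SLA deadline is derived from the page's per-severity day counts, and a breached, still-unresolved finding is what triggers escalation. The helper names and the rule that the SLA clock stops at "resolved" are assumptions; the CVE identifiers are placeholders.

```python
from datetime import datetime, timedelta

# Added example, not the platform's own code. Models the Vulnerability Management
# finding state machine and per-severity SLA clock. Helper names and the rule
# that the SLA clock stops at "resolved" are assumptions.

STATES = ["open", "triaged", "fix-in-progress", "resolved", "verified"]
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}  # values from the page


def _ts(iso: str) -> datetime:
    return datetime.fromisoformat(iso)


def new_finding(cve: str, severity: str, opened_at: str) -> dict:
    """Create a finding in the initial 'open' state with a transition history."""
    return {"cve": cve, "severity": severity, "state": "open",
            "history": [("open", _ts(opened_at))]}


def advance(finding: dict, new_state: str, at: str) -> dict:
    """Move a finding exactly one step forward; any other transition is rejected."""
    cur = STATES.index(finding["state"])
    if new_state not in STATES or STATES.index(new_state) != cur + 1:
        raise ValueError(f"illegal transition {finding['state']} -> {new_state}")
    finding["state"] = new_state
    finding["history"].append((new_state, _ts(at)))
    return finding


def sla_deadline(finding: dict) -> datetime:
    opened = finding["history"][0][1]
    return opened + timedelta(days=SLA_DAYS[finding["severity"]])


def sla_status(finding: dict, now: str) -> str:
    """'met' if resolved by the deadline, 'breached' if past it (resolved late or
    still unresolved), otherwise 'on-track'. Assumption: clock stops at 'resolved'."""
    deadline = sla_deadline(finding)
    resolved_at = next((t for s, t in finding["history"] if s == "resolved"), None)
    if resolved_at is not None:
        return "met" if resolved_at <= deadline else "breached"
    return "breached" if _ts(now) > deadline else "on-track"


def needs_escalation(finding: dict, now: str) -> bool:
    """Unresolved and past SLA: the condition under which the page escalates to Slack/Teams."""
    unresolved = finding["state"] not in ("resolved", "verified")
    return unresolved and sla_status(finding, now) == "breached"


if __name__ == "__main__":
    f = new_finding("CVE-EXAMPLE-0001", "critical", "2026-05-01T09:00:00")  # placeholder id
    advance(f, "triaged", "2026-05-01T10:00:00")
    print(sla_status(f, "2026-05-09T09:00:00"), needs_escalation(f, "2026-05-09T09:00:00"))
```

Keeping the history as a list of (state, timestamp) pairs is what lets the SLA status be recomputed later from the record rather than from a mutable "due date" field, which matters when an auditor asks when exactly a critical finding went out of SLA.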

SIEM Aggregation

A single alert queue from multiple sources (Wazuh, Defender, GuardDuty, Sentinel...), severity normalization, MITRE ATT&CK mapping, auto-triage.

Custom Detection Rules (YAML DSL)

The operator writes detection rules in YAML — without deploying code. Threshold + group_by + a sliding window:

id: ssh-bruteforce
match:
  all:
    - field: rule.id
      in: [5710, 5712, 5760]
threshold: { count: 10, group_by: agent.ip, window_minutes: 5 }
then:
  emit_alert: { title: "SSH burst from {{ agent_ip }}", severity: high }
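To make the threshold/group_by/window semantics concrete, here is a small evaluator run over constructed Wazuh-style events (added example, not the platform's rule engine). The rule is written as the dict a YAML loader would produce from the block above. Assumptions: each match.all entry is a {field, in} test on a dotted path, the window slides per group_by value and resets after an alert, events carry a timestamp field, and {{ agent_ip }} in the title resolves to the group_by field with "." replaced by "_".

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not the platform's own rule engine. Assumptions: {field, in}
# match tests on dotted paths, a sliding window per group_by value that resets
# after an alert, a "timestamp" field on each event, and title placeholders
# resolved from the group_by field name with "." -> "_".

RULE = {  # the page's YAML rule, as a YAML loader would return it
    "id": "ssh-bruteforce",
    "match": {"all": [{"field": "rule.id", "in": [5710, 5712, 5760]}]},
    "threshold": {"count": 10, "group_by": "agent.ip", "window_minutes": 5},
    "then": {"emit_alert": {"title": "SSH burst from {{ agent_ip }}", "severity": "high"}},
}


def get_path(event, path):
    """Resolve a dotted path such as 'agent.ip' inside a nested event dict."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(rule, event):
    return all(get_path(event, c["field"]) in c["in"] for c in rule["match"]["all"])


def render(template, context):
    return re.sub(r"\{\{\s*(\w+)\s*\}\}",
                  lambda m: str(context.get(m.group(1), m.group(0))), template)


class RuleEngine:
    """Sliding-window threshold counter keyed by the rule's group_by value."""

    def __init__(self, rule):
        self.rule = rule
        self.window = timedelta(minutes=rule["threshold"]["window_minutes"])
        self.buckets = defaultdict(deque)  # group value -> timestamps inside the window

    def feed(self, event):
        """Return an alert dict when this event crosses the threshold for its group, else None."""
        if not matches(self.rule, event):
            return None
        th = self.rule["threshold"]
        key = get_path(event, th["group_by"])
        ts = datetime.fromisoformat(event["timestamp"])
        q = self.buckets[key]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) < th["count"]:
            return None
        q.clear()  # one burst -> one alert (assumption)
        spec = self.rule["then"]["emit_alert"]
        ctx = {th["group_by"].replace(".", "_"): key, "group_value": key}
        return {"rule_id": self.rule["id"], "severity": spec["severity"],
                "title": render(spec["title"], ctx), "group_value": key}


def run(rule, events):
    eng = RuleEngine(rule)
    return [a for a in (eng.feed(e) for e in events) if a]


def sample_events():
    """Constructed events: 12 failed-login hits from one IP within 3 minutes, a slow
    trickle from another IP that never crosses the threshold, and one unrelated rule id."""
    base = datetime(2026, 5, 1, 12, 0, 0)
    evs = [{"timestamp": (base + timedelta(seconds=15 * i)).isoformat(),
            "rule": {"id": 5710}, "agent": {"ip": "10.0.0.5"}} for i in range(12)]
    evs += [{"timestamp": (base + timedelta(minutes=6 * i)).isoformat(),
             "rule": {"id": 5712}, "agent": {"ip": "10.0.0.9"}} for i in range(12)]
    evs.append({"timestamp": base.isoformat(), "rule": {"id": 5501}, "agent": {"ip": "10.0.0.5"}})
    return sorted(evs, key=lambda e: e["timestamp"])


if __name__ == "__main__":
    for alert in run(RULE, sample_events()):
        print(alert)
```

The trickle source (one hit every 6 minutes) never accumulates 10 hits inside a 5-minute window, which is exactly why the window matters: a plain count over the day would flag it, a sliding window does not. The reset after an alert is a design choice; without it every further hit in the burst would re-emit the alert.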

Forensic Timeline

A hash-chained (SHA-256, chained forward), tamper-evident reconstruction of every change on the platform — built with the auditor in mind.
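How a forward SHA-256 hash chain makes a timeline tamper-evident, as an added example (not the platform's implementation): each link stores the previous link's hash, and the verifier recomputes every hash from the genesis value, so an edited, deleted or reordered entry breaks the chain at the first affected link. The entry fields and the genesis constant are constructed.

```python
import copy
import hashlib
import json

# Added example, not the platform's own code. A forward SHA-256 hash chain over
# audit entries plus a verifier. Entry fields and the genesis value are constructed.

GENESIS = "0" * 64


def entry_hash(prev_hash, entry):
    # canonical JSON so the same entry always serialises (and hashes) identically
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append(chain, entry):
    """Add a link whose hash covers both the entry and the previous link's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"entry": entry, "prev": prev, "hash": entry_hash(prev, entry)})
    return chain


def verify(chain):
    """Walk the chain from genesis; return (True, None) or (False, index_of_first_bad_link)."""
    prev = GENESIS
    for i, link in enumerate(chain):
        if link["prev"] != prev or link["hash"] != entry_hash(prev, link["entry"]):
            return False, i
        prev = link["hash"]
    return True, None


def build_sample():
    """Constructed audit entries: three platform changes recorded in order."""
    chain = []
    for e in [
        {"ts": "2026-05-01T09:00:00Z", "actor": "alice", "action": "finding.transition",
         "target": "f-1", "to": "triaged"},
        {"ts": "2026-05-01T09:05:00Z", "actor": "bob", "action": "rule.update",
         "target": "ssh-bruteforce"},
        {"ts": "2026-05-01T09:07:00Z", "actor": "alice", "action": "playbook.run",
         "target": "isolate"},
    ]:
        append(chain, e)
    return chain


def tamper(chain):
    """Return a copy in which one entry was rewritten after the fact."""
    forged = copy.deepcopy(chain)
    forged[1]["entry"]["actor"] = "mallory"
    return forged


if __name__ == "__main__":
    chain = build_sample()
    print("intact:", verify(chain))
    print("edited:", verify(tamper(chain)))
    print("deleted:", verify(chain[:1] + chain[2:]))
```

The chain proves that the record is internally consistent, not that it is the record the auditor saw last week: someone with write access to the store can rewrite every link from the edit onward. The usual mitigation is to periodically anchor the head hash somewhere the platform cannot overwrite (a signed checkpoint, a WORM bucket, or a ticket handed to the auditor), so that any rewrite is caught by comparing against the anchored head.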

SOAR-lite Playbooks

YAML playbooks that respond to alerts (triggered by rule_id/severity). Steps: notify · enrich · isolate · ticket, with conditions and safe evaluation.

trigger: { rule_id: ssh-bruteforce, severity_gte: high }
steps:
  - { action: threat_intel.enrich, params: { indicator: "{{ alert.group_value }}" } }
  - { action: defender.isolate_host, condition: "{{ steps.enrich.malicious }} == True" }

A detection rule emits an alert → a playbook responds. This is the full "find → respond" loop in a single platform.
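The response half of that loop, as an added example (not the platform's playbook engine): the playbook above is run against a constructed alert, with template rendering and a condition evaluator that compares rendered values textually instead of handing the string to eval(). Assumptions: a step is addressed as steps.<last segment of its action>, the isolate step targets the alert's group_value, and the enrich/isolate handlers are in-memory stand-ins for the real threat-intel and Defender integrations.

```python
import re

# Added example, not the platform's own playbook engine. Assumptions: a step is
# addressed as steps.<last segment of its action>, isolate_host acts on the
# alert's group_value, and the handlers below are in-memory stand-ins.

PLAYBOOK = {  # the page's YAML playbook, as a YAML loader would return it
    "trigger": {"rule_id": "ssh-bruteforce", "severity_gte": "high"},
    "steps": [
        {"action": "threat_intel.enrich", "params": {"indicator": "{{ alert.group_value }}"}},
        {"action": "defender.isolate_host", "condition": "{{ steps.enrich.malicious }} == True"},
    ],
}

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
KNOWN_BAD = {"10.0.0.5"}  # constructed threat-intel list


def lookup(ctx, path):
    """Resolve a dotted path such as 'steps.enrich.malicious' in the run context."""
    cur = ctx
    for p in path.split("."):
        cur = cur.get(p) if isinstance(cur, dict) else None
    return cur


def render(template, ctx):
    return re.sub(r"\{\{\s*([\w.]+)\s*\}\}", lambda m: str(lookup(ctx, m.group(1))), template)


_COND = re.compile(r"^\s*(\S+)\s*(==|!=)\s*(\S+)\s*$")


def evaluate(condition, ctx):
    """Safe evaluation: only '<lhs> == <rhs>' or '<lhs> != <rhs>' after rendering.
    Anything else is rejected; nothing is ever passed to eval()."""
    m = _COND.match(render(condition, ctx))
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    lhs, op, rhs = m.groups()
    return (lhs == rhs) if op == "==" else (lhs != rhs)


def enrich(params, state):
    ind = params["indicator"]
    return {"indicator": ind, "malicious": ind in KNOWN_BAD}


def isolate_host(params, state):
    host = state["alert"]["group_value"]
    state["isolated"].add(host)  # stand-in for the Defender isolation call
    return {"isolated": host}


HANDLERS = {"threat_intel.enrich": enrich, "defender.isolate_host": isolate_host}


def triggers(playbook, alert):
    t = playbook["trigger"]
    return (alert["rule_id"] == t["rule_id"]
            and SEVERITY_RANK[alert["severity"]] >= SEVERITY_RANK[t["severity_gte"]])


def run_playbook(playbook, alert):
    """Run the steps in order; each step's result is visible to later conditions."""
    state = {"alert": alert, "steps": {}, "isolated": set()}
    if not triggers(playbook, alert):
        return state
    for step in playbook["steps"]:
        name = step["action"].split(".")[-1]
        if "condition" in step and not evaluate(step["condition"], state):
            state["steps"][name] = {"skipped": True}
            continue
        params = {k: render(v, state) for k, v in step.get("params", {}).items()}
        state["steps"][name] = HANDLERS[step["action"]](params, state)
    return state


if __name__ == "__main__":
    alert = {"rule_id": "ssh-bruteforce", "severity": "high", "group_value": "10.0.0.5"}  # constructed
    print(run_playbook(PLAYBOOK, alert)["steps"])
```

The point of the restricted condition grammar is that template values come from alert data, which an attacker partly controls (a hostname, a username, an indicator string); with eval() that data would become code inside the SOAR process, whereas here it can only ever be one side of a string comparison. Note also that the isolate step is gated on the enrichment verdict, so a burst from an unknown source is enriched and ticketed but not isolated automatically.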