Connectors — how ZEUS reads the environment
ZEUS does not install agents everywhere and does not open inbound ports. It reads the environment through connectors — always read-only and outbound-only, authenticated through your existing identity provider.
Connector matrix
| Category | Connector | Auth method | What it reads |
|---|---|---|---|
| Cloud | Microsoft Azure | Service Principal | ARM + Resource Graph + Defender |
| Cloud | AWS | IAM Role / AccessKey | Boto3: EC2 · S3 · IAM · GuardDuty |
| Cloud | Google Cloud | Workload Identity | Asset Inventory + Security Center |
| Identity | Microsoft Entra ID | Service Principal | Users · groups · MFA · sign-ins |
| Identity | Active Directory | LDAP bind | Forest + users + GPOs |
| SCM | GitHub / GitLab | GitHub App / OAuth2 | Repos · branches · SCA · secrets |
| SIEM/EDR | Wazuh | API key | Alerts · SCA · agents · vulns |
| SIEM/EDR | Microsoft Defender | OAuth2 | Alerts · recommendations · incidents |
| Containers | Kubernetes | ServiceAccount | Pods · workloads · RBAC · network |
| On-prem | Wazuh / WinRM / vCenter | reverse-SSH tunnel | tunneled SIEM · Windows · vSphere |
Principles worth knowing
- Read-only — the Service Principal/IAM has read-only permissions (Reader + Security Reader). Auto-remediation requires a separate, conscious decision.
- Outbound-only — it is the customer environment that initiates the outbound connection (443/tunnel). No inbound rules on the customer side.
- Secrets at the customer — credentials are kept in the customer's private Key Vault, the connector fetches them at startup (Managed Identity).
- New connectors without redeploy — adding a connector does not require rebuilding ZEUS.
What crosses the environment boundary
ZEUS sends only metadata to the tenant: resource names/types/tags, deduplicated CVEs + CVSS, compliance control statuses, correlated SIEM alerts (MITRE tactic, severity), agent heartbeats.
What never leaves the environment: raw credentials/secrets, database contents, raw network packets, database schemas and business data, end-user PII.
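The data boundary above is only as strong as the egress check that enforces it on the customer side. The following is an added example, not ZEUS code: a connector-side filter that allowlists the metadata fields per record type and drops or redacts anything that looks like credentials or end-user PII before the record is sent outbound. The record kinds, field names, regex patterns and the sample record are constructed assumptions for illustration.

```python
"""Egress allowlist filter for a read-only connector.

Added example (not ZEUS's own code). Enforces the page's data boundary:
metadata crosses out; secrets, schemas, business data and PII never do.
The schema below is an assumed one, not the product's real one.
"""
import re

# Allowlisted metadata keys per record kind (assumed schema).
ALLOWED_FIELDS = {
    "resource": {"name", "type", "tags", "region"},
    "vuln": {"cve", "cvss", "resource", "fix_available"},
    "compliance": {"control", "status", "resource"},
    "siem_alert": {"rule", "mitre_tactic", "severity", "timestamp", "host"},
    "heartbeat": {"agent_id", "last_seen", "version"},
}

# Key names that denote secret material, whatever the record kind.
SECRET_KEY_RE = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|private[_-]?key|connection[_-]?string)",
    re.I,
)

# Value shapes that indicate a credential or PII leaking through an allowed
# field (for example a tag value). Constructed patterns, deliberately coarse.
SECRET_VALUE_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                  # AWS access key id shape
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),  # PEM private key header
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),           # e-mail address (end-user PII)
]


class BoundaryViolation(Exception):
    """Raised when a record cannot be sent at all (unknown kind)."""


def _scrub_value(value, path, dropped):
    """Recursively remove secret-named keys and redact secret-looking strings."""
    if isinstance(value, dict):
        out = {}
        for k, v in value.items():
            if SECRET_KEY_RE.search(k):
                dropped.append(f"{path}.{k}")   # key name alone is disqualifying
                continue
            out[k] = _scrub_value(v, f"{path}.{k}", dropped)
        return out
    if isinstance(value, list):
        return [_scrub_value(v, f"{path}[{i}]", dropped) for i, v in enumerate(value)]
    if isinstance(value, str) and any(p.search(value) for p in SECRET_VALUE_PATTERNS):
        dropped.append(path)
        return "[REDACTED]"
    return value


def filter_egress(record):
    """Return (clean_record, dropped_paths) for one outbound record.

    Fields not on the allowlist for the record kind are dropped silently;
    an unknown kind is refused outright rather than forwarded "just in case".
    """
    kind = record.get("kind")
    if kind not in ALLOWED_FIELDS:
        raise BoundaryViolation(f"unknown record kind {kind!r}; refusing to send")
    dropped = []
    clean = {"kind": kind}
    for key, value in record.items():
        if key == "kind":
            continue
        if key not in ALLOWED_FIELDS[kind]:
            dropped.append(key)                 # not allowlisted: stays in the DC
            continue
        clean[key] = _scrub_value(value, key, dropped)
    return clean, dropped


# Constructed sample: an inventory record as a careless collector might build it.
SAMPLE_RECORD = {
    "kind": "resource",
    "name": "sql-prod-01",
    "type": "Microsoft.Sql/servers",
    "region": "westeurope",
    "tags": {"owner": "dba-team@example.com", "env": "prod", "admin_password": "hunter2"},
    "connection_string": "Server=sql-prod-01;Password=hunter2",  # must never leave
    "schema": {"tables": ["customers"]},                           # DB schema, must never leave
}

if __name__ == "__main__":
    clean, dropped = filter_egress(SAMPLE_RECORD)
    print("outbound:", clean)
    print("kept in the DC:", dropped)
```

Two design choices matter here: the filter is allowlist-first (a field is dropped unless it is explicitly metadata), with the secret and PII patterns only as a second line of defence inside allowed fields such as tags; and an unknown record kind fails closed. The `dropped` list is worth logging locally, since repeated drops of the same path point at a collector that is gathering more than it should.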
Tip: this is the slide that reassures the customer's DPO. The data boundary is clear — "what goes out" vs "what stays forever in the DC".
Each connector is a read-only window into one system. Together they provide a normalized, unified picture of the entire environment — and modify nothing.