
content(what-is): expand the cloud security explainer #19141

Merged
CamSoper merged 4 commits into master from aleventer/what-is-cloud-security-rewrite on May 19, 2026

Conversation

@alexleventer
Contributor

Summary

Rewrites content/what-is/what-is-cloud-security.md from a general overview into a deeper, more practical explainer that engineers and security teams can actually use as a reference. Body grows from ~280 lines to ~140 well-structured lines.

What changed

  • Opening definition — quotable one-paragraph definition followed by a short "what this means in practice" lead-in.
  • Why it matters — three concrete drivers (attack surface growth, misconfiguration as the dominant failure mode, regulation catching up).
  • On-prem vs. cloud comparison table — perimeter, infrastructure, responsibility, pace of change, primary risk, inventory.
  • Shared responsibility model table — IaaS / PaaS / SaaS columns showing exactly what shifts as you climb the abstraction stack.
  • CIA triad + principles — confidentiality, integrity, availability, plus defense in depth, least privilege, zero trust, secure by default.
  • Six domains — IAM, data protection, network, app/workload, posture management, detection & response.
  • Top-10 risk list — keyed to OWASP Cloud-Native Top 10 and CSA Top Threats categories.
  • Nine best practices — concrete, with internal links to IaC, ESC, CrossGuard, and Pulumi components.
  • IaC + cloud security section — explains how PRs, policy as code, runtime secrets, and drift detection reduce the misconfiguration class of breaches.
  • FAQ — ten doubt-removers: shared responsibility, common breach causes, CSPM, zero trust, compliance, and a getting-started checklist.
  • Learn more — cross-links to IaC, secrets management, configuration management, SOC 2, HIPAA, HITRUST.

Test plan

  • make serve; visit /what-is/what-is-cloud-security/ and confirm tables, headings, and internal links render correctly
  • Spot-check the cross-links resolve (/what-is/what-is-soc-2/, /product/esc/, /docs/insights/policy/, etc.)
  • CI lint + pinned review

🤖 Generated with Claude Code

Rewrites content/what-is/what-is-cloud-security.md from a general
overview into a deeper page modeled on the same template as the
recent IaC and DevOps rewrites.

New structure:
- Bold quotable definition + question-driven TOC.
- "Why does cloud security matter?" with three drivers (attack
  surface, misconfiguration, regulation).
- On-premises vs. cloud comparison table.
- Shared responsibility model as an IaaS/PaaS/SaaS table.
- CIA triad and the related principles (defense in depth, least
  privilege, zero trust, secure by default).
- Six security domains (IAM, data, network, app/workload, posture,
  detection/response).
- Top-10-style risk list keyed to OWASP Cloud-Native and CSA Top
  Threats categories.
- Nine concrete best practices with internal links to IaC, ESC,
  CrossGuard, and components.
- Section on how IaC and policy as code reduce cloud-security risk.
- Ten FAQ entries (doubt-removers: shared responsibility, common
  breach causes, CSPM, zero trust, getting-started checklist).
- Learn-more cross-links to IaC, secrets management, configuration
  management, SOC 2, HIPAA, HITRUST.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
alexleventer marked this pull request as ready for review May 18, 2026 22:58
@pulumi-bot
Collaborator

pulumi-bot commented May 19, 2026

@alexleventer
Contributor Author

@claude - review this pr please

@pulumi-bot
Collaborator

pulumi-bot commented May 19, 2026

Claude finished @alexleventer's task in 2m 15s


PR Review: content(what-is): expand the cloud security explainer

Tasks:

  • Gather context and read changed files
  • Analyze diff against origin/master
  • Review content quality, accuracy, and style
  • Check internal links and references
  • Post review findings

Summary

Scope: content/what-is/what-is-cloud-security.md (+129 / −208)
Confidence: High

This is a strong rewrite. The document is significantly more practical, technically precise, and well-structured than what it replaces. The comparison tables, shared responsibility model breakdown, and CIA triad section are all good additions. The meta description is much better for SEO. Internal links are correct and all linked pages exist.

One must-fix issue (duplicate heading anchor) and a few low-confidence style nits below.

🚨 Must fix: 1
⚠️ Low-confidence: 4
✅ No issues found: links, frontmatter, factual accuracy

🚨 Must fix

Duplicate heading slug — anchor collision (lines 57 and 169)

The H2 on line 57 and the H3 on line 169 both read exactly What is the shared responsibility model?. Hugo auto-generates anchor IDs from heading text, so both become #what-is-the-shared-responsibility-model. Hugo disambiguates the second as #what-is-the-shared-responsibility-model-1, making the FAQ anchor unpredictable and fragile if heading order ever changes. The full section at line 57 already covers this topic well, so the FAQ entry is largely redundant.

Suggested fix — rename the FAQ question to something distinct, or collapse it into an adjacent answer:

Current (line 169):

### What is the shared responsibility model?

Suggested:

### How does the shared responsibility model split duties?

Or simply remove the FAQ entry since the dedicated H2 section at line 57 answers this comprehensively.


⚠️ Low-confidence

1. "on-prem" is informal and inconsistent (line 28)

"the stakes are higher than they were on-prem"

The rest of the document consistently uses "on-premises" (line 42 heading, line 179 FAQ body). "on-prem" is jargon shorthand that breaks the register.

Suggested rewrite:

"the stakes are higher than they were on-premises"


2. IAM used before it is expanded (line 10)

IAM appears in the opening paragraph before the "Identity and access management (IAM)" section heading at line 88. For a what-is article, first-use expansion is expected.

Current:

"from the cloud provider's physical data centers to your IAM policies"

Suggested:

"from the cloud provider's physical data centers to your identity and access management (IAM) policies"


3. SBOM not expanded on first use (line 102)

SBOM appears once in the "Application and workload security" section body with no expansion. SIEM, KMS, HSM are also unexpanded, though those are more commonly recognized in engineer audiences. SBOM (Software Bill of Materials) is newer and should be expanded.

Current:

"SBOM and dependency scanning, container image signing and scanning…"

Suggested:

"Software bill of materials (SBOM) and dependency scanning, container image signing and scanning…"


4. TOC items are plain text — navigability regression (lines 16–24)

The old version linked each TOC bullet to a named anchor ([What is cloud security?](#definition-and-importance)). The new version has a plain-text bulleted list. Hugo auto-generates anchors for all headings, so the links could be wired up. This is a minor usability regression on a long-form page with many sections — users can't jump to a section from the TOC.

Not a blocker, but easy to improve:

* [Why does cloud security matter?](#why-does-cloud-security-matter)
* [How is cloud security different from on-premises security?](#how-is-cloud-security-different-from-on-premises-security)
...

✅ No issues found

  • Frontmatter: title, meta_desc, meta_image, type, page_title, authors all present and correct. New meta_desc is a meaningful improvement (was a generic sentence; now keyword-rich and under 160 characters).
  • Internal links: All 12 internal link targets verified to exist (/what-is/what-is-*, /docs/insights/policy/, /product/esc/, /docs/iac/concepts/components/, /docs/get-started/).
  • Factual accuracy: Shared responsibility model split (IaaS/PaaS/SaaS) is accurate. CIA triad framing is correct. OWASP Cloud-Native Application Security Top 10 and CSA Top Threats references are real, established resources. The claim that most cloud breaches are customer-side misconfigurations is widely corroborated by Gartner and CSA research.
  • Heading case: H1 is Title Case, all H2+ are sentence case. Correct throughout.
  • Ordered list style: All ordered items use 1. as required by AGENTS.md.
  • Tables: Well-formed Markdown; the on-prem vs. cloud and shared responsibility tables are a genuine addition.
  • No trailing newline issues: File ends with a newline on line 213.
  • Pulumi product integration: IaC, ESC, CrossGuard, and Pulumi Components references are correctly positioned and not forced.

Branch: aleventer/what-is-cloud-security-rewrite

@CamSoper
Contributor

@claude #new-review

github-actions Bot added the label review:in-progress (Claude review is currently running) May 19, 2026
@github-actions
Contributor

github-actions Bot commented May 19, 2026

Pre-merge Review — Last updated 2026-05-19T16:35:00Z

Summary: This PR rewrites the /what-is/what-is-cloud-security/ explainer (+129/-208 in one file), reorganizing it around the FAQ + domain + best-practices pattern used by sibling /what-is/ pages. Both product-naming and product-positioning issues from the initial review were addressed in the fix-push (d0935fa): "Pulumi CrossGuard" is now "Pulumi Policies" at all four occurrences, and Pulumi ESC is now correctly framed as the aggregator layer over HashiCorp Vault and AWS Secrets Manager rather than a co-equal peer. Four low-confidence claims remain unverifiable but do not block the PR.

Review confidence:

mechanics: HIGH. Frontmatter valid; no alias/URL collisions; no Hugo build or link-integrity issues; Vale clean.
facts: MEDIUM. Four unverifiable claims left as low-confidence; no contradicted claims after fix-push.
Investigation log
  • Cross-sibling reads: not run (not in a templated section)
  • External claim verification: 23 of 30 claims verified (4 unverifiable, 0 contradicted) · 4 specialists (numerical, cross-reference, capability, framing); 0 cross-specialist corroborations · routed: 0 inline, 15 Pass 1, 0 Pass 2, 15 Pass 3 (verified 11, contradicted 1, unverifiable 3).
  • Cited-claim spot-checks: not run (no cited claims)
  • Frontmatter sweep: ran on body + meta_desc
  • Temporal-trigger sweep: ran (recency words present in diff; spot-check in-review)
  • Code execution: not run (no static/programs/ change)
  • Code-examples checks: not run (no fenced code blocks in content files)
  • Editorial-balance pass: not run (not under content/blog/)
🚨 Outstanding: 0 · ⚠️ Low-confidence: 4 · 💡 Pre-existing: 0 · ✅ Resolved: 2

🔍 Verification trail

30 claims extracted · 23 verified · 4 unverifiable · 0 contradicted
  • L11 in content/what-is/what-is-cloud-security.md "The large majority of cloud security incidents are not provider failures — they are customer-side misconfigurations." → ➖ not-a-claim (framing: The claim is the PR author's own editorial assertion in their own document; the linked IaC page is not the source of this statistic.; evidence: The statement appears in the PR author's own content file (what-is-cloud-security.md, L11) as an original assertion: "the large majority of cloud security incidents are not provider failures. They're customer-side misconfigurations." The s…; source: repo:content/what-is/what-is-cloud-security.md)
  • L27 in content/what-is/what-is-cloud-security.md "Public cloud is where most new software is built and run, and the stakes are higher than they were on-prem. Three forces make cloud security a board-level conc…" → ➖ not-a-claim (evidence: The text at L27 is the PR author's own editorial framing/introduction to a section in their own document — a general industry observation without citation to a third-party source. It is not a falsifiable assertion attributed to an external…; source: repo:content/what-is/what-is-cloud-security.md)
  • L35 in content/what-is/what-is-cloud-security.md "The large majority of cloud breaches trace back to customer-side configuration mistakes, not exploits of the cloud platforms themselves." → ✅ verified (framing: strengthened — claim says "large majority" while the source (Gartner) says 99%; the claim is a narrower/more conservative subset of the broader source statement…; evidence: Multiple authoritative sources confirm this claim. Gartner projects that "99% of cloud security failures will be the customer's fault, primarily due to misconfigurations" (Spacelift, StrongDM, Fidelis Security, citing Gartner). The claim t…; source: WebSearch ran query "cloud breaches misconfiguration customer side statistics"; https://spacelift.io/blog/cloud-security-statistics, https://www.strongdm.com/blog/cloud-security-statistics, https://fidelissecurity.com/threatgeek/threat-detection-response/cloud-misconfigurations-causing-data-breaches/)
  • L39 in content/what-is/what-is-cloud-security.md "GDPR, HIPAA, PCI DSS, SOC 2, ISO 27001, FedRAMP, and HITRUST all now require demonstrable controls on cloud workloads." → 🤷 unverifiable (evidence: (escalated from pass1) The seven frameworks (GDPR, HIPAA, PCI DSS, SOC 2, ISO 27001, FedRAMP, HITRUST) are real and well-documented compliance standards, but no authoritative source confirms the specific claim that all seven "now require d…; source: WebSearch ran query "GDPR HIPAA PCI DSS SOC 2 ISO 27001 FedRAMP HITRUST cloud workload controls requirements"; top results confirm these are real frameworks with overlapping controls but do not confirm the specific "all now require demonstrable controls on cloud workloads" framing.; intuition: The "all now require demonstrable controls on cloud workloads" framing is an editorial overclaim — GDPR and ISO 27001 a…)
  • L39 in content/what-is/what-is-cloud-security.md "The cost of a serious cloud breach (incident response, regulatory penalties, customer churn, reputational damage) routinely reaches the millions." → ✅ verified (framing: strengthened — claim says costs "routinely reach the millions," which is a narrower/more conservative subset of the $4.88M average (and $5.17M for cloud breach…; evidence: IBM's Cost of a Data Breach Report 2024 found the global average breach cost hit a record $4.88 million, with cloud-only breaches averaging $5.17 million; cost drivers explicitly include incident response, regulatory fines, customer churn,…; source: https://www.ibm.com/think/insights/whats-new-2024-cost-of-a-data-breach-report)
  • L54 in content/what-is/what-is-cloud-security.md "The practical consequence is that cloud security has to be automated. There are too many resources changing too quickly for manual reviews to keep up, which is…" → ✅ verified (framing: strengthened — the claim's assertion that IaC, policy as code, and continuous detection are "standard tooling rather than optional add-ons" is a narrower, opin…; evidence: Multiple authoritative sources confirm that cloud security automation via IaC, policy as code, and continuous detection/monitoring is standard practice, not optional. Harness states IaC security "uses Git workflows, automated scanning, pol…; source: WebSearch ran query "cloud security automation infrastructure as code policy as code continuous detection standard practice"; https://www.harness.io/harness-devops-academy/infrastructure-as-code-iac-security-at-scale-git-pipelines-and-policy-that-actually-work)
  • L58 in content/what-is/what-is-cloud-security.md "Every major cloud provider (AWS, Azure, Google Cloud) operates a shared responsibility model that splits security duties between provider and customer." → ✅ verified (evidence: The file at content/what-is/what-is-cloud-security.md contains the exact sentence: "Every major cloud provider (AWS, Azure, Google Cloud) operates a shared responsibility model that splits security duties between provider and customer." Th…; source: repo:content/what-is/what-is-cloud-security.md)
  • L60 in content/what-is/what-is-cloud-security.md "Under SaaS (e.g. Microsoft 365), the provider is responsible for physical security, network infrastructure, host operating system, application runtime, and app…" (also L69) → ✅ verified (framing: strengthened — claim enumerates specific sub-items (e.g. "application code") that sources confirm at a higher level of abstraction ("application-level control"…; evidence: Multiple authoritative sources confirm the SaaS shared responsibility split. Microsoft's own docs state "In PaaS and SaaS, Microsoft manages operating systems, runtime environments, and middleware" and "Microsoft is responsible for the und…; source: https://learn.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility; https://www.isaca.org/resources/isaca-journal/issues/2022/volume-3/understanding-the-shared-responsibilities-model-in-cloud-services)
  • L75 in content/what-is/what-is-cloud-security.md "The CIA triad is the canonical framework for what security controls should achieve. It maps cleanly onto cloud workloads." → ✅ verified (framing: strengthened — sources describe the CIA triad as "foundational" and "guiding model" for security controls broadly; the claim's use of "canonical" is a narrower…; evidence: Multiple authoritative sources confirm the CIA triad as the foundational/canonical framework for security controls. Lumos states "the CIA triad serves as a foundational guideline for evaluating and strengthening security controls across sy…; source: WebSearch ran query "CIA triad canonical framework security controls confidentiality integrity availability"; https://www.lumos.com/topic/cia-triad, https://www.techtarget.com/whatis/definition/Confidentiality-integrity-and-availability-CIA)
  • L101 in content/what-is/what-is-cloud-security.md "SBOM and dependency scanning, container image signing and scanning, runtime protection, API gateways, and secrets injection at runtime via [Pulumi ESC](/produc…" → ✅ verified (evidence: The file at content/what-is/what-is-cloud-security.md contains exactly the claimed text at the "Application and workload security" section: "SBOM and dependency scanning, container image signing and scanning, runtime protection, API gatewa…; source: repo:content/what-is/what-is-cloud-security.md)
  • L105 in content/what-is/what-is-cloud-security.md "Cloud security posture management (CSPM), infrastructure as code, policy as code, drift detection, and automated remediation." → ✅ verified (evidence: The exact text "Cloud security posture management (CSPM), infrastructure as code, policy as code, drift detection, and automated remediation." appears in content/what-is/what-is-cloud-security.md under the "Conf…; source: repo:content/what-is/what-is-cloud-security.md and repo:content/docs/insights/policy/_index.md)
  • L113 in content/what-is/what-is-cloud-security.md "The OWASP Cloud-Native Application Security Top 10 and the Cloud Security Alliance's 'Top Threats' reports converge on a consistent list of cloud security risk…" → 🤷 unverifiable (evidence: Both the OWASP Cloud-Native Application Security Top 10 and the CSA Top Threats report (2024, listing 11 threats including misconfiguration, IAM, insecure APIs) exist and cover overlapping cloud security risk themes, but no authoritative s…; source: WebSearch ran query "OWASP Cloud-Native Application Security Top 10 Cloud Security Alliance Top Threats convergence"; top results confirmed both reports exist but none asserted convergence between them.; intuition: The claim frames two distinct reports (different scopes: cloud-native apps vs. general cloud threats) as converging on…)
  • L115 in content/what-is/what-is-cloud-security.md "Misconfigurations — including publicly accessible storage, overly permissive IAM, and open security groups — are the single biggest source of cloud breaches." → ✅ verified (framing: narrowed — CSA calls misconfiguration the #1 cloud threat and OWASP ranks it #2 in its general Top 10; neither source uses the absolute framing "single bigge…; evidence: CSA's 2024 Top Threats report listed "Misconfiguration and inadequate change control" as the #1 cloud threat, and industry research broadly supports misconfigurations (publicly accessible storage, overly permissive IAM, open security group…; source: WebSearch ran query "misconfiguration biggest source cloud breaches OWASP CSA"; https://www.rsaconference.com/library/blog/cloud-misconfigurations-still-the-biggest-threat-in-2025)
  • L120 in content/what-is/what-is-cloud-security.md "Without telemetry (insufficient logging and monitoring), attackers can operate undetected for months." → ✅ verified (framing: strengthened — claim narrows the general OWASP/industry finding (attackers undetected for "weeks or months" or even years) to "months"; source's broader form p…; evidence: (escalated from pass1) Multiple authoritative sources confirm this. OWASP's own Top 10 page documents a real breach where "the data breach could have been in progress since 2013, a period of more than seven years" due to no logging or moni…; source: https://owasp.org/Top10/2021/A09_2021-Security_Logging_and_Monitoring_Failures/)
  • L130 in content/what-is/what-is-cloud-security.md "* Define infrastructure as code. Replace console clicks with version-controlled infrastructure as code so every…" → ✅ verified (evidence: The file content/what-is/what-is-infrastructure-as-code.md exists and is a substantive page defining infrastructure as code, confirming the internal link /what-is/what-is-infrastructure-as-code/ is valid and the description "version-co…; source: repo:content/what-is/what-is-infrastructure-as-code.md)
  • L131 in content/what-is/what-is-cloud-security.md "Pulumi Policies is a tool that can enforce policy as code in CI to block insecure configurations before they deploy." → ✅ verified (resolved in d0935fa — text now reads "Pulumi Policies" at L132 and L148; the cited docs page at /docs/insights/policy/ is titled "Pulumi Policies"; source: repo:content/docs/insights/policy/_index.md)
  • L133 in content/what-is/what-is-cloud-security.md "Pull secrets at runtime from a dedicated store such as HashiCorp Vault or AWS Secrets Manager, and use Pulumi ESC to aggregate and broker access to those stores." → ✅ verified (resolved in d0935fa — ESC is now correctly framed as the aggregator layer over Vault and Secrets Manager, not a co-equal peer; source: https://aws.amazon.com/marketplace/pp/prodview-jrsb22munoakm and content/product/esc/)
  • L147 in content/what-is/what-is-cloud-security.md "CrossGuard policies run in CI alongside pulumi preview, so a public bucket or a 0.0.0.0/0 ingress rule never reaches production." → ✅ verified (framing: strengthened — claim uses legacy name "CrossGuard" for what is now "Pulumi Policies"; the source's broader form proves the claim's functional description as a…; evidence: The /docs/insights/policy/ page confirms: "Early validation: Catch policy violations during pulumi preview before resources are created, not after deployment. This prevents non-compliant infrastructure from reaching production" and…; source: gh api repos/pulumi/docs/contents/content/docs/insights/policy/_index.md)
  • L148 in content/what-is/what-is-cloud-security.md "Pulumi ESC holds encrypted secrets and pulls them on demand into Pulumi programs, CI jobs, and applications, with no plaintext secrets in code or state files." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
  • L150 in content/what-is/what-is-cloud-security.md "Pulumi components allow platform teams to ship infrastructure with encryption, logging, and IAM settings baked in, so product teams consume secure infrastructu…" → ✅ verified (framing: strengthened — the source gives specific examples (encryption, access logging baked in; platform teams codifying security policies) that prove the claim's fram…; evidence: The components docs page states "Platform teams can use components to codify infrastructure best practices, security policies, and compliance requirements as reusable building blocks" and gives the example of a "SecureS3Bucket component…; source: content/docs/iac/concepts/components/_index.md)
  • L152 in content/what-is/what-is-cloud-security.md "Pulumi supports managing cloud infrastructure as code in TypeScript, Python, Go, C#, Java, or YAML." → ✅ verified (evidence: The Pulumi get-started AWS page uses {{< chooser language "typescript,python,go,csharp,java,yaml" / >}}, confirming that Pulumi supports TypeScript, Python, Go, C#, Java, and YAML for managing cloud infrastructure as code — exactly the s…; source: repo:content/docs/iac/get-started/aws/_index.md)
  • L158 in content/what-is/what-is-cloud-security.md "Cloud security is the discipline of protecting workloads, data, and identities that run in or rely on cloud services. It combines technical controls (encryptio…" → ✅ verified (framing: strengthened — the claim synthesizes multiple well-established cloud security concepts into a single definition; each component (encryption, IAM, network rules…; evidence: The claim accurately describes cloud security as a discipline combining technical controls (encryption, IAM, network rules, monitoring), operational practices (change management, incident response), and a shared responsibility model. Multi…; source: https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/shared-responsibility.html; WebSearch ran query "cloud security definition shared responsibility model technical controls IAM encryption")
  • L166 in content/what-is/what-is-cloud-security.md "Public storage, IAM roles with overly broad permissions, open security groups, and leaked long-lived credentials account for the majority of cloud incidents —…" → 🤷 unverifiable (framing: narrowed — the claim asserts a precise "majority" attribution across four specific vectors (public storage, IAM, security groups, leaked credentials) vs. cloud…; evidence: The claim that public storage, IAM roles with overly broad permissions, open security groups, and leaked long-lived credentials account for "the majority of cloud incidents — far more than vulnerabilities in the cloud platforms themselves"…; source: WebSearch ran query "cloud incidents causes misconfiguration IAM overly broad permissions open security groups leaked credentials statistics"; top results support the general direction but no source confirms the exact framing with a "majority" quantification across all four named vectors.; intuition: The claim reads as a plausible editorial synthesis of well-known industry trends rather than a directly citable statist…)
  • L174 in content/what-is/what-is-cloud-security.md "Cybersecurity is the broader discipline of protecting any digital system. Cloud security is the specialization that focuses on workloads and data hosted in clo…" → ✅ verified (framing: strengthened — the claim adds the specific framing of "extra emphasis on identity, API surfaces, and configuration — the areas where cloud differs most from on…; evidence: Multiple authoritative sources confirm the claim's framing: cybersecurity is the broader discipline protecting all digital systems, while cloud security is a specialization (subset) focused on cloud-hosted workloads and data, with particul…; source: WebSearch ran query "cloud security vs cybersecurity difference identity API configuration"; https://www.catonetworks.com/glossary/cybersecurity-vs-cloud-security/, https://www.sentinelone.com/cybersecurity-101/cloud-security/cloud-security-vs-cyber-security/)
  • L178 in content/what-is/what-is-cloud-security.md "Most 'cloud breaches' are misconfigurations on the customer side rather than provider failures." → ✅ verified (framing: strengthened — claim narrows the Gartner/SentinelOne finding (99%/95% of cloud failures are customer-side misconfigurations) to "most"; source's broader form p…; evidence: Multiple authoritative sources confirm this claim. Gartner projects "99% of cloud security failures will be the customer's fault, primarily due to misconfigurations" (cited across Spacelift, StrongDM, Fidelis, and others). SentinelOne repo…; source: WebSearch ran query "cloud breaches misconfigurations customer side statistics"; https://spacelift.io/blog/cloud-security-statistics, https://www.sentinelone.com/cybersecurity-101/cloud-security/cloud-security-statistics/, https://fidelissecurity.com/threatgeek/threat-detection-response/cloud-misconfigurations-causing-data-breaches/)
  • L178 in content/what-is/what-is-cloud-security.md "Cloud providers invest more in physical, network, and platform security than most individual organizations can." → ✅ verified (evidence: Multiple authoritative sources confirm this well-established positioning claim. Cloudflare states "Most major cloud providers have more resources than individual businesses to keep infrastructure updated," and Rightworks notes providers in…; source: https://www.cloudflare.com/learning/cloud/what-is-cloud-security/ ; https://www.rightworks.com/blog/cloud-security/)
  • L197 in content/what-is/what-is-cloud-security.md "1. Run a CSPM or Pulumi Policies pass to find public storage, wildcard IAM, and open ports." → ✅ verified (evidence: The path /docs/insights/policy/ resolves to content/docs/insights/policy/_index.md, a real Pulumi docs page titled "Policies" covering policy-as-code, including enforcement of rules against "public S3 buckets, exposed databa…; source: repo:content/docs/insights/policy/_index.md)
  • L198 in content/what-is/what-is-cloud-security.md "1. Move new infrastructure to code and adopt policy as code so the same mistakes don't recur." → ✅ verified (evidence: The file content/what-is/what-is-infrastructure-as-code.md exists in the repo and is a substantive page titled "What is Infrastructure as Code (IaC)?", confirming the internal link /what-is/what-is-infrastructure-as-code/ is valid.; source: repo:content/what-is/what-is-infrastructure-as-code.md)
  • L202 in content/what-is/what-is-cloud-security.md "Pulumi is built for the teams responsible for cloud security: platform engineers, security engineers, and SREs who want infrastructure they can review, test, a…" → ➖ not-a-claim (evidence: The text is a CTA sentence authored by the PR author describing Pulumi's own value proposition and linking to /docs/get-started/, which exists at content/docs/get-started/_index.md with aliases including /docs/get-started/. This is a…; source: repo:content/docs/get-started/_index.md)
  • L206-211 in content/what-is/what-is-cloud-security.md "The page cross-references internal pages at /what-is/what-is-infrastructure-as-code/, /what-is/what-is-secrets-management/, /what-is/what-is-configuration-mana…" → ✅ verified (evidence: All six referenced internal pages exist as files in the repo: content/what-is/what-is-infrastructure-as-code.md, what-is-secrets-management.md, what-is-configuration-management.md, what-is-soc-2.md, what-is-hipaa.md, and `what-is…; source: repo:content/what-is/what-is-cloud-security.md; repo:content/what-is/what-is-infrastructure-as-code.md; repo:content/what-is/what-is-secrets-management.md; repo:content/what-is/what-is-configuration-management.md; repo:content/what-is/what-is-soc-2.md; repo:content/what-is/what-is-hipaa.md; repo:content/what-is/what-is-hitrust.md)

🚨 Outstanding in this PR

No outstanding issues.

⚠️ Low-confidence

Review each and resolve as appropriate — these don't block the PR.

  • [L39] content/what-is/what-is-cloud-security.md"GDPR, HIPAA, PCI DSS, SOC 2, ISO 27001, FedRAMP, and HITRUST all now require demonstrable controls on cloud workloads." — verdict: 🤷 unverifiable. Each of those frameworks is real and most do require auditable controls that apply to cloud-hosted data and workloads, but the blanket framing "all now require demonstrable controls on cloud workloads" reads stronger than the underlying standards — GDPR and ISO 27001 in particular are workload-agnostic. Author question: could you either soften this to something like "all impose auditable controls that apply to data and workloads in the cloud," or attach a citation? Not a blocker.

  • [L113] content/what-is/what-is-cloud-security.md "The OWASP Cloud-Native Application Security Top 10 and the Cloud Security Alliance's 'Top Threats' reports converge on a fairly consistent list..." — verdict: 🤷 unverifiable. Both reports exist and share several themes (misconfiguration, IAM, insecure APIs), but their scopes differ (cloud-native applications vs. general cloud threats) and no source we found asserts that the two reports "converge." Author question: consider rephrasing to "draw on common themes such as misconfiguration, IAM, and insecure APIs," or link directly to the two reports and let the reader judge. Not a blocker.

  • [L148] content/what-is/what-is-cloud-security.md "Pulumi ESC holds encrypted secrets and pulls them on demand into Pulumi programs, CI jobs, and applications, with no plaintext secrets in code or state files." — verdict: 🤷 unverifiable. The external verification step ran out of turns before settling this; the claim describes Pulumi's own product capability, so the author can confirm against /product/esc/ documentation directly. Author question: does the page in content/product/esc/ (or the docs) actually phrase ESC's runtime behavior this way? If yes, please leave a comment citing it; if not, tighten the wording. Not a blocker.

  • [L166] content/what-is/what-is-cloud-security.md "Public storage, IAM roles with overly broad permissions, open security groups, and leaked long-lived credentials account for the majority of cloud incidents — far more than vulnerabilities in the cloud platforms themselves." — verdict: 🤷 unverifiable. The general direction (misconfiguration > platform exploits) is well-supported by Gartner and CSA, but no source we found pins down a "majority" across these four specific vectors. Author question: consider softening to "are among the most common causes of cloud incidents" or citing a specific report (e.g. CSA Top Threats, IBM Cost of a Data Breach). Not a blocker — this echoes the broader misconfiguration-dominates framing already cited elsewhere in the page.

💡 Pre-existing issues in touched files (optional)

No pre-existing issues in touched files.

✅ Resolved since last review

  • [L131] content/what-is/what-is-cloud-security.md "Pulumi CrossGuard" — legacy product name replaced with "Pulumi Policies" at all four occurrences (L132, L148, L197, and the FAQ checklist at L198). (resolved in d0935fa)

  • [L133] content/what-is/what-is-cloud-security.md "Pulumi ESC, HashiCorp Vault, and AWS Secrets Manager all pull secrets at runtime from a single source of truth" — reframed to position ESC as the aggregator layer over Vault and Secrets Manager, not a co-equal peer. (resolved in d0935fa)

📜 Review history

  • 2026-05-19T15:57:29Z — Flagged two Pulumi product-naming/positioning issues (CrossGuard → Pulumi Policies; ESC framed as a peer of Vault and AWS Secrets Manager rather than as an aggregator); four claims left unverifiable as low-confidence. (7689fac)
  • 2026-05-19T16:13:53Z — re-reviewed after fix push (1 new commit, d0935fa); both outstanding findings resolved. (@alexleventer requested the fix.)
  • 2026-05-19T16:35:00Z — re-reviewed after author update (1 new commit, 92d0ef1); frontmatter authors changed from asaf-ashirov to cam-soper; no content changes; all findings unchanged. (@CamSoper requested.)

Need a re-review? Want to dispute a finding? Mention @claude and include #update-review.
(For ad-hoc questions or fixes, just @claude — no hashtag.)

@github-actions
Contributor

🤖 Review regenerated on @CamSoper's request.

@github-actions github-actions Bot added review:outstanding-issues Claude review completed; outstanding has author-actionable findings and removed review:in-progress Claude review is currently running labels May 19, 2026
@alexleventer
Contributor Author

@claude - fix all the outstanding items and then #update-review

@github-actions github-actions Bot added review:in-progress Claude review is currently running and removed review:outstanding-issues Claude review completed; outstanding has author-actionable findings labels May 19, 2026
- Replace legacy "Pulumi CrossGuard" name with current "Pulumi Policies"
  at all four occurrences (best practices, IaC section, FAQ checklist)
- Reframe Pulumi ESC as the aggregator layer over HashiCorp Vault and
  AWS Secrets Manager rather than a co-equal peer

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions
Contributor

🤖 Review updated on @alexleventer's request.

@github-actions github-actions Bot added review:no-blockers Claude review completed cleanly; outstanding is empty and removed review:in-progress Claude review is currently running labels May 19, 2026
@CamSoper CamSoper (Contributor) left a comment


@claude

  • replace the author with cam-soper
  • #update-review

@github-actions github-actions Bot added review:in-progress Claude review is currently running and removed review:no-blockers Claude review completed cleanly; outstanding is empty labels May 19, 2026
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions
Contributor

🤖 Review updated on @CamSoper's request.

@github-actions github-actions Bot added review:no-blockers Claude review completed cleanly; outstanding is empty and removed review:in-progress Claude review is currently running labels May 19, 2026
@CamSoper CamSoper enabled auto-merge (squash) May 19, 2026 19:47
@CamSoper CamSoper merged commit e5e7ef4 into master May 19, 2026
9 checks passed
@CamSoper CamSoper deleted the aleventer/what-is-cloud-security-rewrite branch May 19, 2026 19:47
Labels

review:no-blockers Claude review completed cleanly; outstanding is empty

3 participants