ControlMonkey, the only fully end-to-end Terraform automation platform delivering Total Cloud Control, announced the launch of its IaC Risk Index, the first security dashboard purpose-built to measure cloud risk at its root: infrastructure delivery.
While most security dashboards focus on misconfigurations after they happen, ControlMonkey’s IaC Risk Index reframes the problem. It gives cloud and security teams visibility into how infrastructure was delivered, whether it’s governed by code, and where active vulnerabilities exist. By connecting IaC coverage with active security risks, the Index reveals which vulnerable resources are unmanaged, drifted, or governed and sets the stage for precise, state-aware remediation.
Cyber Technology Insights : U.S. Enterprises Strengthen Cybersecurity for Enhanced Resilience
IaC Risk Index: Connecting Visibility to Remediation
ControlMonkey’s research shows that unmanaged infrastructure, resources not governed by Terraform or delivered through a secure pipeline, carry up to 2x the security risk of those that are. Yet, most enterprises can’t answer a critical question, ‘What percentage of our infrastructure is actually governed by code?’ According to ControlMonkey’s research, most coverage is 30-40% lower than first estimation, highlighting the hidden risk.
The IaC Risk Index solves that visibility & security gap. It delivers a single, unified view that maps infrastructure coverage to security exposure so teams can see what’s vulnerable, understand how it got there and take action through remediation.
Key capabilities include:
The Index’s dashboard gives both cloud and security teams a powerful common view to assess and map risk; plan remediation strategies; and quickly take action, in a coordinated, collaborative way:
Risk Scoring
A color-coded benchmark that helps teams quickly assess risk posture by environment. In production environments, green is the goal. Anything less is exposure.
Red (<50% coverage): High risk. Most infrastructure is unmanaged.
Orange (50–80%): Medium risk. Some governance exists, but major gaps remain.
Yellow (80–90%): Low risk. Strong coverage, but not yet complete.
Green (90–100%): Full control. Infrastructure is governed by code, by policy, by design.
IaC Vulnerability Visualization and Prioritization
See exactly which parts of your infrastructure are unmanaged by Terraform and how those resources align with active security vulnerabilities. The Index intelligently maps and ranks the most critical areas to help teams prioritize problem-solving.
Cyber Technology Insights : Centex Technologies Appoints John Sharp as Strategic Advisor
Change Attribution & Risk Mapping
For every vulnerable resource, the Index identifies how it was delivered (manual, drifted, or governed) and what state it’s in. This context sets up the right remediation flow for each case:
Unmanaged: ControlMonkey brings the resource under Terraform governance, remediates the vulnerability with a secure-by-default fix, and enforces policies to prevent future issues.
Managed but Drifted: Drift is resolved first to restore alignment with code. Then, ControlMonkey delivers an IaC-based security fix and applies proactive policies to the stack.
Managed and In-Sync: ControlMonkey applies a compliant Terraform patch to fix the vulnerability and enforces policies to keep the stack secure going forward.
One-Click Remediation
Import unmanaged resources into Terraform with one click, generate security-aligned code, and fix issues at the source before they reach production.
“Security begins with delivery,” said Aharon Twizer, CEO and co-founder of ControlMonkey. “When infrastructure is created outside of IaC pipelines, it bypasses every control we rely on – validation, policy, versioning, everything. That’s where risk lives. And until now, no one was measuring it. We’re thrilled to release this critical new lens on security so cloud teams everywhere can get ahead of risk.”
“More IaC coverage means fewer security issues, period,” said Nir Rothenberg, CISO of Rapyd. “What stood out with ControlMonkey was how easy it became to do things the right, modern way. When infrastructure and security teams can actually cooperate by design, that’s when security really works.”
From Delivery Visibility to Risk Elimination
The IaC Risk Index does more than surface vulnerabilities, it changes how cloud and security teams work together to solve them. By establishing IaC coverage as a shared security metric, it gives both teams a common language, a common baseline, and a common goal. Instead of debating risk or passing tickets, they align around exposure and fix issues at the source. It’s not just about visibility, it’s about a shared vision for security.
“The IaC Risk Index is a bridge between security and cloud teams,” said Ori Yemini, CTO and co-founder. “IaC coverage gives both sides a shared metric, a shared objective, and a shared way to reduce risk at the source. This kind of alignment is long overdue, and much needed.”
Cyber Technology Insights : Data Pros Recognized for Excellence with Microsoft AI Cloud SECURITY Designation
To participate in our interviews, please write to our CyberTech Media Room at sudipto@intentamplify.com
Source: globenewswire
