Introducing Sonde: AI That Understands Your Cloud

Cloud operations tooling has a fundamental problem: it alerts, but it doesn't understand.

You get hundreds of findings from Security Hub, GuardDuty, and Config. Each one tells you something is wrong, but none of them tell you why it matters. Who actually has access to this resource? What changed to cause this? What's the blast radius if something goes wrong?

You're left stitching together context across dozens of tabs, mentally tracing IAM policy chains, and hoping you haven't missed a permission boundary somewhere.

What is Sonde?

Sonde is an AI-native cloud operations platform. Named after a radiosonde — a weather probe that ascends through the atmosphere measuring every layer — sonde lives inside your cloud and continuously measures your entire environment.

Unlike traditional tools that scan and report, sonde reasons about your infrastructure. It builds a connected model of your environment and uses multi-LLM reasoning to answer the questions that actually matter.

The Knowledge Graph

At sonde's core is a knowledge graph powered by Neo4j. Everything in your AWS environment becomes a connected node: accounts, IAM identities, resources, policies, CloudTrail events, Config changes, deployments.

The graph isn't just a data store — it's a reasoning substrate. When you ask "who can access the production database?", sonde doesn't hand you a list of policies to read. It traverses the full permission chain and gives you a concrete answer:

3 identities have effective access to prod-db:

1. deploy-role (via AssumeRole → prod-admin-policy)
   - Full access (rds:*)
   - Used 847 times in the last 30 days

2. sarah@company.com (via group:platform → managed-policy)
   - Read/write (rds:Describe*, rds:Modify*)
   - Last used 3 days ago

3. legacy-lambda-role (via inline policy)
   - Full access (rds:*)
   - Last used 8 months ago ⚠️

That third one — the stale Lambda role with full database access — is the kind of thing that slips through every compliance scan but shows up immediately in a graph.

IAM Intelligence

IAM is where sonde really shines. AWS IAM is notoriously complex: whether a request is allowed depends on identity policies, resource policies, permission boundaries, service control policies, and session policies taken together. An explicit deny in any of them wins, and a boundary or SCP can only narrow what the identity policies grant, never widen it. No human can reliably evaluate this full chain across hundreds of identities.

Sonde resolves effective permissions by evaluating the complete policy chain. It detects privilege escalation paths — sequences of permissions that allow an identity to grant itself higher access. It identifies toxic permission combinations — permissions that are safe individually but dangerous together: iam:PassRole plus lambda:CreateFunction, for example, lets an identity that can also invoke the function run arbitrary code under any role it is allowed to pass. And it generates least-privilege recommendations based on actual usage patterns from CloudTrail.
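
The following is an added example, not sonde's own code, showing in miniature what the two preceding sections describe: a small identity/policy graph, a traversal that answers "who can access prod-db" with a staleness flag, and a check for a toxic permission set evaluated through the whole chain (SCP, identity policies, permission boundary) rather than against a single policy. Every identity, policy, ARN and timestamp is constructed; resource policies and session policies are deliberately out of scope.

```python
"""Effective-access resolution over a small IAM policy chain.

Added example, not sonde's code. All identities, policies, ARNs and
timestamps are constructed. Scope: same-account, identity-based access
plus permission boundaries and SCPs; resource and session policies are
not modelled.
"""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed "now"
PROD_DB = "arn:aws:rds:us-east-1:123456789012:db:prod-db"  # constructed ARN

# Policy nodes: name -> list of (effect, actions, resources) statements.
POLICIES = {
    "prod-admin-policy": [("Allow", ["rds:*"], ["arn:aws:rds:*:*:db:prod-db"])],
    "platform-managed-policy": [("Allow", ["rds:Describe*", "rds:Modify*"], ["*"])],
    "legacy-lambda-inline": [("Allow", ["rds:*"], ["*"])],
    "ci-lambda-policy": [("Allow", ["iam:PassRole", "lambda:CreateFunction",
                                    "lambda:InvokeFunction"], ["*"])],
    "ci-boundary": [("Allow", ["rds:*", "lambda:*"], ["*"])],  # note: no iam:* here
}
# Organization SCPs: the default FullAWSAccess plus one guardrail.
SCP_STATEMENTS = [("Allow", ["*"], ["*"]), ("Deny", ["rds:Delete*"], ["*"])]
GROUPS = {"platform": ["platform-managed-policy"]}
# Identity nodes with their edges to policies, groups and a boundary.
IDENTITIES = {
    "deploy-role": dict(policies=["prod-admin-policy", "ci-lambda-policy"], groups=[],
                        boundary="ci-boundary", last_used=NOW - timedelta(days=1)),
    "ci-runner": dict(policies=["ci-lambda-policy"], groups=[],
                      boundary=None, last_used=NOW - timedelta(days=2)),
    "sarah@company.com": dict(policies=[], groups=["platform"],
                              boundary=None, last_used=NOW - timedelta(days=3)),
    "legacy-lambda-role": dict(policies=["legacy-lambda-inline"], groups=[],
                               boundary=None, last_used=NOW - timedelta(days=240)),
}


def stmt_matches(stmt, action, resource):
    """IAM action names are case-insensitive; '*' and '?' are wildcards."""
    _, actions, resources = stmt
    return (any(fnmatchcase(action.lower(), a.lower()) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def decide(statements, action, resource):
    """One policy layer: Deny beats Allow; no matching statement is None (implicit deny)."""
    hits = {s[0] for s in statements if stmt_matches(s, action, resource)}
    return "Deny" if "Deny" in hits else ("Allow" if "Allow" in hits else None)


def identity_statements(name):
    """Walk identity -> groups -> policies and collect every statement on the way."""
    ident = IDENTITIES[name]
    names = list(ident["policies"]) + [p for g in ident["groups"] for p in GROUPS[g]]
    return [s for p in names for s in POLICIES[p]]


def is_allowed(name, action, resource):
    """Explicit deny in any layer wins; otherwise every layer present must allow."""
    ident = IDENTITIES[name]
    layers = [SCP_STATEMENTS, identity_statements(name)]
    if ident["boundary"]:
        layers.append(POLICIES[ident["boundary"]])
    decisions = [decide(layer, action, resource) for layer in layers]
    return "Deny" not in decisions and all(d == "Allow" for d in decisions)


def who_can_access(resource, actions, stale_after=timedelta(days=90)):
    """Answer 'who can do any of these actions on resource', flagging stale identities."""
    hits = []
    for name, ident in IDENTITIES.items():
        allowed = [a for a in actions if is_allowed(name, a, resource)]
        if allowed:
            hits.append((name, allowed, NOW - ident["last_used"] > stale_after))
    return hits


# Permission sets that are individually benign but together form an escalation path.
TOXIC = {("iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"):
         "run code under any role it can pass, via Lambda"}


def toxic_combinations(name):
    """Which toxic sets does this identity hold in full, after the whole chain is applied?"""
    return [why for combo, why in TOXIC.items()
            if all(is_allowed(name, a, "*") for a in combo)]


if __name__ == "__main__":
    actions = ["rds:DescribeDBInstances", "rds:ModifyDBInstance", "rds:DeleteDBInstance"]
    for name, allowed, stale in who_can_access(PROD_DB, actions):
        print(f"{name}: {allowed}{'  STALE' if stale else ''}")
    for name in IDENTITIES:
        print(name, toxic_combinations(name))
```

Two things fall out of running the chain rather than reading policies one at a time: the SCP guardrail removes rds:DeleteDBInstance from every identity even though three of them hold rds:*, and ci-runner holds the full PassRole/CreateFunction/InvokeFunction set while deploy-role, with the same policy attached, does not, because its permission boundary never grants iam:PassRole.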

Change Intelligence

Every change across every account feeds into a unified timeline. But raw CloudTrail events are noise — sonde uses AI to correlate events into coherent narratives.

Instead of 47 individual API calls, you see:

Production deployment by CI/CD pipeline (2:34 PM)
  Updated Lambda function payment-processor with new code package.
  Modified DynamoDB table transactions capacity from 100 to 500 WCU.
  Risk: Medium — capacity change may affect billing.

Changes are scored for risk and linked to the identities and resources involved. When something breaks at 3 AM, you don't grep through CloudTrail — you ask sonde what happened.
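
As an added example (not sonde's code; sonde hands this step to an LLM, whereas here the grouping and scoring are fixed rules so the correlation logic is visible), the block below turns a handful of constructed CloudTrail-shaped records into per-session narratives: read-only calls are dropped, mutating calls by the same principal within a five-minute gap are merged, each change gets a one-line description, and the narrative inherits the highest risk of its changes. The events, ARNs and risk rules are all constructed. Note that a "from 100 to 500" statement needs the previous state (a Config history node in the graph), which a single UpdateTable event does not carry, so this example reports only the new value.

```python
"""Correlate raw CloudTrail events into per-session change narratives.

Added example, not sonde's code. Events are constructed records that use the
CloudTrail field names (eventTime, eventSource, eventName, readOnly,
userIdentity.arn, requestParameters); the risk rules are illustrative.
"""
import re
from datetime import datetime, timedelta, timezone

READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Head")
WINDOW = timedelta(minutes=5)  # gap that splits two narratives by the same actor
LEVEL = {"Low": 0, "Medium": 1, "High": 2}

DEPLOY = "arn:aws:sts::123456789012:assumed-role/deploy-role/gha"  # constructed
ALICE = "arn:aws:iam::123456789012:user/alice"                      # constructed
EVENTS = [  # constructed: one CI/CD deployment, one console IAM change, one later deploy
    {"eventTime": "2025-06-01T14:34:02Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "GetFunction20150331v2", "readOnly": True,
     "userIdentity": {"arn": DEPLOY}, "requestParameters": {"functionName": "payment-processor"}},
    {"eventTime": "2025-06-01T14:34:05Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2", "readOnly": False,
     "userIdentity": {"arn": DEPLOY}, "requestParameters": {"functionName": "payment-processor"}},
    {"eventTime": "2025-06-01T14:34:40Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "UpdateTable", "readOnly": False, "userIdentity": {"arn": DEPLOY},
     "requestParameters": {"tableName": "transactions", "provisionedThroughput":
                           {"readCapacityUnits": 100, "writeCapacityUnits": 500}}},
    {"eventTime": "2025-06-01T14:36:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "readOnly": False, "userIdentity": {"arn": ALICE},
     "requestParameters": {"roleName": "legacy-lambda-role",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2025-06-01T14:38:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListRoles", "readOnly": True, "userIdentity": {"arn": ALICE},
     "requestParameters": None},
    {"eventTime": "2025-06-01T15:10:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2", "readOnly": False,
     "userIdentity": {"arn": DEPLOY}, "requestParameters": {"functionName": "payment-processor"}},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def api_name(event_name):
    """Lambda event names carry an API version suffix (e.g. UpdateFunctionCode20150331v2)."""
    return re.sub(r"\d{8}(v\d+)?$", "", event_name)


def describe(event):
    """One human-readable line per mutating event, plus a risk level (constructed rules)."""
    name, src = api_name(event["eventName"]), event["eventSource"]
    p = event.get("requestParameters") or {}
    if src == "lambda.amazonaws.com" and name == "UpdateFunctionCode":
        return f"Updated Lambda function {p['functionName']} with new code package.", "Low"
    if src == "dynamodb.amazonaws.com" and name == "UpdateTable" and "provisionedThroughput" in p:
        wcu = p["provisionedThroughput"]["writeCapacityUnits"]
        return f"Modified DynamoDB table {p['tableName']} write capacity to {wcu} WCU.", "Medium"
    if src == "iam.amazonaws.com":  # any IAM mutation is high risk until a human looks at it
        target = p.get("roleName") or p.get("userName") or "?"
        return f"IAM change {name} on {target}: {p.get('policyArn', '')}".rstrip(": "), "High"
    return f"{name} ({src.split('.')[0]})", "Low"


def correlate(events):
    """Group mutating events by actor and time proximity; risk is the max over the group."""
    narratives, open_by_actor = [], {}
    for e in sorted(events, key=lambda e: e["eventTime"]):
        if e.get("readOnly") or e["eventName"].startswith(READ_ONLY_PREFIXES):
            continue
        t, actor = parse_time(e["eventTime"]), e["userIdentity"]["arn"]
        cur = open_by_actor.get(actor)
        if cur is None or t - cur["end"] > WINDOW:
            cur = {"actor": actor, "start": t, "end": t, "lines": [], "risk": "Low"}
            narratives.append(cur)
            open_by_actor[actor] = cur
        line, risk = describe(e)
        cur["lines"].append(line)
        cur["end"] = t
        if LEVEL[risk] > LEVEL[cur["risk"]]:
            cur["risk"] = risk
    return narratives


def render(n):
    """Timeline entry in the style of the narrative above."""
    who = n["actor"].split(":")[-1]  # e.g. assumed-role/deploy-role/gha
    head = f"{who} ({n['start']:%H:%M}-{n['end']:%H:%M} UTC), {len(n['lines'])} change(s), risk {n['risk']}"
    return "\n".join([head] + ["  " + line for line in n["lines"]])


if __name__ == "__main__":
    for narrative in correlate(EVENTS):
        print(render(narrative), end="\n\n")
```

Six raw events collapse into three entries: the 14:34 deployment (two changes, Medium because of the capacity change), alice's policy attachment (High, and it lands on the stale role from the earlier example), and a separate 15:10 deployment, which is split off because it falls outside the five-minute gap even though the actor is the same.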

Natural Language Interface

The graph and AI layers come together in a natural language interface. You talk to your cloud the way you'd talk to an engineer who knows every detail.

Each answer comes with context — not just what, but why, and what it connects to.

What's Next

Sonde is still early. The roadmap includes multi-cloud support (Azure and GCP), automated remediation workflows, deeper compliance framework mapping (SOC 2, PCI-DSS, HIPAA), and a plugin system for custom graph enrichment.

The goal is simple: make your cloud as understandable as your codebase. Infrastructure shouldn't be a black box that only three people on the team can reason about.


Sonde is open source. Check it out on GitHub if you're interested in following along or contributing.