"What is the cloud security harness's first job, and why?"	"Know what is deployed (asset inventory) BEFORE assessing it. You cannot defend an asset you have not inventoried. Cloud posture tools fail at inventory first, then at assessment — the discovery layer is the load-bearing foundation for every downstream capability."	c2a::s09::recall
"What is the drift problem in cloud posture?"	"Cloud infrastructure changes constantly (Terraform apply, console clicks, autoscaling, Lambda deploys, IAM updates) and posture degrades SILENTLY. A snapshot at midnight is stale by morning. The inventory must be CONTINUOUSLY RECONCILED, not periodically snapshotted."	c2a::s09::recall
"Name the native discovery service for each cloud provider."	"AWS: Security Hub + AWS Config. Azure: Resource Graph + Defender for Cloud. GCP: Security Command Center (SCC). The harness wraps these as discovery tools and normalizes to a unified schema."	c2a::s09::recall
"What AI security posture capability does Microsoft Defender for Cloud now provide?"	"Native AI security posture: discovers AI workloads, builds an AI BOM (bill of materials), tracks externally reachable AI endpoints, and maps attack paths across Azure/AWS/GCP from a single pane. Built-in for AI-heavy estates rather than layered on."	c2a::s09::recall
"What three things does the harness add beyond native discovery services?"	"(1) Cross-provider normalization (AWS/Azure/GCP → one CloudAsset schema). (2) AI-specific asset tagging (model endpoints, agents, vector DBs, embedding services). (3) Structured output suitable for graph reasoning (attack-path analysis)."	c2a::s09::recall
"List the AI-specific assets a cloud discovery harness must inventory."	"Model endpoints (SageMaker/Vertex/Azure ML), AI agent deployments (Bedrock/OpenAI/custom), embedding services (text-to-vector), vector databases (Pinecone/pgvector/OpenSearch), training data stores (S3/blobs — crown jewels for AI adversaries)."	c2a::s09::recall
"What is the asset discovery reconciliation loop, and why continuous not one-shot?"	"Provider API → normalize to CloudAsset → diff vs last inventory → new/changed assets assessed, deleted marked stale → updated graph. Continuous because cloud drift makes a week-old inventory stale. A bucket created at 3AM is inventoried by 3:05, assessed by 3:06 — not next month."	c2a::s09::analysis
"What is the difference between a finding and an attack path?"	"Finding = single point of weakness (public S3 bucket). Attack path = the CHAIN that turns a weakness into a breach (public S3 → over-privileged role → Lambda → regulated DB). The harness finds PATHS, not just points."	c2a::s09::analysis
"How is the cloud attack surface modeled as a graph (nodes, edges, paths)?"	"Nodes = assets (resources, identities, data stores). Edges = access relationships (can-assume, can-invoke, can-read, can-write). Paths = traversals from entry points (publicly reachable) to high-value targets (sensitive data). Built from the asset inventory, not a separate scan."	c2a::s09::recall
"Name the three edge types that dominate cloud attack paths."	"(1) IAM escalation edges (identity assumes role → gains privilege → climbs ladder). (2) Public exposure chains (public service → internal service → sensitive data). (3) Lateral movement (compromised resource pivots cross-account/cross-service via trust relationships, shared VPCs, over-broad SGs)."	c2a::s09::recall
"How does the harness score an attack path's severity?"	"Weighted sum: sensitive target reached (+40), public entry point (+10), over-privileged IAM (+15), missing encryption (+5). Shorter paths are more exploitable (multiplied by 1 + 1/length). Capped 0-100. Deterministic and auditable. Context enrichment from threat intel adds external signals."	c2a::s09::application
"Why does attack-path analysis report PATHS not FINDINGS?"	"A finding list says '47 misconfigurations.' A path list says '3 of those 47 combine into a breach path.' Fixing one node on a critical path BREAKS the path; fixing 10 nodes not on any path changes nothing. Path analysis turns 47 findings into 3 priorities."	c2a::s09::analysis
"Why is event-driven monitoring superior to scheduled posture assessment?"	"Scheduled: assess nightly. Misconfig introduced 9AM, exploited 2PM = MISSED. Event-driven: subscribe to CloudTrail/Activity Log, security-relevant change → re-assess in SECONDS. Catches drift at change time, before it compounds into an exploitable path. Latency: days vs seconds."	c2a::s09::analysis
"How does the event-driven monitor scale efficiently (the filtering principle)?"	"Not every API call triggers re-assessment. Filter for security-relevant events: IAM changes, public exposure changes, AI workload changes. Everything else logged but not re-assessed. 50k-resource estate, 10k changes/day = 10k single-resource assessments, NOT 50k-resource scans."	c2a::s09::application
"Which CloudTrail events are security-relevant (trigger re-assessment)?"	"IAM changes: AttachRolePolicy, CreatePolicy, PutRolePolicy, AssumeRole. Public exposure: PutBucketAcl, PutBucketPolicy, AuthorizeSecurityGroupIngress. AI workloads: CreateEndpoint, CreateAgent. These shift privilege boundaries or exposure; other events are logged only."	c2a::s09::recall
"How does the harness triage posture findings by severity?"	"Scored by EXPLOITABILITY (on active attack path?), BUSINESS IMPACT (data classification), REACHABILITY (publicly exposed?). Critical on active path → page immediately. Medium → daily report batch. Low → weekly posture review. The discipline is ROUTING — surface what matters, suppress what doesn't."	c2a::s09::application
"What are the three multi-audience report views, and what does each contain?"	"Engineer: per-finding (ARN, control, current vs expected config, remediation command, attack-path membership). CISO: risk score, trend, top 5 attack paths, business-impact framing. Auditor: control → finding map, pass/fail, evidence timestamp, assessor identity. Same data, different projections."	c2a::s09::recall
"Why are the three report views generated from ONE finding store, not maintained separately?"	"Consistency. Engineer's findings, CISO's top paths, auditor's evidence are views over the SAME data — differ in projection, not storage. No drift between what the engineer fixes and what the CISO reports. The CISO's top 5 paths are the same paths the engineer sees in detail."	c2a::s09::analysis
"What is the approval gate rule for automated remediation in production?"	"Production ALWAYS requires human approval. The harness may generate the fix, attach it to a ticket, stage it — but does NOT apply without approval. No approver = propose only. Non-prod (staging/dev/sandbox) may auto-apply per policy. Automated remediation that breaks production is WORSE than the misconfig it fixes."	c2a::s09::recall
"Why is the snapshot-inventory anti-pattern harmful, and what is the cure?"	"A week-old inventory is stale due to cloud drift — new buckets, changed roles, deleted resources all missed. Posture assessed against stale data. Cure: the reconciliation loop (S09.1), event-driven and continuous — diff against last-known inventory on every change."	c2a::s09::analysis
