Vishcore Inc.

how it works

Methodical cloud work, scoped before production changes.

The operating model is simple: inspect first, scope second, remediate with infrastructure code, then hand over evidence and the next queue. A skeptical CTO should grasp the engagement in under sixty seconds.

client@discovery:~$ vishcore delivery --mode evidence-first

read‑only review before any recommendation

rollout order matched to production risk

auditor-readable handoff after changes land

delivery workflow

Six steps. One engagement, end to end.

Each step shows who owns the decision and what artifact comes out of it.

01 / 06 pressure

Pressure arrives.

SOC 2 deadline, buyer security review, disaster recovery gap, or Terraform drift the team can no longer defend.

owner: client

02 / 06 read‑only

Vishcore starts read‑only.

Client-created cross-account role with External ID, scoped to the scanner allowlist. No writes, no Terraform, no secret values read.

owner: vishcore

03 / 06 report

Scan and report.

Controls evaluated, gaps classified into confirmed fix, owner context, permission-limited, or not observed.

artifact: sample-cloud-control-scan.json

04 / 06 decide

Decision call.

The client confirms what should be fixed, what is intentional, and what stays out of scope. Vishcore does not decide alone.

owner: client + vishcore

05 / 06 remediate

Approved remediation.

Terraform pull requests or scoped manual changes only after written approval. Rollout order matched to production risk.

owner: vishcore

06 / 06 handoff

Evidence packet.

Before/after report, screenshots and API evidence, owner-context worksheet, and the auditor handoff.

artifact: before/after evidence packet

safety boundary

Three rules that hold from first message to handoff.

01

Read‑only by default.

Discovery uses a client-created cross-account role with External ID, scoped to the Vishcore scanner allowlist. No writes, no Terraform, no secret values read, no remediation during discovery.

policy · scanner allowlist + deny guards

02

No secrets in the first message.

Inquiry email and fit-check exchange happen before any AWS access. No portal login, no access request, no secret values, no production credentials.

boundary · fit-check before access

03

Remediation requires written approval.

Every change ships as a reviewable Terraform pull request or scoped manual ticket, after the client confirms rollout order and exclusions. Discovery does not change production.

contract · signed scope · no auto-fix
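
A client-side pre-handover check for the discovery role described in rule 01, written as an added example and not Vishcore's scanner or policy: it verifies that the trust policy requires an External ID and that the permission policy allows only explicitly named read actions, with deny guards for secret reads. The account ID, External ID, sample policies and guard list are assumptions constructed for illustration; NotAction and non-StringEquals conditions are not handled.

```python
# Added example: pre-handover check of a read-only discovery role (not Vishcore code).
READ_PREFIXES = ("Get", "List", "Describe")
# Assumed guard list: actions that return secret material despite read-like names.
SECRET_READS = {"secretsmanager:GetSecretValue", "ssm:GetParameter", "kms:Decrypt"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def check_trust(policy):
    """Flag Allow statements with a wildcard principal or no External ID condition."""
    findings = []
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        if "*" in aws:
            findings.append("trust: wildcard principal")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            findings.append("trust: no sts:ExternalId condition")
    return findings

def check_permissions(policy):
    """Flag non-read or wildcard Allow actions and missing explicit Deny guards."""
    statements = as_list(policy["Statement"])
    denied = {a for st in statements if st.get("Effect") == "Deny"
              for a in as_list(st.get("Action", []))}
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        for action in as_list(st.get("Action", [])):
            name = action.partition(":")[2]
            if "*" in action or not name.startswith(READ_PREFIXES):
                findings.append(f"permissions: not an explicit read action: {action}")
    findings += [f"permissions: no deny guard for {a}" for a in sorted(SECRET_READS - denied)]
    return findings

# Constructed policies; the account ID and External ID are placeholders.
GOOD_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}
WEAK_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]}
GOOD_PERMS = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetBucketPublicAccessBlock", "ec2:DescribeSecurityGroups"], "Resource": "*"},
    {"Effect": "Deny", "Action": sorted(SECRET_READS), "Resource": "*"}]}
WEAK_PERMS = {"Statement": [
    {"Effect": "Allow", "Action": ["iam:ListUsers", "s3:PutBucketPolicy", "ec2:*"], "Resource": "*"}]}
```

A Get/List/Describe prefix filter alone would pass secretsmanager:GetSecretValue, which is why the deny guards are checked separately from the allowlist.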

what discovery produces

A buyer-reviewable report, not a sales pitch.

The discovery scan returns a counts strip, a triage of every gap, a remediation queue sorted by production risk, and an owner-context worksheet for the items where business intent matters more than the control state alone.

The buyer sees the shape of the deliverable before approving paid work.

Illustrative example based on the current Vishcore scanner report shape. The example is sanitized, client-safe, and not presented as a client endorsement.

Discovery uses read-only cloud metadata. It does not create, change, delete, remediate, or read secret values.

This is not an audit opinion, compliance certification, or guarantee that an environment will meet SOC 2 requirements.

client@discovery:~$ vishcore report --input scan-result.json --format html

control counts

evaluated controls: 147
OK: 79
observed gaps: 39
blocked or explicit approval: 6
not observed: 23

remediation queue · first 3

  1. P1 · S3 public-access guardrails · owner: AWS account owner plus application owner
  2. P1 · Root and IAM access hygiene · owner: AWS account owner
  3. P1 · Default security group posture · owner: network or platform owner

real engagements

Where each step has shown up in actual client work.

Every row links to an approved client story on the work page. Same six steps, four named teams.

Start with context, not a generic audit checklist.

Send the pressure point, cloud provider, audit timeline, and where Terraform is trusted or not trusted. Vishcore replies with focused next-step questions, not a sales pitch.