Ephemera k8s·audit
private beta · EU + US regions

A Kubernetes security audit. Delivered in minutes. Ephemeral. Join the private beta.

Ephemera is a read-only posture and compliance audit for your Kubernetes clusters. No agent to install. No data kept. Processing stays inside the region you pick, and every artifact self-deletes after 24 hours. Most audits finish in a couple of minutes.

  • Two paths. Upload a cluster dump, or run our read-only CLI against a live cluster.
  • One executive-ready PDF. Findings mapped to ISO 27001, NIS2, NIST CSF, EU CRA, and GDPR, with remediation drafts.
  • Proof, not promises. Data plane stays in your chosen region. Every job self-deletes on a clock you can audit.

What you get

Six things that land in your inbox on day one.

Every audit produces the same artifacts. No tiers, no locked features during the beta. We just want your honest feedback.

01 · Executive-ready PDF

One PDF with an executive summary, full technical findings with remediation drafts, and a compliance control mapping - all in one signed, downloadable file.

See a sample report →

02 · Remediation drafts, not just findings

Every critical comes with a suggested YAML patch, a kubectl command, or a policy snippet you can paste. Ephemera drafts, you review. Nothing is applied automatically.

03 · Two paths in

Export a cluster dump with kubectl cluster-info dump and upload it through the browser, or run our signed, read-only CLI against a live cluster. Either way you get the same report.

04 · Compliance mapping

Findings are cross-referenced with ISO/IEC 27001 Annex A, NIS2 art. 21, NIST CSF 2.0, the EU Cyber Resilience Act (CRA articles 13 and 14), GDPR art. 32, DORA Chapter II, CER art. 13, SOC 2 CC6, and CIS Kubernetes 1.8. Filter by framework in the dashboard.

05 · Live dashboard

Track score trends, cluster-by-cluster diffs, scheduled scans, and the retention clock. Slack, email, and webhook delivery on every completed audit.

Open the demo dashboard →

06 · Proof, not promises

A signed retention receipt is generated when every artifact is deleted. The append-only retention log is part of your audit trail. Show it to your auditor, don't just tell them.

How it works

Three steps. Your data never stays.

Data flow is deliberately short. Nothing crosses a region boundary. Nothing survives past 24 hours.

  1. Step 01 · Pick your path

    Upload a cluster dump through the browser, or install the ephemera CLI (one command, signed, open source) and point it at your cluster. Either way you pick the data region (EU or US) before anything moves.

  2. Step 02 · We redact, scan, analyse

    The job lands in a region-pinned worker. Secrets are scrubbed at ingest (regex + entropy). Policy, capacity, images, and compliance checks run in parallel. Ephemera drafts remediations from redacted findings only. No raw manifests ever leave the data plane.

  3. Step 03 · Report delivered, clock starts

    You get the PDF by email (plus Slack / webhook if configured), and a dashboard link while the artifact still exists. A 24-hour countdown begins. When it hits zero the raw dump, findings, and PDF are deleted. A signed retention receipt is added to your permanent audit trail - aggregate scores and finding counts are kept for trend charts, but no raw finding data survives.

Read-only

No agent to install in the cluster. The CLI is signed, its RBAC is published, and it only needs get/list.

Region-pinned

Your cluster dump, derived findings, and PDF live in one region (Paris for EU). Pick your region at upload time and your data stays there, never replicated across regions.

Auto-wipe

Every job has a countdown. After 24 hours every artifact is gone - confirmed by a signed entry in the retention log. Download the log to verify each deletion against its SHA-256.

Questions we hear a lot

Frequently asked, honestly answered.

What does Ephemera actually see in my cluster?

Roughly the output of kubectl get all,cm,secret,netpol,role,rolebinding -A -o yaml, plus cluster and node metadata. Secret values are stripped at the edge before anything is analysed. We only ever see that a Secret exists, its name, and its mount points. Image digests are kept; image contents are never pulled.
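Added example, not Ephemera's code: a minimal ingest-time scrubber in the spirit of step 02 and this answer. It drops every Secret value unconditionally (so only the Secret's name, namespace and key names survive) and drops other string values that match a known credential shape or exceed an entropy threshold. The sample dump, the pattern list and the thresholds are constructed assumptions.

```python
import json
import math
import re

# Constructed sample in the shape of `kubectl get secret,cm -A -o json`; not a real dump.
SAMPLE_DUMP = json.dumps({"kind": "List", "items": [
    {"kind": "Secret", "metadata": {"name": "db-creds", "namespace": "app"},
     "data": {"password": "c3VwZXJzZWNyZXQ=", "username": "YXBw"}},
    {"kind": "ConfigMap", "metadata": {"name": "app-config", "namespace": "app"},
     "data": {"LOG_LEVEL": "info",
              "API_TOKEN": "ghp_4kH9sQ2vZ8xR1pL7mN3bT6wY0cJ5eA2fD8gK",
              "MOTD": "welcome to the staging cluster"}},
]})

# Illustrative subset of credential shapes (assumed; not Ephemera's rule set).
PATTERNS = [re.compile(p) for p in (
    r"^ghp_[A-Za-z0-9]{36}$",               # GitHub personal access token
    r"^AKIA[0-9A-Z]{16}$",                  # AWS access key id
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----",  # PEM private key
)]
MIN_LEN, ENTROPY_BITS = 20, 4.0  # assumed thresholds for the entropy heuristic

def shannon_entropy(s: str) -> float:
    """Bits per character; random base64/hex tokens score well above prose."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def looks_secret(value: str) -> bool:
    if any(p.search(value) for p in PATTERNS):
        return True
    # Entropy heuristic: long, space-free, high-entropy strings are treated as credentials.
    return " " not in value and len(value) >= MIN_LEN and shannon_entropy(value) > ENTROPY_BITS

def redact_items(dump_json: str) -> tuple[list[dict], int]:
    """Return (redacted items, count). Secret values are always dropped, so only a Secret's
    name, namespace and key names survive; other values go only if they look like credentials."""
    items, scrubbed = json.loads(dump_json)["items"], 0
    for obj in items:
        for field in ("data", "stringData"):
            for key, val in list(obj.get(field, {}).items()):
                if obj["kind"] == "Secret" or (isinstance(val, str) and looks_secret(val)):
                    obj[field][key] = "[REDACTED]"
                    scrubbed += 1
    return items, scrubbed

if __name__ == "__main__":
    print(json.dumps(redact_items(SAMPLE_DUMP)[0], indent=2))
```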

Is it safe to run on production?

The CLI is read-only: it binds to a dedicated ClusterRole with get, list, and watch on core resources, and nothing else. No mutating API calls, no exec, no port-forward. You can audit the RBAC manifest yourself before running it (it's about 110 lines).

How does the auto-wipe work, and how do I verify?

Belt and suspenders: the object storage bucket has a 24-hour lifecycle rule (hard floor), a per-minute cron checks every job's tombstone and deletes on schedule, and the append-only retention log records every delete with a SHA-256 of the original artifact. You can download the log for any audit and confirm the hashes match what you uploaded.
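An added example, not Ephemera's tooling: a verifier for a downloaded retention log that recomputes the SHA-256 of a locally kept copy of each artifact and also checks the region and the 24-hour window described on this page. The log's field names, the sample entries and the artifact bytes are constructed assumptions; the receipt signature itself is not checked here because the page does not describe the key format.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed local copies of the artifacts the audit produced (kept by the customer).
ARTIFACTS = {
    "cluster-dump.yaml": b"apiVersion: v1\nkind: List\nitems: []\n",
    "report.pdf": b"%PDF-1.7\n% constructed sample\n",
}

# Constructed retention log; the field names are an assumption, not Ephemera's published format.
# The second entry deliberately carries a wrong hash and a late deletion to show a failing check.
RETENTION_LOG = [json.dumps(e) for e in (
    {"job": "job-0001", "artifact": "cluster-dump.yaml", "region": "eu",
     "sha256": hashlib.sha256(ARTIFACTS["cluster-dump.yaml"]).hexdigest(),
     "created_at": "2024-05-01T10:00:00Z", "deleted_at": "2024-05-02T09:59:30Z"},
    {"job": "job-0001", "artifact": "report.pdf", "region": "eu",
     "sha256": "0" * 64,
     "created_at": "2024-05-01T10:02:00Z", "deleted_at": "2024-05-02T10:30:00Z"},
)]

def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def verify_log(log_lines, artifacts, expected_region, max_age=timedelta(hours=24)):
    """Return {artifact: [problems]}; an empty list means the deletion entry checks out."""
    results = {}
    for line in log_lines:
        entry, problems = json.loads(line), []
        local = artifacts.get(entry["artifact"])
        if local is None:
            problems.append("no local copy to compare against")
        elif hashlib.sha256(local).hexdigest() != entry["sha256"]:
            problems.append("sha256 mismatch")  # the log entry does not describe the file you uploaded
        if entry["region"] != expected_region:
            problems.append(f"region {entry['region']} != {expected_region}")
        if _ts(entry["deleted_at"]) - _ts(entry["created_at"]) > max_age:
            problems.append("deleted after the 24h window")
        results[entry["artifact"]] = problems
    return results

if __name__ == "__main__":
    for name, problems in verify_log(RETENTION_LOG, ARTIFACTS, "eu").items():
        print(name, "OK" if not problems else "; ".join(problems))
```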

Where does my cluster data go?

Into the region you picked (EU or US) and nowhere else. The control-plane database holds metadata only (job id, finding counts, retention log entries) and is sharded per region too. There is no cross-region replication of anything derived from a customer cluster. The only external hop is the Anthropic API call for remediation drafting, which only sees already-redacted, anonymized finding descriptions.

How is this different from kube-bench / Trivy / Kubescape?

Those are excellent open-source scanners and Ephemera actually uses several of them under the hood. The difference is packaging: you get one report instead of five JSON blobs, LLM-drafted remediations instead of raw rule IDs, a data-residency and retention model you can hand to a compliance team, and a dashboard for trends over time. If you want the raw scanner output, it's included in the download.

Can I self-host it?

Not during the private beta. We want to iterate fast without fragmenting support across deployment targets. The CLI itself is open source, and a self-hosted option is something we're planning.

When does the public beta open, and how do you pick?

We invite in small batches as capacity grows (usually weekly). Priority goes to teams running multi-cluster production workloads in regulated industries (CRA / NIS2 / DORA / SOC 2 / CIS K8s timelines coming up), because that's the use case we're building against. If that's you, mention it in the why field on the form and you'll jump the queue.

Do you replace a compliance consultant or auditor?

No. Ephemera surfaces technical findings and maps them to framework control IDs, which saves hours of manual cross-referencing. It does not render legal opinions, certify conformance, or replace the human review a certification body, DPO, or internal auditor performs. Treat the output as evidence for their review, not as a sign-off.

Still have a question we didn't answer?

Request beta access · Email us →

Pricing

Simple, transparent pricing.

Beta participants keep their entry price for 12 months from sign-up. All tiers bill monthly; an annual plan is available at a discount equivalent to two months free.

Free · Try it · €0 forever
  • 1 cluster
  • 2 audits / month
  • Upload path only
  • Full PDF report
  Join the beta

Growth · Business · €99 / month
  • Up to 5 clusters
  • Up to 20 clusters
  • Unlimited audits
  • SSO (OIDC / SAML)
  • Dedicated worker pool
  • Signed retention exports
  Join the beta

Custom · Enterprise · Talk to us
  • Unlimited clusters
  • Named SLA & DPA
  • Self-hosted (roadmap)
  • Custom regions
  • Dedicated CS contact
  Get in touch

Prices in EUR, exclusive of VAT. USD shown with a live FX conversion from EUR. Beta pricing is locked in for 12 months.