Ephemera k8s·audit
private beta · EU · US coming soon

A Kubernetes security audit. Delivered in minutes. Ephemeral. Join the private beta.

Ephemera is a read-only posture and compliance audit for your Kubernetes clusters. No agent to install. Processing stays inside the region you pick, and raw sensitive data (cluster dumps, findings, PDFs) self-deletes in 24 hours. Scores, trends, and compliance metrics stay so your dashboard keeps improving. Most audits finish in a couple of minutes.

  • Two paths. Upload a cluster dump, or run our read-only CLI against a live cluster.
  • One executive-ready PDF. Findings mapped to ISO 27001, NIS2, NIST CSF, EU CRA, and GDPR, with remediation drafts.
  • Proof, not promises. Data plane stays in your chosen region. Raw data auto-deletes in 24 hours, aggregate stats and trends are kept permanently.
12 frameworks · 10+ best-practice categories · 60+ canonical checks · 160+ best-practice items · 800+ mapped rules
  • 🌍 ISO 27001:2022
  • 🇺🇸 NIST CSF v2.0
  • 🇺🇸 SOC 2 AICPA TSC
  • 🇪🇺 NIS2 Dir. 2022/2555
  • 🌍 CIS K8s v2.0
  • 🛡️ MITRE ATT&CK Containers / K8s
  • 📋 OWASP K8s Top 10 2022
  • 🇪🇺 GDPR Reg. 2016/679
  • 🇺🇸 NSA/CISA K8s Hardening v1.2
  • 🇪🇺 DORA Reg. 2022/2554
  • 🇪🇺 CRA Reg. 2024/2847
  • 🇪🇺 CER Dir. 2022/2557
  • 📘 Best practices 160+ items / 13 categories
What you get

Six things that land in your inbox on day one.

Every audit produces the same artifacts. No tiers, no locked features during the beta. We just want your honest feedback.

01

Executive-ready PDF

One PDF with an executive summary, full technical findings with remediation drafts, and a compliance control mapping - all in one signed, downloadable file.

See a sample report →
02

Remediation drafts, not just findings

Every critical comes with a suggested YAML patch, a kubectl command, or a policy snippet you can paste. Ephemera drafts, you review. Nothing is applied automatically.

03

Compliance mapping

Findings are cross-referenced with ISO/IEC 27001 Annex A, NIS2 art. 21, NIST CSF 2.0, the EU Cyber Resilience Act (CRA articles 13 and 14), GDPR art. 32, DORA Chapter II, CER art. 13, SOC 2 CC6, and CIS Kubernetes v2.0. Filter by framework in the dashboard.

04

Best practices coverage

160+ engineering best practices across 13 categories, distilled from kubernetes.io guides, OWASP, and CNCF / vendor production checklists. Each gap links back to a concrete finding with a remediation draft.

05

Live dashboard

Track score trends, cluster-by-cluster diffs, scheduled scans, and the retention clock. Slack, email, and webhook delivery on every completed audit.

Open the demo dashboard →
06

Proof, not promises

A signed retention receipt is generated when every artifact is deleted. The append-only retention log is part of your audit trail. Show it to your auditor, don't just tell them.

How it works

Three steps. Sensitive data never stays.

Data flow is deliberately short. Nothing crosses a region boundary. Raw cluster data is gone in 24 hours — scores and trends stay so you can track progress.

  1. step 01

    Pick your path

    Upload a cluster dump through the browser, or install the ephemera CLI (one command, signed, open source) and point it at your cluster. Either way you pick the data region (EU or US) before anything moves.

  2. step 02

    We redact, scan, analyse

    The job lands in a region-pinned worker. Secrets are scrubbed at ingest (regex + entropy). Policy, capacity, images, and compliance checks run in parallel. Ephemera drafts remediations from redacted findings only. No raw manifests ever leave the data plane.

  3. step 03

    Report delivered, clock starts

    You get the PDF by email (plus Slack / webhook if configured), and a dashboard link. A 24-hour countdown begins on all raw data. When it hits zero the cluster dump, raw findings, and PDF are deleted, and a signed retention receipt is added to your permanent audit trail. Aggregate scores, severity counts, compliance coverage, and trend metrics are kept permanently, so your dashboard tracks posture over time without ever storing sensitive cluster data.

Verifiable redaction · in your browser

Redaction runs in your browser, before the upload starts. We show you the SHA-256 of the file before and after redaction, so you have cryptographic proof that what we received is exactly the redacted file — re-run sha256sum locally and check. No competitor shows you this.

original  sha256: 9f2c4a8e…71b3  — your raw dump (stays on your machine)
redacted  sha256: b7e1d0f6…9c  ← this is what uploads
Signed deletion receipt · cryptographically verifiable

The whole lifecycle is provable, not promised. When the retention cron deletes your data it appends an ed25519-signed entry to a separate, write-only log — listing every deleted object with its SHA-256. Re-verify it against our public key; change one byte and the signature fails.

  1. in your browser

    Redact & upload

    Secrets are stripped client-side, then the redacted dump uploads over TLS to the region you picked.

  2. region-pinned storage

    Versioned, with a deadline

    Stored in your region — EU uploads under Object Lock (WORM). A delete_at of upload + 24h is set immediately.

  3. retention-cron · * * * * *

    Delete & hash

    Every minute, past-deadline jobs are purged — each object version deleted and its SHA-256 recorded.

  4. write-only log · kept forever

    Signed receipt

    An ed25519-signed record is appended to a separate, private log bucket — Scaleway in the EU, DigitalOcean in the US, replicated to a second region in the same jurisdiction for DR — and retained permanently.

  {
    "seq": 4217,                          // position in the append-only chain
    "prev_hash": "a3f0…1d",               // entry_hash of seq 4216
    "entry_hash": "c81b…7e",
    "timestamp": "2026-04-19T17:42:03+00:00",
    "job_id": "EPH-2026-0418-7742",
    "tenant_id": "8f1c…e2",
    "region": "eu",                       // data-residency region · eu / us
    "verb": "DELETE",
    "age_seconds": 0,
    "deleted_objects": [
      "jobs/<tenant>/EPH-…7742/report.pdf:b7e1d0f6…9c",
      "jobs/<tenant>/EPH-…7742/dump.zip:9f2c4a8e…71b3"
    ],
    "signature": "5c1e9b…a0"              // ed25519 over the canonical message
  }
Read-only

No install required. CLI is signed, RBAC is published, only needs get/list.

Region-pinned

Your cluster dump, derived findings, and PDF live in a single region, for example Paris (EU). Pick it at upload time and your data stays there, never replicated across regions.

Auto-wipe

Raw cluster data, findings, and PDFs are deleted after 24 hours, confirmed by a signed retention log entry. Aggregate scores and trend metrics stay permanently. Download the log to verify each deletion against its SHA-256.

Questions we hear a lot

Frequently asked, honestly answered.

What does Ephemera actually see in my cluster?

Roughly the output of kubectl get all,cm,netpol,role,rolebinding -A -o yaml, plus cluster and node metadata. Secret values are stripped at the edge before anything is analysed. We only ever see that a Secret exists, its name, and its mount points. Image digests are kept; image contents are never pulled.

Is it safe to run on production?

The CLI is read-only: it binds to a dedicated ClusterRole with get, list, and watch on core resources, and nothing else. No mutating API calls, no exec, no port-forward. You can audit the RBAC manifest yourself before running it (it's about 110 lines).

How does the auto-wipe work, and how do I verify?

Belt and suspenders: the object storage bucket has a 24-hour lifecycle rule (hard floor), a per-minute cron checks every job's tombstone and deletes on schedule, and the append-only retention log records every delete with a SHA-256 of the original artifact. Only raw data (cluster dumps, findings, PDFs) is wiped; aggregate scores, severity counts, and compliance metrics are kept permanently so your dashboard shows trends over time. You can download the log for any audit and confirm the hashes match what you uploaded.

Where does my cluster data go?

Into the region you picked (EU or US) and nowhere else. The control-plane database holds metadata only (job id, finding counts, retention log entries) and is sharded per region too. There is no cross-region replication of anything derived from a customer cluster.

How is this different from kube-bench / Trivy / Kubescape?

Those are excellent open-source scanners and Ephemera actually uses several of them under the hood. The difference is packaging: you get one report instead of five JSON blobs, LLM-drafted remediations instead of raw rule IDs, a data-residency and retention model you can hand to a compliance team, and a dashboard for trends over time. If you want the raw scanner output, it's included in the download.

Can I self-host it?

Not during the private beta. We want to iterate fast without fragmenting support across deployment targets. The CLI itself is open source, and a self-hosted option is something we're planning.

When does the public beta open, and how do you pick?

We invite in small batches as capacity grows (usually weekly). Priority goes to teams running multi-cluster production workloads in regulated industries (CRA / NIS2 / DORA / SOC 2 / CIS K8s timelines coming up), because that's the use case we're building against. If that's you, mention it in the why field on the form and you'll jump the queue.

Do you replace a compliance consultant or auditor?

No. Ephemera surfaces technical findings and maps them to framework control IDs, which saves hours of manual cross-referencing. It does not render legal opinions, certify conformance, or replace the human review a certification body, DPO, or internal auditor performs. Treat the output as evidence for their review, not as a sign-off.

Still have a question we didn't answer?

Request beta access Email us →
Pricing

Simple, transparent pricing.

First 3 users get the Starter plan free for life. The next 50 get 50% off locked for 12 months. After that, list price. All tiers bill monthly; annual plans get two months free.

🎟 Founding offer
First 3 users get Starter free for life.
Next 50: 50% off Starter & Business locked for 12 months. Early users shape the roadmap.

Free

€0 forever

See your real posture in under 10 minutes.

  • 1 cluster · 2 audits / month
  • Browser upload
  • All framework mappings
  • All best-practice items
  • Full PDF + remediation runbook
Join the beta

Starter

€49 list · 50% off during beta
€25 / month
first 50 beta testers · 50% off locked for 12 months

Continuous posture, on a schedule, for a small team.

  • 5 clusters · 50 audits / month
  • CLI + scheduled scans
  • Slack + webhook + email
  • 30-day audit history
  • 3 team seats
Claim beta price

Enterprise

Talk to us

Run Ephemera the way your CISO needs it.

  • Unlimited clusters & audits
  • SSO / SAML 2.0 + SCIM provisioning
  • Self-hosted / BYO-cloud worker
  • Custom region · custom retention
  • Custom DPA + named SLA
  • Dedicated CS + Slack channel
Talk to us
41 capabilities · 4 plans

Prices in EUR, exclusive of VAT. USD shown with a live FX conversion from EUR. Beta pricing is valid for 12 months. Annual = 2 months free.