Discover

New here? Start with the three questions everyone asks first.

1. What is it?

Stave is an offline configuration-safety evaluator for cloud infrastructure. You feed it a point-in-time snapshot of your config (S3, IAM, EC2, …) plus a set of controls (safety invariants), and it proves which resources are unsafe — now and latently (safe today, one setting-change from exposed).

It is a reasoning engine, not a scanner: it evaluates how settings combine (a permissive policy neutralised by a Public Access Block; an exposure that needs two independent paths closed; a compound attack chain across resources) — the edges, not just the nodes.
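As an added example (not Stave's code, controls or snapshot format), the S3 case mentioned above in Python: the same anonymous-read bucket policy yields a different verdict depending on the bucket's RestrictPublicBuckets setting, and the "latent" verdict records that a single setting is all that stands between the bucket and exposure. The snapshot shape, bucket names and account id are constructed.

```python
# Added illustration, not Stave's code or snapshot format: a permissive S3
# bucket policy and the bucket's Public Access Block combine into one verdict.

def policy_grants_anonymous_read(policy):
    """True if any Allow statement grants s3:GetObject (or s3:*) to everyone."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if anonymous and any(a in ("s3:*", "s3:GetObject") for a in actions):
            return True
    return False

def evaluate_bucket(bucket):
    """Return (verdict, trace) for one bucket.
    exposed - anonymous read is reachable now
    latent  - the policy already grants anonymous read and only
              RestrictPublicBuckets stands in the way: one setting flip exposes it
    safe    - no statement grants anonymous access
    """
    trace = []
    public_policy = policy_grants_anonymous_read(bucket.get("Policy", {}))
    trace.append(f"policy grants anonymous read: {public_policy}")
    if not public_policy:
        return "safe", trace
    # RestrictPublicBuckets denies public access to a bucket whose policy is
    # public, so it neutralises the policy without changing it (the edge).
    restricted = bool(bucket.get("PublicAccessBlock", {}).get("RestrictPublicBuckets"))
    trace.append(f"RestrictPublicBuckets neutralises policy: {restricted}")
    return ("latent" if restricted else "exposed"), trace

def evaluate_snapshot(snapshot):
    """Map each bucket name in a snapshot to its verdict."""
    return {name: evaluate_bucket(b)[0] for name, b in snapshot.items()}

# Constructed sample snapshot: two buckets share one public policy, differing only in PAB.
PUBLIC_READ = {"Statement": [{"Effect": "Allow", "Principal": "*",
               "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example/*"}]}
OWNER_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
              "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
              "Resource": "arn:aws:s3:::example/*"}]}
SNAPSHOT = {
    "logs": {"Policy": PUBLIC_READ, "PublicAccessBlock": {"RestrictPublicBuckets": True}},
    "assets": {"Policy": PUBLIC_READ, "PublicAccessBlock": {}},
    "private": {"Policy": OWNER_ONLY, "PublicAccessBlock": {}},
}
```

Running `evaluate_snapshot(SNAPSHOT)` classifies "logs" as latent, "assets" as exposed and "private" as safe; a single-setting scanner looking only at the policy would flag the first two identically.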

2. Can it solve my problem?

Use Stave if you need to:

  • Prove a bucket / role / key is safe from static config alone — no credentials, no live account, no network.
  • Catch latent exposure (safe now, unsafe after the next terraform apply).
  • Find compound risk a single-setting scanner misses.
  • Produce deterministic, reproducible evidence for audits and CI gates.

If you only need a one-setting "is this flag on?" check, a conventional scanner may be enough. Stave's wedge is the reasoning across settings, time, and resources.

3. Is it credible?

  • Validated against real breaches and bug bounties — see the case studies (30 real HackerOne reports reconstructed as reasoning challenges).
  • Deterministic & auditable — same input, same verdict, byte-for-byte; every finding carries an evidence line and a reasoning trace.
  • Open source — read the engine, the controls, and the test corpus yourself.

Keep going

  • 📝 Blog — the thinking behind the approach.
  • 🧪 Case studies — real incidents, what a reasoning engine finds.
  • Ready to kick the tyres? → Evaluate.