
Open-core CNAPP providing agentless cloud asset graph mapping and risk prioritization.

SubImage is a cloud-native application protection platform (CNAPP) built on Cartography, an open-source security graph project originally developed at Lyft. The company offers a fully managed, agentless SaaS product that maps cloud, SaaS, and on-premises assets into a unified, queryable graph to help security teams identify and prioritize vulnerabilities, misconfigurations, and access risks.

SubImage connects to customer environments via read-only APIs, requiring no agent installation and no ongoing maintenance from customers. It supports major cloud providers (AWS, Azure, GCP, Oracle Cloud, DigitalOcean), identity platforms (Okta, Microsoft Entra, Duo, Keycloak), SaaS tools (GitHub, GitLab, Slack, PagerDuty), endpoint/MDM solutions (Jamf, Kandji, BigFix), and security tools (CrowdStrike, SentinelOne, Semgrep, Trivy), among others.

The platform builds a continuously updated asset inventory and relationship graph, exposing "toxic combinations" — chained risks such as a publicly accessible storage bucket linked to sensitive database credentials. An AI-powered conversational interface allows teams to query the graph in plain English and receive prioritized, context-aware remediation guidance.

Key platform capabilities include:

- Agentless, read-only data collection via API
- Asset discovery across cloud, SaaS, and on-prem environments
- Identity and access visibility (covering IAM roles, service accounts, and human users)
- CVE and misconfiguration prioritization based on environmental context
- Open API access for SIEM, SOAR, and ticketing system integrations
- RBAC and SSO support

SubImage positions itself as an open-core alternative to Wiz and similar CNAPPs, differentiating through transparency (open-source Cartography foundation), no pay-to-play integrations, and direct graph queryability. The team includes alumni from Anthropic, Lyft, NSA, and Microsoft.