
Agentless CNAPP that maps cloud/SaaS/on-prem assets into a queryable security graph.
SubImage is a fully managed, agentless cloud-native application protection platform (CNAPP) built on Cartography, an open-source security graph originally developed at Lyft. It connects to cloud, SaaS, and on-prem environments via read-only APIs to continuously discover and map assets, relationships, access paths, and risks into a unified, queryable graph.

What it does:
- Performs continuous asset inventory across cloud providers, SaaS tools, identity systems, and on-premises infrastructure
- Detects misconfigurations, vulnerabilities (CVEs), and risky access combinations across the environment
- Maps relationships between identities, roles, resources, and services to surface exploitable access paths
- Prioritizes findings based on relevance to the organization's architecture and risk profile, rather than raw alert volume
- Provides a conversational AI interface for querying the security graph in plain English
- Exposes raw graph data via open APIs for integration with SIEM, SOAR, and ticketing systems

Deployment & Architecture:
- Agentless: connects via read-only API, no agents or software installed on customer systems
- Fully managed: SubImage operates the infrastructure, handles updates and scaling
- On-premises and hybrid support available via a customer-controlled proxy over encrypted tunnels
- Built on Cartography (CNCF project), making underlying rules, relationships, and schemas transparent and customizable

SubImage positions itself as an open-core alternative to commercial CNAPPs like Wiz, with no gated integrations or pay-to-play ecosystem restrictions. The team has backgrounds from Anthropic, Lyft, NSA, and Microsoft.
Common questions about SubImage including features, pricing, alternatives, and user reviews.
SubImage is an agentless CNAPP, developed by SubImage, that maps cloud/SaaS/on-prem assets into a queryable security graph. It is a Cloud Security solution designed to help security teams with Cloud Native, Graph, and Misconfiguration.
Cloud-native app security platform covering code to cloud with SAST, SCA, IaC
CNAPP providing unified cloud security posture, workload, and app protection.