u/Curious-Cod6918

▲ 4 r/CRM

How do i automate sales forecasting without losing my mind?

sales forecasting has been such a pain lately. we've got all this data, but manually calculating forecasts is taking forever and it's never 100% accurate. there's gotta be a way to automate this and save time.

i need something that pulls all the data together and gives us real time insights based on buyer activity and past sales. basically, i want a tool that does the heavy lifting and gives us reliable forecasts without the stress.

anyone got any recommendations for a tool that can automate sales forecasts without making it feel like extra work?

u/Curious-Cod6918 — 5 days ago

Agentless scanning vs ephemeral compute – honest opinions?

we’ve got container workloads spinning up and dying faster than we can track, but security wants agentless scanning across everything.

we're running heavy autoscaling on Kubernetes. pods live ~30 minutes during peak. some jobs are gone before you even notice them. agentless works fine when infrastructure sticks around long enough to be discovered, but these workloads barely exist.

i’ve tried a few approaches:

- runtime scanning from the cluster level. catches things once they're running, but the window is already tight  
- scanning at build time. helps for the image, doesn’t reflect runtime config  
- pushing agents into the pod lifecycle. defeats the whole point  
- admission webhooks. good for policy, doesn’t show what actually happens at runtime  

compliance still wants coverage across everything, not just long-lived workloads.

at this point it feels like you either get coverage or stay agentless, not both.

anyone found a way to handle this without breaking one side of that tradeoff?

u/Curious-Cod6918 — 10 days ago

Just got out of a compliance audit and I'm still a bit stunned. First question was whether we have SBOMs for what's running in production. We had one Syft export from 6 weeks ago on one image. That was it. 34 services.

CVE counts are genuinely low, we've been working on that for months. Didn't matter. Auditor wanted signed artifacts tied to deployed digests, not scanner scores. Spent the next 3 weeks trying to generate SBOMs retroactively and half of them didn't even match what was running because images had been rebuilt in between and nobody was tracking which digest was live.

Is there a workflow people are running where SBOMs get generated automatically at build time and stay tied to whatever lands in production? The manual process falls apart the second someone does a hotfix outside the normal pipeline.

u/Curious-Cod6918 — 24 days ago
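
Added example, not part of the post above or of any tool it names: a Python check for the failure the post describes, where the SBOM on file does not match the digest actually running. The inventory, the SBOM records, their field names and the function names are all constructed assumptions; `signed` is assumed to come from a separate signature verification step.

```python
import re

# An image reference pinned by digest ends in @sha256:<64 hex chars>.
DIGEST_RE = re.compile(r"@(sha256:[0-9a-f]{64})$")

def d(ch):
    """Build a constructed (fake) digest from one repeated hex character."""
    return "sha256:" + ch * 64

# Constructed sample: what is running (service -> image reference).
DEPLOYED = {
    "billing": f"registry.example/billing@{d('a')}",
    "search": f"registry.example/search@{d('b')}",   # rebuilt by a hotfix
    "gateway": "registry.example/gateway:latest",     # deployed by tag only
    "reports": f"registry.example/reports@{d('c')}",
}

# Constructed sample: SBOM records captured at build time.
SBOMS = [
    {"repo": "registry.example/billing", "digest": d("a"), "signed": True},
    {"repo": "registry.example/search", "digest": d("9"), "signed": True},
    {"repo": "registry.example/reports", "digest": d("c"), "signed": False},
]

def audit(deployed, sboms):
    """Classify each service: ok, unsigned, stale, missing or unpinned."""
    by_digest = {(s["repo"], s["digest"]): s for s in sboms}
    repos_with_sbom = {s["repo"] for s in sboms}
    result = {}
    for service, ref in deployed.items():
        m = DIGEST_RE.search(ref)
        if not m:
            result[service] = "unpinned"   # a tag cannot be tied to an SBOM
            continue
        repo = ref[:m.start()]
        record = by_digest.get((repo, m.group(1)))
        if record is None:
            # An SBOM for another digest of the same repo means a rebuild.
            result[service] = "stale" if repo in repos_with_sbom else "missing"
        else:
            result[service] = "ok" if record["signed"] else "unsigned"
    return result

def gaps(deployed, sboms):
    """Services an auditor would flag, sorted by name."""
    return sorted(s for s, st in audit(deployed, sboms).items() if st != "ok")

if __name__ == "__main__":
    for service, status in audit(DEPLOYED, SBOMS).items():
        print(f"{service:10} {status}")
```
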

Deployed a hotfix to an ECS service in AWS earlier this week. Skipped a full security scan in staging due to time constraints. Internal checks passed and the deploy went through.

A few hours later, unusual activity showed up. CloudTrail logs showed access using an IAM role that was not expected to be reachable.

Tracked it back to a Lambda function. The assumed role policy was broader than intended. A related security group also allowed inbound access that exposed the endpoint.

Requests reached the service and used that role to list S3 buckets across accounts. Rolled back the change and updated the policies. Everything looked correct during validation. Runtime behavior showed the exposure.

What are teams using to catch IAM exposure before deployment when policies look correct during checks?

u/Curious-Cod6918 — 25 days ago

CVSS 9.1 in a networking library. Trivy flagged it Tuesday. Release was Thursday. Upstream hadn't patched. We shipped it anyway because nothing in the pipeline stops a deploy, it just warns.

That decision to use warn-only gates was made 18 months ago because blocking on every finding was halting releases constantly and engineering pushed back hard. I get it. But what we have now is a scanner that everyone has learned to ignore under deadline pressure.

CVE sat in the backlog 11 days before upstream moved. We documented everything, added compensating controls. Still can't guarantee the next one is also only 11 days.

Tried Kyverno. Teams found workarounds within 2 weeks. Once that happens the gate is gone in practice even if it's technically still there. Anyone running hard blocks in production without it becoming a political problem every release cycle?

u/Curious-Cod6918 — 1 month ago