u/Routine_Day8121

Cloud vulnerability prioritization tools that actually work?

We’re getting thousands of findings daily across AWS, Azure, and GCP. The problem isn’t detection, it’s deciding what actually matters. Some of these have been sitting there for months. High severity on paper, but no clear exposure. Others look minor but end up tied to internet-facing assets or shared roles.

We tried layering in exploitability and asset criticality. Helped a bit, but still inconsistent. Depending on who reviews it, the same finding gets treated differently. At this point it feels like we don’t have a stable way to separate “needs action now” from “can wait”.

For teams dealing with this at scale, what made prioritization actually consistent for you?

reddit.com
u/Routine_Day8121 — 1 day ago
▲ 0 r/sre
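One way to make the "who reviewed it" variance go away is to write the prioritization rule down as code so every finding is scored the same way. The block below is an added example, not from the post or from any product: it combines the factors the post already names (scanner severity, internet exposure, exploitability, shared roles, asset criticality) into a deterministic score and tier. The weights, thresholds and sample findings are constructed for illustration and would need tuning against a real backlog.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str
    provider: str            # aws / azure / gcp
    severity: str            # scanner's label: critical / high / medium / low
    internet_facing: bool    # asset reachable from the public internet
    exploit_available: bool  # public exploit or active exploitation known
    shared_role: bool        # identity/role reused by many workloads (blast radius)
    asset_criticality: int   # business tier, 1 (lowest) .. 5 (highest)


SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed thresholds for this example; maximum possible score is 18.0.
ACT_NOW, SCHEDULE = 6.0, 1.0


def score(f: Finding) -> float:
    """Deterministic risk score: scanner severity scaled by exposure,
    exploitability, blast radius and business criticality."""
    if not 1 <= f.asset_criticality <= 5:
        raise ValueError(f"{f.finding_id}: asset_criticality must be 1..5")
    base = SEVERITY_WEIGHT[f.severity.lower()]
    exposure = 2.0 if f.internet_facing else 1.0
    exploit = 1.5 if f.exploit_available else 1.0
    blast = 1.5 if f.shared_role else 1.0
    criticality = f.asset_criticality / 5
    return round(base * exposure * exploit * blast * criticality, 2)


def tier(f: Finding) -> str:
    """Map the score onto the post's 'needs action now' / 'can wait' split."""
    s = score(f)
    if s >= ACT_NOW:
        return "act_now"
    if s >= SCHEDULE:
        return "schedule"
    return "backlog"


def prioritize(findings):
    """Highest risk first; ties broken by id so the order is reproducible."""
    return sorted(findings, key=lambda f: (-score(f), f.finding_id))


# Constructed sample findings mirroring the post's two cases: a "high" with no
# exposure on a low-value asset, and a "medium" on an internet-facing shared role.
SAMPLE = [
    Finding("F1", "aws",   "high",     False, False, False, 2),
    Finding("F2", "gcp",   "medium",   True,  True,  True,  5),
    Finding("F3", "azure", "critical", True,  True,  False, 5),
    Finding("F4", "aws",   "low",      False, False, False, 1),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.finding_id} {f.provider:5} {f.severity:8} {score(f):5.2f} {tier(f)}")
```

With these weights the "medium" finding on an internet-facing shared role (F2, 9.0) outranks the "high" with no exposure on a tier-2 asset (F1, 1.2), which is exactly the reordering the post describes wanting but not getting consistently from human review.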

We run services across AWS (us-east-1, us-west-2) and GCP (us-central1), plus a bit of Azure for a partner integration. Traffic moves over public internet with VPNs between providers.

The issue is hidden dependencies. We have had outages where one region goes down and things cascade because of something we didn’t realize was critical.

Example from last month: a cert rotation in AWS IAM broke access to a shared S3 bucket that GCP workloads depend on for config. Took hours to trace because nothing made that dependency obvious.

Observability is decent with Datadog, but it doesn’t surface cross-provider issues well. Things like DNS resolution failures or auth chains slipping don’t show up clearly.

We tried some chaos testing, but it’s expensive and doesn’t really expose these quieter SPOFs. Looked at service mesh options, but they feel heavy for a mixed k8s + EC2 setup.

How are you identifying and protecting against these kinds of hidden SPOFs in multi-cloud setups?

u/Routine_Day8121 — 16 days ago
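The dependency the post describes (an AWS IAM cert that a shared S3 bucket needs, which GCP workloads in turn read config from) was invisible because nobody had the transitive graph. The block below is an added example, not from the post or any tool it mentions: given an inventory of "consumer depends on dependency" edges, each node tagged with its provider and an HA group, it walks the reverse graph to compute every node's blast radius and flags the non-redundant nodes whose failure would cross a provider boundary. The inventory is constructed to mirror the post's scenario; the HA-group tagging is an assumption about how redundancy would be declared.

```python
from collections import defaultdict, deque

# Constructed sample inventory modelled on the post's description (not real infrastructure).
# Nodes in the same ha_group are interchangeable, so only a group with one member can be a SPOF.
NODES = {
    "aws-iam-cert":     {"provider": "aws",   "ha_group": "aws-iam-cert"},
    "s3-config-bucket": {"provider": "aws",   "ha_group": "s3-config-bucket"},
    "gcp-api":          {"provider": "gcp",   "ha_group": "gcp-api"},
    "gcp-worker":       {"provider": "gcp",   "ha_group": "gcp-worker"},
    "dns-primary":      {"provider": "aws",   "ha_group": "dns"},   # HA pair across providers
    "dns-secondary":    {"provider": "gcp",   "ha_group": "dns"},
    "azure-partner":    {"provider": "azure", "ha_group": "azure-partner"},
}

# (consumer, dependency): the consumer breaks if the dependency is unavailable.
DEPENDS_ON = [
    ("s3-config-bucket", "aws-iam-cert"),
    ("gcp-api", "s3-config-bucket"),
    ("gcp-worker", "s3-config-bucket"),
    ("gcp-api", "dns-primary"),
    ("gcp-api", "dns-secondary"),
    ("azure-partner", "gcp-api"),
]


def reverse_graph(edges):
    """Map each dependency to the consumers that rely on it directly."""
    rev = defaultdict(set)
    for consumer, dependency in edges:
        rev[dependency].add(consumer)
    return rev


def blast_radius(node, rev):
    """Every node that transitively depends on `node` (BFS over reverse edges)."""
    seen, queue = set(), deque([node])
    while queue:
        cur = queue.popleft()
        for consumer in rev.get(cur, ()):
            if consumer not in seen:
                seen.add(consumer)
                queue.append(consumer)
    return seen


def hidden_spofs(nodes, edges):
    """Return {node: sorted providers it can take down} for each node that has no
    HA peer and whose transitive dependents live in another provider."""
    rev = reverse_graph(edges)
    group_size = defaultdict(int)
    for meta in nodes.values():
        group_size[meta["ha_group"]] += 1
    result = {}
    for node, meta in nodes.items():
        if group_size[meta["ha_group"]] > 1:
            continue  # redundant within its HA group; not a single point of failure
        affected = {nodes[c]["provider"] for c in blast_radius(node, rev)}
        if affected - {meta["provider"]}:
            result[node] = sorted(affected)
    return result


if __name__ == "__main__":
    for node, providers in hidden_spofs(NODES, DEPENDS_ON).items():
        print(f"{node}: failure reaches {', '.join(providers)}")
```

Run against the constructed inventory this surfaces aws-iam-cert and s3-config-bucket as AWS-hosted nodes whose failure reaches GCP and Azure workloads, while the cross-provider DNS pair is correctly left alone. The point is less the algorithm than the inventory: the edges have to come from somewhere (IAM policies, bucket policies, config endpoints, DNS records), and the post's outage is a case where one of those edges had never been recorded.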