Today, ControlMonkey is proud to announce the launch of the IaC Risk Index.
The IaC Risk Index transforms the dialogue surrounding cloud security between DevOps and Security teams by highlighting the security discrepancies between infrastructure deployment and cloud-related risks. It provides a comprehensive perspective that correlates Terraform coverage with security vulnerabilities, enabling teams to identify weaknesses, comprehend their origins, and implement measures for remediation.
Introducing the IaC Risk Index
The IaC Risk Index enhances cloud security by providing clarity and control in five key aspects:
IaC-Aware Risk Scoring
A color-coded benchmark that helps teams assess risk posture by environment. In production, green is the goal—anything less is exposure:
- 🔴 Red (<50% coverage): High risk. Most infrastructure is unmanaged.
- 🟠 Orange (50–80%): Medium risk. Some governance, but critical gaps remain.
- 🟡 Yellow (80–90%): Low risk. Strong coverage, not yet complete.
- 🟢 Green (90–100%): Full control. Infrastructure is governed by code, policy, and pipeline.
Vulnerability Mapping by Delivery Method
See whether a vulnerable resource was created manually, drifted from code, or fully governed:
- Unmanaged: ControlMonkey imports the resource into Terraform, remediates with a secure-by-default fix, and enforces governance policies.
- Managed but Drifted: Drift is resolved first, then an IaC-based security patch is applied with proactive policies.
- Managed and In-Sync: ControlMonkey patches directly in Terraform and ensures compliance is maintained.
Coverage Gap Detection
Instantly identify which resources fall outside Terraform governance—and why.
One-Click Remediation
Import unmanaged resources, generate compliant code, and resolve risk at the source.
Shared Dashboard for Cloud & Security
Align both teams around a single, real-time view of infrastructure coverage and risk exposure.

What’s Behind the IaC Risk Index
“We found that unmanaged infrastructure, resources not governed by Terraform or delivered through a secure pipeline, carries up to 2x the security risk of governed resources,” said Aharon Twizer, CEO and co-founder of ControlMonkey.
“And yet, most enterprises can’t answer a basic question: What percentage of our infrastructure is governed by code? Our research shows actual coverage is typically 30–40% lower than teams assume—highlighting significant hidden risk.”
IaC Risk Index from a CISO Perspective
“More IaC coverage means fewer security issues – period,” said Rapyd CISO Nir Rothenberg. “What stood out with ControlMonkey was how easy it became to do things the right, modern way. When infrastructure and security teams can finally collaborate by design, that’s when security actually works.”

What’s in It for Me? Why look into Cloud Risk Now?
The IaC Risk Index empowers cloud and security leaders to:
- Improve visibility into unmanaged or drifted infrastructure
- Reduce risk by exposing vulnerabilities at their origin – delivery
- Strengthen IaC alignment with secure-by-default remediation
- Scale confidently with a governance model that’s measurable and proactive
Explore the IaC Risk Index today
The IaC Risk Index is available now to all ControlMonkey customers at no additional cost.
New to ControlMonkey? Access an IaC Risk Assessment as part of our onboarding and discovery process. Learn more and request a meeting.

FAQs
It provides visibility into IaC coverage gaps, correlates those gaps with active security vulnerabilities, and guides precise, state-aware remediation. This enables security and DevOps teams to reduce risk before it reaches production.
Also supports OpenTofu, Terragrunt, and CloudFormation.
The IaC Risk Index is available to all ControlMonkey customers at no additional cost. New users can also access it as part of a free IaC Risk Assessment during onboarding.