Whocan · private beta

IAM controls your cloud. Who controls IAM?

Ask your cloud
who can
access your data.

One Whocan query. Every principal that can actually perform the action — evaluated through every policy layer, every condition, every role chain.

See plans →

15-min deploy · Read-only access · No agents

All policy layers

SCP · RCP · boundary · identity · resource · condition

Deep condition keys

MFA · IP · VPC · tags · encryption context

Up-to-date catalog

New service actions are indexed the same day they ship

whocan — query console
412ms
5 principals matched · scanned 3,184 principals · 6 layers

who-can() factors in SCPs, RCPs, identity policies, permission boundaries, resource policies and 50+ conditions — the answer your cloud would give.

§ 01 — The problem

Five documented public breaches. Each began as a permission that was already in place.

IAM is the only
control plane
nobody can audit.

6

policy layers, silently interacting

SCPs, RCPs, identity policies, permission boundaries, resource policies, and session conditions. The effective permission is whatever survives every layer: an explicit deny anywhere wins, the SCP chain must allow at every OU level for the caller and the RCP chain at every level for the resource, and only then does an identity grant (inside its boundary) or a resource grant count, with the cross-account case needing both. Nobody can audit that intersection by hand across thousands of principals.

catalog shifting under you

AWS releases new actions every week. Each one is a potential escalation vector that an existing service:* wildcard in your policies silently matches. Benchmarks catch up weeks later.

0

humans who can audit the result

Shadow admins, cross-env leaks, open trust policies, and privilege-escalation chains accumulate silently. Alerts push noise — nobody ever gets to pull the truth.

§ 02 — How it works

Whocan returns the same authorization answer your cloud would — not a rule-pack approximation.

Four pillars.
One answer — the real one.

/ 01

Entitlements

The map of risky permissions — already there.

Every permission a principal could exploit — assume-role chains, pass-role paths, escalation sequences, multi-hop cross-account access — laid out as a browsable graph, kept current with new attack patterns. The terrain of risk, ready before you ask.

iam-admin · credentials-access · privilege-escalation · domain-takeover
users where
  self.Entitlements.Abilities
  includes "iam-admin"

/ 02

Data perimeter

Your data can’t leave through the seams.

Validates resource policies, cross-account trust, and condition gaps against your intended perimeter — continuously, not on the quarter.

Cross-env isolation · MFA enforcement · External access
who-can(
  action: "s3:GetObject"
  resource: prod-buckets
)

/ 03

Who can?

The runtime proof.

The map shows what could go wrong. Whocan proves what would. Given an action, a resource, and the context you supply, which principals actually can — factored through every policy layer and every condition, deterministically, not heuristically.

env: · always-ok · vars: · among:
who-can(
  action: "kms:Decrypt"
  resource: var:prod-kms
)

/ 04

Full decision chain

Every layer, every condition, the way AWS does it.

SCPs at every OU level. RCPs. Permission boundaries. Resource policies. 50+ condition keys — MFA, IP, VPC, tags, time, encryption context. When Whocan says allowed, AWS agrees.

SCPs · RCPs · Boundaries · Conditions
env: {
  "aws:mfa": "true",
  "aws:vpce": "vpce-abc"
}

the promise

When Whocan says allowed, AWS agrees.
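To make the layer interaction that pillars 02 and 04 describe concrete, here is a small Python model of the decision order. It is an added example, not Whocan's engine and not AWS's reference implementation: the accounts, ARNs, OUs, org ids, bucket and policies are constructed, and it models only the Bool, StringEquals and StringNotEquals operators (no NotAction, IfExists, session policies or VPC endpoint policies). It uses the real global condition key names aws:MultiFactorAuthPresent, aws:SourceVpce and aws:PrincipalOrgID where the console mock above writes the shorthand aws:mfa and aws:vpce.

```python
# Toy model of the AWS authorization chain (SCPs, RCPs, boundary, identity, resource
# policy, conditions). Added example, not Whocan's engine; all ARNs, accounts, OUs,
# org ids and policies are constructed.
from fnmatch import fnmatch
aslist = lambda v: v if isinstance(v, list) else [v]   # IAM lets most elements be str or list

def cond_holds(cond, ctx):
    """Condition block vs. request context; a key absent from ctx fails positive operators and satisfies negated ones, as in IAM."""
    for op, kv in (cond or {}).items():
        for key, want in kv.items():
            wants, have = [str(w) for w in aslist(want)], ctx.get(key)
            if op == "Bool":
                ok = have is not None and str(have).lower() == wants[0].lower()
            elif op == "StringEquals":
                ok = have is not None and str(have) in wants
            elif op == "StringNotEquals":
                ok = have is None or str(have) not in wants
            else:
                raise ValueError(f"toy evaluator does not model {op}")
            if not ok:
                return False
    return True

def decide(policy, action, resource, ctx, principal=None):
    """One policy document -> 'Deny' (an explicit deny matched), 'Allow', or None."""
    result = None
    for s in policy["Statement"]:
        if "Principal" in s:                                   # resource-policy statements
            p = s["Principal"]
            if not any(x in ("*", principal) for x in aslist(p.get("AWS", []) if isinstance(p, dict) else p)):
                continue
        if not (any(fnmatch(action, a) for a in aslist(s["Action"]))
                and any(fnmatch(resource, r) for r in aslist(s.get("Resource", "*")))
                and cond_holds(s.get("Condition"), ctx)):
            continue
        if s["Effect"] == "Deny":
            return "Deny"
        result = "Allow"
    return result

def chain_allows(policies_by_ou, ou_path, action, resource, ctx):
    """SCP/RCP inheritance: every level from the root down needs an Allow and no Deny."""
    for ou in ou_path:
        votes = [decide(p, action, resource, ctx) for p in policies_by_ou.get(ou, [])]
        if "Deny" in votes or "Allow" not in votes:
            return False
    return True

def who_can(action, resource, env):
    """Principals that can perform action on resource under request context env."""
    allowed = []
    for arn, p in PRINCIPALS.items():
        ctx = {**env, "aws:PrincipalOrgID": p["org"]}          # caller-derived context key
        if not chain_allows(SCPS, p["ou_path"], action, resource, ctx):
            continue                                            # SCPs bind the caller's own org
        if not chain_allows(RCPS, RESOURCE["ou_path"], action, resource, ctx):
            continue                                            # RCPs bind everyone touching the resource
        ident = decide(p["identity"], action, resource, ctx)
        bound = decide(p["boundary"], action, resource, ctx) if "boundary" in p else "Allow"
        res = decide(RESOURCE["policy"], action, resource, ctx, principal=arn)
        if "Deny" in (ident, bound, res):
            continue                                            # explicit deny anywhere wins
        via_identity = ident == "Allow" and bound == "Allow"    # boundary caps identity grants only
        ok = (via_identity or res == "Allow") if p["account"] == RESOURCE["account"] \
            else (via_identity and res == "Allow")              # same account: either; cross: both
        if ok:
            allowed.append(arn)
    return sorted(allowed)

def allow(action, resource, cond=None):
    s = {"Effect": "Allow", "Action": action, "Resource": resource}
    return {"Statement": [dict(s, Condition=cond) if cond else s]}

FULL = allow("*", "*")                       # the FullAWSAccess / RCPFullAWSAccess defaults
BUCKET = "arn:aws:s3:::prod-data/*"
NOT_VIA_VPCE = {"StringNotEquals": {"aws:SourceVpce": "vpce-abc"}}
SCPS = {"root": [FULL], "vendor-root": [FULL],   # vendor-root: the vendor's own organization
        "prod": [FULL, {"Statement": [{"Effect": "Deny", "Action": "s3:GetObject",
                                       "Resource": BUCKET, "Condition": NOT_VIA_VPCE}]}]}
RCPS = {"root": [FULL],                           # outsiders may read prod data only via the endpoint
        "prod": [FULL, {"Statement": [{"Effect": "Deny", "Action": "s3:GetObject", "Resource": BUCKET,
                 "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": "o-home",
                                                   "aws:SourceVpce": "vpce-abc"}}}]}]}
RESOURCE = {"account": "111111111111", "ou_path": ["root", "prod"],
            "policy": {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET,
                       "Principal": {"AWS": "arn:aws:iam::222222222222:role/vendor"}}]}}
HOME = {"account": "111111111111", "org": "o-home", "ou_path": ["root", "prod"]}
VENDOR = {"account": "222222222222", "org": "o-vendor", "ou_path": ["vendor-root"]}
PRINCIPALS = {
    "arn:aws:iam::111111111111:role/ops-oncall": dict(HOME, identity=allow(
        "s3:*", BUCKET, {"Bool": {"aws:MultiFactorAuthPresent": "true"}})),    # MFA-gated
    "arn:aws:iam::111111111111:user/alice": dict(HOME, identity=allow("s3:GetObject", "*"),
        boundary=allow("s3:ListBucket", "*")),                                  # boundary caps her
    "arn:aws:iam::111111111111:role/ci-deployer": dict(HOME, identity=allow("s3:GetObject", BUCKET)),
    "arn:aws:iam::222222222222:role/vendor": dict(VENDOR, identity=allow("s3:GetObject", BUCKET)),
    "arn:aws:iam::222222222222:role/vendor-other": dict(VENDOR, identity=allow("s3:GetObject", BUCKET)),
}   # the bucket policy names role/vendor but not role/vendor-other

if __name__ == "__main__":                    # demo: full context, endpoint only, no context
    for env in ({"aws:MultiFactorAuthPresent": "true", "aws:SourceVpce": "vpce-abc"}, {"aws:SourceVpce": "vpce-abc"}, {}):
        print(env, "->", who_can("s3:GetObject", "arn:aws:s3:::prod-data/secret.csv", env))
```

The same question gets three different answers depending on the context you supply. With MFA and the VPC endpoint, ci-deployer, ops-oncall and the vendor role can read. From the endpoint without MFA, ops-oncall drops out. With no context at all nobody can: the SCP fences the organization's own principals, and the RCP fences the outside vendor that the bucket policy invited in, which an SCP alone could never do. alice never appears: her identity policy says yes, her permission boundary does not, and the bucket policy does not name her.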

§ 03 — Watch the critical

Most tools scan all your assets and drown you in findings. Whocan inverts it: pick the assets that matter, and watch the paths to them.

Guard the crown jewels.
Ignore the noise.

/ 01 · One query

Put a watch on the asset that matters.

One watch who-can(...) around your critical server. That’s the whole setup. No rule packs, no asset inventory project, no severity triage backlog.

/ 02 · The graph, diffed

Whocan re-evaluates the paths on your cadence.

Policy edits, new roles, new cloud services — drift never stops. Daily, or triggered by your CI’s webhook on any change, the graph around your asset is recomputed and diffed against the last run.

/ 03 · Only new paths surface

A new link appears. The next diff tells you.

Known, reviewed paths stay quiet. When a new path to your critical asset shows up — even an indirect one, three hops through a Lambda someone can rewrite and invoke — it surfaces with the full chain that allows it.

whocan — continuous watch
WATCHING
watch who-can(
  action: "*",
  resource: var:vault-prod // the one server that matters
) diff: daily
14,200 other assets: not your problem today

vault-prod · CRITICAL
  ← role/ops-oncall      break-glass · reviewed
  ← user/alice           MFA-gated · reviewed
  ← role/ci-deployer     scoped · reviewed
  ← user/ops-test-prod   lambda:UpdateFunctionCode + lambda:InvokeFunction → λ fn/data-export → runs as → role/lambda-exec → s3:GetObject   NEW PATH · 2h ago

● 3 paths known & reviewed · 1 new since yesterday, unreviewed · inspect the chain →
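The recompute-and-diff loop described above, as an added example in Python. It is not Whocan's implementation: the access graph is constructed to mirror the mock (a few direct grants on the vault, a Lambda that runs as a role with s3:GetObject, and one new permission on a test user), and in practice the path set from the last run would be persisted rather than rebuilt from yesterday's edges.

```python
# Path recomputation and diff for a watched asset. Added example, not Whocan's
# implementation; the access graph below is constructed to mirror the mock above.
from collections import defaultdict

TARGET = "bucket/vault-prod"
# Edge = (node, node it can reach, the permission or relationship that makes the hop).
EDGES_YESTERDAY = [
    ("role/ops-oncall", TARGET, "s3:* (break-glass)"),
    ("user/alice", TARGET, "s3:GetObject (MFA-gated)"),
    ("role/ci-deployer", TARGET, "s3:PutObject (scoped)"),
    ("role/lambda-exec", TARGET, "s3:GetObject"),
    ("fn/data-export", "role/lambda-exec", "runs as"),
]
# Today's graph: one new permission on a test user, nothing else changed.
EDGES_TODAY = EDGES_YESTERDAY + [
    ("user/ops-test-prod", "fn/data-export", "lambda:UpdateFunctionCode + lambda:InvokeFunction"),
]

def is_principal(node):
    return node.startswith(("user/", "role/"))

def find_paths(edges, target, max_hops=5):
    """Every simple path from a principal to target, as a tuple of (src, via, dst) hops.
    Hashable tuples make two runs diffable with plain set arithmetic."""
    out = defaultdict(list)
    for src, dst, via in edges:
        out[src].append((dst, via))
    found = set()

    def walk(node, hops, seen):
        if node == target:
            found.add(tuple(hops))
            return
        if len(hops) < max_hops:                  # bound the search on cyclic graphs
            for dst, via in out[node]:
                if dst not in seen:
                    walk(dst, hops + [(node, via, dst)], seen | {dst})

    for start in sorted(out):
        if is_principal(start):
            walk(start, [], {start})
    return found

def diff_paths(previous, current):
    """(new paths, removed paths) between two runs; reviewed paths stay quiet."""
    return sorted(current - previous), sorted(previous - current)

def render(path):
    """user/x -[perm]-> node -[perm]-> target, the full chain that allows the access."""
    return path[0][0] + "".join(f" -[{via}]-> {dst}" for _, via, dst in path)

if __name__ == "__main__":
    known = find_paths(EDGES_YESTERDAY, TARGET)   # in practice: the persisted last run
    new, gone = diff_paths(known, find_paths(EDGES_TODAY, TARGET))
    print(f"{len(known)} paths known & reviewed, {len(new)} new, {len(gone)} removed")
    for p in new:
        print("NEW PATH:", render(p))
```

Only the three-hop chain through the rewritable Lambda surfaces; the four paths that were already present yesterday are not repeated. Hooked to a daily schedule or a CI webhook, the diff is the alert: no finding, no severity, just the new chain to the one asset you chose to watch.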

§ 04 — Inside the product

Four screens from the app. Each answers a question a human would actually ask.

See the answer
before you ask.

§ 05 — Impact

Cut access review time, reduce cost, and reveal invisible risks.

From weeks
to minutes.

Traditional Access Review

  • Export IAM policies to spreadsheets
  • Manually trace assume-role chains
  • Cross-reference SCPs with identity policies
  • Repeat for each account
  • 2–4 weeks per review cycle

With Whocan

  • Run one RQL query
  • Automatic transitive access graph
  • Full chain evaluation
  • All accounts in one query
  • Minutes
  • Quarterly access review: weeks → hours with Whocan
  • Certification evidence: days → pre-built queries, instant export
  • Incident blast radius: hours → a single who-can query
  • Vendor access assessment: days → minutes with virtual roles

§ 06 — Where Whocan fits

Most teams already run a posture tool. Whocan answers a different kind of question — the one a human would actually ask.

Alerts find
what might be wrong.
Whocan answers what’s possible.

Conventional posture tools

Push thousands of alerts based on someone else’s rules.

  • Pre-compute findings at ingest, against a fixed rule pack.
  • Report what policy text looks dangerous — not what can actually happen.
  • Update their rule library weeks after new cloud actions ship.
  • Generate volume. You spend the quarter triaging low-signal alerts.

Whocan

Pulls the exact answer you asked for — noise-free by design.

  • Evaluate against the full decision chain your cloud would run, with the parameters you supply.
  • Answer concrete questions: who can, from where, under which conditions.
  • Track the cloud action catalog daily — new vectors appear in results, not in a roadmap.
  • Zero noise by architecture: you only see the principals your query returned.

Capability matrix

conventional posture tools vs. Whocan

#  | Capability                                        | Conventional posture tools | Whocan
01 | Evaluation model                                  | Static, pre-computed       | Query-driven
02 | Full authorization chain                          | Partial or skipped         | All resolved
03 | Transitive role chains & cross-account paths      | Not traced                 | Full graph
04 | Condition evaluation (MFA, IP, VPC, tags)         | Limited                    | 50+ keys, resolved
05 | Data-plane ABAC (object tags, encryption context) | Reports “conditional”      | Resolved via env
06 | Query language for access questions               | Not available              | RQL
07 | Continuous monitoring on any question             | Vendor-defined only        | Any saved query
08 | Latency on new cloud actions                      | Weeks to months            | Daily
09 | Privilege-escalation detection                    | Static checklist           | Dynamic, graph-based
10 | Operating model                                   | Push alerts                | Pull answers

We’re not trying to win a feature checklist. These are the gaps our customers tell us they felt with whatever they had — and why they keep Whocan alongside it.

Integrations

Fits Into Your Workflow

API-first design, CI/CD integration, and multi-cloud support. Whocan meets you where you are.

REST API

Programmatic access with API tokens. Run queries, retrieve results, and automate security workflows.

Webhooks

Trigger Whocan project updates from your CI/CD pipeline on every infrastructure change.

Multi-Cloud

AWS today — Azure and GCP on the roadmap. One IAM model across cloud providers.

SSO / OIDC

Enterprise single sign-on with SAML or OIDC. Integrate with your identity provider.

Webhook-triggered updates

# GitHub Actions — trigger Whocan update after Terraform apply.
# PROJECT_ID and WHOCAN_TOKEN are repository secrets; -sSf makes the step fail
# if the API rejects the call instead of reporting success on an HTTP error.
- name: Update Whocan
  run: |
    curl -sSf -X POST "https://api.whocan.cloud/v1/projects/${{ secrets.PROJECT_ID }}/update" \
      -H "Authorization: Bearer ${{ secrets.WHOCAN_TOKEN }}"

Pre-built compliance queries

GDPR · NIS2 · DORA · ISO 27001 · SOC 2

§ — Pricing

We’re in private beta, onboarding design partners 1:1. Join the waiting list and we’ll find the right plan together.

Simple now.
Self-serve later.

Check

Startups & small teams

from $200/month
  • Up to 10 accounts (AWS)
  • IAM dashboard
  • Query editor + RQL
  • 50+ query templates
  • Limited monitor queries
  • Weekly catalog updates

Pro

Best coverage

High-security & regulated teams

Custom
  • Up to 50 accounts (AWS)
  • Everything in Check
  • Continuous analysis
  • Alarms & notifications
  • Virtual Roles
  • Daily catalog updates
  • AI Assistant
  • Custom reports

Free

Q4 2026

Single-account, self-serve

$0 · coming Q4 2026
  • Single account (AWS)
  • Query editor + RQL
  • All 50+ query templates
  • Community support
  • Launching Q4 2026
Enterprise: Unlimited accounts · SSO (SAML/OIDC) · BYO LLM · Self-host · Data-perimeter control · Tier-1 support
Talk to sales →