
Visibility to Explainability: Protecting All Elements of Cloud

By Dan Raywood | May 1, 2025 | 5 Mins Read

ARMO CEO Shauli Rozen talks to Dan Raywood about why cloud security needs existing technologies to be connected for better understanding of threats and alerts. 

“Cloud security is a top priority for every executive at large technology companies I speak with,” says Shauli Rozen, CEO and co-founder of ARMO. The current challenge is overcoming gaps in visibility. 

In March, ARMO debuted its Cloud Application Detection and Response (CADR) platform. According to Rozen, too many organizations still rely on “very basic detection and response” in the cloud, which results in fragmented data sets and limited insight. 

Rozen explains that although Cloud Detection and Response (CDR), Endpoint Detection and Response (EDR), and the emerging Application Detection and Response (ADR) all existed, these solutions operated in silos. The market needed a way to connect all these capabilities into a unified platform. 

Attackers do not care whether a company’s security tools are focused on applications, cloud infrastructure, or Kubernetes—they are not limited by internal silos. They exploit vulnerabilities wherever they find them and move laterally across environments.  

Fragmented security measures create gaps that attackers can exploit, so a unified, integrated approach is essential to defend against modern threats. 

Multiple products generating different alerts lead to overload. Businesses need a more concise platform. The purpose of CADR is to connect cloud and application security, giving security teams a single story in a unified timeline. That’s the maturity level companies are reaching now.

Cloud Attack Surface 

The CADR concept is to minimize the cloud attack surface and detect and respond to both unknown and known cyberattacks, while ensuring business continuity. Rozen says it is the first runtime security solution to provide a holistic view of a threat, linking high-level cloud activity to suspicious application-level behaviors and providing detailed visibility into compromised application functions and APIs. 

CADR leverages Kubescape’s eBPF-based runtime sensor to establish baseline application behavior patterns. This open-source element is continuously enriched with contextual data from Kubernetes events, cloud infrastructure, and container metrics. 

Rozen emphasizes the importance of correlating all findings from open source to provide a single story, explainability, and prevention policies. 

A Safe Environment 

A decade ago, the conversation was about whether the cloud was secure enough for sensitive data. By 2025, with the rise of Software and Security as a Service, that mindset has shifted. 

Rozen attributes the belief in secure clouds to the introduction of Cloud Security Posture Management (CSPM), which focused on vulnerability and misconfiguration scanning. “It was a quick way to understand everything happening in your cloud and assess risk,” he says. 

The next stage is understanding not just posture, but also what is running, how it’s running, and what threats exist—then detecting and responding to them. 

“So businesses took care of the basic need of scanning, and are now looking into the next level: protecting, preventing, putting policies in place, and securing cloud environments against attackers. It’s a matter of maturity.” 

Rozen notes that while attitudes to cloud security are changing, so are attackers. They increasingly target cloud workloads, and while major cloud breaches have been rare, awareness is growing. 

“Honestly, people were not scared enough. Now, they’re starting to realize this is super important and an incident could happen any day. Many CISOs I speak with still say the cloud isn’t a big risk, but that’s changing rapidly, with more CISOs asking how to actively protect these environments.” 

Explainability of Visibility 

One of the key challenges of cloud security has been visibility. If the concept of ‘deperimeterization’ is about using services outside of the network, is understanding it one of the problems? According to the Cloud Security Alliance, in order to strengthen cloud security and minimize risks, organizations should take a proactive approach to visibility, monitoring, and policy enforcement.

The CSA claims that cloud visibility is achieved “with a top-down approach, led by a cloud security architect integrating people, processes, and technology.” This is a lot of work in implementation, management, and maintenance.

Rozen suggests a different approach centered on explainability. He believes that “explainability is the new visibility.” In his view, today’s systems generate so many alerts that they overwhelm users with too much information. When there’s too much data coming in at once, the important details often get buried and overlooked, making it feel like there’s no useful visibility at all.  

Alerts are critical because they serve as early warnings about potential problems, such as security threats, system failures, or other important events. They help entities respond quickly and effectively to issues before they escalate. However, when there are too many alerts, many of them false alarms or low-priority notifications, it becomes harder to spot the ones that matter.  

Companies can have the best visibility in the world, with a dashboard of every system call, every network call, everything that every application is doing, but they will get nothing out of it, he says.   

Instead of spending hours investigating false positives, explainability makes it clear when an alert is relevant. 

Come with the Problem 

From a user perspective, Rozen says customers often seek ARMO’s help to better understand incidents in their environment and gain more explainability. 

“They get all kinds of alerts, but they need to prioritize them. When we show them the value of our detection rate, that’s where we can advise them and build partnerships.” 

With the cloud visibility space now valued in the billions, especially after Google’s acquisition of Wiz, ARMO believes it offers a strong solution to a pressing problem. 

Dan Raywood is a cybersecurity journalist who has written for several leading publications and appeared regularly on TV and radio over the past 17 years. He has also spoken at industry events including 44CON, Irisscon and Infosecurity Europe, and has worked as both an analyst and a product marketing lead for a major vendor.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
