The Macro: Cloud Security Is a Visibility Problem Before It Is a Security Problem
The average enterprise runs workloads across multiple cloud providers, a handful of SaaS tools, and probably some on-prem infrastructure that nobody wants to talk about in planning meetings. Each of those environments has its own identity system, its own permissions model, its own way of logging who did what and when. The result is that most security teams cannot answer a basic question: what do we have, and who can access it?
This is not a hypothetical problem. Cloud misconfigurations were responsible for a significant share of data breaches in recent years. Not sophisticated zero-days, not nation-state attackers. Misconfigured S3 buckets, overly permissive IAM roles, forgotten service accounts with admin privileges. The breaches that make headlines are usually the ones that should have been the easiest to prevent.
Wiz built a $32 billion company (before acquisition) largely by giving security teams a visual map of their cloud environment and highlighting the risky parts. That validated the core insight: you cannot secure what you cannot see. The problem with Wiz, and with Palo Alto’s Prisma Cloud and Orca Security and the other major players, is that they are all proprietary black boxes. You send them your cloud credentials, they scan everything, they show you a dashboard. What happens inside the box stays inside the box.
For security teams that care about understanding their own infrastructure rather than just renting someone else’s understanding of it, that is a real limitation. Open-source tooling in this space has been growing for exactly this reason.
The Micro: Cartography With a Business Model
SubImage is built on top of Cartography, an open-source infrastructure mapping tool originally created at Lyft. Cartography connects to your cloud providers via read-only API access, pulls in data about every asset, permission, and relationship, and builds a graph database you can query. It has been used by security teams at major companies for years. The problem is that running Cartography well requires meaningful engineering investment. You need to deploy it, maintain it, tune it, and build your own detection rules on top of it.
Alex Chantavy and Kunaal Sikka are the original creators of Cartography, and they founded SubImage to turn that open-source project into a managed product. That lineage is important. They are not building on someone else’s open-source project. They built the project. They know where the edges are, what breaks at scale, and what security teams actually need that the raw tool does not provide out of the box.
The team also includes people from Anthropic, Lyft, NSA, and Microsoft, which is the kind of resume stack that makes enterprise security buyers feel comfortable. Coming through YC’s Winter 2025 batch added a different kind of credibility.
SubImage integrates with over 50 platforms: AWS, Azure, GCP, Okta, GitHub, and a long tail of SaaS tools. The deployment is agentless, meaning you give it read-only API access rather than installing anything in your environment. That is a meaningful selling point for security teams that are (understandably) paranoid about adding new software to their infrastructure.
The product surfaces CVE vulnerabilities with context, identifies misconfigurations using AI-generated rules, maps attack paths through graph analysis, and audits IAM permissions. The attack path visualization is probably the most compelling feature because it answers the question security teams actually care about: “If this one thing gets compromised, what else can the attacker reach?”
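The blast-radius question above is a graph reachability problem, which is why a tool like Cartography stores assets and permissions as a graph in the first place. The following is an added illustration, not SubImage's or Cartography's own code or schema: it builds a small constructed asset graph (identities, roles, buckets, a database, with edges for role assumption and data access) and answers both directions of the question, plus a simple ranking of which role most attack paths funnel through.

```python
from collections import defaultdict, deque

# Constructed sample graph (not Cartography's real schema): each edge means the
# holder of `src` can traverse `rel` to gain `dst`. Read-only inventory data is
# enough to build this; the attacker's view is just reachability over it.
EDGES = [
    ("alice@example.com", "CAN_ASSUME", "dev-role"),
    ("intern@example.com", "CAN_ASSUME", "dev-role"),
    ("dev-role", "CAN_ASSUME", "deploy-role"),   # over-broad trust policy
    ("ci-runner", "CAN_ASSUME", "deploy-role"),
    ("deploy-role", "CAN_READ", "customer-data-bucket"),
    ("deploy-role", "CAN_ADMIN", "prod-db"),
    ("bob@example.com", "CAN_ASSUME", "audit-role"),
    ("audit-role", "CAN_READ", "audit-logs-bucket"),
]
SENSITIVE = {"customer-data-bucket", "prod-db"}

def build_graph(edges):
    fwd, rev = defaultdict(list), defaultdict(list)
    for src, rel, dst in edges:
        fwd[src].append((rel, dst))
        rev[dst].append((rel, src))
    return fwd, rev

def reachable_from(start, adj):
    """BFS returning every node reachable from `start` with a shortest path."""
    paths, queue = {start: [start]}, deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in adj.get(node, ()):
            if nxt not in paths:
                paths[nxt] = paths[node] + [f"-{rel}->", nxt]
                queue.append(nxt)
    return paths

def blast_radius(start, edges=EDGES, sensitive=SENSITIVE):
    """'If `start` is compromised, which sensitive assets become reachable?'"""
    fwd, _ = build_graph(edges)
    paths = reachable_from(start, fwd)
    return {a: " ".join(paths[a]) for a in sorted(sensitive) if a in paths and a != start}

def who_can_reach(asset, edges=EDGES):
    """Inverse question: which principals and roles have a path to `asset`?"""
    _, rev = build_graph(edges)
    return sorted(n for n in reachable_from(asset, rev) if n != asset)

def rank_choke_points(edges=EDGES, sensitive=SENSITIVE):
    """Score = sensitive assets a node exposes x identities that can reach it;
    the top entry is the role most attack paths funnel through (fix it first)."""
    nodes = {n for e in edges for n in (e[0], e[2])}
    scores = {n: len(blast_radius(n, edges, sensitive)) * len(who_can_reach(n, edges))
              for n in nodes}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
```

Running `blast_radius("intern@example.com")` shows the intern reaching `prod-db` via the dev-role to deploy-role trust edge, and `rank_choke_points()` puts `deploy-role` first, which is the single relationship whose tightening removes the most paths.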
Pricing is not listed publicly, which is standard for enterprise security tools that sell through demos and sales calls.
The Verdict
I think SubImage has one of the clearest founder-market fits I have seen in a while. Building the managed version of your own widely-used open-source project is a playbook that works. Elastic did it. HashiCorp did it. Confluent did it. The pattern is proven, and the fact that Chantavy and Sikka are the original Cartography creators gives them technical credibility that no competitor can replicate.
The challenge is competing against Wiz’s distribution machine, even post-acquisition. Wiz has thousands of enterprise customers and a sales team that knows how to close seven-figure deals. SubImage’s counter-positioning as the open-core alternative is smart because it appeals to the segment of the market that distrusts vendor lock-in, and that segment is large enough to build a real business on.
In 30 days, I would want to see how many Cartography users convert to the managed product. In 60 days, the question is whether the AI-generated detection rules are actually better than the hand-written ones that teams build themselves. In 90 days, I would want to know if any customer has replaced Wiz or Orca with SubImage. That first displacement deal would be a strong signal. The open-source foundation is a real moat, and the team knows the domain cold. This is one to watch.