Secrets & Exposure Scanning

NuboVault

68 checks across 12 AWS services. Hardcoded API keys, private keys sitting in S3, passwords in Lambda env vars, credentials in user data — found, flagged, and remediated before an attacker finds them first.


Read-only access only. We never touch your infrastructure.

68 checks run · 32 critical findings · 12 AWS services · <5m scan duration

What we scan

Every place a secret can hide.

Most breaches start with an exposed credential. NuboVault finds them across every AWS service before an attacker does.

Lambda & ECS: Env var secrets
  • Hardcoded passwords & API keys
  • Stripe, Twilio, SendGrid live keys
  • JWT secrets & auth tokens
  • Suspicious variable names
  • Deprecated runtimes

S3 Buckets: File & content scanning
  • .env files with live credentials
  • Private keys (.pem, id_rsa, .p12)
  • terraform.tfstate (infrastructure secrets)
  • AWS credentials files
  • Database dumps & kubeconfigs
  • Config files with embedded secrets

EC2 & User Data: Instance secret scanning
  • Credentials in user data scripts
  • AWS keys bootstrapped at launch
  • Sensitive data in instance tags
  • Instances running 180+ days
  • Database connection strings

SSM & Secrets Manager: Secret store hygiene
  • SSM String params that should be SecureString
  • Secret values scanned for patterns
  • Secrets with no rotation configured
  • Secrets not rotated in 90+ days
  • Orphaned secrets (unused 90+ days)
  • No resource policy (over-accessible)

CodeBuild & CloudFormation: Build & infra secrets
  • Plaintext env vars in build projects
  • CFN parameters without NoEcho
  • Secrets in stack outputs
  • Build logs exposing credentials
  • Stacks in ROLLBACK state

Advisory Checks: Not harmful, not standard
  • No AWS Budgets configured
  • Orphaned SNS topics
  • Log groups with no retention
  • No IAM Identity Center (SSO)
  • Single-account AWS setup
  • Expiring ACM certificates

25+ secret pattern types detected

We scan file contents against patterns for AWS keys, GitHub tokens, Stripe, Twilio, SendGrid, Slack, MongoDB, PostgreSQL, MySQL, Redis, JWT, private keys, PGP keys, and more.

AWS Keys · GitHub Tokens · Stripe Live Keys · Slack Tokens · Private Keys · JWT Secrets · DB Connections · Twilio · SendGrid · Terraform State · Kubeconfigs · PGP Keys

Case study

68 findings. 32 CRITICAL. Under 5 minutes.

Here's exactly what NuboVault found on a live AWS account in a single scan.

NuboVault v1.0 — Audit Report

⚠ Critical — 32 findings
  • Lambda · Stripe live key in env var · CRITICAL
  • Lambda · GitHub token in env var · CRITICAL
  • S3 · .env file with AWS keys + DB password · CRITICAL
  • S3 · terraform.tfstate with credentials · CRITICAL
  • S3 · id_rsa private key in bucket · CRITICAL
  • EC2 · AWS keys + DB password in user data · CRITICAL

High — 23 · Medium — 7 · Advisory — 6
  • SSM · 5 secrets stored as plaintext String · HIGH
  • CloudFormation · DB password without NoEcho · HIGH
  • Lambda · Deprecated Python 3.8 runtime · ADVISORY

Total findings: 68 findings · 12 services · <5 minutes

A Stripe live key was found in a Lambda environment variable. Anyone with AWS console access to that function — or any IAM user with lambda:GetFunction — could have been charging cards or accessing customer payment data.

A terraform.tfstate file was sitting in a public-readable S3 bucket. That file contained database credentials, API keys, and infrastructure passwords for the entire production environment.

Pricing

Transparent pricing

One-off Audit
Full 68-check scan across 12 services with prioritised report.
£600 one time
  • 68 checks across 12 services
  • CRITICAL / HIGH / MEDIUM / ADVISORY
  • File content scanning for 25+ patterns
  • Exact remediation per finding
  • 48 hour turnaround

Monthly Retainer (most popular)
Continuous scanning — catch new secrets the moment they appear.
£450/month
  • Everything in one-off audit
  • Weekly automated rescans
  • New secret alert within 24 hours
  • Remediation implementation included
  • Monthly exposure report

Where are your secrets hiding?

Most startups have at least one exposed credential. A Stripe key in an env var. An AWS key in a .env file. A database password in user data. Find yours before someone else does.
