# Beruni

> The AWS scan for startups, not enterprises. Beruni connects read-only to your AWS account via a CloudFormation IAM role, scans the five services behind most AWS breaches (IAM, S3, EC2, VPC, RDS), and surfaces misconfigurations in a table — each finding cites the CIS, FSBP, PCI, or GDPR control it traces to. Just an IAM role — read-only, scoped, revocable. No enterprise pricing.

Beruni is a cloud security posture management (CSPM) product for AWS, positioned as a Wiz alternative for SMB SaaS startups (roughly 10–200 employees) that can't justify enterprise security pricing. The marketing site is at https://beruni.app/; the authenticated product surface is at https://console.beruni.app/.

- **Status**: Closed beta. Access is invite-only via the waitlist at https://beruni.app/.
- **Scope**: IAM, S3, EC2, VPC, RDS. Five services where most AWS breaches happen — roughly the entire stack a SaaS startup is running on day one. More services as the beta runs.
- **Frameworks**: CIS AWS Foundations, AWS FSBP, PCI DSS, GDPR. Every finding cites the controls it traces to.
- **Pricing**: Free during beta. Public pricing announced before GA.
- **Built by**: [ByteOrb](https://byteorb.org). Two engineers who couldn't justify a Wiz quote.
- **Contact**: contact@beruni.app.

## How it works

1. Deploy a CloudFormation template that creates a read-only IAM role with an ExternalId in your AWS account.
2. Beruni's scanner calls STS AssumeRole with your ExternalId. AWS returns a short-lived session token. The scanner walks the resources it has read permission on and evaluates them against the rule library.
3. Findings land in a table — each one cites the CIS, FSBP, PCI, or GDPR control it traces to.

The scanner is strictly read-only — AWS's `SecurityAudit` managed policy: `List*`, `Describe*`, `Get*` only. No write, modify, or delete permissions.

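
A way for a customer to verify the role described in the steps above before trusting it, as an added example that is not Beruni's code: it checks a trust policy for a pinned principal and an `sts:ExternalId` condition, and the attached policies for anything beyond `SecurityAudit`. The account ID, role name, ExternalId value and function names are assumptions made for illustration.

```python
import json

SECURITY_AUDIT_ARN = "arn:aws:iam::aws:policy/SecurityAudit"  # AWS managed policy

def _as_list(value):
    """IAM JSON allows a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, expected_principal):
    """Return findings for a cross-account role trust policy document."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if "*" in aws:
            findings.append("wildcard principal can assume the role")
        elif aws != [expected_principal]:
            findings.append("unexpected principal: %s" % aws)
        # Without an ExternalId condition the role is open to a confused deputy.
        cond = stmt.get("Condition", {})
        ext = _as_list(cond.get("StringEquals", {}).get("sts:ExternalId"))
        if not ext or any(not e for e in ext):
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
    return findings

def audit_attached_policies(policy_arns):
    """Return every attached managed policy ARN other than SecurityAudit."""
    return [arn for arn in policy_arns if arn != SECURITY_AUDIT_ARN]

# Constructed samples. The account ID, role name and ExternalId are placeholders.
SCANNER = "arn:aws:iam::111122223333:role/example-scanner"
GOOD = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-scanner"},
  "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}""")
WEAK = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}""")

if __name__ == "__main__":
    print(audit_trust_policy(GOOD, SCANNER))
    print(audit_trust_policy(WEAK, SCANNER))
```
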
Nothing is deployed inside the customer's AWS account beyond the read-only IAM role itself; the scanner runs on Beruni's infrastructure and calls in via STS AssumeRole. We never see customer AWS access keys; only short-lived STS session tokens issued per scan.

## What beta members get

- **Manual onboarding**: Two engineers walk you through the CloudFormation step ourselves. Not a Discord support queue.
- **Direct founder line**: Every email gets a personal reply.
- **Free during beta**: No credit card. No payment info collected.
- **Open rule library**: Rules are JSON. Spot a check we're missing — open a PR; we'll merge it.

## Frequently asked questions

**What does the read-only role actually grant?**

AWS's `SecurityAudit` managed policy. `List*`, `Describe*`, `Get*` on the five services we scan — no write, no modify, no delete. The trust policy on your role only accepts our scanner principal when called with your ExternalId; rotating that ExternalId revokes us instantly.

**How do you handle our AWS credentials?**

There aren't any to handle. Beruni uses STS AssumeRole — your CloudFormation deploys the role, we call AssumeRole with your ExternalId, AWS returns a short-lived session token scoped to that one scan. We never see your access keys, and the token expires when the scan finishes.

**When does the beta end? Will pricing change?**

No date locked. The beta runs until we've cleared the waitlist, gathered usage data, and shipped the next four services on the roadmap. Pricing isn't set; we'll publish before GA. Beta members get a heads-up before any of that lands.

## Pages

- [Landing page](https://beruni.app/): Product description, screenshots of the console, waitlist signup.
- [Security policy](https://beruni.app/security): Placeholder; full policy ships before GA.
- [Privacy policy](https://beruni.app/privacy): Placeholder; full policy ships before GA.
- [Terms of service](https://beruni.app/terms): Placeholder; full terms ship before GA.

## Optional

- [ByteOrb](https://byteorb.org): Parent organization that builds Beruni.
- [Console sign-in](https://console.beruni.app/sign-in): Authenticated product surface, for waitlisted customers only — not browsable without an invitation.