Can CISOs Trust Their Applications? TrustCloud Wants to Replace the Questionnaire
SecurityWeek, archived Jun 16, 2026
By continuously analyzing security, infrastructure, and governance data, TrustCloud aims to give CISOs a real-time view of application risk and board-ready assurance.
For many CISOs, assessing trust in enterprise production applications is still a manual process: questionnaires sent to the teams running the apps, chasing their return, collating the responses, and then analyzing the content. The purpose is not to count vulnerabilities and threats but to assess whether the company can trust the production applications it operates. It matters to the CISO, and the board demands it.
It is tedious and time-consuming. At best it is done quarterly; very often it is an annual task. The result is a point-in-time, subjective judgment that does not reflect how the modern business changes from day to day. Where an enterprise might have operated a few hundred applications a decade ago, it now has thousands in production and will have more tomorrow. Data gathering by manual questionnaire simply does not scale.
“For years, CISOs have been forced to bring leadership point-in-time snapshots and call them a risk picture,” comments Tejas Ranade, co-founder and CPO at TrustCloud. “They know it’s incomplete. Their boards know it’s incomplete, but the industry has had no better solution.”
TrustCloud has now developed a product designed to change this and bring an archaic practice into the age of AI-driven and -managed automation: Application Assurance. “We plug into the entire ecosystem that runs an application,” explains Ranade.
“This includes security tools that monitor the app, infrastructure tools that constitute the runtime, documentation repositories that store policies and procedures, ticketing systems, etcetera. We monitor all of this continuously for the CISO. We don’t look into the application; we monitor all the data about the application. This tells the CISO whether this application is adequately secure and what is the risk.”
The data is collected by hundreds of TrustCloud connectors plugged into the enterprise’s data sources, then aggregated, normalized and automatically analyzed. The process serves two purposes: it replaces manual point-in-time data collection with continuous automated monitoring, and it replaces subjective human interpretation with automated, AI-driven analysis that the company presents as objective.
The automated collection, centralization and analysis of data does, however, create two new problems: data residency, and trust in TrustCloud itself. On data residency, “We work with highly regulated enterprises across many industries: manufacturing, pharma, government, and so on,” says Ranade.
“Some have very specific needs around data residency; so, we’re architected for a variety of different residency models. The data could live in a managed TrustCloud cloud as a secure managed service, but it can also live in the customer’s environment with selected data being pushed into TrustCloud for analysis. We support many data residency options to satisfy different customer requirements.”
Trust in TrustCloud itself is the second issue. TrustCloud collects and centralizes information about applications in production: which security tools monitor them, what infrastructure runs them, and which policies and procedures govern them. An aggregated inventory of that kind would be valuable to an attacker, so TrustCloud’s own security is a legitimate concern.
The firm understands this and tries to be as transparent as possible. Its own security is frequently audited by prospective customers; it operates on least privilege, using and retaining only the data it needs; it lets customers specify what data it may hold; and it says its security program adheres to the applicable regulatory guidelines. “In the end,” says Ranade, “we are no different than our customers. They are in sensitive, highly regulated industries, and what they do for themselves, we do for TrustCloud, holding ourselves to the same or higher standard.”
There is a further advantage to using a third party to demonstrate trust in applications. Applications don’t simply grow in number and complexity; they change in type. What is already too complex for a manual process will only get worse with the increasing use of new, easily generated vibe-coded in-house and third-party production applications. Agentic systems bring new problems of their own.
“A top-of-mind concern for CISOs today,” explains Ranade, “is understanding what agentic applications are being built in their enterprise – understanding what security guardrails should be put in place for those agentic apps; understanding what vendors they are bringing on board with agentic capabilities and how to assess these vendors. We already work with customers to do assessments of agentic applications to ensure the CISO knows what agents are in the environment, what security guardrails need to be put in place, and what data points can be monitored to show how each agent is being secured and governed by company policies. This is not simply something we can do, it is something we are already doing.”
So, as new application types emerge, a third-party assurance monitor can help CISOs rapidly understand how much trust can be maintained. It does not secure the apps themselves, but it helps the CISO ensure the right level of protection around them.
By automating the collection and analysis of data used for trust assessments, TrustCloud seeks to revolutionize the process for CISOs: less time-consuming effort, and more accurate objective assessments that can be used to both improve the security around applications in production and demonstrate trust in these applications to the board on demand.
Written by Kevin Townsend
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high-tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security and has had many thousands of articles published in dozens of different magazines, from The Times and the Financial Times to current and long-gone computer magazines.