2. Analyze
Not all prevention opportunities are created equal. Some controls eliminate thousands of findings with minimal effort. Others require months of coordination for limited impact. Analysis transforms discovery data into actionable prevention priorities by identifying which gaps create the most risk and which opportunities deliver maximum value.
Effective analysis connects preventive controls (from Discovery) with detection findings (from your CNAPP or CSPM), revealing which issues appear repeatedly despite being preventable, where prevention coverage gaps create persistent risk, and which new controls would reduce findings most dramatically.
Start here: Prioritize by impact
- Correlate prevention and detection data. Match detection findings against prevention coverage. Which high-volume finding types could be prevented at earlier layers? What percentage of findings would be eliminated through prevention at each layer? The overlap reveals your highest-impact opportunities.
- Rank by risk reduction potential. Prioritize controls based on volume reduction (how many findings eliminated), severity reduction (what risk level prevented), exposure elimination (production versus test), and compliance impact (audit requirements satisfied). Controls that eliminate critical findings in production provide maximum risk reduction.
- Consider feasibility alongside impact. Not all high-impact controls are equally achievable. Assess deployment complexity, team coordination requirements, exception management needs, testing scope, and organizational resistance. Plot opportunities on impact versus feasibility to identify quick wins versus strategic investments.
Then strengthen: Create actionable roadmaps
- Focus on quick wins first. Start with high-impact, high-feasibility controls that deliver immediate value with minimal friction. Organization policies blocking clearly risky actions, encryption defaults for new accounts, and high-confidence IaC scanning rules build momentum and demonstrate prevention value quickly.
- Plan strategic investments carefully. High-impact, low-feasibility controls require significant effort but deliver major risk reduction. Comprehensive IaC scanning across all repositories, organization-wide runtime auto-remediation, and multi-cloud policy standardization need careful planning, executive sponsorship, and sufficient time allocation.
- Avoid low-value complexity. Some opportunities look appealing but deliver limited benefit relative to effort required. Complex prevention for rare edge cases, controls requiring extensive exception management for minimal risk reduction, and prevention for issues better handled through detection consume resources without commensurate value.
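
The correlation and ranking steps above can be sketched in a few lines. This is an added example, not part of the original page: the finding types, control names, feasibility scores, severity weights, production factor and quadrant thresholds are all constructed assumptions to be replaced with your own CNAPP or CSPM export and scoring.

```python
from collections import defaultdict

# Constructed sample findings: (finding_type, severity, environment, count)
FINDINGS = [
    ("public_storage_bucket", "critical", "prod", 40),
    ("public_storage_bucket", "critical", "test", 160),
    ("unencrypted_volume", "medium", "prod", 900),
    ("unencrypted_volume", "medium", "test", 300),
    ("overly_permissive_role", "high", "prod", 300),
    ("missing_replica_tag", "low", "test", 20),
    ("stale_access_key", "low", "prod", 500),  # no preventive control: detection only
]
# Hypothetical mapping: finding_type -> (control, feasibility from 0 to 1)
CONTROLS = {
    "public_storage_bucket": ("org policy: block public access", 0.9),
    "unencrypted_volume": ("encryption default for new accounts", 0.8),
    "overly_permissive_role": ("IaC scanning across all repositories", 0.3),
    "missing_replica_tag": ("custom rule for rare edge case", 0.2),
}
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 10}  # assumed weights
PROD_FACTOR = 2.0  # assumed: production exposure counts double


def risk(severity, env, count):
    return SEVERITY_WEIGHT[severity] * (PROD_FACTOR if env == "prod" else 1.0) * count


def quadrant(impact, feasibility, impact_cut=0.15, feas_cut=0.5):
    if impact >= impact_cut:
        return "quick win" if feasibility >= feas_cut else "strategic investment"
    return "minor" if feasibility >= feas_cut else "low-value complexity"


def rank_controls(findings, controls):
    total_volume = sum(f[3] for f in findings)
    total_risk = sum(risk(*f[1:]) for f in findings)
    agg = defaultdict(lambda: {"volume": 0, "risk": 0.0})
    for ftype, severity, env, count in findings:
        if ftype in controls:  # only preventable findings credit a control
            agg[ftype]["volume"] += count
            agg[ftype]["risk"] += risk(severity, env, count)
    rows = []
    for ftype, a in agg.items():
        name, feasibility = controls[ftype]
        impact = a["risk"] / total_risk  # share of weighted risk the control removes
        rows.append({"control": name, "volume_pct": round(100 * a["volume"] / total_volume, 1),
                     "impact": round(impact, 3), "class": quadrant(impact, feasibility)})
    return sorted(rows, key=lambda r: r["impact"], reverse=True)
```

On this sample the encryption default (medium severity, 1,200 findings) ranks above the public-access policy (critical severity, 200 findings), and the findings with no mapped control stay in the denominator so the impact shares are not overstated.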
Ongoing improvement: Refine priorities
- Balance severity with volume. High-severity findings feel urgent but may appear rarely. Low-severity findings may appear thousands of times. Sometimes preventing 1,000 medium findings delivers more value than preventing 10 critical findings. Consider both dimensions when prioritizing.
- Set time limits on analysis. Analysis paralysis prevents action. Some organizations analyze endlessly, refining prioritization matrices and debating scoring criteria rather than deploying preventive controls. Perfect prioritization matters less than directionally correct action. Deploy something, measure results, iterate.
- Update priorities based on results. As prevention coverage expands, priorities shift. Measurement from deployed controls reveals which approaches work best in your environment, which gaps remain most critical, and where to focus next. Use metrics to guide each iteration of analysis rather than relying on assumptions.
Analysis produces clear, actionable outputs: prioritized prevention roadmaps specifying which controls to deploy and why, expected impact metrics projecting finding reductions and capacity freed, and deployment requirements identifying cloud access needed and team coordination required. These outputs guide the next practice: Simulate, where you validate impact predictions before enforcement.