VM Prioritisation

Prioritise VMs by attacker reachability.

Focus on workloads on real paths to impact.

Alma combines sensors, cloud context, and runtime telemetry.

It builds a reachability graph and ranks VMs by likely impact.

Alma sensors + cloud context + runtime telemetry → reachability graph → VM prioritisation.

What “reachability” means

Reachability is the likelihood an attacker can reach a VM and cause impact.

Alma bumps priority when a VM is:

  • internet reachable (direct or via ingress/LB)

  • a strong pivot for lateral movement

  • on a path to sensitive systems (DB, identity, secrets, CI/CD)

  • confirmed by observed runtime flows

Reachability is path-based. A public IP alone doesn’t define priority.

Signals Alma uses

Alma combines cloud posture with runtime telemetry.

  • Cloud: security groups/firewalls, routes/peering, gateways, LBs/ingress, tags and roles

  • Runtime: observed inbound/outbound flows, service call patterns, protocol visibility, workload role

The graph keeps declared exposure (what cloud configuration allows) separate from observed runtime exposure (what traffic actually shows).

What drives the score

  • Exposure: internet/ingress reachable. Weak network boundaries.

  • Lateral movement: hub position. Many reachable internal systems.

  • Criticality: prod vs dev. Crown-jewel labels. Ownership tags.

  • Data + identity: paths to sensitive stores. Elevated roles. Risky integrations.

  • Runtime confidence: observed flows raise confidence. Stale/noisy signals drop it.

What you see in Alma

  • Ranked VM list with “why prioritised” highlights

  • Clickable inbound/outbound paths

  • “If compromised → then what?” path simulation

  • Next actions: tighten ingress, segment paths, lock down identity, patch high-impact nodes first

Example: same VM build, different risk

  • VM-1 (high): behind an internet LB. Talks to auth. Path to a prod DB.

  • VM-2 (low): no inbound flows. Isolated subnet. Only talks to non-prod logging.
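To make the scoring factors above and the VM-1 / VM-2 contrast concrete, here is an added illustration (not Alma's code, and the weights are hypothetical): it builds a small reachability graph from constructed nodes and edges, tags each hop as observed or declared, and ranks VMs by path-based score rather than by public IP alone. A constructed VM-3 with a public IP but no observed inbound flow and no path to anything sensitive is included to show that point.

```python
from collections import deque

SENSITIVE = {"db", "identity", "secrets", "cicd"}  # the sensitive-system kinds named above
# Constructed sample inventory (not Alma data). Each edge is a directed network path
# tagged "observed" (seen in runtime flows) or "declared" (allowed by cloud config
# such as a security group, but never seen in traffic).
NODES = {
    "internet": {"kind": "internet"}, "lb": {"kind": "lb", "env": "prod"},
    "vm-1": {"kind": "vm", "env": "prod"}, "vm-2": {"kind": "vm", "env": "dev"},
    "vm-3": {"kind": "vm", "env": "dev", "public_ip": True},
    "auth": {"kind": "identity", "env": "prod"}, "prod-db": {"kind": "db", "env": "prod"},
    "logging": {"kind": "logging", "env": "dev"},
}
EDGES = [
    ("internet", "lb", "observed"), ("lb", "vm-1", "observed"),
    ("vm-1", "auth", "observed"), ("auth", "prod-db", "observed"),
    ("vm-2", "logging", "observed"),
    ("internet", "vm-3", "declared"),  # public IP + open SG, but no inbound flow ever seen
]

def reachable(start, edges=EDGES):
    """Map each node reachable from `start` to a confidence: 1.0 when every hop on
    the best path was observed at runtime, halved for each declared-only hop."""
    best, queue = {start: 1.0}, deque([start])
    while queue:
        node = queue.popleft()
        for src, dst, kind in edges:
            if src != node:
                continue
            conf = best[node] * (1.0 if kind == "observed" else 0.5)
            if conf > best.get(dst, 0.0):  # relax: a higher-confidence path was found
                best[dst] = conf
                queue.append(dst)
    return best

def score(vm):
    """Illustrative path-based score (hypothetical weights, not Alma's formula)."""
    inbound, outbound = reachable("internet"), reachable(vm)
    internal = {n: c for n, c in outbound.items() if n != vm}
    parts = {
        "exposure": 3.0 * inbound.get(vm, 0.0),   # internet path, weighted by runtime confidence
        "lateral": 0.5 * min(len(internal), 5),   # how many internal systems it can reach
        "sensitive": sum(2.0 * c for n, c in internal.items() if NODES[n]["kind"] in SENSITIVE),
        "criticality": 2.0 if NODES[vm].get("env") == "prod" else 0.0,
    }
    return round(sum(parts.values()), 2), {k: v for k, v in parts.items() if v}

def rank(vms):
    """Ranked VM list with its 'why prioritised' highlights, highest first."""
    return sorted(((v, *score(v)) for v in vms), key=lambda t: t[1], reverse=True)
```

`rank(["vm-2", "vm-3", "vm-1"])` puts VM-1 first (internet path, identity and prod DB reachable, prod), VM-3 well below it (declared-only exposure, nothing sensitive reachable), and VM-2 last.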

FAQ

Is this just exposure? No. Exposure is one signal. Alma prioritises end-to-end paths, confirmed by runtime.

Does priority change? Yes. Routing, services, traffic, and identities change. Priorities update automatically.
