April 14, 2026

Stream Security Expands Beyond Cloud-Native: Full Hybrid Cloud Visibility with VMware, NSX, and On-Prem Network Support

The cloud security industry has a blind spot, and it's hiding in plain sight. Most cloud detection and response solutions were built for one world: public cloud. AWS, Azure, GCP. Clean APIs, structured logs, well-documented services. But that's not the world many enterprises actually live in. The reality? Your attack surface doesn't stop at your cloud boundary. Workloads run on VMware. Traffic routes through on-prem to cloud. And adversaries know that the seams between environments are where detection falls apart. Today, we're closing that gap. Stream Security now delivers full attack path analysis and runtime threat detection across hybrid cloud environments, starting with VMware (including NSX), on-premises routers, and network infrastructure.
Stav Sitnikov
CPO

TL;DR

Stream Security now extends CloudTwin beyond public cloud to VMware, NSX, and on-prem network devices. You get full attack path analysis, runtime threat detection, and real-time topology modeling across your entire hybrid environment - not just the cloud or on-prem part of it.

What We're Delivering

Complete, Real-Time Visibility Across Hybrid Environments

CloudTwin, Stream's real-time digital twin of your infrastructure, now models VMware environments, NSX network policies, and on-prem networking devices alongside your cloud resources. This means Stream can trace complete attack paths that cross environment boundaries, such as a compromised VM instance that can reach an RDS in AWS through misconfigured network segmentation.

[Figures: Real-time system architecture visibility; Hybrid Cloud Attack Paths; Configuration Change Impact Analysis]

Context Aware Threat Detection

Stream ingests and correlates native VMware audit logs, vCenter events, and ESXi system logs in real time. Combined with NSX network flow data, we detect threats that VMware-only and cloud-only tools miss:

  • Unauthorized vMotion and VM cloning — detecting potential data exfiltration through VM-level operations
  • ESXi host compromise indicators — suspicious SSH access, hypervisor configuration changes, and privilege escalations
  • NSX policy tampering — unauthorized micro-segmentation changes that open lateral movement paths
  • Anomalous east-west traffic — identifying lateral movement within VMware clusters using NSX distributed firewall logs
  • Anomalous control plane activity - identifying vCenter user activity anomalies

[Figure: Runtime Threat Detection]

Deep Runtime Visibility with eBPF or your existing EDR

For workloads that need deeper inspection, Stream's eBPF-based runtime sensor extends into hybrid environments, delivering:

  • API-layer visibility — full L7 inspection of API traffic, including complete payload for AI workloads
  • File integrity and access monitoring — real-time detection of unauthorized file modifications, sensitive data access, and configuration tampering
  • Process-level telemetry — tracking process execution chains, privilege escalations, and suspicious binary execution across both cloud and VMware workloads
  • Integrate your existing EDR - CrowdStrike, SentinelOne, Palo Alto Cortex

This gives security teams the ability to detect threats at every layer — from network routing to API payloads to process execution — regardless of where the workload runs.

[Figure: Threat Investigation]

AI Detection & Response

Detect and secure AI agents and workloads across your entire infrastructure, including both third-party services and self-hosted components.

[Figure: AI Workload Discovery]

On-Prem Network Device Coverage

Routers, switches, and firewall appliances are now first-class citizens in CloudTwin. Stream ingests device configurations, routing tables, and ACLs to:

  • Map network reachability between cloud VPCs and on-prem segments
  • Identify misconfigurations that create unintended connectivity
  • Detect configuration changes that weaken segmentation
  • Correlate network path data with cloud IAM and workload context for complete attack path modeling

The Stream Difference: Context, Not Just Coverage

Adding VMware and on-prem support isn't about checkbox compliance. It's about building the only security model that reflects how hybrid infrastructure actually works, and how attackers actually exploit it.

CloudTwin continuously maintains a living model of your entire environment: cloud resources, IAM relationships, network topology, VMware clusters, NSX policies, and on-prem routing. When something changes — a new firewall rule, a modified router ACL, a shifted NSX policy — Stream updates the model in real time and re-evaluates every attack path.

This is what allows Stream to go from alert to response in under 5 minutes — even when the attack spans three environments and six network boundaries.

What's Next

VMware and on-prem networking are the beginning. We're building toward a unified security model that covers every environment where enterprise workloads run, because attackers don't respect infrastructure boundaries, and your detection shouldn't either.

If your security team is struggling with visibility gaps between cloud and on-prem environments, we'd love to show you how we can help. Book a demo.

About Stream Security

Stream Security is an AI Detection & Response (AI DR) company built for the era of AI-driven environments across cloud, on-prem, and SaaS. As AI agents operate with real permissions and attackers move at machine speed, Stream enables security teams to keep pace by continuously computing a real-time, deterministic model of their entire environment. Powered by its CloudTwin® technology, Stream instantly understands the full impact of every action across identities, permissions, networks, and resources, allowing organizations to detect, prioritize, and safely respond to threats before they propagate. This transforms security from reactive detection into a true control plane for modern infrastructure.
