SPNT

Operational Telemetry Layer

Proof that your controls are actually working.

A security control on paper is not a security control in practice. MFA is configured but not enforced. A network security group has the right rules but an exception was added six months ago. A logging policy exists but the log sink has been paused.

SPNT's Operational Telemetry Layer takes a different approach. It ingests cloud-audit and identity-platform events, classifies each event against the controls those events should be enforcing, and writes a control-health assessment to the substrate. A control that fails enforcement validation immediately affects the priority of every finding it would have mitigated.

The eight telemetry sources

  • AWS CloudTrail — API activity, administrative actions, privilege escalation attempts, enforcement failures.
  • Kubernetes audit log — cluster-level activity, pod creation, role-binding changes, admission control outcomes. Supports webhook delivery and pull mode for the major managed Kubernetes platforms.
  • Microsoft Entra ID — Azure AD sign-in events, conditional access policy outcomes, MFA enforcement records, role assignment changes.
  • GitHub audit log — repository events, organisation policy changes, secret scanning alerts, app installation activity.
  • Okta — identity and access events, MFA bypass attempts, session anomalies, policy enforcement records.
  • Azure Activity Log — resource management operations, policy assignments, subscription-level administrative actions.
  • GCP Cloud Audit Logs — API calls against GCP projects, IAM changes, storage access, compute operations.
  • GitHub Enterprise Server — on-premises GitHub instance audit events for self-hosted deployments.

What "control validation" actually means

The telemetry layer does more than collect events. It evaluates each event against the control model in the substrate.

Example: a conditional access policy is configured to require MFA for all sign-ins to privileged accounts. The classifier checks each sign-in event against that policy. If a privileged sign-in shows MFA was not enforced, the classifier writes a control-health failure to the substrate.

That failure immediately:

  • Affects the priority score of findings that depended on that control as a mitigation.
  • Surfaces in the governance module as an obligation impact — for frameworks that require evidence of enforcement, the failure is recorded.
  • Becomes a signal for the autonomous research engine — a cluster of failures suggests a systemic problem worth investigating.
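The MFA example above, worked through as an added illustration (not SPNT's code): a small classifier that checks constructed sign-in events against a "privileged sign-ins require MFA" control, writes a control-health failure when enforcement was bypassed, and withdraws that control's mitigation credit from every finding that depended on it. The event field names, the control id and the halving of a finding's score per intact mitigating control are assumptions made for this example, not page-documented behaviour.

```python
"""Control validation: privileged sign-ins must show MFA enforced.

Assumed (not from the page): event keys, the control id, and the
mitigation_credit weighting. All events below are constructed.
"""
from dataclasses import dataclass, field

PRIVILEGED_ACCOUNTS = {"alice@example.test", "breakglass@example.test"}
CONTROL_ID = "MFA_REQUIRED_PRIVILEGED"  # hypothetical control id

# Constructed identity-platform sign-in events (not real telemetry).
SIGN_IN_EVENTS = [
    {"user": "alice@example.test", "mfa_enforced": True, "result": "success"},
    {"user": "bob@example.test", "mfa_enforced": False, "result": "success"},  # not privileged
    {"user": "breakglass@example.test", "mfa_enforced": False, "result": "success"},  # bypass
    {"user": "alice@example.test", "mfa_enforced": False, "result": "failure"},  # denied, no bypass
]


@dataclass
class Finding:
    finding_id: str
    base_score: float
    mitigated_by: set = field(default_factory=set)  # control ids credited as mitigations


def classify(events):
    """Return control-health failures: successful privileged sign-ins without MFA.

    A denied sign-in is not a failure of the control; only a successful
    session that skipped MFA proves the control was not enforced.
    """
    failures = []
    for ev in events:
        if (ev["user"] in PRIVILEGED_ACCOUNTS
                and ev["result"] == "success"
                and not ev["mfa_enforced"]):
            failures.append({"control": CONTROL_ID, "user": ev["user"]})
    return failures


def rescore(findings, failures, mitigation_credit=0.5):
    """Re-prioritise findings: a control that failed validation earns no credit."""
    failed_controls = {f["control"] for f in failures}
    scored = {}
    for fd in findings:
        effective = fd.base_score
        for control in fd.mitigated_by:
            if control not in failed_controls:
                effective *= mitigation_credit  # intact control reduces priority
        scored[fd.finding_id] = round(effective, 2)
    return scored
```

With the constructed events, only the break-glass session is flagged, and the finding that relied on the MFA control returns to its full base score while unrelated findings are untouched.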

What SPNT does not do

The telemetry layer is not a SIEM. It does not ingest raw logs at petabyte scale. It does not provide custom correlation-rule authoring or full-text log search.

It normalises selected cloud-audit and identity events into structured substrate records. Organisations with regulatory requirements for raw log retention at scale will run a dedicated log platform alongside SPNT. The two coexist — SPNT handles structured control validation; the log platform handles search and retention.

This is an architectural choice, not a roadmap gap. SPNT trades raw-data breadth for structured-substrate depth.

Tier availability

The Operational Telemetry Layer is available on Enterprise and Sovereign tiers.

See telemetry validation in action

A demonstration showing cloud-audit events flowing into the substrate, control validation running, and priority re-scoring triggered by a control-health failure.