Qarapace – GCP IAM reviews with persistent decisions and audit trails

by gjanvier·Mar 7, 2026·1 point·0 comments

AI Analysis

Solid · Solve My Problem · Niche Gem

Persistent IAM review with audit trails beats one-shot scanners, but GCP-only limits reach.

Strengths
  • Decision persistence + delta-based workflow solves the real pain: 'reviewers forget why they accepted risk,' missing audit rationale that auditors actually want.
  • Blast-radius ranking + business context reduces noise vs. legacy scanners (1000+ findings → prioritized decisions).
  • Human-in-the-loop AI review (no auto-remediation) keeps security reasoning documented and defensible.
Weaknesses
  • GCP-only positioning in a multi-cloud world; AWS and Azure teams have Ermetic, Wiz, Lacework already solving this.
  • Early-stage traction unclear: 'trusted by scaling startups' is vague; no public customer logos or usage metrics visible.
Target Audience

GCP teams managing IAM sprawl who need documented security decisions for compliance audits (ISO 27001, SOC 2, GDPR).

Similar To

Ermetic (now CloudGuard) · Wiz · Lacework

Post Description

Hey HN, I built this because I kept postponing my own IAM reviews.

The pattern is always the same: open the GCP console, stare at 200+ bindings, feel overwhelmed, close the tab, promise to do it next month. Repeat.

Scanners exist, but they give you 500 findings and no workflow. You could paste your IAM config into ChatGPT and get a decent analysis, but next month you start from zero. No memory of what you decided, what you accepted, what you flagged.

Qarapace does two things:

1. Structured review workflow. It ranks identities by blast radius and lets you go through them one by one: validate, flag, annotate. Think inbox zero for IAM risks.

2. AI-assisted analysis. Like a code review but for permissions. It flags issues against best practices and explains why something is risky.

The key difference from a one-shot AI analysis: decisions persist. Each monthly review works on the delta. Over time you get an audit trail of security reasoning, not just a snapshot.

Stack: Angular, Firebase, Cloud Functions. Each client provides their own read-only service account key (encrypted with Cloud KMS, never stored in plaintext).

It's early and I'm the only user. Looking for feedback, especially from anyone who does (or avoids) periodic IAM reviews.
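
The delta-based review described in the post, sketched as an added example (not Qarapace's code): grants already decided are carried over with their rationale, and only new or changed grants are queued, highest weight first. The weights, the sample policy and decisions, and the choice to key a grant by member, role and condition expression are assumptions made for this example.

```python
# Blast-radius weights per role: hypothetical values for this example only.
WEIGHT = {"roles/owner": 100, "roles/editor": 80}

# Constructed sample policy, in the shape of a GCP IAM policy's "bindings".
POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:dave@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:ci@demo.iam.gserviceaccount.com"],
     "condition": {"title": "demo-only",
                   "expression": 'resource.name.startsWith("projects/demo")'}},
    {"role": "roles/viewer",
     "members": ["user:alice@example.com", "user:carol@example.com"]},
]}

# Constructed sample: decisions recorded in the previous review, keyed by
# (member, role, condition expression).
DECISIONS = {
    ("serviceAccount:ci@demo.iam.gserviceaccount.com", "roles/editor", ""):
        {"verdict": "accepted", "why": "CI deploys every service"},
    ("user:alice@example.com", "roles/viewer", ""):
        {"verdict": "validated", "why": "on-call engineer"},
    ("user:bob@example.com", "roles/owner", ""):
        {"verdict": "flagged", "why": "left the team"},
}

def flatten(policy):
    """Expand bindings into (member, role, condition) grants."""
    grants = set()
    for b in policy.get("bindings", []):
        cond = b.get("condition", {}).get("expression", "")
        grants.update((m, b["role"], cond) for m in b.get("members", []))
    return grants

def review_delta(policy, decisions):
    """Split grants into: needs review, carried over with rationale, gone."""
    current, known = flatten(policy), set(decisions)
    todo = sorted(current - known,
                  key=lambda g: (-WEIGHT.get(g[1], 10), g))
    carried = {g: decisions[g] for g in current & known}
    gone = sorted(known - current)
    return todo, carried, gone

if __name__ == "__main__":
    todo, carried, gone = review_delta(POLICY, DECISIONS)
    for g in todo:
        print("REVIEW ", g)
    for g, d in carried.items():
        print("KEEP   ", g, "->", d["verdict"], "-", d["why"])
    for g in gone:
        print("CLOSED ", g, "-", DECISIONS[g]["why"])
```

Because the condition expression is part of the key, the CI account's editor grant comes back for review once a condition is attached, and its earlier unconditional decision is reported as gone rather than silently reused.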
