What is our primary use case?
Basically, what Bridgecrew does is scan our policy configurations inside of our public cloud provider. We were scanning for security misconfigurations and vulnerabilities in our packages to ensure that we had locked down everything as needed in terms of IAM permissions and VPC access and things like that.
What is most valuable?
The software itself is good software and does great things. It's really useful.
In terms of what it provides, it'll scan your services, it'll tell you what's misconfigured according to best practices. In cases where they have automatic remediations, you can click a button and it'll just fix the configuration for you. And then, in the cases where it doesn't have automated remediations, it has extensive guides walking you through step by step what you have to do to fix things. It's excellent in that regard.
It's multi-cloud. If you have a multi-cloud environment, it's going to do that for you across all your cloud platforms. That's a wonderful thing. That's really useful.
What needs improvement?
The challenge is that they charge you per resource. We had an issue where Google Cloud was generating secrets for our application configurations by the hundreds, which we would be charged for by Bridgecrew. Our price would have surged to an insane amount due to the automatically generated secrets that we don't even use for anything, which isn't part of our security concern.
What we would like to know is if there is a way that we could exclude those from our resources so that we're not billed for that. We don't monitor that. They ignored me for a month through four emails asking about that.
They were just totally unresponsive. Then after a month, I said, "I guess you don't want our business." And they responded, "Oh, we're sorry to hear that." I said, "You're sorry to hear that? Why didn't you respond to any of my emails?"
If you're trying to pay them less money, then they want to get rid of you. They don't want to talk to you. That's what it came across as. It's not like we weren't looking at spending thousands of dollars a month with them. We just weren't looking at spending $8,000 versus $2,000.
That was a bit frustrating. Generally, I do like their product. It's a useful product. It's good. We wanted to use it. However, since they blew us off, it left a bad taste in our mouths.
Their sales team needs a little bit of a jostle to get themselves together.
We'd like to see better monitoring and the ability to deny certain resources from being scanned.
For how long have I used the solution?
We did a trial of Bridgecrew at my new company within the last 12 months.
What do I think about the stability of the solution?
The solution is stable. There are no bugs or glitches. It doesn't crash or freeze.
That said, I'd say that their web interface in and of itself can be a little slow - particularly the more resources that you have. There could be some improvements made in that department.
What do I think about the scalability of the solution?
It is a scalable product.
I've only worked for relatively small reliability teams.
How are customer service and support?
Previously, when I worked with them at my last employer, they were really good about being in touch and following up and helping us clear things up. However, in my new organization, they've been unresponsive to our queries, and it hasn't been a pleasant experience.
A lot of the customer support with a wide range of companies has just been on the decline for the last year or so. I don't know why; however, it seems to be a common theme with people I speak to. Support isn't what it used to be.
I wasn't trying to bother somebody who would have to deal with my questions for extended hours. I just wanted a simple question answered. That's pretty fundamental stuff for business.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
We did not previously use a different solution.
How was the initial setup?
The solution is fairly simple. You basically give them some API keys with some advanced access to your system so that it can review all of the different settings. They just use those API keys to access information from within the cloud and then provide you with a dashboard with recommendations for how to resolve everything.
In terms of getting up and running, it's very straightforward and simple. Then deleting access later is also very simple. It's just removing their IAM permissions and killing the API key. That's it.
I'd rate it a five out of five in terms of the ease of implementation.
In terms of deployment, to get up and running, it's just a few hours.
What about the implementation team?
We handled the setup in-house.
What was our ROI?
In terms of ROI, I can't name anything specific. However, I could foresee a situation in which a hack can be costly, and this software would put you in a position to prevent that. By helping you to secure your environment, it reduces the likelihood of your exposure.
What's my experience with pricing, setup cost, and licensing?
It's the per-resource cost. So it's X number of dollars per number of resources, depending on how many VMs you have, how many services are running, how many cloud functions, how many IAM resources are used, et cetera. It tallies up all those different things and then bases the price on that. So it's relative to how big your project is, and that will be very specific to each use case. I don't know the specific pricing.
I would say for a smaller company, it's an affordable solution.
The thing that makes Bridgecrew super attractive is that for half the price of what it costs to hire a full-time security person, this will provide you with a whole lot of security coverage. Somebody still needs to go in there and do the work of securing things.
In terms of doing a full-scale analysis of your platform, it's worth the money since you would have to pay another person full-time to do the work it would do. It would also go way slower than the software. In that way, it's a really good investment.
Which other solutions did I evaluate?
The other one we came really close to using in my last job and now look at in this job is ORCA.
It does similar things. However, instead of them looking through all of your policies, they do what's called side scanning, which is a different way of checking your security posture that I don't entirely understand. It's apparently a little more efficient than just the policy stuff because it monitors activities on an ongoing basis.
Bridgecrew is a policy analysis platform more than anything else. At the same time, ORCA is actively monitoring your traffic and things like that. So it's a little more in-depth and advanced - and more expensive.
What other advice do I have?
We're a customer.
It's not run on different versions. It's cloud software, so you are always using the latest deployed version.
I'd rate the solution eight out of ten. The product is a good product. There's room for improvement, however, I like the product. I just wish I liked them more.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Google
*Disclosure: My company does not have a business relationship with this vendor other than being a customer.