Skip to main content



The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.

📝 November 2023

Shisho Cloud Projects with Fine-Grained Permission Control (GA)

Enhancements will be introduced to facilitate distributed status monitoring, action confirmation, and triage within an organization. Specifically, we plan to make the following improvements:

  • Binding Google Cloud projects and AWS accounts to "Shisho Cloud Projects" for dashboard integration.
  • Granting individual users, who do not have global organization permissions, with read or read + triage permissions for specific "Shisho Cloud Projects."

The Shisho Cloud service and its provider, Flatt Security, will continue to support collaboration between security and product teams through the provision of such features.

Security Lake (Beta)

While we currently offer managed integration with external APIs (AWS / Google Cloud / GitHub) we have received numerous requests for the ability to feed non-API generated security events into Shisho Cloud for evaluation.

In response, we are developing a feature that temporarily stores externally sourced structured data to make it accessible from Rego policies. This feature, provisionally named Security Lake, will be gradually rolled out to customers.

Other Updates

We plan to gradually roll out comprehensive updates to search and sorting operations.

📝 December 2023

Scanning Rule Expansion on Google Cloud (GA)

We plan to launch managed inspection rules equivalent to the Security Health Analytics feature in the Google Cloud Security Command Center.

Scanning Rule Expansion on AWS (GA)

We plan to provide managed inspection rules equivalent to the Foundational Security Best Practices (FSBP) of the AWS Security Hub.

Other Updates

We plan to:

  • Provide a feature to visualize resources surrounding a particular one (Resource Map feature)
  • Offer an API for outputting evaluation result summaries
  • Manage the activation and deactivation of workflows (units of rule execution) for each Shisho Cloud Project

📝 January ― March 2024

Even beyond January, we will continue to advance the provision of features aimed at helping PSIRT(/CSIRT) organizations identify risks and explain them to various stakeholders. In particular, we're considering the following functionality for the period from January to March:

  • Mechanisms to grasp a wider range of risks: Identifying resources exposed to the internet + preliminary network/Web app scanning
  • Mechanisms to assist triage and remediation stakeholders with where to start?: Response recommendations on the dashboard
  • Mechanisms connecting security engineers with their supervisors: Visualize status and progress against various standards on the dashboard

In addition, while aiming for a balance with the status management and communication assistance mechanisms within Shisho Cloud, we will also gradually advance integration with external ticket management systems, such as Jira.

📝 Experimental Updates

TypeScript/JavaScript Support in Workflows

We plan to support TypeScript/JavaScript execution in Shisho Cloud workflows. This will allow you to take advantage of the flexible and delicate behavior customization of Shisho Cloud, even if you are facing challenges with the running cost of Rego. This is extremely helpful in maintaining consistency between the content of security inspections and the content of your organization's security policy.