Google Cloud integration
Cloud Providers
Google Cloud holds the assets attackers reach first — public IPs on Compute Engine, Cloud Storage buckets, GKE ingress, and Cloud SQL endpoints — and a single permissive firewall rule or bucket ACL can expose all of it to the open internet. FortWatch scans those resources the way an outsider sees them and reports what's actually reachable, not just what your config claims. The Google Cloud integration (currently in development) will push every external finding straight into Security Command Center, so your exposures land next to the rest of your GCP security posture instead of in a separate tool nobody checks.
Exposed Redis on 203.0.113.10:6379
Unauthenticated database reachable from the internet.
View finding & step-by-step fix →Google Cloud + FortWatch
FortWatch connects to your Google Cloud organization or project through a dedicated service account with read-only IAM roles (Security Center Findings Editor plus viewer roles for the resources you want correlated). It enumerates your public-facing GCP assets — external load balancer IPs, Compute Engine instances with public addresses, GKE ingress endpoints, Cloud SQL public IPs, and Cloud Storage buckets — then runs its 11 scanners against them from the outside. Each confirmed exposure is written as a finding into Security Command Center via the SCC Findings API, mapped to the underlying GCP resource so it shows up on the right asset. Severity (critical/high/medium/low) carries through, AI-triage notes and remediation steps ride along in the finding's source properties, and when a later scan confirms the issue is fixed FortWatch marks the SCC finding inactive — so the state stays in sync with reality.
FortWatch scans
Eleven scanners watch your external attack surface around the clock — ports, certs, DNS, cloud buckets, exposed files and more.
AI triages the finding
Each issue is scored by real-world impact and packaged with the affected asset and a one-line explanation of the risk.
Delivered to Google Cloud
The finding lands in Google Cloud, routed by severity — so the right people see the right alert, fast.
What you'll be able to do
Everything the Google Cloud integration will bring to your security workflow.
Public bucket exposure
surface Cloud Storage buckets with allUsers or allAuthenticatedUsers access as a finding in Security Command Center, scoped to the exact bucket resource.
Overly-permissive firewall reality check
when a VPC firewall rule leaves a sensitive port (database, Redis, RDP) reachable from 0.0.0.0/0, FortWatch confirms it from the outside and files it against the offending instance.
Unauthenticated databases on public IPs
catch a Cloud SQL or self-managed Redis/MongoDB/Elasticsearch instance answering on a public address before someone else does.
Expiring or weak TLS on GCP load balancers
track certificate expiry and weak cipher/protocol configurations on external HTTPS load balancers and report them well ahead of outage.
GKE ingress and edge exposure
scan public GKE ingress endpoints for missing security headers, exposed admin paths, and known-CVE components.
Multi-project rollup
monitor every project under your organization from one FortWatch account and route findings into each project's SCC instance.
What an alert looks like
Every finding arrives formatted for Google Cloud — severity up front, the affected asset, and a one-line explanation of why it matters, with a link straight to the step-by-step fix.
- Severity-tagged and color-coded
- The exact asset and port affected
- One click to the full finding & remediation
Google Cloud[FortWatch → Security Command Center] New finding · CRITICAL\nCategory: PUBLIC_STORAGE_BUCKET\nResource: //storage.googleapis.com/projects/_/buckets/acme-prod-backups\nFinding: Cloud Storage bucket grants read access to allUsers — 412 objects, including database dumps, are publicly downloadable.\nExternal verification: anonymous HTTP GET succeeded from outside GCP.\nRemediation: remove the allUsers IAM binding and enable uniform bucket-level access.\nState: ACTIVE · Source: FortWatch EASM · Detected: 2026-06-07 14:22 UTC
Set it up in minutes, once it lands
No agents, no infrastructure changes — just connect Google Cloud and choose where alerts go.
When it launches, open Settings → Integrations in FortWatch and choose Google Cloud.
Create a service account in your GCP project or organization and grant it the read-only roles FortWatch requests (Security Center Findings Editor plus resource viewers), then upload the key or authorize via workload identity federation.
Select which projects FortWatch should enumerate and confirm the external assets it discovers.
Map FortWatch severities to SCC finding severities and pick the SCC source where findings should be written.
Run a test scan to confirm a sample finding appears in Security Command Center, then enable continuous monitoring.
Why route FortWatch into Google Cloud?
GCP's own tooling sees your configuration; it doesn't always confirm what's truly reachable from the internet, and external exposures often hide in the gap between intended config and real-world routing. Writing FortWatch's outside-in findings into Security Command Center means your team triages real, verified exposures in the console they already use for GCP security — no extra dashboard, no context-switching, and no waiting on the next quarterly review to learn a bucket went public.
Frequently asked questions
Is the Google Cloud integration available now?
Not yet — it's in active development. Add your email on this page and we'll notify you the moment it ships.
What access does FortWatch need in GCP?
A read-only service account: viewer roles to enumerate your public-facing resources and Security Center Findings Editor to write findings into SCC. FortWatch never needs permission to modify your infrastructure.
Does this replace Security Command Center?
No — it complements it. SCC analyzes your GCP configuration from the inside; FortWatch verifies what's actually exposed from the outside and files those findings into SCC so both views live in one place.
Want the Google Cloud integration when it ships?
We'll email you the moment it goes live — no spam, just the launch.
Get notified
Secure your entire stack today
Start scanning in under 5 minutes. No credit card required. 14-day free trial included.