Permiso Launches P0LR Espresso To Standardise Cloud Logs And Accelerate Threat Response


Permiso has launched P0LR Espresso, an open source tool that unifies inconsistent cloud logs across AWS, Google Cloud, Azure, Okta and GitHub — giving security teams faster, clearer insights during identity threat investigations.

Permiso Security Inc., an identity threat detection and response startup, has released P0LR Espresso, an open-source framework designed to address one of cloud security’s most persistent challenges: inconsistent logging across platforms. The tool, short for P0 Labs Live Response, normalises cloud runtime logs to give defenders faster and clearer insights during live investigations.

Cloud providers such as Amazon Web Services, Google Cloud Platform, Microsoft Azure, Okta and GitHub all log activity differently, often labelling identical fields with distinct names. For example, AWS uses eventName while Google Cloud uses protoPayload.methodName. Analysts investigating suspicious activity must repeatedly adapt to each structure, wasting valuable time and risking missed indicators.

P0LR Espresso solves this by unifying critical fields — including identity, IP address, user agent and action — into a consistent schema. This allows analysts to focus directly on the story in the data, rather than deciphering vendor-specific formats. The framework is especially valuable during Priority-0 Live Response investigations, where speed is critical to determine if an identity has been compromised. By ‘pulling shots’ of normalised context, it reduces the risk of overlooking key evidence.
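The field unification described above, as an added example that is not Permiso's code or P0LR Espresso's actual schema: the source paths are the field names AWS CloudTrail and Google Cloud Audit Logs use, while the unified key names, function names and sample records are assumptions made for illustration.

```python
# Added illustration. Source paths are the providers' own log field names;
# the unified key names are assumptions, not P0LR Espresso's schema.
FIELD_MAP = {
    "aws": {  # CloudTrail record
        "time": "eventTime",
        "identity": "userIdentity.arn",
        "ip": "sourceIPAddress",
        "user_agent": "userAgent",
        "action": "eventName",
    },
    "gcp": {  # Cloud Audit Logs entry
        "time": "timestamp",
        "identity": "protoPayload.authenticationInfo.principalEmail",
        "ip": "protoPayload.requestMetadata.callerIp",
        "user_agent": "protoPayload.requestMetadata.callerSuppliedUserAgent",
        "action": "protoPayload.methodName",
    },
}

def dig(record, dotted_path):
    """Walk a dotted path through nested dicts; None if any hop is missing."""
    for key in dotted_path.split("."):
        record = record.get(key) if isinstance(record, dict) else None
    return record

def normalise(record):
    """Map one raw record onto the unified keys, tagging where it came from."""
    source = "gcp" if "protoPayload" in record else "aws" if "eventName" in record else None
    if source is None:
        raise ValueError("unrecognised log format")
    event = {field: dig(record, path) for field, path in FIELD_MAP[source].items()}
    event["source"] = source
    return event

def pivot(records, field, value):
    """Return every normalised event, from any provider, where field == value."""
    return [e for e in map(normalise, records) if e[field] == value]

# Constructed sample records (not real log data).
SAMPLES = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "CreateAccessKey",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"timestamp": "2024-05-01T10:02:13Z", "protoPayload": {
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "requestMetadata": {"callerIp": "198.51.100.7",
                            "callerSuppliedUserAgent": "google-cloud-sdk gcloud/470.0.0"}}},
]
```

Calling pivot(SAMPLES, "ip", "198.51.100.7") returns both events with one query, which is the cross-cloud pivot an analyst would otherwise write twice against two differently shaped logs.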

The platform features three key interface components: an event list that provides normalised views with filters and IOC counts, an IOC panel for exploring triggered alerts, and an identity activity analysis view that plots behaviour across timelines to highlight anomalies. Normalisation occurs at the ingestion stage, simplifying all downstream log analysis, whether manual or automated.

By making P0LR Espresso freely available, Permiso is positioning the tool as a community-driven open source solution to unify logging standards. The initiative enables faster, more effective cross-cloud investigations and strengthens collective defences against identity-driven threats.
