Calma Cloud
ES Try Calma Studio
All in one platform

A complete suite for your Azure cloud

From posture auditing to designing brand-new architecture, plus threat hunting and cost savings.

Posture (CSPM)

Security audit of your Azure subscription from a scan of its inventory.

  • Interactive network topology and Internet-exposed resources.
  • Findings by severity and category, each with its remediation.
  • Compliance against CIS Azure, ISO 27001, NIST 800-53 and GDPR.
  • Complete, exportable inventory.
  • A copilot that knows that audit's data: 'what should I fix first?'.
Who it's for: Security leads, MSPs and consultancies auditing Azure subscriptions.
How it works, an example and FAQ

How it works

  1. You connect a Service Principal with the Reader role (read-only) and the subscription's inventory is scanned: network, identities, storage, encryption and logs.
  2. Calma Cloud applies its rule catalog and builds the dashboard: network topology, Internet-exposed resources, findings by severity and category, and compliance per framework.
  3. Each finding carries its severity, rule, affected resource and recommended remediation; the copilot answers questions about that specific data.

An example

You scan a subscription with 240 resources. In a couple of minutes you see that 3 SQL Servers accept 0.0.0.0/0, which CIS Azure controls are failing and, in compliance, exactly which ones fail. You ask the copilot 'what should I fix first?' and it prioritizes by severity and impact.

Frequently asked questions

Does it change anything in my Azure?

No. It's read-only (Reader role): it never modifies, deploys or deletes any resource.

What do I need to run a scan?

A Service Principal with the Reader role on the subscription. Nothing to install on your resources.

Which compliance frameworks does it cover?

CIS Azure Foundations, ISO 27001, NIST 800-53 and GDPR, mapped to each finding.

Where does my data stay?

The scan is processed in your own instance; credentials live in your local configuration and are never committed.

Insights

Answers questions and advisories about your infrastructure with a live report.

  • Paste an Azure advisory (retirement, health, recommendation) and see the real impact on your resources.
  • Ask in natural language and get a report of the affected resources.
  • Queries Azure Resource Graph live, exporting nothing.
Who it's for: Operations teams that need fast, well-grounded answers.
How it works, an example and FAQ

How it works

  1. Paste an Azure notice (service retirement, health advisory, recommendation) or type a question in plain language.
  2. Calma Cloud queries Azure Resource Graph live and cross-references the notice with your actual resources.
  3. You get a report with the affected resources and what to do — no exports, no dashboard to build.

An example

Azure announces the retirement of a TLS version. You paste the notice and, live, Insights lists the 7 App Services and 2 Storage Accounts still using it, with their resource group, so you act only where needed.

Frequently asked questions

Where does the data come from?

From Azure Resource Graph in real time (Reader role). It never works off a stale export.

Do I have to write queries?

No. You paste the notice or ask in plain language; the AI does the rest.

Does it work with any notice?

It's built for retirement, health and recommendation notices, plus questions about your inventory.

Optimize

Real savings: usage-based rightsizing, idle resources and tier-downgrade simulation.

  • Uses real Azure Monitor metrics, not just the declared SKU.
  • Detects idle resources (waste) and reservation opportunities.
  • Simulates tier downgrades with configurable safety margins.
  • Shows the estimated monthly savings.
Who it's for: FinOps and cloud-budget owners.
How it works, an example and FAQ

How it works

  1. It reads your resources' real usage via Azure Monitor (CPU, memory, activity), not just the declared SKU.
  2. It detects idle resources (waste) and downsizing candidates, applying the safety margins you configure.
  3. It simulates the change and shows the estimated monthly savings, resource by resource.

An example

A D8s_v5 VM has run below 12% CPU for weeks. Optimize suggests dropping to D4s_v5 with a 30% margin and estimates €156/mo in savings; it also flags 4 orphaned disks as waste.

Frequently asked questions

Does it recommend based on the SKU alone?

No. It relies on real Azure Monitor metrics; the declared SKU is only the starting point.

Does it apply the changes for me?

No. It's a simulation: you decide what to apply. The safety margins prevent aggressive recommendations.

Does it also detect unused resources?

Yes: orphaned disks, unassociated IPs and idle resources all count as waste.

Observe

Speak in natural language and the AI writes the KQL, runs it and explains each step.

  • From question to KQL query over Log Analytics, automatically.
  • Shows schema, query, time range and results — didactic and auditable.
  • Live streaming of the answer.
Who it's for: SRE and observability/operations teams.
How it works, an example and FAQ

How it works

  1. You type the question in plain language, for example 'errors in the last 24h'.
  2. The AI reads the workspace schema, generates the KQL query and runs it against Log Analytics.
  3. You see every step — schema, query, time range and results — streamed live, auditable and didactic.

An example

You ask 'top 5 slowest operations this week'. Observe shows you the KQL it generated, the time range applied and the results table — and you can copy that query to reuse it.

Frequently asked questions

Do I need to know KQL?

No, but you'll see it: every answer shows the generated query so you can learn from it and audit it.

What permissions are required?

The Reader role and a Log Analytics workspace configured in settings.

Can I continue an investigation?

Yes: every conversation is saved automatically and there's a gallery to pick them back up.

Hunt

Threat hunting: security logs and LIVE posture with Resource Graph + Defender.

  • Combines sign-ins, identity and alerts with live posture.
  • Secure score, alerts and Defender recommendations integrated.
  • Works even without a workspace for posture queries.
Who it's for: SOC analysts and threat-hunting teams.
How it works, an example and FAQ

How it works

  1. You ask about security: 'storage with public access', 'failed sign-ins in 24h', 'Defender secure score'.
  2. The AI picks the source: Resource Graph + Defender for live posture, or the security logs (identity, sign-ins, alerts).
  3. Each step shows where the data comes from; you can enable blind AI so results never leave to OpenAI.

An example

You ask 'which storage has public blob access?'. Hunt queries Resource Graph live and lists the affected accounts; then you ask for the 'Defender secure score' and it brings the current posture, with no workspace needed.

Frequently asked questions

Do I need a workspace?

For posture and Defender, no; for the security logs (sign-ins, identity) you do need a Log Analytics workspace.

What is blind AI?

The AI generates the query, but the results are never sent to OpenAI: they're shown raw. For maximum privacy.

Where do the alerts come from?

From Microsoft Defender for Cloud and Azure Resource Graph, queried live.

Calma Studio

Design your Azure architecture on a canvas, with templates, official icons, transparent pricing and Bicep/Terraform export.

  • Visual drag-and-drop canvas: VNets, subnets, resources and connections.
  • 25+ reference templates ready to customize.
  • Full set of official Azure icons.
  • Transparent, real-time pricing while you design.
  • Export to Bicep or Terraform in one click.
  • With AI (in the full version): generate the architecture from a natural-language brief.
Who it's for: Cloud architects, presales and teams designing new infrastructure.
How it works, an example and FAQ

How it works

  1. Start in three ways: with AI from a brief, from a blank canvas, or from one of 25+ reference templates.
  2. Design on the canvas: drag resources, group them into Resource Group / VNet / Subnet, connect them and edit their tier, with official Azure icons.
  3. On top of the design: validate best practices, compute the monthly cost live and export to Bicep or Terraform.

An example

You start from the 'web + SQL' template, switch the region to West Europe and bump the database tier. The monthly cost recalculates instantly and you export the main.bicep ready to deploy.

Frequently asked questions

Can I try it for free?

Yes: Calma Studio is the free public demo, no sign-up, right in your browser.

Is the pricing real?

Yes: it uses the Azure price catalog (West Europe base + per-region factor), the same one as the product.

Is the AI included in the demo?

Manual design, cost and export work without sign-up; AI generation from a brief is in the full version.

Ready to see your cloud with fresh eyes?

Try the designer for free in Calma Studio, or book a guided demo with your own data.

Try Calma Studio Request a demo