March 2026 — A 3-person startup received an $82,000 Gemini API bill in 48 hours after their key was silently reauthorized by Google. Their normal monthly spend was $180. Read the incident →

Your GCP API keys have a kill switch.
One that can't be turned against you.

CloudSentinel monitors your Google Cloud API usage in real-time and auto-revokes keys the instant they breach your threshold — powered by a Revoke-Only IAM role that is structurally incapable of creating or modifying your infrastructure.

Request Early Access — 50% OffSee How It Works
No polling. Event-driven.
Revoke-Only IAM
Auto-revoke within minutes
Built for teams that can't afford downtime

THE PROBLEM

Google Cloud has no kill switch. Every second a leaked key runs costs you money.

Runaway bills before you even wake up

A single leaked key can rack up $10,000+ in charges overnight. Google's first alert arrives after the damage is done.

Quota tools don't revoke. They throttle.

Native GCP rate limits slow down requests — they don't kill the key. An attacker just keeps dripping through.

Manual monitoring means humans sleep.

By the time your on-call dev sees the alert, opens the console, and finds the key — you've already lost.

gcp-billing-monitor — live
[02:14:33] api_key: AIzaSy•••••••••
[02:14:33] requests_today: 1,240
[02:14:34] requests_today: 4,892
[02:14:35] requests_today: 19,442 ⚠ anomaly detected
[02:14:35] estimated_bill: $847.00
[02:14:36] estimated_bill: $3,291.00
[02:14:36] estimated_bill: $9,104.00
[02:14:37] STATUS: NO AUTOMATED RESPONSE
[02:14:37] STATUS: MANUAL INTERVENTION REQUIRED

HOW IT WORKS

Revoke-Only by architecture. Not by promise.

CloudSentinel doesn't poll your project every minute. It uses your Service Account to create Alerting Policies directly inside your GCP project. When a threshold is hit, Google pushes a Pub/Sub webhook to CloudSentinel. We receive it and fire the DeleteKey command automatically — within minutes of Google detecting the breach. No polling. No delay. No manual step.

01

Grant IAM Role

Assign CloudSentinel's read-and-revoke Custom IAM Role to your GCP project. Takes 60 seconds.

02

We Set the Sensors

CloudSentinel creates Alerting Policies inside your project. Google monitors your usage — we just listen.

03

Instant Revocation

Threshold crossed? Google's monitoring detects it and pushes a Pub/Sub alert to CloudSentinel. We call DeleteKey automatically — no human in the loop, no manual step.

Even in a full platform breach, an attacker inherits a role that can only remove access — never create infrastructure. This is not a policy. It is a structural absence of permission. Your key is dead before you even read the alert email.

WHAT YOU GET

Three guarantees. Zero surprises.

Zero-Liability Security

Our IAM role has a permission surface of exactly two actions: read usage metrics and revoke keys. That is the entire blast radius if we are ever compromised.

Request Volume Kill Switch

Set a max requests-per-minute or per-day limit. The moment Google detects the breach, CloudSentinel revokes the key automatically. No manual step, no waiting for a human to wake up and log in.

Budget Spend Kill Switch

Set a spend ceiling on any GCP project. CloudSentinel watches your burn rate via billing alerts and pulls the plug before a runaway key becomes a runaway bill.

PRICING

Simple pricing. No free tier.

A professional tool for teams that need it to work. Early access members get 50% off their first 3 months.

🎉 Early Access — 50% off first 3 months. Limited to first 100 teams.

Starter

$9/mo$19/mo
3 GCP projects
10 API keys monitored
Request volume kill switch
Budget spend kill switch
Email alerts
Request Early Access
Most Popular

Pro

$24/mo$49/mo
10 GCP projects
Unlimited API keys
Request + budget kill switches
Webhook event logs
Priority email support
Request Early Access

Business

$49/mo$99/mo
Unlimited GCP projects
Unlimited API keys
Full webhook event history
Slack + PagerDuty alerts
Dedicated support
Request Early Access

FAQ

The questions your security team will ask.

We built CloudSentinel for developers who are skeptical by default. Good. Here are the hard questions answered.

That's exactly the right question to ask. Most tools request broad OAuth access or Owner-level permissions. CloudSentinel requests a Custom IAM Role with a permission surface of exactly three things: read your API key list, read your usage metrics, and delete a key. The delete permission only works on existing keys — the role does not contain apikeys.create. This isn't a policy we promise to follow. It is a structural absence at the GCP permission level. Even if our entire platform was compromised, an attacker could only remove keys from your project — never create infrastructure, never access your data, never touch anything else.
No. CloudSentinel sits entirely outside your critical path. Your API keys work independently of our platform. If we go offline, your keys keep functioning exactly as they did before — we simply won't be monitoring them during that window. The Alerting Policies we create inside your GCP project are owned by your project, not ours. The only thing that stops working is the auto-revocation. We maintain 99.9% uptime SLA on the webhook receiver specifically because it is the one critical function.
No. The GCP IAM permissions we hold allow us to see that a key exists and its usage metrics — request counts and billing data. We cannot see the key's actual secret value after creation, and we have zero visibility into what your API keys are being used for or what data flows through them. We see a number go up. That is all.
You will receive an immediate alert when a key is revoked, including the exact metric that triggered it. You can then issue a new key from your GCP console and adjust the threshold. We are working on a one-click temporary suspension mode that pauses monitoring without revoking — this is on the Phase 2 roadmap. For now we recommend setting thresholds conservatively above your highest known peak traffic, with at least a 3x safety margin.
GCP budget alerts send you an email. They do not revoke keys. By the time you read the email, open the console, navigate to API keys, and delete the offending key — assuming you even know which one it is — significant damage may already be done. CloudSentinel receives the Pub/Sub alert programmatically and fires the DeleteKey command automatically — no human in the loop, no manual login, no finding which key caused it. GCP Monitoring evaluates thresholds on a 1-5 minute cycle. The gap between breach and revocation goes from hours (waiting for a human) to minutes (fully automated). While you're still asleep, the key is already dead.
We store the minimum required to operate: your GCP project ID, the key IDs you are monitoring, the thresholds you set, and a log of revocation events for your audit trail. We do not store usage metrics — those live in GCP. We do not store key values — those are never accessible to us. All stored data is encrypted at rest. You can delete your account and all associated data at any time.
Starter at $19/mo covers up to 3 GCP projects and 10 API keys. Pro at $49/mo covers 10 projects and unlimited keys. Business at $99/mo is unlimited everything with Slack and PagerDuty alerts. Early access members lock in 50% off their chosen plan for the first 3 months. There is no free tier — this is a professional security tool and we price it accordingly.

EARLY ACCESS

Get in before we launch.

50% off your first 3 months. Limited to the first 100 teams. We'll reach out personally before charging anything.