Google Cloud

Welcome to the first Cloud CISO Perspectives for August 2025. Today, our Office of the CISO’s Bob Mechler and Anton Chuvakin dive into the key trends and evolving threats that we tracked in our just-published Cloud Threat Horizons report.

As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.

New Cloud Threat Horizons details evolving threats — and defenses

By Bob Mechler, director, Office of the CISO, and Anton Chuvakin, security advisor, Office of the CISO

These findings closely mirror our observations in previous Cloud Threat Horizons Reports, emphasizing the critical need for robust identity and access management and proactive vulnerability management.

The new report takes stock of the state of cloud security, and focuses on actionable recommendations for leaders and practitioners. As threat actors advance their methods for data exfiltration, identity compromise, supply chain attacks, and improving evasion and persistence techniques, Google Cloud security experts offer four critical insights into these evolving risks, supported by threat intelligence and risk mitigations.

1. Foundational vulnerabilities persist

A persistent challenge is the continued exploitation of basic security weaknesses in the cloud. Despite defensive advancements, the primary entry points for threat actors — credential compromise and misconfiguration — are driven by a lack of attention to cloud security fundamentals.

As we noted, these foundational issues accounted for a significant portion of incidents in the first half of 2025. Too many organizations struggle with these basics and we can not emphasize enough the importance of robust identity and access management and proactive vulnerability management — reach out to your cloud provider to ensure your metaphorical windows and doors are locked.

2. Attacking backups to pressure victims

Threat actors are increasingly targeting backup infrastructure to hinder recovery efforts. Financially-motivated attackers are now routinely compromising backup systems to ensure that organizations can’t restore data after a ransomware attack and coerce them into capitulating.

This shift emphasizes the critical importance of business continuity. Our report highlights the need for solutions, including Cloud Isolated Recovery Environment (CIRE), to provide a secure restore point. A robust disaster recovery plan, rooted in layered security, should go beyond relying solely on cloud backups.

3. MFA is effective, but not invulnerable

Multi-factor authentication (MFA) is a highly effective security measure. However, threat actors are developing more sophisticated methods to bypass it, particularly through social engineering to steal credentials and session cookies.

For example, the North Korean threat actor group UNC4899 used social media to trick employees into running malicious Docker containers and then steal the victim’s credentials and session cookies to gain access to cloud environments. In some instances, they used credential and cookie theft to bypass weaker MFA methods to avoid detection.

As Google Cloud and Workspace take steps to add additional layers of protection to the MFA process with passkeys and device-bound session credentials, cloud customers should also adopt a comprehensive defense-in-depth strategy. Robust session management and enhanced user awareness training can prove vital to mitigating MFA threats.

4. Evolving supply chain attacks

The supply chain continues to be a significant area of risk, and we’ve observed threat actors using trusted cloud services to host decoy files and payloads. The new Cloud Threat Horizons report details campaigns where seemingly-benign PDFs on legitimate cloud platforms were used to distract victims while malicious payloads were downloaded — a classic trust-exploitation attack.

It shouldn’t come as a surprise that adversaries are evolving their tactics to target personnel, recovery plans, and the inherent trust in platforms. CISOs and security leaders should encourage their organizations to evolve as well, from addressing individual vulnerabilities to building a resilient, end-to-end security program prepared for today’s threat landscape.

Level up your cloud security today

Effectively navigating today’s threats means that organizations should prioritize a defense-in-depth strategy that prioritizes identity security, robust recovery mechanisms, continuous vigilance against sophisticated social engineering and deception tactics, and supply chain integrity.

For more details on the threats facing cloud providers and users, and mitigations for those risks, you can download the new Cloud Threat Horizons report here.

In case you missed it

Here are the latest updates, products, services, and resources from our security teams so far this month:

• Your guide to Security Summit 2025: AI can help empower defenders, and also create new security challenges. Join us for this year’s Security Summit as we focus on those themes. Read more.
• Complex, hybrid manufacturing needs strong security. Here’s how CISOs can get it done: Our Office of the CISO has developed actionable security guidance for hybrid manufacturing OT networks. Here’s what you need to know. Read more.
• Forrester study: Customers cite 240% ROI with Google Security Operations: A new Forrester Consulting study on Google Security Operations found a 240% ROI over three years, with a net present value (NPV) of $4.3 million. Read more.
• Google Cloud’s commitment to EU AI Act support: We intend to sign the European Union AI Act Code of Practice. Here’s what our European customers should know. Read more.
• Introducing audit-only mode for Access Transparency: Introducing a new, lightweight audit-only mode for Access Approval to enable access approvals in an “on demand only” model. Read more.
• Best practices to prevent dangling bucket takeovers: Storage buckets are where your data lives in the cloud, but sometimes they get forgotten. Here’s how to secure them against dangling bucket attacks. Read more.
• New patch rewards program for OSV-SCALIBR: Participants in the program will be eligible to receive a financial reward for providing novel OSV-SCALIBR plugins for inventory, vulnerability, and secret detection. Read more.
• Android’s pKVM first globally-certified software to earn SESIP Level 5: With this level of security assurance, Android is now positioned to securely support the next generation of high-criticality isolated workloads. This includes vital features, such as on-device AI workloads that can operate on ultra-personalized data, with the highest assurances of privacy and integrity. Read more.

Please visit the Google Cloud blog for more security stories published this month.

Threat Intelligence news

• Exposing the risks of VMware vSphere Active Directory integration: The common practice of directly integrating vSphere with Microsoft Active Directory can simplify administration tasks, but also creates an attack path frequently underestimated due to misunderstanding the inherent risks. Read more.
• Defending your VMware vSphere estate from UNC3944: Take a deep dive into the anatomy of UNC3944’s vSphere-centered attacks, and study our fortified, multi-pillar defense strategy for risk mitigation. Read more.
• Ongoing SonicWall SMA exploitation campaign using the OVERSTEP backdoor: Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances. Read more.

Please visit the Google Cloud blog for more threat intelligence stories published this month.

Now hear this: Podcasts from Google Cloud

• Google lessons for using AI agents to secure our enterprise: What can AI agents do for your organization’s security? Dominik Swierad, product development and strategy lead, AI and Sec-Gemini, joins hosts Anton Chuvakin and Tim Peacock for a lively chat on the state of using AI agents to improve security. Listen here.
• Making security personal, the TikTok way: Kim Albarella, global head of security, TikTok, discusses security strategies, appropriate metrics, and balancing the need for localized compliance with the desire for a consistent global security posture with Anton and Tim. Listen here.
• Defender’s Advantage: Securing protection relays in modern substations: Host Luke McNamara is joined by members of Mandiant Consulting’s Operational Technology team to discuss securing assets in the energy grid. Listen here.

To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in a few weeks with more security-related updates from Google Cloud.

Keeta Network is a layer‑1 blockchain that unifies transactions across different blockchains and payment systems, eliminating the need for costly intermediaries, reducing fees, and enabling near‑instant settlements. By facilitating cross‑chain transactions and interoperability with existing payment systems, Keeta bridges the gap between cryptocurrencies and fiat, enabling a secure, efficient, and compliant global financial ecosystem.

Founded in 2022 and backed by Eric Schmidt, the former CEO of Google, Keeta has engineered its network to meet the stringent regulatory and operational requirements of financial institutions. Its on‑chain compliance protocols, including Know Your Customer (KYC) and Anti-Money Laundering (AML), ensure security and regulatory adherence. Keeta’s architecture also natively supports asset tokenization and digital identity, making it an ideal platform for stablecoins and real‑world asset transfers.

Recently, the company conducted a public, verified stress test of its network, which runs on Spanner, Google Cloud’s horizontally scalable, highly available operational database. The test demonstrated Keeta Network is capable of over 11 million transactions per second (TPS), significantly outperforming traditional layer-1 blockchains and opening new opportunities for what is possible with blockchain technology.

Keeta chose Spanner to power its distributed ledger due to its availability and elastic scalability, allowing the team to scale up or down as needed without downtime, costly over-provisioning, or risky manual administration. Google Cloud was also instrumental in helping to prepare and execute Keeta’s stress test, providing world-class infrastructure and technical guidance that helped validate the network’s real-world performance.

With Spanner’s fully managed operations and familiar relational developer experience, Keeta was able to focus on its network — not database infrastructure or distributed systems. At peak, Spanner handled 300,000 queries per second, reading and writing durable state to read balances, check permissions, resolve conflicts, and publish votes.

Building one network, ready for anything

On its mission to be the blockchain that connects all networks, Keeta created a unified platform that serves as a common ground for all payment networks and assets. Keeta Network’s underlying architecture is built on a directed acyclic graph (DAG) structure. Unlike traditional blockchain architecture, a DAG can process transactions in parallel across many individual accounts, reducing latency and avoiding common bottlenecks that plague other existing solutions.

The network utilizes a two-step voting process to approve or deny operations. Each transaction must be verified by a set of voting representatives, which occurs prior to updating any ledger. Individual steps rely on Spanner’s ACID (atomicity, consistency, isolation, durability) transactions and strict external consistency to ensure correctness as well as durability in the event of an outage or a network partition.

Keeta Network is unbounded by design, enabling it to scale horizontally to handle the increasing demand of participants. Similarly, Spanner’s scale-out architecture allows for linear read and write scaling in dozens of regions globally, all while maintaining consistency and latency.

Furthermore, representatives can be configured to scale down as throughput requirements decrease. Spanner ensures that scaling up or scale down are always online operations, even under the heaviest load. By dynamically adjusting the size of its Spanner instances based on actual demand, Keeta saves money.

Testing Keeta’s performance in the real world

Keeta’s Test Network consisted of four representative nodes, each issuing votes on the network. To process the targeted number of transactions, more than 30 million synthetic accounts generated over 25 billion transactions, reading and writing data to Spanner instances in four separate regions. It’s important to note that adding additional representative nodes did not materially change the complexity of the confirmation process.

In order to put the network through its paces, the stress test utilized a “fan out” approach to demonstrate its parallel throughput and immense scale. One account was used to begin the process of distributing funds to every account. This initial source account created numerous blocks, each containing 20 transactions each, which were then used to fund an additional 60,000 to 120,000 accounts. Each of these accounts, in turn, sent additional transactions. This process was repeated many times to reach the 30 million total accounts used during the test.

Verified independently by Chainspect, the network successfully reached 11,122,116 transactions per second (TPS), far exceeding Keeta’s targeted goal of 10 million TPS.

Taking blockchain technology to new heights

By showcasing this scalability, Keeta is one step closer to its vision – connecting the fragmented global economy. Existing solutions lack the scalability required for traditional financial traffic, making it impossible to connect global finance. Spanner and Google Cloud provide Keeta peace of mind and a significant technical leg up, delivering an infrastructure that can grow at the same pace as its network without significant rebuilding or unpredictable costs.

Keeta shows that blockchain technology is now capable of improving critical operations like cross-border payments, point-of-sale transactions, and asset transfers of all types. To put the addressable market into perspective, consider this: Tens of trillions of dollars worth of value are transferred across outdated financial systems daily — and Keeta Network has proven it has the speed, scale, and security to be the foundation for a new, interconnected ecosystem.

Leaders in industries like financial services, retail, and entertainment and media already rely on Spanner to power their most critical operational workloads. Learn more about how Spanner can help take the stress out of your organization’s next growth milestone and set your development teams up for success.

We are pleased to announce the preview of multi-subnet support for Google Kubernetes Engine (GKE) clusters. This enhancement removes single-subnet limitations, increasing scalability, optimizing resource utilization, and enhancing flexibility of your GKE clusters.

Multi-subnet support for GKE clusters allows you to add additional subnets to an existing GKE cluster, which can then be utilized by new node pools. This functionality is supported for all clusters, using GKE version 1.30.3-gke.1211000 or greater.

Benefits

• Increased scalability: Clusters can now scale beyond the limits of a single subnets primary IP range.
• Optimized resource utilization: IP addresses can be allocated more efficiently across multiple subnets, which reduces IP waste.
• Enhanced flexibility: Adding subnets provides more flexibility in managing IP ranges for pods and services. Subnets can be updated without recreating the cluster so you can easily expand beyond initial cluster configurations.

Use case: Node IP exhaustion

Historically, GKE clusters are created on a single subnet, using its primary IP range. Once all the IPs in the primary range are used, the cluster can no longer add more nodes, and hence cannot expand or autoscale.

The IP exhaustion errors look something like this:

To fix this error, we can now use the new multi-subnet feature to add subnets to the cluster. New node pools can use the new subnet and continue to grow the cluster. You can add multiple secondary ranges in the new subnets, in addition to the existing ability to add additional pod ranges to the default subnet. GKE will automatically pick a subnet during node pool creation based on the IP availability in the subnets.

Getting started

To take control of your GKE cluster’s growth, try adding subnets on-demand and scale fearlessly. Use your preferred method to start using multi-subnet support today!

• CLI: For a complete list of CLI commands and options, check out the documentation.
• API: To learn more about how to use the API, check the API documentation.
• Terraform and UI support are coming soon!

In today’s hyper-competitive telecommunications landscape, understanding and maximizing the Customer Lifetime Value (CLV) metric isn’t just a nice-to-have, it’s a strategic imperative. For Deutsche Telekom, accurate CLV calculations are the bedrock of informed decisions, driving crucial initiatives in customer acquisition, retention, and targeted marketing campaigns. The ability to predict and influence long-term customer relationships directly translates to sustained profitability and a competitive edge.

Initially, Deutsche Telekom’s Data Science team processed data within an on-premises data lake environment, leveraging Jupyter notebooks and PySpark. However, this reliance on legacy on-prem data lake systems was creating significant bottlenecks. These systems, designed for a different era of data volume and complexity, struggled to handle the massive datasets required for sophisticated CLV modeling. The result? Extended processing times, limited agility in data science experiments, and a growing gap between potential insights and actionable results.

This challenge demanded a transformative solution, leading Deutsche Telekom to embrace the power of modern cloud infrastructure, specifically Google Cloud’s BigQuery, to unlock the full potential of their data and accelerate their journey towards data-driven innovation.The core of this transformation was the migration of critical data science workloads, beginning with the CLV calculations, to BigQuery.

Deutsche Telekom decided that for distributed Python data processing, they wanted to move off of PySpark-based code and adopt BigQuery DataFrames a.k.a. BigFrames. BigFrames is an open-source Python library offered by Google that scales Python data processing by transpiling common Python data science APIs to BigQuery SQL. You can read more about BigFrames in the official introduction to BigFrames and can refer to the public git repository.

This decision was driven by three factors:

1. Keep it simple: By moving all the data processing to BigQuery, the company would be standardizing on a single data processing technology. This helps in administration and standardization across the organization.
2. Bet on universal skills: Python and Pandas are universal data science skills, but bringing in Spark would introduce additional learning. BigFrames is Pandas-like — it pushes processing to BigQuery. The move reduces the upskilling required to work on data science tasks.
3. Focus on business logic: Data science teams can focus on core business logic and less on the infrastructure required to make that logic work.

In other words, this move was not just a technical upgrade — it was a strategic shift towards a more agile, efficient, and insight-driven future. By leveraging BigQuery’s ability to process massive datasets quickly and efficiently, along with the tight integration of BigQuery DataFrames and its compatibility with familiar pandas and scikit-learn APIs, Deutsche Telekom aimed to eliminate the bottlenecks that had hindered their data science initiatives. This solution, centered around BigQuery and BigQuery DataFrames, provided the foundation for faster insights, improved decision-making, and ultimately, enhanced customer experiences.

The migration journey

To realize these benefits, Deutsche Telekom meticulously planned a two-phase technical migration strategy, designed to minimize disruption and maximize the speed of achieving tangible business results.

The actual effort required to execute the two phases above was one person-week. Conversion with Gemini was 95% accurate and worked as expected. In the first phase, the most time was spent on manual data validation. Furthermore, around 70% of the pandas code automatically functioned as BigQuery DataFrames code as well. Some adjustments were required for data types and scalar functions.

Phase 1: Accelerated transition with AI-powered code conversion
The initial phase focused on rapidly converting existing code to a format compatible with Google Cloud’s environment. This was significantly accelerated by leveraging advanced AI tools like Gemini, which streamlined the code conversion process. This allowed the team to focus on validating results and ensuring business continuity, rather than getting bogged down in lengthy technical rewrites.

Phase 2: Optimizing for cloud scalability and performance
The second phase involved adapting the data processing to fully leverage BigQuery. This step was crucial for eliminating the performance bottlenecks they had experienced with the legacy systems. By aligning the data processing with BigQuery’s capabilities, Deutsche Telekom was able to unlock significant improvements in processing speed and scalability, allowing for faster and more insightful data analysis.

Key business benefits of the technical approach:

Deutsche Telekom’s technical migration strategy was not just about moving data; it was about strategically enabling faster, more scalable, and more reliable data-driven decisions. Among the benefits that they saw from this approach were:

• Faster time to insight: The accelerated code conversion, powered by AI, significantly reduced the time required to migrate and validate the data, enabling quicker access to critical business insights.
• Improved scalability and performance: The transition to BigQuery’s cloud-native architecture eliminated performance bottlenecks and provided the scalability needed to handle growing data volumes.
• Reduced operational risk: The structured, two-phase approach minimized disruption and ensured a smooth transition, reducing operational risk.
• Leveraging existing expertise: The use of familiar tools and technologies, combined with AI-powered assistance, allowed the team to leverage their existing expertise, minimizing the learning curve.

Of course, a project of this scale presented its own set of unique challenges, but each one was addressed with solutions that further strengthened Deutsche Telekom’s data capabilities and delivered increased business value.

Challenge 1: Ensuring data accuracy at scale
Initially, the test data didn’t fully represent the complexities of their real-world data, potentially impacting the accuracy of critical calculations like CLV.

Solution: During the test phase, they relaxed the filters on the data sources to overcome the data size problem. They implemented the changes in both old and new versions of the code to reliably compare the outputs.

Challenge 2: Maintaining robust security and compliance
Balancing the need for data access with stringent security and compliance requirements was an important consideration. BigQuery DataFrames documentation highlights the need for admin-level IAM privileges for some tasks like Remote Functions, which may not be possible in enterprise environments.

Solution: Deutsche Telekom developed customized IAM roles that met its security standards while enabling data access for authorized users. This helped ensure data security and compliance while supporting business agility.

By addressing these challenges strategically, Deutsche Telekom not only had a successful migration, but it also delivered tangible business benefits. Deutsche Telekom now has a more agile, scalable, and secure data platform, enabling them to make faster, more informed decisions and ultimately enhance their customer experience. This project demonstrates the power of cloud transformation in driving business value.

Deutsche Telekom’s successful migration to BigQuery was a strategic transformation, not just a technical one. By overcoming the limitations of their legacy systems and embracing cloud-based data processing, they’ve established a robust foundation for future innovation. This project underscores the power of strategic partnerships and collaborative problem-solving, showcasing how Google Cloud’s cutting-edge technologies and expert consulting can empower businesses to thrive in the data-driven future.

Ready to unlock the full potential of your data?

Whether you’re facing similar challenges with legacy systems or seeking to accelerate your data science initiatives, Google Cloud’s data platform can provide the solutions you need. Explore the capabilities of BigQuery and DataFrames, and discover how our expert consultants can guide you through a seamless cloud migration.

Contact Google Cloud Consulting today to discuss your specific needs and embark on your own journey towards data-driven innovation.

_{A special thanks to Googler Rohit Naidu, Strategic Cloud Engineer, for his contributions to this post.}

With Windows 10 end of life on the horizon, many businesses are getting more familiar with Windows 11. While your organization might be migrating, or perhaps has already migrated, to the latest Windows OS, many of your users might still prefer the familiarity and ease of Chrome as they spend more time working on the web.

But Chrome isn’t just the browser that users prefer—it’s a trusted browser used by hundreds of millions of business users, many of them working in Microsoft environments. No matter the operating system type or version, with Chrome Enterprise, IT teams get a full set of controls and customizations to meet their organization’s specific needs.

Let’s explore five key ways Chrome Enterprise is bringing more productivity and security to your Windows and Microsoft 365 environments:

1. Fast Calendar and File Access with New Tab Page Integrations for M365

Checking your Outlook Calendar, finding that crucial file in OneDrive, or viewing the latest updates on SharePoint just got streamlined. Chrome Enterprise offers seamless New Tab Page integrations that bring these essential Microsoft 365 tools front and center. When users open a new tab they instantly see upcoming meetings, recently accessed files, and SharePoint updates–all without having to click through any tabs. IT teams can easily configure these settings for their users, so they automatically get easy access to the information they need to work quickly.

2. Flexible Identity Management

Chrome Enterprise offers a wide range of identity integrations, making it easier than ever to manage Chrome using your existing Microsoft (or other third-party) identity solutions. Our Microsoft Entra integration allows your users to sign into Chrome using your existing Entra identity. You can even enforce the usage of a signed in Chrome profile by creating access policies in Microsoft Conditional Access. Once enabled, your enterprise resources will only be accessible from profiles managed by your organization.

Our new Universal Enrollment integration streamlines the process of letting users sign into Chrome with any third-party identity, without needing to sync identities with Google. We’re focused on making identity management seamless, so IT teams can get the security and personalization benefits of a managed browser, even if their organization isn’t using Google identities.

3. Easy Access to Chrome on Windows 11

A big challenge for employees after an OS migration is that their common workflows get disrupted, and they often need to spend time manually updating the OS and re-setting new defaults and preferences. As your users navigate the updated interface of Windows 11, IT teams can help ensure Chrome is right where they need it. With Chrome Enterprise, you can easily configure policies to pin Chrome to the Windows 11 taskbar, making it readily accessible. Similarly, re-setting Chrome as the default browser across your organization can be managed centrally, ensuring a consistent and familiar experience for everyone no matter what OS version they are running on.

A big challenge for employees after an OS migration is that their common workflows get disrupted, and they often need to spend time manually updating the OS and re-setting new defaults and preferences. As your users navigate the updated interface of Windows 11, IT teams can help ensure Chrome is right where they need it. With Chrome Enterprise, you can easily configure policies to pin Chrome to the Windows 11 taskbar, making it readily accessible. Similarly, re-setting Chrome as the default browser across your organization can be managed centrally, ensuring a consistent and familiar experience for everyone no matter what OS version they are running on.

4. Customize Chrome for your Organization

With so much work happening in the browser, it’s helpful for employees to have the ability to log into a dedicated enterprise experience that is configured to help them get access to the right apps and data, while keeping the organization’s data safe and policies enforced.

Organizations can make this separation of work and personal profiles clear to employees by branding Chrome with your company logo and colors. Additionally, IT admins will now be able to customize the entire browser with the company name and logo on the New Tab page footer. This reinforces the work context and reminds users that their corporate profile or browser is for work-related activities.

Plus, you can apply other useful customizations, like centrally managed bookmarks, so users have quick access to important internal resources.

5. Gain Broader Visibility and Security Insights

Understanding your organization’s browser landscape is crucial for security and planning. Chrome Enterprise provides reporting capabilities, offering broader visibility and security insights across platforms and operating systems. This includes making it easier to identify Windows 10 machines that may still need to be migrated, helping you stay ahead of the curve. These insights empower you to make informed decisions, improve security posture, and ensure a smooth transition as your environment evolves.

As you navigate the changing landscape with Windows 11 and beyond, Chrome Enterprise continues to invest in offering a secure enterprise browsing experience in Microsoft environments. It offers a familiar and loved user experience, paired with the advanced management and data protections that IT and security teams need. Get started with Chrome Enterprise Core or Chrome Enterprise Premium today.

Haven’t quite made the move to Windows 11 yet? Check out how easy it is to flex out your devices to ChromeOS using ChromeOS Flex from anywhere, so you can get your users on a supported and secured operating system quickly.

Picture this: You’re ordering an Uber in Lisbon, but your request takes a scenic tour through Madrid, London, and Virginia before confirming your ride. That was the case for millions of users until Uber and Google Cloud set out on an even bigger journey: redesigning how global edge networks should work.

Operating across six continents, Uber connects millions of riders and drivers while handling more than 100,000 concurrent trips and more than a million HTTP requests per second.

At this scale, every millisecond matters. When Uber’s existing edge architecture had sub-optimal routing paths, the company partnered with Google Cloud to redesign their global network approach. The results: substantial latency improvements and millions of dollars in cost savings.

The challenge: Sub-optimal routing, inefficient architecture with operational overhead

Uber’s previous Google Cloud edge used the open source Envoy proxy instances running on virtual machines across 16 regions. While designed to reduce latency by bringing services closer to users, this architecture often created sub-optimal routing paths with multiple unnecessary hops through different regions before reaching Uber’s data centers. The additional network transit increased latency and degraded the user experience that Uber’s customers expect.

This setup presented several challenges:

• Operational complexity: Managing and orchestrating a large fleet of virtual machines (VM) was cumbersome and deviated from Uber’s internal standards.
• Diminishing returns on latency: Contrary to initial assumptions, running Envoy in numerous global regions did not consistently improve latency for all users. In fact, for some, it introduced unnecessary network hops.
• High operational costs: Maintaining a large, globally distributed infrastructure incurred significant costs.

The solution: Direct routing with Hybrid NEGs

The goal was straightforward: create the most direct path from the user to Uber’s backend services across on-premises and various cloud environments. The approach involved moving away from the distributed Envoy VMs and using Google Cloud’s Hybrid Network Endpoint Groups (NEGs) instead.

This new architecture, developed through a 10-month collaboration between Uber and Google engineers, directs traffic from Google’s Global External Application Load Balancer — fronted by Google Cloud Armor for DDoS protection and Cloud CDN for caching — directly to Uber’s on-premises infrastructure via Cloud Interconnect.

The results of migrating to Hybrid NEG-based load balancers were immediate. By removing all edge VMs, the traffic path became significantly more efficient, allowing Google’s global network to handle the long-haul transit over optimized channels. This shift delivered a 2.6% latency improvement at the 50th percentile and 10% at the 99th percentile, directly improving service responsiveness.

The results: impactful improvement

The migration delivered substantial improvements across three key areas. After validating the design and shifting 99% of edge traffic, the project achieved:

• Significant cost reduction: Removing the entire fleet of edge Envoy VMs resulted in a significant cost savings.
• Improved performance and user experience: The streamlined traffic flow improved latency for Uber’s mobile app users by 2.6% at p50 and 10% at p99.
• Simplified operations: Decommissioning the edge VMs reduced operational overhead and improved reliability through more standardized tooling.

“At Uber, every millisecond defines the user experience for millions of people. By re-architecting our global edge with Google Cloud and Hybrid NEGs, we’ve created a more direct, lower-latency path for our services. This not only enhances today’s user experience but also provides the high-performance foundation necessary for our next generation of AI applications, all while significantly reducing operational overhead for our engineering teams.” – Harry Liu, Director of Networking, Uber.

Key takeaways for enterprise teams

Uber’s edge architecture transformation demonstrates what focused technical collaboration can achieve. By replacing a distributed Envoy VM fleet with a streamlined architecture using Google’s global network and Hybrid NEGs, Uber achieved significant improvements in performance, cost, and reliability.

This migration succeeded in under a year through close collaboration between Uber and Google engineers. Key success factors included:

• Architectural validation: Google’s insights into its load balancer architecture helped validate that fewer proxy locations would improve performance, reduce operational overhead.
• Performance modeling: Google engineers modeled production-scale results from Uber’s initial tests, saving benchmarking time and providing the confidence to proceed.
• Simplified design: Hybrid NEGs eliminated the need for Envoy proxy VMs in Google edge.

Multi-tenant GKE platform characteristics

As outlined in Google’s public documentation, there are multiple considerations that need to be addressed when running and operating a GKE cluster. The platform team worked diligently to address the following considerations and satisfy various tenant team’s requirements:

• Workload placement: The platform team assigns labels to node pools to support workload affinity, and tenants use a combination of taints and tolerations to ensure workloads are scheduled on the right node pools. This is necessary as each node pool has distinct firewall requirements based on the type of traffic it handles (HTTPS, POPS, etc). Additionally, Resource Manager Tags are used to govern firewall rules and associate the node pool with the applicable firewall rule.
• Access control: Kubernetes Role-based Access Control (RBAC) is the primary mode of governing and restricting user access to cluster resources. Each tenant has one or more namespaces within their cluster and the cluster is bootstrapped with standard policies during the tenant onboarding process.
• Network policies: All clusters are provisioned under dataplane v2, and Yahoo Mail uses the standard Kubernetes Network Policy to control traffic flow. Under the hood, this uses Cilium, an open-source solution for providing, securing, and observing network connectivity between workloads.
• Resource quotas: To optimize resource utilization and prevent overconsumption, the platform team enforces resource quotas for cpu/memory within a namespace.
• Scaling: This is determined by the platform team based on the tenant’s quota requests during onboarding. Due to certain feature limitations associated with node auto-provisioning around usage of secure tags for firewall rules and defining a specific machine type and shapes, it could not be utilized, but we worked with the engineering team to develop feature requests to address this gap.

Challenges

Through the course of this migration, both Yahoo Mail and Google faced technical constraints and challenges. Below, we outline some of the key challenges faced and the approaches taken to address them:

• Connecting to the control plane: As with most enterprise customers, Yahoo Mail provisioned private GKE clusters and needed connectivity between the control plane and its CI/CD tool (screwdriver) from outside the VPC network. The platform team deployed bastion hosts that were used to proxy the connection to the control plane, but it faced scalability challenges. Google worked with the customer to test out two solutions using Connect gateway and DNS-based endpoint to obviate the need for a bastion host.
• End-to-end mTLS: One of Yahoo Mail key security tenets was to ensure end-to-end mTLS, which the architecture’s overall design and underlying Google Cloud services should be able to accommodate. This resulted in significant problems as one of the key load balancing products (Application Load Balancer) did not offer end-to-end mTLS at the time. We explored alternative measures such as implementing a bespoke proxy application and using Layer 4 load balancers throughout the stack. Professional services also worked with Google Cloud engineering to define the requirements for mTLS support as part of Application Load Balancer.
• Integration with Athenz: Yahoo Mail used an internal tool for identity/access management, Athenz that all Google Cloud services needed to integrate with to perform workload identity federation. Within the Kubernetes context, this meant that users still needed to be authenticated via Athenz, but use workload identity federation as a mediator. As workload identity federation was also a fairly new feature, we needed to collaborate closely with Google Cloud engineering to implement successfully in the Yahoo Mail environment.
• Kubernetes externalTrafficPolicy: One of the distinct features that Yahoo Mail had been most vocal and excited for was weighted routing for load balancers. This feature would allow for optimal routing of incoming traffic to the backends. While this was supported for managed instance groups, there was no native integration with GKE at the time. In its absence, the platform team had to explore and experiment with externalTrafficPolicy modes such as local and cluster mode to determine its performance impact/limitations.
• Capacity planning: Last but not least, Google Professional Services performed capacity planning, a cornerstone of a successful cloud migration. Here, it entailed collaborating across multiple application teams to establish a baseline for capacity needs, making key assumptions, and estimating the resources required to meet both current and future demands. Capacity planning is a highly iterative activity that needs to evolve as workloads and requirements change. Thus, conducting regular reviews and maintaining clear communication with Google was paramount to ensure that the cloud provider could adapt to the customer’s needs.

Yahoo Mail’s next milestone

Migrating an application as big as the Yahoo Mail application is a huge endeavor. With its two-pronged approach — lift and shift for most services, and strategic rearchitecting for some — Yahoo is well on its way to setting its mail system up for the next generation of customers. While a small portion of the Yahoo Mail system is in production, the majority of its services are expected to be onboarded over the next year. For more information on how Google PSO can assist with other similar services, please refer to this page.

We would like to express our gratitude to the Yahoo Mail Compute Infra team for their cooperation in sharing details and collaborating with us on this blog post.

In today’s fast-paced cloud-native world, the speed at which your applications can start and scale is paramount. Faster pod startup times mean quicker responses to user demand, more efficient resource utilization, and a more agile development and deployment lifecycle overall. We’re continuously working to enhance the performance of Google Kubernetes Engine (GKE) to help you achieve these goals.

Previously we introduced container image streaming in GKE, a feature designed to significantly reduce image pull times and accelerate application startup. Today, we’re excited to announce a new set of performance improvements to GKE container image streaming.

These enhancements can help your GKE workloads start up faster and run more efficiently, particularly ones suffering from long startup times due to large container images. Specifically, AI/ML model serving applications will benefit from the improved startup times.

What’s new?

The performance boosts stem from a combination of targeted client-side innovations and ongoing optimizations to our image-streaming backend infrastructure.

A key improvement on the client-side is new intelligent read-ahead capabilities. These allow GKE to proactively fetch image data that is likely to be requested next, minimizing the time your applications spend waiting for data during startup. This works in concert with improvements to the image streaming backend, ensuring that your containers get the data they need, when they need it — just faster.

Alongside these client-side enhancements, we’ve made a number of improvements to our backend that help ensure that the image data is served efficiently and reliably, contributing to the overall speed and stability of the image streaming process.

Measuring the gains: Our benchmarking approach

We benchmarked the performance of image streaming to quantify its benefits, using an internal benchmarking suite to compare historical image streaming data versus the latest version. The benchmark is based on the popular Triton Inference Server image, which we use to measure image loading performance.

In general, we can see a up to ~30% improvement on the image streaming performance with the newly added enhancements. For large container images such as AI/ML models (e.g., vLLM-based containers, which often start at 8 GB and that can easily be as big as 100GB when you include model weights), this enhancement makes a big difference. By improving image pulling time, you get overall quicker container startup compared to non-streamed containers. These performance enhancements also play a big role in scaling out containers using horizontal pod autoscaler (HPA).

Get started with faster image streaming today

These image streaming performance improvements are automatically available to you when using GKE versions 1.32.1-gke.1729000 or newer. If you are already using container image streaming, there are no configuration changes you need to make to benefit from these enhancements. If you are not yet using image streaming, simply enable it on any new or existing GKE cluster to instantly get these benefits.

Improved image streaming performance marks another milestone on our journey to provide you with the fastest and most efficient container management platform. We will roll out further improvements to image streaming focused on image availability, usability, reliability, and integration with other GKE capabilities.

We encourage you to leverage these new enhancements to accelerate your application deployments on GKE. Check out the image streaming documentation to get started today and tap into a world of applications that start and scale faster!

What guides your approach to software development? In our roles at Google, we’re constantly working to build better software, faster. Within Google, our Developer Platform team and Google Cloud have a strategic partnership and a shared strategy: together, we take our internal capabilities and engineering tools and package them up for Google Cloud customers.

At the heart of this is understanding the many ways that software teams, big and small, need to balance efficiency, quality, and cost, all while delivering value. In our recent talk at PlatformCon 2025, we shared key parts of our platform strategy, which we call “shift down.”

Shift down is an approach that advocates for embedding decisions and responsibilities into underlying internal developer platforms (IDPs), thereby reducing the operational burden on developers. This contrasts with the DevOps trend of “shift left,” which pushes more effort earlier into the development cycle, a method that is proving difficult at scale due to the sheer volume and rate of change in requirements. Our shift down strategy helps us maximize value with existing resources so businesses can achieve high innovation velocity with acceptable quality, acceptable risk, and sustainable costs across a diverse range of business models. In the talk, we share learnings that have been really helpful to us in our software and platform engineering journey:

1. Work backwards from the business model: By starting with the business model, organizations can intentionally guide platform evolution and investment to align with desired margins, risk tolerance, and quality requirements. At Google, our central platform must support diverse business models, necessitating continuous strategic refinement and adaptation.
2. Focus on quality attributes for central software control: Quality attributes, such as reliability, security, efficiency, and performance, are emergent properties of software systems and are important for creating business value and managing risk. These are often referred to as “non-functional requirements” because they define how our software behaves, not what it functionally does. With a shift down strategy, we can embed the responsibility for assuring quality attributes directly into the underlying platform systems and infrastructure, thereby significantly reducing the operational burden on individual developers.
3. Abstractions and coupling are key technical tools to gain control of quality attributes: We define two key technical components in the way we build platforms: abstractions and coupling. In a shift down strategy, abstractions provide understandability, risk management levers, accountability, and cost control by encapsulating complexity. Coupling refers to the interconnectedness and interdependence of components within a system or development ecosystem. For a successful shift down strategy, the right degree of coupling is crucial because it allows the development platform and ecosystem design to directly implement and influence quality attributes. In fact, coupling is how we offer entire infrastructure and platform solutions as coherent services like Google Kubernetes Engine (GKE).
4. Shared responsibility, education, and policy are equally important social tools: Shared responsibility is a crucial social tool within software at scale. This is actively cultivated through education, such as training engineers on platform and AI usage, and fostering a “one team” culture that encourages a shift from artifact-bound identities to overarching mission goals and client-focused engagement. Furthermore, explicit policies like centrally enforced style guides and secure-by-design APIs are fundamental for embedding quality attribute assurance directly into the platform and infrastructure, significantly reducing the operational burden on individual developers by ensuring consistency and automated controls at scale.
5. Use a map. Supporting many business units with one platform is a vast and complex problem; we need a map. The ecosystem model is a framework that categorizes different types of software development environments, ranging from highly flexible, developer-controlled systems to highly opinionated, vertically integrated ones where the ecosystem itself assures quality attributes. Its critical purpose is to provide a visual and conceptual tool for evaluating how well our ecosystem controls match our business risk. This helps us ensure that the level of oversight and assurance of quality attributes aligns with the potential cost of mistakes. The goal is to be in the “ecosystem effectiveness zone,” where controls are balanced to mitigate significant risks from human error without imposing overly restrictive systems that negatively impact velocity and developer satisfaction.

6. Divide up the problem space by identifying different platform and ecosystem types.

Because the developer experience and platform infrastructure change with scale and degree of shifting down, it’s not enough to just know where the ecosystem effectiveness zone is — you have to identify the ecosystem by type. We differentiate ecosystem types by the degree of oversight and assurance for quality attributes. As an ecosystem becomes more vertically integrated, such as Google’s highly optimized “Assured” (Type 4) ecosystem, the platform itself assumes increasing responsibility for vital quality attributes, allowing specialists like site reliability engineers (SRE) and security teams to have full ownership in taking action through large-scale observability and embedded capabilities. Conversely, in less uniform “YOLO,” “AdHoc,” or “Guided” (Type 0-2) ecosystems, developers have more responsibility for assuring these attributes, while central specialist teams have less direct control and enforcement mechanisms are less pervasive. It’s really important to note here that this is not a maturity model — the best ecosystem and platform type is the one that best fits your business need (see point #1 above!).

Intentional choices in platform engineering

The most important takeaway is to make active choices. Tailor platform engineering for each business unit and application to achieve the best outcomes. Place critical emphasis on identifying and solving stable sub-problems in reliable, reusable ways across various business problems. This approach directly underpins our “shift down” strategy, moving toward composable platforms that embed decisions and responsibilities for software quality directly into the underlying platform infrastructure, thereby improving our ability to maximize business value with the right resources, at the right quality level, and with sustainable costs.

Watch our full discussion for more insights on effective platform engineering.

As the Hawaiian Islands’ primary higher education resource, the University of Hawaii (UH) System faces a unique challenge among U.S. universities: many graduates–including those with deep family roots in Hawaii – are soon confronted with a competitive job market, and struggle to land a fulfilling entry-level role and starting salary commensurate with Hawaii’s higher-than-average cost of living. This risks a continued outflow of skilled young grads from the Islands as they explore other career options on the mainland.

To bolster its mission of career readiness and workforce development, the UH System collaborated with Google Public Sector to rapidly prototype a new platform for Hawaii Career Pathways. Leveraging Google Cloud’s unified AI platform Vertex AI and BigQuery to analyze vast labor market data, this innovative AI-powered tool evaluates a student’s qualifications–including prior experience, current skills, education and certifications–along with their personal interests and career aspirations. The output is a customized student profile, which, with additional personalized guidance from Gemini, aligns their academic paths with tangible career opportunities within Hawaii. This human-centered approach empowers students to define their career possibilities along with key factors toward securing local jobs, charting a course for them to begin their careers in the state. It’s about fostering talent retention by enhancing student productivity and creating a direct bridge for Hawaii employers to connect with a prepared, local talent pool, directly preparing students for the demands of the greater market and Hawaii’s evolving economy.

Embracing the future: AI integration for education and beyond

In today’s increasingly AI-driven world, preparing students for the workforce requires more than just traditional curricula. UH is proactively integrating artificial intelligence across its educational curriculum and campus operations. Powered by Google Cloud’s Vertex AI Model Garden, with 200+ foundation models, including the latest Gemini models, this integration enhances learning experiences, streamlines administrative tasks, and fosters innovation. As part of this commitment, UH launched Google AI Essentials, a free course for students and employees that teaches foundational knowledge, prompting techniques, and responsible AI practices. This comprehensive AI integration ensures students are not only learning about AI but are also using AI-powered tools, preparing them for jobs of today and tomorrow.

Ensuring digital access across a unique Island culture

A core tenet of the UH community is ensuring accessibility across the Islands’ broad cultural makeup. Google’s commitment to digital inclusion in Hawaii and the Pacific, highlighted by the Grow with Google partnership, strongly aligns with UH’s mission. Accommodating the unique demographics of its student body, UH has begun to leverage Google Translate to communicate to Pacific Islander students in their native languages, including Hawaiian, Māori, Samoan, Tongan, Cook Islands Māori, Cantonese and Marshallese. This directly benefits the diverse population of Hawaii, making communication more accessible. For the UH System, with its extensive engagement with U.S. territories and Pacific Island nations, this enhancement facilitates better communication, supports cultural preservation efforts, and bolsters academic and outreach programs.

Building upon a history of university innovation

This latest collaboration marks the latest chapter of Google’s integral relationship with the UH System. As a longtime Google for Education customer, UH Information Technology Services (ITS) was among the first universities in the U.S. to adopt Google Workspace for Education in the late 2000s. Today, Google Workspace for Education is used by more than 80 of the top 100 universities, as ranked by US News & World Report 2025, making it a leading collaboration and productivity suite for students, faculty, and staff.

Following this initial success, our partnership with UH expanded to include intelligence-driven security with Google Security Operations to deliver a full-stack IT platform. Additionally, Google Cloud plays a central role in UH’s AI-optimized High Performance Computing (HPC) infrastructure, enabling supercomputing-class performance and AI-intensive workloads, to maintain UH’s ranking among world class research universities.

By further equipping students with leading-edge tools like Google Workspace, Gemini, Vertex AI Platform, Google Security Operations, BigQuery, Google Translate and resources for academic achievement, UH ensures they have the opportunity to build successful lives and careers in their island home, strengthening the state’s community and economy for generations to come.

Learn more from Google Public Sector

Join us to learn how public sector organizations are leveraging Google Cloud’s AI and security solutions to achieve their goals at the Google Public Sector Summit 2025 on October 29. Sign up to receive our Google Public Sector newsletter for the latest updates, customer stories, announcements, and more.

The Gemini Multimodal Live API is a powerful tool that allows developers to stream data, such as video and audio, to a generative AI model and receive responses in real-time. Unlike traditional APIs that require a complete data upload before processing can begin, this “live” or “streaming” capability enables a continuous, two-way conversation with the AI, making it possible to analyze events as they unfold.

This real-time interaction unlocks a new class of applications, transforming AI from a static analysis tool into a dynamic, active participant in live workflows. The ability to process and reason over multiple data types (e.g., seeing video, reading text, understanding audio) simultaneously allows for complex, context-aware tasks that were previously impossible to automate.

An example of how the Live API can work is in high-speed manufacturing. This tutorial will show you how to leverage the Gemini API to build an automated quality inspection system that overcomes the common challenges of manual QA.

In this blog, you will learn how to create a system that uses a standard camera feed to:

• Analyze products on a production line in real-time.
• Identify products by reading barcodes or QR codes.
• Detects, classifies, and measures visual defects simultaneously.
• Generate structured reports for every defect.
• Trigger instant alerts for severe issues.

Prerequisites

• A Google Cloud Platform (GCP) account with billing enabled.
• Familiarity with basic cloud concepts and services like Cloud Run and BigQuery.
• Basic knowledge of Python.
• An enabled Gemini API key.

When a defect is found, Gemini doesn’t just flag it; it provides quantitative data (e.g., length of a scratch). This data can be used to calculate a severity score based on weighted parameters like defect size, type, and location, removing human subjectivity from the process.

Step 2: Configure the alerting & logging service

This second Cloud Run service acts on the data from the inspection service.

1. Logging: Upon receiving the structured JSON output from the first service, it immediately writes the full record to a BigQuery table. This creates a powerful, queryable history of all quality events.
2. Intelligent Alerting: For high-severity defects, the service uses a model like Gemini Flash to perform an additional reasoning step. It can summarize the technical data into a clear alert or even correlate events to identify trends.

Sample prompt:

Generated alert: CRITICAL ALERT: 3rd ‘Housing Crack’ defect detected on Line 4 in the last 10 minutes. Possible systemic issue with molding machine M-7. Based on the alert’s severity, the service calls the appropriate APIs (e.g., Gmail API, Google Chat API) to send the message to the right stakeholders instantly.

Get started

By leveraging Gemini’s multimodal capabilities on a scalable Google Cloud architecture, you can build a powerful quality intelligence platform. Check out these links to get started:

• Read the full Live API Capabilities guide for key capabilities and configurations; including Voice Activity Detection and native audio features.
• Read the Tool use guide to learn how to integrate Live API with tools and function calling.
• Read the Session management guide for managing long running conversations.

As part of Google Cloud’s fundamental belief that robust security can enable business resilience and innovation, we’re committed to empowering security operations teams with solutions that deliver measurable value and demonstrable return on investment (ROI).

That’s why we’re thrilled to announce a new, in-depth Forrester Consulting Total Economic Impact™ (TEI) study on Google Security Operations. Based on interviews with our global customers, Forrester’s analysis, which models a composite organization with $8 billion in annual revenue and a 25-person security operations team, found a 240% ROI over three years, with a net present value (NPV) of $4.3 million.

Forrester’s research found this value comes from:

• 70% reduction in the risk and cost of a breach by increasing event ingestion, onboarding more log sources, and implementing more detection rules.
• 50% faster mean time to respond and 65% faster in mean time to investigate for security operations teams.
• Empowering junior security analysts, shifting 35% of security operations work and reducing time to productivity by 70% with an easy-to-use platform and gen AI capabilities.
• Saving organizations $1.2 million over three years by providing a predictable cost model and enabling the decommissioning of legacy on-prem security tools.

“In simple terms, Google SecOps is a mass risk-reducer. Threats that would have impacted our business no longer do, because we have greater observability, better mean time to detect, and better mean time to respond,” said a CISO from an insurance company interviewed for the study.

Reducing risk with speed, scale and observability

In today’s threat landscape, getting ahead of threats means mastering both speed and scale. The Forrester TEI study highlights how Google Security Operations helps organizations tackle two critical needs: ingesting and analyzing massive volumes of security data to provide unfiltered visibility, and significantly reducing risk. Customers told Forrester their prior solutions simply couldn’t keep up with the evolving threat landscape or offered unsustainable cost models.

With Google Security Operations, the story changes dramatically. The study notes organizations achieved “near real-time” query results in “seconds.” This enhanced performance, combined with the platform’s ability to “scale and grow with our [customers’] business,” translated into tangible gains:

• 3x increase in event ingestion speed
• 5x more log sources onboarded
• 8x increase in detection rules implemented
• 10x increase in the number of cases managed with half the number of people

We believe the impact is clear: Google Security Operations can provide unparalleled observability, speed, and a significantly reduced risk profile, helping your team do more with less.

Using threat intelligence to shift from reactive to proactive defense

Staying one step ahead of attackers isn’t just an advantage — it’s a necessity. As threats get more sophisticated, integrating and operationalizing high-fidelity threat intelligence in your security operations platform is critical for a proactive defense.

The Forrester study highlights that Google Security Operations is one of the few platforms that truly understands the value of threat intelligence — and how to use it. Google Security Operations customers can access up-to-date, industry-specific, and frontline insights augmented with generative AI because we’ve integrated Google Threat Intelligence directly into the platform, including intelligence from active Mandiant incident response engagements, VirusTotal’s crowd-sourced threat intelligence, and threat insights by Google based on protecting billions of devices globally.

This deep, out-of-the-box integration means analysts can get the context they need without manual effort. It can also help them understand the impact of emerging threats on their environment before anyone else does, and lead to significant efficiency gains.

Customers saw a 50% reduction in mean time to investigate and a 65% reduction in mean time to respond, according to the Forrester study.

“The threat intel integration is a big deal, and having Mandiant as part of the integrated Google SecOps package is a huge differentiator,” said a director of cyber defense at a healthcare company.

The Forrester study found that these efficiencies can save organizations significant time and effort, contributing $1.5 million in value for the composite organization over three years.

Empowering analysts with AI to close the gap

The ongoing cybersecurity talent shortage demands tools that can empower existing teams and accelerate the productivity of new hires. AI and automation are crucial here, helping to alleviate tedious, manual work and reduce the risk of human error, leading to more efficient and accurate security operations teams.

Google Security Operations has been making significant strides in AI capabilities. We’ve expanded our Gemini AI features and introducing agentic AI to automate repetitive tasks and enhance analyst productivity. These innovations have led to a substantial $636,000 in value for the composite organization over three years, according to the study.

The recent Forrester Wave™: Security Analytics Platforms, Q2 2025, acknowledged Google Security Operations as a Strong Performer, and also pointed to Google’s heavy focus on AI.

We’re proud that direct customer feedback in this TEI study demonstrates our significant progress in enabling defenders with AI.

“Google has developed a very, very strong AI toolset. And from what I’ve seen, there’s an aggressive roadmap and I’m very comfortable that AI will only become more and more powerful on the Google SecOps platform,” said a security operations lead in professional services.

“[Google SecOps] empowers [our team] to investigate quickly and deeply so that no stone is unturned. Gemini obviously plays a large part in that,” said a CISO at an insurance company in Forrester’s report. “Our employees really love that Google SecOps has a context rich data set, along with Gemini which can give a really slick summary and really quickly. It’s a huge accelerator when investigating. You get everything that you need, and it can write complex queries for you. They absolutely love it.”

The tangible impact of these innovations demonstrates how Google Security Operations streamlines operations and actively cultivates a more skilled and empowered security workforce.

A partnership for success

For us, the Forrester TEI study for Google Security Operations underscores our commitment to delivering a powerful security operations platform that can drive a quantifiable competitive advantage. Investing in Google Security Operations can translate into significant financial and operational benefits, and help enable your team to focus on what matters most: securing your organization’s future.

You can get your copy of the Forrester Total Economic Impact™ of Google Security Operations study here to see how Google Security Operations can empower your organization.

Traditional lead generation often relies on brittle scrapers and static scripts that lack the ability to adapt or reason. What if we could architect an agent that doesn’t just fetch data, but emulates the analytical process of a market research team? An agent that can discover patterns, validate information, and generate qualified leads based on a dynamic understanding of success.

This guide details the architecture of such an agent, built using the Agent Development Kit (ADK). We will explore how to structure a complex task into a hierarchy of cooperative agents, manage state across interactions, and design for parallelism to create a system that is both powerful and efficient.

Step 1: Find the root agent

At the core of any complex agentic system is what we call a “primary orchestrator”. In this architecture, the InteractiveLeadGenerator serves as this central hub. Its purpose is not to perform the low-level tasks itself, but to manage the workflow, delegate to specialized sub-agents, and interact with the user. Here’s the Python script:

Before initiating either workflow, the root agent must first understand the user’s specific requirements. This is delegated to a specialized intent_extractor_agent responsible for parsing the user’s initial request into structured data.

Step 3: The pattern discovery workflow

We need to find companies, validate them, and dig into their history. Doing this one by one is slow and inefficient.

Let’s have them work as a team, simultaneously. Our ResearchOrchestratorAgent dynamically creates a mini-pipeline for each company and runs them all in parallel. It’s a high-speed, multi-threaded research team managed by a single SequentialAgent.

The key agents in this sequence include:

• CompanyFinderAgent: Executes searches to find an initial list of companies based on the user’s specific industry and country.
• CompanyFormatterAgent: Takes the raw output from the finder agent and formats it into a standardized structure, ensuring the data is clean and ready for the next stages.
• ResearchOrchestratorAgent: Manages the parallel execution of the research phase. For each company found, it dynamically runs a validation pipeline (which uses the ValidatorAgent) to scrutinize the company against strict criteria.
• SynthesizerOrchestratorAgent: Gathers and consolidates all the validated data from the parallel research pipelines, preparing a unified dataset for the final analysis step.
• PatternSynthesizerAgent: Takes the aggregated data from the orchestrator. Its core instruction is to identify common threads and synthesize them into a clear, evidence-based report, citing the sources for every identified pattern.

Step 4: Control mechanisms and state management

To enable the root agent to manage these complex workflows and maintain a coherent conversation, two ADK features are critical.

1. AgentTool for delegation The SequentialAgent orchestrators are abstracted into a single, callable AgentTool. This allows the root agent to invoke an entire multi-step workflow as if it were a single function call.

2. Callbacks for state management Callbacks are essential for managing the session’s state across multiple turns.

• before_agent_run: Executes before each agent turns to initialize or update the session state.
• after_tool_run: Executes after any tool completes its run. It processes the tool’s output and updates a stage variable in the session state, which is crucial for guiding the root agent’s next decision.

Step 5: The lead generation workflow

Once success patterns are identified and confirmed, the InteractiveLeadGenerator deploys the second major workflow. This process mirrors the structure of the discovery phase, emphasizing consistency and reuse.

The key agents in this sequence are:

• LeadFinderAgent: Uses the previously synthesized patterns as a new search query to find companies that exhibit similar characteristics.
• LeadFormatterAgent: Standardizes and structures the raw data from the LeadFinderAgent for subsequent parallel processing.
• LeadResearchOrchestratorAgent: Manages the parallel execution of the core analysis tasks. For each potential lead, this agent simultaneously runs two critical sub-agents: the reusable ValidatorAgent and the LeadSignalAnalyzerAgent.

Get started

Ready to build? Here are the official resources and source code to help you on your journey.

• Google Agent Development Kit (ADK): Check out GitHub to explore all the features, tools, and configs the ADK offers.
• Project source code on GitHub: Access the complete working code for this agent. Clone the repo and use it as a foundation for your own creations.

We are pleased to share that IDC has named Google a Leader in the IDC MarketScape: Worldwide Business Intelligence and Analytics Platforms 2025 Vendor Assessment. We believe this position is a testament to our continued focus on delivering a modern, AI-infused business intelligence platform that empowers organizations to make data-driven decisions at scale. You can download our excerpt from the 2025 IDC MarketScape for Business Intelligence and Analytics Platforms here.

As noted in the IDC MarketScape, Looker is Google Cloud’s modern business intelligence platform designed to be a unified and trusted platform for the AI era, offering scalable, governed and embedded analytics, with advanced visualization capabilities. Looker’s cloud-native architecture is designed from the ground up with foundational Gemini models, offering native cutting-edge generative AI capabilities, including Conversational Analytics, automated insights and intelligent self-service.

A key strength of Looker is its semantic modeling layer (LookML), which provides the governance and data consistency that is crucial for delivering trusted data to generative AI models. This allows customers to query in natural language for both out-of-the-box and bring-your-own-model scenarios. Additionally, through deep integration of natural language capability, powered by Gemini, complex tasks and queries that traditionally required engaging with on-site data analysts are now in the hands of the broader organization.

Looker is designed for today’s workloads and tomorrow’s AI-powered innovations, including new capabilities in 2025 focused on developer tools. We recently introduced Looker MCP Server, which allows applications such as Gemini CLI, Claude, and other AI platforms to connect to trusted data from developer environments. With Looker MCP Server, AI agents can now directly query Looker’s semantic layer, receiving accurate and reliable data-driven insights without the risk of misinterpretation or outdated information.

Additionally, Looker Continuous Integration helps speed code development and catch data inconsistencies with automated testing and validation, ensuring your BI assets are accurate, reliable and secure. Looker CI proactively tests new code prior to it reaching production, increasing quality and developer confidence.

Companies across markets that are looking for deep integration with Google Cloud’s data, AI, and ML tools–or requiring multicloud flexibility–are selecting Looker for their AI and BI needs. Our open, composable platform supports semantic models and insights across diverse cloud configurations, giving our customers the freedom to innovate in their native environment. We remain dedicated to providing a powerful, flexible, and intelligent platform that helps organizations transform their data into a competitive advantage.

To download the 2025 IDC MarketScape for Business Intelligence and Analytics Platforms excerpt, click here, and for more information on Looker, see here.

_{IDC, IDC MarketScape: Worldwide Business Intelligence and Analytics Platforms 2025 Vendor Assessment, #US52034725, July 2025}

Google Cloud led the cloud-native and container technology charge when we introduced Kubernetes in 2014 and when we launched Google Kubernetes Engine (GKE), the first managed Kubernetes service, in 2015. We are proud and humbled to celebrate GKE’s 10th birthday this year, alongside our community, customers, and industry partners. Learn more and join the celebration by exploring the 10 years of GKE ebook. We‘ve distilled a decade of insights into what makes GKE so effective, how customers are using GKE to support their work at scale, and why we’re ready for everything AI has in store for the decade ahead.

With a goal to create the most scalable, secure, and simple Kubernetes service available, we’ve set the bar high for GKE. Gartner’s recognition of Google Cloud as the highest in Ability to Execute reflects and validates our commitment to improve customer experience. Here are three initiatives we’re focused on: enhancing GKE’s scalability, performance, and cost-efficiency with container-optimized compute, accelerating our customers’ path to AI value on GKE, and establishing Cloud Run as the fastest and simplest AI app and container hosting solution.

Container-optimized compute for every workload

Stop managing nodes and start managing applications with GKE Autopilot. Use Autopilot for up to 7x faster pod scheduling and intelligent, low-latency scaling with GKE’s container-optimized compute platform. With Autopilot’s fast node provisioning when you need it, you only have to pay for the pod resources you use, not idle VMs. This provides a true and unique “serverless Kubernetes” experience. GKE’s architectural scale (up to 65,000 nodes) helps ensure your platform doesn’t become an innovation bottleneck. Build a secure, governable multi-cluster platform out-of-the-box with fleet management, GitOps (Config Sync), and policy enforcement (Policy Controller) included at no extra cost, reducing the tooling sprawl and complexity inherent in competing services.

Leading customers like Signify and Toyota have shared how GKE powers their most business-critical apps and workloads at global scale.