selecting a live virtual instance in a production environment of a cloud computing environment, wherein the live virtual instance includes a disk having a disk descriptor with an address in a cloud storage system;

generating an instruction to clone the disk of the virtual instance, the instruction when executed causes generation of a cloned disk descriptor, the cloned disk descriptor having a data field including the address of the disk of the virtual instance wherein a cloned disk becomes substantially immediately available for inspection in its entirety upon its creation by the execution of the instruction without any copying of data of the disk of the virtual instance, the cloned disk not being associated for operation of any live virtual instance in the production environment;

inspecting the cloned disk for a cybersecurity threat by an inspector in an inspection environment that is at least logically distinct from the cloud computing environment without requiring resources of the cloud computing environment other than the cloned disk descriptor and while the while the live virtual instance remains live and unperturbed; and

releasing the cloned disk in response to completing the inspection of the cloned disk.