Every AWS control has a gap.
Ira watches for when they align.
Defence in depth isn't about finding every gap in your stack. It's about having a layer that sees when your existing controls are failing together — before an AI-powered attacker exploits the path they've just mapped.
The Problem
Security controls don't fail alone. They fail together.
The Swiss cheese model has one uncomfortable truth: every control in your AWS environment — your IAM policies, your GuardDuty alerts, your CloudTrail logs, your VPC flow data — has gaps. That's not a design flaw. It's the nature of layered defence.
The design flaw is assuming those layers don't need to be watched against each other. AI-assisted threat actors don't need a zero day no one has seen before. They need your misconfigured IAM role, your unreviewed GuardDuty finding, your open egress path, and your unmonitored S3 bucket — in the same environment, at the same moment. They enumerate attack surfaces at machine speed. Your gaps were always there. What's changed is how fast someone can find the alignment.
Ira is the correlation layer your stack is missing. It watches all five AWS control layers simultaneously — and fires when your gaps are aligning, before the path is fully exploitable.
- 5 layers Independent AWS controls watched simultaneously
CloudTrail, VPC Flow, S3, GuardDuty, and Config — each with their own gaps, each blind to the others without correlation.
- Minutes How fast AI tooling maps your attack surface
Automated enumeration finds misconfigured roles, open egress paths, and exploitable drift faster than any human triage queue.
- 1 alignment Is all it takes — one gap reinforcing another
Ira fires when signals across multiple layers point at the same target, before that alignment becomes an exploitable path.
Core Capabilities
Ira core capabilities
-
No single layer sees what the others see. Ira reads all five at once.
CloudTrail sees API activity. VPC Flow sees network behaviour. GuardDuty sees threat signals. S3 sees access patterns. Config sees what changed. Ira sees what happens when all five are telling the same story at the same time.
-
Config drift is how your gaps widen silently. Ira catches it before the path opens.
Every configuration change widens or closes a gap in your defence stack. When a security group opens, a policy weakens, or a role gains permissions — Ira classifies the drift and tells your team whether a gap just got exploitable.
-
One score that tells you when gap alignment becomes a threat worth acting on.
Not every gap alignment is critical. Ira calculates a 0–100 score from signal severity, blast radius, and lateral movement indicators — so your team knows immediately whether this alignment needs urgent action or just monitoring.
-
Correlation without action is noise. Ira tells your team exactly what to do — they decide.
A ranked containment plan surfaces to your team with full context: which gaps aligned, which resources are exposed, what to do, in what order. Your team approves. Nothing changes in your environment without that approval.
How It Works
From gap alignment to human-approved response — in minutes.
-
Detect
A signal fires across one of your control layers. Ira begins correlating immediately — no manual triage required to start watching the other four layers for matching signals.
-
Correlate
Five layers read in parallel. What CloudTrail, VPC Flow, S3, GuardDuty, and Config each see about the same event is assembled into a single picture — the work that takes analysts hours, done in minutes.
-
Score
Gap alignment gets a severity rating. A composite 0–100 score tells your team how serious this alignment is, how many layers are involved, and whether the path is actively being probed.
-
Recommend
Your team gets a clear next move. Ranked containment actions surface with full context. Your team approves. Nothing in your environment changes without that decision.
For Your Board
What gap alignment costs when no one is watching.
A defence-in-depth failure isn't a single vulnerability. It's four controls each doing their job — and none of them aware that their individual gaps have aligned into an open path. By the time a human analyst assembles the full picture from scattered logs, the path has been used.
The regulatory consequence is immediate: APRA CPS 230 requires notification within 24 hours of a material operational risk event. Most serious AWS incidents now qualify. The financial consequence compounds: organisations that contain quickly spend significantly less than those that don't — the difference between a contained incident and a disclosed breach is measured in millions and in board credibility.
Ira gives your board one defensible answer: we have a layer that watches all five control layers simultaneously, it fires when gaps align, and every response your team approves is logged and queryable. That record exists regardless of outcome.
APRA CPS 230
24-hour notification window for material operational risk events. Gap alignment detection has to happen before the clock starts — not after hours of manual log correlation.
Faster containment, lower cost
IBM 2025: organisations that contain quickly save over $1.1M compared to those that don't. The correlation layer is the difference between a rapid response and a prolonged investigation.
A defensible position
A board-ready audit trail of every alignment event, every score, every recommendation, and every action taken. The record your directors need to say, truthfully, that controls were in place and operating.