What your team experiences

The view from the security desk

01

Signal fires. Ira starts correlating.

When GuardDuty fires, a Config rule flags, or a CloudTrail anomaly appears, Ira begins watching all five control layers for matching signals — automatically, before any analyst has opened a ticket.

02

Gaps align. Your team is told.

Within minutes, your team receives a scored gap alignment report: which controls flagged, which resources are exposed, how serious the alignment is, and what to do about it. You decide. Ira waits.

03

Every alignment logged. Always.

Every correlation Ira runs is stored in your account — signals ingested, gaps identified, scores calculated, recommendations generated. Queryable, exportable, and board-ready without additional configuration.

Architecture Overview

System architecture

Example Scenario

Gap alignment in practice — a walkthrough

This is what the Swiss cheese model looks like in a real AWS environment. Four independent control layers each had a gap. None of them could see the others. When their gaps aligned, the path was open. Here’s how Ira detected the alignment before the damage compounded.

  1. Gap 1: GuardDuty flags an external credential use

    EventBridge routes the GuardDuty finding to the Step Functions orchestrator. The finding includes the affected IAM principal, the external IP, and the GuardDuty confidence score (HIGH).

  2. Ira begins correlating all five layers

    The orchestrator initiates parallel execution of the CloudTrail Agent and VPC Flow Agent, scoped to the affected principal and instance respectively. The Config Agent is also initiated to assess the affected IAM role and instance profile.

  3. Gap 2: CloudTrail shows the role was never used this way before

    CloudTrail shows the IAM user assumed OrganizationAccountAccessRole from a Tor exit node IP — a role it has never assumed before. Two sensitive API calls (DescribeInstances, ListBuckets) followed immediately. The agent returns three correlated signals with HIGH severity.

  4. Gap 3: VPC Flow shows data leaving the environment

    VPC Flow shows 2GB of outbound traffic from the affected EC2 instance to the same external IP over 5 minutes, on port 443. No matching inbound session exists. The agent flags this as a potential data exfiltration pathway.

  5. Gap 4: Config shows the role gained AdminAccess 6 hours prior — unreviewed

    AWS Config history shows a managed policy was attached to the affected instance role 6 hours prior — AdministratorAccess. This drift event was not reviewed. Config Agent classifies this as HIGH severity drift.

  6. Four gaps. One alignment. Score: 94 CRITICAL.

    All sub-agent results converge. Composite risk score: 94 (CRITICAL). Two containment recommendations are generated: (1) Revoke active IAM session for the affected user — risk reduction 87. (2) Detach AdministratorAccess policy from the instance role — risk reduction 72. Both are presented to the operator for approval.

Deployment

Single-tenant, AWS-native, Terraform-provisioned

Your account, your data

Ira deploys entirely within your AWS account. There is no shared data plane, no multi-tenant backend, and no call home. Your telemetry never leaves your account boundary.

IAM-scoped read access

The system uses IAM roles with read-only access scoped to the telemetry sources it analyses. It does not require write access to your environment to generate recommendations.

Terraform-provisioned

The complete infrastructure stack — Lambda functions, Step Functions orchestrator, EventBridge rules, DynamoDB state store — is provisioned via Terraform. Reproducible from a fresh account.

No internet egress required

All API calls are to AWS service endpoints within the same account. VPC endpoints are used where available. No data is transmitted to external services during analysis.

Design Principles

Why Ira is designed to never act alone

The core constraint of Ira's design is this: the agent never takes external actions. Every containment action is presented as a recommendation — a structured, ranked, human-readable output — and requires explicit operator approval before anything in your environment changes.

This is not a limitation of the technology. It is the design. A security system that acts autonomously introduces a new attack surface: the system itself. If an adversary can trigger the agent into taking a containment action, they can use that action as a weapon. Human-in-the-loop is the right architecture for this domain.

The audit trail is equally important. Every analysis Ira runs produces a complete, queryable log: the signals it ingested, the scores it calculated, the recommendations it generated, and — after operator approval — the actions taken. That record exists regardless of whether a recommendation is accepted or rejected.

Get started

See gap alignment in your own environment.

30 minutes. We run Ira across your control layers and walk through what your team would see — from the first signal to the ranked alignment report — and answer every question.