Running AWS GuardDuty is easy; closing what it finds before it becomes an incident is the hard part. AgenticOps wires AWS GuardDuty into an autonomous Detect → Analyze → Remediate → Verify loop so cloud security findings get triaged, fixed, and proven closed under your team's policy — with engineers on the loop, not lost in a backlog.
CloudThinker investigates the signal, proposes or executes the safe action your policy allows, then verifies the outcome.
$ cloudthinker remediate --source AWS GuardDuty --finding SEC-4471
Detect AWS GuardDuty · SEC-4471 · CRITICAL · CIS 1.16 / SOC2 CC6.1
IAM role "ci-deploy" has AdministratorAccess (standing)
Root-caused 12 related findings to this one policy
Analyze Reachability: assumable by 3 CI principals
Used actions (90d CloudTrail): 41 of 8,000+ granted
Exploitability: HIGH (broad blast radius, no MFA gate)
Blast radius: 3 pipelines · rollback: policy-version pin
Remediate Plan: replace AdministratorAccess with generated
least-privilege policy scoped to 41 observed actions
Autonomy: L2 (change exceeds auto-apply threshold)
Credentials: brokered, 15-min TTL, sandbox dry-run OK
-> Awaiting approval from engineer on the loop
Verify [after approval] re-scan SEC-4471 ....... CLEARED
12 linked findings ..................... CLEARED
CI smoke test (3 pipelines) ............ PASS
Audit: signed, mapped to SOC2 CC6.1 evidenceAWS GuardDuty finding analysis, detector management, suppression rule review, and member account oversight. Covers threat detection summary, finding severity distribution, finding type breakdown, trusted IP lists, and organization-wide security posture.
More automations in the same category.
Connect CloudThinker to map the signals, tools, and runbooks already in your environment. You choose the approval level; every action stays attributable and auditable.