Md Samad
View GitHub
AI / Agentic Cloud Security RAG

CloudGuard AI

Plain-English AWS Security Hub misconfiguration analyzer powered by Claude with ReAct agent reasoning. Looks up the real CVE, pulls the relevant AWS doc, and maps each finding to the compliance standard it violates - CIS, PCI DSS, SOC 2, NIST 800-53, and ISO 27001. Every answer is backed by authoritative citations, not guesses.

5
Compliance Standards
20
Analyses / hr
4
Input Modes
System Design

Architecture

Input Layer Paste finding · Upload JSON · Live AWS Security Hub (boto3) Agent Enrichment Pipeline HIGH / CRITICAL findings only - pre-fetches context before LLM call CVE Lookup AWS Docs Compliance Mapping RAG Layer sentence-transformers · cosine similarity · JSON vector store Claude API - ReAct Analysis Structured JSON output · "senior AWS security engineer" persona · citations Output Risk Profile (0-100) · Remediation Steps · Compliance Tags · Markdown Export
End-to-End

How it works

1
Input - Four Ways to Get a Finding In

Paste raw Security Hub JSON, upload a findings file, select one of the built-in sample findings, or connect directly to a live AWS account. The live mode uses boto3 to pull findings from Security Hub with severity filtering (CRITICAL, HIGH, MEDIUM, LOW) and handles pagination automatically. Per-session credential isolation ensures no server-side credential storage.

2
Agent Enrichment - Pre-fetching Context for HIGH/CRITICAL

For HIGH and CRITICAL severity findings, the agent enrichment pipeline fires before the LLM call. Three tools run: a CVE lookup against NVD for exact vulnerability details, an AWS documentation retriever for the relevant service guide, and a compliance mapper that pulls the specific CIS/NIST/PCI controls. All context is assembled into a single enriched prompt - one LLM call, not a chain of calls.

3
RAG Retrieval - Organizational Context from Past Analyses

sentence-transformers encodes the incoming finding into a dense vector. Cosine similarity search over the JSON vector store retrieves the top-K most similar past analyses from your organization's history. This gives the LLM context about how similar findings have been handled before - making each subsequent analysis better informed than the last.

4
Claude Analysis - Structured Output with Citations

Claude processes the enriched context with a "senior AWS security engineer" persona and a strict JSON output schema: TL;DR summary, severity rating, business impact, step-by-step remediation, compliance tags, and authoritative citations. Structured output prompting enforces the schema - every field is present, every citation links to a real source (AWS docs, NVD CVE entry, or CIS/NIST control). No hallucinated references.

5
Risk Scoring - Confidence-Scaled 0-100 Profile

Each analysis contributes to an organization-level risk profile. The score uses a weighted-average severity formula with a confidence scaling factor - a single CRITICAL finding doesn't falsely push the score to 100 when sample size is small. The analysis is stored back to the JSON vector store automatically, enriching future RAG retrievals. The Risk Profile page tracks trends across scans.

6
Export - Markdown Report with Authoritative References

Every analysis can be exported as a Markdown report that includes the full remediation plan and all citations - formatted for sharing with engineering teams or compliance auditors. Rate limited to 20 analyses per hour per session to manage API costs. The Streamlit UI has four pages: Home, Manual Input, Live AWS Findings, and Risk Profile.

Stack

Technologies

Core
Python 3.11+ Streamlit
LLM / Agent
Claude API ReAct agent pattern Structured output
Cloud
boto3 AWS Security Hub
RAG
sentence-transformers cosine similarity JSON vector store
Compliance
CIS Benchmarks NIST 800-53 PCI DSS SOC 2 ISO 27001
Testing
pytest pytest-mock