CloudGuard AI
Plain-English AWS Security Hub misconfiguration analyzer powered by Claude with ReAct agent reasoning. Looks up the real CVE, pulls the relevant AWS doc, and maps each finding to the compliance standard it violates - CIS, PCI DSS, SOC 2, NIST 800-53, and ISO 27001. Every answer is backed by authoritative citations, not guesses.
Architecture
How it works
Paste raw Security Hub JSON, upload a findings file, select one of the built-in sample findings, or connect directly to a live AWS account. The live mode uses boto3 to pull findings from Security Hub with severity filtering (CRITICAL, HIGH, MEDIUM, LOW) and handles pagination automatically. Per-session credential isolation ensures no server-side credential storage.
For HIGH and CRITICAL severity findings, the agent enrichment pipeline fires before the LLM call. Three tools run: a CVE lookup against NVD for exact vulnerability details, an AWS documentation retriever for the relevant service guide, and a compliance mapper that pulls the specific CIS/NIST/PCI controls. All context is assembled into a single enriched prompt - one LLM call, not a chain of calls.
sentence-transformers encodes the incoming finding into a dense vector. Cosine similarity search over the JSON vector store retrieves the top-K most similar past analyses from your organization's history. This gives the LLM context about how similar findings have been handled before - making each subsequent analysis better informed than the last.
Claude processes the enriched context with a "senior AWS security engineer" persona and a strict JSON output schema: TL;DR summary, severity rating, business impact, step-by-step remediation, compliance tags, and authoritative citations. Structured output prompting enforces the schema - every field is present, every citation links to a real source (AWS docs, NVD CVE entry, or CIS/NIST control). No hallucinated references.
Each analysis contributes to an organization-level risk profile. The score uses a weighted-average severity formula with a confidence scaling factor - a single CRITICAL finding doesn't falsely push the score to 100 when sample size is small. The analysis is stored back to the JSON vector store automatically, enriching future RAG retrievals. The Risk Profile page tracks trends across scans.
Every analysis can be exported as a Markdown report that includes the full remediation plan and all citations - formatted for sharing with engineering teams or compliance auditors. Rate limited to 20 analyses per hour per session to manage API costs. The Streamlit UI has four pages: Home, Manual Input, Live AWS Findings, and Risk Profile.