Skip to main content
Kestrel monitors your AWS and OCI cloud accounts for security events, misconfigurations, and anomalous activity. When an incident is detected — an IAM policy violation, an S3 bucket made public, a VPC route change, a database misconfiguration — Kestrel runs root cause analysis and generates Terraform, CloudFormation, Pulumi, or CLI fixes.

Prerequisites

AWS Account

Connect an AWS account with CloudTrail enabled.

OCI Tenancy

Connect an OCI tenancy with Audit logging enabled.

Slack (optional)

Receive cloud incident notifications in your team’s channels.

PagerDuty (optional)

Route cloud incidents to your on-call team.

GitHub / GitLab (optional)

Enable IaC remediation workflows with PR-based fixes.

How Detection Works

AWS

Kestrel analyzes your AWS environment through:
  • CloudTrail events — API call analysis for IAM changes, security group modifications, S3 policy changes, VPC route changes, KMS key operations, Secrets Manager events, and other security-relevant actions
  • Resource monitoring — Continuous assessment of EC2 instances, S3 buckets, RDS databases, DynamoDB tables, Lambda functions, ECS/EKS containers, and other AWS resources
  • VPC Flow Logs — Ingestion and analysis of network traffic patterns from VPC Flow Logs in CloudWatch for detecting suspicious traffic, unauthorized access attempts, and network anomalies
  • CloudWatch Alarms — Integration with CloudWatch alarms for metric-based incident detection
  • Cost anomalies — Detection of unusual spend patterns across services and accounts via AWS Cost Anomaly Detection
  • AWS Config — Monitoring for compliance rule violations across your resources
  • Security Hub — Integration with AWS Security Hub for aggregated security findings
  • PagerDuty signals — If PagerDuty is connected, Kestrel enriches PagerDuty alerts with cloud context and AI analysis

OCI

Kestrel analyzes your OCI environment through:
  • Audit log events — API call analysis for IAM policy changes, compartment modifications, network security changes, and other security-relevant actions
  • Cloud Guard problems — Integration with OCI Cloud Guard for threat detection
  • VCN Flow Logs — Ingestion and analysis of network traffic from VCN Flow Logs for detecting suspicious traffic patterns and network anomalies
  • Resource monitoring — Continuous assessment of compute instances, object storage buckets, databases, networking configurations, load balancers, and DNS records

Root Cause Analysis

When a cloud incident is detected, Kestrel’s AI investigates:
  1. API event history — The sequence of CloudTrail or OCI Audit events that led to the incident
  2. Resource configuration — Current and previous state of the affected resource
  3. IAM context — Who performed the action, what role they assumed, and whether it was authorized
  4. Network context — VPC/VCN, subnet, security group, and route table configurations
  5. Network traffic — VPC/VCN Flow Logs analysis for suspicious traffic patterns related to the incident
  6. Knowledge sources (if connected) — Historical incidents, runbooks, and organizational context from Confluence, Jira, Slack, Glean, or Linear
The AI produces:
  • Investigation summary — What happened, who was involved, and the blast radius
  • Root cause — The specific API call or configuration change that caused the incident
  • Timeline — Chronological sequence of events with timestamps and principals
  • Affected resources — All cloud resources impacted
  • Severity assessment — Severity and potential downstream impact

Fix Generation

Kestrel generates infrastructure-as-code fixes for cloud incidents. The fix format depends on your infrastructure tooling:
Fix TypeDescription
TerraformHCL resource definitions ready to apply or commit
CloudFormationCloudFormation template changes
PulumiPulumi code changes
AWS CLIAWS CLI commands to remediate the issue directly
OCI CLIOCI CLI commands for OCI resource remediation
Each fix includes:
  • Diff view — Before and after comparison of the resource configuration
  • Explanation — Why this change resolves the issue
  • Apply options — Create a PR to your IaC repository, apply directly via CLI, or copy to apply manually

IaC Remediation Workflow

When a GitHub or GitLab integration is connected along with an IaC repository configuration, Kestrel can open pull requests with IaC fixes directly in your infrastructure repository:
1

Incident detected

Kestrel detects a cloud security event (e.g., S3 bucket made public).
2

AI generates fix

Root cause analysis runs and a Terraform/CloudFormation/Pulumi fix is generated.
3

PR created

Kestrel opens a pull request in your configured IaC repository with the fix, targeting the exact file managing the resource.
4

Review and merge

Your team reviews the PR. Merging applies the fix through your existing GitOps pipeline.
Configure IaC repositories from Integrations → CI/CD by selecting your connected GitHub or GitLab repo, the IaC type (Terraform, CloudFormation, or Pulumi), and the target directory.

Cloud Incident Types

AWS — Security & Identity

TypeDescription
IAM CompromisePotential IAM credential compromise detected
IAM Policy ViolationIAM policy change that violates security best practices
IAM Role AbuseSuspicious IAM role assumption patterns
Unauthorized AccessAPI calls from unauthorized principals
Credential LeakExposed credentials detected
Privilege EscalationAttempt to escalate IAM privileges
Root Account ActivityAWS root account used (critical security event)
KMS Key CompromiseKMS key deletion, disabling, or policy change
Secrets Manager EventSecret deletion, policy changes, or rotation changes
Security Hub FindingHigh or critical findings from AWS Security Hub
Config Compliance ViolationAWS Config rule non-compliance

AWS — Storage

TypeDescription
S3 Public AccessS3 bucket or object made publicly accessible
S3 Policy ModificationBucket policy changed in a security-relevant way
S3 Data ExfiltrationUnusual data access patterns on S3 objects
S3 Encryption DisabledBucket encryption configuration removed or weakened

AWS — Compute & Containers

TypeDescription
EC2 AnomalyUnusual EC2 instance behavior
EC2 Instance CompromisePotential EC2 instance compromise
EC2 Unauthorized AccessUnauthorized access to EC2 instances
Lambda Function IssueLambda function errors, configuration changes, or permission issues
ECS/EKS Container IssueContainer service task failures, cluster changes, or deployment issues

AWS — Database

TypeDescription
RDS Database IssueRDS database deletion, snapshot exposure, configuration changes, or security group modifications
DynamoDB IssueDynamoDB table deletion, backup issues, or policy changes

AWS — Network & VPC

TypeDescription
Security Group ModificationSecurity group rules changed
VPC ModificationVPC configuration changed
VPC Route ChangeRoute table entry added, modified, or deleted
VPC Route Table ChangeRoute table associated or disassociated
VPC Flow Logs DisabledVPC Flow Logs disabled
VPC Peering ChangeVPC peering connection modified
VPC Gateway ChangeInternet or NAT gateway configuration changed
VPC Subnet ChangeSubnet configuration changed
VPC DeletionVPC deleted
Network Traffic AnomalyUnusual network traffic patterns detected via VPC Flow Logs
Network Traffic BlockedTraffic blocked by security groups or NACLs

AWS — Service Health & Operations

TypeDescription
Service Health DegradationDegraded performance of AWS services
API ThrottlingAPI throttling across AWS services
Resource ExhaustionService limit or quota exhaustion
CloudWatch AlarmCloudWatch alarm entered ALARM state
Application Log ErrorsApplication errors detected in CloudWatch Logs

AWS — Cost & Billing

TypeDescription
Cost Anomaly DetectedAWS Cost Anomaly Detection identified unexpected spend increases
Budget Threshold ExceededAWS Budget threshold breached

OCI — IAM & Access

TypeDescription
OCI IAM CompromisePotential OCI IAM compromise detected
OCI IAM User ChangeIAM user created, modified, or deleted
OCI IAM Group ChangeIAM group membership changed
OCI Dynamic Group ChangeDynamic group matching rules changed
OCI Policy ChangeOCI IAM policy statement modified
OCI Compartment ChangeCompartment created, moved, or deleted
OCI Credential ChangeAPI key or auth token modified
OCI Privilege EscalationPrivilege escalation attempt detected
OCI IAM Security ChangeGeneral IAM security configuration change

OCI — Network

TypeDescription
OCI Security List ChangeSecurity list ingress/egress rules changed
OCI Network Security Group ChangeNetwork security group rules modified
OCI VCN ChangeVCN configuration changed
OCI Subnet ChangeSubnet configuration modified
OCI Route Table ChangeRoute table rules changed
OCI Internet Gateway ChangeInternet gateway created or modified
OCI NAT Gateway ChangeNAT gateway configuration changed
OCI Service Gateway ChangeService gateway configuration changed
OCI Load Balancer ChangeLoad balancer configuration modified
OCI Network Load Balancer ChangeNetwork load balancer modified
OCI DRG ChangeDynamic Routing Gateway modified
OCI DRG Attachment ChangeDRG attachment modified
OCI Local Peering Gateway ChangeLocal peering gateway modified
OCI Remote Peering Connection ChangeRemote peering connection modified
OCI Public IP ChangePublic IP address changed
OCI Private IP ChangePrivate IP address changed
OCI VNIC ChangeVirtual NIC configuration changed
OCI DHCP Options ChangeDHCP options modified
OCI WAF ChangeWeb Application Firewall configuration changed
OCI DNS ChangeDNS zone or record modified
OCI API Gateway ChangeAPI Gateway configuration changed
OCI Network Security ChangeGeneral network security configuration change

OCI — Storage

TypeDescription
OCI Bucket Public AccessObject Storage bucket made publicly accessible
OCI Bucket Policy ChangeBucket policy modified
OCI Object Storage ChangeObject Storage configuration changed

OCI — Compute

TypeDescription
OCI Compute AnomalyUnusual compute instance behavior
OCI Console ConnectionConsole connection to a compute instance

OCI — Database & KMS

TypeDescription
OCI Database Security ChangeDatabase security configuration changed
OCI KMS Key CompromisePotential KMS key compromise
OCI KMS Security ChangeKMS vault or key security configuration changed

OCI — Logging & Cloud Guard

TypeDescription
OCI Logging TamperingAudit or logging configuration tampered with
OCI Cloud Guard ProblemCloud Guard detected a security problem

Custom Workflows

Build custom cloud incident response workflows that trigger on cloud events. For example:
  • Notify a security channel when an S3 bucket is made public
  • Auto-create a Jira ticket for every IAM policy violation
  • Escalate VPC route changes to PagerDuty during change-freeze windows
  • Run a custom remediation script when a Security Hub finding is detected
See Workflows to build custom cloud incident response automation.

Next Steps