Scan. Understand. Fix.
In minutes, not days.
Remedi is an autonomous security agent that audits your AWS account across 8 services, explains every finding in plain English, and fixes everything automatically — after you approve.
The problem
Most AWS accounts are misconfigured from day one
IAM users with admin access, public S3 buckets, security groups open to the world, databases reachable from the internet — these aren't rare edge cases. They're the default state of accounts that grew without a security process.
Security audits are expensive, slow, and produce reports that sit unread. Remedi replaces that cycle with a fully automated agent that finds issues and fixes them in a single session.
of cloud breaches involve misconfiguration
average days to identify a cloud breach
average cost of a cloud data breach in 2024
time for Remedi to audit and fix your account
How it works
Five stages, fully automated
Parallel discovery
LangGraph + ThreadPoolExecutor
Eight specialist sub-agents fire simultaneously — one per AWS service. Each runs its own tool-call loop against live AWS APIs via boto3. Because they run in parallel rather than sequentially, the full audit takes only as long as the slowest single service.
Structured report
Gemini 3.0 Flash
A report generator synthesises all findings into a structured remediation plan. Every finding maps to a specific tool call. The report uses a strict machine-readable format so the remediator can parse it without an additional LLM call.
Human approval gate
Hard interrupt — no auto-proceed
The agent pauses. You see every finding explained in plain English with a risk description pulled from the live scan. You approve or skip each fix individually — or approve all at once. Nothing is changed without your explicit sign-off.
Parallel remediation
MCP protocol over stdio
Only the fixes you approved are executed, in parallel. Each tool call goes through a dedicated MCP server running as a subprocess — a clean boundary between the agent and the AWS API layer. Progress streams to your dashboard in real time.
Verification pass
Post-remediation audit
After remediation, a verifier re-audits only the resources that were changed. It confirms each fix held — no regressions, no half-applied remediations. The scan is only marked complete when every fix is verified.
Coverage
8 AWS services, fully automated
Every service is audited and remediated by a dedicated specialist agent.
IAM
Flags users with AdministratorAccess or PowerUserAccess.
Detaches all policies, removes from groups, applies ReadOnlyAccess.
S3
Checks all buckets for missing or incomplete public access blocks.
Enables all four public access block settings on the vulnerable bucket.
VPC
Checks every VPC for disabled flow logs.
Creates a CloudWatch log group and an IAM role (AegisFlowLogRole), then enables flow logs. Both resources persist in your account — the role is required for flow logs to keep delivering.
Security groups
Flags any inbound rule allowing 0.0.0.0/0 on any port.
Revokes the offending ingress rule — leaves all other rules intact.
EC2
Flags instances with IMDSv1 enabled or unencrypted root volumes.
Enforces IMDSv2 via metadata options. Instances with unencrypted root volumes are hard-stopped as a quarantine measure — running workloads on those instances will be interrupted.
RDS
Flags any RDS instance with PubliclyAccessible set to true.
Sets PubliclyAccessible to false — no data is touched.
Lambda
Checks execution role policies for AdministratorAccess or wildcard Action.
Detaches over-permissioned policies from the execution role.
CloudTrail
Flags accounts with no trails, or trails with logging disabled.
Creates a trail named remedi-audit-trail and a dedicated S3 bucket for log delivery. Both persist after the scan. The S3 bucket will accumulate CloudTrail log files over time.
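The security-group check and its narrow revoke, as an added example that is not Remedi's code: it works on the response shape of boto3's `ec2.describe_security_groups()` and builds the kwargs for `ec2.revoke_security_group_ingress()`, using a constructed group so it runs without AWS access. It goes one step beyond the page by also treating `::/0` as world-open, and it shows why the revoke must name only the offending CIDR rather than the whole rule.

```python
# Added example, not Remedi's own code. It mirrors the boto3 response shape of
# ec2.describe_security_groups() and the kwargs of ec2.revoke_security_group_ingress(),
# using a constructed security group so it runs without AWS access.
from typing import Any

# The page flags 0.0.0.0/0; ::/0 is the IPv6 equivalent and is checked as well.
WORLD_OPEN = {"0.0.0.0/0", "::/0"}

# Constructed sample: port 22 is open to a private range AND to the world,
# port 443 is open to the world, UDP 53 is private only.
SAMPLE_GROUP: dict[str, Any] = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
         "IpRanges": [{"CidrIp": "192.168.0.0/16"}], "Ipv6Ranges": []},
    ],
}


def find_open_ingress(group: dict[str, Any]) -> list[dict[str, Any]]:
    """One finding per world-open range in the group's inbound rules, on any port."""
    findings = []
    for perm in group.get("IpPermissions", []):
        ranges = [(r["CidrIp"], "IpRanges", "CidrIp") for r in perm.get("IpRanges", [])]
        ranges += [(r["CidrIpv6"], "Ipv6Ranges", "CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        for cidr, list_key, cidr_key in ranges:
            if cidr in WORLD_OPEN:
                findings.append({
                    "GroupId": group["GroupId"], "IpProtocol": perm["IpProtocol"],
                    # All-traffic rules (IpProtocol "-1") carry no port keys.
                    "FromPort": perm.get("FromPort"), "ToPort": perm.get("ToPort"),
                    "ListKey": list_key, "CidrKey": cidr_key, "Cidr": cidr,
                })
    return findings


def revoke_args(finding: dict[str, Any]) -> dict[str, Any]:
    """kwargs for revoke_security_group_ingress that remove ONLY the offending range.

    Sending the whole IpPermissions entry back would also revoke the private
    ranges sharing that rule; the page promises to leave those intact.
    """
    perm: dict[str, Any] = {"IpProtocol": finding["IpProtocol"]}
    if finding["FromPort"] is not None:
        perm["FromPort"], perm["ToPort"] = finding["FromPort"], finding["ToPort"]
    perm[finding["ListKey"]] = [{finding["CidrKey"]: finding["Cidr"]}]
    return {"GroupId": finding["GroupId"], "IpPermissions": [perm]}
```

Against a live account, iterate over `ec2.describe_security_groups()["SecurityGroups"]` and pass each `revoke_args(...)` result to `ec2.revoke_security_group_ingress(**kwargs)` only after the approval gate.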
Security model
Your credentials, handled correctly
Encrypted at rest
AWS credentials are encrypted with AES-256 (Fernet) before being written to the database. The encryption key is stored separately in the environment — never alongside the data.
Auto-expire after 30 minutes
A background job checks every 5 minutes and deletes credentials that haven't been used in 30 minutes. Inactivity means automatic revocation — no manual cleanup required.
Deleted on sign-out
Signing out immediately deletes your credentials from the database before the Clerk session is cleared. There is no retention window — they're gone the moment you leave.
Least-privilege IAM user
The CloudFormation template creates a purpose-built IAM user with only the specific actions Remedi needs. No AdministratorAccess, no wildcards beyond what each operation requires.
Credential user auto-protected
Remedi calls STS GetCallerIdentity on every scan to identify whose credentials it's running with. That user is automatically added to the protected list — Remedi will never lock you out.
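The protected-caller rule combined with the IAM admin check from the Coverage section, as an added example that is not Remedi's code: it parses the ARN returned by `sts.get_caller_identity()` into a protected user name, then flags admin-level users and builds the detach/attach calls the page describes, skipping the scanning user. All AWS responses are constructed; group removal is left out because the sample carries no group data.

```python
# Added example, not Remedi's own code. It turns the caller identity from
# sts.get_caller_identity() into a protected user so the IAM remediation never
# targets its own credentials; all AWS responses below are constructed.
from typing import Any, Optional

ADMIN_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/PowerUserAccess",
}
READ_ONLY_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"

# Constructed: the user Remedi is running as, which itself holds admin rights.
CALLER = {"UserId": "AIDAEXAMPLE", "Account": "123456789012",
          "Arn": "arn:aws:iam::123456789012:user/remedi-scanner"}

# Constructed: user -> attached managed policy ARNs
# (iam.list_users() plus iam.list_attached_user_policies() per user).
USER_POLICIES = {
    "alice": ["arn:aws:iam::aws:policy/AdministratorAccess"],
    "bob": [READ_ONLY_ARN],
    "remedi-scanner": ["arn:aws:iam::aws:policy/AdministratorAccess"],
    "ci-deploy": ["arn:aws:iam::aws:policy/PowerUserAccess"],
}


def protected_user_from_arn(arn: str) -> Optional[str]:
    """User name from a caller ARN (arn:aws:iam::<acct>:user/<path/>name), else None."""
    resource = arn.rpartition(":")[2]
    kind, _, name = resource.partition("/")
    if kind != "user" or not name:
        return None  # assumed-role sessions are not IAM users; nothing to protect
    return name.rsplit("/", 1)[-1]  # drop path components


def flag_admin_users(user_policies: dict[str, list[str]], protected: set[str]) -> list[dict[str, Any]]:
    """One finding per user holding an admin-level policy, skipping protected users."""
    findings = []
    for user, arns in sorted(user_policies.items()):
        hits = sorted(set(arns) & ADMIN_POLICY_ARNS)
        if hits and user not in protected:
            # Each finding maps to the concrete IAM calls the remediator would issue
            # (group removal omitted here: it needs iam.list_groups_for_user data).
            plan = [("detach_user_policy", {"UserName": user, "PolicyArn": a}) for a in arns]
            plan.append(("attach_user_policy", {"UserName": user, "PolicyArn": READ_ONLY_ARN}))
            findings.append({"User": user, "Policies": hits, "Plan": plan})
    return findings


def audit(caller: dict[str, Any], user_policies: dict[str, list[str]]) -> list[dict[str, Any]]:
    """Protect the scanning user first, then flag everyone else with admin rights."""
    name = protected_user_from_arn(caller["Arn"])
    return flag_admin_users(user_policies, {name} if name else set())
```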
Human approval is a hard gate
The agent process literally blocks on stdin — it cannot proceed without a signal from your browser. There is no timeout, no fallback, no auto-approve. The graph is frozen until you act.
Technical architecture
Built on modern AI infrastructure
LangGraph
Agent orchestration with persistent graph state, human-in-the-loop interrupts, and parallel node execution. Each scan gets its own thread — no state bleed between concurrent users.
Gemini 3.0 Flash
Powers all LLM calls — audit analysis, report synthesis, and verification. Flash provides the latency profile required for real-time streaming without sacrificing reasoning quality.
Model Context Protocol (MCP)
All AWS API calls live in a dedicated MCP server subprocess. The agent communicates via JSON-RPC over stdio — a clean boundary that keeps tool execution separate from agent logic.
FastAPI + streaming
The backend serves a StreamingResponse for each scan — the frontend reads it line by line. Structured events prefixed with [SCAN], [EXEC], and [ACTION_REQUIRED] drive the real-time UI without WebSockets.
Next.js 15 + Clerk
App Router frontend with Clerk JWT authentication. Every API call carries a signed JWT verified by the backend against Clerk's JWKS endpoint. No session cookies, no server state.
PostgreSQL on Railway
Scan history, remediation logs, compliance check statuses, and encrypted credentials all live in a single Postgres instance. Schema migrations run on startup via ALTER TABLE IF NOT EXISTS.
Ready to secure your account?
Connect your AWS account in 2 minutes. The first scan is free and finds issues most teams don't know they have.
Get started free