Full Feature Set

Built for AWS security teams

Threat Reaction covers the full lifecycle — detection, classification, configuration, and response — without any third-party dependencies.

Feature list

GuardDuty Threat Management

Core

Full coverage of AWS GuardDuty finding types. Enable or disable individual finding types and assign a BLOCK or REPORT action to each. Changes take effect immediately across your AWS environment.

  • All GuardDuty finding types supported
  • Per-finding enable/disable toggles
  • BLOCK or REPORT action per finding
  • Severity classification surfaced in the UI

S3 Data Exfiltration Detection

Detection

A sliding-window anomaly detector continuously evaluates S3 access patterns. Unusual spikes in object reads or cross-account access trigger findings without relying on GuardDuty's S3 protection tier.

  • Sliding-window analysis on S3 events
  • Anomaly scoring against a rolling baseline
  • Cross-account access pattern detection
  • Configurable sensitivity thresholds
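An added illustration of the sliding-window scoring described above, written for this page and not taken from the Threat Reaction code base: it runs over constructed S3 GetObject events, compares each actor's reads in the current window against a rolling baseline of prior windows, and flags cross-account reads separately. The window length, baseline depth, threshold and minimum-event floor are assumed values, not the product's defaults.

```python
from collections import defaultdict, deque

# Constructed S3 data-event tuples (not real CloudTrail records):
# (timestamp_s, actor_account, bucket_owner_account, event_name)
SAMPLE_EVENTS = (
    [(t, "111111111111", "111111111111", "GetObject") for t in range(0, 600, 30)]  # steady: 2 reads/min
    + [(600 + i, "111111111111", "111111111111", "GetObject") for i in range(40)]  # burst: 40 reads in 40 s
    + [(700, "222222222222", "111111111111", "GetObject")]                         # cross-account read
)

WINDOW = 60            # sliding window length in seconds (assumed)
BASELINE_WINDOWS = 5   # prior windows that form the rolling baseline (assumed)
THRESHOLD = 4.0        # assumed sensitivity: current rate must reach 4x the baseline
MIN_EVENTS = 10        # assumed floor so a quiet actor's first few reads never fire

def evaluate(events, window=WINDOW, baseline_windows=BASELINE_WINDOWS,
             threshold=THRESHOLD, min_events=MIN_EVENTS):
    """Return one finding dict per detection; events must be ordered by timestamp."""
    history = defaultdict(deque)  # actor -> timestamps within the baseline horizon
    fired = {}                    # actor -> timestamp of last ReadSpike, for dedupe
    findings = []
    horizon = (baseline_windows + 1) * window
    for ts, actor, owner, name in events:
        if name != "GetObject":
            continue
        if actor != owner:  # principal's account differs from the bucket owner's
            findings.append({"type": "CrossAccountRead", "actor": actor,
                             "owner": owner, "ts": ts})
        q = history[actor]
        q.append(ts)
        while q and q[0] <= ts - horizon:  # drop events older than the baseline horizon
            q.popleft()
        current = sum(1 for t in q if t > ts - window)   # reads in the sliding window
        prior = len(q) - current                         # reads in the baseline windows
        baseline = prior / baseline_windows              # mean reads per prior window
        score = current / baseline if baseline else float("inf")
        last = fired.get(actor)
        if (current >= min_events and score >= threshold
                and (last is None or ts >= last + window)):
            fired[actor] = ts
            findings.append({"type": "ReadSpike", "actor": actor, "ts": ts, "current": current,
                             "baseline": baseline, "score": round(score, 1)})
    return findings

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
```

The steady 2-reads-per-minute phase alone produces no finding; the burst trips a single ReadSpike at the tenth read of the window (score 5.0 against a baseline of 2.0), and the read from the other account is reported as CrossAccountRead.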

Ransomware-Like Behavior Detection

Detection

Identifies early indicators of ransomware campaigns in your AWS environment: mass object encryption, unusual IAM credential use, and access pattern deviations that precede data destruction.

  • Mass S3 object encryption detection
  • Unusual IAM credential use patterns
  • Correlated multi-signal detection
  • Configurable action (BLOCK / REPORT)

Real-Time Event Pipeline

Infrastructure

GuardDuty findings and S3 events are ingested via EventBridge and processed by a Python Lambda in near real time. The result is a live event feed with full actor and resource context.

  • EventBridge-native ingestion
  • Sub-2-second end-to-end latency
  • Actor IP, location, and ASN enrichment
  • Full resource details per event

Fully Self-Hosted on AWS

Architecture

Every component is deployed into your own AWS account via a single CloudFormation template. No data ever leaves your perimeter. No vendor has access to your findings.

  • One-command CloudFormation deploy
  • All resources in your VPC and account
  • CloudFront + S3 for static frontend
  • API Gateway + Lambda backend

Zero Trust Authentication

Security

Access to the dashboard requires a Cognito account with mandatory TOTP MFA. Sessions are short-lived (5 minutes of inactivity). Self-signup is disabled — only admin-provisioned accounts can log in.

  • Mandatory TOTP MFA for all users
  • 5-minute session inactivity timeout
  • Admin-only account provisioning
  • JWT-validated API Gateway authorizer

Configurable Threat Actions

Control

Each threat type can be individually tuned. Assign BLOCK for automated enforcement or REPORT for observation-only mode — giving you the flexibility to roll out responses incrementally.

  • BLOCK: automated enforcement action
  • REPORT: passive monitoring mode
  • Per-finding-type granularity
  • Instant configuration propagation

Events Dashboard

Visibility

A real-time events feed shows all processed findings with full context: actor details, resource identifiers, geographic location, severity, and timestamps.

  • Live event stream with auto-refresh
  • Actor IP, location, and ASN details
  • Resource identifiers and service context
  • Ignore, save, or revoke events

Serverless — Pay Per Use

Cost

Built entirely on AWS serverless primitives: Lambda, DynamoDB, API Gateway, and SQS. You pay only for actual usage. Idle time costs nothing.

  • Lambda-based processing (Python 3.12)
  • DynamoDB single-table design
  • SQS batching for S3 events
  • No always-on compute costs

Architecture at a glance

All serverless. All in your account. One CloudFormation template.

  • CloudFront + S3: Frontend delivery with OAC
  • Cognito: Auth with mandatory MFA
  • API Gateway v2: HTTP API with JWT authorizer
  • Lambda (×5): Python 3.12 functions
  • DynamoDB: Single-table event store
  • EventBridge: GuardDuty event routing

Ready to take control?

Deploy Threat Reaction into your AWS account today and start reacting to threats — not incidents.

Get in Touch