Cost Estimation
Threat Reaction runs on pay-per-use AWS services. For most organizations, monthly costs are well under $10 — often within the AWS Free Tier. Below is a breakdown of each service and the factors that drive cost.
Overview
All costs scale with your GuardDuty finding volume and S3 event volume. A typical small-to-medium AWS environment (50–500 GuardDuty findings per day, moderate S3 usage) runs Threat Reaction for $2–8 / month excluding the GuardDuty service itself.
Note: GuardDuty pricing is separate and based on data volume analyzed (VPC flow logs, DNS logs, CloudTrail). GuardDuty typically costs $20–$200/month for a small organization depending on the services monitored. Check the GuardDuty pricing page for current rates.
AWS Lambda
Five Lambda functions run on-demand. The bulk of invocations come from the EventsProcessor handling GuardDuty findings and SQS messages.
| Function | Trigger | Estimated monthly calls |
|---|---|---|
| EventsProcessor | EventBridge + SQS | = GuardDuty finding count + S3 events |
| FindingsAPI | API Gateway (user actions) | 100–5,000 |
| LicenseValidator | API Gateway (per request) | Same as FindingsAPI |
| ActionsProcessor | On containment action | Low (0–100) |
| DeployAndSeed | CloudFormation (once) | 1 per deployment |
AWS Free Tier includes 1M Lambda invocations and 400,000 GB-seconds per month. Threat Reaction stays within the free tier for most environments. Estimated cost above free tier: $0.10–$0.50/month.
Amazon DynamoDB
Single table, on-demand capacity mode. Reads/writes scale directly with finding volume. TTL is used to expire old event records automatically at no charge.
- Free Tier: 25 GB storage, 200M requests/month.
- Typical usage: 5–50 MB storage, 500K–5M requests/month.
- Estimated cost: $0–$2/month for most organizations.
Amazon API Gateway (HTTP API v2)
HTTP API v2 is ~70% cheaper than REST API. Pricing is $1.00 per million API calls received.
- Free Tier: 1M HTTP API calls/month for 12 months.
- Typical usage: 10K–500K calls/month (dominated by the SPA polling the API).
- Estimated cost: $0–$0.50/month.
Amazon CloudFront
Serves the Svelte SPA. The SPA is cached aggressively; most user sessions require only a handful of origin requests.
- Free Tier: 1 TB data transfer out + 10M HTTP requests/month (always free).
- Typical usage: well within the always-free tier for a small team.
- Estimated cost: $0/month for most teams.
Amazon SQS
Used for S3 data event batching. Pricing is $0.40 per million requests.
- Free Tier: 1M SQS requests/month (always free).
- Estimated cost: $0–$0.50/month even at high S3 event volume.
Amazon SNS
Used for outbound notifications. Pricing: $0.50 per million publishes, plus delivery fees per channel (email: $2.00/100K, HTTP: $0.60/million).
- Free Tier: 1M publishes + 1,000 email deliveries/month.
- Estimated cost: $0/month for typical alert volumes.
Amazon Cognito
Used for management UI authentication. Pricing is per monthly active user (MAU).
- Free Tier: 50,000 MAUs/month.
- Threat Reaction typically has 1–10 admin users.
- Estimated cost: $0/month.
Amazon S3 (Storage)
Two buckets: the SPA bucket (a few MB, static assets) and the findings export bucket (used only when the SAVE action is configured).
- Free Tier: 5 GB storage, 20K GET requests, 2K PUT requests/month.
- Estimated cost: $0/month for most deployments.
- If SAVE action exports many large findings, S3 costs scale with export volume at $0.023/GB.
Total Monthly Estimate
| Scenario | Estimated monthly cost |
|---|---|
| Small environment (<500 findings/day) | $0–$2 / month |
| High volume (>10,000 findings/day) with S3 anomaly detection | $8–$20 / month |
These are Threat Reaction infrastructure costs only and do not include the GuardDuty service fee, which varies based on the volume of logs analyzed.
💡 Tip
Use the AWS Cost Explorer and set a billing alarm (e.g., $20/month) when you first deploy. The alarm ensures unexpected cost spikes — perhaps from a misconfigured CloudTrail data event setting — are caught immediately.
ℹ️ Note
AWS Free Tier limits reset monthly. New AWS accounts get 12 months of Free Tier on most services, during which Threat Reaction effectively costs $0.
⚠️ Warning
CloudTrail data events (needed for S3 anomaly detection) can be expensive if you have high-volume buckets. Data events are priced at $0.10 per 100,000 events — monitor CloudTrail costs separately from Threat Reaction costs.