
Why GuardKite

Most AWS teams already have something watching their account — AWS Config, Security Hub, GuardDuty, IAM Access Analyzer, third-party CSPM tools, homegrown scripts. The question isn't whether you can see your security state. It's whether you can see it clearly enough to act, and whether what you pay is proportional to the value.

GuardKite is built for teams whose answer to those questions is "no" or "not really."

What you get

Security posture findings without the AWS Config bill. AWS Config charges per configuration item recorded and per evaluation — a non-trivial line on the AWS bill that grows with your resource count. GuardKite reads configuration directly through standard AWS APIs and runs its own evaluations, with no dependency on Config.

Identity risk that's actionable. Native AWS tools fragment the signal across Access Analyzer, IAM Access Advisor, and Trusted Advisor. GuardKite's IAM Risk view brings the signals together per principal: admin and wildcard permissions, services with access but no usage, identities idle for months, and escalation paths between identities.

Attack paths, not just findings. A finding tells you a resource is misconfigured. An attack path tells you that resource is reachable from the internet and connected to something sensitive — and the single change that would break the chain. GuardKite ranks fixes by how many paths each would close, so remediation effort goes where it eliminates the most risk.

One simple access model. Read-only IAM role, daily automatic scans. No agents, no per-resource pricing, no event-stream plumbing.

What's out of scope

GuardKite is a security posture and risk management product. It is not:

  • A runtime threat-detection service. GuardDuty, CloudTrail-based detection, and SIEMs cover that ground.
  • A vulnerability scanner for application code or container images. Inspector and dedicated SAST/SCA tools do that job.
  • A data-classification service. Macie classifies sensitive data inside S3 objects; GuardKite reads bucket configuration, not contents.
  • A response or automation platform. GuardKite tells you what's wrong and how to fix it; the fix happens in your normal change-management process.

For the AWS-native services covering these areas — GuardDuty, Inspector, Macie, and others — GuardKite surfaces findings when they aren't enabled, or when key protections within them are turned off (Inspector EC2 or ECR scanning, GuardDuty malware and runtime protection, and so on). GuardKite doesn't replicate what those services do; it makes sure you know when one of them isn't on for an area where it should be.

How it compares to AWS Config and Security Hub

The short version: GuardKite covers the security-posture ground those services cover, evaluates configuration directly through AWS APIs, and surfaces results in its own UI. It doesn't depend on either being enabled in your account. If you're paying for Config or Security Hub primarily for security findings, GuardKite is intended to replace that line item.

Next steps