C6 SecOps AI Agent - 24/7 Resident SecOps AI Agent on AWS
C6 SecOps AI Agent is a 24/7 resident security operations agent deployed on AWS that automates security event analysis, triage, escalation and defence.
The AI agent runs continuously, analysing security alerts for my web application and providing real-time investigation and response. I hope this capability helps more AWS customers receive round-the-clock security alert analysis and automatic block-list updates.
Login information has been provided to the judging panel so they can sign in and view live attack and analysis data.
Core AWS Cloud Technologies
| Layer | Key Technologies | Description |
|---|---|---|
| AI Layer | Amazon Bedrock (Nova Micro) | Foundation model for intelligent security analysis. |
| AI Layer | Bedrock AgentCore Runtime | Manages the custom SecOps Agent logic. |
| AI Layer | Bedrock AgentCore Gateway | Securely exposes agent functionalities for Lambda calls. |
| AI Layer | Strands SDK | Python framework used for agent orchestration and complex workflows. |
| AI Layer | AWS CodeBuild, Amazon ECR | Used for building and hosting the custom agent runtime container. |
| Database Layer | Amazon RDS (PostgreSQL) | Managed relational database for persistent storage of WAF events, analysis jobs, and escalations. |
| Application Layer | Amazon S3, Amazon CloudFront | S3 hosts the static frontend application (SPA); CloudFront serves it globally via CDN. |
| Application Layer | AWS Lambda | Serverless compute for all backend business logic and workers. |
| Application Layer | Amazon API Gateway | Provides a secure, scalable entry point for the frontend to access the Lambda API. |
| Job Processing Layer | AWS Lambda | Dedicated worker functions for log ingestion, analysis, and escalation. |
| Job Processing Layer | Amazon SNS | Pushes immediate email notifications for critical escalations. |
| Job Processing Layer | Amazon EventBridge | Schedules recurring tasks (e.g., daily reports, log polling). |
| Job Processing Layer | Amazon CloudWatch | Logging, monitoring, and triggering of the log ingestion Lambda function. |
| Security Layer | AWS WAF | Web Application Firewall at the CloudFront edge; first-line defence and the source of raw logs. |
| Security Layer | AWS IAM | Manages fine-grained permissions and roles for all components and services. |
Inspiration
Web applications are subjected to a constant stream of cyber-attack events. AWS provides security services that protect the web app and backend API, but those services generate a large volume of alerts, and every alert still has to be reviewed by a security analyst.
Not every AWS customer has the budget to hire security analysts to monitor and analyse these alerts.
This is the customer pain point that remains even after different security systems have been implemented.
So I wanted to use AWS AI technologies to build autonomous AI agents, running on AWS, that perform first-tier security event review and analysis.
The goal is to offload the tedious, routine alert review and analysis, and to improve security escalation and response.
What It Does
The C6 SecOps AI Agent is a serverless, end-to-end security automation system that transforms raw AWS WAF logs into actionable, auto-defended incidents.
It delivers four core functions:
Smart Analysis:
The agent groups related attack events to detect coordinated campaigns and assess their true severity, using Amazon Bedrock AgentCore powered by the Nova Micro model.
Escalation:
For critical threats (Severity 4–5), the system triggers three parallel responses:
- Alert: Sends immediate notifications via Amazon SNS (email).
- Ticket: Automatically creates a high-priority incident in ServiceNow.
- Auto-Block: Blocks the malicious IP at the CDN edge by adding it to the WAF IPSet.
Unified Management:
A custom React 19 frontend connects to a dedicated PostgreSQL RDS backend, offering a single-pane-of-glass view of WAF events, analysis jobs, and the live blocklist.
Plugin Architecture:
The escalation process runs as a Lambda function, enabling custom plugins that the AI agent can invoke to integrate with other systems and extend its automation capabilities.
How I built it
I built the solution on an AWS-first architecture:
- Frontend: I deployed the React/Vite application on S3 behind CloudFront.
- Backend: API Gateway routes requests to AWS Lambda (Node.js 22) functions, which handle the core API and all automated tasks.
- Intelligence: Amazon Bedrock AgentCore hosts the SecOps Agent, which uses code-based triage and the Nova Micro AI for deep, context-aware analysis.
- Automation: I configured Amazon EventBridge to schedule the worker Lambdas (log polling, analysis grouping and the Triple-Track Escalation) every 3–5 minutes.
- Data: Amazon RDS for PostgreSQL provides persistent, structured storage for all logs, job queues, and IP blocklist status.
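The pipeline described in "What It Does" and in the build notes above, as an added example that is not the project's own code: WAF log records are grouped by source IP, given a code-based severity from 1 to 5, and anything at Severity 4 or above goes through the three escalation tracks in parallel. The SNS, ServiceNow and WAFv2 clients are injected (in a real Lambda they would be `@aws-sdk/client-sns`, the ServiceNow Table API and `@aws-sdk/client-wafv2`), so the module runs offline against an in-memory fake. The record fields follow the documented AWS WAF log format, but the records, the severity thresholds, the IPSet name and ID, and the topic ARN are all constructed for this example.

```javascript
"use strict";
// Added example (not the project's code). Constructed WAF log records in the
// documented AWS WAF log shape (subset of fields).
function wafRecord(timestamp, clientIp, uri, action, terminatingRuleId) {
  return { timestamp, action, terminatingRuleId,
           httpRequest: { clientIp, uri, httpMethod: "GET", country: "XX" } };
}
const SAMPLE_WAF_LOGS = [];
for (let i = 0; i < 25; i++) {   // 203.0.113.7: 25 blocks over 12 paths and 2 rule groups (scanner)
  SAMPLE_WAF_LOGS.push(wafRecord(1700000000000 + i * 1000, "203.0.113.7", `/admin/${i % 12}`, "BLOCK",
    i % 2 ? "AWS-AWSManagedRulesSQLiRuleSet" : "AWS-AWSManagedRulesCommonRuleSet"));
}
for (let i = 0; i < 8; i++) {    // 192.0.2.5: 8 blocks on one path, 2 rule groups
  SAMPLE_WAF_LOGS.push(wafRecord(1700000030000 + i * 1000, "192.0.2.5", "/login", "BLOCK",
    i % 2 ? "AWS-AWSManagedRulesSQLiRuleSet" : "AWS-AWSManagedRulesCommonRuleSet"));
}
for (let i = 0; i < 5; i++) {    // 198.51.100.9: 3 blocks and 2 allows on one path (noise)
  SAMPLE_WAF_LOGS.push(wafRecord(1700000040000 + i * 1000, "198.51.100.9", "/",
    i < 3 ? "BLOCK" : "ALLOW", i < 3 ? "AWS-AWSManagedRulesCommonRuleSet" : "Default_Action"));
}

// Group records by client IP; one group is one candidate "campaign".
function groupBySourceIp(records) {
  const groups = new Map();
  for (const r of records) {
    const ip = r.httpRequest.clientIp;
    const g = groups.get(ip) || { ip, total: 0, blocked: 0, uris: new Set(), rules: new Set(),
                                  first: r.timestamp, last: r.timestamp };
    g.total++;
    if (r.action === "BLOCK") { g.blocked++; g.rules.add(r.terminatingRuleId); }
    g.uris.add(r.httpRequest.uri);
    g.first = Math.min(g.first, r.timestamp);
    g.last = Math.max(g.last, r.timestamp);
    groups.set(ip, g);
  }
  return [...groups.values()];
}

// Code-based triage: volume sets the base, breadth of rules and paths raises it.
// Thresholds are assumptions for this example, not the project's values.
function scoreSeverity(g) {
  let s = 1;
  if (g.blocked >= 5) s = 2;
  if (g.blocked >= 20) s = 3;
  if (g.rules.size >= 2) s += 1;   // tripped several rule families: probing, not one bad request
  if (g.uris.size >= 10) s += 1;   // path enumeration
  return Math.min(5, s);
}

const ESCALATION_THRESHOLD = 4;   // Severity 4-5 escalates, as the page states

// Auto-Block track. WAFv2 IPSet updates use optimistic locking: read the current
// address list plus LockToken, write the whole list back with that token, and
// re-read on WAFOptimisticLockException. Entries are CIDRs, so a host is /32 or /128.
// A CLOUDFRONT-scoped IPSet must be managed from us-east-1 (client config, not shown).
async function addToIpSet(wafv2, ipSet, ip, attempts = 3) {
  const cidr = ip.includes(":") ? `${ip}/128` : `${ip}/32`;
  for (let n = 1; ; n++) {
    const cur = await wafv2.getIPSet(ipSet);   // { IPSet: { Addresses }, LockToken }
    if (cur.IPSet.Addresses.includes(cidr)) return { cidr, alreadyBlocked: true };
    try {
      await wafv2.updateIPSet({ ...ipSet, Addresses: [...cur.IPSet.Addresses, cidr], LockToken: cur.LockToken });
      return { cidr, alreadyBlocked: false };
    } catch (e) {
      if (e.name !== "WAFOptimisticLockException" || n >= attempts) throw e;
    }
  }
}

// Triple-Track Escalation: alert, ticket and block run concurrently, and one
// track failing must not cancel the others, hence allSettled rather than all.
async function escalate(g, severity, c) {
  if (severity < ESCALATION_THRESHOLD) return { ip: g.ip, severity, escalated: false };
  const summary = `Severity ${severity}: ${g.blocked}/${g.total} requests from ${g.ip} blocked across ${g.uris.size} paths`;
  const settled = await Promise.allSettled([
    c.sns.publish({ TopicArn: c.topicArn, Subject: `[C6 SecOps] ${summary}`,
                    Message: JSON.stringify({ ip: g.ip, severity, blocked: g.blocked, total: g.total,
                                              paths: [...g.uris], rules: [...g.rules] }) }),
    c.serviceNow.createIncident({ short_description: summary, urgency: severity === 5 ? "1" : "2", impact: "2" }),
    addToIpSet(c.wafv2, c.ipSet, g.ip),
  ]);
  const [alert, ticket, block] = settled.map((s) => (s.status === "fulfilled" ? s.value : { error: String(s.reason) }));
  return { ip: g.ip, severity, escalated: true, alert, ticket, block };
}

async function runPipeline(records, clients) {
  const out = [];
  for (const g of groupBySourceIp(records)) out.push(await escalate(g, scoreSeverity(g), clients));
  return out;
}

// In-memory stand-ins for the three integrations so the example runs offline.
function fakeClients(existingAddresses = []) {
  const state = { addresses: [...existingAddresses], lockToken: "tok-0", published: [], incidents: [] };
  return {
    state,
    topicArn: "arn:aws:sns:us-east-1:123456789012:c6-escalations",          // assumed
    ipSet: { Name: "c6-blocklist", Scope: "CLOUDFRONT", Id: "00000000-0000-0000-0000-000000000000" }, // assumed
    sns: { publish: async (m) => { state.published.push(m); return { MessageId: `m${state.published.length}` }; } },
    serviceNow: { createIncident: async (f) => { state.incidents.push(f); return { number: `INC${state.incidents.length}` }; } },
    wafv2: {
      getIPSet: async () => ({ IPSet: { Addresses: [...state.addresses] }, LockToken: state.lockToken }),
      updateIPSet: async (p) => {
        if (p.LockToken !== state.lockToken) throw Object.assign(new Error("stale token"), { name: "WAFOptimisticLockException" });
        state.addresses = p.Addresses; state.lockToken = `tok-${state.addresses.length}`;
        return { NextLockToken: state.lockToken };
      },
    },
  };
}

if (typeof require !== "undefined" && require.main === module) {
  runPipeline(SAMPLE_WAF_LOGS, fakeClients()).then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

Running it escalates only 203.0.113.7 (Severity 5) and leaves 192.0.2.5 at Severity 3 and 198.51.100.9 at Severity 1. A second run over the same records reports `alreadyBlocked: true` for the IPSet track but would still send a second alert and open a second ticket; in the architecture above that de-duplication belongs in the RDS job and blocklist tables, which this stand-alone example does not model.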
Challenges I ran into
As a newcomer to AWS cloud technologies, I found it a significant challenge to get all these enterprise-grade services, from Bedrock AgentCore and IAM roles to Lambda VPC connectivity with RDS, to work together seamlessly. Setting up this complex, serverless, end-to-end system required intensive configuration and a steep learning curve. However, AWS is a proven enterprise cloud platform with comprehensive documentation. I was able to follow the guides and eventually complete the intricate setup, making the entire platform functional and robust.
Accomplishments that I'm proud of
- Full Cloud-Native SecOps Deployment: I designed, configured, and deployed this entire enterprise-grade cloud infrastructure on AWS, integrating the latest AI technology (Bedrock AgentCore/Nova Micro) to provide 24/7 autonomous security monitoring and analysis. This proved the platform's ability to operate around the clock without human intervention.
- Smart AI Automation & Attack Surface Reduction: I developed and implemented the Smart Analysis architecture and Triple-Track Escalation logic. The system automatically groups related events, assigns a severity rating, and then performs Auto-Blocking (WAF IPSet update) for critical threats. This saves security teams a large amount of effort and improves the application's security posture while keeping AI costs low.
What I learned
AWS Bedrock AgentCore and Lambda technologies are incredibly handy, making it easy to build scalable solutions. The most important lesson I learned was that I forgot to plan the deployment using CloudFormation. As a result, I now need to reverse-engineer the deployment package to streamline future deployments.
What's Next for C6 SecOps AI Agent (AWS Edition)
The next phase is to transition this tech preview into a commercial, enterprise-ready product for AWS customers:
AWS Security Hub Integration:
I will implement native integration so that all critical findings and auto-remediation actions are reported directly to AWS Security Hub as standardized security findings.
Commercial AI Agent App:
I plan to package and harden the C6 SecOps AI Agent into a deployable application, targeting publication on the AWS Marketplace to enable broader customer adoption.
Security Hub Event Ingestion:
I will extend the AI agent to ingest and analyze security events directly from AWS Security Hub, enabling broader visibility and deeper threat correlation across multiple AWS services.
Plugin Ecosystem Expansion:
I will develop additional plugins to support deeper system integration and enhanced automation across diverse platforms.
Amazon Q Integration:
I will explore integration with Amazon Q Business and Amazon Q Developer to provide interactive security insight consulting via chat, and to enable automated takedown scripting for rapid threat mitigation.
Built With
- agentcore
- alb
- bedrock
- bedrock-agentcore
- bedrock-nova
- cloudfront
- cloudwatch
- codebuild
- ecr
- eventbridge
- express.js
- iam
- jwt
- lambda
- node.js
- nova
- python
- rds
- react
- s3
- sns
- ssl
- strands-sdk
- waf