Inspiration

The inspiration for ChaosSec came from a simple but critical question: "How do we know our security controls actually work before we need them?"

After learning about Netflix's Chaos Monkey and how chaos engineering transformed reliability testing, I wondered why this approach wasn’t being used for security. Companies spend millions on monitoring, AWS Config rules, and CloudTrail logging—but only find out if these systems work after a breach.

ChaosSec was built to continuously validate security controls through controlled chaos, powered by AI to make intelligent test decisions. It’s an autonomous agent that proves your security works—not just that it exists.


What It Does

ChaosSec is an autonomous AI security testing platform that fuses chaos engineering and AI-driven reasoning to continuously validate AWS infrastructure security.

Core Workflow (8 Steps)

  1. SIMULATE – Create digital twins of infrastructure using System Initiative
  2. SCAN – Run Semgrep to find vulnerabilities in code and IaC
  3. REASON – Use AWS Bedrock (Claude AI) to analyze risk and prioritize tests
  4. INJECT – Safely inject chaos (e.g., make S3 bucket public)
  5. MONITOR – Track CloudWatch metrics and logs during chaos events
  6. VALIDATE – Check if AWS Config, CloudTrail, and Security Hub detect issues
  7. REPORT – Auto-generate compliance evidence (SOC2, ISO 27001, PCI-DSS, NIST)
  8. LEARN – Store results in DynamoDB for AI-driven improvement
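The VALIDATE step (6) is the part that separates "a control exists" from "a control fired". As an added example, not taken from the ChaosSec code base, the sketch below correlates one injection with evidence from the three detection sources and grades each as DETECTED, LATE, or MISSED. The record shape, the names validate_detection, INJECTION, EVIDENCE, EXPECTED and SLA, the bucket ARNs, and the 5-minute SLA are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed, normalized evidence records (not real AWS output). A real run
# would build these from CloudTrail, AWS Config and Security Hub queries.
BUCKET = "arn:aws:s3:::example-chaos-target"  # placeholder resource
T0 = datetime(2025, 1, 1, 12, 0, 0)           # constructed injection time
EVIDENCE = [
    {"source": "cloudtrail", "resource": BUCKET, "time": T0 + timedelta(seconds=4)},
    {"source": "config", "resource": BUCKET, "time": T0 + timedelta(minutes=9)},
    # Stale finding from before the injection: must not count as a detection.
    {"source": "securityhub", "resource": BUCKET, "time": T0 - timedelta(hours=2)},
    # Evidence about a different resource: must not count either.
    {"source": "config", "resource": "arn:aws:s3:::other-bucket",
     "time": T0 + timedelta(seconds=30)},
]
INJECTION = {"correlation_id": "chaos-0001", "resource": BUCKET, "injected_at": T0}
EXPECTED = ["cloudtrail", "config", "securityhub"]
SLA = timedelta(minutes=5)  # assumed detection deadline


def validate_detection(injection, evidence, expected, sla):
    """Grade each expected control for one injection, keyed by correlation ID."""
    start = injection["injected_at"]
    controls = {}
    for source in expected:
        # Only evidence for the injected resource, at or after the injection.
        hits = sorted(
            e["time"] for e in evidence
            if e["source"] == source
            and e["resource"] == injection["resource"]
            and e["time"] >= start
        )
        if not hits:
            controls[source] = {"verdict": "MISSED", "latency_s": None}
            continue
        delay = hits[0] - start
        verdict = "DETECTED" if delay <= sla else "LATE"
        controls[source] = {"verdict": verdict, "latency_s": delay.total_seconds()}
    passed = all(c["verdict"] == "DETECTED" for c in controls.values())
    return {"correlation_id": injection["correlation_id"],
            "controls": controls, "passed": passed}


if __name__ == "__main__":
    report = validate_detection(INJECTION, EVIDENCE, EXPECTED, SLA)
    for name, result in report["controls"].items():
        print(report["correlation_id"], name, result)
```

The stale Security Hub record shows why the time filter matters: a finding that predates the injection says nothing about whether the control reacted to this test.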

Key Capabilities

  • Discovers 21+ misconfigurations automatically
  • AI prioritization with 95% confidence scoring
  • Tests detection systems without breaking production
  • Generates audit-ready documentation
  • Runs continuously and improves over time

How We Built It

Technology Stack:

  • Frontend: React 18 + Vite + Tailwind CSS + Framer Motion
  • Backend: Python 3.13 with Boto3, HTTPX, and subprocess modules
  • Infrastructure: AWS CDK (Infrastructure as Code)
  • AI/ML: AWS Bedrock (Claude)
  • Security Scanning: Semgrep
  • Integrations: System Initiative API, Vanta MCP

Architecture

  • Presentation Layer: React dashboard (localhost:5173) visualizing the 8-step workflow
  • Application Layer: Python orchestrator coordinating AI, AWS, and integrations
  • Integration Layer: Connects AWS Bedrock, System Initiative, Semgrep, Vanta, Config, CloudTrail, CloudWatch, and FIS
  • Target Layer: Vulnerable AWS e-commerce app with 21 intentional security flaws

Deployment

  • Created a demo app with intentional vulnerabilities (public S3, weak IAM, etc.)
  • Deployed via AWS CDK to account 042744890612 in us-east-1
  • ChaosSec autonomously finds and validates these vulnerabilities

Development Process

  1. Designed architecture and modules
  2. Built core modules (config, logger, AWS handler, Semgrep scanner, AI brain, orchestrator)
  3. Developed React dashboard with 7 custom components
  4. Created demo app with realistic vulnerabilities
  5. Integrated Bedrock AI and System Initiative
  6. Implemented OAuth2 for Vanta

Challenges We Faced

  1. AWS CDK Permissions – IAM bootstrap issues; required PowerUserAccess
  2. Bedrock API Key Confusion – Misunderstood how Bedrock authenticates (it uses AWS credentials, not an API key)
  3. RDS Reserved Username – “admin” blocked; switched to “dbadmin”
  4. System Initiative 404s – Made the integration optional due to endpoint issues
  5. Demo Script Input Handling – Replaced input() pauses for non-interactive runs
  6. Dashboard Animation Timing – Fixed final-step display bug in animation loop

Accomplishments

  • End-to-End System: Fully functional platform with frontend, backend, AI, and AWS
  • 🤖 Real AI Integration: AWS Bedrock-driven intelligent prioritization
  • 🎨 Professional UI/UX: Stunning React dashboard with glass morphism design
  • ☁️ Real AWS Deployment: Validated real vulnerabilities on live infra
  • 📊 4+ Real Findings:
    • Public RDS
    • Lambda with admin access
    • Hardcoded secrets
    • Unencrypted data
  • 🔄 Complete Workflow: 8-step autonomous security validation
  • Rapid MVP Delivery: From concept to working demo in record time


What We Learned

Technical Insights

  • AWS CDK Mastery: Multi-service IaC deployment
  • AWS Bedrock: Uses standard AWS credentials
  • System Initiative: Digital twins enable safe simulation
  • OAuth2: Proper client credentials flow with refresh logic
  • Chaos Engineering: Safety modes, audit trails, rollback systems

Security Learnings

  • Common AWS misconfigurations are widespread
  • Detecting issues is easy; validating detection is hard
  • Compliance evidence can be automated
  • The gap between having and knowing your security works is vast

Design Patterns

  • Modular, testable architecture
  • Mock modes for external APIs
  • Correlation IDs for complete traceability
  • .env.example config for simple setup

UX/UI Takeaways

  • Real-time visuals make complex workflows accessible
  • Severity color coding improves clarity
  • Smooth animations maintain engagement
  • Glass morphism creates a premium feel

Process Lessons

  • Break big goals into clear phases
  • Test each module independently
  • Document-driven development clarifies requirements
  • Mock + real modes accelerate parallel work

What’s Next for ChaosSec

Immediate (Post-Hackathon)

  • Deploy to AWS Lambda + Step Functions
  • Fix System Initiative integration
  • Enhance Bedrock prompt engineering
  • Add more chaos scenarios (EC2, IAM, network)

Short-Term (3 Months)

  • Real-time dashboard via WebSockets
  • Expand scanning to EC2/ECS/EKS/Terraform
  • Add HIPAA/FedRAMP frameworks
  • One-click automated remediation
  • Multi-account support

Medium-Term (6–12 Months)

  • ML-based risk scoring
  • Integration marketplace (Splunk, PagerDuty, Jira, Slack)
  • Policy-as-Code customization
  • Community chaos scenario library
  • Multi-step reasoning AI agents

Long-Term (12+ Months)

  • Multi-cloud (Azure, GCP) support
  • ChaosSec-as-a-Service offering
  • Security Copilot for AI-driven advice
  • Continuous compliance scoring
  • Enterprise features (RBAC, branding, SLA)

Business Growth & Vision

  • Beta Program: 10 enterprise customers (Q1 2026)
  • GA Launch: Q2 2026
  • Series A: Raise $3–5M
  • Market Expansion: Target 1000+ account enterprises
  • Exit Strategy: Potential acquisition by AWS, Palo Alto Networks, or CrowdStrike

Research & Community

  • Publish papers on AI-driven chaos engineering
  • Open-source the core chaos testing framework
  • Contribute to AWS Well-Architected Framework
  • Build community around Security Chaos Engineering
