AWS Security · Serverless · Self-Hosted

React to Threats. Not Incidents.

Threat Reaction is a self-hosted, serverless AWS platform that puts you in control of GuardDuty findings — configure responses, detect S3 exfiltration, and block threats before they escalate.

$ aws cloudformation deploy --template-file customer_template.yaml

Security that lives in your account

No agents. No SaaS lock-in. No data leaving your perimeter.

GuardDuty Native

Deep integration with AWS GuardDuty. Every finding type is surfaced, configurable, and actionable.

Real-Time Response

EventBridge-driven pipeline delivers findings to your dashboard in seconds, not minutes.

Fully Self-Hosted

Deployed entirely within your AWS account. Your security data never leaves your infrastructure.

Zero Trust Auth

Cognito-backed login with mandatory TOTP MFA. Every session is short-lived and auditable.

S3 Exfiltration Detection

Sliding-window anomaly detection flags unusual data access patterns before damage is done.

Ransomware Detection

Identifies ransomware-like behaviors such as mass encryption or unusual IAM credential use.

Up and running in minutes

One CloudFormation template. No third-party dependencies.

  1. Deploy to Your AWS Account

    A single CloudFormation template provisions everything: Cognito, API Gateway, Lambda, DynamoDB, CloudFront, and EventBridge rules.

  2. Connect GuardDuty

    GuardDuty findings flow automatically via EventBridge into Threat Reaction's processing pipeline — no agents, no polling.

  3. Configure & React

    Enable or disable finding types, set actions to BLOCK or REPORT, and monitor your security posture from a clean dashboard.

Everything your security team needs. Nothing you don't.

Threat Reaction is purpose-built for AWS-native security teams who want full control without the overhead of a commercial SIEM or third-party SaaS.

  • No third-party SaaS — your data stays in your account
  • Serverless — pay only for what you use
  • Covers GuardDuty, S3 exfiltration, and ransomware patterns
  • MFA-enforced web dashboard
  • Configurable per finding type
  • One-command CloudFormation deployment

100% Self-hosted · <2s Finding latency · 0 Agents required · MFA Enforced auth

Frequently asked questions

Common questions about Threat Reaction.

What is Threat Reaction?

Threat Reaction is a self-hosted, serverless AWS security platform that helps security teams manage AWS GuardDuty threat configurations, monitor real-time security events, detect S3 data exfiltration, and identify ransomware-like behaviors — all within their own AWS account.

Does my security data leave my AWS account?

No. Threat Reaction is deployed entirely within your own AWS account. All GuardDuty findings, S3 events, and security data remain in your environment. Threat Reaction does not collect, transmit, or have access to any of your data.

How much does Threat Reaction cost?

Threat Reaction is free and open-source. You pay only for the AWS infrastructure costs consumed by the deployment (Lambda invocations, DynamoDB storage, API Gateway requests, etc.). Because it is fully serverless, idle time costs nothing.

What AWS services does Threat Reaction use?

Threat Reaction uses AWS GuardDuty, EventBridge, Lambda (Python 3.12), DynamoDB, S3, CloudFront (with Origin Access Control), Cognito, API Gateway v2, SQS, and SNS — all provisioned via a single CloudFormation template.

Is multi-factor authentication required?

Yes. Threat Reaction enforces mandatory TOTP multi-factor authentication for all users via AWS Cognito. Self-signup is disabled — only administrator-provisioned accounts can log in. Sessions expire after 5 minutes of inactivity.

Does Threat Reaction work in all AWS regions?

Threat Reaction must be deployed in the same AWS region as your GuardDuty detector, because GuardDuty events flow via EventBridge within the same region. Each region requires its own deployment.

Stop threats before they stop you

Deploy Threat Reaction into your AWS account today. No subscription. No vendor lock-in. Just control.