Threat Reaction Documentation
Threat Reaction is a self-hosted, serverless AWS security platform. It sits on top of Amazon GuardDuty and adds a real-time policy engine, an anomaly detector for S3 data exfiltration, and a full audit trail of every containment action — all running inside your own AWS account with no data leaving your infrastructure.
What does it do?
- Ingests GuardDuty findings via EventBridge and lets you configure a response (IGNORE, REPORT, BLOCK, REVOKE, or SAVE) per finding type and severity.
- Detects S3 anomalies with a sliding-window detector that watches CloudTrail data events for exfiltration, ransomware writes, mass deletes, and enumeration sweeps.
- Executes containment actions automatically: blocking attacker IPs via WAF / Security Groups, revoking compromised IAM credentials, and publishing findings to SNS for downstream alerting.
- Provides a single-page management UI accessible via CloudFront — no servers to manage, no VPN required.
Browse Documentation
- Dashboard: Real-time security posture at a glance.
- Threats: Configure response policies for every GuardDuty finding type.
- Events: Browse every security event captured by the system.
- Actions: Audit trail of every containment action taken.
- Accounts: Manage monitored AWS accounts.
- Notifications: Route alerts to SNS, email, or webhooks.
- Buckets: S3 anomaly and ransomware detection.
- Application: Stack settings and template updates.
- Entities: Asset inventory of all tracked AWS resources.
- License: License status, trials, and key management.
- Architecture: How all services connect and data flows.
- Cost Estimation: What it costs to run Threat Reaction in AWS.
🚀 New to Threat Reaction?
Start with the Architecture page to understand how all AWS services connect, then read Threats to learn how to configure your first response policies.