From connecting your cloud to fixing your first finding — the full flow.
Deploy a read-only IAM role in AWS via CloudFormation, or authorize via OAuth for Azure and GCP. AWS connections use short-lived STS tokens with no stored credentials; OAuth tokens are encrypted at rest. Write access is opt-in and only used for remediation you explicitly approve.
Learn about AWS, Azure, and GCP integrations
Once connected, vul.ninja inventories every resource across your clouds and runs automated security checks covering IAM permissions, network exposure, encryption gaps, and misconfigured storage. Critical findings surface first, ranked by exploitability — not just severity score. Most environments see their first results within 5–15 minutes.
Beyond cloud misconfigurations, vul.ninja catalogs OS-level packages on every compute instance that has an agent — AWS Systems Manager on EC2, Azure Monitor Change Tracking on VMs, and OS Config on GCP Compute. Every package is matched against the full CISA KEV catalog and NVD CVE database.
So when CVE-2024-X drops and it affects openssl 1.1.1k, you see exactly which instances need patching — not a list of CVEs detached from your infrastructure.
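As an added illustration of the matching described above (example code written for this page, not vul.ninja's own implementation), the block below joins a constructed per-instance package inventory against constructed advisory records. The record shape borrows NVD's `versionStartIncluding` / `versionEndExcluding` range fields and adds an `in_kev` flag to mark entries that are also in the CISA KEV catalog; the CVE ids, instance names and versions are placeholders, and distro package names are assumed to be already normalised to the advisory's product name.

```python
import re

# Constructed advisory records (placeholders, not real CISA KEV or NVD data).
# Ranges follow NVD's CPE match fields; in_kev marks known-exploited entries.
ADVISORIES = [
    {"cve": "CVE-XXXX-PLACEHOLDER-1", "product": "openssl",
     "versionStartIncluding": "1.1.1", "versionEndExcluding": "1.1.1l", "in_kev": True},
    {"cve": "CVE-XXXX-PLACEHOLDER-2", "product": "sudo",
     "versionEndExcluding": "1.9.5p2", "in_kev": False},
]

# Constructed inventory as an agent (SSM, Change Tracking, OS Config) would report it:
# instance id -> {package: installed version}. Package names assumed pre-normalised.
INVENTORY = {
    "i-0aaa (ssm)":          {"openssl": "1.1.1k", "sudo": "1.9.5p2"},
    "vm-web-01 (azure)":     {"openssl": "1.1.1n", "sudo": "1.8.31"},
    "gce-api-2 (osconfig)":  {"openssl": "3.0.2",  "curl": "7.81.0"},
}


def version_key(version):
    """Split '1.1.1k' into comparable parts: numbers compare numerically,
    letter suffixes (OpenSSL style) lexically. Numeric parts are tagged 1 and
    alphabetic parts 0 so mixed positions never raise a TypeError. This is a
    heuristic, not a full distro version-comparison implementation."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in parts)


def is_affected(installed, advisory):
    """True when the installed version falls inside the advisory's range."""
    v = version_key(installed)
    start = advisory.get("versionStartIncluding")
    end = advisory.get("versionEndExcluding")
    if start and v < version_key(start):
        return False
    if end and not v < version_key(end):
        return False
    return True


def find_affected(inventory, advisories):
    """Return one hit per (instance, package, advisory) that matches, so the
    result is a patch list tied to infrastructure rather than a bare CVE list."""
    hits = []
    for instance, packages in inventory.items():
        for package, installed in packages.items():
            for adv in advisories:
                if adv["product"] == package.lower() and is_affected(installed, adv):
                    hits.append({"instance": instance, "package": package,
                                 "version": installed, "cve": adv["cve"],
                                 "kev": adv["in_kev"]})
    return hits


def kev_hits(hits):
    """Subset that is known-exploited: the ones a deploy gate would fail on."""
    return [h for h in hits if h["kev"]]


if __name__ == "__main__":
    for h in find_affected(INVENTORY, ADVISORIES):
        flag = "KEV" if h["kev"] else "NVD"
        print(f"[{flag}] {h['instance']}: {h['package']} {h['version']} -> {h['cve']}")
```

Running it lists the two instances that need patching and tags the OpenSSL hit as a KEV match, which is the signal a CI gate would act on; the hit on `sudo 1.8.31` shows why the lower bound matters, and the OpenSSL 3.0.2 host is correctly skipped by the range check.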
The Shadow SOC agent automatically reviews every finding as it comes in, marks false positives so your queue stays clean, and groups related issues by root cause. You see a curated, prioritised list — not 47 raw alerts demanding individual attention.
Shadow SOC is one of six AI agents — learn more about our AI agents
Four agents run in sequence with your approval gating every fix.
For every critical finding, the Investigation Agent goes beyond the surface alert. It checks blast radius, traces the step-by-step attack path an adversary could follow, and delivers a plain-language brief — so you understand the actual risk, not just the misconfiguration. No more Googling CVE IDs at 11pm.
Free-tier users get detailed step-by-step remediation guides for every finding. Paid plans add the Remediation Agent: it generates a before/after diff, waits for your explicit approval, then applies the change — with a 30-day rollback window so you can undo anything with a single click. Your infrastructure, your sign-off, every time.
The six steps above run on their own — on a schedule you pick, triggered from CI/CD, or both.
From every 5 minutes to weekly. Pick a cadence per agent — Shadow SOC on every scan, Monitoring every hour, Compliance Evidence once a week.
Monday-morning email summarising agent activity, new findings, what's still open, and exactly how much AI spend you incurred last week.
Trigger any agent from your pipeline with a scoped API token. Fail a deploy on a critical KEV hit. Kick off a Strike Team on merge to main.
And if your agent is the one shipping the infra…
The pipeline above runs the same way for human operators and AI agents. The difference is the surface.
vul.ninja's MCP server exposes assess_iac_change, evaluate_iam_policy, and get_remediation as tools your coding agent calls inline — so a misconfiguration is caught before the apply, not after.
$ claude commit infra/iam/deploy-role.tf
→ vulninja.evaluate_iam_policy(role)
HIGH     iam:* on Resource:* — wildcard privilege escalation
finding  overprivileged_deploy_role
suggest  scope to s3:PutObject on arn:aws:s3:::deploys/*
✗ Commit blocked. Apply scoped policy? (y/N)
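To make concrete what a pre-apply policy check of this kind looks at, here is an added example written for this page; it is not vul.ninja's `evaluate_iam_policy` tool and does not reproduce its rules. It evaluates a constructed IAM policy document for the wildcard pattern shown in the session above (a service-wide `iam:*` on `Resource: *`), rates it HIGH because a wildcard on IAM lets a role grant itself more access, and passes the scoped `s3:PutObject` policy. The severity tiers and the list of escalation-prone services are assumptions of the example.

```python
import json

# Constructed policy documents (not taken from the page's deploy-role.tf).
OVERPRIVILEGED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]
}""")

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:PutObject"],
                   "Resource": "arn:aws:s3:::deploys/*"}],
}

# Assumption of this example: a full-service wildcard on these services lets a
# principal widen its own permissions, so it is rated HIGH rather than MEDIUM.
ESCALATION_SERVICES = {"iam", "sts", "organizations"}
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def _as_list(value):
    """IAM allows Statement, Action and Resource to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def evaluate_iam_policy(policy):
    """Return findings for Allow statements that are broader than they need to be.
    Deny statements are skipped and Condition blocks are not evaluated, so a
    conditioned wildcard is still reported (conservative, not a false negative)."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        any_resource = "*" in _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append({"severity": "HIGH", "statement": idx,
                             "finding": "not_action_allow",
                             "detail": "Allow with NotAction grants everything except the listed actions"})
        for action in _as_list(stmt.get("Action")):
            service, _, verb = action.partition(":")
            if action == "*":
                findings.append({"severity": "HIGH", "statement": idx,
                                 "finding": "full_admin", "detail": "Action:* grants every API call"})
            elif verb == "*":
                high = service in ESCALATION_SERVICES and any_resource
                findings.append({"severity": "HIGH" if high else "MEDIUM", "statement": idx,
                                 "finding": "service_wildcard",
                                 "detail": f"{action} on Resource:{'*' if any_resource else 'scoped'}"})
            elif any_resource and not verb.startswith(READ_ONLY_PREFIXES):
                findings.append({"severity": "MEDIUM", "statement": idx,
                                 "finding": "write_action_on_all_resources",
                                 "detail": f"{action} on Resource:*; scope the ARN"})
    return findings


def worst_severity(findings):
    rank = {"HIGH": 2, "MEDIUM": 1}
    return max((f["severity"] for f in findings), key=rank.get, default=None)


def commit_gate(policy):
    """The approval gate from the session above: False means 'block the commit'."""
    return worst_severity(evaluate_iam_policy(policy)) != "HIGH"


if __name__ == "__main__":
    for name, policy in [("deploy-role", OVERPRIVILEGED_POLICY), ("scoped", SCOPED_POLICY)]:
        for f in evaluate_iam_policy(policy):
            print(f"{f['severity']:<7} {f['detail']}  finding={f['finding']}")
        print(f"{name}: {'allowed' if commit_gate(policy) else 'blocked'}")
```

The gate is deliberately strict about `iam:*` on `Resource: *` and lenient about read-only verbs on all resources; a real check would also reason about `Condition` keys and resource ARNs, which this example leaves out.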
Not point-in-time audits. vul.ninja scans on schedule and alerts on drift — so you're never surprised by a new misconfiguration.
Every finding comes with context. No more Googling CVE IDs at 11pm — Shadow SOC and Investigation Agent tell you what matters and why.
AWS, Azure, and GCP in one view. One remediation workflow. SOC 2 and ISO 27001 evidence packs ready for your auditor.
Read-only cloud access by default. AWS connections use short-lived STS tokens; Azure and GCP refresh tokens are encrypted at rest. Every agent action is recorded to an audit log you can export.
See our full security posture
Sign up, connect your cloud, and see your first findings in minutes.
Start free
No credit card required