
Capability · Triage

Every detection becomes a triageable issue

On-device detections don't vanish into a log. Each one surfaces as a severity-scored issue in the Cloudanix Console — a triage queue for security and audit-ready evidence of every agent action that mattered.

Triage + compliance evidence
console · issues
AGENT GUARD ISSUES     open · last 24h

CRIT  secret/cloud-access-key   block
      dev-04 · claude-code · 17:22
CRIT  file/dotenv-read          block
      dev-12 · cursor · 16:48
HIGH  injection/override        warn
      dev-09 · codex · 15:30
HIGH  mcp/broadly-mounted       open
      dev-21 · cursor · 14:11

triage queue · severity-scored
who / what / when / why — value stays on device

The risk

A local block isn't enough

Stopping the action on the device is the point — but security still needs to see it, prioritise it, and prove it later. A raw log on a laptop does none of that.

Invisible detections

A block or warning that only exists on one developer's machine can't be triaged, trended or reviewed by the security team.

No prioritisation

Without severity and context, every event looks the same — and the one that matters gets lost in the noise.

Weak evidence

Auditors increasingly want the who / what / when / why for AI actions that touched a secret, ran a command, or wrote code.

Mechanics

From detection to issue

01

Detect on-device

Any axis — egress, ingress, output, action — or a static MCP / instruction-file finding produces a categorical detection locally.

02

Ship privately

The finding's category, severity, agent, device and decision ship to the Console. The matched secret value never leaves the device.

03

Score & open an issue

The Console turns it into a severity-scored issue, correlated with the developer, device and the rest of your posture.

04

Triage & retain

Security triages from one queue; the record is retained as tamper-evident evidence for the board and for auditors.

Inside the capability

What an issue carries

Enough context to act now and to prove later — without ever exposing the sensitive value itself.

Severity score

Critical / high / medium / low, so the queue sorts itself and the dangerous events rise to the top.

Category & rule

The finding type and the specific rule that matched — secret, PII, injection, code or file — not a generic alert.

Who & where

The developer, device and agent involved, and the decision the guard took: allow, redact, warn or block.

Privacy-first

Categorical evidence only — the matched credential or PII value stays on the device (NF-PRIV-1).

Posture-correlated

Issues sit alongside your cloud, identity and CNAPP findings — agent risk in the same place as the rest.

Tamper-evident trail

Backed by the hash-chained local audit log, so the evidence holds up under scrutiny.
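
A minimal sketch of a hash-chained log of categorical findings like the one described above, added here as an illustration. It is not Cloudanix's implementation; the field names, the SHA-256 chaining scheme and the sample entries are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the chain


def record_hash(prev_hash, finding):
    # Canonical JSON so the same finding always produces the same digest.
    body = json.dumps(finding, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_finding(log, category, severity, agent, device, decision, when):
    """Append a categorical finding. The matched secret or PII value is
    deliberately not a parameter, so it cannot end up in the record."""
    finding = {"category": category, "severity": severity, "agent": agent,
               "device": device, "decision": decision, "when": when}
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"finding": finding, "prev": prev, "hash": record_hash(prev, finding)}
    log.append(entry)
    return entry


def verify_chain(log):
    """Return the index of the first entry that breaks the chain, or -1."""
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = record_hash(prev, entry["finding"])
        if entry["prev"] != prev or entry["hash"] != expected:
            return i
        prev = entry["hash"]
    return -1


def build_sample_log():
    # Constructed sample entries mirroring the console mock-up on this page.
    log = []
    append_finding(log, "secret/cloud-access-key", "CRIT", "claude-code", "dev-04", "block", "17:22")
    append_finding(log, "file/dotenv-read", "CRIT", "cursor", "dev-12", "block", "16:48")
    append_finding(log, "injection/override", "HIGH", "codex", "dev-09", "warn", "15:30")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log))
    log[1]["finding"]["decision"] = "allow"  # simulate an after-the-fact edit
    print("first broken entry:", verify_chain(log))
```

Editing or removing any earlier entry changes every later hash, so verification fails at the first affected entry. Truncating the tail of the log is only detectable if the latest hash is also recorded somewhere off the device.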

Outcomes

What you get

  • One triage queue for everything the guard detects across the fleet
  • Severity scoring so the events that matter surface first
  • The who / what / when / why auditors ask for on AI usage
  • Privacy-first evidence — categorical findings, never the secret value
  • Correlation with your broader cloud and identity posture
  • Compliance evidence for SOC 2, ISO 27001, HIPAA, PCI-DSS and more
