Overview
Exaforce connects to AWS GuardDuty to ingest findings and wrap them in investigation-ready context from across your AWS environment. The platform looks at the principal behind the activity, the full trail of API events, impacted resources such as S3 buckets, and related activity for the same user, role, or account. GuardDuty detections become narrative-style assessments that explain what happened, why it matters, and what to do next, which lets analysts move from an alert to a decision in minutes instead of hours.
How it works
Exaforce ingests AWS GuardDuty findings, along with CloudTrail logs and configuration data from connected AWS accounts, using the GuardDuty finding stream as the starting point for each investigation. Once a new finding arrives, the Exabot Triage agent pulls together identity attributes, session details, source locations, services involved, and resource metadata. It then generates a human readable assessment that summarizes the situation, highlights supporting evidence, and proposes mitigation options.
In Exaforce, analysts can see a dedicated view of enriched findings. Opening a finding launches the Exabot Assessment view, which shows a structured summary, supporting analysis, and a timeline of events that contributed to the detection. A Command Center view shows which steps the agent took, which workflows ran, and what notifications or confirmations were sent over Slack or Microsoft Teams.
Continuous triage and validation
GuardDuty runs continuously across your AWS accounts, and Exaforce layers continuous triage on top of that signal, so every finding is rapidly categorized as a True Positive, False Positive, or Needs Investigation.
When a finding is ingested, Exabot immediately performs its analysis and assigns a recommended classification. If the recommendation is Needs Investigation, or if analysts want to validate a potential False Positive, they can drill into rich contextual details using the Investigate view.
Within the Investigate view, analysts can expand the time window to look for additional suspicious activity, review identity chains and session trees to confirm the correct principal, and compare historical and current location data to evaluate the significance of geographic signals. They can also use Exabot’s question-and-answer interface to ask follow-up questions, such as what other Put operations occurred on a specific bucket, and receive precise answers grounded in the same underlying evidence.
This closed loop process, reinforced by confirmations from users and managers, continuously improves triage accuracy and reduces mean time to response.
Core capabilities
Exaforce treats Amazon GuardDuty as a signal for suspicious AWS activity and augments it with additional context and analytics to streamline investigation and response.
Each GuardDuty finding is automatically triaged by Exabot, which analyzes identities, roles, session chains, locations, VPN usage, and the sequence of API calls involved. This activity is compared against historical behavior to determine whether it is normal, unusual, or likely malicious.
Investigations are organized to reflect how a SOC analyst works, with a question-and-answer style interface that enables fast pivots across related user, resource, and activity context without custom queries. Visual timelines and event-level evidence provide clarity into what happened and when, with access to raw JSON for verification.
Exaforce also supports identity- and resource-centric analysis, built-in collaboration through Slack and Microsoft Teams, and flexible response options. Its automation capabilities enable both human-in-the-loop and fully automated mitigations, as well as integration with SOAR workflows.
Examples of attacks and alerts handled
GuardDuty findings range from clear attacks to benign tests. Exaforce helps teams quickly tell the difference and respond appropriately.
Typical scenarios include:
- Suspicious S3 access that turns out to be a test
GuardDuty flags a configuration change or access pattern on an S3 bucket that could indicate preparation for data exfiltration. Exaforce reconstructs the sequence of operations, shows the Put or Get events on the bucket, and overlays data in and data out over time. In cases where there are no spikes in data transfer and the user reports a controlled test, Exabot classifies the finding as a False Positive so the SOC can close it with confidence.
- Unusual access from new locations
A principal that usually operates from a single region or country suddenly accesses AWS from an unexpected location. Exaforce compares historical locations, highlights other anomalous geographies, correlates VPN usage, and shows whether similar actions were taken from typical locations around the same time.
- Privilege or policy changes preceding risky activity
GuardDuty may detect suspicious API usage against identity or storage services. Exaforce surfaces prior API calls that created, modified, or attached policies and roles, which helps analysts understand if the finding is part of a broader privilege escalation or account takeover sequence.
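The triage loop described under "Continuous triage and validation" and the three scenarios above share one shape: take the principal named in a GuardDuty finding, pull that principal's trail of API events, and ask three questions (is the location new, did the principal change its own access shortly beforehand, and how much data moved on the bucket). The following Python is an added example written for this page; it is not Exaforce's or Exabot's code. The sample finding follows the nesting of GuardDuty's finding JSON (Resource.AccessKeyDetails, Service.Action.AwsApiCallAction), the trail records use CloudTrail field names, and every value in them is constructed. The GEO table stands in for a geolocation lookup, and the history window, session window, exfiltration threshold and the rules that map evidence to True Positive, False Positive or Needs Investigation are assumptions chosen for illustration. It goes slightly beyond the text by running all three checks in a single pass over the same evidence.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample finding: the nesting follows the GuardDuty finding JSON layout
# (Resource.AccessKeyDetails, Service.Action.AwsApiCallAction); every value is invented.
FINDING = {
    "Id": "constructed-finding-0001", "Type": "Exfiltration:S3/AnomalousBehavior", "Severity": 5,
    "Resource": {"ResourceType": "S3Bucket",
                 "AccessKeyDetails": {"UserName": "deploy-user", "UserType": "IAMUser"},
                 "S3BucketDetails": [{"Name": "example-reports-bucket"}]},
    "Service": {"EventLastSeen": "2024-05-01T10:05:00Z",
                "Action": {"ActionType": "AWS_API_CALL",
                           "AwsApiCallAction": {"Api": "PutObject", "ServiceName": "s3.amazonaws.com",
                                                "RemoteIpDetails": {"IpAddressV4": "203.0.113.7"}}}},
}

# Constructed CloudTrail-style records for the same user (CloudTrail field names, invented values).
TRAIL = [
    {"eventTime": "2024-04-28T09:00:00Z", "eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "198.51.100.4", "userIdentity": {"userName": "deploy-user"},
     "requestParameters": {"bucketName": "example-reports-bucket"},
     "additionalEventData": {"bytesTransferredIn": 2048}},
    {"eventTime": "2024-04-29T09:10:00Z", "eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "198.51.100.4", "userIdentity": {"userName": "deploy-user"},
     "requestParameters": {"bucketName": "example-reports-bucket"},
     "additionalEventData": {"bytesTransferredOut": 4096}},
    {"eventTime": "2024-05-01T09:50:00Z", "eventName": "AttachUserPolicy", "eventSource": "iam.amazonaws.com",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"userName": "deploy-user"},
     "requestParameters": {"userName": "deploy-user", "policyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"userName": "deploy-user"},
     "requestParameters": {"bucketName": "example-reports-bucket"},
     "additionalEventData": {"bytesTransferredIn": 1024}},
]

# Constructed stand-in for a geo-IP lookup; a real pipeline would query a geolocation service.
GEO = {"198.51.100.4": "Germany", "203.0.113.7": "Brazil"}
# IAM calls that grant or widen access; seen just before a finding they hint at privilege escalation.
IAM_CHANGE_EVENTS = {"CreatePolicy", "CreatePolicyVersion", "AttachUserPolicy", "AttachRolePolicy",
                     "PutUserPolicy", "PutRolePolicy", "UpdateAssumeRolePolicy", "CreateAccessKey"}

def parse_time(stamp):
    """GuardDuty and CloudTrail timestamps are ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def principal_events(trail, user_name):
    """The full trail for one principal, oldest first."""
    return sorted((e for e in trail if e["userIdentity"].get("userName") == user_name), key=lambda e: e["eventTime"])

def location_check(events, finding_ip, finding_time, history_days=30, session_hours=2):
    """Compare the finding's country with where the principal worked from before this session."""
    session_start = finding_time - timedelta(hours=session_hours)
    since = finding_time - timedelta(days=history_days)
    historical = {GEO.get(e["sourceIPAddress"], "unknown") for e in events
                  if since <= parse_time(e["eventTime"]) < session_start}
    current = GEO.get(finding_ip, "unknown")
    return {"current": current, "historical": sorted(historical), "new_location": current not in historical}

def prior_iam_changes(events, finding_time, window_hours=24):
    """Policy, role or access-key changes made by the principal in the window before the finding."""
    since = finding_time - timedelta(hours=window_hours)
    return [e["eventName"] for e in events
            if e["eventSource"] == "iam.amazonaws.com" and e["eventName"] in IAM_CHANGE_EVENTS
            and since <= parse_time(e["eventTime"]) <= finding_time]

def bucket_transfer(events, bucket):
    """Put/Get counts and bytes in/out on the bucket named in the finding."""
    ops = [e for e in events if e.get("requestParameters", {}).get("bucketName") == bucket
           and e["eventName"] in ("PutObject", "GetObject")]
    extra = lambda e, key: e.get("additionalEventData", {}).get(key, 0)
    return {"put": sum(e["eventName"] == "PutObject" for e in ops),
            "get": sum(e["eventName"] == "GetObject" for e in ops),
            "bytes_in": sum(extra(e, "bytesTransferredIn") for e in ops),
            "bytes_out": sum(extra(e, "bytesTransferredOut") for e in ops)}

def triage(finding, trail, user_confirmed_test=False, exfil_threshold_bytes=10 * 1024 * 1024):
    """Assemble the evidence for one finding and recommend a classification (rules are assumptions)."""
    res, svc = finding["Resource"], finding["Service"]
    user, bucket = res["AccessKeyDetails"]["UserName"], res["S3BucketDetails"][0]["Name"]
    ip, when = svc["Action"]["AwsApiCallAction"]["RemoteIpDetails"]["IpAddressV4"], parse_time(svc["EventLastSeen"])
    events = principal_events(trail, user)
    loc, iam, xfer = location_check(events, ip, when), prior_iam_changes(events, when), bucket_transfer(events, bucket)
    reasons = []
    if loc["new_location"]:
        reasons.append(f"access from {loc['current']}, historically {loc['historical']}")
    if iam:
        reasons.append(f"IAM changes shortly before the finding: {iam}")
    if xfer["bytes_out"] >= exfil_threshold_bytes:
        reasons.append(f"{xfer['bytes_out']} bytes read from {bucket}")
    if loc["new_location"] and iam:      # new geography plus self-granted access: escalation pattern
        verdict = "True Positive"
    elif reasons:                         # a single anomaly: hand to the analyst with the evidence attached
        verdict = "Needs Investigation"
    elif user_confirmed_test:             # usual location, no policy changes, no transfer spike, user confirmed
        verdict = "False Positive"
    else:
        verdict = "Needs Investigation"
    return {"verdict": verdict, "reasons": reasons, "location": loc, "iam_changes": iam, "bucket": xfer}

if __name__ == "__main__":
    print(triage(FINDING, TRAIL))
```

Run as-is, the constructed trail yields a True Positive recommendation: the PutObject came from a country the user had never worked from, and the same user attached a broader S3 policy to itself fifteen minutes earlier. The same functions return False Positive for a finding from the usual location with no policy changes, no transfer spike and a user confirmation, which is the controlled-test scenario above. The returned dictionary carries every piece of evidence the verdict rests on, so an analyst can check it against the raw events rather than trust the label.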
Benefits
Exaforce improves the quality of GuardDuty triage by providing each alert with narrative context, supporting evidence, and recommended actions, reducing time spent on manual log analysis.
By evaluating user history, VPN usage, resource behavior, and confirmations from users and managers, Exaforce significantly reduces false positives so analysts can focus on real threats.
Analysts can investigate findings more quickly by pivoting between identity, activity, and resource views within a single console, while GuardDuty remains the authoritative detection source.
Structured investigations, automation, and collaboration integrations create repeatable workflows that scale across SOC teams and shifts.
