Send a read-only CloudTrail export. Gideon investigates every notable event against your account’s own history — the context that tells a real attack from your normal — then returns the short list that needs you, and dismisses the rest with reasons.
Read-only export / no agent, no access to your environment / logs deleted after the report
A sample run on a public attack dataset — an S3 data-exfiltration intrusion mixed with routine activity. 131 events, 4 actors, 7 notable actions triaged. Here are two of them.
Part of a multi-stage intrusion: an external IP enumerated the environment as user pedro, then pivoted through an assumed role to read S3 — a classic SSRF → exfiltration chain.
The same API call — opposite verdict. This one runs on a fixed weekly cadence from an internal IP, consistent with the account’s eight-week history.
Same action, opposite verdict — because Gideon judges each event against your normal, not a generic rule.
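Judging the same call against the account's own history, as an added Python example (not Gideon's code or method). The account ID, ARNs, IPs, the ListBuckets call, the internal ranges and the 25% cadence tolerance are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import median

# Assumption: these RFC 1918 ranges are what counts as "internal" for the account.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FMT = "%Y-%m-%dT%H:%M:%SZ"  # CloudTrail eventTime format

def is_external(src):
    try:
        addr = ip_address(src)
    except ValueError:  # AWS service callers appear as hostnames, not IPs
        return False
    return not any(addr in net for net in INTERNAL)

def build_baseline(history):
    """Map (principal ARN, eventName) to the source IPs and call times seen so far."""
    base = defaultdict(lambda: {"ips": set(), "times": []})
    for r in history:
        slot = base[(r["userIdentity"]["arn"], r["eventName"])]
        slot["ips"].add(r["sourceIPAddress"])
        slot["times"].append(datetime.strptime(r["eventTime"], FMT))
    return base

def triage(event, base, tolerance=0.25):
    """Return (verdict, reasons) for one event judged against the baseline."""
    seen = base.get((event["userIdentity"]["arn"], event["eventName"]))
    src, when, reasons = event["sourceIPAddress"], datetime.strptime(event["eventTime"], FMT), []
    if seen is None:
        reasons.append("principal has no history of this call")
    else:
        if src not in seen["ips"]:
            reasons.append("new source IP for this principal and call")
        times = sorted(seen["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        usual = median(gaps) if len(gaps) >= 3 else None
        if usual and abs((when - times[-1]).total_seconds() - usual) > tolerance * usual:
            reasons.append("off the usual cadence")
    if is_external(src):
        reasons.append("external source IP")
    return ("investigate" if reasons else "dismiss"), reasons

def rec(when, arn, ip, name="ListBuckets"):  # builds a constructed sample record
    return {"eventTime": when.strftime(FMT), "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"arn": arn}}
# Constructed sample: eight weekly runs of one job, then the same call from two callers.
JOB, T0 = "arn:aws:iam::111122223333:role/backup-job", datetime(2024, 1, 1, 2)
BASELINE = build_baseline(rec(T0 + timedelta(weeks=w), JOB, "10.0.4.17") for w in range(8))
ROUTINE = rec(T0 + timedelta(weeks=8), JOB, "10.0.4.17")
INTRUDER = rec(T0 + timedelta(weeks=8, hours=5), "arn:aws:iam::111122223333:user/pedro", "198.51.100.23")
```

Calling triage(ROUTINE, BASELINE) dismisses the ninth weekly run, while triage(INTRUDER, BASELINE) returns "investigate" with its reasons listed.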
A read-only export covering the last 30–90 days. No agent to install, no role in your account.
Every notable action is triaged against your account’s own baseline — pulling timelines, checking IPs, reconstructing what happened — not matched to a generic rule.
A report: what needs you, with explanations and fixes — and what we safely dismissed, and why.
In scope: AWS CloudTrail management events from the window you send — a focused triage of the notable actions, not a full audit and not a replacement for monitoring. Each verdict is a real investigation — timeline, enrichment, and reasoning against your own history, with the evidence shown — automated end to end and a starting point you can verify. We never touch your environment.
The hard part is knowing what’s normal for your account — so it can safely dismiss the 90% that’s noise and stand behind the few things it won’t. That’s what we built, and it’s why pasting logs into a chatbot doesn’t hold up.
90 days of CloudTrail is millions of events — far past any chat window. Gideon queries your full history instead of reading it all at once.
Without your baseline, an AI flags everything as suspicious. Gideon knows what’s normal for you — so it can safely dismiss the noise.
Each alert gets a real workup — timeline, enrichment, related events — not one shallow pass over a truncated paste.
No detection engineering, no analyst, no daily log-wrangling. Connect once; the short list lands in your inbox.
No usage meters, no per-GB ingest, no surprise bill at the end of the month — the thing you’re probably trying to get away from. The price is the price.
All prices in USD, billed monthly per AWS account; cancel anytime — see our Refund Policy. Payments and tax are handled by Paddle.com, our Merchant of Record. A fraction of what MDR or a SIEM seat costs — and you’ll never get a usage-based surprise. Need a fully managed, analyst-in-the-loop tier? Talk to us.
Send a read-only CloudTrail export and we’ll send back what actually matters — within one business day. Free, no commitment.
Upload your CloudTrail → get your report … or just email audit@gideonhq.io
A read-only export of your AWS CloudTrail for the last 30–90 days. Nothing else — no agent, no role in your account.
The history is what lets Gideon tell routine activity from a real attack. A short snapshot makes everything look suspicious.
We use them only to generate your report, then delete them within 7 days. We never share them. We’re early — happy to talk through specifics before you send anything.
The first report is free — one per company. Continuous monitoring is flat-rate from $249/mo per AWS account — no usage meters, no surprise bill. You only move to paid once you’ve seen the value.
Easiest path, no setup: AWS Console → CloudTrail → Event history → set the time range as wide as available (up to 90 days) → Download events → Download as JSON. That single file is exactly what we need — upload it on the report page.
Prefer the CLI? aws cloudtrail lookup-events over your date range works too. Already deliver CloudTrail to an S3 bucket? Send a 30–90 day range of those .json.gz files. Any standard CloudTrail JSON is fine — no reformatting.