Forem: Lorcan O'Flynn

Why We’re Building PostureX, and How It Works

Lorcan O'Flynn — Thu, 18 Dec 2025 13:40:44 +0000

This article is intentionally a little technical. It’s written for founders, CTOs, and security leads who want to understand how PostureX works in practice.

Why PostureX exists
Alternative options on the market
How our approach is different
Under the hood
Using AI thoughtfully
Final thoughts and how to try PostureX

1. Why PostureX exists

If you work at a startup, you’ve likely faced security questions before knowing what really needs fixing. Most issues are already out there, spread across your AWS accounts, regions, and connected systems. The challenge is bringing all those signals together, figuring out what matters most, and deciding what to fix first. This often happens when you’re already busy with customers, investors, or a big review.

We built PostureX to help you get ahead of these problems. It gives teams, using AWS as their core cloud, a clear, early view of their security, shows what needs fixing, helps you set priorities, and makes security reviews less stressful, all without slowing down your product work.

2. Alternative options on the market

There are already some great tools available, and we want to mention them.

For example, many teams are familiar with Prowler. It’s an excellent tool and is especially good at a few things:

Multi-cloud coverage
Open source at its core
A growing paid SaaS with Prowler Hub and Lighthouse

These tools are powerful and give teams a lot of flexibility, especially if you work with different environments or are building your own security setup and programme.

PostureX is more focused and emphasises keeping your data under your control. Our setup and features are designed for teams selling to enterprises that want simple, actionable insights instead of a large, general-purpose toolkit.

Once findings are known and remediations are required, we offer optional foundations and remediation services to accelerate your time to pass a security review.

3. How our approach is different

PostureX was designed for AWS from the beginning, along with the systems startups usually use with it.

Our checks follow industry standards and cover areas like identity and access management, logging, networking, encryption, key management, storage rules, compute exposure, guardrails, and overall organisational posture. You can adjust how strict the scans are by setting the criticality level, helping you balance thoroughness and noise.

Here are a few key ideas that shaped how we built PostureX:

Local execution and data control

PostureX runs on your own machine by default. Your findings and evidence stay with you unless you choose to share them.

Clear split between app and engine

The desktop app shows you your results and gives context. The command-line engine runs the checks and creates the findings.

Actionable findings

Each finding is connected to the affected resources, matched to the right controls, given a severity level, and explained in plain English so you know why it matters.

Practical remediation guidance

Currently, our remediation advice helps teams decide what to fix and how to fix it. As we grow, we’ll add advice focused on code as well.

Multi-region, multi-account enabled by default

You can invoke a scan across multiple accounts and regions during our early access programme, all from your local device. Findings are browsable and visible via your locally hosted desktop. We offer a global map view to break down findings by region.

PostureX works well on its own. Some teams use it to fix issues or improve their AWS setup, but you don’t need to buy anything extra to get value from it.

4. Under the hood

PostureX has two main parts: a desktop app and a command-line tool.

The desktop app lets you see scan history, findings, trends, and advice on what to fix. The command-line tool runs the checks using read-only access to your setup.

When PostureX connects to AWS, it uses only read-only access. We recommend using SSO for better security. We provide a sample permission set to run tasks safely across multiple AWS accounts. Scanning across accounts in AWS Organisations is supported, and you can enable it in different regions if needed. Currently, we support commercial AWS regions.

You can also connect third-party systems like GitHub and Google Workspace using OAuth with read-only permissions. This gives more context on access, admin settings, and CI/CD setup. AWS remains the main focus, but these extra checks help complete the picture where it matters.

Your findings and evidence are saved locally by default and linked to each scan with timestamps. If needed, you can export evidence in structured formats. We also support integration with AWS Audit Manager to help with audits.

PostureX only connects to our systems for two things:

Authentication with our identity service
Checking your licence from time to time

If your team needs more collaboration, you can deploy our optional customer-hosted backend directly in your own cloud environment.

This backend adds features like shared scans, scheduled scans, team-wide visibility, and secure collaboration, while keeping your data under your control. You choose when and how to use it, and you never have to send data outside your environment.

5. Using AI thoughtfully

PostureX comes with optional AI features that are still in alpha.

These tools help teams understand findings, evidence, and other data by offering guidance and insights. We don’t use AI to make decisions or fix things automatically.

If you turn on these features, we can set up your own AI backend for team collaboration, sharing context, and deeper analysis of your results. You choose your model and control what’s logged, so your data stays yours and follows your rules.

AI is there to help your team, not do the job for you.

6. Final thoughts and how to try PostureX

We’re offering early access to PostureX, and some teams can start for free to install, run scans, and see their findings.

If you’re a startup using AWS and want to find security issues early, decide what to fix first, and prepare for security reviews, this programme is for you.

If you’re interested, you can sign up for early access on our here.

Not sure if PostureX is right for your team?

ICYMI - pre:Invent announcements 2025

Lorcan O'Flynn — Thu, 27 Nov 2025 20:49:27 +0000

AWS re:Invent 2025 — What We’re Watching

AWS re:Invent runs next week, December 2–6, 2025, in Las Vegas.

In the weeks leading up to pre-re:Invent announcements, staying up to speed is a challenge. With the constant stream of AWS news, even those of us embedded in the ecosystem struggle to keep up.

To stay on top of announcements year-round, check out aws-news.com. It has become the de facto place to track what’s new across AWS.

In this article, we’re sharing 10 announcements across Governance, Risk, Compliance, Security, Organisation Management, and AI that matter for building resilient, well-governed, secure systems, as well as responsible AI systems.

These were chosen because we believe they will have a meaningful impact for our customers and the broader ecosystem.

Creating this post also helps us research each announcement and unpack its implications for the products we build and the teams we work with.

If there are any inaccuracies at the time of writing, please reach out and we’ll update the reference article.

AWS IAM Temporary Delegation
Amazon CloudWatch Logs Centralisation
AWS IAM Outbound Identity Federation
Amazon Bedrock Guardrails for Code Security
AWS Secrets Manager Managed External Secrets
AWS Organizations Direct Account Transfer
CloudTrail Aggregated Events
Amazon Inspector Organization-Wide Management
AWS PrivateLink Cross-Region Connectivity
AWS WAF Web Bot Auth Support
What’s Next

1. AWS IAM Temporary Delegation

The announcement

AWS introduces IAM temporary delegation, allowing SaaS partners to automate customer onboarding by requesting time-limited, scoped permissions to deploy resources in customer AWS accounts. Customers review and approve the request in the AWS console, and access automatically expires.

Who it’s for & real-world scenario

For SaaS and security vendors that need to deploy infrastructure during customer onboarding.

Scenario: Your SIEM platform needs to configure data sources across a customer’s AWS account. Instead of asking for a long-lived IAM role, the customer approves a short-lived delegation in their console. You get scoped access for 30 minutes, complete setup, and access expires automatically. Vendors such as CrowdStrike, HashiCorp, and Databricks are already using this.

Availability

Available now for AWS ISV Accelerate Program partners. Broader GA expected.

Pricing

Free, built into AWS IAM.

2. Amazon CloudWatch Logs Centralisation

The announcement

CloudWatch now supports cross-account and cross-region log centralisation, allowing log data from multiple AWS accounts and regions to be copied into a single destination account.

Who it’s for & real-world scenario

For organisations managing logs across multiple accounts and regions that want centralised visibility without custom pipelines. Scope rules across your organisation or selected OUs. Logs are enriched with account and region metadata. Note that only new log data is centralised.

Availability

Available in 17 regions globally.

Pricing

First copy is free. Additional copies cost $0.05/GB. Standard storage pricing applies.

3. AWS IAM Outbound Identity Federation

The announcement

AWS IAM now supports outbound identity federation, enabling AWS workloads to authenticate with external services using short-lived JWTs instead of long-term credentials.

Who it’s for & real-world scenario

For teams accessing third-party SaaS or cloud platforms from AWS. A Lambda function can authenticate to an external service using a signed JWT rather than stored secrets.

Availability

Generally available across all AWS commercial, GovCloud, and China regions.

Pricing

No additional cost.

4. Amazon Bedrock Guardrails for Code Security

The announcement

Bedrock Guardrails now extend to code generation, detecting malicious injections, prompt leakage, and PII in code across 12 programming languages.

Who it’s for & real-world scenario

For teams building AI-powered coding tools. Guardrails prevent sensitive data from being introduced into generated code.

Availability

Generally available where Bedrock Guardrails is supported.

Pricing

Included in standard Guardrails pricing.

5. AWS Secrets Manager Managed External Secrets

The announcement

Secrets Manager now supports managed rotation for third-party SaaS credentials without custom Lambda functions.

Who it’s for & real-world scenario

For organisations integrating SaaS platforms like Salesforce or Snowflake that require regular credential rotation.

Availability

Generally available for supported SaaS providers.

Pricing

Standard Secrets Manager pricing applies.

6. AWS Organizations Direct Account Transfer

The announcement

AWS Organizations now supports direct account transfers between organisations without accounts becoming standalone.

Who it’s for & real-world scenario

For enterprises handling M&A or internal restructures. Accounts retain governance and billing throughout the transfer.

Availability

Generally available.

Pricing

No additional cost.

7. CloudTrail Aggregated Events

The announcement

CloudTrail introduces aggregated data events, summarising high-volume API activity into five-minute windows.

Who it’s for & real-world scenario

For security and compliance teams managing high-volume environments who need trend visibility without processing millions of events.

Availability

Available in all CloudTrail regions.

Pricing

Charged per data event analysed.

8. Amazon Inspector Organization-Wide Management

The announcement

Amazon Inspector now supports organisation-wide enablement and configuration using AWS Organizations policies.

Who it’s for & real-world scenario

For large organisations needing consistent vulnerability scanning across many AWS accounts.

Availability

Generally available across commercial, China, and GovCloud regions.

Pricing

Included in standard Inspector pricing.

9. AWS PrivateLink Cross-Region Connectivity for AWS Services

The announcement

PrivateLink now supports cross-region connectivity to AWS-managed services.

Who it’s for & real-world scenario

For organisations with strict data residency requirements that need private cross-region access without public internet exposure.

Availability

Generally available in commercial regions.

Pricing

Standard PrivateLink and inter-region data transfer pricing applies.

10. AWS WAF Web Bot Auth Support

The announcement

AWS WAF now supports Web Bot Auth, enabling verification of legitimate AI agents and automated tools.

Who it’s for & real-world scenario

For teams running public applications that want to allow verified bots while blocking malicious automation.

Availability

Available for AWS WAF-protected applications.

Pricing

No additional charge beyond standard WAF pricing.

What’s Next

These announcements represent only a fraction of what’s coming at re:Invent. Whether you’re building infrastructure, improving security, preparing for compliance, or exploring AI, there’s something here that likely impacts your roadmap.

For a complete list of announcements, visit aws-news.com.

If we’ve missed something important, reach out and we’ll update this reference.