Amazon Web Services
24x7 detection and response for AWS workloads and custom apps using AWS native services
Managed detection and response for AWS
(delivered by a team that knows AWS instances are cattle, not pets)
When you’re growing, security can take a back seat to the needs of your engineers. That makes sense. After all, you want your engineers focused on coding. Expel helps your security strategy keep up by detecting and chasing down security risks unique to Amazon Web Services.
Detections designed
for your AWS environment
Our AWS detection strategy uses native AWS services:
- Analyzes GuardDuty and Macie alerts
- Adds custom detections for high-risk activities
- Then, we tune our detections to match your apps and workloads

What we do
24x7 AWS monitoring
Our analysts chase down your AWS alerts so you can focus on building new features, products and services.
Investigations in AWS
We’ll connect the dots from suspicious AWS alerts back to their root cause and tell you what they mean.
Fixes “written in cloud”
Whenever possible, our analysts will recommend configuration changes to address activities we tell you about.
What we look for
(updated at AWS speed)
AWS rolls out nifty new services and capabilities at a dizzying pace. As you add new AWS services, we’ll evaluate them and update our detection and response strategy where it makes sense so your security strategy can stay in synch with your engineering team. Here are a few examples of things we’ll look for:
How we use native AWS services
(hint: GuardDuty is just a starting point)
Expel uses API integrations to connect directly to the AWS platform. We support authentication via an AWS IAM Role (recommended) or IAM User with a set of read-only permissions. To collect data, Expel communicates directly with APIs for services like GuardDuty and Amazon Inspector, and pulls CloudTrail data from S3.

How Expel uses AWS services for detection, investigation and response
AWS service | Examples of how we use them | Detect | Investigate | Remediate |
---|---|---|---|---|
Detection signalThings that ring the bell and tell us there’s something to look for |
||||
Amazon GuardDuty | To find things that go bump in your VPC | |||
AWS Identity & Access Management | Monitor who’s accessing your environment | |||
Amazon Inspector | Know when config changes are putting you at risk | |||
AWS Key Management Service | Monitor who’s touching your encrypted data | |||
Amazon RDS | Know when your data goes for a walk | |||
Amazon Redshift | Know when your data goes for a walk | |||
AWS Security Hub | Unified view and compliance checks | |||
Investigative supportWhat our SOC uses to determine if there’s a real threat and determine the scope and intent |
||||
AWS CloudTrail | The API audit log you’ve been waiting for | |||
Amazon CloudWatch | Operational monitoring, FTW! | |||
Amazon Detective | Decision support that turns frowns upside down | |||
Remediation toolsWe don't kill or isolate production services but we can talk about how to use these services |
||||
AWS Lambda | Make fixes to give you that 'post' breach touch-up look | |||
AWS Systems Manager | Automation to restore you to know-good |

Blog
Making sense of
Amazon GuardDuty alerts
What is AWS GuardDuty and how can you make sense of all the signals? Here are our pro tips.

Blog
Following the
CloudTrail: Generating strong AWS security signals with Sumo Logic
Looking to get more or better security signals out of AWS? Then you’ll wanna read our pro tips on making the most of Amazon Cloud Trail.
Trial
Put us to the test
with a two-week free trial
Looking to strengthen your cloud security? Then try Expel Workbench™ for AWS to get Expel validated alerts and a chance to automate your investigations.
Give us 30 minutes to show you how we can protect your data and workloads in AWS.
Thanks for clicking submit. Your message is now being directed to a real person.