Privilege Guardrail Cuts MTTR for Global SaaS Provider

Executive Summary 

A fast-growing SaaS company needs to curb risky privilege escalation while accelerating releases. Manual IAM reviews, siloed logs, and fragmented tooling stretched mean-time-to-respond (MTTR) hours. MetaSecure Autonomous SOC —an LLM-powered, policy-as-code SOC built entirely on AWS—automated detection, triage, and containment. Within eight weeks, the customer cut MTTR by 80%, blocked 100% of unauthorized admin grants, and freed analysts for higher-value threat hunting. 

Customer Challenge 

Business Challenges 

A customer—an established SaaS provider processing millions of collaboration events per day— faces a widening gap between release velocity and security assurance. Every request for Administrator Access in the AWS production account triggered a manual, two-stage approval queue that averaged two weeks, delaying feature rollouts and frustrating engineers. A string of incidents traced to stale admin credentials exposed deficiencies in privileged-access governance and jeopardised an upcoming SOC 2 Type II audit. 

The existing ELK-based SIEM flooded analysts with non-contextual alerts, forcing them to stitch together insights from CloudTrail, Meraki, and Cloudflare logs. Analysts spent 40% of their week pivoting between dashboards and spreadsheets, inflating operational costs. Leadership mandated reducing mean-time-to-respond (MTTR) by 75% without adding headcount, while strategic customer renewal depended on demonstrable improvements to privileged access control within the next quarter. 

Budget constraints ruled out large-scale hardware upgrades or additional licenses. What the customer needed was an autonomous yet explainable solution that could: 

• Enforce least-privilege in real time 

• Deliver human-readable context through a single chat interface 

• Integrate seamlessly with Atlassian workflows 

• Scale natively on AWS without architectural upheaval 

Technical Challenges 

Telemetry was fragmented: Meraki switches emitted raw syslog, Cloudflare logs streamed via S3, and CloudTrail captured IAM activity—none shared a common query layer. Custom Python scripts detached IAM policies but lacked idempotency, produced no audit artefacts, and frequently broke with SDK changes, creating technical debt. 

The ELK cluster had reached shard limits; scaling required larger EC2 nodes outside the budget. There was no AI reasoning layer, forcing brittle Lucene queries for basic anomaly detection. Jira integration relied on unidirectional webhooks, leaving ticket status isolated from remediation workflows.

Reliability and security concerns compounded the problem: microservices communicated over plain HTTP, conflicting with zero-trust guidelines and complicating SOC 2 evidence collection. The customer required a cloud-native solution that could: 

• Handle > 10k log lines/s with sub-second ingestion 

• Provide bidirectional Jira interaction and full audit trails 

• Encrypt data at rest and in transit using AWS KMS and TLS 1.3 

• Deploy via infrastructure-as-code without introducing proprietary runtimes 

Only an AWS-native, agent-centric architecture with shared LLM intelligence could satisfy these requirements while meeting aggressive timeline and budget constraints. 

Partner Solution 

Solution Overview 

etaSecure deployed Autonomous SOC, a multi-agent SOC platform that runs natively on Amazon EKS Fargate and uses Amazon Bedrock (Gemini 1.5-Flash) as the shared reasoning engine for every agent. Security events enter the cluster through Amazon Event Bridge (filtered IAM and GuardDuty feeds) and two Model-Context-Protocol (MCP) gateways—Loki MCP for log search and Meraki MCP for network telemetry.

An easy-to-use UI connects to the Orchestration Agent, decomposing analyst questions into A2A calls to Triage, Investigation, Correlation, Runbook, Containment, Remediation, Learning, and Case-Manager agents. All long-term knowledge is stored in Amazon Aurora Serverless v2, while policies and runbooks live in Amazon S3. Containment actions are executed through IAM, AWS WAF, and AWS SSM Run Command. The result is an autonomous, policy-controlled SOC that delivers sub-minute MTTR, full auditability, and zero-trust communication, without introducing non-AWS infrastructure. 

AWS Services Used 

• Amazon EKS Fargate: Runs stateless ADK agent pods with IRSA roles. 

• Amazon Bedrock: Provides LLM inference to every agent. 

• Amazon Event Bridge: Streams filtered CloudTrail & GuardDuty events to the cluster. 

• Amazon S3: Stores policy repo, runbooks, and cold log archives. 

• Amazon Aurora Serverless v2 (PostgreSQL): Knowledge base of incidents, trust scores, runbook metadata. 

• AWS IAM / WAF / SSM: Containment & remediation actions (detach policy, block IP, run patch). 

• AWS KMS: CMKs for Aurora, S3, Loki disks, and TLS certificates. 

Architecture Diagram

Implementation Details 

How the solution was implemented – The MetaSecure Autonomous Soc engineering team delivered AgentSOC as an Infrastructure-as-Code (IaC) stack using the AWS Cloud Development Kit (CDK). All nine ADK 1.5 agent containers were packaged into OCI images, stored in Amazon ECR, and deployed to an EKS Fargate profile. MCP gateways (Loki, Meraki, Jira) were added as sidecar deployments behind a Network Load Balancer. Aurora Serverless v2, S3 buckets, EventBridge rules, and IAM policies were provisioned in the same CDK app, ensuring deterministic, one-click environments for dev, staging, and prod. 

Methodology (Agile/DevOps): Work proceeded in two-week Scrum sprints with continuous delivery via GitHub Actions. Every pull request triggered unit tests, Bedrock local-mode checks, and CDK diff. Successful merges auto-promoted images to staging, and blue/green Fargate swaps provided zero-downtime rollouts. 

Migration approach – Existing ELK pipelines were redirected by: 

• Deploying Loki collectors in parallel; 

• Re-configuring syslog forwarders (Meraki, on-prem SIEM) to send to Loki MCP; 

• Using a Lambda fan-out to replay a week of historical CloudTrail data into EventBridge for backfill. 
  Cutover required no downtime and preserved legacy indices for audit purposes. 

Integrating existing systems—Jira MCP leverages an AWS-hosted Lambda proxy with OAuth2 to map Case-Manager events to Jira Cloud issues bidirectionally. Slack alerts are sent via Amazon SNS topics that analysts can mute during the maintenance window. Bedrock calls use VPC endpoints to keep LLM traffic inside the customer’s private address space. 

Security & compliance considerations – Every pod runs under an IRSA role with the minimum privileges defined in AWS Verified Permissions. S3 and Aurora use customer-managed CMKs; all inter-pod traffic is encrypted by Envoy sidecars, enforcing TLS 1.3. CloudTrail data events are enabled on S3 and ECR for complete visibility, and a GuardDuty detector scans the VPC for anomalous traffic.

Deployment & testing strategy – The pipeline executes chaos tests (forced IAM detaches) and load tests (15k logs/s via JMeter). Canary agents run synthetic queries every five minutes; failures auto-roll back the last deployment. 

Innovation and Best Practices 

• LLM-in-Every-Agent Pattern – Rather than a single “AI brain,” each agent invokes Amazon Bedrock directly, enabling parallel, domain-specific reasoning while centralising model governance. 

• Pure MCP Boundary—All external systems (logs, network gear, Jira) connect through Model-Context-Protocol, preserving the integrity of the A2A mesh and minimising custom code. 

• Policy-as-Code with Cedar + Rego—Verified Permissions handles high-level “who can act,” while OPA Rego expresses fine-grained containment triggers. Both are stored in Git and hot-reloaded. 

• Well-Architected Alignment – Principle of least privilege (IRSA), secure communications (TLS 1.3), reliability (Fargate auto-scale), cost optimisation (Serverless Aurora). 

• DevOps Excellence – CDK, GitHub Actions, and automated chaos tests ensure repeatable deployments and operational resilience.