AWS shipped two “frontier agents” to general availability this week: a Security Agent that runs autonomous penetration tests, and a DevOps Agent that triages and resolves production incidents. Both are now live in six regions. The early customer numbers are significant enough to take seriously: HENNGE reports penetration testing timelines compressed from weeks to hours, and Western Governors University cut mean time to resolution from roughly two hours to 28 minutes using the DevOps Agent.

The Security Agent’s model is meaningfully different from existing automated scanning tools. Traditional pen testing automation (Metasploit, Burp Suite integrations, managed vulnerability scanners) is scripted and signature-based. It finds what it knows to look for. The AWS Security Agent runs an agentic loop — it forms hypotheses about attack vectors, executes tests, interprets results, and adapts its approach. That changes the category from “vulnerability scanner” to something closer to a junior red teamer who can operate continuously rather than in periodic engagements. Pricing is $50 per task-hour, with an average 24-hour evaluation running up to $1,200. There is a two-month free trial.

The DevOps Agent integrates directly with the observability stack you probably already have: CloudWatch, Datadog, Dynatrace, New Relic, Splunk, and Grafana on the monitoring side; GitHub, GitLab, and Azure DevOps for code. When an alert fires, the agent correlates the signal against recent changes, forms a root cause hypothesis, and either resolves it directly or escalates with a diagnosis. The 77% reduction in MTTR at WGU is a compelling number, though the improvement likely reflects both the speed of automated diagnosis and the elimination of on-call response latency, not just agent quality.

The broader pattern here is that AWS is productising agentic workflows for specific, high-value operational domains rather than offering a generic agent framework and asking customers to build use cases themselves. That is a different bet from what most platform vendors are making. The risk is vertical lock-in: an organisation that builds operational muscle around AWS Security Agent is in a difficult position if AWS changes pricing or the agent’s behaviour in a future model update. The benefit is that the integration surface is small and the time-to-value is fast.

The challenge for security teams is whether continuous automated pen testing changes their compliance posture. Most certification frameworks still require periodic human-led assessments. If AWS Security Agent outputs are not yet accepted as evidence for SOC 2 or ISO 27001 audits, the immediate use case is internal validation and shift-left security, not compliance automation. That will change, but that acceptance is not there yet.