AWS expanded Security Agent with threat modeling, pull request reviews, Confluence context, Kiro support, a Claude Code plugin and an MCP integration, giving developers one path for reviews and fixes inside their tools.

Service update
AWS has expanded AWS Security Agent with preview features for code review, design review and threat modeling, plus new developer-tool integrations for Kiro, Claude Code and Model Context Protocol clients.
The service sits inside AWS Continuum and covers three points in the application life cycle: design, development and deployment. Teams can use design review and threat modeling before they write code, pull request and repository reviews during development, and on-demand penetration testing before production release.
AWS made on-demand penetration testing generally available before this release. The new launch extends the preview side of the service, with full repository review, pull request scanning, security requirements packs and simulated validation. AWS added GitLab and Bitbucket alongside GitHub. Teams can bring Confluence pages into the review context.

The code review update targets the gap between pattern scanning and application review. Developers can ask Security Agent to review a pull request or a full repository, compare the code with security requirements and return remediation guidance inside the same workflow. Security teams can select repositories, set requirements and intervene on high-risk findings.
AWS says Security Agent can validate findings in simulated environments and show proof of exploitability. That claim matters for security teams that spend time sorting scanner output. A scanner that points to a risky line helps. A review system that shows an exploit path, names the control gap and proposes a fix gives engineers a clearer next step.

AWS also added security requirements packs for AWS WAF, NIST Cybersecurity Framework, PCI DSS and AWS best practices. Teams can import their own requirements from internal documents or Confluence. Security Agent maps findings to those requirements, which helps teams connect design and code review with audit work.
Threat modeling enters preview in this release. Architects can give Security Agent design documents or source code, then ask it to build application context. The tool uses the STRIDE framework to identify spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege risks.
A useful threat model needs more than a list of attack types. Architects need data flows, trust boundaries, entry points, dependencies and likely abuse paths. AWS says Security Agent builds that context from repository and design material, then ranks threats and recommends mitigations.
AWS added a Kiro power and announced a Claude Code plugin. Developers can run code reviews, generate threat models and remediate findings from an IDE or command line. Teams that use AI coding tools can connect through the open Model Context Protocol, which gives agents a common pattern for calling external tools and reading structured context.
Developers can start in Kiro by asking it to set up AWS Security Agent. Kiro checks for an Agent Space and guides the user through selection or creation. After setup, a developer can ask Kiro to run a full security scan on the repository or build a threat model for the application. Kiro saves the threat model at .security-agent/threat_model.md.

AWS points users to AWS Security Agent pricing and promotes a two-month free trial. The launch post does not list a new per-scan price, so buyers need to check Region, account terms and workload volume before they estimate cost. AWS says the features run in commercial Regions where Security Agent runs. Teams can check AWS Regional availability before rollout.
Use cases
Application teams can use the new code review path for pull requests that touch authentication, authorization, data access or network exposure. A normal review catches style and business logic issues. Security Agent can add exploit analysis, requirement checks and fix suggestions before a maintainer merges the change.
Platform teams can run full repository scans before a migration, major release or compliance review. Full scans help when a codebase has years of accumulated risk and few current owners. Security Agent can review the repository context, find risk clusters and give maintainers a ranked list of fixes.
Security teams can use requirements packs to turn policy into developer feedback. A PCI DSS requirement that lives in a document often reaches engineers late. A requirement that appears during design review or pull request review reaches the team while the code can still change.
Architects can use threat modeling before they commit to service boundaries. A payment system, customer data platform or internal admin tool needs a clear view of trust boundaries. Teams can give Security Agent diagrams, design notes or source code and ask for threats tied to each boundary.
Kiro and Claude Code users get a shorter path from finding to fix. A developer can request a scan, pull findings into the workspace and start a bugfix session against the top issue. That workflow suits teams that already use AI tools for code changes and want security context in the same place.
The MCP integration gives larger teams a broader option. A company that standardizes on another AI IDE can connect Security Agent without waiting for a custom extension. MCP also gives platform teams a cleaner way to expose security review as a tool that agents can call during development.
Trade-offs
Security Agent asks teams to put sensitive design and source context into an AWS-managed workflow. That can fit companies that already run code, build systems and security telemetry in AWS. Companies with strict source control boundaries need to review data handling, retention, access controls and Region support before adoption.
Preview status adds another constraint. AWS can change code review, design review, threat modeling and IDE integrations before general availability. Teams should start with a limited repository set, compare findings against existing tools and track false positives before they make the service part of release gates.
Simulated validation can reduce noise, but teams still need human review. A tool can show exploitability for a finding, yet developers know product context, compensating controls and rollout risk. Security teams should treat Security Agent output as expert input for review, not as an automatic merge blocker.
The IDE integration also changes developer experience. Inline findings help engineers fix issues in flow. Too much automated feedback can slow reviews or train teams to ignore alerts. Teams should tune requirements, start with high-severity classes and add broader checks after developers trust the signal.
Cost needs early modeling. Repository scans, pull request checks, threat models and penetration tests can hit budgets in different ways. A team that scans every pull request across many repositories may see a different cost profile than a team that runs full scans before quarterly releases.
AWS Security Agent gives AWS users a broader agentic security path across design, code and deployment. The value depends on how well teams connect it to their review habits, source systems and compliance needs. Used with clear scope and human ownership, it can move security review closer to the code and architecture decisions that create risk.
