How it works

The Agent learns your security context, then acts on it.

Amnify Agent runs scans, reads useful context from existing tools, and builds a knowledge graph across cloud, code, Kubernetes, containers, pentests, docs, tickets, and chat. It asks for missing context when needed and acts only within the limits you set.

Agent intelligence

The knowledge graph is the working memory.

Amnify does not treat findings as isolated alerts. It builds a connected graph across scan results, cloud, code, owners, policies, open work, chat context, and remediation history.

Runs scans and reads context

Cloud accounts, code repositories, SAST, DAST, Kubernetes, containers, pentests, tickets, docs, chat, runbooks, and deployment history become shared context.

Asks for missing context

When ownership, intent, exception rationale, or business impact is unclear, the Agent can ask the right person instead of guessing.

Improves with every decision

Approvals, disputes, fixes, and ignored recommendations become feedback that helps the Agent act more precisely over time.

Amnify mark

Amnify Agent

Security knowledge graph

One connected model for reasoning across risk, ownership, and remediation.

SignalsGraphActions

Code

GitHub logoGitLab logoTerraform logo

Repos, dependencies, secrets, and infrastructure-as-code.

Signals indexed
ReposDependenciesSecretsIaC

Runtime

Docker logoKubernetes logoServerless logoDatadog logo

Containers, pods, services, and live operational signals.

Signals indexed
ContainersPodsServicesTelemetry

Cloud

AWS logoAzure logoGoogle Cloud logoMicrosoft 365 logo

Accounts, identities, networks, data stores, and configuration.

Signals indexed
AWSAzureGCPMicrosoft 365

Knowledge

Notion logoConfluence logoJira logoLinear logo

Docs, tickets, chats, policies, ownership, and runbooks.

Signals indexed
DocsTicketsChatPolicies

Cloud connections

Azure, AWS, and GCP connect through native cloud access.

Amnify uses provider credentials and least-privilege read access for scanning. You choose which subscriptions, accounts, and projects are enabled.

Azure

Service principal

Azure logo

Create an Azure app registration, grant the service principal Reader access to the subscriptions you want scanned, then add the tenant, application, and client secret in Amnify.

  • Reader access
  • Subscription discovery
  • No workload agent

AWS

IAM user or assume role

AWS logo

Connect AWS with static credentials or an assume-role setup. The docs use read-only scanning permissions such as SecurityAudit and validate the role before accounts are enabled.

  • SecurityAudit policy
  • Assume-role option
  • Account toggles

GCP

Service account

GCP logo

Create a dedicated service account with Viewer access, provide its JSON credentials, and choose the projects Amnify should scan.

  • Viewer role
  • Project discovery
  • JSON key

Deploy workflows

Approved templates, checked before they run.

Deploy turns approved cloud patterns into repeatable requests. Built-in checks cover common controls, while custom checks let operators enforce the rules that matter to your environment.

Predefined checks

Enable ready-made checks for the cloud and infrastructure patterns your team already reviews.

Custom checks

Add your own policy gates for ownership, regions, tags, exposure, approval rules, and business-specific requirements.

Reusable templates

Template-based deployments come from a GitHub-backed library, with variables rendered in the Amnify UI for repeatable requests.

Approval before execution

Plans are reviewed and approved before infrastructure changes are applied, with run history preserved for follow-up.