Compliant but still vulnerable

Find the AWS attack paths
your compliance tool misses.

Before they hit production. Built for engineers, priced for startups, works alongside Vanta and Drata.

Powered by agents I built. Shipped by someone who actually reads your Terraform.

Devon Booker - security engineer, AWS-native
kumo-assess  ·  AWS attack-path scan  ·  aws/us-east-1

Score: 35 / 100
Critical paths: 3
Path to root: 1
Total findings: 7

CRITICAL  PATH-01  developer-role → iam:PassRole → admin-role (CC6.3)
HIGH      PATH-02  ec2-instance-profile → s3:* on cust-data-prod (CC6.7)
HIGH      PATH-03  ci-deploy-role → AssumeRole * → unrestricted (CC6.3, CC7.2)
From the field

I ran this on my own AWS account.

It scored 35 out of 100. I wrote up every finding, the remediation, and what it cost to fix - Terraform diffs included. If you want to see what an honest AWS attack-path scan actually looks like, read the writeup.

Read the writeup
The problem

There's a gap between compliance and security.

Compliance tools: $5k-$30k/yr

Vanta and Drata get you to SOC 2. Necessary, but they don't see your AWS attack surface. That's by design; they're audit infrastructure.

Enterprise CNAPP: $50k-$200k+/yr

Wiz and Orca find the paths. Priced for security teams with the headcount and budget you don't have yet.

What's missing (the wedge)

A scan a startup CTO can act on - alongside the compliance tool you already pay for. That's where I sit.

Scan. Review. Remediate.

01 · SCAN

Agent-driven attack-path scan

I run a read-only scan that maps your IAM graph and surfaces the paths an attacker could actually chain. Thirty minutes. You approve the IAM role before anything starts.

02 · REVIEW

Walk every path on a call

We go through every path together, prioritized by blast radius. You get the full markdown report with evidence citations and severity scored against your audit timeline.

03 · REMEDIATE

Terraform, not slide decks

I deliver the Terraform modules and IaC changes that close the gaps as PRs against your repo. Fixed scope, fixed price, no surprise invoices.

What's covered

What kumo-assess looks for.

Control | Area | Checks
CC6 | Privilege escalation | IAM · MFA · least privilege · PassRole abuse
CC6.6 | Audit trail integrity | CloudTrail coverage · tamper resistance
CC6.7 | Data exposure paths | S3 · KMS
CC6.8 | Change detection coverage | Config · Security Hub
CC7 | Detection & response | monitoring · incident response
CC1, CC2, CC8, A1, C1 | Additional families | expanding quarterly

Built on direct AWS API calls, not heuristics. Five collectors today: IAM, CloudTrail, S3, Security Hub, Config. Read-only by construction. Methodology documented in the sample report.
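To make the "IAM graph" idea concrete, here is a small path walk over a constructed inventory. It is an added illustration, not kumo-assess code: the roles, their allowed actions and their trust policies are made up, the list of actions that consume a passed role is a constructed subset, and "path to root" is defined here as any chain of iam:PassRole or sts:AssumeRole hops ending at a role that can rewrite IAM policy. It reproduces the shape of PATH-01 and PATH-03 from the sample scan above.

```python
from collections import deque
from fnmatch import fnmatchcase

ARN = "arn:aws:iam::123456789012:role/"  # constructed account id

# Constructed inventory. "allow": (action, resource) pairs from identity policies;
# "trusts": roles whose principals the target's trust policy admits.
ROLES = {
    "developer-role": {"allow": [("iam:PassRole", ARN + "admin-role"),
                                 ("lambda:CreateFunction", "*")], "trusts": []},
    "admin-role": {"allow": [("*", "*")], "trusts": []},
    "ci-deploy-role": {"allow": [("sts:AssumeRole", "*")], "trusts": []},
    "release-role": {"allow": [("iam:*", "*")], "trusts": ["ci-deploy-role"]},
    "ec2-instance-profile": {"allow": [("s3:*", "arn:aws:s3:::cust-data-prod/*")],
                             "trusts": []},
}
# PassRole only escalates if the caller can also launch something that runs as the passed role.
PASS_CONSUMERS = ("lambda:CreateFunction", "ec2:RunInstances", "glue:CreateJob")  # constructed subset

def allowed(role, action, resource):
    """True if an allow statement on role matches action and resource (wildcards honoured)."""
    return any(fnmatchcase(action, a) and fnmatchcase(resource, r)
               for a, r in ROLES[role]["allow"])

def is_admin(role):
    """Any role that can rewrite IAM policy is treated as admin-equivalent."""
    return allowed(role, "iam:AttachRolePolicy", "*")

def edges(src):
    """Yield (edge label, destination role) for each one-hop escalation from src."""
    for dst in (r for r in ROLES if r != src):
        if allowed(src, "iam:PassRole", ARN + dst) and any(allowed(src, c, "*") for c in PASS_CONSUMERS):
            yield "iam:PassRole", dst
        # AssumeRole needs both the caller's permission and the target's trust policy
        if allowed(src, "sts:AssumeRole", ARN + dst) and src in ROLES[dst]["trusts"]:
            yield "sts:AssumeRole", dst

def paths_to_root(start):
    """BFS over simple paths from start; each hit is rendered 'role -> action -> role'."""
    found, queue = [], deque([[start]])
    while queue:
        path = queue.popleft()
        if len(path) > 1 and is_admin(path[-1]):
            found.append(" -> ".join(path))
            continue
        for label, dst in edges(path[-1]):
            if dst not in path:
                queue.append(path + [label, dst])
    return found
```

Note that ec2-instance-profile yields no path: its s3:* grant is a data-exposure finding, not a route to root, which is why the sample report scores it HIGH rather than CRITICAL.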

Three tiers. Fixed scope, fixed price.

Tier 1
Attack-path scan
$2,500
Delivered in 48 hours
  • Full read-only scan of your AWS environment
  • Markdown report with every path scored and prioritized
  • 1-hour walkthrough call
  • 48-hour turnaround
Tier 3
Full remediation engagement
From $15,000
4 to 6 weeks
  • Everything in Tier 2
  • I write the Terraform and deliver PRs to your repo
  • Follow-up scans to verify remediation
  • Fixed price after scoping call

Not sure which fits? Book a 30-minute scoping call and I'll tell you straight.

Built by an engineer. Not a compliance checkbox factory.

I built the tool I use. Four tiers of Claude agents plus a deterministic rules engine, read-only by construction. If you want to verify the methodology before trusting me with your environment, the sample report shows every step.

4 years in IT, security analyst today

Hands-on with AWS, Terraform, and cloud security day-to-day. I'm not a consultant watching from the outside.

Built the whole tool solo

Go-based read-only collectors, deterministic scoring engine, agent-driven analysis. Built by one engineer who reads code, not status reports.

Read-only by construction

Zero mutating API calls exist in any collector. The tool can only observe your environment. I'll send you the IAM Terraform for the read-only role before the engagement starts so you can audit exactly what I can do.
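Because you create the role yourself, the check worth running is on the role's policy documents. The following is an added example, not the tool's own Terraform or code: it classifies every Allow action in a constructed identity policy as read-only, data-plane read, mutating or unprovable wildcard, and confirms the trust policy pins sts:ExternalId. The read verbs and the data-plane exclusion list are my assumptions, and the assessor account id and external id are placeholders.

```python
import json
import re

# Control-plane read verbs; anything else in an Allow is treated as mutating (assumption).
READ_VERBS = re.compile(r"^[a-z0-9-]+:(Get|List|Describe|Lookup|Generate)[A-Za-z]*$")
# Reads that return customer data rather than configuration; a config scan should not need them.
DATA_PLANE_READS = {"s3:GetObject", "s3:GetObjectVersion", "kms:Decrypt",
                    "secretsmanager:GetSecretValue", "ssm:GetParameter"}

def audit_role_policy(policy_json):
    """Classify every Allow action in an identity policy document."""
    stmts = json.loads(policy_json)["Statement"]
    report = {"mutating": [], "data_reads": [], "wildcards": []}
    for s in (stmts if isinstance(stmts, list) else [stmts]):
        if s.get("Effect") != "Allow":
            continue  # Deny only narrows access
        actions = s.get("Action", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            if "*" in action:
                report["wildcards"].append(action)  # unprovable without expanding the service's action list
            elif action in DATA_PLANE_READS:
                report["data_reads"].append(action)
            elif not READ_VERBS.match(action):
                report["mutating"].append(action)
    return report

def trust_requires_external_id(trust_json):
    """True only if every Allow statement in the trust policy pins sts:ExternalId."""
    for s in json.loads(trust_json)["Statement"]:
        if s.get("Effect") == "Allow":
            if "sts:ExternalId" not in s.get("Condition", {}).get("StringEquals", {}):
                return False
    return True

# Constructed sample: a mostly read-only scanner policy with three actions that should be rejected.
SCANNER_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "iam:GetAccountAuthorizationDetails", "iam:ListRoles", "cloudtrail:DescribeTrails",
        "s3:GetBucketPolicy", "config:DescribeConfigRules", "securityhub:GetFindings"]},
    {"Effect": "Allow", "Resource": "*", "Action": ["s3:GetObject", "iam:PassRole", "ec2:Describe*"]},
]})
TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # placeholder assessor account
     "Condition": {"StringEquals": {"sts:ExternalId": "REPLACE-ME"}}}]})

if __name__ == "__main__":
    print(audit_role_policy(SCANNER_POLICY))
    print("external id pinned:", trust_requires_external_id(TRUST_POLICY))
```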

14 automated tests on the rules engine

The methodology is in the sample report. Every finding shows the underlying API call, the resource, and why it's a path. Show your work, not a black box.

I'm Devon Booker.

I'm a security engineer based in the Bay Area, focused on AWS-native startups working toward audit-ready security. I've spent the last four years in IT and security, and I'm currently a security analyst. On the side I build the tools I'd want to use in that role - like kumo-assess, the analysis engine I use on every engagement.

I'd rather ship Terraform than slide decks. If you're past the "do we need SOC 2" conversation and want someone who can actually close the gaps, we should talk.

FAQ

The questions I actually get.

Is this a replacement for Vanta or Drata?

No, and that's the point. Vanta and Drata are how you prove SOC 2 to auditors - they weren't built to find graph-based AWS attack paths. I work alongside them: I find the IAM and infrastructure paths an attacker could chain; you keep using Vanta/Drata for evidence collection and policy management.

How is this different from hiring a traditional compliance consultant?

Speed and focus. A traditional readiness assessment takes 2 to 6 weeks and produces slide decks. My scan takes 30 minutes and produces Terraform. The agent-driven tool handles the data collection and analysis that consultants do manually, which means I can spend my time on the remediation work that actually matters.

How do I know I can trust you with read-only AWS access?

Two ways. First, the sample report shows every step of the methodology end-to-end - I ran it on my own AWS account and wrote up every finding. Second, you create a read-only IAM role and I send you the Terraform for it before the engagement starts. The tool can only observe your environment; zero mutating API calls exist in any collector.

Do you have access to my AWS account?

You create a read-only IAM role. The tool cannot modify anything in your environment - zero mutating API calls exist in any collector. I send you the Terraform for the role before the engagement starts so you can audit exactly what I can see.

What happens if I need a framework other than SOC 2?

AWS attack paths are framework-agnostic - they're real risk regardless of what you're certifying. Findings map to SOC 2 (CC6, CC7), PCI, ISO 27001, and CMMC controls. If you have a specific framework need, email me directly.

What environments do you support?

AWS today. GCP and Azure are planned for H2 2026.

Can I see a sample report?

Yes - I ran kumo-assess against my own AWS account and wrote up every finding. Read the case study.

How do I get started?

Book a 30-minute scoping call. I'll ask about your environment, target audit date, and current state. You'll leave the call with a fixed price and a start date.

Ready to see your AWS attack paths?

Book a 30-minute scoping call. I'll tell you straight where you stand and what it'll cost to close.