SECOPS

Who touched your data? Your access logs know.

Every read, by every identity, on every object is already recorded in your S3 access logs. reCost turns that record into security signal: exposed data, stale credentials in use, vulnerable SDKs, and anomalous access - without SIEM ingestion costs.

DETECTION FROM ACCESS BEHAVIOR

Policy scanners check configuration. reCost checks what actually happened.

Exposed data detection

See which objects are being read by unfamiliar identities, from unfamiliar networks, at unfamiliar hours. Exposure shows up in access behavior long before it shows up in an audit.

Stale credentials in use

Credentials that were supposed to be retired but are still touching data are one of the most common findings in access logs. reCost surfaces every identity that reads data - including the ones IAM reviews miss.

Vulnerable SDK detection

End-of-life SDKs with published CVEs are still making requests to production buckets. reCost maps SDK versions in your logs to known CVEs and shows which buckets they touch.

Anomalous access patterns

Bulk reads, 403 storms, first-time access to sensitive prefixes, cross-account probing - request-level patterns that policy scanners were never designed to catch.

Without SIEM ingestion costs

S3 access logs are enormous. reCost analyzes them without routing them through your SIEM, so you get storage-layer detection without storage-layer ingestion bills.

PRIVACY AND ACCESS

Read-only. Metadata only. No data exposure.

reCost never reads your object contents. All signals are derived from S3 access log metadata: who, when, what operation, what response code, and how much. Your data stays in your account. We analyze the behavior, not the bytes.

Read-only IAM role · No S3 object content access · Metadata only · Connected in 5 minutes

FAQ

S3 security from access logs, answered

How does reCost detect threats in S3 without an agent?

reCost analyzes S3 server access logs - the request-level record AWS already writes for your buckets. Exposed data access, credential probing, vulnerable SDK usage, and anomalous read patterns are all visible in that metadata. Nothing is installed and object contents are never read.

How is this different from sending S3 logs to my SIEM?

S3 access logs at scale are expensive to ingest and noisy to query in a SIEM. reCost processes them outside your SIEM pipeline, applies storage-specific detection logic, and surfaces only the signals worth acting on - without per-GB ingestion costs.

Can reCost find stale credentials that are still in use?

Yes. Access logs show every credential that touches data. reCost highlights long-unused or supposedly-retired identities that are still actively reading objects - a common blind spot for IAM reviews that only look at policy configuration.

What access does reCost need?

A read-only IAM role with access to your S3 access logs and inventory. Setup takes about 5 minutes. reCost never reads object contents - metadata only.

See exactly what's happening in your S3 data layer

Works with your existing AWS setup. Read-only access. No agents. No data exposure.
