SOLUTIONS / SECURITY TEAMS

Find the attackers already inside your storage

Bucket policies and ACLs don't tell you what's actually happening at request level. reCost analyzes S3 access log behavior to surface exfiltration patterns, credential abuse, EOL SDKs with CVEs, and anomalous access, before you find out from a breach notification.

Book a Demo
THE PROBLEM

S3 security tools check policies. Attackers bypass policies.

Blind spot 1

Policy scanners miss behavior

A valid IAM role with correct permissions can still exfiltrate data. CSPM tools check configuration, not whether a principal is actively abusing its access right now.

Blind spot 2

EOL SDKs are a silent threat

End-of-life Python, Java, and Node.js SDKs with active CVEs are still making millions of requests to production buckets. Nobody has a view of which SDK versions are touching what.

Blind spot 3

Credential attacks are invisible

403 storms, repeated auth failures, and cross-account probing are visible in S3 access logs, but nobody is analyzing them at scale. GuardDuty catches some, but misses the slow and subtle patterns.

HOW RECOST HELPS

Behavioral threat detection at the S3 request layer

reCost reads your S3 access logs without touching your data. It correlates request patterns across all principals, buckets, and prefixes to surface signals that policy scanners and CloudWatch alarms were never designed to catch.

  • EOL SDK detection mapped to published CVEs and affected buckets
  • Exfiltration pattern detection: high-volume GetObject spikes by unfamiliar principals
  • Credential attack signatures: 403 storms, auth failures, brute-force timing patterns
  • Bucket configuration change feed correlated with access anomalies
  • PII path exposure detection in object key naming patterns
  • Browser user-agent alerts for non-programmatic access to data buckets
  • Cross-account access mapped to assuming principals and their behavior
Active threat signals
HIGHEOL SDK with CVE-2018-15869
boto3/1.9.x making 14K requests/day to pii-exports/ prefix. Patch available: upgrade to botocore >= 1.12.63.
HIGH403 storm: 4,218 denials in 6 min
arn:aws:iam::791... attempting access across 3 buckets. Pattern consistent with credential probing.
MEDExfiltration pattern detected
New principal downloaded 3.2GB via GetObject in 90 minutes. First seen 4 hours ago.
MEDBrowser UA on data bucket
Mozilla/5.0 UserAgent accessing analytics-parquet. No programmatic client ever used this bucket before.
LOWPII path exposure
Object keys in user-exports/ contain email addresses in plain text path segments.
PRIVACY AND ACCESS

Read-only. Metadata only. No data exposure.

reCost never reads your object contents. All signals are derived from S3 access log metadata: who, when, what operation, what response code, and how much. Your data stays in your account. We analyze the behavior, not the bytes.

Read-only IAM roleNo S3 object content accessMetadata onlyRuns in your AWS accountSOC 2 aligned
"

We had an EOL Lambda runtime making 2.3 million requests per month to our most sensitive bucket. GuardDuty didn't flag it. reCost found it in the first week.

Security Engineer, enterprise data platform

See exactly what's happening in your S3 data layer

Works with your existing AWS setup. Read-only access. No agents. No data exposure.

Book a Demo