EXPEL BLOG

Expel + AWS Security Hub: Turning findings into action

· 4 MIN READ · SARAH CRONE AND ETHAN CHEN · DEC 2, 2025 · TAGS: AWS / Partnership

TL;DR

  • Expel is a partner for the new AWS Security Hub. We’re helping customers turn Security Hub’s comprehensive visibility into actionable intelligence and faster response.
  • We layer detection engineering on top of Security Hub findings to solve the prioritization problem. Our high-fidelity detections and investigative workflows help you focus on what matters with smarter alerting.
  • Get Expel MDR for your entire AWS estate in one click. Available on AWS Marketplace with streamlined deployment—no complex integration projects required.

AWS just announced a major evolution of Security Hub with enhanced correlation, contextualization, and visualization capabilities, and we’re proud to be a partner. This integration means customers get Expel’s detection engineering and cross-surface intelligence layered on top of Security Hub’s comprehensive AWS visibility—turning findings into prioritized action.

All of your AWS data in one place

Security Hub prioritizes your critical security issues and helps you respond at scale. It simplifies and unifies security operations through centralized management to protect your cloud environment. It detects critical issues by correlating signals into actionable insights, enabling streamlined response. Security Hub aggregates findings from GuardDuty, Inspector, Macie, CSPM, and other AWS services into organized categories. Bringing this data together not only streamlines detection and response but helps to eliminate silos where attackers can hide.

Most teams drowning in alerts are in that predicament because they don’t have the context to know which ones require immediate action, versus which ones can wait.

“The new AWS Security Hub represents a significant step forward in helping customers understand their security posture,” said Brian Menderhall, WW Head, Security Partners. “We’re excited to work with partners like Expel who bring deep security expertise to help customers turn these insights into action. This integration allows Expel to achieve automated AI detections for our customers while leveraging the Open Cybersecurity Schema Framework.”

How Expel adds value to each type of Security Hub finding

When Security Hub findings flow into Expel Workbench™, we layer detection engineering, cross-surface correlation, and analyst expertise on top of each category. Here’s what that looks like in practice.

Exposure findings: From possibility to probability

Security Hub’s exposure findings identify resources that could potentially be accessed from outside your environment—misconfigurations, overly permissive permissions, publicly accessible resources.

Expel adds the “what’s actually happening” layer. When we see an exposure finding, we correlate it with active reconnaissance attempts, suspicious authentication patterns, and related activity across your email, SaaS, and endpoint telemetry. Our attack surface-specific detections distinguish between theoretical exposures and ones actively being targeted.

You’re not just looking at every misconfiguration—you’re seeing which exposures represent actual risk right now.

Threat findings: Beyond AWS boundaries

Security Hub consolidates GuardDuty threat findings—suspicious API calls, unusual network traffic, potential credential compromises. We’ve specialized in GuardDuty detections for years and have hundreds of Expel-written detections built specifically for AWS.

For example, GuardDuty might flag unusual API activity in your AWS environment, but our detections are asking whether this came from a compromised identity we’re tracking elsewhere, if it’s part of a broader attack sequence that started in your email or SaaS environment, and whether we’ve seen this technique in similar attacks across our customer base.

Threats don’t respect boundaries. Our investigative workflows make it easy to pivot between related findings and understand the full scope of an incident across your entire attack surface.

Vulnerability findings: Context-based prioritization

Amazon Inspector, a vulnerability management service, surfaces software vulnerabilities and network exposure risks. Security Hub helps you see which vulnerabilities have known exploits and need urgent updates.

But vulnerability prioritization can’t just be about CVSS scores. Our notification system ensures you’re alerted to vulnerabilities that matter—not just everything Inspector finds.

Expel enriches our findings with intelligence from Amazon Inspector—with information like internet exposure status, vulnerability details, active exploitation attempts, and exploitability information—to help analysts understand the full risk picture during threat investigations. This context enables faster, more informed decisions when responding to security alerts, ensuring your team knows which threats pose the greatest real-world risk to your environment.

Posture management: Connecting compliance to risk

Security Hub’s Cloud Security Posture Management (CSPM) pinpoints where your configuration deviates from security best practices and compliance requirements.

Expel transforms these posture findings into actionable investigative context, enabling us to uncover and quantify risk across your environment. For instance, when findings indicate missing controls—such as disabled encryption or logging—we proactively search for active incidents that these gaps might have allowed or prevented. This context also helps us identify broader patterns of configuration drift or critical security coverage gaps that require immediate attention.

Sensitive data findings: Discovery meets threat intelligence

Amazon Macie, a data security and privacy service, discovers and protects sensitive information in your AWS environment—PII, financial data, credentials, intellectual property, and so on.

Expel layers threat intelligence on top of that discovery. When Macie identifies sensitive data, we’re asking whether anyone has tried to access it inappropriately, if there are exposure findings showing it could be accessed externally, if we’ve seen lateral movement toward this data, and whether this represents a new location that might indicate exfiltration.

“Security teams don’t have a visibility problem—they have a prioritization problem,” said Justin Bajko, Chief Strategy Officer at Expel. “Security Hub gives customers comprehensive visibility into their AWS environment. We layer detection engineering on top of that to answer the question every security team is really asking: what should I work on right now? That’s the difference between data and action.”

What this means for your security team

The enhanced Security Hub gives you unprecedented visibility into your AWS security posture. When you integrate Security Hub with Expel, that visibility becomes actionable intelligence—you get smart notifications about what matters, investigative workflows that connect the dots across your attack surface, and clear guidance on what to do next. 

If you’re evaluating MDR providers, here’s the question to ask: “What value do you add to my Security Hub findings beyond just showing them to me in your console?”

And the best part: getting started is remarkably simple. Get Expel MDR for your entire AWS estate in one click. Expel is available on AWS Marketplace, streamlining procurement and deployment. You can connect Security Hub and start getting high-fidelity detections, cross-surface correlation, and expert-led investigations immediately.

Building better security outcomes

AWS’s enhancements to Security Hub represent a meaningful step forward in helping security teams organize and understand their security findings. We’re excited to be a partner and to bring Expel’s detection and response expertise to AWS’s enhanced platform.

Because at the end of the day, the goal isn’t to have more security data—it’s to have better security outcomes. And that happens when you combine powerful tools like Security Hub with the kind of cross-surface correlation, detection engineering expertise, and human-led analysis that Expel brings to the table.

Want to see how Expel turns your Security Hub findings into action? Let’s talk. Learn more about our partnership with AWS.