


Expel-validated security alerts with guided investigative actions

Expel Workbench for AWS

(‘cause who wants to play Where’s Waldo with AWS logs)

Spending hours (or days) digging through a monotonous pile of logs probably isn’t high on your to-do list. Expel Workbench for AWS helps you identify potential security incidents within minutes so you can fix them without investing in a squad of AWS security experts.

Become an expert AWS investigator overnight!

Our AWS detection strategy uses native AWS services to:

  • Analyze GuardDuty alerts
  • Add custom detections for high-risk activities
  • Enrich and validate alerts

What we do



Our bot, Ruxie, shrinks investigation time by automating investigative actions just like our SOC analysts would.


AWS security alerts

We cut through the noise and surface the alerts that need your eyes on them.


Tell you how to investigate

We’ll give you step-by-step guides on how to investigate the validated AWS alerts we serve up to you.

“The biggest value of Workbench is the automated correlation of ancillary data and information into the investigation. It’s both beautiful and accessible. Having that context at my fingertips is saving me hours of investigation that I would have had to do on my own.”

— Viren Shah, Director of Engineering

How it works

(spoiler alert: GuardDuty is just the starting point)

Expel Workbench uses API integrations to connect directly with your AWS instance to pull CloudTrail data from S3 and access services like GuardDuty and Amazon Inspector. Our bots, Josie™ and Ruxie™, then automatically enrich and triage alerts and surface the Expel-validated ones. When we notify you about an alert, you’ll get step-by-step guides on how to investigate.

What you get

(a cloud SOC without the hassle of building one)

Expel Workbench provides AWS-specific detections based on the attacks our SOC sees and on new (or updated) AWS offerings as they roll out. We triage 100% of your GuardDuty alerts and serve up the alerts that require your attention.

AWS-specific detections straight from our SOC

Expel-validated alerts based on thousands of investigations we’ve done

Automated investigation of GuardDuty alerts

Visibility into your AWS alert signal quality

Metrics showing the work we take off your plate

Reduced time to detect and fix security issues

A few of the benefits

Reduce risk
Make sure all your GuardDuty alerts and CloudTrail logs get SOC-style review.

Maximize ROI
Get more out of the AWS services you already subscribe to.

Cut costs
Upskill your analysts into expert AWS investigators and avoid hiring an army to keep up with your alerts.

How Expel Workbench compares to our MDR service

It’s pretty simple. Expel Workbench tells you when alerts need your eyes on them. Then it’s up to you to chase them down. When you upgrade to our MDR service, we’ll monitor your AWS instance 24x7 and do all of the investigations for you.

Expel Workbench for AWS vs. Expel MDR for Cloud Infrastructure

  • Expel Workbench
  • Expel detections for AWS powered by Josie
  • Slack and email notifications
  • Investigations powered by Ruxie
  • Investigations by Expel SOC analysts
  • Incident declaration
  • Remediation recommendations
  • Resilience recommendations
  • 24x7 Slack access to Expel SOC analysts
  • Dedicated Expel Engagement Manager
  • Support for Signal Sciences, Lacework


Making sense of Amazon GuardDuty alerts

What is AWS GuardDuty and how can you make sense of all the signals? Here are our pro tips.


How does your approach to AWS security stack up?

Making sure you’re looking at the right things in your AWS environment is easier said than done. And when there are so many AWS services to get security signal from, it’s hard to know whether you have the right ones turned on and if you’re getting the insights you need.


Where does Amazon Detective fit in your AWS security landscape?

If you’re running workloads on AWS, then you’ll want to know all about the latest and greatest AWS-native security tools. We’ve got you covered in our latest post.

Ready to talk to a human?

Give us 30 minutes to show you how we can protect your data and workloads in AWS.
