Lorcan O'Flynn
Why We’re Building PostureX, and How It Works

This article is intentionally a little technical. It’s written for founders, CTOs, and security leads who want to understand how PostureX works in practice.


Table of contents

  1. Why PostureX exists
  2. Alternative options on the market
  3. How our approach is different
  4. Under the hood
  5. Using AI thoughtfully
  6. Final thoughts and how to try PostureX

1. Why PostureX exists

If you work at a startup, you’ve likely faced security questions before knowing what really needs fixing. Most issues are already out there, spread across your AWS accounts, regions, and connected systems. The challenge is bringing all those signals together, figuring out what matters most, and deciding what to fix first. This often happens when you’re already busy with customers, investors, or a big review.

We built PostureX to help you get ahead of these problems. It gives AWS teams a clear, early view of their security, shows what needs fixing, helps you set priorities, and makes security reviews less stressful, all without slowing down your product work.


2. Alternative options on the market

There are already some great tools available, and we want to mention them.

For example, many teams are familiar with Prowler. It’s an excellent tool and is especially good at a few things:

  • Multi-cloud coverage
  • Open source at its core
  • A growing paid SaaS with Prowler Hub and Lighthouse

These tools are powerful and give teams a lot of flexibility, especially if you work with different environments or are building your own security setup and programme.

PostureX is more focused and emphasises keeping your data under your control. Our setup and features are designed for teams selling to enterprises that want simple, actionable insights instead of a large, general-purpose toolkit.

Once findings are known and remediations are required, we offer optional foundations and remediation services to accelerate your time to pass a security review.


3. How our approach is different

PostureX was designed for AWS from the beginning, along with the systems startups usually use with it.

Our checks follow industry standards and cover areas like identity and access management, logging, networking, encryption, key management, storage rules, compute exposure, guardrails, and overall organisational posture. You can adjust how strict the scans are by setting the criticality level, helping you balance thoroughness and noise.

Here are a few key ideas that shaped how we built PostureX:

Local execution and data control

PostureX runs on your own machine by default. Your findings and evidence stay with you unless you choose to share them.

Clear split between app and engine

The desktop app shows you your results and gives context. The command-line engine runs the checks and creates the findings.

Actionable findings

Each finding is connected to the affected resources, matched to the right controls, given a severity level, and explained in plain English so you know why it matters.

Practical remediation guidance

Currently, our remediation advice helps teams decide what to fix and how to fix it. As we grow, we’ll add advice focused on code as well.

Multi-region, multi-account enabled by default

You can invoke a scan across multiple accounts and regions during our early access programme, all from your local device. Findings are browsable in the locally hosted desktop app, and a global map view breaks them down by region.

PostureX works well on its own. Some teams use it to fix issues or improve their AWS setup, but you don’t need to buy anything extra to get value from it.


4. Under the hood

PostureX has two main parts: a desktop app and a command-line tool.

The desktop app lets you see scan history, findings, trends, and advice on what to fix. The command-line tool runs the checks using read-only access to your setup.

When PostureX connects to AWS, it uses only read-only access. We recommend using SSO for better security. We provide a sample permission set to run tasks safely across multiple AWS accounts. Scanning across accounts in AWS Organizations is supported, and you can enable it for additional regions if needed. Currently, we support commercial AWS regions.

You can also connect third-party systems like GitHub and Google Workspace using OAuth with read-only permissions. This gives more context on access, admin settings, and CI/CD setup. AWS remains the main focus, but these extra checks help complete the picture where it matters.

Your findings and evidence are saved locally by default and linked to each scan with timestamps. If needed, you can export evidence in structured formats. We also support integration with AWS Audit Manager to help with audits.
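To make the read-only, multi-account, multi-region pattern described above concrete, here is an added example (not PostureX's own code, and not its sample permission set): it builds the account-by-region scan matrix, assumes a read-only role in a member account with short-lived STS credentials, evaluates one S3 setting into findings that carry the affected resource, a control identifier, a severity, a plain-English rationale and a timestamp tied to the scan id, and exports them as JSON lines for local storage. The role name `ScannerReadOnly`, the control id `EXAMPLE-S3-PAB`, and the sample bucket configuration are constructed for this example; `boto3` is assumed to be installed for the one function that actually talks to AWS.

```python
"""Illustrative multi-account, multi-region read-only scan loop.

Added example, not PostureX code. It shows the pattern the post describes:
assume a read-only role in each AWS account, iterate the chosen regions,
run a check, and record findings locally with a scan id and timestamp.
Role names, control ids and sample inputs are constructed for this example.
"""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from itertools import product
from typing import Iterable


@dataclass(frozen=True)
class Finding:
    scan_id: str
    account_id: str
    region: str
    resource: str      # ARN of the affected resource
    control: str       # control identifier (constructed for this example)
    severity: str      # "high", "medium" or "low"
    rationale: str     # plain-English explanation of why it matters
    observed_at: str   # ISO-8601 UTC timestamp linking the evidence to the scan


def readonly_role_arn(account_id: str, role_name: str = "ScannerReadOnly") -> str:
    """ARN of the read-only role the scanner assumes in a member account.
    The role name is a constructed placeholder, not the product's permission set."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def scan_matrix(account_ids: Iterable[str], regions: Iterable[str]) -> list[tuple[str, str]]:
    """Every (account, region) pair the scan will cover, deduplicated, in a stable order."""
    return sorted(set(product(account_ids, regions)))


def assume_readonly_session(account_id: str, region: str, external_id: str):
    """Return a boto3 Session holding short-lived credentials for the read-only role.
    boto3 is imported here so the rest of the module runs without AWS access."""
    import boto3  # assumption: boto3 is installed and a base SSO/CLI session exists

    sts = boto3.client("sts")
    resp = sts.assume_role(
        RoleArn=readonly_role_arn(account_id),
        RoleSessionName="posture-scan",
        ExternalId=external_id,   # the role's trust policy should require this value
        DurationSeconds=900,      # minimum allowed; the scan does not need longer
    )
    c = resp["Credentials"]
    return boto3.Session(
        aws_access_key_id=c["AccessKeyId"],
        aws_secret_access_key=c["SecretAccessKey"],
        aws_session_token=c["SessionToken"],
        region_name=region,
    )


def check_s3_public_access_block(scan_id: str, account_id: str, region: str, bucket: str,
                                 pab: dict, now: datetime | None = None) -> list[Finding]:
    """Evaluate a bucket's PublicAccessBlockConfiguration (the inner dict returned by
    s3.get_public_access_block) and emit one finding per protection that is switched off."""
    now = now or datetime.now(timezone.utc)
    expected = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    findings: list[Finding] = []
    for key in expected:
        if not pab.get(key, False):   # a missing key counts as disabled
            findings.append(Finding(
                scan_id=scan_id, account_id=account_id, region=region,
                resource=f"arn:aws:s3:::{bucket}",
                control="EXAMPLE-S3-PAB",   # constructed control id for this example
                severity="high",
                rationale=f"{key} is disabled on bucket {bucket}; a public ACL or bucket "
                          f"policy could expose its objects.",
                observed_at=now.isoformat(),
            ))
    return findings


def export_findings(findings: list[Finding]) -> str:
    """Structured export of the evidence as JSON lines, ready to be written locally."""
    return "\n".join(json.dumps(asdict(f), sort_keys=True) for f in findings)


if __name__ == "__main__":
    # Constructed sample input: one bucket with two of the four protections off.
    sample_pab = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                  "BlockPublicPolicy": True, "RestrictPublicBuckets": False}
    found = check_s3_public_access_block("scan-0001", "123456789012", "eu-west-1",
                                         "example-logs", sample_pab)
    print(export_findings(found))
```

Run as a script, it evaluates the constructed bucket configuration offline and prints two findings. Wiring it to real accounts means calling `assume_readonly_session` for each pair from `scan_matrix` and feeding the live `get_public_access_block` response into the check; the check itself never needs credentials, which keeps the evaluation logic testable without touching AWS.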

PostureX only connects to our systems for two things:

  • Authentication with our identity service
  • Checking your licence from time to time

If your team needs more collaboration, you can deploy our optional customer-hosted backend directly in your own cloud environment.

This backend adds features like shared scans, scheduled scans, team-wide visibility, and secure collaboration, while keeping your data under your control. You choose when and how to use it, and you never have to send data outside your environment.


5. Using AI thoughtfully

PostureX comes with optional AI features that are still in alpha.

These tools help teams understand findings, evidence, and other data by offering guidance and insights. We don’t use AI to make decisions or fix things automatically.

If you turn on these features, we can set up your own AI backend for team collaboration, sharing context, and deeper analysis of your results. You choose your model and control what’s logged, so your data stays yours and follows your rules.

AI is there to help your team, not do the job for you.


6. Final thoughts and how to try PostureX

We’re offering early access to PostureX, and some teams can install it, run scans, and see their findings for free.

If you’re a startup using AWS and want to find security issues early, decide what to fix first, and prepare for security reviews, this programme is for you.

If you’re interested, you can sign up for early access here.

Not sure if PostureX is right for your team?

Contact us, and we’ll be happy to talk about your setup.
