Open source · v0.1.0 · Research preview

Find every machine identity
before they do.

45 machine identities for every 1 human. IAM roles, API keys, AI agents — almost none governed. AgentSentry audits your cloud, scores every NHI by blast radius, and maps attack paths to your crown jewels.

Quick start:
$pip install agentsentry
agentsentry — bash
0+
CVEs in CISA KEV catalog
Updated daily. Free.
0:1
Machine to human identity ratio
Almost none governed.
0+
KEV entries linked to ransomware
Active campaigns. Right now.
How it works

From zero to attack graph
in under three minutes.

No agents to deploy. No SaaS data upload. Runs entirely local — your cloud credentials never leave your machine.

01

Discover

Point AgentSentry at your AWS account. It enumerates every IAM role, access key, service account, OAuth token, and AI agent in minutes — including ones you forgot existed.

02

Score

Each identity gets a P×R×E×A risk score: Privilege × Reachability × Exposure × AI-Amplification. Critical identities surface immediately. CISA KEV enrichment flags active CVEs.

03

Visualize

An interactive attack graph shows every identity and the access paths between them. See exactly what an attacker could reach if any given identity is compromised.

Providers

Not just AWS.
Everywhere you deploy.

Six independent providers — install only what you need. Each one checks its own permissions before touching a single API. Start with local — it needs nothing and finds more than you expect.

Amazon Web Services
agentsentry scan aws
  • IAM Roles & Access Keys
  • Lambda execution roles
  • S3, RDS, Secrets Manager
$ pip install agentsentry[aws]
$ aws configure
Microsoft Azure
agentsentry scan azure
  • Managed Identities
  • Service Principals
  • Role assignments (Owner/Contributor)
$ pip install agentsentry[azure]
$ az login
Google Cloud
agentsentry scan gcp
  • Service Accounts
  • User-managed SA keys
  • Project IAM bindings
$ pip install agentsentry[gcp]
$ gcloud auth application-default login
GitHub
agentsentry scan github
  • Personal Access Tokens
  • Deploy Keys & SSH Keys
  • Actions Secrets
$ export GITHUB_TOKEN=<pat>
Kubernetes
agentsentry scan k8s
  • ServiceAccounts & RBAC
  • ClusterRoleBindings
  • Automount token exposure
$ pip install agentsentry[k8s]
$ kubectl config use-context <cluster>
Local Environment
agentsentry scan local
No credentials needed
  • Env vars & .env files
  • SSH keys & credential files
  • Docker socket & git tokens
AUTO-DETECT & SCAN EVERYTHING
$agentsentry scan all
Detects which providers are configured and scans them all in one pass.
Live Demo

Explore a real attack graph.

Drag to rotate · Scroll to zoom · Click a node to inspect

CRITICAL
HIGH
MEDIUM
LOW
Click any node
Select an identity to see its risk score, MITRE techniques, and remediation steps.
3 critical · 4 high · 12 total
What it does

Every attack surface.
One scanner.

The only open-source tool that audits machine identities across every cloud and environment — with the same risk model, in the same scan.

Multi-Cloud NHI Discovery

Finds every IAM role, API key, service account, Managed Identity, and OAuth token — across AWS, Azure, GCP, GitHub, Kubernetes, and your local machine. One command. Every environment.

AI Agent Scanner

Statically analyzes LangChain, CrewAI, and AutoGen codebases. Extracts tool permissions. Computes the AI-Amplification Factor.

CISA KEV Enrichment

Correlates every finding against 1,610+ actively exploited CVEs. Flags ransomware-linked vulnerabilities in real time.

Attack Graph

Cross-provider attack graph. Computes blast radius: if this identity is compromised, what does the attacker reach — regardless of which cloud it lives in?

MITRE ATT&CK Mapping

Every finding maps to ATT&CK techniques. T1078.004, T1528, T1552, T1611 — the language your SOC already speaks.

Risk Scoring: P×R×E×A

Privilege × Reachability × Exposure × AI-Amplification. Consistent across all providers — the same score model whether the identity lives in AWS, K8s, or a local .env file. Novel academic contribution.

P×R×E×A Calculator

Compute any NHI's risk score.

Drag the sliders or pick a preset to see how Privilege, Reachability, Exposure, and AI-Amplification combine into a real risk score.

PPrivilege (0–10)
7
RReachability (0–10)
6
EExposure (0–5)
3
AAI-Amplification (1–3×)
1.5
7×6×3×1.5=189.0
CRITICAL
189.0
threshold: >100 CRITICAL · >50 HIGH · >20 MEDIUM
Real-world presets
Research

Peer-reviewed.
Production-validated.

The mathematical model behind AgentSentry is published as a research paper. Real scan results. Real AWS environments. Novel metric introduced.

IEEE Format · 2026 · Research Preview

AgentSentry: A Risk Quantification Framework for Non-Human Identities and AI Agents in Cloud Environments

Abhiram Lanka · 2026

Novel contribution
AI-Amplification Factor — no prior paper defines this metric
IEEE format, 4 pages
Mathematical framework, real AWS scan results as validation
PXRXA scoring model
First model to account for autonomous AI agent blast radius
Core formula
Risk Score = P × R × E × A
Privilege × Reachability × Exposure × AI-Amplification Factor
View on GitHub
arXiv submission — coming soon
Pricing

Free forever.
Pro when you need it.

The core scanner is free and always will be. Pro unlocks continuous governance for enterprise teams.

Free
$0
Open source · MIT license
Clone on GitHub
  • AWS IAM role & access key scanner
  • LangChain / CrewAI / AutoGen agent scanner
  • P×R×E×A risk scoring engine
  • CISA KEV threat intel enrichment
  • Interactive NHI attack graph
  • MITRE ATT&CK mapping
  • CLI — runs locally, no data leaves you
  • Open source — MIT license
Coming soon
Pro
$49/mo
Per workspace · cancel anytime
  • Everything in Free
  • Continuous monitoring — alerts on new NHIspro
  • Remediation workflows — auto Jira/ServiceNow ticketspro
  • Audit-grade PDF reports — SOC 2, ISO 27001, NIS 2pro
  • Azure AD + GCP scanner
  • GitHub Actions secrets scanner
  • Priority support
  • Early access to new features
BLAST RADIUS BY AGENTSENTRY

Stay ahead of machine identity threats

Weekly intel on NHI security and AI agent risks — real findings, practical commands, no fluff. Get it before it hits the feeds. Every Tuesday, free.

No spam. Unsubscribe anytime. Every Tuesday.

SUPPORT

Contact the developer

Found a bug? Want to contribute? Just have a question? Pick whichever channel works best.

X / Twitter
@AgentSentryApp

Fastest response. DM us for support, bugs, or feature requests.

Open DM
GitHub Issues
agent-sentry

Bug reports, feature requests, and pull requests welcome.

Open Issue
Email
agentsentry.tool@gmail.com

For partnership, research collaboration, or anything else.

Send Email