Request Demo

Get your free Risk Assessment.

We connect to your AWS account with read-only IAM access, run a full attack graph analysis using 1,000+ attack patterns, and show you the exact paths that reach your crown-jewel assets. You keep the validated report — no commitment required.

Read-only IAM only
No agents installed
Report delivered in 30 min
Live environment analysis
We run live analysis on your actual AWS environment using our full attack pattern library — not a staged walkthrough.
Zero-touch access
Read-only IAM role — no agents, no code deployment, nothing installed. Works in under 2 minutes.
Full report delivered
Validated attack graph + ranked exposures + fix recommendations + evidence packages. Yours, no strings.
Zero-trust access model

Read-only by default.
Write access only when you approve it.

XSEE uses two separate IAM roles with completely different permission scopes. You create both. You control both. You can revoke either in 10 seconds.

Role 1 — XSEE Scanner

Always active · Always read-only

Uses AWS ReadOnlyAccess managed policy. Discovers assets, validates attack paths, reads IAM policies and security group rules. Cannot write, delete, or modify anything in your environment. Ever.

# Permissions: ReadOnlyAccess (AWS managed)
# Actions: Describe*, List*, Get*
# Excludes: ALL write, delete, create actions

You create this role. You can delete it anytime and XSEE goes dark immediately.

Role 2 — Remediation Agent

Optional · Human-gated

Only activated when you choose automated remediation. You define exactly which write actions it can perform — nothing else. Every fix requires your explicit approval. Every action is logged, timestamped, and signed with your identity.

✓ ec2:RevokeSecurityGroupIngress
✓ iam:DetachRolePolicy
✓ s3:PutBucketPublicAccessBlock
✗ DeleteRole ✗ CreateUser ✗ DeleteBucket

Never auto-applied. One click to approve. One click to rollback. Full audit trail.

How to connect your AWS account (2 minutes)

1

Create read-only IAM role

  • In your AWS Console, go to IAM → Roles → Create Role
  • Select Another AWS account
  • Account ID to trust: 722375386510
  • Attach policy: ReadOnlyAccess (AWS managed)
  • Role name: xsee-free-scan-role
2

Copy the Role ARN

After creating the role, click on it and copy the Role ARN. It looks like:

arn:aws:iam::YOUR_ACCOUNT_ID:role/xsee-free-scan-role
3

Paste below and run

Paste your Role ARN in the form below and we'll start the scan.

Optional — Enable one-click remediation

4

Enable one-click remediation

Want XSEE to apply fixes automatically after you approve them? Create a second scoped role with write permissions.

Instructions:

  • In AWS Console → IAM → Roles → Create Role
  • Select: Another AWS account
  • Account ID: 722375386510
  • Attach a custom inline policy (below)
  • Role name: xsee-remediation-role

Custom policy (copy and paste):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RevokeSecurityGroupIngress",
        "iam:DetachRolePolicy",
        "s3:PutBucketPublicAccessBlock"
      ],
      "Resource": "*"
    }
  ]
}

After creating the role, copy the ARN. Add it to the form below as Remediation Role ARN (optional).

Important
  • XSEE never executes fixes automatically.
  • Every fix requires your explicit approval.
  • You can revoke access at any time by deleting the IAM role in your AWS console.
  • Full audit log of every action applied.

Request Your Free Risk Assessment

We'll reach out within one business day to schedule the scan.

No commitment · Read-only IAM · Report delivered in 30 min