How Amazon uses agentic AI for vulnerability detection at global scale

Amazon has developed RuleForge, a sophisticated agentic-AI system that revolutionizes how security teams respond to vulnerabilities. Facing over 48,000 new CVEs published annually, Amazon's security engineers needed a way to translate vulnerability disclosures into detection rules faster than human analysts could manage manually. RuleForge addresses this by automating the entire rule creation pipeline, from downloading proof-of-concept exploit code to generating production-ready JSON detection rules for systems like MadPot (Amazon's global honeypot) and Sonaris (their internal detection system).

The system employs a multi-agent architecture where specialized AI agents handle different stages of the workflow, mirroring how human security experts operate. A generation agent proposes multiple candidate detection rules, while a separate judge model with domain-specific prompts and negative phrasing evaluates them, reducing false positives by 67% while maintaining true positive rates. This human-in-the-loop design ensures production-ready quality while achieving a 336% productivity advantage over traditional manual methods.

RuleForge represents a significant advancement in applying agentic AI to real-world security challenges. By decomposing complex security tasks into specialized AI agents that collaborate, Amazon has created a system that can keep pace with the exponential growth of vulnerabilities. The architecture runs on AWS Fargate with Amazon Bedrock, demonstrating how cloud-native AI infrastructure can be leveraged for mission-critical security operations at global scale.