AWS Partner Network (APN) Blog

Enhancing Security Incident Response with AWS Partners: Program updates and capabilities

By: Dean Lawrence, Security Partner Lead, Incident Response – AWS

We’ve seen it time and time again since launching the AWS Security Incident Response service in 2025—a swift, coordinated response that includes people, process, and technology is how teams successfully resolve security incidents. We’re continuing to enhance the capabilities of the service based on customer feedback, and we’re strengthening our collaboration with AWS Security Partners, helping to bring their deep expertise in incident response detection and recovery to our customers.

What is AWS Security Incident Response?

AWS Security Incident Response helps customers accelerate each phase of the incident response lifecycle: preparation, detection and analysis, containment and recovery, and post-incident learning. Our approach focuses on helping customers improve their ability to respond to and recover from security incidents while reducing impact to their organization.

Customers can customize incident response across accounts with centralized team coordination, permission management, and communication channels for faster resolution. This helps organizations strengthen their processes before security events occur and optimize the use of Amazon Web Services (AWS) security capabilities during an active event.

From automated monitoring and triage of security findings to automated containment, the service streamlines every step of the security incident response lifecycle. When expert assistance is needed, customers have direct around-the-clock access to AWS security experts, who can investigate and coordinate response efforts across multiple providers and even perform containment actions on behalf of the customer.

AWS Security Incident Response partners play a crucial role in this journey by helping customers implement these capabilities effectively. Partners provide incident response expertise, managed security services, and proven methodologies that help organizations accelerate their security incident response programs. Through the AWS Security Incident Response Partner Specialization Program, customers can access validated partner solutions that integrate seamlessly with AWS services while meeting rigorous technical standards.

Recent enhancements to these workflows have focused on improving customer experience through simplified automation setup, expanded detection capabilities, and more flexible response options. These improvements help security teams work more efficiently while maintaining the security controls needed to protect their AWS environments.

We’ve recently enhanced these capabilities to provide improved playbook customization options, making it easier for security teams to tailor their response procedures. The expanded service integrations and streamlined automation setup workflows help teams respond faster and more effectively to potential incidents, reducing mean time to resolution.

Recent enhancements include AI-powered capabilities that reduce security event investigation time. The new AI investigative agent delivers the speed and efficiency of AI-powered automation, backed by the expertise and oversight of AWS security experts. The investigative agent is included at no additional cost with Security Incident Response, which now offers metered pricing with a free tier covering your first 10,000 findings ingested per month. Beyond that, findings are billed at rates that decrease with volume. This consumption-based approach means you can scale usage as your needs grow, reflecting our commitment to helping customers of all sizes get value from Security Incident Response more easily while maintaining the same trusted service and support.

AWS Partners enhance customer incident response capabilities

AWS Security Incident Response provides the foundation for resolving security incidents, and our AWS Partners are essential collaborators in helping customers strengthen their security posture and respond to incidents collaboratively.

Today, we’re announcing additional partner integrations through the AWS Security Incident Response Partner Specialization Program. Customers can use these integrations to build automated operational and technology processes to drive further efficiencies in incident detection and response.

New partner integrations and capabilities with AWS Security Incident Response

Read on to learn about specific cases of AWS Partners integrating with Security Incident Response.

CrowdStrike
Falcon for AWS Security Incident Response strengthens cyber resilience for AWS customers with industry-leading protection from the AI-native CrowdStrike Falcon® platform. This delivers AI-powered incident response to help organizations respond to incidents faster, reduce risk, and strengthen their cloud security posture. Available in the AWS Marketplace, the Falcon platform’s advanced threat detection capabilities complement AWS Security Incident Response’s automated triage and investigation workflow, creating a comprehensive solution that spans the entire security incident lifecycle.

Cyber Security Cloud
Cyber Security Cloud provides CloudFastener, a fully managed service for AWS environments. CloudFastener helps customers centrally manage alerts from AWS security services and identify high-risk findings, while providing flexible support tailored to each customer’s cloud environment and organizational structure. It supports a broad range of cloud security operations, from governance and policy development to remediation and recovery activities. By combining CloudFastener’s fully managed security operations with AWS Security Incident Response, customers can quickly surface actionable insights from their AWS environments and accelerate remediation while reducing the operational burden on in-house teams. Learn more and get started with CloudFastener.

Elastio
Elastio is proud to join the AWS Security Incident Response initiative, helping customers strengthen cyber resilience and accelerate recovery across AWS environments. Through this integration, Elastio validates recovery points, quarantines compromised data, and confirms the integrity of backups. Incident Response teams can investigate safely and recover fast, and chief information security officers (CISOs) gain measurable, auditable proof of recovery readiness. This comprehensive approach to security reduces downtime, risk, and uncertainty after an incident. Learn more about Elastio for AWS Security Incident Response.

Fortinet
Fortinet FortiCNAPP integrates with AWS Security Incident Response, delivering unified visibility and control across AWS environments through a single platform for threat detection, risk assessment, and remediation. Complementing this integration, Fortinet offers specialized cloud consulting and FortiGuard incident response services—empowering AWS customers with end-to-end security expertise. From proactive risk assessments to rapid incident response, these services are powered by FortiGuard AI-driven threat intelligence and deep integration with AWS tools. Backed by proven methodologies and expert guidance, Fortinet helps organizations prepare for, respond to, and recover from security incidents faster and more effectively. AWS Security Incident Response customers can now effortlessly engage Fortinet’s services directly in AWS Marketplace.

Palo Alto Networks
Palo Alto Networks Unit 42 and AWS Security Incident Response partner to deliver seamless, end-to-end incident response services. The partnership provides customers with rapid access to Unit 42’s world-class investigative expertise and dramatically minimizes the critical time between an alert and full containment. Unit 42 offers qualified customers a No Cost Incident Response Retainer, available in AWS Marketplace. The No Cost Incident Response Retainer includes 250 hours of incident response services, a 2-hour response time agreement and 24/7/365 access to the Unit 42 team. Additionally, customers receive preferred pricing for Unit 42 proactive services through paid retainer offerings in the AWS Marketplace.

SentinelOne
Accelerate incident response from hours to seconds by moving from reactive investigation to autonomous response with SentinelOne’s native integration with AWS Security Incident Response. The agentic workflow automation capabilities of SentinelOne’s Singularity platform (Singularity Hyperautomation) integrate with AWS Security Incident Response to deliver automation and playbooks that orchestrate response actions like isolating impacted resources, generating notifications, and triggering containment. This eliminates manual work and handoffs during investigations to amplify human efforts, scale teams, and dramatically reduce mean time to remediation (MTTR). To explore this automation-first approach, visit SentinelOne in AWS Marketplace.

Get started with AWS Security Incident Response partners

To learn more about working with AWS Security Incident Response partners, visit the AWS Security Incident Response partner page. By working together, AWS and our Security Incident Response partners help customers build robust, scalable security incident response capabilities that meet today’s challenging security requirements.