# Oliver

> Security Professional - Compliance, vulnerability assessment, threat detection, IAM

Oliver is CloudThinker's security expert, specializing in compliance auditing, vulnerability assessment, threat detection, and identity management across cloud environments.

***

## The Problem Oliver Solves

Cloud security posture is invisible until it isn't. Security groups get opened to `0.0.0.0/0` during debugging and never closed. IAM roles accumulate permissions across months of tickets. S3 buckets get misconfigured. Compliance frameworks like SOC 2 and HIPAA require evidence collection that takes security teams weeks to assemble manually.

The result: most teams discover misconfigurations from breach notifications, failed audits, or penetration test reports — not proactive monitoring. And when a compliance audit arrives, engineers spend 2–4 weeks collecting screenshots and writing evidence docs instead of fixing actual security gaps.

***

## How Existing Tools Compare

| Tool                        | What It Does                                                     | What's Missing                                                                                |
| --------------------------- | ---------------------------------------------------------------- | --------------------------------------------------------------------------------------------- |
| **AWS Security Hub**        | Aggregates findings from GuardDuty, Inspector, Config            | No remediation guidance, no compliance narrative, no cross-cloud                              |
| **Wiz / Orca**              | Cloud security posture management (CSPM) with risk visualization | Reporting-focused, requires dedicated security analyst to interpret, no AI-driven remediation |
| **Prowler / ScoutSuite**    | Open-source security scanners                                    | Manual runs, raw output, no prioritization or remediation guidance                            |
| **AWS Config**              | Tracks resource configuration drift against rules                | Rules-based, no AI analysis, no compliance framework mapping                                  |
| **Lacework / Prisma Cloud** | Comprehensive CSPM + CWPP                                        | Expensive, complex, still requires security expertise to act on findings                      |

Oliver goes further: it explains *why* a finding matters in your specific context, maps it to your compliance frameworks, and generates the exact remediation steps for your environment.

***

## How Oliver Works

1. **Scans continuously** — reads IAM policies, security group rules, CloudTrail logs, GuardDuty findings, and resource configurations
2. **Prioritizes by context** — not just severity scores, but actual blast radius: is this finding on a production database or a dev sandbox?
3. **Maps to frameworks** — automatically maps findings to SOC 2 controls, HIPAA requirements, PCI-DSS clauses, or whatever you're being audited against
4. **Generates evidence** — produces compliance documentation with the exact format auditors need, including timestamps, configurations, and remediation proofs
5. **Tracks over time** — remembers past findings so you can show compliance trend improvement, not just point-in-time snapshots
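Added example (not CloudThinker's or Oliver's code) of what steps 1 and 2 amount to for one resource type: a scan of security-group rules for internet-open sensitive ports, with findings ranked by environment rather than by raw severity. It assumes an `Environment` tag and the `describe-security-groups` JSON shape, both marked in the code; the sample groups are constructed.

```python
# Added illustration (not CloudThinker's code): scan security groups for internet-open
# sensitive ports and rank the findings by blast radius, run on constructed data.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 1433: "mssql"}
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `describe-security-groups` output (assumption:
# an Environment tag marks prod vs sandbox; real estates may tag differently).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "Tags": [{"Key": "Environment", "Value": "production"}],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,  # public HTTPS: expected
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "Tags": [{"Key": "Environment", "Value": "dev"}],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "Tags": [],  # untagged: blast radius unknown, so rank it high
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

def _public_sources(perm):
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in PUBLIC_CIDRS]

def _exposed_ports(perm):
    """Sensitive ports covered by this rule; IpProtocol -1 means all traffic."""
    if perm.get("IpProtocol") == "-1":
        return sorted(SENSITIVE_PORTS)
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return [p for p in sorted(SENSITIVE_PORTS) if lo <= p <= hi]

def audit_security_groups(groups):
    """Findings ordered by blast radius: production first, then untagged, then dev;
    within a tier, the rule exposing more sensitive ports comes first."""
    findings = []
    for sg in groups:
        tags = {t["Key"]: t["Value"] for t in sg.get("Tags", [])}
        env = tags.get("Environment", "unknown")
        for perm in sg.get("IpPermissions", []):
            sources, ports = _public_sources(perm), _exposed_ports(perm)
            if sources and ports:
                severity = {"production": "critical", "unknown": "high"}.get(env, "medium")
                findings.append({"group": sg["GroupId"], "env": env, "severity": severity,
                                 "ports": ports, "sources": sources})
    rank = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (rank[f["severity"]], -len(f["ports"])))
```

Note that the public HTTPS rule on the production group produces no finding: the check is about sensitive ports exposed to the internet, not every `0.0.0.0/0` rule.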

***

## Capabilities

| Domain                       | Capabilities                                                                  |
| ---------------------------- | ----------------------------------------------------------------------------- |
| **Compliance**               | SOC 2, ISO 27001, GDPR, HIPAA, PCI-DSS auditing and evidence collection       |
| **Vulnerability Assessment** | Security scanning, misconfiguration detection, risk prioritization            |
| **Threat Detection**         | Incident investigation, forensics, anomaly detection, security monitoring     |
| **Identity & Access**        | IAM policy review, privilege analysis, permission optimization, access audits |

***

## Prompt Patterns

### Security Audits

```bash theme={null}
# Security group review
@oliver audit security groups for overly permissive rules

# Scoped audit
@oliver audit production security groups for public access on ports 22, 3389, 3306

# Multi-cloud audit
@oliver perform unified security audit across AWS, Azure, and GCP

# Configuration review
@oliver identify misconfigurations that could expose customer data
```

### Compliance Assessment

```bash theme={null}
# Framework-specific
@oliver perform SOC 2 Type II compliance assessment

# Multi-framework
@oliver evaluate infrastructure against SOC 2, ISO 27001, and GDPR

# Evidence generation
@oliver #report HIPAA compliance audit with evidence documentation

# Gap analysis
@oliver identify compliance gaps in IAM, logging, and access control
```

### Vulnerability Management

```bash theme={null}
# Vulnerability scanning
@oliver scan infrastructure for security vulnerabilities with remediation timeline

# Priority assessment
@oliver identify critical and high-risk vulnerabilities requiring immediate action

# Public exposure
@oliver find all public-facing resources and assess exposure risk
```

### Access Control

```bash theme={null}
# IAM audit
@oliver audit IAM roles and policies for privilege escalation risks

# Permission review
@oliver identify over-privileged users and recommend least-privilege changes

# Access review
@oliver perform quarterly access review: unused accounts, stale permissions

# Certificate management
@oliver scan for expired or expiring SSL certificates
```

***

## Tool Usage

| Tool         | Oliver Use Case                                                   |
| ------------ | ----------------------------------------------------------------- |
| `#dashboard` | Compliance status, security posture, finding trends               |
| `#report`    | Audit documentation, compliance evidence, incident analysis       |
| `#recommend` | Remediation actions, security hardening, policy changes           |
| `#alert`     | Security group changes, policy violations, certificate expiration |
| `#chart`     | Vulnerability trends, compliance scores, risk distribution        |

### Examples with Tools

```bash theme={null}
@oliver #dashboard compliance status across all frameworks
@oliver #report SOC 2 assessment with gap analysis and remediation timeline
@oliver #recommend security hardening prioritized by risk and effort
@oliver #alert on security group changes allowing 0.0.0.0/0 access
```

***

## Effective Prompts

<CardGroup cols={2}>
  <Card title="Define Scope" icon="bullseye">
    ```bash theme={null}
    # Good
    @oliver audit production security groups
    for public access on database ports
    (3306, 5432, 1433)

    # Avoid
    @oliver find security issues
    ```
  </Card>

  <Card title="Specify Framework" icon="clipboard-check">
    ```bash theme={null}
    # Good
    @oliver assess infrastructure for
    SOC 2 Type II compliance
    with evidence documentation

    # Avoid
    @oliver help with compliance
    ```
  </Card>
</CardGroup>

***

## Connection Requirements

Oliver requires cloud and security service access:

| Provider  | Required Access                                  |
| --------- | ------------------------------------------------ |
| **AWS**   | IAM, Security Hub, GuardDuty, CloudTrail, Config |
| **Azure** | Security Center, Azure AD, Policy, Monitor       |
| **GCP**   | Security Command Center, IAM, Cloud Audit Logs   |

***

## Common Workflows

### Security Audit Workflow

```bash theme={null}
# Step 1: Scan
@oliver scan infrastructure for security vulnerabilities

# Step 2: Prioritize
@oliver categorize findings by severity and exploitability

# Step 3: Remediate
@oliver #recommend remediation actions with implementation order

# Step 4: Verify
@oliver rescan to verify remediation effectiveness
```

### Compliance Assessment Workflow

```bash theme={null}
# Step 1: Assess
@oliver perform SOC 2 Type II compliance assessment

# Step 2: Document
@oliver #report findings with evidence for each control

# Step 3: Remediate
@oliver create remediation plan for gaps

# Step 4: Monitor
@oliver #schedule weekly compliance status check
```

### Incident Investigation

```bash theme={null}
# Step 1: Scope
@oliver identify affected resources from security incident

# Step 2: Analyze
@oliver analyze CloudTrail logs for suspicious activity

# Step 3: Document
@oliver #report forensic analysis with timeline and root cause

# Step 4: Prevent
@oliver #recommend controls to prevent recurrence
```
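Added example (not CloudThinker's code) of the kind of CloudTrail check behind step 2 above and the `#alert on security group changes allowing 0.0.0.0/0 access` prompt: flag `AuthorizeSecurityGroupIngress` events that open a rule to the internet and attribute each one to an actor, source IP and time. The event field layout is an assumption to verify against your own trail, and the sample records are constructed.

```python
# Added illustration (not CloudThinker's code): turn CloudTrail records into alerts for
# the condition behind "#alert on security group changes allowing 0.0.0.0/0 access".
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
OPENING_EVENTS = {"AuthorizeSecurityGroupIngress"}  # only rule additions widen exposure

# Constructed sample records in the shape of CloudTrail's EC2 events (assumption: field
# names follow the documented requestParameters layout; check against your own trail).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:02:11Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"groupId": "sg-0aaa", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {"items": []}}]}}},
    {"eventTime": "2024-05-01T10:05:40Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci"},
     "sourceIPAddress": "10.1.2.3",
     "requestParameters": {"groupId": "sg-0bbb", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}, "ipv6Ranges": {"items": []}}]}}},
    {"eventTime": "2024-05-01T10:09:03Z", "eventName": "RevokeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"groupId": "sg-0aaa", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {"items": []}}]}}},
]

def public_exposures(event):
    """(cidr, from_port, to_port) for every internet-open rule this event adds."""
    if event.get("eventName") not in OPENING_EVENTS:
        return []
    hits = []
    for perm in event["requestParameters"].get("ipPermissions", {}).get("items", []):
        cidrs = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])]
        for cidr in cidrs:
            if cidr in PUBLIC_CIDRS:
                hits.append((cidr, perm.get("fromPort", 0), perm.get("toPort", 65535)))
    return hits

def alerts_from_trail(events):
    # One alert per offending event: who opened what, from where, and when.
    alerts = []
    for ev in events:
        for cidr, lo, hi in public_exposures(ev):
            alerts.append({"time": ev["eventTime"], "group": ev["requestParameters"]["groupId"],
                           "actor": ev["userIdentity"]["arn"], "source_ip": ev["sourceIPAddress"],
                           "cidr": cidr, "ports": f"{lo}-{hi}"})
    return alerts
```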

***

## What's Next

<CardGroup cols={2}>
  <Card title="CloudKeepers" icon="radar" href="/guide/infrastructure/cloudkeepers">
    Configure [SecurityOps](/guide/infrastructure/cloudkeepers) pilots for continuous 24/7 security guardrails
  </Card>

  <Card title="Assessment" icon="clipboard-check" href="/guide/infrastructure/assessment">
    Run a Well-Architected assessment with the Security pillar
  </Card>

  <Card title="Deep Response Engine" icon="triangle-exclamation" href="/guide/incident/overview">
    How Oliver assists with security incident investigations
  </Card>

  <Card title="Anna" icon="users" href="/guide/agents/anna">
    Coordinate Oliver with other agents for enterprise-wide security reviews
  </Card>
</CardGroup>
