Security Hub aggregates the findings. Basirah closes and proves them.
AWS Security Hub pulls findings from Inspector, GuardDuty, Config, and the rest into one normalized view through ASFF, which is a real convenience. Aggregation is where its job ends. It doesn't remediate, it doesn't price the risk in business terms, and it doesn't re-check a resource that's been replaced by the next deploy.
How Basirah works with AWS Security Hub
Basirah ingests Security Hub findings in ASFF and reconciles them across AWS sources and your non-AWS scanners, so the same exposed resource is one owned work item rather than several. It puts a dollar figure on the exposure with FAIR and carries the account, region, and resource ARN through to the evidence.
Many AWS sources into one work item
Findings that Inspector, GuardDuty, and Config report on the same resource collapse into a single item, so the aggregation Security Hub starts actually shortens your queue.
Account and region context drive priority
The ARN, account, and region travel into prioritization and into the evidence, so a production-account resource is weighted accordingly and the proof names exactly what was fixed.
Verification on the live resource
An Inspector re-scan or a live API probe checks the actual resource at verification time, which is the only check that holds up against infrastructure that changes constantly.
Proof the fix held
In AWS, the resource you fixed might be torn down and rebuilt by the next pipeline run, so a closed Security Hub finding can describe something that no longer exists. Basirah re-checks the live resource at verification time — an Inspector re-scan or an API probe — and seals a signed evidence package reflecting that moment. When resources churn, you re-verify against current state, so closure tracks reality instead of a stale finding.
Common questions
Which AWS finding sources are supported?
Anything Security Hub normalizes into ASFF — Inspector, GuardDuty, Config, and other integrated sources — deduplicated alongside findings from non-AWS scanners.
Does this work across multiple AWS accounts?
Yes. Findings carry their account and region context, and the same resource across sources is correlated into one work item with that context preserved.
How do you verify a fix on ephemeral cloud resources?
Verification probes the live resource at the moment it runs. If the resource has been replaced, you re-verify against the current state rather than trusting an earlier finding.
See it run on your AWS Security Hub setup
We'll wire the demo around the scanners and tickets you already use, then close the loop on a real finding.
Book a demo