AWS Deploys Autonomous AI Agents to Replace DevOps and Security Teams
April 4, 2026 · Happycapy Guide
Amazon Web Services is no longer just a platform for building AI agents. It is now competing directly with the humans those agents are designed to replace.
On March 31, 2026, AWS launched two "frontier agents" in general availability — the AWS DevOps Agent and the AWS Security Agent — pricing them aggressively enough to challenge the economics of traditional DevOps and security staffing. A Forbes analysis from April 1 called the move "the most direct challenge yet to white-collar technical labor from a hyperscaler."
AWS DevOps Agent: The Always-On SRE
The DevOps Agent is built to handle what on-call engineers dread most: the 2 a.m. production incident with no obvious root cause and five different monitoring tools giving contradictory signals.
The agent correlates telemetry, code, and deployment data across the major observability platforms simultaneously: CloudWatch, Datadog, Dynatrace, New Relic, Splunk, and Grafana. It maps application resource dependencies, identifies root causes, and generates a mitigation plan — all without waiting for a human to log in and start clicking through dashboards.
| Capability | Detail |
|---|---|
| Telemetry sources | CloudWatch, Datadog, Dynatrace, New Relic, Splunk, Grafana |
| Root cause accuracy | 94% (preview customers) |
| MTTR reduction | 75% lower (preview customers) |
| Write access | Limited — human must implement fixes |
| Pricing | $0.50/minute, billed per second |
| Free trial | Free until April 10, 2026 |
The agent does not have full write access. It investigates and diagnoses, but a human engineer must still implement the remediation. This constraint is deliberate — AWS is marketing this as augmentation, not autonomous infrastructure modification.
AWS Security Agent: Autonomous Penetration Testing
The Security Agent attacks a different problem: most organizations cannot keep up with pen testing their own applications. The average enterprise has hundreds of production applications; manual penetration testing firms charge $10,000 to $50,000 per engagement and take 2 to 6 weeks to deliver results.
The Security Agent ingests source code, architecture diagrams, and documentation to build a contextual model of the application. It then identifies vulnerabilities and — critically — attempts actual exploitation to validate whether they represent real risks. Unlike traditional scanners that flag potential issues, the Security Agent chains vulnerabilities into higher-severity attack paths the way a human attacker would.
| Metric | Traditional Pen Testing | AWS Security Agent |
|---|---|---|
| Timeline | 2–6 weeks | 1–2 days |
| Cost per engagement | $10,000–$50,000 | ~$1,200 (24-hour eval) |
| Cost savings | — | 70–90% vs. manual |
| Context awareness | High (human judgment) | High (reads source + architecture) |
| Vulnerability chaining | Yes | Yes |
| Speed of continuous testing | Not feasible at scale | Can run on every deployment |
The pricing model is $50 per task-hour. An average 24-hour evaluation costs approximately $1,200 — a fraction of what traditional firms charge. The economic implication is that organizations can now run pen testing on every major deployment rather than annually or quarterly.
How AWS Compares to Azure and Google
Microsoft Azure launched its Azure SRE Agent on March 10, 2026 — about three weeks before AWS's GA. The Azure agent includes a built-in Code Interpreter and a memory system that retains context across incidents. Microsoft is positioning it as tightly integrated with Azure Monitor and GitHub Copilot workflows.
Google Cloud does not currently offer a first-party autonomous operations agent. Instead, Google provides the Agent Development Kit (ADK) for customers to build their own. This positions Google as more of a platform play and AWS and Azure as direct competitors for the $50B annual SRE and security services market.
AWS's differentiation is its Security Agent — Azure has no comparable autonomous pen testing product. AWS is the only hyperscaler offering both an autonomous DevOps agent and a dedicated autonomous security testing agent in GA.
Limitations and Risks
AWS acknowledges two notable risks with these agents. First, custom Model Context Protocol (MCP) server connections can introduce prompt injection vulnerabilities — a concern that applies to any MCP-connected agentic system.
Second, the DevOps Agent processes inference requests across US AWS regions regardless of the customer's selected region. Organizations under strict data residency regulations — GDPR in Europe, healthcare data rules in the US — may face compliance complications.
Both agents are currently available in only six regions: US East, US West, Europe (Frankfurt and Ireland), and Asia Pacific (Sydney and Tokyo). Global enterprises in other regions cannot yet access them in production.
The Bigger Picture: AI Replacing Technical Labor
AWS launching these agents is a data point in a larger trend: the agentic AI wave is moving beyond productivity tools into direct substitution of skilled technical roles. The DevOps Agent doesn't just help an SRE work faster — it handles the diagnostic workflow an SRE would otherwise perform.
For enterprises, this is a cost equation. A fully loaded SRE costs $250,000–$400,000 per year. The DevOps Agent at $0.50/minute costs less than $10,000 per year for routine on-call coverage of incidents that average 30 minutes each. The economics only need to work for a subset of incidents to justify deployment.
Happycapy's multi-model platform lets you use the same underlying models powering AWS's frontier agents — Claude, GPT-5.4, and Gemini — for your own DevOps and engineering workflows without the lock-in of a single cloud provider.
- Forbes — AWS Deploys AI Agents To Do The Work Of DevOps And Security Teams (April 1, 2026)
- AWS DevOps Blog — Leverage Agentic AI for Autonomous Incident Response (April 2, 2026)
- AWS Cloud Operations Blog — Announcing General Availability of AWS DevOps Agent (March 31, 2026)
- The Letter Two — AWS Frontier Agents GA: Automate DevOps and Security (March 31, 2026)