AWS secures the cloud. You secure what's in it. Security Groups allow traffic on ports 22, 80, and 443 — but they cannot detect SSH brute force patterns, SQL injection in allowed traffic, or malware on your instance. Defensia fills every gap the shared responsibility model leaves to you.
AWS operates under a shared responsibility model: they secure the infrastructure (physical data centers, hypervisor, network fabric, managed services) while you are responsible for everything running inside your EC2 instances. This includes operating system patches, application security, access management, firewall rules, malware detection, and intrusion monitoring. Most AWS customers understand this in theory — but in practice, their EC2 instances run with nothing more than a Security Group and an SSH key.
```
sshd[4821]: Failed password for root from 185.220.101.7 port 43992 ssh2
sshd[4823]: Invalid user admin from 45.83.64.11 port 55120 ssh2
sshd[4825]: pam_unix(sshd:auth): authentication failure; rhost=103.145.13.90
sshd[4827]: Failed password for invalid user ec2-user from 92.118.39.18 port 22180
sshd[4830]: Disconnected from authenticating user ubuntu 45.83.64.11 port 38204 [preauth]
```
... thousands more today. Security Groups allow port 22. That's all they do.
A Security Group is a stateful firewall that controls which ports are open. It is essential — but it only decides whether a connection is allowed at all. Once traffic reaches port 22 or 443, the Security Group has done its job. It cannot inspect the content of that traffic, detect brute force patterns, identify SQL injection payloads, or notice that someone uploaded a PHP shell to your WordPress site. AWS provides additional security services — GuardDuty, Inspector, WAF, Shield — but each comes with its own pricing model and none of them provide host-level intrusion detection on your EC2 instance.
AWS has a massive security portfolio — over 30 services. The problem is not a lack of options. The problem is cost, complexity, and coverage gaps. Here is how each relevant AWS security service compares to what Defensia provides on the instance itself.
| Security layer | AWS | Defensia |
|---|---|---|
| Network firewall | Security Groups (free, stateful) | iptables/ipset (automatic, unlimited) |
| Firewall logs / traffic visibility | VPC Flow Logs ($0.50/GB) | Full event log + dashboard |
| SSH brute force detection | ✗ | 15 patterns, auto-ban |
| Web Application Firewall (WAF) | AWS WAF ($5/mo + per-rule + per-request) | 15+ OWASP types from nginx/Apache logs |
| Malware scanning on instance | ✗ | 64K+ hash signatures + 684 patterns |
| CVE / vulnerability scanning | Inspector (~$0.15/instance/mo) | NVD + EPSS + CISA KEV |
| Threat detection | GuardDuty (~$4/GB logs) | Real-time from auth + web logs |
| DDoS protection | Shield Standard (L3/L4, free) | L7 via WAF log analysis |
| Host-level IDS/IPS | ✗ | SSH + WAF + malware + posture |
| Geoblocking | WAF geographic rules ($1/rule) | 200+ countries at firewall level |
| Bot management | WAF Bot Control ($10/mo + per-request) | 70+ fingerprints, per-policy |
| Real-time attack dashboard | SecurityHub (aggregator, $0.0010/event) | ✓ |
| OS patching | Systems Manager (free for EC2) | ✗ |
| IAM / access control | ✓ | ✗ |
| Encryption (KMS) | ✓ | ✗ |
Credit where it is due: AWS provides world-class infrastructure security. IAM is the most granular access control system in any cloud. VPC networking, KMS encryption, CloudTrail audit logging, and Systems Manager patching are all excellent. Security Groups are free and effective at the network layer. Defensia does not replace any of these — it adds the host-level detection layer that AWS intentionally does not provide on EC2 instances.
AWS security services are powerful but expensive, and costs scale unpredictably with usage. Here is what a basic security setup costs for a single EC2 instance running a web application.
| Service | AWS cost | What it covers |
|---|---|---|
| Security Groups | Free | Port-level firewall only. No logs, no detection. |
| AWS WAF | $5/mo + $1/rule + $0.60/M requests | HTTP filtering. Only works with CloudFront, ALB, API Gateway — NOT directly on EC2. |
| GuardDuty | ~$4/GB CloudTrail + $1/GB VPC Flow | Threat detection from metadata. Does not read auth.log or web logs. |
| Inspector | ~$0.15/instance/month | CVE scanning for installed packages. No malware scanning. |
| Shield Advanced | $3,000/month | L7 DDoS + dedicated response team. Massive overkill for most. |
| Defensia Pro | €9/month flat | SSH + WAF + malware + CVE + geoblocking + bots + alerts + dashboard. |
GuardDuty alone costs approximately $4 per GB of CloudTrail logs analyzed, plus $1 per GB of VPC Flow Logs, plus $1.50 per million DNS queries. For a moderately busy EC2 instance, that is $10-30/month — and GuardDuty analyzes metadata, not your auth.log or web server logs. It cannot detect an SSH brute force attack or a SQL injection attempt. AWS WAF costs $5/month base plus $1 per rule plus $0.60 per million requests, and it only works with CloudFront, ALB, or API Gateway — not directly on an EC2 instance. Defensia is a flat €9/month per instance with no usage-based pricing surprises.
One command. Works on every EC2 instance — Amazon Linux 2023, Ubuntu (the most popular AMI), Debian, RHEL, Rocky Linux, AlmaLinux, CentOS, and Fedora. No packages to install, no dependencies, no configuration files. The agent auto-detects your operating system, log paths, and running services.
What happens on your EC2 instance:

1. Downloads the Go binary (~15MB) for your architecture (amd64 or arm64/Graviton)
2. Installs to /usr/local/bin/defensia-agent
3. Creates a systemd service unit
4. Auto-detects SSH log path (journald on Amazon Linux, /var/log/auth.log on Ubuntu)
5. Auto-detects nginx/Apache access logs if present
6. Starts protecting immediately — no config files to edit
Defensia works alongside AWS Security Groups — they complement each other. Security Groups filter traffic at the network level before it reaches your instance. Defensia detects attacks within the traffic that Security Groups allow through. Keep Security Groups tight to block unused ports, and let Defensia handle application-layer threats. The agent is a single Go binary with zero dependencies, uses under 30MB of RAM, and works on EC2 instances as small as t3.micro. Supports both x86_64 and ARM64 (Graviton) architectures.
Six detection engines cover every attack surface on your EC2 instance — from SSH to web applications to the filesystem.
GuardDuty detects "unusual API calls" but cannot see SSH brute force on your instance. Defensia reads /var/log/auth.log (Ubuntu) or journald (Amazon Linux 2023) and detects 15 SSH attack patterns: failed passwords, invalid users, pre-auth disconnects, PAM failures, and key exchange drops. Attackers are blocked within seconds via ipset.
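The kind of log-based detection described above, as an added example (not Defensia's code or its actual patterns): it classifies four of the sshd failure types named on this page and flags a source address once it produces `threshold` failures inside a sliding window. The sample lines, timestamp format, threshold, window and allowlist parameter are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# Address comes from sshd's trailing fields, never from the client-chosen username.
PATTERNS = {
    "failed_password": re.compile(r"^Failed password for .* from (\S+) port \d+(?: ssh2)?$"),
    "invalid_user": re.compile(r"^Invalid user .* from (\S+) port \d+(?: ssh2)?$"),
    "pam_failure": re.compile(r"^pam_unix\(sshd:auth\): authentication failure;.*?\brhost=(\S+)"),
    "preauth_disconnect": re.compile(r"^Disconnected from authenticating user .* (\S+) port \d+ \[preauth\]$"),
}
# Constructed sample: ISO-timestamped syslog lines with documentation-range addresses.
SAMPLE = [
    "2026-04-12T10:15:01 web1 sshd[4821]: Failed password for root from 203.0.113.7 port 43992 ssh2",
    "2026-04-12T10:15:03 web1 sshd[4823]: Invalid user admin from 203.0.113.7 port 55120",
    "2026-04-12T10:15:04 web1 sshd[4825]: pam_unix(sshd:auth): authentication failure; rhost=203.0.113.7",
    "2026-04-12T10:15:05 web1 sshd[4827]: Failed password for invalid user "
    "a from 192.0.2.10 port 1 ssh2 from 198.51.100.9 port 22180 ssh2",
    "2026-04-12T10:20:00 web1 sshd[4830]: Disconnected from authenticating user ubuntu 198.51.100.20 port 38204 [preauth]",
]

def classify(msg):
    """Return (kind, source_ip) for an sshd failure message, else None."""
    for kind, rx in PATTERNS.items():
        hit = rx.match(msg)
        if hit:
            try:
                return kind, str(ipaddress.ip_address(hit.group(1)))
            except ValueError:
                break  # not an address (for example a hostname)
    return None

def detect(lines, threshold=3, window=timedelta(seconds=60), allow=()):
    """Map each source reaching `threshold` failures within `window` to that time."""
    recent, banned = defaultdict(deque), {}
    for line in lines:
        m = LINE.match(line)
        found = classify(m["msg"]) if m else None
        if not found or found[1] in allow or found[1] in banned:
            continue
        ts, q = datetime.fromisoformat(m["ts"]), recent[found[1]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            banned[found[1]] = ts
    return banned
```

sshd can log more than one of these lines for a single attempt, so the threshold counts log lines rather than logins. The fourth sample line checks that an address embedded in the username is never the one flagged.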
AWS WAF requires CloudFront or ALB and costs $5/month plus per-rule and per-request charges. Defensia reads nginx and Apache access logs directly on the instance and detects SQL injection, XSS, path traversal, RCE, SSRF, shellshock, and 10+ more OWASP attack types. No proxy required, no per-request billing.
AWS has no malware scanning for EC2 instances. GuardDuty Malware Protection scans EBS volumes only when triggered by a finding — it is not continuous. Defensia scans the filesystem with 64,000+ hash signatures and 684 dynamic patterns. Detects PHP backdoors, obfuscated shells, cryptominers in /tmp and /dev/shm, and modified system binaries.
AWS Inspector scans for CVEs at approximately $0.15/instance/month. Defensia includes CVE scanning in Pro with no additional cost — matching installed packages (apt, rpm, yum) against the National Vulnerability Database. Each CVE is scored with EPSS exploit probability and flagged if it appears in the CISA Known Exploited Vulnerabilities catalog.
AWS WAF Bot Control costs $10/month plus per-request fees. Defensia includes bot management in Pro with 70+ bot fingerprints identified from User-Agent strings and request patterns. Legitimate bots (Googlebot, Bingbot) are allowed. Vulnerability scanners, credential stuffing bots, and scrapers are blocked or logged per your policy.
Continuous assessment of your EC2 instance security: SSH configuration, firewall rules, file permissions, world-readable credentials, exposed .git directories, and weak key permissions. Scored 0-100 with A-F grade. AWS Trusted Advisor checks some of this at the account level — Defensia checks it on every instance, continuously.
Running Amazon Elastic Kubernetes Service? Defensia deploys as a DaemonSet via Helm chart — one agent per worker node. The agent monitors ingress controller logs for web attacks, detects SSH brute force on nodes, and scans for malware across the cluster. EKS charges $0.10/hour for the control plane; Defensia adds the security layer that EKS does not include. See our full Kubernetes security guide for details on EKS, GKE, and self-managed clusters.
```bash
# Deploy on EKS:
$ helm repo add defensia https://defensia.cloud/charts
$ helm install defensia-agent defensia/defensia-agent \
    --set apiKey=YOUR_API_KEY
```
Killer feature: Defensia reads ingress controller logs (ALB Ingress Controller, nginx-ingress, Traefik) and detects web attacks across all services behind the ingress — one agent protects your entire cluster.
AWS handles infrastructure — compute, networking, storage, IAM, managed databases, and global edge network. Defensia handles host-level security — attack detection, automated blocking, malware scanning, vulnerability management, and real-time monitoring. Together, they form a complete stack without the complexity and cost of assembling five different AWS security services.
Defensia is not a replacement for Security Groups or IAM — it is the security layer that sits on top. Security Groups decide which ports are open. IAM controls who can manage AWS resources. Defensia monitors what happens inside the instance: who is brute-forcing SSH, what SQL injection attempts are hitting your web app, whether a cryptominer was dropped in /tmp. GuardDuty analyzes VPC flow logs and CloudTrail metadata — Defensia reads auth.log and nginx access logs directly on the instance.
Yes. Security Groups are a network-level firewall that controls which ports are open. They are essential but they cannot inspect the content of allowed traffic. If port 22 is open (for SSH), Security Groups allow all SSH traffic — including brute force attacks. If port 443 is open (for HTTPS), Security Groups allow all HTTPS traffic — including SQL injection. Defensia detects and blocks malicious activity within the traffic that Security Groups allow through.
AWS WAF is a cloud-based HTTP filter that works only with CloudFront, Application Load Balancer, or API Gateway. It cannot be attached directly to an EC2 instance. It costs $5/month base plus $1 per rule plus $0.60 per million requests. Defensia reads nginx/Apache logs directly on the instance, detects 15+ OWASP attack types, and costs a flat EUR 9/month with no per-request billing. If you run a web server directly on EC2 without an ALB, AWS WAF simply does not work for you.
For most EC2 workloads, yes. GuardDuty costs approximately $4 per GB of CloudTrail logs plus $1 per GB of VPC Flow Logs. A moderately busy instance can generate $10-30/month in GuardDuty costs. More importantly, GuardDuty analyzes API calls and network metadata — it does not read SSH auth logs, web server logs, or scan for malware on the filesystem. Defensia costs EUR 9/month flat and covers host-level threats that GuardDuty cannot see.
Yes. Defensia supports Amazon Linux 2023, Amazon Linux 2, Ubuntu, Debian, RHEL, Rocky Linux, AlmaLinux, CentOS, and Fedora. The agent auto-detects the OS and configures itself — journald on Amazon Linux, /var/log/auth.log on Ubuntu/Debian. No manual configuration required.
Yes. Deploy Defensia via Helm chart as a DaemonSet on your EKS worker nodes. The agent monitors ingress controller logs for web attacks, detects SSH brute force on nodes, scans for malware, and checks for CVEs. One agent per node protects all services behind the ingress controller.
Defensia is free for 1 EC2 instance — includes SSH protection, the full real-time dashboard, and bot detection. Pro costs EUR 9/instance/month (EUR 7 billed annually) and adds WAF, malware scanning, CVE intelligence, geoblocking, and alerts. The agent uses under 30MB RAM and works on instances as small as t3.micro.
AWS Shared Responsibility Model based on official documentation: aws.amazon.com/compliance/shared-responsibility-model.
AWS Security Groups (stateful, port-level only, no logs) based on: docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html.
AWS WAF pricing ($5/month + $1/rule + $0.60/million requests, works only with CloudFront/ALB/API Gateway) based on: aws.amazon.com/waf/pricing.
AWS GuardDuty pricing (~$4/GB CloudTrail, $1/GB VPC Flow Logs) based on: aws.amazon.com/guardduty/pricing.
AWS Inspector pricing (~$0.15/instance/month for EC2 scanning) based on: aws.amazon.com/inspector/pricing.
AWS Shield Advanced pricing ($3,000/month) based on: aws.amazon.com/shield/pricing.
AWS market share (~31%) based on Synergy Research Group and Canalys cloud market reports.
Attack frequency and time-to-first-attack metrics based on Defensia telemetry data across production servers monitored from January to April 2026.