Cloud Security Scanners Built for AI Agents
Static binaries that AI agents can discover, download, and run autonomously. No SDKs, no dependencies, no containers — just curl, verify, execute.
How It Works
1. Discover
Agent calls search("s3 encryption") via MCP to find the right scanner.
2. Get
Agent calls get("kloudle-aws-s3") and receives a ready-to-run command with SHA256 verification.
3. Run
Agent downloads the ~2MB static binary, verifies the checksum, and executes the security scan.
7 AWS Security Scanners
Each scanner is a self-contained static binary (~2MB). No runtime dependencies, no containers, no SDK installation. Works on any Linux x86_64 host.
S3
kloudle-aws-s3: Bucket encryption, public access blocks, versioning, logging, lifecycle policies
IAM
kloudle-aws-iam: Root account MFA, stale access keys, password policy compliance
EC2
kloudle-aws-ec2: Public SSH access, security group rules, EBS encryption, IMDSv2 enforcement
EKS
kloudle-aws-eks: Public endpoint access, control plane logging, secrets encryption
RDS
kloudle-aws-rds: Public accessibility, storage encryption, automated backup retention
CloudTrail
kloudle-aws-cloudtrail: Multi-region trails, log file validation, KMS encryption
CloudWatch Logs
kloudle-aws-cloudwatch-logs: Log group retention, encryption at rest, metric filter coverage
Connect via MCP
Add the Kloudle MCP server to any MCP-compatible AI agent or IDE.
{
  "mcpServers": {
    "kloudle": {
      "url": "https://mcp.kloudle.dev/mcp"
    }
  }
}
Built for Agents, Not Humans
Static Binaries
Compiled with Rust + musl for zero external dependencies. No glibc, no shared libraries, no Docker required.
SHA256 Verified
Every binary ships with a checksum. The MCP server returns a command that downloads, verifies, and runs in a single pipeline.
Structured Exit Codes
0 = all clear, 1 = misconfigurations found, 2 = auth failure, 3 = network error. Agents can branch logic without parsing output.
JSON Output
Machine-readable results with severity levels, resource identifiers, and remediation hints that agents can act on directly.
Minimal IAM Permissions
Each scanner declares exactly which read-only IAM permissions it needs. No admin access, no write permissions.
CDN-Delivered
Binaries served from Cloudflare R2 with immutable caching. Fast downloads worldwide, versioned paths for reproducibility.
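The verify-then-run step and the exit-code contract described above, as an added example that is not Kloudle's code or the command its MCP server returns. The helper names verify_and_run and make_stub are hypothetical, the "scanner" files are constructed stand-ins that only exit with a given code, and sha256sum from coreutils is assumed to be installed.

```shell
#!/bin/sh
# Added example (not Kloudle's code): verify a downloaded scanner before it is
# ever executed, then branch on the page's exit-code contract (0/1/2/3).

# verify_and_run FILE EXPECTED_SHA256 [ARGS...]  (hypothetical helper)
# Prints one status word. FILE is executed only if its digest matches.
verify_and_run() {
  local file="$1" expected="$2" actual rc=0
  shift 2
  case $file in */*) ;; *) file=./$file ;; esac   # never resolve via $PATH
  [ -f "$file" ] || { echo "missing"; return 0; }
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
  if [ "$actual" != "$expected" ]; then
    echo "checksum-mismatch"                      # fail closed: do not run
    return 0
  fi
  chmod u+x "$file"
  "$file" "$@" >/dev/null 2>&1 || rc=$?           # output discarded in this demo
  case $rc in
    0) echo "clean" ;;
    1) echo "findings" ;;
    2) echo "auth-failure" ;;
    3) echo "network-error" ;;
    *) echo "unexpected-exit-$rc" ;;              # outside the contract
  esac
}

# make_stub DIR CODE: constructed stand-in for a scanner; it only exits with
# CODE. Prints the path of the file it wrote.
make_stub() {
  printf '#!/bin/sh\nexit %s\n' "$2" > "$1/stub-$2"
  echo "$1/stub-$2"
}

# Demo on constructed stubs: each digest is pinned first, then one stub is
# modified after pinning to show that it is refused rather than run.
demo() {
  local dir stub sum code
  dir=$(mktemp -d)
  for code in 0 1 2 3 7; do
    stub=$(make_stub "$dir" "$code")
    sum=$(sha256sum "$stub" | cut -d' ' -f1)
    if [ "$code" = 7 ]; then echo '# changed' >> "$stub"; fi
    echo "stub-$code: $(verify_and_run "$stub" "$sum")"
  done
  rm -rf "$dir"
}
demo
```

The expected digest has to come from a source the agent trusts independently of the download itself; a checksum fetched alongside a tampered file proves nothing.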
Frequently Asked Questions
What is the MCP server?
Kloudle's MCP server at mcp.kloudle.dev lets AI agents discover and download cloud security scanners. Agents call search() to find available tools and get() to download verified binaries — no human intervention needed.
What agents are compatible?
Any MCP-compatible agent works: Claude, Cursor, Windsurf, Continue, and custom agents built with the MCP protocol. The server speaks standard JSON-RPC over HTTP.
How do agents run security scans?
Agents download a verified binary via get(), execute it with AWS credentials, and parse the structured JSON output. Each binary is a single static executable with zero dependencies — no runtime, no containers, no package managers.
Are the binaries safe to run?
Every binary is cosign-signed via GitHub Actions OIDC (keyless signing), with SHA256 checksums published alongside. Agents can verify signatures before execution. The binaries are static musl-linked executables with no external dependencies.
What security checks do the agent tools cover?
Seven AWS scanners covering S3, IAM, EC2, EKS, RDS, CloudTrail, and CloudWatch Logs — 681 checks total. Each scanner runs independently and produces structured JSON output with pass/fail status, severity, and remediation steps.
Is there a cost per API call?
search() is free and unlimited. get() is rate-limited to 50 calls per day per IP address. The binaries themselves are free to download and run.
Can I self-host the scanners?
Yes. The binaries are standalone executables. Download them once, host them on your own infrastructure, and run them without any connection back to Kloudle. The MCP server is just a discovery and distribution layer.
Let Your AI Agent Secure Your Cloud
Point any MCP-compatible agent at mcp.kloudle.dev and start scanning. 50 free scans per day, no signup required.