
Blockchain Security Operations with Agentic AI on AWS: Detect, Triage, and Respond

May 07, 2026 · 7 min read


Tags: AWS, Agentic AI, Blockchain, Security


Scenario

A fintech security team monitors high-volume on-chain events and cannot manually triage every alert. They need an agentic system that reduces noise while preserving human control for high-risk actions.

Business objective

  • reduce mean time to triage
  • classify risk faster
  • automate low-risk responses
  • keep high-risk actions human-approved

Architecture

graph TD
  Chain[On-chain Events] --> Ingest[Kinesis / EventBridge]
  Ingest --> Analyze[Agentic Analysis Service]
  Analyze --> Risk[Risk Classifier]
  Risk --> SOAR[Step Functions SOAR Workflow]
  SOAR --> Auto[Low-risk Auto Actions]
  SOAR --> HITL[Human Approval Queue]
  SOAR --> Ticket[Ticketing/SIEM]
  Analyze --> Bedrock[Bedrock Reasoning Layer]
  Analyze --> DDB[(Incident State)]
  Analyze --> CW[CloudWatch + Alarms]

Trade-offs

  • more automation improves speed but can increase false-positive actions if not bounded
  • tighter approval controls improve safety but reduce response speed

Step-by-step tutorial

1) Create incident table and queues

Bash:

export AWS_REGION=us-east-1
export PROJECT=chain-secops

# Incident state table: pk = incident id, ts = sort key for decision history; encrypted at rest
aws dynamodb create-table \
  --table-name ${PROJECT}-incidents \
  --attribute-definitions AttributeName=pk,AttributeType=S AttributeName=ts,AttributeType=S \
  --key-schema AttributeName=pk,KeyType=HASH AttributeName=ts,KeyType=RANGE \
  --billing-mode PAY_PER_REQUEST \
  --sse-specification Enabled=true

# Queue that holds high-risk actions awaiting human approval
aws sqs create-queue --queue-name ${PROJECT}-approvals

PowerShell:

$env:AWS_REGION = "us-east-1"
$env:PROJECT = "chain-secops"

# Incident state table: pk = incident id, ts = sort key for decision history; encrypted at rest
aws dynamodb create-table `
  --table-name "$($env:PROJECT)-incidents" `
  --attribute-definitions AttributeName=pk,AttributeType=S AttributeName=ts,AttributeType=S `
  --key-schema AttributeName=pk,KeyType=HASH AttributeName=ts,KeyType=RANGE `
  --billing-mode PAY_PER_REQUEST `
  --sse-specification Enabled=true

# Queue that holds high-risk actions awaiting human approval
aws sqs create-queue --queue-name "$($env:PROJECT)-approvals"

2) Define risk classification service (FastAPI)

from fastapi import FastAPI
from pydantic import BaseModel

app = FastAPI(title="Chain SecOps Agent")


class Event(BaseModel):
    tx_hash: str
    amount_usd: float
    protocol: str
    anomaly_score: float  # 0.0 to 1.0, produced by the upstream anomaly model


@app.post("/classify")
def classify(event: Event):
    # A large transfer is critical regardless of score; otherwise the score alone sets the tier.
    if event.anomaly_score > 0.9 or event.amount_usd > 100000:
        risk = "critical"
    elif event.anomaly_score > 0.7:
        risk = "high"
    elif event.anomaly_score > 0.4:
        risk = "medium"
    else:
        risk = "low"

    return {"tx_hash": event.tx_hash, "risk": risk}

3) Human-in-the-loop workflow sketch

{
  "Comment": "Chain SecOps Orchestration",
  "StartAt": "Classify",
  "States": {
    "Classify": {"Type": "Task", "Resource": "arn:aws:lambda:...:function:classify", "Next": "RiskDecision"},
    "RiskDecision": {
      "Type": "Choice",
      "Choices": [
        {"Variable": "$.risk", "StringEquals": "low", "Next": "AutoContain"},
        {"Variable": "$.risk", "StringEquals": "medium", "Next": "NotifyOnly"}
      ],
      "Default": "RequireApproval"
    },
    "AutoContain": {"Type": "Task", "Resource": "arn:aws:lambda:...:function:auto_contain", "End": true},
    "NotifyOnly": {"Type": "Task", "Resource": "arn:aws:lambda:...:function:notify", "End": true},
    "RequireApproval": {"Type": "Task", "Resource": "arn:aws:lambda:...:function:approval_gate", "End": true}
  }
}

4) Alerting and metrics

aws sns create-topic --name ${PROJECT}-alerts
aws cloudwatch put-metric-alarm \
  --alarm-name ${PROJECT}-critical-events \
  --namespace ChainSecOps \
  --metric-name CriticalEventCount \
  --statistic Sum --period 60 --evaluation-periods 1 --threshold 1 \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --alarm-actions arn:aws:sns:us-east-1:123456789012:${PROJECT}-alerts

Security controls

  • all outbound actions are allowlisted
  • separate execution roles by action criticality
  • sign and store incident decisions for audit
  • strict approval for high-risk actions
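An added example (not code from the original post) of how the controls above and the step 3 routing fit together in one dispatcher: actions are allowlisted per risk tier, high and critical tiers never auto-execute and go to the approval queue instead, and every decision is HMAC-signed before it is stored. The action names, the in-memory stand-ins for DynamoDB and SQS, and the signing key are all assumptions.

```python
import hashlib
import hmac
import json
import time

# Hypothetical per-tier allowlist (names are assumed, not from the post).
# An action missing from a tier's set is never auto-executed, which bounds blast radius.
ALLOWED_ACTIONS = {
    "low": {"tag_tx", "rate_limit_address"},
    "medium": {"notify_oncall"},
    "high": set(),       # high and critical always require a human decision
    "critical": set(),
}

# Placeholder key for the example; a real deployment would fetch it from KMS or Secrets Manager.
AUDIT_KEY = b"example-only-key-replace-with-managed-secret"

AUDIT_LOG = []       # stand-in for the ${PROJECT}-incidents DynamoDB table
APPROVAL_QUEUE = []  # stand-in for the ${PROJECT}-approvals SQS queue


def sign_record(record):
    """HMAC-SHA256 over canonical JSON so a stored decision can be verified later."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, body, hashlib.sha256).hexdigest()


def verify_record(entry):
    """Recompute the signature over every field except 'sig' and compare in constant time."""
    record = {k: v for k, v in entry.items() if k != "sig"}
    return hmac.compare_digest(sign_record(record), entry["sig"])


def dispatch(tx_hash, risk, action, actor="agent"):
    """Route an agent-proposed action: execute if allowlisted for the tier, queue for
    approval if the tier demands a human, refuse anything else. Every outcome is signed."""
    if action in ALLOWED_ACTIONS.get(risk, set()):
        outcome = "executed"
    elif risk in ("high", "critical"):
        outcome = "pending_approval"
        APPROVAL_QUEUE.append({"tx_hash": tx_hash, "risk": risk, "action": action})
    else:
        outcome = "refused"   # low/medium action outside its allowlist is dropped, not escalated
    record = {"tx_hash": tx_hash, "risk": risk, "action": action,
              "outcome": outcome, "actor": actor, "ts": time.time()}
    record["sig"] = sign_record(record)
    AUDIT_LOG.append(record)
    return record
```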

Monitoring

  • risk-classification distribution over time
  • false positive and false negative rates
  • auto-action success/failure rates
  • time-to-ack and time-to-resolution

Cost optimization

  • batch low-priority event enrichment
  • sample low-risk telemetry for cheaper storage
  • keep expensive model reasoning for medium/high/critical events only

Pricing note: verify Bedrock, Kinesis, EventBridge, Lambda, and Step Functions pricing before rollout.

Production checklist

  • clear risk taxonomy approved by security and compliance
  • auto-action blast radius bounded and tested
  • approval workflows tested under pager load
  • incident evidence retention and export policy documented
  • tabletop exercises completed quarterly
