Flagship product · AI-native
For SREs & solution architects

Alerts that know your business.

BlueArch CLI pairs the world's largest AWS misconfiguration database with your business context — revenue tags, customer tiers, regional exposure — so the first alert you see is the one that actually matters. Notes, runbooks, and AI triage, one terminal away.

Self-hosted in your VPC · macOS · Linux · Windows · Docker · Read-only IAM by default
~/infra · bluearchprod · us-east-1, us-west-2, eu-west-1
$ bluearch scan --since 24h --business-context
Loading Governance Hub manifest… ✓ 2,147 rules
Pairing with finops-tags.yml … ✓ 412 resources tagged
Scanning 6,182 resources across 3 regions…
CRITICAL RDS-2025-007 · $182k ARR at risk
  Multi-AZ disabled on prod-orders-db (tier=tier-1)
  → business_impact: checkout flow · 4 enterprise customers
  → ai_summary: "A us-east-1a outage would block $182k/mo of order revenue for ~45 min. Fix is reversible and runs ~$340/mo extra. Recommended: enable today."
HIGH S3-2024-118 · Compliance · SOC 2
  Block Public Access off on shared-assets bucket
NOTE IAM-2025-031 · snoozed by @rkapoor (3d ago)
  "Tracked in JIRA-4812; revisit after Q1 audit"
─────────────────────────────────────────────────────────
2 critical · 7 high · 14 medium · 31 muted
$284k ARR at risk · ↓ 38% week-over-week

What you get

Built for the on-call engineer who runs everything.

Three things every SRE and solution architect asks for, finally in one tool.

01 · Signal

Business-aware severity

Every finding is paired with your revenue tags, customer tiers, and regional exposure. The CLI sorts by dollars at risk — not by "high / medium / low." Critical means the order pipeline. Low means a dev sandbox.

2,147 rules · Hub-backed
02 · Triage

AI-native notes & snoozes

Per-finding notes that travel with the engineer, not the resource. Snooze with reason, escalate to JIRA, or ask InfraGPT to draft the remediation PR. State is shared across your team, not stuck in someone's terminal history.

Notes · Snooze · Escalate · Draft PR
03 · Action

Reversible fixes, suggested

Every finding ships with a tested remediation — Terraform, CDK, or raw AWS CLI. Apply it as a dry-run, review the diff, and ship. No SaaS in the loop; the CLI runs in your VPC and writes to your account.

terraform · cdk · awscli
Faster mean-time-to-remediate
Median across 84 SRE teams running BlueArch for >90 days.
Findings auto-triaged
By business impact, before a human ever opens the terminal.
Spend managed per SRE
Up from baseline 1× — one engineer can now cover 2–4× the footprint.
Rules out of the box
Sourced from the Governance Hub. New rules ship daily.

"We went from triaging Security Hub findings on Mondays to a 9am Slack digest with three things to fix. BlueArch knows which of our buckets actually serve customer traffic — Security Hub never did."

J. Morales
Staff SRE · Logistics platform · $9M AWS / yr

30-day result

Critical alerts / week
↓ 78%
Time on triage
−9.4 hrs
P1 incidents avoided
3
ARR protected
$1.1M
Install · macOS / Linux · v3.4

One command. In your terminal.

brew install bluearchio/tap/bluearch
100% self-hosted. Runs on your laptop or in your VPC. No SaaS in the loop, no data leaves your account.
Apple-notarized & AWS-vetted. Signed binaries from a verified developer. No security warnings, no surprises.
Your IAM, your access. Uses your existing AWS credentials. Read-only by default — you opt in to writes.

FAQ

Common questions.

For deep technical details, see the docs. Or ask InfraGPT.

Does the CLI need access to my AWS account?
Read-only IAM by default. Remediation actions require explicit per-action approval and a separate write role — you control which actions are pre-authorized vs. require a PR.
Where does the business context come from?
A YAML file (finops-tags.yml) you keep in your infra repo. It maps AWS tags to revenue, tiers, and ownership. Tag Manager can generate it for you from existing tags.
Does data leave my VPC?
No. The CLI runs entirely in your environment. The Governance Hub manifest is pulled over HTTPS at startup; everything else stays local. AI features call an LLM endpoint of your choice (Bedrock, Anthropic API, or your own).
How does it compare to Security Hub / Wiz / Prowler?
Those tools are great at producing findings. BlueArch is built around what to do with findings — business-aware ranking, shared notes, AI-drafted remediation. It happily ingests Security Hub findings as one of its inputs.
Pricing?
Free for individual SREs (limit: 1 account, 1k resources). Team plan starts at $1,200 / month per AWS organization. See the pricing page.

One brew install from a quieter on-call.

Install in five minutes. Get your first business-aware report on coffee #2.