# Deploying Agents

Once you have an agent pattern you like — alert triage, daily reporting, threat hunting — you need to deploy it somewhere it can run on a schedule or respond to webhooks.

The [`scanner-inc/agents`](https://github.com/scanner-inc/agents) public repository contains agents that are ready to import and run, in two runtimes: **n8n** (visual workflow automation) and **AWS** (Claude Agent SDK programs deployed via Terraform). Both draw on the same Scanner MCP and Detection Rules API; the difference is where the agent executes and who tends to maintain it.

## Choose a runtime

| If you want...                                                           | Use                     | See                                                                                                           |
| ------------------------------------------------------------------------ | ----------------------- | ------------------------------------------------------------------------------------------------------------- |
| A visual workflow editor and minimal platform engineering                | n8n                     | [Deploy via n8n](/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/deploying-agents/n8n.md) |
| Full control over the runtime, with Terraform-managed AWS infrastructure | Claude Agent SDK on AWS | [Deploy via AWS](/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/deploying-agents/aws.md) |

**n8n** is the faster on-ramp. Import a JSON workflow, configure credentials, activate. Good for teams that already run n8n, or want non-developers to read and modify agents.

**AWS (Claude Agent SDK)** gives you code, Terraform, and the agent runtime inside your own VPC. Good for teams with a platform engineering function, or compliance requirements that preclude running agents outside their own network.

The two runtimes are not mutually exclusive. A mature SOC often runs a mix: an n8n workflow for alert triage posting to Slack, and an AWS-hosted agent for response actions that must stay inside the VPC.

## What's in the repo

* `n8n/` — importable workflows
  * `alert-triage/` — webhook-triggered agent that investigates a Scanner detection alert, classifies it, and posts the finding to Slack
  * `daily-reporting/` — scheduled daily posture report; coverage and gap analysis posted to Slack
  * `threat-hunting/` — scheduled (every 6h) IOC sweep across historical logs, federating CISA KEV, ThreatFox, OTX, and Feodo Tracker
  * `slack-bot/` — interactive `@`-mention assistant in Slack, with a 3-phase Summarize → Plan → Execute chain
* `aws/` — Claude Agent SDK programs with Terraform
  * `alert-triage/` — container-image Lambda behind API Gateway + SQS; same triage behavior as the n8n version, deployed to AWS
  * `threat-hunting/` — scheduled ECS Fargate task that pulls threat intel (CISA KEV, ThreatFox, OTX, Feodo Tracker) and hunts across historical logs

Each workflow folder has its own README, a setup guide, and prompts version-controlled separately from the workflow JSON or source code.

For the SDK mechanics of writing your own agent from scratch (prompt structure, tool wiring, multi-MCP orchestration, examples), see [Autonomous Workflows](/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/using-mcp-for-security-operations/autonomous-workflows.md).

