Deploying Agents
Deploy autonomous SOC agents to your infrastructure using pre-built, production-ready examples from the scanner-inc/agents repository.
Once you have an agent pattern you like — alert triage, daily reporting, threat hunting — you need to deploy it somewhere it can run on a schedule or respond to webhooks.
The scanner-inc/agents public repository contains agents that are ready to import and run, in two runtimes: n8n (visual workflow automation) and AWS (Claude Agent SDK programs deployed via Terraform). Both draw on the same Scanner MCP and Detection Rules API; the difference is where the agent executes and who tends to maintain it.
Choose a runtime
Claude Agent SDK on AWS: Full control over the runtime, with Terraform-managed AWS infrastructure
n8n is the faster on-ramp. Import a JSON workflow, configure credentials, activate. Good for teams that already run n8n, or want non-developers to read and modify agents.
AWS (Claude Agent SDK) gives you code, Terraform, and the agent runtime inside your own VPC. Good for teams with a platform engineering function, or compliance requirements that preclude running agents outside their own network.
The two runtimes are not mutually exclusive. A mature SOC often runs a mix: an n8n workflow for alert triage posting to Slack, and an AWS-hosted agent for response actions that must stay inside the VPC.
What's in the repo
n8n/ — importable workflows
  alert-triage/ — webhook-triggered agent that investigates a Scanner detection alert, classifies it, and posts the finding to Slack
  daily-reporting/ — scheduled daily posture report; coverage and gap analysis posted to Slack
  threat-hunting/ — scheduled (every 6h) IOC sweep across historical logs, federating CISA KEV, ThreatFox, OTX, and Feodo Tracker
  slack-bot/ — interactive @-mention assistant in Slack, with a 3-phase Summarize → Plan → Execute chain
aws/ — Claude Agent SDK programs with Terraform
  alert-triage/ — container-image Lambda behind API Gateway + SQS; same triage behavior as the n8n version, deployed to AWS
  threat-hunting/ — scheduled ECS Fargate task that pulls threat intel (CISA KEV, ThreatFox, OTX, Feodo Tracker) and hunts across historical logs
Each workflow folder has its own README, a setup guide, and prompts version-controlled separately from the workflow JSON or source code.
For the SDK mechanics of writing your own agent from scratch (prompt structure, tool wiring, multi-MCP orchestration, examples), see Autonomous Workflows.