# Deploying Agents Once you have an agent pattern you like — alert triage, daily reporting, threat hunting — you need to deploy it somewhere it can run on a schedule or respond to webhooks. The [`scanner-inc/agents`](https://github.com/scanner-inc/agents) public repository contains agents that are ready to import and run, in two runtimes: **n8n** (visual workflow automation) and **AWS** (Claude Agent SDK programs deployed via Terraform). Both draw on the same Scanner MCP and Detection Rules API; the difference is where the agent executes and who tends to maintain it. ## Choose a runtime | If you want... | Use | See | | ------------------------------------------------------------------------ | ----------------------- | ------------------------------------------------------------------------------------------------------------- | | A visual workflow editor and minimal platform engineering | n8n | [Deploy via n8n](/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/deploying-agents/n8n.md) | | Full control over the runtime, with Terraform-managed AWS infrastructure | Claude Agent SDK on AWS | [Deploy via AWS](/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/deploying-agents/aws.md) | **n8n** is the faster on-ramp. Import a JSON workflow, configure credentials, activate. Good for teams that already run n8n, or want non-developers to read and modify agents. **AWS (Claude Agent SDK)** gives you code, Terraform, and the agent runtime inside your own VPC. Good for teams with a platform engineering function, or compliance requirements that preclude running agents outside their own network. The two runtimes are not mutually exclusive. A mature SOC often runs a mix: an n8n workflow for alert triage posting to Slack, and an AWS-hosted agent for response actions that must stay inside the VPC. ## What's in the repo * `n8n/` — importable workflows * `alert-triage/` — webhook-triggered agent that investigates a Scanner detection alert, classifies it, and posts the finding to Slack * `daily-reporting/` — scheduled daily posture report; coverage and gap analysis posted to Slack * `threat-hunting/` — scheduled (every 6h) IOC sweep across historical logs, federating CISA KEV, ThreatFox, OTX, and Feodo Tracker * `slack-bot/` — interactive `@`-mention assistant in Slack, with a 3-phase Summarize → Plan → Execute chain * `aws/` — Claude Agent SDK programs with Terraform * `alert-triage/` — container-image Lambda behind API Gateway + SQS; same triage behavior as the n8n version, deployed to AWS * `threat-hunting/` — scheduled ECS Fargate task that pulls threat intel (CISA KEV, ThreatFox, OTX, Feodo Tracker) and hunts across historical logs Each workflow folder has its own README, a setup guide, and prompts version-controlled separately from the workflow JSON or source code. For the SDK mechanics of writing your own agent from scratch (prompt structure, tool wiring, multi-MCP orchestration, examples), see [Autonomous Workflows](/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/using-mcp-for-security-operations/autonomous-workflows.md). --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/deploying-agents.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.