PolicyCortex - AI cloud engineer that fixes security issues autonomously
PolicyCortex detects security violations, compliance gaps, and cost anomalies in your cloud -- then autonomously remediates them in minutes. Replaces Wiz, Prisma Cloud, CloudHealth, and 4 other tools with one unified AI platform.
Replies
Hey Product Hunt -- Leonard here, founder of PolicyCortex. Excited (and slightly terrified) to share what I've been building.
The problem started 12 years ago.
I spent over a decade working inside the Department of Defense and Department of Energy -- environments where a misconfigured storage bucket isn't a compliance footnote, it's a national security incident. Every day I watched the same scene play out: a SOC analyst gets an alert at 2am, opens five different dashboards (Wiz, Prisma, CloudHealth, Datadog, ServiceNow), tries to triangulate what actually happened, escalates to a cloud engineer, waits for a ticket, and finally -- three days later -- the vulnerability gets patched. Three days. In a federal environment with active threat actors.
What killed me wasn't the attackers. It was the tooling. We had more security products than we had engineers to operate them. Each tool saw a slice of the picture. None of them acted. They just… screamed.
I left with active clearances and one obsession: what if the tool fixed the problem instead of just finding it?
What PolicyCortex does differently
Most cloud security tools are detectors. They find the misconfiguration, assign it a severity score, and drop it in a queue. Someone still has to open a terminal and fix it. PolicyCortex is an autonomous cloud engineer -- it detects, analyzes, and remediates without waiting for a human to touch a keyboard.
Here's what that looks like in practice. A public Azure storage account is created -- maybe by a developer spinning up a test environment, maybe by a Terraform drift. PolicyCortex's AI agent, Xovyr, picks it up within seconds and runs an 8-step autonomous remediation sequence:
1. Detects the public storage account via policy engine
2. Authenticates with Azure using scoped credentials
3. Analyzes the current configuration and blast radius
4. Disables public blob access
5. Creates a private endpoint
6. Updates the NSG rules accordingly
7. Verifies encryption is enforced
8. Runs a compliance check and generates a full audit trail
Total elapsed time: under 3 minutes. End-to-end. No ticket, no on-call page, no bleary-eyed engineer at 2am.
But we didn't remove the human from the loop -- we put them in the right place
The thing I'm most proud of isn't the speed. It's Gated Mode.
Any write operation -- anything that modifies infrastructure -- requires explicit human approval before Xovyr executes it. We call it a "safety sandwich": the AI does all the analysis, proposes the exact remediation steps, explains the business and security impact in plain English, and then pauses. A human reviews and approves. Then it executes.
This is the design principle I wish more "autonomous" tools understood. Autonomy without oversight is just automation debt waiting to happen. Gated Mode means engineers stay in control of what changes, while Xovyr handles the cognitive load of figuring out what needs to change and why.
What's in the platform today
- AI Triage Engine: 155 governance issues across Azure (AWS coming soon) analyzed by AI with confidence scoring. Xovyr only auto-remediates when confidence is 85%+. Lower-confidence issues surface for human review.
- FinOps Module: Real-time cost tracking, 30/60/90-day forecasting, anomaly detection. If a workload spikes 40% overnight, you know before the bill arrives.
- AI Observability: Model cost tracking for teams running LLM workloads in production. First-class citizen, not an afterthought.
- Natural Language Tagging: Type "Tag all Dev VMs with Environment=Development" -- Xovyr finds them, previews the change, and applies it after your approval.
- ATO Evidence Collection: Automated evidence packs for CMMC Level 2/3, NIST 800-171, and FedRAMP Moderate. This one's personal -- I lived through ATO processes that took 18 months and generated thousands of pages of manual documentation. We generate audit trails automatically as a byproduct of every remediation.
Who it's for
Our early design partners are engineering teams at mid-market SaaS companies and defense contractors (GovCloud environments). If you're a 5-person security team trying to cover a 200-person engineering org, PolicyCortex is built for you. If you're a defense contractor chasing an ATO and drowning in evidence requests, PolicyCortex is especially built for you.
What's next
We're live with Azure today. AWS support is in active development and is our next major milestone. After that: GCP, multi-cloud policy correlation, and deeper integrations with CI/CD pipelines so we can catch misconfigurations before they hit production.
We're also building out Xovyr's reasoning transparency -- so you can see exactly why the AI made a remediation decision, step by step, in language an auditor can read.
An honest ask
We're pre-revenue, early stage, and building in public. I'd genuinely love feedback from anyone who has lived through the tool-sprawl problem -- whether you're a cloud security engineer, a CISO, a DevSecOps lead, or someone who just got paged at 3am for a Terraform misconfiguration.
What are we missing? What would make you trust an AI to execute write operations in your cloud? What does your current security stack look like, and which part makes you the most tired?
If you want to see it live, request a demo at [policycortex.com](https://policycortex.com). I personally respond to every request.
Thanks for reading -- and thank you Product Hunt for the platform.
-- Leonard
Founder, PolicyCortex
Dallas, TX | 12 years DoD/DoE | leonardesere@gmail.com