AWS previews GuardDuty AI investigations in 10 regions
The useful part is not the AI label; it is whether GuardDuty can show enough evidence for analysts to trust suppression or containment.
TL;DR
AWS launched a preview of AI-powered investigations in Amazon GuardDuty across 10 commercial AWS Regions, with access through the console, CLI, API and AWS MCP Server. The feature analyzes GuardDuty findings, account context, related activity from the prior 90 days, affected resources and threat indicators, then returns confidence-scored dispositions, MITRE ATT&CK technique classifications, evidence and recommended suppression, containment or remediation. AWS did not list AWS GovCloud (US) among the preview regions.
AWS is moving more of the first-hour investigation into GuardDuty itself. The preview feature analyzes GuardDuty findings and account context, looks back across related activity from the prior 90 days, and produces a disposition assessment with confidence scoring, MITRE ATT&CK classifications, supporting evidence and recommendations for suppression, containment or remediation.
For cloud security teams, that is a real workflow change if the evidence is good. GuardDuty already produces findings; the painful work is deciding whether a finding is noise, a contained event or the front edge of an incident. AWS says the new capability uses knowledge graphs and threat intelligence to do that work in minutes across individual accounts or AWS Organizations. That helps the security operations center, but it also creates a governance question: who is allowed to accept the AI-assisted disposition, and what record is retained when the answer drives containment or suppression?
The preview is also narrower than the announcement language may suggest. AWS listed 10 commercial regions: US East in Northern Virginia and Ohio, US West in Oregon, Canada Central, five European regions and Tokyo. AWS GovCloud (US) is not on that list. Federal and defense-adjacent teams can watch the feature, test it where policy allows, and update incident-response runbooks later. They should not treat this as an immediate GovCloud control-plane change.
Published · Deep Fathom