You’re reading an issue of "The AI Economy," my newsletter exploring the forces shaping the AI era—tracking how AI is rewriting business, work, technology, and culture. Subscribe to get expert insights and curated updates delivered straight to your inbox.
AWS’s “Frontier Agents,” autonomous programs capable of building, securing, and operating software, have launched—well, two of them, at least. Coming nearly five months after their introduction at last year’s re:Invent conference, developers can use the AWS DevOps and Security agents to automate their delivery pipelines and protect their apps from vulnerabilities. But, for those hoping to use the Kiro autonomous agent, they’ll have to wait—AWS has yet to announce a launch date.
The general availability of these two Frontier Agents also brings a slate of new capabilities, including expanded use cases, additional integrations, and enterprise-ready features.
But what constitutes a Frontier Agent? AWS points out that they have three defining characteristics: they can run autonomously without a human babysitter, they can work on multiple tasks simultaneously, and they can operate 24/7/365.
Subscribe to The AI Economy
“With greater change velocity comes the need for a lot more to improve and operate and pentest. It’s just that change velocity is what we really need that makes these autonomous DevOps and security agents even more important,” David Yanacek, senior principal engineer for AWS agentic AI, tells The AI Economy in an interview.
AWS DevOps Agent
The AWS DevOps Agent is designed to eliminate the infamous emergency pager—freeing on-call developers from firefighting alerts so they can focus on more meaningful work. AWS claims its agent can investigate incidents just as well as an experienced DevOps engineer would, analyzing observability tools, runbooks, code repositories, and CI/CD pipelines. As soon as an alert is received, the DevOps Agent gets to work—no matter the time of day—to quickly restore applications to optimal performance.
Initially, this DevOps Agent supported two types of operational work: reactive and proactive. With the former, the program responded to alarms and provided mitigation recommendations, while with the latter, it scanned all past incidents and identified “systemic things to improve” in the app’s operational posture. “We talked to customers and heard them say, ‘That’s great, now you are helping with that tactical pain of incident response…but operations is a lot more than just alarms going off. It’s customer support, needing to do periodic things, of digging in, and doing…weekly audits,” Yanacek states.
New Capabilities Added to DevOps Agent
Based on those conversations, these are the new capabilities that have been added to AWS DevOps Agent:
Azure and On-Premises Support
AWS DevOps Agent can provide a unified incident response no matter where applications run, whether across multiple cloud platforms like AWS and Azure or on-premises environments (connected via Model Context Protocol).
On-Demand SRE Tasks
Developers can communicate with a conversational AI assistant to ask questions about their app’s architecture and assess their system’s health. Yanacek describes this as more than a chat feature: “It’s really the place where you can do any operational, automate any task you want.” He adds that this has traditionally been the role of DevOps engineers, and now the AWS DevOps Agent will “automate the pain away,” eliminating the need to write a script or a tool for every use case.
Triage Agent
This new agent will assess the severity of an incident and identify duplicate tickets. Once duplications have been found, this program will link them to the main probe, consolidating efforts to mitigate issues.
Learned and Custom Skills
The DevOps Agent will learn from an organization’s investigation patterns, tool use, and topology. From this, it will develop skills specific to a company’s team based on how they resolve specific incidents. Developers can be proactive on this front, adding investigation procedures, best practices, and organizational knowledge to create reusable workflows for the AWS DevOps Agent to follow. These custom skills can be targeted to different agent types, such as on-demand, incident triage, incident RCA, incident mitigation, and evaluation.
Code Indexing
AWS DevOps Agent will index the entire application codebase, enabling it to understand code structure, detect potential bugs, and suggest code-level fixes.
New Third-Party Integrations
The agent previously supported Datadog, Dynatrace, New Relic, Splunk, GitHub, GitLab, and ServiceNow. With today’s launch, AWS is adding PagerDuty, Grafana, Azure DevOps, and Amazon EventBridge to that roster—and extending support to AWS CLI, SDK, and MCP Server APIs.
Now More Enterprise-Friendly
AWS DevOps Agent is launching in six AWS regions, including the US East, US West, Europe (Frankfurt and Ireland), and Asia Pacific (Sydney and Tokyo). Not only does this provide the flexibility of having the agent operate closer to an organization’s workload, but it’ll also allow developers to adhere to data residency requirements.
For developers wanting to securely connect the DevOps Agent to their internal tools, data, and workflows, AWS has added private MCP servers. And to enhance security, it uses Okta and Microsoft Entra ID for operator portal access.
How Much Does AWS DevOps Agent Cost?
Yanacek reveals that AWS DevOps Agent is billed per second and only when the program is “actively running” (e.g., doing an investigation or responding to a chat). He estimates it at around 50 cents per minute. That said, he points out that “generous” credits are distributed based on a developer’s AWS premium support tier. “If you’re a unified operations support customer, 100 percent of your spend on that is in credits into DevOps Agent…if you have enterprise support, then it’s 75 percent of your spend is also then a credit to DevOps Agent…30 percent of business support plus.”
AWS discloses that it will begin charging for DevOps Agent starting April 10, 2026.
AWS Security Agent
Security is the other frontier AWS is targeting. The Security Agent brings expert-level oversight to every stage of software development—reviewing design documents, scanning pull requests, and automatically enforcing an organization’s security policies while surfacing the risks that matter most. Among its most critical capabilities is penetration testing.
“Traditional penetration testing creates a fundamental constraint,” Ayush Singh, an AWS senior product manager, writes in a blog post. “Most organizations limit manual penetration testing to their most critical applications and conduct these tests periodically due to time and cost limitations. This approach can leave the majority of their application portfolio exposed to vulnerabilities in the periods between tests.”
AWS’s Security Agent automates this security process 24/7 at a much lower cost. The company states that the agent will perform penetration testing at a rate of $50 per task-hour, metered per second. What is a task-hour? It’s the time the Security Agent is actively working to test the app. And it’s estimated that an average evaluation that lasts 24 task-hours could cost up to $1,200.
But AWS is doing more than launching its Security Agent—it’s adding on a few more capabilities. For starters, AWS is expanding availability to five more regions, so it’s now available in US East and West, Europe (Dublin and Frankfurt), and Asia Pacific (Sydney and Tokyo). Developers can connect their GitHub repositories and tailor their code review findings and steering documents to their organization’s security and coding standards. And to improve penetration testing, AWS’s Security Agent supports 2FA/MFA login and cross-account virtual private clouds and can generate and export test reports for distribution to all stakeholders.
Some AWS customers have reported saving between 70 and 90 percent on penetration testing costs using the Security Agent compared to traditional manual approaches.
“When I talk to customers and, especially when I show them, ‘here is it adapting to some random application, and here it is finding some random answer of some bespoke outage or failure that we injected,’ they’re pretty blown away,” Yanacek says. “I can just see the wheels turning of how this actually changes everything when it comes to DevOps. I think I see people looking at the possibilities of, ‘I could automate this and [it] would free me up so that I can get to that other thing on my backlog that I’ve always wanted to get to’…They seem pretty excited about that.”
To Yanacek, Frontier Agents represent a new way of developing software. It moves developers away from “nannying” systems, leaving setup, fine-tuning, alarms, synthetic monitoring, and other tedious ops work to agents. And in the next 20 years, he believes people will look back and be surprised that it took so much effort to conduct well-architected reviews and operational tuning, rather than having an AI agent handle it automatically.
Featured Image: AWS CEO Matt Garman introduces Frontier Agents at re:Invent 2025. Credit: YouTube screenshot
Subscribe to “The AI Economy”
Exploring AI’s impact on business, work, society, and technology.
Leave a Reply
You must be logged in to post a comment.