
Your First Scan

Your first scan is the moment Guardian Pro transforms from a connected platform into an active governance engine. This page explains what happens during a scan, how to trigger one, how to monitor progress, and how to interpret the results.

What Happens During a Scan

A Guardian Pro scan is a two-phase process that runs entirely within your connected AWS accounts using the IAM roles deployed during onboarding.

Phase 1: Resource Discovery

In the first phase, Guardian Pro discovers every resource across your connected AWS accounts:

  • Multi-region scanning -- Guardian Pro scans all enabled AWS regions in each account to ensure complete coverage, including resources in regions you might have forgotten about.
  • Service coverage -- Dozens of AWS services are scanned, including compute (EC2, Lambda, ECS, EKS), storage (S3, EBS, EFS), databases (RDS, DynamoDB, ElastiCache), networking (VPC, ALB, CloudFront), security (IAM, KMS, WAF), and many more.
  • Relationship mapping -- As resources are discovered, Guardian Pro builds a dependency graph that shows how resources relate to one another. This graph powers the Architecture Map and Failure Simulator features.
  • Configuration capture -- The full configuration of each resource is recorded, including security settings, tags, encryption status, network configuration, and access policies.

Info: Resource discovery is read-only. Guardian Pro uses Describe and List API calls exclusively during this phase. No resources are modified.

Phase 2: Security and Cost Checks

Once discovery is complete, Guardian Pro evaluates the discovered resources against hundreds of automated checks:

  • Security checks -- Identify misconfigurations, vulnerabilities, and deviations from security best practices (encryption, access controls, network exposure, logging, backup configuration).
  • Cost checks -- Flag idle resources, oversized instances, missing reservations, and other optimization opportunities.
  • Best practice checks -- Evaluate operational excellence patterns like tagging, monitoring, high availability, and disaster recovery.
  • Compliance mapping -- Each check is mapped to one or more compliance framework controls, so findings automatically feed into your compliance posture.

Each check produces one of four outcomes for every evaluated resource:

  • Pass -- The resource meets the requirement
  • Fail -- The resource has an issue that should be addressed (this becomes a "finding")
  • Not Applicable -- The check does not apply to this resource's configuration
  • Error -- The check could not be evaluated (permissions issue, API error, etc.)

How to Trigger a Scan

Automatic First Scan

After completing the onboarding wizard, Guardian Pro automatically triggers your first full scan. You do not need to do anything -- just wait for the results.

Manual Scan

You can trigger a scan at any time from the Dashboard:

  1. Navigate to the Dashboard.
  2. Click the Run Scan button.
  3. Guardian Pro initiates the scan across all connected accounts and regions.

Tip: You do not need to select which accounts or regions to scan. Guardian Pro automatically scans all connected accounts across all enabled regions. If you want to customize scan scope, you can configure region preferences in Settings > Scan Preferences.

Scheduled Scans

After your first scan, Guardian Pro runs scans automatically on a configurable schedule. You can adjust the frequency in Settings > Scan Preferences. Options include:

  • Every 6 hours
  • Every 12 hours
  • Daily (default)
  • Weekly
  • Custom schedule

Note: Scans are incremental after the first full scan. Guardian Pro detects which resources have changed and focuses evaluation there, making subsequent scans faster than the initial run.

Monitoring Scan Progress

When a scan is running, a progress banner appears at the top of the Dashboard showing:

  • Current phase -- Discovery or Security Checks
  • Progress percentage -- Overall completion
  • Region status -- Which regions are currently being scanned
  • Resources discovered -- Running count of resources found
  • Estimated time remaining -- Based on environment size

The progress updates in real time -- no need to refresh the page.

Typical Scan Duration

Scan times vary based on the size of your environment:

  • Small (1 account, < 100 resources) -- 1-2 minutes
  • Medium (5-10 accounts, 500-2,000 resources) -- 3-5 minutes
  • Large (20+ accounts, 5,000+ resources) -- 5-10 minutes
  • Very large (50+ accounts, 10,000+ resources) -- 10-15 minutes

Info: Scan performance scales with the number of resources, not just accounts. An account with thousands of EC2 instances takes longer than one with a handful of Lambda functions. Guardian Pro parallelizes scanning across regions to minimize total time.

Understanding Your Results

After the scan completes, you will see results across several areas.

Dashboard Updates

The Dashboard immediately reflects the scan results:

  • Health score updates to reflect your current posture
  • Active findings count shows how many issues were identified
  • Cost summary updates with any new cost optimization opportunities
  • Compliance scores recalculate based on the latest findings

Findings in the Action Centre

Navigate to the Action Centre to see the full list of findings. This is where you will spend most of your time evaluating and addressing issues.

Severity Levels

Findings are categorized by severity to help you prioritize:

  • Critical -- Immediate risk to security or availability. Address these first. Examples: publicly accessible databases, root account without MFA, unencrypted sensitive data stores
  • High -- Significant risk that should be addressed promptly. Examples: missing encryption at rest, overly permissive security groups, no backup configuration
  • Medium -- Moderate risk worth planning to resolve. Examples: missing access logging, non-optimized storage classes, absent monitoring
  • Low -- Minor improvements and best-practice suggestions. Examples: missing tags, informational recommendations, optimization hints

Finding Details

Each finding includes:

  • Title and description -- What the issue is and why it matters
  • Affected resource -- The specific AWS resource with the issue, including its ARN, region, and account
  • Severity and category -- How urgent the issue is and which domain it falls under (security, cost, operational excellence)
  • Remediation guidance -- Step-by-step instructions for fixing the issue, both manual and automated
  • Compliance impact -- Which compliance framework controls are affected by this finding
  • Risk level -- The potential impact of the issue, accounting for factors like whether the resource is publicly accessible or part of a critical dependency chain

Tip: Use the Quick Wins lens in the Action Centre to surface findings that are low-risk to fix but deliver meaningful improvement. These are a great place to start building confidence with the platform.

Smart Grouping

When the same issue appears across multiple resources (for example, 15 S3 buckets without versioning enabled), Guardian Pro groups these into a smart group. You can:

  • View the group as a single item for faster triage
  • Expand to see individual affected resources
  • Apply a bulk fix to remediate all instances at once
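As an added illustration of the four check outcomes described under Phase 2 and of smart grouping above (example code written for this page, not Guardian Pro's own implementation): one S3 versioning check is run over a constructed bucket inventory, returns exactly one outcome per bucket, and its Fail results are collapsed into a single group. The "ephemeral" tag rule that yields Not Applicable is an assumption made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum

class Outcome(Enum):
    PASS = "Pass"
    FAIL = "Fail"
    NOT_APPLICABLE = "Not Applicable"
    ERROR = "Error"

@dataclass
class Result:
    check_id: str
    resource_arn: str
    outcome: Outcome
    detail: str = ""

# Constructed S3 inventory (fake bucket names, not from a real account). "versioning"
# is None when the configuration could not be read, e.g. the scan role lacked permission.
BUCKETS = [
    {"arn": "arn:aws:s3:::app-logs", "versioning": "Enabled"},
    {"arn": "arn:aws:s3:::app-assets", "versioning": "Suspended"},
    {"arn": "arn:aws:s3:::app-uploads", "versioning": "Suspended"},
    {"arn": "arn:aws:s3:::app-backups", "versioning": None},
    {"arn": "arn:aws:s3:::ci-scratch", "versioning": "Suspended", "tags": {"lifecycle": "ephemeral"}},
]

def check_s3_versioning(bucket: dict) -> Result:
    """Evaluate one bucket and return exactly one of the four outcomes."""
    arn = bucket["arn"]
    # Assumed exclusion rule for this example: ephemeral buckets are out of scope.
    if bucket.get("tags", {}).get("lifecycle") == "ephemeral":
        return Result("s3-versioning", arn, Outcome.NOT_APPLICABLE, "ephemeral bucket")
    state = bucket.get("versioning")
    if state is None:  # capture failed: report Error, never a silent Pass
        return Result("s3-versioning", arn, Outcome.ERROR, "versioning state unreadable")
    if state == "Enabled":
        return Result("s3-versioning", arn, Outcome.PASS)
    return Result("s3-versioning", arn, Outcome.FAIL, f"versioning is {state}")

def smart_groups(results):
    """Collapse Fail outcomes for the same check into one group of affected ARNs."""
    groups = defaultdict(list)
    for r in results:
        if r.outcome is Outcome.FAIL:
            groups[r.check_id].append(r.resource_arn)
    return dict(groups)
```

An Error outcome is worth tracking separately from Fail: it means the scanner could not see the configuration, so the resource's posture is unknown rather than acceptable.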

Cost Recommendations

Cost-related findings appear both in the Action Centre and on the Cost Analysis page. Common first-scan cost findings include:

  • Idle resources -- Running instances, unattached EBS volumes, or unused Elastic IPs that are costing money without serving a purpose
  • Oversized resources -- Instances or databases provisioned with more capacity than utilization data suggests they need
  • Storage optimization -- EBS volumes using older generation types, S3 buckets without lifecycle policies
  • Missing reservations -- Steady-state workloads that would benefit from Reserved Instances or Savings Plans

Architecture Risks

Navigate to the Architecture page to see structural risks identified during the scan:

  • Single points of failure -- Critical resources without redundancy
  • Availability zone concentration -- Workloads concentrated in a single AZ
  • High blast radius -- Resources whose failure would cascade to a large portion of your infrastructure
  • Missing redundancy -- Compute resources without load balancing or auto-scaling

Compliance Status

If you have subscribed to compliance frameworks, the Compliance Dashboard now shows your posture:

  • Overall score -- Percentage of controls passing across your subscribed frameworks
  • Control-by-control status -- Detailed pass/fail status for every control
  • Gap analysis -- Which controls are failing and what you need to do to close the gaps

What to Do Next

After reviewing your first scan results, here is a recommended path forward:

1. Address Critical Findings First

Start with Critical severity findings. These represent the highest-risk issues in your environment. Many critical findings can be fixed with Guardian Pro's automated remediation -- click Fix on the finding card to preview the remediation action before applying it.

Warning: Always review the remediation preview before applying an automated fix, especially during your first scan. The preview shows exactly what will change, which resources are affected, and whether the action is reversible.

2. Explore the AI Assistant

Open the AI Assistant and ask questions about your results:

  • "Summarize my scan results"
  • "What should I fix first?"
  • "Explain why public S3 buckets are a risk"
  • "What is my biggest cost optimization opportunity?"

The AI Assistant has full context of your scan results and can provide personalized guidance.

3. Set Up Ongoing Monitoring

Configure the features that keep Guardian Pro working for you continuously:

  • Scan schedule -- Set up automatic recurring scans in Settings > Scan Preferences
  • Notifications -- Configure alerts for new critical findings and cost anomalies in Settings > Notifications
  • Budgets -- Set spending thresholds on the Cost Analysis page to catch unexpected cost increases
  • Compliance frameworks -- Subscribe to the frameworks relevant to your organization in Settings > Frameworks

4. Invite Your Team

If you have not already, invite team members in Settings > Users so they can view findings relevant to their areas of responsibility and collaborate on remediation.

5. Run a Failure Simulation

Visit the Architecture page and try the Failure Simulator. Select a critical resource in your infrastructure and see what would happen if it failed. This is one of the most powerful ways to identify architectural risks that are not visible from individual resource configurations alone.

Frequently Asked Questions

How often should I run scans?

Daily scans are recommended for most environments. This frequency catches new issues promptly without generating unnecessary noise. For high-compliance environments, consider scanning every 6 or 12 hours.

Will scanning affect my AWS resources?

No. Scanning is entirely read-only. Guardian Pro uses Describe and List API calls that do not modify any resources. The API calls appear in your CloudTrail logs for auditability.
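One way to verify the read-only claim against your own CloudTrail logs, as an added example that is not Guardian Pro's code: it parses constructed CloudTrail records, keeps only calls made under the scanning role, and flags any call name outside the Describe/List set the documentation describes. The role name and account id are placeholders, and the PutRolePolicy record is a constructed anomaly included to show what a flagged call looks like.

```python
import json
from typing import Optional

# Placeholder for the scanning role deployed during onboarding (an assumption, not the
# product's real role name).
SCAN_ROLE = "GuardianProScanRole"

# Constructed CloudTrail records with a fake account id; real log files use the same
# {"Records": [...]} layout with many more fields per record.
def _rec(source, name, role, session):
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"type": "AssumedRole",
                             "arn": f"arn:aws:sts::111111111111:assumed-role/{role}/{session}"}}

SAMPLE_LOG = json.dumps({"Records": [
    _rec("ec2.amazonaws.com", "DescribeInstances", SCAN_ROLE, "scan-1"),
    _rec("s3.amazonaws.com", "ListBuckets", SCAN_ROLE, "scan-1"),
    _rec("rds.amazonaws.com", "DescribeDBInstances", SCAN_ROLE, "scan-1"),
    _rec("ec2.amazonaws.com", "TerminateInstances", "OpsAdminRole", "ops"),  # not the scanner
    _rec("iam.amazonaws.com", "PutRolePolicy", SCAN_ROLE, "scan-1"),  # constructed anomaly
]})

# Call-name prefixes the documentation states are used during discovery; anything
# else made under the scan role is surfaced for review.
READ_ONLY_PREFIXES = ("Describe", "List")

def session_role(record: dict) -> Optional[str]:
    """Role name behind an assumed-role session, or None for other identity types."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    # Layout: arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>
    parts = ident.get("arn", "").split(":assumed-role/")
    return parts[1].split("/")[0] if len(parts) == 2 else None

def audit_scanner_calls(log_json: str, role_name: str) -> dict:
    """Count calls made under role_name and list any outside the documented set."""
    records = json.loads(log_json)["Records"]
    scanner = [r for r in records if session_role(r) == role_name]
    flagged = [f'{r["eventSource"]}:{r["eventName"]}' for r in scanner
               if not r["eventName"].startswith(READ_ONLY_PREFIXES)]
    return {"scanner_calls": len(scanner), "flagged": flagged}

if __name__ == "__main__":
    print(audit_scanner_calls(SAMPLE_LOG, SCAN_ROLE))
```

Run the same function over the records CloudTrail actually delivered for the scan window; a non-empty flagged list is a prompt to inspect those events, not proof of misuse, since some read-only APIs use other prefixes.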

What about API rate limits?

Guardian Pro includes built-in throttling and adaptive retry logic to avoid hitting AWS API rate limits. In very large environments with heavy existing API usage, contact support to discuss scan scheduling options.

Can I exclude specific resources or checks?

Yes. After your first scan, you can configure exclusions in Settings > Scan Preferences. You can exclude specific regions, resource types, or individual checks.

My scan found hundreds of findings. Is that normal?

Yes, this is common, especially for environments that have not been governed by an automated tool before. Focus on Critical and High severity findings first, and use the Quick Wins lens to identify easy improvements. Most environments see significant score improvement within the first few weeks of active remediation.

Further Reading