Aithrex
Infratrix · An Aithrex product · Available on AWS

Find cloud cost and security gaps, in the graph.

Infratrix reads your AWS account as a connected graph, studies how your infrastructure actually relates, and surfaces cost and security gaps a per-resource tool would miss, each proposed as a Terraform change your team can read, reverse, and own.

Cloud today
AWS · all regions
Cloud next
GCP · in parallel
Action shape
Terraform / CDK · review-first
Control
Customer-held kill switch
Infratrix · live
acme-prod · us-east-1
[Account diagram] CUSTOMER · AWS · ACCOUNT: VPC 10.0.0.0/16 · IAM 47 roles · EKS 3 clusters · RDS aurora-pg · S3 212 buckets · EC2 118 nodes · cm-collector every 5 min, read-only · SIGNED · DELTAS ONLY.
INFRATRIX · REASONING: indexing account state (live) · workload window 30 / 90 d · 312 patterns considered · 07 actions drafted (review-ready · Terraform).
ACTION · 01 · Replace NAT egress → S3 endpoint · in-stack gateway endpoint · −27 % cost · LOW
ACTION · 02 · Right-size aurora-pg writer · 30 / 90 d workload window · −18 % cost · LOW
ACTION · 03 · Karpenter consolidation · runners · spot, burst-aware · −11 % cost · MED
VERIFIED · LAST CYCLE: inverse armed · audit posted
Inverse attached · rollback ready
07 actions drafted · awaiting review

From a NAT line item to a Terraform plan, in one hop.

When Infratrix sees traffic leaving your private subnet through NAT to reach a bucket in the same region, it reads the whole path (workload, route table, IAM, endpoints, flow logs) as a single graph in your account.

The deliverable is not a chart. It is a Terraform plan adding the missing gateway endpoint, the route table and IAM changes that make it safe, an explicit dollar baseline, and the inverse the actor will run if a watcher trips.

Engineering work, scoped to your stack, handed back as a PR your team merges on its own terms.
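The first hop of that path, measuring how much same-region S3 traffic actually crosses the NAT gateway and what it costs, as an added example (not Infratrix's or Aithrex's code). It parses constructed VPC flow log records in the default v2 format, counts accepted flows between a private subnet and an in-region S3 address, skips the NAT gateway's own ENI so the same flow is not counted twice, and extrapolates the window to a 30-day baseline at the $0.045/GB NAT processing price the page quotes. The S3 CIDRs, subnet CIDRs, ENI ids and log lines are all constructed samples; the 1e9-bytes-per-GB convention is an assumption.

```python
import ipaddress
from typing import Iterable

# NAT gateway data-processing price quoted on the page for us-east-1 (USD per GB).
NAT_GW_PER_GB = 0.045

# Assumption: a GB is counted as 1e9 bytes here; adjust to your bill's convention.
BYTES_PER_GB = 1_000_000_000

# Constructed sample CIDRs standing in for the regional S3 prefix list (in practice
# taken from the ip-ranges.json feed or the com.amazonaws.<region>.s3 prefix list).
S3_IN_REGION_CIDRS = ["52.216.0.0/15", "3.5.0.0/19", "54.231.0.0/16"]

# Constructed sample: private subnets of the page's 10.0.0.0/16 VPC.
PRIVATE_SUBNET_CIDRS = ["10.0.2.0/24", "10.0.3.0/24"]

# Constructed sample: the NAT gateway's own ENI. Its records repeat every flow
# already logged on the workload ENI and must be skipped to avoid double counting.
NAT_GATEWAY_ENIS = {"eni-0nat0000"}

# Constructed sample VPC flow log (default v2 format, space separated):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0aaa1111 10.0.2.15 52.216.20.100 43210 443 6 1200 960000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa1111 10.0.2.15 3.5.1.20 43211 443 6 800 640000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0bbb2222 10.0.3.40 52.216.20.101 51000 443 6 500 400000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0bbb2222 10.0.3.40 142.250.72.14 51001 443 6 50 40000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0ccc3333 10.0.0.10 52.216.20.100 40000 443 6 300 240000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa1111 52.216.20.100 10.0.2.15 443 43210 6 900 720000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0nat0000 10.0.2.15 52.216.20.100 43210 443 6 1200 960000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa1111 10.0.2.15 52.216.20.100 43212 443 6 0 0 1700000000 1700000060 REJECT OK
"""


def _in_any(addr: str, nets: list) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def nat_s3_bytes(flow_log: str, s3_cidrs: Iterable[str], private_cidrs: Iterable[str],
                 nat_enis: set) -> tuple:
    """Return (bytes, window_seconds) for accepted flows between a private subnet and
    an in-region S3 address, as seen on workload ENIs. Both directions count, because
    the NAT gateway bills every byte it processes, not only egress."""
    s3_nets = [ipaddress.ip_network(c) for c in s3_cidrs]
    priv_nets = [ipaddress.ip_network(c) for c in private_cidrs]
    total, t_min, t_max = 0, None, None
    for line in flow_log.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2" or f[12] != "ACCEPT":
            continue
        eni, src, dst = f[2], f[3], f[4]
        nbytes, start, end = int(f[9]), int(f[10]), int(f[11])
        if eni in nat_enis:
            continue  # same flow already counted from the workload ENI
        outbound = _in_any(src, priv_nets) and _in_any(dst, s3_nets)
        inbound = _in_any(dst, priv_nets) and _in_any(src, s3_nets)
        if not (outbound or inbound):
            continue  # public-subnet hosts and non-S3 destinations do not use this NAT path
        total += nbytes
        t_min = start if t_min is None else min(t_min, start)
        t_max = end if t_max is None else max(t_max, end)
    window = (t_max - t_min) if total else 0
    return total, window


def monthly_nat_cost(nbytes: int, window_seconds: int, price_per_gb: float = NAT_GW_PER_GB) -> float:
    """Extrapolate the observed window to a 30-day month at the NAT processing price.
    This is the dollar baseline a gateway endpoint removes (S3 gateway endpoints carry
    no data-processing charge)."""
    if window_seconds <= 0:
        return 0.0
    gb_per_month = nbytes / BYTES_PER_GB * (30 * 86400 / window_seconds)
    return round(gb_per_month * price_per_gb, 2)


if __name__ == "__main__":
    b, w = nat_s3_bytes(SAMPLE_FLOW_LOG, S3_IN_REGION_CIDRS, PRIVATE_SUBNET_CIDRS, NAT_GATEWAY_ENIS)
    print(f"{b} bytes in a {w}s window -> ~${monthly_nat_cost(b, w)}/month through NAT")
```

Of the eight constructed records, four are counted: three private-to-S3 flows, one S3-to-private reply, while the public-subnet host, the non-S3 destination, the NAT ENI duplicate and the rejected flow are excluded. The baseline is only as good as the window; a 60-second sample is for illustration, and the page's own 30/90-day workload window is what a real estimate should run over.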

Lands as
Terraform PR · your IaC repo
Carries
Inverse · watcher · audit
Anchored to
Your CUR · 30-day baseline
Applies behind
Your IAM kill switch
BEFORE · CURRENT: VPC 10.0.0.0/16 · workload (ec2 · eks) → NAT GW (0.045 / GB egress) → S3 bucket (in-region · us-east-1). EGRESS LEAVES + RE-ENTERS AWS.
AFTER · PROPOSED: VPC 10.0.0.0/16 · workload (ec2 · eks) → VPC Endpoint (gateway · com.amazonaws.s3) → S3 bucket (in-region · us-east-1). TRAFFIC STAYS IN-STACK.

Worked example · NAT egress → VPC endpoint · in-stack, reversible

02 · End-to-end · onboard → verified change

From terraform apply to a reviewed, reversible change in production.

Five stages. Your cloud never leaves your account, every change is reviewed before it lands, and an inverse is attached so it can be reversed.

Infratrix · pipeline · stage 01 / 05

01 · Onboard

terraform apply · in your AWS account

One module, under 200 lines. It provisions a least-privilege collector, a scoped actor, and an audit destination in your own account.

~/acme-platform · terraform
module "infratrix" {
  source  = "aithrex/infratrix/aws"
  version = "~> 1.0"

  organization = "acme"
  trust_tier   = "review"
}

$ terraform apply
+ aws_iam_role.collector            created
+ aws_iam_role.actor                created
+ aws_lambda_function.cm_collector  created
+ aws_s3_bucket.cm_audit            created
Apply complete · 4 added · 0 changed · 0 destroyed · 8m 12s
Data crossing the boundary
Signed deltas only
Action surface
Reviewable PR · Terraform / CDK
Default trust tier
Review-first
Customer kill switch
One IAM role · revocable

Three systems. One reasoning loop.

Infratrix is built around three coordinated layers: a collector that reads your account, a brain that reasons about it as a graph, and an actor that proposes safe, reviewable change.

Layer 01

Collector

An in-account agent that gathers infrastructure state, usage signals, pricing, and cost telemetry. Scoped IAM, read-first by default, no writes during discovery.
Layer 02

Brain

A knowledge graph of cloud resources, relationships, pricing, and architectural patterns. Reasoning traverses real paths through your infrastructure, not isolated line items.
Layer 03

Actor

Turns safe recommendations into engineering-ready actions. Trust levels per change class, scoped permissions, and stored rollback inverses for every plan.
Infratrix · account graph · 2 findings · cost + posture
[Account graph] REGION · us-east-1 · VPC 10.0.0.0/16: public subnet az-a (ALB public lb · IGW internet gw · NAT nat-gw az-a); private subnets az-a / az-b (EKS 3 nodes · EC2 m5.large · RDS aurora-pg); regional services (S3 212 buckets · proposed VPC EP gateway → s3 · IAM app-role · CloudWatch metrics). Marked: egress · review; proposed endpoint; s3:* · scope.
Legend: cost path · proposed fix · security finding · data flow · IAM / access
MED · Cost

Same-region S3 traffic egresses through the NAT gateway. Propose an S3 VPC gateway endpoint to keep it on the AWS backbone.

HIGH · Security

The app IAM role grants s3:* across the account. Propose scoping the policy to the buckets actually in use.
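How a finding like this is detected and how the scoped replacement is derived, as an added example (not Infratrix's or Aithrex's code). One function flags Allow statements that carry a service wildcard such as s3:* or an unscoped Resource; the other builds the least-privilege replacement from what the role was observed doing, with bucket-level actions on the bucket ARN and object-level actions on bucket/*. The current policy, the observed-use records and the bucket names are constructed samples; mapping raw access-log API names onto IAM action names is assumed to have happened upstream.

```python
import json

# Constructed sample: the over-broad grant from the finding, as the app role carries it today.
CURRENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Constructed sample of what the role was actually seen doing over the workload window
# (IAM action names and bucket, already normalised from access logs).
OBSERVED_USE = [
    {"action": "s3:GetObject", "bucket": "acme-prod-assets"},
    {"action": "s3:GetObject", "bucket": "acme-prod-assets"},
    {"action": "s3:ListBucket", "bucket": "acme-prod-assets"},
    {"action": "s3:PutObject", "bucket": "acme-prod-uploads"},
    {"action": "s3:GetObject", "bucket": "acme-prod-uploads"},
]

# Actions that apply to the bucket ARN itself rather than to the objects inside it.
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketVersions"}


def _as_list(v):
    # IAM allows a bare string or a list for Action and Resource.
    return v if isinstance(v, list) else [v]


def _sid(bucket: str) -> str:
    # Sids must be alphanumeric, so drop the separators from the bucket name.
    return "".join(ch for ch in bucket.title() if ch.isalnum())


def overbroad_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that grant a service wildcard (s3:*, *)
    or an unscoped Resource, the shape of the HIGH finding above."""
    hits = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wildcard_action or "*" in resources:
            hits.append(st.get("Sid", "<no-sid>"))
    return hits


def scoped_policy(observed: list) -> dict:
    """Build the least-privilege replacement: one statement per bucket and level,
    bucket-level actions on arn:aws:s3:::bucket, object-level on arn:aws:s3:::bucket/*."""
    per_bucket = {}
    for rec in observed:
        per_bucket.setdefault(rec["bucket"], set()).add(rec["action"])
    statements = []
    for bucket in sorted(per_bucket):
        actions = per_bucket[bucket]
        bucket_acts = sorted(a for a in actions if a in BUCKET_LEVEL_ACTIONS)
        object_acts = sorted(a for a in actions if a not in BUCKET_LEVEL_ACTIONS)
        if bucket_acts:
            statements.append({"Sid": f"Bucket{_sid(bucket)}", "Effect": "Allow",
                               "Action": bucket_acts, "Resource": f"arn:aws:s3:::{bucket}"})
        if object_acts:
            statements.append({"Sid": f"Objects{_sid(bucket)}", "Effect": "Allow",
                               "Action": object_acts, "Resource": f"arn:aws:s3:::{bucket}/*"})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print("over-broad statements:", overbroad_statements(CURRENT_POLICY))
    print(json.dumps(scoped_policy(OBSERVED_USE), indent=2))
```

The generated document is what would land in the Terraform PR as the new aws_iam_policy body, and the inverse is simply the current document kept alongside it. Observed use is a lower bound: an action the workload exercises only at month end will not appear in a short window, which is why the page anchors such changes to a 30/90-day window and keeps the rollback attached.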

Designed to land as a Terraform diff your team reviews.

Speed without safety is how outages happen. Infratrix’s execution model is review-first by construction: a plan you can read, an apply you can scope, and an inverse you can run.

plan · vpc-endpoint.tf · + 5 / − 1
resource "aws_vpc_endpoint" "s3" {
+ vpc_id = aws_vpc.main.id
+ service_name = "com.amazonaws.${var.region}.s3"
+ route_table_ids = [aws_route_table.private.id]
+ vpc_endpoint_type = "Gateway"
}
resource "aws_nat_gateway" "main" {
- # egress for app-svc → s3 (in-region)
# remains for non-S3 egress only
}
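Review bot: aws_vpc_endpoint.s3 carries no `policy` argument, so the gateway endpoint allows whatever S3 access the workloads behind the listed route table already hold through IAM; given the HIGH finding above that the app role grants s3:*, an endpoint policy limited to the in-use buckets would give the endpoint its own boundary rather than inheriting the role's. `route_table_ids = [aws_route_table.private.id]` attaches the endpoint to one route table only, so any other private route table (the account graph shows private subnets in az-a and az-b) keeps sending S3 traffic through the NAT gateway until it is added too. The single `-` line under aws_nat_gateway.main removes only a comment, so the gateway resource itself is unchanged, which matches the stated intent of keeping it for non-S3 egress.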
How apply works
  01. Plan is rendered as a unified diff and reviewed by your team; nothing is applied without explicit approval.

  02. Apply runs under a time-bounded, action-scoped IAM role you own and can revoke at any time.

  03. Every applied change writes an audit entry to your own log destination; Aithrex never keeps a side ledger.

  04. Each change carries its inverse; rollback is a known, tested operation, not a forensic exercise.

We start at AWS. The reasoning generalizes.

Infratrix begins where most architecture lives today, AWS. The collector / actor / review-first pattern is provider-agnostic by construction, so the same surface extends to Azure, GCP, Oracle and Alibaba. Multi-cloud reasoning is the destination, not the launch.

Shipping today
AWS
All regions · org-wide · review-first execution.
Q1-Q2 · in design
Azure
Subscription-scoped collector · ARM/Bicep PRs.
Q2-Q3 · in design
GCP
Project-scoped collector · Deployment Manager / Terraform PRs.
H2 · in research
Oracle · Alibaba
Provider plug-ins · same reasoning core, same review surface.
Horizon
Multi-cloud reasoning
Cross-cloud topology, posture, and migration, one account graph.
One reasoning core

The provider plug-in is what changes per cloud. The reasoning surface, the review-first execution, and the verified-savings billing stay the same.

Customer data stays put

Every cloud we add inherits the same boundary contract: live state stays in your account, only signed deltas cross. The kill switch is a single IAM role per provider.

No multi-cloud theatre

We refuse to ship a logo grid we can’t back with reasoning. When Azure, GCP, Oracle and Alibaba ship, each will land as a real optimisation surface, not a marketing wrapper.

Built so the customer always holds the kill switch.

Trust is an engineering property, not a marketing claim. Every layer of Infratrix is designed so the safe path is the default, and the unsafe path is the explicit, reviewed exception.

Boundary

In-account by default

Agents run inside your AWS account. No third-party data plane holds your resource state. Workload data never leaves the account that owns it.
Access

Scoped IAM, least privilege

Discovery is read-only. Writes use tightly-scoped roles per action class. Every role is documented, reviewable, and revocable from your end.
Control

Customer-held kill switch

A single IAM revocation halts every Aithrex action across the account. No bypass paths, no shadow credentials, tested in every onboarding.
Evidence

Audit trail, no surprises

Every plan and apply is written to your audit log. Inverse operations attach to each change. Outbound traffic is limited to what the action needs.
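"Discovery is read-only" is a property a customer can verify from their end before granting anything, by linting the collector role's policy. The following is an added example, not Infratrix's or Aithrex's code: it walks every Allow statement, treats a wildcard action pattern as read-only only when its fixed prefix already pins a read verb (ec2:Describe* passes, ec2:* and ec2:Mod* fail), and flags NotAction grants outright. The read-verb allow-list is an assumption, not an official AWS classification, and both policy documents are constructed samples.

```python
# Assumption: a practical allow-list of read-only verb prefixes. Extend it for services
# whose read APIs use other verbs; anything not matched is treated as a potential write.
READ_ONLY_VERB_PREFIXES = ("get", "list", "describe", "batchget", "lookup",
                           "search", "query", "scan", "select")

# Constructed sample: a discovery policy of the kind the page describes, read verbs only.
COLLECTOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Discover", "Effect": "Allow",
         "Action": ["ec2:Describe*", "iam:List*", "iam:Get*", "s3:ListAllMyBuckets",
                    "s3:GetBucketLocation", "ce:GetCostAndUsage", "pricing:GetProducts"],
         "Resource": "*"},
    ],
}

# Constructed sample: the same role after a service wildcard drifted in. The Deny
# statement narrows it but does not make the Allow read-only.
DRIFTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Discover", "Effect": "Allow", "Action": ["ec2:*", "iam:List*"], "Resource": "*"},
        {"Sid": "NoTerminate", "Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
}


def _as_list(v):
    # IAM allows a bare string or a list for Action.
    return v if isinstance(v, list) else [v]


def _pattern_is_read_only(action: str) -> bool:
    """True only if every concrete action the pattern can match is a read verb,
    i.e. the part before the first '*' already begins with a read prefix."""
    if action == "*" or ":" not in action:
        return False
    _, verb = action.split(":", 1)
    stem = verb.split("*", 1)[0].lower()
    # IAM action names are case-insensitive, so compare lower-cased.
    return bool(stem) and stem.startswith(READ_ONLY_VERB_PREFIXES)


def non_read_only_actions(policy: dict) -> list:
    """Return the Allow actions that could write. Deny statements are skipped because
    a Deny can only narrow a grant; NotAction Allows are flagged because they grant
    everything not listed."""
    flagged = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no-sid>")
        if "NotAction" in st:
            flagged.append(f"{sid}: NotAction grants everything not listed")
            continue
        for action in _as_list(st.get("Action", [])):
            if not _pattern_is_read_only(action):
                flagged.append(action)
    return flagged


def is_read_only(policy: dict) -> bool:
    """The check a customer would gate onboarding on: no Allow statement can write."""
    return not non_read_only_actions(policy)


if __name__ == "__main__":
    print("collector policy read-only:", is_read_only(COLLECTOR_POLICY))
    print("drifted policy flags:", non_read_only_actions(DRIFTED_POLICY))
```

Running this against the collector role's inline and attached policies at onboarding, and again on every change to them, turns the "read-only" claim into a check that fails loudly if a write verb ever appears. The same walk is a natural place to confirm the kill-switch property the page describes: every Aithrex principal should resolve to a role in your account, so revoking that role's trust policy stops all of them.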

Engineering teams responsible for non-trivial cloud spend.

Infratrix is built for AWS platform engineers, SREs, FinOps partners working alongside engineering, and the infrastructure leaders who sign off on production change. Teams running real architecture, not demo accounts.

You should not need to integrate a new monitoring product, change your IaC, or hand over write access on day one. The expected starting point is a read-only conversation about your account, followed by review-ready proposals on the paths that matter.

08 · Book a Demo

See Infratrix against your own AWS environment.

We're onboarding early teams. If you're running a non-trivial AWS bill and want a serious second opinion on your architecture, we'd like to talk.