Executive summary
WAFER (Well-Architected Framework for Enterprise Remediation) is HCLTech's customer-hosted, agent-based remediation platform that turns AWS Well-Architected findings into guided, accountable remediation. Instead of giving enterprises a static report, WAFER provides a private, enterprise-ready operating model for reviewing findings, aligning decisions and moving toward action within their own AWS environment.
The platform is designed to combine governed workflow orchestration, supervisor-led agentic reasoning, customer-grounded knowledge retrieval, Well-Architected MCP-based security context and enterprise-grade persistence, security and observability. The result is a solution built not just to surface issues, but to help organizations act on them in a way that is usable, traceable and aligned to enterprise control requirements.
Introduction
Cloud teams are not short on visibility. They are short on momentum. Most enterprises can already produce findings, risk reports and review outputs. The harder problem is turning those outputs into decisions and remediation without losing context, ownership, or governance along the way.
That is where WAFER stands out. HCLTech has designed WAFER as a customer-hosted, agent-based application on AWS that keeps the experience within the customer's own environment while combining workflow discipline with AI-led reasoning, creating a structured intelligence layer that moves teams from findings to action. The result is a practical operating model for reviewing findings, aligning decisions and driving remediation in a way that fits the real enterprise world.
The need
The real problem starts after the assessment. Findings are produced, but remediation slows down as teams debate priorities, reconcile internal standards, wait on multiple approvals and hand work across architecture, platform, security and delivery teams. What should be a straight line from issue to action becomes fragmented and slow.
WAFER is built to fill the gap between findings and action. Instead of stopping at reporting, it gives enterprises a customer-hosted platform that can receive requests, coordinate long-running workflows and apply agentic reasoning with customer-specific context. This makes cloud remediation operationally usable, governed and aligned to how large organizations work.
Solution architecture
WAFER transforms traditional findings review into a private, governed remediation operating model on AWS. The solution combines customer-hosted application access with asynchronous orchestration and Bedrock-powered reasoning to separate user interaction from long-running analysis, decision support and remediation workflows.
WAFER serves as an enterprise remediation control plane. Three core operational pillars define its unique edge:
- Private-by-design enterprise adoption: WAFER is deployed inside the customer's existing AWS environment and accessed through an approved internal path. This removes a common barrier to adoption for enterprises that want AI-assisted workflows without introducing a new external control surface
- Decoupled workflow execution: The platform separates the user experience from the heavy lifting. Teams interact through the UI and backend while AWS Step Functions manages long-running orchestration in the background. This creates a more scalable operating model for review and remediation than a synchronous, dashboard-bound application pattern
- Governed persistence and traceability: Findings, workflow state and generated artifacts are durably stored in Amazon DynamoDB and Amazon S3, providing a strong reporting and audit foundation for the solution. Supporting services such as AWS Secrets Manager, Amazon CloudWatch and AWS KMS reinforce the security, observability and encryption model expected in enterprise environments
The AI intelligence layer
At the core of WAFER's agentic architecture is its AI intelligence layer, built on Amazon Bedrock AgentCore Runtime and Amazon Bedrock Knowledge Bases:
- Specialized agent coordination with Amazon Bedrock AgentCore Runtime: WAFER does not depend on a single general-purpose agent to handle every task. A supervisor agent coordinates specialized agents for analysis, negotiation, compliance and remediation, creating a more modular and explainable execution model for enterprise workflows
- Customer-grounded reasoning with Amazon Bedrock Knowledge Bases: By connecting Bedrock Knowledge Bases to customer content synchronized through Amazon S3 and indexed in Amazon S3 Vectors, while also incorporating security posture context from the AWS Well-Architected Security Assessment Tool MCP Server, WAFER can reason with internal standards, prior findings, organization-specific remediation patterns and live security signals. This makes the system materially more credible than generic AI outputs that are disconnected from the enterprise context
- Decision support that is closer to real operations: The AI layer is designed not only to summarize findings, but also to help teams navigate interpretation, trade-off evaluation, compliance alignment and remediation guidance. That makes WAFER more than a findings assistant. It becomes a structured intelligence layer for enterprise decision-making
Technical implementation

- Corporate users access WAFER through a customer-approved internal access path
- The internal ALB routes approved traffic to the WAFER UI inside the customer VPC
- The WAFER Backend API receives user actions and manages application workflow state
- The WAFER Backend API submits long-running analysis and remediation requests to AWS Step Functions for asynchronous workflow orchestration
- Step Functions invokes the Bedrock AgentCore Runtime for supervisor-led agent execution
- The supervisor agent coordinates the specialized agent fleet, while Amazon Bedrock Knowledge Bases and the AWS Well-Architected Security Assessment Tool MCP Server provide contextual grounding through retrieval-augmented generation and security posture context to improve relevance and accuracy
- Findings, artifacts and workflow state are stored in Amazon S3 and Amazon DynamoDB for retrieval, traceability and reporting
- Bedrock Knowledge Bases manages an event-driven sync of data from Amazon S3 into Amazon S3 Vectors to support RAG
- AWS Secrets Manager, Amazon CloudWatch and AWS KMS provide security, observability and encryption
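To make the decoupled orchestration in the steps above concrete, here is an illustrative AWS Step Functions state machine (Amazon States Language) written for this page as an added example; it is not HCLTech's WAFER definition. It records workflow state in DynamoDB before and after agent execution, invokes the supervisor agent, writes the generated artifact to S3 with KMS encryption, and routes any agent failure to a terminal state that still leaves a traceable record. The table name, bucket name, KMS alias, status values and the `wafer-invoke-agentcore` Lambda function (assumed here as a thin wrapper that calls the Bedrock AgentCore Runtime) are all assumptions, not names from the page.

```json
{
  "Comment": "Illustrative WAFER-style remediation workflow (added example; names are assumed)",
  "StartAt": "MarkAnalyzing",
  "States": {
    "MarkAnalyzing": {
      "Comment": "Persist an ANALYZING record keyed by finding, tagged with the execution ARN for traceability",
      "Type": "Task",
      "Resource": "arn:aws:states:::dynamodb:updateItem",
      "Parameters": {
        "TableName": "wafer-workflow-state",
        "Key": { "findingId": { "S.$": "$.findingId" } },
        "UpdateExpression": "SET #s = :s, executionArn = :e, updatedAt = :t",
        "ExpressionAttributeNames": { "#s": "status" },
        "ExpressionAttributeValues": {
          ":s": { "S": "ANALYZING" },
          ":e": { "S.$": "$$.Execution.Id" },
          ":t": { "S.$": "$$.State.EnteredTime" }
        }
      },
      "ResultPath": null,
      "Next": "InvokeSupervisorAgent"
    },
    "InvokeSupervisorAgent": {
      "Comment": "Assumed Lambda wrapper that calls the Bedrock AgentCore Runtime supervisor agent",
      "Type": "Task",
      "Resource": "arn:aws:states:::lambda:invoke",
      "Parameters": {
        "FunctionName": "wafer-invoke-agentcore",
        "Payload": {
          "findingId.$": "$.findingId",
          "sessionId.$": "$$.Execution.Name"
        }
      },
      "ResultSelector": { "analysis.$": "$.Payload" },
      "ResultPath": "$.agent",
      "Retry": [
        {
          "ErrorEquals": ["Lambda.ServiceException", "Lambda.TooManyRequestsException"],
          "IntervalSeconds": 2,
          "MaxAttempts": 3,
          "BackoffRate": 2.0
        }
      ],
      "Catch": [
        { "ErrorEquals": ["States.ALL"], "ResultPath": "$.error", "Next": "MarkFailed" }
      ],
      "Next": "StoreArtifact"
    },
    "StoreArtifact": {
      "Comment": "Write the agent output to S3, encrypted with the customer-managed KMS key",
      "Type": "Task",
      "Resource": "arn:aws:states:::aws-sdk:s3:putObject",
      "Parameters": {
        "Bucket": "wafer-artifacts-example",
        "Key.$": "States.Format('findings/{}/{}.json', $.findingId, $$.Execution.Name)",
        "Body.$": "States.JsonToString($.agent.analysis)",
        "ServerSideEncryption": "aws:kms",
        "SSEKMSKeyId": "alias/wafer-artifacts"
      },
      "ResultPath": "$.artifact",
      "Next": "MarkAwaitingApproval"
    },
    "MarkAwaitingApproval": {
      "Comment": "Hand back to the governed approval step: status and artifact location are now auditable",
      "Type": "Task",
      "Resource": "arn:aws:states:::dynamodb:updateItem",
      "Parameters": {
        "TableName": "wafer-workflow-state",
        "Key": { "findingId": { "S.$": "$.findingId" } },
        "UpdateExpression": "SET #s = :s, artifactKey = :k, updatedAt = :t",
        "ExpressionAttributeNames": { "#s": "status" },
        "ExpressionAttributeValues": {
          ":s": { "S": "AWAITING_APPROVAL" },
          ":k": { "S.$": "States.Format('findings/{}/{}.json', $.findingId, $$.Execution.Name)" },
          ":t": { "S.$": "$$.State.EnteredTime" }
        }
      },
      "End": true
    },
    "MarkFailed": {
      "Comment": "Failures are recorded, not lost: the error is persisted against the finding",
      "Type": "Task",
      "Resource": "arn:aws:states:::dynamodb:updateItem",
      "Parameters": {
        "TableName": "wafer-workflow-state",
        "Key": { "findingId": { "S.$": "$.findingId" } },
        "UpdateExpression": "SET #s = :s, lastError = :e, updatedAt = :t",
        "ExpressionAttributeNames": { "#s": "status" },
        "ExpressionAttributeValues": {
          ":s": { "S": "FAILED" },
          ":e": { "S.$": "States.JsonToString($.error)" },
          ":t": { "S.$": "$$.State.EnteredTime" }
        }
      },
      "End": true
    }
  }
}
```

The backend API would start this machine with `StartExecution` and an input such as `{"findingId": "..."}`, then return to the user immediately; the UI polls the DynamoDB record rather than blocking on the agent. The state machine's IAM role needs only `dynamodb:UpdateItem` on the one table, `lambda:InvokeFunction` on the wrapper, `s3:PutObject` on the artifact prefix and `kms:GenerateDataKey` on the key, which keeps the orchestration layer least-privilege. A human approval gate could be added by making the approval step a `.waitForTaskToken` task so the execution pauses until an approver responds.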
The HCLTech solution goes beyond simple monitoring, deploying a modular "Remediation Operating System" that handles the nuances of complex cloud engineering.
Technical architecture and AWS services
AWS services used in the solution:
- WAFER UI (Amazon ECS on AWS Fargate): Hosts the customer-facing WAFER UI as a containerized service inside the customer VPC. This gives the platform a managed, serverless container runtime for presenting findings, collecting user actions and initiating workflow steps without requiring customers to manage the underlying compute infrastructure
- WAFER Backend API (Amazon ECS on AWS Fargate): Hosts the WAFER Backend API as a separate containerized service that receives actions from the UI, manages application workflow state and controls downstream orchestration. This separation of UI and backend responsibilities supports cleaner scaling, clearer service boundaries and a more production-ready application design
- AWS Step Functions: Provides asynchronous workflow orchestration from backend initiation through agent execution and persistence
- Amazon Bedrock AgentCore Runtime: Hosts the supervisor-led agent execution model for analysis, negotiation, compliance and remediation workflows
- Amazon Bedrock Knowledge Bases: Supplies retrieval-augmented context by grounding agent outputs in customer-specific documents, prior findings and remediation patterns
- Amazon S3 Vectors: Stores indexed context used by Amazon Bedrock Knowledge Bases
- Amazon DynamoDB: Persists workflow state, findings metadata and processing status
- Amazon S3: Stores artifacts, outputs and synchronized source content
- AWS Secrets Manager, Amazon CloudWatch and AWS KMS: Provide secrets handling, monitoring and encryption
Value for users:
- Up to 90% faster review cycles: The combination of workflow orchestration, supervisor-led agent execution and customer-grounded reasoning helps teams move more quickly from assessment output to remediation guidance, reducing the delay between visibility and action
- Private-by-design deployment for enterprise environments: Because WAFER is customer-hosted inside the customer's AWS environment and accessed through an approved internal path, the platform is easier to position for organizations with stricter security expectations, internal network controls and data residency concerns
- Instant engineering (IaC on Demand): The system generates ready-to-deploy Infrastructure as Code. Engineers stop writing boilerplate fixes and start reviewing high-value architectural changes
- Relevant remediation guidance: By grounding responses in customer-specific content through Amazon Bedrock Knowledge Bases and Well-Architected security posture context through MCP, WAFER produces outputs that are more aligned to internal standards, prior findings and real delivery constraints than generic AI-generated guidance
- 100% resource coverage: Unlike manual sampling, which covers ~20% of critical workloads, WAFER scans 100% of the estate, uncovering "Shadow IT" risks in forgotten regions or dev accounts
- Compliance as code: Transform your compliance binder into active logic. Every remediation aligns your estate closer to regulatory standards (PCI-DSS, HIPAA, NIST) automatically, reducing the stress of external audits
Call to action: Stop reviewing, start repairing!
- Assess in days: Our Zero-Day Discovery creates a high-fidelity Risk Scorecard and Remediation Roadmap in under 96 hours, giving teams a faster path from visibility to action
- Zero-cost entry: Leverage our Complimentary Professional Service model. WAFER is designed to uncover savings opportunities that can help fund the transformation while accelerating executive buy-in
"From backlog to breakthrough: Audit, Agent, Action."
- Audit (discover): Generate a high-fidelity risk view through a customer-hosted workflow that keeps the experience inside the customer's AWS environment
- Agent (analyze): Use Amazon Bedrock AgentCore Runtime and Amazon Bedrock Knowledge Bases to coordinate specialized agents and produce grounded remediation guidance with customer-specific context
- Action (fix): Move from findings to governed remediation through a traceable, enterprise-ready workflow designed for real operational follow-through
Ready to turn remediation backlog into governed action?
Enterprises and AWS partners can engage HCLTech to schedule a WAFER briefing or demo and explore how a private, AgentCore-powered remediation workflow can accelerate action on AWS.
