You Ship. Docs Write Themselves.

Read-only scan. Self-hosted LLM. Anti-hallucination validation. Beautiful diagrams, SOC 2 / ISO 27001 evidence and cost analysis — generated from your live AWS account in minutes, not weeks.

Built for DevOps, SRE and security teams who don't trust “magic AI”. Every claim in every document is cross-checked against your actual metadata before you ever see it.

Read-Only Access
SOC 2 / ISO / SOX Ready
No Agent Required
Results in Minutes

Everything Your Team Needs to Stay Documented

From architecture diagrams to compliance reports — DoksOps generates and maintains all your cloud documentation automatically.

Auto-Generated Diagrams

Beautiful, accurate architecture diagrams generated directly from your AWS infrastructure. Always reflects reality — not someone's memory of last quarter's setup.

  • VPC, subnet, and service topology maps
  • Network flow and data path diagrams
  • Auto-updated on every scan

Security & Compliance

Automated security posture analysis and compliance reports mapped to SOC 2, ISO 27001, and SOX frameworks. Generate audit-ready documentation automatically.

  • SOC 2 Type I & II evidence collection
  • IAM & exposure risk analysis
  • Drift alerts and change tracking

Cost Analysis

Understand where your AWS spend is going. Cost heatmaps, optimization recommendations, and trend analysis — all tied to your actual infrastructure.

  • Per-service cost attribution
  • Rightsizing recommendations
  • Monthly trend tracking

Multi-Audience Docs

Generate tailored documentation for every stakeholder — technical deep-dives for engineers, executive summaries for leadership, audit packages for compliance teams.

  • Engineer, CTO, auditor views
  • AI-enriched narrative
  • Export to PDF, Confluence, Notion
Real Findings

What DoksOps Actually Finds

Not vague “AI insights”. Concrete findings, with the specific resource, the framework control it breaks, and a fix you can paste into Terraform.

CRITICAL · Encryption

RDS instance unencrypted at rest

Found prod-orders-db running PostgreSQL 15 without storage encryption.

Breaks: SOC 2 CC6.7, ISO 27001 A.10.1.1, PCI DSS 3.4

Fix: Snapshot → copy the snapshot with storage_encrypted = true → restore from the encrypted copy. RDS cannot enable encryption in place, so cut over to the new instance and then delete the unencrypted instance and its snapshots.

CRITICAL · Network

Database port open to internet

Security Group sg-default-db allows 5432/tcp from 0.0.0.0/0.

Breaks: CIS AWS 4.1, SOC 2 CC6.6, NIS2 Art. 21

Fix: Restrict ingress to the application SG only; remove the public CIDR.

HIGH · Resilience

Production RDS not Multi-AZ

prod-orders-db has no standby. RTO/RPO claims in your DR doc cannot be met.

Breaks: SOC 2 A1.2, ISO 27001 A.17.1.2

Fix: Enable Multi-AZ. Cost delta calculated in your cost report: +$68/mo.

COST · FinOps

3 idle NAT Gateways

Detected in unused private subnets across eu-west-1 and us-east-1.

Why it matters: NAT GWs cost ~$32/mo each + data processing.

Saving: ~$1,150/year with zero risk.

HIGH · Access

IAM user with stale access keys

User deploy-ci has an access key not rotated in 412 days, with AdministratorAccess.

Breaks: SOC 2 CC6.1, CIS AWS 1.14, ISO 27001 A.9.2.6

Fix: Migrate CI to OIDC + IAM Role (GitHub Actions / GitLab). Then deactivate the key rather than deleting it outright, confirm its last-used timestamp stops advancing, and delete it.

EVIDENCE · Audit

SOC 2 CC7.2 — covered

CloudTrail multi-region, log file validation on, KMS-encrypted, delivered to S3 with bucket policy denying public access.

Evidence: Trail ARNs, S3 ARN, KMS key ARN exported to the audit package.

Status: Hand directly to auditor.

A typical first scan surfaces 40–120 findings across security, compliance, resilience and cost — each one tied to a specific resource ARN, a framework control, and a remediation step.
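The finding cards above are the output of rule-based checks, not of a model. As an added illustration (this is not DoksOps's code), here is what such deterministic checks look like in Python over a hand-constructed metadata snapshot shaped like the page's examples: the snapshot format, the fixed scan time, the 90-day key threshold and the control mappings are all assumptions for the example. Sorting the output by resource and check is what makes two runs over the same snapshot byte-identical.

```python
"""Deterministic findings computed from an AWS metadata snapshot.

Added illustration, not DoksOps code: the snapshot shape, thresholds and
control mappings are assumptions modelled on the finding cards on this page.
"""
from datetime import datetime, timezone
import ipaddress

# Constructed metadata snapshot. Key IDs are fake placeholders.
SNAPSHOT = {
    "rds_instances": [
        {"id": "prod-orders-db", "engine": "postgres", "port": 5432,
         "storage_encrypted": False, "multi_az": False,
         "security_groups": ["sg-default-db"], "tags": {"env": "prod"}},
        {"id": "staging-db", "engine": "postgres", "port": 5432,
         "storage_encrypted": True, "multi_az": False,
         "security_groups": ["sg-app-db"], "tags": {"env": "staging"}},
    ],
    "security_groups": [
        {"id": "sg-default-db", "ingress": [
            {"protocol": "tcp", "from_port": 5432, "to_port": 5432,
             "cidrs": ["0.0.0.0/0"], "source_sgs": []}]},
        {"id": "sg-app-db", "ingress": [
            {"protocol": "tcp", "from_port": 5432, "to_port": 5432,
             "cidrs": [], "source_sgs": ["sg-app"]}]},
    ],
    "iam_access_keys": [
        {"user": "deploy-ci", "key_id": "AKIAEXAMPLE00000001", "status": "Active",
         "created": "2024-11-01T00:00:00Z", "attached_policies": ["AdministratorAccess"]},
        {"user": "readonly-bot", "key_id": "AKIAEXAMPLE00000002", "status": "Active",
         "created": "2025-11-15T00:00:00Z", "attached_policies": ["ReadOnlyAccess"]},
    ],
}

# Fixed scan time so the key-age check is reproducible; a real scanner would
# record its scan timestamp in the document manifest instead.
NOW = datetime(2025, 12, 18, tzinfo=timezone.utc)
KEY_MAX_AGE_DAYS = 90  # CIS AWS 1.14: rotate access keys every 90 days or less


def _finding(severity, check, resource, breaks, detail):
    return {"severity": severity, "check": check, "resource": resource,
            "breaks": breaks, "detail": detail}


def _is_world(cidr):
    """0.0.0.0/0 and ::/0 have prefix length 0, i.e. they match every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _rule_covers(rule, port):
    """Does an ingress rule admit TCP traffic to this port? '-1' means all protocols."""
    if rule["protocol"] == "-1":
        return True
    return rule["protocol"] == "tcp" and rule["from_port"] <= port <= rule["to_port"]


def run_checks(snapshot, now=NOW):
    """Return findings as a list sorted by (resource, check): same input, same output."""
    findings = []
    sgs = {sg["id"]: sg for sg in snapshot["security_groups"]}

    for db in snapshot["rds_instances"]:
        if not db["storage_encrypted"]:
            findings.append(_finding("CRITICAL", "rds_unencrypted", db["id"],
                                     ["SOC 2 CC6.7", "ISO 27001 A.10.1.1"],
                                     "storage_encrypted=false"))
        for sg_id in db["security_groups"]:
            for rule in sgs[sg_id]["ingress"]:
                world = [c for c in rule["cidrs"] if _is_world(c)]
                if world and _rule_covers(rule, db["port"]):
                    findings.append(_finding("CRITICAL", "db_port_public", sg_id,
                                             ["SOC 2 CC6.6"],
                                             f"{db['port']}/tcp from {', '.join(world)}"))
        if db["tags"].get("env") == "prod" and not db["multi_az"]:
            findings.append(_finding("HIGH", "rds_not_multi_az", db["id"],
                                     ["SOC 2 A1.2", "ISO 27001 A.17.1.2"], "no standby"))

    for key in snapshot["iam_access_keys"]:
        if key["status"] != "Active":
            continue
        created = datetime.strptime(key["created"], "%Y-%m-%dT%H:%M:%SZ")
        age_days = (now - created.replace(tzinfo=timezone.utc)).days
        if age_days > KEY_MAX_AGE_DAYS:
            findings.append(_finding("HIGH", "stale_access_key", key["user"],
                                     ["SOC 2 CC6.1", "CIS AWS 1.14"],
                                     f"key {key['key_id']} is {age_days} days old; "
                                     f"policies: {', '.join(key['attached_policies'])}"))

    findings.sort(key=lambda f: (f["resource"], f["check"]))
    return findings


if __name__ == "__main__":
    for f in run_checks(SNAPSHOT):
        print(f"{f['severity']:8} {f['check']:18} {f['resource']:16} {f['detail']}")
```

Run as a script it prints the four findings the page's cards describe (stale admin key at 412 days, missing Multi-AZ, unencrypted storage, 5432/tcp open to 0.0.0.0/0) and nothing for the staging instance, whose security group only admits traffic from another security group.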

500+

Infrastructure scans run

120+

AWS resource types supported

3

Compliance frameworks

Minutes

To first document

From AWS to Docs in Three Steps

No complex setup. No agents to deploy. Just connect, scan, and ship.

1

Add Read-Only Credentials

Attach our pre-built IAM policy to a read-only AWS role. We never write to your account — ever.

2

Scan Your Infrastructure

We scan 120+ AWS resource types across all regions. Plus GitHub repos, Jenkins pipelines, and DNS discovery.

3

Get Beautiful Documentation

Diagrams, security posture report, compliance mapping, cost analysis — all ready in minutes, AI-enriched.

Real Output

See What DoksOps Generates

Actual output from a real AWS infrastructure scan — not mockups. One scan, multiple tailored documents ready in minutes.

Screenshot (app.doksops.com, Documentation view): dashboard showing scan summary stats and document type tabs (Full Docs, Developer, DevOps, Business, Security, Architecture, Disaster Recovery, DNS OSINT)

One scan generates seven document types — each tailored for a different audience. Engineers, executives, auditors, and more.

Security & Trust

Built for Teams That Don’t Trust Magic AI

Your infrastructure metadata is sensitive. We treat it that way. Here is exactly what DoksOps does — and crucially, what it does not do — with your data.

Read-only access. Always.

You attach our published IAM policy to a role you create and own. DoksOps holds no AWS credentials and has no *:Create, *:Update or *:Delete permission — only Describe, Get, List. Revoke at any time from your AWS console.

Self-hosted LLM. No third parties.

Document enrichment runs on a self-hosted Ollama / Mistral model inside our own EU AWS infrastructure. No third-party LLM API is ever called — your metadata stays within DoksOps. Nothing is used as training data — not now, not ever.

EU data residency

All scans, processing, LLM inference, and document storage happen in AWS EU (Stockholm, eu-north-1). GDPR-aligned. No transfers to the US for processing. The only data that leaves your account is the metadata returned by the scanner's read-only API calls to your own AWS regions, and it is transferred to eu-north-1 only when you run a scan.

Secrets never leave AWS

Secret values from Secrets Manager, SSM Parameter Store, environment variables and IAM policy documents are never read by our scanner. Only resource metadata — names, configuration flags, ARNs — is collected. Our IAM policy literally cannot read secret material.

Reproducible & auditable

Every document carries a manifest: the scan ID, timestamp, the exact metadata snapshot used, and the model version. Two scans of the same infrastructure produce documents that differ only in their narrative wording — never in their findings.

Your data, your control

You can export and delete any scan, document or account at any time. We support BYOK (Bring Your Own KMS Key) for document encryption at rest on Enterprise. We sign a DPA on request and publish a sub-processor list.

What we send to the LLM, and what we never touch

Full transparency. If a field is on the “never” side, it is technically impossible for our scanner to read it — our IAM policy excludes the API call.

Sent to the (self-hosted) model

  • Resource names & IDs (e.g. prod-orders-db)
  • Configuration flags (encrypted? multi-AZ? public?)
  • Counts and aggregate summaries
  • Security Group rules & CIDR blocks
  • Resource ARNs and tags
  • Secret names from Secrets Manager (never values)

Never read, never sent

  • Secret values (Secrets Manager / SSM)
  • Application data (S3 object contents, DB rows)
  • Environment variable values
  • Private keys, passwords, API tokens
  • CloudTrail event payloads & log contents
  • Any third-party LLM API (OpenAI, Anthropic, Google…)
Public host IPs are additionally redacted from generated narrative text to prevent accidental exposure in shared documents.
Patent Pending · INPI FR2604006

Why this isn’t just another “AI wrapper”

The most common failure mode of AI documentation tools is fluent, confident text that says things that are not true: “3 CloudWatch alarms configured” when there are zero. Auditors notice. Engineers lose trust. The tool becomes worse than no tool.

DoksOps is engineered specifically around this problem. The LLM never decides whether a resource exists, what it does, or whether it is compliant. Those answers come from deterministic analysis of your actual metadata. The model contributes explanatory narrative only — and that narrative is verified against your metadata before it reaches you.

Engineering guarantees

  • Findings are computed, not generated

    Compliance scores, cost numbers, connectivity maps and IAM analysis are produced by code from your metadata — not by a language model.

  • Reproducible

    Two scans of the same infrastructure produce identical findings. Wording of the narrative may vary; the facts do not.

  • Every reference is validated

    Resource names, counts and statuses that appear in any document are cross-checked against your actual metadata before delivery.

  • LLM is optional

    Turn off the model and you still get structurally complete documents — same findings, fact-only descriptions. Useful for the most regulated environments.

  • Auditable

    Every document ships with a manifest: scan ID, timestamp, model version, source metadata snapshot. Your auditor can verify provenance independently.

The specific techniques behind these guarantees are the subject of a pending patent (INPI FR2604006).
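One concrete way to implement the reference validation described above, offered as an added example of a possible design and not as DoksOps's own (patent-pending) technique: the model is required to wrap every factual reference in a marker, and deterministic code resolves each marker against the metadata snapshot before the text is rendered, rejecting the document on any mismatch and on any fact-shaped token (resource ID, count) that was left unmarked. The marker syntax, the FACTS snapshot and the two sample narratives are constructed for this example.

```python
"""Validate LLM narrative references against a metadata snapshot before rendering.

Added example; one possible implementation, not DoksOps's (patent-pending) method.
Marker syntax, the FACTS snapshot and the sample narratives are constructed here.
"""
import re

# Constructed metadata snapshot: the only facts a narrative may state.
FACTS = {
    "resources": {
        "prod-orders-db": {"type": "rds", "storage_encrypted": False, "multi_az": False},
        "sg-default-db": {"type": "security_group"},
    },
    "counts": {"cloudwatch_alarms": 0, "rds_instances": 1, "nat_gateways": 3},
}

# The model is instructed to wrap every factual reference in a marker:
#   [[res:NAME]]  [[count:KEY=N]]  [[flag:NAME.FIELD=VALUE]]
# Anything fact-shaped that is left bare is treated as unverifiable and rejected.
MARKER = re.compile(r"\[\[(res|count|flag):([^\]]+)\]\]")
BARE_ID = re.compile(r"\b(?:sg|vpc|subnet|vol|ami)-[0-9a-z-]{4,}\b|\barn:aws:\S+")
BARE_COUNT = re.compile(
    r"\b(?:\d+|zero|no)\s+(?:cloudwatch alarms?|nat gateways?|rds instances?)", re.I)


def _resolve(kind, body, facts):
    """Check one marker; return (violation or None, text to render in its place)."""
    if kind == "res":
        ok = body in facts["resources"]
        return (None if ok else f"unknown resource {body}"), body
    if kind == "count":
        key, _, claimed = body.partition("=")
        actual = facts["counts"].get(key)
        if actual is None:
            return f"unknown count {key}", claimed
        if str(actual) != claimed.strip():
            return f"count {key} claimed {claimed}, metadata has {actual}", claimed
        return None, claimed
    target, _, claimed = body.partition("=")          # flag: NAME.FIELD=VALUE
    name, _, field = target.partition(".")
    res = facts["resources"].get(name)
    if res is None or field not in res:
        return f"unknown flag {target}", claimed
    actual = str(res[field]).lower()
    if actual != claimed.strip().lower():
        return f"flag {target} claimed {claimed}, metadata has {actual}", claimed
    return None, claimed


def validate(narrative, facts=FACTS):
    """Return all violations; an empty list means every reference checked out."""
    violations = []
    for kind, body in MARKER.findall(narrative):
        problem, _ = _resolve(kind, body, facts)
        if problem:
            violations.append(problem)
    stripped = MARKER.sub("", narrative)   # whatever is left must carry no bare facts
    violations += [f"unverified identifier {m.group(0)}" for m in BARE_ID.finditer(stripped)]
    violations += [f"unverified count '{m.group(0)}'" for m in BARE_COUNT.finditer(stripped)]
    return violations


def render(narrative, facts=FACTS):
    """Reader-facing text with markers resolved, or None if the narrative must be rejected."""
    if validate(narrative, facts):
        return None
    return MARKER.sub(lambda m: _resolve(m.group(1), m.group(2), facts)[1], narrative)


# Constructed sample narratives: one honest, one with the classic hallucinations.
GOOD_NARRATIVE = ("[[res:prod-orders-db]] has storage_encrypted="
                  "[[flag:prod-orders-db.storage_encrypted=false]] and is reachable through "
                  "[[res:sg-default-db]]; [[count:cloudwatch_alarms=0]] CloudWatch alarms cover it.")
BAD_NARRATIVE = ("[[res:prod-orders-db]] is monitored by [[count:cloudwatch_alarms=3]] CloudWatch "
                 "alarms and fronted by sg-0a1b2c3d4e, as is [[res:prod-payments-db]].")

if __name__ == "__main__":
    print(render(GOOD_NARRATIVE))
    for v in validate(BAD_NARRATIVE):
        print("REJECT:", v)
```

The bad narrative is rejected for three independent reasons: the alarm count (3 claimed, 0 in metadata, the exact failure mode quoted above), a resource that does not exist in the snapshot, and a security group ID that was never marked and so cannot be verified at all. The trade-off of this design is that the model must be prompted to emit markers, which is simpler to enforce than trying to fact-check free text after the fact.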

Common questions from DevOps, SRE and security teams

“What permissions exactly do you need on my AWS account?”

A scoped IAM policy with only Describe, List and Get actions across the AWS services you want documented. No secretsmanager:GetSecretValue, no s3:GetObject, no write or delete anywhere. When you review the JSON, keep in mind that those two are themselves Get actions: a bare Get* wildcard would grant them, so they must be either left out by enumerating the allowed actions or blocked with an explicit Deny. The same applies to ssm:GetParameter* and to lambda:GetFunction / lambda:GetFunctionConfiguration, whose responses include environment variable values. The exact JSON is published before you grant access; review it line by line.
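The review described above can be automated. The following added example (not DoksOps's published policy) evaluates candidate actions against an identity policy the way IAM does for Allow and Deny, i.e. explicit Deny wins and nothing is allowed by default, ignoring Resource and Condition, which it assumes are "*". The NAIVE_POLICY is a plausible "only Describe*, List* and Get*" policy; SCOPED_POLICY adds an explicit Deny on the actions that return secret material. The list of sensitive actions is mine and is not exhaustive.

```python
"""Check whether a "read-only" IAM policy can still read secret material.

Added example, not DoksOps's published policy. It evaluates actions against an
identity policy the way IAM does for Allow/Deny (explicit Deny wins, nothing is
allowed by default), ignoring Resource and Condition, which are assumed to be '*'.
"""
import re

# Actions whose responses carry secret values, object contents or environment
# variable values. All are Get*/Describe* calls, so a wildcard grants them.
SENSITIVE_ACTIONS = [
    "secretsmanager:GetSecretValue",
    "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath",
    "s3:GetObject",
    "lambda:GetFunction", "lambda:GetFunctionConfiguration",   # include Environment.Variables
    "ecs:DescribeTaskDefinition",                              # container env values
]

READ_ONLY_ALLOW = {
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:Describe*", "rds:Describe*", "iam:Get*", "iam:List*",
               "s3:Get*", "s3:List*", "secretsmanager:Describe*",
               "secretsmanager:List*", "secretsmanager:Get*", "ssm:Describe*",
               "ssm:Get*", "lambda:Get*", "lambda:List*", "ecs:Describe*", "ecs:List*"],
}

# "Only Describe*, List* and Get*": looks read-only, but see leaks_secret_material().
NAIVE_POLICY = {"Version": "2012-10-17", "Statement": [READ_ONLY_ALLOW]}

# Same allows plus an explicit Deny on every action that returns secret material.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    READ_ONLY_ALLOW,
    {"Effect": "Deny", "Resource": "*",
     "Action": ["secretsmanager:GetSecretValue", "ssm:GetParameter*", "s3:GetObject*",
                "lambda:GetFunction", "lambda:GetFunctionConfiguration",
                "ecs:DescribeTaskDefinition"]},
]}


def _matches(pattern, action):
    """IAM action matching: case-insensitive, '*' any run, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def _actions(stmt):
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def is_allowed(policy, action):
    allowed = False
    for stmt in policy["Statement"]:
        if any(_matches(p, action) for p in _actions(stmt)):
            if stmt["Effect"] == "Deny":
                return False          # an explicit Deny overrides any Allow
            allowed = True
    return allowed


def leaks_secret_material(policy):
    """Sorted list of sensitive actions the policy would permit; empty is what you want."""
    return sorted(a for a in SENSITIVE_ACTIONS if is_allowed(policy, a))


if __name__ == "__main__":
    print("naive  :", leaks_secret_material(NAIVE_POLICY))
    print("scoped :", leaks_secret_material(SCOPED_POLICY))
```

For a role that already exists in your account, the authoritative answer (including Resource and Condition) comes from `aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names secretsmanager:GetSecretValue s3:GetObject`. The permissions policy is only half of the review: the role's trust policy decides who may assume it, and a cross-account role of this kind should name the vendor's principal explicitly and require an sts:ExternalId condition so that a third party cannot borrow the vendor's access to your account.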

“Is my data used to train any model?”

No. The model is a fixed, self-hosted Mistral checkpoint running on our EU AWS infrastructure. There is no online training, no fine-tuning on your data, and no third-party API in the loop. Prompts and outputs are retained only for the lifetime of your scan record, which you can delete.

“How do I know the output isn’t plausibly-wrong garbage?”

Findings, counts and resource references are not generated by the model. They are computed by deterministic code from your metadata. The model contributes explanatory narrative only, and every reference that appears in the final document is validated against the metadata before delivery. You can run the same scan twice and diff the outputs — the facts will be identical.

“Does it work for hybrid / GCP / Azure / on-prem?”

AWS first, deeply. GitHub repos, Jenkins pipelines and public DNS are also scanned to enrich the picture. GCP and Azure connectors are on the roadmap. We’d rather do AWS exceptionally well than three clouds badly.

“Where exactly does my data live?”

Metadata, documents and model inference run in AWS Stockholm (eu-north-1). Encryption at rest with AWS KMS, in transit with TLS 1.2+. A handful of AWS managed services we depend on are only offered in us-east-1 (for example the CloudFront control plane, and the ACM certificates that CloudFront requires to be issued in us-east-1); those carry only operational metadata, never your infrastructure data. Full sub-processor list available on request.

“What if you go out of business or I want to leave?”

Every document is exportable as PDF, Markdown and JSON. Compliance evidence packages are exportable as a self-contained ZIP that your auditor can read without DoksOps ever again. There is no proprietary lock-in on the output.

The Ugly Truth

Your Devs and DevOps Hate Writing Docs

And they shouldn't have to. Documentation written by humans gets stale within days. Meanwhile, auditors knock and you're scrambling to remember what changed six months ago.

10+ hours/month wasted

Senior engineers spending valuable time on documentation instead of shipping product.

Docs go stale within days

Infrastructure changes constantly. Manual docs can't keep up — and stale docs are worse than no docs.

Audits cost $15–50K

Traditional SOC 2 / ISO 27001 audits drain budget and take months. DoksOps cuts the evidence collection and documentation side of that work to minutes.

DoksOps fixes this

Your infrastructure documents itself. Every scan. Every time.

Zero hours of manual documentation
Always-current, always-accurate docs
Audit-ready in under an hour, not 6 months
97% lower cost than traditional audits

Stop Burning Money on Manual Documentation

Traditional infrastructure audits cost thousands and take weeks. DoksOps delivers better results in minutes for a fraction of the price.

Traditional Approach

SOC 2 / ISO 27001 Audit

$15,000–$50,000

3–6 months

Architecture Documentation

$5,000–$20,000

2–8 weeks

Cloud Security Assessment

$8,000–$30,000

2–4 weeks

Infrastructure Diagrams

$2,000–$8,000

1–3 weeks

Ongoing Doc Maintenance

$3,000–$10,000/yr

Continuous

Total first-year cost: $33K–$118K (DoksOps: 97% less)

With DoksOps

Compliance Reports

Included

5 min

Architecture Documentation

Included

3 min

Security Posture Analysis

Included

2 min

Infrastructure Diagrams

Included

Instant

Always Up-to-Date Docs

Included

Every scan

Early-access price, locked for 12 months: $199/mo ($2,388/yr)

120×

Faster than manual docs

97%

Cost reduction vs audits

40+

Hours saved per quarter

100%

Always current & accurate

Early-access pricing — locked for 12 months

Simple, Honest Pricing

One AWS account or fifty. Solo founder or regulated enterprise. Pick the tier that fits — upgrade or cancel anytime.

Starter

Solo founders & small teams getting audit-ready

$199 /mo

$2,388/yr · billed monthly or annually

  • 1 AWS account
  • Monthly scans on demand
  • Architecture, security & cost docs
  • SOC 2 / ISO 27001 evidence pack
  • Email support
Start with Starter
Most popular

Team

Engineering teams shipping multi-account infra

$599 /mo

$7,188/yr · billed monthly or annually

  • Up to 5 AWS accounts
  • Weekly scheduled scans + on-demand
  • Everything in Starter
  • GitHub, Jenkins & DNS enrichment
  • Custom branding on exported docs
  • Priority support (24h response)
Start with Team

Enterprise

Regulated industries & complex AWS estates

Custom

Annual contract · volume & scope based

  • Unlimited AWS accounts & organizations
  • Everything in Team
  • SSO (SAML / OIDC) & SCIM
  • Custom DPA, security questionnaire
  • Self-hosted deployment option
  • Dedicated onboarding & named CSM
Contact sales

All plans include: self-hosted LLM (no third-party API calls), AWS EU hosting, anti-hallucination validation, full audit trail. No per-seat fees. No usage caps on scan output.

Limited Early Access

Join the Waitlist

DoksOps is battle-tested and ready. We're onboarding our first wave of teams who want to kill documentation debt for good.

Early access members get priority onboarding + locked-in early pricing.