AWS Transforms Security Hub into a Multi-Domain Security Platform

AWS has launched a new version of its Security Hub, aimed at addressing the significant workload involved in managing and correlating cross-domain security solutions.

The original AWS Security Hub was unveiled in 2018, with the purpose of aggregating and prioritizing alerts from both AWS and third-party security tools.

In late 2025, AWS introduced a revamped version of Security Hub that unified several of its security tools, including Inspector and GuardDuty, effectively creating a mini Security Operations Center (SOC). Inspector provides vulnerability scanning, while GuardDuty focuses on threat detection. This new iteration allows for integration under a single interface, enabling users to map activities against vulnerabilities. This highlights the most pressing threats and assists customers in prioritizing their responses to critical security risks.

Now, in early 2026, AWS has announced Security Hub Extended. This new feature allows customers to incorporate third-party solutions into the mini SOC. According to AWS, this plan simplifies the procurement, deployment, and integration of a comprehensive enterprise security solution that spans endpoint, identity, email, network, data, browser, cloud, AI, and security operations.

Currently, this full integration is limited to a selection of curated vendors, chosen based on feedback from AWS customers. The list of current vendors includes 7AI, Britive, CrowdStrike, Cyera, Island, Noma, Okta, Oligo, Opti, Proofpoint, SailPoint, Splunk, Upwind, and Zscaler. The goal is to provide an integrated full-stack security experience within the AWS environment.

Michael Fuller, director of security services at AWS, explains, “The selection was customer-driven. Over the last four months, we went directly to our largest and fastest-growing enterprise customers to identify which specific solutions they wanted us to prioritize for the initial launch. We are committed to listening to customers and expanding the partner set over time.”

This integration is facilitated by partner vendors who provide their findings using the Open Cybersecurity Schema Framework (OCSF). As a result, the data brought into the Security Hub Extended framework is pre-normalized, enabling instant and automatic cross-domain correlation that highlights more granular threats.

The new Security Hub not only simplifies the correlation of outputs but also streamlines product management when utilizing partner vendors. AWS will act as the seller of record, meaning that regardless of how many partner vendors are used, customers will receive a single invoice combined within their monthly AWS bill.

Fuller elaborates, “AWS is the seller of record, with pre-negotiated pricing and a single bill covering all selected curated partner solutions. Customers select only the solutions they need. A customer using multiple curated partner solutions would pay for each selected solution, but always within a single invoice.”

He continues, “The Security Hub Extended plan offers flexible pay-as-you-go pricing, with no upfront investments and no long-term commitments. Flat-rate pricing is also available.”

Customers are not limited to the curated partner list for third-party vendors. Fuller adds, “Security Hub already supports multiple third-party partner integrations through its standard program, so a customer’s existing vendor can send findings into Security Hub today.” However, this would require additional effort from the customer and would not qualify for the single invoice structure.

Security Hub Extended aims to deliver a triple benefit: easier correlation of security findings within the Hub's mini SOC, automated and improved full-stack security without requiring additional coding from the customer, and significantly less administrative overhead in finding, negotiating, and managing payments for multiple separate third-party solutions.
