Gertin AI Documentation

Everything you need to deploy Gertin AI and integrate its compliance engines into your security workflows.

Quick Start

Deploy Gertin AI in your AWS account in under 15 minutes using the included CDK stack.

Step 1. Subscribe via AWS Marketplace

Navigate to the Gertin AI listing on AWS Marketplace and subscribe. Pull the container image from the provided ECR registry URI.

# Authenticate and pull the container image
aws ecr get-login-password --region us-east-1 \
  | docker login --username AWS --password-stdin \
    ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com

docker pull ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com/gertinai/gateway:1.0.0

Step 2. Quick evaluation with Docker Compose

For local testing, use the included Docker Compose file. Requires PostgreSQL and Redis. The exports below are fine for a throwaway local run, but the master key and Bedrock token end up in your shell history; for anything longer-lived put them in a file that Compose reads with --env-file (mode 0600), or use Secrets Manager as in step 3.

export DATABASE_URL="postgres://user:pass@localhost:5432/gertinai"
export REDIS_URL="redis://localhost:6379/0"
export SENTINEL_MASTER_KEY="your-secure-master-key"
export BEDROCK_BEARER_TOKEN="ABSK..."
export AWS_REGION="us-east-1"

docker compose up -d

# Verify
curl http://localhost:8080/healthz
curl http://localhost:8080/readyz

Step 3. Deploy to AWS with CDK (production)

The included CDK TypeScript stack provisions all required AWS infrastructure in one command. Note that --require-approval never suppresses the prompt CDK normally shows before applying IAM and security-group changes; leave it off on your first deploy so you can review what the stack grants.

cd infra
npm install
npx cdk bootstrap
DOMAIN_NAME=gertinai.com npx cdk deploy --all --require-approval never

Step 4. Create your first API key

Once the gateway is running, create an API key using your master key (the value of SENTINEL_MASTER_KEY). The master key can mint keys for any org and plan, so treat it as a root credential: keep it in Secrets Manager and never embed it in clients or CI jobs.

curl -X POST https://gateway.gertinai.com/v1/admin/keys \
  -H "x-master-key: your-master-key" \
  -H "Content-Type: application/json" \
  -d '{
    "org_name": "acme-corp",
    "key_name": "production",
    "plan": "business"
  }'

# Response — store the key securely, shown only once
{
  "key": "snt_sk_...",
  "key_prefix": "snt_sk_abc12",
  "plan": "business",
  "rpm_limit": 300,
  "daily_limit": 50000
}

API Reference

POST /v1/compliance/iam/analyze

Analyze an IAM policy document for security risks and compliance violations. The policy is passed as a JSON-encoded string (inner quotes escaped), not as a nested object.

Request Body

{
  "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[...]}",
  "account_id": "123456789012",       // optional
  "resource_arn": "arn:aws:iam::...", // optional
  "frameworks": ["SOC2", "PCI-DSS"]   // optional
}

Response

{
  "request_id": "uuid",
  "risk_score": 0-100,
  "risk_level": "CRITICAL|HIGH|MEDIUM|LOW",
  "findings": [
    { "severity", "rule_id", "title", "description", "remediation", "framework" }
  ],
  "summary": "string",
  "analyzed_at": "ISO8601"
}

POST /v1/compliance/cloud/scan

Scan a cloud resource configuration for misconfigurations.

Request Body

{
  "provider": "aws",
  "resource_type": "s3|ec2|rds|vpc|cloudtrail|kms",
  "config": { ...resource configuration... },
  "region": "us-east-1",
  "frameworks": ["CIS"]
}

Response

{
  "request_id": "uuid",
  "risk_score": 0-100,
  "risk_level": "...",
  "passed": 8, "failed": 4,
  "findings": [
    { "severity", "check_id", "title", "impact", "remediation", "compliance_links" }
  ],
  "summary": "string",
  "scanned_at": "ISO8601"
}
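
The two compliance endpoints above share a response shape (risk_level plus a findings list), which makes them easy to wire into a CI gate. The following is an added example, not Gertin AI SDK code: it builds request bodies for /v1/compliance/iam/analyze (serialising the policy to the string the endpoint expects) and /v1/compliance/cloud/scan, and fails a pipeline on CRITICAL or HIGH results. It assumes the API key is sent as a Bearer token in the Authorization header (the page does not name the header), and the policy, response and rule_ids it embeds are constructed.

```python
import json
import urllib.request
from typing import Iterable, Optional

# Added example, not Gertin AI SDK code. Assumptions (the page does not state them):
# the API key is sent as a Bearer token in the Authorization header, and the
# sample response below is constructed to match the documented response shape.
GATEWAY = "https://gateway.gertinai.com"

BLOCKING_LEVELS = {"CRITICAL", "HIGH"}


def iam_analyze_request(policy: dict, frameworks: Optional[Iterable[str]] = None,
                        account_id: Optional[str] = None) -> dict:
    """Body for POST /v1/compliance/iam/analyze.

    'policy' is a JSON string, not a nested object, so the policy document is
    serialised a second time here; sending the raw dict is the usual mistake.
    """
    body = {"policy": json.dumps(policy, separators=(",", ":"))}
    if account_id:
        body["account_id"] = account_id
    if frameworks:
        body["frameworks"] = list(frameworks)
    return body


def cloud_scan_request(resource_type: str, config: dict, region: str,
                       frameworks: Iterable[str] = ("CIS",)) -> dict:
    """Body for POST /v1/compliance/cloud/scan; 'config' stays a nested object."""
    return {"provider": "aws", "resource_type": resource_type, "config": config,
            "region": region, "frameworks": list(frameworks)}


def gate(response: dict, blocking: set = BLOCKING_LEVELS) -> tuple[bool, list[str]]:
    """CI gate over either endpoint's response: fail on a blocking overall
    risk_level or on any finding whose severity is blocking. Findings carry
    rule_id (IAM) or check_id (cloud scan); whichever is present is reported."""
    reasons = []
    if response.get("risk_level") in blocking:
        reasons.append(f"risk_level={response['risk_level']} (score {response.get('risk_score')})")
    for f in response.get("findings", []):
        if f.get("severity") in blocking:
            ident = f.get("rule_id") or f.get("check_id") or "?"
            reasons.append(f"{f['severity']} {ident}: {f.get('title', '')}")
    return (not reasons, reasons)


def post(path: str, body: dict, api_key: str, timeout: float = 60) -> dict:
    """Send a request to the gateway (network call; not exercised offline)."""
    req = urllib.request.Request(
        GATEWAY + path, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed inputs: an over-broad policy and a response shaped like the
# documented IAM analyze response (rule_ids and text are illustrative).
WILDCARD_POLICY = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

SAMPLE_RESPONSE = {
    "request_id": "00000000-0000-4000-8000-000000000000",
    "risk_score": 95, "risk_level": "CRITICAL",
    "findings": [
        {"severity": "CRITICAL", "rule_id": "iam-wildcard-admin",
         "title": "Allow */* grants full administrative access",
         "description": "...", "remediation": "Scope Action and Resource", "framework": "SOC2"},
        {"severity": "LOW", "rule_id": "iam-missing-condition",
         "title": "No Condition element", "description": "...", "remediation": "...", "framework": "PCI-DSS"},
    ],
    "summary": "The policy is equivalent to AdministratorAccess.",
    "analyzed_at": "2025-01-15T12:00:00Z",
}

if __name__ == "__main__":
    body = iam_analyze_request(WILDCARD_POLICY, frameworks=["SOC2", "PCI-DSS"])
    print(json.dumps(body, indent=2))          # note the escaped, stringified policy
    ok, reasons = gate(SAMPLE_RESPONSE)
    print("PASS" if ok else "FAIL:\n  " + "\n  ".join(reasons))
    # Live call (needs a real key): gate(post("/v1/compliance/iam/analyze", body, "snt_sk_..."))
```

In a pipeline, run gate() on the live response and exit non-zero when it returns False; the reasons list gives the reviewer the rule_id or check_id to look up rather than just a score.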

POST /v1/compliance/soc2/evidence

Evaluate evidence against a SOC2 Trust Services Criteria control.

Request Body

{
  "control_id": "CC6.1",
  "control_name": "Logical and Physical Access Controls",
  "evidence": "...raw evidence text...",
  "period": "2024-Q4"
}

Response

{
  "request_id": "uuid",
  "control_id": "CC6.1",
  "status": "PASS|FAIL|NEEDS_REVIEW",
  "narrative": "Auditor-ready narrative...",
  "gaps": ["list of missing artifacts"],
  "artifacts": ["suggested_filename.pdf"],
  "auditor_notes": "string",
  "generated_at": "ISO8601"
}

POST /v1/compliance/logs/summarize

Summarize and analyze security logs for anomalies and threats.

Request Body

{
  "logs": "...raw log content...",
  "log_source": "cloudtrail|vpc_flow|guardduty|alb|application",
  "time_range": "2025-01-15 00:00 - 06:00 UTC",
  "focus": "security|errors|performance"
}

Response

{
  "request_id": "uuid",
  "summary": "string",
  "key_events": [{ "timestamp", "level", "message", "source" }],
  "anomalies": ["string"],
  "security_alerts": ["string"],
  "recommendations": ["string"],
  "total_logs_analyzed": 14280
}
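
Raw logs routinely contain credentials, and this endpoint forwards their content to a language model, so it is worth scrubbing before submission. The following is an added example, not Gertin AI code: it turns a batch of CloudTrail events into a /v1/compliance/logs/summarize body, deriving time_range from the events' eventTime fields in the format the page shows, pseudonymising AWS access key IDs so events can still be correlated by principal, and blanking known secret-bearing fields. The events are constructed (AKIAIOSFODNN7EXAMPLE and AKIAI44QH8DHBEXAMPLE are AWS's documentation example key IDs); the field list and hashing scheme are this example's own choices.

```python
import hashlib
import json
import re
from datetime import datetime

# Added example, not Gertin AI code. It prepares a /v1/compliance/logs/summarize
# body from CloudTrail events: derives time_range from eventTime, and scrubs
# credentials before the logs leave your account for an LLM. The sample events
# below are constructed (the AKIA... values are AWS's documentation example IDs).

ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Field names whose values are bearer/session secrets (mostly in application
# logs rather than CloudTrail); the value is dropped entirely. Heuristic list.
SECRET_FIELD_RE = re.compile(
    r'("(?:sessionToken|x-amz-security-token|authorization|secretAccessKey)"\s*:\s*")[^"]*(")',
    re.IGNORECASE)


def pseudonymise_key(key_id: str) -> str:
    """Replace an access key ID with a stable token so events can still be
    correlated by principal without disclosing the real ID."""
    return "AKID-" + hashlib.sha256(key_id.encode()).hexdigest()[:10]


def redact(line: str) -> str:
    line = ACCESS_KEY_ID_RE.sub(lambda m: pseudonymise_key(m.group(0)), line)
    return SECRET_FIELD_RE.sub(r"\g<1>[REDACTED]\g<2>", line)


def cloudtrail_time_range(events: list[dict]) -> str:
    """Format like the documented example: '2025-01-15 00:00 - 06:00 UTC'."""
    stamps = sorted(datetime.fromisoformat(e["eventTime"].replace("Z", "+00:00")) for e in events)
    start, end = stamps[0], stamps[-1]
    if start.date() == end.date():
        return f"{start:%Y-%m-%d %H:%M} - {end:%H:%M} UTC"
    return f"{start:%Y-%m-%d %H:%M} - {end:%Y-%m-%d %H:%M} UTC"


def build_logs_request(events: list[dict], focus: str = "security") -> dict:
    """One JSON line per event, redacted; log_source is fixed to cloudtrail here."""
    lines = [redact(json.dumps(e, separators=(",", ":"), sort_keys=True)) for e in events]
    return {"logs": "\n".join(lines), "log_source": "cloudtrail",
            "time_range": cloudtrail_time_range(events), "focus": focus}


SAMPLE_EVENTS = [  # constructed; deliberately out of time order
    {"eventTime": "2025-01-15T05:48:01Z", "eventName": "CreateAccessKey",
     "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAI44QH8DHBEXAMPLE", "status": "Active"}}},
    {"eventTime": "2025-01-15T03:12:44Z", "eventName": "AssumeRole",
     "eventSource": "sts.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/Admin"}},
]

if __name__ == "__main__":
    print(json.dumps(build_logs_request(SAMPLE_EVENTS), indent=2))
```

Hashing rather than blanking the key ID keeps "same principal created a key and then assumed Admin" visible to the analysis while the real identifier never leaves your account. The page states no maximum request size, so batch large exports into several calls rather than one body.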

POST /v1/compliance/threat/explain

Explain a threat, CVE, or security alert with MITRE ATT&CK context.

Request Body

{
  "threat": "CVE-2024-21626",
  "threat_type": "CVE|IOC|TTPs|ALERT",
  "context": "Running Kubernetes 1.28 on EKS",
  "audience_level": "executive|analyst|technical"
}

Response

{
  "request_id": "uuid",
  "threat_name": "string",
  "severity": "CRITICAL|HIGH|MEDIUM|LOW",
  "explanation": "audience-tailored text",
  "technical_detail": "string",
  "attack_vector": "string",
  "affected_systems": ["string"],
  "immediate_actions": ["string"],
  "mitigations": ["string"],
  "references": ["CVE-...", "T1611"]
}

POST /v1/chat/completions

OpenAI-compatible chat completions endpoint. Requests are forwarded to AWS Bedrock using the Bedrock bearer token configured on the gateway. Set "stream": true to receive the response as Server-Sent Events in the OpenAI chunk format.

Request Body

{
  "model": "claude-sonnet",
  "messages": [{"role": "user", "content": "..."}],
  "max_tokens": 4096,
  "stream": false
}

Response

// Standard OpenAI ChatCompletion response format
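
Streaming responses arrive as SSE events whose boundaries do not line up with the TCP reads your client performs, so a consumer has to buffer and split on blank lines before parsing each "data:" payload. The following is an added example, not Gertin AI code: a small SSE consumer for the OpenAI chunk format that reassembles the assistant text from delta.content pieces and stops at the "[DONE]" sentinel. The byte stream it parses is constructed and deliberately split mid-event; the Authorization: Bearer header in the live-call helper is an assumption, since the page does not name the header.

```python
import json
import urllib.request
from typing import Iterable, Iterator, Optional

# Added example, not Gertin AI code. Consumes the SSE stream returned by
# POST /v1/chat/completions with "stream": true, in the OpenAI chunk format
# (delta.content pieces, then a "[DONE]" sentinel). The byte chunks below are
# constructed and deliberately split mid-event, which real sockets also do.
# Assumption: the API key goes in an Authorization: Bearer header.

GATEWAY = "https://gateway.gertinai.com"


def iter_sse_data(chunks: Iterable[bytes]) -> Iterator[str]:
    """Yield the joined 'data:' payload of each SSE event, buffering across
    chunk boundaries; events end at a blank line, CRLF or LF."""
    buf = b""
    for chunk in chunks:
        buf = (buf + chunk).replace(b"\r\n", b"\n")
        while b"\n\n" in buf:
            event, buf = buf.split(b"\n\n", 1)
            data = [ln[5:].lstrip() for ln in event.split(b"\n") if ln.startswith(b"data:")]
            if data:  # comment lines (":keepalive") and other fields carry no data
                yield b"\n".join(data).decode("utf-8")


def collect_completion(chunks: Iterable[bytes]) -> tuple[str, Optional[str]]:
    """Reassemble the assistant text and report the finish_reason."""
    parts, finish = [], None
    for data in iter_sse_data(chunks):
        if data == "[DONE]":
            break
        for choice in json.loads(data).get("choices", []):
            content = choice.get("delta", {}).get("content")
            if content:
                parts.append(content)
            if choice.get("finish_reason"):
                finish = choice["finish_reason"]
    return "".join(parts), finish


def stream_chat(messages: list[dict], api_key: str,
                model: str = "claude-sonnet") -> tuple[str, Optional[str]]:
    """Live call against the gateway (network; not exercised offline)."""
    body = {"model": model, "messages": messages, "max_tokens": 4096, "stream": True}
    req = urllib.request.Request(
        GATEWAY + "/v1/chat/completions", data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Accept": "text/event-stream",
                 "Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req) as resp:
        return collect_completion(iter(lambda: resp.read(4096), b""))


def _chunk(delta: dict, finish: Optional[str] = None) -> bytes:
    """Build one OpenAI-format chunk event (constructed test data)."""
    ev = {"id": "chatcmpl-x", "object": "chat.completion.chunk", "model": "claude-sonnet",
          "choices": [{"index": 0, "delta": delta, "finish_reason": finish}]}
    return b"data: " + json.dumps(ev).encode() + b"\n\n"


# Constructed stream: a keepalive comment, CRLF line endings on one event, and
# read boundaries that fall inside JSON objects.
_raw = (b":keepalive\n\n" + _chunk({"role": "assistant", "content": ""})
        + _chunk({"content": "The policy "}).replace(b"\n\n", b"\r\n\r\n")
        + _chunk({"content": "grants s3:* on every bucket."}) + _chunk({}, "stop")
        + b"data: [DONE]\n\n")
SAMPLE_STREAM = [_raw[:40], _raw[40:150], _raw[150:151], _raw[151:]]

if __name__ == "__main__":
    text, finish = collect_completion(SAMPLE_STREAM)
    print(repr(text), finish)
```

Parsing only after a complete event is what makes the split-read case safe: a naive line-at-a-time json.loads would raise on the partial object in the second chunk. Treat finish_reason "length" as a truncated answer rather than a complete one when you act on the text.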

Deployment

ECS Fargate

Recommended for production. Uses the CDK stack for fully managed container orchestration.

Amazon EKS

Kubernetes deployment with the included Helm chart and K8s manifests.

EC2 + Docker

Self-managed with Docker Compose for teams managing their own EC2 fleet.

Secrets Manager

All credentials (DATABASE_URL, SENTINEL_MASTER_KEY, BEDROCK_BEARER_TOKEN and the like) can be injected from AWS Secrets Manager at task start, so no plaintext secrets appear in task definitions.
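
A practitioner usually wants to verify that rule rather than trust it. The following is an added example, not part of the Gertin AI CDK stack or Helm chart: a check over an ECS task definition that flags plaintext credentials in environment (by variable name, and by passwords embedded in connection URLs) and confirms every secrets entry resolves from a Secrets Manager or SSM Parameter Store ARN. The two task definitions it embeds are constructed and abbreviated; the weak one is simply the Quick Start exports pasted into a task definition, the fixed one delivers the same variables through secrets.

```python
import re

# Added example, not part of the Gertin AI CDK stack. It checks an ECS task
# definition for the rule stated above: credentials come from Secrets Manager
# (or SSM Parameter Store) via 'secrets', never as plaintext 'environment'
# values. The two task definitions below are constructed and abbreviated.

SECRET_NAME_RE = re.compile(r"KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL", re.IGNORECASE)
URL_WITH_PASSWORD_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s]+:[^@\s]+@", re.IGNORECASE)
SECRET_ARN_RE = re.compile(
    r"^arn:aws(?:-[a-z]+)?:(?:secretsmanager:[a-z0-9-]+:\d{12}:secret:|ssm:[a-z0-9-]+:\d{12}:parameter/)\S+$")


def check_task_definition(td: dict) -> list[str]:
    """Return a list of problems; empty means the definition keeps secrets out
    of plaintext. Name matching is a heuristic, so review what it flags."""
    problems = []
    for c in td.get("containerDefinitions", []):
        cname = c.get("name", "?")
        for env in c.get("environment", []):
            name, value = env.get("name", ""), str(env.get("value", ""))
            if SECRET_NAME_RE.search(name) or URL_WITH_PASSWORD_RE.match(value):
                problems.append(f"{cname}: '{name}' is a plaintext secret in environment")
        for s in c.get("secrets", []):
            if not SECRET_ARN_RE.match(s.get("valueFrom", "")):
                problems.append(
                    f"{cname}: secret '{s.get('name')}' valueFrom is not a Secrets Manager/SSM ARN")
    return problems


ACCOUNT = "123456789012"
WEAK_TASK_DEF = {  # constructed: the Quick Start exports copied into a task definition
    "family": "gertinai-gateway",
    "containerDefinitions": [{
        "name": "gateway",
        "image": f"{ACCOUNT}.dkr.ecr.us-east-1.amazonaws.com/gertinai/gateway:1.0.0",
        "environment": [
            {"name": "AWS_REGION", "value": "us-east-1"},
            {"name": "REDIS_URL", "value": "redis://redis.internal:6379/0"},
            {"name": "DATABASE_URL", "value": "postgres://user:pass@db.internal:5432/gertinai"},
            {"name": "SENTINEL_MASTER_KEY", "value": "your-secure-master-key"},
            {"name": "BEDROCK_BEARER_TOKEN", "value": "ABSK..."},
        ],
    }],
}

FIXED_TASK_DEF = {  # constructed: same variables delivered from Secrets Manager
    "family": "gertinai-gateway",
    "containerDefinitions": [{
        "name": "gateway",
        "image": f"{ACCOUNT}.dkr.ecr.us-east-1.amazonaws.com/gertinai/gateway:1.0.0",
        "environment": [
            {"name": "AWS_REGION", "value": "us-east-1"},
            {"name": "REDIS_URL", "value": "redis://redis.internal:6379/0"},
        ],
        "secrets": [
            {"name": "DATABASE_URL",
             "valueFrom": f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:gertinai/database-url-AbCdEf"},
            {"name": "SENTINEL_MASTER_KEY",
             "valueFrom": f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:gertinai/master-key-AbCdEf"},
            {"name": "BEDROCK_BEARER_TOKEN",
             "valueFrom": f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:gertinai/bedrock-token-AbCdEf"},
        ],
    }],
}

if __name__ == "__main__":
    for label, td in (("weak", WEAK_TASK_DEF), ("fixed", FIXED_TASK_DEF)):
        print(label, check_task_definition(td) or "OK")
```

Run it over the rendered task definition (for example the JSON that cdk synth emits) as a pre-deploy step. The task execution role still needs secretsmanager:GetSecretValue on exactly those ARNs; the check above does not verify that side.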

Changelog

v1.0.0 (2025-01-15)
  • +Initial release — all five compliance AI engines
  • +AWS Bedrock integration with bearer token support (ABSK keys)
  • +OpenAI-compatible /v1/chat/completions with SSE streaming
  • +API key management with per-org rate limiting (Starter/Business/Enterprise)
  • +Immutable audit log in PostgreSQL
  • +Redis-backed per-minute rate limiting
  • +Prometheus /metrics endpoint
  • +CDK TypeScript stack for one-command AWS deployment
  • +ECS task definition, Kubernetes manifests, Docker Compose included