Agent Overview
How the Bluebricks agent uses the context layer to discover, secure, and manage your infrastructure
Overview
The agent uses Bluebricks' context layer to discover, reason about, and take action across your infrastructure through natural conversation. It sees every resource, relationship, and dependency in your connected cloud accounts, whether managed by code or not.
You can reach the agent in the Bluebricks app, from Slack, or programmatically via the Bluebricks MCP server.
Use cases
The agent handles workflows across three areas: security, infrastructure operations, and cost optimization. In each case, it can both discover the current state and take action to change it.
Security
Identify configuration risks and compliance gaps, and remediate them through code.
The agent queries the context layer for security-relevant configuration across all connected accounts. When it finds an issue, it can open a pull request to fix it, so remediation follows the same governed, auditable workflow as any other change.
"Which S3 buckets are publicly accessible?"
Queries the context layer for bucket ACLs and policies
"Are there any security groups allowing inbound traffic from 0.0.0.0/0?"
Scans security group rules across all VPCs
"Which RDS instances don't have encryption at rest?"
Checks encryption configuration across accounts
"Open a PR to enforce encryption at rest on all RDS instances"
Generates Terraform changes and opens a pull request
You can also point the agent at findings from your existing security tools. Paste a finding or describe the issue, and the agent maps it to the affected resources in the context layer and proposes a fix.
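The first three questions above reduce to checks like the following, shown here as an added example rather than Bluebricks code or anything from the product itself. The page does not show the context layer's schema, so the constructed records use AWS API response field names as an assumption, and the `::/0` case extends the page's `0.0.0.0/0` question to IPv6.

```python
# Constructed sample inventory; field names follow AWS API responses, except
# "PolicyIsPublic", which stands in for the GetBucketPolicyStatus result.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [  # "-1" = all traffic, no port keys
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": False},
    {"DBInstanceIdentifier": "users-db", "StorageEncrypted": True},
]
BUCKETS = [
    {"Name": "site-assets", "PolicyIsPublic": True, "Grants": [],
     "PublicAccessBlock": {"RestrictPublicBuckets": False}},
    {"Name": "old-logs", "PolicyIsPublic": False,
     "Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
     "PublicAccessBlock": {"IgnorePublicAcls": True}},  # public ACL is ignored
]

def open_ingress(groups):
    """Inbound rules reachable from any address, IPv4 or IPv6."""
    hits = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            if "0.0.0.0/0" in cidrs or "::/0" in cidrs:
                hits.append((sg["GroupId"], rule["IpProtocol"], rule.get("FromPort")))
    return hits

def unencrypted_rds(instances):
    return [d["DBInstanceIdentifier"] for d in instances if not d.get("StorageEncrypted")]

def public_buckets(buckets):
    """Public via ACL or policy, unless the bucket's public access block overrides it."""
    found = []
    for b in buckets:
        pab = b.get("PublicAccessBlock", {})
        acl = any(g["Grantee"].get("URI") == ALL_USERS for g in b.get("Grants", []))
        if (acl and not pab.get("IgnorePublicAcls")) or (
                b.get("PolicyIsPublic") and not pab.get("RestrictPublicBuckets")):
            found.append(b["Name"])
    return found
```

Account-level Block Public Access settings also apply to every bucket in the account and are not modelled in this sketch.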
Infrastructure
Discover what is running, identify drift, and manage resources across accounts.
The agent can answer questions about resource inventory, ownership, and code coverage. It can also codify unmanaged resources, scale infrastructure, and deploy changes.
"Show me all EKS components across my AWS accounts"
Cross-account resource discovery
"List all databases tagged as 'legacy'"
Filtered resource search by tags
"Which resources in production aren't managed by code?"
Identifies unmanaged resources (drift and coverage analysis)
"What percentage of my infrastructure is codified?"
Calculates managed vs. unmanaged ratio
"Codify the unmanaged S3 buckets in production"
Generates Terraform code and opens a PR to bring resources under IaC
"Scale the EKS cluster in staging to 5 nodes"
Modifies Terraform and opens a PR with the change
To bring unmanaged resources under code control, see Codifying Infrastructure.
FinOps
Find cost savings and act on them.
The agent analyzes resource configuration to surface optimization opportunities. It can identify orphaned resources, recommend rightsizing, and open PRs to implement the changes.
"Show me unattached EBS volumes across all accounts"
Finds orphaned storage still incurring costs
"Which Elastic IPs aren't associated with a running instance?"
Identifies unused IPs incurring charges
"What would it save to downsize all gp2 volumes to gp3?"
Estimates savings from a specific optimization
"Compare RDS instance counts between production and staging"
Cross-account comparison for right-sizing
Narrowing scope
The agent queries across all connected cloud providers by default. Add an account or provider name to narrow the results:
Prefer a visual interface? You can also explore your infrastructure through the Cloud Graph, which shows resources, relationships, and managed vs. unmanaged status across all your collections.
How it works
The agent has two classes of tools:
Read tools query the context layer without modifying anything: resource discovery, environment listing, deployment outputs, and package inspection. You can ask questions freely without side effects.
Write tools create or modify infrastructure: opening pull requests, deploying environments, and approving or rejecting plans. Every write operation requires your explicit approval before it executes.
Responses reflect what is actually running in your accounts, not what a language model was trained on. For details on how the context layer is built and why it matters, see What is Bluebricks?
Safety and governance
Infrastructure changes go through a plan-and-approve workflow. The agent always presents the plan and waits for your confirmation before applying.
Read-only by default: inspection tools never modify your infrastructure. Write operations require you to take explicit action.
All changes go through IaC: the agent codifies changes in Terraform and routes them through pull requests, rather than making direct cloud API calls.
Organization-scoped: all queries are scoped to your organization. The agent cannot access resources outside your org.
RBAC: the agent respects your organization roles and permissions.
Transparent execution: the agent shows its reasoning step by step. Tool calls, query results, and logs are visible in the chat.
Audit trail: every message and action is logged and stored in your task history.
For roles and permissions, see Roles and Permissions.
Agent and orchestration
If your team uses the Bluebricks orchestration platform, the agent can manage blueprints, environments, and approval flows through conversation. The same governance policies, RBAC rules, and audit trails apply whether you work through the agent or the app.
For details on how approval flows, collection policies, and permissions work in conversation, see Agent Governance. For the orchestration concepts themselves, see Collections, Packages, and Environments.
The chat interface
From the agent page, click New task to open a fresh conversation. Type your question or request and press Enter to send. The agent begins working immediately, and your task auto-titles based on your first message.
Your recent tasks appear in the sidebar. Click any task to resume where you left off. To rename a task, click the title at the top of the conversation. To archive it, open the menu next to the title and select Archive.
Resource graphs
When you ask about relationships or dependencies, the agent returns an interactive resource graph. Nodes represent cloud resources and edges show how they connect. You can pan, zoom, and click nodes for detail.
Pull request blocks
When the agent opens a PR, the conversation shows a PR block with the title, branch names, and an expandable inline diff. You can review the proposed changes directly in the chat before navigating to GitHub.
For a full breakdown of PR structure, see Reading a Bluebricks PR.
Agent reasoning and logs
While the agent works, an expandable Working block shows the reasoning process in real time. Once complete, the block collapses to Worked with the total duration.
Agent logs show the tools called and their results. These are useful for understanding how the agent arrived at an answer, especially when troubleshooting unexpected results.
Programmatic access
Beyond the chat interface, you can interact with the agent from other tools: