unusd.cloudunusd.cloud
// Deterministic scans · AI insights

Find the resources
no one is using.
Before finance does.

AWS cost optimization and FinOps without guesswork: deterministic rules on read-only AWS APIs, Navi in the dashboard, weekly digest in your inbox. Find AWS waste and idle resources before finance does. Read-only. 5-minute setup.

Start free scanSee what we detect
700+ AWS orgs47 detection rulesstandard AWS read-only APIs
inbox · weekly digest (summary)delivered · 09:00 CET
unusd.cloud<digest@unusd.cloud>to amelie@acme.io
Weekly scan · acme · $4,812/mo of waste detected
6 accounts · 14 regions · 47 detection rules · scan id 3f7a
Top findings this week$/month
EBS
unattached volumes · 37
$1204
EC2
idle instances · 14
$968
RDS
stopped > 7d · 4
$312
NAT
low throughput · 2
$134
SM
idle endpoints · 1
$480
NAVI·insight
93% of this week's waste lives in acme-staging. Most of it is EBS volumes detached > 30 days. One whitelist rule could cut your digest noise by half.
next scan: Mon 09:00

Sample digest (summary by email). Full web report and Navi live in the app. Delivered Monday 09:00 in your timezone.

trusted by teams scanning 2,400+ AWS accounts · 30k+ scans run · $2.8M+ waste surfaced · listed on AWS Marketplace
// navi · agent

An agent over your scans and web report.

Navi is the AI layer on top of your deterministic scans. Threaded chats and optional memory, with answers grounded in real findings and in-app report context, not the open web, not guesswork. Read-only. Nothing runs in AWS without you.

  • Grounded in deterministic scan findings: no hallucinations, no random web search
  • Threads and memory (confirm in Settings) for continuity across sessions
  • Custom Instructions: org context applied across the product
  • Your prompts are not used to train foundation models
Navi
acme · 8 connected accounts
online
Y
What's costing me the most this week and why?
N
Your top 3 cost drivers (week 16):
m5.4xlarge i-0a1b2…acme-prod / eu-west-1$6123% CPU · idle 10d
40 unattached gp3acme-staging$498last attached > 30d
2 NAT gatewaysacme-dev$134< 1MB egress/day
Source: scan 3f7a · cited rules: ec2/idle-instance, ebs/unattached-volume, nat/low-throughput
Y
Draft a Slack message I can send to the staging owner
N
draft · for #platform
hey @amelie - heads up: 40 unattached gp3 volumes in acme-staging eu-west-1 are costing us ~$498/mo. last attached > 30 days. safe to delete?
details: app.unusd.cloud/scan/3f7a
Ask Navi about your AWS bill…
// Detections

47 rules. Real ones. Battle-tested.

47 deterministic rules running over standard AWS read-only API calls. Refined across hundreds of real AWS environments. Not just idle detection, waste, drift, RI/SP coverage, and Cost Optimization Hub recommendations. AI summarizes; the rules decide.

// new rules ship monthly
// changelog →
#
rule
condition
01
ec2/idle-instance
multi-metric inactivity, extended window
02
ec2-other/breakdown
decomposes the EC2-Other line item
03
ebs/unattached-volume
volume in available state
04
ebs/gp2-to-gp3
outdated type, online migration
05
ebs/io1-to-gp3
io1 cheaper as gp3 at current iops
06
ebs/idle-volume
attached to long-stopped instance
07
snapshots/old
ec2 / rds snapshots beyond useful life
08
rds/idle-instance
no connections, extended window
09
rds/storage-migration
gp2 → gp3 / io1 → gp3 storage swap
10
rds/extended-support
engine version on ES surcharge
11
elasticache/idle-node
no meaningful activity, extended window
12
elasticache/redis-to-valkey
redis OSS → valkey, ~20% cheaper
13
elb/unused
no listeners / no targets / no traffic
14
nat/low-throughput
minimal data processed, extended window
15
vpc-endpoints/idle
interface endpoint, no traffic
16
vpc-endpoints/missing-gw
vpc without free s3 / dynamodb gateway
17
eip/unattached
elastic ip not associated
18
sagemaker/idle
endpoints / notebooks / studio apps idle
19
lambda/arm-candidate
x86 in graviton-supported region
20
lambda/over-memory
allocated memory above peak usage
21
dynamodb/unused-table
zero read AND write activity
22
dynamodb/orphaned-gsi
global secondary index with no reads
23
cloudwatch/no-retention
log group set to never expire
24
secrets/unused
no access events, extended window
+ 23 more - see full catalog →
// Delivery

Digest in your inbox.
Full web report and Navi in the app.

Email carries a concise weekly summary you can forward. The full web report (trends, drill-downs, management-style rollups) and Navi live in the dashboard. Want alerts in Slack or Teams? Add a channel.

inbox · weekly digest (summary)delivered · 09:00 CET
unusd.cloud<digest@unusd.cloud>to amelie@acme.io
Weekly scan · acme · $4,812/mo of waste detected
6 accounts · 14 regions · 47 detection rules · scan id 3f7a
Top findings this week$/month
EBS
unattached volumes · 37
$1204
EC2
idle instances · 14
$968
RDS
stopped > 7d · 4
$312
NAT
low throughput · 2
$134
SM
idle endpoints · 1
$480
NAVI·insight
93% of this week's waste lives in acme-staging. Most of it is EBS volumes detached > 30 days. One whitelist rule could cut your digest noise by half.
next scan: Mon 09:00

Email = digest summary · full report in app · daily option · per-account or org-wide

#finops · Slack
un
unusd.cloud APP · 09:14
Weekly scan complete - $4,812/mo of waste detected across 6 accounts.
37 unattached EBS · $1,204/mo
14 idle EC2 · $968/mo
2 NAT gateways · $134/mo
platform-team · Teams
DRIFTseverity HIGH
acme-prod spending ↑ 38% above baseline
last 24h: $1,420 · expected $1,030 ± $80
likely driver
EC2 (eu-west-1) +$340 · CloudWatch +$50
Dashboard
Web app · full web report, trends, drill-downs, multi-account roll-ups, Navi chat
SNS
Findings as JSON for Lambda remediation, ITSM, archive
enterprise
// Security

Boring on purpose.

hub-and-spoke
We never hold credentials. You deploy a role in your account, we sts:AssumeRole with a customer-unique ExternalId.
read-only
SecurityAudit + a small inline policy of standard, read-only AWS API calls. Inspectable in CloudFormation or Terraform before you deploy.
no data persistence
Report metadata only. We do not store your resource inventory. AES-256 at rest, TLS in transit.
no agents
No daemons in your VPC. Nothing to patch, nothing to break, no maintenance window.
unusd-spoke-role.ymlCloudFormation · excerpt
AssumeRolePolicyDocument:
  Statement:
    - Effect: Allow
      Principal:
        AWS: "arn:aws:iam::<unusd-hub>:role/scanner"
      Action: sts:AssumeRole
      Condition:
        StringEquals:
          sts:ExternalId: "<your-customer-id>"

ManagedPolicyArns:
  - arn:aws:iam::aws:policy/SecurityAudit

Policies:
  - PolicyName: unusd-cost-readonly
    PolicyDocument:
      Statement:
        - Effect: Allow
          Action:
            - ce:GetCostAndUsage
            - ce:GetCostForecast
            - cloudwatch:GetMetricData
            - cost-optimization-hub:ListRecommendations
            - pricing:GetProducts
          Resource: "*"
full template · CloudFormation, Terraform, StackSetsview docs →
// Pricing

Simple. Credit-based. Annual.

// 1 resource scanned = 1 credit
// billed annually · AWS Marketplace
plan
credits/mo
accounts
AI
drift
notify
$/mo
Individual
on-demand
1
-
-
Email
$0
Startup
15,000
unlimited
-
Email · Slack
$149
Businessmost teams
50,000
unlimited
+ MS Teams
$500
Enterprise
100,000
unlimited
● + custom
+ SNS · Cost-Hub
$1,000
Need a private offer, NDA, or invoicing terms?Talk to us →
// FAQ

Answers for security, FinOps, and AI.

Quick facts for procurement, platform teams, and anyone evaluating read-only AWS cost tooling.

Is unusd.cloud read-only on AWS?+

Yes. We use standard AWS read-only APIs and a read-only IAM role you deploy. Nothing is changed in your accounts unless you act on findings yourself.

What AWS services and regions do you scan?+

We run deterministic rules across 30+ services and every enabled region. The full catalog is documented at docs.unusd.cloud.

How is Navi different from a generic chatbot?+

Navi is grounded in your scan results and in-app report context, not open-web search. It threads optional memory and Custom Instructions so answers stay relevant to your org.

Is my data or my prompts used to train foundation models?+

Your prompts are not used to train foundation models. See our product settings and docs for the latest privacy and retention details.

How does pricing work?+

Plans are credit-based and billed annually, with options from a free tier through Enterprise. AWS Marketplace billing is available for simpler procurement.

What do I get in email vs the app?+

Email carries a concise weekly digest you can forward. The full web report, trends, drill-downs, and Navi live in the dashboard.

How fast can I get the first scan?+

Most teams connect a read-only role in about five minutes and get a first scan shortly after.

// get started

Connect an AWS account.
Digest in your inbox, full report in the app.

Deploy a read-only role with one click. We run your first scan right away: digest by email, full web report and Navi when you open the dashboard.

Start free scanAWS Marketplace
30 free scans · no credit card · 5-minute setup