
I am interested in reviews of this tool. Has anyone used it?


Note: I am a current NCC Group employee.

It does one thing very well: quickly grabbing a snapshot of the security posture of a public cloud account's resources with little fuss. It's an ideal solution as an outsider looking in at someone's account. But, I wouldn't use it as-is for other needs (say, those of in-house security folks) like continuous monitoring. That would be like using a Polaroid camera to create a movie.


We also offer a SaaS version (https://cyberstore.nccgroup.com/our-services/service-details...), which includes persistent monitoring as well as support for additional services and rules.


I find it disruptive as a developer in an organization that used to run it very frequently. It aggressively crawls your infrastructure and blows up AWS API calls with low rate limits, like the EMR cluster description operations.


Note: I'm the project's maintainer.

Have a look at the `--max-workers` and `--max-rate` arguments, which allow controlling the rate of API calls made against the cloud environment. You can use these to tweak executions against environments and ensure you don't hit API caps.

Note that this isn't a Scout Suite issue per se, but the consequence of how AWS implements rate limiting (i.e. it's account-wide, not per-principal). Any AWS tool will face the same limitations / hurdles.
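Added example (not Scout Suite's own code, and not part of the thread) modelling the two points above: the tool's client-side pacing, of the kind a `--max-rate` style option configures, and an account-wide API quota that every principal in the account shares. Everything in it is a simplification and assumption: the quota is modelled as a one-second sliding window, the "neighbour" is a hypothetical second principal making a fixed number of calls each second, and the clock is virtual so the simulation runs instantly and offline.

```python
"""Added example, not Scout Suite's own code. It models the point in the
thread above: AWS rate limits are account-wide, so a scanner's client-side
pacing (what a --max-rate style option configures) has to leave headroom for
everything else in the account, or the scanner throttles both itself and its
neighbours. A virtual clock keeps the simulation instant and offline."""
from collections import deque


class VirtualClock:
    """Integer millisecond clock; sleeping advances time instead of blocking."""

    def __init__(self):
        self.now_ms = 0

    def now(self):
        return self.now_ms

    def sleep(self, ms):
        self.now_ms += ms


class AccountWideQuota:
    """Stand-in for an AWS API quota (assumption: a 1-second sliding window
    shared by every principal in the account, as the thread describes)."""

    def __init__(self, clock, calls_per_second):
        self.clock = clock
        self.limit = calls_per_second
        self.window = deque()  # timestamps (ms) of calls accepted in the last second

    def call(self):
        now = self.clock.now()
        while self.window and now - self.window[0] >= 1000:
            self.window.popleft()
        if len(self.window) >= self.limit:
            return False  # where a real SDK would raise a throttling error
        self.window.append(now)
        return True


class Pacer:
    """Client-side rate control: never issue calls closer together than
    1000 / max_rate milliseconds (the mechanism behind a --max-rate option)."""

    def __init__(self, clock, max_rate):
        self.clock = clock
        self.interval = -(-1000 // max_rate)  # ceiling division, in ms
        self.next_allowed = 0

    def acquire(self):
        now = self.clock.now()
        if now < self.next_allowed:
            self.clock.sleep(self.next_allowed - now)
        self.next_allowed = self.clock.now() + self.interval


def run_scan(calls, quota_per_second, max_rate=None, other_tenant_rate=0):
    """Issue `calls` describe-style API calls against a shared quota.

    Without max_rate the tool fires every call immediately (the unpaced,
    many-workers case). other_tenant_rate models a hypothetical neighbour in
    the same account (a CI pipeline, say) making that many calls at the start
    of each second. Returns (succeeded, throttled, elapsed_ms).
    """
    clock = VirtualClock()
    quota = AccountWideQuota(clock, quota_per_second)
    pacer = Pacer(clock, max_rate) if max_rate else None
    succeeded = throttled = 0
    seen_second = -1
    for _call in range(calls):
        if pacer:
            pacer.acquire()
        second = clock.now() // 1000
        if second != seen_second:  # neighbour's traffic lands as time passes
            seen_second = second
            for _neighbour_call in range(other_tenant_rate):
                quota.call()
        if quota.call():
            succeeded += 1
        else:
            throttled += 1
    return succeeded, throttled, clock.now()


if __name__ == "__main__":
    print("unpaced, alone:         ", run_scan(25, 10))
    print("max_rate=5, neighbour 3:", run_scan(25, 10, max_rate=5, other_tenant_rate=3))
    print("max_rate=8, neighbour 3:", run_scan(25, 10, max_rate=8, other_tenant_rate=3))
```

The three runs show the trade-off the maintainer's reply describes: unpaced, most calls are rejected outright; paced at 5/s with a 10/s quota and a neighbour using 3/s, nothing is throttled but the scan takes longer; paced at 8/s the scanner fits on its own but, because the quota is shared, it still collides with the neighbour once every second. Picking a `--max-rate` therefore means budgeting for the whole account, not just the tool.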


I apologize for the uncharitable description. It was more of an organizational issue. They could have picked any other tool to execute a self-inflicted DoS and I would have been upset with that instead.


;-)


Scout is basically to AWS assessments what Burp is to web assessments; the baseline standard tool. It's a consultant's tool, though.
