§ 03 — Platform agent

Find a finding.
Then close it.

Most healthcare security tools surface findings. Few close them. Mensah is the third agent of the trio — the one that ships the fix.

It generates infrastructure-as-code patches, IAM corrections, secret rotations, and HIPAA control fixes — in your repository, as a pull request, with reviewer-ready diffs and tests. Your team approves and merges. The graph re-validates the fix automatically.

01 / Identify · gura · Hunts like an attacker. Surfaces exploitable paths first.
02 / Investigate · pin · Triages signal at machine speed. Drafts the incident narrative.
03 / Remediate · mensah · Closes the underlying cause. Pull request, not Slack message.
§ 01 — What it does

Four categories of remediation, each producing reviewable changes against your existing systems — never silent edits.

A pull request,
not a ticket.

01 / Infrastructure

IaC patches.

Generates Terraform, CloudFormation, Pulumi, or Bicep diffs against your existing IaC repository to fix misconfigurations gura surfaces.

Example: bucket exposure fix
```diff
resource "aws_s3_bucket_public_access_block" "emr" {
  bucket = aws_s3_bucket.emr_backup.id
- block_public_acls   = false
+ block_public_acls   = true
+ block_public_policy = true
+ ignore_public_acls  = true
+ restrict_public_buckets = true
}
```
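An added example, not Mensah's own code, of the audit-and-patch step behind this card: it reads the JSON that `aws s3api get-public-access-block` returns, lists the flags still off, renders the hardened Terraform resource for the PR, and doubles as the post-merge re-validation check used in the worked example further down. The sample JSON, the `FLAGS` map and the resource names are constructed for this illustration.

```python
import json

# Constructed sample: what `aws s3api get-public-access-block` returns for a
# bucket with every protection still off (values invented for this example).
SAMPLE_PAB_JSON = json.dumps({
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": False,
        "IgnorePublicAcls": False,
        "BlockPublicPolicy": False,
        "RestrictPublicBuckets": False,
    }
})

# AWS API field -> argument name on aws_s3_bucket_public_access_block.
FLAGS = {
    "BlockPublicAcls": "block_public_acls",
    "BlockPublicPolicy": "block_public_policy",
    "IgnorePublicAcls": "ignore_public_acls",
    "RestrictPublicBuckets": "restrict_public_buckets",
}


def weak_flags(pab_json: str) -> list:
    """Terraform arguments whose protection is off or absent. A bucket with no
    public-access-block configuration at all ({}) counts as all four off."""
    cfg = json.loads(pab_json).get("PublicAccessBlockConfiguration", {})
    return [tf for api, tf in FLAGS.items() if cfg.get(api) is not True]


def render_terraform_fix(resource: str, bucket_ref: str) -> str:
    """The hardened resource block that goes into the PR: all four flags true."""
    body = [f'resource "aws_s3_bucket_public_access_block" "{resource}" {{',
            f"  bucket = {bucket_ref}"]
    body += [f"  {tf} = true" for tf in FLAGS.values()]
    body.append("}")
    return "\n".join(body)


def smoke_check(pab_json: str) -> bool:
    """Re-validation after merge: passes only when nothing is left to fix."""
    return not weak_flags(pab_json)


if __name__ == "__main__":
    print("weak flags:", weak_flags(SAMPLE_PAB_JSON))
    print(render_terraform_fix("emr_backup", "aws_s3_bucket.emr_backup.id"))
```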
02 / Identity & Access

IAM corrections.

Identifies over-privileged roles, stale credentials, and policy violations against least-privilege principles. Generates revised policies as Git-tracked diffs.

Example: role privilege reduction
```diff
"Statement": [{
  "Effect": "Allow",
- "Action": "s3:*",
+ "Action": [
+   "s3:GetObject",
+   "s3:PutObject"
+ ],
- "Resource": "*"
+ "Resource": "arn:aws:s3:::ehr-prod/*"
}]
```
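An added illustration, not Mensah's code, of how a wildcard statement is narrowed to what the role actually used: the `WIDE_POLICY`, the `OBSERVED` action/ARN pairs and the function names are constructed here, and the output is the unified diff a PR would carry. It stops rather than guesses when a wildcard statement has no observed usage at all.

```python
import copy
import difflib
import fnmatch
import json

# Constructed sample: the over-privileged statement gura would flag.
WIDE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EhrBackup", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Constructed sample: (action, object ARN) pairs the role actually exercised over
# the review window, e.g. distilled from CloudTrail S3 data events.
OBSERVED = [
    ("s3:GetObject", "arn:aws:s3:::ehr-prod/2026/05/10/chart.json"),
    ("s3:PutObject", "arn:aws:s3:::ehr-prod/2026/05/10/chart.json"),
    ("s3:GetObject", "arn:aws:s3:::ehr-prod/2026/05/09/labs.json"),
]


def infer_scope(observed):
    """Collapse observed object ARNs to one 'bucket/*' scope per bucket. Object-level
    actions only: bucket-level actions such as s3:ListBucket are evaluated against
    the bucket ARN itself and need their own statement."""
    buckets = sorted({arn.split("/", 1)[0] for _, arn in observed})
    scopes = [b + "/*" for b in buckets]
    return scopes[0] if len(scopes) == 1 else scopes


def narrow_statement(stmt, observed):
    """Replace a wildcard Action / Resource with exactly what was observed.
    Already-specific statements come back unchanged; no usage means no guess."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any("*" in a for a in actions) and stmt.get("Resource") != "*":
        return stmt
    used = sorted({a for a, _ in observed if any(fnmatch.fnmatchcase(a, p) for p in actions)})
    if not used:
        raise ValueError(f"no observed usage for statement {stmt.get('Sid')}")
    new = copy.deepcopy(stmt)
    new["Action"], new["Resource"] = used, infer_scope(observed)
    return new


def remediate(policy, observed):
    """Narrow every statement; the original document is left untouched."""
    new = copy.deepcopy(policy)
    new["Statement"] = [narrow_statement(s, observed) for s in policy["Statement"]]
    return new


def policy_diff(old, new):
    """Unified diff of the two documents, as it would land in the pull request."""
    a, b = (json.dumps(p, indent=2).splitlines() for p in (old, new))
    return "\n".join(difflib.unified_diff(a, b, "policy.json", "policy.json", lineterm=""))
```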
03 / Code & Secrets

Credential rotation.

When gura flags hard-coded secrets or exposed API keys, mensah issues rotation calls to your secret manager and produces a PR replacing literals with references.

Example: hard-coded key replacement
```diff
// payment_processor.ts
- const stripeKey = "sk_live_4eC39Hq..."
+ const stripeKey = await secrets.get(
+   "stripe/live/api_key"
+ )
// Old key revoked: T+8min
// New key in vault: ref/2026-05-10-r1
```
04 / HIPAA Controls

Compliance & retention fixes.

Generates corrections to access logging, retention rules, audit-trail config, and BAA-required controls against detected gaps under the HIPAA Security Rule.

Example: PHI retention adjustment
```diff
# retention_policy.yaml
- table: ehr_records
-   retain_days: indefinite
+   retain_days: 2190  # 6yr — HIPAA § 164.530(j)
+   purge_after: archive_to_cold
+   audit_log_retention_days: 2190
+   review_cadence_days: 365
```
§ 02 — Safety

Mensah never executes silently. Every change passes through a configurable approval gate calibrated to your risk tolerance.

Auto-fix.
Never auto-execute.

Human-in-the-loop, by default.

Mensah classifies every proposed remediation by blast radius — how much production traffic, how many patient records, how reversible. Each blast-radius class maps to an approval gate you configure during onboarding.

For low-risk, fully reversible changes, you can opt to auto-approve. For changes touching production PHI, IAM, or anything affecting more than 1,000 patient records, the agent waits — even when an engineer could technically merge it.

Audit trail: every PR carries the agent's reasoning chain, the originating gura finding, the pin classification, and the human signoff. HIPAA-attestable end-to-end.

  • L1 · Auto-approve · Reversible config — enable logging, bucket public-access blocks, MFA enforcement. Optional auto-merge on green CI. Default OFF.
  • L2 · Single approver · IAM scope reductions, retention adjustments, secret rotations. Routed to designated owner. 4-hour SLA for auto-escalation.
  • L3 · Two-person rule · Production database changes, external sharing modifications, access policy changes. Requires CISO + Engineering Lead.
  • L4 · Change advisory · Anything affecting >1,000 patient records, BAA-bound systems, or cross-border PHI transfers. Routed to your CAB. No timeout.
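Added example, not the product's implementation: one way to encode the four gates above as a classifier, with the L4 triggers checked first so a routine-looking change can never fall into auto-approve. The `ProposedChange` fields, the kind names and the threshold constant are assumptions made for this illustration; a tenant would set its own values at onboarding.

```python
from dataclasses import dataclass

# Threshold from the gate table; assumed to be tunable per tenant at onboarding.
L4_RECORD_THRESHOLD = 1000

# Change kinds as described in the gate table, grouped by default gate (names assumed).
L1_KINDS = {"enable_logging", "public_access_block", "mfa_enforcement"}
L2_KINDS = {"iam_scope_reduction", "retention_adjustment", "secret_rotation"}
L3_KINDS = {"prod_db_change", "external_sharing", "access_policy_change"}


@dataclass(frozen=True)
class ProposedChange:
    """What the classifier needs to know about a remediation before a PR is opened."""
    kind: str
    reversible: bool
    patient_records: int = 0        # records the change itself can touch
    baa_bound_system: bool = False
    cross_border_phi: bool = False


def approval_gate(change: ProposedChange) -> str:
    """Widest blast radius wins: the L4 triggers are checked first so that a
    change crossing the record threshold or a border never lands in L1."""
    if (change.patient_records > L4_RECORD_THRESHOLD
            or change.baa_bound_system or change.cross_border_phi):
        return "L4"
    if change.kind in L3_KINDS:
        return "L3"
    if change.kind in L2_KINDS:
        return "L2"
    if change.kind in L1_KINDS and change.reversible:
        return "L1"
    return "L2"  # unknown kind or irreversible config change: a human looks at it


def may_auto_merge(change: ProposedChange, auto_merge_l1: bool = False,
                   ci_green: bool = False) -> bool:
    """Only an L1 change can merge without a human, and only when the tenant
    opted in (default OFF) and CI is green."""
    return approval_gate(change) == "L1" and auto_merge_l1 and ci_green
```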
§ 03 — Worked example

What a remediation actually looks like in your engineers' GitHub — continuation of the 40K-patient EHR-bucket exposure surfaced by gura.

From finding to
merged fix.

The EHR backup bucket, fixed in 14 minutes.

gura surfaced the public bucket. pin classified it as critical, breach-notifiable under § 164.408, with 40,213 affected patients. Mensah opened the pull request — Terraform diff, two AWS CLI commands for immediate-action containment, and a smoke test verifying the bucket was no longer publicly resolvable.

The customer's engineering lead approved at 03:48 AM, the auto-merge fired at 03:49, the bucket was private by 03:51, and the graph re-validated the fix at 03:54. Total: 14 minutes from finding to merged-and-verified, while pin was still drafting the breach notification in parallel.

The CISO had a closed exposure to point to in the OCR notification, not just an exposure that needed closing — which materially altered the regulator's risk classification.

secunit-bot opened #2847 · privacy/fix-emr-bucket-public-access · Merged

```diff
# SecUnit · critical exposure remediation
# Source finding: SU-EXP-2026-05-08-0014
# Subjects affected: 40,213 patient records (PHI)
# Approval gate: L3 (CISO + Eng Lead) ✓ ✓

--- terraform/storage/emr.tf ---
resource "aws_s3_bucket_public_access_block" "emr_backup" {
  bucket = aws_s3_bucket.emr_backup.id
-  block_public_acls = false
+  block_public_acls = true
+  block_public_policy = true
+  ignore_public_acls = true
+  restrict_public_buckets = true
}

--- ops/immediate-action.sh ---
+ aws s3api put-public-access-block \
+   --bucket prod-emr-backup-2024 \
+   --public-access-block-configuration ...
+ aws s3api put-bucket-encryption ...

--- tests/exposure_smoketest.py ---
+ assert public_reachable(BUCKET) == False
+ assert encryption_at_rest(BUCKET) == True
```

+47 −4 lines · 14 min · merged 03:49
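Review bot: in tests/exposure_smoketest.py the `== False` / `== True` comparisons should be `assert not public_reachable(BUCKET)` and `assert encryption_at_rest(BUCKET)` (comparison to a boolean singleton); and the `--public-access-block-configuration ...` and `put-bucket-encryption ...` arguments in ops/immediate-action.sh are elided in this rendering, so a reviewer cannot confirm that the CLI containment sets the same four flags the Terraform hunk sets, or which encryption settings the smoke test expects to find.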
§ 04 — Availability

Mensah is included on Pro and above. Starter customers receive findings only — fixes are produced manually or via per-action credits.

What's included
where.

Capability                    | Starter                | Pro                  | Max                    | Enterprise
Mensah · IaC patches          | via credits (2/action) | ✓ unlimited          | ✓ unlimited            | ✓ unlimited
Approval gates (L1–L4)        |                        | L2 + L3 only         | ✓ all four             | ✓ all four
GitHub / GitLab / Bitbucket   | read-only              | ✓ PR-creation        | ✓ + branch protections | ✓ + air-gapped support
IAM & secret rotation         |                        | manual approval only | ✓ + auto-rotation      | ✓ + HSM integration
Smoke tests on merge          |                        |                      |                        |
Custom remediation playbooks  |                        |                      |                        | ✓ + on-prem
Auto-merge on L1 (opt-in)     |                        | opt-in               | ✓ opt-in               | ✓ opt-in


Don't just find. Close.

Connect a repo.
See the first PR by tomorrow.