Our findings said 'this bucket is public.' Users asked 'what do I change to fix it?' We derived the answer mechanically from the predicate AST — no per-rule authoring needed.
Here's how counterfactual reasoning turns detection output into actionable fixes. The finding that doesn't help Finding: CTL.S3.PUBLIC.001 Asset: arn:aws:s3:::prod-assets Severity: high DEFECT: The bucket's ACL grants read