UNCLASSIFIED. Open Brief. Surface Cut.
Field Signals
AWS FinOps MCP ships
Agents query cost data, budgets, anomalies, read-only.
Azure kills TLS 1.0/1.1
Deprecated policies break on next config change.
Cisco FMC RADIUS CVSS 10
Pre-auth RCE if RADIUS enabled, patch now.
🔒 Also Inside
— Playbook Drop: 5-minute FinOps agent flow
— Benchmark: TLS cutoff in six days
— Tool in Focus: AWS Billing & Cost MCP
— Role Intel: FMC RADIUS mitigation, regulated org
Don’t wait for someone to forward it.
Get the Edge →
🔒 CLASSIFIED. Operator Brief. Deep Cut.
Field Signals
AWS ships Billing and Cost MCP server
Impact: agents can query Cost Explorer, Optimisation Hub, Compute Optimizer, Savings Plans, Budgets, S3 Storage Lens, and Cost Anomaly Detection.
Action: add a read-only demo account and wire the server into your MCP client.
🔗 AWS Cloud Financial Management blog, 22 Aug 2025
Azure App Gateway retires TLS 1.0 and 1.1 on 31 Aug
Impact: gateways on deprecated SSL policies may fail on the next config change.
Action: move to AppGwSslPolicy20220101 or 20220101S and verify back ends accept 1.2+.
🔗 Managing your Application Gateway with TLS 1.0 and 1.1 retirement
Cisco FMC RADIUS bug, CVSS 10
Impact: pre-auth RCE if RADIUS is enabled for web or SSH admin.
Action: patch now; if blocked, disable RADIUS on FMC admin paths and switch to local or LDAP temporarily.
🔗 Cisco advisory and NVD
Playbook Drop
5-minute FinOps agent flow for AWS
Preconditions: enable Cost Explorer. Use least-privilege, time-bounded, read-only access to Cost Explorer, Budgets, Savings Plans, Compute Optimizer, and Cost Anomaly Detection in a non-production account. See official server post for exact permissions and setup.
Tooling: use your standard MCP client and follow its add-server workflow. Avoid hand-editing unless the client docs say so.
Scope: keep to descriptive queries only. Do not enable write tools. Start with cost by service and region, MoM variance by key tag, and anomalies over your threshold.
Governance: confirm your org policy allows MCP usage in demos. Log queries for audit. Use throwaway credentials.
For exact commands, config panels, and sample prompts, use the AWS announcement and linked documentation.
Benchmark Snap
6 days to TLS cutoff
As of 25 Aug 2025, there are 6 days until Azure Application Gateway removes TLS 1.0 and 1.1 on 31 Aug 2025. SE implication: schedule a TLS sweep this week.
🔗 Managing your Application Gateway with TLS 1.0 and 1.1 retirement
Tool in Focus
AWS Billing and Cost MCP Server
What it does: bridges assistants to AWS cost and optimisation services for natural-language analysis.
Where it fits: discovery and exec readouts to quantify ROI; mid-POC variance reviews.
15-minute test: register the server in your MCP client against a read-only profile. Ask for last month’s top three services by spend, the MoM variance by tag Environment, and open anomalies above 5 percent.
Pricing: standard AWS API request costs for the services it calls.
🔗 AWS Announces Billing and Cost Management MCP Server
Role Intel
Security SE, regulated enterprise
Blocked change window and FMC uses RADIUS. Mitigate by moving admin auth off RADIUS, document rollback, then patch in the next approved window. Send a one-liner to the CISO channel with asset scope and next slot.
🔗 Cisco advisory and NVD
If this helped, send it on. If it didn’t, delete it. Get the Edge →