Quickstart

From zero to your first cloud estate scan and Finding in under 10 minutes.

Prerequisites

  • macOS (Apple Silicon or Intel), Windows, or Linux
  • AWS/Azure CLI installed and at least one profile configured (aws configure, az login)
  • Node.js 18+ and Rust (latest stable) — only required if building from source

The path through the app

This guide walks you through each screen in order.


Step 1 — Install the Escher desktop app

Download the latest release for your platform from the internal release channel or build from source.

Option A — Pre-built binary (recommended)

bash
# macOS — download the .dmg from the release channel
# Open Escher.dmg → drag to Applications → launch Escher

Option B — Build from source

bash
# Prerequisites: Node.js 18+, Rust stable, Xcode CLT (macOS)
git clone https://github.com/escher-dbai/v2-desktop-app-tauri
cd v2-desktop-app-tauri

# Configure GitHub Package Registry access (private packages)
export NPM_TOKEN=your_github_pat_here

npm install
npm run tauri:build

WARNING

The NPM_TOKEN must have read:packages scope on the escher-dbai org. Never commit this token.

Expected output after first launch:

Escher v2.x.x
Initialising local estate store...
No profiles found. Connect a cloud account to get started.

You are now on Screen 0 — Estate Overview. The estate graph is empty until you connect a cloud account and run a scan.


Step 2 — Connect your AWS account

Escher discovers profiles from your local AWS CLI configuration. It does not create new cloud connections — it reads what you've already configured.

2a. Confirm your AWS CLI profile exists:

bash
aws configure list-profiles
# Expected: at least one profile name, e.g. "prod-admin", "default"

aws sts get-caller-identity --profile prod-admin
# Expected:
# {
#   "UserId": "AIDAXXXXXXXXXXXXXXXXX",
#   "Account": "123456789012",
#   "Arn": "arn:aws:iam::123456789012:user/prod-admin"
# }

If this fails, run aws configure --profile prod-admin or aws configure sso to set up the profile first.

2b. Discover profiles in Escher:

  1. On Screen 0 — Estate Overview, click Add Account (top-right)
  2. Click Discover Profiles — Escher scans ~/.aws/credentials and ~/.aws/config
  3. Your profiles appear listed with status Discovered
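
Because discovery reads every profile in those two files, it helps to know beforehand which profiles hold long-lived access keys rather than SSO or role-based credentials. The following is an added example, not Escher's code: it classifies profiles by how they obtain credentials, using constructed sample files with placeholder values; the function names and category labels are illustrative.

```python
import configparser

# Config keys that reveal how a profile obtains its credentials.
KINDS = {"aws_access_key_id": "static-key", "aws_session_token": "session-token",
         "sso_start_url": "sso", "sso_session": "sso",
         "role_arn": "assume-role", "credential_process": "credential-process"}

def classify_profiles(credentials_text, config_text):
    """Map each profile name to the credential kinds found in either file."""
    found = {}
    for text, is_config in ((credentials_text, False), (config_text, True)):
        cp = configparser.RawConfigParser(strict=False)
        cp.read_string(text)
        for section in cp.sections():
            name = section
            if is_config and section != "default":
                if not section.startswith("profile "):
                    continue  # [sso-session ...] / [services ...] are not profiles
                name = section[len("profile "):].strip()
            kinds = {KINDS[k] for k in cp.options(section) if k in KINDS}
            found.setdefault(name, set()).update(kinds)
    return found

def long_lived(found):
    """Profiles holding an access key with no session token (non-expiring)."""
    return sorted(n for n, k in found.items()
                  if "static-key" in k and "session-token" not in k)

# Constructed sample files; the key values are placeholders, not real secrets.
SAMPLE_CREDENTIALS = """[default]
aws_access_key_id = EXAMPLE-KEY-ID
[ci-temp]
aws_access_key_id = EXAMPLE-TEMP-KEY-ID
aws_session_token = EXAMPLE-TOKEN
"""
SAMPLE_CONFIG = """[default]
[profile prod-admin]
sso_session = corp
[profile audit]
role_arn = arn:aws:iam::123456789012:role/Audit
[sso-session corp]
sso_start_url = https://sso.example.invalid/start
"""

if __name__ == "__main__":
    found = classify_profiles(SAMPLE_CREDENTIALS, SAMPLE_CONFIG)
    for name in sorted(found):  # names and kinds only, never key material
        print(name, sorted(found[name]))
    print("long-lived:", long_lived(found))
```

To audit your own machine, pass the text of ~/.aws/credentials and ~/.aws/config in place of the samples.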

2c. Enable the profile:

Select the profile → click Enable → click Test Access

Profile: prod-admin
Provider: AWS
Account: 123456789012
Status: ✓ Connected
Permissions: Sufficient for estate scan

TIP

Escher requires read-only IAM permissions. See AWS Connection for the exact IAM policy to attach.


Step 3 — Run your first estate scan

An estate scan reads the current state of all resources across enabled profiles and builds your EstateView.

On Screen 0 — Estate Overview:

  1. Select a profile and click Start Scan
  2. Escher scans all enabled profiles in parallel
  3. Each service domain (EC2, S3, RDS, IAM, VPC...) completes independently — progress shows per-domain

Expected output:

Estate refresh started
  prod-admin (AWS 123456789012)
    ✓ EC2 — 48 instances
    ✓ S3 — 22 buckets
    ✓ RDS — 6 instances
    ✓ IAM — 142 users, 38 roles
    ✓ VPC — 4 VPCs, 16 subnets
    ✓ Lambda — 31 functions
  Snapshot committed: v3 (prev: v2)
  Changes since last refresh: +3 / -0 / ~12

Estate refresh complete — 5m 14s
Resources observed: 380

The estate is now stored locally in your EstateView. Queries run offline from this point — no cloud calls until the next refresh.

Explore the estate graph: On Screen 0, click App Lens (top-left dropdown) to switch between estate views:

  • All resources — full topology
  • Security lens — surfaces exposure risks
  • Cost lens — highlights idle and oversized resources
  • Compliance lens — maps resources to control requirements

Step 4 — Ask a question

Type a natural-language question in the chat interface at the bottom of Screen 0:

How many EC2 instances in us-east-1 are running without a Name tag?

What happens internally:

  1. Escher classifies the intent → routes to the Analysis Agent
  2. Analysis Agent resolves the matching skill from the Context Engine
  3. Context Manager assembles estate context from local RAG (no new cloud calls)
  4. Tools extract structured data (inspect_schema, compute_stats)
  5. Response streams back to the chat panel

Expected response (streamed):

Found 12 EC2 instances in us-east-1 without a Name tag.

Breakdown by instance type:
  t3.medium   — 7 instances
  m5.large    — 3 instances
  c5.xlarge   — 2 instances

All 12 are in the prod-core account (123456789012).
The oldest untagged instance has been running for 847 days.

Recommendation: These instances should be tagged for cost allocation and
compliance. Would you like me to create a Finding for this?
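
An answer like this can be cross-checked against the provider's own API output before a Finding is created. The following is an added example, not Escher's code: it applies the same filter to the JSON printed by `aws ec2 describe-instances --region us-east-1 --output json`. The sample document is constructed, and treating a blank Name value as untagged is an assumption.

```python
import json
from collections import Counter

def untagged_running(describe_output, tag_key="Name"):
    """Return running instances whose tag_key is absent or blank."""
    hits = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue  # the question asks about running instances only
            # "Tags" is omitted entirely when an instance has no tags at all.
            tags = {t["Key"]: t.get("Value", "") for t in inst.get("Tags", [])}
            if not tags.get(tag_key, "").strip():  # tag keys are case-sensitive
                hits.append(inst)
    return hits

def by_type(instances):
    """Count instances per instance type, as in the breakdown above."""
    return Counter(i["InstanceType"] for i in instances)

# Constructed sample in the shape of describe-instances output (trimmed fields).
SAMPLE = json.loads("""
{"Reservations": [
  {"Instances": [
    {"InstanceId": "i-0aaa", "InstanceType": "t3.medium",
     "State": {"Name": "running"}},
    {"InstanceId": "i-0bbb", "InstanceType": "t3.medium",
     "State": {"Name": "running"},
     "Tags": [{"Key": "Name", "Value": "web-1"}]}]},
  {"Instances": [
    {"InstanceId": "i-0ccc", "InstanceType": "m5.large",
     "State": {"Name": "running"},
     "Tags": [{"Key": "Name", "Value": " "}, {"Key": "env", "Value": "prod"}]},
    {"InstanceId": "i-0ddd", "InstanceType": "c5.xlarge",
     "State": {"Name": "stopped"}}]}
]}
""")

if __name__ == "__main__":
    hits = untagged_running(SAMPLE)
    print(len(hits), "running instances without a Name tag")
    for itype, count in sorted(by_type(hits).items()):
        print(f"  {itype}: {count}")
```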

Step 5 — Create your first Finding

Reply: Yes, create a finding

Escher creates a Finding and opens Screen 1 — Finding:

Finding: EC2 Instances Missing Name Tag
  Severity: Medium
  Affected resources: 12
  Account: 123456789012 (prod-core)
  Region: us-east-1
  Evidence: attached (instance IDs, ages, types)
  Status: Open

The Finding detail panel on Screen 1 shows:

  • Summary — what was detected and why it matters
  • Affected resources — the 12 instances, with ID, age, and type
  • Evidence — the structured data captured during analysis
  • Linked plans — empty for now

Navigate to Findings in the left nav to see all open Findings in your triage view.


Step 6 — Generate a Plan

From Screen 1 — Finding, click Create Plan (or ask in chat: Create a plan to tag all 12 instances).

Escher opens Screen 2 — Plan with a draft ChangeSet showing:

Plan: Tag Untagged EC2 Instances
  Status: Draft → Proposed
  Target: 12 EC2 instances in us-east-1
  Operation: Apply Name tag (tag-only, no restart)
  Blast radius: 0 restarts · 0 downtime · reversible

  Steps in Bundle:
    Step 1: aws ec2 create-tags
            --resources i-0abc123... (12 instances)
            --tags Key=Name,Value=${instance_id}

  Estimated duration: < 30 seconds

Review the Plan on Screen 2 → click Approve Bundle when ready.


Step 7 — Bundle Review and Execution

Clicking Approve Bundle moves you to Screen 3 — Bundle Review:

  • Each step is listed with its exact API call, parameters, and expected outcome
  • Expand any step to see the full before-state snapshot
  • Click Approve per step (or Approve All for low-risk operations)

After approval, Escher moves to Screen 4 — Run Execution:

Run: Tag Untagged EC2 Instances — prod-core
  Status: Running
  ✓ Step 1: create-tags (12 instances) — 1.4s
  Run complete — Duration: 1.4s

Evidence captured:
  Before state: 12 instances with no Name tag
  After state:  12 instances tagged
  API calls: 1 (create-tags, 12 resources)

The Finding status automatically updates to Closed. The Evidence is attached to the Run and available for audit export.


What's next

  • Core Concepts — Understand Estate, Finding, Plan, Bundle, Run, and Evidence
  • AWS Connection — Attach the right IAM policy for full estate visibility
  • Skills Overview — What the seven skill verticals can do for you
  • Playbooks — Automate multi-step write operations with safety guarantees

Escher — Agentic CloudOps by Tessell