Building DevSecOps solutions using AWS, Terraform and Kubernetes

Understanding Subagents

  • 8th March 2026
Orchestrator agent managing Kubernetes, Terraform and Python subagents

Introduction

A subagent is a specialised AI agent launched by a parent (orchestrator) agent to handle a discrete, bounded task. Rather than one agent trying to do everything, you delegate each to the right agent for the task.

This pattern is the same way we distribute work to employees in a company, only now we are distributing the work to automated agents.

What is a Subagent?

An orchestrator agent receives a goal, plans the work, and spawns one or more subagents. Each subagent:

  • Receives a scoped prompt and only the context it needs
  • Has access to a defined set of tools (e.g. kubectl, Terraform CLI, a Python script)
  • Returns a result to the orchestrator, which assembles the final output

The orchestrator does not need to know how to run Terraform - it delegates that to a Terraform subagent that does.

DevOps Use Cases

Kubernetes Agent

A Kubernetes subagent can be given access to kubectl and cluster credentials. Useful tasks:

  • Inspect failing pods and surface error logs
  • Apply or roll back manifests
  • Check resource quotas and HPA status
  • Validate that a deployment is healthy
Terraform Agent

A Terraform subagent wraps the Terraform CLI and can:

  • Run terraform plan and summarise the diff in plain English
  • Detect drift between state and actual infrastructure
  • Identify deprecated modules
  • Apply targeted changes within a defined scope
Python Agent

Python subagents are highly flexible. Common developer applications:

  • Run unit or integration tests and surface failures in plain English
  • Generate code from an OpenAPI spec
  • Analyse code coverage reports and highlight under-tested paths
  • Scaffold boilerplate for new services or endpoints following project conventions

Orchestrating Subagents

An orchestrator coordinates subagents through a defined lifecycle.

A simple example: an on-call triage agent receives a PagerDuty alert. It spawns:

  • A Kubernetes subagent to check pod health
  • A Terraform subagent to check for recent infra changes
  • A Python subagent to pull the last 50 lines of application logs from CloudWatch

The orchestrator combines all three reports into a single triage summary and recommends a course of action.

How Subagents Help with Context Rot

Context rot is the gradual decay of an AI agent’s effectiveness as the context becomes bloated with bad information.

Subagents are a structural fix for this problem:

  • Scoped context per agent - Each subagent receives only the context it needs for its specific task.
  • Fresh context on every invocation - Subagents are spawned for a task and then discarded. It starts clean every time.
  • Parallelism prevents cross-contamination - When multiple subagents run concurrently, their contexts are fully isolated.
  • The orchestrator stays lean - Rather than one agent holding every detail of a complex operation in memory, the orchestrator holds only summaries and decisions.

The result is a system where each subagent can focus on a narrow problem, and the orchestrator agent can focus on the bigger picture.

Summary

Subagents make AI automation practical at DevOps scale. Delegating specialised work like Kubernetes, Terraform, and Python tasks to specialised agents allows the orchestration agent to focus on solving a larger complex task without getting lost in the trees.

Rhuaridh

Please get in touch through my socials if you would like to ask any questions - I am always happy to speak tech!

Hello, I am a Principal DevSecOps Engineer working in the e-commerce and fintech space. I occassionally like to blog about stuff.

Disclaimer

Technology moves fast, and it's not always possible to keep blog posts up to date.

Please read the disclaimer.