How to Set Up KafkaGuard On-Prem: Enterprise Kafka Security in Under 30 Minutes

Your Kafka Clusters Deserve More Than a Spreadsheet

If you're running Kafka in production, you already know the drill: a compliance audit comes around, and someone spends a week pulling broker configs, cross-referencing ACLs, and building a spreadsheet that's outdated by the time it's reviewed.

KafkaGuard On-Prem replaces that entire workflow. It gives your team a self-hosted platform where every Kafka cluster gets scanned automatically, findings are tracked with remediation guidance, and compliance reports are one click away.

No data leaves your network. No SaaS dependency. No internet required.

What You Get

KafkaGuard On-Prem ships as a single bundle that runs entirely inside your infrastructure:

  • Web Dashboard — Multi-cluster view with compliance scores, findings, and remediation
  • REST API — Programmatic access for CI/CD integration
  • Scan Worker — Background processing with compliance scoring
  • 50+ Security Controls — Across three policy tiers (baseline, enterprise, finance-iso)
  • Team Management — Role-based access with audit logging
  • Offline Licensing — RSA-signed keys bound to your machine, no phone-home

Everything runs in Docker containers behind an nginx reverse proxy with TLS.

Prerequisites

You'll need one Linux server (or macOS for evaluation) with:

  • Docker 24+ with the Compose plugin
  • 10 GB free disk space
  • Ports 80 and 443 available (or 3000/3001 for dev mode)

That's it. No Kubernetes, no cloud account, no external database.

Step 1: Install (5 Minutes)

Download and extract the on-prem bundle:

tar -xzf kafkaguard-onprem-v2.0.0.tar.gz
cd kafkaguard-onprem

Run the interactive installer:

./installer/install.sh

The installer handles everything:

  1. Preflight checks (Docker version, available ports, disk space)
  2. Generates JWT signing keys and service secrets
  3. Sets up TLS certificates (self-signed or bring your own)
  4. Pulls and starts all services via Docker Compose
  5. Creates your admin account

When it finishes, you'll see:

KafkaGuard On-Prem is ready!
Dashboard: https://your-server
API:       https://your-server:3001

Open the dashboard URL in your browser and log in with the admin credentials you set during installation.

Step 2: Activate Your License (2 Minutes)

Navigate to Settings in the dashboard. You'll see your machine fingerprint — a unique identifier for this installation.

Send the fingerprint to your KafkaGuard account manager to receive a license key. Paste it into the Settings page and save.

Licenses are validated entirely offline using RSA signature verification. KafkaGuard never contacts an external server.

Evaluating? The installer supports a LICENSE_KEY=skip mode for trial use with no restrictions.

Step 3: Run Your First Scan (2 Minutes)

Install the KafkaGuard CLI on any machine that can reach your Kafka brokers:

curl -LO https://github.com/KafkaGuard/kafkaguard-releases/releases/latest/download/kafkaguard_Linux_x86_64.tar.gz
tar -xzf kafkaguard_Linux_x86_64.tar.gz
sudo mv kafkaguard /usr/local/bin/

Create an API key in the dashboard (API Keys > Create Key), then scan and upload in one command:

export KAFKAGUARD_API_KEY="kg_onprem_your_key_here"

kafkaguard scan \
  --bootstrap kafka1:9092,kafka2:9092,kafka3:9092 \
  --policy policies/enterprise-default.yaml \
  --upload https://your-kafkaguard-server

Within seconds, your cluster appears in the dashboard with a compliance score, findings broken down by severity, and actionable remediation for every issue found.

Step 4: Review Findings and Fix Issues (10 Minutes)

Open the cluster in the dashboard. You'll see:

Compliance Score — A single number (0-100) showing your cluster's security posture. This is the number your auditors will ask for.

Findings by Severity — Critical, High, Medium, and Low issues with clear descriptions. Click any finding to expand it and see step-by-step remediation:

KG-028: Auto-create topics disabled
Severity: Medium
Status: FAIL

Remediation:
Set auto.create.topics.enable=false in server.properties.
This prevents unauthorized topic creation which can lead to
data leakage and resource exhaustion.

Every finding includes the specific config change needed, why it matters, and which compliance framework it maps to.
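
A local pre-check for the KG-028 remediation above, as an added example that is not part of KafkaGuard or the original guide: it reads a broker's server.properties the way Java properties files are parsed and fails when auto.create.topics.enable is absent, because Kafka's default for that setting is true. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: local check for the auto.create.topics.enable finding.

# Print the effective value of key $2 in Java-properties file $1.
# Skips comments (# or !), accepts "=", ":" or whitespace as separator,
# and lets the last definition win. Prints nothing if the key is absent.
# Backslash line continuations are not handled.
prop_value() {
  awk -v key="$2" '
    /^[ \t]*[#!]/ || /^[ \t]*$/ { next }
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (match(line, /[ \t]*[=:][ \t]*|[ \t]+/)) {
        k = substr(line, 1, RSTART - 1)
        v = substr(line, RSTART + RLENGTH)
      } else { k = line; v = "" }
      sub(/[ \t\r]+$/, "", v)
      if (k == key) { found = 1; val = v }
    }
    END { if (found) print val }
  ' "$1"
}

# PASS only when the file explicitly sets the flag to false.
# An absent (or empty) key fails: Kafka's default for this setting is true.
check_auto_create() {
  v=$(prop_value "$1" auto.create.topics.enable | tr '[:upper:]' '[:lower:]')
  case "$v" in
    false) echo "PASS"; return 0 ;;
    "")    echo "FAIL (not set; broker default is true)"; return 1 ;;
    *)     echo "FAIL (set to '$v')"; return 1 ;;
  esac
}

# Constructed sample files, not taken from a real cluster.
demo() {
  d=$(mktemp -d)
  printf '%s\n' 'broker.id=1' 'auto.create.topics.enable=false' > "$d/hardened.properties"
  printf '%s\n' 'broker.id=2' '#auto.create.topics.enable=false' > "$d/default.properties"
  printf '%s\n' 'auto.create.topics.enable=false' \
    'auto.create.topics.enable = TRUE' > "$d/overridden.properties"
  for f in "$d"/*.properties; do
    printf '%s: %s\n' "${f##*/}" "$(check_auto_create "$f" || true)"
  done
  rm -rf "$d"
}
demo
```

The commented-out line and the later duplicate are the two cases a quick grep for the "false" setting would wrongly report as compliant.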

Step 5: Onboard Your Team (5 Minutes)

Go to Users in the dashboard and invite your team:

| Role | Can Do |
|------|--------|
| Admin | Full access — manage users, API keys, clusters |
| Operator | Run scans, acknowledge/resolve findings |
| Read-only | View dashboards and reports |

Every action is tracked in the audit log — who ran which scan, who acknowledged which finding, and when. This is the trail your compliance team needs.

Step 6: Integrate with CI/CD (5 Minutes)

Add KafkaGuard to your deployment pipeline so every release gets a security check:

# GitLab CI example
kafka-security-scan:
  stage: test
  script:
    - kafkaguard scan
        --bootstrap $KAFKA_BOOTSTRAP
        --policy policies/enterprise-default.yaml
        --upload $KAFKAGUARD_URL
        --format json --out scan-results/
  artifacts:
    paths:
      - scan-results/

# GitHub Actions example
- name: Kafka Security Scan
  run: |
    kafkaguard scan \
      --bootstrap ${{ secrets.KAFKA_BOOTSTRAP }} \
      --policy policies/enterprise-default.yaml \
      --upload ${{ secrets.KAFKAGUARD_URL }} \
      --format json --out scan-results/
  env:
    KAFKAGUARD_API_KEY: ${{ secrets.KAFKAGUARD_API_KEY }}

Failed scans return a non-zero exit code, so your pipeline blocks on security regressions automatically.

Choosing the Right Policy Tier

KafkaGuard ships with three policy tiers. Pick the one that matches your environment:

| Policy | Controls | Best For |
|--------|----------|----------|
| baseline-dev | 20 | Development, staging, testing |
| enterprise-default | 40 | Production workloads |
| finance-iso | 50 | Regulated industries (banking, healthcare, insurance) |

You can also create custom policies with your own controls and severity mappings.

Air-Gapped Deployment

For environments with no internet access:

  1. Build the image bundle on a connected machine: ./scripts/bundle-images.sh
  2. Transfer the bundle via USB or secure file transfer
  3. On the air-gapped server: ./installer/install.sh --offline

All Docker images, the CLI binary, and documentation are included in the bundle. No external downloads during installation.

Backup, Restore, and Upgrades

KafkaGuard includes built-in operations tooling:

# Backup everything (database, configs, scan data)
./installer/backup.sh backup

# List available backups
./installer/backup.sh list

# Restore from a specific backup
./installer/backup.sh restore backup-2026-04-10.tar.gz

# Upgrade to a new version (automatically backs up first)
./installer/upgrade.sh

The upgrade script handles database migrations, rolling service restarts, and rollback if anything goes wrong.

What Makes This Different

No SaaS lock-in. Your data stays on your servers. Period. There's no telemetry, no usage tracking, no external API calls.

No Kubernetes required. Docker Compose on a single server handles scanning clusters with thousands of topics. Scale up when you need to, not before.

No manual audit spreadsheets. One scan replaces days of manual configuration review. The reports are generated instantly in JSON, CSV, or HTML.

No compliance scrambles. Run scans continuously in CI/CD. When the auditor asks for evidence, export the report. When they ask who reviewed it, show the audit log.

Pricing

| Plan | Clusters | Users | Price |
|------|----------|-------|-------|
| Starter | Up to 5 | Up to 10 | $4,999/year |
| Growth | Up to 25 | Up to 50 | $14,999/year |
| Enterprise | Unlimited | Unlimited | Custom |

All plans include the full platform, all policy tiers, email support, and product updates.

The CLI is free and open source — scan any cluster, generate any report, no account needed.

Get Started

Ready to try it? Three ways to get started:

  1. Download the CLI (free, no sign-up): kafkaguard.com/download
  2. Request an On-Prem trial: sales@kafkaguard.com
  3. Read the full setup guide: On-Prem Setup Documentation

Questions? Reach out at sales@kafkaguard.com — we typically respond within one business day.