KafkaGuard
Get started
FeaturesDocsEnterprisePricingBlogToolsGet started
Features

Everything you need to audit,
prove, and defend.

One CLI. 55 security controls. PCI-DSS · SOC 2 · ISO 27001. Kafka 2.6 through 4.x — ZooKeeper and KRaft.

55
Security controls
3
Compliance frameworks
< 90s
Full cluster scan
v2.6–4.x
Kafka support
01 · Capability

Continuous scanning

Run one-shot audits from the CLI, or wire KafkaGuard into CI / cron for continuous verification. Every run produces a structured, diffable report.

Agentless · read-only principal
Runs in your network
YAML-driven policy
JSON · HTML · PDF · CSV output
$ kafkaguard scan --bootstrap kafka:9092 \
--policy enterprise-default.yaml -f json,pdf
✓ auto-detected PLAINTEXT · 3 brokers · 12 topics
✓ 30 / 45 controls passing
⚠ 15 controls failed (7 HIGH · 5 MEDIUM · 3 LOW)
compliance score: 64.5%
✓ reports saved → ./reports/scan-20260425.pdf
02 · Capability

Compliance mapping

Every check is mapped to the controls auditors actually ask about. Every report includes PCI-DSS, SOC 2, and ISO 27001 requirement IDs alongside each finding.

PCI-DSS 4.0 requirement IDs
SOC 2 Type II CC IDs
ISO 27001 Annex A control IDs
Compliance tab in every report
PCI-DSS 4.018 / 44
SOC 2 Type II44 / 44
ISO 2700144 / 44
included in every PDF · HTML · JSON report
03 · Capability

Drift & alerting

Know the moment a cluster leaves its baseline. KafkaGuard stores scan history and notifies on meaningful deltas — not every restart.

Baseline + drift diff
Slack · Teams · webhook
Configurable alert threshold
JSON output for custom routing
09:0030 / 44 passing · score 64.5%
09:1530 / 44 passing · score 64.5%
09:30DRIFT · KG-003 ACL auth disabled
09:30→ Slack alert sent · #sec-ops
09:4530 / 44 passing · remediated
04 · Capability

Enterprise controls

For fleets and regulated industries: centralize scanning, enforce policy, and satisfy auditors without a 50-tab spreadsheet.

Multi-cluster dashboard
Trend charts + fleet compare
Air-gapped Docker Compose install
Role-based access (admin · operator · readonly)
Multi-cluster
Fleet compare + trends
Alerting
Slack · Teams · webhook
Air-gapped
Docker Compose
RBAC
3 roles · admin · operator · readonly
Compatibility

Apache Kafka 2.6 through 4.x — ZooKeeper and KRaft

Auto-detects your cluster mode. ZooKeeper controls skip automatically on KRaft clusters. No configuration required.

Version rangeModeStatusNotes
Kafka 2.6 – 3.8.xZooKeeperFull support45 controls, ZK health checks included
Kafka 3.9.xZooKeeper or KRaftFull supportLast ZK release; KRaft also detected
Kafka 4.0+KRaft (no ZooKeeper)Full supportZK controls auto-skip; 3 KRaft controls activate
Confluent Platform 7.x – 8.xZK or KRaftFull supportCP version detected; KG-055 version consistency check

Designed to work with Amazon MSK, Aiven, and Redpanda — any distribution based on Apache Kafka 2.6+ using the standard Kafka Admin API.

Authentication

Every auth mode your cluster supports

Pass credentials via flags, environment variables, or a config file. No plaintext secrets in shell history.

SASL/PLAIN
SASL/SCRAM-SHA-256
SASL/SCRAM-SHA-512
Kerberos (GSSAPI)
SSL/TLS
Mutual TLS (mTLS)
PLAINTEXT (dev)
SASL_SSL
SASL_PLAINTEXT
Reports

Four output formats — one scan

Generate multiple formats in a single run. Regenerate any format later from stored scan JSON without re-scanning.

.json
JSON
Machine-readable output for CI/CD pipelines and scripting.
.html
HTML
Web-viewable report with findings and remediation steps.
.pdf
PDF
Audit-ready document with severity bars, compliance mapping, and optional sign-off page.
.csv
CSV
Tabular export for spreadsheet analysis and custom reporting.
PDF reports include a severity bar chart, compliance framework mapping, and an optional sign-off page (--sign-off "Name, Title") for audit sign-off requirements. Use kafkaguard report generate to regenerate any format from a stored scan.
Integrates with your stack
GitHub Actions
GitLab CI
Jenkins
Slack
Microsoft Teams
Webhook
Prometheus
MinIO / S3
SASL / SCRAM
SSL / TLS
Kerberos
KRaft
FAQ

Common questions

KafkaGuard vs DIY

Why not just use bash scripts + OPA?

Many teams try. Here's what DIY actually costs.

CapabilityBash + OPAKafkaGuard
Time to first security report2–3 weeks of engineering90 seconds
PCI-DSS / SOC 2 / ISO 27001 mappingManual — research each controlBuilt-in, pre-mapped
KRaft + ZooKeeper mode detectionWrite it yourselfAutomatic
SASL/SCRAM, mTLS, Kerberos authImplement each connectorAll supported out of the box
PDF/HTML report for auditorsBuild a report templateGenerated automatically
Drift alerting (Slack / Teams)Set up webhooks + cronOne flag: --alert-slack-webhook
Maintained as Kafka evolvesYour team's responsibilityWe track every Kafka release
CostEngineering hours ($50k+/year)From $0 (Community)
📋

Free Kafka Security Checklist

55 controls auditors check — mapped to PCI-DSS 4.0, SOC 2, and ISO 27001. Get the PDF free.

Used by 200+ platform and security engineers

No spam. Unsubscribe anytime.

Ready to run your first scan?
Free, agentless, under 90 seconds. No data leaves your network.
Download free →View pricing