Aqua Security is an enterprise cloud native application protection platform (CNAPP) vendor that provides full-lifecycle security from code to cloud to runtime. The company is headquartered in Burlington, MA and Ramat Gan, Israel, and develops both commercial products and open-source tools that protect over 500 enterprise customers.
Most people know Aqua as the company behind Trivy, the most-starred open-source security scanner on GitHub (32.2k stars). The commercial platform adds runtime protection, policy enforcement, and centralized management on top of what Trivy offers.
What does Aqua Security do?
Aqua Security spans the five CNAPP pillars in one console: container image scanning, cloud workload protection (CWPP), Kubernetes security posture management (KSPM), cloud security posture management (CSPM), and infrastructure-as-code scanning. Runtime protection ties them together with eBPF-based detection through the Tracee engine.
It covers containers, Kubernetes, serverless functions, and cloud infrastructure across AWS, Azure, GCP, on-prem Kubernetes, OpenShift, ECS, AKS, EKS, and GKE. The platform protects workloads from build through production with both pre-deployment scanning and real-time runtime enforcement.
There are two deployment modes. Agentless scanning covers cloud workloads and registry images by reading cloud APIs, with no software installed on hosts.
Agent-based deployment runs as a Kubernetes DaemonSet and adds runtime protection with real-time enforcement, drift prevention, and behavioral monitoring. SaaS and self-hosted air-gapped deployments are both supported, which matters for regulated environments that cannot route security telemetry through a vendor cloud.

What open-source tools does Aqua Security maintain?
Aqua runs a dedicated open-source team separate from commercial engineering. Four projects have significant community adoption, making Aqua one of the largest contributors to open-source cloud native security:
| Project | GitHub Stars | Purpose |
|---|---|---|
| Trivy | 32.2k | Vulnerability scanner for containers, IaC, code, and Kubernetes |
| kube-bench | 7.9k | CIS Kubernetes Benchmark compliance checks |
| kube-hunter | 5k | Kubernetes cluster penetration testing |
| Tracee | 4.4k | eBPF-based Linux runtime security and forensics |
Trivy is the default scanner in Harbor (CNCF container registry) and integrates with GitLab, GitHub Actions, and AWS Security Hub. The commercial Aqua platform builds on these open-source projects rather than competing with them.
A fifth project, Starboard, was deprecated in August 2023 and folded into Trivy as the Trivy Operator for Kubernetes. If you see Starboard referenced in older guides, the modern equivalent is trivy k8s or the Trivy Operator. Aqua’s open-source stewardship is a useful signal during evaluation: the same engineering team that ships Trivy sets the technical direction for the commercial platform, which keeps detection logic consistent across free and paid tiers.
Who should use Aqua Security?
Aqua Security is designed for enterprises running containerized workloads at scale, particularly organizations with Kubernetes clusters spread across multiple clouds.
The FedRAMP High authorization (granted April 2025) makes it one of few CNAPP vendors available to U.S. federal agencies. The platform also holds SOC 2 Type II and ISO 27001 certifications.
If your team already uses Trivy in CI/CD, the Aqua platform is the natural next step when you need centralized policy management, runtime enforcement, and compliance reporting across hundreds of clusters.
How does Aqua Security compare to Wiz, Sysdig, and Prisma Cloud?
The CNAPP shortlist usually narrows to four vendors. Here is how Aqua compares with the three alternatives that appear most often alongside it in the same procurement reviews.
Wiz wins on agentless coverage breadth — its sidescanning model maps cloud assets across AWS, Azure, GCP, and Oracle in hours without touching workloads. Aqua wins on image-scan depth (Trivy heritage) and federal-grade compliance (FedRAMP High), and it offers in-container runtime detection that Wiz’s agentless approach cannot reach.
Sysdig Secure is built on the open-source Falco project for runtime threat detection and emphasizes cloud detection and response (CDR). Aqua’s runtime engine (Tracee) and Sysdig’s (Falco) are both eBPF-based, but Aqua bundles deeper image-scan tooling out of the box; Sysdig leans harder into runtime behavioral analytics.
Prisma Cloud is bundled with Palo Alto Networks’ broader security stack, which makes it the default pick for shops already standardized on Palo Alto for SASE and firewalls. Aqua is the better choice when you want a focused container-and-Kubernetes platform without the platform-wide consolidation push.
Across all three comparisons, Aqua's single biggest differentiator is its open-source portfolio: teams already running Trivy, kube-bench, or kube-hunter find the upgrade path to the commercial platform short. None of the other three vendors maintains a comparable OSS footprint.
Considerations
Aqua is enterprise-priced with no self-serve pricing page. Deployment typically involves working with the Aqua sales team, and pricing scales with cluster count and protected workloads.
If you want free or open-source only, use Trivy, Falco, or kube-bench directly. Aqua's commercial value-add is centralized policy management, runtime enforcement, and audit-grade compliance reporting, none of which Trivy alone provides.
Agent-based deployment requires DaemonSet privileges in your Kubernetes clusters, which some platform teams resist. Agentless mode covers cloud workloads and image registries but cannot see in-container process behavior, so the choice between modes is a real trade-off rather than a free upgrade.
The platform overlaps with point solutions you likely already run, such as image scanners in CI, Kubernetes admission controllers, and CSPM tooling. Map your existing stack against the five CNAPP pillars before committing; otherwise you will end up paying for capabilities you have already deployed.