Aqua CNAPP

Cloud Security, Cloud-Native Application Protection Platform (CNAPP), Cloud Security Posture Management (CSPM)

Cloud-native security platform protecting containers, Kubernetes, and serverless workloads.

Vendor Information

Aqua

Boston, MA, United States

Aqua CNAPP Overview

Aqua Security is the pioneer and largest pure-play cloud-native security company, founded in 2015 by Dror Davidoff and Amir Jerbi with headquarters in Boston, MA and Ramat Gan, Israel. The Aqua Platform provides comprehensive Cloud Native Application Protection Platform (CNAPP) capabilities securing the entire application lifecycle from development to production with full prevention, detection, and response automation. Aqua protects over 40% of the Fortune 100 and 500+ large enterprise customers across financial services, government, retail, manufacturing, and media sectors, having raised $325 million in funding with a $1 billion valuation and achieving $89.9 million in revenue in 2024.

The platform delivers extensive container image scanning with vulnerability assessment, Kubernetes Security Posture Management (KSPM) for cluster configuration auditing, and runtime protection with behavioral profiling to detect anomalous activity. Its unique Dynamic Threat Analysis (DTA) sandboxes suspicious container images to identify advanced malware and behavioral anomalies before deployment. Aqua includes vShield technology that virtually patches unfixable vulnerabilities at runtime without modifying container images, network segmentation with microsegmentation policies, secrets management, CI/CD pipeline integration for shift-left security, and admission control to prevent deployment of non-compliant images across AWS, Azure, GCP, and on-premises environments, supporting both Linux and Windows containers.

Aqua maintains Trivy, the world's most popular open-source vulnerability scanner with over 27,000 GitHub stars, 100+ million annual downloads, and millions of active monthly users, adopted by leading platforms including GitLab, Artifact Hub, and Harbor. The company holds ISO 27001:2022, ISO 27017 (cloud security), ISO 27018 (privacy protection), and ISO 27701 certifications, undergoes annual SOC 2 Type II audits, and participates in CSA STAR Level 1, demonstrating comprehensive compliance for highly regulated industries. It was also recognized as Best Vulnerability Scanner in the 2025 Cloud Security Awards.

Key Capabilities

Standardized capabilities mapped to this product's security niche

Reads cloud volume snapshots out-of-band to assess workloads without deploying agents or sending traffic to running instances. Enables coverage of systems that cannot run agents (mid-migration, locked-down, or legacy).

Correlates individual misconfigurations and CVEs into chained attack scenarios showing lateral movement paths from exposed entry point to a target asset. Produces a prioritized list of attack paths rather than a flat CVE inventory.

Exports compliance evidence pre-mapped to framework control requirements (SOC 2, ISO 27001, PCI DSS), in formats auditors can consume directly rather than raw CSV exports requiring manual assembly.

Instruments workload behavior at the kernel level via eBPF without a traditional user-space agent. Provides syscall-level visibility into process execution, network connections, and file access in running containers and VMs.

Monitors running pod and container behavior against policy, detecting unexpected process execution, network connections, and privilege escalation at runtime rather than at image scan time.

Enforces a single policy definition across AWS, Azure, and GCP resource types, translating to provider-native configurations rather than requiring separate policy sets per cloud.

Delivers scan results inside developer IDEs and pipeline stages so developers receive findings before code merges, reducing the cost and cycle time of remediation.

Scans container base images and dependencies for packages with known malicious behavior or compromise (typosquatting, backdoored releases) beyond CVE matching on legitimate code.

Analyzes IAM policies across AWS, Azure, and GCP to surface over-permissioned roles, unused permissions, and cross-account trust relationships that create lateral movement opportunities.

Runs entirely within the customer's infrastructure with no data egress to the vendor's cloud. Addresses data residency and sovereignty requirements that a regional SaaS endpoint cannot satisfy.

Integrations

Compatible tools and platforms

AWS Security Hub, Azure Security Center, CI/CD Pipelines, CircleCI, GitHub Actions, GitLab, Google Cloud SCC, Jenkins, Jira, PagerDuty, ServiceNow, Slack, Splunk, Webhook

Solution Details

Compliance & Certifications

Regulatory frameworks and security certifications

ISO 27001, ISO 27701, SOC 2 Type II

Deployment Options

Where and how this solution can be deployed

Cloud, Hybrid, On-Premises

Support Channels

Available support and communication options

Email Support, Knowledge Base

Pricing Model

How this solution is priced

Custom / Enterprise, Usage-based

How to buy

This profile hasn’t been claimed yet. Contact the vendor directly for pricing and purchasing options.