Security Stack Logo
Aqua CNAPP logo

Cloud Security

Aqua CNAPP

CNAPP securing cloud-native and AI apps from code to cloud to prompt.

Cloud-Native Application Protection Platform (CNAPP)Cloud Security Posture Management (CSPM)

Aqua CNAPP Overview

What it does

Aqua Security is the pioneer and largest pure-play cloud-native security company, founded in 2015 by Dror Davidoff and Amir Jerbi with headquarters in Boston, MA and Ramat Gan, Israel. The Aqua Platform provides comprehensive Cloud Native Application Protection Platform (CNAPP) capabilities securing the entire application lifecycle from development to production with full prevention, detection, and response automation. Aqua protects over 40% of the Fortune 100 and 500+ large enterprise customers across financial services, government, retail, manufacturing, and media sectors, having raised $325 million in funding with a $1 billion valuation and achieving $89.9 million in revenue in 2024.

How it works

The platform delivers extensive container image scanning with vulnerability assessment, Kubernetes Security Posture Management (KSPM) for cluster configuration auditing, and runtime protection with behavioral profiling to detect anomalous activity, featuring unique Dynamic Threat Analysis (DTA) that sandboxes suspicious container images to identify advanced malware and behavioral anomalies before deployment. Aqua includes vShield technology that virtually patches unfixable vulnerabilities at runtime without modifying container images, network segmentation with microsegmentation policies, secrets management, CI/CD pipeline integration for shift-left security, and admission control to prevent deployment of non-compliant images across AWS, Azure, GCP, and on-premises environments supporting both Linux and Windows containers.

Credentials and traction

Aqua holds ISO 27001, ISO 27701, and SOC 2 Type II certifications. It was named a Leader and Outperformer in the GigaOm Radar for Container Security (January 2025) and a Leader in the GigaOm Radar for Software Supply Chain Security (January 2025), and was previously recognized as a Representative Vendor in the 2023 Gartner Market Guide for CNAPP. Recent awards include the 2025 CyberSecurity Breakthrough Award and placement on CRN's 2025 Cloud 100 and Security 100 lists. Aqua serves more than 500 enterprise customers.

Key Capabilities

mapped to solution categories
Cloud-Native Application Protection Platform (CNAPP)

Reads cloud volume snapshots out-of-band to assess workloads for vulnerabilities, secrets, and misconfigurations without agents or touching running instances.

Correlates individual misconfigurations and CVEs into chained attack scenarios showing lateral movement paths from exposed entry point to a target asset. Produces a prioritized list of attack paths rather than a flat CVE inventory.

Exports compliance evidence pre-mapped to framework control requirements (SOC 2, ISO 27001, PCI DSS), in formats auditors can consume directly: not raw CSV exports requiring manual assembly.

Instruments workload behavior at the kernel level via eBPF without a traditional user-space agent. Provides syscall-level visibility into process execution, network connections, and file access in running containers and VMs.

Monitors running pod and container behavior against policy, detecting unexpected process execution, network connections, and privilege escalation at runtime rather than at image scan time.

Enforces a single policy definition across AWS, Azure, and GCP resource types, translating to provider-native configurations rather than requiring separate policy sets per cloud.

Delivers scan results inside developer IDEs and pipeline stages so developers receive findings before code merges, reducing the cost and cycle time of remediation.

Analyzes container images and dependencies for CVEs, malicious or compromised packages, and SBOM generation across the build pipeline.

Analyzes IAM policies across AWS, Azure, and GCP to surface over-permissioned roles, unused permissions, and cross-account trust relationships that create lateral movement opportunities.

Supports on-premises or air-gapped artifact and workload inspection under customer control, so regulated or sovereign data never leaves the customer boundary.

Continuously audits cloud and Kubernetes configuration across AWS, Azure, and GCP against security benchmarks, flagging misconfigurations and identity-permission gaps that create exploitable exposures.

Scans infrastructure-as-code templates (Terraform, CloudFormation, Kubernetes manifests, and Helm charts) for misconfigurations and policy violations before deployment, so issues are caught in the pipeline rather than in production.

Enriches cloud misconfigurations, vulnerable workloads, and runtime detections with threat intelligence on active exploitation, prioritizing exposures attackers use over theoretical severity alone.

Cloud Security Posture Management (CSPM)

Continuously discovers and inventories cloud resources across accounts, subscriptions, and projects so posture assessment runs against a current, complete picture of the environment rather than a stale or partial asset list. Coverage of newer and less common resource types varies across products.

Maps detected misconfigurations to specific control requirements across CIS Benchmarks, NIST 800-53, SOC 2, PCI DSS, HIPAA, and ISO 27001 in a single assessment pass.

Evaluates Terraform, CloudFormation, ARM templates, and Pulumi configurations at PR or pipeline time, catching misconfigurations before deployment.

Audits cloud service configurations across AWS, Azure, and GCP against security best practices and benchmarks, flagging misconfigurations such as public storage, permissive network rules, and disabled logging. Coverage breadth and per-service depth vary significantly across products.

Aggregates posture findings and policy enforcement across multiple cloud accounts, subscriptions, and projects from a single control plane, critical for organizations with 10+ cloud accounts.

Compliance

certifications
ISO 27001ISO 27701SOC 2 Type II

Integrations

compatible tools
AWS Security HubAzure Security CenterCI/CD PipelinesCircleCIGitHub ActionsGitLabGoogle Cloud SCCJenkinsJiraPagerDutyServiceNowSlackSplunkTerraformWebhook

Implementation & support

Deployment model
CloudOn-PremisesSaaS
Pricing structure
Custom / EnterpriseUsage-based
Support channels
DocumentationEmail SupportKnowledge BasePhone SupportTicketing Portal

Info last updated on May 27, 2026

Vendors

Is this your product?

Claim your profile to connect with the teams looking for your solutions.

Security Stack Logo

The curated research platform for enterprise cybersecurity solutions.

All product and company names, logos, and brands are property of their respective owners and are used on this website for identification purposes only. Security Stack does not endorse any vendor, product, or service listed, and makes no warranties, express or implied, as to the accuracy or completeness of this content, including any warranties of merchantability or fitness for a particular purpose.

© 2026 Security Stack. All rights reserved.