
Aqua Security

License: Commercial
Suphi Cankurt
AppSec Enthusiast
Updated February 25, 2026
Key Takeaways
  • Creators of Trivy (32.2k GitHub stars), Tracee (4.4k stars), kube-bench (7.9k stars), and kube-hunter (5k stars) — four of the most adopted open-source cloud native security tools.
  • Enterprise CNAPP platform covering the full lifecycle: code scanning, image analysis, runtime protection, Kubernetes security, and cloud posture management.
  • Protects 500+ enterprise customers with both agent-based runtime enforcement and agentless scanning deployment options.
  • FedRAMP High authorized (April 2025), SOC 2 Type II and ISO 27001 certified — meets federal and enterprise compliance requirements.

Aqua Security is an enterprise cloud native application protection platform (CNAPP) vendor that provides full-lifecycle security from code to cloud to runtime. The company is headquartered in Burlington, MA and Ramat Gan, Israel, and develops both commercial products and open-source tools that protect over 500 enterprise customers.

Most people know Aqua as the company behind Trivy, the most-starred open-source security scanner on GitHub (32.2k stars). The commercial platform adds runtime protection, policy enforcement, and centralized management on top of what Trivy offers.

What does Aqua Security do?

Aqua Security provides container image scanning, runtime protection, Kubernetes security posture management, and compliance reporting in a single CNAPP platform. It supports containers, Kubernetes, serverless functions, and cloud infrastructure across AWS, Azure, and GCP. The platform protects workloads from build through production with both pre-deployment scanning and real-time runtime enforcement.

There are two deployment modes. Agentless scanning covers cloud workloads and images without installing anything on hosts. Agent-based deployment adds runtime protection with real-time enforcement, drift prevention, and behavioral monitoring using eBPF technology through the Tracee engine.

  • Image & Code Scanning: Scans container images, code repositories, and IaC templates for vulnerabilities, misconfigurations, and embedded secrets before deployment.
  • Runtime Protection: Monitors running containers and Kubernetes workloads with eBPF-based detection (via Tracee), policy enforcement, and drift prevention.
  • Cloud Posture Management: Assesses cloud infrastructure configurations across AWS, Azure, and GCP against security benchmarks and compliance frameworks.

What open-source tools does Aqua Security maintain?

Aqua runs a dedicated open-source team separate from commercial engineering. Four projects have significant community adoption, making Aqua one of the largest contributors to open-source cloud native security:

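| Project     | GitHub Stars | Purpose                                                         |
|-------------|--------------|-----------------------------------------------------------------|
| Trivy       | 32.2k        | Vulnerability scanner for containers, IaC, code, and Kubernetes |
| kube-bench  | 7.9k         | CIS Kubernetes Benchmark compliance checks                      |
| kube-hunter | 5k           | Kubernetes cluster penetration testing                          |
| Tracee      | 4.4k         | eBPF-based Linux runtime security and forensics                 |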

Trivy is the default scanner in Harbor (CNCF container registry) and integrates with GitLab, GitHub Actions, and AWS Security Hub. The commercial Aqua platform builds on these open-source projects.

Who should use Aqua Security?

Aqua Security is designed for enterprises running containerized workloads at scale, particularly organizations with Kubernetes clusters spread across multiple clouds. The FedRAMP High authorization (granted April 2025) makes it one of few CNAPP vendors available to U.S. federal agencies. The platform also holds SOC 2 Type II and ISO 27001 certifications.

If your team already uses Trivy in CI/CD, the Aqua platform is the natural next step when you need centralized policy management, runtime enforcement, and compliance reporting across hundreds of clusters.

Considerations

Aqua is enterprise-priced with no self-serve pricing page. Deployment typically involves working with the Aqua sales team. If you want free or open-source only, use Trivy, Falco, or kube-bench directly.

The platform covers containers, serverless, VMs, and cloud posture, which means it overlaps with point solutions you likely already have. Figure out which capabilities you actually need before committing to a full CNAPP deployment.

For other container security options, browse our container security tools category.

Frequently Asked Questions

What is Aqua Security?
Aqua Security is a cloud native application protection platform (CNAPP) vendor headquartered in Burlington, MA and Ramat Gan, Israel. The company develops both commercial security products and widely-used open-source tools including Trivy (vulnerability scanner, 32.2k GitHub stars), Tracee (runtime security with eBPF, 4.4k stars), kube-bench (CIS Kubernetes benchmarks, 7.9k stars), and kube-hunter (Kubernetes penetration testing, 5k stars). The commercial platform provides full-lifecycle security from code to cloud to runtime.
What is the difference between Aqua Security and Trivy?
Trivy is a free, open-source vulnerability scanner maintained by Aqua Security under the Apache 2.0 license. It scans container images, filesystems, IaC, and Kubernetes clusters for vulnerabilities and misconfigurations. Aqua Security’s commercial CNAPP platform extends beyond scanning with runtime protection, policy enforcement, cloud posture management, compliance reporting, and enterprise support. Trivy handles detection; the Aqua platform adds prevention, enforcement, and centralized management.
Does Aqua Security support agentless scanning?
Yes. Aqua Security supports both agent-based and agentless deployment modes. Agentless scanning covers cloud workloads, container images, and infrastructure without deploying agents. Agent-based deployment provides runtime protection with real-time enforcement, drift prevention, and behavioral monitoring using eBPF technology through the Tracee engine.
What compliance frameworks does Aqua Security support?
Aqua Security holds SOC 2 Type II and ISO/IEC 27001 certifications and achieved FedRAMP High authorization in April 2025. The platform provides compliance checks and audit reports mapped to frameworks including CIS Benchmarks, PCI DSS, HIPAA, NIST, and GDPR. The open-source kube-bench tool specifically checks Kubernetes clusters against CIS Kubernetes Benchmark standards.
How does Aqua Security compare to Sysdig Secure?
Both are enterprise CNAPP platforms focused on Kubernetes and container security. Aqua Security maintains a larger open-source portfolio (Trivy, Tracee, kube-bench, kube-hunter) and offers both agent-based and agentless deployment. Sysdig Secure is built on the open-source Falco project for runtime threat detection and emphasizes cloud detection and response (CDR). Both serve Kubernetes-heavy enterprises with runtime monitoring, vulnerability scanning, and posture management.