KafkaGuard
Security & compliance for Apache Kafka

Know your Kafka is secure.

KafkaGuard scans every broker, topic, and ACL against PCI-DSS, SOC 2, and ISO 27001 — 55 controls, in under 90 seconds, not weeks.

curl -LO https://github.com/KafkaGuard/kafkaguard-releases/releases/latest/download/kafkaguard_Linux_x86_64.tar.gz
55 security controls · 3 compliance frameworks · < 90s full cluster scan · Kafka v2.6–4.x
How it works

From zero to audit-ready in three steps

01. Run the scan

One command. Point it at your Kafka bootstrap address. KafkaGuard connects with read-only credentials — no agents, no data leaves your network.

02. See your issues

Get a prioritised list of misconfigurations: missing TLS, wildcard ACLs, unencrypted inter-broker traffic. Severity-ranked so you fix the right things first.

03. Hand over the report

HTML, JSON, PDF, or CSV — with exact PCI-DSS 4.0, SOC 2, and ISO 27001 control IDs pre-filled. Ready to give directly to your auditor.

Step 3 output (Team tier · 55 controls · SOC 2 / PCI-DSS / ISO 27001 mapped)

This is what your auditor receives

A real scan of a Kafka 3.9 cluster. Community edition shows 21 controls without compliance IDs — upgrade to Starter for the full compliance mapping.

kafkaguard-compliance-report.html
Compliance Score: 88.4%
Controls evaluated: 55 · passed: 48 · failed (with fixes): 7
Frameworks mapped: PCI-DSS 4.0 · SOC 2 Type II · ISO 27001

Free to download · No signup

Common risks we detect

Do you have any of these in production right now?

These are the most common findings in clusters we scan — most teams discover at least 3.

KG-001 No SASL authentication on brokers
KG-004 Wildcard ACLs giving unrestricted access (User:*)
KG-007 TLS not enforced between brokers
KG-018 Under-replicated partitions causing data loss risk
KG-008 ZooKeeper accessible without authentication
KG-005 TLS certificates expiring within 30 days
Use cases

Built for teams under compliance pressure

Platform Engineer / CTO: Preparing for a SOC 2 audit

Auditors will ask for evidence that your Kafka clusters meet security controls. KafkaGuard generates the exact evidence — with SOC 2 control IDs pre-mapped — in under 90 seconds. Hand it directly to your auditor.

CISO / VP Security: New CISO reviewing Kafka security posture

Joining a new company or inheriting a Kafka cluster? Get a full security posture report in minutes. Know exactly what's misconfigured, what compliance frameworks are affected, and what to fix first.

DevSecOps / Security Engineer: Kafka in CI/CD pipelines

Run KafkaGuard as a CronJob or CI step. Fail the pipeline on HIGH severity findings. Get Slack alerts when a misconfiguration slips into production. Shift Kafka security left.

Free Kafka Security Checklist: 55 controls auditors check, mapped to PCI-DSS 4.0, SOC 2, and ISO 27001. Get the PDF free.


Compliance

Every check mapped to the controls auditors ask about

PCI-DSS 4.0: 18 controls mapped to PCI-DSS 4.0 requirement IDs. Every report includes PCI-DSS 4.0 IDs alongside each finding for direct audit evidence.
SOC 2 Type II: 44 controls mapped to SOC 2 Type II requirement IDs. Every report includes SOC 2 Type II IDs alongside each finding for direct audit evidence.
ISO 27001: 44 controls mapped to ISO 27001 requirement IDs. Every report includes ISO 27001 IDs alongside each finding for direct audit evidence.
Coverage

54 controls across security, reliability, and operations

Authentication: SASL authentication enabled · Client authentication required · SASL mechanism secure (SCRAM) · No default passwords
Authorization: ACL authorization enabled · No wildcard ACLs · ZooKeeper ACLs enabled · SSL endpoint identification
Encryption: SSL/TLS encryption enabled · TLS protocol ≥ 1.2 · Inter-broker encryption enabled · TLS certificate expiry > 30 days
Reliability: Replication factor ≥ 3 · Min in-sync replicas ≥ 2 · Unclean leader election disabled · No under-replicated partitions
Monitoring: Monitoring endpoint security · No offline partitions · Disk usage < 90% · Heap usage < 85%
Operational: Auto-create topics disabled · Log retention configured · GC logging enabled · Network threads appropriate
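The DevSecOps use case above (fail the pipeline on HIGH findings) and the control list, as an added example that is not KafkaGuard's own code: a small Python checker that evaluates a constructed server.properties against five of the listed broker controls, with a weak config beside a hardened one. Control IDs KG-001 and KG-007 are taken from the page; the X- IDs, the severities, and the defaults assumed for missing keys are my assumptions.

```python
# Added example, not KafkaGuard's own code: checks a broker's server.properties
# against a subset of the page's controls (KG-001/KG-007 are page IDs, X-* made up).
WEAK = """\
listeners=PLAINTEXT://0.0.0.0:9092,SSL://0.0.0.0:9093
security.inter.broker.protocol=PLAINTEXT
ssl.enabled.protocols=TLSv1,TLSv1.1,TLSv1.2
unclean.leader.election.enable=true
min.insync.replicas=1
"""  # constructed weak broker config
HARDENED = """\
listeners=SASL_SSL://0.0.0.0:9093
security.inter.broker.protocol=SASL_SSL
sasl.enabled.mechanisms=SCRAM-SHA-512
ssl.enabled.protocols=TLSv1.2,TLSv1.3
unclean.leader.election.enable=false
min.insync.replicas=2
"""  # constructed hardened broker config
def parse_properties(text):
    """Parse key=value lines; blanks and #/! comments are skipped."""
    lines = (l.strip() for l in text.splitlines())
    pairs = (l.partition("=") for l in lines if l and l[0] not in "#!" and "=" in l)
    return {k.strip(): v.strip() for k, _, v in pairs}

def tls_ok(p):
    # Kafka 2.5+ defaults ssl.enabled.protocols to TLSv1.2,TLSv1.3 (assumed default)
    enabled = {v.strip() for v in p.get("ssl.enabled.protocols", "TLSv1.2,TLSv1.3").split(",")}
    return not enabled & {"SSLv3", "TLSv1", "TLSv1.1"}

# (id, severity, control name, predicate over the parsed properties)
CONTROLS = [
    ("KG-001", "HIGH", "SASL authentication enabled",
     lambda p: any(l.strip().startswith("SASL_") for l in p.get("listeners", "").split(","))),
    ("KG-007", "HIGH", "Inter-broker encryption enabled",
     lambda p: p.get("security.inter.broker.protocol", "PLAINTEXT") in ("SSL", "SASL_SSL")),
    ("X-TLS", "HIGH", "TLS protocol >= 1.2", tls_ok),
    ("X-ULE", "MEDIUM", "Unclean leader election disabled",
     lambda p: p.get("unclean.leader.election.enable", "false").lower() == "false"),
    ("X-ISR", "MEDIUM", "Min in-sync replicas >= 2",
     lambda p: int(p.get("min.insync.replicas", "1")) >= 2),
]

def evaluate(text):
    """Return {control_id: passed} for one broker's config text."""
    props = parse_properties(text)
    return {cid: bool(check(props)) for cid, _, _, check in CONTROLS}

def high_failures(text):
    """CI gate (DevSecOps use case): failed HIGH controls; non-empty => fail the build."""
    results = evaluate(text)
    return [cid for cid, sev, _, _ in CONTROLS if sev == "HIGH" and not results[cid]]
```

Running evaluate(WEAK) fails every control and high_failures(WEAK) returns the three HIGH IDs, while HARDENED passes all five; a CI step would exit non-zero whenever high_failures is non-empty.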
Compatibility

Apache Kafka 2.6 through 4.x — ZooKeeper and KRaft

Auto-detects cluster mode. No extra configuration needed.

Kafka 2.6 – 3.8 (ZooKeeper): Full control suite including ZooKeeper health checks.
Kafka 3.9.x (ZK or KRaft): Last ZooKeeper release. Both modes auto-detected.
Kafka 4.0+ (KRaft only): ZK controls auto-skip. Three KRaft-specific controls activate.
Confluent Platform 7.x – 8.x (CP): CP version detected and validated against Kafka release.

Designed to work with Amazon MSK, Aiven, and Redpanda, or any distribution using the standard Kafka Admin API.
Get started

Run your first scan in 90 seconds.

Free, open source, and agentless: nothing to install on your brokers, and no data leaves your network.

No signup required · 55 controls · air-gapped · no phone home