Security & compliance for Apache Kafka

Know your Kafka is secure.

Name: KafkaGuard
Author: KafkaGuard

KafkaGuard scans every broker, topic, and ACL against PCI-DSS, SOC 2, and ISO 27001 — 55 controls, in under 90 seconds, not weeks.

Download free scan →Read the docs

curl -LO github.com/KafkaGuard/kafkaguard-releases/releases/latest/download/kafkaguard_Linux_x86_64.tar.gz

Security controls

Compliance frameworks

< 90s

Full cluster scan

v2.6–4.x

Kafka versions

How it works

From zero to audit-ready in three steps

Run the scan

One command. Point it at your Kafka bootstrap address. KafkaGuard connects with read-only credentials — no agents, no data leaves your network.

See your issues

Get a prioritised list of misconfigurations: missing TLS, wildcard ACLs, unencrypted inter-broker traffic. Severity-ranked so you fix the right things first.

Hand over the report

HTML, JSON, PDF, or CSV — with exact PCI-DSS 4.0, SOC 2, and ISO 27001 control IDs pre-filled. Ready to give directly to your auditor.

Step 3 output

Team tier · 55 controls · SOC 2 / PCI-DSS / ISO 27001 mapped

This is what your auditor receives

A real scan of a Kafka 3.9 cluster. Community edition shows 55 controls (finance-iso) without compliance framework IDs — upgrade to Starter for PCI-DSS, SOC 2, and ISO 27001 mappings — upgrade to Starter for the full compliance mapping.

kafkaguard-compliance-report.html

88.4%

Compliance Score

controls evaluated55

passed48

failed — with fixes7

Frameworks mapped

✓PCI-DSS 4.0

✓SOC 2 Type II

✓ISO 27001

Open full HTML report →

Free to download · No signup

Common risks we detect

Do you have any of these in production right now?

These are the most common findings in clusters we scan — most teams discover at least 3.

🔓

No SASL authentication on brokers

KG-001

🕳️

Wildcard ACLs giving unrestricted access (User:*)

KG-004

📡

TLS not enforced between brokers

KG-007

⚠️

Under-replicated partitions causing data loss risk

KG-018

🔑

ZooKeeper accessible without authentication

KG-008

🗓️

TLS certificates expiring within 30 days

KG-005

Use cases

Built for teams under compliance pressure

📋

Platform Engineer / CTO

Preparing for a SOC 2 audit

Auditors will ask for evidence that your Kafka clusters meet security controls. KafkaGuard generates the exact evidence — with SOC 2 control IDs pre-mapped — in under 90 seconds. Hand it directly to your auditor.

🔍

CISO / VP Security

New CISO reviewing Kafka security posture

Joining a new company or inheriting a Kafka cluster? Get a full security posture report in minutes. Know exactly what's misconfigured, what compliance frameworks are affected, and what to fix first.

🔁

DevSecOps / Security Engineer

DevSecOps — Kafka in CI/CD pipelines

Run KafkaGuard as a CronJob or CI step. Fail the pipeline on HIGH severity findings. Get Slack alerts when a misconfiguration slips into production. Shift Kafka security left.

New

Run KafkaGuard from inside your AI agent

Install the official skill in OpenClaw, Claude Code, or Gemini CLI and ask in plain English: “Audit our prod Kafka cluster against the enterprise policy.” The agent runs the scan, parses the report, and hands back the headline.

$ openclaw skills install kafkaguard-scan

OpenClawOfficial

Claude CodeVia superpowers

Gemini CLIVia activate_skill

CursorManual

Read the launch post →View on GitHub

📋

Free Kafka Security Checklist

55 controls auditors check — mapped to PCI-DSS 4.0, SOC 2, and ISO 27001. Get the PDF free.

Used by 200+ platform and security engineers

Compliance

Every check mapped to the controls auditors ask about

PCI-DSS 4.0

controls mapped to PCI-DSS 4.0 requirement IDs

Every report includes PCI-DSS 4.0 IDs alongside each finding for direct audit evidence.

SOC 2 Type II

controls mapped to SOC 2 Type II requirement IDs

Every report includes SOC 2 Type II IDs alongside each finding for direct audit evidence.

ISO 27001

controls mapped to ISO 27001 requirement IDs

Every report includes ISO 27001 IDs alongside each finding for direct audit evidence.

Coverage

54 controls across security, reliability, and operations

Authentication

SASL authentication enabled

Client authentication required

SASL mechanism secure (SCRAM)

No default passwords

Authorization

ACL authorization enabled

No wildcard ACLs

ZooKeeper ACLs enabled

SSL endpoint identification

Encryption

SSL/TLS encryption enabled

TLS protocol ≥ 1.2

Inter-broker encryption enabled

TLS certificate expiry > 30 days

Reliability

Replication factor ≥ 3

Min in-sync replicas ≥ 2

Unclean leader election disabled

No under-replicated partitions

Monitoring

Monitoring endpoint security

No offline partitions

Disk usage < 90%

Heap usage < 85%

Operational

Auto-create topics disabled

Log retention configured

GC logging enabled

Network threads appropriate

Compatibility

Apache Kafka 2.6 through 4.x — ZooKeeper and KRaft

Auto-detects cluster mode. No extra configuration needed.

Kafka 2.6 – 3.8

ZooKeeper

Full control suite including ZooKeeper health checks.

ZK / KRaft

Kafka 3.9.x

ZK or KRaft

Last ZooKeeper release. Both modes auto-detected.

KRaft

Kafka 4.0+

KRaft only

ZK controls auto-skip. Three KRaft-specific controls activate.

Confluent Platform

7.x – 8.x

CP version detected and validated against Kafka release.

Designed to work with Amazon MSK, Aiven, and Redpanda — any distribution using the standard Kafka Admin API.

Full compatibility table →

Get started

Run your first scan in 90 seconds.

Free, open-source, agentless. No agents to install. No data leaves your network.

Download free →View pricing →

No signup required · 55 controls · air-gapped · no phone home