KafkaGuard
Security & compliance for Apache Kafka

Know your Kafka is secure.

KafkaGuard scans every broker, topic, and ACL against PCI-DSS, SOC 2, and ISO 27001 — 54 controls, in under 90 seconds, not weeks.

curl -LO https://github.com/KafkaGuard/kafkaguard-releases/releases/latest/download/kafkaguard_Linux_x86_64.tar.gz
54 security controls · 3 compliance frameworks · < 90s full cluster scan · Kafka versions v2.6–4.x
Compliance

Every check mapped to the controls auditors ask about

PCI-DSS 4.0: 18 controls mapped to PCI-DSS 4.0 requirement IDs. Every report includes PCI-DSS 4.0 IDs alongside each finding for direct audit evidence.
SOC 2 Type II: 44 controls mapped to SOC 2 Type II requirement IDs. Every report includes SOC 2 Type II IDs alongside each finding for direct audit evidence.
ISO 27001: 44 controls mapped to ISO 27001 requirement IDs. Every report includes ISO 27001 IDs alongside each finding for direct audit evidence.
Coverage

54 controls across security, reliability, and operations

Authentication: SASL authentication enabled · Client authentication required · SASL mechanism secure (SCRAM) · No default passwords
Authorization: ACL authorization enabled · No wildcard ACLs · ZooKeeper ACLs enabled · SSL endpoint identification
Encryption: SSL/TLS encryption enabled · TLS protocol ≥ 1.2 · Inter-broker encryption enabled · TLS certificate expiry > 30 days
Reliability: Replication factor ≥ 3 · Min in-sync replicas ≥ 2 · Unclean leader election disabled · No under-replicated partitions
Monitoring: Monitoring endpoint security · No offline partitions · Disk usage < 90% · Heap usage < 85%
Operational: Auto-create topics disabled · Log retention configured · GC logging enabled · Network threads appropriate
Compatibility

Apache Kafka 2.6 through 4.x — ZooKeeper and KRaft

Auto-detects cluster mode. No extra configuration needed.

Kafka 2.6 – 3.8 (ZooKeeper): Full control suite including ZooKeeper health checks.
Kafka 3.9.x (ZK or KRaft): Last ZooKeeper release. Both modes auto-detected.
Kafka 4.0+ (KRaft only): ZK controls auto-skip. Three KRaft-specific controls activate.
Confluent Platform 7.x – 8.x: CP version detected and validated against Kafka release.

Designed to work with Amazon MSK, Aiven, and Redpanda — any distribution using the standard Kafka Admin API.

Get started

Run your first scan in 90 seconds.

Free, open-source, agentless. No agents to install. No data leaves your network.

No signup required · 54 controls · air-gapped · no phone home