Why We Built KafkaGuard
Apache Kafka powers mission-critical data pipelines at thousands of companies. But securing Kafka clusters remains largely manual — engineers spend days reviewing configurations, checking ACLs, and mapping settings to compliance requirements.
KafkaGuard automates this entirely.
What KafkaGuard Does
KafkaGuard is a CLI tool that scans your Kafka clusters and evaluates them against security, reliability, and operational controls:
- 54 production-ready controls across SASL, SSL/TLS, ACLs, replication, retention, and more
- 3 policy tiers — baseline-dev (21 controls), enterprise-default (45 controls), finance-iso (55 controls)
- 4 report formats — JSON, HTML, PDF, CSV
- Enterprise authentication — SASL (PLAIN, SCRAM-SHA-256/512), SSL/TLS, mTLS, Kerberos
- KRaft & Confluent Platform — auto-detects cluster mode, activates the right controls
A full scan completes in under 90 seconds.
Getting Started
Install KafkaGuard and scan your first cluster:
```bash
# Download the binary
curl -L https://github.com/KafkaGuard/kafkaguard-releases/releases/latest/download/kafkaguard_Linux_x86_64.tar.gz | tar xz
sudo mv kafkaguard /usr/local/bin/

# Scan your cluster
kafkaguard scan \
  --bootstrap localhost:9092 \
  --policy policies/enterprise-default.yaml \
  -f html,json \
  --out ./reports
```
The HTML report includes an executive summary, compliance score, detailed findings with remediation guidance, and PCI-DSS / SOC 2 / ISO 27001 requirement IDs mapped to each finding.
On-Prem Platform
Beyond the CLI, KafkaGuard On-Prem gives teams a self-hosted dashboard for centralized scan tracking, trend analysis, multi-cluster comparison, and Slack/Teams alerting — deployed with a single Docker Compose installer, no internet required.
Download KafkaGuard v2.3.0 | Read the Docs | On-Prem Setup Guide