What compliance frameworks does KafkaGuard support?

KafkaGuard maps controls to PCI-DSS 4.0 (18 controls), SOC 2 Type II (44 controls), and ISO 27001 Annex A (44 controls). CIS Kafka Benchmark alignment is included.

Does KafkaGuard work with Confluent Platform?

Yes. KafkaGuard supports Confluent Platform 7.x–8.x in both ZooKeeper and KRaft modes, including the KG-055 CP version consistency check.

What Kafka versions are supported?

Apache Kafka 2.6 through 4.x (ZooKeeper and KRaft), Confluent Platform 7.x–8.x, Amazon MSK, Aiven, and Redpanda.

Does KafkaGuard require an agent on Kafka brokers?

No. KafkaGuard is agentless. It connects using a read-only principal over the standard Kafka admin API and JMX — nothing installed on brokers.

What output formats does KafkaGuard produce?

PDF, HTML, and JSON. PDF reports include compliance control mappings suitable for auditors. JSON output integrates with CI/CD pipelines and SIEM systems.

Features

Everything you need to audit,
prove, and defend.

One CLI. 54 security controls. PCI-DSS · SOC 2 · ISO 27001. Kafka 2.6 through 4.x — ZooKeeper and KRaft.

Security controls

Compliance frameworks

< 90s

Full cluster scan

v2.6–4.x

Kafka support

01 · Capability

Continuous scanning

Run one-shot audits from the CLI, or wire KafkaGuard into CI / cron for continuous verification. Every run produces a structured, diffable report.

Agentless · read-only principal

Runs in your network

YAML-driven policy

JSON · HTML · PDF · CSV output

$ kafkaguard scan --bootstrap kafka:9092 \

--policy enterprise-default.yaml -f json,pdf

✓ auto-detected PLAINTEXT · 3 brokers · 12 topics

✓ 30 / 44 controls passing

⚠ 14 controls failed (7 HIGH · 5 MEDIUM · 2 LOW)

compliance score: 64.5%

✓ reports saved → ./reports/scan-20260425.pdf

02 · Capability

Compliance mapping

Every check is mapped to the controls auditors actually ask about. Every report includes PCI-DSS, SOC 2, and ISO 27001 requirement IDs alongside each finding.

PCI-DSS 4.0 requirement IDs

SOC 2 Type II CC IDs

ISO 27001 Annex A control IDs

Compliance tab in every report

PCI-DSS 4.018 / 44

SOC 2 Type II44 / 44

ISO 2700144 / 44

included in every PDF · HTML · JSON report

03 · Capability

Drift & alerting

Know the moment a cluster leaves its baseline. KafkaGuard stores scan history and notifies on meaningful deltas — not every restart.

Baseline + drift diff

Slack · Teams · webhook

Configurable alert threshold

JSON output for custom routing

09:0030 / 44 passing · score 64.5%

09:1530 / 44 passing · score 64.5%

09:30DRIFT · KG-003 ACL auth disabled

09:30→ Slack alert sent · #sec-ops

09:4530 / 44 passing · remediated

04 · Capability

Enterprise controls

For fleets and regulated industries: centralize scanning, enforce policy, and satisfy auditors without a 50-tab spreadsheet.

Multi-cluster dashboard

Trend charts + fleet compare

Air-gapped Docker Compose install

Role-based access (admin · operator · readonly)

Multi-cluster

Fleet compare + trends

Alerting

Slack · Teams · webhook

Air-gapped

Docker Compose

RBAC

3 roles · admin · operator · readonly

Compatibility

Apache Kafka 2.6 through 4.x — ZooKeeper and KRaft

Auto-detects your cluster mode. ZooKeeper controls skip automatically on KRaft clusters. No configuration required.

Version range	Mode	Status	Notes
Kafka 2.6 – 3.8.x	ZooKeeper	Full support	44 controls, ZK health checks included
Kafka 3.9.x	ZooKeeper or KRaft	Full support	Last ZK release; KRaft also detected
Kafka 4.0+	KRaft (no ZooKeeper)	Full support	ZK controls auto-skip; 3 KRaft controls activate
Confluent Platform 7.x – 8.x	ZK or KRaft	Full support	CP version detected; KG-055 version consistency check

Designed to work with Amazon MSK, Aiven, and Redpanda — any distribution based on Apache Kafka 2.6+ using the standard Kafka Admin API.

Authentication

Every auth mode your cluster supports

Pass credentials via flags, environment variables, or a config file. No plaintext secrets in shell history.

SASL/PLAIN

SASL/SCRAM-SHA-256

SASL/SCRAM-SHA-512

Kerberos (GSSAPI)

SSL/TLS

Mutual TLS (mTLS)

PLAINTEXT (dev)

SASL_SSL

SASL_PLAINTEXT

Reports

Four output formats — one scan

Generate multiple formats in a single run. Regenerate any format later from stored scan JSON without re-scanning.

.json

JSON

Machine-readable output for CI/CD pipelines and scripting.

.html

HTML

Web-viewable report with findings and remediation steps.

.pdf

PDF

Audit-ready document with severity bars, compliance mapping, and optional sign-off page.

.csv

CSV

Tabular export for spreadsheet analysis and custom reporting.

PDF reports include a severity bar chart, compliance framework mapping, and an optional sign-off page (--sign-off "Name, Title") for audit sign-off requirements. Use kafkaguard report generate to regenerate any format from a stored scan.

Integrates with your stack

GitHub Actions

GitLab CI

Jenkins

Slack

Microsoft Teams

Webhook

Prometheus

MinIO / S3

SASL / SCRAM

SSL / TLS

Kerberos

KRaft

FAQ

Common questions

Ready to run your first scan?

Free, agentless, under 90 seconds. No data leaves your network.

Download free →View pricing

Everything you need to audit,prove, and defend.