Cloud native application protection platform delivering full-lifecycle container and Kubernetes security with AI-powered behavioral analytics for runtime threat detection. The dedicated Secure AI module extends protection to LLM workloads, detecting OWASP Top 10 for LLM risks, model poisoning, and prompt injection while maintaining supply chain integrity through SBOM generation.
Aqua Security is a cloud native application protection platform covering the full workload lifecycle from CI scanning to Kubernetes runtime enforcement. The Enforcer agent runs on every node, profiles baseline container behavior at the syscall level, and kills deviations — unexpected outbound connections, file writes outside expected paths, privilege escalation — in-line.
CI scanning analyzes container images for CVEs, misconfigurations, malware, and embedded secrets before they reach a registry. IaC and Kubernetes manifest scanning enforce policy before infrastructure is provisioned. The Secure AI module extends the same agent telemetry to LLM workload monitoring, watching for prompt injection, model poisoning, and OWASP LLM Top 10 abuse patterns at the pod network and filesystem level.
Three tiers: Core, Advanced, and Enterprise. Pricing for all three is available only by contacting sales, and there is no free trial.
Key Features
Runtime behavioral enforcement: Enforcer agent profiles baseline container behavior at the syscall level and kills deviations (unexpected network calls, file writes, privilege escalation) in-line without relying on CVE signature matching
Supply chain scanning: CI/CD image scanning covers CVEs, malware, embedded secrets, and misconfigurations before images reach a registry; integrates with Jenkins, GitHub Actions, GitLab CI, and others
Kubernetes admission control: policy-based admission controller blocks non-compliant workloads at deploy time before the runtime Enforcer agent sees them
Secure AI module: monitors LLM inference workloads for prompt injection, model poisoning, OWASP LLM Top 10 abuse patterns, and unexpected data exfiltration at the pod network and filesystem level
IaC and manifest scanning: Terraform, Helm, Kubernetes YAML, and CloudFormation scanned against CIS benchmarks and custom policies in the CI pipeline
Full lifecycle traceability: links each runtime alert back to the original image, the CI build that produced it, and the IaC that provisioned the workload