Overview
Prowler Overview Dashboard 1/3
Prowler Overview Dashboard 1/3
Prowler Overview Dashboard 2/3
Prowler Overview Dashboard 3/3
Prowler Compliance Dashboard

Product video
Prowler Cloud makes AWS Security easy and enables your team to build trusted applications. With Prowler Cloud, you will get the benefits of Prowler Open Source and you will get continuous monitoring, faster execution, personalized support, and visualization of your data with customizable dashboards.
READ THIS TO COMPLETE YOUR ONBOARDING PROCESS
After you have subscribed to the Prowler Cloud product, you will need to set up your Prowler Cloud account. Please refer to the following guide to complete the registration process: https://docs.prowler.com/cloud/aws-marketplace/
Highlights
- Get results in minutes: Prowler gives you continuous monitoring and parallel scans per account which means you get data faster.
- Get the best of Prowler Open Source plus enterprise-grade support and dashboards for compliance and security: By going with Prowler Cloud, you can visualize your data in a variety of easy-to-read, customizable dashboards and receive personalized support and training.
Details
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Trust Center
Buyer guide

Financing for AWS Marketplace purchases
Security credentials achieved
(1)

Pricing
Free trial
Dimension | Description | Cost/unit |
|---|---|---|
Only for legacy Prowler SaaS. | Legacy customers only | $0.01 |
Number of resources monitored monthly by Prowler Cloud (legacy only). | Legacy customers only | $0.30 |
Number of resources scanned monthly by Prowler Cloud (legacy only). | Legacy customers only | $0.03 |
Cloud accounts monitored monthly by Prowler Cloud. | For all new subscriptions. Upto 50K resources per subscription. | $99.00 |
Resources greater than 50K per subscription. | For all new subscriptions | $0.30 |
Vendor refund policy
Custom pricing options
How can we make this page better?
Legal
Vendor terms and conditions
Content disclaimer
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Resources
Vendor resources
Support
Vendor support
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
FedRAMP
GDPR
HIPAA
ISO/IEC 27001
PCI DSS
SOC 2 Type 2
Standard contract
Customer reviews
Using automated compliance checks has improved cloud audits and keeps proof‑of‑concepts ready
What is our primary use case?
I recently used Prowler for a POC use case rather than a production environment. Prowler enables me to keep my POC environment secure so it is ready for promotion to next environments like production or staging.
I primarily use Prowler on my local machine via CLI to scan my platform, mostly for AWS . I use AWS credentials to scan my entire environment. Previously, I ran Prowler on CI/CD by executing the Prowler command in the GitLab runner to scan the whole environment as a pre-scan before deployment to ensure compliance.
What is most valuable?
I appreciate Prowler because when compared to AWS Security Hub , Prowler covers more checks than Security Hub has. Previously, Security Hub only had CIS and some very basic security frameworks, but Prowler offers more. However, there are pros and cons to this. The pro is that Prowler has more checks, but the con is that sometimes the new checks come as a surprise because all these configurations are too new and my team needs more time to review them. They might initially flag as false positives before my team reviews them internally to determine whether the findings are applicable to our environment.
Using Prowler scans is definitely very helpful. Normally when I POC my platform and push to production, we need to go through auditing or external security assessments such as VAPT , which stands for vulnerability assessment penetration testing. Before I go for external assessment, I use Prowler as a threshold to ensure my security is in compliance, so that when I go for external assessment, I am already at least 80% to 90% compliant. This makes my auditing life and assessment life much easier to resolve all findings before pushing to higher environments.
I do have one pain point using Prowler. Every time I use Prowler to output results, they have three formats available: CSV, HTML, and JSON. Whenever I open the CSV file, it is always nested, which makes it very hard to read. For people like product managers who do not code much, it is even more painful to read. I always have to write an automation script using their JSON file to massage the data so it is readable in an Excel file. I do not understand why this is a new issue because way back, their Excel output did not have this problem, but after mid 2023 or 2024, when they started with the new version of Prowler, this issue tends to appear where nested cells in Excel are very painful for us to break down or even filter.
What needs improvement?
Prowler is open source and easy for me to access. I know there are many other tools such as Trend Micro or Trivy . Trivy is open source as well, but because I always use it for my POC environment, I definitely want a route that does not require spending money and at the same time can perform well as a compliance tool compared to the rest of the tools that have to be purchased.
I understand that Prowler updates their checks quite frequently. Sometimes it might be a user issue because we always pull from the latest version. However, because we are using the latest version, it involves issue fixes for existing checks and also new introduced checks. All these new introduced checks sometimes come as a surprise for us because all these configurations might be new and we have to take time to review whether they are applicable to us or not. If a check is not applicable to us, we spend more time to review all these configurations that are not for us. For example, if Prowler released 10 to 20 checks, we have to spend more time to analyze if each one is applicable to us or not.
For how long have I used the solution?
I first used Prowler in 2020, but I am not a very consistent user. I use it on and off, once in a while, approximately once every three to six months on average.
What do I think about the stability of the solution?
I have never encountered downtime with Prowler. It is always available unless they do some feature upgrades. Based on what I know, they previously had a Python library for Prowler, but after some version, they removed the Python feature. I had to look for an alternative which I am trying to use now, but this is a small issue.
What do I think about the scalability of the solution?
I have no scalability issues. The scan is actually pretty fast. I have never encountered any scalability issues, and because I run it on serverless as well, it definitely does not take that much compute.
How are customer service and support?
Prowler's team is quite responsive. I still recall the first time I used it and always raised requests in the GitHub issue page. Sometimes, because it is open source, if I found findings that could be fixed, I also tried to commit some of the changes and let them get reviewed and pulled into the repo. The team is actually quite responsive.
Which solution did I use previously and why did I switch?
Initially I used Scout Suite, but I realized that the number of checks is not as much as Prowler and it is not as granular as Prowler. Scout Suite definitely has some checks that Prowler does not have, but if I do a comparison, Prowler is more detailed with more checks covered as compared to Scout Suite. Definitely for me to be more compliant, I would choose a tool that has more checks. It is better to be safe by doing more.
Previously I used Scout Suite which has lesser checks. Trivy is a tool that recently I realized my organization is using, and I also use Security Hub. However, maybe I am someone who likes to see all these findings in an Excel sheet, which is easier for me to clean up using Excel functions and features. There are quite a number of tools that I know about, and they do output the findings for you, but you cannot really export everything in one shot. A good example is Security Hub. I can actually call CLI or API to gather all the findings for me, but Prowler is just a one click and I can get the output already. I think it is convenient for us to access the output and results compared to the rest. Also, the granular findings that Prowler has compared to the rest covers quite a lot when I compare it to the other tools that I use.
How was the initial setup?
That is why I love Prowler because it is very straightforward and very easy to set up. It is like within three minutes, you can set it up already.
What other advice do I have?
Metrics are not tracked intensely. I do not use metrics to track Prowler's effectiveness, but I just scan, mediate, ensure we are compliant, and then send our product to an external assessment. Whenever we do external assessment, we realize that there are quite a lot of checks that are overlapping.
A complex environment is not very applicable to me because I only use Prowler on my AWS platforms. My infrastructures are pretty straightforward, and I have not encountered any complex situation between Prowler and my AWS platform.
I do not really use customizable checks. I do not know what customizable checks they have.
The only advice I always give to people who use Prowler is to always review the findings that Prowler flags because sometimes these findings might not be applicable to you. It is better to review them properly before you blindly remediate them. I would rate this product a 9 overall.
Which deployment model are you using for this solution?
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Centralized cloud posture has strengthened security and now needs richer AI remediation features
What is our primary use case?
My main use case for Prowler is cloud security posture, which involves testing our cloud infrastructure against different benchmarks. Along with cloud infrastructure, the recent updates in Prowler allow us to check Kubernetes-related vulnerabilities in a single place, helping us to optimize our cloud posture.
My main use case is covered, but we have similar checks in AWS and GCP . However, in Prowler, we have a centralized feature that maps multiple accounts and checks them from one place. Recently, Prowler also introduced AI features that can assist in remediation when allowed, which helps reduce our time to improve the cloud security posture.
What is most valuable?
Prowler offers real-time scanning, which is crucial when improving our cloud security posture, as updates can be immediately reflected on the scoreboard. After implementing Prowler's suggestions, a scan will yield results that demonstrate how much more secure our infrastructure is in the cloud posture.
The real-time scoreboard in Prowler helps us see where we lag and identify practices we aren't implementing, the upgrades we need, and the vulnerabilities present in the infrastructure. It guides us on improving cloud security by recommending best practices for various services, such as ensuring WAF is enabled and Cloud Config and CloudTrail are active for monitoring changes. For new users of Prowler or cloud services, it offers guidance on required monitoring capabilities within the AWS account.
Prowler positively impacts our product-based organization in BFSI by helping protect PII data and ensuring that sensitive information is secure and access is permitted only for authorized users. Prowler introduces security measures, such as recommending the rotation of access keys after 90 days, which we may forget otherwise. Prowler reminds us to rotate keys to minimize risk if the keys are compromised.
What needs improvement?
Prowler currently focuses on cloud services and big vendors, specifically AWS and GCP , but we can improve by including EC2-specific checks, such as identifying open RDP ports. While Prowler supports that, it lacks a suppress feature for false positives reported by users, so this is an area for improvement.
The flow of traffic information is vital, as Prowler requires read-only access to resources. Any user can pinpoint using the network and facilitate remediation. There should also be a dashboard for attack vectors to manage incoming traffic and enhance infrastructure security, making these enhancements beneficial for Prowler's future.
I give Prowler a score of seven or eight due to its inclusion of multiple security policies and the lack of a feature for adding false positives. Additionally, the network architecture features are incomplete even after recent revisions. Improving AI-sourced security posture features would enhance Prowler's value significantly, as would the option to allow automatic remediation for identified issues.
Prowler's AI capabilities are good but just starting, as significant improvements are still needed on that front.
I find the AI features reliable and accurate; we rely on the recommendations provided. However, if Prowler could also include remediation capabilities for users, it would significantly reduce manual efforts, showcasing the potential of AI. It currently summarizes data from Security Hub and AWS documentation, and improving this would be beneficial.
For how long have I used the solution?
We primarily use Prowler since 2022.
What do I think about the stability of the solution?
Prowler is stable in my experience.
What do I think about the scalability of the solution?
Scalability is not a relevant concern for us since we purchased the enterprise license, allowing us to add new capabilities as needed; the Prowler team handles the rest.
How are customer service and support?
The customer support for Prowler is good; due to our established relationship with the Prowler team, we can directly connect with their support for fast issue resolution.
Which solution did I use previously and why did I switch?
We did not use a different solution before Prowler; we have been using Prowler from the beginning, relying on Python libraries initially.
What was our ROI?
I have seen a return on investment with Prowler, as we directly communicated with the Prowler CEO for a discount. We manage over 20 AWS accounts with only two people handling them, and Prowler helps us manage these efficiently, resulting in a yearly cost saving of about $5,000 USD.
Which other solutions did I evaluate?
It wasn't well-known at that time, and while we explored Wiz for its extraordinary features, they were not suitable for our use case, which is why we chose to stick with Prowler.
What other advice do I have?
The flow of traffic information is vital, as Prowler requires read-only access to resources. Any user can pinpoint using the network and facilitate remediation. There should also be a dashboard for attack vectors to manage incoming traffic and enhance infrastructure security, making these enhancements beneficial for Prowler's future. I give Prowler an overall rating of 7.
Which deployment model are you using for this solution?
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Agentless checks have improved multi-cloud compliance and saved significant engineering time
What is our primary use case?
My main use case of Prowler 's is to make our cloud resources compliant and secure our cloud architecture. After setting up the cloud infrastructure, we connect it to Prowler via agentless credentials and conduct compliance checks, and based on those results, we make our cloud compliant. We use Prowler for security purposes, such as being able to see the attack map and all details for our cloud resources.
What is most valuable?
The best feature Prowler offers is agentless integration, so we do not need to deploy any agent in our cloud accounts, and we do not have to provide hard-coded access key and secret key; we just provide the external key and read-only credentials, and it fetches automatically by its schedule type. With an agent, it would be difficult for us, so agentless integration has made things much easier for our team compared to other solutions we have tried.
Prowler's attack map is very good, as we can see the vulnerabilities and unsecure cloud resources from there. Prowler has impacted our organization very positively; the improvements and benefits are that it provides reports agentlessly, we do not need to install any agent across our instancing server, and it is multi-cloud, so we can use it in all cloud resources.
We have different kinds of accounts such as AWS , Azure , and GCP , so we do not have to install multiple agents on multiple clouds; with a single Prowler deployment, we can configure it via agentless API permissions by creating permissions and roles in cloud accounts without doing anything extra for the multi-cloud environments. Prowler's AI capabilities are very good; I have used it many times and find it to be very secure and 99% reliable.
What needs improvement?
One limitation is that after scanning the cloud account, Prowler provides reports of compliance frameworks such as SOC 2 Type 2 and ISO certified, but we only receive an Excel sheet; I think a PDF report along with remediation steps is needed to help us improve our cloud accounts better.
Prowler has a central dashboard, but I believe they could create separate dashboards for each cloud, and cross-account asset discovery is not currently available in Prowler, which could be another improvement. Prowler has a few limitations, such as not being able to auto-remediate findings directly from Prowler and also not being able to download PDF reports; additionally, they only have a central dashboard for AWS , Azure , and GCP , which could be made separate for each cloud.
For how long have I used the solution?
I have been using Prowler for one year.
What do I think about the stability of the solution?
Prowler is 100% stable.
What do I think about the scalability of the solution?
Prowler's scalability is very high; we can use it for any scale of infrastructure, no matter how many cloud resources there are.
How are customer service and support?
Prowler's customer support is very good; we have raised tickets two or three times, and their support team is very responsive and provides excellent assistance. I would rate the customer support ten out of ten because I raised a ticket and they replied within a few minutes.
Which solution did I use previously and why did I switch?
We were not using any other solutions previously; we were just using Excel sheets and manual effort.
What was our ROI?
Prowler has saved us a lot of time, as our engineers previously wasted time manually checking all the configurations of cloud resources maintained in Excel sheets; after switching to Prowler, we save 60 to 70% of our engineers' time, as they no longer need to check each cloud account and resource individually.
What's my experience with pricing, setup cost, and licensing?
I have not deep dived into the pricing and setup cost, but the setup cost is very minimal, and using Prowler's cloud platform requires a small amount of money for securing and complying with our cloud.
Which other solutions did I evaluate?
Before Prowler, we did not evaluate any other options.
What other advice do I have?
The accuracy of Prowler is almost 90% and the reliability is also 95%. I advise teams currently struggling with securing their cloud resources and dealing with compliance auditors to use Prowler, as it requires a very minimal investment for the security and compliance of cloud resources. I gave this review a rating of eight out of ten.
Which deployment model are you using for this solution?
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Automated checks have cut audit effort and ensure our cloud stays compliant and misconfigurations visible
What is our primary use case?
We are currently building a SaaS platform, and in production, we have integrated Prowler. When a CISO audit came for that SaaS platform, we downloaded the report from Prowler and sent it to that CISO. Through this approach, we have achieved compliance without logging into cloud accounts. At one time, we discovered that our public S3 buckets were publicly open; using Prowler, we found out that our public buckets were open, and after that, we disabled them to secure our cloud environment.
We are not using Prowler day-to-day, but we use it when creating a new cloud account or a new environment. After that, we integrate Prowler, check the configuration, and any time an audit comes, we go to Prowler, download any compliance report we need, and send it to the auditors.
What is most valuable?
The agent setup is very smooth; you don't have to do anything complicated. We got CloudFront and CloudStack script; we just have to deploy that and create the policies and roles by itself. After creating that, we just give the external ID for Prowler to access our cloud environment. It is very smooth and easy to set up. After checking all the configurations, Prowler builds the attack map, which shows how hackers might attack our resources using that map, making it very useful for us.
Before using Prowler, we were spending hours of our engineers' efforts on compliance and misconfiguration checks, saving that configuration in Excel sheets. After switching to Prowler, these processes are super smooth and easy, and we are currently saving our engineers' time. We can also do audits on time, ensuring we don't miss deadlines on audits.
Prowler definitely results in faster audits and eliminates human errors, with our engineers saving fifty to sixty percent of the time they previously spent on misconfiguration checks.
What needs improvement?
One feature Prowler can improve is providing PDFs for all the compliances, which would be very useful for users. Also, after identifying misconfigurations, Prowler should have a remediate button so that when using Prowler, we can apply those fixes automatically without going to the cloud and fixing them manually.
What other advice do I have?
The output from Prowler's AI is eighty to ninety percent accurate, and I find it to be ninety-five percent reliable.
My advice for those looking into using Prowler is that small teams or big teams dealing with compliance, or even teams spending hours of engineers' efforts or millions of dollars on compliance, can use Prowler and make their cloud compliant. Everyone can benefit from Prowler, whether you are a small team or a big team, especially if you are investing significant effort and resources in compliance. Prowler is a super useful open-source product to have. I rate this product a nine out of ten.
Which deployment model are you using for this solution?
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Continuous security scans have reduced vulnerabilities and improved compliance in our cloud workloads
What is our primary use case?
My main use case for Prowler is identifying the vulnerabilities in an infrastructure hosted on AWS .
A quick specific example of how I used Prowler to identify vulnerabilities is that in our code build hosted on AWS , we had secrets in plain text that should have been in secrets manager, so it helped us identify the vulnerability that could have caused major problems.
What is most valuable?
The best features Prowler offers include its ability to help us identify vulnerabilities first, which in turn helps us fix them frequently.
When it comes to identifying vulnerabilities, the specific scanning capabilities and reporting features in Prowler that stand out for me are that the findings are presented in a well-documented report.
Prowler has positively impacted my organization by helping us on the security front by improving compliance.
What needs improvement?
Some of the findings in Prowler are not that critical but come in the critical category, so that could be improved. The categorization of vulnerabilities could be improved.
For how long have I used the solution?
I have used Prowler for an extended period.
What do I think about the stability of the solution?
Prowler is stable.
What do I think about the scalability of the solution?
Prowler's scalability is good.
How are customer service and support?
Prowler's customer support is good.
What was our ROI?
I have seen a return on investment as compliance has been improved.
What's my experience with pricing, setup cost, and licensing?
My experience with pricing, setup cost, and licensing is positive.
What other advice do I have?
Prowler is a good software; I recommend it. It helps reduce vulnerabilities. On a scale of one to ten, I would rate Prowler an eight because of the features and limitations mentioned above. I give it this rating because it is a good software that helps reduce vulnerabilities.