🧠 Humans of Cyber | Toni de la Fuente
Prowler: Open-source, agentless multi-cloud CSPM. From 2016 CLI tool to 2026 AI-driven platform with attack-path context & automated fixes.
Cloud security stopped being a perimeter problem years ago. The hard part now is governance at speed: thousands of services, ephemeral infrastructure, sprawling identities, and misconfigurations that can become exploitable in minutes.
Prowler’s trajectory tracks that reality. It began as a practical AWS auditing tool and expanded into a multi-cloud, agentless posture platform with attack-path context and AI-assisted remediation workflows.
The people and operating philosophy
Prowler started in 2016 as a practitioner-built tool by Toni de la Fuente, shaped by hands-on security operations, incident response, and forensic realities inside cloud environments. The early design bias is still visible: fast scans, clear outputs, and checks that map to real-world failure modes.
In 2023, Prowler formalized into a company and widened its leadership bench. The partnership with Casey Rosenthal, known for shaping chaos engineering into an industry discipline, reflects a key idea that runs through the platform: cloud security and resilience are inseparable. The operational model is not “audit and forget,” but “measure continuously, reduce risk iteratively.”
The organization expanded with roles focused on scale, product execution, and customer adoption, including Rajiv Taori (COO), Amit Sharma (Head of Product), and Rosa Rivas (Customer Success), alongside continued community contribution.
What Prowler is today
Prowler is best understood as an agentless cloud security posture platform that validates configuration and control alignment across cloud and cloud-adjacent environments.
Its core capabilities sit across three practical domains:
Posture management (CSPM): security baselines, framework alignment, misconfiguration discovery
Entitlement awareness (CIEM-adjacent): identity permissions, risky access patterns, privilege paths
Readiness for response: repeatable assessment outputs that support triage and remediation planning
A key differentiator is the “detections as code” nature of its checks. Teams can inspect, extend, and operationalize controls without waiting for a vendor roadmap.
Where it runs and what it can assess
Prowler’s footprint is shaped by cloud reality: it can be executed wherever teams work, as long as it can reach cloud APIs with appropriately scoped credentials.
Common execution patterns include:
Local engineer workstation for targeted assessments
Scheduled runs from a dedicated VM
Kubernetes jobs for recurring posture validation
CI/CD steps (GitHub Actions, GitLab CI) to prevent drift and risky infrastructure changes
By 2026, the scope spans major cloud platforms, Kubernetes, and a growing set of SaaS environments. The practical value is centralization: one assessment approach, multiple providers, consistent reporting concepts.
How it works in practice
Prowler’s workflow is most useful when it is understood as a pipeline, not a point-in-time scanner.
1) Agentless collection through cloud APIs
Prowler queries provider APIs using scoped identities (IAM roles, service principals, equivalent read-only audit permissions) to collect configuration state and security-relevant metadata. This avoids host agents and reduces operational overhead.
2) Control evaluation and prioritization
Collected data is evaluated against security checks aligned with common standards and frameworks. Findings are then prioritized using risk-weighting logic such as ThreatScore, which is intended to separate “fix soon” from “fix now.”
3) Context building with relationship mapping
For environments where it is enabled, graph-based modeling builds relationships between identities, permissions, and resources to surface likely escalation and lateral movement routes. This is where posture turns into adversary-relevant context.
4) Remediation workflows, increasingly inside developer systems
Modern cloud security succeeds when it closes the loop. Prowler’s direction leans into that by supporting guided remediation workflows, including PR-based fixes and AI-assisted explanations that translate findings into actionable changes.
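To make the four steps above concrete, and to show the "detections as code" idea from earlier, here is an added toy pipeline (my own illustration, not Prowler's code): it runs pluggable checks over a constructed snapshot of collected state, ranks failures with a made-up score that stands in for ThreatScore, and walks a role-assumption graph to surface escalation chains. Every bucket, principal and weight is constructed.

```python
from collections import deque

# Constructed snapshot standing in for state an agentless collector pulls from
# cloud APIs (not real account data): buckets, principals, and trust edges.
SNAPSHOT = {
    "buckets": [
        {"name": "public-logs", "public": True, "encrypted": False},
        {"name": "private-data", "public": False, "encrypted": True},
    ],
    "principals": {
        "user:ci-bot": {"can_assume": ["role:deploy"], "admin": False},
        "role:deploy": {"can_assume": ["role:admin"], "admin": False},
        "role:admin": {"can_assume": [], "admin": True},
        "user:analyst": {"can_assume": [], "admin": False},
    },
}
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}

# Checks as code: each returns (check_id, resource, passed, severity, fix).
def check_bucket_public(snap):
    return [("s3_bucket_public", b["name"], not b["public"], "high",
             "Enable Block Public Access") for b in snap["buckets"]]

def check_bucket_encrypted(snap):
    return [("s3_bucket_encrypted", b["name"], b["encrypted"], "medium",
             "Enable default encryption") for b in snap["buckets"]]

def prioritized_findings(snap):
    """Run all checks; rank failures by a constructed score (severity weight,
    doubled for publicly exposed resources), a stand-in for ThreatScore."""
    exposed = {b["name"] for b in snap["buckets"] if b["public"]}
    findings = []
    for check in (check_bucket_public, check_bucket_encrypted):
        for cid, res, passed, sev, fix in check(snap):
            if not passed:
                score = SEVERITY_WEIGHT[sev] * (2 if res in exposed else 1)
                findings.append({"check": cid, "resource": res, "score": score, "fix": fix})
    return sorted(findings, key=lambda f: f["score"], reverse=True)

def escalation_paths(snap):
    """Breadth-first walk over role-assumption edges: for each non-admin
    principal, the shortest chain that reaches an admin role, if any."""
    paths = {}
    for start, attrs in snap["principals"].items():
        queue = deque([[start]]) if not attrs["admin"] else deque()
        while queue and start not in paths:
            path = queue.popleft()
            for nxt in snap["principals"][path[-1]]["can_assume"]:
                if nxt in path:
                    continue
                if snap["principals"][nxt]["admin"]:
                    paths[start] = path + [nxt]
                    break
                queue.append(path + [nxt])
    return paths
```

In a real deployment the snapshot comes from scoped read-only API calls and the score and graph feed the remediation step; here they are kept in memory so the ranking and path logic can be inspected on their own.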
Why teams keep adopting it
Prowler’s adoption story is fundamentally about trust and practicality.
Transparency: checks can be inspected, tuned, and validated internally
Speed to value: agentless scans reduce rollout complexity
Developer fit: works in CLI and pipeline-first environments
Cost curve: open-source access keeps posture validation reachable for smaller teams
Breadth: multi-cloud and SaaS realities are treated as the default, not an add-on
It is also a response to two persistent operating constraints in cloud security:
alert fatigue from noisy, context-poor findings
skills scarcity that makes manual triage unsustainable at scale
The timeline that matters (2016–2026)
Prowler’s evolution can be tracked through its pivots:
2016: released as an open-source AWS auditing tool focused on best practices and CIS-aligned checks
2023: incorporated as a company; expanded scope beyond single-cloud posture
2024: funding and platform acceleration; launch of the next-generation managed offering (Prowler Cloud)
2025: deeper AI integration, including Lighthouse AI and MCP-based workflows
2026: guided remediation features such as an Autonomous Fixer and continued expansion into SaaS and supply-chain-adjacent risk
The underlying theme is consistent: posture assessment moved from periodic audits to continuous, workflow-native governance.
AI features that matter, and what they are for
Prowler’s AI direction aligns with a practical constraint: teams want less toil, not blind automation.
The AI layer is most valuable when it:
explains findings in plain operational terms
proposes remediation options that reflect cloud context
reduces time spent translating controls into actions
supports human-in-the-loop workflows instead of autonomous changes
Two concepts are central here:
Lighthouse AI: designed to interpret findings and recommend context-aware remediations
MCP server integration: designed to let assistants and IDE workflows query posture context directly, so security data becomes usable where infrastructure is authored and reviewed
This is the “copilot” model: reduce cognitive load while keeping accountability with engineers.
How it sits against the market
The CSPM market is crowded, and many platforms lead with polished UX and deep SaaS telemetry. Prowler’s strategic posture is different:
open-source credibility and inspectable checks
workflow-first execution (CLI, pipelines, PRs)
an agentless approach that reduces operational friction
a managed SaaS path for teams that want hosted infrastructure, RBAC, and ongoing operations
That makes it a credible alternative in environments where “black box security” is a non-starter, or where cost and customization constraints block enterprise-only CSPM suites.
What to watch next
Prowler’s direction into 2026 emphasizes three pressure points in modern cloud security:
supply chain and SaaS controls becoming first-class posture targets
attack-path context replacing raw finding counts as the unit of decision-making
remediation automation that stays supervised, auditable, and reversible
Version milestones and conference demos matter less than whether teams can operationalize posture continuously without overwhelming the people who have to fix it.
Built by, and still shaped by
Prowler is closely associated with Toni de la Fuente, whose original engineering decisions set the tool’s practitioner-first identity. As the platform expanded, Casey Rosenthal helped reinforce the resilience-driven framing that cloud security needs: systems must be designed to withstand failure modes, not just pass checks.
The current platform is also the result of sustained work from a broad contributor base that continues to expand coverage, improve checks, and keep the engine aligned with how cloud environments actually evolve.
Copyright © 2026 911Cyber. All Rights Reserved.