flowchart TB
CREDS([cloud credentials]) --> ADAPTERS
subgraph ADAPTERS["Per-Cloud Provider Adapters"]
AWS[AWS adapter]
AZURE[Azure adapter]
GCP[GCP adapter]
K8S[Kubernetes adapter]
GH[GitHub adapter]
M365[Microsoft 365 adapter]
end
ADAPTERS --> CORE
subgraph CORE["Provider-Agnostic Check Engine"]
CHECKS[600+ AWS checks<br/>+ per-cloud checks<br/>CIS · GDPR · HIPAA · ISO · PCI]
NORM[Findings Normalization<br/>→ OCSF / ASFF / JSON / CSV / HTML]
CHECKS --> NORM
end
NORM --> OUT
subgraph OUT["Three-Tier Output"]
CLI[CLI<br/>operator output]
API[API<br/>programmatic integration]
GH_ACTION[GitHub Action<br/>CI/CD creation-time guardrail]
UI[UI<br/>Prowler Cloud dashboard]
end
style CORE fill:#0d1b2a,stroke:#5eead4,color:#5eead4
style ADAPTERS fill:#1a1015,stroke:#5eead4,color:#e4e4e8
Reading: Prowler's architecture is the provider-agnostic core (teal) fed by per-cloud adapters (the extensibility seam). The core runs checks and normalizes findings. The same findings surface through four output tiers. Adding a cloud means writing an adapter — the engine does not change. This is why Prowler covers seven surfaces where single-cloud tools cover one.
flowchart LR
subgraph PROWLER["Prowler — Continuous CSPM"]
P1[600+ checks, multiple clouds]
P2[CI-integrated (GitHub Action)]
P3[Structured output (OCSF/ASFF)]
P4[Attack-path correlation]
P5[Read-only, operational]
end
subgraph SCOUT["Scout Suite — Point-in-Time Audit"]
S1[Rule-based findings, multi-cloud]
S2[Offline HTML report]
S3[Manual assessment baseline]
S4[No CI integration]
S5[Assessment, not operational]
end
PROWLER -.complementary, not competitive.-> SCOUT
style PROWLER fill:#0d1b2a,stroke:#5eead4,color:#5eead4
style SCOUT fill:#0d1b2a,stroke:#1b4f72,color:#85c1e9
Reading: Prowler and Scout Suite are different tools for different jobs, often used together. Prowler is the operational CSPM: continuous, CI-integrated, structured for downstream tooling, runs constantly. Scout Suite is the assessment baseline: point-in-time, offline HTML, a snapshot a human reviews during an audit. Prowler answers "is my cloud compliant right now, continuously?"; Scout answers "what does my cloud look like at this moment, in a report I can hand to a client?"
flowchart TB
FINDINGS[(Normalized Findings<br/>OCSF / ASFF)] --> CLI
FINDINGS --> API
FINDINGS --> UI
CLI["CLI<br/>operators run scans<br/>terminal output + files"]
API["API<br/>programmatic integration<br/>SIEM · ticketing · Security Hub"]
UI["UI (Prowler Cloud)<br/>managed dashboard<br/>trends · prioritization · team view"]
style FINDINGS fill:#1a1015,stroke:#5eead4,color:#e4e4e8
style CLI fill:#0d1b2a,stroke:#5eead4,color:#5eead4
style API fill:#0d1b2a,stroke:#5eead4,color:#5eead4
style UI fill:#0d1b2a,stroke:#5eead4,color:#5eead4
Reading: Prowler's three tiers are not three products — they are three surfaces over the same normalized findings. CLI for operators (run a scan, read the output). API for integration (findings flow to SIEM, ticketing, Security Hub). UI for the managed dashboard (trends, prioritization, team visibility). The normalization to OCSF/ASFF is what makes all three possible from one findings stream.
flowchart TB
subgraph PROWLER_AP["Prowler Attack-Path (correlation)"]
PA1[public S3 finding]
PA2[over-permissioned role finding]
PA3[network path finding]
PA1 --> PA_REL[correlate related findings]
PA2 --> PA_REL
PA3 --> PA_REL
PA_REL --> PATH1[these findings are related<br/>= an attack path EXISTS]
end
subgraph FULL_GRAPH["SDD-06 Full Graph Traversal (pmapper/BloodHound)"]
FG1[IAM principals as nodes]
FG2[permissions as edges]
FG3[traverse: shortest escalation path]
FG1 --> FG_TRAVERSE[graph traversal]
FG2 --> FG_TRAVERSE
FG3 --> FG_TRAVERSE
FG_TRAVERSE --> PATH2[shortest path from A to B<br/>= the actual escalation chain]
end
PROWLER_AP -.gap: correlation is not traversal.-> FULL_GRAPH
style PA_REL fill:#0d1b2a,stroke:#5eead4,color:#5eead4
style FG_TRAVERSE fill:#0d1b2a,stroke:#5eead4,color:#5eead4
Reading: Prowler's attack-path support correlates related findings ("these three findings together form a path"). SDD-06's tools (pmapper, BloodHound) traverse a graph ("the shortest escalation from this low-privilege principal to admin is these three edges"). The difference is the depth of reasoning. Prowler's correlation is valuable because the findings are already collected; bridging to full graph traversal is the harness builder's opportunity — and the subject of SDD-06.
# Diagrams — SDD-04: Prowler
---
## Diagram 1 — Prowler's Multi-Cloud Architecture (Provider-Agnostic Core)
```mermaid
flowchart TB
CREDS([cloud credentials]) --> ADAPTERS
subgraph ADAPTERS["Per-Cloud Provider Adapters"]
AWS[AWS adapter]
AZURE[Azure adapter]
GCP[GCP adapter]
K8S[Kubernetes adapter]
GH[GitHub adapter]
M365[Microsoft 365 adapter]
end
ADAPTERS --> CORE
subgraph CORE["Provider-Agnostic Check Engine"]
CHECKS[600+ AWS checks<br/>+ per-cloud checks<br/>CIS · GDPR · HIPAA · ISO · PCI]
NORM[Findings Normalization<br/>→ OCSF / ASFF / JSON / CSV / HTML]
CHECKS --> NORM
end
NORM --> OUT
subgraph OUT["Three-Tier Output"]
CLI[CLI<br/>operator output]
API[API<br/>programmatic integration]
GH_ACTION[GitHub Action<br/>CI/CD creation-time guardrail]
UI[UI<br/>Prowler Cloud dashboard]
end
style CORE fill:#0d1b2a,stroke:#5eead4,color:#5eead4
style ADAPTERS fill:#1a1015,stroke:#5eead4,color:#e4e4e8
```
**Reading**: Prowler's architecture is the provider-agnostic core (teal) fed by per-cloud adapters (the extensibility seam). The core runs checks and normalizes findings. The same findings surface through four output tiers. Adding a cloud means writing an adapter — the engine does not change. This is why Prowler covers seven surfaces where single-cloud tools cover one.
---
## Diagram 2 — Prowler vs Scout Suite (Continuous CSPM vs Point-in-Time Audit)
```mermaid
flowchart LR
subgraph PROWLER["Prowler — Continuous CSPM"]
P1[600+ checks, multiple clouds]
P2[CI-integrated (GitHub Action)]
P3[Structured output (OCSF/ASFF)]
P4[Attack-path correlation]
P5[Read-only, operational]
end
subgraph SCOUT["Scout Suite — Point-in-Time Audit"]
S1[Rule-based findings, multi-cloud]
S2[Offline HTML report]
S3[Manual assessment baseline]
S4[No CI integration]
S5[Assessment, not operational]
end
PROWLER -.complementary, not competitive.-> SCOUT
style PROWLER fill:#0d1b2a,stroke:#5eead4,color:#5eead4
style SCOUT fill:#0d1b2a,stroke:#1b4f72,color:#85c1e9
```
**Reading**: Prowler and Scout Suite are different tools for different jobs, often used together. Prowler is the operational CSPM: continuous, CI-integrated, structured for downstream tooling, runs constantly. Scout Suite is the assessment baseline: point-in-time, offline HTML, a snapshot a human reviews during an audit. Prowler answers "is my cloud compliant right now, continuously?"; Scout answers "what does my cloud look like at this moment, in a report I can hand to a client?"
---
## Diagram 3 — The Three-Tier Layering (Same Findings, Three Surfaces)
```mermaid
flowchart TB
FINDINGS[(Normalized Findings<br/>OCSF / ASFF)] --> CLI
FINDINGS --> API
FINDINGS --> UI
CLI["CLI<br/>operators run scans<br/>terminal output + files"]
API["API<br/>programmatic integration<br/>SIEM · ticketing · Security Hub"]
UI["UI (Prowler Cloud)<br/>managed dashboard<br/>trends · prioritization · team view"]
style FINDINGS fill:#1a1015,stroke:#5eead4,color:#e4e4e8
style CLI fill:#0d1b2a,stroke:#5eead4,color:#5eead4
style API fill:#0d1b2a,stroke:#5eead4,color:#5eead4
style UI fill:#0d1b2a,stroke:#5eead4,color:#5eead4
```
**Reading**: Prowler's three tiers are not three products — they are three surfaces over the same normalized findings. CLI for operators (run a scan, read the output). API for integration (findings flow to SIEM, ticketing, Security Hub). UI for the managed dashboard (trends, prioritization, team visibility). The normalization to OCSF/ASFF is what makes all three possible from one findings stream.
---
## Diagram 4 — Attack-Path Correlation vs Full Graph Traversal (the Prowler to SDD-06 Gap)
```mermaid
flowchart TB
subgraph PROWLER_AP["Prowler Attack-Path (correlation)"]
PA1[public S3 finding]
PA2[over-permissioned role finding]
PA3[network path finding]
PA1 --> PA_REL[correlate related findings]
PA2 --> PA_REL
PA3 --> PA_REL
PA_REL --> PATH1[these findings are related<br/>= an attack path EXISTS]
end
subgraph FULL_GRAPH["SDD-06 Full Graph Traversal (pmapper/BloodHound)"]
FG1[IAM principals as nodes]
FG2[permissions as edges]
FG3[traverse: shortest escalation path]
FG1 --> FG_TRAVERSE[graph traversal]
FG2 --> FG_TRAVERSE
FG3 --> FG_TRAVERSE
FG_TRAVERSE --> PATH2[shortest path from A to B<br/>= the actual escalation chain]
end
PROWLER_AP -.gap: correlation is not traversal.-> FULL_GRAPH
style PA_REL fill:#0d1b2a,stroke:#5eead4,color:#5eead4
style FG_TRAVERSE fill:#0d1b2a,stroke:#5eead4,color:#5eead4
```
**Reading**: Prowler's attack-path support correlates related findings ("these three findings together form a path"). SDD-06's tools (pmapper, BloodHound) traverse a graph ("the shortest escalation from this low-privilege principal to admin is these three edges"). The difference is the depth of reasoning. Prowler's correlation is valuable because the findings are already collected; bridging to full graph traversal is the harness builder's opportunity — and the subject of SDD-06.