Diagrams — SDD-04: Prowler


Diagram 1 — Prowler's Multi-Cloud Architecture (Provider-Agnostic Core)

flowchart TB
    CREDS([cloud credentials]) --> ADAPTERS
    subgraph ADAPTERS["Per-Cloud Provider Adapters"]
        AWS[AWS adapter]
        AZURE[Azure adapter]
        GCP[GCP adapter]
        K8S[Kubernetes adapter]
        GH[GitHub adapter]
        M365[Microsoft 365 adapter]
    end
    ADAPTERS --> CORE
    subgraph CORE["Provider-Agnostic Check Engine"]
        CHECKS[600+ AWS checks<br/>+ per-cloud checks<br/>CIS · GDPR · HIPAA · ISO · PCI]
        NORM[Findings Normalization<br/>→ OCSF / ASFF / JSON / CSV / HTML]
        CHECKS --> NORM
    end
    NORM --> OUT
    subgraph OUT["Three-Tier Output"]
        CLI[CLI<br/>operator output]
        API[API<br/>programmatic integration]
        GH_ACTION[GitHub Action<br/>CI/CD creation-time guardrail]
        UI[UI<br/>Prowler Cloud dashboard]
    end

    style CORE fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style ADAPTERS fill:#1a1015,stroke:#5eead4,color:#e4e4e8

Reading: Prowler's architecture is the provider-agnostic core (teal) fed by per-cloud adapters (the extensibility seam). The core runs checks and normalizes findings. The same findings surface through four output tiers. Adding a cloud means writing an adapter — the engine does not change. This is why Prowler covers seven surfaces where single-cloud tools cover one.


Diagram 2 — Prowler vs Scout Suite (Continuous CSPM vs Point-in-Time Audit)

flowchart LR
    subgraph PROWLER["Prowler — Continuous CSPM"]
        P1[600+ checks, multiple clouds]
        P2[CI-integrated (GitHub Action)]
        P3[Structured output (OCSF/ASFF)]
        P4[Attack-path correlation]
        P5[Read-only, operational]
    end
    subgraph SCOUT["Scout Suite — Point-in-Time Audit"]
        S1[Rule-based findings, multi-cloud]
        S2[Offline HTML report]
        S3[Manual assessment baseline]
        S4[No CI integration]
        S5[Assessment, not operational]
    end
    PROWLER -.complementary, not competitive.-> SCOUT

    style PROWLER fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style SCOUT fill:#0d1b2a,stroke:#1b4f72,color:#85c1e9

Reading: Prowler and Scout Suite are different tools for different jobs, often used together. Prowler is the operational CSPM: continuous, CI-integrated, structured for downstream tooling, runs constantly. Scout Suite is the assessment baseline: point-in-time, offline HTML, a snapshot a human reviews during an audit. Prowler answers "is my cloud compliant right now, continuously?"; Scout answers "what does my cloud look like at this moment, in a report I can hand to a client?"


Diagram 3 — The Three-Tier Layering (Same Findings, Three Surfaces)

flowchart TB
    FINDINGS[(Normalized Findings<br/>OCSF / ASFF)] --> CLI
    FINDINGS --> API
    FINDINGS --> UI
    CLI["CLI<br/>operators run scans<br/>terminal output + files"]
    API["API<br/>programmatic integration<br/>SIEM · ticketing · Security Hub"]
    UI["UI (Prowler Cloud)<br/>managed dashboard<br/>trends · prioritization · team view"]

    style FINDINGS fill:#1a1015,stroke:#5eead4,color:#e4e4e8
    style CLI fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style API fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style UI fill:#0d1b2a,stroke:#5eead4,color:#5eead4

Reading: Prowler's three tiers are not three products — they are three surfaces over the same normalized findings. CLI for operators (run a scan, read the output). API for integration (findings flow to SIEM, ticketing, Security Hub). UI for the managed dashboard (trends, prioritization, team visibility). The normalization to OCSF/ASFF is what makes all three possible from one findings stream.


Diagram 4 — Attack-Path Correlation vs Full Graph Traversal (the Prowler to SDD-06 Gap)

flowchart TB
    subgraph PROWLER_AP["Prowler Attack-Path (correlation)"]
        PA1[public S3 finding]
        PA2[over-permissioned role finding]
        PA3[network path finding]
        PA1 --> PA_REL[correlate related findings]
        PA2 --> PA_REL
        PA3 --> PA_REL
        PA_REL --> PATH1[these findings are related<br/>= an attack path EXISTS]
    end
    subgraph FULL_GRAPH["SDD-06 Full Graph Traversal (pmapper/BloodHound)"]
        FG1[IAM principals as nodes]
        FG2[permissions as edges]
        FG3[traverse: shortest escalation path]
        FG1 --> FG_TRAVERSE[graph traversal]
        FG2 --> FG_TRAVERSE
        FG3 --> FG_TRAVERSE
        FG_TRAVERSE --> PATH2[shortest path from A to B<br/>= the actual escalation chain]
    end
    PROWLER_AP -.gap: correlation is not traversal.-> FULL_GRAPH

    style PA_REL fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style FG_TRAVERSE fill:#0d1b2a,stroke:#5eead4,color:#5eead4

Reading: Prowler's attack-path support correlates related findings ("these three findings together form a path"). SDD-06's tools (pmapper, BloodHound) traverse a graph ("the shortest escalation from this low-privilege principal to admin is these three edges"). The difference is the depth of reasoning. Prowler's correlation is valuable because the findings are already collected; bridging to full graph traversal is the harness builder's opportunity — and the subject of SDD-06.

# Diagrams — SDD-04: Prowler

---

## Diagram 1 — Prowler's Multi-Cloud Architecture (Provider-Agnostic Core)

```mermaid
flowchart TB
    CREDS([cloud credentials]) --> ADAPTERS
    subgraph ADAPTERS["Per-Cloud Provider Adapters"]
        AWS[AWS adapter]
        AZURE[Azure adapter]
        GCP[GCP adapter]
        K8S[Kubernetes adapter]
        GH[GitHub adapter]
        M365[Microsoft 365 adapter]
    end
    ADAPTERS --> CORE
    subgraph CORE["Provider-Agnostic Check Engine"]
        CHECKS[600+ AWS checks<br/>+ per-cloud checks<br/>CIS · GDPR · HIPAA · ISO · PCI]
        NORM[Findings Normalization<br/>→ OCSF / ASFF / JSON / CSV / HTML]
        CHECKS --> NORM
    end
    NORM --> OUT
    subgraph OUT["Three-Tier Output"]
        CLI[CLI<br/>operator output]
        API[API<br/>programmatic integration]
        GH_ACTION[GitHub Action<br/>CI/CD creation-time guardrail]
        UI[UI<br/>Prowler Cloud dashboard]
    end

    style CORE fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style ADAPTERS fill:#1a1015,stroke:#5eead4,color:#e4e4e8
```

**Reading**: Prowler's architecture is the provider-agnostic core (teal) fed by per-cloud adapters (the extensibility seam). The core runs checks and normalizes findings. The same findings surface through four output tiers. Adding a cloud means writing an adapter — the engine does not change. This is why Prowler covers seven surfaces where single-cloud tools cover one.

---

## Diagram 2 — Prowler vs Scout Suite (Continuous CSPM vs Point-in-Time Audit)

```mermaid
flowchart LR
    subgraph PROWLER["Prowler — Continuous CSPM"]
        P1[600+ checks, multiple clouds]
        P2[CI-integrated (GitHub Action)]
        P3[Structured output (OCSF/ASFF)]
        P4[Attack-path correlation]
        P5[Read-only, operational]
    end
    subgraph SCOUT["Scout Suite — Point-in-Time Audit"]
        S1[Rule-based findings, multi-cloud]
        S2[Offline HTML report]
        S3[Manual assessment baseline]
        S4[No CI integration]
        S5[Assessment, not operational]
    end
    PROWLER -.complementary, not competitive.-> SCOUT

    style PROWLER fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style SCOUT fill:#0d1b2a,stroke:#1b4f72,color:#85c1e9
```

**Reading**: Prowler and Scout Suite are different tools for different jobs, often used together. Prowler is the operational CSPM: continuous, CI-integrated, structured for downstream tooling, runs constantly. Scout Suite is the assessment baseline: point-in-time, offline HTML, a snapshot a human reviews during an audit. Prowler answers "is my cloud compliant right now, continuously?"; Scout answers "what does my cloud look like at this moment, in a report I can hand to a client?"

---

## Diagram 3 — The Three-Tier Layering (Same Findings, Three Surfaces)

```mermaid
flowchart TB
    FINDINGS[(Normalized Findings<br/>OCSF / ASFF)] --> CLI
    FINDINGS --> API
    FINDINGS --> UI
    CLI["CLI<br/>operators run scans<br/>terminal output + files"]
    API["API<br/>programmatic integration<br/>SIEM · ticketing · Security Hub"]
    UI["UI (Prowler Cloud)<br/>managed dashboard<br/>trends · prioritization · team view"]

    style FINDINGS fill:#1a1015,stroke:#5eead4,color:#e4e4e8
    style CLI fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style API fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style UI fill:#0d1b2a,stroke:#5eead4,color:#5eead4
```

**Reading**: Prowler's three tiers are not three products — they are three surfaces over the same normalized findings. CLI for operators (run a scan, read the output). API for integration (findings flow to SIEM, ticketing, Security Hub). UI for the managed dashboard (trends, prioritization, team visibility). The normalization to OCSF/ASFF is what makes all three possible from one findings stream.

---

## Diagram 4 — Attack-Path Correlation vs Full Graph Traversal (the Prowler to SDD-06 Gap)

```mermaid
flowchart TB
    subgraph PROWLER_AP["Prowler Attack-Path (correlation)"]
        PA1[public S3 finding]
        PA2[over-permissioned role finding]
        PA3[network path finding]
        PA1 --> PA_REL[correlate related findings]
        PA2 --> PA_REL
        PA3 --> PA_REL
        PA_REL --> PATH1[these findings are related<br/>= an attack path EXISTS]
    end
    subgraph FULL_GRAPH["SDD-06 Full Graph Traversal (pmapper/BloodHound)"]
        FG1[IAM principals as nodes]
        FG2[permissions as edges]
        FG3[traverse: shortest escalation path]
        FG1 --> FG_TRAVERSE[graph traversal]
        FG2 --> FG_TRAVERSE
        FG3 --> FG_TRAVERSE
        FG_TRAVERSE --> PATH2[shortest path from A to B<br/>= the actual escalation chain]
    end
    PROWLER_AP -.gap: correlation is not traversal.-> FULL_GRAPH

    style PA_REL fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style FG_TRAVERSE fill:#0d1b2a,stroke:#5eead4,color:#5eead4
```

**Reading**: Prowler's attack-path support correlates related findings ("these three findings together form a path"). SDD-06's tools (pmapper, BloodHound) traverse a graph ("the shortest escalation from this low-privilege principal to admin is these three edges"). The difference is the depth of reasoning. Prowler's correlation is valuable because the findings are already collected; bridging to full graph traversal is the harness builder's opportunity — and the subject of SDD-06.