Enterprise CNAPP
HarborGuard vs Aqua Security
Aqua is a full Cloud-Native Application Protection Platform — runtime, network, IaC, and supply chain. HarborGuard is intentionally narrower: it does container scanning, patching, and compliance reporting extremely well, and integrates with the rest of your stack instead of replacing it.
Aqua's strength is its breadth — it spans build, deploy, and runtime. That's also its tax: you adopt the whole platform or you don't. HarborGuard is the focused option for teams that already have runtime tooling and just want best-in-class container scanning + workflow.
When Aqua Security wins
- You want one vendor across build, deploy, and runtime.
- You need Aqua's runtime drift detection and network policies.
- You're already paying for and standardized on the Aqua platform.
When HarborGuard wins
- You only need scanning, patching, and compliance — not runtime or network.
- You want open source, not vendor lock-in.
- Your runtime stack is Falco / Sysdig / Datadog and you don't want to swap.
- Procurement needs transparent per-user pricing.
Capability matrix
| Capability | HarborGuard | Aqua Security |
|---|---|---|
| Scope | Image scan + patch + compliance | Full CNAPP (image, runtime, network, IaC) |
| License | AGPL-3.0 | Commercial |
| Self-hosted | Yes | Yes (Aqua Enterprise) |
| Bundled scanners | 6 open-source scanners | Aqua Trivy + commercial engine |
| Patching | Buildah / Copa | Aqua vShield |
| Pricing | Public per-user | Sales-led, enterprise quotes |
Frequently asked questions
Aqua acquired Trivy. Are HarborGuard and Aqua running the same scanner?
Yes — Trivy is one of the six scanners HarborGuard runs. The difference is what's around it: HarborGuard adds Grype, Syft, Dockle, OSV, and Dive, with findings deduplicated into one triage queue, plus patching, SLAs, and compliance evidence.
Can HarborGuard replace Aqua entirely?
Only if your scope is image scanning, patching, and compliance. For runtime drift detection, network policies, and forensics you'd still need a runtime tool — Falco, Sysdig, or Datadog work well alongside HarborGuard.