3 Best Cloud, Container, & Data Lake Vulnerability Scanning Tools

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

As organizations move to the cloud and implement virtualized infrastructure, IT and security teams need to scan those assets for vulnerabilities. This article will highlight three specialized tools that can be considered for any organization’s vulnerability scanning tool arsenal.

Additionally, this article will provide the Best Cloud, Container, and Data Lake Vulnerability Scanning Tool Criteria. That section explains what research went into creating this list of tools and how many other technologies that include vulnerability scanning features did not make the list.

AWS Vulnerability Scanning Tool: Amazon Inspector

Organizations using Amazon Web Services can consider using Amazon Inspector as a specialty tool to scan their AWS workloads.

Amazon Inspector dashboard

Key Features

  • Ongoing automated and continuous vulnerability scanning for AWS Elastic Compute Cloud (EC2), Lambda functions, and container images
  • Discovers and scans workloads
  • Checks for vulnerabilities and network exposure
  • Assigns a highly accurate risk score to help prioritize remediation
  • Integrates with Amazon EventBridge and AWS Security Hub


  • One consolidated scan for an entire AWS infrastructure
  • Easy to implement and use


  • Does not enable users to ignore findings
  • Billing can become tricky when integrated with other AWS tools
  • Does not aggregate findings across accounts
  • Does not scan other cloud instances


New accounts can try Amazon Inspector for 15 days to evaluate the service and estimate ongoing costs. AWS also provides a cost calculator and potential customers will need to know their region (US East (Ohio), etc.) and the number of instances. As a representative cost, in US East (Ohio):

  • $1.2528 / instance for Amazon EC2 instances scanned per month
  • $0.09 / image for Amazon ECR container images per month
  • $0.01 / rescan for automated rescans of Amazon ECR containers per month
  • $0.30 / Lambda function scanned per month

AWS bases the cost on the number of workloads scanned in a given month, with no minimum fees and no upfront commitments. Many instances and functions will be intermittent and AWS prorates the price based on the total time for that month. Container pricing is based on the initial number of containers in the month and the number of rescans made on those images.

Cloud & Kubernetes Specialist: Wiz

Wiz developed their cloud-native Cloud Infrastructure Security Platform to focus on the needs of virtualized infrastructure, containers, and the cloud. Wiz scans multi-cloud, Platform-as-a-Service (PaaS), virtual machine, containers, serverless functions, and other cloud infrastructure without affecting business operations or stealing resources from active workloads and processes.

Wiz dashboard

Key Features

  • Native connections to AWS, Azure, Google Cloud, Oracle Cloud and Alibaba Cloud
  • Built-in support for Kubernetes on multiple platforms
  • Can scan infrastructure-as-code and cloud infrastructure entitlement management
  • Incorporates zero-day risks sourced from the Wiz research team



  • Users report setup can be cumbersome and tedious
  • Integrations can be difficult or incomplete
  • Actions must be established for each project for scanning they cannot be cloned


Wiz does not list pricing, but does offer custom pricing for customers. A 12-month contract for the Cloud Infrastructure Security Platform is listed on the AWS marketplace as $300,000 for all five product levels (Standard, Essential, Essential Plus, Advanced, Advanced Plus).

Data Lakes and Large-Scale Data Storage Vulnerabilities: IBM Guardium Vulnerability Assessment

IBM developed their portfolio of Guardium products to provide data security for the modern, large-scale data storage environment. Guardium Vulnerability Assessment tool scans the databases, data warehouses, data lakes, and other components of big data infrastructure to detect vulnerabilities based on Security Technical Implementation Guides (STIG), Center for Internet Security (CIS), CVE, and other standards.

IBM Guardium interface

Key Features

  • Scans for missing patches, weak passwords, unauthorized changes, misconfigured privileges, excessive administrative logins, and behavioral anomalies such as after-hours activities
  • Recommends steps to harden database security


  • Discovers databases automatically
  • Automatically locates vulnerabilities and suggests remediations
  • Sends real time alerts and notifications
  • Available as part of Guardium Data Protection or as a stand-alone tool


  • Complex to deploy and may require expert consulting to implement
  • Error logs can be confusing


IBM does not publish pricing but notes that the cost will vary depending on the environment and configuration. Potential customers are encouraged to contact IBM or IBM resellers for a formal discussion and quotation.

Best Cloud, Container, and Data Lake Vulnerability Scanning Tool Criteria

To create this list, we surveyed a broad array of websites, vendor materials, and customer reviews to create a pool of qualified candidates based upon capabilities and reputation. We then filtered the list specifically for vendors that provide vulnerability scanning for cloud, container, and data lake infrastructure.

A large number of open-source vulnerability scanners exist for containers, however, there does not seem to be much consensus regarding the best tools. Three tools under consideration, Clair, Dagda, and OpenSCAP have only GitHub repositories and basic documentation. All also seem to require heavy programming experience to use them and significant limitations to what and how they scan so we did not select any for this best-of list.

Many highly-reputable or capable tools were excluded from consideration from this list because they did not fit the vulnerability scanner or specialized tool criteria:

Each of these tools can deliver vulnerability scanning capabilities, and should be considered for adoption — but only if an organization needs to use the other associated capabilities of these more comprehensive tools. This article assumes that the reader already has capabilities for other infrastructure and is seeking a specialty tool for specialized vulnerability scanning.

Bottom Line: Cloud, Container and Data Lake Vulnerability Scanners

The small number of specialty scanning tools for the cloud, containers, and data lakes suggests that this category may become absorbed as features of other tools in the near future. Still, any organization using this infrastructure will continue to need to scan the assets for potential vulnerabilities.

Regardless of whether an organization determines that a specialty tool or a more comprehensive solution provides the best fit for the organization’s needs, the scans must be performed. Cloud, container, and data lake infrastructure can be more difficult to configure and more easily exposed to remote attack than many other assets. Identifying potential security vulnerabilities before an external attacker provides a foundational step in every security process.

For more information on Vulnerability Scanning Options see:

Get the Free Cybersecurity Newsletter

Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Chad Kime Avatar

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.

Top Cybersecurity Companies

Top 10 Cybersecurity Companies

See full list

Get the Free Newsletter!

Subscribe to Cybersecurity Insider for top news, trends & analysis