Risky Business - Risky Biz Soap Box: Prowler, the open cloud security platform
Episode Date: July 14, 2025. In this sponsored Soap Box edition of the Risky Business podcast Patrick Gray chats with Toni de la Fuente, founder of open source multi-cloud security product Prowler. ... Toni explains how Prowler came to be, and how its journey followed his own learning about the cloud. The pair also discuss Prowler's successful transition from an open-source project into a community, and now a growing business with an as-a-service platform. This episode is also available on YouTube.
Transcript
Hey everyone and welcome to this special Soapbox edition of the Risky Business Podcast.
My name's Patrick Gray.
For those who don't know, every single edition of Soapbox is wholly sponsored and that means
everyone you hear in one of these Soapbox editions paid to be here.
Today we are speaking with Toni de la Fuente who is the founder of Prowler.
Now Prowler is a really interesting open source project and now company that was founded nearly
a decade ago.
So it's cloud security, a cloud security platform that really has nearly been around for 10
years and it is very popular.
Has a million contributors, a million stars on GitHub sort of thing, and yeah,
works really well. It's multi-cloud, covers off everything, started as an AWS project, but now
kind of covers everything. So in this interview with Tony, we really just talked about the origins
of Prowler. He created it to solve a problem. He's a security practitioner, he's worked as a cloud
security architect, he's worked as a
pen tester and yeah as you're going to hear, Prowler really just was born of necessity. He needed
to create something to just get his job done and then it just sort of went from there.
So here is a nice half-hour conversation with Toni de la Fuente where we talk all about Prowler,
you know, where it came from, where it's going. It's all very interesting stuff and I do hope you enjoy it. Cheers.
So in 2016, I had all of a sudden like 30 AWS accounts to manage and to assess, and
I had no idea what to do. By that time, I think there were a couple of tools, but not
very comprehensive tools
or not very easy for me at least.
And also I wanted to learn how to perform the assessment,
but also the hardening of initially AWS,
30 AWS accounts.
So what I did was I started reading about hardening S3,
EC2 and RDS.
And I said, okay, I'm going to do this just once.
I'm going to automate everything with the AWS CLI.
And I started writing probably without even knowing it,
a wrapper of the CLI to check only security configurations,
misconfigurations basically related to security, right?
And I started with S3, EC2,
and everything for the first CIS AWS security benchmark.
And that was what I released.
The first version of Prowler was a basic way of assessing AWS,
all regions and all the supported services in just one line in a bash script.
The point is, whatever you run, Prowler always went through all the regions and all the supported
services. So you don't
have to configure anything that was the good thing and using the same credentials
and the same patterns as in the AWS CLI that everybody is
familiar with, right? So it was very easy to use because you get red if you have
something to fix and green if it's well configured.
So very, very straightforward.
And in a matter of weeks or months,
I did a couple of conferences
talking about cloud security, hardening,
because I've been doing also digital forensics.
And I started some articles about digital forensics in the cloud and how
to perform incident response and forensics.
Talking also about Prowler because Prowler has categories.
One of the categories of Prowler is forensics readiness.
So do you have all the logging enabled and all that stuff. So Prowler started becoming popular by that time
and started getting more and more GitHub stars.
And over the years was getting more developers,
community contributions, many different companies
using Prowler and asking me for new features.
And it was my pet project because I started something for my needs, but I realized that
I needed to put many more hours than just work hours, right?
Because I have many other things to do, of course.
And many years later, I joined AWS.
And was it the fact that you were the Prowler guy that got you the job at AWS?
I can't imagine it hurt.
Um, it helped a lot.
Yeah.
Yeah.
It helped a lot by that time because I tried to join AWS many times
and it never worked out.
Probably because I wasn't ready, probably because I didn't prepare the interviews
very well back in the days, or probably because my English wasn't very good, or everything
together.
But at some point when Prowler was way more popular, everything went very well in the
hiring process and I ended up joining AWS.
Just to step back there for a moment, right?
So you said like all of a sudden, you know, you've written this one thing
that's like command line, very simple, very easy.
You don't have to configure it to look specifically anywhere because it looks everywhere
and you just get green or red, right?
Like I 100% understand how you get up at a conference and say,
I built this like single line tool,
you know, that you just feed it a cred and it will go and do this for you.
I can understand why people are going to start using that.
But like everybody talks about how they'll contribute to open source software, but nobody
ever actually does.
Right?
So I'm wondering how did this, who was it who was jumping on this?
Was it other practitioners?
Was it pen testers?
Like how did you actually get people to put time into this as a project?
Because that's like so hard.
Well, the goal was to not to make this hard because cloud security is hard already, right?
So to create Prowler checks and Prowler categories and compliance frameworks in Prowler
from the day one was very easy.
Very easy.
So, and I wanted also to add good documentation.
I always loved to write blog posts, documentation, et cetera.
So that helped a lot.
Yeah.
Okay.
So you're like the one guy on the planet who likes writing documentation, but yeah, cool.
Go on.
I mean, I wouldn't say I love writing documentation, but I, I've been
writing in my blog, in my personal blog posts many, many years.
Um, so, and it's something that I mean, I like to communicate what is needed
and the how-tos and, and, you know, uh, tutorials and all that stuff.
So I wanted to help myself first to learn hardening
and assessment of the cloud security,
but also I wanted to help others.
Basically that is the key of open source, right?
And challenging myself every time that there is a new threat
in the cloud or new service for AWS back in the days.
Now it's pretty much any cloud.
Um, so that was very, very good because, I mean, vulnerabilities were everywhere, right?
Um, insecure APIs or API calls, all that stuff.
So that was a way for me to stay up to date with all that was happening,
everything that was happening in the cloud.
Yeah, so it sort of became a way for you to, you know,
a sort of cornerstone of your way to understand
what was happening in your field, I guess, is like,
well, I have to learn about this new thing
that we need to check for.
And the best way to do that is by writing a check
for this framework that I've got.
Yep, basically when I started with computers, that was when I was 19,
I got amazed within the internet, right? And the different protocols. And I started learning
internet protocols. Do you remember that there are really books for SNMP or POP3, IMAP, all that stuff? I have all those books because I love to learn from the very basic or the foundation of the internet.
With the cloud, what I did with Prowler was more or less the same but for services.
For example, SQS. Okay, let's learn about SQS security and everything
that you can do to secure SQS is something that I implemented in Prowler.
Then SNS, then S3, everything related to VPCs, everything related to security
groups, all that stuff. Or then AWS released the Elasticsearch service
that is now open source, right?
I did all the security checks for them
because I wanted to know all the security misconfigurations
and threats and the hardening of that service.
So that was a way for me to become kind of an expert.
I don't consider myself an expert
because the cloud is very,
very, very broad, right? But it helped me a lot to learn how to do different configurations in the
cloud and understand the APIs and how all that stuff works in the cloud.
Just going back though, because we've established how you are able to flush out contributors. What's the loose demographic info for a Prowler contributor?
Are they also just like cloud security architects or admins or just a whole mix?
Because you've got quite a few contributors now, right?
So I'd imagine it's pretty broad now, but...
250 or almost 300 in global contributors?
The point of the cloud is that everybody
that moves to the cloud has at some point,
or realize at some point, how important security is.
So we have, of course, the cloud security practitioners,
pen testers, cloud architects, not cloud security architects, but also cloud
security architects.
Yeah.
The ones who get given big binders full of compliance requirements and are told by the
board that they have to meet them.
Infrastructure developers, because they are writing code and they are deploying code and
they want to make sure that in runtime their code is working fine and also at some
point the technical, you know, the VPs of IT or CISOs that have some sort
of techie skills, they can run Prowler very well as well, and now it's even
easier because we have the web UI,
the SaaS platform.
But yeah, cloud security engineers, architects,
compliance auditors, if you see it's very broad
because when you move to the cloud, as I said,
at some point you realize, hey, I have something to do here.
You know?
Now, you just mentioned the SaaS thing, right?
So I've seen you've demoed to me both.
People can click through to the demo you and I have already published on the YouTube channel.
But you've got this command line one, which is great.
You can throw like a cred into it or an API key or whatever and get it to actually go
and fix stuff, which I really like
because for a lot of these SaaS platforms, right,
that do security, they're like, yeah, sure,
give us an API key and like, we'll totally take care of it
and go and use this privileged access to only do good stuff
in your environment.
So one thing I really like about Prowler
is you can actually use the SaaS platform
for the discovery part, just with read-only access. And then if you actually want to get Prowler to go and fix stuff, just spin it up on a laptop,
you know, give it a credential, do the thing and then burn the credential. That's fine. You can do that.
So I really dig that but it strikes me like I know you a little bit right and you're like old-school
security person, did it break your soul a
little bit having to make a pointy clicky like SaaS version of this? Did it make you
sad?
Not really, not really. Because I mean, I started Prowler from the CLI because I love
the CLI, you know?
Yeah, because you're an old school turbo geek, right? Yeah, I get it.
Exactly. There is a book that I love that is In the Beginning Was the Command Line.
And I love doing that and the power of doing that for one point in time
assessments. But at some point I realized that we need to offer a platform,
the whole platform, as you said.
The whole enchilada, yeah.
Yeah, from the CLI to detect, but also remediate,
to the continuous monitoring.
Because one-time security is not security, and not even in the cloud.
One-time assessment is fine.
You get a photo of your status,
but in the cloud everything is changing all the time, you need continuous monitoring.
And that is why we started building the application.
Prowler the application, Prowler the platform.
And we have from the CLI also local dashboards,
because if you are a practitioner
and you are assessing something today for a customer
or for your own company, you want to see data straight away.
You can do that as well from the CLI
with the local dashboards.
But if you are maintaining an infrastructure over the time
and you want to see also how you have been improving
or the other way around with your infrastructure, you need something else. So that is why we started
Prowler Cloud or the application that is available open source but is in our SaaS,
where you can see the progress that you are building the cloud, if anything new is happening, you can see that very quickly.
We are adding new checks and new features all the time.
And that is one of the reasons also that we created Prowler Hub.
It's a way for everybody to see everything that you can do with Prowler
and also to learn how to do everything with Prowler.
Yeah, because I mean, previously you
would have a situation where someone might write a check,
they don't really describe it very well,
it's just sitting there in GitHub.
What does it do?
Who can say, right?
And so you fix that with Prowler Hub,
where you could really go in there now
and actually know what you can expect from a particular check.
You can learn all the metadata, all the attributes that that check is doing,
but also see the code and understand everything.
And the same for remediations that we call fixers.
So you can learn cloud security
for any of our supported cloud providers
from the very, very beginning.
And also the compliance part, because at the end of the day,
we do the mapping between the technical checks
and the compliance requirements.
And that is also available to consume in the web UI,
but also via an API in Prowler Hub.
That is hub.prowler.com.
Yeah, now let's talk about the hosted SaaS version,
because it's interesting.
You're really committed to the open source thing.
I think it's cool.
You are 100% committed to making all of this stuff available,
both command line and the SaaS platform.
If you want to spin it up yourself,
run your own web server with the Prowler SaaS platform on it,
you can absolutely do that.
As far as I know, at the moment, the only thing that you're charging for
is actually the hosted version. Like you could just go do it with a credit card, which is quite nice.
But then that begs the question, right? So let's talk about for a moment Prowler, the business,
because we've been talking about Prowler, the platform. What's the play here? What are you cooking up, Toni de la Fuente?
Well, the point of cloud security, I think we said this at the beginning, is that to access proper cloud security platforms is hard.
They are black boxes.
They're fine, they have a lot of controls, and sometimes you don't even have that visibility.
So what I wanted to do is, hey, don't worry because since you have the need and you have
the solution, instead of going through procurement processes, black-box solutions, go get an open source, an open platform.
And in five minutes you get the results.
And if, if the value is enough, you pay us.
Yeah.
And is that for the hosted version, you mean they pay you?
Yeah.
So, I mean, our pricing model is based on resources, but also we are,
we are adding a new pricing model
based on accounts or subscriptions or projects,
depending on the cloud provider you use,
which is even easier.
And we want, so as easy as Prowler is,
it has to be also easy to consume and easy to buy.
And that is what we are building in the platform.
So we want you to have the solution as soon as possible
and pay for it if it gives you value.
And we are sure that Prowler is giving you value
because we have more controls
than most of the cloud security vendors
and growing all the time
because we have an incredible community
that is helping us improving controls, adding new controls.
And of course now with AI it's even giving us a big push
to improve everything that we do
and help also our customers and users
with everything that an LLM can do for cloud security.
For example, I mean, we call our AI capabilities
Prowler Lighthouse.
You can ask Prowler Lighthouse pretty much anything
that is going on in your cloud security.
And also ask Lighthouse to give you any template
to prevent anything new to happen, all the guardrails. So you can create very nice service control policies
or CloudFormation or Terraform templates
to prevent resource exposure or to have, for example,
a database properly configured.
That is now easier than ever.
Is that part going to be open source, right?
Where you are shipping it with like
some open source model or something? Or like how does that work? That is exactly what you said. We
wanted also to have that open source because first, because it's very helpful. And second,
because nobody else is doing something like that open source. So you don't go to Wiz or Prisma
Cloud, Palo Alto or anything and say, okay,
give me your chatbot that I want to learn about that.
So we are doing that to improve the product
and to improve also the user experience.
Because at the end of the day,
we are builders and we are practitioners
building something for our practitioners, right?
And it is the way to learn.
And of course, if you come to our platform,
everything is already configured for you.
Yeah.
But if you get the open source option,
you have to maintain and configure everything by yourself,
which is fine if you want to,
but you don't have to if you come to our SaaS platform.
We have users and customers in any place in the planet
because at some point, any company, any organization
goes to the cloud or for some test or for some proof
of concepts, but also for production workloads.
And I'm talking from New Zealand to India to US, Argentina, Colombia, Brazil, pretty
much anywhere in Europe as well, has cloud security needs.
And if you have a cloud security need and you want a comprehensive platform that is
offering you a solution in minutes, that is Prowler.
Yeah.
So let me ask you a question though,
and this is more on the business side,
just cause I'm curious, right?
Like how much does the fact that all of this is available
as free and open source code,
how much does that complicate
how you calculate your pricing, right?
Cause there's gonna be that point where people are like,
that's too expensive.
I'm going to do it myself.
And you've chosen this path.
So how do you navigate that?
Because I've always wondered how you do that.
That is, I mean, the cloud paradigm is different from back in the days of Unix and Linux, but
it's kind of similar.
So not everybody wanted to admin and build everything by themselves.
And a lot of companies preferred and wanted to have Red Hat, for example,
because it was everything ready, because the enterprise storage management
that came with Red Hat was working way better and faster than
anything that you had to compile or build by yourself at the end of the day.
Yeah, and wind up in, you know, spending like 10 hours per box in dependency hell, right?
Yeah.
Exactly. If you have cheap resources, you are going to have, you will want to build that by
yourself and that is fine.
But not everybody has cheap resources,
not everybody has the time,
and not everybody has the knowledge.
So that is why the business model works.
And you can see Mongo, the same for MongoDB,
the same for Redis, the same for Elastic,
Elastic with Elasticsearch is a very good
example of something that was very accessible for everybody. And everybody had the opportunity to
build their search capabilities, et cetera, with Elastic, but also building a company around that
for a SaaS, also, of course, different types of services, which is what we are doing.
We are building also business. We are doing business with OEM. So other platforms that
they are doing their security using Prowler, or covering the security part of different type
of platforms in the cloud with Prowler. Also, intelligence services, different governments using
Prowler and new cloud providers. There are new cloud providers, new players that we will see some
coming up soon and they don't have a third party companion for their security and they trust Prowler
and they pay us to support them. Now look, Toni, in the past, when I've spoken to you
and I'm like, wow, this kind of sounds a little bit
like an open source Wiz.
You know, you've sort of resisted that characterization
but I've noticed you are resisting it
a little bit less these days.
I mean, is part of the vision here
to go after companies like that?
Are you seeing Wiz customers churn onto Prowler?
In the cloud, if we talk about CSPM, KSPM, SSPM, whatever,
or CNAPP, pretty much everything,
because Gartner and others,
they want to put everything in a box, that is fine.
But honestly, I don't care about that.
I do care about solving the problems that everybody has in the cloud, right?
Helping the cloud security engineers, the architects, et cetera.
And that looks like it's the dashboard solution that all those solutions are offering.
But there is a shift now that is changing everything.
Of course, that is AI.
Yeah.
So we want to be able to provide beyond the mapping with the...
I mean, finding that issue, but going beyond with Prowler.
So the good thing of Prowler being open source
is that adopting new technologies is also very easy.
The example is now that we have released Prowler Lighthouse that is inside Prowler.
We want to be able to go from the detection,
plain detection, to being your engineer, your cloud engineer.
That is not easy nowadays because LLMs are a work in progress and
MCPs, et cetera, but you are going to come to Prowler that already has the access to all your
clouds to do whatever else you want to do because it's already built in Prowler.
Yeah. So this is less about the sort of Wiz approach of, yeah, CNAPP-y kind of stuff and more about like,
if you want to have, you know, a securely administered cloud environment, I guess,
is more the thinking here, which is a different, it is coming at it from a different angle. So I
can see why you would resist the, you know, you would say that they're not really doing the same
thing. The point is, at the end of the day, people know about the big ones and they want to see
their mapping also in their heads.
Of course, there are some basic needs in any security platform, like the integrations,
alerts, this reporting, the compliance part.
That is fine.
That is something that we have in Prowler and we are adding more features.
But it's not what gets you going, right?
It's not what gets you excited.
Yeah, yeah, yeah.
I get it.
Exactly, exactly.
So let's have the basics, but let's go beyond that.
Let's fix the cloud security problems of tomorrow with tomorrow's technology as well, right?
Or the current technology.
And AI is changing all that stuff. That is why we are so excited with Lighthouse, because we want to be also telling the people,
hey, before this is happening, do this, et cetera. So, and also with the MCPs and the agentic AI,
considering that we have at Prowler the access to all the clouds, so you can keep building the new way
of assessing the cloud, but also fixing the cloud.
Yeah.
So you talk about AI.
I recently caught up with an old friend in Melbourne who is just such an old school guy
and very much a cynic on all new technologies.
Just nothing impresses him.
And I caught up with him and I said,
what have you been up to?
He said, I've been playing around with AI.
It's amazing.
Right?
And this is the thing, like you're jazzed about this.
I can see why, like I work with a bunch of startups
and increasingly the interface
for a security product these days doesn't look
like a console with charts all over it.
It looks like the search box from Google 20 years ago.
You know what I mean? It's just like a blank page with a box in it and you just
tell it what you want to do. I mean, it does. And when you see that it works for a lot of
stuff, like I feel like the hype around stuff like ChatGPT as like a general model has
distracted from the stuff where AI is actually really useful, which is for specific tasks, which can be mundane, but require a whole bunch of book knowledge,
like working in a SOC, like sysadminning and whatnot. And that seems to be what you're
finding as well, right? Have you got demos of the AI stuff already? Yeah, I mean, we have been working on that in the last six months already.
Now it's in production, kind of in preview mode, like everything in AI is preview, right?
Are you surprised?
Let me just ask, like, are you surprised by how well that stuff works?
Because most founders I know, when they actually mess around with it, they say it's not perfect,
but they are surprised at just quite how much they can get done with it.
Yes and no. Let me explain.
It's very helpful and the AI and the gen AI is helping a lot to glue words and to put things together.
That is great to do a brief summary about an assessment, for example, for us, or tell me more about the risk of
this or how to break into that. All that stuff is very good. But when it comes to the integrations
and getting specific information with a vast amount of data, you have to fine tune prompts.
You have to do a lot of things.
Yeah, they do tend to fall over once you hit a certain level of complexity, right?
Yep, yeah, the point is that if you have a JSON file with 200 entries and you ask an AI to do
something with that based on whatever additional model, is easy. But when you have a lot of files or database entries
and you want to put things together,
that is not that easy.
Yeah.
And the information you get, the advice that you get
is not always perfect.
What are people using it to do like now? Like, do they just turn up and ask the AI,
hey, it's my first day using this tool, what should I do?
Like, do you sort of find people are using it
as like a bit of a coach?
Yeah, we do that with Prowler Lighthouse.
So we tell you, hey, try to ask this or that.
And also we give you proactive information
every time that you do an assessment.
But the point is that when it comes to using an MCP
or the way we have it, it's like on top of our database,
there is a role-based access control,
and our AI is on top of our RBAC
to make sure there is no information leak.
Yeah. That is also key in any type of deployment of security tools with AI.
So to make sure that a user can access the information that that user has to access,
not more, not less. And that is key also. And that is a challenge. It's a huge challenge
now with MCPs because MCPs are something that are working very well,
but when you know what happens
when something is very helpful,
that is used widely and probably too much, right?
And without even having security into consideration.
We have also an MCP for Prowler Studio,
that is our platform to create new controls with AI.
And that is not a security problem because you are,
for example, you can install that MCP into Cursor
with Cursor to create your checks.
And that is working directly with our database of checks
and generating new checks.
But when it comes to customer data
or your own security data,
that is different. And that is what we build in Prowler Lighthouse on top of our RBAC.
Yeah.
So all those challenges are very important to take into account when you develop your AI strategy,
right?
Yeah, 100%. Well, that's all really interesting stuff. Toni de la Fuente, it's
fantastic to see you again and to, you know, hear about... I always like talking
to you about Prowler because you are so enthusiastic about it. It's always good
to hear what you've been up to. Great to see you my friend and we'll chat again soon.
Thank you, Pat. See you soon.