What is ChangeGuard?

ChangeGuard is a Kubernetes security platform that gives platform engineering teams complete visibility into the safety, compliance, and runtime health of every cluster. At its core is the Change Safety Confidence (CSC) score — a deterministic 0–100 metric that combines CIS benchmarks, CVE scanning, RBAC analysis, runtime threat detection, GitOps drift, and cluster health into a single deployment readiness number.

Core Capabilities

Security Scanning

CIS benchmarks (KubeBench), CVE scanning (Grype), runtime threat detection (Falco), deprecated API detection (Pluto), and SBOM generation (Syft) — all managed by the operator.

Identity & Access

RBAC analysis across every ServiceAccount, ClusterRole, and binding. Finds overprivileged identities, unused permissions, and privilege escalation paths.

Attack Path Analysis

Maps privilege escalation graphs showing how a compromised pod could reach cluster-admin. Prioritizes the shortest, highest-impact paths.
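The two sections above describe the same underlying analysis: turn RBAC grants into a graph of identities and find the shortest route from a compromised pod's ServiceAccount to cluster-admin. The following is an added example written for this page, not ChangeGuard's own analyzer. It models a cluster as constructed sample data (every identity, role and binding below is made up, apiGroups are omitted for brevity) and uses the standard Kubernetes escalation primitives: cluster-wide wildcards, the `escalate`/`bind` verbs on ClusterRoles, group impersonation, and namespace pivots that yield another ServiceAccount's credentials (workload creation, `pods/exec`, the TokenRequest API, or readable token Secrets).

```python
"""Toy RBAC privilege-escalation path finder.

Added example, not ChangeGuard's code: it models the kind of analysis the
page describes. All identities, roles and bindings below are constructed
sample data in the shape of Kubernetes RBAC manifests (apiGroups omitted).
"""
from collections import deque

CLUSTER_ADMIN = "cluster-admin"  # sink node: effective cluster-admin
CLUSTER_SCOPE = "*"              # scope marker for a ClusterRoleBinding

# Creating a workload lets you run a pod under any ServiceAccount in scope.
WORKLOAD_KINDS = ("pods", "deployments", "daemonsets", "statefulsets",
                  "replicasets", "jobs", "cronjobs")

# Grants that yield ANOTHER identity's credentials within the grant's scope.
PIVOTS = [(k, "create", "create a workload that mounts the target ServiceAccount token")
          for k in WORKLOAD_KINDS] + [
    ("pods/exec", "create", "exec into running pods and read their mounted tokens"),
    ("serviceaccounts/token", "create", "mint a token for the target ServiceAccount (TokenRequest API)"),
    # Only matters where long-lived token Secrets exist (pre-1.24 defaults or
    # explicitly created ones); bound tokens are not stored in Secrets.
    ("secrets", "get", "read long-lived ServiceAccount token Secrets"),
]

# Cluster-scoped grants that are cluster-admin in all but name.
ADMIN_EQUIVALENTS = [
    ("*", "*", "wildcard verbs on wildcard resources"),
    ("clusterroles", "escalate", "escalate: write ClusterRole rules you do not hold"),
    ("clusterroles", "bind", "bind: reference ClusterRoles you do not hold in bindings"),
    ("groups", "impersonate", "impersonate groups (e.g. system:masters)"),
]


def _matches(rule, resource, verb):
    """True if a rule grants `verb` on `resource`, honouring '*' wildcards."""
    res_ok = "*" in rule["resources"] or resource in rule["resources"]
    verb_ok = "*" in rule["verbs"] or verb in rule["verbs"]
    return res_ok and verb_ok


def build_graph(service_accounts, roles, bindings):
    """Adjacency list {identity: [(next_identity, reason), ...]}.

    A binding's `scope` is a namespace for a RoleBinding and CLUSTER_SCOPE for
    a ClusterRoleBinding; a RoleBinding to a ClusterRole stays namespace-scoped.
    """
    graph = {sa: [] for sa in service_accounts}
    graph[CLUSTER_ADMIN] = []
    for b in bindings:
        subject, scope, role = b["subject"], b["scope"], b["roleRef"]
        edges = graph.setdefault(subject, [])
        for rule in roles[role]:
            if scope == CLUSTER_SCOPE:
                for res, verb, why in ADMIN_EQUIVALENTS:
                    if _matches(rule, res, verb):
                        edges.append((CLUSTER_ADMIN, f"{why} (via {role})"))
            for res, verb, why in PIVOTS:
                if not _matches(rule, res, verb):
                    continue
                for target in service_accounts:
                    ns = target.split("/", 1)[0]
                    if target != subject and scope in (CLUSTER_SCOPE, ns):
                        edges.append((target, f"{why} (via {role})"))
    return graph


def shortest_escalation_path(start, graph):
    """BFS from `start` to cluster-admin. Returns [(src, reason, dst), ...] or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == CLUSTER_ADMIN:
            break
        for nxt, why in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, why)
                queue.append(nxt)
    if CLUSTER_ADMIN not in prev:
        return None
    hops, node = [], CLUSTER_ADMIN
    while prev[node] is not None:
        src, why = prev[node]
        hops.append((src, why, node))
        node = src
    return hops[::-1]


def direct_admin_equivalents(graph):
    """Identities one grant away from cluster-admin (the 'overprivileged' list)."""
    return sorted(n for n, edges in graph.items()
                  if any(dst == CLUSTER_ADMIN for dst, _ in edges))


# --- constructed sample cluster (not real data) ----------------------------
SERVICE_ACCOUNTS = ["web/frontend", "web/ci-runner",
                    "kube-system/addon-manager", "monitoring/prometheus"]
ROLES = {
    "app-reader":     [{"resources": ["configmaps", "secrets"], "verbs": ["get", "list"]}],
    "pod-viewer":     [{"resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]}],
    "deployer":       [{"resources": ["deployments"], "verbs": ["create", "update", "patch"]},
                       {"resources": ["pods"], "verbs": ["create", "delete", "get", "list"]}],
    "addon-admin":    [{"resources": ["*"], "verbs": ["*"]}],
    "metrics-reader": [{"resources": ["nodes", "pods", "endpoints"], "verbs": ["get", "list", "watch"]}],
}
BINDINGS = [
    {"roleRef": "app-reader",     "subject": "web/frontend",              "scope": "web"},
    {"roleRef": "pod-viewer",     "subject": "web/ci-runner",             "scope": "web"},
    {"roleRef": "deployer",       "subject": "web/ci-runner",             "scope": CLUSTER_SCOPE},
    {"roleRef": "addon-admin",    "subject": "kube-system/addon-manager", "scope": CLUSTER_SCOPE},
    {"roleRef": "metrics-reader", "subject": "monitoring/prometheus",     "scope": CLUSTER_SCOPE},
]

if __name__ == "__main__":
    g = build_graph(SERVICE_ACCOUNTS, ROLES, BINDINGS)
    print("direct cluster-admin equivalents:", direct_admin_equivalents(g))
    for src, why, dst in shortest_escalation_path("web/frontend", g) or []:
        print(f"{src} -> {dst}: {why}")
```

With the sample data, a compromised `web/frontend` pod holds only `get secrets` in its own namespace, yet the search finds a three-hop path: read `web/ci-runner`'s token Secret, use ci-runner's cluster-wide `create deployments` to run a pod as `kube-system/addon-manager`, and inherit that account's wildcard ClusterRole. The `monitoring/prometheus` account, with read-only grants, reaches nothing. Breadth-first search returns the shortest path, which is the one a prioritized fix list should lead with; a real analyzer would also honour apiGroups and resourceNames and treat `pods/attach`, `nodes/proxy` and webhook-bypassing admission paths as additional pivots.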

Compliance Automation

Maps controls to SOC 2, PCI DSS, HIPAA, FedRAMP, and EO 14028. Continuous evidence collection with exportable reports.

GitOps Intelligence

Deep integration with ArgoCD and Flux CD. Tracks sync status, drift, health, and sync history without requiring API tokens.

Fleet Management

Cross-cluster intelligence correlates risks, compares configurations, and detects patterns across your entire fleet.

Signed Supply Chain

The Helm chart, the operator and agent images, and a CycloneDX SBOM for each are signed with cosign using a key held in AWS KMS. Verify the signatures before anything reaches a cluster, so you know exactly what you run.

AI Risk Analysis

Plain-English explanations and prioritized fixes for findings, powered by Claude on Amazon Bedrock — with optional self-hosted NVIDIA NIM.

How It Works

ChangeGuard architecture: a read-only agent and scanners in your Kubernetes cluster connect outbound over TLS to the ChangeGuard platform on AWS, which scores posture and serves your dashboard.
1. Install the operator

One command deploys the ChangeGuard operator to your cluster. The operator manages the data collector, security scanners, and runtime detection, all from a single ChangeGuardAgent custom resource.

2. Scans run automatically

KubeBench runs CIS benchmarks every 6 hours. Grype scans container images for CVEs every 4 hours and on every new deployment. Falco monitors syscalls on every node in real time. The collector pushes cluster state snapshots every 10 seconds.

3. View your dashboard

Log in at app.changeguard.ai to see scores, vulnerabilities, RBAC findings, attack paths, compliance posture, and audit trails, scoped to your tenant.

Quick Install

curl -sL https://install.changeguard.ai | \
  CG_API_KEY=YOUR_API_KEY CG_CLUSTER_NAME=production sh

Replace YOUR_API_KEY with the key for your tenant. If your policy forbids piping a remote script into a shell, download the script to a file first, review it, and then run it with the same two environment variables set. Your dashboard populates within 60 seconds; security scanning results appear within the first scan cycle.

Quickstart

Get running in 60 seconds

Operator Installation

Install via Helm or the one-liner

CRD Reference

Full ChangeGuardAgent spec reference

API Reference

Integrate with your CI/CD pipeline