Kubescape → Prisma Cloud
Kubescape ↔ Prisma Cloud: integration to migration path.
Kubescape deploys alongside Prisma Cloud first, scanning every cluster in parallel while your Prisma Defenders stay authoritative — no gating, no alert changes, nothing to break. Only once posture parity is proven does Kubescape take over Kubernetes scope in phases, each one reversible in minutes.
The honest framing up front: this is a partial migration. Kubescape owns Kubernetes posture; Prisma Cloud is retained for CSPM, CIEM, WAAS and the unified cross-cloud risk score. We never recommend full Prisma retirement.
The idea
Run in parallel, prove parity, then transfer Kubernetes scope.
The topology that makes this zero-downtime: the Kubescape Operator runs continuous in-cluster posture scans next to your existing Prisma Defenders, publishing to Prometheus and JSON only. Both tools observe the same clusters at once, so Kubescape can be diffed against Prisma finding-for-finding before anything production trusts it. Alerting and admission move to Kubescape only after a 90%-agreement parity window holds; Defenders are removed only after an independent runtime sensor is at parity; and Prisma's cloud-account CSPM, CIEM and WAAS keep running throughout. You are never betting cluster security on one cutover.
The phases
Six steps. Each one reversible.
Baseline & inventory
We map every cluster, every Prisma Defender, and every active Kubernetes posture policy — then cross-reference your SIEM to kill dead policies before we migrate anything. Read-only.
Kubescape goes live in parallel
The Kubescape Operator installs into every cluster and runs continuous posture scans alongside your Prisma Defenders. Findings publish to Prometheus and JSON only — no gating, no alerts. Defenders stay authoritative.
Parity validation
We diff Kubescape findings against Prisma's K8s posture policies, control by control, until agreement holds at 90% or above for two weeks. Genuine gaps get a custom control or Kyverno overlay; enterprise-only checks are documented and accepted in writing.
Cut alerting and admission to Kubescape
Kubescape findings now drive Slack, JIRA and PagerDuty alerts and gate admission via Kyverno. Prisma's K8s posture alerts are muted at the console — silenced, not deleted, so the audit trail survives. Defenders still run for runtime.
Decommission Defenders; keep CSPM/CIEM
Once a Falco or Tetragon runtime workstream is independently at parity, the Prisma Defenders are uninstalled per cluster in waves. Prisma's K8s compute panes go dark; CSPM, CIEM, Code Security and WAAS remain fully active.
Steady state — Prisma retained
Kubescape owns K8s posture, admission and IaC scanning; Falco or Tetragon owns runtime; Prisma Cloud stays for CSPM, CIEM, Code Security, WAAS and the unified score. At renewal we true-up the Compute SKU down — the contract is not cancelled.
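An added example (not Kubescape's or Prisma Cloud's own code) of the Phase 3 parity diff the phases above describe. It assumes both tools' Kubernetes posture findings have already been normalized into (cluster, control, resource, status) records using a Prisma-policy-to-Kubescape-control mapping agreed at baseline; the sample findings and control IDs are constructed.

```python
"""Parity check for the parallel-run window: diff Kubescape against Prisma
control by control, then test the 90%-for-two-weeks exit criterion.
Added example; assumes pre-normalized findings (see lead-in)."""
from collections import defaultdict

# Constructed sample findings: (cluster, control_id, resource, status).
KUBESCAPE = [
    ("prod-eu", "C-0016", "default/Deployment/api", "failed"),
    ("prod-eu", "C-0016", "default/Deployment/web", "passed"),
    ("prod-eu", "C-0057", "kube-system/DaemonSet/cni", "failed"),
    ("prod-eu", "C-0057", "default/Deployment/api", "passed"),
    ("prod-us", "C-0016", "default/Deployment/api", "failed"),
    ("prod-us", "C-0057", "default/Deployment/api", "passed"),
    ("prod-us", "C-0046", "default/Deployment/api", "failed"),  # Kubescape-only coverage
]
PRISMA = [
    ("prod-eu", "C-0016", "default/Deployment/api", "failed"),
    ("prod-eu", "C-0016", "default/Deployment/web", "passed"),
    ("prod-eu", "C-0057", "kube-system/DaemonSet/cni", "failed"),
    ("prod-eu", "C-0057", "default/Deployment/api", "failed"),  # genuine disagreement
    ("prod-us", "C-0016", "default/Deployment/api", "failed"),
    ("prod-us", "C-0057", "default/Deployment/api", "passed"),
]

def _index(findings):
    return {(c, ctl, res): status for c, ctl, res, status in findings}

def compare(ks, prisma):
    """Agreement is measured only on keys both tools evaluated; keys seen by one
    tool are coverage gaps (candidates for a custom control or Kyverno overlay),
    not disagreements. Returns (ratio, disagreements, per_control, only_ks, only_prisma)."""
    a, b = _index(ks), _index(prisma)
    shared = a.keys() & b.keys()
    per_control = defaultdict(lambda: [0, 0])  # control_id -> [agree, total]
    disagreements = []
    for key in sorted(shared):
        per_control[key[1]][1] += 1
        if a[key] == b[key]:
            per_control[key[1]][0] += 1
        else:
            disagreements.append((key, a[key], b[key]))  # (key, kubescape, prisma)
    agree = sum(v[0] for v in per_control.values())
    ratio = agree / len(shared) if shared else 0.0
    per = {k: tuple(v) for k, v in per_control.items()}
    return ratio, disagreements, per, sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys())

def parity_window_holds(daily_ratios, threshold=0.90, days=14):
    """Exit criterion for the soak: every day of the last `days` at or above threshold."""
    return len(daily_ratios) >= days and all(r >= threshold for r in daily_ratios[-days:])
```

Run `compare` once per daily scan, append the ratio to the series, and only promote alerting and admission (Phase 4) once `parity_window_holds` returns True.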
Feature parity
Where Kubescape matches Prisma — and where it cannot.
| Capability | Kubescape | Prisma Cloud | Parity |
|---|---|---|---|
| K8s posture (KSPM) | Controls C-0001…C-0270 plus NSA, MITRE, cis-v1.10.0 and SOC2 frameworks | Prisma Compute K8s compliance checks | At parity |
| Control-plane scanning | kubescape scan control-plane (apiserver, kubelet, etcd) | Defender host scan | At parity |
| RBAC analysis | kubescape scan rbac — role-to-subject-to-resource graph | Prisma RBAC analysis | At parity |
| IaC / manifest scan (Helm/Kustomize/CFN) | kubescape scan framework against a chart, SARIF output | Prisma Code Security (separate scope) | At parity |
| Admission control | Kubescape webhook or Kyverno consuming Configuration CRs | Prisma Defender admission control | Partial |
| Image / vuln scan | Operator vulnerabilityScan plus relevancy | Prisma Compute registry / image scan | Partial |
| Runtime detection (eBPF/syscall) | None — pair with Falco or Tetragon | Prisma Defender runtime | SaaS only |
| Cloud posture (CSPM) | None — cluster API-server lens only | Prisma CSPM (config, network, audit_event) | SaaS only |
| CIEM (IAM exposure / role-chaining) | None — in-cluster RBAC only | Prisma CIEM anomaly over IAM | SaaS only |
| Attack-path / cross-domain risk | MITRE attack-chain view (K8s only) | Unified cross-domain risk score | SaaS only |
| WAAS (web app / API protection) | None | Prisma WAAS | SaaS only |
| Compliance evidence packaging | Raw JSON per framework | Vendor Compliance Standards PDFs | Partial |
| Cost model | Helm install plus scan compute | Per-Defender plus per-account plus per-MAU | At parity |
| Compliance boundary (SOC 2 / FedRAMP) | Self-operated, your audit scope | Vendor SOC 2 / FedRAMP boundary | SaaS only |
What we're honest about
The scope limits most vendors leave out.
This is a partial migration — Prisma stays
Kubescape scores Kubernetes, full stop. It cannot replace Prisma's cloud-account-wide CSPM, its CIEM IAM-exposure and role-chaining analysis, its WAAS, or its unified cross-domain risk score. Those are SaaS-only by design, so Prisma Cloud is retained indefinitely for cloud scope. Anyone who hears 'we replaced Prisma' and assumes CSPM and CIEM came with it is wrong — we say so in every status update.
Kubescape has no runtime sensor
There is no syscall or eBPF observation of a running container. If your Prisma Defender runtime rules fire today — container drift, suspicious process, cryptominer, reverse shell — Kubescape will not replace them. Runtime is a separate Falco or Tetragon workstream, and Phase 4 cannot start until that replacement is independently at parity.
Compliance evidence changes shape
Prisma auto-generates auditor-ready Compliance Standards PDFs. Kubescape emits raw JSON per framework. Post-migration the evidence workflow becomes Kubescape JSON into your own report template — a one-time pipeline we build and pilot in Phase 2 before any external audit cycle.
Self-hosting moves the boundary to you
A self-hosted Kubescape Operator sits inside your SOC 2 boundary: patching, log retention and incident response become yours, not Palo Alto's. That is exactly why we run it as a managed operator with version pinning and a tested upgrade path — managed, not just installed.
Why this beats a flag day
Reversible in minutes, retired only after a soak.
Every integration phase rolls back in under 15 minutes — a single helm uninstall or an un-mute of the Prisma alerts while both tools still run. We never remove Prisma Defenders until a replacement runtime sensor has held parity for at least 30 days, and the Phase 4 decommission itself is a planned, tested rollback rather than an emergency. The Prisma contract is never cancelled — only the Compute SKU is trued-up at renewal, after the Kubernetes scope has fully soaked.
See whether your Kubernetes scope migrates cleanly.
A 30-minute call with a senior container-security engineer. We map your clusters, your Prisma Defenders and your active posture policies, find the runtime gap that gates Phase 4, and show you exactly which Prisma SaaS modules stay — before you commit to anything.