Last updated: May 23, 2026
Guara Shield Overview
Guara Shield is included on every Guara Cloud account. Every account, every project, every service. No add-on to buy, no paywall, no upgrade. The full Shield product is available the moment you sign up: findings, scans, flow logs, runtime risk signals, secret exposure detection, reports, and posture.
What Guara Shield does
Guara Shield watches your workloads, deployments, public exposure, and service configuration for security-relevant conditions and helps you triage them in one place. It is built on three honest claims:
- Surface what we can already see. Guara Cloud already knows about your services, deployments, public endpoints, network traffic between services, container image vulnerabilities, and platform events. Guara Shield turns that knowledge into actionable security signals.
- One inbox, every source. Vulnerability scans, service posture checks, flow summaries, secret exposure detections, and runtime risk signals all converge on the same Security Finding primitive. There are no per-feature silos.
- Precise scope per capability. Each capability does exactly what it says it does, with the coverage and bounds spelled out on its page.
What’s inside Shield
| Capability | What it does |
|---|---|
| Security Findings | The unified triage inbox. Every signal opens, updates, or resolves a finding here. |
| Security Events | A chronological timeline of security-relevant occurrences across your account. |
| Vulnerabilities | Known vulnerabilities found in your container images, account-wide and per service. |
| Service Scans | Bounded posture checks on your public service endpoints for common exposure and misconfiguration. |
| Flow Logs | Aggregated, passive summaries of network traffic between your services. No payloads, no IPs, no ports. |
| Secret Exposure Detection | Detects likely secret leaks in your service configuration. Raw secret values are never stored. |
| Runtime Risk Signals | Curated risk signals derived from observed runtime state, covering resource abuse, exposed-and-vulnerable workloads, risky exposure changes, and risky deployment context. |
| Explain This Threat | An AI-assisted explanation for any finding or event, in plain language. |
| Reports & Posture | A posture score and policy summary derived from your findings and events. |
Where to find Shield
Guara Shield lives under the Security section in the main sidebar. The free baseline pages, Vulnerabilities and Security Events, sit at the top of that section. Guara Shield itself is its own leaf below them, and clicking it reveals a secondary sidebar with every Shield surface.
You’ll also find security tabs at every scope:
- Account scope: the
Securitygroup in the main sidebar. - Project scope: a
Securitytab on every project page, scoped to that project’s findings and posture. - Service scope: a
Securitytab on every service page, beside the freeVulnerabilitiestab. See Project & Service Security for the full wayfinding map.
Scope of each capability
Guara Shield is precise about what each feature covers:
- Service Scans are bounded posture checks for common exposure and misconfiguration on your public service endpoints.
- Flow Logs are passive, aggregated traffic summaries between your services, scoped to your own projects.
- Runtime Risk Signals are curated, named signals with concrete evidence, derived from observed runtime state.
- Secret Exposure Detection identifies likely exposure in your own service configuration. Raw secret values are redacted before storage, and Guara never logs, persists, or displays the secret itself.
Each capability page names its exact coverage and points you to the right tool for anything beyond it.
The Security Finding primitive
Every Shield capability writes to the same Security Finding model. A finding represents a current or historical security-relevant condition you can review, suppress, resolve, or act on. Each finding carries severity, confidence, structured evidence, remediation guidance, and a status that moves through open → acknowledged → resolved (or suppressed / false_positive).
This is the most important design decision in Shield: once you’ve learned how to triage a vulnerability finding, you’ve learned how to triage a service scan finding, a flow log finding, a secret exposure finding, and a runtime risk signal. They all behave the same way in the same inbox.
Read Security Findings next.
How Shield interacts with your traffic
Shield observes and reports. It runs outside the request path of your services, so it never delays a request, mutates a response, or inserts itself between your users and your workloads. Any future request-time capability would arrive as a separate, explicit, opt-in product that you turn on yourself.
Free baseline vs. Shield-expanded
Although every Shield capability is included for every account, two pages are intentionally framed as free baseline so they remain available even if Shield itself is ever rolled back or paused:
- Vulnerabilities, known CVEs in your container images.
- Security Events, the chronological event timeline.
Shield expands what these surfaces show (correlation, explanation, broader event coverage), and the baseline pages exist outside Shield to guarantee a free floor for every account.
Where to go next
- New to Shield? Start with Security Findings, it’s the surface you’ll use most.
- Want to see what Guara Shield observes for you right now? Open the Reports & Posture page in your dashboard.
- Curious about a specific capability? Pick any source page from the table above.