Performance planning

This article describes the run-time characteristics of a typical Prisma Cloud deployment. This information is provided for planning and estimation purposes.
System performance depends on many factors outside of our control. For example, heavily loaded hosts have fewer available resources than hosts with balanced workloads.

Scale

Prisma Cloud has been tested and optimized to support up to 5,000 Defenders per Console. If you have an environment that requires more than 5,000 Defenders, deploy a scale project.

Scanning performance

This section describes the resources consumed by Prisma Cloud Defender during a scan. Measurements were taken on a test system with 1GB RAM, 8GB storage, and 1 CPU core.

Host scans

Host scans consume the following resources:
Resource
Measured consumption
Memory
10-15%
CPU
1%
Time to complete a host scan
1 second

Container scans

Container scans consume the following resources:
Resource
Measured consumption
Memory
10-15%
CPU
1%
Time to complete a container scan
1-5 seconds per container

Image scans

When an image is first scanned, Prisma Cloud caches its contents so that subsequent scans run more quickly. The first image scan, when there is no cache, consumes the following resources:
Resource
Measured consumption
Memory
10-15%
CPU
2%
Time to complete an image scan.
1-10 seconds per image. (Images are estimated to be 400-800 MB in size.)
Scans of cached images consume the following resources:
Resource
Measured consumption
Memory
10-15%
CPU
2%
Time to complete an image scan
1-5 seconds per image. (Images are estimated to be 400-800 MB in size.)

Real-world system performance

Each release, Prisma Cloud tests performance in a scale out environment that replicates a real-world workload and configuration. The test environment is built on a Kubernetes cluster with the following properties:
  • Hosts:
    ≥ 900
  • Hardware:
    1 vCPU, 3.75 GB memory
  • Operating system:
    Container-Optimized OS
  • Images:
    6000
  • Containers:
    6000 (density of 6.7 containers per host)
The results are collected over the course of a day. The default vulnerability policy (alert on everything) and compliance policy (alert on critical and high issues) are left in place. CNNF is enabled.
Resource consumption:
The following table shows normal resource consumption.
Component
Memory (RAM)
CPU (single core)
Console
550 MB
<2%
Defender
53 MB
<2%
Scan times:
The following table shows scan performance.
Scan type
Resource count
Scan time
Image scan
5762 images
150 seconds
Host scan
900 hosts
5 seconds
Container scan
5751 containers
18 seconds

Recommended For You