Agentless scanning

Agentless scanning lets you inspect the risks and vulnerabilities of a virtual machine without having to install an agent or affecting the execution of the instance. Prisma Cloud gives you the flexibility to choose between agentless and agent-based security using Defenders. Currently, Prisma Cloud supports agentless scanning on AWS hosts for vulnerabilities. Agentless capabilities will continue to be enhanced over future releases in parallel with Defender capabilities.


  • Before configuring agentless scanning for your cloud accounts, ensure you have added an access key with the required permissions to Prisma Cloud.
    1. Navigate to
      System > Authentication > Credential store
    2. Click on
      button in the right corner where you can download the list of required agentless permissions.
      You can also manually download the file from here.
  • Ensure you have connectivity to Prisma Cloud Console over HTTPS from your cloud account.
    By default, Prisma Cloud uses the default security group with default VPC for connection back to Console. Optionally, you can specify a custom security group to use for connection to Console by providing security group name in the configuration settings. Prisma Cloud will automatically lookup VPC assigned, from the provided security group.


There are two ways you can set up agentless scanning with Prisma Cloud.
  • Scan all hosts of a cloud account within the same cloud account (called 'target' account which is independent), or
  • Scan all hosts of a cloud account (target account which is dependent on another account) in another dedicated cloud account (called 'scan hub account').
Option 1: Scan within the same account
  1. Onboard cloud accounts inside Prisma Cloud Compute with specific permissions required for agentless setup. These permissions can be downloaded from UI during agentless scan setup.
  2. Prisma Cloud enumerates instances in each account and creates snapshots for each instance.
  3. Prisma Cloud starts spot instances within the customer’s accounts, attaches snapshots, injects twistcli, performs analysis. These instances will be referred to as "scanners".
  4. Scanners send results to Console and then get deleted.
  5. Process repeats for periodic scans.
In the downloaded tarball, the cloud formation template that applies to this setup has the suffix
Option 2: Scan within a dedicated cloud account
  1. Onboard accounts with different permissions for dedicated scan hub account which will perform all scans vs other target accounts that have hosts to be scanned.
  2. Prisma Cloud only spins up scanners in the dedicated scan hub cloud account and attaches snapshots of instances from other accounts to the scanners in this account.
  3. Scanners send results to Console and then get deleted.
  4. Process repeats for periodic scans.
In the downloaded tarball, the cloud formation template that applies to the target account (account that needs to be scanned) has the suffix
and the cloud formation template that applies to the scan hub account (account that is dedicated for scanning all other accounts) has the suffix

Configure a scan

  1. After ensuring you have the required permissions added to your cloud accounts, go to
    Manage > Cloud accounts tab > Add Account
  2. Select the accounts that you would like to scan.
    The wizard lets you set up other optional features, such as cloud discovery, VM tags discovery, and serverless radar. Thus, you see see all three cloud providers - AWS, GCP, Azure. However, agentless scanning currently only supports AWS.
  3. Optional configuration settings:
    • Regions: By default all regions are selected for scanning. You can customize Prisma Cloud to scan pecific regions in a cloud account.
    • Exclude VMs by tags: You can choose to exclude certain VMs by tags, such as test VMs, that you do not want included in scanning.
    • Scanner’s security group name (optional): By default Prisma Cloud uses the AWS default security group for connecting to Console. If you have specific security group created to be used for connection to Console, enter the name of the security group here.
    • Auto-scale: When
      Auto-scale scanners
      is enabled, Prisma Cloud automatically spins up additional scanners per region in the cloud account according to the number of hosts to be scanned, in order to deliver scan results faster.
    • Scanners: You can manually enter the number of scanners you would like dedicated to scan hosts in your cloud accounts.
    • Scan non running hosts: You can scan hosts that are currently not running. By default, this feature is disabled.


Navigate to
Monitor > Vulnerabilities > Hosts
to view agentless scan results. You can see a column named
in the results page. On the rows where agentless is
, scan results are provided by agentless scanning.
Agentless scans provide risk factors associated with each vulnerability such as package in use, exposed to internet, etc (learn more here). You can add tags and create policies in alert mode for exceptions. Agentless scanning is integrated with Vulnerability Explorer and Host Radar.
Scan Settings:
Periodic scans occur every 24 hours by default. You can change the scan interval under
Manage - System > Scan - Agentless
setting. You can also perform on-demand scans by clicking the
Agentless scan
button on the
Monitor > Vulnerabilities >