"What is Prowler, and why is it the canonical CSPM?"	Prowler is the world's most widely used open-source cloud security platform (Apache-2.0). Multi-cloud CSPM: AWS, Azure, GCP, K8s, GitHub, M365, IaC. 600+ checks for AWS alone. It is the reference defensive cloud harness — read-only by default, CI-integratable, normalized to OCSF.	course2a::sdd04::recall
"Explain the provider-agnostic core + per-cloud adapter architecture."	The check engine does not know which cloud it scans — that is the adapter's job. Each adapter (AWS, Azure, GCP, etc.) implements auth + resource enumeration + a check catalog. Adding a cloud = 'write an adapter,' not 'rewrite the engine.' This is why Prowler covers 7 surfaces.	course2a::sdd04::analysis
"What is a 'check' in Prowler, and how does it differ from an 'action' in an offensive harness?"	A check is a control test — 'is this resource compliant with this policy?' (e.g., S3 buckets should not be public). It READS configuration. An offensive harness ACTION (SDD-01-03) ACTS against a target. Prowler reads; it does not mutate. This is the read-only safety property.	course2a::sdd04::analysis
"Why is Prowler read-only by default, and why is that its primary safety property?"	Read-only means a compromised or misconfigured Prowler cannot destroy cloud resources. The worst case is a noisy report. Remediation is a separate, gated step. This makes Prowler safe to run continuously in production — the property that makes it operational, not just an assessment tool.	course2a::sdd04::analysis
"What is OCSF normalization, and why does it matter?"	OCSF (Open Cybersecurity Schema Framework) is the standard schema Prowler normalizes findings to. It makes findings PORTABLE — they flow into any downstream tool (SIEM, ticketing, Security Hub) without per-tool adapters. This is the portability decision that makes Prowler the CSPM standard.	course2a::sdd04::analysis
"What is Prowler's GitHub Action role, and what Course 2A concept does it implement?"	Prowler ships a GitHub Action that runs in CI on IaC (Terraform/CloudFormation) or against a live account. This is a creation-time guardrail (Course 2A S08) — catch the misconfiguration BEFORE it reaches production, not after. It turns Prowler from a detector into an SDLC gate.	course2a::sdd04::analysis
"State Prowler's score on the 12-module rubric. Why are 3 modules n/a?"	35/45 (9 scored modules; 3 n/a). n/a: Context Mgmt (not conversational), Subagents (no agent), Prompt Assembly (no LLM). The rubric built for agent loops forces you to see the boundary: Prowler is a tool with no loop. Wrapping it in an agent loop is the opportunity.	course2a::sdd04::analysis
"What is the difference between Prowler's attack-path 'correlation' and SDD-06's 'graph traversal'?"	Prowler correlates related findings ('these 3 findings form a path EXISTS'). SDD-06 tools (pmapper, BloodHound) traverse a graph ('shortest escalation path from A to B IS these edges'). Correlation = 'related'; traversal = 'the actual chain.' Prowler's correlation is valuable because findings are already collected; full traversal is the gap.	course2a::sdd04::analysis
"Prowler vs Scout Suite (SDD-05): what is each one for?"	Prowler = continuous CSPM (operational, CI-integrated, structured output, runs constantly). Scout Suite = point-in-time audit baseline (offline HTML report, a snapshot a human reviews during assessment). Complementary, not competitive. Prowler answers 'compliant right now?'; Scout answers 'what does it look like at this moment?'	course2a::sdd04::analysis
"Name 3 things Prowler does BETTER than any other harness in the roster."	(1) Multi-cloud coverage via provider adapters (7 surfaces, adding a cloud = write an adapter). (2) Read-only safety (worst case = noisy report, not broken cloud). (3) OCSF/ASFF normalization + GitHub Action (portable findings + creation-time guardrail).	course2a::sdd04::recall
"Name 3 things you would fix if you built on Prowler."	(1) Add an approval-gated remediation loop (Prowler finds; a harness should fix with a human gate). (2) Add cross-scan diffing as first-class output (turn posture data into drift detection). (3) Deepen attack-path support into full graph traversal (bridge to SDD-06 tools for shortest-path escalation).	course2a::sdd04::application
"What are Prowler's two main risk surfaces (the security finding)?"	(1) The broad-read IAM credentials it holds (high value to an attacker if compromised). (2) The sensitivity of its output — a Prowler report is a roadmap of your misconfigurations. Read-only execution is a strength; credential scope and report handling are the surfaces to govern.	course2a::sdd04::analysis
"State Prowler's Architect's Verdict in one line."	The canonical open-source CSPM (provider-agnostic check engine, 600+ controls, 7 clouds, read-only, OCSF-normalized, CI-integratable); not an agent loop so it does not remediate, diff, or reason over graphs; build on it for posture detection and wrap it in an agent loop to turn it from detector into defensive harness.	course2a::sdd04::recall
