What is the difference between AWS GuardDuty and AWS Inspector?

AWS GuardDuty is a threat detection service — it continuously analyses VPC Flow Logs, CloudTrail events, DNS logs, EKS audit logs, and S3 events using machine learning to detect compromised credentials, crypto-mining, port scanning, and known-bad IP communications. AWS Inspector is a vulnerability scanner — it scans EC2 instances, container images in ECR, and Lambda functions against the CVE database to find unpatched software. They are complementary, not competitive. Most AWS Security Specialist exam workflows use both: GuardDuty for runtime threats, Inspector for known vulnerabilities.

Do I need both GuardDuty and Inspector?

Yes for production workloads. GuardDuty catches what is actively happening (an attacker exfiltrating data right now); Inspector catches what could be exploited (a vulnerable openssl version on your EC2). One is detection of attacks, the other is detection of attack surface.

How much do GuardDuty and Inspector cost in 2026?

GuardDuty bills per ingested log event — roughly $0.10-$1.20 per million events depending on type, with VPC Flow Log analysis being the most expensive. A mid-size workload (10 EC2 + 100 GB/month logs) runs $50-$150/month. Inspector EC2 scanning bills per instance per month (~$1.25), ECR container scanning per image (~$0.09), Lambda per function-month (~$0.30). Both have free tiers.

Which AWS certification covers GuardDuty and Inspector?

AWS Certified Security – Specialty (SCS-C02). Both GuardDuty and Inspector are exam topics under Domain 1 (Threat Detection and Incident Response). Networkers Home runs the AWS Security Specialist programme on real AWS sandbox environments — both services covered with live console walk-throughs.

AWS GuardDuty vs Inspector — Threat Detection vs Vulnerability Scanning (2026)

Last updated 2026-05-17 · Reviewed by the Networkers Home technical writing team

Short answer: AWS GuardDuty is a threat-detection service that uses ML to spot active attacks (crypto-mining, credential abuse, exfiltration) by analysing VPC Flow Logs, CloudTrail, DNS, and EKS logs. AWS Inspector is a vulnerability-scanning service that checks EC2 instances, ECR images, and Lambda functions against the CVE database. They are complementary — most production AWS workloads run both.

Feature-by-feature comparison

Feature	GuardDuty	Inspector
Purpose	Threat detection (active attacks)	Vulnerability scanning (attack surface)
Detection method	ML + threat intel feeds	CVE database matching
Data sources	VPC Flow Logs, CloudTrail, DNS, EKS audit, S3 data events	EC2 instances, ECR container images, Lambda functions
Runtime	Continuous (real-time)	Continuous + on-demand scans
Output	Findings with severity (Low / Medium / High / Critical)	CVE-mapped findings with CVSS scores
Best for	Detecting compromised IAM credentials, crypto-mining, data exfiltration	Patch management, container image hygiene, software supply chain
Pricing model	Per-event analysed	Per-instance / per-image / per-function-month
Integration	EventBridge, Security Hub, SNS, S3	EventBridge, Security Hub, SBOM exports

When to use GuardDuty

Use GuardDuty when you need to know what is happening right now in your AWS account. Typical signals it catches:

An IAM access key is being used from an unexpected geography (credential compromise)
An EC2 instance is making DNS queries to known crypto-mining pools
A workload is scanning ports on other AWS accounts (lateral movement)
S3 data events show unusual high-volume reads (data exfiltration)
EKS audit logs show suspicious kubectl exec activity (container breakout)

When to use Inspector

Use Inspector when you need to know what could be exploited. Typical signals it catches:

An EC2 instance is running OpenSSL 1.1.1, missing CVE-2023-XXXX patches
A container image in ECR has a Log4Shell-vulnerable log4j version
A Lambda function pulls in an npm package with a known critical CVE
Software supply-chain visibility (SBOM export to JFrog / Snyk / Wiz)

Cost estimate for a mid-size workload

Sample workload: 20 EC2 instances · 100 ECR images · 30 Lambda functions · 200 GB/month VPC Flow Logs · 50 GB/month CloudTrail.
GuardDuty: ~$80-$120/month (VPC Flow Log analysis dominates).
Inspector: ~$25-$45/month (20 EC2 × $1.25 + 100 ECR × $0.09 + 30 Lambda × $0.30).
Combined: ~$105-$165/month — typically < 2% of total AWS spend for a workload this size.

Both services are covered in AWS Security Specialty (SCS-C02)

The AWS Certified Security – Specialty exam covers GuardDuty (Domain 1: Threat Detection) and Inspector (Domain 2: Logging and Monitoring + Domain 3: Vulnerability Management). Networkers Home runs the AWS Security programme on a real AWS sandbox — students enable both services live in console and trigger sample findings.