docs: workshop as docs PoC

2025-12-19 05:17:47 +00:00 · 2025-10-28 08:13:44 +01:00
10 changed files with 2951 additions and 0 deletions
--- a/docs/docs.json
+++ b/docs/docs.json
@@ -251,6 +251,25 @@
          }
        ]
      },
+      {
+        "tab": "Workshop",
+        "groups": [
+          {
+            "group": "Hands-On Labs",
+            "pages": [
+              "workshop/introduction",
+              "workshop/lab-01-getting-started",
+              "workshop/lab-02-threat-detection",
+              "workshop/lab-03-custom-checks",
+              "workshop/lab-04-azure-multicloud",
+              "workshop/lab-05-gcp-multicloud",
+              "workshop/lab-06-compliance-as-code",
+              "workshop/lab-07-integrations",
+              "workshop/lab-08-prowler-saas"
+            ]
+          }
+        ]
+      },
      {
        "tab": "Developer Guide",
        "groups": [
--- a/docs/workshop/introduction.mdx
+++ b/docs/workshop/introduction.mdx
@@ -0,0 +1,54 @@
+---
+title: "Workshop Introduction"
+description: "Hands-on labs to master Prowler's cloud security capabilities across AWS, Azure, and GCP"
+---
+
+# Prowler Workshop
+
+Welcome to the Prowler Workshop. This hands-on training provides practical experience with Prowler's cloud security monitoring and compliance automation capabilities across multiple cloud platforms.
+
+## Workshop Overview
+
+This workshop consists of eight progressive labs designed to guide you through Prowler's core features and advanced capabilities:
+
+* **Lab 1:** Getting Started with Prowler CLI
+* **Lab 2:** Threat Detection with Prowler
+* **Lab 3:** Custom Checks with Prowler
+* **Lab 4:** Multi-Cloud Security with Prowler (Azure)
+* **Lab 5:** Multi-Cloud Security with Prowler (GCP)
+* **Lab 6:** Compliance as Code with Prowler
+* **Lab 7:** Integrations with Prowler (AWS Security Hub)
+* **Lab 8:** Prowler SaaS Platform
+
+## Lab Structure
+
+Each lab is self-contained and includes:
+
+* **Prerequisites:** Required cloud accounts, tools, and prior lab dependencies
+* **Objectives:** Clear learning goals for the lab
+* **Step-by-step instructions:** Detailed guidance through each task
+* **Expected outcomes:** What you should achieve by completing the lab
+* **Verification steps:** How to confirm successful completion
+
+## Prerequisites Approach
+
+Each lab specifies its own prerequisites, as different labs require different cloud provider accounts, tools, and access levels. Review the prerequisites section at the beginning of each lab before starting.
+
+## How to Use This Workshop
+
+* Labs are designed to be completed sequentially, as later labs may build on concepts from earlier ones
+* Estimated time to complete varies by lab (typically 30-60 minutes each)
+* You can pause between labs and resume later
+* Some labs can be completed independently if you have the necessary prerequisites
+
+## Getting Help
+
+If you encounter issues during the workshop:
+
+* Refer to the [Troubleshooting](/troubleshooting) guide
+* Join the [Prowler Slack community](https://goto.prowler.com/slack)
+* Visit the [Prowler GitHub repository](https://github.com/prowler-cloud/prowler) for documentation and issues
+
+## Ready to Start?
+
+Begin with [Lab 1: Getting Started with Prowler CLI](/workshop/lab-01-getting-started) to set up your environment and run your first security scan.
--- a/docs/workshop/lab-01-getting-started.mdx
+++ b/docs/workshop/lab-01-getting-started.mdx
@@ -0,0 +1,203 @@
+---
+title: "Lab 1: Getting Started with Prowler CLI"
+description: "Install Prowler CLI and run your first cloud security assessment on AWS"
+---
+
+<Note>
+**Tags:** `workshop` `aws` `getting-started` `beginner` `cli`
+</Note>
+
+# Lab 1: Getting Started with Prowler CLI
+
+Learn to install Prowler CLI and perform your first cloud security assessment on AWS.
+
+## Prerequisites
+
+* AWS account with active resources
+* AWS CLI installed and configured
+* IAM credentials with appropriate permissions (see [AWS Authentication](/user-guide/providers/aws/authentication))
+* Python 3.9 or higher
+* Basic command-line experience
+
+**Estimated Time:** 30 minutes
+
+## Lab Objectives
+
+By completing this lab, you will:
+
+* Install Prowler CLI using pip
+* Configure AWS credentials for Prowler
+* Execute your first security scan
+* Understand Prowler's output formats
+* Review security findings
+
+## Step 1: Install Prowler CLI
+
+Install Prowler using pip:
+
+```bash
+pip install prowler
+```
+
+Verify the installation:
+
+```bash
+prowler -v
+```
+
+Expected output:
+```
+Prowler X.X.X
+```
+
+<Tip>
+For alternative installation methods (Docker, from source), see [Prowler CLI Installation](/getting-started/installation/prowler-cli).
+</Tip>
+
+## Step 2: Configure AWS Credentials
+
+Ensure AWS credentials are configured. Prowler uses the same credential chain as AWS CLI.
+
+Verify credentials:
+
+```bash
+aws sts get-caller-identity
+```
+
+Expected output:
+```json
+{
+    "UserId": "AIDACKCEVSQ6C2EXAMPLE",
+    "Account": "123456789012",
+    "Arn": "arn:aws:iam::123456789012:user/username"
+}
+```
+
+<Note>
+[Note: Screenshot of slide 8 showing AWS credential verification - to be added]
+</Note>
+
+## Step 3: Run Your First Scan
+
+Execute a basic Prowler scan:
+
+```bash
+prowler aws
+```
+
+This command:
+* Scans all enabled AWS regions
+* Runs all available security checks
+* Generates output in the current directory
+
+<Note>
+The scan may take 5-15 minutes depending on the number of resources in your AWS account.
+</Note>
+
+## Step 4: Understanding the Output
+
+Prowler generates multiple output formats in the `output` directory:
+
+* **CSV:** Detailed findings (`prowler-output-*.csv`)
+* **JSON:** Machine-readable format (`prowler-output-*.json`)
+* **HTML:** Human-readable report (`prowler-output-*.html`)
+
+Review the HTML report:
+
+```bash
+open output/prowler-output-*.html
+```
+
+<Note>
+[Note: Screenshot of slide 10 showing HTML report - to be added]
+</Note>
+
+## Step 5: Analyze Security Findings
+
+Examine the findings structure in the HTML report:
+
+* **Status:** PASS, FAIL, or MANUAL
+* **Severity:** critical, high, medium, low, informational
+* **Service:** AWS service affected (e.g., S3, IAM, EC2)
+* **Check ID:** Unique identifier for each check
+* **Region:** AWS region where the resource exists
+* **Resource:** Specific resource ARN or identifier
+
+Example finding structure:
+
+```json
+{
+  "Status": "FAIL",
+  "Severity": "high",
+  "Service": "s3",
+  "CheckID": "s3_bucket_public_access",
+  "Region": "us-east-1",
+  "Resource": "arn:aws:s3:::my-bucket"
+}
+```
+
+## Step 6: Filter Scan by Service
+
+Run a targeted scan for specific AWS services:
+
+```bash
+prowler aws --services s3 iam
+```
+
+This scans only S3 and IAM services, reducing execution time.
+
+## Step 7: Run Checks by Severity
+
+Scan for critical and high-severity findings only:
+
+```bash
+prowler aws --severity critical high
+```
+
+This focuses on the most important security issues.
+
+<Note>
+[Note: Screenshot of slide 13 showing severity filtering - to be added]
+</Note>
+
+## Verification Steps
+
+Confirm successful lab completion:
+
+1. Prowler CLI installed and version verified
+2. AWS credentials properly configured
+3. First scan completed successfully
+4. Output files generated in the `output` directory
+5. HTML report reviewed and findings understood
+6. Filtered scans executed by service and severity
+
+## Expected Outcomes
+
+After completing this lab, you should have:
+
+* Working Prowler CLI installation
+* Understanding of basic Prowler commands
+* Knowledge of output formats
+* Ability to run targeted scans
+* Familiarity with finding severity levels
+
+## Troubleshooting
+
+**Issue:** `prowler: command not found`
+* **Solution:** Ensure Python's bin directory is in your PATH, or use `python3 -m prowler`
+
+**Issue:** AWS credentials error
+* **Solution:** Run `aws configure` to set up credentials, or use environment variables
+
+**Issue:** Scan takes too long
+* **Solution:** Use `--services` to scan specific services or `--regions` to limit regions
+
+## Next Steps
+
+Continue to [Lab 2: Threat Detection with Prowler](/workshop/lab-02-threat-detection) to learn about identifying security threats in your AWS environment.
+
+## Additional Resources
+
+* [Prowler CLI Documentation](/getting-started/basic-usage/prowler-cli)
+* [AWS Authentication Methods](/user-guide/providers/aws/authentication)
+* [Output Formats](/user-guide/cli/tutorials/reporting)
--- a/docs/workshop/lab-02-threat-detection.mdx
+++ b/docs/workshop/lab-02-threat-detection.mdx
@@ -0,0 +1,263 @@
+---
+title: "Lab 2: Threat Detection with Prowler"
+description: "Identify and analyze security threats in AWS environments using Prowler's threat detection capabilities"
+---
+
+<Note>
+**Tags:** `workshop` `aws` `threat-detection` `intermediate` `security`
+</Note>
+
+# Lab 2: Threat Detection with Prowler
+
+Learn to identify security threats, exposed resources, and potential attack vectors in AWS environments using Prowler's threat detection features.
+
+## Prerequisites
+
+* Completion of [Lab 1: Getting Started with Prowler CLI](/workshop/lab-01-getting-started)
+* AWS account with resources (EC2 instances, S3 buckets, security groups)
+* Prowler CLI installed and configured
+* Basic understanding of AWS security concepts
+
+**Estimated Time:** 45 minutes
+
+## Lab Objectives
+
+By completing this lab, you will:
+
+* Understand Prowler's threat detection capabilities
+* Identify publicly exposed resources
+* Detect insecure configurations
+* Analyze CloudTrail events for suspicious activity
+* Prioritize security findings by risk
+
+## Step 1: Understanding Threat Detection Checks
+
+Prowler includes checks that identify:
+
+* Public exposure (S3 buckets, EC2 instances, RDS databases)
+* Insecure network configurations (security groups, NACLs)
+* Weak encryption settings
+* Suspicious IAM permissions
+* CloudTrail anomalies
+
+List threat detection checks:
+
+```bash
+prowler aws --list-checks | grep -i "public\|exposed\|open"
+```
+
+## Step 2: Scan for Publicly Exposed Resources
+
+Run a scan focusing on public exposure:
+
+```bash
+prowler aws --checks s3_bucket_public_access ec2_instance_public_ip rds_instance_publicly_accessible
+```
+
+This identifies:
+* S3 buckets with public access
+* EC2 instances with public IPs
+* RDS databases accessible from the internet
+
+<Note>
+[Note: Screenshot of slide 17 showing public exposure findings - to be added]
+</Note>
+
+## Step 3: Analyze Security Group Misconfigurations
+
+Security groups control network access. Scan for insecure rules:
+
+```bash
+prowler aws --services ec2 --checks ec2_securitygroup*
+```
+
+Look for findings related to:
+* `0.0.0.0/0` ingress rules (any IP can connect)
+* Open high-risk ports (22, 3389, 3306, 5432)
+* Overly permissive egress rules
+
+Example vulnerable security group:
+```
+Port 22 (SSH) open to 0.0.0.0/0
+Port 3389 (RDP) open to 0.0.0.0/0
+```
+
+<Warning>
+Security groups with `0.0.0.0/0` on sensitive ports expose resources to the entire internet and should be restricted immediately.
+</Warning>
+
+## Step 4: Check for Unencrypted Data
+
+Scan for unencrypted storage and data transmission:
+
+```bash
+prowler aws --checks s3_bucket_default_encryption ebs_volume_encryption rds_instance_storage_encrypted
+```
+
+Key checks:
+* S3 bucket default encryption disabled
+* EBS volumes without encryption
+* RDS instances with unencrypted storage
+
+<Note>
+[Note: Screenshot of slide 20 showing encryption findings - to be added]
+</Note>
+
+## Step 5: CloudTrail Threat Detection
+
+Enable CloudTrail event analysis to detect suspicious activity:
+
+```bash
+prowler aws --services cloudtrail
+```
+
+Prowler checks for:
+* CloudTrail disabled in regions
+* Log file validation disabled
+* S3 bucket not encrypted
+* CloudWatch logging not configured
+
+<Tip>
+CloudTrail provides audit logs of API calls. Proper configuration is essential for threat detection and incident response.
+</Tip>
+
+## Step 6: Analyze IAM Security Risks
+
+Identify IAM misconfigurations that could lead to privilege escalation:
+
+```bash
+prowler aws --services iam --severity critical high
+```
+
+Look for:
+* Root account usage
+* IAM users without MFA
+* Overly permissive IAM policies (e.g., `*:*`)
+* Inactive credentials not rotated
+
+Example critical finding:
+```
+IAM user with administrative privileges without MFA enabled
+```
+
+## Step 7: Generate a Threat-Focused Report
+
+Create a filtered report with only security threats:
+
+```bash
+prowler aws --severity critical high --status FAIL -o html json
+```
+
+This generates reports containing only:
+* Critical and high-severity findings
+* Failed checks (PASS checks excluded)
+
+Review the HTML report:
+
+```bash
+open output/prowler-output-*.html
+```
+
+<Note>
+[Note: Screenshot of slide 25 showing threat-focused report - to be added]
+</Note>
+
+## Step 8: Prioritize Findings
+
+Categorize findings by risk level:
+
+**Critical Priority (Address Immediately):**
+* S3 buckets with public write access
+* Root account without MFA
+* Database instances publicly accessible
+* Security groups open to `0.0.0.0/0` on sensitive ports
+
+**High Priority (Address Soon):**
+* Unencrypted storage volumes
+* CloudTrail logging disabled
+* IAM users without MFA
+* Overly permissive IAM policies
+
+**Medium Priority (Address as Resources Allow):**
+* Old access keys not rotated
+* S3 bucket logging disabled
+* VPC flow logs not enabled
+
+## Step 9: Export Findings for Remediation
+
+Export findings to CSV for tracking:
+
+```bash
+prowler aws --severity critical high --status FAIL -o csv
+```
+
+Share the CSV with your security team for remediation tracking.
+
+## Verification Steps
+
+Confirm successful lab completion:
+
+1. Identified publicly exposed resources
+2. Detected insecure security group configurations
+3. Found unencrypted data storage
+4. Reviewed CloudTrail security settings
+5. Analyzed IAM security risks
+6. Generated threat-focused reports
+7. Prioritized findings by risk level
+
+## Expected Outcomes
+
+After completing this lab, you should:
+
+* Understand common AWS security threats
+* Know how to identify exposed resources
+* Be able to prioritize security findings
+* Have generated threat detection reports
+
+## Remediation Examples
+
+**Example 1: Remove public access from S3 bucket**
+```bash
+aws s3api put-public-access-block \
+    --bucket my-bucket \
+    --public-access-block-configuration \
+    "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
+```
+
+**Example 2: Restrict security group rule**
+```bash
+aws ec2 revoke-security-group-ingress \
+    --group-id sg-12345678 \
+    --protocol tcp \
+    --port 22 \
+    --cidr 0.0.0.0/0
+```
+
+**Example 3: Enable S3 bucket encryption**
+```bash
+aws s3api put-bucket-encryption \
+    --bucket my-bucket \
+    --server-side-encryption-configuration \
+    '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'
+```
+
+## Troubleshooting
+
+**Issue:** Too many findings to review
+* **Solution:** Use `--severity critical high` to focus on the most important issues first
+
+**Issue:** Don't understand a finding
+* **Solution:** Use `--describe-check <check-id>` to get detailed information
+
+**Issue:** Need to share findings with team
+* **Solution:** Export to CSV or JSON and use collaboration tools
+
+## Next Steps
+
+Continue to [Lab 3: Custom Checks with Prowler](/workshop/lab-03-custom-checks) to learn how to create organization-specific security checks.
+
+## Additional Resources
+
+* [AWS Threat Detection Guide](/user-guide/providers/aws/threat-detection)
+* [Security Best Practices](/user-guide/providers/aws/getting-started-aws)
+* [Prowler Check Reference](https://hub.prowler.com)
--- a/docs/workshop/lab-03-custom-checks.mdx
+++ b/docs/workshop/lab-03-custom-checks.mdx
@@ -0,0 +1,359 @@
+---
+title: "Lab 3: Custom Checks with Prowler"
+description: "Create organization-specific security checks and customize Prowler for your security requirements"
+---
+
+<Note>
+**Tags:** `workshop` `aws` `custom-checks` `advanced` `development`
+</Note>
+
+# Lab 3: Custom Checks with Prowler
+
+Learn to create custom security checks tailored to your organization's specific security policies and compliance requirements.
+
+## Prerequisites
+
+* Completion of [Lab 1: Getting Started with Prowler CLI](/workshop/lab-01-getting-started)
+* Prowler CLI installed from source (for custom check development)
+* Python 3.9 or higher
+* Basic Python programming knowledge
+* Understanding of AWS SDK (boto3)
+* Text editor or IDE (VS Code, PyCharm)
+
+**Estimated Time:** 60 minutes
+
+## Lab Objectives
+
+By completing this lab, you will:
+
+* Understand Prowler's check structure
+* Create a custom security check
+* Test and validate custom checks
+* Use custom check metadata
+* Integrate custom checks into scans
+
+## Step 1: Install Prowler from Source
+
+To develop custom checks, install Prowler from source:
+
+```bash
+git clone https://github.com/prowler-cloud/prowler
+cd prowler
+pip install poetry
+poetry install
+```
+
+Activate the virtual environment:
+
+```bash
+poetry shell
+```
+
+Verify installation:
+
+```bash
+prowler -v
+```
+
+<Note>
+[Note: Screenshot of slide 29 showing source installation - to be added]
+</Note>
+
+## Step 2: Understand Check Structure
+
+Prowler checks are Python files located in:
+```
+prowler/providers/<provider>/services/<service>/
+```
+
+Example check structure:
+```
+prowler/providers/aws/services/s3/s3_bucket_custom_check/
+├── s3_bucket_custom_check.py           # Check logic
+└── s3_bucket_custom_check.metadata.json # Check metadata
+```
+
+## Step 3: Create a Custom Check Directory
+
+Create a custom check to verify S3 buckets have specific naming conventions:
+
+```bash
+mkdir -p prowler/providers/aws/services/s3/s3_bucket_naming_convention
+cd prowler/providers/aws/services/s3/s3_bucket_naming_convention
+```
+
+## Step 4: Write the Check Logic
+
+Create `s3_bucket_naming_convention.py`:
+
+```python
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.s3.s3_client import s3_client
+
+class s3_bucket_naming_convention(Check):
+    def execute(self):
+        findings = []
+        # Define your organization's naming pattern
+        naming_pattern = "company-"
+
+        for bucket in s3_client.buckets:
+            report = Check_Report_AWS(self.metadata())
+            report.region = bucket.region
+            report.resource_id = bucket.name
+            report.resource_arn = bucket.arn
+            report.resource_tags = bucket.tags
+
+            # Check if bucket name follows naming convention
+            if bucket.name.startswith(naming_pattern):
+                report.status = "PASS"
+                report.status_extended = f"S3 bucket {bucket.name} follows naming convention."
+            else:
+                report.status = "FAIL"
+                report.status_extended = f"S3 bucket {bucket.name} does not follow naming convention (should start with '{naming_pattern}')."
+
+            findings.append(report)
+
+        return findings
+```
+
+<Tip>
+Customize the `naming_pattern` variable to match your organization's requirements (e.g., "prod-", "dev-", "projectname-").
+</Tip>
+
+## Step 5: Create Check Metadata
+
+Create `s3_bucket_naming_convention.metadata.json`:
+
+```json
+{
+  "Provider": "aws",
+  "CheckID": "s3_bucket_naming_convention",
+  "CheckTitle": "Check if S3 buckets follow naming convention",
+  "CheckType": ["Software and Configuration Checks"],
+  "ServiceName": "s3",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:aws:s3:::bucket_name",
+  "Severity": "low",
+  "ResourceType": "AwsS3Bucket",
+  "Description": "Ensure S3 buckets follow the organization's naming convention for consistency and management.",
+  "Risk": "S3 buckets not following naming conventions may lead to management difficulties and confusion.",
+  "RelatedUrl": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "Rename the S3 bucket to follow the organization's naming convention or update bucket policies.",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Ensure all S3 buckets follow the defined naming convention for your organization.",
+      "Url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html"
+    }
+  },
+  "Categories": [
+    "forensics-ready"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "This is a custom check created for organization-specific requirements."
+}
+```
+
+<Note>
+[Note: Screenshot of slide 33 showing metadata structure - to be added]
+</Note>
+
+## Step 6: Test the Custom Check
+
+Run only your custom check:
+
+```bash
+prowler aws --checks s3_bucket_naming_convention
+```
+
+Review the output to verify:
+* Check executes without errors
+* Findings are generated for each S3 bucket
+* Status is correct (PASS/FAIL) based on naming convention
+
+## Step 7: Create a Custom Check for EC2 Instance Tags
+
+Create another custom check to enforce EC2 tagging policies:
+
+```bash
+mkdir -p prowler/providers/aws/services/ec2/ec2_instance_required_tags
+cd prowler/providers/aws/services/ec2/ec2_instance_required_tags
+```
+
+Create `ec2_instance_required_tags.py`:
+
+```python
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.ec2.ec2_client import ec2_client
+
+class ec2_instance_required_tags(Check):
+    def execute(self):
+        findings = []
+        # Define required tags
+        required_tags = ["Environment", "Owner", "CostCenter"]
+
+        for instance in ec2_client.instances:
+            report = Check_Report_AWS(self.metadata())
+            report.region = instance.region
+            report.resource_id = instance.id
+            report.resource_arn = instance.arn
+            report.resource_tags = instance.tags
+
+            # Get instance tag keys
+            instance_tag_keys = [tag["Key"] for tag in instance.tags] if instance.tags else []
+
+            # Check if all required tags are present
+            missing_tags = [tag for tag in required_tags if tag not in instance_tag_keys]
+
+            if not missing_tags:
+                report.status = "PASS"
+                report.status_extended = f"EC2 instance {instance.id} has all required tags."
+            else:
+                report.status = "FAIL"
+                report.status_extended = f"EC2 instance {instance.id} is missing required tags: {', '.join(missing_tags)}."
+
+            findings.append(report)
+
+        return findings
+```
+
+Create `ec2_instance_required_tags.metadata.json`:
+
+```json
+{
+  "Provider": "aws",
+  "CheckID": "ec2_instance_required_tags",
+  "CheckTitle": "Check if EC2 instances have required tags",
+  "CheckType": ["Software and Configuration Checks"],
+  "ServiceName": "ec2",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:aws:ec2:region:account-id:instance/instance-id",
+  "Severity": "medium",
+  "ResourceType": "AwsEc2Instance",
+  "Description": "Ensure EC2 instances have required tags for proper resource management and cost allocation.",
+  "Risk": "EC2 instances without required tags may lead to difficulties in cost tracking, ownership identification, and resource management.",
+  "RelatedUrl": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html",
+  "Remediation": {
+    "Code": {
+      "CLI": "aws ec2 create-tags --resources <instance-id> --tags Key=Environment,Value=<value> Key=Owner,Value=<value> Key=CostCenter,Value=<value>",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": "resource \"aws_ec2_tag\" \"example\" {\n  resource_id = aws_instance.example.id\n  key         = \"Environment\"\n  value       = \"Production\"\n}"
+    },
+    "Recommendation": {
+      "Text": "Add the required tags (Environment, Owner, CostCenter) to all EC2 instances.",
+      "Url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html"
+    }
+  },
+  "Categories": [
+    "tagging"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Customize the required_tags list in the check code to match your organization's tagging policy."
+}
+```
+
+## Step 8: Test Multiple Custom Checks
+
+Run both custom checks together:
+
+```bash
+prowler aws --checks s3_bucket_naming_convention ec2_instance_required_tags
+```
+
+## Step 9: Create a Custom Checks Group
+
+Create a file to group your custom checks:
+
+Create `prowler/config/custom_checks.yaml`:
+
+```yaml
+custom-checks:
+  - s3_bucket_naming_convention
+  - ec2_instance_required_tags
+```
+
+Run all custom checks:
+
+```bash
+prowler aws --checks-file prowler/config/custom_checks.yaml
+```
+
+<Note>
+[Note: Screenshot of slide 38 showing custom checks output - to be added]
+</Note>
+
+## Step 10: Validate Check Metadata
+
+Prowler includes metadata validation. Ensure your metadata follows guidelines:
+
+```bash
+python -m prowler.lib.check.check_metadata_validator
+```
+
+This validates:
+* Required metadata fields are present
+* Severity values are valid
+* URLs are properly formatted
+* JSON structure is correct
+
+## Verification Steps
+
+Confirm successful lab completion:
+
+1. Prowler installed from source
+2. Custom S3 naming convention check created
+3. Custom EC2 tagging check created
+4. Both checks execute successfully
+5. Metadata files are properly formatted
+6. Custom checks grouped for easy execution
+
+## Expected Outcomes
+
+After completing this lab, you should:
+
+* Understand Prowler's check architecture
+* Be able to create custom security checks
+* Know how to write check metadata
+* Be capable of testing and validating checks
+* Have created reusable custom security policies
+
+## Best Practices for Custom Checks
+
+1. **Follow naming conventions:** Use descriptive check IDs (e.g., `service_resource_requirement`)
+2. **Set appropriate severity:** Match severity to the security impact
+3. **Provide clear descriptions:** Help users understand what the check validates
+4. **Include remediation guidance:** Provide actionable steps to fix findings
+5. **Test thoroughly:** Verify checks work across different AWS regions and account configurations
+6. **Document assumptions:** Note any specific requirements or limitations
+
+## Troubleshooting
+
+**Issue:** Check not found when running
+* **Solution:** Ensure the check directory and files follow the correct naming convention and location
+
+**Issue:** Import errors in check code
+* **Solution:** Verify you're using the Poetry virtual environment (`poetry shell`)
+
+**Issue:** Metadata validation fails
+* **Solution:** Review the metadata format against Prowler's schema requirements
+
+**Issue:** Check returns no findings
+* **Solution:** Add print statements or use a debugger to verify the service client has data
+
+## Next Steps
+
+Continue to [Lab 4: Multi-Cloud Security with Prowler (Azure)](/workshop/lab-04-azure-multicloud) to extend security monitoring to Azure environments.
+
+## Additional Resources
+
+* [Custom Checks Development Guide](/developer-guide/checks)
+* [Check Metadata Guidelines](/developer-guide/check-metadata-guidelines)
+* [Prowler Development Documentation](/developer-guide/introduction)
+* [Prowler Check Kreator](/user-guide/cli/tutorials/prowler-check-kreator)
--- a/docs/workshop/lab-04-azure-multicloud.mdx
+++ b/docs/workshop/lab-04-azure-multicloud.mdx
@@ -0,0 +1,346 @@
+---
+title: "Lab 4: Multi-Cloud Security with Prowler (Azure)"
+description: "Extend security monitoring to Azure environments using Prowler's multi-cloud capabilities"
+---
+
+<Note>
+**Tags:** `workshop` `azure` `multi-cloud` `intermediate` `authentication`
+</Note>
+
+# Lab 4: Multi-Cloud Security with Prowler (Azure)
+
+Learn to secure Azure environments using Prowler's multi-cloud security assessment capabilities.
+
+## Prerequisites
+
+* Prowler CLI installed ([Lab 1](/workshop/lab-01-getting-started))
+* Active Azure subscription
+* Azure CLI installed
+* Azure account with appropriate permissions (Reader role minimum)
+* Basic understanding of Azure services
+
+**Estimated Time:** 45 minutes
+
+## Lab Objectives
+
+By completing this lab, you will:
+
+* Configure Azure authentication for Prowler
+* Run security assessments on Azure subscriptions
+* Understand Azure-specific security checks
+* Compare security findings across cloud providers
+* Implement multi-cloud security strategies
+
+## Step 1: Install Azure CLI
+
+Install Azure CLI if not already present:
+
+**macOS:**
+```bash
+brew install azure-cli
+```
+
+**Linux:**
+```bash
+curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
+```
+
+**Windows:**
+```powershell
+winget install Microsoft.AzureCLI
+```
+
+Verify installation:
+```bash
+az --version
+```
+
+## Step 2: Authenticate to Azure
+
+Sign in to Azure:
+
+```bash
+az login
+```
+
+This opens a browser window for authentication.
+
+Verify authentication:
+```bash
+az account show
+```
+
+Expected output:
+```json
+{
+  "id": "12345678-1234-1234-1234-123456789012",
+  "name": "My Subscription",
+  "tenantId": "87654321-4321-4321-4321-210987654321",
+  "state": "Enabled"
+}
+```
+
+<Note>
+[Note: Screenshot of slide 43 showing Azure authentication - to be added]
+</Note>
+
+## Step 3: List Azure Subscriptions
+
+If you have multiple subscriptions, list them:
+
+```bash
+az account list --output table
+```
+
+Set the active subscription:
+```bash
+az account set --subscription "subscription-id"
+```
+
+## Step 4: Configure Azure Service Principal (Optional)
+
+For automated scans, create a service principal:
+
+```bash
+az ad sp create-for-rbac --name "prowler-scanner" --role Reader --scopes /subscriptions/{subscription-id}
+```
+
+This returns:
+```json
+{
+  "appId": "app-id",
+  "displayName": "prowler-scanner",
+  "password": "password",
+  "tenant": "tenant-id"
+}
+```
+
+<Warning>
+Store service principal credentials securely. These provide programmatic access to your Azure subscription.
+</Warning>
+
+Export credentials as environment variables:
+```bash
+export AZURE_CLIENT_ID="app-id"
+export AZURE_CLIENT_SECRET="password"
+export AZURE_TENANT_ID="tenant-id"
+export AZURE_SUBSCRIPTION_ID="subscription-id"
+```
+
+## Step 5: Run Your First Azure Scan
+
+Execute Prowler against Azure:
+
+```bash
+prowler azure
+```
+
+This command:
+* Uses Azure CLI credentials (or service principal if configured)
+* Scans the active subscription
+* Runs all Azure security checks
+* Generates output in multiple formats
+
+<Note>
+Azure scans typically take 5-10 minutes depending on resource count.
+</Note>
+
+<Note>
+[Note: Screenshot of slide 47 showing Azure scan execution - to be added]
+</Note>
+
+## Step 6: Scan Specific Azure Services
+
+Run targeted scans for specific services:
+
+```bash
+prowler azure --services storage network
+```
+
+This focuses on:
+* Azure Storage accounts
+* Virtual networks
+* Network security groups
+
+## Step 7: Analyze Azure Security Findings
+
+Review Azure-specific security checks:
+
+**Storage Account Security:**
+* Public blob access disabled
+* Secure transfer required (HTTPS)
+* Storage encryption enabled
+* Soft delete enabled
+
+**Network Security:**
+* Network security groups properly configured
+* No overly permissive rules
+* DDoS protection enabled
+* Network watcher enabled
+
+**Identity and Access:**
+* Multi-factor authentication enabled
+* Conditional access policies configured
+* Privileged identity management enabled
+
+Open the HTML report:
+```bash
+open output/prowler-output-azure-*.html
+```
+
+<Note>
+[Note: Screenshot of slide 50 showing Azure findings report - to be added]
+</Note>
+
+## Step 8: Compare AWS and Azure Security Posture
+
+If you completed Lab 1, compare security findings:
+
+**AWS findings:**
+```bash
+cat output/prowler-output-aws-*.csv | wc -l
+```
+
+**Azure findings:**
+```bash
+cat output/prowler-output-azure-*.csv | wc -l
+```
+
+Key comparison metrics:
+* Total findings by severity
+* Service coverage
+* Compliance status
+* Resource exposure
+
+## Step 9: Multi-Cloud Security Dashboard
+
+Generate a combined security view:
+
+Create a directory for multi-cloud reports:
+```bash
+mkdir -p multi-cloud-reports
+cp output/prowler-output-aws-*.json multi-cloud-reports/
+cp output/prowler-output-azure-*.json multi-cloud-reports/
+```
+
+<Tip>
+Use Prowler Cloud or custom dashboards to visualize multi-cloud security posture in a unified interface.
+</Tip>
+
+## Step 10: Azure-Specific Remediation
+
+Example remediations for common Azure findings:
+
+**Enable secure transfer for storage account:**
+```bash
+az storage account update \
+    --name mystorageaccount \
+    --resource-group myresourcegroup \
+    --https-only true
+```
+
+**Enable storage encryption:**
+```bash
+az storage account update \
+    --name mystorageaccount \
+    --resource-group myresourcegroup \
+    --encryption-services blob
+```
+
+**Disable public blob access:**
+```bash
+az storage account update \
+    --name mystorageaccount \
+    --resource-group myresourcegroup \
+    --allow-blob-public-access false
+```
+
+**Update network security group rule:**
+```bash
+az network nsg rule update \
+    --resource-group myresourcegroup \
+    --nsg-name mynsg \
+    --name mynsgrule \
+    --source-address-prefixes 10.0.0.0/16
+```
+
+## Step 11: Scan Multiple Azure Subscriptions
+
+Scan all subscriptions in your tenant:
+
+```bash
+prowler azure --subscription-ids subscription-id-1 subscription-id-2
+```
+
+Or scan all accessible subscriptions:
+```bash
+prowler azure --az-cli-auth
+```
+
+<Note>
+[Note: Screenshot of slide 56 showing multi-subscription scan - to be added]
+</Note>
+
+## Verification Steps
+
+Confirm successful lab completion:
+
+1. Azure CLI installed and authenticated
+2. First Azure scan completed successfully
+3. Azure security findings reviewed
+4. Service-specific scans executed
+5. Multi-cloud comparison performed
+6. Azure-specific remediations understood
+
+## Expected Outcomes
+
+After completing this lab, you should:
+
+* Be able to authenticate Prowler with Azure
+* Understand Azure security checks
+* Know how to scan multiple subscriptions
+* Have compared security posture across AWS and Azure
+* Be familiar with Azure-specific remediation commands
+
+## Common Azure Security Findings
+
+**Storage Accounts:**
+* Public blob access enabled
+* Secure transfer (HTTPS) not required
+* Storage encryption disabled
+* Logging not configured
+
+**Virtual Networks:**
+* Network security groups allow 0.0.0.0/0 access
+* DDoS protection not enabled
+* Network watcher not configured
+
+**Identity:**
+* MFA not enabled for all users
+* Guest users have excessive permissions
+* Password policies are weak
+
+## Troubleshooting
+
+**Issue:** Azure authentication fails
+* **Solution:** Run `az login` and ensure you have the correct subscription selected
+
+**Issue:** Permission errors during scan
+* **Solution:** Ensure your account or service principal has Reader role at subscription level
+
+**Issue:** Subscription not found
+* **Solution:** Verify subscription ID with `az account list` and check it's enabled
+
+**Issue:** Slow scan performance
+* **Solution:** Use `--services` flag to scan specific services instead of all
+
+## Next Steps
+
+Continue to [Lab 5: Multi-Cloud Security with Prowler (GCP)](/workshop/lab-05-gcp-multicloud) to add Google Cloud Platform to your multi-cloud security monitoring.
+
+## Additional Resources
+
+* [Azure Getting Started Guide](/user-guide/providers/azure/getting-started-azure)
+* [Azure Authentication Methods](/user-guide/providers/azure/authentication)
+* [Create Prowler Service Principal](/user-guide/providers/azure/create-prowler-service-principal)
+* [Azure Subscriptions Management](/user-guide/providers/azure/subscriptions)
--- a/docs/workshop/lab-05-gcp-multicloud.mdx
+++ b/docs/workshop/lab-05-gcp-multicloud.mdx
@@ -0,0 +1,377 @@
+---
+title: "Lab 5: Multi-Cloud Security with Prowler (GCP)"
+description: "Complete your multi-cloud security coverage by adding Google Cloud Platform assessments"
+---
+
+<Note>
+**Tags:** `workshop` `gcp` `multi-cloud` `intermediate` `authentication`
+</Note>
+
+# Lab 5: Multi-Cloud Security with Prowler (GCP)
+
+Learn to secure Google Cloud Platform environments and achieve comprehensive multi-cloud security coverage with Prowler.
+
+## Prerequisites
+
+* Prowler CLI installed ([Lab 1](/workshop/lab-01-getting-started))
+* Active GCP project
+* Google Cloud SDK (gcloud) installed
+* GCP account with appropriate permissions (Viewer role minimum)
+* Basic understanding of GCP services
+
+**Estimated Time:** 45 minutes
+
+## Lab Objectives
+
+By completing this lab, you will:
+
+* Configure GCP authentication for Prowler
+* Run security assessments on GCP projects
+* Understand GCP-specific security checks
+* Achieve comprehensive multi-cloud security coverage (AWS, Azure, GCP)
+* Implement unified security policies across cloud providers
+
+## Step 1: Install Google Cloud SDK
+
+Install gcloud CLI if not already present:
+
+**macOS:**
+```bash
+brew install google-cloud-sdk
+```
+
+**Linux:**
+```bash
+curl https://sdk.cloud.google.com | bash
+exec -l $SHELL
+```
+
+**Windows:**
+Download and install from: https://cloud.google.com/sdk/docs/install
+
+Verify installation:
+```bash
+gcloud --version
+```
+
+## Step 2: Authenticate to GCP
+
+Initialize gcloud and authenticate:
+
+```bash
+gcloud init
+```
+
+This prompts you to:
+1. Log in to your Google account
+2. Select or create a GCP project
+3. Configure default region/zone (optional)
+
+Verify authentication:
+```bash
+gcloud auth list
+```
+
+Display active project:
+```bash
+gcloud config get-value project
+```
+
+<Note>
+[Note: Screenshot of slide 60 showing GCP authentication - to be added]
+</Note>
+
+## Step 3: Configure Application Default Credentials
+
+Prowler uses Application Default Credentials (ADC):
+
+```bash
+gcloud auth application-default login
+```
+
+This creates credentials file at:
+* **Linux/macOS:** `~/.config/gcloud/application_default_credentials.json`
+* **Windows:** `%APPDATA%\gcloud\application_default_credentials.json`
+
+## Step 4: Set Up Service Account (Optional)
+
+For automated scans, create a service account:
+
+```bash
+# Create service account
+gcloud iam service-accounts create prowler-scanner \
+    --display-name="Prowler Security Scanner"
+
+# Get project ID
+PROJECT_ID=$(gcloud config get-value project)
+
+# Grant Viewer role
+gcloud projects add-iam-policy-binding $PROJECT_ID \
+    --member="serviceAccount:prowler-scanner@${PROJECT_ID}.iam.gserviceaccount.com" \
+    --role="roles/viewer"
+
+# Generate key file
+gcloud iam service-accounts keys create ~/prowler-credentials.json \
+    --iam-account=prowler-scanner@${PROJECT_ID}.iam.gserviceaccount.com
+```
+
+<Warning>
+Store service account key files securely. These provide programmatic access to your GCP project.
+</Warning>
+
+Use service account credentials:
+```bash
+export GOOGLE_APPLICATION_CREDENTIALS=~/prowler-credentials.json
+```
+
+## Step 5: Run Your First GCP Scan
+
+Execute Prowler against GCP:
+
+```bash
+prowler gcp
+```
+
+This command:
+* Uses Application Default Credentials (or service account)
+* Scans the active project
+* Runs all GCP security checks
+* Generates output in multiple formats
+
+<Note>
+GCP scans typically take 5-10 minutes depending on resource count.
+</Note>
+
+<Note>
+[Note: Screenshot of slide 65 showing GCP scan execution - to be added]
+</Note>
+
+## Step 6: Scan Specific GCP Projects
+
+Scan a specific project:
+
+```bash
+prowler gcp --project-id my-project-id
+```
+
+Scan multiple projects:
+```bash
+prowler gcp --project-id project-1 project-2 project-3
+```
+
+## Step 7: Scan Specific GCP Services
+
+Run targeted scans for specific services:
+
+```bash
+prowler gcp --services storage compute iam
+```
+
+This focuses on:
+* Cloud Storage buckets
+* Compute Engine instances
+* IAM policies and permissions
+
+## Step 8: Analyze GCP Security Findings
+
+Review GCP-specific security checks:
+
+**Cloud Storage Security:**
+* Buckets not publicly accessible
+* Uniform bucket-level access enabled
+* Encryption at rest enabled
+* Versioning enabled
+
+**Compute Engine Security:**
+* OS Login enabled
+* Serial port access disabled
+* Shielded VMs enabled
+* IP forwarding disabled
+
+**IAM Security:**
+* Service accounts with minimal permissions
+* No primitive roles (Owner, Editor, Viewer) assigned to users
+* Service account keys rotated regularly
+* Cloud Identity-Aware Proxy (IAP) enabled
+
+Open the HTML report:
+```bash
+open output/prowler-output-gcp-*.html
+```
+
+<Note>
+[Note: Screenshot of slide 69 showing GCP findings report - to be added]
+</Note>
+
+## Step 9: Multi-Cloud Security Overview
+
+You now have security coverage across three major cloud providers:
+
+Create a comprehensive multi-cloud report directory:
+
+```bash
+mkdir -p multi-cloud-security-reports
+cp output/prowler-output-aws-*.json multi-cloud-security-reports/
+cp output/prowler-output-azure-*.json multi-cloud-security-reports/
+cp output/prowler-output-gcp-*.json multi-cloud-security-reports/
+```
+
+Compare security posture metrics:
+
+```bash
+# Count findings by provider
+echo "AWS findings:"
+jq '.findings | length' multi-cloud-security-reports/prowler-output-aws-*.json
+
+echo "Azure findings:"
+jq '.findings | length' multi-cloud-security-reports/prowler-output-azure-*.json
+
+echo "GCP findings:"
+jq '.findings | length' multi-cloud-security-reports/prowler-output-gcp-*.json
+```
+
+## Step 10: GCP-Specific Remediation
+
+Example remediations for common GCP findings:
+
+**Enable uniform bucket-level access:**
+```bash
+gsutil uniformbucketlevelaccess set on gs://bucket-name
+```
+
+**Disable public access to bucket:**
+```bash
+gsutil iam ch -d allUsers gs://bucket-name
+gsutil iam ch -d allAuthenticatedUsers gs://bucket-name
+```
+
+**Enable OS Login on project:**
+```bash
+gcloud compute project-info add-metadata \
+    --metadata enable-oslogin=TRUE
+```
+
+**Disable serial port access:**
+```bash
+gcloud compute instances add-metadata instance-name \
+    --metadata serial-port-enable=FALSE
+```
+
+**Remove primitive role binding:**
+```bash
+gcloud projects remove-iam-policy-binding PROJECT_ID \
+    --member='user:email@example.com' \
+    --role='roles/editor'
+```
+
+## Step 11: Scan GCP Organization
+
+If you have organization-level access:
+
+```bash
+prowler gcp --organization-id org-id
+```
+
+This scans all projects within the organization.
+
+<Tip>
+Organization-level scanning requires `resourcemanager.organizations.get` permission at the organization level.
+</Tip>
+
+<Note>
+[Note: Screenshot of slide 74 showing organization scan - to be added]
+</Note>
+
+## Step 12: Multi-Cloud Security Strategy
+
+Establish consistent security controls across clouds:
+
+**Identity and Access:**
+* Enforce MFA across all providers
+* Implement least privilege access
+* Regular access reviews
+* Centralized identity management
+
+**Data Protection:**
+* Encryption at rest and in transit
+* Regular backups
+* Data retention policies
+* Access logging enabled
+
+**Network Security:**
+* Zero-trust network architecture
+* Network segmentation
+* DDoS protection
+* Traffic inspection
+
+**Monitoring and Compliance:**
+* Centralized logging
+* Security information and event management (SIEM)
+* Regular compliance scans
+* Automated remediation where possible
+
+## Verification Steps
+
+Confirm successful lab completion:
+
+1. Google Cloud SDK installed and authenticated
+2. First GCP scan completed successfully
+3. GCP security findings reviewed
+4. Service-specific scans executed
+5. Multi-cloud reports collected (AWS, Azure, GCP)
+6. GCP-specific remediations understood
+
+## Expected Outcomes
+
+After completing this lab, you should:
+
+* Be able to authenticate Prowler with GCP
+* Understand GCP security checks
+* Know how to scan multiple projects and organizations
+* Have achieved multi-cloud security coverage
+* Be familiar with GCP-specific remediation commands
+
+## Common GCP Security Findings
+
+**Cloud Storage:**
+* Buckets with public access
+* Uniform bucket-level access not enabled
+* Versioning disabled
+* Logging not configured
+
+**Compute Engine:**
+* OS Login not enabled
+* Legacy metadata endpoints enabled
+* Serial port access enabled
+* IP forwarding enabled on instances
+
+**IAM:**
+* Primitive roles assigned to users
+* Service account keys not rotated
+* Over-permissive service accounts
+* No organization policies enforced
+
+## Troubleshooting
+
+**Issue:** GCP authentication fails
+* **Solution:** Run `gcloud auth application-default login` and ensure project is set
+
+**Issue:** Permission errors during scan
+* **Solution:** Ensure account has Viewer role at project or organization level
+
+**Issue:** Project not found
+* **Solution:** Verify project ID with `gcloud projects list` and check it's active
+
+**Issue:** API not enabled errors
+* **Solution:** Enable required APIs: `gcloud services enable cloudresourcemanager.googleapis.com`
+
+## Next Steps
+
+Continue to [Lab 6: Compliance as Code with Prowler](/workshop/lab-06-compliance-as-code) to learn how to automate compliance reporting across all cloud providers.
+
+## Additional Resources
+
+* [GCP Getting Started Guide](/user-guide/providers/gcp/getting-started-gcp)
+* [GCP Authentication Methods](/user-guide/providers/gcp/authentication)
+* [GCP Projects Management](/user-guide/providers/gcp/projects)
+* [GCP Organization Scanning](/user-guide/providers/gcp/organization)
--- a/docs/workshop/lab-06-compliance-as-code.mdx
+++ b/docs/workshop/lab-06-compliance-as-code.mdx
@@ -0,0 +1,465 @@
+---
+title: "Lab 6: Compliance as Code with Prowler"
+description: "Automate compliance reporting and validation against industry standards and regulatory frameworks"
+---
+
+<Note>
+**Tags:** `workshop` `aws` `compliance` `intermediate` `automation` `frameworks`
+</Note>
+
+# Lab 6: Compliance as Code with Prowler
+
+Learn to automate compliance validation and reporting against industry standards such as CIS, PCI-DSS, HIPAA, and custom compliance frameworks.
+
+## Prerequisites
+
+* Completion of [Lab 1: Getting Started with Prowler CLI](/workshop/lab-01-getting-started)
+* AWS account with resources
+* Prowler CLI installed and configured
+* Understanding of compliance frameworks (CIS, PCI-DSS, HIPAA)
+
+**Estimated Time:** 50 minutes
+
+## Lab Objectives
+
+By completing this lab, you will:
+
+* Understand compliance frameworks in Prowler
+* Generate compliance reports for industry standards
+* Validate compliance status programmatically
+* Create custom compliance frameworks
+* Automate compliance reporting in CI/CD pipelines
+
+## Step 1: List Available Compliance Frameworks
+
+View all supported compliance frameworks:
+
+```bash
+prowler aws --list-compliance
+```
+
+This displays frameworks such as:
+* CIS AWS Foundations Benchmark (multiple versions)
+* PCI-DSS v4.0
+* HIPAA
+* SOC2
+* GDPR
+* ISO 27001
+* NIST 800-53
+* AWS Foundational Security Best Practices
+* Custom frameworks
+
+<Note>
+[Note: Screenshot of slide 78 showing compliance frameworks list - to be added]
+</Note>
+
+## Step 2: Run CIS Benchmark Compliance Scan
+
+Execute a CIS AWS Foundations Benchmark scan:
+
+```bash
+prowler aws --compliance cis_2.0_aws
+```
+
+This command:
+* Runs only checks mapped to CIS Benchmark v2.0
+* Generates a compliance report
+* Shows compliance percentage
+* Identifies non-compliant controls
+
+Review compliance summary:
+```bash
+open output/compliance/prowler-compliance-cis_2.0_aws-*.html
+```
+
+<Note>
+[Note: Screenshot of slide 80 showing CIS compliance report - to be added]
+</Note>
+
+## Step 3: Analyze Compliance Requirements
+
+Understanding compliance report structure:
+
+**Requirement ID:** Control identifier (e.g., 1.1, 1.2)
+**Requirement Description:** What the control validates
+**Status:** PASS or FAIL
+**Related Checks:** Prowler checks that map to this requirement
+**Resources Affected:** Specific resources that failed
+
+Example CIS requirement:
+
+```
+ID: 1.4
+Description: Ensure no root account access key exists
+Status: FAIL
+Checks: iam_root_user_no_access_keys
+Resources: Root account has 1 active access key
+```
+
+## Step 4: Generate Multiple Compliance Reports
+
+Run scans for multiple frameworks:
+
+```bash
+prowler aws --compliance cis_2.0_aws pci_dss_v4.0_aws hipaa_aws
+```
+
+This generates three separate compliance reports:
+* `prowler-compliance-cis_2.0_aws-*.html`
+* `prowler-compliance-pci_dss_v4.0_aws-*.html`
+* `prowler-compliance-hipaa_aws-*.html`
+
+Compare compliance posture across frameworks:
+```bash
+grep "Compliance Status" output/compliance/*.html
+```
+
+## Step 5: Export Compliance Data
+
+Export compliance results to JSON for automation:
+
+```bash
+prowler aws --compliance cis_2.0_aws -o json-ocsf
+```
+
+The JSON output includes:
+* Compliance score (percentage)
+* Passed requirements
+* Failed requirements
+* Resource-level details
+* Remediation guidance
+
+Query compliance status programmatically:
+```bash
+jq '.compliance.cis_2.0_aws.score' output/prowler-output-*.json-ocsf
+```
+
+<Note>
+[Note: Screenshot of slide 84 showing JSON compliance output - to be added]
+</Note>
+
+## Step 6: Create a Custom Compliance Framework
+
+Create a custom framework for organization-specific requirements:
+
+Create `custom_compliance.json`:
+
+```json
+{
+  "Framework": "custom_security_baseline",
+  "Version": "1.0",
+  "Provider": "aws",
+  "Description": "Organization Security Baseline Requirements",
+  "Requirements": [
+    {
+      "Id": "1.1",
+      "Description": "S3 buckets must have encryption enabled",
+      "Attributes": [
+        {
+          "Section": "Data Protection",
+          "SubSection": "Encryption at Rest",
+          "Type": "automated",
+          "Service": "s3"
+        }
+      ],
+      "Checks": [
+        "s3_bucket_default_encryption",
+        "s3_bucket_secure_transport_policy"
+      ]
+    },
+    {
+      "Id": "1.2",
+      "Description": "CloudTrail must be enabled in all regions",
+      "Attributes": [
+        {
+          "Section": "Logging and Monitoring",
+          "SubSection": "Audit Logging",
+          "Type": "automated",
+          "Service": "cloudtrail"
+        }
+      ],
+      "Checks": [
+        "cloudtrail_multi_region_enabled",
+        "cloudtrail_log_file_validation_enabled"
+      ]
+    },
+    {
+      "Id": "2.1",
+      "Description": "IAM users must have MFA enabled",
+      "Attributes": [
+        {
+          "Section": "Identity and Access Management",
+          "SubSection": "Multi-Factor Authentication",
+          "Type": "automated",
+          "Service": "iam"
+        }
+      ],
+      "Checks": [
+        "iam_user_mfa_enabled_console_access",
+        "iam_root_mfa_enabled"
+      ]
+    },
+    {
+      "Id": "3.1",
+      "Description": "Security groups must not allow unrestricted access",
+      "Attributes": [
+        {
+          "Section": "Network Security",
+          "SubSection": "Firewall Rules",
+          "Type": "automated",
+          "Service": "ec2"
+        }
+      ],
+      "Checks": [
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389"
+      ]
+    }
+  ]
+}
+```
+
+Save to `prowler/compliance/aws/`:
+```bash
+cp custom_compliance.json ~/.prowler/compliance/aws/
+```
+
+## Step 7: Run Custom Compliance Framework
+
+Execute scan against custom framework:
+
+```bash
+prowler aws --compliance-framework custom_compliance.json
+```
+
+Or if placed in Prowler's compliance directory:
+```bash
+prowler aws --compliance custom_security_baseline
+```
+
+Review custom compliance report:
+```bash
+open output/compliance/prowler-compliance-custom_security_baseline-*.html
+```
+
+<Note>
+[Note: Screenshot of slide 88 showing custom compliance report - to be added]
+</Note>
+
+## Step 8: Compliance Reporting for Audits
+
+Generate audit-ready compliance reports:
+
+```bash
+prowler aws \
+    --compliance cis_2.0_aws \
+    -o html csv json \
+    --output-directory ./audit-reports-$(date +%Y%m%d)
+```
+
+This creates:
+* HTML report for human review
+* CSV for spreadsheet analysis
+* JSON for programmatic processing
+
+Package for auditors:
+```bash
+tar -czf compliance-audit-$(date +%Y%m%d).tar.gz audit-reports-*
+```
+
+## Step 9: Automate Compliance Validation
+
+Create a compliance validation script:
+
+Create `compliance-check.sh`:
+
+```bash
+#!/bin/bash
+
+# Configuration
+COMPLIANCE_FRAMEWORK="cis_2.0_aws"
+REQUIRED_SCORE=85
+OUTPUT_DIR="./compliance-reports"
+
+# Run Prowler
+prowler aws \
+    --compliance $COMPLIANCE_FRAMEWORK \
+    -o json \
+    --output-directory $OUTPUT_DIR
+
+# Extract compliance score
+SCORE=$(jq -r ".compliance.${COMPLIANCE_FRAMEWORK}.score" \
+    $OUTPUT_DIR/prowler-output-*.json | head -1)
+
+echo "Compliance Score: ${SCORE}%"
+
+# Validate compliance threshold
+if (( $(echo "$SCORE >= $REQUIRED_SCORE" | bc -l) )); then
+    echo "✓ Compliance check PASSED (score: ${SCORE}% >= ${REQUIRED_SCORE}%)"
+    exit 0
+else
+    echo "✗ Compliance check FAILED (score: ${SCORE}% < ${REQUIRED_SCORE}%)"
+    exit 1
+fi
+```
+
+Make executable:
+```bash
+chmod +x compliance-check.sh
+```
+
+Run validation:
+```bash
+./compliance-check.sh
+```
+
+## Step 10: Integrate with CI/CD Pipeline
+
+Example GitHub Actions workflow:
+
+Create `.github/workflows/compliance-check.yml`:
+
+```yaml
+name: Compliance Validation
+
+on:
+  schedule:
+    - cron: '0 0 * * *'  # Daily at midnight
+  workflow_dispatch:
+
+jobs:
+  prowler-compliance:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.11'
+
+      - name: Install Prowler
+        run: pip install prowler
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-east-1
+
+      - name: Run compliance scan
+        run: |
+          prowler aws \
+            --compliance cis_2.0_aws \
+            -o html json \
+            --output-directory ./reports
+
+      - name: Upload compliance reports
+        uses: actions/upload-artifact@v3
+        with:
+          name: compliance-reports
+          path: ./reports/
+
+      - name: Check compliance threshold
+        run: |
+          SCORE=$(jq -r '.compliance.cis_2.0_aws.score' reports/prowler-output-*.json)
+          if (( $(echo "$SCORE < 85" | bc -l) )); then
+            echo "Compliance score ${SCORE}% is below threshold"
+            exit 1
+          fi
+```
+
+<Note>
+[Note: Screenshot of slide 92 showing CI/CD integration - to be added]
+</Note>
+
+## Step 11: Continuous Compliance Monitoring
+
+Implement continuous compliance monitoring:
+
+**Daily Scans:**
+* Schedule automated scans
+* Track compliance trends over time
+* Alert on compliance score drops
+
+**Drift Detection:**
+* Compare current state vs. baseline
+* Identify new non-compliant resources
+* Generate remediation tickets automatically
+
+**Compliance Dashboard:**
+* Visualize compliance status
+* Track remediation progress
+* Generate executive reports
+
+## Verification Steps
+
+Confirm successful lab completion:
+
+1. Listed available compliance frameworks
+2. Generated CIS compliance report
+3. Created multiple framework reports
+4. Built custom compliance framework
+5. Automated compliance validation
+6. Integrated compliance checks in CI/CD
+
+## Expected Outcomes
+
+After completing this lab, you should:
+
+* Understand Prowler compliance capabilities
+* Be able to generate compliance reports
+* Know how to create custom frameworks
+* Have automated compliance validation
+* Be ready for audit processes
+
+## Compliance Framework Mapping
+
+Common frameworks supported:
+
+**AWS:**
+* CIS AWS Foundations Benchmark v1.4, v1.5, v2.0, v3.0
+* AWS Foundational Security Best Practices
+* PCI-DSS v4.0
+* HIPAA
+* SOC2
+* GDPR
+* ISO 27001
+* NIST 800-53
+* FedRAMP
+* ENS (Spanish National Security Scheme)
+
+**Azure:**
+* CIS Microsoft Azure Foundations Benchmark
+* Azure Security Benchmark
+
+**GCP:**
+* CIS Google Cloud Platform Foundation Benchmark
+
+## Troubleshooting
+
+**Issue:** Compliance framework not found
+* **Solution:** Use `--list-compliance` to see exact framework names
+
+**Issue:** Low compliance score
+* **Solution:** Review failed checks and prioritize remediation by severity
+
+**Issue:** Missing compliance report
+* **Solution:** Check `output/compliance/` directory for framework-specific reports
+
+**Issue:** Custom framework not loading
+* **Solution:** Validate JSON syntax and ensure file is in correct directory
+
+## Next Steps
+
+Continue to [Lab 7: Integrations with Prowler](/workshop/lab-07-integrations) to learn how to integrate Prowler with AWS Security Hub and other security tools.
+
+## Additional Resources
+
+* [Compliance Reporting Guide](/user-guide/cli/tutorials/compliance)
+* [Compliance Frameworks Documentation](/user-guide/cli/tutorials/compliance)
+* [Custom Compliance Framework Guide](/developer-guide/security-compliance-framework)
+* [Prowler Hub Compliance Frameworks](https://hub.prowler.com/compliance)
--- a/docs/workshop/lab-07-integrations.mdx
+++ b/docs/workshop/lab-07-integrations.mdx
@@ -0,0 +1,425 @@
+---
+title: "Lab 7: Integrations with Prowler"
+description: "Integrate Prowler findings with AWS Security Hub and other security tools for centralized security management"
+---
+
+<Note>
+**Tags:** `workshop` `aws` `integrations` `intermediate` `security-hub` `automation`
+</Note>
+
+# Lab 7: Integrations with Prowler
+
+Learn to integrate Prowler with AWS Security Hub and other security tools to centralize security findings and automate remediation workflows.
+
+## Prerequisites
+
+* Completion of [Lab 1: Getting Started with Prowler CLI](/workshop/lab-01-getting-started)
+* AWS account with Security Hub enabled
+* IAM permissions for Security Hub operations
+* Prowler CLI installed and configured
+* Basic understanding of AWS Security Hub
+
+**Estimated Time:** 45 minutes
+
+## Lab Objectives
+
+By completing this lab, you will:
+
+* Enable AWS Security Hub integration
+* Send Prowler findings to Security Hub
+* Understand finding formats and mapping
+* Configure automated finding synchronization
+* Integrate with third-party security tools
+* Implement centralized security dashboards
+
+## Step 1: Enable AWS Security Hub
+
+Enable Security Hub in your AWS account:
+
+**Via AWS Console:**
+1. Navigate to AWS Security Hub
+2. Click "Go to Security Hub"
+3. Click "Enable Security Hub"
+
+**Via AWS CLI:**
+```bash
+aws securityhub enable-security-hub
+```
+
+Verify Security Hub is enabled:
+```bash
+aws securityhub get-enabled-standards
+```
+
+<Note>
+[Note: Screenshot of slide 96 showing Security Hub enablement - to be added]
+</Note>
+
+## Step 2: Configure IAM Permissions
+
+Ensure your IAM role/user has Security Hub permissions:
+
+Required permissions:
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "securityhub:BatchImportFindings",
+        "securityhub:GetFindings"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+```
+
+Create and attach policy:
+```bash
+aws iam create-policy \
+    --policy-name ProwlerSecurityHubIntegration \
+    --policy-document file://securityhub-policy.json
+
+aws iam attach-user-policy \
+    --user-name prowler-user \
+    --policy-arn arn:aws:iam::ACCOUNT_ID:policy/ProwlerSecurityHubIntegration
+```
+
+## Step 3: Run Prowler with Security Hub Integration
+
+Execute Prowler and send findings to Security Hub:
+
+```bash
+prowler aws --security-hub
+```
+
+This command:
+* Runs all security checks
+* Transforms findings to AWS Security Finding Format (ASFF)
+* Sends findings to Security Hub via `BatchImportFindings` API
+* Generates local reports
+
+<Warning>
+Security Hub has API rate limits. For large environments, findings are sent in batches automatically.
+</Warning>
+
+<Note>
+[Note: Screenshot of slide 99 showing Prowler sending findings to Security Hub - to be added]
+</Note>
+
+## Step 4: View Findings in Security Hub
+
+Navigate to AWS Security Hub console and review Prowler findings:
+
+**Filter by Product:**
+1. Go to "Findings" in Security Hub
+2. Add filter: `Product name is Prowler`
+3. Review findings by severity
+
+**View Finding Details:**
+* Severity (CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL)
+* Affected resource
+* Compliance framework mapping
+* Remediation guidance
+* Workflow status
+
+<Note>
+[Note: Screenshot of slide 101 showing Security Hub findings view - to be added]
+</Note>
+
+## Step 5: Understanding ASFF Mapping
+
+Prowler findings are mapped to AWS Security Finding Format:
+
+**Prowler Status → Security Hub Compliance Status:**
+* PASS → PASSED
+* FAIL → FAILED
+* MANUAL → NOT_AVAILABLE
+
+**Prowler Severity → Security Hub Severity:**
+* critical → CRITICAL (90-100)
+* high → HIGH (70-89)
+* medium → MEDIUM (40-69)
+* low → LOW (1-39)
+* informational → INFORMATIONAL (0)
+
+Example ASFF finding structure:
+```json
+{
+  "SchemaVersion": "2018-10-08",
+  "Id": "prowler-aws/account/region/check/resource",
+  "ProductArn": "arn:aws:securityhub:region::product/prowler/prowler",
+  "GeneratorId": "prowler-check-id",
+  "AwsAccountId": "123456789012",
+  "Types": ["Software and Configuration Checks"],
+  "CreatedAt": "2024-01-01T00:00:00.000Z",
+  "UpdatedAt": "2024-01-01T00:00:00.000Z",
+  "Severity": {
+    "Label": "HIGH"
+  },
+  "Title": "Check title",
+  "Description": "Check description",
+  "Resources": [
+    {
+      "Type": "AwsS3Bucket",
+      "Id": "arn:aws:s3:::bucket-name"
+    }
+  ],
+  "Compliance": {
+    "Status": "FAILED"
+  }
+}
+```
+
+## Step 6: Update Existing Findings
+
+Run subsequent scans to update Security Hub findings:
+
+```bash
+prowler aws --security-hub
+```
+
+Prowler automatically:
+* Updates existing findings (same resource, same check)
+* Marks remediated issues as PASSED
+* Creates new findings for new resources
+* Archives findings for deleted resources
+
+## Step 7: Regional Security Hub Integration
+
+Send findings to Security Hub in specific regions:
+
+```bash
+prowler aws --security-hub --region us-east-1 us-west-2
+```
+
+Or enable aggregation in a single region:
+
+```bash
+# Configure finding aggregator in Security Hub
+aws securityhub create-finding-aggregator \
+    --region-linking-mode ALL_REGIONS
+```
+
+<Tip>
+Use Security Hub finding aggregation to centralize findings from multiple regions in a single dashboard.
+</Tip>
+
+## Step 8: Filter Findings Sent to Security Hub
+
+Send only critical and high-severity findings:
+
+```bash
+prowler aws --security-hub --severity critical high
+```
+
+Send findings for specific compliance frameworks:
+
+```bash
+prowler aws --security-hub --compliance cis_2.0_aws
+```
+
+## Step 9: Integrate with S3 for Long-Term Storage
+
+Store Prowler reports in S3 alongside Security Hub integration:
+
+```bash
+prowler aws \
+    --security-hub \
+    -o html json csv \
+    --output-bucket-no-assume s3://my-security-reports-bucket
+```
+
+This enables:
+* Long-term retention of historical reports
+* Compliance audit trails
+* Trend analysis over time
+* Cost-effective storage
+
+Configure S3 bucket lifecycle policies:
+```bash
+aws s3api put-bucket-lifecycle-configuration \
+    --bucket my-security-reports-bucket \
+    --lifecycle-configuration file://lifecycle.json
+```
+
+`lifecycle.json`:
+```json
+{
+  "Rules": [
+    {
+      "Id": "ArchiveOldReports",
+      "Status": "Enabled",
+      "Transitions": [
+        {
+          "Days": 90,
+          "StorageClass": "GLACIER"
+        }
+      ],
+      "Expiration": {
+        "Days": 365
+      },
+      "Filter": {
+        "Prefix": "prowler-reports/"
+      }
+    }
+  ]
+}
+```
+
+<Note>
+[Note: Screenshot of slide 107 showing S3 integration - to be added]
+</Note>
+
+## Step 10: Integrate with Third-Party Tools
+
+**Send to Slack:**
+```bash
+prowler aws --security-hub | \
+    jq -r '.findings[] | select(.status=="FAIL" and .severity=="critical")' | \
+    curl -X POST -H 'Content-type: application/json' \
+    --data @- https://hooks.slack.com/services/YOUR/WEBHOOK/URL
+```
+
+**Send to Jira:**
+Create Jira tickets for critical findings using Jira API:
+
+```bash
+#!/bin/bash
+JIRA_URL="https://your-domain.atlassian.net"
+JIRA_API_TOKEN="your-api-token"
+JIRA_PROJECT="SEC"
+
+# Extract critical findings
+FINDINGS=$(prowler aws -o json-ocsf | \
+    jq '.findings[] | select(.status=="FAIL" and .severity=="critical")')
+
+# Create Jira tickets
+echo "$FINDINGS" | jq -c '.' | while read finding; do
+    TITLE=$(echo $finding | jq -r '.check_title')
+    DESCRIPTION=$(echo $finding | jq -r '.status_extended')
+
+    curl -X POST "$JIRA_URL/rest/api/2/issue" \
+        -H "Authorization: Bearer $JIRA_API_TOKEN" \
+        -H "Content-Type: application/json" \
+        -d "{
+            \"fields\": {
+                \"project\": {\"key\": \"$JIRA_PROJECT\"},
+                \"summary\": \"$TITLE\",
+                \"description\": \"$DESCRIPTION\",
+                \"issuetype\": {\"name\": \"Task\"}
+            }
+        }"
+done
+```
+
+**Send to Splunk:**
+```bash
+prowler aws -o json-ocsf | \
+    curl -k https://splunk-server:8088/services/collector/event \
+    -H "Authorization: Splunk YOUR-HEC-TOKEN" \
+    -d @-
+```
+
+## Step 11: Automate Security Hub Updates
+
+Create a Lambda function to run Prowler periodically:
+
+**Lambda Function (Python):**
+```python
+import subprocess
+import boto3
+
+def lambda_handler(event, context):
+    # Run Prowler with Security Hub integration
+    result = subprocess.run(
+        ['prowler', 'aws', '--security-hub'],
+        capture_output=True,
+        text=True
+    )
+
+    return {
+        'statusCode': 200,
+        'body': f'Prowler scan completed. Output: {result.stdout}'
+    }
+```
+
+**Schedule with EventBridge:**
+```bash
+aws events put-rule \
+    --name DailyProwlerScan \
+    --schedule-expression "cron(0 2 * * ? *)"
+
+aws events put-targets \
+    --rule DailyProwlerScan \
+    --targets "Id"="1","Arn"="arn:aws:lambda:region:account:function:ProwlerScanFunction"
+```
+
+<Note>
+[Note: Screenshot of slide 111 showing automated integration - to be added]
+</Note>
+
+## Verification Steps
+
+Confirm successful lab completion:
+
+1. AWS Security Hub enabled
+2. Prowler findings sent to Security Hub
+3. Findings visible in Security Hub console
+4. Subsequent scans update existing findings
+5. S3 integration configured for report storage
+6. Third-party integration examples tested
+
+## Expected Outcomes
+
+After completing this lab, you should:
+
+* Understand Security Hub integration
+* Know how to send findings to Security Hub
+* Be able to configure automated synchronization
+* Have integrated with S3 for storage
+* Be familiar with third-party tool integrations
+
+## Security Hub Benefits
+
+**Centralized Security:**
+* Aggregate findings from multiple tools
+* Unified view across AWS accounts and regions
+* Compliance dashboard
+
+**Automated Workflows:**
+* Trigger remediation workflows
+* Create incidents automatically
+* Integrate with SIEM tools
+
+**Prioritization:**
+* Filter by severity and compliance status
+* Track remediation progress
+* Generate executive reports
+
+## Troubleshooting
+
+**Issue:** Security Hub not enabled
+* **Solution:** Run `aws securityhub enable-security-hub` to enable
+
+**Issue:** Permission denied sending findings
+* **Solution:** Ensure IAM role has `securityhub:BatchImportFindings` permission
+
+**Issue:** Findings not appearing in Security Hub
+* **Solution:** Check Prowler output for errors, verify region configuration
+
+**Issue:** Rate limit errors
+* **Solution:** Prowler batches findings automatically; retry if transient failures occur
+
+## Next Steps
+
+Continue to [Lab 8: Prowler SaaS Platform](/workshop/lab-08-prowler-saas) to explore the managed Prowler Cloud platform with advanced features.
+
+## Additional Resources
+
+* [Security Hub Integration Guide](/user-guide/providers/aws/securityhub)
+* [S3 Integration Guide](/user-guide/providers/aws/s3)
+* [Integrations Documentation](/user-guide/cli/tutorials/integrations)
+* [AWS Security Hub Documentation](https://docs.aws.amazon.com/securityhub/)
--- a/docs/workshop/lab-08-prowler-saas.mdx
+++ b/docs/workshop/lab-08-prowler-saas.mdx
@@ -0,0 +1,440 @@
+---
+title: "Lab 8: Prowler SaaS Platform"
+description: "Explore Prowler Cloud's managed platform with advanced features, team collaboration, and continuous monitoring"
+---
+
+<Note>
+**Tags:** `workshop` `prowler-cloud` `saas` `intermediate` `platform` `collaboration`
+</Note>
+
+# Lab 8: Prowler SaaS Platform
+
+Learn to use Prowler Cloud, the managed SaaS platform that provides advanced security monitoring, team collaboration, compliance dashboards, and AI-powered security insights.
+
+## Prerequisites
+
+* Completion of previous labs (recommended but not required)
+* Prowler Cloud account (free trial available)
+* Cloud provider accounts (AWS, Azure, or GCP)
+* Basic understanding of Prowler concepts
+
+**Estimated Time:** 60 minutes
+
+## Lab Objectives
+
+By completing this lab, you will:
+
+* Set up Prowler Cloud account
+* Connect cloud providers to Prowler Cloud
+* Navigate the Prowler Cloud interface
+* Use team collaboration features
+* Leverage AI-powered security insights
+* Configure continuous monitoring and alerts
+* Generate executive compliance reports
+
+## Step 1: Create Prowler Cloud Account
+
+Sign up for Prowler Cloud:
+
+1. Visit [https://cloud.prowler.com](https://cloud.prowler.com)
+2. Click "Start Free Trial"
+3. Choose authentication method:
+   * Email/password
+   * Google authentication
+   * GitHub authentication
+   * SSO (for enterprise plans)
+4. Verify email address
+5. Complete onboarding wizard
+
+<Note>
+[Note: Screenshot of slide 115 showing Prowler Cloud signup - to be added]
+</Note>
+
+## Step 2: Connect Your First Cloud Provider
+
+**Connect AWS Account:**
+
+1. Navigate to "Providers" in Prowler Cloud
+2. Click "Add Provider"
+3. Select "AWS"
+4. Choose connection method:
+   * **CloudFormation Stack** (recommended)
+   * **Manual IAM Role**
+5. Deploy CloudFormation template
+6. Copy Role ARN and External ID
+7. Test connection
+8. Click "Save"
+
+**CloudFormation Stack Deployment:**
+```bash
+aws cloudformation create-stack \
+    --stack-name prowler-integration \
+    --template-url https://prowler-public.s3.amazonaws.com/prowler-role.yaml \
+    --parameters ParameterKey=ExternalId,ParameterValue=<your-external-id> \
+    --capabilities CAPABILITY_NAMED_IAM
+```
+
+<Note>
+[Note: Screenshot of slide 118 showing provider connection - to be added]
+</Note>
+
+<Tip>
+The CloudFormation template creates a read-only IAM role with the minimum permissions required for Prowler scans.
+</Tip>
+
+## Step 3: Run Your First Cloud Scan
+
+Initiate a security scan:
+
+1. Go to "Scans" page
+2. Click "New Scan"
+3. Select provider(s) to scan
+4. Choose scan type:
+   * **Quick Scan:** Essential security checks
+   * **Full Scan:** Comprehensive assessment
+   * **Compliance Scan:** Framework-specific validation
+5. Click "Start Scan"
+
+Monitor scan progress:
+* Real-time progress indicator
+* Checks completed
+* Resources discovered
+* Findings identified
+
+<Note>
+[Note: Screenshot of slide 121 showing scan execution - to be added]
+</Note>
+
+## Step 4: Explore the Findings Dashboard
+
+Navigate findings dashboard:
+
+**Overview Statistics:**
+* Total findings by severity
+* Compliance score
+* Trend over time
+* Top affected services
+
+**Filtering Options:**
+* Severity (Critical, High, Medium, Low)
+* Status (Open, In Progress, Resolved)
+* Cloud provider
+* Service
+* Compliance framework
+* Resource tags
+
+**Finding Details:**
+* Detailed description
+* Affected resources
+* Risk assessment
+* Remediation steps
+* Related compliance requirements
+
+<Note>
+[Note: Screenshot of slide 124 showing findings dashboard - to be added]
+</Note>
+
+## Step 5: Use AI-Powered Security Insights
+
+Leverage Prowler Lighthouse AI features:
+
+**AI Security Assistant:**
+1. Click "Lighthouse" in navigation
+2. Ask questions about your security posture:
+   * "What are my critical security risks?"
+   * "Show me publicly exposed resources"
+   * "How can I improve my compliance score?"
+   * "What encryption issues exist?"
+
+**AI Remediation Guidance:**
+* Select any finding
+* Click "AI Remediation"
+* Review generated remediation steps
+* Get customized code/CLI commands
+* Apply fixes with confidence
+
+**AI Threat Analysis:**
+* Identifies attack patterns
+* Correlates related findings
+* Suggests priority order for remediation
+* Explains security impact
+
+<Note>
+[Note: Screenshot of slide 127 showing Lighthouse AI - to be added]
+</Note>
+
+## Step 6: Configure Team Collaboration
+
+Set up team access and workflows:
+
+**Invite Team Members:**
+1. Go to "Settings" → "Team"
+2. Click "Invite Member"
+3. Enter email address
+4. Assign role:
+   * **Admin:** Full access
+   * **Editor:** Scan and remediate
+   * **Viewer:** Read-only access
+5. Send invitation
+
+**Assign Findings:**
+1. Select findings
+2. Click "Assign"
+3. Choose team member
+4. Add due date
+5. Add comments/notes
+
+**Workflow States:**
+* Open → New finding
+* In Progress → Being investigated/fixed
+* Resolved → Remediated
+* False Positive → Not applicable
+* Risk Accepted → Acknowledged but not fixed
+
+<Note>
+[Note: Screenshot of slide 130 showing team collaboration - to be added]
+</Note>
+
+## Step 7: Configure Continuous Monitoring
+
+Set up automated scanning:
+
+**Scheduled Scans:**
+1. Go to "Scans" → "Schedules"
+2. Click "Create Schedule"
+3. Configure:
+   * Name: "Daily Security Scan"
+   * Frequency: Daily, Weekly, or Custom cron
+   * Time: 2:00 AM UTC
+   * Providers: Select all
+   * Notification preferences
+4. Save schedule
+
+**Real-Time Monitoring:**
+* Enable CloudTrail integration
+* Receive alerts for security events
+* Detect configuration drift
+* Identify new resources
+
+<Tip>
+Schedule scans during off-peak hours to minimize performance impact on your cloud APIs.
+</Tip>
+
+## Step 8: Configure Alerts and Notifications
+
+Set up security alerts:
+
+**Alert Rules:**
+1. Navigate to "Alerts"
+2. Click "Create Alert Rule"
+3. Define conditions:
+   * Finding severity ≥ High
+   * Compliance score drops below 80%
+   * New critical findings discovered
+   * Public exposure detected
+4. Choose notification channels:
+   * Email
+   * Slack
+   * Microsoft Teams
+   * PagerDuty
+   * Webhooks
+5. Save rule
+
+**Slack Integration:**
+1. Go to "Integrations" → "Slack"
+2. Click "Connect to Slack"
+3. Authorize Prowler app
+4. Select channel for notifications
+5. Configure alert preferences
+
+<Note>
+[Note: Screenshot of slide 134 showing alert configuration - to be added]
+</Note>
+
+## Step 9: Generate Compliance Reports
+
+Create compliance reports for auditors:
+
+**Compliance Dashboard:**
+1. Navigate to "Compliance"
+2. View compliance scores by framework:
+   * CIS Benchmarks
+   * PCI-DSS
+   * HIPAA
+   * SOC2
+   * ISO 27001
+3. Drill down into requirements
+4. View evidence for each control
+
+**Export Reports:**
+1. Select compliance framework
+2. Click "Generate Report"
+3. Choose format:
+   * PDF (executive summary)
+   * Excel (detailed findings)
+   * CSV (raw data)
+4. Schedule recurring reports:
+   * Weekly status updates
+   * Monthly compliance reports
+   * Quarterly audit packages
+
+**Report Customization:**
+* Add company logo
+* Include executive summary
+* Filter by business unit
+* Show remediation progress
+* Include trend analysis
+
+<Note>
+[Note: Screenshot of slide 137 showing compliance reports - to be added]
+</Note>
+
+## Step 10: Multi-Account and Multi-Cloud Management
+
+Manage multiple cloud environments:
+
+**Add Multiple Providers:**
+1. Connect AWS accounts (dev, staging, production)
+2. Connect Azure subscriptions
+3. Connect GCP projects
+4. Organize with tags/labels
+
+**Provider Groups:**
+1. Create provider groups:
+   * Production environments
+   * Development environments
+   * By business unit
+   * By geographic region
+2. Run group-wide scans
+3. Generate consolidated reports
+
+**Cross-Cloud Insights:**
+* Compare security posture across providers
+* Identify configuration inconsistencies
+* Standardize security policies
+* Track multi-cloud compliance
+
+<Note>
+[Note: Screenshot of slide 140 showing multi-cloud management - to be added]
+</Note>
+
+## Step 11: Advanced Features
+
+Explore advanced Prowler Cloud capabilities:
+
+**Custom Checks:**
+* Create organization-specific security policies
+* Define custom compliance requirements
+* Share with team
+
+**API Access:**
+* Programmatic access to findings
+* Integrate with internal tools
+* Automate workflows
+
+**RBAC (Role-Based Access Control):**
+* Fine-grained permissions
+* Provider-level access control
+* Audit logging
+
+**Security Integrations:**
+* AWS Security Hub
+* Jira
+* ServiceNow
+* Splunk
+* Custom webhooks
+
+## Verification Steps
+
+Confirm successful lab completion:
+
+1. Prowler Cloud account created
+2. Cloud provider(s) connected
+3. Security scan completed
+4. Findings dashboard explored
+5. AI insights leveraged
+6. Team collaboration configured
+7. Continuous monitoring set up
+8. Compliance reports generated
+
+## Expected Outcomes
+
+After completing this lab, you should:
+
+* Understand Prowler Cloud platform capabilities
+* Be able to connect and scan cloud providers
+* Know how to use AI-powered insights
+* Have configured team collaboration
+* Be able to generate compliance reports
+* Have set up continuous monitoring
+
+## Prowler Cloud vs. Prowler CLI
+
+**Prowler Cloud Advantages:**
+* Managed infrastructure (no installation)
+* Web-based interface
+* Team collaboration features
+* AI-powered insights (Lighthouse)
+* Continuous monitoring
+* Historical trend analysis
+* Executive dashboards
+* Built-in integrations
+* Scheduled scans
+* Role-based access control
+
+**Prowler CLI Advantages:**
+* Self-hosted (on-premises)
+* No data leaves your environment
+* Scriptable and automatable
+* Free and open source
+* Custom integrations
+* Offline scanning
+
+<Tip>
+Many organizations use both: Prowler CLI for automated CI/CD pipelines and Prowler Cloud for centralized visibility and team collaboration.
+</Tip>
+
+## Troubleshooting
+
+**Issue:** Cannot connect cloud provider
+* **Solution:** Verify IAM role permissions and trust relationship, check External ID
+
+**Issue:** Scan fails or times out
+* **Solution:** Check provider credentials are valid, ensure APIs are not rate-limited
+
+**Issue:** No findings appearing
+* **Solution:** Verify scan completed successfully, check filtering settings
+
+**Issue:** Alert notifications not received
+* **Solution:** Verify integration configuration, check notification channel settings
+
+## Workshop Completion
+
+Congratulations on completing the Prowler Workshop! You have learned:
+
+* Prowler CLI installation and basic usage
+* Threat detection techniques
+* Custom check development
+* Multi-cloud security (AWS, Azure, GCP)
+* Compliance automation
+* Security tool integrations
+* Prowler Cloud platform capabilities
+
+## Next Steps
+
+Continue your Prowler journey:
+
+* Join the [Prowler Community](https://goto.prowler.com/slack)
+* Contribute to [Prowler Open Source](https://github.com/prowler-cloud/prowler)
+* Explore [Prowler Hub](https://hub.prowler.com) for checks and frameworks
+* Read the [Prowler Documentation](https://docs.prowler.com)
+* Follow [Prowler on Twitter](https://twitter.com/prowlercloud)
+* Subscribe to [Prowler YouTube](https://www.youtube.com/@prowlercloud)
+
+## Additional Resources
+
+* [Prowler Cloud Documentation](/getting-started/products/prowler-cloud)
+* [Prowler Cloud Pricing](/getting-started/products/prowler-cloud-pricing)
+* [AWS Marketplace Listing](/getting-started/products/prowler-cloud-aws-marketplace)
+* [Prowler API Reference](/getting-started/goto/prowler-api-reference)
+* [Prowler Lighthouse AI](/user-guide/tutorials/prowler-app-lighthouse)