CNAPP buyer’s guide: Top cloud-native app protection platforms compared


Cloud security continues to be a vexing situation, and the tool set continues to become more complex, riddled with acronyms representing possible solutions. Now there’s another: the cloud-native application protection platform, or CNAPP. This tool combines the coverage of four separate products:

A cloud infrastructure entitlement manager (CIEM) that inventories cloud identities and their permissions, flags excessive entitlements and enforces least privilege

A cloud workload protection platform (CWPP) that scans and protects the workloads themselves (virtual machines, containers and serverless functions) at runtime, usually starting with image scanning in the build pipeline

A cloud access security broker (CASB) that sits between users and cloud services to enforce access policy, including authentication, encryption and data-loss controls

A cloud security posture manager (CSPM) that continuously checks cloud configuration against benchmarks, flags misconfigurations and drives remediation

From these “classic” four elements, CNAPP — or at least its moniker — has expanded to secure other arenas, including:

API, scripting, supply chain and infrastructure-as-code (IaC) security.

Container and serverless security.

Other posture management tools, including data and SaaS applications.

That makes CNAPP “a mouthful to put into one sentence and even more burdensome to evaluate and buy,” according to Andras Cser, a principal analyst for Forrester, as he wrote in May of 2023. End users “have to evaluate way too many characteristics and features of many different disciplines, limiting their choices.” It also bundles non-cloud security options, such as IaC scripts and APIs, together with more cloud-oriented ones, making any purchase more of a group, cross-departmental effort. “CNAPP is evolving rapidly,” wrote GigaOm analyst Chris Ray in a 2024 report. “It is driven by the complexity of cloud-native architectures and the need for more integrated security approaches.”

IT and security managers are looking for a few basic elements from these products, including more accurate threat detection, support for all workloads across multiple cloud deployments, and ways to implement preventive controls.

That is a lot of software to manage, integrate, and understand. However, almost none of the products that claim to be CNAPP have a full set of features that incorporate all four of these categories. What follows is an overview of the landscape and advice on how to navigate amongst the contenders.


Two approaches to CNAPP

There are two ways to approach CNAPP: from the DevSecOps perspective or from traditional IT security practices. The former means more of a focus on protecting the apps themselves (the first two product categories mentioned above), the latter more on expanding traditional network-level protections (the last two product categories mentioned above). Since we began examining CNAPP, all vendors have moved towards mixing agent-based and agentless collection across their products to add more scrutiny and provide wider and more scalable coverage.

The CNAPP vendor landscape has shifted, most notably around Wiz, recently purchased by Google, which will maintain it as a separate division. Check Point Software has formed a strategic partnership with Wiz, has discontinued selling its own CloudGuard CNAPP and will migrate its customers to Wiz. Lacework has been purchased by Fortinet and is now called Lacework Fortinet FortiCNAPP. Palo Alto Networks has rebranded and reconstituted its CNAPP offering as part of its Cortex Cloud product line.

The summary chart below notes which of these two directions each vendor is coming from, other notable and integration features, whether they offer a complete CNAPP solution, and what little information is available about their pricing strategy.

I interviewed the following vendors and summarized the results in the chart below:

Aqua Security Platform

CrowdStrike Cloud Security

Data Theorem

Lacework/Fortinet FortiCNAPP

Palo Alto Networks Cortex Cloud

Qualys Total Cloud CNAPP v2

Sysdig

Tenable Cloud Security

Tigera Calico Cloud

Uptycs

Wiz

The following vendors did not respond to requests for information: JFrog, McAfee, Snyk, and Trend Micro.

Vendor | Integration/product makeup | DevSec or ITSec focus? | Pricing details | Notable features/integrations
Aqua Security | Single platform/multiple products | DevSec | Free trial, starts at $850/mth | Breach guarantee
CrowdStrike Falcon Cloud Security | Single Falcon platform/multiple products | Both | Subscription-based pricing based on products chosen | CDR, AppSec integration
Data Theorem | Separate products for cloud, web, supply chain | DevSec | Complex and expensive | Headliner Attack policies
Lacework Fortinet FortiCNAPP | Single platform/multiple products | ITSec | Free trial, priced on vCPUs and duration | Behaviour-based protection rules, SOAR and AppSec integration
Orca CNAPP | Single platform/multiple products | ITSec | Priced per workload, storage bucket and DB scanned, plus per sensor deployed | SideScanning, risk prioritization, AppSec pipelines
Palo Alto Networks Cortex Cloud | Single platform/multiple products | ITSec | Complex and expensive | CDR, AppSec integration, runtime protection, DSPM
Qualys Total Cloud CNAPP v2 | Single platform | ITSec | Free trial, per-workload subscription | CDR, container and IaC security, SaaS posture management
Sysdig | Single product | DevSec | Fixed price per host | Unified data and platform coverage, next-gen CDR, active-risk prioritization, remediation actions, Sysdig Sage AI
Tenable Cloud Security | Single product | ITSec | Free trial, complex pricing per node or workload | Exposure management, DSPM, AI security
Tigera Calico Cloud | Single product | DevSec | Free and subscription plans per node hour | Container security
Uptycs | Single platform | ITSec | Various bundles start at $5,000/yr | Integrated XDR, AppSec and DSPM
Wiz | Single platform/multiple products | ITSec | Two plans priced per workload | Risk prioritization with graph visualization and analysis from code to cloud to runtime

Why CNAPP exists

The key to understanding this product category is that it is all about integration challenges. In VMware’s 2022 State of Observability report, 57% of respondents said a typical cloud app used up to 50 different technologies, managed with about 10 monitoring tools. Dynatrace, in its 2024 Observability report, says the typical enterprise environment spans 12 different cloud platforms, going beyond running legacy applications across the big three providers (AWS, Google Cloud and Azure) to a mixture of private, public and hybrid cloud strategies. This motley collection also includes virtual machine instances, Kubernetes clusters, serverless functions and microservices. The net result is a heavier burden on tool integration. That could be one reason why the Dell’Oro Group’s 2024 Cloud Workload Security Quarterly Report found that enterprise CNAPP spending skyrocketed from approximately $81 billion in 2020 to an estimated $285 billion in 2024, a five-year compounded annual growth rate of 29%.

Organizations need to control cloud-native application risks, identify weak areas and remove vulnerabilities. Sysdig, in its 2022 cloud-native security report, found that 73% of cloud accounts contained exposed Amazon S3 buckets. It is something of a mystery that more breaches haven’t resulted from this.

Working against securing clouds is their very success: they have become the de facto computing layer for businesses. They are also in a state of flux. In Cisco’s 2022 Hybrid Cloud report, nearly 60% of respondents said they move workloads between on- and off-premises environments every week. Some of these apps are built from open-source code and some from in-house code. That is a lot of different use cases to protect.

What is motivating this product category can be traced to Gartner, which first used the CNAPP moniker when it issued its “Innovation Insight” report in August 2021. They said that “containers and serverless functions are the primary building blocks of cloud-native applications and are becoming increasingly granular with shorter life cycles.” This means that any protection needs to act quickly and unobtrusively. They also found a shift from protecting infrastructure to protecting cloud-based workloads, and the apps that run them. They found many of their corporate clients have stitched together — meaning with little to no automation — ten or more disparate security tools, including dynamic application security testing, web app firewalls, and the four cloud protection platforms mentioned at the start of this post. This one-off, crazy patchwork quilt approach isn’t working.

Ideally, a CNAPP solution should reduce misconfiguration errors, improve the security of the development pipeline (commonly called shifting left), and use effective automation. That requires having all those acronyms firing on all cylinders. You want to scan code and artifacts for vulnerabilities, catch cloud configuration and application coding errors quickly (ideally before the code is deployed, with runtime detection as the backstop), and still do the basic security blocking and tackling (identity and network management). Orca says that “CNAPPs exhibit their real value by intelligently combining data points from different layers in the technology stack to highlight critical security issues instead of just sending thousands of meaningless disconnected alerts.”
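
As an added illustration of the shift-left and misconfiguration points above (my own example, not code from any vendor covered in this guide), here is a Python check that reads the JSON form of a Terraform plan and applies a handful of CSPM- and CIEM-style rules before anything is deployed. The embedded plan is constructed for the demo; its bucket, security group and policy names are invented, and the file name `scan_plan.py` is a hypothetical one. Against a real plan you would run `terraform show -json plan.tfplan > plan.json` and then `python scan_plan.py plan.json`; a non-zero exit status blocks the pipeline step.

```python
"""Shift-left posture check over a Terraform plan (added example, not vendor code).
Reads the JSON that `terraform show -json plan.tfplan` produces, walks the planned
root-module resources and raises findings for classic CSPM/CIEM misconfigurations:
public S3 ACLs, buckets with no public access block, admin ports open to the
internet, and IAM policies that allow "*" on "*". A HIGH finding yields exit 1."""
import json
import sys
from dataclasses import dataclass

# Constructed sample in the shape of `terraform show -json` output, trimmed to the
# fields the checks read. Every bucket, group and policy name here is invented.
SAMPLE_PLAN_JSON = r'''{"planned_values": {"root_module": {"resources": [
 {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "values": {"bucket": "example-logs"}},
 {"address": "aws_s3_bucket_acl.logs", "type": "aws_s3_bucket_acl",
  "values": {"bucket": "example-logs", "acl": "public-read"}},
 {"address": "aws_s3_bucket.private", "type": "aws_s3_bucket", "values": {"bucket": "example-private"}},
 {"address": "aws_s3_bucket_public_access_block.private", "type": "aws_s3_bucket_public_access_block",
  "values": {"bucket": "example-private", "block_public_acls": true, "block_public_policy": true,
             "ignore_public_acls": true, "restrict_public_buckets": true}},
 {"address": "aws_security_group.bastion", "type": "aws_security_group",
  "values": {"name": "bastion", "ingress": [
     {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
     {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}},
 {"address": "aws_iam_policy.ci", "type": "aws_iam_policy", "values": {"name": "ci-deploy",
  "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"*\",\"Resource\":\"*\"}]}"}}
]}}}'''

ADMIN_PORTS = (22, 3389)
ANYWHERE = ("0.0.0.0/0", "::/0")
PAB_KEYS = ("block_public_acls", "block_public_policy", "ignore_public_acls", "restrict_public_buckets")

@dataclass(frozen=True)
class Finding:
    severity: str   # "HIGH" or "MEDIUM"
    resource: str   # Terraform resource address
    rule: str
    detail: str

def _as_list(x):
    return [x] if isinstance(x, str) else (x or [])

def check_s3(resources):
    """Public ACLs, and buckets lacking a public access block with all four flags set."""
    findings, bucket_addr, fully_blocked = [], {}, set()
    for r in resources:
        v = r["values"]
        if r["type"] == "aws_s3_bucket":
            bucket_addr[v["bucket"]] = r["address"]
        elif r["type"] == "aws_s3_bucket_public_access_block" and all(v.get(k) is True for k in PAB_KEYS):
            fully_blocked.add(v["bucket"])
        elif r["type"] == "aws_s3_bucket_acl" and str(v.get("acl", "private")).startswith("public"):
            findings.append(Finding("HIGH", r["address"], "S3_PUBLIC_ACL", f"acl={v['acl']}"))
    for name, addr in sorted(bucket_addr.items()):
        if name not in fully_blocked:
            findings.append(Finding("MEDIUM", addr, "S3_NO_PUBLIC_ACCESS_BLOCK",
                                    "no public access block with all four settings enabled"))
    return findings

def check_security_groups(resources):
    """Admin ports (or all traffic) reachable from the whole internet."""
    findings = []
    for r in resources:
        if r["type"] != "aws_security_group":
            continue
        for rule in r["values"].get("ingress") or []:
            cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
            if not any(c in ANYWHERE for c in cidrs):
                continue
            lo, hi = int(rule.get("from_port") or 0), int(rule.get("to_port") or 65535)
            if str(rule.get("protocol")) == "-1" or any(lo <= p <= hi for p in ADMIN_PORTS):
                findings.append(Finding("HIGH", r["address"], "SG_ADMIN_PORT_OPEN_TO_WORLD",
                                        f"ingress {rule.get('protocol')} {lo}-{hi} from {cidrs}"))
    return findings

def check_iam(resources):
    """CIEM-style entitlement check: Allow statements with Action "*" on Resource "*"."""
    findings = []
    for r in resources:
        if r["type"] != "aws_iam_policy" or not r["values"].get("policy"):
            continue
        statements = json.loads(r["values"]["policy"]).get("Statement", [])
        for st in [statements] if isinstance(statements, dict) else statements:
            if st.get("Effect") == "Allow" and "*" in _as_list(st.get("Action")) and "*" in _as_list(st.get("Resource")):
                findings.append(Finding("HIGH", r["address"], "IAM_ADMIN_WILDCARD",
                                        'statement allows Action "*" on Resource "*"'))
    return findings

def scan_plan(plan):
    resources = plan.get("planned_values", {}).get("root_module", {}).get("resources", [])
    return check_s3(resources) + check_security_groups(resources) + check_iam(resources)

def scan_plan_json(text):
    return scan_plan(json.loads(text))

def gate(findings, fail_on=("HIGH",)):
    """CI exit status: 1 if any finding is at a blocking severity, else 0."""
    return 1 if any(f.severity in fail_on for f in findings) else 0

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN_JSON
    found = scan_plan_json(text)
    for f in found:
        print(f"{f.severity:6} {f.rule:28} {f.resource}: {f.detail}")
    sys.exit(gate(found))
```

The checks are deliberately narrow (root module only, AWS resource types only) so the rules stay readable; a product does the same thing across hundreds of rules and every module, and adds the runtime side that a plan file cannot show. The useful design point is that each rule names the resource address, so the finding lands on the line a developer can fix rather than on an account-level alert.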

Questions to ask when considering CNAPP

Before you try out any of the vendors’ products, think about these questions:

What cloud artifacts can you discover and then regularly scan? Some products (like Lacework) don’t go much beyond the big three IaaS providers. Some (like Tigera) support just the managed Kubernetes services of the big three. Others (like Sysdig) take a deeper dive into containers and the Linux hosts that run them. The real issue is whether you can continuously monitor all these artifacts in near real time.

How are incidents reported? Are there discrete access rules so that different staffers can focus on specific parts of the overall picture? Are there separate or combined pre-built security policies for agent-collected and agentless data? How actionable are the dashboards and their visualizations in showing the current state of your overall cloud security?

Are all four management tools covered? Some vendors, such as Microsoft with Defender for Cloud, have CWPP and CSPM elements, and you will have to add other components to cover Kubernetes and non-Azure clouds. Tigera comes from the opposite direction, focusing on containers and their infrastructure.

If you use infrastructure-as-code to manage your cloud deployments, which frameworks are supported (Terraform, AWS CloudFormation, Azure Blueprints) and which automation platforms (such as Demisto)? How does this work with shifting left; in other words, does the product scan your code repositories, including the open-source code they pull in?

Finally, what is the price? Very few vendors are transparent about pricing. Data Theorem, Qualys and Orca tie for the most complex, with different calculations for how many APIs, web and mobile apps, and cloud resources are consumed; Orca publishes a three-page “pricing guide” without an actual dollar figure anywhere in it. Qualys’s web-based pricing calculator is available only to customers. Tenable’s calculator is a slight improvement but still complex. Aqua and Tigera have the most transparent pricing. Sysdig has the simplest, with a fixed price per host. Others create synthetic units or bundle various elements in ways that obscure the details.

CNAPP vendors

Aqua Security Platform

Aqua Security has had a series of products (such as supply chain and workload protection and a CSPM) that it has rolled up into a central hub. The company offers a unique $1 million USD guarantee (with an FAQ on its specifics) if a “proven successful attack” happens under its watch. Aqua has transparent pricing, including a free version for smaller installations and plans that start at $849/month for the smallest accounts (using a complex online calculator to estimate your bill). In addition to the big three IaaS providers, it supports Alibaba Cloud, Oracle Cloud, Mirantis, VMware Tanzu and OpenShift. Multiple levels of workload protection are available.

Aqua shows the results of its code scan, such as this screen listing various misconfiguration errors.

CrowdStrike Falcon Cloud Security

CrowdStrike Falcon Cloud Security is a unified cloud security platform that protects infrastructure, applications, data, AI and SaaS across hybrid and multi-cloud environments. It lets organizations consolidate tools and reduce complexity, and it pairs runtime protection with native cloud detection and response (CDR) to stop breaches in real time across cloud and on-premises systems. It also has an interesting container image vulnerability analysis service.

CrowdStrike Falcon Cloud Security’s main dashboard shows vulnerabilities by various detection metrics, along with the main incidents and cloud assets.

David Strom

Data Theorem

Data Theorem’s platform covers five separate products that work together to offer CNAPP. These include specialized protection for cloud, mobile, API and web apps as well as a supply chain protection product. A central analysis engine and dashboard provides some integration. Data Theorem supports the big three IaaS providers along with Kubernetes. It has expanded its attack path analysis of APIs and supply chain exploits and has integrated application security posture management. One notable feature is what it calls “headliner policies,” constructed to prevent repeats of historical breaches. It offers both agent-based and agentless methods. Its pricing structure is complex, with different plans for each product.

Data Theorem flow chart showing some of its security features and an exploit path.


Lacework Fortinet FortiCNAPP

Lacework’s Polygraph platform is now owned by Fortinet and has been integrated into that company’s existing security products. It continuously scans cloud artifacts, including workloads and container images (using agentless methods), as well as IaC, to improve security and compliance. It integrates with AWS, Azure and Google Cloud Platform to monitor configurations, services and activities within these and hybrid environments, identifying misconfigurations and potential vulnerabilities. It can scan both build and deployment pipelines. Its pricing model is based on resources consumed.

FortiCNAPP shows the risk scoring of various entitlements scanned.


Orca

Orca’s CNAPP supports AWS, Azure, Google Cloud, Oracle Cloud and Alibaba Cloud, along with Kubernetes. It can detect risks across the entire cloud estate, integrates runtime protection with various appdev pipelines and supports more than 185 compliance frameworks. It uses AI to simplify tasks and reduce the time to remediate threats. It also integrates with other Orca tools, including DSPM and API security, and has a natural-language query module called Discovery. Orca has a complex pricing scheme based on several factors, including workloads, storage buckets and databases scanned, along with the number of sensors deployed. Its agentless SideScanning technology provides near-real-time analysis of containers, VMs and other cloud objects by combining workload data with metadata gathered from the cloud providers’ APIs, for quicker, more comprehensive and risk-specific coverage.

Orca dashboard shows alert status (including those identified by AI routines), vulnerabilities classified by urgency, and various cloud accounts.


Palo Alto Networks Cortex Cloud

Palo Alto Networks built up Cortex Cloud through a series of acquisitions, including RedLock (cloud threat defense), Twistlock (container security) and Bridgecrew (developer-oriented cloud security), but it now has a completely new code base with 16 tools integrated over a unified data model. Palo Alto Networks lets customers adopt a full CNAPP gradually by selling Cortex Cloud modularly or in bundles; pricing is based on which modules and how many protected workloads are consumed. Cortex Cloud integrates AI-driven risk prioritization, automation-first remediation and continuous monitoring. It brings together code, pipelines, runtime and third-party insights under a single security framework, bridging the gap between AppSec, the various posture management tools, vulnerability management and the SOC. The tool can scan the big three providers along with Oracle Cloud, and will eventually include IBM and Akamai clouds.

Cortex Cloud’s dashboard, showing various issues and posture cases.


Qualys Total Cloud CNAPP v2

Qualys has long defined the vulnerability management universe, and it has combined this strength, along with its threat intelligence group, into a fully featured CNAPP offering that adds SaaS posture management, IaC and container security, application runtime protection and CDR to a very feature-rich platform. Like the other leading CNAPP tools, it combines agent-based and agentless approaches and enriches things further with additional network and API scans across your infrastructure. It offers an AI tool to further suss out threats. It also includes built-in automated remediation via TruRisk Eliminate and customizable no-code workflows. A single license covers the entire feature set, but pricing this out requires its web-based calculator, which turns “Qualys units” into dollars depending on your corporate contract.

Qualys main dashboard shows various vulnerabilities and misconfigurations, risk scores and failed security controls.


Sysdig Secure

Sysdig Secure, which absorbed the 2021 acquisition of Apolicy, spans prevention, detection and response so customers can secure containers, Kubernetes, hosts and cloud services. The tool provides real-time visibility at scale across the big three IaaS providers, along with IBM Cloud, Oracle Cloud and VMware Tanzu as well as Red Hat OpenShift. Its pricing page lacks specifics, but Sysdig told us that plans start at $500/month based on your AWS EC2 footprint. Notable features include a prioritization module, the ability to automatically suggest least-privilege access rules, CDR integration and its separate Sage product, which adds AI-based analytics for contextual awareness.

Sysdig Secure attack path tracking.


Tenable Cloud Security

Tenable Cloud Security (Tenable.cs) secures every layer of the cloud: infrastructure, workloads, identities, data and AI resources. It brings together CSPM, CIEM, just-in-time (JIT) access, CWPP, DSPM, AI-SPM, IaC scanning and container security for Kubernetes. It comes with more than 1,400 pre-set policies and plenty of default benchmarks. It integrates the Nessus vulnerability scanner, extended to scan VMs and containers, along with the Accurics and Cymptom acquisitions and their cloud attack-path discovery and protection. It supports the big three IaaS platforms along with Oracle Cloud, protects cloud, multi-cloud and hybrid environments, and integrates with Tenable’s AI-powered exposure management platform. It is available as part of Tenable One or standalone.

Tenable’s dashboard shows a broad view of vulnerabilities, trends and compliance tasks.


Tigera Calico Cloud

Tigera Calico Cloud comes from the CWPP perspective and integrates with many Kubernetes platforms, including the managed services of the big three IaaS vendors along with Red Hat OpenShift and SUSE Rancher. Containers are its focus, and it is more network-focused than other CNAPP tools. It has a very transparent pricing page: a free open-source edition and a paid version charged per node hour, also available on a subscription basis.

Tigera graph of discovered services and how they are connected.


Uptycs

Uptycs delivers cloud security through a unified platform with visibility and protection across cloud-native environments. It integrates CDR, DSPM and application posture management in one platform alongside the classic CNAPP tools. Using a generative AI security agent and machine learning, Uptycs offers real-time risk detection, compliance monitoring and threat prevention across multi-cloud and hybrid infrastructures. The platform supports AWS, Azure and Google Cloud, continuously monitoring for misconfigurations, vulnerabilities and compliance violations. Its agentless and agent-based scanning provide deep security insight, and its correlation engine helps security and DevOps teams prioritize and remediate critical risks across containers, Kubernetes, cloud services and hosts. Uptycs has more than 1,100 behavioural rules mapped to the MITRE ATT&CK framework for container and cloud detections. Pricing starts at $5,000 per year for 200 cloud assets.

Uptycs risk details and flow chart.


Wiz

Wiz is an agentless and agent-based platform that combines misconfigurations, network exposure, secrets, vulnerabilities, malware and overly permissive identities into a single risk-prioritization queue. It combines CSPM, CWPP, vulnerability management, infrastructure-as-code (IaC) scanning, CIEM, and container and Kubernetes security. Notably, it uses a graph-based approach to model the interconnections between the technologies running in the cloud environment and present the pathways to a breach, providing deep context and helping users remediate the most critical risks first. Wiz supports AWS, Azure, GCP, Oracle Cloud Infrastructure and Alibaba Cloud. It offers two pricing plans, priced per workload, plus two additional paid modules, Wiz Code and Wiz Defend, that extend its features.

Wiz Security Graph
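
The graph-based risk queue described for Wiz, and the Orca quote earlier about combining data points from different layers instead of sending thousands of disconnected alerts, describe the same technique: join findings from the posture, vulnerability, identity and data-classification collectors on a graph of what can reach what, and rank by toxic combination rather than by CVSS alone. The following is an added example of that idea in Python (my own illustration, not code from Wiz, Orca or any other vendor). The inventory, the hypothetical asset names, the edge list and the severity rules are all constructed for the demo.

```python
"""Risk correlation across layers (added example, not any vendor's code).
Findings from posture (internet exposure), vulnerability, identity and data
classification scanners are joined on a small graph. A workload is ranked by
whether an attacker on the internet could exploit it AND walk from it to a
sensitive data store or an admin identity, not by its CVSS score alone."""
from collections import deque
from dataclasses import dataclass

SEVERITY_RANK = {"CRITICAL": 3, "HIGH": 2, "MEDIUM": 1, "LOW": 0}

@dataclass(frozen=True)
class Asset:
    id: str
    kind: str                    # "workload" | "identity" | "data"
    internet_exposed: bool = False
    max_cvss: float = 0.0        # worst CVE on the workload
    exploit_known: bool = False  # e.g. the CVE is on a known-exploited list
    sensitive: bool = False      # data store holds classified data (DSPM)
    admin: bool = False          # identity carries wildcard/admin entitlements (CIEM)

@dataclass(frozen=True)
class Issue:
    asset: str
    severity: str
    path: tuple   # attack path, empty if none was found
    reason: str

# Constructed inventory with hypothetical names. Edges mean "can reach / can act as":
# a workload runs with an instance role, and a role can read a bucket.
ASSETS = {a.id: a for a in [
    Asset("web-1", "workload", internet_exposed=True, max_cvss=9.8, exploit_known=True),
    Asset("kiosk-2", "workload", internet_exposed=True, max_cvss=9.8, exploit_known=True),
    Asset("batch-7", "workload", max_cvss=9.8, exploit_known=True),
    Asset("dev-3", "workload", max_cvss=5.3),
    Asset("role-web", "identity"), Asset("role-kiosk", "identity"), Asset("role-batch", "identity"),
    Asset("bucket-pii", "data", sensitive=True), Asset("bucket-assets", "data"),
]}
EDGES = [("web-1", "role-web"), ("role-web", "bucket-pii"),
         ("kiosk-2", "role-kiosk"), ("role-kiosk", "bucket-assets"),
         ("batch-7", "role-batch"), ("role-batch", "bucket-pii"),
         ("dev-3", "role-batch")]

def build_graph(edges):
    graph = {}
    for src, dst in edges:
        graph.setdefault(src, []).append(dst)
    return graph

def is_crown_jewel(asset):
    return (asset.kind == "data" and asset.sensitive) or (asset.kind == "identity" and asset.admin)

def crown_jewel_path(start, graph, assets):
    """Breadth-first search for the shortest path from start to any crown jewel."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node != start and node in assets and is_crown_jewel(assets[node]):
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return tuple(reversed(path))
        for nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def prioritize(assets, edges):
    """Rank workloads by toxic combination: exposure x exploitability x reachability."""
    graph = build_graph(edges)
    issues = []
    for a in assets.values():
        if a.kind != "workload":
            continue
        exploitable = a.max_cvss >= 7.0 and a.exploit_known
        path = crown_jewel_path(a.id, graph, assets)
        if a.internet_exposed and exploitable and path:
            sev, why, path = "CRITICAL", "internet-exposed, exploitable, path to crown jewel", ("internet",) + path
        elif a.internet_exposed and exploitable:
            sev, why, path = "HIGH", "internet-exposed and exploitable, nothing sensitive reachable", ()
        elif exploitable and path:
            sev, why = "MEDIUM", "exploitable but internal only; lateral-movement risk"
        else:
            sev, why, path = "LOW", "no exploitable exposure", path or ()
        issues.append(Issue(a.id, sev, path, why))
    issues.sort(key=lambda i: (SEVERITY_RANK[i.severity], assets[i.asset].max_cvss), reverse=True)
    return issues

if __name__ == "__main__":
    for issue in prioritize(ASSETS, EDGES):
        print(f"{issue.severity:8} {issue.asset:8} {issue.reason}  path={' -> '.join(issue.path)}")
```

The same 9.8 CVE sits on three of the four hosts, so a vulnerability scanner alone would emit three identical criticals. The correlation ranks only web-1 as CRITICAL, because it is reachable from the internet and its role can read the PII bucket; kiosk-2 is exposed but leads nowhere sensitive, batch-7 has the path but no exposure, and dev-3 has a path but nothing exploitable. That ordering, with the path attached to the finding, is the “context” the vendors above are selling.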
