{"id":2882,"date":"2025-04-23T07:00:00","date_gmt":"2025-04-23T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2882"},"modified":"2025-04-23T07:00:00","modified_gmt":"2025-04-23T07:00:00","slug":"cnapp-buyers-guide-top-cloud-native-app-protection-platforms-compared","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2882","title":{"rendered":"CNAPP buyer\u2019s guide: Top cloud-native app protection platforms compared"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

Cloud security continues to be a vexing situation, and the tool set continues to become more complex, riddled with acronyms representing possible solutions. Now there\u2019s another: the cloud-native application protection platform, or CNAPP. This tool combines the coverage of four separate products<\/a>:<\/p>\n

A cloud infrastructure entitlements manager (CIEM) that manages overall access controls and risk management tasks<\/p>\n

A cloud workload protection platform (CWPP) that secures code across all kinds of cloud-based repositories and provides runtime protection across the entire development environment and code pipelines<\/p>\n

A cloud access security broker<\/a> (CASB) that handles authentication and encryption tasks<\/p>\n

A cloud security posture\u00a0manager<\/a> (CSPM) that combines threat intelligence and remediation<\/p>\n

From these \u201cclassic\u201d four elements, CNAPP \u2014 or at least its moniker \u2014 has expanded to secure other arenas, including:<\/p>\n

API, scripting, supply chain and infrastructure-as-code (IaC) security.<\/p>\n

Container and serverless security.<\/p>\n

Other posture management tools, including data and SaaS applications.<\/p>\n

That makes CNAPP \u201ca mouthful to put into one sentence and even more burdensome to evaluate and buy,\u201d according to Andras Cser, a principal analyst for Forrester, as he wrote in May of 2023<\/a>. End users \u201chave to evaluate way too many characteristics and features of many different disciplines, limiting their choices.\u201d It also bundles non-cloud security options, such as IaC scripts and APIs, together with more cloud-oriented ones, making any purchase more of a group, cross-departmental effort. \u201cCNAPP is evolving rapidly,\u201d wrote GigaOm analyst Chris Ray in a 2024 report. \u201cIt is driven by the complexity of cloud-native architectures and the need for more integrated security approaches.\u201d<\/p>\n

IT and security managers are looking for a few basic elements from these products<\/a>, including more accurate threat detection, support for all workloads across multiple cloud deployments, and ways to implement preventable controls.<\/p>\n

That is a lot of software to manage, integrate, and understand. However, almost none of the products that claim to be CNAPP have a full set of features that incorporate all four of these categories. What follows is an overview of the landscape and advice on how to navigate amongst the contenders.<\/p>\n

[ Learn what cloud providers can and can\u2019t do to protect your data<\/a> and follow these 5 tips for better cloud security<\/a>. | Get the latest from CSO by signing up for our newsletters<\/a>. ]<\/p>\n

Two approaches to CNAPP<\/h2>\n

There are two ways to approach CNAPP: from the DevSecOps perspective or from traditional IT security practices. The former means more of a focus on protecting the apps themselves (the first two product categories mentioned above), the latter more on expanding traditional network-level protections (the last two product categories mentioned above). Since we began examining CNAPP, all vendors have moved towards mixing agents and agentless across their products to add more scrutiny and provide wider and more scalable coverage.<\/p>\n

The CNAPP vendor landscape has shifted, most notably around Wiz, recently purchased by Google, who will maintain it as a separate division. Check Point Software has formed a strategic\u00a0partnership with Wiz<\/a>, and has discontinued selling its own CloudGuard CNAPP and will migrate its customers to Wiz. Lacework has been purchased by Fortinet and is now called Lacework Fortinet FortiCNAPP. Palo Alto Networks has rebranded and reconstituted its CNAPP offering as part of its Cortex Cloud product line.<\/p>\n

The summary chart below notes which of these two directions each vendor is coming from, other notable and integration features, whether they offer a complete CNAPP solution, and what little information is available about their pricing strategy.<\/p>\n

I interviewed the following vendors and summarized the results in the chart below:<\/p>\n

Aqua Security Platform<\/p>\n

CrowdStrike Cloud Security<\/p>\n

Data Theorem<\/p>\n

Lacework\/Fortinet FortiCNAPP<\/p>\n

Palo Alto Networks Cortex Cloud<\/p>\n

Qualys Total Cloud CNAPP v2<\/p>\n

Sysdig<\/p>\n

Tenable Cloud Security<\/p>\n

Tigera Calico Cloud<\/p>\n

Uptycs<\/p>\n

Wiz<\/p>\n

The following vendors did not respond to requests for information: jFrog, McAfee, Snyk, and Trend Micro.<\/p>\n

Vendor<\/strong>Integration\/product makeup<\/strong>DevSec or ITSec focus?<\/strong>Pricing details<\/strong>Notable features\/integrations<\/strong>Aqua SecuritySingle platform\/multiple productsDevSecFree trial, starts at $850\/mthBreach guaranteeCrowdstrike Falcon Cloud SecuritySingle Falcon platform\/multiple productsBothSubscription-based pricing based on products chosenCDR, AppSec integrationData TheoremSeparate products for cloud, web, supply chainDevSecComplex and expensiveHeadliner Attack policiesLacework Fortinet FortiCNAPPSingle platform\/multiple productsITSecFree trial, priced on vCPUs and durationBehaviour-based protection rules, SOAR and Appsec integrationOrca CNAPPSingle platform\/multiple productsITSecPriced per workload, storage bucket & DB scanned, plus per Sensors deployedSideScanning, risk prioritization, AppSec pipelinesPalo Alto Networks Cortex CloudSingle platform\/multiple productsITSecComplex and expensiveCDR, AppSec integration, runtime protection, DSPMQualys Total Cloud CNAPP v2Single platformITSecFree trial, per workload subscriptionCDR, container and IaC security, SaaS posture managementSysdigSingle productDevSecFixed price per host modelUnified data and platform coverage, Next-gen CDR, Prioritize active risk, Ability to take action\/remediation, Sysdig Sage AITenable Cloud SecuritySingle productITSecFree trial, complex pricing per node or workloadExposure management, DSPM, AU securityTigera Calico CloudSingle productDevSecfree and subscription plan per node hourContainer securityUptycsSingle platformITsecVarious bundles start at $5,000\/yrIntegrated XDR, AppSec and DSPMWizSingle platform\/multiple productsITsecTwo plans priced per workloadRisk prioritization with graph visualization and analysis from code to cloud to runtime <\/div>\n

Why CNAPP exists<\/h2>\n

The key to understanding this product category is that it is all about integration challenges. In VMware\u2019s 2022 State of Observability report<\/a>, 57% of the respondents claimed up to 50 different technologies were used in a typical cloud app and used 10 monitoring tools to manage this collection. Dynatrace, in its 2024 Observability report,<\/a> says on average, 12 different cloud platforms comprise the typical enterprise environment \u2014 moving beyond running their legacy applications across the big three PaaS providers (AWS, Google and Azure) and employing a mixture of private, public and hybrid cloud strategies. This motley collection also includes various virtual machine instances, Kubernetes containers and using serverless and microservices too. The net result means more of a burden placed on tool integration. That could be one reason why the Dell\u2019Oro Group\u2019s 2024 \u00a0Cloud Workload Security Quarterly Report<\/a>\u00a0found that enterprise CNAPP spending skyrocketed from approximately $81 billion in 2020 to an estimated $285 billion in 2024, representing an impressive five-year compounded annual growth rate of 29%.<\/p>\n

Organizations will need to control cloud-native application risks, identify weak areas, and remove vulnerabilities. Sysdig in its 2022 cloud-native security report<\/a> found that 73% of cloud accounts contained exposed Amazon S3 buckets. Is it any mystery that more breaches haven\u2019t happened because of this?<\/p>\n

What is working against securing clouds is their success: They have become the de facto computing layer for businesses. They are also in a state of flux. In Cisco\u2019s 2022 Hybrid Cloud report<\/a>, nearly 60% of respondents said they are moving workloads between on- and off-premises every week. Some of these apps are running on open-source code repositories and some use in-house code. That is a lot of different use cases to protect.<\/p>\n

What is motivating this product category can be traced to Gartner, which first used the CNAPP moniker when it issued its \u201cInnovation Insight\u201d report<\/a> in August 2021. They said that \u201ccontainers and serverless functions are the primary building blocks of cloud-native applications and are becoming increasingly granular with shorter life cycles.\u201d This means that any protection needs to act quickly and unobtrusively. They also found a shift from protecting infrastructure to protecting cloud-based workloads, and the apps that run them. They found many of their corporate clients have stitched together \u2014 meaning with little to no automation \u2014 ten or more disparate security tools, including dynamic application security testing, web app firewalls, and the four cloud protection platforms mentioned at the start of this post. This one-off, crazy patchwork quilt approach isn\u2019t working<\/a>.<\/p>\n

Ideally, a CNAPP solution should reduce misconfiguration errors, improve security of the development pipeline (commonly called shifting left<\/a>), and use effective automation. To do that requires having all those acronyms firing on all cylinders. You want to be able to scan for various code elements and vulnerabilities, catch cloud configuration and application coding errors quickly (ideally, when the apps run) and still do the basic security blocking and tackling (like identity and network management). Orca says<\/a> that \u201cCNAPPs exhibit their real value by intelligently combining data points from different layers in the technology stack to highlight critical security issues instead of just sending thousands of meaningless disconnected alerts.\u201d \u00a0<\/p>\n

Questions to ask when considering CNAPP<\/h2>\n

Before you try out any of the vendors\u2019 products, think about these questions:<\/p>\n

What cloud artifacts can you discover and then regularly scan<\/strong>? Some products (like Lacework) don\u2019t go much beyond the big three IaaS players. Some (like Tigera) just support the Kubernetes services of the big three. Others (like Sysdig) take a deeper dive into containers and the various Linux servers that run them. The real issue is can you continuously monitor all these artifacts in near real time?<\/p>\n

How are incidents reported?<\/strong> Are there discrete access rules so that various staffers can focus on specific parts of the overall picture? Are there separate or combined pre-built security policies for collecting agent and agentless data? How actionable are your dashboards and its visualizations in showing you the current state of your overall cloud security?<\/p>\n

Are all four management tools covered<\/strong>? Some of the vendors, such as Microsoft Defender for Cloud,<\/a> have CWPP and CSPM elements and you will have to add other components to protect Kubernetes and non-Azure clouds. Tigera comes from the opposite direction, focusing more on containers and their infrastructure.<\/p>\n

If you have been involved with infrastructure-as-code<\/a> to manage your cloud deployments, what DevOps frameworks are supported<\/strong> (like Terraform, Azure Blueprints, AWS Cloudformation, Demisto)? How does this work with shifting left (in other words, do you scan open-source code repositories)?<\/p>\n

Finally, what is the price?<\/strong> Very few vendors are transparent about pricing. Data Theorem, Qualys and Orca tie for the prize for the most complex, with different calculations for how many APIs, web and mobile apps, and cloud resources are consumed, with Orca publishing a three-page \u201cpricing guide\u201d with not an actual dollar sign anywhere to be found. Qualys has its web-based pricing calculator that is only available to customers. Tenable\u2019s calculator is a slight improvement but still complex. Aqua and Tigera have the most transparent pricing. Sysdig has the simplest, with a fixed price per host. Others create synthetic units or bundle various elements that obscure the details.<\/p>\n

CNAPP vendors<\/h2>\n

Aqua Security Platform<\/h3>\n

Aqua Security<\/a> has had a series of products (such as for supply chain and workload protection and a CSPM) that it has rolled up into a central hub. The company offers a unique $1 million USD guarantee<\/a> (and FAQ on its specifics here<\/a>) if a \u201cproven successful attack\u201d happens under its watch. Aqua has transparent pricing, including a free version for smaller installations and plans that start at $849\/month for the smallest accounts (using a complex online calculator to estimate your bill). In addition to the big three IaaS, it supports Alibaba, Oracle Cloud, Mirantis, VMware Tanzu, and OpenShift. Multiple levels of workload protection are available.<\/p>\n

<\/a>\n

Aqua shows the results of its code scan, such as this screen listing various misconfiguration errors.<\/p>\n<\/div>\n

CrowdStrike Falcon Cloud Security<\/h3>\n

CrowdStrike Falcon Cloud Security<\/a> is a unified cloud security platform that protects infrastructure, applications, data, AI, and SaaS across hybrid and multi-cloud environments. It enables organizations to consolidate tools, reduce complexity, and stop breaches wherever they occur, including within code through runtime protection and native Cloud Detection and Response (CDR) to stop breaches in real time and across cloud and on-premises. It also has an interesting container image vulnerability analysis service.<\/p>\n

\n

CloudStrike Cloud security\u2019s main dashboard shows vulnerabilities by various detection metrics that shows the main incidents and cloud assets.<\/p>\n

David Strom<\/p>\n<\/div>\n

Data Theorem<\/h3>\n

Data Theorem\u2019s platform<\/a> covers five separate products that work together to offer CNAPP. These include specialized protection for cloud, mobile, API and web apps as well as a supply chain protection product. It has a central analysis engine and dashboard that provides some integration. Data Theorem supports all the big three IaaS players along with Kubernetes. It has expanded its attack path analysis of APIs and supply chain exploits and has integrated application security posture management. One notable feature is what it calls \u201cheadliner policies\u201d that are constructed to prevent historical breaches. It has both agents and agentless methods. Its pricing structure is complex, with different plans for each product.<\/p>\n

\n

Data Theorem flow chart showing some of its security features and exploit path.<\/p>\n

David Strom<\/p>\n<\/div>\n

Lacework Fortinet FortiCNAPP<\/h3>\n

Lacework sold its Polygraph<\/a> to Fortinet, and it has now been integrated into that company\u2019s existing security solutions and products. It continuously scans various cloud artifacts, including workloads and container images (using agentless methods) as well as IaC security, to enhance security and compliance. It integrates with major cloud providers such as AWS, Azure, and Google Cloud Platform to monitor configurations, services, and activities within these as well as hybrid environments, identifying misconfigurations and potential vulnerabilities. I can scan both build and code deployment pipelines. It has a pricing model based on resources consumed.<\/p>\n

\n

FortiCNAPP shows the risk scoring of various entitlements scanned.<\/em><\/p>\n

David Strom<\/p>\n<\/div>\n

Orca<\/h3>\n

Orca\u2019s CNAPP <\/a>supports the big three PaaS providers along with Kubernetes. It can detect risks across the entire cloud estate and can integrate runtime protection with various appdev pipelines and more than 185 compliance frameworks. It leverages AI to simplify tasks and improve and reduce the time to remediate threats. It also integrates with other Orca tools including DSPM and API security and has a natural query language Discovery module. It supports Amazon Web Services, Microsoft Azure, Google Cloud, Oracle Cloud, and Alibaba Cloud providers. Orca has a complex pricing scheme based on several factors including workloads, storage buckets and databases scanned, along with number of sensors deployed. Its agentless SideScanning tool can be used to provide near-real-time analysis of containers, VMs and other cloud objects that combine workload and metadata gathered from cloud services provider APIs for quicker and comprehensive and risk-specific deployments.<\/p>\n

\n

Orca dashboard shows alert status (including those identified by AI routines), vulnerabilities classified by urgency, and various cloud accounts.<\/p>\n

David Strom<\/p>\n<\/div>\n

Palo Alto Networks Cortex Cloud<\/h3>\n

Palo Alto Networks built up Cortex Cloud<\/a> through a series of acquisitions including Redlock (cloud threat defense), Twistlock (container security), and Bridgecrew (developer-oriented cloud security) but it has a completely new code base that has 16 different tools well integrated with a unified data model. Palo Alto Networks allows customers to gradually adopt a full CNAPP solution by selling Cortex Cloud on a modular basis or in bundles. Pricing is based on which modules and protected workloads are consumed. Cortex Cloud integrates AI-driven risk prioritization, automation-first remediation, and continuous monitoring. It brings together code, pipelines, runtime, and third-party insights under a single security framework, bridging the gap between AppSec, various security posture management tools, vulnerability management and to leverage the SOC. The tool can scan the big three providers along with Oracle Cloud and eventually will include IBM and Akamai clouds.<\/p>\n

\n

Cortex Cloud\u2019s dashboard, showing various issues and posture cases.<\/p>\n

David Strom<\/p>\n<\/div>\n

Qualys Total Cloud CNAPP v2<\/h3>\n

Qualys has long defined the vulnerability management universe and it has combined this strength \u2014 along with its threat intelligence group \u2014 into a fully-featured CNAPP offering<\/a> that adds SaaS posture management, IaC and container security, application runtime protection and CDR into a very feature-rich platform. Like the other leading CNAPP tools it combines agents and agentless approaches and enriches things further with additional network and API scans across your infrastructure. It offers an AI tool to further suss out threats. It also includes built-in automated remediation via TruRisk Eliminate and customizable no-code workflows. It has a single license to cover this entire feature set, but pricing this out will require its web-based calculator that turns \u201cqualys units\u201d into dollars depending on your corporate contract.<\/p>\n

\n

Qualys main dashboard shows various vulnerabilities and misconfigurations, risk scores and failed security controls.<\/p>\n

David Strom<\/p>\n<\/div>\n

Sysdig Secure<\/h3>\n

Sysdig Secure<\/a>, which follows the 2021 acquisition of Apolicy, spans prevention, detection, and response so customers can confidently secure containers, Kubernetes, hosts\/servers, and cloud services. The tool eliminates blind spots by providing real-time visibility at scale across the big three IaaS players, along with IBM, Oracle and VM Tanzu clouds as well as Red Hat OpenShift. It has a pricing page that lacks specifics, but Sysdig told us that plans start at $500\/month based on your AWS EC2 storage repositories. Notable features include a prioritization module and the ability to automatically suggest least privilege access rules, integration with CDR and its separate Sage product which includes AI-based analytics to provide contextual awareness.<\/p>\n

\n

Sysdig Secure attack path tracking\u00a0<\/p>\n

David Strom<\/p>\n<\/div>\n

Tenable.cs<\/h3>\n

Tenable.cs (Cloud Security<\/a>) secures every layer of the cloud, including infrastructure, workloads, identities, data, and AI resources. It brings together CSPM, CIEM, JIT access, CWPP, DSPM, AI-SPM, IaC scanning, and container security for Kubernetes. It comes with more than 1,400 pre-set policies and loads of default benchmarks. It integrates its Nessus vulnerability scanner, extending it to scan VMs and containers, along with its acquisition of Accurics and Cymptom and integration of its cloud path discovery and protection. It supports the big three IaaS platforms along with Oracle Cloud. It protects cloud, multi-cloud and hybrid environments and integrates with Tenable\u2019s AI-powered exposure management platform for enterprise-wide attack protection. It is available as part of Tenable One or standalone.<\/p>\n

\n

Tenable\u2019s dashboard shows a broad view of vulnerabilities, trends and compliance tasks.<\/p>\n

David Strom<\/p>\n<\/div>\n

Tigera Calico Cloud<\/h3>\n

Tigera Calico Cloud<\/a> comes from the CWPP perspective and integrates with lots of different Kubernetes platforms, including the big three IaaS vendors along with Red Hat\u2019s OpenShift and SUSE\u2019s Rancher. The container world is its focus and is more network focused than other CNAPP tools.It has a very transparent pricing page<\/a> and comes in a free open-source collection and a pro version that charges per node hour, which is also available on a subscription basis.<\/p>\n

\n

Tigera graph of discovered services and how they are connected.<\/p>\n

David Strom<\/p>\n<\/div>\n

Uptycs<\/h3>\n

Uptycs<\/a> delivers comprehensive cloud security through a unified platform that provides deep visibility and protection across cloud-native environments. The solution integrates CDR, DSPM and application posture management capabilities in one platform along with support for the classic CNAPP tools. By leveraging generative AI security agent and machine learning, Uptycs offers real-time risk detection, compliance monitoring, and threat prevention across multi-cloud and hybrid infrastructures. The platform supports major cloud providers like AWS, Azure, and Google Cloud, providing continuous monitoring of misconfigurations, vulnerabilities, and compliance violations. Its agentless and agent-based scanning technologies enable deep security insights, while its correlation engine helps security and DevOps teams prioritize and remediate critical risks efficiently across containers, Kubernetes, cloud services, and host environments. Uptycs has more than 1,100 behavioural rules mapped to the MITRE ATT&CK framework for container and cloud detections. Pricing starts at $5,000 per year for 200 cloud assets.<\/p>\n

\n

Uptycs risk details and flow chart showing.<\/p>\n

David Strom<\/p>\n<\/div>\n

Wiz<\/h3>\n

Wiz<\/a>\u00a0is\u00a0an\u00a0agentless\u00a0and agent-based platform\u00a0that\u00a0combines\u00a0misconfigurations, network exposure, secrets, vulnerabilities, malware, and overly permissive identities\u00a0into\u00a0a single risk prioritization queue. It combines CSPM, CWPP, vulnerability management, infrastructure-as-code (IaC) scanning, CIEM, and container and Kubernetes security capabilities. Notably, it\u00a0uses a graph-based approach to\u00a0analyze and\u00a0model the\u00a0interconnections between technologies running in the cloud environment and present the pathways to a breach, providing deep context\u00a0and helping users remediate the most critical risks. Wiz supports\u00a0AWS, Azure, GCP, Oracle Cloud Infrastructure, and Alibaba Cloud.\u00a0It\u00a0offers two pricing plans<\/a>, priced per workload.\u00a0There are two additional cost modules, Wiz Code and Wiz Defend that extend its security features.\u00a0<\/p>\n

<\/a>\n

Wiz Security Graph<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

Cloud security continues to be a vexing situation, and the tool set continues to become more complex, riddled with acronyms representing possible solutions. Now there\u2019s another: the cloud-native application protection platform, or CNAPP. This tool combines the coverage of four separate products: A cloud infrastructure entitlements manager (CIEM) that manages overall access controls and risk […]<\/p>\n","protected":false},"author":0,"featured_media":2883,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2882","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2882"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2882"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2882\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2883"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2882"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2882"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2882"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}