CNAPP Software

Agentless graph-based CNAPP that reset category expectations.

Wiz is the category leader in CNAPP by deployment scale, brand recognition, and feature coverage in 2026. Founded 2020 by Assaf Rappaport and the ex-Microsoft Cloud Security Group team (the same group that built Microsoft Defender for Cloud), Wiz raised more than $1.9B in cumulative funding through 2024, reached a reported $32B secondary tender valuation in mid-2024, reportedly declined a $23B acquisition offer from Google in July 2024, and was the subject of renewed acquisition discussion through late 2024 and 2025. The product is built on an agentless graph-based architecture (the Wiz Security Graph) that connects cloud-account snapshots, workload inventory, identity relationships, network exposure, and vulnerability data into one queryable model. Strengths: fastest time-to-value in the category (most customers report a working deployment in days, not weeks), the cleanest graph-query interface for security investigations, broadest multi-cloud coverage (AWS, Azure, GCP, OCI, Alibaba, and kubernetes), defensible runtime protection through the Wiz Runtime Sensor where customers need it, and a credible code-to-cloud story through Wiz Code. Trade-offs: pricing-power concerns are real (multiple verified buyer reports of 30 to 60 percent renewal-pricing increases at scale through 2024 and 2025), the agentless-first design has runtime-visibility gaps where customers really want eBPF depth (Sysdig is the better choice there), enterprise-stack buyers heavily anchored on Palo Alto, CrowdStrike, or Tenable feel platform-consolidation friction, and the post-Google-talks dynamic has visibly hardened Wiz pricing-power posture in renewal negotiations.

Agentless cloud security pioneer with deep SideScanning IP.

Orca Security is the agentless CNAPP pioneer, founded 2019 in Tel Aviv by Avi Shua and a team that filed the foundational SideScanning patent in 2019 for reading cloud-workload disk snapshots out-of-band rather than via in-workload agents. The product reached a $1.8B valuation in late 2021 and has since maintained an independent path through the CNAPP consolidation cycle. Strengths: longest agentless track record in the category (the SideScanning patent predates Wiz), strong EMEA presence and Tel Aviv-anchored engineering talent, defensible workload coverage including VMs, containers, serverless, and managed services, transparent platform-team-friendly deployment (no agent rollout negotiation), and a credible competitive challenger position to Wiz on agentless-only ground. Trade-offs: brand recognition and momentum trail Wiz in 2026 (the Wiz secondary at $32B has compressed Orca mindshare in net-new evaluations), runtime-protection story depends on optional sensor deployment, and some kubernetes-first buyers prefer Aqua or Sysdig for depth on container admission-control and runtime forensics. Orca remains a legitimate Wiz alternative for buyers who want agentless CNAPP without the platform-leader pricing-power dynamic.

The kubernetes-native original; container security extended to full CNAPP.

Aqua Security is the original kubernetes-native container security company, founded 2015 in Israel before CNAPP existed as a Gartner category. The product extended over the last decade from image scanning and runtime container protection into a full CNAPP including CSPM, CIEM, KSPM, and code-to-cloud posture. Aqua sponsors the popular open-source Trivy vulnerability scanner (acquired with Argon in 2021) and remains the deepest kubernetes-native CNAPP in the category. Strengths: longest kubernetes track record in the category, deepest admission-control and runtime container security, defensible open-source heritage through Trivy and Tracee, strong container-image and supply-chain security story, and credible standalone platform position through 2025 without acquisition pressure. Trade-offs: agentless multi-cloud breadth trails Wiz and Orca for buyers whose primary need is cloud-account posture rather than kubernetes depth, brand momentum has slowed since Wiz reset category expectations in 2020 to 2022, and the platform breadth (CSPM, CIEM) added to compete with Wiz feels less mature than the kubernetes-native core. Aqua remains a strong default for kubernetes-first estates and a defensible Wiz challenger for buyers prioritizing container-native depth.

Runtime visibility leader; Falco creator extended into full CNAPP.

Sysdig is the runtime-visibility leader in CNAPP, founded 2013 by Loris Degioanni (creator of WinPcap and the original sysdig open-source tool) and the team that created the Falco open-source runtime detection engine (now a CNCF graduated project). The product extended over the last decade from container runtime visibility into a full CNAPP including CSPM, CWPP, CIEM, KSPM, and vulnerability management, while maintaining Falco at the heart of the runtime detection story. Sysdig is the credible choice for security teams that prioritize runtime forensics, eBPF-based deep visibility, and open-source-aligned tooling over agentless multi-cloud breadth. Strengths: deepest runtime forensics in the category through Falco and eBPF, strong open-source heritage and CNCF community engagement, defensible workload protection through deployed runtime sensors, credible incident-response story with the Sysdig Threat Research Team published advisories, and a vulnerability-management module that surfaces in-use packages rather than just installed-package counts. Trade-offs: agentless multi-cloud breadth trails Wiz and Orca for buyers whose primary need is cloud-account posture, runtime sensor rollout requires infrastructure-team negotiation, list pricing not public, and some buyer reports of mid-2024 leadership transitions creating organizational uncertainty.

Broadest enterprise CNAPP platform; deepest license, heaviest integration.

Palo Alto Prisma Cloud is the broadest enterprise CNAPP platform, assembled through a multi-year acquisition strategy starting with the RedLock CSPM acquisition (2018, $173M), the Twistlock container security acquisition (2019, $410M), and the Bridgecrew IaC security acquisition (2021, $156M), with subsequent product unification under the Prisma Cloud brand. The product covers the broadest feature surface in the category (CSPM, CWPP, CIEM, KSPM, IaC, code-to-cloud, web-application and API protection, data security posture) and is the default CNAPP for Palo Alto Networks stack customers. Strengths: broadest feature surface in the category, deep integration with the rest of the Palo Alto stack (NGFW, Cortex XDR, Cortex XSIAM), strong enterprise sales motion, defensible runtime through the Twistlock heritage, and a credible code-to-cloud story through Bridgecrew. Trade-offs: license cost is the highest in the category (multiple verified buyer reports of $1M+ annual deals for mid-enterprise scope), integration friction across the acquired sub-modules persists (RedLock CSPM, Twistlock CWPP, Bridgecrew IaC do not feel like one product to all buyers), product velocity is slower than Wiz on the agentless graph side, and renewal pricing creep has been a real complaint pattern through 2024 and 2025.

Vulnerability-management heritage bolted into CNAPP via the Ermetic acquisition.

Tenable Cloud Security is the CNAPP arm of public-company vulnerability-management leader Tenable (NASDAQ: TENB), built primarily on the foundation of the October 2023 Ermetic acquisition ($265M). Ermetic was a credible standalone CIEM and CNAPP startup, and the acquisition gave Tenable a path to extend its Nessus and Tenable.io vulnerability-management franchise into multi-cloud posture and entitlement management. Strengths: defensible vulnerability-management heritage with deep CVE coverage, public-company stability, strong CIEM through the Ermetic-acquired engineering team, broad cloud-account coverage across AWS, Azure, and GCP, and credible platform consolidation for Tenable-stack buyers who want vuln-management plus CNAPP from one vendor. Trade-offs: post-acquisition integration risk is real (the Ermetic-Tenable platform unification is still in progress 18 months after the deal closed), CNAPP feature breadth trails Wiz and Prisma Cloud, runtime protection story is thinner than Sysdig and Aqua, brand recognition in CNAPP buying committees trails the pure-plays, and some buyer reports of Ermetic-era roadmap commitments slipping under Tenable ownership.

Polygraph-based CNAPP now operating as a Fortinet subsidiary after a sharp 2024 down round.

Lacework is the Polygraph-based CNAPP product founded in 2015 that reached an $8.3B valuation at its 2022 funding peak before announcing layoffs in 2023 and ultimately being acquired by Fortinet in August 2024 at a reported sharp down round from the 2022 peak (terms not publicly disclosed but widely reported as a fraction of the 2022 valuation). The product is built around the Polygraph behavioral analytics engine that builds an automated baseline of cloud-account behavior and detects anomalies, plus CSPM, CWPP, KSPM, and vulnerability management. Strengths: defensible Polygraph behavioral analytics technology, deep AWS coverage, established enterprise customer base, and Fortinet acquisition provides parent-company stability and integration with the Fortinet Security Fabric. Trade-offs: post-acquisition integration risk is significant (Fortinet absorbing a once-independent CNAPP pure-play is a multi-quarter project), product velocity has visibly slowed since the 2023 layoffs and 2024 acquisition, multiple verified buyer reports of customer churn through 2024 and 2025, and the Fortinet stack is not the natural consolidation point for CNAPP buying committees that did not previously favor Fortinet. Most buyers should treat Lacework as a high-risk choice in 2026 unless they are committed Fortinet-stack consolidators.

Endpoint-adjacent CNAPP leveraging the Falcon agent and Charlotte AI.

CrowdStrike Falcon Cloud Security is the CNAPP arm of public-company endpoint-security leader CrowdStrike (NASDAQ: CRWD), positioned as the endpoint-adjacent CNAPP for CrowdStrike-stack consolidators. The product extends the Falcon agent and Charlotte AI assistant into cloud workload protection, container security, CSPM, and identity-risk analysis. Strengths: defensible endpoint-security heritage, deep Falcon agent telemetry pipeline that already runs on many enterprise estates, credible CIEM through the recent identity-protection investment, strong public-company sales motion, and a unified Falcon console that CrowdStrike-stack buyers value highly. Trade-offs: CNAPP feature breadth and agentless graph maturity trail Wiz and Orca, the agent-based primary posture is a deliberate architectural bet that some buyers reject (agentless time-to-value is faster), the July 2024 Falcon sensor incident that caused a global IT outage remains a buyer-relevant trust event for incident-response track record, and post-July-2024 pricing-power dynamics have shifted in renewals. Strong choice for CrowdStrike-stack consolidators, weaker default for net-new CNAPP-only evaluations.

Legacy enterprise CNAPP from the Check Point firewall heritage; slow velocity.

Check Point CloudGuard is the CNAPP arm of public-company firewall-heritage vendor Check Point Software (NASDAQ: CHKP), positioned as the cloud-security continuation of the Check Point Infinity platform that extends from on-prem firewalls into cloud workloads. The product is built primarily on the Dome9 acquisition (2018) for CSPM, plus subsequent module additions for CWPP, KSPM, and IaC. Strengths: defensible public-company stability, established global enterprise account presence inherited from the firewall business, integration with Check Point Infinity for buyers anchored on the Check Point stack, and reasonable feature coverage on paper. Trade-offs: product velocity has visibly lagged Wiz, Orca, Sysdig, and Aqua through 2023 to 2025, brand momentum in CNAPP evaluations is weak (Check Point CloudGuard rarely wins net-new mid-market or enterprise CNAPP deals against pure-plays in 2026), the cloud-security organization sits within a larger firewall-business culture that has not prioritized CNAPP velocity, and the post-Dome9 integration period left visible UX inconsistencies. Most buyers in 2026 should treat CloudGuard as a legacy enterprise choice that fits only existing Check Point-stack consolidators.

XDR-CNAPP convergence with one osquery-based agent across the estate.

Uptycs is the XDR-CNAPP convergence bet, founded 2016 in Waltham, MA around the open-source osquery project (originally created at Facebook) and positioned as the unified telemetry platform that runs one agent across servers, containers, kubernetes, laptops, and cloud. The company has raised over $130M in cumulative funding and maintains an independent path through 2025. Strengths: defensible osquery open-source heritage, one-agent architecture removes the typical two-agent friction between endpoint and cloud security teams, credible CSPM, CWPP, KSPM, and CIEM coverage, strong forensic-evidence story through osquery telemetry, and active independent operation through the CNAPP consolidation cycle. Trade-offs: smaller vendor footprint than Wiz, Orca, Aqua, or Sysdig (multi-year runway is a real evaluation factor), brand momentum trails the pure-play CNAPP leaders, agentless multi-cloud breadth trails Wiz, the XDR-CNAPP convergence thesis is a strategic bet that not all security organizations buy (many keep endpoint and cloud security separate by design), and net-new evaluation wins remain modest. Strong choice for security teams that want one telemetry pipeline; weaker default for buyers that want clear category-leader status.