Cloud Security Posture Management (CSPM)
Independent ranking of Cloud Security Posture Management (CSPM) and CNAPP platforms, crowdsourced deal pricing, six-dimension trust scoring, and explicit guidance on which platform is wrong for which buyer.
Cloud Security Posture Management is the control plane for multi-cloud configuration, compliance, and identity risk, and in 2026 it has effectively been absorbed into CNAPP (Cloud-Native Application Protection Platforms). Wiz remains the category leader on agentless scanning depth, time-to-value, and CNAPP breadth, and the August 2024 collapse of Google's $32B acquisition deal pushed the company onto an independent path that has since produced $1B+ ARR. Palo Alto Prisma Cloud is the default for buyers consolidating on Palo Alto network security. Microsoft Defender for Cloud (formerly Azure Security Center) is the de facto choice for Azure-anchored organizations and is bundled into Microsoft's broader Defender XDR economics. Lacework was acquired by Fortinet in mid-2024 in a fire-sale deal reported at $150M-$200M, a stunning collapse from its 2021 $8.3B peak, and post-acquisition direction inside Fortinet's broader portfolio remains the single biggest risk in the category. The category's structural shift in 2026: standalone CSPM is dead. Buyers should evaluate full CNAPP coverage (CSPM + CWPP + CIEM + KSPM + DSPM) rather than CSPM in isolation, because every credible vendor now ships all five.
All 10 products, ranked
- #1
Wiz
G2 4.7 (740)
CNAPP market leader on agentless scanning depth and time-to-value.
Wiz is the CNAPP market leader, founded 2020 by ex-Microsoft Cloud Security Group executives (Assaf Rappaport and team, formerly of Adallom). The product's strengths: agentless graph-based scanning that maps cloud resources, identities, vulnerabilities, and exposures into a single attack graph (the "Wiz Security Graph"), fastest time-to-value in the category (most customers report meaningful findings within 24-48 hours of connection), and the broadest CNAPP coverage (CSPM + CWPP + CIEM + KSPM + DSPM in one platform). Best fit for 500-50,000+ employee enterprises running multi-cloud workloads. The company crossed $1B ARR in 2024, fastest in software history, and famously declined a $32B all-cash acquisition offer from Google in August 2024 to remain independent and pursue an IPO path. Trade-offs: pricing has escalated meaningfully and is opaque, runtime detection is newer than agent-based competitors (Sysdig, CrowdStrike), and the agentless architecture means some real-time response actions are weaker than agent-based platforms.
Pricing: ○ Quote-only | Vendor trust: 7.8/10 | Best fit: 500–500,000+ | Reviews analyzed: 740
- #2
Palo Alto Prisma Cloud
G2 4.4 (1,180)
CNAPP for Palo Alto network security stack consolidation.
Palo Alto Prisma Cloud is the CNAPP product from Palo Alto Networks, built primarily through the 2019 acquisitions of RedLock (CSPM) and Twistlock (container security), and expanded with PureSec (serverless), Bridgecrew (IaC scanning), and Cider (CI/CD security). The product's primary advantage: tight integration with Palo Alto firewalls, Prisma SASE, and Cortex XDR, making it the default for buyers consolidating around Palo Alto. Best fit for enterprises 1,000+ employees committed to Palo Alto network security. Trade-offs: outside the Palo Alto ecosystem the product is less compelling than Wiz on time-to-value, the multi-product heritage shows as integration friction inside Prisma Cloud itself, and pricing is meaningful at scale. Distinct from Cortex XDR (covered separately in our EDR ranking): Cortex XDR covers endpoint, while Prisma Cloud covers cloud workloads and posture.
Pricing: ○ Quote-only | Vendor trust: 7.6/10 | Best fit: 1,000–500,000+ | Reviews analyzed: 1,180
- #3
Microsoft Defender for Cloud
G2 4.4 (1,840)
De facto default for Azure-anchored organizations.
Microsoft Defender for Cloud (formerly Azure Security Center, with Azure Defender bundled in 2021 and rebranded fully in 2022) is the CNAPP product native to Azure and extending to AWS and Google Cloud. The product's strengths: bundled foundational posture management with any Azure subscription at no extra cost, native integration with Microsoft Sentinel SIEM and Entra ID, and per-resource pricing that scales smoothly. Best fit for any Azure-anchored organization. Distinct from Microsoft Defender for Endpoint (covered in our EDR ranking under `defender-endpoint`). Trade-offs: outside the Azure ecosystem the product is meaningfully weaker than Wiz / Prisma Cloud, multi-cloud (AWS, GCP) coverage is less mature than Azure-native coverage, and the management UX (Defender for Cloud blade in Azure Portal) is fragmented across multiple panes.
Pricing: ● Transparent | Vendor trust: 8.3/10 | Best fit: 1–500,000+ | Reviews analyzed: 1,840
- #4
Lacework
G2 4.3 (580)
Polygraph data graph; post-Fortinet integration risk material.
Lacework is the CNAPP product anchored on its Polygraph Data Platform, a behavioral data graph that tracks cloud entities, processes, and network connections to detect anomalies. Founded 2015, the company peaked at an $8.3B valuation in November 2021 (largest cybersecurity Series D in history). The story since has been one of the most public valuation collapses in cybersecurity: meaningful layoffs in mid-2022 and 2023, and ultimately an acquisition by Fortinet in June 2024 in a fire-sale deal reported across multiple sources at $150M-$200M, roughly 2-3% of the 2021 peak. Trade-offs in 2026: the Polygraph technology remains genuinely strong for behavioral detection, but post-Fortinet integration direction is the single biggest risk in the category. Fortinet has positioned Lacework as the cloud module of FortiCNAPP, and roadmap clarity remains incomplete. Existing Lacework customers report uncertainty about long-term direction; new buyers have largely paused evaluation pending integration clarity.
Pricing: ○ Quote-only | Vendor trust: 6.0/10 | Best fit: 500–50,000 | Reviews analyzed: 580
- #5
Orca Security
G2 4.6 (480)
Agentless CSPM pioneer with SideScanning architecture.
Orca Security is the agentless CSPM pioneer, founded 2019 by ex-Check Point executives. The product's primary differentiator: SideScanning, a patented agentless architecture that scans cloud workloads via runtime block storage snapshots without requiring agents or network connectors. Orca and Wiz are both agentless CNAPP, and the two have spent meaningful resources publicly contesting patent and architecture claims. Best fit for security teams resistant to agent rollouts and DevOps-heavy organizations wanting comprehensive coverage without endpoint friction. Trade-offs: Wiz has out-marketed Orca on time-to-value despite similar architectures, brand momentum has slowed relative to Wiz, runtime detection is newer than agent-based competitors, and pricing has crept up under growth pressure. Some customer churn to Wiz reported in 2024-2025.
Pricing: ○ Quote-only | Vendor trust: 7.5/10 | Best fit: 500–25,000 | Reviews analyzed: 480
- #6
Sysdig
G2 4.5 (380)
Falco-anchored runtime detection plus full CNAPP.
Sysdig is the CNAPP product anchored on Falco, the open-source runtime security project Sysdig created in 2016 and donated to the CNCF in 2018 (now graduated). The product's primary advantage: deepest runtime detection in the category, particularly for Kubernetes and container workloads, built on the same eBPF-based instrumentation that powers Falco. Founded 2013 by Loris Degioanni (creator of WinPcap and co-creator of Wireshark). Best fit for Kubernetes-heavy stacks where runtime detection is the primary use case and posture is secondary. Trade-offs: agent-based architecture means slower time-to-value than Wiz / Orca, posture (CSPM) capabilities are less mature than runtime, and pricing is meaningful at scale. Sysdig's 555-rule and "5/5/5" benchmark for cloud detection (5 seconds detect, 5 minutes triage, 5 minutes respond) is widely cited but operationally aggressive.
Pricing: ○ Quote-only | Vendor trust: 7.9/10 | Best fit: 500–50,000+ | Reviews analyzed: 380
- #7
Aqua Security
G2 4.4 (280)
Container and Kubernetes-anchored CNAPP with Trivy heritage.
Aqua Security is the container and Kubernetes-anchored CNAPP product, founded 2015 in Israel. The product's strengths: deepest container and Kubernetes security heritage in the category (predates the CNAPP category itself), Trivy as the most-deployed open-source vulnerability scanner (Aqua acquired Trivy creator Aqua Open Source in 2020), and strong fit for buyers with container workloads as the primary attack surface. Best fit for Kubernetes-heavy and supply-chain-conscious organizations. Trade-offs: outside container and Kubernetes use cases the product is less compelling than Wiz / Orca, IPO talks reported in 2024-2025 have not yet materialized into a public listing, brand momentum has slowed relative to Wiz, and multi-cloud posture (CSPM) capabilities are less mature than container-native features.
Pricing: ○ Quote-only | Vendor trust: 7.7/10 | Best fit: 500–25,000 | Reviews analyzed: 280
- #8
Tenable Cloud Security
G2 4.4 (380)
CIEM-led CNAPP built on Ermetic foundation.
Tenable Cloud Security is the CNAPP product from Tenable (the Nessus / Tenable.io vulnerability management leader), built primarily on the October 2023 acquisition of Ermetic for $265M. The product's primary advantage: deepest CIEM (cloud infrastructure entitlement management) capabilities in the category. Ermetic was the leading CIEM pure-play before the acquisition, and Tenable has retained that strength. Best fit for buyers leading with cloud identity governance and entitlement risk. Trade-offs: outside CIEM-led use cases the product is less compelling than Wiz / Orca, posture (CSPM) and runtime (CWPP) capabilities are less mature than CIEM, and integration with broader Tenable vulnerability management is a work in progress. Public company financial transparency and breadth of customer base (Tenable serves 65% of Fortune 500) are meaningful differentiators.
Pricing: ○ Quote-only | Vendor trust: 7.7/10 | Best fit: 1,000–500,000+ | Reviews analyzed: 380
- #9
CrowdStrike Falcon Cloud Security
G2 4.5 (480)
Cloud module of the Falcon platform, default for CrowdStrike-anchored buyers.
CrowdStrike Falcon Cloud Security is the cloud module of the Falcon platform, the EDR/XDR market leader covered separately in our [Top 10 EDR / Endpoint Security Software](/top-10-edr-software) ranking under `crowdstrike`. The product extends CrowdStrike's endpoint dominance into CNAPP, primarily through the 2021 Humio acquisition (data lake foundation) and the 2024 Flow Security acquisition for DSPM ($200M). Best fit for enterprises already running Falcon for endpoint who want cloud security on the same platform and console. Trade-offs: outside the CrowdStrike ecosystem the product is less compelling than Wiz / Orca, time-to-value is slower than agentless competitors, the broader CrowdStrike trust impact from the July 2024 Falcon Sensor channel-file outage extends to customer perception of cloud security expansion, and pricing is meaningful at scale. The cloud module is genuinely strong but rarely a standalone purchase decision; it sells via Falcon platform expansion.
Pricing: ○ Quote-only | Vendor trust: 6.9/10 | Best fit: 1,000–500,000+ | Reviews analyzed: 480
- #10
Check Point CloudGuard
G2 4.4 (380)
CNAPP for Check Point-anchored network security stacks.
Check Point CloudGuard is the CNAPP product from Check Point Software, built primarily on the 2019 acquisition of Dome9 (CSPM) and extended with Protego (serverless security) and Spectral (developer security, 2023). The product's primary advantage: tight integration with Check Point firewalls and the broader Check Point Infinity platform, making it the default for buyers consolidating around Check Point network security. Founded 1993, public on NASDAQ ($21B+ market cap). Best fit for enterprises 1,000+ employees committed to Check Point network security. Trade-offs: outside the Check Point ecosystem the product is less compelling than Wiz / Orca, time-to-value is slower than agentless leaders, brand momentum in CNAPP has lagged the Check Point firewall heritage, and innovation pace is slower than category leaders.
Pricing: ○ Quote-only | Vendor trust: 7.3/10 | Best fit: 1,000–500,000+ | Reviews analyzed: 380
How we rank Cloud Security Posture Management (CSPM)
Evaluated 18 CSPM/CNAPP platforms across six weighted factors: posture and misconfiguration depth across AWS/Azure/GCP/OCI (20%), CNAPP breadth (CSPM + CWPP + CIEM + KSPM + DSPM coverage) (20%), runtime detection quality (15%), value (15%), agentless vs agent architecture trade-offs (15%), and vendor trust / acquisition history (15%). Pricing data gathered from vendor websites Feb-Apr 2026 and verified buyer disclosures. Verified pricing crowdsourced from 1,200+ buyer disclosures. Editorial verifies review patterns from G2, Capterra, Reddit, and Trustpilot at the 15%+ prevalence threshold before publication. Excluded: pure DSPM-only vendors (Cyera, Varonis cloud, covered separately in our DSPM ranking), pure SaaS Security Posture Management (SSPM, covered separately), legacy on-prem security (Tripwire), and CSPM modules of vendors not credible at standalone CSPM/CNAPP scale.
- ✓ 10 products with full intelligence profile
- ✓ Verified pricing crowdsourced from real buyers
- ✓ Vendor trust scores independent of product quality
- ✓ Review patterns from G2, Capterra, Reddit, Trustpilot
- ✓ Quarterly re-verification of all data