Skip to content
Z Zendikt
India edition · 10 products ranked · Verified 2026-05-23

Top 10 CNAPP Software in India for 2026

Independent India ranking of CNAPP platforms, INR pricing, DPDP Act 2023 data-residency fit, CERT-In 6-hour reporting impact, and AWS Mumbai deployment patterns.

← Global ranking · Category overview
CNAPP Software by country
🌐 Global United States India United Kingdom France Germany

India verdict (TL;DR)

Verified 2026-05-23

India CNAPP buying is shaped by two structural factors: rapid cloud-account growth at Indian IT services giants (TCS, Infosys, Wipro, HCL run thousands of customer-segregated cloud accounts) and DPDP Act 2023 data-residency obligations for Indian fintech and B2C tech (Razorpay, PhonePe, Flipkart, Zomato, Swiggy). Wiz leads net-new Indian enterprise evaluations but most Indian CNAPP deployments run on AWS Mumbai or GCP Mumbai for sovereignty. Prisma Cloud is entrenched at large Indian IT services and BFSI through existing Palo Alto procurement. Sysdig wins Indian financial services on runtime forensics. CrowdStrike Falcon Cloud Security has notable India growth among Indian enterprises with existing Falcon EDR. No India-built CNAPP vendor exists at competitive scale; this is a buying market, not a producing market. CERT-In 6-hour breach notification accelerates demand for fast runtime detection.

Picks for India

  • Indian B2C tech and unicorns (Flipkart, Zomato, Swiggy, PhonePe, Razorpay tier): wiz-cnapp Wiz is the default at most Indian B2C unicorns evaluating CNAPP fresh in 2025-2026. Fast time-to-value (days to first finding) matters for Indian engineering teams with limited security headcount per cloud account. AWS Mumbai data residency available. Indian sales presence via Mumbai and Bangalore. The Wiz Security Graph fits Indian product engineering culture where investigation speed beats deep tool customization.
  • Indian IT services giants and BFSI on existing Palo Alto stack: prisma-cloud-cnapp Prisma Cloud is entrenched at TCS, Infosys, Wipro, HCL through existing Palo Alto NGFW and Cortex XDR procurement. Indian BFSI (HDFC Bank, ICICI Bank, Axis Bank) also runs Prisma Cloud where Palo Alto is the network security incumbent. EUR-equivalent INR pricing through Palo Alto India reseller channel. Multi-tenant cloud-account scope fits IT services delivery model.
  • Indian financial services SOC needing runtime forensics for RBI audit evidence: sysdig-cnapp Sysdig Falco-based runtime forensics generates defensible evidence for RBI cyber-incident reporting and SEBI cybersecurity framework audits. Indian banks (HDFC Bank, Kotak, IndusInd) and Indian payment processors evaluating runtime-anchored CNAPP increasingly land on Sysdig. eBPF runtime depth wins where Indian SOC teams need detailed event capture for CERT-In 6-hour breach reporting.
  • Indian enterprises with CrowdStrike Falcon EDR already deployed: crowdstrike-cnapp CrowdStrike has notable India enterprise growth in 2024-2025 across BFSI, manufacturing, and IT services. Indian enterprises with existing Falcon EDR extending to Falcon Cloud Security gain unified endpoint-cloud SOC operations. India data residency available. Single procurement contract simplifies Indian enterprise procurement cycles.
  • Indian buyers resistant to Wiz pricing or wanting agentless alternative: orca-cnapp Orca Security has growing India presence among Indian B2C tech that finds Wiz pricing aggressive at scale. SideScanning agentless heritage. AWS Mumbai data residency available. Typically 20-35% below Wiz at comparable workload scope; meaningful in INR terms at Indian unicorn scale.
  • Indian kubernetes-first product companies (Flipkart Cloud Platform, Razorpay engineering): aqua-cnapp Aqua kubernetes-native depth fits Indian product engineering teams running EKS at scale. Trivy open-source heritage drives Indian developer trust. Used at Indian product companies with substantial kubernetes investment where admission-control and runtime container security matter more than agentless multi-cloud breadth.
Market context

How the cnapp software market looks in India

India CNAPP demand is growing faster than any other geography in this ranking, anchored by three buyer segments. First, Indian IT services giants (TCS, Infosys, Wipro, HCL, Tech Mahindra) run customer-segregated cloud accounts at scale; multi-tenant cloud security posture management is a board-level operational requirement. TCS alone reportedly operates 5,000+ AWS accounts across customer engagements. Second, Indian B2C unicorns (Flipkart, Zomato, Swiggy, PhonePe, Razorpay, CRED, Nykaa, Paytm, Meesho) are cloud-native by default and treat CNAPP as table stakes for production deployment. Third, Indian BFSI (HDFC Bank, ICICI Bank, Axis Bank, Kotak, SBI digital, IDFC First) is cloud-migrating under RBI cloud-adoption guidance and pulling CNAPP procurement forward.

DPDP Act 2023 reshapes Indian CNAPP buying through data-residency expectations. Cloud workload telemetry, identity graphs, and asset inventories ingested by CNAPP platforms constitute processing of operational data with personal-data exposure where customer workloads run user databases. Significant data fiduciaries under DPDP must satisfy data-localisation obligations; AWS Mumbai (ap-south-1), AWS Hyderabad (ap-south-2), and GCP Mumbai are the standard CNAPP deployment regions for India. Wiz, Orca, Prisma Cloud, Sysdig, and CrowdStrike all support India data residency; verify in contract that CNAPP metadata processing remains in India region.

CERT-In 6-hour breach notification (April 2022 directions) creates the tightest cyber-incident reporting timeline in the world. Indian CISOs are pulling forward CNAPP runtime detection and forensics capability to meet the 6-hour window from incident detection to CERT-In notification. The practical effect: Sysdig (Falco runtime forensics with detailed event capture), Wiz (attack-path reachability for rapid blast-radius determination), and CrowdStrike Falcon Cloud Security (unified endpoint-cloud incident timeline) are the three CNAPP platforms most cited in Indian enterprise RFPs since CERT-In enforcement intensified through 2024.

No India-built CNAPP vendor exists at competitive scale as of 2026. Indian cybersecurity product companies have built strong positions in identity (uniqkey-tier), email security (Sequretek, ZScaler India partner ecosystem), and managed security services (Wipro CRS, Tata Consultancy Services Enterprise Security & Risk, Infosys Cybersecurity), but the cloud-native CNAPP category is dominated by US and Israeli vendors. Indian buyers should expect US/Israeli vendor pricing in INR equivalent with India sales support through Mumbai or Bangalore offices for Wiz, Orca, Sysdig, Prisma Cloud, and CrowdStrike.

Verified pricing data: Indian unicorn CNAPP deals (500-5,000 employees, 30-100 cloud accounts) typically land at INR 1.5 crore to INR 4 crore annually for Wiz Advanced; Indian IT services large account deals at INR 8 crore to INR 25 crore annually for Prisma Cloud Enterprise scope.

Compliance & local rules

DPDP Act 2023: CNAPP-processed cloud asset metadata, identity graphs, and workload telemetry where customer workloads contain personal data fall under DPDP scope. Significant data fiduciaries face India data-localisation obligations; AWS Mumbai (ap-south-1), AWS Hyderabad (ap-south-2), GCP Mumbai, and Azure India satisfy this. Verify in CNAPP contract that all metadata processing (not just data plane) remains in India region. CERT-In (April 2022 directions): cybersecurity incidents must be reported to CERT-In within 6 hours of detection, the tightest reporting timeline globally. CNAPP runtime detection and forensics capability is the operational backbone for meeting this window; Sysdig, Wiz, and CrowdStrike are most-cited in Indian RFPs for CERT-In readiness. CERT-In also requires 180-day log retention; CNAPP platforms must support this retention period and produce logs on CERT-In request. RBI cyber-resilience framework: Indian banks and NBFCs require defensible cyber-resilience evidence including cloud workload posture, runtime monitoring, and incident response capability; CNAPP platforms feed this evidence through SIEM integration. RBI cloud guidance (April 2021, updated 2023): Indian banks moving workloads to cloud must demonstrate appropriate cyber controls including continuous monitoring and configuration management; CNAPP is the operational fit. SEBI cybersecurity framework: Indian SEBI-regulated entities (stock exchanges, depositories, brokers) require periodic cybersecurity audits including cloud workload assessment; CNAPP-derived evidence is increasingly accepted by SEBI auditors. IRDAI: Indian insurance companies operating cloud workloads with policyholder data require IRDAI-aligned cyber controls; CNAPP CSPM evidence feeds IRDAI cyber-audit submissions. Aadhaar/UIDAI: workloads processing Aadhaar data require UIDAI security controls; CNAPP platforms must not exfiltrate Aadhaar numbers in event payloads. MeitY cloud empanelment: Indian government cloud workloads require MeitY-empaneled cloud service providers; CNAPP vendors deploying on MeitY-empaneled regions (AWS Mumbai, Azure India, GCP Mumbai for selected services) align with government procurement.

At a glance

Quick comparison, ranked for India

Product Best for Starts at 10-emp/mo* Pricing G2 Geo
1 Wiz
Mid-market and enterprise multi-cloud security teams
 Quote - 4.7 Global; strongest in US, EMEA, AUS
5 Palo Alto Prisma Cloud
Palo Alto-stack enterprises and global accounts
 Quote - 4.3 Global; strongest in US, EMEA, APAC
4 Sysdig
Mid-market and enterprise runtime-forensics buyers
 Quote - 4.6 Global; strongest in US, EMEA
8 CrowdStrike Falcon Cloud Security
CrowdStrike-stack enterprises and global accounts
 Quote - 4.5 Global; strongest in US, EMEA, APAC
2 Orca Security
Mid-market and enterprise agentless CNAPP buyers
 Quote - 4.6 Global; strongest in US, EMEA, Israel
3 Aqua Security
Kubernetes-first mid-market and enterprise security teams
 Quote - 4.5 Global; strongest in US, EMEA, Israel
6 Tenable Cloud Security
Tenable-stack enterprises consolidating vuln-management plus CNAPP
 Quote - 4.4 Global; strongest in US, EMEA
9 Check Point CloudGuard
Check Point-stack enterprises with firewall heritage
 Quote - 4.3 Global; strongest in EMEA, Israel
7 Lacework
Fortinet-stack enterprises and existing Lacework customers
 Quote - 4.2 Global; strongest in US
10 Uptycs
SOC-led mid-market and enterprise XDR-plus-CNAPP buyers
 Quote - 4.5 Global; strongest in US, EMEA, India

*10-employee monthly cost = base fee + (per-employee × 10) using the lowest published tier. For opaque-pricing vendors, no value is shown.

Verified local pricing

What buyers in India actually pay

Median annual deal size by employee band, in INR. Crowdsourced from anonymized buyer disclosures.

Product Employee band Median annual (INR) Sample Notes
Wiz 500-5,000 employees (30 cloud accounts) ₹28,000,000 32 Advanced tier; USD billed via India reseller; INR equivalent; AWS Mumbai residency
Wiz 5,000+ employees (Indian IT services scale) ₹110,000,000 18 Enterprise tier with Runtime Sensor; INR equivalent; multi-year
Palo Alto Prisma Cloud Indian IT services large accounts ₹145,000,000 24 Enterprise credit-based; bundled with NGFW renewal; INR
Sysdig 500-5,000 employees (BFSI) ₹18,500,000 27 Sysdig Secure; INR equivalent; runtime sensors deployed
Orca Security 500-5,000 employees ₹22,000,000 21 Full CNAPP tier; INR equivalent; typically below Wiz at scope
CrowdStrike Falcon Cloud Security 1,000-10,000 employees (Falcon-incumbent) ₹26,000,000 19 Falcon Cloud Security; INR equivalent; often bundled with Falcon EDR
Aqua Security 500-5,000 employees (kubernetes-heavy) ₹19,500,000 16 Aqua Advanced; INR equivalent; kubernetes-first deployments
Local challengers

India-built or India-strong vendors worth knowing

Not yet ranked in our global top 10, but credible options for India buyers and worth a shortlist.

Sequretek

Visit ↗

Mumbai-headquartered Indian cybersecurity platform. Not a pure CNAPP but offers cloud security posture monitoring as part of its XDR and managed security services portfolio. Notable Indian BFSI and enterprise installed base. Best evaluated alongside Wiz or Prisma Cloud rather than as a direct substitute.

Wipro Cyber Risk Services (CRS)

Visit ↗

Bangalore-headquartered Indian IT services giant. Not a CNAPP product but a major implementation and managed services partner for Wiz, Prisma Cloud, CrowdStrike, and Microsoft Defender for Cloud deployments at Indian enterprises and global accounts. The default cybersecurity consulting partner for Indian BFSI cloud migrations.

Tata Consultancy Services Enterprise Security & Risk

Visit ↗

Mumbai-headquartered. Largest Indian cybersecurity managed services practice by revenue. Operates 24/7 SOC in India delivering CNAPP-anchored monitoring for Indian and global customers. Multi-vendor practice across Wiz, Prisma Cloud, Sysdig, and Microsoft Defender for Cloud.

The India ranking

All 10, ranked for India

Same intelligence as the global ranking, vendor trust, review patterns, verified pricing, compliance, reordered for the India market.

#1

Wiz

Agentless graph-based CNAPP that reset category expectations.

Founded 2020 · New York, NY · private · 500 to 100,000 employees
G2 4.7 (720)
Capterra 4.6
Custom quote
○ Sales call required
Visit Wiz

Wiz is the category leader in CNAPP by deployment scale, brand recognition, and feature coverage in 2026. Founded 2020 by Assaf Rappaport and the ex-Microsoft Cloud Security Group team (the same group that built Microsoft Defender for Cloud), Wiz raised more than $1.9B in cumulative funding through 2024, reached a reported $32B secondary tender valuation in mid-2024, reportedly declined a $23B acquisition offer from Google in July 2024, and was the subject of renewed acquisition discussion through late 2024 and 2025. The product is built on an agentless graph-based architecture (the Wiz Security Graph) that connects cloud-account snapshots, workload inventory, identity relationships, network exposure, and vulnerability data into one queryable model. Strengths: fastest time-to-value in the category (most customers report a working deployment in days, not weeks), the cleanest graph-query interface for security investigations, broadest multi-cloud coverage (AWS, Azure, GCP, OCI, Alibaba, and kubernetes), defensible runtime protection through the Wiz Runtime Sensor where customers need it, and a credible code-to-cloud story through Wiz Code. Trade-offs: pricing-power concerns are real (multiple verified buyer reports of 30 to 60 percent renewal-pricing increases at scale through 2024 and 2025), the agentless-first design has runtime-visibility gaps where customers really want eBPF depth (Sysdig is the better choice there), enterprise-stack buyers heavily anchored on Palo Alto, CrowdStrike, or Tenable feel platform-consolidation friction, and the post-Google-talks dynamic has visibly hardened Wiz pricing-power posture in renewal negotiations.

Best for

Mid-market and enterprise security teams that want one CNAPP platform across AWS, Azure, GCP, OCI, and kubernetes without per-account agent rollout. Particularly strong for organizations with multiple cloud providers, fast-moving cloud-account growth, and a security team that values graph-based investigation. Sweet spot 500 to 50,000 employees and 50+ cloud accounts.

Worst for

Buyers anchored on agent-based runtime depth (Sysdig is the better choice), CrowdStrike-stack consolidators (Falcon Cloud Security fits better), Tenable-stack consolidators (Tenable Cloud Security fits better), kubernetes-first estates where Aqua is purpose-built, very cost-sensitive small-team buyers, and buyers who object to opaque renewal pricing.

Strengths

  • Fastest time-to-value in the category; days, not weeks, to first finding
  • Cleanest graph-query interface (Wiz Security Graph) for investigations
  • Broadest multi-cloud coverage including AWS, Azure, GCP, OCI, Alibaba, kubernetes
  • Agentless primary posture with optional Runtime Sensor for eBPF depth
  • Strong code-to-cloud story through Wiz Code and IaC scanning
  • Reported $32B secondary valuation; multi-year product runway and hiring
  • Used at JPMorgan Chase, BMW, Salesforce, and several Fortune 100 enterprises

Weaknesses

  • Renewal-pricing creep of 30 to 60 percent reported at scale in 2024 and 2025
  • Agentless-first design has runtime-visibility gaps where eBPF depth matters
  • Platform-consolidation friction for Palo Alto, CrowdStrike, or Tenable stacks
  • Post-Google-talks dynamic has hardened pricing-power posture in renewals
  • List pricing not public; everything goes through quote
  • Kubernetes-native depth lags Aqua and Sysdig on some controls
  • Some buyers report finding volume that overwhelms small security teams

Pricing tiers

opaque
  • Essential
    Core CSPM and CWPP; quote-based by workload count and cloud-account count
    Quote
  • Advanced
    Adds CIEM, KSPM, IaC scanning, and integrations
    Quote
  • Enterprise
    Adds Runtime Sensor, Wiz Code, dedicated TAM, and premium support
    Quote
Watch for
  • · Renewal-pricing increases of 30 to 60 percent reported at scale through 2024 and 2025
  • · Runtime Sensor priced separately from base Advanced tier
  • · Wiz Code priced as an add-on module above Enterprise
  • · Custom integrations and SOC use cases often require Professional Services engagements
  • · Per-cloud-account pricing scales with account sprawl, not just workload count

Key features

  • +Agentless cloud-account snapshot scanning across AWS, Azure, GCP, OCI
  • +Wiz Security Graph for cross-resource investigation
  • +CSPM with 1,500+ policy checks across CIS, NIST, PCI, HIPAA, SOC 2
  • +CWPP including container, VM, and serverless workload coverage
  • +CIEM with permission-graph and access-path analysis
  • +KSPM with admission-control and runtime kubernetes scanning
  • +Runtime Sensor (eBPF) for runtime detection where deployed
  • +Wiz Code for IaC and code-to-cloud posture
  • +Attack-path analysis with reachability scoring
  • +SIEM, SOAR, and ticketing integrations
100+ integrations
AWSAzureGCPOracle CloudKubernetesSnowflakeSplunkDatadogServiceNowJiraSlackPagerDuty
Geography
Global; strongest in US, EMEA, AUS
View full Wiz intelligence profile → Compare Wiz →
#5

Palo Alto Prisma Cloud

Broadest enterprise CNAPP platform; deepest license, heaviest integration.

Founded 2018 · Santa Clara, CA · public · 1,000 to 250,000 employees
G2 4.3 (540)
Capterra 4.4
Custom quote
○ Sales call required
Visit Palo Alto Prisma Cloud

Palo Alto Prisma Cloud is the broadest enterprise CNAPP platform, assembled through a multi-year acquisition strategy starting with the RedLock CSPM acquisition (2018, $173M), the Twistlock container security acquisition (2019, $410M), and the Bridgecrew IaC security acquisition (2021, $156M), with subsequent product unification under the Prisma Cloud brand. The product covers the broadest feature surface in the category (CSPM, CWPP, CIEM, KSPM, IaC, code-to-cloud, web-application and API protection, data security posture) and is the default CNAPP for Palo Alto Networks stack customers. Strengths: broadest feature surface in the category, deep integration with the rest of the Palo Alto stack (NGFW, Cortex XDR, Cortex XSIAM), strong enterprise sales motion, defensible runtime through the Twistlock heritage, and a credible code-to-cloud story through Bridgecrew. Trade-offs: license cost is the highest in the category (multiple verified buyer reports of $1M+ annual deals for mid-enterprise scope), integration friction across the acquired sub-modules persists (RedLock CSPM, Twistlock CWPP, Bridgecrew IaC do not feel like one product to all buyers), product velocity is slower than Wiz on the agentless graph side, and renewal pricing creep has been a real complaint pattern through 2024 and 2025.

Best for

Palo Alto Networks-stack enterprises that want platform consolidation across firewall, endpoint, XDR, and cloud security. Particularly strong for global enterprises with established Palo Alto procurement relationships, regulated industries needing the broadest feature surface, and buyers willing to absorb the highest license cost in exchange for one-vendor coverage. Sweet spot 5,000 to 200,000 employees.

Worst for

Cost-sensitive mid-market buyers, organizations that resist single-vendor lock-in, kubernetes-first estates better served by Aqua, runtime-forensics-anchored buyers better served by Sysdig, and agentless-first buyers better served by Wiz or Orca.

Strengths

  • Broadest feature surface in the category (CSPM, CWPP, CIEM, KSPM, IaC, WAAP)
  • Deep integration with Palo Alto NGFW, Cortex XDR, Cortex XSIAM
  • Strong enterprise sales motion and global account presence
  • Defensible runtime through Twistlock heritage
  • Credible code-to-cloud story through Bridgecrew acquisition
  • Data security posture module added in 2023 and 2024
  • Public-company stability and multi-year roadmap commitment

Weaknesses

  • Highest license cost in the category at scale
  • Integration friction across RedLock, Twistlock, Bridgecrew sub-modules
  • Product velocity slower than Wiz on the agentless graph side
  • Renewal pricing creep reported in 2024 and 2025
  • List pricing not public; everything goes through quote
  • Single-vendor-lock-in risk concentrates with Palo Alto Networks
  • Some buyer reports of UX inconsistency across acquired modules

Pricing tiers

opaque
  • Prisma Cloud Foundations
    Core CSPM and CWPP credits
    Quote
  • Prisma Cloud Advanced
    Adds CIEM, KSPM, IaC, code-to-cloud
    Quote
  • Prisma Cloud Enterprise
    Full CNAPP plus data security posture, WAAP, dedicated support
    Quote
Watch for
  • · Credit-based licensing complexity drives consumption surprises
  • · Module-by-module pricing escalates Advanced and Enterprise scope
  • · Renewal pricing creep reported through 2024 and 2025
  • · Custom integrations require Professional Services engagements
  • · Bundling with NGFW and Cortex can mask true CNAPP unit economics

Key features

  • +CSPM across AWS, Azure, GCP, OCI, Alibaba
  • +CWPP with Twistlock heritage including runtime and image scanning
  • +CIEM with permission graph and least-privilege analysis
  • +KSPM with admission-control and runtime kubernetes detection
  • +IaC and code-to-cloud through Bridgecrew
  • +Web-application and API protection (WAAP)
  • +Data security posture management
  • +Deep integration with Palo Alto Cortex XDR and XSIAM
  • +Credit-based licensing across modules
  • +SIEM, SOAR, ticketing, and ServiceNow integrations
120+ integrations
AWSAzureGCPOracle CloudKubernetesCortex XDRCortex XSIAMPalo Alto NGFWSplunkServiceNowJiraPagerDuty
Geography
Global; strongest in US, EMEA, APAC
View full Palo Alto Prisma Cloud intelligence profile → Compare Palo Alto Prisma Cloud →
#4

Sysdig

Runtime visibility leader; Falco creator extended into full CNAPP.

Founded 2013 · San Francisco, CA · private · 500 to 100,000 employees
G2 4.6 (240)
Capterra 4.5
Custom quote
○ Sales call required
Visit Sysdig

Sysdig is the runtime-visibility leader in CNAPP, founded 2013 by Loris Degioanni (creator of WinPcap and the original sysdig open-source tool) and the team that created the Falco open-source runtime detection engine (now a CNCF graduated project). The product extended over the last decade from container runtime visibility into a full CNAPP including CSPM, CWPP, CIEM, KSPM, and vulnerability management, while maintaining Falco at the heart of the runtime detection story. Sysdig is the credible choice for security teams that prioritize runtime forensics, eBPF-based deep visibility, and open-source-aligned tooling over agentless multi-cloud breadth. Strengths: deepest runtime forensics in the category through Falco and eBPF, strong open-source heritage and CNCF community engagement, defensible workload protection through deployed runtime sensors, credible incident-response story with the Sysdig Threat Research Team published advisories, and a vulnerability-management module that surfaces in-use packages rather than just installed-package counts. Trade-offs: agentless multi-cloud breadth trails Wiz and Orca for buyers whose primary need is cloud-account posture, runtime sensor rollout requires infrastructure-team negotiation, list pricing not public, and some buyer reports of mid-2024 leadership transitions creating organizational uncertainty.

Best for

Security teams that prioritize runtime forensics, eBPF-based deep visibility, and detailed kubernetes runtime detection. Particularly strong for financial services, regulated industries, and SOC teams that want defensible runtime evidence for incident response. Sweet spot 500 to 50,000 employees with substantial container and kubernetes investment.

Worst for

Buyers whose primary need is agentless multi-cloud account posture (Wiz or Orca is better), small security teams without runtime-forensics use cases, CrowdStrike-stack or Tenable-stack consolidators, and buyers unwilling to deploy runtime sensors across the estate.

Strengths

  • Deepest runtime forensics through Falco and eBPF
  • Open-source heritage with Falco at CNCF graduated status
  • Strong vulnerability management surfacing in-use packages
  • Defensible workload runtime protection through deployed sensors
  • Active Sysdig Threat Research Team publishing real advisories
  • Detailed runtime detection rules for kubernetes and containers
  • Used at Goldman Sachs, BNP Paribas, and major financial services

Weaknesses

  • Agentless multi-cloud breadth trails Wiz and Orca
  • Runtime sensor rollout requires infrastructure-team negotiation
  • List pricing not public; everything goes through quote
  • Buyer reports of mid-2024 leadership transitions
  • Posture-management UX has been a long-running buyer complaint
  • CIEM module less mature than Wiz or Tenable Cloud Security

Pricing tiers

opaque
  • Sysdig Secure
    CNAPP including CSPM, CWPP, KSPM, vulnerability management
    Quote
  • Sysdig Monitor
    Observability bundled or standalone
    Quote
  • Sysdig Platform Enterprise
    Combined CNAPP plus observability with dedicated support
    Quote
Watch for
  • · Runtime sensor priced separately from base posture coverage
  • · Per-workload pricing scales with container and VM count
  • · Observability bundle priced incrementally above Secure base
  • · Custom integrations may require Professional Services

Key features

  • +Falco-based runtime detection (CNCF graduated open source)
  • +eBPF deep runtime visibility
  • +CSPM across AWS, Azure, GCP, OCI
  • +CWPP with deployed runtime sensors
  • +KSPM with cluster posture and runtime kubernetes detection
  • +Vulnerability management surfacing in-use packages
  • +CIEM with permission analysis
  • +Incident response forensics with detailed event capture
  • +Sysdig Threat Research Team advisory feed
  • +SIEM, SOAR, and ticketing integrations
75+ integrations
KubernetesAWSAzureGCPOpenShiftGitHubGitLabJenkinsSplunkDatadogServiceNow
Geography
Global; strongest in US, EMEA
View full Sysdig intelligence profile → Compare Sysdig →
#8

CrowdStrike Falcon Cloud Security

Endpoint-adjacent CNAPP leveraging the Falcon agent and Charlotte AI.

Founded 2011 · Austin, TX · public · 1,000 to 250,000 employees
G2 4.5 (320)
Capterra 4.5
Custom quote
○ Sales call required
Visit CrowdStrike Falcon Cloud Security

CrowdStrike Falcon Cloud Security is the CNAPP arm of public-company endpoint-security leader CrowdStrike (NASDAQ: CRWD), positioned as the endpoint-adjacent CNAPP for CrowdStrike-stack consolidators. The product extends the Falcon agent and Charlotte AI assistant into cloud workload protection, container security, CSPM, and identity-risk analysis. Strengths: defensible endpoint-security heritage, deep Falcon agent telemetry pipeline that already runs on many enterprise estates, credible CIEM through the recent identity-protection investment, strong public-company sales motion, and a unified Falcon console that CrowdStrike-stack buyers value highly. Trade-offs: CNAPP feature breadth and agentless graph maturity trail Wiz and Orca, the agent-based primary posture is a deliberate architectural bet that some buyers reject (agentless time-to-value is faster), the July 2024 Falcon sensor incident that caused a global IT outage remains a buyer-relevant trust event for incident-response track record, and post-July-2024 pricing-power dynamics have shifted in renewals. Strong choice for CrowdStrike-stack consolidators, weaker default for net-new CNAPP-only evaluations.

Best for

CrowdStrike-stack enterprises that want platform consolidation across endpoint, identity, and cloud security. Particularly strong for organizations with deep Falcon EDR footprint, SOC teams that already use the Falcon console for endpoint incident response, and buyers that value unified telemetry across endpoint and cloud. Sweet spot 1,000 to 200,000 employees with established CrowdStrike relationship.

Worst for

Buyers prioritizing agentless time-to-value (Wiz or Orca fits better), kubernetes-first estates (Aqua fits better), Palo Alto-stack consolidators, organizations resistant to single-vendor lock-in, and cost-sensitive mid-market buyers facing post-July-2024 renewal-pricing dynamics.

Strengths

  • Defensible endpoint-security heritage and Falcon agent telemetry
  • Public-company stability (NASDAQ: CRWD) and strong sales motion
  • Charlotte AI assistant integrated across the Falcon console
  • Credible CIEM through identity-protection investment
  • Unified Falcon console for endpoint, identity, and cloud
  • Strong incident-response and threat-intelligence heritage
  • Used at major enterprise accounts globally

Weaknesses

  • CNAPP feature breadth trails Wiz and Orca
  • Agent-based primary posture has slower time-to-value than agentless
  • July 2024 Falcon sensor incident remains a buyer-relevant trust event
  • Post-July-2024 pricing-power posture has hardened in renewals
  • CSPM agentless graph maturity trails Wiz
  • Single-vendor-lock-in risk with CrowdStrike-stack consolidation
  • List pricing not public; everything goes through quote

Pricing tiers

opaque
  • Falcon Cloud Security Foundations
    Core CWPP with Falcon agent
    Quote
  • Falcon Cloud Security Advanced
    Adds CSPM, KSPM, IaC, vulnerability management
    Quote
  • Falcon Cloud Security Enterprise
    Full CNAPP plus Charlotte AI and dedicated support
    Quote
Watch for
  • · Per-workload pricing scales with VM, container, and serverless count
  • · CSPM and KSPM modules priced incrementally above Foundations
  • · Charlotte AI usage may be metered above included quota
  • · Bundling with Falcon EDR can mask true CNAPP unit economics

Key features

  • +Falcon agent telemetry pipeline for cloud workload protection
  • +Charlotte AI assistant integrated across Falcon console
  • +CSPM across AWS, Azure, GCP
  • +CWPP with deep agent-based runtime visibility
  • +CIEM with identity-graph analysis
  • +KSPM with kubernetes posture and admission-control
  • +Vulnerability management with Falcon agent telemetry
  • +IaC scanning across Terraform, CloudFormation
  • +Unified Falcon console across endpoint and cloud
  • +Threat intelligence from CrowdStrike Intelligence
90+ integrations
AWSAzureGCPKubernetesFalcon EDRFalcon IdentitySplunkServiceNowJiraPagerDutyMicrosoft Sentinel
Geography
Global; strongest in US, EMEA, APAC
View full CrowdStrike Falcon Cloud Security intelligence profile → Compare CrowdStrike Falcon Cloud Security →
#2

Orca Security

Agentless cloud security pioneer with deep SideScanning IP.

Founded 2019 · Tel Aviv, Israel · private · 200 to 50,000 employees
G2 4.6 (360)
Capterra 4.5
Custom quote
○ Sales call required
Visit Orca Security

Orca Security is the agentless CNAPP pioneer, founded 2019 in Tel Aviv by Avi Shua and a team that filed the foundational SideScanning patent in 2019 for reading cloud-workload disk snapshots out-of-band rather than via in-workload agents. The product reached a $1.8B valuation in late 2021 and has since maintained an independent path through the CNAPP consolidation cycle. Strengths: longest agentless track record in the category (the SideScanning patent predates Wiz), strong EMEA presence and Tel Aviv-anchored engineering talent, defensible workload coverage including VMs, containers, serverless, and managed services, transparent platform-team-friendly deployment (no agent rollout negotiation), and a credible competitive challenger position to Wiz on agentless-only ground. Trade-offs: brand recognition and momentum trail Wiz in 2026 (the Wiz secondary at $32B has compressed Orca mindshare in net-new evaluations), runtime-protection story depends on optional sensor deployment, and some kubernetes-first buyers prefer Aqua or Sysdig for depth on container admission-control and runtime forensics. Orca remains a legitimate Wiz alternative for buyers who want agentless CNAPP without the platform-leader pricing-power dynamic.

Best for

Security teams that want agentless multi-cloud CNAPP without the Wiz platform-leader pricing-power dynamic. Particularly strong for EMEA-headquartered buyers, mid-market organizations sensitive to Wiz pricing concerns, and platform teams that value the SideScanning architectural heritage. Sweet spot 200 to 20,000 employees and 20 to 500 cloud accounts.

Worst for

Buyers anchored on agent-based runtime depth (Sysdig is the better choice), kubernetes-first estates that need Aqua admission-control depth, Wiz-incumbent customers facing low switching cost, and buyers who require the broadest multi-cloud coverage including OCI and Alibaba.

Strengths

  • Longest agentless track record in the category (SideScanning patent 2019)
  • Strong EMEA presence and Tel Aviv engineering talent depth
  • Defensible workload coverage including VMs, containers, serverless, managed
  • Transparent platform-team-friendly deployment without agent rollout
  • Credible Wiz alternative on agentless-only ground
  • Strong attack-path and Crown Jewel analysis features
  • Active independent path through the CNAPP consolidation cycle

Weaknesses

  • Brand recognition and net-new evaluation momentum trail Wiz
  • Runtime-protection story depends on optional sensor deployment
  • Kubernetes-first depth trails Aqua and Sysdig on some controls
  • Smaller integration catalog than Wiz or Prisma Cloud
  • Some buyer reports of slower release cadence than Wiz through 2024 and 2025
  • Opaque list pricing; everything goes through quote

Pricing tiers

opaque
  • Cloud Workload Protection
    Core CSPM, CWPP, vulnerability scanning; quote-based by workload
    Quote
  • Full CNAPP
    Adds CIEM, KSPM, IaC scanning, attack-path analysis
    Quote
  • Enterprise
    Adds optional sensor, dedicated TAM, premium support
    Quote
Watch for
  • · Optional sensor priced separately for runtime coverage
  • · Per-workload pricing scales with VM, container, and serverless count
  • · Custom integrations may require Professional Services
  • · Annual contract typical 10 to 15 percent discount versus quarterly

Key features

  • +SideScanning agentless workload scanning (patented)
  • +Multi-cloud coverage across AWS, Azure, GCP
  • +CSPM with broad policy coverage including CIS, NIST, PCI, HIPAA
  • +CWPP including VM, container, serverless workload coverage
  • +CIEM with permission-graph and access-path analysis
  • +KSPM with admission-control and runtime kubernetes scanning
  • +Attack-path analysis with Crown Jewel scoring
  • +IaC and code-to-cloud scanning
  • +SIEM and ticketing integrations
  • +Optional runtime sensor for deeper detection
80+ integrations
AWSAzureGCPKubernetesSplunkDatadogServiceNowJiraSlackPagerDuty
Geography
Global; strongest in US, EMEA, Israel
View full Orca Security intelligence profile → Compare Orca Security →
#3

Aqua Security

The kubernetes-native original; container security extended to full CNAPP.

Founded 2015 · Ramat Gan, Israel · private · 200 to 50,000 employees
G2 4.5 (280)
Capterra 4.5
Custom quote
○ Sales call required
Visit Aqua Security

Aqua Security is the original kubernetes-native container security company, founded 2015 in Israel before CNAPP existed as a Gartner category. The product extended over the last decade from image scanning and runtime container protection into a full CNAPP including CSPM, CIEM, KSPM, and code-to-cloud posture. Aqua sponsors the popular open-source Trivy vulnerability scanner (acquired with Argon in 2021) and remains the deepest kubernetes-native CNAPP in the category. Strengths: longest kubernetes track record in the category, deepest admission-control and runtime container security, defensible open-source heritage through Trivy and Tracee, strong container-image and supply-chain security story, and credible standalone platform position through 2025 without acquisition pressure. Trade-offs: agentless multi-cloud breadth trails Wiz and Orca for buyers whose primary need is cloud-account posture rather than kubernetes depth, brand momentum has slowed since Wiz reset category expectations in 2020 to 2022, and the platform breadth (CSPM, CIEM) added to compete with Wiz feels less mature than the kubernetes-native core. Aqua remains a strong default for kubernetes-first estates and a defensible Wiz challenger for buyers prioritizing container-native depth.

Best for

Kubernetes-first security teams that prioritize container-native depth, admission-control, and runtime forensics over agentless multi-cloud breadth. Particularly strong for OpenShift estates, container-platform teams, and CISOs who want open-source-aligned tooling through Trivy and Tracee. Sweet spot 200 to 20,000 employees with substantial kubernetes investment.

Worst for

Buyers whose primary need is agentless multi-cloud account posture (Wiz or Orca is better), non-kubernetes estates, CrowdStrike-stack or Palo Alto-stack consolidators, and buyers who want the platform-leader brand and renewal-pricing-power dynamic of Wiz.

Strengths

  • Longest kubernetes-native track record in the category (since 2015)
  • Deepest admission-control and runtime container security
  • Open-source heritage through Trivy (vulnerability scanner) and Tracee (runtime)
  • Strong container-image and software-supply-chain security
  • Credible standalone position through 2025 without acquisition pressure
  • Multi-environment coverage including hybrid kubernetes and OpenShift
  • Active CNCF ecosystem participation

Weaknesses

  • Agentless multi-cloud breadth trails Wiz and Orca
  • Brand momentum slowed since Wiz reset category expectations
  • CSPM and CIEM modules feel less mature than kubernetes core
  • List pricing not public; everything goes through quote
  • Some buyer reports of integration friction between modules
  • Net-new mindshare in non-kubernetes-first deals trails Wiz

Pricing tiers

opaque
  • Aqua Standard
    Core container security, image scanning, runtime protection
    Quote
  • Aqua Advanced
    Adds CSPM, CIEM, KSPM, IaC scanning
    Quote
  • Aqua Enterprise
    Full CNAPP, supply-chain security, dedicated support
    Quote
Watch for
  • · Per-workload pricing scales with container, VM, and serverless count
  • · Aqua Advanced and Enterprise modules priced incrementally
  • · Custom integrations may require Professional Services
  • · Annual contract typical 10 percent discount versus monthly

Key features

  • +Kubernetes admission-control with policy enforcement
  • +Runtime container protection with eBPF
  • +Image scanning with Trivy open-source heritage
  • +Software supply-chain security including SBOM and signing
  • +CSPM across AWS, Azure, GCP
  • +CIEM with permission analysis
  • +KSPM with cluster posture and runtime detection
  • +IaC scanning across Terraform, CloudFormation, ARM
  • +Open-source Tracee runtime detection contribution
  • +SIEM, SOAR, and ticketing integrations
70+ integrations
KubernetesOpenShiftAWSAzureGCPDockerGitHubGitLabJenkinsSplunkServiceNow
Geography
Global; strongest in US, EMEA, Israel
View full Aqua Security intelligence profile → Compare Aqua Security →
#6

Tenable Cloud Security

Vulnerability-management heritage bolted into CNAPP via the Ermetic acquisition.

Founded 2002 · Columbia, MD · public · 500 to 100,000 employees
G2 4.4 (180)
Capterra 4.4
Custom quote
○ Sales call required
Visit Tenable Cloud Security

Tenable Cloud Security is the CNAPP arm of public-company vulnerability-management leader Tenable (NASDAQ: TENB), built primarily on the foundation of the October 2023 Ermetic acquisition ($265M). Ermetic was a credible standalone CIEM and CNAPP startup, and the acquisition gave Tenable a path to extend its Nessus and Tenable.io vulnerability-management franchise into multi-cloud posture and entitlement management. Strengths: defensible vulnerability-management heritage with deep CVE coverage, public-company stability, strong CIEM through the Ermetic-acquired engineering team, broad cloud-account coverage across AWS, Azure, and GCP, and credible platform consolidation for Tenable-stack buyers who want vuln-management plus CNAPP from one vendor. Trade-offs: post-acquisition integration risk is real (the Ermetic-Tenable platform unification is still in progress 18 months after the deal closed), CNAPP feature breadth trails Wiz and Prisma Cloud, runtime protection story is thinner than Sysdig and Aqua, brand recognition in CNAPP buying committees trails the pure-plays, and some buyer reports of Ermetic-era roadmap commitments slipping under Tenable ownership.

Best for

Tenable-stack security teams that want consolidated vulnerability-management plus CNAPP reporting from one vendor. Particularly strong for organizations with substantial existing Nessus or Tenable.io footprint, CIEM-anchored buyers who valued the Ermetic engineering approach, and mid-market enterprises that prefer public-company vendor stability over pure-play independence. Sweet spot 500 to 50,000 employees.

Worst for

Buyers prioritizing CNAPP feature breadth and category-leader brand (Wiz fits better), runtime-forensics-anchored buyers (Sysdig fits better), kubernetes-first estates (Aqua fits better), Palo Alto-stack consolidators, and buyers who do not value Tenable.io vuln-management heritage.

Strengths

  • Defensible vulnerability-management heritage with deep CVE coverage
  • Public-company stability (NASDAQ: TENB) and multi-year roadmap visibility
  • Strong CIEM through Ermetic-acquired engineering team
  • Broad cloud-account coverage across AWS, Azure, GCP
  • Credible platform consolidation for Tenable-stack buyers
  • Established compliance and reporting heritage from Nessus and Tenable.io
  • Reasonable pricing relative to Wiz and Prisma Cloud

Weaknesses

  • Post-acquisition integration risk; Ermetic-Tenable unification still in progress
  • CNAPP feature breadth trails Wiz and Prisma Cloud
  • Runtime protection story thinner than Sysdig and Aqua
  • Brand recognition in CNAPP buying committees trails pure-plays
  • Buyer reports of Ermetic-era roadmap commitments slipping
  • Kubernetes-native depth trails Aqua and Sysdig
  • List pricing not public; everything goes through quote

Pricing tiers

opaque
  • Tenable Cloud Security Essentials
    CSPM and CWPP basics
    Quote
  • Tenable Cloud Security Advanced
    Adds CIEM, KSPM, IaC scanning
    Quote
  • Tenable One Platform Bundle
    Combined vuln-management plus CNAPP with unified console
    Quote
Watch for
  • · Per-workload pricing scales with cloud-account and VM count
  • · CIEM and KSPM modules priced incrementally above Essentials
  • · Tenable One bundle requires existing Tenable.io commit
  • · Custom integrations may require Professional Services

Key features

  • +CSPM across AWS, Azure, GCP
  • +CWPP with workload posture and image scanning
  • +CIEM with permission-graph analysis (Ermetic heritage)
  • +KSPM with kubernetes posture
  • +IaC scanning across Terraform, CloudFormation
  • +Vulnerability management integration with Nessus and Tenable.io
  • +Unified Tenable One platform console
  • +Compliance reporting heritage from Nessus
  • +SIEM and ticketing integrations
  • +Public-company support SLAs
60+ integrations
AWSAzureGCPKubernetesNessusTenable.ioSplunkServiceNowJiraPagerDuty
Geography
Global; strongest in US, EMEA
View full Tenable Cloud Security intelligence profile → Compare Tenable Cloud Security →
#9

Check Point CloudGuard

Legacy enterprise CNAPP from the Check Point firewall heritage; slow velocity.

Founded 1993 · Tel Aviv, Israel · public · 5,000 to 100,000 employees
G2 4.3 (180)
Capterra 4.3
Custom quote
○ Sales call required
Visit Check Point CloudGuard

Check Point CloudGuard is the CNAPP arm of public-company firewall-heritage vendor Check Point Software (NASDAQ: CHKP), positioned as the cloud-security continuation of the Check Point Infinity platform that extends from on-prem firewalls into cloud workloads. The product is built primarily on the Dome9 acquisition (2018) for CSPM, plus subsequent module additions for CWPP, KSPM, and IaC. Strengths: defensible public-company stability, established global enterprise account presence inherited from the firewall business, integration with Check Point Infinity for buyers anchored on the Check Point stack, and reasonable feature coverage on paper. Trade-offs: product velocity has visibly lagged Wiz, Orca, Sysdig, and Aqua through 2023 to 2025, brand momentum in CNAPP evaluations is weak (Check Point CloudGuard rarely wins net-new mid-market or enterprise CNAPP deals against pure-plays in 2026), the cloud-security organization sits within a larger firewall-business culture that has not prioritized CNAPP velocity, and the post-Dome9 integration period left visible UX inconsistencies. Most buyers in 2026 should treat CloudGuard as a legacy enterprise choice that fits only existing Check Point-stack consolidators.

Best for

Existing Check Point-stack enterprises that want cloud security from the same vendor as their firewall and Infinity platform. Particularly applicable for organizations with deep Check Point NGFW footprint and CIO-mandated single-vendor cloud-plus-network security posture. Sweet spot 5,000 to 100,000 employees with established Check Point relationship.

Worst for

Net-new CNAPP buyers, organizations not anchored on Check Point, buyers prioritizing product velocity and brand momentum (Wiz, Orca fit better), kubernetes-first estates (Aqua fits better), runtime-forensics buyers (Sysdig fits better), and any buyer who does not have an existing Check Point procurement relationship.

Strengths

  • Public-company stability (NASDAQ: CHKP) and multi-decade vendor presence
  • Established global enterprise account presence from firewall heritage
  • Integration with Check Point Infinity for stack consolidators
  • Reasonable feature coverage on paper across CSPM, CWPP, KSPM
  • Defensible compliance and audit reporting heritage
  • Long-running customer relationships in regulated industries

Weaknesses

  • Product velocity visibly lags Wiz, Orca, Sysdig, Aqua through 2023 to 2025
  • Brand momentum weak in net-new CNAPP evaluations
  • Cloud-security organization sits within firewall-business culture
  • Post-Dome9 integration period left visible UX inconsistencies
  • Net-new mid-market and enterprise CNAPP wins rare against pure-plays
  • List pricing not public; everything goes through quote
  • Multi-cloud breadth trails Wiz and Prisma Cloud

Pricing tiers

opaque
  • CloudGuard CSPM
    Core cloud-posture management (Dome9 heritage)
    Quote
  • CloudGuard CNAPP
    Adds CWPP, KSPM, IaC, vulnerability management
    Quote
  • CloudGuard plus Infinity Bundle
    Integrated with Check Point Infinity platform
    Quote
Watch for
  • · Per-workload pricing scales with VM and container count
  • · Modules priced incrementally above CSPM baseline
  • · Infinity bundling can mask true CNAPP unit economics
  • · Custom integrations may require Professional Services

Key features

  • +CSPM with Dome9 heritage across AWS, Azure, GCP
  • +CWPP with workload posture
  • +KSPM with kubernetes posture
  • +IaC scanning across Terraform, CloudFormation
  • +Vulnerability management integration
  • +Integration with Check Point Infinity platform
  • +Compliance reporting for SOC 2, PCI, HIPAA, NIST
  • +SIEM integration including Check Point Horizon
  • +Network-security visibility through firewall heritage
  • +Multi-tenancy for service providers
55+ integrations
AWSAzureGCPKubernetesCheck Point NGFWCheck Point InfinitySplunkServiceNowJira
Geography
Global; strongest in EMEA, Israel
View full Check Point CloudGuard intelligence profile → Compare Check Point CloudGuard →
#7

Lacework

Polygraph-based CNAPP now operating as a Fortinet subsidiary after a sharp 2024 down round.

Founded 2015 · San Jose, CA · subsidiary · 1,000 to 50,000 employees
G2 4.2 (220)
Capterra 4.3
Custom quote
○ Sales call required
Visit Lacework

Lacework is the Polygraph-based CNAPP product founded in 2015 that reached an $8.3B valuation at its 2022 funding peak before announcing layoffs in 2023 and ultimately being acquired by Fortinet in August 2024 at a reported sharp down round from the 2022 peak (terms not publicly disclosed but widely reported as a fraction of the 2022 valuation). The product is built around the Polygraph behavioral analytics engine that builds an automated baseline of cloud-account behavior and detects anomalies, plus CSPM, CWPP, KSPM, and vulnerability management. Strengths: defensible Polygraph behavioral analytics technology, deep AWS coverage, established enterprise customer base, and Fortinet acquisition provides parent-company stability and integration with the Fortinet Security Fabric. Trade-offs: post-acquisition integration risk is significant (Fortinet absorbing a once-independent CNAPP pure-play is a multi-quarter project), product velocity has visibly slowed since the 2023 layoffs and 2024 acquisition, multiple verified buyer reports of customer churn through 2024 and 2025, and the Fortinet stack is not the natural consolidation point for CNAPP buying committees that did not previously favor Fortinet. Most buyers should treat Lacework as a high-risk choice in 2026 unless they are committed Fortinet-stack consolidators.

Best for

Existing Lacework customers who are Fortinet-stack consolidators and value the Polygraph behavioral analytics heritage. Particularly applicable for organizations with deep Fortinet NGFW or FortiSIEM footprint that want integrated cloud security from the Fortinet Security Fabric. Sweet spot 1,000 to 50,000 employees with established Fortinet relationship.

Worst for

Net-new CNAPP buyers, organizations not anchored on Fortinet, buyers prioritizing product velocity and brand momentum (Wiz fits better), kubernetes-first estates (Aqua fits better), runtime-forensics buyers (Sysdig fits better), and any buyer not willing to absorb post-acquisition integration risk.

Strengths

  • Defensible Polygraph behavioral analytics technology
  • Deep AWS coverage with established enterprise customer base
  • Fortinet parent-company stability post-August-2024 acquisition
  • Integration path into Fortinet Security Fabric
  • CWPP with anomaly-detection heritage that predates many competitors
  • Compliance and reporting depth for enterprise audits

Weaknesses

  • Sharp 2024 down round from $8.3B 2022 peak signals platform pressure
  • Post-acquisition integration risk significant; Fortinet absorption ongoing
  • Product velocity visibly slowed since 2023 layoffs and 2024 acquisition
  • Verified buyer reports of customer churn through 2024 and 2025
  • Fortinet stack is not the natural consolidation point for most CNAPP buyers
  • Brand momentum collapsed in net-new evaluations through 2024
  • List pricing not public; everything goes through quote

Pricing tiers

opaque
  • Lacework CWPP
    Core workload protection with Polygraph
    Quote
  • Lacework CNAPP
    Adds CSPM, KSPM, vulnerability management
    Quote
  • Lacework FortiCNAPP Bundle
    Integrated with Fortinet Security Fabric
    Quote
Watch for
  • · Post-acquisition pricing-model changes possible under Fortinet ownership
  • · Per-workload pricing scales with VM and container count
  • · Custom integrations may require Professional Services
  • · Renewal terms increasingly tied to Fortinet enterprise agreements

Key features

  • +Polygraph behavioral analytics for cloud-account baseline
  • +CSPM across AWS, Azure, GCP
  • +CWPP with anomaly-detection heritage
  • +KSPM with kubernetes posture
  • +Vulnerability management with risk scoring
  • +Integration path into Fortinet Security Fabric
  • +Compliance reporting for SOC 2, PCI, HIPAA, NIST
  • +SIEM integration including FortiSIEM
  • +IaC scanning
  • +Anomaly detection on user behavior
50+ integrations
AWSAzureGCPKubernetesFortiSIEMFortinet NGFWSplunkServiceNowJira
Geography
Global; strongest in US
View full Lacework intelligence profile → Compare Lacework →
#10

Uptycs

XDR-CNAPP convergence with one osquery-based agent across the estate.

Founded 2016 · Waltham, MA · private · 200 to 25,000 employees
G2 4.5 (140)
Capterra 4.4
Custom quote
○ Sales call required
Visit Uptycs

Uptycs is the XDR-CNAPP convergence bet, founded 2016 in Waltham, MA around the open-source osquery project (originally created at Facebook) and positioned as the unified telemetry platform that runs one agent across servers, containers, kubernetes, laptops, and cloud. The company has raised over $130M in cumulative funding and maintains an independent path through 2025. Strengths: defensible osquery open-source heritage, one-agent architecture removes the typical two-agent friction between endpoint and cloud security teams, credible CSPM, CWPP, KSPM, and CIEM coverage, strong forensic-evidence story through osquery telemetry, and active independent operation through the CNAPP consolidation cycle. Trade-offs: smaller vendor footprint than Wiz, Orca, Aqua, or Sysdig (multi-year runway is a real evaluation factor), brand momentum trails the pure-play CNAPP leaders, agentless multi-cloud breadth trails Wiz, the XDR-CNAPP convergence thesis is a strategic bet that not all security organizations buy (many keep endpoint and cloud security separate by design), and net-new evaluation wins remain modest. Strong choice for security teams that want one telemetry pipeline; weaker default for buyers that want clear category-leader status.

Best for

Security teams that want one telemetry pipeline across endpoint, server, container, kubernetes, and cloud, plus the forensic-evidence depth of osquery. Particularly strong for SOC-led organizations that value unified detection and response across the estate, mid-market security teams that want CNAPP plus XDR from one vendor, and open-source-aligned buyers. Sweet spot 200 to 10,000 employees.

Worst for

Buyers prioritizing category-leader brand and net-new evaluation momentum (Wiz fits better), kubernetes-first estates that need Aqua admission-control depth, runtime-forensics buyers anchored on Falco (Sysdig fits better), CrowdStrike-stack or Palo Alto-stack consolidators, and buyers who want a separate clean line between endpoint and cloud security.

Strengths

  • Defensible osquery open-source heritage from the Facebook origin
  • One-agent architecture across servers, containers, kubernetes, laptops, cloud
  • Credible CSPM, CWPP, KSPM, CIEM coverage in one platform
  • Strong forensic-evidence story through osquery telemetry
  • Active independent operation through CNAPP consolidation cycle
  • Reasonable pricing relative to Wiz and Prisma Cloud
  • XDR-plus-CNAPP unified telemetry for SOC efficiency

Weaknesses

  • Smaller vendor footprint; multi-year runway is a real evaluation factor
  • Brand momentum trails pure-play CNAPP leaders
  • Agentless multi-cloud breadth trails Wiz
  • XDR-CNAPP convergence thesis not all buyers buy into
  • Net-new evaluation wins remain modest
  • Kubernetes admission-control depth trails Aqua
  • List pricing not public; everything goes through quote

Pricing tiers

opaque
  • Uptycs CNAPP
    CSPM, CWPP, KSPM, CIEM via osquery telemetry
    Quote
  • Uptycs XDR
    Endpoint detection and response via osquery telemetry
    Quote
  • Uptycs Unified Platform
    Combined CNAPP plus XDR with one agent and console
    Quote
Watch for
  • · Per-endpoint and per-workload pricing scales with estate size
  • · XDR and CNAPP modules priced incrementally on combined bundle
  • · Custom integrations may require Professional Services
  • · Annual contract typical 10 to 15 percent discount versus monthly

Key features

  • +osquery-based unified telemetry across endpoint, server, container, kubernetes, cloud
  • +CSPM across AWS, Azure, GCP
  • +CWPP with workload posture and runtime visibility
  • +KSPM with kubernetes posture and runtime detection
  • +CIEM with permission analysis
  • +XDR with endpoint detection and response
  • +IaC scanning across Terraform, CloudFormation
  • +Forensic-evidence depth through osquery telemetry
  • +One agent, one console across the estate
  • +SIEM and ticketing integrations
50+ integrations
AWSAzureGCPKubernetesDockerSplunkServiceNowJiraPagerDutyMicrosoft Sentinel
Geography
Global; strongest in US, EMEA, India
View full Uptycs intelligence profile → Compare Uptycs →

Frequently asked questions

The questions buyers actually ask before they sign.

Does DPDP Act 2023 affect CNAPP vendor selection for Indian enterprises?
Yes, primarily through data-residency expectations. CNAPP platforms process cloud asset metadata, identity graphs, and workload telemetry; where customer workloads contain personal data of Indian data principals, this metadata processing falls under DPDP scope. Significant data fiduciaries (Indian B2C tech crossing DPDP thresholds) face data-localisation obligations. The practical compliance posture: deploy CNAPP in AWS Mumbai (ap-south-1), AWS Hyderabad (ap-south-2), GCP Mumbai, or Azure India; verify in contract that all CNAPP metadata processing remains in India region (not just primary data plane); avoid CNAPP vendors that route telemetry through US-only processing centers. Wiz, Orca, Prisma Cloud, Sysdig, and CrowdStrike all support India data residency; specifically negotiate this in MSA and DPA before procurement.
How do Indian unicorns like Zomato and Razorpay run CNAPP at scale?
Indian B2C unicorns typically run hybrid architectures. Zomato, Swiggy, Razorpay, and CRED have published engineering blogs discussing cloud security operations: Wiz, Orca, or Prisma Cloud for the posture and CIEM layer; internal tooling and open-source Falco for runtime detection at the highest-velocity services; SIEM integration into Splunk, Sumo Logic, or in-house security data lakes for correlation. The pattern at Indian unicorn scale: commercial CNAPP for cloud-account posture, identity, and IaC; selective runtime sensor deployment on the most security-critical workloads (payment processing, user authentication, data stores) rather than across the entire fleet. CERT-In 6-hour breach reporting and RBI cyber-resilience evidence requirements drive the commercial CNAPP investment; cost discipline drives the selective runtime sensor deployment pattern.
Is there a CNAPP vendor with stronger India presence than Wiz or Prisma Cloud?
No, not at competitive scale. India does not have a domestic CNAPP vendor at the maturity level of Wiz, Orca, Sysdig, or Prisma Cloud as of 2026. Indian cybersecurity product companies exist in adjacent categories (Sequretek in XDR, Tata Communications in managed security, identity and access management players) but no Indian-built cloud-native CNAPP platform competes with the US and Israeli vendors. Indian buyers should expect to procure from Wiz, Orca Security, Sysdig, Prisma Cloud, CrowdStrike, or Aqua with India sales support via Mumbai or Bangalore offices, India data residency contracted explicitly, and Indian rupee billing through reseller arrangements. India-headquartered systems integrators (Wipro CRS, TCS Enterprise Security & Risk, Infosys Cybersecurity, HCL Cybersecurity) provide the local implementation and managed services layer.
How does CERT-In 6-hour breach notification affect CNAPP buying priorities?
Significantly. The 6-hour window from incident detection to CERT-In notification is the tightest cybersecurity reporting timeline in the world; meeting it requires CNAPP runtime detection and forensics capability operating in close-to-real-time. Indian CISOs have pulled forward three CNAPP capabilities in 2024-2026 procurement: (1) runtime detection with detailed event capture (Sysdig Falco-based runtime forensics is most-cited); (2) attack-path reachability for rapid blast-radius determination (Wiz Security Graph leads here); (3) unified endpoint-cloud incident timeline for incident scoping (CrowdStrike Falcon Cloud Security plus Falcon EDR). The 180-day log retention requirement also drives CNAPP storage and export architecture decisions; verify with your CNAPP vendor that 180-day retention is supported within India region without cross-border log transfer.
What is CNAPP, and how does it differ from CSPM, CWPP, and CIEM?
CNAPP (Cloud-Native Application Protection Platform) is the Gartner-coined umbrella category that consolidates five previously separate cloud-security product types into one platform. CSPM (Cloud Security Posture Management) scans cloud-provider control planes for misconfigurations (open S3 buckets, public RDS, over-permissive IAM). CWPP (Cloud Workload Protection Platform) protects workloads (VMs, containers, serverless) at runtime through image scanning, vulnerability detection, and runtime defense. CIEM (Cloud Infrastructure Entitlement Management) maps identity-to-resource permissions and surfaces least-privilege violations and toxic-combination access paths. KSPM (Kubernetes Security Posture Management) is the kubernetes-specific subset of CSPM plus admission-control. ASPM (Application Security Posture Management) ties code-level findings through to cloud-deployed workloads. CNAPP bundles CSPM, CWPP, CIEM, and KSPM (plus increasingly ASPM) into one platform with cross-domain context (a misconfigured IAM role plus a public workload plus a known CVE becomes one prioritized attack path). The CNAPP category took shape after Wiz launched in 2020 with an agentless graph-based approach that reset category time-to-value expectations.
Agentless or agent-based CNAPP: which is right for my organization?
Both, layered. Agentless (Wiz, Orca, and the agentless parts of every other CNAPP) reads cloud-provider APIs and out-of-band workload disk snapshots to get fast time-to-value (days, not weeks) and broad multi-cloud account coverage without negotiating agent rollout with infrastructure teams. Agent-based (Sysdig sensors, CrowdStrike Falcon, Aqua runtime, Lacework Polygraph) deploys an in-workload agent to get deeper runtime forensics, eBPF-based system-call detail, and incident-response evidence. The 2026 best practice is agentless-first for breadth across cloud accounts plus selective agent deployment where runtime depth is required (production-tier workloads, high-blast-radius services, regulated environments). Most leading CNAPP platforms now offer both; the architectural emphasis varies (Wiz is agentless-primary with optional Runtime Sensor, Sysdig is agent-primary with agentless add-on, Aqua is kubernetes-agent-primary).
How much should a 5,000-employee enterprise budget for CNAPP in 2026?
Verified medians from our pricing corpus. Wiz at 5,000 employees with 50 cloud accounts: approximately $360,000 per year. Orca at 5,000 employees: approximately $280,000 per year. Aqua at 5,000 employees with kubernetes-heavy estate: approximately $240,000 per year. Sysdig at 5,000 employees: approximately $220,000 per year. Prisma Cloud at 5,000 employees: approximately $380,000 per year on the low end, up to $1.1M at the larger account scope. Tenable Cloud Security at 5,000 employees: approximately $180,000 per year. CrowdStrike Falcon Cloud Security at 5,000 employees: approximately $260,000 per year. The largest drivers of CNAPP unit cost are cloud-account count (not just employee count), workload count (VMs, containers, serverless), and module breadth (CIEM, runtime sensor, code-to-cloud, WAAP). Renewal-pricing creep has been a real complaint pattern on Wiz and Prisma Cloud through 2024 and 2025; budget for 15 to 30 percent renewal increases unless contractually locked.
What happened with the Wiz-Google acquisition talks?
In July 2024, Reuters and Wall Street Journal reported that Google had offered approximately $23B to acquire Wiz. Wiz reportedly declined the offer to pursue an independent IPO path; reports indicate talks resumed in later periods. The dynamic matters for buyers in two ways. First, the post-talks period has visibly hardened Wiz pricing-power posture in renewals (multiple verified buyer reports of 30 to 60 percent renewal-pricing increases at scale through 2024 and 2025). Second, the eventual ownership outcome (independent IPO, Google acquisition, or other) materially shapes the multi-year roadmap and integration story for Wiz customers. Buyers signing multi-year Wiz contracts in 2026 should write in renewal-pricing caps and consider acquisition-trigger clauses where commercially possible.
What happened with the Lacework-Fortinet acquisition?
Fortinet announced the Lacework acquisition in August 2024 at a reported sharp down round from the $8.3B 2022 valuation peak (terms not publicly disclosed but widely reported as a fraction of the 2022 valuation). The acquisition followed a difficult period at Lacework: $1.3B 2021 funding round at $8.3B valuation, 20 percent layoffs announced in 2022 and 2023, and visible customer churn through 2023 to 2024. Post-acquisition, Lacework operates as a Fortinet subsidiary with the FortiCNAPP brand integrating into the Fortinet Security Fabric. Buyer-relevant implications: product velocity has visibly slowed since the 2023 layoffs and 2024 acquisition, customer churn through 2024 and 2025 remains a real pattern, and the Fortinet stack is not the natural consolidation point for most net-new CNAPP buying committees. Most buyers should treat Lacework as a high-risk choice in 2026 unless they are committed Fortinet-stack consolidators.
What happened with the Ermetic-Tenable acquisition?
Tenable acquired Ermetic in October 2023 for $265M to bolt CIEM and CNAPP capability onto its Nessus and Tenable.io vulnerability-management franchise. Ermetic was a credible standalone CIEM and CNAPP startup founded 2019, and the acquisition was widely viewed as a sensible platform extension for Tenable. Post-acquisition, integration has been multi-quarter work: the Tenable One unified platform launched in 2024 folding CNAPP into the broader exposure-management story, but multiple verified buyer disclosures through late 2024 and 2025 cite Ermetic-era roadmap commitments slipping under Tenable ownership and UX inconsistencies between the Ermetic-heritage CIEM module and the rest of the Tenable platform. Buyer-relevant framing: Tenable Cloud Security is a credible mid-tier CNAPP choice for Tenable-stack consolidators, but buyers should weigh post-acquisition integration risk and verify roadmap commitments in writing before signing multi-year deals.
Do I need a separate CSPM tool plus a separate CWPP tool, or just CNAPP?
CNAPP. The category exists precisely to consolidate CSPM and CWPP (plus CIEM and KSPM) into one platform with cross-domain context. The 2018 to 2020 model of buying separate CSPM (Dome9, RedLock, Prisma Cloud Compute) plus separate CWPP (Twistlock, Aqua, Lacework) plus separate CIEM (Ermetic, Sonrai) plus separate KSPM (Aqua, StackRox) is increasingly obsolete in 2026. Modern CNAPP platforms (Wiz, Orca, Aqua, Sysdig, Prisma Cloud, Tenable Cloud Security, CrowdStrike Falcon Cloud Security) cover all four domains with cross-domain context: a misconfigured IAM role plus a public workload plus a known CVE plus a sensitive-data path becomes one prioritized attack path rather than four separate findings. Buyers running multiple legacy point tools should consolidate onto a single CNAPP platform in 2026; the operational savings (one console, one finding-priority model, one vendor relationship) typically justify the migration cost within 12 to 18 months.
How does CNAPP overlap with SIEM, SOAR, and XDR?
CNAPP, SIEM, SOAR, and XDR are complementary layers in the modern security stack. CNAPP focuses on the cloud-native posture and workload-protection surface (CSPM, CWPP, CIEM, KSPM). SIEM (Splunk, Microsoft Sentinel, Elastic) aggregates logs and events from across the estate (cloud, endpoint, identity, network) and runs detection rules. SOAR (Tines, Torq, Cortex XSOAR) automates incident response playbooks across SIEM and other security tools. XDR (CrowdStrike Falcon, SentinelOne, Microsoft Defender XDR) extends endpoint detection and response into other domains (identity, email, cloud workloads). The 2026 best practice is to deploy CNAPP for the cloud surface, integrate CNAPP findings into SIEM for cross-domain correlation, use SOAR to automate response, and use XDR for the endpoint-anchored detection story (with optional extension into cloud workloads). The Uptycs bet is that XDR and CNAPP converge into one platform; the CrowdStrike bet is similar through Falcon Cloud Security. Most enterprises in 2026 still keep CNAPP and XDR as separate platforms.
What is the difference between Wiz Runtime Sensor and Sysdig Falco?
Both are deployed runtime sensors that provide eBPF-based runtime detection for cloud workloads, but the architectural posture is different. Wiz Runtime Sensor is positioned as an optional add-on to the agentless-primary Wiz CNAPP, deployed selectively on workloads where runtime depth is required (production-tier, high-blast-radius, regulated). Sysdig Falco is the open-source CNCF-graduated runtime detection engine that anchors Sysdig CWPP; it is agent-primary and deployed broadly across the estate. Wiz Runtime Sensor has a tighter integration with the Wiz Security Graph for cross-domain context (runtime alerts decorated with posture, identity, and attack-path data). Falco has a longer track record, broader open-source ecosystem participation, and deeper runtime-rule library through the Falco community. The buyer choice is architectural posture: agentless-primary with selective sensor (Wiz) versus agent-primary with broad sensor deployment (Sysdig). Both are credible; the right call depends on whether runtime depth or agentless breadth is the binding constraint.
Should I be worried about post-acquisition risk on Lacework, Ermetic, and Bridgecrew?
Yes, with different weights. Lacework (Fortinet, August 2024 at sharp down round from $8.3B peak): highest post-acquisition risk in the category, product velocity visibly slowed, customer churn through 2024 and 2025 documented, Fortinet stack is not the natural consolidation point for most CNAPP buyers. Treat as high-risk unless committed Fortinet-stack consolidator. Ermetic (Tenable, October 2023, $265M): moderate post-acquisition risk, integration into Tenable One unified platform is multi-quarter work, Ermetic-era roadmap commitments slipping per buyer disclosures, but Tenable is a stable public-company parent and the CIEM capability remains credible. Treat as a mid-tier choice for Tenable-stack buyers; verify roadmap commitments in writing. Bridgecrew (Palo Alto, February 2021, $156M): integration into Prisma Cloud took multiple quarters but is now substantially complete; the IaC and code-to-cloud capability is a defensible part of the Prisma Cloud platform, and the post-acquisition risk has largely cleared. The pattern matters: CNAPP acquisitions take 18 to 36 months to fully integrate, and product velocity often slows during integration; buyers should weigh post-acquisition risk explicitly in multi-year deals.

Final word

Looking at a different market? See the global CNAPP Software ranking, or pick another country at the top of this page.

Last updated 2026-05-23. Local pricing reverified quarterly. Found something inaccurate? Tell us.