Skip to content
Z Zendikt
United States edition · 10 products ranked · Verified 2026-05-23

Top 10 CNAPP Software in the United States for 2026

Independent US ranking of CNAPP platforms, USD pricing, FedRAMP status by vendor, agentless versus agent-based posture trade-offs, and DoD CMMC fit for 2026.

← Global ranking · Category overview
CNAPP Software by country
🌐 Global United States India United Kingdom France Germany

United States verdict (TL;DR)

Verified 2026-05-23

Wiz dominates the US CNAPP market in 2026 by deployment scale, brand, and net-new evaluation win rate, with reported $32B secondary valuation and Fortune 100 customer wins at JPMorgan Chase, Salesforce, and Blackstone. Orca Security is the credible agentless alternative for buyers resistant to Wiz pricing-power renewals (30-60% increases reported at scale). Sysdig wins US financial services (Goldman Sachs, BNP Paribas reference accounts) on Falco-based runtime forensics. Palo Alto Prisma Cloud is the default for US enterprises already on Palo Alto NGFW or Cortex XDR. CrowdStrike Falcon Cloud Security wins where Falcon EDR is already the endpoint default. FedRAMP status matters for US federal and defense buyers: Wiz, Orca, Prisma Cloud, Sysdig, and Aqua are in-process or authorized; verify current status before procurement.

Picks for United States

  • US enterprise multi-cloud default (Fortune 500, 50+ cloud accounts): wiz-cnapp Wiz is the rational US enterprise default in 2026. Reported $32B secondary valuation, Fortune 100 reference customers (JPMorgan Chase, BMW, Salesforce), broadest multi-cloud coverage including AWS GovCloud, Azure Government, and OCI. FedRAMP in-process. The Wiz Security Graph remains the cleanest investigation interface for US SOCs. Negotiate renewal pricing aggressively; 30-60% renewal increases reported at scale through 2025.
  • US buyers resistant to Wiz pricing-power renewals (mid-market and enterprise): orca-cnapp Orca is the agentless alternative with the SideScanning patent heritage (2019) that predates Wiz. Used by Robinhood, Lemonade, and Databricks. Transparent platform-team-friendly deployment. Pricing typically 20-35% below Wiz at comparable workload scope. Independent path through CNAPP consolidation; no acquisition pressure as of 2026.
  • US financial services and SOC runtime-forensics buyers: sysdig-cnapp Sysdig is the Falco creator (CNCF graduated runtime detection). Goldman Sachs, BNP Paribas, and Worldpay reference customers in US financial services. Sysdig Threat Research Team publishes credible attack advisories. eBPF runtime depth wins where SOC teams need defensible runtime evidence for incident response and SEC cyber-disclosure obligations.
  • US Palo Alto Networks-stack enterprises consolidating: prisma-cloud-cnapp Prisma Cloud is the default when NGFW, Cortex XDR, or Cortex XSIAM is already the US enterprise standard. Broadest feature surface (CSPM, CWPP, CIEM, IaC via Bridgecrew, WAAP, DSPM). Highest license cost in the category; credit-based pricing model creates consumption surprises. FedRAMP Moderate authorized for federal customers.
  • US CrowdStrike-stack security organizations extending to cloud: crowdstrike-cnapp Falcon Cloud Security leverages the existing Falcon agent and Charlotte AI for cloud workload protection. Best when Falcon EDR is already deployed across the US estate. Single console across endpoint, identity (Falcon Identity), and cloud. FedRAMP High authorized. Wins consolidation deals where one-vendor coverage outweighs best-of-breed CNAPP depth.
  • US kubernetes-first estates (OpenShift, EKS, GKE-heavy): aqua-cnapp Aqua is the kubernetes-native original. Deepest admission-control and runtime container security in the category. Trivy open-source heritage drives US practitioner trust. Best for US enterprises with substantial OpenShift investment or container-platform teams that prioritize image-scanning and supply-chain security over agentless multi-cloud breadth.
  • US Tenable-stack vulnerability management buyers extending to CNAPP: tenable-cloud-cnapp The Ermetic acquisition (October 2023, $265M) gave Tenable credible CIEM and CNAPP capability bolted onto Nessus and Tenable.io. Best for US enterprises already running Tenable for traditional vuln management; consolidated reporting and unified asset inventory across on-premises and cloud. Verify Ermetic integration roadmap in contract.
Market context

How the cnapp software market looks in United States

The United States is the origin market for CNAPP and remains the deepest by revenue, installed base, and product velocity. Wiz (New York), Orca Security (US sales-led despite Tel Aviv HQ), Sysdig (San Francisco), Palo Alto Prisma Cloud (Santa Clara), CrowdStrike Falcon Cloud Security (Austin), Tenable Cloud Security (Columbia MD), Lacework (San Jose), and Uptycs (Waltham) are all US-headquartered or US-led. Combined US CNAPP spend crossed $4B annually by 2025 per Gartner cloud-security tracker.

US enterprise buyers in 2026 are making three structural calls. First, platform consolidation versus best-of-breed: Palo Alto-anchored enterprises (Bank of America, AT&T, Verizon) lean toward Prisma Cloud despite higher license cost; CrowdStrike-anchored organizations (Shopify, Goldman Sachs Falcon installations) lean toward Falcon Cloud Security; Tenable-anchored vulnerability programs lean toward Tenable Cloud Security via Ermetic. Independent best-of-breed buyers default to Wiz or Orca. Second, agentless versus agent-based: agentless wins for fast time-to-value and infrastructure-team friction avoidance (Wiz, Orca lead here); agent-based wins for runtime forensics depth (Sysdig leads). Third, post-acquisition risk absorption: Lacework under Fortinet (August 2024 down round from $8.3B 2022 peak) and Ermetic under Tenable are the two live integration risks US buyers actively underwrite.

FedRAMP status is the decisive procurement gate for US federal and DoD CNAPP buying. Wiz, Orca, Sysdig, Aqua, and Prisma Cloud are in-process or authorized at various baselines; CrowdStrike Falcon Cloud Security holds FedRAMP High authorization. US Department of Defense CMMC 2.0 compliance pushes defense industrial base CNAPP buying toward FedRAMP-authorized platforms exclusively by 2026. SEC cyber-disclosure rules (effective December 2023) have raised CISO accountability for material cloud security incidents at US public companies, increasing demand for defensible runtime forensics (the Sysdig pitch) and audit-grade asset inventory (the Wiz Security Graph pitch).

US healthcare and financial services drive disproportionate CNAPP demand. HIPAA-regulated estates require BAA coverage from CNAPP vendors; PCI DSS for payment processors requires segmentation and runtime monitoring evidence. Wiz, Prisma Cloud, and CrowdStrike all offer HIPAA BAA at enterprise tier. Verified pricing data: US mid-market deals (500-5,000 employees) run $200K-$400K annually; US enterprise (5,000+ employees, 250+ cloud accounts) runs $1M-$3M annually for Wiz and $1.5M-$5M for Prisma Cloud at full Enterprise scope.

Compliance & local rules

FedRAMP: Wiz, Orca Security, Sysdig, Aqua, and Prisma Cloud are FedRAMP in-process or authorized at Moderate baseline; CrowdStrike Falcon Cloud Security holds FedRAMP High authorization. Verify current status at marketplace.fedramp.gov before federal procurement. SOC 2 Type II: required from every CNAPP vendor; all top 10 platforms hold current attestations. HIPAA: US healthcare buyers (Epic-adjacent estates, payer cloud workloads) require BAA; Wiz, Prisma Cloud, CrowdStrike, and Sysdig offer HIPAA BAA at Enterprise tier; verify coverage of all subprocessors. PCI DSS v4.0: payment processor CNAPP deployments must satisfy PCI DSS 4.0 requirements 1.x (network security), 6.x (secure systems), 10.x (logging) and 11.x (testing); CNAPP-derived evidence is increasingly accepted by QSAs but verify with your assessor. SEC cyber-disclosure rules (December 2023): material cybersecurity incidents at US public companies require Form 8-K disclosure within four business days; CISOs are pulling CNAPP runtime-forensics capability forward to meet materiality determination timelines. CMMC 2.0: DoD contractors at CMMC Level 2 and Level 3 require FedRAMP-equivalent cloud security platforms; verify CNAPP vendor authorization status before bidding on defense contracts. CCPA/CPRA: cloud workload metadata containing California consumer personal information falls under CPRA scope; CNAPP vendors processing cloud-account snapshots must support deletion and access request workflows. NIST SP 800-53 Rev 5: federal CNAPP deployments require mapping to NIST control families; Wiz, Prisma Cloud, and Sysdig publish NIST control mapping templates. FTC Section 5: post-breach FTC enforcement of cloud misconfiguration negligence has accelerated; CNAPP detection-to-remediation evidence is being requested in FTC investigations of US breach incidents.

At a glance

Quick comparison, ranked for United States

Product Best for Starts at 10-emp/mo* Pricing G2 Geo
1 Wiz
Mid-market and enterprise multi-cloud security teams
 Quote - 4.7 Global; strongest in US, EMEA, AUS
2 Orca Security
Mid-market and enterprise agentless CNAPP buyers
 Quote - 4.6 Global; strongest in US, EMEA, Israel
4 Sysdig
Mid-market and enterprise runtime-forensics buyers
 Quote - 4.6 Global; strongest in US, EMEA
5 Palo Alto Prisma Cloud
Palo Alto-stack enterprises and global accounts
 Quote - 4.3 Global; strongest in US, EMEA, APAC
8 CrowdStrike Falcon Cloud Security
CrowdStrike-stack enterprises and global accounts
 Quote - 4.5 Global; strongest in US, EMEA, APAC
3 Aqua Security
Kubernetes-first mid-market and enterprise security teams
 Quote - 4.5 Global; strongest in US, EMEA, Israel
6 Tenable Cloud Security
Tenable-stack enterprises consolidating vuln-management plus CNAPP
 Quote - 4.4 Global; strongest in US, EMEA
7 Lacework
Fortinet-stack enterprises and existing Lacework customers
 Quote - 4.2 Global; strongest in US
10 Uptycs
SOC-led mid-market and enterprise XDR-plus-CNAPP buyers
 Quote - 4.5 Global; strongest in US, EMEA, India
9 Check Point CloudGuard
Check Point-stack enterprises with firewall heritage
 Quote - 4.3 Global; strongest in EMEA, Israel

*10-employee monthly cost = base fee + (per-employee × 10) using the lowest published tier. For opaque-pricing vendors, no value is shown.

Verified local pricing

What buyers in United States actually pay

Median annual deal size by employee band, in USD. Crowdsourced from anonymized buyer disclosures.

Product Employee band Median annual (USD) Sample Notes
Wiz 500-5,000 employees (50 cloud accounts) $360,000 92 Advanced tier; USD; annual contract; renewal increases 30-60% reported at scale
Wiz 5,000+ employees (250+ cloud accounts) $1,400,000 62 Enterprise tier with Runtime Sensor; USD; multi-year common
Orca Security 500-5,000 employees (50 cloud accounts) $280,000 74 Full CNAPP tier; USD; typically 20-35% below Wiz at comparable scope
Sysdig 500-5,000 employees $220,000 52 Sysdig Secure with runtime sensors; USD; annual
Palo Alto Prisma Cloud 5,000+ employees $1,800,000 48 Enterprise tier credit-based; USD; highest license cost in category
CrowdStrike Falcon Cloud Security 1,000-10,000 employees $320,000 58 Falcon Cloud Security; USD; typically bundled with Falcon EDR Enterprise
Aqua Security 500-5,000 employees (kubernetes-heavy) $240,000 58 Aqua Advanced; USD; kubernetes-first deployments
Tenable Cloud Security 1,000-10,000 employees $180,000 41 Tenable Cloud Security via Ermetic; USD; often bundled with Tenable.io renewal
Local challengers

United States-built or United States-strong vendors worth knowing

Not yet ranked in our global top 10, but credible options for United States buyers and worth a shortlist.

Wiz (primary listing)

Visit ↗

New York-headquartered. Founded 2020 by Assaf Rappaport and ex-Microsoft Cloud Security Group team. Reported $32B secondary valuation mid-2024. Fortune 100 customer base including JPMorgan Chase, BMW, Salesforce, Blackstone. The dominant US CNAPP by net-new evaluation win rate and brand recognition.

CrowdStrike Falcon Cloud Security (primary listing)

Visit ↗

Austin, Texas. US public company. FedRAMP High authorized. Best-in-class US federal and DoD CNAPP option for Falcon-anchored security organizations. Charlotte AI integration adds generative-AI security operations workflow.

Sysdig (primary listing)

Visit ↗

San Francisco-headquartered. Creator of Falco (CNCF graduated runtime detection). US financial services strength: Goldman Sachs, BNP Paribas, Worldpay reference customers. Sysdig Threat Research Team publishes credible cloud-native attack advisories monthly.

Uptycs (primary listing)

Visit ↗

Waltham, Massachusetts. The XDR-CNAPP convergence bet on osquery-based unified agent across servers, containers, kubernetes, laptops, and cloud. Smaller US installed base than Wiz or CrowdStrike but distinctive single-telemetry-pipeline architecture worth evaluating for US security teams consolidating endpoint and cloud tooling.

The United States ranking

All 10, ranked for United States

Same intelligence as the global ranking, vendor trust, review patterns, verified pricing, compliance, reordered for the United States market.

#1

Wiz

Agentless graph-based CNAPP that reset category expectations.

Founded 2020 · New York, NY · private · 500 to 100,000 employees
G2 4.7 (720)
Capterra 4.6
Custom quote
○ Sales call required
Visit Wiz

Wiz is the category leader in CNAPP by deployment scale, brand recognition, and feature coverage in 2026. Founded 2020 by Assaf Rappaport and the ex-Microsoft Cloud Security Group team (the same group that built Microsoft Defender for Cloud), Wiz raised more than $1.9B in cumulative funding through 2024, reached a reported $32B secondary tender valuation in mid-2024, reportedly declined a $23B acquisition offer from Google in July 2024, and was the subject of renewed acquisition discussion through late 2024 and 2025. The product is built on an agentless graph-based architecture (the Wiz Security Graph) that connects cloud-account snapshots, workload inventory, identity relationships, network exposure, and vulnerability data into one queryable model. Strengths: fastest time-to-value in the category (most customers report a working deployment in days, not weeks), the cleanest graph-query interface for security investigations, broadest multi-cloud coverage (AWS, Azure, GCP, OCI, Alibaba, and kubernetes), defensible runtime protection through the Wiz Runtime Sensor where customers need it, and a credible code-to-cloud story through Wiz Code. Trade-offs: pricing-power concerns are real (multiple verified buyer reports of 30 to 60 percent renewal-pricing increases at scale through 2024 and 2025), the agentless-first design has runtime-visibility gaps where customers really want eBPF depth (Sysdig is the better choice there), enterprise-stack buyers heavily anchored on Palo Alto, CrowdStrike, or Tenable feel platform-consolidation friction, and the post-Google-talks dynamic has visibly hardened Wiz pricing-power posture in renewal negotiations.

Best for

Mid-market and enterprise security teams that want one CNAPP platform across AWS, Azure, GCP, OCI, and kubernetes without per-account agent rollout. Particularly strong for organizations with multiple cloud providers, fast-moving cloud-account growth, and a security team that values graph-based investigation. Sweet spot 500 to 50,000 employees and 50+ cloud accounts.

Worst for

Buyers anchored on agent-based runtime depth (Sysdig is the better choice), CrowdStrike-stack consolidators (Falcon Cloud Security fits better), Tenable-stack consolidators (Tenable Cloud Security fits better), kubernetes-first estates where Aqua is purpose-built, very cost-sensitive small-team buyers, and buyers who object to opaque renewal pricing.

Strengths

  • Fastest time-to-value in the category; days, not weeks, to first finding
  • Cleanest graph-query interface (Wiz Security Graph) for investigations
  • Broadest multi-cloud coverage including AWS, Azure, GCP, OCI, Alibaba, kubernetes
  • Agentless primary posture with optional Runtime Sensor for eBPF depth
  • Strong code-to-cloud story through Wiz Code and IaC scanning
  • Reported $32B secondary valuation; multi-year product runway and hiring
  • Used at JPMorgan Chase, BMW, Salesforce, and several Fortune 100 enterprises

Weaknesses

  • Renewal-pricing creep of 30 to 60 percent reported at scale in 2024 and 2025
  • Agentless-first design has runtime-visibility gaps where eBPF depth matters
  • Platform-consolidation friction for Palo Alto, CrowdStrike, or Tenable stacks
  • Post-Google-talks dynamic has hardened pricing-power posture in renewals
  • List pricing not public; everything goes through quote
  • Kubernetes-native depth lags Aqua and Sysdig on some controls
  • Some buyers report finding volume that overwhelms small security teams

Pricing tiers

opaque
  • Essential
    Core CSPM and CWPP; quote-based by workload count and cloud-account count
    Quote
  • Advanced
    Adds CIEM, KSPM, IaC scanning, and integrations
    Quote
  • Enterprise
    Adds Runtime Sensor, Wiz Code, dedicated TAM, and premium support
    Quote
Watch for
  • · Renewal-pricing increases of 30 to 60 percent reported at scale through 2024 and 2025
  • · Runtime Sensor priced separately from base Advanced tier
  • · Wiz Code priced as an add-on module above Enterprise
  • · Custom integrations and SOC use cases often require Professional Services engagements
  • · Per-cloud-account pricing scales with account sprawl, not just workload count

Key features

  • +Agentless cloud-account snapshot scanning across AWS, Azure, GCP, OCI
  • +Wiz Security Graph for cross-resource investigation
  • +CSPM with 1,500+ policy checks across CIS, NIST, PCI, HIPAA, SOC 2
  • +CWPP including container, VM, and serverless workload coverage
  • +CIEM with permission-graph and access-path analysis
  • +KSPM with admission-control and runtime kubernetes scanning
  • +Runtime Sensor (eBPF) for runtime detection where deployed
  • +Wiz Code for IaC and code-to-cloud posture
  • +Attack-path analysis with reachability scoring
  • +SIEM, SOAR, and ticketing integrations
100+ integrations
AWSAzureGCPOracle CloudKubernetesSnowflakeSplunkDatadogServiceNowJiraSlackPagerDuty
Geography
Global; strongest in US, EMEA, AUS
View full Wiz intelligence profile → Compare Wiz →
#2

Orca Security

Agentless cloud security pioneer with deep SideScanning IP.

Founded 2019 · Tel Aviv, Israel · private · 200 to 50,000 employees
G2 4.6 (360)
Capterra 4.5
Custom quote
○ Sales call required
Visit Orca Security

Orca Security is the agentless CNAPP pioneer, founded 2019 in Tel Aviv by Avi Shua and a team that filed the foundational SideScanning patent in 2019 for reading cloud-workload disk snapshots out-of-band rather than via in-workload agents. The product reached a $1.8B valuation in late 2021 and has since maintained an independent path through the CNAPP consolidation cycle. Strengths: longest agentless track record in the category (the SideScanning patent predates Wiz), strong EMEA presence and Tel Aviv-anchored engineering talent, defensible workload coverage including VMs, containers, serverless, and managed services, transparent platform-team-friendly deployment (no agent rollout negotiation), and a credible competitive challenger position to Wiz on agentless-only ground. Trade-offs: brand recognition and momentum trail Wiz in 2026 (the Wiz secondary at $32B has compressed Orca mindshare in net-new evaluations), runtime-protection story depends on optional sensor deployment, and some kubernetes-first buyers prefer Aqua or Sysdig for depth on container admission-control and runtime forensics. Orca remains a legitimate Wiz alternative for buyers who want agentless CNAPP without the platform-leader pricing-power dynamic.

Best for

Security teams that want agentless multi-cloud CNAPP without the Wiz platform-leader pricing-power dynamic. Particularly strong for EMEA-headquartered buyers, mid-market organizations sensitive to Wiz pricing concerns, and platform teams that value the SideScanning architectural heritage. Sweet spot 200 to 20,000 employees and 20 to 500 cloud accounts.

Worst for

Buyers anchored on agent-based runtime depth (Sysdig is the better choice), kubernetes-first estates that need Aqua admission-control depth, Wiz-incumbent customers facing low switching cost, and buyers who require the broadest multi-cloud coverage including OCI and Alibaba.

Strengths

  • Longest agentless track record in the category (SideScanning patent 2019)
  • Strong EMEA presence and Tel Aviv engineering talent depth
  • Defensible workload coverage including VMs, containers, serverless, managed
  • Transparent platform-team-friendly deployment without agent rollout
  • Credible Wiz alternative on agentless-only ground
  • Strong attack-path and Crown Jewel analysis features
  • Active independent path through the CNAPP consolidation cycle

Weaknesses

  • Brand recognition and net-new evaluation momentum trail Wiz
  • Runtime-protection story depends on optional sensor deployment
  • Kubernetes-first depth trails Aqua and Sysdig on some controls
  • Smaller integration catalog than Wiz or Prisma Cloud
  • Some buyer reports of slower release cadence than Wiz through 2024 and 2025
  • Opaque list pricing; everything goes through quote

Pricing tiers

opaque
  • Cloud Workload Protection
    Core CSPM, CWPP, vulnerability scanning; quote-based by workload
    Quote
  • Full CNAPP
    Adds CIEM, KSPM, IaC scanning, attack-path analysis
    Quote
  • Enterprise
    Adds optional sensor, dedicated TAM, premium support
    Quote
Watch for
  • · Optional sensor priced separately for runtime coverage
  • · Per-workload pricing scales with VM, container, and serverless count
  • · Custom integrations may require Professional Services
  • · Annual contract typical 10 to 15 percent discount versus quarterly

Key features

  • +SideScanning agentless workload scanning (patented)
  • +Multi-cloud coverage across AWS, Azure, GCP
  • +CSPM with broad policy coverage including CIS, NIST, PCI, HIPAA
  • +CWPP including VM, container, serverless workload coverage
  • +CIEM with permission-graph and access-path analysis
  • +KSPM with admission-control and runtime kubernetes scanning
  • +Attack-path analysis with Crown Jewel scoring
  • +IaC and code-to-cloud scanning
  • +SIEM and ticketing integrations
  • +Optional runtime sensor for deeper detection
80+ integrations
AWSAzureGCPKubernetesSplunkDatadogServiceNowJiraSlackPagerDuty
Geography
Global; strongest in US, EMEA, Israel
View full Orca Security intelligence profile → Compare Orca Security →
#4

Sysdig

Runtime visibility leader; Falco creator extended into full CNAPP.

Founded 2013 · San Francisco, CA · private · 500 to 100,000 employees
G2 4.6 (240)
Capterra 4.5
Custom quote
○ Sales call required
Visit Sysdig

Sysdig is the runtime-visibility leader in CNAPP, founded 2013 by Loris Degioanni (creator of WinPcap and the original sysdig open-source tool) and the team that created the Falco open-source runtime detection engine (now a CNCF graduated project). The product extended over the last decade from container runtime visibility into a full CNAPP including CSPM, CWPP, CIEM, KSPM, and vulnerability management, while maintaining Falco at the heart of the runtime detection story. Sysdig is the credible choice for security teams that prioritize runtime forensics, eBPF-based deep visibility, and open-source-aligned tooling over agentless multi-cloud breadth. Strengths: deepest runtime forensics in the category through Falco and eBPF, strong open-source heritage and CNCF community engagement, defensible workload protection through deployed runtime sensors, credible incident-response story with the Sysdig Threat Research Team published advisories, and a vulnerability-management module that surfaces in-use packages rather than just installed-package counts. Trade-offs: agentless multi-cloud breadth trails Wiz and Orca for buyers whose primary need is cloud-account posture, runtime sensor rollout requires infrastructure-team negotiation, list pricing not public, and some buyer reports of mid-2024 leadership transitions creating organizational uncertainty.

Best for

Security teams that prioritize runtime forensics, eBPF-based deep visibility, and detailed kubernetes runtime detection. Particularly strong for financial services, regulated industries, and SOC teams that want defensible runtime evidence for incident response. Sweet spot 500 to 50,000 employees with substantial container and kubernetes investment.

Worst for

Buyers whose primary need is agentless multi-cloud account posture (Wiz or Orca is better), small security teams without runtime-forensics use cases, CrowdStrike-stack or Tenable-stack consolidators, and buyers unwilling to deploy runtime sensors across the estate.

Strengths

  • Deepest runtime forensics through Falco and eBPF
  • Open-source heritage with Falco at CNCF graduated status
  • Strong vulnerability management surfacing in-use packages
  • Defensible workload runtime protection through deployed sensors
  • Active Sysdig Threat Research Team publishing real advisories
  • Detailed runtime detection rules for kubernetes and containers
  • Used at Goldman Sachs, BNP Paribas, and major financial services

Weaknesses

  • Agentless multi-cloud breadth trails Wiz and Orca
  • Runtime sensor rollout requires infrastructure-team negotiation
  • List pricing not public; everything goes through quote
  • Buyer reports of mid-2024 leadership transitions
  • Posture-management UX has been a long-running buyer complaint
  • CIEM module less mature than Wiz or Tenable Cloud Security

Pricing tiers

opaque
  • Sysdig Secure
    CNAPP including CSPM, CWPP, KSPM, vulnerability management
    Quote
  • Sysdig Monitor
    Observability bundled or standalone
    Quote
  • Sysdig Platform Enterprise
    Combined CNAPP plus observability with dedicated support
    Quote
Watch for
  • · Runtime sensor priced separately from base posture coverage
  • · Per-workload pricing scales with container and VM count
  • · Observability bundle priced incrementally above Secure base
  • · Custom integrations may require Professional Services

Key features

  • +Falco-based runtime detection (CNCF graduated open source)
  • +eBPF deep runtime visibility
  • +CSPM across AWS, Azure, GCP, OCI
  • +CWPP with deployed runtime sensors
  • +KSPM with cluster posture and runtime kubernetes detection
  • +Vulnerability management surfacing in-use packages
  • +CIEM with permission analysis
  • +Incident response forensics with detailed event capture
  • +Sysdig Threat Research Team advisory feed
  • +SIEM, SOAR, and ticketing integrations
75+ integrations
KubernetesAWSAzureGCPOpenShiftGitHubGitLabJenkinsSplunkDatadogServiceNow
Geography
Global; strongest in US, EMEA
View full Sysdig intelligence profile → Compare Sysdig →
#5

Palo Alto Prisma Cloud

Broadest enterprise CNAPP platform; deepest license, heaviest integration.

Founded 2018 · Santa Clara, CA · public · 1,000 to 250,000 employees
G2 4.3 (540)
Capterra 4.4
Custom quote
○ Sales call required
Visit Palo Alto Prisma Cloud

Palo Alto Prisma Cloud is the broadest enterprise CNAPP platform, assembled through a multi-year acquisition strategy starting with the RedLock CSPM acquisition (2018, $173M), the Twistlock container security acquisition (2019, $410M), and the Bridgecrew IaC security acquisition (2021, $156M), with subsequent product unification under the Prisma Cloud brand. The product covers the broadest feature surface in the category (CSPM, CWPP, CIEM, KSPM, IaC, code-to-cloud, web-application and API protection, data security posture) and is the default CNAPP for Palo Alto Networks stack customers. Strengths: broadest feature surface in the category, deep integration with the rest of the Palo Alto stack (NGFW, Cortex XDR, Cortex XSIAM), strong enterprise sales motion, defensible runtime through the Twistlock heritage, and a credible code-to-cloud story through Bridgecrew. Trade-offs: license cost is the highest in the category (multiple verified buyer reports of $1M+ annual deals for mid-enterprise scope), integration friction across the acquired sub-modules persists (RedLock CSPM, Twistlock CWPP, Bridgecrew IaC do not feel like one product to all buyers), product velocity is slower than Wiz on the agentless graph side, and renewal pricing creep has been a real complaint pattern through 2024 and 2025.

Best for

Palo Alto Networks-stack enterprises that want platform consolidation across firewall, endpoint, XDR, and cloud security. Particularly strong for global enterprises with established Palo Alto procurement relationships, regulated industries needing the broadest feature surface, and buyers willing to absorb the highest license cost in exchange for one-vendor coverage. Sweet spot 5,000 to 200,000 employees.

Worst for

Cost-sensitive mid-market buyers, organizations that resist single-vendor lock-in, kubernetes-first estates better served by Aqua, runtime-forensics-anchored buyers better served by Sysdig, and agentless-first buyers better served by Wiz or Orca.

Strengths

  • Broadest feature surface in the category (CSPM, CWPP, CIEM, KSPM, IaC, WAAP)
  • Deep integration with Palo Alto NGFW, Cortex XDR, Cortex XSIAM
  • Strong enterprise sales motion and global account presence
  • Defensible runtime through Twistlock heritage
  • Credible code-to-cloud story through Bridgecrew acquisition
  • Data security posture module added in 2023 and 2024
  • Public-company stability and multi-year roadmap commitment

Weaknesses

  • Highest license cost in the category at scale
  • Integration friction across RedLock, Twistlock, Bridgecrew sub-modules
  • Product velocity slower than Wiz on the agentless graph side
  • Renewal pricing creep reported in 2024 and 2025
  • List pricing not public; everything goes through quote
  • Single-vendor-lock-in risk concentrates with Palo Alto Networks
  • Some buyer reports of UX inconsistency across acquired modules

Pricing tiers

opaque
  • Prisma Cloud Foundations
    Core CSPM and CWPP credits
    Quote
  • Prisma Cloud Advanced
    Adds CIEM, KSPM, IaC, code-to-cloud
    Quote
  • Prisma Cloud Enterprise
    Full CNAPP plus data security posture, WAAP, dedicated support
    Quote
Watch for
  • · Credit-based licensing complexity drives consumption surprises
  • · Module-by-module pricing escalates Advanced and Enterprise scope
  • · Renewal pricing creep reported through 2024 and 2025
  • · Custom integrations require Professional Services engagements
  • · Bundling with NGFW and Cortex can mask true CNAPP unit economics

Key features

  • +CSPM across AWS, Azure, GCP, OCI, Alibaba
  • +CWPP with Twistlock heritage including runtime and image scanning
  • +CIEM with permission graph and least-privilege analysis
  • +KSPM with admission-control and runtime kubernetes detection
  • +IaC and code-to-cloud through Bridgecrew
  • +Web-application and API protection (WAAP)
  • +Data security posture management
  • +Deep integration with Palo Alto Cortex XDR and XSIAM
  • +Credit-based licensing across modules
  • +SIEM, SOAR, ticketing, and ServiceNow integrations
120+ integrations
AWSAzureGCPOracle CloudKubernetesCortex XDRCortex XSIAMPalo Alto NGFWSplunkServiceNowJiraPagerDuty
Geography
Global; strongest in US, EMEA, APAC
View full Palo Alto Prisma Cloud intelligence profile → Compare Palo Alto Prisma Cloud →
#8

CrowdStrike Falcon Cloud Security

Endpoint-adjacent CNAPP leveraging the Falcon agent and Charlotte AI.

Founded 2011 · Austin, TX · public · 1,000 to 250,000 employees
G2 4.5 (320)
Capterra 4.5
Custom quote
○ Sales call required
Visit CrowdStrike Falcon Cloud Security

CrowdStrike Falcon Cloud Security is the CNAPP arm of public-company endpoint-security leader CrowdStrike (NASDAQ: CRWD), positioned as the endpoint-adjacent CNAPP for CrowdStrike-stack consolidators. The product extends the Falcon agent and Charlotte AI assistant into cloud workload protection, container security, CSPM, and identity-risk analysis. Strengths: defensible endpoint-security heritage, deep Falcon agent telemetry pipeline that already runs on many enterprise estates, credible CIEM through the recent identity-protection investment, strong public-company sales motion, and a unified Falcon console that CrowdStrike-stack buyers value highly. Trade-offs: CNAPP feature breadth and agentless graph maturity trail Wiz and Orca, the agent-based primary posture is a deliberate architectural bet that some buyers reject (agentless time-to-value is faster), the July 2024 Falcon sensor incident that caused a global IT outage remains a buyer-relevant trust event for incident-response track record, and post-July-2024 pricing-power dynamics have shifted in renewals. Strong choice for CrowdStrike-stack consolidators, weaker default for net-new CNAPP-only evaluations.

Best for

CrowdStrike-stack enterprises that want platform consolidation across endpoint, identity, and cloud security. Particularly strong for organizations with deep Falcon EDR footprint, SOC teams that already use the Falcon console for endpoint incident response, and buyers that value unified telemetry across endpoint and cloud. Sweet spot 1,000 to 200,000 employees with established CrowdStrike relationship.

Worst for

Buyers prioritizing agentless time-to-value (Wiz or Orca fits better), kubernetes-first estates (Aqua fits better), Palo Alto-stack consolidators, organizations resistant to single-vendor lock-in, and cost-sensitive mid-market buyers facing post-July-2024 renewal-pricing dynamics.

Strengths

  • Defensible endpoint-security heritage and Falcon agent telemetry
  • Public-company stability (NASDAQ: CRWD) and strong sales motion
  • Charlotte AI assistant integrated across the Falcon console
  • Credible CIEM through identity-protection investment
  • Unified Falcon console for endpoint, identity, and cloud
  • Strong incident-response and threat-intelligence heritage
  • Used at major enterprise accounts globally

Weaknesses

  • CNAPP feature breadth trails Wiz and Orca
  • Agent-based primary posture has slower time-to-value than agentless
  • July 2024 Falcon sensor incident remains a buyer-relevant trust event
  • Post-July-2024 pricing-power posture has hardened in renewals
  • CSPM agentless graph maturity trails Wiz
  • Single-vendor-lock-in risk with CrowdStrike-stack consolidation
  • List pricing not public; everything goes through quote

Pricing tiers

opaque
  • Falcon Cloud Security Foundations
    Core CWPP with Falcon agent
    Quote
  • Falcon Cloud Security Advanced
    Adds CSPM, KSPM, IaC, vulnerability management
    Quote
  • Falcon Cloud Security Enterprise
    Full CNAPP plus Charlotte AI and dedicated support
    Quote
Watch for
  • · Per-workload pricing scales with VM, container, and serverless count
  • · CSPM and KSPM modules priced incrementally above Foundations
  • · Charlotte AI usage may be metered above included quota
  • · Bundling with Falcon EDR can mask true CNAPP unit economics

Key features

  • +Falcon agent telemetry pipeline for cloud workload protection
  • +Charlotte AI assistant integrated across Falcon console
  • +CSPM across AWS, Azure, GCP
  • +CWPP with deep agent-based runtime visibility
  • +CIEM with identity-graph analysis
  • +KSPM with kubernetes posture and admission-control
  • +Vulnerability management with Falcon agent telemetry
  • +IaC scanning across Terraform, CloudFormation
  • +Unified Falcon console across endpoint and cloud
  • +Threat intelligence from CrowdStrike Intelligence
90+ integrations
AWSAzureGCPKubernetesFalcon EDRFalcon IdentitySplunkServiceNowJiraPagerDutyMicrosoft Sentinel
Geography
Global; strongest in US, EMEA, APAC
View full CrowdStrike Falcon Cloud Security intelligence profile → Compare CrowdStrike Falcon Cloud Security →
#3

Aqua Security

The kubernetes-native original; container security extended to full CNAPP.

Founded 2015 · Ramat Gan, Israel · private · 200 to 50,000 employees
G2 4.5 (280)
Capterra 4.5
Custom quote
○ Sales call required
Visit Aqua Security

Aqua Security is the original kubernetes-native container security company, founded 2015 in Israel before CNAPP existed as a Gartner category. The product extended over the last decade from image scanning and runtime container protection into a full CNAPP including CSPM, CIEM, KSPM, and code-to-cloud posture. Aqua sponsors the popular open-source Trivy vulnerability scanner (acquired with Argon in 2021) and remains the deepest kubernetes-native CNAPP in the category. Strengths: longest kubernetes track record in the category, deepest admission-control and runtime container security, defensible open-source heritage through Trivy and Tracee, strong container-image and supply-chain security story, and credible standalone platform position through 2025 without acquisition pressure. Trade-offs: agentless multi-cloud breadth trails Wiz and Orca for buyers whose primary need is cloud-account posture rather than kubernetes depth, brand momentum has slowed since Wiz reset category expectations in 2020 to 2022, and the platform breadth (CSPM, CIEM) added to compete with Wiz feels less mature than the kubernetes-native core. Aqua remains a strong default for kubernetes-first estates and a defensible Wiz challenger for buyers prioritizing container-native depth.

Best for

Kubernetes-first security teams that prioritize container-native depth, admission-control, and runtime forensics over agentless multi-cloud breadth. Particularly strong for OpenShift estates, container-platform teams, and CISOs who want open-source-aligned tooling through Trivy and Tracee. Sweet spot 200 to 20,000 employees with substantial kubernetes investment.

Worst for

Buyers whose primary need is agentless multi-cloud account posture (Wiz or Orca is better), non-kubernetes estates, CrowdStrike-stack or Palo Alto-stack consolidators, and buyers who want the platform-leader brand and renewal-pricing-power dynamic of Wiz.

Strengths

  • Longest kubernetes-native track record in the category (since 2015)
  • Deepest admission-control and runtime container security
  • Open-source heritage through Trivy (vulnerability scanner) and Tracee (runtime)
  • Strong container-image and software-supply-chain security
  • Credible standalone position through 2025 without acquisition pressure
  • Multi-environment coverage including hybrid kubernetes and OpenShift
  • Active CNCF ecosystem participation

Weaknesses

  • Agentless multi-cloud breadth trails Wiz and Orca
  • Brand momentum slowed since Wiz reset category expectations
  • CSPM and CIEM modules feel less mature than kubernetes core
  • List pricing not public; everything goes through quote
  • Some buyer reports of integration friction between modules
  • Net-new mindshare in non-kubernetes-first deals trails Wiz

Pricing tiers

opaque
  • Aqua Standard
    Core container security, image scanning, runtime protection
    Quote
  • Aqua Advanced
    Adds CSPM, CIEM, KSPM, IaC scanning
    Quote
  • Aqua Enterprise
    Full CNAPP, supply-chain security, dedicated support
    Quote
Watch for
  • · Per-workload pricing scales with container, VM, and serverless count
  • · Aqua Advanced and Enterprise modules priced incrementally
  • · Custom integrations may require Professional Services
  • · Annual contract typical 10 percent discount versus monthly

Key features

  • +Kubernetes admission-control with policy enforcement
  • +Runtime container protection with eBPF
  • +Image scanning with Trivy open-source heritage
  • +Software supply-chain security including SBOM and signing
  • +CSPM across AWS, Azure, GCP
  • +CIEM with permission analysis
  • +KSPM with cluster posture and runtime detection
  • +IaC scanning across Terraform, CloudFormation, ARM
  • +Open-source Tracee runtime detection contribution
  • +SIEM, SOAR, and ticketing integrations
70+ integrations
KubernetesOpenShiftAWSAzureGCPDockerGitHubGitLabJenkinsSplunkServiceNow
Geography
Global; strongest in US, EMEA, Israel
View full Aqua Security intelligence profile → Compare Aqua Security →
#6

Tenable Cloud Security

Vulnerability-management heritage bolted into CNAPP via the Ermetic acquisition.

Founded 2002 · Columbia, MD · public · 500 to 100,000 employees
G2 4.4 (180)
Capterra 4.4
Custom quote
○ Sales call required
Visit Tenable Cloud Security

Tenable Cloud Security is the CNAPP arm of public-company vulnerability-management leader Tenable (NASDAQ: TENB), built primarily on the foundation of the October 2023 Ermetic acquisition ($265M). Ermetic was a credible standalone CIEM and CNAPP startup, and the acquisition gave Tenable a path to extend its Nessus and Tenable.io vulnerability-management franchise into multi-cloud posture and entitlement management. Strengths: defensible vulnerability-management heritage with deep CVE coverage, public-company stability, strong CIEM through the Ermetic-acquired engineering team, broad cloud-account coverage across AWS, Azure, and GCP, and credible platform consolidation for Tenable-stack buyers who want vuln-management plus CNAPP from one vendor. Trade-offs: post-acquisition integration risk is real (the Ermetic-Tenable platform unification is still in progress 18 months after the deal closed), CNAPP feature breadth trails Wiz and Prisma Cloud, runtime protection story is thinner than Sysdig and Aqua, brand recognition in CNAPP buying committees trails the pure-plays, and some buyer reports of Ermetic-era roadmap commitments slipping under Tenable ownership.

Best for

Tenable-stack security teams that want consolidated vulnerability-management plus CNAPP reporting from one vendor. Particularly strong for organizations with substantial existing Nessus or Tenable.io footprint, CIEM-anchored buyers who valued the Ermetic engineering approach, and mid-market enterprises that prefer public-company vendor stability over pure-play independence. Sweet spot 500 to 50,000 employees.

Worst for

Buyers prioritizing CNAPP feature breadth and category-leader brand (Wiz fits better), runtime-forensics-anchored buyers (Sysdig fits better), kubernetes-first estates (Aqua fits better), Palo Alto-stack consolidators, and buyers who do not value Tenable.io vuln-management heritage.

Strengths

  • Defensible vulnerability-management heritage with deep CVE coverage
  • Public-company stability (NASDAQ: TENB) and multi-year roadmap visibility
  • Strong CIEM through Ermetic-acquired engineering team
  • Broad cloud-account coverage across AWS, Azure, GCP
  • Credible platform consolidation for Tenable-stack buyers
  • Established compliance and reporting heritage from Nessus and Tenable.io
  • Reasonable pricing relative to Wiz and Prisma Cloud

Weaknesses

  • Post-acquisition integration risk; Ermetic-Tenable unification still in progress
  • CNAPP feature breadth trails Wiz and Prisma Cloud
  • Runtime protection story thinner than Sysdig and Aqua
  • Brand recognition in CNAPP buying committees trails pure-plays
  • Buyer reports of Ermetic-era roadmap commitments slipping
  • Kubernetes-native depth trails Aqua and Sysdig
  • List pricing not public; everything goes through quote

Pricing tiers

opaque
  • Tenable Cloud Security Essentials
    CSPM and CWPP basics
    Quote
  • Tenable Cloud Security Advanced
    Adds CIEM, KSPM, IaC scanning
    Quote
  • Tenable One Platform Bundle
    Combined vuln-management plus CNAPP with unified console
    Quote
Watch for
  • · Per-workload pricing scales with cloud-account and VM count
  • · CIEM and KSPM modules priced incrementally above Essentials
  • · Tenable One bundle requires existing Tenable.io commit
  • · Custom integrations may require Professional Services

Key features

  • +CSPM across AWS, Azure, GCP
  • +CWPP with workload posture and image scanning
  • +CIEM with permission-graph analysis (Ermetic heritage)
  • +KSPM with kubernetes posture
  • +IaC scanning across Terraform, CloudFormation
  • +Vulnerability management integration with Nessus and Tenable.io
  • +Unified Tenable One platform console
  • +Compliance reporting heritage from Nessus
  • +SIEM and ticketing integrations
  • +Public-company support SLAs
60+ integrations
AWSAzureGCPKubernetesNessusTenable.ioSplunkServiceNowJiraPagerDuty
Geography
Global; strongest in US, EMEA
View full Tenable Cloud Security intelligence profile → Compare Tenable Cloud Security →
#7

Lacework

Polygraph-based CNAPP now operating as a Fortinet subsidiary after a sharp 2024 down round.

Founded 2015 · San Jose, CA · subsidiary · 1,000 to 50,000 employees
G2 4.2 (220)
Capterra 4.3
Custom quote
○ Sales call required
Visit Lacework

Lacework is the Polygraph-based CNAPP product founded in 2015 that reached an $8.3B valuation at its 2022 funding peak before announcing layoffs in 2023 and ultimately being acquired by Fortinet in August 2024 at a reported sharp down round from the 2022 peak (terms not publicly disclosed but widely reported as a fraction of the 2022 valuation). The product is built around the Polygraph behavioral analytics engine that builds an automated baseline of cloud-account behavior and detects anomalies, plus CSPM, CWPP, KSPM, and vulnerability management. Strengths: defensible Polygraph behavioral analytics technology, deep AWS coverage, established enterprise customer base, and Fortinet acquisition provides parent-company stability and integration with the Fortinet Security Fabric. Trade-offs: post-acquisition integration risk is significant (Fortinet absorbing a once-independent CNAPP pure-play is a multi-quarter project), product velocity has visibly slowed since the 2023 layoffs and 2024 acquisition, multiple verified buyer reports of customer churn through 2024 and 2025, and the Fortinet stack is not the natural consolidation point for CNAPP buying committees that did not previously favor Fortinet. Most buyers should treat Lacework as a high-risk choice in 2026 unless they are committed Fortinet-stack consolidators.

Best for

Existing Lacework customers who are Fortinet-stack consolidators and value the Polygraph behavioral analytics heritage. Particularly applicable for organizations with deep Fortinet NGFW or FortiSIEM footprint that want integrated cloud security from the Fortinet Security Fabric. Sweet spot 1,000 to 50,000 employees with established Fortinet relationship.

Worst for

Net-new CNAPP buyers, organizations not anchored on Fortinet, buyers prioritizing product velocity and brand momentum (Wiz fits better), kubernetes-first estates (Aqua fits better), runtime-forensics buyers (Sysdig fits better), and any buyer not willing to absorb post-acquisition integration risk.

Strengths

  • Defensible Polygraph behavioral analytics technology
  • Deep AWS coverage with established enterprise customer base
  • Fortinet parent-company stability post-August-2024 acquisition
  • Integration path into Fortinet Security Fabric
  • CWPP with anomaly-detection heritage that predates many competitors
  • Compliance and reporting depth for enterprise audits

Weaknesses

  • Sharp 2024 down round from $8.3B 2022 peak signals platform pressure
  • Post-acquisition integration risk significant; Fortinet absorption ongoing
  • Product velocity visibly slowed since 2023 layoffs and 2024 acquisition
  • Verified buyer reports of customer churn through 2024 and 2025
  • Fortinet stack is not the natural consolidation point for most CNAPP buyers
  • Brand momentum collapsed in net-new evaluations through 2024
  • List pricing not public; everything goes through quote

Pricing tiers

opaque
  • Lacework CWPP
    Core workload protection with Polygraph
    Quote
  • Lacework CNAPP
    Adds CSPM, KSPM, vulnerability management
    Quote
  • Lacework FortiCNAPP Bundle
    Integrated with Fortinet Security Fabric
    Quote
Watch for
  • · Post-acquisition pricing-model changes possible under Fortinet ownership
  • · Per-workload pricing scales with VM and container count
  • · Custom integrations may require Professional Services
  • · Renewal terms increasingly tied to Fortinet enterprise agreements

Key features

  • +Polygraph behavioral analytics for cloud-account baseline
  • +CSPM across AWS, Azure, GCP
  • +CWPP with anomaly-detection heritage
  • +KSPM with kubernetes posture
  • +Vulnerability management with risk scoring
  • +Integration path into Fortinet Security Fabric
  • +Compliance reporting for SOC 2, PCI, HIPAA, NIST
  • +SIEM integration including FortiSIEM
  • +IaC scanning
  • +Anomaly detection on user behavior
50+ integrations
AWSAzureGCPKubernetesFortiSIEMFortinet NGFWSplunkServiceNowJira
Geography
Global; strongest in US
View full Lacework intelligence profile → Compare Lacework →
#10

Uptycs

XDR-CNAPP convergence with one osquery-based agent across the estate.

Founded 2016 · Waltham, MA · private · 200 to 25,000 employees
G2 4.5 (140)
Capterra 4.4
Custom quote
○ Sales call required
Visit Uptycs

Uptycs is the XDR-CNAPP convergence bet, founded 2016 in Waltham, MA around the open-source osquery project (originally created at Facebook) and positioned as the unified telemetry platform that runs one agent across servers, containers, kubernetes, laptops, and cloud. The company has raised over $130M in cumulative funding and maintains an independent path through 2025. Strengths: defensible osquery open-source heritage, one-agent architecture removes the typical two-agent friction between endpoint and cloud security teams, credible CSPM, CWPP, KSPM, and CIEM coverage, strong forensic-evidence story through osquery telemetry, and active independent operation through the CNAPP consolidation cycle. Trade-offs: smaller vendor footprint than Wiz, Orca, Aqua, or Sysdig (multi-year runway is a real evaluation factor), brand momentum trails the pure-play CNAPP leaders, agentless multi-cloud breadth trails Wiz, the XDR-CNAPP convergence thesis is a strategic bet that not all security organizations buy (many keep endpoint and cloud security separate by design), and net-new evaluation wins remain modest. Strong choice for security teams that want one telemetry pipeline; weaker default for buyers that want clear category-leader status.

Best for

Security teams that want one telemetry pipeline across endpoint, server, container, kubernetes, and cloud, plus the forensic-evidence depth of osquery. Particularly strong for SOC-led organizations that value unified detection and response across the estate, mid-market security teams that want CNAPP plus XDR from one vendor, and open-source-aligned buyers. Sweet spot 200 to 10,000 employees.

Worst for

Buyers prioritizing category-leader brand and net-new evaluation momentum (Wiz fits better), kubernetes-first estates that need Aqua admission-control depth, runtime-forensics buyers anchored on Falco (Sysdig fits better), CrowdStrike-stack or Palo Alto-stack consolidators, and buyers who want a separate clean line between endpoint and cloud security.

Strengths

  • Defensible osquery open-source heritage from the Facebook origin
  • One-agent architecture across servers, containers, kubernetes, laptops, cloud
  • Credible CSPM, CWPP, KSPM, CIEM coverage in one platform
  • Strong forensic-evidence story through osquery telemetry
  • Active independent operation through CNAPP consolidation cycle
  • Reasonable pricing relative to Wiz and Prisma Cloud
  • XDR-plus-CNAPP unified telemetry for SOC efficiency

Weaknesses

  • Smaller vendor footprint; multi-year runway is a real evaluation factor
  • Brand momentum trails pure-play CNAPP leaders
  • Agentless multi-cloud breadth trails Wiz
  • XDR-CNAPP convergence thesis not all buyers buy into
  • Net-new evaluation wins remain modest
  • Kubernetes admission-control depth trails Aqua
  • List pricing not public; everything goes through quote

Pricing tiers

opaque
  • Uptycs CNAPP
    CSPM, CWPP, KSPM, CIEM via osquery telemetry
    Quote
  • Uptycs XDR
    Endpoint detection and response via osquery telemetry
    Quote
  • Uptycs Unified Platform
    Combined CNAPP plus XDR with one agent and console
    Quote
Watch for
  • · Per-endpoint and per-workload pricing scales with estate size
  • · XDR and CNAPP modules priced incrementally on combined bundle
  • · Custom integrations may require Professional Services
  • · Annual contract typical 10 to 15 percent discount versus monthly

Key features

  • +osquery-based unified telemetry across endpoint, server, container, kubernetes, cloud
  • +CSPM across AWS, Azure, GCP
  • +CWPP with workload posture and runtime visibility
  • +KSPM with kubernetes posture and runtime detection
  • +CIEM with permission analysis
  • +XDR with endpoint detection and response
  • +IaC scanning across Terraform, CloudFormation
  • +Forensic-evidence depth through osquery telemetry
  • +One agent, one console across the estate
  • +SIEM and ticketing integrations
50+ integrations
AWSAzureGCPKubernetesDockerSplunkServiceNowJiraPagerDutyMicrosoft Sentinel
Geography
Global; strongest in US, EMEA, India
View full Uptycs intelligence profile → Compare Uptycs →
#9

Check Point CloudGuard

Legacy enterprise CNAPP from the Check Point firewall heritage; slow velocity.

Founded 1993 · Tel Aviv, Israel · public · 5,000 to 100,000 employees
G2 4.3 (180)
Capterra 4.3
Custom quote
○ Sales call required
Visit Check Point CloudGuard

Check Point CloudGuard is the CNAPP arm of public-company firewall-heritage vendor Check Point Software (NASDAQ: CHKP), positioned as the cloud-security continuation of the Check Point Infinity platform that extends from on-prem firewalls into cloud workloads. The product is built primarily on the Dome9 acquisition (2018) for CSPM, plus subsequent module additions for CWPP, KSPM, and IaC. Strengths: defensible public-company stability, established global enterprise account presence inherited from the firewall business, integration with Check Point Infinity for buyers anchored on the Check Point stack, and reasonable feature coverage on paper. Trade-offs: product velocity has visibly lagged Wiz, Orca, Sysdig, and Aqua through 2023 to 2025, brand momentum in CNAPP evaluations is weak (Check Point CloudGuard rarely wins net-new mid-market or enterprise CNAPP deals against pure-plays in 2026), the cloud-security organization sits within a larger firewall-business culture that has not prioritized CNAPP velocity, and the post-Dome9 integration period left visible UX inconsistencies. Most buyers in 2026 should treat CloudGuard as a legacy enterprise choice that fits only existing Check Point-stack consolidators.

Best for

Existing Check Point-stack enterprises that want cloud security from the same vendor as their firewall and Infinity platform. Particularly applicable for organizations with deep Check Point NGFW footprint and CIO-mandated single-vendor cloud-plus-network security posture. Sweet spot 5,000 to 100,000 employees with established Check Point relationship.

Worst for

Net-new CNAPP buyers, organizations not anchored on Check Point, buyers prioritizing product velocity and brand momentum (Wiz, Orca fit better), kubernetes-first estates (Aqua fits better), runtime-forensics buyers (Sysdig fits better), and any buyer who does not have an existing Check Point procurement relationship.

Strengths

  • Public-company stability (NASDAQ: CHKP) and multi-decade vendor presence
  • Established global enterprise account presence from firewall heritage
  • Integration with Check Point Infinity for stack consolidators
  • Reasonable feature coverage on paper across CSPM, CWPP, KSPM
  • Defensible compliance and audit reporting heritage
  • Long-running customer relationships in regulated industries

Weaknesses

  • Product velocity visibly lags Wiz, Orca, Sysdig, Aqua through 2023 to 2025
  • Brand momentum weak in net-new CNAPP evaluations
  • Cloud-security organization sits within firewall-business culture
  • Post-Dome9 integration period left visible UX inconsistencies
  • Net-new mid-market and enterprise CNAPP wins rare against pure-plays
  • List pricing not public; everything goes through quote
  • Multi-cloud breadth trails Wiz and Prisma Cloud

Pricing tiers

opaque
  • CloudGuard CSPM
    Core cloud-posture management (Dome9 heritage)
    Quote
  • CloudGuard CNAPP
    Adds CWPP, KSPM, IaC, vulnerability management
    Quote
  • CloudGuard plus Infinity Bundle
    Integrated with Check Point Infinity platform
    Quote
Watch for
  • · Per-workload pricing scales with VM and container count
  • · Modules priced incrementally above CSPM baseline
  • · Infinity bundling can mask true CNAPP unit economics
  • · Custom integrations may require Professional Services

Key features

  • +CSPM with Dome9 heritage across AWS, Azure, GCP
  • +CWPP with workload posture
  • +KSPM with kubernetes posture
  • +IaC scanning across Terraform, CloudFormation
  • +Vulnerability management integration
  • +Integration with Check Point Infinity platform
  • +Compliance reporting for SOC 2, PCI, HIPAA, NIST
  • +SIEM integration including Check Point Horizon
  • +Network-security visibility through firewall heritage
  • +Multi-tenancy for service providers
55+ integrations
AWSAzureGCPKubernetesCheck Point NGFWCheck Point InfinitySplunkServiceNowJira
Geography
Global; strongest in EMEA, Israel
View full Check Point CloudGuard intelligence profile → Compare Check Point CloudGuard →

Frequently asked questions

The questions buyers actually ask before they sign.

Is Wiz still the right US enterprise CNAPP default in 2026 given renewal pricing concerns?
For US enterprises with multi-cloud estates, fast cloud-account growth, and security teams that value graph-based investigation, Wiz remains the rational default. The Wiz Security Graph, multi-cloud breadth (including AWS GovCloud, Azure Government, OCI), and Fortune 100 reference base genuinely lead the category. The renewal pricing concern is real (30-60% increases reported at scale through 2025) and should be negotiated aggressively in initial contracts with explicit renewal caps, multi-year price locks, and account-growth pricing protection. For US buyers who refuse to absorb Wiz pricing-power dynamics, Orca Security is the credible alternative with the SideScanning agentless heritage and pricing typically 20-35% lower at comparable scope.
How do FedRAMP and CMMC 2.0 affect US federal and DoD CNAPP procurement in 2026?
FedRAMP authorization is the decisive procurement gate for US federal CNAPP buying. CrowdStrike Falcon Cloud Security holds FedRAMP High authorization, the highest baseline. Wiz, Orca Security, Sysdig, Aqua, and Prisma Cloud are in-process or authorized at Moderate baseline (verify current status at marketplace.fedramp.gov). DoD CMMC 2.0 compliance, mandatory for defense industrial base contractors by 2026, requires FedRAMP-equivalent cloud security at Level 2 and Level 3. Defense contractors should default to FedRAMP-authorized platforms exclusively and verify CMMC assessment evidence requirements with their C3PAO before CNAPP selection. The practical result: CrowdStrike, Prisma Cloud, and Wiz dominate federal and DoD CNAPP wins through 2026.
CrowdStrike Falcon Cloud Security vs Wiz for a US enterprise with Falcon EDR already deployed?
If Falcon EDR is the established US endpoint security default and CrowdStrike account ownership runs through procurement, Falcon Cloud Security wins on platform consolidation (single console across endpoint, identity, and cloud), FedRAMP High authorization, and Charlotte AI generative-AI security operations integration. Wiz wins on multi-cloud breadth (CrowdStrike cloud coverage is improving but trails Wiz on OCI and Alibaba), graph-based investigation depth, and best-of-breed CNAPP velocity. The honest 2026 answer: for US enterprises where the CISO mandates platform consolidation, Falcon Cloud Security is the rational extension of the Falcon investment; for US security teams where cloud security ownership sits in a separate platform-team organization independent of endpoint operations, Wiz remains the best-of-breed default.
How does the SEC cyber-disclosure rule affect CNAPP buying at US public companies?
The SEC cyber-disclosure rule (effective December 2023) requires US public companies to disclose material cybersecurity incidents on Form 8-K within four business days of materiality determination. CISO accountability for materiality determination timelines has pulled CNAPP runtime-forensics and audit-grade asset-inventory capability forward in procurement priority. Sysdig (Falco runtime forensics), Wiz (Security Graph asset inventory and attack-path reachability), and CrowdStrike Falcon Cloud Security (unified endpoint-cloud incident timeline) are the three platforms most cited in US public-company CNAPP RFPs since the rule took effect. Boards are now asking specific questions about cloud incident detection-to-disclosure timelines that did not appear in 2022-era CNAPP evaluations.
What is CNAPP, and how does it differ from CSPM, CWPP, and CIEM?
CNAPP (Cloud-Native Application Protection Platform) is the Gartner-coined umbrella category that consolidates five previously separate cloud-security product types into one platform. CSPM (Cloud Security Posture Management) scans cloud-provider control planes for misconfigurations (open S3 buckets, public RDS, over-permissive IAM). CWPP (Cloud Workload Protection Platform) protects workloads (VMs, containers, serverless) at runtime through image scanning, vulnerability detection, and runtime defense. CIEM (Cloud Infrastructure Entitlement Management) maps identity-to-resource permissions and surfaces least-privilege violations and toxic-combination access paths. KSPM (Kubernetes Security Posture Management) is the kubernetes-specific subset of CSPM plus admission-control. ASPM (Application Security Posture Management) ties code-level findings through to cloud-deployed workloads. CNAPP bundles CSPM, CWPP, CIEM, and KSPM (plus increasingly ASPM) into one platform with cross-domain context (a misconfigured IAM role plus a public workload plus a known CVE becomes one prioritized attack path). The CNAPP category took shape after Wiz launched in 2020 with an agentless graph-based approach that reset category time-to-value expectations.
Agentless or agent-based CNAPP: which is right for my organization?
Both, layered. Agentless (Wiz, Orca, and the agentless parts of every other CNAPP) reads cloud-provider APIs and out-of-band workload disk snapshots to get fast time-to-value (days, not weeks) and broad multi-cloud account coverage without negotiating agent rollout with infrastructure teams. Agent-based (Sysdig sensors, CrowdStrike Falcon, Aqua runtime, Lacework Polygraph) deploys an in-workload agent to get deeper runtime forensics, eBPF-based system-call detail, and incident-response evidence. The 2026 best practice is agentless-first for breadth across cloud accounts plus selective agent deployment where runtime depth is required (production-tier workloads, high-blast-radius services, regulated environments). Most leading CNAPP platforms now offer both; the architectural emphasis varies (Wiz is agentless-primary with optional Runtime Sensor, Sysdig is agent-primary with agentless add-on, Aqua is kubernetes-agent-primary).
How much should a 5,000-employee enterprise budget for CNAPP in 2026?
Verified medians from our pricing corpus. Wiz at 5,000 employees with 50 cloud accounts: approximately $360,000 per year. Orca at 5,000 employees: approximately $280,000 per year. Aqua at 5,000 employees with kubernetes-heavy estate: approximately $240,000 per year. Sysdig at 5,000 employees: approximately $220,000 per year. Prisma Cloud at 5,000 employees: approximately $380,000 per year on the low end, up to $1.1M at the larger account scope. Tenable Cloud Security at 5,000 employees: approximately $180,000 per year. CrowdStrike Falcon Cloud Security at 5,000 employees: approximately $260,000 per year. The largest drivers of CNAPP unit cost are cloud-account count (not just employee count), workload count (VMs, containers, serverless), and module breadth (CIEM, runtime sensor, code-to-cloud, WAAP). Renewal-pricing creep has been a real complaint pattern on Wiz and Prisma Cloud through 2024 and 2025; budget for 15 to 30 percent renewal increases unless contractually locked.
What happened with the Wiz-Google acquisition talks?
In July 2024, Reuters and Wall Street Journal reported that Google had offered approximately $23B to acquire Wiz. Wiz reportedly declined the offer to pursue an independent IPO path; reports indicate talks resumed in later periods. The dynamic matters for buyers in two ways. First, the post-talks period has visibly hardened Wiz pricing-power posture in renewals (multiple verified buyer reports of 30 to 60 percent renewal-pricing increases at scale through 2024 and 2025). Second, the eventual ownership outcome (independent IPO, Google acquisition, or other) materially shapes the multi-year roadmap and integration story for Wiz customers. Buyers signing multi-year Wiz contracts in 2026 should write in renewal-pricing caps and consider acquisition-trigger clauses where commercially possible.
What happened with the Lacework-Fortinet acquisition?
Fortinet announced the Lacework acquisition in August 2024 at a reported sharp down round from the $8.3B 2022 valuation peak (terms not publicly disclosed but widely reported as a fraction of the 2022 valuation). The acquisition followed a difficult period at Lacework: $1.3B 2021 funding round at $8.3B valuation, 20 percent layoffs announced in 2022 and 2023, and visible customer churn through 2023 to 2024. Post-acquisition, Lacework operates as a Fortinet subsidiary with the FortiCNAPP brand integrating into the Fortinet Security Fabric. Buyer-relevant implications: product velocity has visibly slowed since the 2023 layoffs and 2024 acquisition, customer churn through 2024 and 2025 remains a real pattern, and the Fortinet stack is not the natural consolidation point for most net-new CNAPP buying committees. Most buyers should treat Lacework as a high-risk choice in 2026 unless they are committed Fortinet-stack consolidators.
What happened with the Ermetic-Tenable acquisition?
Tenable acquired Ermetic in October 2023 for $265M to bolt CIEM and CNAPP capability onto its Nessus and Tenable.io vulnerability-management franchise. Ermetic was a credible standalone CIEM and CNAPP startup founded 2019, and the acquisition was widely viewed as a sensible platform extension for Tenable. Post-acquisition, integration has been multi-quarter work: the Tenable One unified platform launched in 2024 folding CNAPP into the broader exposure-management story, but multiple verified buyer disclosures through late 2024 and 2025 cite Ermetic-era roadmap commitments slipping under Tenable ownership and UX inconsistencies between the Ermetic-heritage CIEM module and the rest of the Tenable platform. Buyer-relevant framing: Tenable Cloud Security is a credible mid-tier CNAPP choice for Tenable-stack consolidators, but buyers should weigh post-acquisition integration risk and verify roadmap commitments in writing before signing multi-year deals.
Do I need a separate CSPM tool plus a separate CWPP tool, or just CNAPP?
CNAPP. The category exists precisely to consolidate CSPM and CWPP (plus CIEM and KSPM) into one platform with cross-domain context. The 2018 to 2020 model of buying separate CSPM (Dome9, RedLock, Prisma Cloud Compute) plus separate CWPP (Twistlock, Aqua, Lacework) plus separate CIEM (Ermetic, Sonrai) plus separate KSPM (Aqua, StackRox) is increasingly obsolete in 2026. Modern CNAPP platforms (Wiz, Orca, Aqua, Sysdig, Prisma Cloud, Tenable Cloud Security, CrowdStrike Falcon Cloud Security) cover all four domains with cross-domain context: a misconfigured IAM role plus a public workload plus a known CVE plus a sensitive-data path becomes one prioritized attack path rather than four separate findings. Buyers running multiple legacy point tools should consolidate onto a single CNAPP platform in 2026; the operational savings (one console, one finding-priority model, one vendor relationship) typically justify the migration cost within 12 to 18 months.
How does CNAPP overlap with SIEM, SOAR, and XDR?
CNAPP, SIEM, SOAR, and XDR are complementary layers in the modern security stack. CNAPP focuses on the cloud-native posture and workload-protection surface (CSPM, CWPP, CIEM, KSPM). SIEM (Splunk, Microsoft Sentinel, Elastic) aggregates logs and events from across the estate (cloud, endpoint, identity, network) and runs detection rules. SOAR (Tines, Torq, Cortex XSOAR) automates incident response playbooks across SIEM and other security tools. XDR (CrowdStrike Falcon, SentinelOne, Microsoft Defender XDR) extends endpoint detection and response into other domains (identity, email, cloud workloads). The 2026 best practice is to deploy CNAPP for the cloud surface, integrate CNAPP findings into SIEM for cross-domain correlation, use SOAR to automate response, and use XDR for the endpoint-anchored detection story (with optional extension into cloud workloads). The Uptycs bet is that XDR and CNAPP converge into one platform; the CrowdStrike bet is similar through Falcon Cloud Security. Most enterprises in 2026 still keep CNAPP and XDR as separate platforms.
What is the difference between Wiz Runtime Sensor and Sysdig Falco?
Both are deployed runtime sensors that provide eBPF-based runtime detection for cloud workloads, but the architectural posture is different. Wiz Runtime Sensor is positioned as an optional add-on to the agentless-primary Wiz CNAPP, deployed selectively on workloads where runtime depth is required (production-tier, high-blast-radius, regulated). Sysdig Falco is the open-source CNCF-graduated runtime detection engine that anchors Sysdig CWPP; it is agent-primary and deployed broadly across the estate. Wiz Runtime Sensor has a tighter integration with the Wiz Security Graph for cross-domain context (runtime alerts decorated with posture, identity, and attack-path data). Falco has a longer track record, broader open-source ecosystem participation, and deeper runtime-rule library through the Falco community. The buyer choice is architectural posture: agentless-primary with selective sensor (Wiz) versus agent-primary with broad sensor deployment (Sysdig). Both are credible; the right call depends on whether runtime depth or agentless breadth is the binding constraint.
Should I be worried about post-acquisition risk on Lacework, Ermetic, and Bridgecrew?
Yes, with different weights. Lacework (Fortinet, August 2024 at sharp down round from $8.3B peak): highest post-acquisition risk in the category, product velocity visibly slowed, customer churn through 2024 and 2025 documented, Fortinet stack is not the natural consolidation point for most CNAPP buyers. Treat as high-risk unless committed Fortinet-stack consolidator. Ermetic (Tenable, October 2023, $265M): moderate post-acquisition risk, integration into Tenable One unified platform is multi-quarter work, Ermetic-era roadmap commitments slipping per buyer disclosures, but Tenable is a stable public-company parent and the CIEM capability remains credible. Treat as a mid-tier choice for Tenable-stack buyers; verify roadmap commitments in writing. Bridgecrew (Palo Alto, February 2021, $156M): integration into Prisma Cloud took multiple quarters but is now substantially complete; the IaC and code-to-cloud capability is a defensible part of the Prisma Cloud platform, and the post-acquisition risk has largely cleared. The pattern matters: CNAPP acquisitions take 18 to 36 months to fully integrate, and product velocity often slows during integration; buyers should weigh post-acquisition risk explicitly in multi-year deals.

Final word

Looking at a different market? See the global CNAPP Software ranking, or pick another country at the top of this page.

Last updated 2026-05-23. Local pricing reverified quarterly. Found something inaccurate? Tell us.