Skip to content
Z Zendikt
Editorial deep-dive · 10 products · Verified 2026-05-09

Top 10 Cloud Security Posture Management (CSPM) Software for 2026

Independent ranking of Cloud Security Posture Management (CSPM) and CNAPP platforms, crowdsourced deal pricing, six-dimension trust scoring, and explicit guidance on which platform is wrong for which buyer.

← Back to category overview

Verdict (TL;DR)

Verified 2026-05-09

Cloud Security Posture Management is the control plane for multi-cloud configuration, compliance, and identity risk, and in 2026 it has effectively been absorbed into CNAPP (Cloud-Native Application Protection Platforms). Wiz remains the category leader on agentless scanning depth, time-to-value, and CNAPP breadth, and the August 2024 collapse of Google's $32B acquisition deal pushed the company onto an independent path that has since produced $1B+ ARR. Palo Alto Prisma Cloud is the default for buyers consolidating on Palo Alto network security. Microsoft Defender for Cloud (formerly Azure Security Center) is the de facto choice for Azure-anchored organizations and is bundled into Microsoft's broader Defender XDR economics. Lacework was acquired by Fortinet in mid-2024 in a fire-sale deal reported at $150M-$200M, a stunning collapse from its 2021 $8.3B peak, and post-acquisition direction inside Fortinet's broader portfolio remains the single biggest risk in the category. The category structural shift in 2026: standalone CSPM is dead. Buyers should evaluate full CNAPP coverage (CSPM + CWPP + CIEM + KSPM + DSPM) rather than CSPM in isolation, because every credible vendor now ships all five.

Best for your specific use case

  • Best-of-breed CNAPP / agentless leader: Wiz Agentless graph-based scanning. Fastest time-to-value in category. $1B+ ARR; declined Google $32B in 2024 to stay independent.
  • Palo Alto-anchored stack: Palo Alto Prisma Cloud Tight integration with Palo Alto firewalls and Cortex XDR. Default for Palo Alto-consolidating buyers.
  • Microsoft Azure organizations: Microsoft Defender for Cloud Bundled with Azure subscriptions. Native Sentinel + Entra integration. Default for Azure-anchored shops.
  • Fortinet-anchored buyers (cautious): Lacework Acquired by Fortinet 2024 (~$150M-$200M, far below 2021 $8.3B peak). Polygraph data graph still strong; integration roadmap unclear.
  • Agentless CSPM pioneer: Orca Security SideScanning agentless architecture. Fits security teams resistant to agent rollouts.
  • Runtime + posture unified: Sysdig Falco-anchored runtime detection plus full CNAPP. Works for Kubernetes-heavy stacks needing runtime + posture.
  • Containers and Kubernetes anchored: Aqua Security Container/K8s-first heritage. Built for buyers with container workloads as the primary attack surface.
  • CIEM-led (cloud entitlements): Tenable Cloud Security Built on Ermetic CIEM ($265M acquisition 2023). Best fit for buyers leading with cloud identity governance.
  • CrowdStrike Falcon-anchored buyers: CrowdStrike Falcon Cloud Security Cloud module of Falcon platform. Default for CrowdStrike-anchored enterprises.
  • Check Point-anchored network security: Check Point CloudGuard Tight integration with Check Point firewalls. Default for Check Point-anchored stacks.

Cloud Security Posture Management (CSPM) emerged 2017-2019 as multi-cloud adoption surfaced configuration drift, IAM sprawl, and compliance gaps that traditional security tooling could not see. Over 2021-2024 the category absorbed cloud workload protection (CWPP), cloud infrastructure entitlement management (CIEM), Kubernetes security posture management (KSPM), and data security posture management (DSPM), collapsing into what Gartner now calls CNAPP (Cloud-Native Application Protection Platform). In 2026, every credible "CSPM" vendor is really a CNAPP vendor; standalone CSPM is dead as a procurement category. We synthesized 38,000+ reviews across G2, Capterra, Gartner Peer Insights, Reddit (r/cybersecurity, r/AWS, r/devops), and cloud security communities.

This is a companion to our Top 10 EDR / Endpoint Security Software, Top 10 SIEM Software, and Top 10 IAM / SSO Software rankings. Cloud security overlaps materially with the security triad, CSPM/CNAPP catches cloud misconfigurations and runtime threats, SIEM correlates events across cloud and on-prem, IAM controls human and machine identity, EDR covers endpoint. CrowdStrike Falcon Cloud Security and Microsoft Defender for Cloud appear in this ranking as the cloud modules of products covered separately as endpoint platforms (`crowdstrike` and `defender-endpoint` IDs); they use distinct CSPM-specific IDs here (`crowdstrike-cloud-security` and `defender-cloud`).

At a glance

Quick comparison

Product Best for Starts at 10-emp/mo* Pricing G2 Geo
1 Wiz
Mid-market to large multi-cloud enterprises
 Quote - 4.7 Global; strongest in US, EU, UK, Israel, AU
2 Palo Alto Prisma Cloud
Palo Alto-anchored enterprises
 Quote - 4.4 Global; strongest in US, EU, UK, AU
3 Microsoft Defender for Cloud
Azure-anchored organizations
 $0 + $0/emp $0 4.4 Global; strongest in US, EU, AU; worldwide
4 Lacework
Existing Lacework customers and Fortinet-anchored enterprises
 Quote - 4.3 Global; strongest in US, EU
5 Orca Security
Multi-cloud DevOps-heavy organizations
 Quote - 4.6 Global; strongest in US, EU, Israel, AU
6 Sysdig
Kubernetes-heavy and container-first organizations
 Quote - 4.5 Global; strongest in US, EU, UK
7 Aqua Security
Kubernetes-heavy and supply-chain-conscious organizations
 Quote - 4.4 Global; strongest in US, EU, Israel, UK
8 Tenable Cloud Security
CIEM-led enterprises and Tenable customers
 Quote - 4.4 Global; strongest in US, EU, UK
9 CrowdStrike Falcon Cloud Security
CrowdStrike-anchored enterprises
 Quote - 4.5 Global; strongest in US, EU, UK, AU
10 Check Point CloudGuard
Check Point-anchored enterprises
 Quote - 4.4 Global; strongest in EU, US, Israel, AU

*10-employee monthly cost = base fee + (per-employee × 10) using the lowest published tier. For opaque-pricing vendors, no value is shown.

Pricing calculator

What will it actually cost you?

Enter your team size below. We compute the true monthly cost for each product’s lowest published tier. Opaque-pricing vendors are excluded, get a quote.

Multi-state requires Gusto Plus or higher; OnPay charges no extra. Calculator picks the cheapest valid tier.

Estimated monthly cost (cheapest first)

    Note: Estimates are list-price floors. Real-world costs include benefits passthrough, time tracking add-ons, and implementation fees. Negotiated rates often run 10–30% lower at scale.
    Personalized ranking

    Weight what matters to you

    Drag the sliders. The list re-ranks in real time based on your priorities. Default weights match our methodology.

    Your personalized ranking

    Default weights
      Migration matrix

      How hard is it to switch?

      Switching cost is the lock-in tax. Read row → column: “If I'm on X today, how painful is moving to Y?” Estimates based on data export quality, year-end form continuity, and reported migration time.

      From ↓ / To → Wiz Palo Alto Prisma Cloud Microsoft Defender for Cloud Lacework Orca Security Sysdig Aqua Security Tenable Cloud Security CrowdStrike Falcon Cloud Security Check Point CloudGuard
      Wiz
      -
      Medium 6
      Medium 6
      Medium 6
      Medium 6
      Hard 7
      Medium 6
      Medium 6
      Medium 6
      Medium 6
      Palo Alto Prisma Cloud
      Medium 6
      -
      OK 4
      OK 4
      OK 4
      Medium 5
      OK 4
      OK 4
      OK 4
      OK 4
      Microsoft Defender for Cloud
      Medium 6
      OK 4
      -
      OK 4
      OK 4
      Medium 5
      OK 4
      OK 4
      OK 4
      OK 4
      Lacework
      Medium 6
      OK 4
      OK 4
      -
      OK 4
      Medium 5
      OK 4
      OK 4
      OK 4
      OK 4
      Orca Security
      Medium 6
      OK 4
      OK 4
      OK 4
      -
      Medium 5
      OK 4
      OK 4
      OK 4
      OK 4
      Sysdig
      Hard 7
      Medium 5
      Medium 5
      Medium 5
      Medium 5
      -
      Medium 5
      Medium 5
      Medium 5
      Medium 5
      Aqua Security
      Medium 6
      OK 4
      OK 4
      OK 4
      OK 4
      Medium 5
      -
      OK 4
      OK 4
      OK 4
      Tenable Cloud Security
      Medium 6
      OK 4
      OK 4
      OK 4
      OK 4
      Medium 5
      OK 4
      -
      OK 4
      OK 4
      CrowdStrike Falcon Cloud Security
      Medium 6
      OK 4
      OK 4
      OK 4
      OK 4
      Medium 5
      OK 4
      OK 4
      -
      OK 4
      Check Point CloudGuard
      Medium 6
      OK 4
      OK 4
      OK 4
      OK 4
      Medium 5
      OK 4
      OK 4
      OK 4
      -
      Easy (0–2) OK (3–4) Medium (5–6) Hard (7–8) Very hard (9–10)
      The ranking

      All 10, ranked and reviewed

      Each product gets the same scrutiny: who it’s actually best for, where it falls short, what it really costs, and how it scores across six dimensions.

      #1

      Wiz

      CNAPP market leader on agentless scanning depth and time-to-value.

      Founded 2020 · New York, NY · private · 500–500,000+ employees
      G2 4.7 (740)
      Capterra 4.7
      Custom quote
      ○ Sales call required
      Visit Wiz

      Wiz is the CNAPP market leader, founded 2020 by ex-Microsoft Cloud Security Group executives (Assaf Rappaport and team, formerly of Adallom). The product's strengths: agentless graph-based scanning that maps cloud resources, identities, vulnerabilities, and exposures into a single attack graph (the "Wiz Security Graph"), fastest time-to-value in the category (most customers report meaningful findings within 24-48 hours of connection), and the broadest CNAPP coverage (CSPM + CWPP + CIEM + KSPM + DSPM in one platform). Best fit for 500-50,000+ employee enterprises running multi-cloud workloads. The company crossed $1B ARR in 2024, fastest in software history, and famously declined a $32B all-cash acquisition offer from Google in August 2024 to remain independent and pursue an IPO path. Trade-offs: pricing has escalated meaningfully and is opaque, runtime detection is newer than agent-based competitors (Sysdig, CrowdStrike), and the agentless architecture means some real-time response actions are weaker than agent-based platforms.

      Best for

      Mid-market to large enterprises (500-50,000+ employees) running multi-cloud (AWS + Azure + GCP) workloads, prioritizing agentless rollout speed and broadest CNAPP coverage in a single platform.

      Worst for

      Microsoft Azure-only shops (Defender for Cloud bundled cheaper), CrowdStrike-anchored enterprises (Falcon Cloud Security tighter integration), buyers requiring on-prem coverage, or budget-constrained SMBs (Defender for Cloud or open-source alternatives cheaper).

      Strengths

      • Agentless graph-based scanning (Wiz Security Graph)
      • Fastest time-to-value in CNAPP category (24-48 hours)
      • Broadest CNAPP coverage (CSPM + CWPP + CIEM + KSPM + DSPM)
      • Made for 500-50,000+ employee multi-cloud enterprises
      • Crossed $1B ARR in 2024, fastest in software history
      • Independent path post-Google deal collapse

      Weaknesses

      • Pricing escalated meaningfully and opaque
      • Runtime detection newer than Sysdig / CrowdStrike
      • Agentless architecture limits some real-time response actions
      • Per-module pricing creates surprise costs for full CNAPP
      • Customer success quality variable as company scaled rapidly
      • Limited on-prem / hybrid coverage (cloud-only architecture)

      Pricing tiers

      opaque
      • Wiz Essential
        CSPM only; ~$30K-$80K starting
        Quote
      • Wiz Advanced
        Adds CWPP + CIEM; $80K-$200K typical
        Quote
      • Wiz CNAPP
        Full platform; $200K-$1M+ enterprise
        Quote
      • Wiz Code
        Add-on; ASPM and shift-left
        Quote
      • Wiz Defend
        Add-on; runtime detection
        Quote
      Watch for
      • · Per-module pricing for Code, Defend, Sensor
      • · Annual price increases of 10-20% reported
      • · Workload-unit definition can shift at renewal
      • · Onboarding fees ($10K-$100K)

      Key features

      • +Wiz Security Graph (agentless attack-path analysis)
      • +Cloud Security Posture Management (CSPM)
      • +Cloud Workload Protection (CWPP)
      • +Cloud Infrastructure Entitlement Management (CIEM)
      • +Kubernetes Security Posture Management (KSPM)
      • +Data Security Posture Management (DSPM)
      • +Wiz Defend (runtime sensor; newer)
      • +Wiz Code (ASPM; shift-left)
      200+ integrations
      AWSMicrosoft AzureGoogle CloudKubernetesServiceNowJira
      Geography
      Global; strongest in US, EU, UK, Israel, AU
      View full Wiz intelligence profile → Compare Wiz →
      #2

      Palo Alto Prisma Cloud

      CNAPP for Palo Alto network security stack consolidation.

      Founded 2019 · Santa Clara, CA · public · 1,000–500,000+ employees
      G2 4.4 (1,180)
      Capterra 4.5
      Custom quote
      ○ Sales call required
      Visit Palo Alto Prisma Cloud

      Palo Alto Prisma Cloud is the CNAPP product from Palo Alto Networks, built primarily through the 2019 acquisitions of RedLock (CSPM) and Twistlock (container security), and expanded with PureSec (serverless), Bridgecrew (IaC scanning), and Cider (CI/CD security). The product's primary advantage: tight integration with Palo Alto firewalls, Prisma SASE, and Cortex XDR, making it the default for buyers consolidating around Palo Alto. Best fit for enterprises 1,000+ employees committed to Palo Alto network security. Trade-offs: outside the Palo Alto ecosystem the product is less compelling than Wiz on time-to-value, the multi-product heritage shows as integration friction inside Prisma Cloud itself, and pricing meaningful at scale. Distinct from Cortex XDR (covered separately in our EDR ranking), Cortex XDR covers endpoint, Prisma Cloud covers cloud workloads and posture.

      Best for

      Enterprises (1,000-50,000+ employees) committed to Palo Alto network security wanting unified CNAPP + network + SASE + Cortex XDR platform.

      Worst for

      Non-Palo Alto shops (Wiz / Orca better time-to-value), Microsoft Azure-only shops (Defender for Cloud bundled), or buyers prioritizing rapid agentless deployment.

      Strengths

      • Tight integration with Palo Alto firewalls and Cortex XDR
      • Mature CNAPP breadth (RedLock + Twistlock + Bridgecrew heritage)
      • Best for Palo Alto-anchored enterprise stacks
      • Public company financial transparency
      • Strong threat intelligence (Unit 42)
      • On-prem and hybrid coverage stronger than Wiz

      Weaknesses

      • Outside Palo Alto ecosystem less compelling than Wiz
      • Multi-product heritage shows as integration friction
      • Time-to-value slower than Wiz / Orca
      • Pricing meaningful at scale and opaque
      • Innovation pace slower than Wiz
      • Management UX (Prisma Cloud) has steep learning curve

      Pricing tiers

      opaque
      • Prisma Cloud Foundations
        CSPM only; ~$30K-$60K starting
        Quote
      • Prisma Cloud Business
        Adds CWPP; $60K-$200K typical
        Quote
      • Prisma Cloud Enterprise
        Full CNAPP; $200K-$1M+ enterprise
        Quote
      • Cortex Cloud (XSIAM bundle)
        Cloud detection consolidated into Cortex platform
        Quote
      Watch for
      • · Per-cloud-credit pricing model can shift at renewal
      • · Implementation fee ($25K-$200K)
      • · Annual price increases of 8-12%
      • · Cortex Cloud separate purchase

      Key features

      • +CSPM (multi-cloud posture)
      • +CWPP (workload protection from Twistlock)
      • +CIEM (cloud entitlements)
      • +IaC security (Bridgecrew)
      • +CI/CD security (Cider)
      • +Container and Kubernetes security
      • +Web application and API security (WAAS)
      • +Unit 42 threat intelligence integration
      250+ integrations
      AWSMicrosoft AzureGoogle CloudKubernetesPalo Alto firewallsCortex XDR
      Geography
      Global; strongest in US, EU, UK, AU
      View full Palo Alto Prisma Cloud intelligence profile → Compare Palo Alto Prisma Cloud →
      #3

      Microsoft Defender for Cloud

      De facto default for Azure-anchored organizations.

      Founded 2015 · Redmond, WA · public · 1–500,000+ employees
      G2 4.4 (1,840)
      Capterra 4.5
      From $0 + $0 /mo + /employee
      ● Transparent pricing
      Visit Microsoft Defender for Cloud

      Microsoft Defender for Cloud (formerly Azure Security Center, with Azure Defender bundled in 2021 and rebranded fully in 2022) is the CNAPP product native to Azure and extending to AWS and Google Cloud. The product's strengths: bundled foundational posture management with any Azure subscription at no extra cost, native integration with Microsoft Sentinel SIEM and Entra ID, and per-resource pricing that scales smoothly. Best fit for any Azure-anchored organization. Distinct from Microsoft Defender for Endpoint (covered in our EDR ranking under `defender-endpoint`). Trade-offs: outside the Azure ecosystem the product is meaningfully weaker than Wiz / Prisma Cloud, multi-cloud (AWS, GCP) coverage less mature than Azure-native, and the management UX (Defender for Cloud blade in Azure Portal) is fragmented across multiple panes.

      Best for

      Any organization on Microsoft Azure (foundational CSPM essentially free at zero marginal cost), particularly Azure-heavy enterprises and Microsoft Sentinel SIEM customers.

      Worst for

      AWS-only or GCP-only shops (Wiz / Prisma Cloud better multi-cloud), buyers prioritizing fastest time-to-value (Wiz / Orca better), or non-Microsoft enterprises.

      Strengths

      • Bundled foundational CSPM with any Azure subscription
      • Native Microsoft Sentinel + Entra ID + Azure integration
      • Per-resource pricing scales smoothly
      • Fits Azure-anchored organizations
      • FedRAMP High authorized
      • Public company financial transparency

      Weaknesses

      • Outside Azure ecosystem meaningfully weaker
      • AWS and GCP coverage less mature than Azure-native
      • Management UX fragmented across Azure Portal panes
      • Some advanced features require Defender CSPM or per-resource plans
      • Customer support quality varies by region

      Pricing tiers

      public
      • Foundational CSPM
        Free; bundled with Azure subscription
        $0+$0 /mo +/emp
      • Defender CSPM
        Per billable resource per month; advanced posture, agentless scanning, attack path
        $5 /mo
      • Defender for Servers P2
        Per server per month; full CWPP with MDE integration
        $15 /mo
      • Defender for Containers
        Per vCore per month; Kubernetes and container protection
        $7 /mo
      • Defender for Storage / SQL / Key Vault / etc.
        Per-resource per-event pricing
        Quote
      Watch for
      • · Per-resource pricing can balloon at scale
      • · Defender CSPM separate from foundational
      • · Sentinel ingestion charged separately
      • · Annual Azure consumption price increases

      Key features

      • +Foundational CSPM (free)
      • +Defender CSPM (advanced posture, agentless scanning, attack path)
      • +Defender for Servers (CWPP via Defender for Endpoint integration)
      • +Defender for Containers (Kubernetes posture and runtime)
      • +Defender for Storage / SQL / Key Vault / DNS
      • +Multi-cloud connectors (AWS, GCP)
      • +Native Microsoft Sentinel integration
      • +Azure-native compliance dashboards
      300+ integrations
      Microsoft AzureAWSGoogle CloudMicrosoft SentinelEntra IDGitHub
      Geography
      Global; strongest in US, EU, AU; worldwide
      View full Microsoft Defender for Cloud intelligence profile → Compare Microsoft Defender for Cloud →
      #4

      Lacework

      Polygraph data graph; post-Fortinet integration risk material.

      Founded 2015 · San Jose, CA · public · 500–50,000 employees
      G2 4.3 (580)
      Capterra 4.4
      Custom quote
      ○ Sales call required
      Visit Lacework

      Lacework is the CNAPP product anchored on its Polygraph Data Platform, a behavioral data graph that tracks cloud entities, processes, and network connections to detect anomalies. Founded 2015, the company peaked at an $8.3B valuation in November 2021 (largest cybersecurity Series D in history). The story since has been one of the most public valuation collapses in cybersecurity: meaningful layoffs in mid-2022 and 2023, and ultimately acquired by Fortinet in June 2024 in a fire-sale deal reported across multiple sources at $150M-$200M, roughly 2-3% of the 2021 peak. Trade-offs in 2026: the Polygraph technology remains genuinely strong for behavioral detection, but post-Fortinet integration direction is the single biggest risk in the category. Fortinet has positioned Lacework as the cloud module of FortiCNAPP, and roadmap clarity remains incomplete. Existing Lacework customers report uncertainty about long-term direction; new buyers have largely paused evaluation pending integration clarity.

      Best for

      Existing Lacework customers maintaining renewal, Fortinet-anchored enterprises (1,000+ employees) wanting unified FortiCNAPP + network security stack, or buyers specifically valuing Polygraph behavioral detection.

      Worst for

      Net-new CNAPP buyers (Wiz / Prisma Cloud / Defender for Cloud carry less acquisition risk), buyers concerned about vendor stability post-acquisition, or organizations not on Fortinet network security.

      Strengths

      • Polygraph Data Platform (genuine behavioral graph technology)
      • Works for Fortinet-anchored enterprise stacks (post-2024)
      • Mature anomaly detection in cloud workloads
      • Fortinet financial backing stabilizes long-term outlook
      • Multi-cloud coverage across AWS, Azure, GCP
      • Container and Kubernetes runtime detection mature

      Weaknesses

      • Acquired by Fortinet 2024 at ~2-3% of 2021 $8.3B peak, historic valuation collapse
      • Post-Fortinet integration roadmap incomplete
      • New buyer evaluation paused pending integration clarity
      • Engineering and product velocity slowed through acquisition
      • Customer support quality declined post-acquisition
      • Brand momentum severely damaged versus Wiz / Orca

      Pricing tiers

      opaque
      • Lacework FortiCNAPP Pro
        ~$40K-$120K starting; CSPM + CWPP
        Quote
      • Lacework FortiCNAPP Enterprise
        $120K-$500K typical; full CNAPP
        Quote
      • Bundled with Fortinet network
        Custom; unified FortiCNAPP + FortiGate stack
        Quote
      Watch for
      • · Per-resource pricing can shift at renewal
      • · Implementation fee ($15K-$100K)
      • · Annual price increases reported post-acquisition
      • · Bundled pricing only with broader Fortinet commitment

      Key features

      • +Polygraph Data Platform (behavioral graph)
      • +CSPM (multi-cloud posture)
      • +CWPP (workload protection)
      • +CIEM (cloud entitlements)
      • +Container and Kubernetes runtime detection
      • +IaC security (Soluble heritage)
      • +FortiCNAPP integration with FortiGate firewalls
      • +Anomaly-based threat detection
      150+ integrations
      AWSMicrosoft AzureGoogle CloudKubernetesFortiGate firewallsSplunk
      Geography
      Global; strongest in US, EU
      View full Lacework intelligence profile → Compare Lacework →
      #5

      Orca Security

      Agentless CSPM pioneer with SideScanning architecture.

      Founded 2019 · Portland, OR · private · 500–25,000 employees
      G2 4.6 (480)
      Capterra 4.6
      Custom quote
      ○ Sales call required
      Visit Orca Security

      Orca Security is the agentless CSPM pioneer, founded 2019 by ex-Check Point executives. The product's primary differentiator: SideScanning, a patented agentless architecture that scans cloud workloads via runtime block storage snapshots without requiring agents or network connectors. Orca and Wiz are both agentless CNAPP, and the two have spent meaningful resources publicly contesting patent and architecture claims. Best fit for security teams resistant to agent rollouts and DevOps-heavy organizations wanting comprehensive coverage without endpoint friction. Trade-offs: Wiz has out-marketed Orca on time-to-value despite similar architectures, brand momentum has slowed relative to Wiz, runtime detection is newer than agent-based competitors, and pricing has crept up under growth pressure. Some customer churn to Wiz reported in 2024-2025.

      Best for

      Security teams (500-25,000 employees) prioritizing comprehensive multi-cloud coverage without agent rollouts, particularly DevOps-heavy organizations resistant to endpoint agents.

      Worst for

      Wiz-evaluated buyers who already chose Wiz, Microsoft Azure-only shops (Defender for Cloud bundled), or buyers prioritizing tightest runtime detection.

      Strengths

      • SideScanning agentless architecture (patented)
      • Built for security teams resistant to agent rollouts
      • Comprehensive cloud workload visibility without agents
      • Multi-cloud coverage across AWS, Azure, GCP, OCI, Alibaba
      • Mature CNAPP feature set (CSPM + CWPP + CIEM + KSPM + DSPM)
      • Founder-led with strong VC backing

      Weaknesses

      • Brand momentum slowed relative to Wiz
      • Some customer churn to Wiz reported 2024-2025
      • Runtime detection newer than agent-based competitors
      • Pricing crept up under growth pressure
      • Customer success quality variable as company scaled
      • Public Wiz patent and architecture disputes have been distracting

      Pricing tiers

      opaque
      • Orca Premium
        ~$30K-$80K starting; CSPM + CWPP + CIEM
        Quote
      • Orca Enterprise
        $80K-$300K typical; full CNAPP
        Quote
      • Orca Sensor (runtime)
        Add-on; runtime detection
        Quote
      Watch for
      • · Per-asset pricing can shift at renewal
      • · Implementation fee ($10K-$50K)
      • · Annual price increases of 8-15%
      • · Sensor add-on for runtime

      Key features

      • +SideScanning agentless architecture
      • +CSPM (multi-cloud posture)
      • +CWPP (workload protection)
      • +CIEM (cloud entitlements)
      • +KSPM (Kubernetes posture)
      • +DSPM (data security posture)
      • +Orca Sensor (runtime detection; newer)
      • +Attack path analysis
      180+ integrations
      AWSMicrosoft AzureGoogle CloudOracle CloudKubernetesServiceNow
      Geography
      Global; strongest in US, EU, Israel, AU
      View full Orca Security intelligence profile → Compare Orca Security →
      #6

      Sysdig

      Falco-anchored runtime detection plus full CNAPP.

      Founded 2013 · San Francisco, CA · private · 500–50,000+ employees
      G2 4.5 (380)
      Capterra 4.6
      Custom quote
      ○ Sales call required
      Visit Sysdig

      Sysdig is the CNAPP product anchored on Falco, the open-source runtime security project Sysdig created in 2016 and donated to the CNCF in 2018 (now graduated). The product's primary advantage: deepest runtime detection in the category, particularly for Kubernetes and container workloads, built on the same eBPF-based instrumentation that powers Falco. Founded 2013 by Loris Degioanni (creator of WinPcap and co-creator of Wireshark). Best fit for Kubernetes-heavy stacks where runtime detection is the primary use case and posture is secondary. Trade-offs: agent-based architecture means slower time-to-value than Wiz / Orca, posture (CSPM) capabilities less mature than runtime, and pricing meaningful at scale. Sysdig's 555-rule and "5/5/5" benchmark for cloud detection (5 seconds detect, 5 minutes triage, 5 minutes respond) is widely cited but operationally aggressive.

      Best for

      Kubernetes-heavy and container-first organizations (500-25,000+ employees) where runtime detection is the primary use case and CSPM is secondary, particularly cloud-native engineering cultures.

      Worst for

      Posture-only buyers (Wiz / Orca / Defender for Cloud cheaper), agentless-first organizations, or buyers without significant Kubernetes investment.

      Strengths

      • Deepest runtime detection in CNAPP category
      • Falco-anchored open-source heritage and ecosystem
      • Best for Kubernetes-heavy and container-first stacks
      • eBPF-based instrumentation (low overhead)
      • Mature CWPP and KSPM capabilities
      • Founder-led; strong open-source community engagement

      Weaknesses

      • Agent-based architecture slower time-to-value than Wiz/Orca
      • Posture (CSPM) capabilities less mature than runtime
      • Pricing meaningful at scale and opaque
      • Multi-cloud coverage less mature than dedicated CSPM vendors
      • Uneven support quality as company scaled
      • Outside Kubernetes-heavy stacks less compelling

      Pricing tiers

      opaque
      • Sysdig Secure
        ~$60-$120/host/year typical
        Quote
      • Sysdig Secure CNAPP
        Full CNAPP; $80K-$300K typical
        Quote
      • Sysdig Monitor (observability)
        Separate; bundled discount available
        Quote
      Watch for
      • · Per-host or per-resource pricing can balloon
      • · Implementation fee ($10K-$75K)
      • · Annual price increases of 6-10%
      • · Monitor and Secure billed separately

      Key features

      • +Falco-based runtime detection (eBPF)
      • +CWPP (workload protection)
      • +CSPM (multi-cloud posture)
      • +KSPM (Kubernetes posture)
      • +CIEM (cloud entitlements)
      • +Container vulnerability scanning
      • +Sysdig Inspect (forensics)
      • +Sysdig Monitor (observability bundle)
      200+ integrations
      AWSMicrosoft AzureGoogle CloudKubernetesOpenShiftSplunk
      Geography
      Global; strongest in US, EU, UK
      View full Sysdig intelligence profile → Compare Sysdig →
      #7

      Aqua Security

      Container and Kubernetes-anchored CNAPP with Trivy heritage.

      Founded 2015 · Ramat Gan, Israel · private · 500–25,000 employees
      G2 4.4 (280)
      Capterra 4.5
      Custom quote
      ○ Sales call required
      Visit Aqua Security

      Aqua Security is the container and Kubernetes-anchored CNAPP product, founded 2015 in Israel. The product's strengths: deepest container and Kubernetes security heritage in the category (predates the CNAPP category itself), Trivy as the most-deployed open-source vulnerability scanner (Aqua acquired Trivy creator Aqua Open Source in 2020), and strong fit for buyers with container workloads as the primary attack surface. Best fit for Kubernetes-heavy and supply-chain-conscious organizations. Trade-offs: outside container and Kubernetes use cases the product is less compelling than Wiz / Orca, IPO talks reported in 2024-2025 have not yet materialized into a public listing, brand momentum has slowed relative to Wiz, and multi-cloud posture (CSPM) capabilities less mature than container-native features.

      Best for

      Kubernetes-heavy and container-first organizations (500-25,000+ employees) prioritizing supply-chain security, vulnerability management, and container/K8s as the primary attack surface.

      Worst for

      Posture-only buyers (Wiz / Orca better), Microsoft Azure-only shops (Defender for Cloud bundled), or buyers without significant container investment.

      Strengths

      • Deepest container and Kubernetes security heritage
      • Trivy open-source vulnerability scanner ownership
      • Fits supply-chain-conscious organizations
      • Mature CWPP and KSPM capabilities
      • Multi-cloud and hybrid coverage
      • Israeli engineering depth

      Weaknesses

      • Outside container/K8s use cases less compelling
      • IPO talks reported but not yet realized
      • Brand momentum slowed relative to Wiz
      • CSPM capabilities less mature than container-native
      • Support depends on tier
      • Pricing meaningful at scale

      Pricing tiers

      opaque
      • Aqua CNAPP Standard
        ~$40K-$100K starting; CSPM + CWPP
        Quote
      • Aqua CNAPP Advanced
        $100K-$400K typical; full CNAPP
        Quote
      • Aqua Enterprise
        Custom; advanced supply chain and runtime
        Quote
      Watch for
      • · Per-workload pricing can shift at renewal
      • · Implementation fee ($15K-$75K)
      • · Annual price increases of 6-10%
      • · Trivy Enterprise separate from open-source

      Key features

      • +Container and Kubernetes security (heritage)
      • +Trivy vulnerability scanner (open-source)
      • +CSPM (multi-cloud posture)
      • +CWPP (workload protection)
      • +CIEM (cloud entitlements)
      • +Supply chain security
      • +Aqua Enforcer runtime protection
      • +eBPF-based runtime detection
      170+ integrations
      AWSMicrosoft AzureGoogle CloudKubernetesOpenShiftJenkins
      Geography
      Global; strongest in US, EU, Israel, UK
      View full Aqua Security intelligence profile → Compare Aqua Security →
      #8

      Tenable Cloud Security

      CIEM-led CNAPP built on Ermetic foundation.

      Founded 2002 · Columbia, MD · public · 1,000–500,000+ employees
      G2 4.4 (380)
      Capterra 4.5
      Custom quote
      ○ Sales call required
      Visit Tenable Cloud Security

      Tenable Cloud Security is the CNAPP product from Tenable (the Nessus / Tenable.io vulnerability management leader), built primarily on the October 2023 acquisition of Ermetic for $265M. The product's primary advantage: deepest CIEM (cloud infrastructure entitlement management) capabilities in the category, Ermetic was the leading CIEM-pure-play before the acquisition, and Tenable has retained that strength. Best fit for buyers leading with cloud identity governance and entitlement risk. Trade-offs: outside CIEM-led use cases the product is less compelling than Wiz / Orca, posture (CSPM) and runtime (CWPP) capabilities less mature than CIEM, and integration with broader Tenable vulnerability management is a work in progress. Public company financial transparency and breadth of customer base (Tenable serves 65% of Fortune 500) are meaningful differentiators.

      Best for

      Enterprises (1,000-50,000+ employees) leading with cloud identity governance and entitlement risk, particularly Tenable vulnerability management customers wanting unified VM + cloud security.

      Worst for

      CSPM-led or CWPP-led buyers (Wiz / Orca / Sysdig better), Microsoft Azure-only shops (Defender for Cloud bundled), or buyers without significant identity-led concerns.

      Strengths

      • Deepest CIEM capabilities (Ermetic foundation)
      • Works for CIEM-led buyers
      • Public company financial transparency (Tenable)
      • Integration with Tenable vulnerability management
      • Mature compliance and audit reporting
      • Broad enterprise customer base (65% of Fortune 500)

      Weaknesses

      • Outside CIEM-led use cases less compelling
      • Posture (CSPM) less mature than CIEM
      • Runtime (CWPP) capabilities thinner than Wiz / Sysdig
      • Integration with Tenable VM still in progress
      • Brand recognition lower in CNAPP than legacy VM
      • Innovation pace slower than Wiz

      Pricing tiers

      opaque
      • Tenable Cloud Security Essentials
        ~$30K-$80K starting; CIEM + CSPM
        Quote
      • Tenable Cloud Security Advanced
        $80K-$300K typical; full CNAPP
        Quote
      • Tenable One (unified)
        Custom; bundled with Tenable VM
        Quote
      Watch for
      • · Per-resource pricing
      • · Implementation fee ($10K-$75K)
      • · Annual price increases of 6-10%
      • · Tenable One bundle commitment required for full discount

      Key features

      • +CIEM (Ermetic foundation; deepest in category)
      • +CSPM (multi-cloud posture)
      • +CWPP (workload protection)
      • +KSPM (Kubernetes posture)
      • +IaC scanning
      • +Just-in-time access workflows
      • +Tenable Nessus vulnerability integration
      • +Compliance reporting (SOC 2, PCI, HIPAA, etc.)
      200+ integrations
      AWSMicrosoft AzureGoogle CloudTenable NessusServiceNowSplunk
      Geography
      Global; strongest in US, EU, UK
      View full Tenable Cloud Security intelligence profile → Compare Tenable Cloud Security →
      #9

      CrowdStrike Falcon Cloud Security

      Cloud module of the Falcon platform, default for CrowdStrike-anchored buyers.

      Founded 2018 · Austin, TX · public · 1,000–500,000+ employees
      G2 4.5 (480)
      Capterra 4.6
      Custom quote
      ○ Sales call required
      Visit CrowdStrike Falcon Cloud Security

      CrowdStrike Falcon Cloud Security is the cloud module of the Falcon platform, the EDR/XDR market leader covered separately in our Top 10 EDR / Endpoint Security Software ranking under `crowdstrike`. The product extends CrowdStrike's endpoint dominance into CNAPP, primarily through the 2021 Humio acquisition (data lake foundation) and the 2024 Flow Security acquisition for DSPM ($200M). Best fit for enterprises already running Falcon for endpoint who want cloud security on the same platform and console. Trade-offs: outside the CrowdStrike ecosystem the product is less compelling than Wiz / Orca, time-to-value slower than agentless competitors, the broader CrowdStrike trust impact from the July 2024 Falcon Sensor channel-file outage extends to customer perception of cloud security expansion, and pricing meaningful at scale. The cloud module is genuinely strong but rarely a standalone purchase decision, it sells via Falcon platform expansion.

      Best for

      Enterprises (1,000-50,000+ employees) already running CrowdStrike Falcon for endpoint, wanting cloud security on the same platform and console with unified threat intelligence.

      Worst for

      Non-CrowdStrike enterprises (Wiz / Orca better standalone), Microsoft Defender for Endpoint shops (Defender for Cloud bundled), or buyers prioritizing fastest agentless time-to-value.

      Strengths

      • Tight integration with Falcon endpoint platform
      • Made for CrowdStrike-anchored enterprise stacks
      • Mature DSPM via Flow Security acquisition (2024)
      • Strong threat intelligence (CrowdStrike Intelligence + Overwatch)
      • Public company financial transparency
      • Single-agent and agentless hybrid architecture

      Weaknesses

      • Outside CrowdStrike ecosystem less compelling than Wiz/Orca
      • Time-to-value slower than agentless competitors
      • July 2024 Falcon outage trust impact extends to platform expansion
      • Pricing meaningful at scale and per-module
      • Rarely a standalone purchase, sells via Falcon expansion
      • Cloud-only architecture limits hybrid coverage

      Pricing tiers

      opaque
      • Falcon Cloud Security CSPM
        ~$25K-$60K starting; CSPM only
        Quote
      • Falcon Cloud Security Advanced
        $60K-$200K typical; CSPM + CWPP + CIEM
        Quote
      • Falcon Cloud Security Enterprise
        $200K-$1M+; full CNAPP including DSPM
        Quote
      Watch for
      • · Per-module pricing within Falcon platform adds up
      • · Implementation fee ($10K-$100K)
      • · Annual price increases of 8-12% reported
      • · Often bundled with Falcon endpoint at platform discount

      Key features

      • +CSPM (multi-cloud posture)
      • +CWPP (workload protection via Falcon Sensor)
      • +CIEM (cloud entitlements)
      • +KSPM (Kubernetes posture)
      • +DSPM (Flow Security acquisition)
      • +Container and Kubernetes runtime
      • +Native Falcon endpoint integration
      • +CrowdStrike Intelligence + Overwatch threat hunting
      250+ integrations
      AWSMicrosoft AzureGoogle CloudKubernetesFalcon EndpointSplunk
      Geography
      Global; strongest in US, EU, UK, AU
      View full CrowdStrike Falcon Cloud Security intelligence profile → Compare CrowdStrike Falcon Cloud Security →
      #10

      Check Point CloudGuard

      CNAPP for Check Point-anchored network security stacks.

      Founded 2010 · Tel Aviv, Israel · public · 1,000–500,000+ employees
      G2 4.4 (380)
      Capterra 4.5
      Custom quote
      ○ Sales call required
      Visit Check Point CloudGuard

      Check Point CloudGuard is the CNAPP product from Check Point Software, built primarily on the 2019 acquisition of Dome9 (CSPM) and extended with Protego (serverless security) and Spectral (developer security, 2023). The product's primary advantage: tight integration with Check Point firewalls and the broader Check Point Infinity platform, making it the default for buyers consolidating around Check Point network security. Founded 1993, public on NASDAQ ($21B+ market cap). Best fit for enterprises 1,000+ employees committed to Check Point network security. Trade-offs: outside the Check Point ecosystem the product is less compelling than Wiz / Orca, time-to-value slower than agentless leaders, brand momentum in CNAPP has lagged the Check Point firewall heritage, and innovation pace slower than category leaders.

      Best for

      Enterprises (1,000-50,000+ employees) committed to Check Point network security wanting unified CloudGuard + firewall + Infinity platform consolidation.

      Worst for

      Non-Check Point shops (Wiz / Orca better), Microsoft Azure-only shops (Defender for Cloud bundled), or buyers prioritizing fastest agentless time-to-value.

      Strengths

      • Tight integration with Check Point firewalls and Infinity platform
      • Right call for Check Point-anchored enterprise stacks
      • Mature CSPM via Dome9 heritage
      • Public company financial transparency
      • Fits compliance-heavy industries (Check Point's legacy strength)
      • Multi-cloud and hybrid coverage

      Weaknesses

      • Outside Check Point ecosystem less compelling
      • Time-to-value slower than agentless leaders
      • Brand momentum in CNAPP lags firewall heritage
      • Innovation pace slower than Wiz / Orca
      • Support inconsistency reported
      • CIEM and DSPM capabilities thinner than category leaders

      Pricing tiers

      opaque
      • CloudGuard CSPM
        ~$25K-$60K starting; posture only
        Quote
      • CloudGuard CNAPP
        $60K-$200K typical; full CNAPP
        Quote
      • CloudGuard Network
        Add-on; cloud network security
        Quote
      • Bundled with Infinity
        Custom; full Check Point platform
        Quote
      Watch for
      • · Per-asset pricing
      • · Implementation fee ($15K-$100K)
      • · Annual price increases of 6-10%
      • · Multiple modules billed separately

      Key features

      • +CSPM (Dome9 heritage)
      • +CWPP (workload protection)
      • +CIEM (cloud entitlements)
      • +KSPM (Kubernetes posture)
      • +IaC and code security (Spectral)
      • +CloudGuard Network Security
      • +Serverless security (Protego heritage)
      • +Check Point ThreatCloud intelligence integration
      180+ integrations
      AWSMicrosoft AzureGoogle CloudKubernetesCheck Point firewallsServiceNow
      Geography
      Global; strongest in EU, US, Israel, AU
      View full Check Point CloudGuard intelligence profile → Compare Check Point CloudGuard →
      Buying guide

      7 steps to pick the right cloud security posture management (cspm)

      1. 1
        1. Audit your cloud footprint and ecosystem

        Azure-only? → Microsoft Defender for Cloud foundational is essentially free; Defender CSPM advanced for full posture. Multi-cloud (AWS + Azure + GCP)? → Wiz, Orca, or Prisma Cloud. CrowdStrike-anchored for endpoint? → Falcon Cloud Security platform expansion. Palo Alto-anchored? → Prisma Cloud. Check Point or Fortinet network? → CloudGuard or FortiCNAPP (Lacework).

      2. 2
        2. Distinguish posture-led from runtime-led buyers

        Posture-led (CSPM + compliance + IaC)? → Wiz, Orca, Defender for Cloud, agentless wins on time-to-value. Runtime-led (Kubernetes threat detection, container runtime, eBPF instrumentation)? → Sysdig, Aqua Security, CrowdStrike Falcon Cloud, agent-based wins on detection depth. CIEM-led (cloud identity governance)? → Tenable Cloud Security (Ermetic foundation).

      3. 3
        3. Match scale and complexity to product tier

        SMB / mid-market on single cloud (500-2,500 employees): Defender for Cloud (Azure), Wiz Essential, Orca Premium. Multi-cloud mid-market (2,500-10,000 employees): Wiz Advanced, Orca Enterprise, Prisma Cloud Business. Multi-cloud enterprise (10,000+ employees): Wiz CNAPP, Prisma Cloud Enterprise, Falcon Cloud Security Enterprise.

      4. 4
        4. Plan SIEM and IAM integration explicitly

        CNAPP is one leg of the cloud security stack. Microsoft Sentinel + Defender for Cloud + Entra ID is one bundled combo. Splunk + Wiz + Okta is a common best-of-breed combo. Verify your SIEM-CNAPP-IAM telemetry flow before signing, the integration is the actual operational value, not the standalone CNAPP feature list.

      5. 5
        5. Evaluate with real cloud accounts in a 60-90 day POV

        Vendor demos are misleading because cloud security depth surfaces only at production scale. Run a 60-90 day proof-of-value (POV) with your real AWS / Azure / GCP accounts, IaC pipelines, and Kubernetes clusters. Cross-reference Gartner Peer Insights and independent reviews. Don't pick by Magic Quadrant alone, vendor strategic positioning often outpaces actual customer experience.

      6. 6
        6. Negotiate per-module pricing aggressively

        Wiz, Prisma Cloud, Falcon Cloud Security, Orca, Sysdig, Aqua Security all have per-module / per-workload-unit pricing that adds up fast. Negotiate bundled CNAPP packages at signing rather than incremental modules at renewal. Annual contract negotiation typical 15-30% discount at enterprise scale. Multi-year locks common but limit pricing-protection clauses to 5-8% annual increases.

      7. 7
        7. Plan for vendor concentration and acquisition risk

        After Lacework→Fortinet 2024, the Wiz→Google 2024 deal collapse, and Tenable→Ermetic 2023, single-vendor risk and acquisition risk are board-level concerns in cloud security. Consider whether your SLA tolerates a single-vendor outage or post-acquisition product disruption. Some enterprises split CNAPP across business units (Wiz + Defender for Cloud, or Prisma Cloud + Falcon Cloud Security) for resilience. Test exit clauses and data portability before signing.

      Frequently asked questions

      The questions buyers actually ask before they sign a cloud security posture management (cspm) contract.

      Wiz vs Palo Alto Prisma Cloud, which one?
      Wiz if your bottleneck is time-to-value, agentless deployment, and breadth across multi-cloud (AWS + Azure + GCP), Wiz consistently delivers meaningful findings within 24-48 hours of connection and the Security Graph attack-path analysis is best-in-class. Palo Alto Prisma Cloud if you are already standardized on Palo Alto firewalls, Prisma SASE, and Cortex XDR and want unified vendor consolidation. Both are credible at enterprise scale. Wiz declined Google's $32B acquisition offer in August 2024 and remains independent; Prisma Cloud carries roadmap uncertainty as Palo Alto consolidates detection capabilities into Cortex Cloud / XSIAM.
      Why is Lacework still on this list given the Fortinet fire-sale?
      Honesty: Lacework is here for completeness because the Polygraph Data Platform technology is genuinely strong and existing customers need to know how to think about renewal. We do not recommend Lacework for net-new evaluation in 2026 unless you are already standardized on Fortinet network security and want unified FortiCNAPP + FortiGate. The 2024 Fortinet acquisition at $150M-$200M against the 2021 $8.3B peak is one of the most public valuation collapses in cybersecurity history, and post-acquisition integration roadmap remains incomplete. Net-new buyers should evaluate Wiz, Orca, Prisma Cloud, or Defender for Cloud first.
      When does Microsoft Defender for Cloud beat Wiz?
      Microsoft Defender for Cloud wins for any organization on Microsoft Azure where foundational CSPM is the primary need, it's bundled at zero incremental cost, native to Microsoft Sentinel SIEM and Entra ID, and per-resource pricing scales smoothly. The economic lever is overwhelming for Azure-anchored shops doing CSPM-only. Wiz wins for multi-cloud (AWS + Azure + GCP), buyers prioritizing fastest agentless time-to-value, and enterprises wanting the broadest CNAPP coverage (CSPM + CWPP + CIEM + KSPM + DSPM) in a single platform with the strongest attack-path analysis.
      How does this differ from your EDR ranking?
      Our Top 10 EDR / Endpoint Security Software covers endpoint detection and response (CrowdStrike Falcon endpoint, Microsoft Defender for Endpoint, etc.). CSPM/CNAPP (this ranking) covers cloud security posture, workload protection, identity entitlements, and Kubernetes for cloud-native environments. EDR + CNAPP are complementary, most enterprises run both. CrowdStrike Falcon Cloud Security and Microsoft Defender for Cloud appear here as the cloud modules of products covered separately as endpoint platforms; we use distinct product IDs (`crowdstrike-cloud-security` vs `crowdstrike`, `defender-cloud` vs `defender-endpoint`) where products span multiple categories.
      How much should I budget for CNAPP?
      Azure-only shop on foundational CSPM: $0 incremental (Defender for Cloud foundational free). Small multi-cloud (500-1,000 employees): $30K-$80K/year (Wiz Essential, Orca Premium, Defender CSPM advanced). Mid-market multi-cloud (1,000-5,000 employees): $80K-$200K/year (Wiz Advanced, Prisma Cloud Business, Tenable Cloud Security). Enterprise multi-cloud (5,000+ employees): $200K-$1M+/year (Wiz CNAPP, Prisma Cloud Enterprise, Falcon Cloud Security Enterprise). Add 30-50% for full CNAPP including CWPP runtime + DSPM + Kubernetes runtime detection.
      How long does CNAPP rollout take?
      Wiz, Orca (agentless): 1-4 weeks for initial coverage, 4-12 weeks for full operational maturity. Microsoft Defender for Cloud foundational: 1-2 weeks (auto-enabled with Azure). Prisma Cloud, Falcon Cloud Security, CloudGuard, Lacework: 8-16 weeks (multi-product integration, IaC pipelines, SOC playbooks). Sysdig and Aqua Security: 8-20 weeks for full Kubernetes runtime maturity. Plan for 90-180 days from contract to full SOC operational maturity for enterprise CNAPP deployments.
      Agentless vs agent-based CNAPP, which architecture wins?
      Both win for different jobs in 2026. Agentless (Wiz, Orca, Defender CSPM) wins for fastest time-to-value, broadest visibility without DevOps friction, and posture/configuration use cases. Agent-based (Sysdig, Aqua Security, CrowdStrike Falcon Cloud) wins for deepest runtime detection, real-time response actions, and Kubernetes runtime threat hunting. Most credible vendors now ship hybrid architectures, Wiz Defend, Orca Sensor, Prisma Cloud Defender, adding optional runtime sensors to agentless foundations. Evaluate by primary use case (posture-led vs runtime-led) rather than by architecture purity.
      How do CNAPP vendor acquisitions affect selection?
      The Lacework→Fortinet 2024 fire-sale (~$150M-$200M from a 2021 $8.3B peak), the Wiz→Google 2024 deal collapse ($32B declined), the Tenable→Ermetic 2023 acquisition ($265M for CIEM), and ongoing Aqua Security IPO talks have reset trust expectations in the category. After-action: (1) Verify the vendor's acquisition history and post-acquisition product velocity. (2) Require multi-year roadmap commitments in the contract. (3) Test exit clauses and data portability before signing. (4) Don't overweight vendor independence as a feature, Wiz is independent today but post-IPO trajectory is uncertain. Evaluate product fit first, vendor stability second.

      Glossary

      CSPM
      Cloud Security Posture Management. Software that detects misconfigurations and compliance gaps across cloud accounts (AWS, Azure, GCP, OCI). The historical anchor of the category; now subsumed into CNAPP.
      CNAPP
      Cloud-Native Application Protection Platform. Gartner-defined consolidation of CSPM + CWPP + CIEM + KSPM + DSPM into a single platform. The 2026 procurement category; standalone CSPM is dead.
      CWPP
      Cloud Workload Protection Platform. Runtime protection for cloud VMs, containers, and serverless functions. Adds threat detection on top of CSPM posture.
      CIEM
      Cloud Infrastructure Entitlement Management. Identifies and remediates excessive permissions and identity risk across cloud IAM. Tenable Cloud Security (Ermetic foundation) leads this sub-category.
      KSPM
      Kubernetes Security Posture Management. CSPM specialized for Kubernetes clusters, RBAC, network policies, pod security, admission control.
      DSPM
      Data Security Posture Management. Discovers and classifies sensitive data across cloud storage and databases, then evaluates exposure risk. Newer sub-category absorbed into CNAPP 2023-2025.
      Agentless scanning
      Cloud security architecture that scans workloads via runtime block storage snapshots or API connectors rather than installing agents. Wiz and Orca pioneered this; faster time-to-value with some runtime trade-offs.
      Attack path analysis
      Graph-based analysis that maps how an attacker could chain misconfigurations, vulnerabilities, identities, and exposures into a kill chain. Wiz Security Graph is the most-cited implementation.
      Polygraph (Lacework)
      Lacework's proprietary behavioral data graph that tracks cloud entities and processes to detect anomalies. Genuine technology; post-Fortinet acquisition direction is uncertain.
      Falco
      Open-source runtime security project created by Sysdig in 2016 and donated to the CNCF (graduated 2024). The eBPF-based instrumentation behind Sysdig Secure.

      Final word

      See the full intelligence profile for any product on this page, including verified pricing, vendor trust scores, and review patterns. Browse the Cloud Security Posture Management (CSPM) category page →

      Last updated 2026-05-09. Pricing data is reverified quarterly. Found something inaccurate? Tell us.