Skip to content
Z Zendikt
Canada edition · 10 products ranked · Verified 2026-05-27

Top 10 CSPM Software in Canada for 2026

Canadian cloud security posture management ranking with CAD pricing, OSFI B-13, ITSG-33 PROTECTED B, AWS ca-central-1 and Azure Canada residency context.

← Global ranking · Category overview
Cloud Security Posture Management (CSPM) by country
🌐 Global United States India United Kingdom France Germany Australia Canada

Canada verdict (TL;DR)

Verified 2026-05-27

Picks for Canada

  • Canadian SaaS scale-up on AWS ca-central-1: wiz Wiz is the default at Shopify-tier Canadian SaaS (Wealthsimple, Clio, 1Password, Vidyard, Hootsuite). Agentless ca-central-1 / ca-west-1 scanning, graph-based attack paths, hours to value.
  • Microsoft-aligned Canadian enterprise on Azure: defender-cloud Microsoft Defender for Cloud is the default at RBC, TD, Manulife, Sun Life, Telus and Bell when Azure Canada Central/East is the primary cloud; bundled in Azure EA and ITSG-33 PROTECTED B accreditation precedent.
  • Big Five bank or insurer enterprise CSPM program: palo-alto-prisma-cloud Palo Alto Prisma Cloud has the deepest enterprise install base across Canadian banks and insurers, with OSFI B-13 evidence packages and the ITSG-33 control mappings federal auditors expect.
  • Endpoint and identity already on CrowdStrike Falcon: crowdstrike-cloud-security Telus, Bell, Loblaws and many Canadian enterprises run Falcon EDR; Falcon Cloud Security extends posture management to ca-central-1, ca-west-1 and Canada Central without a separate procurement.
  • Container-heavy Canadian fintech or healthtech: sysdig Sysdig's Falco-based runtime detection combined with posture is the standard for Kubernetes-heavy Canadian SaaS (Ada, League, Maple, Telus Health) on EKS ca-central-1.
Market context

How the cloud security posture management (cspm) market looks in Canada

Canada's CSPM market mirrors its CNAPP buying patterns. Toronto-Waterloo-Montreal-Vancouver SaaS scale-ups (Shopify, Wealthsimple, Clio, 1Password, Vidyard, Hootsuite, Top Hat, Ada, League) gravitate to Wiz and Orca for agentless cloud posture; Big Five banks (RBC, TD, Scotiabank, BMO, CIBC), large insurers (Manulife, Sun Life, Great-West, Intact), telcos (Bell, Rogers, Telus) and Microsoft-aligned Crown corporations standardize on Microsoft Defender for Cloud and Palo Alto Prisma Cloud. CrowdStrike Falcon Cloud Security is increasingly chosen where Falcon EDR is already entrenched. BlackBerry's Waterloo security heritage means Canadian buyers often have sharp opinions about agent footprints.

Cloud residency matters: AWS ca-central-1 (Montreal), AWS ca-west-1 (Calgary), Azure Canada Central (Toronto) and Canada East (Quebec City), GCP Montreal and Toronto cover the workloads being scanned. CSPM control planes mostly sit in US regions, which is acceptable under PIPEDA with contracts but adds OSFI B-13 third-party risk documentation. Microsoft Defender for Cloud can be configured to keep data inside Azure Canada Central, which is the cleanest path for ITSG-33 PROTECTED B accreditation and federal Crown work.

Quebec Law 25 (Loi 25) requires PIA when CSPM data includes Quebec resident identifiers (asset tags, alert payloads, leaked-credential events). Bill 96 mandates French-language UI when Quebec workforce thresholds are met; Wiz, Defender, Prisma Cloud and CrowdStrike all publish French interfaces. Bill C-26 (CCSPA) will extend cyber-incident reporting to federally regulated critical infrastructure (banks, telcos, energy, transportation), and CSPM-detected misconfigurations become part of the inventory.

Compliance & local rules

CSPM tools ingest cloud configuration, asset metadata and alert data; some of this is personal information under PIPEDA and Quebec Law 25 when asset names, tags or alert payloads identify Quebec residents. Law 25 requires PIA, designated privacy officer, French-language privacy notice and cross-border transfer assessment. OSFI B-13 (effective 1 January 2024) requires federally regulated banks and insurers to inventory third-party SaaS including CSPM, with residency, sub-processor and incident-response SLAs. OSFI B-10 covers third-party risk. Federal Crown work requires ITSG-33 controls and CCCS PROTECTED B accreditation; Microsoft Defender for Cloud on Azure Canada Central has the cleanest federal precedent. Bill C-26 (CCSPA) extends cyber-incident reporting to federally regulated critical infrastructure. Provincial health legislation (PHIPA Ontario, HIA Alberta, HIPMA Yukon) applies when healthcare workloads are scanned. Bill 96 requires French UI when Quebec workforce thresholds are met.

At a glance

Quick comparison, ranked for Canada

Product Best for Starts at 10-emp/mo* Pricing G2 Geo
1 Wiz
Mid-market to large multi-cloud enterprises
 Quote - 4.7 Global; strongest in US, EU, UK, Israel, AU
2 Palo Alto Prisma Cloud
Palo Alto-anchored enterprises
 Quote - 4.4 Global; strongest in US, EU, UK, AU
3 Microsoft Defender for Cloud
Azure-anchored organizations
 $0 + $0/emp $0 4.4 Global; strongest in US, EU, AU; worldwide
9 CrowdStrike Falcon Cloud Security
CrowdStrike-anchored enterprises
 Quote - 4.5 Global; strongest in US, EU, UK, AU
5 Orca Security
Multi-cloud DevOps-heavy organizations
 Quote - 4.6 Global; strongest in US, EU, Israel, AU
6 Sysdig
Kubernetes-heavy and container-first organizations
 Quote - 4.5 Global; strongest in US, EU, UK
4 Lacework
Existing Lacework customers and Fortinet-anchored enterprises
 Quote - 4.3 Global; strongest in US, EU
8 Tenable Cloud Security
CIEM-led enterprises and Tenable customers
 Quote - 4.4 Global; strongest in US, EU, UK
7 Aqua Security
Kubernetes-heavy and supply-chain-conscious organizations
 Quote - 4.4 Global; strongest in US, EU, Israel, UK
10 Check Point CloudGuard
Check Point-anchored enterprises
 Quote - 4.4 Global; strongest in EU, US, Israel, AU

*10-employee monthly cost = base fee + (per-employee × 10) using the lowest published tier. For opaque-pricing vendors, no value is shown.

Verified local pricing

What buyers in Canada actually pay

Median annual deal size by employee band, in CAD. Crowdsourced from anonymized buyer disclosures.

Product Employee band Median annual (CAD) Sample Notes
Wiz 500-2,000 employees CA$215,000 16 Wiz CSPM only, Canadian SaaS scale-up ca-central-1
Microsoft Defender for Cloud 5,000-25,000 employees CA$425,000 11 Defender for Cloud Plan 2, Big Five bank tier on Azure Canada Central
Palo Alto Prisma Cloud 5,000-25,000 employees CA$685,000 9 Prisma Cloud enterprise, Canadian bank / insurer
CrowdStrike Falcon Cloud Security 1,000-5,000 employees CA$325,000 12 Falcon Cloud Security as extension of existing EDR
Orca Security 500-2,000 employees CA$195,000 8 Orca CSPM Canadian SaaS tier
Sysdig 200-1,500 employees CA$165,000 7 Sysdig Secure container-heavy workloads
Local challengers

Canada-built or Canada-strong vendors worth knowing

Not yet ranked in our global top 10, but credible options for Canada buyers and worth a shortlist.

BlackBerry Cylance / IVY

Visit ↗

Waterloo. BlackBerry retains Canadian security heritage and partners with several CSPM vendors; not a standalone CSPM but often part of Canadian enterprise security architectures.

The Canada ranking

All 10, ranked for Canada

Same intelligence as the global ranking, vendor trust, review patterns, verified pricing, compliance, reordered for the Canada market.

#1

Wiz

CNAPP market leader on agentless scanning depth and time-to-value.

Founded 2020 · New York, NY · private · 500–500,000+ employees
G2 4.7 (740)
Capterra 4.7
Custom quote
○ Sales call required
Visit Wiz

Wiz is the CNAPP market leader, founded 2020 by ex-Microsoft Cloud Security Group executives (Assaf Rappaport and team, formerly of Adallom). The product's strengths: agentless graph-based scanning that maps cloud resources, identities, vulnerabilities, and exposures into a single attack graph (the "Wiz Security Graph"), fastest time-to-value in the category (most customers report meaningful findings within 24-48 hours of connection), and the broadest CNAPP coverage (CSPM + CWPP + CIEM + KSPM + DSPM in one platform). Best fit for 500-50,000+ employee enterprises running multi-cloud workloads. The company crossed $1B ARR in 2024, fastest in software history, and famously declined a $32B all-cash acquisition offer from Google in August 2024 to remain independent and pursue an IPO path. Trade-offs: pricing has escalated meaningfully and is opaque, runtime detection is newer than agent-based competitors (Sysdig, CrowdStrike), and the agentless architecture means some real-time response actions are weaker than agent-based platforms.

Best for

Mid-market to large enterprises (500-50,000+ employees) running multi-cloud (AWS + Azure + GCP) workloads, prioritizing agentless rollout speed and broadest CNAPP coverage in a single platform.

Worst for

Microsoft Azure-only shops (Defender for Cloud bundled cheaper), CrowdStrike-anchored enterprises (Falcon Cloud Security tighter integration), buyers requiring on-prem coverage, or budget-constrained SMBs (Defender for Cloud or open-source alternatives cheaper).

Strengths

  • Agentless graph-based scanning (Wiz Security Graph)
  • Fastest time-to-value in CNAPP category (24-48 hours)
  • Broadest CNAPP coverage (CSPM + CWPP + CIEM + KSPM + DSPM)
  • Made for 500-50,000+ employee multi-cloud enterprises
  • Crossed $1B ARR in 2024, fastest in software history
  • Independent path post-Google deal collapse

Weaknesses

  • Pricing escalated meaningfully and opaque
  • Runtime detection newer than Sysdig / CrowdStrike
  • Agentless architecture limits some real-time response actions
  • Per-module pricing creates surprise costs for full CNAPP
  • Customer success quality variable as company scaled rapidly
  • Limited on-prem / hybrid coverage (cloud-only architecture)

Pricing tiers

opaque
  • Wiz Essential
    CSPM only; ~$30K-$80K starting
    Quote
  • Wiz Advanced
    Adds CWPP + CIEM; $80K-$200K typical
    Quote
  • Wiz CNAPP
    Full platform; $200K-$1M+ enterprise
    Quote
  • Wiz Code
    Add-on; ASPM and shift-left
    Quote
  • Wiz Defend
    Add-on; runtime detection
    Quote
Watch for
  • · Per-module pricing for Code, Defend, Sensor
  • · Annual price increases of 10-20% reported
  • · Workload-unit definition can shift at renewal
  • · Onboarding fees ($10K-$100K)

Key features

  • +Wiz Security Graph (agentless attack-path analysis)
  • +Cloud Security Posture Management (CSPM)
  • +Cloud Workload Protection (CWPP)
  • +Cloud Infrastructure Entitlement Management (CIEM)
  • +Kubernetes Security Posture Management (KSPM)
  • +Data Security Posture Management (DSPM)
  • +Wiz Defend (runtime sensor; newer)
  • +Wiz Code (ASPM; shift-left)
200+ integrations
AWSMicrosoft AzureGoogle CloudKubernetesServiceNowJira
Geography
Global; strongest in US, EU, UK, Israel, AU
View full Wiz intelligence profile → Compare Wiz →
#2

Palo Alto Prisma Cloud

CNAPP for Palo Alto network security stack consolidation.

Founded 2019 · Santa Clara, CA · public · 1,000–500,000+ employees
G2 4.4 (1,180)
Capterra 4.5
Custom quote
○ Sales call required
Visit Palo Alto Prisma Cloud

Palo Alto Prisma Cloud is the CNAPP product from Palo Alto Networks, built primarily through the 2019 acquisitions of RedLock (CSPM) and Twistlock (container security), and expanded with PureSec (serverless), Bridgecrew (IaC scanning), and Cider (CI/CD security). The product's primary advantage: tight integration with Palo Alto firewalls, Prisma SASE, and Cortex XDR, making it the default for buyers consolidating around Palo Alto. Best fit for enterprises 1,000+ employees committed to Palo Alto network security. Trade-offs: outside the Palo Alto ecosystem the product is less compelling than Wiz on time-to-value, the multi-product heritage shows as integration friction inside Prisma Cloud itself, and pricing meaningful at scale. Distinct from Cortex XDR (covered separately in our EDR ranking), Cortex XDR covers endpoint, Prisma Cloud covers cloud workloads and posture.

Best for

Enterprises (1,000-50,000+ employees) committed to Palo Alto network security wanting unified CNAPP + network + SASE + Cortex XDR platform.

Worst for

Non-Palo Alto shops (Wiz / Orca better time-to-value), Microsoft Azure-only shops (Defender for Cloud bundled), or buyers prioritizing rapid agentless deployment.

Strengths

  • Tight integration with Palo Alto firewalls and Cortex XDR
  • Mature CNAPP breadth (RedLock + Twistlock + Bridgecrew heritage)
  • Best for Palo Alto-anchored enterprise stacks
  • Public company financial transparency
  • Strong threat intelligence (Unit 42)
  • On-prem and hybrid coverage stronger than Wiz

Weaknesses

  • Outside Palo Alto ecosystem less compelling than Wiz
  • Multi-product heritage shows as integration friction
  • Time-to-value slower than Wiz / Orca
  • Pricing meaningful at scale and opaque
  • Innovation pace slower than Wiz
  • Management UX (Prisma Cloud) has steep learning curve

Pricing tiers

opaque
  • Prisma Cloud Foundations
    CSPM only; ~$30K-$60K starting
    Quote
  • Prisma Cloud Business
    Adds CWPP; $60K-$200K typical
    Quote
  • Prisma Cloud Enterprise
    Full CNAPP; $200K-$1M+ enterprise
    Quote
  • Cortex Cloud (XSIAM bundle)
    Cloud detection consolidated into Cortex platform
    Quote
Watch for
  • · Per-cloud-credit pricing model can shift at renewal
  • · Implementation fee ($25K-$200K)
  • · Annual price increases of 8-12%
  • · Cortex Cloud separate purchase

Key features

  • +CSPM (multi-cloud posture)
  • +CWPP (workload protection from Twistlock)
  • +CIEM (cloud entitlements)
  • +IaC security (Bridgecrew)
  • +CI/CD security (Cider)
  • +Container and Kubernetes security
  • +Web application and API security (WAAS)
  • +Unit 42 threat intelligence integration
250+ integrations
AWSMicrosoft AzureGoogle CloudKubernetesPalo Alto firewallsCortex XDR
Geography
Global; strongest in US, EU, UK, AU
View full Palo Alto Prisma Cloud intelligence profile → Compare Palo Alto Prisma Cloud →
#3

Microsoft Defender for Cloud

De facto default for Azure-anchored organizations.

Founded 2015 · Redmond, WA · public · 1–500,000+ employees
G2 4.4 (1,840)
Capterra 4.5
From $0 + $0 /mo + /employee
● Transparent pricing
Visit Microsoft Defender for Cloud

Microsoft Defender for Cloud (formerly Azure Security Center, with Azure Defender bundled in 2021 and rebranded fully in 2022) is the CNAPP product native to Azure and extending to AWS and Google Cloud. The product's strengths: bundled foundational posture management with any Azure subscription at no extra cost, native integration with Microsoft Sentinel SIEM and Entra ID, and per-resource pricing that scales smoothly. Best fit for any Azure-anchored organization. Distinct from Microsoft Defender for Endpoint (covered in our EDR ranking under `defender-endpoint`). Trade-offs: outside the Azure ecosystem the product is meaningfully weaker than Wiz / Prisma Cloud, multi-cloud (AWS, GCP) coverage less mature than Azure-native, and the management UX (Defender for Cloud blade in Azure Portal) is fragmented across multiple panes.

Best for

Any organization on Microsoft Azure (foundational CSPM essentially free at zero marginal cost), particularly Azure-heavy enterprises and Microsoft Sentinel SIEM customers.

Worst for

AWS-only or GCP-only shops (Wiz / Prisma Cloud better multi-cloud), buyers prioritizing fastest time-to-value (Wiz / Orca better), or non-Microsoft enterprises.

Strengths

  • Bundled foundational CSPM with any Azure subscription
  • Native Microsoft Sentinel + Entra ID + Azure integration
  • Per-resource pricing scales smoothly
  • Fits Azure-anchored organizations
  • FedRAMP High authorized
  • Public company financial transparency

Weaknesses

  • Outside Azure ecosystem meaningfully weaker
  • AWS and GCP coverage less mature than Azure-native
  • Management UX fragmented across Azure Portal panes
  • Some advanced features require Defender CSPM or per-resource plans
  • Customer support quality varies by region

Pricing tiers

public
  • Foundational CSPM
    Free; bundled with Azure subscription
    $0+$0 /mo +/emp
  • Defender CSPM
    Per billable resource per month; advanced posture, agentless scanning, attack path
    $5 /mo
  • Defender for Servers P2
    Per server per month; full CWPP with MDE integration
    $15 /mo
  • Defender for Containers
    Per vCore per month; Kubernetes and container protection
    $7 /mo
  • Defender for Storage / SQL / Key Vault / etc.
    Per-resource per-event pricing
    Quote
Watch for
  • · Per-resource pricing can balloon at scale
  • · Defender CSPM separate from foundational
  • · Sentinel ingestion charged separately
  • · Annual Azure consumption price increases

Key features

  • +Foundational CSPM (free)
  • +Defender CSPM (advanced posture, agentless scanning, attack path)
  • +Defender for Servers (CWPP via Defender for Endpoint integration)
  • +Defender for Containers (Kubernetes posture and runtime)
  • +Defender for Storage / SQL / Key Vault / DNS
  • +Multi-cloud connectors (AWS, GCP)
  • +Native Microsoft Sentinel integration
  • +Azure-native compliance dashboards
300+ integrations
Microsoft AzureAWSGoogle CloudMicrosoft SentinelEntra IDGitHub
Geography
Global; strongest in US, EU, AU; worldwide
View full Microsoft Defender for Cloud intelligence profile → Compare Microsoft Defender for Cloud →
#9

CrowdStrike Falcon Cloud Security

Cloud module of the Falcon platform, default for CrowdStrike-anchored buyers.

Founded 2018 · Austin, TX · public · 1,000–500,000+ employees
G2 4.5 (480)
Capterra 4.6
Custom quote
○ Sales call required
Visit CrowdStrike Falcon Cloud Security

CrowdStrike Falcon Cloud Security is the cloud module of the Falcon platform, the EDR/XDR market leader covered separately in our Top 10 EDR / Endpoint Security Software ranking under `crowdstrike`. The product extends CrowdStrike's endpoint dominance into CNAPP, primarily through the 2021 Humio acquisition (data lake foundation) and the 2024 Flow Security acquisition for DSPM ($200M). Best fit for enterprises already running Falcon for endpoint who want cloud security on the same platform and console. Trade-offs: outside the CrowdStrike ecosystem the product is less compelling than Wiz / Orca, time-to-value slower than agentless competitors, the broader CrowdStrike trust impact from the July 2024 Falcon Sensor channel-file outage extends to customer perception of cloud security expansion, and pricing meaningful at scale. The cloud module is genuinely strong but rarely a standalone purchase decision, it sells via Falcon platform expansion.

Best for

Enterprises (1,000-50,000+ employees) already running CrowdStrike Falcon for endpoint, wanting cloud security on the same platform and console with unified threat intelligence.

Worst for

Non-CrowdStrike enterprises (Wiz / Orca better standalone), Microsoft Defender for Endpoint shops (Defender for Cloud bundled), or buyers prioritizing fastest agentless time-to-value.

Strengths

  • Tight integration with Falcon endpoint platform
  • Made for CrowdStrike-anchored enterprise stacks
  • Mature DSPM via Flow Security acquisition (2024)
  • Strong threat intelligence (CrowdStrike Intelligence + Overwatch)
  • Public company financial transparency
  • Single-agent and agentless hybrid architecture

Weaknesses

  • Outside CrowdStrike ecosystem less compelling than Wiz/Orca
  • Time-to-value slower than agentless competitors
  • July 2024 Falcon outage trust impact extends to platform expansion
  • Pricing meaningful at scale and per-module
  • Rarely a standalone purchase, sells via Falcon expansion
  • Cloud-only architecture limits hybrid coverage

Pricing tiers

opaque
  • Falcon Cloud Security CSPM
    ~$25K-$60K starting; CSPM only
    Quote
  • Falcon Cloud Security Advanced
    $60K-$200K typical; CSPM + CWPP + CIEM
    Quote
  • Falcon Cloud Security Enterprise
    $200K-$1M+; full CNAPP including DSPM
    Quote
Watch for
  • · Per-module pricing within Falcon platform adds up
  • · Implementation fee ($10K-$100K)
  • · Annual price increases of 8-12% reported
  • · Often bundled with Falcon endpoint at platform discount

Key features

  • +CSPM (multi-cloud posture)
  • +CWPP (workload protection via Falcon Sensor)
  • +CIEM (cloud entitlements)
  • +KSPM (Kubernetes posture)
  • +DSPM (Flow Security acquisition)
  • +Container and Kubernetes runtime
  • +Native Falcon endpoint integration
  • +CrowdStrike Intelligence + Overwatch threat hunting
250+ integrations
AWSMicrosoft AzureGoogle CloudKubernetesFalcon EndpointSplunk
Geography
Global; strongest in US, EU, UK, AU
View full CrowdStrike Falcon Cloud Security intelligence profile → Compare CrowdStrike Falcon Cloud Security →
#5

Orca Security

Agentless CSPM pioneer with SideScanning architecture.

Founded 2019 · Portland, OR · private · 500–25,000 employees
G2 4.6 (480)
Capterra 4.6
Custom quote
○ Sales call required
Visit Orca Security

Orca Security is the agentless CSPM pioneer, founded 2019 by ex-Check Point executives. The product's primary differentiator: SideScanning, a patented agentless architecture that scans cloud workloads via runtime block storage snapshots without requiring agents or network connectors. Orca and Wiz are both agentless CNAPP, and the two have spent meaningful resources publicly contesting patent and architecture claims. Best fit for security teams resistant to agent rollouts and DevOps-heavy organizations wanting comprehensive coverage without endpoint friction. Trade-offs: Wiz has out-marketed Orca on time-to-value despite similar architectures, brand momentum has slowed relative to Wiz, runtime detection is newer than agent-based competitors, and pricing has crept up under growth pressure. Some customer churn to Wiz reported in 2024-2025.

Best for

Security teams (500-25,000 employees) prioritizing comprehensive multi-cloud coverage without agent rollouts, particularly DevOps-heavy organizations resistant to endpoint agents.

Worst for

Wiz-evaluated buyers who already chose Wiz, Microsoft Azure-only shops (Defender for Cloud bundled), or buyers prioritizing tightest runtime detection.

Strengths

  • SideScanning agentless architecture (patented)
  • Built for security teams resistant to agent rollouts
  • Comprehensive cloud workload visibility without agents
  • Multi-cloud coverage across AWS, Azure, GCP, OCI, Alibaba
  • Mature CNAPP feature set (CSPM + CWPP + CIEM + KSPM + DSPM)
  • Founder-led with strong VC backing

Weaknesses

  • Brand momentum slowed relative to Wiz
  • Some customer churn to Wiz reported 2024-2025
  • Runtime detection newer than agent-based competitors
  • Pricing crept up under growth pressure
  • Customer success quality variable as company scaled
  • Public Wiz patent and architecture disputes have been distracting

Pricing tiers

opaque
  • Orca Premium
    ~$30K-$80K starting; CSPM + CWPP + CIEM
    Quote
  • Orca Enterprise
    $80K-$300K typical; full CNAPP
    Quote
  • Orca Sensor (runtime)
    Add-on; runtime detection
    Quote
Watch for
  • · Per-asset pricing can shift at renewal
  • · Implementation fee ($10K-$50K)
  • · Annual price increases of 8-15%
  • · Sensor add-on for runtime

Key features

  • +SideScanning agentless architecture
  • +CSPM (multi-cloud posture)
  • +CWPP (workload protection)
  • +CIEM (cloud entitlements)
  • +KSPM (Kubernetes posture)
  • +DSPM (data security posture)
  • +Orca Sensor (runtime detection; newer)
  • +Attack path analysis
180+ integrations
AWSMicrosoft AzureGoogle CloudOracle CloudKubernetesServiceNow
Geography
Global; strongest in US, EU, Israel, AU
View full Orca Security intelligence profile → Compare Orca Security →
#6

Sysdig

Falco-anchored runtime detection plus full CNAPP.

Founded 2013 · San Francisco, CA · private · 500–50,000+ employees
G2 4.5 (380)
Capterra 4.6
Custom quote
○ Sales call required
Visit Sysdig

Sysdig is the CNAPP product anchored on Falco, the open-source runtime security project Sysdig created in 2016 and donated to the CNCF in 2018 (now graduated). The product's primary advantage: deepest runtime detection in the category, particularly for Kubernetes and container workloads, built on the same eBPF-based instrumentation that powers Falco. Founded 2013 by Loris Degioanni (creator of WinPcap and co-creator of Wireshark). Best fit for Kubernetes-heavy stacks where runtime detection is the primary use case and posture is secondary. Trade-offs: agent-based architecture means slower time-to-value than Wiz / Orca, posture (CSPM) capabilities less mature than runtime, and pricing meaningful at scale. Sysdig's 555-rule and "5/5/5" benchmark for cloud detection (5 seconds detect, 5 minutes triage, 5 minutes respond) is widely cited but operationally aggressive.

Best for

Kubernetes-heavy and container-first organizations (500-25,000+ employees) where runtime detection is the primary use case and CSPM is secondary, particularly cloud-native engineering cultures.

Worst for

Posture-only buyers (Wiz / Orca / Defender for Cloud cheaper), agentless-first organizations, or buyers without significant Kubernetes investment.

Strengths

  • Deepest runtime detection in CNAPP category
  • Falco-anchored open-source heritage and ecosystem
  • Best for Kubernetes-heavy and container-first stacks
  • eBPF-based instrumentation (low overhead)
  • Mature CWPP and KSPM capabilities
  • Founder-led; strong open-source community engagement

Weaknesses

  • Agent-based architecture slower time-to-value than Wiz/Orca
  • Posture (CSPM) capabilities less mature than runtime
  • Pricing meaningful at scale and opaque
  • Multi-cloud coverage less mature than dedicated CSPM vendors
  • Uneven support quality as company scaled
  • Outside Kubernetes-heavy stacks less compelling

Pricing tiers

opaque
  • Sysdig Secure
    ~$60-$120/host/year typical
    Quote
  • Sysdig Secure CNAPP
    Full CNAPP; $80K-$300K typical
    Quote
  • Sysdig Monitor (observability)
    Separate; bundled discount available
    Quote
Watch for
  • · Per-host or per-resource pricing can balloon
  • · Implementation fee ($10K-$75K)
  • · Annual price increases of 6-10%
  • · Monitor and Secure billed separately

Key features

  • +Falco-based runtime detection (eBPF)
  • +CWPP (workload protection)
  • +CSPM (multi-cloud posture)
  • +KSPM (Kubernetes posture)
  • +CIEM (cloud entitlements)
  • +Container vulnerability scanning
  • +Sysdig Inspect (forensics)
  • +Sysdig Monitor (observability bundle)
200+ integrations
AWSMicrosoft AzureGoogle CloudKubernetesOpenShiftSplunk
Geography
Global; strongest in US, EU, UK
View full Sysdig intelligence profile → Compare Sysdig →
#4

Lacework

Polygraph data graph; post-Fortinet integration risk material.

Founded 2015 · San Jose, CA · public · 500–50,000 employees
G2 4.3 (580)
Capterra 4.4
Custom quote
○ Sales call required
Visit Lacework

Lacework is the CNAPP product anchored on its Polygraph Data Platform, a behavioral data graph that tracks cloud entities, processes, and network connections to detect anomalies. Founded 2015, the company peaked at an $8.3B valuation in November 2021 (largest cybersecurity Series D in history). The story since has been one of the most public valuation collapses in cybersecurity: meaningful layoffs in mid-2022 and 2023, and ultimately acquired by Fortinet in June 2024 in a fire-sale deal reported across multiple sources at $150M-$200M, roughly 2-3% of the 2021 peak. Trade-offs in 2026: the Polygraph technology remains genuinely strong for behavioral detection, but post-Fortinet integration direction is the single biggest risk in the category. Fortinet has positioned Lacework as the cloud module of FortiCNAPP, and roadmap clarity remains incomplete. Existing Lacework customers report uncertainty about long-term direction; new buyers have largely paused evaluation pending integration clarity.

Best for

Existing Lacework customers maintaining renewal, Fortinet-anchored enterprises (1,000+ employees) wanting unified FortiCNAPP + network security stack, or buyers specifically valuing Polygraph behavioral detection.

Worst for

Net-new CNAPP buyers (Wiz / Prisma Cloud / Defender for Cloud carry less acquisition risk), buyers concerned about vendor stability post-acquisition, or organizations not on Fortinet network security.

Strengths

  • Polygraph Data Platform (genuine behavioral graph technology)
  • Works for Fortinet-anchored enterprise stacks (post-2024)
  • Mature anomaly detection in cloud workloads
  • Fortinet financial backing stabilizes long-term outlook
  • Multi-cloud coverage across AWS, Azure, GCP
  • Container and Kubernetes runtime detection mature

Weaknesses

  • Acquired by Fortinet 2024 at ~2-3% of 2021 $8.3B peak, historic valuation collapse
  • Post-Fortinet integration roadmap incomplete
  • New buyer evaluation paused pending integration clarity
  • Engineering and product velocity slowed through acquisition
  • Customer support quality declined post-acquisition
  • Brand momentum severely damaged versus Wiz / Orca

Pricing tiers

opaque
  • Lacework FortiCNAPP Pro
    ~$40K-$120K starting; CSPM + CWPP
    Quote
  • Lacework FortiCNAPP Enterprise
    $120K-$500K typical; full CNAPP
    Quote
  • Bundled with Fortinet network
    Custom; unified FortiCNAPP + FortiGate stack
    Quote
Watch for
  • · Per-resource pricing can shift at renewal
  • · Implementation fee ($15K-$100K)
  • · Annual price increases reported post-acquisition
  • · Bundled pricing only with broader Fortinet commitment

Key features

  • +Polygraph Data Platform (behavioral graph)
  • +CSPM (multi-cloud posture)
  • +CWPP (workload protection)
  • +CIEM (cloud entitlements)
  • +Container and Kubernetes runtime detection
  • +IaC security (Soluble heritage)
  • +FortiCNAPP integration with FortiGate firewalls
  • +Anomaly-based threat detection
150+ integrations
AWSMicrosoft AzureGoogle CloudKubernetesFortiGate firewallsSplunk
Geography
Global; strongest in US, EU
View full Lacework intelligence profile → Compare Lacework →
#8

Tenable Cloud Security

CIEM-led CNAPP built on Ermetic foundation.

Founded 2002 · Columbia, MD · public · 1,000–500,000+ employees
G2 4.4 (380)
Capterra 4.5
Custom quote
○ Sales call required
Visit Tenable Cloud Security

Tenable Cloud Security is the CNAPP product from Tenable (the Nessus / Tenable.io vulnerability management leader), built primarily on the October 2023 acquisition of Ermetic for $265M. The product's primary advantage: deepest CIEM (cloud infrastructure entitlement management) capabilities in the category, Ermetic was the leading CIEM-pure-play before the acquisition, and Tenable has retained that strength. Best fit for buyers leading with cloud identity governance and entitlement risk. Trade-offs: outside CIEM-led use cases the product is less compelling than Wiz / Orca, posture (CSPM) and runtime (CWPP) capabilities less mature than CIEM, and integration with broader Tenable vulnerability management is a work in progress. Public company financial transparency and breadth of customer base (Tenable serves 65% of Fortune 500) are meaningful differentiators.

Best for

Enterprises (1,000-50,000+ employees) leading with cloud identity governance and entitlement risk, particularly Tenable vulnerability management customers wanting unified VM + cloud security.

Worst for

CSPM-led or CWPP-led buyers (Wiz / Orca / Sysdig better), Microsoft Azure-only shops (Defender for Cloud bundled), or buyers without significant identity-led concerns.

Strengths

  • Deepest CIEM capabilities (Ermetic foundation)
  • Works for CIEM-led buyers
  • Public company financial transparency (Tenable)
  • Integration with Tenable vulnerability management
  • Mature compliance and audit reporting
  • Broad enterprise customer base (65% of Fortune 500)

Weaknesses

  • Outside CIEM-led use cases less compelling
  • Posture (CSPM) less mature than CIEM
  • Runtime (CWPP) capabilities thinner than Wiz / Sysdig
  • Integration with Tenable VM still in progress
  • Brand recognition lower in CNAPP than legacy VM
  • Innovation pace slower than Wiz

Pricing tiers

opaque
  • Tenable Cloud Security Essentials
    ~$30K-$80K starting; CIEM + CSPM
    Quote
  • Tenable Cloud Security Advanced
    $80K-$300K typical; full CNAPP
    Quote
  • Tenable One (unified)
    Custom; bundled with Tenable VM
    Quote
Watch for
  • · Per-resource pricing
  • · Implementation fee ($10K-$75K)
  • · Annual price increases of 6-10%
  • · Tenable One bundle commitment required for full discount

Key features

  • +CIEM (Ermetic foundation; deepest in category)
  • +CSPM (multi-cloud posture)
  • +CWPP (workload protection)
  • +KSPM (Kubernetes posture)
  • +IaC scanning
  • +Just-in-time access workflows
  • +Tenable Nessus vulnerability integration
  • +Compliance reporting (SOC 2, PCI, HIPAA, etc.)
200+ integrations
AWSMicrosoft AzureGoogle CloudTenable NessusServiceNowSplunk
Geography
Global; strongest in US, EU, UK
View full Tenable Cloud Security intelligence profile → Compare Tenable Cloud Security →
#7

Aqua Security

Container and Kubernetes-anchored CNAPP with Trivy heritage.

Founded 2015 · Ramat Gan, Israel · private · 500–25,000 employees
G2 4.4 (280)
Capterra 4.5
Custom quote
○ Sales call required
Visit Aqua Security

Aqua Security is the container and Kubernetes-anchored CNAPP product, founded 2015 in Israel. The product's strengths: deepest container and Kubernetes security heritage in the category (predates the CNAPP category itself), Trivy as the most-deployed open-source vulnerability scanner (Aqua acquired Trivy creator Aqua Open Source in 2020), and strong fit for buyers with container workloads as the primary attack surface. Best fit for Kubernetes-heavy and supply-chain-conscious organizations. Trade-offs: outside container and Kubernetes use cases the product is less compelling than Wiz / Orca, IPO talks reported in 2024-2025 have not yet materialized into a public listing, brand momentum has slowed relative to Wiz, and multi-cloud posture (CSPM) capabilities less mature than container-native features.

Best for

Kubernetes-heavy and container-first organizations (500-25,000+ employees) prioritizing supply-chain security, vulnerability management, and container/K8s as the primary attack surface.

Worst for

Posture-only buyers (Wiz / Orca better), Microsoft Azure-only shops (Defender for Cloud bundled), or buyers without significant container investment.

Strengths

  • Deepest container and Kubernetes security heritage
  • Trivy open-source vulnerability scanner ownership
  • Fits supply-chain-conscious organizations
  • Mature CWPP and KSPM capabilities
  • Multi-cloud and hybrid coverage
  • Israeli engineering depth

Weaknesses

  • Outside container/K8s use cases less compelling
  • IPO talks reported but not yet realized
  • Brand momentum slowed relative to Wiz
  • CSPM capabilities less mature than container-native
  • Support depends on tier
  • Pricing meaningful at scale

Pricing tiers

opaque
  • Aqua CNAPP Standard
    ~$40K-$100K starting; CSPM + CWPP
    Quote
  • Aqua CNAPP Advanced
    $100K-$400K typical; full CNAPP
    Quote
  • Aqua Enterprise
    Custom; advanced supply chain and runtime
    Quote
Watch for
  • · Per-workload pricing can shift at renewal
  • · Implementation fee ($15K-$75K)
  • · Annual price increases of 6-10%
  • · Trivy Enterprise separate from open-source

Key features

  • +Container and Kubernetes security (heritage)
  • +Trivy vulnerability scanner (open-source)
  • +CSPM (multi-cloud posture)
  • +CWPP (workload protection)
  • +CIEM (cloud entitlements)
  • +Supply chain security
  • +Aqua Enforcer runtime protection
  • +eBPF-based runtime detection
170+ integrations
AWSMicrosoft AzureGoogle CloudKubernetesOpenShiftJenkins
Geography
Global; strongest in US, EU, Israel, UK
View full Aqua Security intelligence profile → Compare Aqua Security →
#10

Check Point CloudGuard

CNAPP for Check Point-anchored network security stacks.

Founded 2010 · Tel Aviv, Israel · public · 1,000–500,000+ employees
G2 4.4 (380)
Capterra 4.5
Custom quote
○ Sales call required
Visit Check Point CloudGuard

Check Point CloudGuard is the CNAPP product from Check Point Software, built primarily on the 2019 acquisition of Dome9 (CSPM) and extended with Protego (serverless security) and Spectral (developer security, 2023). The product's primary advantage: tight integration with Check Point firewalls and the broader Check Point Infinity platform, making it the default for buyers consolidating around Check Point network security. Founded 1993, public on NASDAQ ($21B+ market cap). Best fit for enterprises 1,000+ employees committed to Check Point network security. Trade-offs: outside the Check Point ecosystem the product is less compelling than Wiz / Orca, time-to-value slower than agentless leaders, brand momentum in CNAPP has lagged the Check Point firewall heritage, and innovation pace slower than category leaders.

Best for

Enterprises (1,000-50,000+ employees) committed to Check Point network security wanting unified CloudGuard + firewall + Infinity platform consolidation.

Worst for

Non-Check Point shops (Wiz / Orca better), Microsoft Azure-only shops (Defender for Cloud bundled), or buyers prioritizing fastest agentless time-to-value.

Strengths

  • Tight integration with Check Point firewalls and Infinity platform
  • Right call for Check Point-anchored enterprise stacks
  • Mature CSPM via Dome9 heritage
  • Public company financial transparency
  • Fits compliance-heavy industries (Check Point's legacy strength)
  • Multi-cloud and hybrid coverage

Weaknesses

  • Outside Check Point ecosystem less compelling
  • Time-to-value slower than agentless leaders
  • Brand momentum in CNAPP lags firewall heritage
  • Innovation pace slower than Wiz / Orca
  • Support inconsistency reported
  • CIEM and DSPM capabilities thinner than category leaders

Pricing tiers

opaque
  • CloudGuard CSPM
    ~$25K-$60K starting; posture only
    Quote
  • CloudGuard CNAPP
    $60K-$200K typical; full CNAPP
    Quote
  • CloudGuard Network
    Add-on; cloud network security
    Quote
  • Bundled with Infinity
    Custom; full Check Point platform
    Quote
Watch for
  • · Per-asset pricing
  • · Implementation fee ($15K-$100K)
  • · Annual price increases of 6-10%
  • · Multiple modules billed separately

Key features

  • +CSPM (Dome9 heritage)
  • +CWPP (workload protection)
  • +CIEM (cloud entitlements)
  • +KSPM (Kubernetes posture)
  • +IaC and code security (Spectral)
  • +CloudGuard Network Security
  • +Serverless security (Protego heritage)
  • +Check Point ThreatCloud intelligence integration
180+ integrations
AWSMicrosoft AzureGoogle CloudKubernetesCheck Point firewallsServiceNow
Geography
Global; strongest in EU, US, Israel, AU
View full Check Point CloudGuard intelligence profile → Compare Check Point CloudGuard →

Frequently asked questions

The questions buyers actually ask before they sign.

Can CSPM control planes stay inside Canada?
Microsoft Defender for Cloud can be configured to keep data inside Azure Canada Central or Canada East, the cleanest option for ITSG-33 PROTECTED B accreditation. Wiz, Prisma Cloud, Orca, CrowdStrike, Sysdig, Lacework, Aqua and Tenable host primary control planes in US regions, which is typically acceptable under PIPEDA with contracts but adds OSFI B-13 documentation.
How does OSFI B-13 affect CSPM procurement at Canadian banks?
B-13 requires technology and cyber risk inventories of every third-party SaaS, including CSPM, with residency, sub-processors and incident-response SLAs. Defender for Cloud, Prisma Cloud and Wiz carry mature B-13 evidence packages; newer entrants face 9-18 month third-party risk reviews before production deployment at the Big Five banks.
What about Bill C-26 cyber-incident reporting?
Bill C-26 (Critical Cyber Systems Protection Act) when fully in force will require designated operators of federally regulated critical infrastructure (banking, telecoms, energy, transportation) to report cyber incidents. CSPM-detected misconfigurations that lead to incidents will fall in scope; documented detection, triage and remediation timelines become evidence.
Wiz vs Palo Alto Prisma Cloud, which one?
Wiz if your bottleneck is time-to-value, agentless deployment, and breadth across multi-cloud (AWS + Azure + GCP), Wiz consistently delivers meaningful findings within 24-48 hours of connection and the Security Graph attack-path analysis is best-in-class. Palo Alto Prisma Cloud if you are already standardized on Palo Alto firewalls, Prisma SASE, and Cortex XDR and want unified vendor consolidation. Both are credible at enterprise scale. Wiz declined Google's $32B acquisition offer in August 2024 and remains independent; Prisma Cloud carries roadmap uncertainty as Palo Alto consolidates detection capabilities into Cortex Cloud / XSIAM.
Why is Lacework still on this list given the Fortinet fire-sale?
Honesty: Lacework is here for completeness because the Polygraph Data Platform technology is genuinely strong and existing customers need to know how to think about renewal. We do not recommend Lacework for net-new evaluation in 2026 unless you are already standardized on Fortinet network security and want unified FortiCNAPP + FortiGate. The 2024 Fortinet acquisition at $150M-$200M against the 2021 $8.3B peak is one of the most public valuation collapses in cybersecurity history, and post-acquisition integration roadmap remains incomplete. Net-new buyers should evaluate Wiz, Orca, Prisma Cloud, or Defender for Cloud first.
When does Microsoft Defender for Cloud beat Wiz?
Microsoft Defender for Cloud wins for any organization on Microsoft Azure where foundational CSPM is the primary need, it's bundled at zero incremental cost, native to Microsoft Sentinel SIEM and Entra ID, and per-resource pricing scales smoothly. The economic lever is overwhelming for Azure-anchored shops doing CSPM-only. Wiz wins for multi-cloud (AWS + Azure + GCP), buyers prioritizing fastest agentless time-to-value, and enterprises wanting the broadest CNAPP coverage (CSPM + CWPP + CIEM + KSPM + DSPM) in a single platform with the strongest attack-path analysis.
How does this differ from your EDR ranking?
Our Top 10 EDR / Endpoint Security Software covers endpoint detection and response (CrowdStrike Falcon endpoint, Microsoft Defender for Endpoint, etc.). CSPM/CNAPP (this ranking) covers cloud security posture, workload protection, identity entitlements, and Kubernetes for cloud-native environments. EDR + CNAPP are complementary, most enterprises run both. CrowdStrike Falcon Cloud Security and Microsoft Defender for Cloud appear here as the cloud modules of products covered separately as endpoint platforms; we use distinct product IDs (`crowdstrike-cloud-security` vs `crowdstrike`, `defender-cloud` vs `defender-endpoint`) where products span multiple categories.
How much should I budget for CNAPP?
Azure-only shop on foundational CSPM: $0 incremental (Defender for Cloud foundational free). Small multi-cloud (500-1,000 employees): $30K-$80K/year (Wiz Essential, Orca Premium, Defender CSPM advanced). Mid-market multi-cloud (1,000-5,000 employees): $80K-$200K/year (Wiz Advanced, Prisma Cloud Business, Tenable Cloud Security). Enterprise multi-cloud (5,000+ employees): $200K-$1M+/year (Wiz CNAPP, Prisma Cloud Enterprise, Falcon Cloud Security Enterprise). Add 30-50% for full CNAPP including CWPP runtime + DSPM + Kubernetes runtime detection.
How long does CNAPP rollout take?
Wiz, Orca (agentless): 1-4 weeks for initial coverage, 4-12 weeks for full operational maturity. Microsoft Defender for Cloud foundational: 1-2 weeks (auto-enabled with Azure). Prisma Cloud, Falcon Cloud Security, CloudGuard, Lacework: 8-16 weeks (multi-product integration, IaC pipelines, SOC playbooks). Sysdig and Aqua Security: 8-20 weeks for full Kubernetes runtime maturity. Plan for 90-180 days from contract to full SOC operational maturity for enterprise CNAPP deployments.
Agentless vs agent-based CNAPP, which architecture wins?
Both win for different jobs in 2026. Agentless (Wiz, Orca, Defender CSPM) wins for fastest time-to-value, broadest visibility without DevOps friction, and posture/configuration use cases. Agent-based (Sysdig, Aqua Security, CrowdStrike Falcon Cloud) wins for deepest runtime detection, real-time response actions, and Kubernetes runtime threat hunting. Most credible vendors now ship hybrid architectures, Wiz Defend, Orca Sensor, Prisma Cloud Defender, adding optional runtime sensors to agentless foundations. Evaluate by primary use case (posture-led vs runtime-led) rather than by architecture purity.
How do CNAPP vendor acquisitions affect selection?
The Lacework→Fortinet 2024 fire-sale (~$150M-$200M from a 2021 $8.3B peak), the Wiz→Google 2024 deal collapse ($32B declined), the Tenable→Ermetic 2023 acquisition ($265M for CIEM), and ongoing Aqua Security IPO talks have reset trust expectations in the category. After-action: (1) Verify the vendor's acquisition history and post-acquisition product velocity. (2) Require multi-year roadmap commitments in the contract. (3) Test exit clauses and data portability before signing. (4) Don't overweight vendor independence as a feature, Wiz is independent today but post-IPO trajectory is uncertain. Evaluate product fit first, vendor stability second.

Final word

Looking at a different market? See the global Cloud Security Posture Management (CSPM) ranking, or pick another country at the top of this page.

Last updated 2026-05-27. Local pricing reverified quarterly. Found something inaccurate? Tell us.