165 shares, 187 points


Hear from CIOs, CTOs, and different C-level and senior execs on information and AI methods on the Future of Work Summit this January 12, 2022. Learn extra

While the cloud safety market has developed quickly lately, there’s now a big selection of instruments to juggle for securing cloud infrastructure and purposes.

There are “too many tools,” the truth is, stated Neil MacDonald, a vice chairman and analyst at Gartner, talking on the analysis agency’s Security & Risk Management Summit — Americas digital convention final week. Now, nevertheless, there’s main consolidation underway within the cloud safety instruments market, a development that’s “good news” for enterprises, MacDonald stated.

In response to cloud safety challenges and the rising recognition of the cloud — Gartner estimates 70% of workloads will probably be working in public cloud inside three years, up from 40% at the moment — the demand for cloud safety has surged. Research agency MarketsandMarkets forecasts that cloud safety spending will attain $68.5 billion by 2025, up from $34.5 billion final yr.

But the cloud safety instruments, and acronyms, are quite a few. There’s CSPM (cloud safety posture administration) for recognizing misconfigurations in cloud infrastructure. There’s CIEM (cloud infrastructure entitlements administration) for managing cloud identities and permissions. There’s CWPP (cloud workload safety platforms) for securing digital machines, containers, and serverless capabilities. And there are extra instruments to proactively establish vulnerabilities throughout app growth, resembling instruments for scanning containers and Infrastructure as Code (IaC).

But now, as an alternative of needing to accumulate these totally different instruments and discover a approach to make use of all of them collectively, the concept is to have one platform to rule all of them: CNAPP.

That stands for cloud-native utility safety platform, and it’s an providing that features the entire instruments talked about above. Or at the very least, that’s beginning to be the case — with many distributors within the strategy of assembling the totally different items right into a CNAPP complete (extra on that beneath). Vendors within the rising CNAPP house embody a number of the best-funded startups in cybersecurity together with a number of the most well-established firms within the safety business.

Gartner coined the time period CNAPP earlier this yr — partly in recognition of what was already occurring out there, and partly to encourage additional consolidation of cloud safety instruments underneath the CNAPP umbrella.

“These walls are coming down,” MacDonald stated. “We need to think of cloud-native application protection as a lifecycle problem from development into operations. And there are vendors now that can do most of everything [that’s part of CNAPP].”

Cloud safety challenges

While enterprises have accelerated their shift to the cloud in the course of the pandemic, cloud safety stays a foremost problem. A current survey of cloud engineering professionals discovered that 36% of organizations suffered a severe cloud safety information leak or a breach previously 12 months. Likewise, a current Gartner survey discovered that greater than a 3rd of firms see lack of safety readiness as an impediment to public cloud migration — rating as the most typical problem to cloud cited within the survey.

Thus, for purchasers, the cloud safety development of unifying disparate instruments so there are fewer to cope with is value contemplating, MacDonald stated.

“I think you should have fewer vendors, not more security vendors — do not mistake more security vendors for ‘defense in depth,’” he stated, referring to the cybersecurity technique of deploying a number of layers of protection. “But it also means you should be open to switching vendors, consolidating vendors, switching to one that understands your needs.”

Many cyber distributors have already embraced the CNAPP idea, saying that finally, the shoppers win with a unified providing within the cloud safety realm. Some — resembling Palo Alto Networks, Aqua Security, and Orca Security — had been already providing the important thing elements of CNAPP previous to Gartner coining the time period.

For occasion, Aqua Security describes its providing, the Aqua Platform, as a “complete” cloud-native utility safety platform. And the seller has seen “high double-digit” income and buyer development for its CNAPP to date this yr, stated Rani Osnat, senior vice chairman of technique on the 450-person firm.

“Customers are looking for a broader platform,” Osnat stated. “Even customers that are relatively in the beginning of their journey understand that from a vision standpoint, they don’t want to slice this up into too many little pieces.”

Simplifying cloud safety

Freelance companies market Fiverr adopted Orca Security’s platform partly to assist simplify the method of making certain cloud safety, stated Shahar Maor, chief info safety officer at Fiverr, in an announcement to VentureBeat.

“There are a lot of complexities in securing public cloud environments,” Maor stated. “The value of a CNAPP like Orca Security is that I’ve got a single, comprehensive solution to identify risk, as well as provide actionable insights and value across IT, DevOps, and engineering.”

Along with Orca Security, Palo Alto Networks, and Aqua Security, different distributors providing the capabilities that fall underneath CNAPP embody Lacework, McAfee Enterprise, Qualys, Sonrai Security, and Wiz.

Aqua Security

Aqua Security has provided capabilities for scanning purposes throughout growth, together with IaC safety scanning, because the launch of the corporate in 2015. In phrases of workload safety, Aqua centered on containers initially and added serverless and VMs in 2017 to provide it full CWPP capabilities. The firm added CSPM via the acquisition of CloudSploit in 2019. Recent enhancements to Aqua’s CNAPP providing have included cloud-native detection and response, which gives monitoring and detection to establish zero-day assaults in cloud-native environments.

“One of the things that make CNAPP such a ‘gospel’ in this market is that unlike traditional security solutions in the past, it covers a very broad set of personas,” Osnat stated. “It spans developers and DevOps to cloud admins and security personnel. And that is quite unique in the market. So while nobody expects developers to become security experts, by helping developers embed security into their CI/CD processes, you help solve the problem.”

In March, Aqua Security raised $135 million in collection E funding at a $1 billion valuation.


Lacework, which was based in 2014, began out in CWPP and later added CSPM.

“We began by addressing CWPP use cases with automation, without requiring the use of any rules/policies,” stated Adam Leftik, vice chairman of product at Lacework, in an e mail to VentureBeat. “We later added in CSPM and vulnerability management capabilities with all of the insights necessary to efficiently handle compliance, audit, and risk management needs.”

Other additions have included IaC remediation capabilities via the acquisition of Soluble earlier this month, together with different options together with an inline vulnerability scanner to assist builders discover and repair vulnerabilities of their CI/CD pipelines.

“CNAPP represents a mindset shift toward a security approach that includes everyone involved in the business,” Leftik stated. “Enterprises have an opportunity to completely rethink their security approach as one overarching continuum throughout development and operations rather than one-off problems that have to be fixed with manual, rules-based processes. As more customers embrace cloud and build in containers, there will be more demand for platforms that can protect cloud-native applications across development and production.”

Lacework raised $1.3 billion in funding earlier this month — one of many largest enterprise rounds within the U.S. this yr — at an $8.3 billion post-money valuation. That adopted the corporate’s $525 million fundraise in January.

McAfee Enterprise

McAfee Enterprise started providing CWPP in early 2017 and added CSPM performance to the providing in early 2019. The McAfee Enterprise MVision CNAPP additionally contains container safety capabilities by way of the acquisition of NanoSec in 2019, and information loss prevention capabilities by way of the acquisition of Skyhigh Networks in 2018. In March, MVision CNAPP added in-tenant DLP scanning facilitating for elevated information safety, privateness, and value optimization.

“As organizations continue to benefit from moving more workloads to the cloud, cloud threats are also on the rise,” stated Dan Frey, product advertising and marketing engineer at McAfee Enterprise and FireEye, in an e mail to VentureBeat. “McAfee Enterprise expects adoption of MVision CNAPP to continue in step with customer requirements and cloud adoption rates.”

In October, McAfee Enterprise was mixed with cybersecurity agency FireEye in a deal orchestrated by their proprietor, non-public fairness agency Symphony Technology Group. Symphony had acquired McAfee’s enterprise safety enterprise in March for $4 billion.

Orca Security

Orca Security has had CSPM, CWPP, and CIEM since its founding in 2019. “We were a CNAPP before the term existed, and we are excited to see the official emergence and recognition for the category,” stated Avi Shua, cofounder and CEO of Orca Security, in an e mail to VentureBeat.

The firm just lately enhanced its id and entry administration threat detection capabilities to cowl misconfigurations, occasions and anomalies, and entry traversal. Additionally, a brand new CI/CD providing contains detection of safety points within the developer pipeline and through deployment earlier than reaching manufacturing.

“Security teams are overwhelmed with thousands of meaningless, disconnected alerts,” Shua stated. “With a CNAPP, customers can focus on the alerts that matter, get more functionality with fewer cloud security tools — and can finally address the cost and complexity of managing disparate tools.”

In October, Orca Security prolonged its collection C spherical to $550 million at a $1.8 billion post-money valuation.

Palo Alto Networks

Palo Alto Networks launched its Cloud Native Security Platform, Prisma Cloud, in November 2019, combining CSPM capabilities from its RedLock and Evident.io acquisitions with CWPP capabilities from its Twistlock and PureSec acquisitions. The firm added capabilities together with CIEM with Prisma 2.0 in 2020.

Then final week, Palo Alto Networks debuted Prisma Cloud 3.0 — which it described as a CNAPP — with enhancements together with the mixing of CIEM for Azure and IaC safety.

“Customers today have been using a large number of point solutions to address cloud security requirements ad hoc,” stated Ankur Shah, senior vice chairman and common supervisor of Prisma Cloud at Palo Alto Networks, in an announcement to VentureBeat. “As customers build their overall strategy, they want to use a CNAPP that provides comprehensive security across multi-cloud and hybrid-cloud environments.”

The publicly traded firm at the moment has a market capitalization of $51.98 billion.


Qualys has been providing CWPP for digital machines working within the public cloud for the previous 5 years. The firm prolonged the answer to assist container workloads and launched CSPM in 2018. Recent additions to the Qualys CNAPP providing have included detecting misconfigurations in IaC, compliance for containers, and risk-based venerability administration.

“With an increasing number of organizations charting the course for their cloud journeys — and no sign of stopping or slowing — securing this journey has become one of the top concerns of customers. With this new focus, there is an increasing opportunity for vendors to address this concern with solutions such as CNAPP,” stated Parag Bajaria, vice chairman of cloud and container safety at Qualys, in an e mail. “Cloud security is fragmented into multiple categories and various point products that address those categories. Due to this complexity, there is often a large amount customer confusion. As a result of this confusion, Qualys is increasingly seeing customers ask for a single consolidated solution.”

The publicly traded firm at the moment has a market capitalization of $5.34 billion.

Sonrai Security

Sonrai Security, which was based in 2018, began out in CIEM and later added CSPM. The Sonrai Dig providing additionally contains information safety, and the startup “will soon announce new capabilities to our CIEM, CSPM, and data security platform,” stated Brendan Hannigan, CEO and cofounder of Sonrai Security, in an e mail to VentureBeat.

“Cloud security offerings like Sonrai Dig hold the entire future for cloud security specifically and security in general,” Hannigan stated. “Old-world data center solutions increasingly will become irrelevant as digital disruption expands the cloud while data centers and enterprise networks decline.”

Sonrai Security introduced a $50 million collection C funding spherical in October.


Wiz has supplied CSPM and CWPP performance since its founding in 2020. The startup has primarily centered on increasing its CWPP capabilities, just lately introducing the flexibility to scan workloads for malware without having to put in any brokers.

“CNAPP will become the de facto cloud security product,” stated Yinon Costica, cofounder and vice chairman of product at Wiz, in an e mail to VentureBeat. “It will extend all the way from cloud environments to the code developers are writing. The big opportunity here is to drastically simplify cloud security in a way that lets business move faster than ever before — but securely this time. The fragmented approach we had before could never do that.”

In October, Wiz raised a $250 million collection C funding spherical at a post-money valuation of $6 billion. That adopted the corporate’s $130 million collection B spherical in March.


VentureBeat’s mission is to be a digital city sq. for technical decision-makers to achieve data about transformative expertise and transact.

Our website delivers important info on information applied sciences and methods to information you as you lead your organizations. We invite you to turn into a member of our neighborhood, to entry:

  • up-to-date info on the topics of curiosity to you
  • our newsletters
  • gated thought-leader content material and discounted entry to our prized occasions, resembling Transform 2021: Learn More
  • networking options, and extra

Become a member


Like it? Share with your friends!

165 shares, 187 points

What's Your Reaction?

confused confused
lol lol
hate hate
fail fail
fun fun
geeky geeky
love love
omg omg
win win