The Context Problem
Traditional tools generate endless alerts because they lack context. A CSPM sees an open bucket; a CWPP sees a vulnerability. CNAPP connects the dots: "This container has a critical vulnerability AND is exposed to the internet via this misconfiguration." That is an actionable risk.
Why CNAPP Exists
As organizations embraced cloud-native technologies like containers, Kubernetes, and serverless, security teams tried to keep up by buying point solutions: one tool for cloud configuration (CSPM), another for workload protection (CWPP), and yet another for identity (CIEM).
This created three major problems:
- Fragmented Visibility: No single pane of glass to see risk across the entire estate.
- Operational Inefficiency: Teams constantly switched between consoles to correlate data.
- Blind Spots: Risks that spanned multiple domains (e.g., identity + configuration) were missed.
Gartner defined CNAPP to solve this fragmentation by converging these capabilities into a single, integrated platform, ensuring consistent security from development (Shift Left) to production (Shield Right).
The Three Pillars of CNAPP
1. CSPM (Cloud Security Posture Management)
Focuses on the configuration of cloud infrastructure. It continuously audits cloud environments (AWS, Azure, GCP) against compliance standards (CIS, NIST, SOC2) to detect risks like unencrypted databases, open security groups, or missing logging.
2. CWPP (Cloud Workload Protection Platform)
Focuses on the compute resources—VMs, containers, and serverless functions. It provides runtime protection, vulnerability scanning, malware detection, and behavioral monitoring to stop attacks executing inside workloads.
3. CIEM (Cloud Infrastructure Entitlement Management)
Focuses on identities and permissions. It analyzes excessive permissions (the "identity gap") for both human users and non-human service accounts, enforcing the principle of Least Privilege.
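The correlation described in The Context Problem, joined across the three pillars above, can be sketched in a few dozen lines. This is an added illustration, not code from any CNAPP product; the findings, resource ids, role names and CVE ids are constructed placeholders, and the scoring rule (count how many pillars fire per resource) is a simplification of what real platforms do.

```python
from collections import defaultdict

# Constructed sample findings, one list per CNAPP pillar. Resource ids, CVE ids
# and IAM statements are placeholders invented for this example.
CSPM_FINDINGS = [  # configuration: what is reachable from where
    {"resource": "i-web01", "issue": "security group allows 0.0.0.0/0 -> tcp/443"},
    {"resource": "s3-logs", "issue": "bucket policy grants public read"},
]
CWPP_FINDINGS = [  # workloads: what is vulnerable
    {"resource": "i-web01", "cve": "CVE-0000-PLACEHOLDER-1", "severity": "critical"},
    {"resource": "i-batch07", "cve": "CVE-0000-PLACEHOLDER-2", "severity": "critical"},
    {"resource": "i-web01", "cve": "CVE-0000-PLACEHOLDER-3", "severity": "low"},
]
CIEM_FINDINGS = [  # identity: what the workload could do if compromised
    {"resource": "i-web01", "principal": "role-web", "issue": "s3:* on *"},
]

PILLARS = ("exposure", "vulnerability", "entitlement")


def correlate(cspm, cwpp, ciem, min_severity=("critical", "high")):
    """Join the three pillars' findings on the resource they describe.

    Point solutions would emit 2 + 3 + 1 = 6 independent alerts for this input;
    the correlated view yields one entry per resource listing every pillar that fired.
    """
    ctx = defaultdict(lambda: {p: [] for p in PILLARS})
    for f in cspm:
        ctx[f["resource"]]["exposure"].append(f["issue"])
    for f in cwpp:
        if f["severity"] in min_severity:  # low-severity noise does not build context
            ctx[f["resource"]]["vulnerability"].append(f["cve"])
    for f in ciem:
        ctx[f["resource"]]["entitlement"].append(f"{f['principal']}: {f['issue']}")
    return dict(ctx)


def prioritize(context):
    """Rank resources by how many pillars fired. Exposed + exploitable +
    over-privileged is the 'toxic combination' CNAPP exists to surface."""
    ranked = []
    for resource, pillars in context.items():
        fired = [p for p in PILLARS if pillars[p]]
        label = ("toxic combination" if len(fired) == 3 else
                 "actionable risk" if {"exposure", "vulnerability"} <= set(fired) else
                 "isolated finding")
        ranked.append({"resource": resource, "score": len(fired), "label": label, "why": fired})
    return sorted(ranked, key=lambda r: (-r["score"], r["resource"]))


if __name__ == "__main__":
    for r in prioritize(correlate(CSPM_FINDINGS, CWPP_FINDINGS, CIEM_FINDINGS)):
        print(f"{r['score']} {r['label']:<18} {r['resource']} <- {', '.join(r['why'])}")
```

Run as-is, the web instance surfaces as the single toxic combination while the public bucket and the unreachable batch host fall to the bottom of the queue, which is the triage order the Context Problem paragraph argues for.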
CNAPP Capability Matrix
| Domain | Point Solution | CNAPP Approach |
|---|---|---|
| Configuration | CSPM (API scanning only) | Context-aware config auditing |
| Workloads | CWPP (Agents everywhere) | Agentless scanning + runtime agents |
| Identity | CIEM / IAM tools | Identity graph mapped to resources |
| DevOps | VaC / SCA scanners | IaC scanning with production feedback |
Agentless vs. Agent-Based
Modern CNAPP solutions often use a hybrid approach:
- Agentless Scanning: Takes snapshots of cloud disks (EBS volumes) to scan for vulnerabilities without installing anything on the workload. Provides 100% coverage and zero friction.
- Agent-Based Runtime: Lightweight eBPF probes deployed on hosts to detect real-time attacks (e.g., reverse shell execution, crypto mining) that snapshots cannot catch.
CNAPP and DevSecOps
CNAPP enables true DevSecOps by integrating into the CI/CD pipeline. It scans:
- Infrastructure as Code (IaC): Terraform, Helm charts, Dockerfiles.
- Open Source Libraries (SCA): Detecting vulnerable dependencies.
- Secrets: Hardcoded API keys or credentials in code.
This allows developers to fix security issues before infrastructure is provisioned, significantly reducing the cost and risk of remediation.
Key Vendors
- Platform Leaders: Wiz, Palo Alto Networks (Prisma Cloud), Sysdig, Orca Security
- Emerging Players: Lacework (acquired by Fortinet), Uptycs, Aqua Security
Alterra's Perspective
For our defense clients operating in air-gapped environments, CNAPP presents unique challenges. Cloud-native assumptions often break when there is no internet connectivity. We specialize in adapting CNAPP principles—comprehensive visibility and shift-left security—to disconnected, sovereign cloud environments where data residency and control are paramount.