Cloud Security Posture Management (CSPM) and Cloud-Native Application Protection Platform (CNAPP) Tools

The CNAPP Promise: A Crucible of Monitoring, Security, and Compliance in All Environments

CONTENTS

About This Report

Executive Summary

The Observatory

Conclusion

Key Terms

About ETR

See More Observatory Reports

View and download report PDF

about this report

43-minute read • Based on data collected May 2024

The ETR Observatory for Cloud Security Posture Management (CSPM) and Cloud-Native Application Protection Platforms (CNAPP) will build on the strong foundational work done by traditional market research firms that have identified and defined the sector by analyzing data on a comprehensive list of vendor tools that address these unique cloud-native threats. This Observatory features the most comprehensive and current data about the CSPM and CNAPP marketplace.

While structuring a grouping of disparate vendors with varying functionalities is subjective, the ETR Observatory for CSPM/CNAPP vendors categorizes the vendor group primarily by breaking down the data-driven plotting of each vendor into our four Observatory Scope vectors. In addition, while acknowledging that all these vendors offer multiple functionalities and that the categorization may not appease all definitions, given the rapid convergence in this space, joining these adjacent CSPM and CNAPP tools was deemed prudent and necessary to produce the most comprehensive, data-backed study of this burgeoning security market. As always, with all ETR research, it is important to remind our readers that ETR’s Observatory reports are based solely on end-user data and feedback from our qualified IT decision maker community, without vendor involvement.
This report focuses on the following vendors: Aqua | Check Point CloudGuard | Cisco Cloud Security / Panoptica | CrowdStrike Falcon Cloud Security | Dynatrace / Runecast | Lacework | Microsoft Defender | Orca | Palo Alto Prisma Cloud | Rapid7 InsightsCloudSec | SentinelOne PingSafe | Sophos Cloud Optix | Tenable Cloud Security | Trend Micro Vision One | Wiz | Zscaler Posture Control

ETR MARKET ARRAY

In addition to relying upon ETR’s industry-leading evaluation and spending intentions data, this report also leverages ETR’s proprietary data set: the ETR Market Array. The ETR Market Array for CSPM/CNAPP was designed specifically to capture usage and evaluation metrics across a wide swath of security professionals representing the end user and evaluator buying demographic. The study offers data and analysis around spending trends, usage, return on investment (ROI), churn, product feature rankings, Net Promoter Scores (NPS), and more for the plethora of players encompassed in this Observatory scope. This report utilizes a small portion of that market intelligence data; however, the full CSPM/CNAPP Market Array study is available separately.

Figure 1. Positioning for the above ETR Observatory Scope for CSPM/CNAPP was determined purely by ETR’s proprietary surveys powered by the ETR Community. The full methodology and graphic explanation are available on our About the ETR Observatory page.

Executive Summary

Cloud platforms and cloud-native applications have gained significant popularity due to their cost-effectiveness, flexibility, and scalability. However, the increasing adoption of cloud infrastructure and the cloud-native applications built within them has also led to a massive surge in security threats. Nation-state-sponsored attacks, independent hackers, and cybercriminals are increasingly targeting cloud infrastructure misconfigurations, APIs, and the software supply chain, making it imperative to secure these workloads and applications. While this is a major concern, market economics within enterprise technology dictate that where there is a problem, solutions become available…at a cost. On cue, various Cloud Security Posture Management (CSPM) and Cloud-Native Application Protection Platforms (CNAPP) are increasingly available that combine multiple security capabilities into a single platform to address this growing need. CSPM has existed for a decade now, but demand continues to increase as workloads shift away from on-premises and into the cloud.

While cloud providers are responsible for the security of the cloud externally, enterprises are responsible for what happens within it. CPSM is a software tool that scans cloud infrastructure for security risks. It looks for misconfigurations, compliance violations, and other vulnerabilities. CSPM tools automate visibility, monitoring, threat detection, and remediation workflows. This helps identify and fix risks in a timely manner. CSPM can be used for risk assessment, visualization, incident responses, compliance, monitoring, and DevOps integration. Security teams use this information to improve their prioritization efforts. CSPM vendors advertise that their tools strengthen security while minimizing risk exposure in cloud environments. Additionally, CSPM tools can aid in meeting enhanced compliance and governance requirements and potentially reduce costs by eliminating redundant tools in an organization's existing security stack.

Meanwhile, CNAPP brings together a diverse range of security features, including CSPM, into a consolidated platform to identify and prioritize high-risk areas across cloud-native applications and their underlying infrastructure. This platform is designed to provide a more comprehensive approach to security that covers both the application and its infrastructure, including potential vulnerabilities in associated compute layers, identities, APIs, and software supply chains. CNAPP often employs agentless scanning technology, which can rapidly search cloud environments at scale without required installation on virtual machines.

Many security experts and practitioners now define CNAPP as a converged security architecture that includes CSPM functionality. CNAPP consolidates CSPM and other capabilities into a single platform, providing a holistic view of cloud risk and actionable findings for security, DevOps, and engineering teams. This combination of enhanced security cannot happen fast enough, given the advanced threat landscape that enterprises face daily. Other security modules under the CNAPP umbrella include Cloud Workload Protection Platform (CWPP), Cloud Infrastructure Entitlement Platform (CIEM), and Infrastructure-as-Code (IaC) scanning.

The attack surface of cloud-native applications is expanding with attackers increasingly targeting the misconfiguration of cloud infrastructure, APIs, identities, software supply chains, and so much more. This has led to a corresponding increase in the importance of identifying and addressing vulnerabilities in these areas to ensure the security of cloud-native applications. Despite being quite a bold statement, CSPM and CNAPP vendors are essentially promising comprehensive protection throughout the application's lifecycle, from development to production.

Another complexity in cloud-native security is the continual push to “shift left” and add security layers earlier on in the development process, which means that the role of DevOps is expanding into and also converging with DevSecOps. Developers are increasingly responsible for operational tasks, such as addressing vulnerabilities, deploying infrastructure, and managing implementations. Historically, there has been a stereotype that developers viewed security layers as a bridle stifling creativity and speed, but that belief is a dangerous vestige of a past world that must be obliterated from development culture going forward. To address this expanded scope of responsibility, developers need tools that can provide comprehensive support across all areas of the development and operational process.

Here are several examples of challenges that developers face when building cloud-native applications: Operational tasks that they don’t have experience with nor ever sought jurisdiction over

Lingering prejudice that security is an obstacle to productivity
Managing increasingly complex cloud infrastructure and dependencies
Balancing production deadlines and security measures in a fast-paced environment
A general lack of security expertise and training
Extensive use of open-source code and libraries that may contain vulnerabilities; and
Different development tools across enterprises with multi-cloud environments.

It is urgent that organizations equip developers with the necessary support, tools, and training to overcome these challenges so they can do what they do best: build resilient cloud-native applications. Enter the promise (and allure) of CSPM and CNAPP, which is designed to prioritize the identified risks and provide developers with sufficient context to remediate them quickly and comprehensively.

The Observatory

The plotting of vendors across the Observatory Scope is supported wholly by ETR’s exclusive market intelligence and spending intentions data sets (see Figure 1). Most vectors in this period were evenly distributed and populated, with three data-plotted vectors consisting of five vendors and only the Tracking vendor having one. Based on the results of this Market Array study, the Leading vector consisted of CrowdStrike Falcon Cloud Security, Zscaler Posture Control, Microsoft Defender for Cloud, Palo Alto Prisma Cloud, and Tenable Cloud Security (listed by highest Momentum positioning first).

The entirety of the Advancing vector had impressive positioning, with almost every vendor borderline crossing into the Leading category, and all coming up just shy due to lower Presence levels than their aforementioned peers in this marketplace. These vendors included Wiz, Rapid7 InsightsCloudSec, SentinelOne PingSafe, CheckPoint CloudGuard, and Dynatrace / Runecast (again listed by the highest Momentum positioning first). It should be noted that Wiz had the highest Momentum of the entire survey, and the CNAPP tools for Rapid7, SentinelOne, and CheckPoint captured Momentum levels that were in line with the majority of the Leading vector peers.

Cisco was the lone vendor occupying the Tracking vector in this Market Array survey with their Cloud Security / Panoptica tool. Cisco captured enough Momentum to enter the right half of this scope but fell short in Momentum to break into the Leading vector. In this ETR Observatory, numerous vendors, including Trend Micro Vision One, Orca, Lacework, Sophos Cloud Optix, and Aqua Security (listed in Momentum order), are in the Pursuing vector based on relational plotting of the Momentum and Presence data versus the other CNAPP vendors.

From this group, Trend Micro captured the highest Momentum and Presence. Orca had the second-highest Momentum and Sophos exhibited the second-highest Presence from this grouping. In general, the appearance of Orca, Lacework, and Aqua Security as private names that ETR tracks in our Emerging Technology Survey (ETS) is an impressive feat, given that the companies garnered enough spending and evaluation citations in this survey against a field populated with such large and mature competitors.

It is critical to note again that ETR’s positioning is based wholly on survey responses from IT decision makers with direct utilization and knowledge of the CNAPP vendors and toolsets. The plotting does not reflect, nor does it intend to opine on, the efficacy of these tools and security vendors. The full Observatory methodology can be viewed on the ETR website.

This report will first break down the overall spending intent Net Score for these CNAPP vendors and will then analyze each of the four Observatory Scope vectors and the vendors in more detail in the following sections; however, the best way to view this data is through the full ETR Market Array, which is available on our research platform.

Spending Intentions

Figure 2. ETR’s Market Array spending Net Score for CNAPP vendors was derived from a survey of 313 security-expert IT decision makers with direct utilization and evaluation knowledge of the specific CNAPP tools listed. If a vendor did not garner enough citations, it was eliminated from certain analyses.

In Figure 2, we exhibit the Market Array Net Score for select vendors within the CNAPP marketplace. This tracks the forward-looking spending trajectory for each vendor’s CNAPP-specific offerings and differs from ETR’s TSIS, which tracks overall spending projections at the company- and sector-wide levels. The data visualized in this figure will be referenced throughout this Observatory report. This visualization depicts the respondent's spending intent by answer options, showing the percentage of each end-user intent to Adopt, Increase, Remain Flat, Decrease, or Replace the vendor. The right-side percentage scale is the culmination of these inputs, resulting in ETR’s proprietary Market Array Net Score metric.

Impressively, all vendors listed had a positive Net Score with a wide scale ranging from 80% to 26% across all listed tools. Among this grouping, it is the private player Wiz that leads with an extremely elevated Net Score above 80%, driven by the highest level of Adoption intentions and being one of only two vendors (along with Orca) to capture zero negativity (Decrease and/or Replace intent).

Among the vendors with high customer-citation representation above 10%, CrowdStrike Falcon Cloud Security and Rapid7 InsightsCloudSec lead these CNAPP tools with a Net Score above 68%. Zscaler Posture Control and SentinelOne PingSafe are coupled just one tranche lower with Net Scores that are also above 60%, followed by a 58% Net Score for the omnipresent Microsoft and its Defender for Cloud tool (which captured the most customer utilization citations that represented more than half of the survey respondents). Palo Alto Prisma Cloud and Check Point CloudGuard were virtually tied with elevated Net Scores above 55%, followed next by the private players Aqua and Lacework at 50%. The next couple came from Tenable Cloud Security and Dynatrace / Runecast, with healthy Net Scores around 45%.

Cisco’s Cloud Security / Panoptica tool captured a 36% Net Score, which was impacted by half of its customers citing Flat spend intentions (which are removed from Net Score calculations). Still, 10% of Cisco’s CNAPP citations indicated Adoption intent, the same rate captured by highly entrenched player Palo Alto Networks, which is an auspicious sign for potential net new logos and customer growth for mature companies.

Among higher citation totals, extremely elevated Adoption rates of 25% and 22% were recorded for Wiz and SentinelOne PingSafe, respectively. In order, Zscaler Posture Control, CrowdStrike Falcon Cloud Security, and Rapid7 Insights CloudSec are noted for robust Increased spend intent at 59%, 58%, and 55%, respectively. Regarding total customer representation in this survey, the top three direct-customer citations came from Microsoft Defender for Cloud, CrowdStrike Falcon Cloud Security, and Palo Alto Prisma Cloud.

The aforementioned citation variance should be reviewed here, with Aqua, Lacework, Orca, Sophos, and TrendMicro receiving less than 10% total customer representation in this survey, hence their reflective Presence position in the Observatory Scope (Figure 1). BMC Helix and Sysdig Secure did not garner enough customer utilization to be included in the graphic; however, both tools did have enough citations from end-users who have evaluated their products recently to be included in other analysis aspects of the full Market Array data set.

ETR Data: In the recent Pre-RSA Security Trends Survey conducted by ETR, in conjunction with theCUBE Research, 87% of respondents expect their security-related budgets to increase over the next twelve months, with 14% expecting an increase of more than 15%. This indicates a growing focus on security and a recognition of the importance of investing in security measures. Furthermore, and specific to this report, Multi-Cloud/Hybrid Security was cited as the top driver for that security-focused budget growth, with 55% of respondents stating it as a reason for increased security spending. This suggests that organizations are prioritizing cloud security measures, a trend that is clearly seen in the strength of spending intention scores in this CNAPP/CSPM Market Array survey and Observatory report.

Rounding out the CNAPP tools’ Net Score spending metrics are Trend Micro Vision One (32%) and Sophos Cloud Optix (26%). Each vendor saw high relative levels of Flat spend indications, with Sophos capturing the highest at 63% of their end-user representation, citing flat spending for the year. However, Sophos also had zero Replacement indications, and 32% of its customers indicated plans to increase their spending with Optix. Regarding Trend Micro, the 8% Adoption rate was a positive data point, and when combined with their Increase citations shows that 44% of their customers within this survey sample plan a Positive spending trajectory with Vision One; however, the overall Net Score was weighed down somewhat by an 8% Decrease indication, which was tied for second-highest along with SentinelOne’s PingSafe in this grouping.

I. Leading Vector: CrowdStrike Falcon Cloud Security, Zscaler Posture Control, Microsoft Defender for Cloud, Palo Alto Prisma Cloud, and Tenable Cloud Security

As seen in Figure 1, the Leading vendors captured the highest overall combination of Momentum and Presence within ETR’s Market Array survey for CNAPP tools. However, it should be noted that for the first time in ETR’s Observatory and Market Array work, a vendor (Wiz) in the Advancing category had the highest overall Momentum ranking. This data point exhibits the burgeoning and competitive nature of this still wide-open cloud-security marketplace.

Within the Leading vector, CrowdStrike Falcon Cloud Security had the highest overall Momentum, and Microsoft Defender for Cloud had the highest Presence. It is to be expected that Microsoft also has the strongest Presence across the entire grouping, given the technology giant’s massive penetration into the enterprise world and its bundled licensing strategy. The entire enterprise technology world has witnessed a transformation in trust and respect for Microsoft over recent years to the point where it is commonplace to see their security products atop ETR’s data models.

As one IT decision maker (ITDM) stated in a recent ETR Insights interview, “Historically, people did not like Defender, but that has changed over a number of years.” Another security executive offered a more colorful take on the subject, “As recently as 2019, I wouldn't have trusted Microsoft Defender any further than I could throw it, but it's become a great product in the last number of years.” Many other ITDM comments still state that the other tools listed in this report are still considered best of breed, but given the Microsoft bundling practices, it is hard to justify the cost of using additional tools. As one CISO bluntly stated, “It's tough to say that I'm already paying for Defender, but I want money and approval to use something else. That's why you see a big push with Microsoft and why they hold so much of the market right now.”

Innovative Vendors

Figure 3. ETR’s Market Array survey asked security-expert ITDMs to write-in which ONE vendor they believe is the most innovative. The image above shows the top 5 responses.

As seen in Figure 3, Microsoft Defender certainly has risen in reputation. The ETR Market Array survey asked the respondents to write-in which one vendor they believe is the most innovative in the CNAPP market, and CrowdStrike and Microsoft were virtually tied for first with 16% and 15.7% of the survey share, respectively.

Despite Microsoft's somewhat expected positioning, CrowdStrike holds the top spot in this Market Array data set with the highest Momentum positioning with the Leading vector. CrowdStrike Falcon Cloud Security garnered nearly one-third share of our survey respondents citing utilization of the product, and as seen in Figure 2 above, the CNAPP product Net Score was in the top tier with an amazing 72% of their customers citing an intent to either newly adopt the product or increase spending on it, versus less than 4% showing negative intent (Decrease + Replace).

Holding true to the promise of CNAPP’s all-encompassing cloud security goals, the company markets CrowdStrike Falcon as a comprehensive cybersecurity platform designed to deliver a range of protection services through a cloud-native architecture. ETR Insights feedback for this leading vendor is that it is widely considered a best-of-breed solution across its growing suite of product offerings, although it can be a bit more expensive than other options in the market. However, those cost concerns don’t show up in this Market Array’s Return on Investment (ROI) data, where the product is ranked higher than average and in a virtual tie with SentinelOne PingSafe, and Microsoft Defender for Cloud in their ROI Net Score. It should be noted that CrowdStrike Falcon was one of only two vendors in this study that had a positive Net Promoter Score (NPS), along with Wiz. Again, the full NPS rankings and the drivers of recommendation analysis that accompany it are available in the Market Array data set.

Following CrowdStrike in Momentum within the Leading vector, Zscaler exhibited solid competitive positioning in this CNAPP study, recording the fourth-highest Presence ranking in the marketplace as well. While some vendors in this report talk about their cloud security offerings in more general terms, Zscaler has fully embraced the CNAPP terminology. They market Zscaler Posture Control as a CNAPP product designed to enhance cloud security by addressing risks associated with misconfigurations, threats, and vulnerabilities throughout the cloud-native lifecycle. This comprehensive tool also includes CSPM and is an agentless platform, which is quickly becoming a popular approach and a fundamental capability within CNAPP systems.

Zscaler Posture Control should earn the new nickname of “nickel” because the product came in the top 5 in most of ETR’s Market Array data rankings. It was 5th highest in Product Net Score, among the top 5 write-in vendors for our most Desired and most Innovative rankings, and it held a top 5 ranking in ETR’s Stickiness/Churn score. However, the product did not fare as well in our ROI scoring, where it was positioned below average.

Next, we review a small portion of the Market Array data for Palo Alto Networks’ Prisma Cloud product, which had the 4th highest Momentum in the Leading vector and the 3rd highest Presence in the entire marketplace, a very strong combination. One of the important takeaways for the company in this survey was that despite being mature and already well-entrenched in the enterprise, Prisma Cloud garnered 10% of their survey share, citing intent to newly adopt the product, which is a positive indicator for future customer growth. In tandem with 54% of their existing customers citing plans to increase their spending on the product, Palo Alto Prisma Cloud is well positioned as a leader in the CNAPP market.

As seen in Figure 4, ETR presented the survey respondents with a series of ten statements about the CNAPP marketplace and aggregated their responses on each statement for every vendor tracked. Here, we illustrate the findings for the statement, “This product does everything I expect a CNAPP product to do,” and see that Palo Alto Prisma is tied for third with Microsoft and only one percentage point below Wiz's second spot (CrowdStrike Falcon took the lead).

Expectations

Figure 4. ETR’s Market Array posed a series of statements about the CNAPP marketplace products and ranked their level of agreement for each.

While not shown here, ETR also breaks down each listed product by 10 areas of product strength in the full data set. Palo Alto Prisma Cloud looked impressive across the board, with 7 of the 10 product strength areas having higher than 70% agreement rates with their customers and evaluators. One of the three that did not was for the statement, “This product is difficult to replace,” where the vendor was still ranked the second-highest, just behind Microsoft Defender for Cloud.

Palo Alto Networks has long supported the “shift left” in security and, given the strong performance in numerous aspects of this customer and evaluator-driven survey, the Prisma Cloud product might be the flagship for that movement. The company markets the product as a fully comprehensive security platform across the entire development lifecycle, in tandem with the broader CNAPP functionality across hybrid and multi-cloud environments.

Wrapping up the Leading vector, Tenable’s overall customer and evaluator data set plotted its Cloud Security product in the Leading CNAPP vector, albeit with lower relative levels of both Momentum and Presence measures than some of its other vector peers. Still, the Tenable Cloud Security product garnered more than 10% customer share with our survey takers and captured 10% Adoption rates, along with almost 42% of its customers planning to increase spending on the product. In addition, the product got high marks for being easy to implement and integrating well with existing systems in our Product Strengths data.

The ease of use is not surprising given the open-sourced origins of Tenable’s Nessus foundational layer, and while ETR Insights transcripts offer ample praise for the tool in vulnerability and exposure management, along with close competitor Rapid7, there is some concern around the ability to keep up with the shift left of DevSecOps, especially in cloud-native and container environments as compared to more newly architected emerging tools. Still, both Tenable and Rapid7 hold solid positions in this CNAPP Market Array study.

ETR Data: In the most recent APR24 TSIS data (N=1,844), the three core Vulnerability Management players of Qualys, Tenable, and Rapid7 have recorded year-over-year decreases in their spending intentions Net Scores, with Net Scores scaling from 20% to 17% to 14%, respectively. However, Pervasion rates within our survey sample for the three vendors remained steady, with Tenable leading with a 20% Pervasion rate and the other two tied at 18%.

In Figure 5, ETR’s Security Trends survey recorded data showing that Vulnerability Management and Patching was the second-highest security priority, in close proximity with Identity Management (SSO, MFA) and Endpoint Security (EDR / XDR). In fact, all three areas of priority were separated by just two percentage points. When combining this data point with another from the Security Trends survey showing that Multi-Cloud and Hybrid security was the biggest driver of increasing security budgets, it is clear that exposure management in cloud architectures is a critical component of current security models, signaling the importance of this CNAPP market.

Information Security Priorities

Figure 5. Source: ETR’s RSA Security Trends Survey. Vulnerability Management was 2nd highest priority across all survey respondents (N=321).

That concludes the Leading vector coverage. The following section will cover the CNAPP products plotted in the Advancing and Tracking vectors.

II. Advancing and Tracking Vectors: Wiz, Rapid7 InsightsCloudSec, SentinelOne PingSafe, CheckPoint CloudGuard, Dynatrace / Runecast, and Cisco Cloud Security / Panoptica

In this particular Market Array study for the CNAPP sector, the products that were plotted in the Advancing vector showed comparative strength in Momentum equal to their counterparts in the Leading vector. In fact, Wiz had the highest Momentum ranking across the entire sector, and three other products (Rapid7 InsightsCloudSec, SentinelOne PingSafe, and Check Point Cloud Guard) had Momentum levels even with Zscaler Posture Control, Microsoft Defender for Cloud, and Palo Alto Prisma Cloud. At a lower tranche, Dynatrace and its recent acquisition of Runecast had a Momentum level in line with Tenable Cloud Security as well. With that stated, it was the overall Presence measures that fell below their Leading vector peers, albeit just barely.

By the slightest of margins, Wiz, Rapid7 InsightsCloudSec, and SentinelOne PingSafe were on the cusp of crossing over into a crowded Leading vector. When this CNAPP Market Array survey is revisited next year, it is logical to expect that many of these products will see increased Presence rankings, resulting in new plotting of the CNAPP tools. In this section, we will also cover Cisco’s Cloud Security / Panoptica product, which was slightly lower in Momentum but had the 5th highest Presence in the entire CNAPP Market Array vendor grouping. Ultimately, the data fell slightly shy of being included in the Leading vector, plotting Cisco’s cloud security product very high in the Tracking vector instead. Since Cisco Cloud Security / Panoptica was the only product within this category, we will cover the product in this section of the report.

Before moving on to the vendor-specific data review, there was another interesting theme within this Advancing vector, which was that recent acquisitions abound among this grouping of tools. Beginning with SentinelOne, which had a deal in place to acquire Orca back in late 2021 before that acquisition fell through, the company completed the acquisition of PingSafe in January 2024. In that same month, Dynatrace announced its intent to acquire Runecast as well. In late April 2024, Wiz announced intent to acquire Lacework, but as of press time, multiple reports surfaced that the deal was falling through. In addition, numerous sources have reported that Palo Alto Networks may also be interested in Lacework. The flurry of recent activity shows the attractive opportunities within the CNAPP space and the strategy of buying existing functionality, as opposed to the much slower plan of building out the features internally.

We begin with the Advancing vector analysis with Wiz, a private player with the highest Momentum ranking in this Market Array, with a CNAPP product Net Score of 80%. As a newer entrant in the enterprise tech market relative to some of the more mature companies included in this report, Wiz has the benefit of being architected as 100% cloud-native from the ground up and is also one of the CNAPP vendors that is agentless. The company markets its cloud security suite as being adept at securing a wide range of cloud environments and resources, including PaaS components, virtual machines, containers, and serverless functions, without the need for agents.

It should be noted that Wiz did not garner customer citations at a rate as high as more established names in this survey, such as Microsoft, CrowdStrike, and Palo Alto Networks (top 3 total customer citations); however, it did garner more than 10% share, which is strong enough to be included in this analysis. Among those customers, there was absolutely zero negativity (Decrease or Replace intent), along with a 25% Adoption rate, which was the highest across the entire survey universe. Again, responsibly noting the lower citations, Wiz also held the highest Stickiness/Churn ranking and ROI score. The product also came in second among all customers in the Product Strength ranking for doing everything expected from a CNAPP tool, as seen in Figure 4 earlier.

In Figure 6, we see that Wiz also has the highest ranking from all survey respondents for the Product Strength statement regarding having an innovative technical roadmap, followed by CrowdStrike Falcon and Palo Alto Prisma Cloud.

Innovative Technical Roadmap

Figure 6. Source: ETR’s Market Array for CNAPP tools (N=313). Wiz, CrowdStrike, and Palo Alto Networks were ranked as the three highest CNAPP tools with the most innovative technical roadmap.

The data and ranking above also mirrored the write-in portion of the survey, where the same three had the most direct customer submissions for being innovative vendors (as seen in Figure 3 earlier). Lastly, Wiz also had a positive Net Promoter Score of 12.5%, tied with CrowdStrike Falcon Cloud Security for the top NPS ranking.

Next up is Rapid7 InsightsCloudSec, another product that toed the line with the Leading vector by holding the third-highest overall Momentum in this survey field; however, its Presence ranking was closer to the marketplace average, ultimately plotting it in our Advancing group. While the vulnerability management aspects of Rapid7 were discussed earlier, the CNAPP portion of Rapid7’s product suite is designed to be a comprehensive, cloud-native solution, marketed as a full platform that enhances the security and compliance of complex cloud environments. InsightsCloudSec claims to integrate numerous capabilities such as CSPM, infrastructure management, infrastructure-as-code, and cloud workload protection into a singular and seamless solution.

The Market Array data for Rapid7 InsightsCloudSec garnered more than 10% of the total customer share and captured the third-highest CNAPP product Net Score at 68%, with an elevated 16% Adoption rate to go along with 55% of its customers citing an intent to increase their spending on the tool. The product had no Decreasing spend intent and only a 2.5% Replacement rate. However, its Stickiness/Churn score was more in the middle of the pack, with 52% stating that they will continue to use the tool for “at least one or two more years” versus only 13% citing “at least four or five more years.”

The next highest Momentum ranking in the Advancing vector was held by SentinelOne PingSafe. SentinelOne is primarily known as a best-in-breed leader in the rapidly evolving and critical endpoint market, which can be viewed in ETR’s recent Endpoint Protection Platforms Observatory report. This includes many of the same vendors from this report, such as Microsoft, CrowdStrike, SentinelOne, Cisco, Palo Alto Networks, Trend Micro, Check Point, and Sophos. In this Observatory for CNAPP tools, however, it is the recent acquisition of the CNAPP-specific PingSafe that joined with SentinelOne’s already strong cloud security features to ultimately give the company such solid footing in this marketplace. SentinelOne PingSafe is another in the agentless grouping of CNAPP vendors that also boasts of container and Kubernetes security in addition to multi and hybrid cloud environments. These two companies combined truly offer a comprehensive suite of security features that well represent the boastful promise of CNAPP security.

As stated earlier in Figure 5, Vulnerability Management and EDR/XDR were virtually tied for second and third in the highest priority areas across all security. Along with the aforementioned data point that security budgets are rising due to multi- and hybrid-cloud environments, these trends are well-suited for the likes of SentinelOne and CrowdStrike, which have the ability to cover both priorities in multiple environments, an aspect that is pressuring traditional vulnerability management players that were born in an on-premises world.

This notion has been supported by multiple ETR Insights interviews as well, as summarized by one CIO, who said, “EDR players are able to leverage the data that they collect on the endpoint to meet the intent of the control for vulnerability management.” Both of these XDR/CNAPP vendors offer elements of auto-remediation, as well, and could potentially replace traditional vulnerability management tools, in no small part, based on cost savings around consolidation. That potential displacement only grows as these CNAPP vendors continue to tie in compliance and reporting functionality. This CIO continues, “I think that is driving the inroads for CrowdStrike and SentinelOne, and those inroads are going to drive their maturity in the market so that they will be technologically on par with what you see in the big three vulnerability management players.”

Quickly touching upon SentinelOne PingSafe’s data in this Market Array, the product held the 6th highest CNAPP Net Score of 61%, driven by an astounding 22% Adoption rate, second only to Wiz. If there was one weak spot in the data set, it was that 8% of customers did cite an intent to Decrease spending with the product this year; however, there were zero Replacement indications. The product also had the 6th highest ROI Score of 47.3%, in a virtual tie with CrowdStrike Falcon and Microsoft Defender for Cloud in the 4th and 5th spots, with less than a one percentage point spread between the three.

Next, we “check in” with Check Point (sorry, I couldn’t help myself). The company that brought us some of the industry’s best and first firewall technology more than 30 years ago continues to bolt on security features to keep pace with the quick and constant evolution of the information security landscape. Check Point has done so with both in-house development and acquisitions. In tandem with its Infinity platform and several acquisitions over recent years, such as Dome9, ForceNock, and Spectra, to name a few, Check Point CloudGuard offers a comprehensive CNAPP platform that includes CSPM. The company markets the security suite as having coverage from code to cloud with a focus on prevention and prioritization across applications, networks, and multiple workload environments.

In Check Point CloudGuard’s Market Array data, the CNAPP product was squarely in the middle of the pack in terms of its Net Score, coming in 8th out of 16 listed vendors with a 56% Net Score. The customer spending intention highlights were 50% indicating plans to Increase spend and minimal negativity with zero replacements and only 3% of customers indicating an intent to Decrease spend. The rankings within the Stickiness/Churn and ROI scores were not as favorable, however, with both metrics falling in the latter half of the vendor rankings.

The final vendor positioned in the Advancing vector was Dynatrace, a company well known for its core application performance monitoring that has evolved along with the broader Observability market to include infrastructure and security monitoring and reporting. With its very recent acquisition of Runecast, Dynatrace now has a legitimate and well-respected CSPM tool to offer to its large enterprise customer base. Runecast is a cloud-native tool that handles multiple aspects, from configuration management to vulnerability, compliance, remediation, and reporting across multi-cloud and hybrid environments.

Although low in overall Momentum, Dynatrace / Runecast had a high overall Presence ranking, which brought it close to the epicenter of ETR’s Observatory Scope, as seen in Figure 1, a positioning that was adjacent to Tenable Cloud Security and Cisco Cloud Security / Panoptica. Dynatrace / Runecast had a CNAPP product Net Score of 44%, highlighted by 45% of their customers indicating plans to Increase spend versus only 8% negative intent (Decrease + Replacement). The product's Stickiness/Churn score was in the middle of the pack, but its ROI score was near the lowest of the vendor grouping, based on 23% stating that ROI would take more than three years to achieve. According to ETR’s Insights commentary, Dynatrace is a well-respected product but is also known as a vendor where you have to pay for what you get, and it is well entrenched in companies with high budgets and deep pockets.

ETR Data: In the APR24 TSIS, Dynatrace captured an astoundingly high 38% of its customer citations from Global 2000 organizations. That equated to a Pervasion rate of 24% within the Global 2000, which is 2x higher than the company’s overall Pervasion rate across all respondents. In addition, 45% of Dynatrace’s customer citations came from the high budget Financials/Insurance and IT/Telco industry verticals.

We wrap up this section of the report by jumping into the lone product that was plotted in the Tracking vector, Cisco Cloud Security / Panoptica. Despite capturing the fifth-highest Presence measure across the CNAPP Market Array vendor universe, overall Momentum fell short of plotting this product in the Leading vector. Cisco is another diverse enterprise technology vendor that offers a full platform play across all of networking and information security. Its Cloud Security / Panoptica offering is the vendor’s CNAPP tool, a multi-cloud security solution providing protection throughout the application lifecycle across complex infrastructures, including cloud, containers, Kubernetes, serverless, and API environments.

The company markets the tool as integrating real-time threat detection, vulnerability management, and risk prioritization, along with compliance and rich contextual data to help security teams prioritize and respond to risks. The CNAPP Net Score for Cisco Panoptica was below the Market Array average, but still healthy at nearly 36%, with the highlight being a 10% Adoption rate, which is extremely high for such a mature company, and bodes well for new logo growth for this product going forward. The CNAPP product Net Score was not impacted by negativity (only 7% indicated a Decrease or Replacement intent) but was driven lower by Flat spending plans, which were cited by 50% of its customers.

In addition, Cisco Panoptica received high marks for having “Technical professionals with relevant expertise for this product being available” in our Product Strengths analysis. It came in fourth, with 73% of respondents agreeing with that statement option, which was only two percentage points away from the second-place holder, Microsoft Defender for Cloud. Furthermore, Cisco Cloud Security Panoptica was squarely in the center of the vendor universe on its ROI score of 37%, with 52% of customers stating that ROI is achieved within 1 to 3 years.

In Figure 3, we showed the top write-in vendors for being the most innovative in the CNAPP market. Here, in Figure 7 below, we show the second write-in question, which asked all survey takers, “if you could rebuild their CNAPP stack, which ONE product or vendor would you prioritize?” Cisco was in the top five in that ranking.

Most Desired

Figure 7. Source: ETR’s Market Array for CNAPP tools (N=313). Survey respondents were asked to write in which ONE vendor they would prioritize if they had to rebuild their CNAPP stack.

III. Pursuing Vector: Trend Micro Vision One, Orca, Lacework, Sophos Cloud Optix, and Aqua Security

In this particular Market Array survey, the Pursuing vector was populated by a diverse set of five CNAPP vendors and products, including one public company, three independently private companies, and one owned by Thoma Bravo. It should be noted that this vector garnered the lowest shares of total customer citations, resulting in a lower Presence relative to its other CNAPP peers.

Of those five, Trend Micro was best positioned within the vector, with the highest Momentum and Presence of this grouping. Trend Micro Vision One had a CNAPP product Net Score of 32%, driven by a 44% Positivity rate (Adopt + Increase intent) that was weighed down by the highest Decrease indications at 8% among the survey grouping. The product was below average in both Stickiness/Churn and ROI scores but received high marks in the Product Strengths analysis for both technical support and having easy integration with customers' existing tech ecosystems. Next up is the Sophos Cloud Optix platform, a CNAPP product owned by leading private equity player Thoma Bravo. The product is marketed as enhancing continuous security and compliance across cloud environments and integrating with DevOps by scanning for vulnerabilities in container images and Infrastructure-as-Code (IaC) templates.

While the CNAPP product Net Score was the lowest among the survey universe, it was still a positive 26%, which was highlighted by 32% of its customers citing an intent to Increase spending on the product versus only 5% intending to Decrease. There were no replacement indications present in the data set, but 63% did indicate Flat spending, which was the highest percentage of Flat spending intentions across the survey.

The most positive aspects of Sophos Cloud Optix in this CNAPP Market Array were twofold: its Stickiness/Churn, and ROI ranking, which were both above average. The Stickiness/Churn ranking was 6th highest across all 16 listed products, with 46% indicating plans to use the product for at least 3-5 more years. The ROI Score was even better, coming in as the 2nd highest of all CNAPP products, with 25% stating that the product offered ROI within the first year and an additional 42% stating ROI is achieved between 1 and 3 years. The only vendor or product with a higher ROI score was Wiz.

Doubling down on the high ROI and value trend, Sophos also came in third in our Product Strengths analysis, with 66% of all respondents agreeing with the statement, “This product offers good value for the money,” as seen in Figure 8.

Vendor Value

Figure 8. Source: ETR’s Market Array for CNAPP tools (N=313). Survey respondents were asked to what degree they agreed or disagreed with the offered set of Product Strength statements across all vendors in the survey.

The remaining group of CNAPP/CSPM vendors are three privately held companies that were all founded within the last ten years. In addition, all three had low customer citation shares relative to the more mature players in this CNAPP survey and report. That statement is a caveat to their positioning in the Pursuing vector when, in fact, their earned inclusion in this survey field is an impressive feat itself, given the relative size and scale of the sector peers also evaluated. Obviously, each of these companies has a robust product offering to gather enough customer citations to be included in the Market Array data set.

Again, noting a lower active customer citation level than the remaining group of product peers, let’s dive into the data details. Orca had the second-best product Net Score of the entire survey field, coming in at 70%. Wiz and Orca were the only two vendors that saw no negative spend indications at all. In addition, Orca captured a 10% Adoption rate, and 60% of customers cited plans to Increase spend on the product. Aqua and Lacework were further down the ranking, coming in just below average at an identical 50% Net Score, which is still very elevated.

Lacework showed the most volatility among its customer citations, with a very high 20% Adoption rate being partially offset by a survey-high 10% Replacement rate. Unfortunately, these three were poorly positioned in our Stickiness/Churn measure, where all were ranked in the lowest five across all vendors. In this metric, all three had at least 30% of their customer citations indicate that they anticipate continuing to use these CNAPP tools “at least one more year,” which was the lowest answer option offered.

Switching to other tracked metrics that include not only active customers but also recent customer complaints, the response rate for this trio jumps considerably higher, and therefore, no caveat is required on the following data points. The first of which is in our ROI metric, where the ROI score for all three came in squarely in line with the survey averages, with only two percentage points separating the three players. The trio is well positioned with ROI Net Scores of 39%, 38%, and 37% for Aqua, Lacework, and Orca, respectively. Lastly, as shown in Figure 6 earlier, Lacework and Orca both got high marks for having an innovative technical roadmap, with 70% and 69% of all respondents agreeing with that statement for these vendors, respectively. That percentage was good enough for 4th and 6th in this ranking.

ETR Data: These three private players are also tracked in ETR’s Emerging Technology Survey (ETS). In the FEB24 iteration, Wiz led all Cloud Security vendors with 352 citations yielding a sector-high 28% Net Sentiment Score that grew year-over-year from 19%. Aqua came in third with 307 citations and a 17% Net Sentiment Score in line with prior year levels. Orca came in sixth with a 14% Net Sentiment score, which was slightly lower than FEB23 levels of 16%, but captured the most citations among this grouping with 447. It was the more volatile Lacework that ranked last, 16th out of 16 Cloud Security vendors with a 3% Net Sentiment score based on 347 citations, down sharply from 9% a year prior.

Shared Accounts Alignment

Figure 9. Source: ETR’s Emerging Technology Survey (ETS N=1556). This shared accounts alignment analyzes data from both of ETR’s core syndicated surveys, the ETS and TSIS, to track overlap between public and private enterprise technology vendors.

In Figure 9, we illustrate a proprietary feature of ETR’s research platform where we cross-analyze data from our two core syndicated surveys, the TSIS and ETS, to track citation and positioning overlap between public and private enterprise technology vendors. In this data visualization, we are showing the positioning of private cloud security companies among customers of the public information security vendors in this CNAPP vendor universe. Essentially, this data analysis shows the potential disruption or acquisition alignment between public and private players within a specific subsector of technology.

Based on this data, among the customers of the public companies in this CNAPP report that participated in ETR’s TSIS survey, Wiz has (by far) the best positioning with the highest Net Sentiment and Shared Mind Share (citation overlap). Aqua Security has the next highest Net Sentiment but trails its private peers in Shared Mind Share. Orca Security is positioned in the middle with a Net Sentiment and Shared Mind Share equally scored in the low-teens range. Again, Lacework is seeing the lowest levels among this private company grouping, with the lowest Net Sentiment at 5% and Shared Mind Share below 10%. Given the fast pace that the CNAPP market is growing and the frenzied M&A activity in the space, this crossover data analysis suggests that Wiz might have already grown beyond being a target, while Aqua and Orca are prime candidates, and Lacework is seeing declining positioning, as depicted by recent current events regarding the company’s reported valuation offers.

We also note that all of the private companies in this CNAPP Market Array offer agentless solutions, which is a differentiating factor and preferred feature among many end users. However, there are some benefits to an agent when scanning for vulnerabilities, and as such, many companies offer a hybrid combination approach.

IV. Macro CNAPP Market Array Data

This Observatory report focuses on the CNAPP vendor data, but the Market Array also tracks data at the macro-sector level, such as the most important feature of the markets we study (see Figure 10). In the case of CNAPP, the most important feature across all respondents was integration, with 27% of respondents choosing that answer option out of the 20 options provided. Surprisingly, ease of use was ranked second at 26%, and neither of the top two was related to the actual security efficacy of the CNAPP tools.

Features

Figure 10. Source: ETR’s Market Array for CNAPP tools (N=313). Survey respondents were asked to write in which features they found most important in CNAPP/CSPM tools.

The Market Array data for CNAPP tools shows the rankings for all 20 options. The survey also tracks pricing model preferences, NPS scores, and the leading drivers of NPS recommendations from our survey panel.

Conclusion

The use of cloud platforms and cloud-native applications has soared in recent years due to their cost-effectiveness, flexibility, and scalability. Unfortunately, the popularity of cloud infrastructure and the applications housed within it has also led to a surge in security threats. These threats target cloud infrastructure misconfigurations, APIs, and the software supply chain, among many other areas. However, market economics dictates that solutions become available when problems arise. Therefore, CNAPP tools, which are inclusive of various security features (including CSPM), are increasingly marketed to address these security concerns.

Demand for CNAPP tools continues to increase as more workloads shift to multi and hybrid cloud, container, and serverless environments. While cloud providers handle external security, the enterprise is responsible for securing the cloud internally, and it is the CNAPP tools that promise that functionality. CNAPP tools need to encompass a dizzying array of monitoring, prioritization, remediation, compliance, and reporting features across complex infrastructure environments, as well as tying into an enterprise's DevOps application lifecycle.

Among the number of providers claiming to offer deep and broad functionality with integrated components across development and operations, agentless workload scanning has become a popular approach and a fundamental capability within the CNAPP system. This approach enables developers to identify and address vulnerabilities without the need for agents, making it easier to maintain security without impacting performance. Beyond the core security efficacy, integration and ease of use are also important features for customers.

According to ETR’s Market Array data, the vendors and solutions competing in this space are numerous and tightly aligned in their features. The more recent and private company entrants that were born cloud-native, especially Wiz, may have an early mover advantage; however, frenzied M&A activity is allowing more mature security vendors to keep pace and catch up. Platform providers like Microsoft, Palo Alto Networks, and Cisco are well-penetrated in enterprise accounts, while best-in-breed leaders in other cloud-native security areas, such as CrowdStrike, Zscaler, and SentinelOne, are broadening their reach successfully. More traditional security leaders from the vulnerability management, APM, and firewall space are also effectively competing and supporting their existing customers in this cloud security journey. Meanwhile, upstart companies like Orca, Aqua, and Lacework push the technological envelope, garnering attention from end-users and established public companies alike.

In conclusion, adopting CNAPP offerings is critical in addressing the evolving security challenges of cloud-native applications. Comprehensive, developer-friendly solutions that prioritize risks and provide sufficient context for developers to remediate them are essential. By adopting these solutions, businesses can enhance the security of their complex infrastructure environments and the applications that are developed, deployed, and run within them while protecting their sensitive data from potential attackers.

DOWNLOAD THIS REPORT

Fill out the form below to get a downloadable PDF of this report.

Press Need a quote, image, or additional information for an article, reach out to our press team at press@etr.ai

Reprints If you would like permission to reprint this report or our ETR Observatory Scope graphic, please send your request to reprints@etr.ai

ETR Insights Team Contact a member of our ETR Insights team to discuss all the details from this analysis or request custom research.

Erik Bradley, Chief Strategist & Research Director epb@etr.ai
Daren Brabham, PhD, VP Research Analyst dbrabham@etr.ai
Jake Fabrizio, Principal Research Analyst jf@etr.ai
Doug Bruehl, Principal Research Analyst dbruehl@etr.ai

Key Terms

Emerging Technology Survey

The Emerging Technology Survey (ETS) is our quarterly survey of technology decision makers capturing the enterprise’s appetite for emerging technology vendors across the global market. Our surveys are standardized, multiple choice format. For each survey question, the technology decision maker will select one of the following answers:

Allocating further
Evaluated, plan to utilize
Currently evaluating
Plan to evaluate
Aware of, no plan to evaluate
Evaluated, no plan to utilize
Replaced or in containment

Net Score

Net Score represents the intensity of spend for a vendor.

Higher Net Scores = a positive spend trajectory
Lower Net Scores = a flat or negative spend trajectory

Pervasion

Pervasion represents how widely a vendor or product is utilized relative to a given sample.

Technology Spending Intentions Survey

The Technology Spending Intentions Survey (TSIS) is our quarterly survey (Jan, Apr, July, Oct) of technology decision makers capturing forward-looking spending intentions for enterprise technology vendors across the global market. Our surveys are standardized, multiple choice format. For each survey question, the technology decision maker will select one of the following answers: