Why an emerging cloud security trend presents ‘excellent news’ to companies



While the cloud security market has developed quickly in recent years, there’s now a wide selection of tools to juggle for securing cloud infrastructure and applications.

There are “too many tools,” in fact, said Neil MacDonald, a vice president and analyst at Gartner, speaking at the research firm’s Security & Risk Management Summit — Americas virtual conference last week.

Now, however, there’s major consolidation underway in the cloud security tools market—a trend that’s “excellent news” for enterprises, MacDonald said.

In response to cloud security challenges and the growing popularity of the cloud—Gartner estimates 70% of workloads will be running in public cloud within three years, up from 40% today—the demand for cloud security has surged. Research firm MarketsandMarkets forecasts that cloud security spending will reach $68.5 billion by 2025, up from $34.5 billion last year.

But the cloud security tools, and acronyms, are numerous.

There’s CSPM (cloud security posture management) for spotting misconfigurations in cloud infrastructure. There’s CIEM (cloud infrastructure entitlements management) for managing cloud identities and permissions. There’s CWPP (cloud workload protection platforms) for securing virtual machines, containers, and serverless functions. And there are more tools to proactively identify vulnerabilities during app development, such as tools for scanning containers and Infrastructure as Code (IaC).

But now, instead of needing to acquire these different tools and find a way to use them all together, the idea is to have one platform to rule them all: CNAPP.

That stands for cloud-native application protection platform, and it’s an offering that includes all of the tools mentioned above.

Or at least, that’s starting to be the case—with many vendors in the process of assembling the different pieces into a CNAPP whole (more on that below). Vendors in the growing CNAPP space include some of the best-funded startups in cybersecurity along with some of the most well-established companies in the security industry.

Gartner coined the term CNAPP earlier this year—partly in recognition of what was already happening in the market, and partly to encourage further consolidation of cloud security tools under the CNAPP umbrella.

“These walls are coming down,” MacDonald said. “We have to consider cloud-native application security as a lifecycle problem from development into operations. And there are vendors now that can do most of everything [that’s part of CNAPP].”

Cloud security challenges

While enterprises have accelerated their shift to the cloud during the pandemic, cloud security remains a major challenge. A recent survey of cloud engineering professionals found that 36% of organizations suffered a serious cloud security data leak or a breach in the past 12 months.

Likewise, a recent Gartner survey found that more than a third of companies see lack of security readiness as an obstacle to public cloud migration—ranking as the most common challenge to cloud cited in the survey.

Thus, for customers, the cloud security trend of unifying disparate tools so there are fewer to deal with is worth considering, MacDonald said.

“I think you should have fewer vendors, not more security vendors—don’t mistake more security vendors for ‘defense in depth,’” he said, referring to the cybersecurity strategy of deploying multiple layers of defense. “But it also means you should be open to switching vendors, consolidating vendors, switching to one that understands your needs.”

Many cyber vendors have already embraced the CNAPP concept—saying that ultimately, the customers win with a unified offering in the cloud security realm.

Some—such as Palo Alto Networks, Aqua Security, and Orca Security—were already offering the key components of CNAPP prior to Gartner coining the term.

For instance, Aqua Security describes its offering, the Aqua Platform, as a “full” cloud-native application protection platform. And the vendor has seen “high double-digit” revenue and customer growth for its CNAPP so far this year, said Rani Osnat, senior vice president of strategy at the 450-person company.

“Customers are looking for a broader platform,” Osnat said. “Even customers that are relatively at the start of their journey understand that from a vision standpoint, they don’t want to slice this up into too many little pieces.”

Simplifying cloud security

Freelance services marketplace Fiverr adopted Orca Security’s offering partly to help simplify the process of ensuring cloud security, said Shahar Maor, chief information security officer at Fiverr, in a statement to VentureBeat.

“There are many complexities in securing public cloud environments,” Maor said. “The value of a CNAPP like Orca Security is that I’ve got a single, comprehensive solution to identify risk, as well as provide actionable insights and value across IT, DevOps, and engineering.”

Along with Orca Security, Aqua Security, and Palo Alto Networks, other vendors offering the capabilities that fall under CNAPP include Lacework, McAfee Enterprise, Qualys, Sonrai Security, and Wiz.

Aqua Security

Aqua Security has offered capabilities for scanning applications during development, including IaC security scanning, since the launch of the company in 2015. In terms of workload protection, Aqua focused on containers initially and added serverless and VMs in 2017 to give it full CWPP capabilities. The company added CSPM through the acquisition of CloudSploit in 2019. Recent enhancements to Aqua’s CNAPP offering have included cloud-native detection and response, which provides monitoring and detection to identify zero-day attacks in cloud-native environments.

“One of the things that make CNAPP such a ‘gospel’ in this market is that unlike traditional security solutions in the past, it covers a very broad set of personas,” Osnat said. “It spans developers and DevOps to cloud admins and security personnel. And that’s quite unique in the market. So while nobody expects developers to become security experts, by helping developers embed security into their CI/CD processes, you help solve the problem.”

In March, Aqua Security raised $135 million in series E funding at a $1 billion valuation.


Lacework

Lacework, which was founded in 2014, started out in CWPP and later added CSPM.

“We began by addressing CWPP use cases with automation, without requiring the use of any rules/policies,” said Adam Leftik, vice president of product at Lacework, in an email to VentureBeat. “We later added in CSPM and vulnerability management capabilities with all the insights necessary to efficiently address compliance, audit, and risk management needs.”

Other additions have included IaC remediation capabilities through the acquisition of Soluble earlier this month, along with other features including an inline vulnerability scanner to help developers find and fix vulnerabilities in their CI/CD pipelines.

“CNAPP represents a mindset shift toward a security approach that includes everyone involved in the business,” Leftik said. “Enterprises have an opportunity to completely rethink their security approach as one overarching continuum throughout development and operations rather than one-off problems that need to be fixed with manual, rules-based processes. As more customers embrace cloud and build in containers, there will be more demand for platforms that can protect cloud-native applications across development and production.”

Lacework raised $1.3 billion in funding earlier this month—one of the largest venture rounds in the U.S. this year—at an $8.3 billion post-money valuation. That followed the company’s $525 million fundraise in January.

McAfee Enterprise

McAfee Enterprise began offering CWPP in early 2017 and added CSPM functionality to the offering in early 2019. The McAfee Enterprise MVision CNAPP also includes container security capabilities via the acquisition of NanoSec in 2019, and data loss prevention capabilities via the acquisition of Skyhigh Networks in 2018.

In March, MVision CNAPP added in-tenant DLP scanning, allowing for increased data security, privacy, and cost optimization.

“As organizations continue to benefit from moving more workloads to the cloud, cloud threats are also on the rise,” said Dan Frey, product marketing engineer at McAfee Enterprise and FireEye, in an email to VentureBeat. “McAfee Enterprise expects adoption of MVision CNAPP to continue in line with customer requirements and cloud adoption rates.”

In October, McAfee Enterprise was combined with cybersecurity firm FireEye in a deal orchestrated by their owner, private equity firm Symphony Technology Group. Symphony had acquired McAfee’s enterprise security business in March for $4 billion.

Orca Security

Orca Security has had CSPM, CWPP, and CIEM since its founding in 2019.

“We were a CNAPP before the term existed and we’re excited to see the official emergence and recognition for the category,” said Avi Shua, cofounder and CEO of Orca Security, in an email to VentureBeat.

The company recently enhanced its identity and access management risk detection capabilities to now cover misconfigurations, events and anomalies, and access traversal. Additionally, a new CI/CD offering includes detection of security issues in the developer pipeline and during deployment before reaching production.

“Security teams are overwhelmed with thousands of meaningless, disconnected alerts,” Shua said. “With a CNAPP, customers can deal with the alerts that matter, get more functionality with fewer cloud security tools – and can finally handle the cost and complexity of managing disparate tools.”

In October, Orca Security extended its series C round to $550 million at a $1.8 billion post-money valuation.

Palo Alto Networks

Palo Alto Networks launched its Cloud Native Security Platform—Prisma Cloud—in November 2019, combining CSPM capabilities from its RedLock and Evident.io acquisitions with CWPP capabilities from its Twistlock and PureSec acquisitions. The company added capabilities including CIEM with Prisma 2.0 in 2020.

Then last week, Palo Alto Networks debuted Prisma Cloud 3.0—which it described as a CNAPP—with enhancements including the integration of CIEM for Azure and IaC security.

“Customers today have been using various point solutions to address cloud security requirements ad hoc,” Palo Alto Networks said in a statement to VentureBeat. “As customers build their overall strategy, they should use a CNAPP that provides comprehensive security across multi-cloud and hybrid-cloud environments.”

The publicly traded company currently has a market capitalization of $51.98 billion.


Qualys

Qualys has been offering CWPP for virtual machines running in the public cloud for the past five years. The company extended the solution to support container workloads and launched CSPM in 2018.

Recent additions to the Qualys CNAPP offering have included detecting misconfigurations in IaC, compliance for containers, and risk-based vulnerability management.

“With an increasing number of organizations charting the course for their cloud journeys – and no sign of stopping or slowing – securing this journey has become one of the top concerns of customers. With this new focus, there’s an increasing opportunity for vendors to address this concern with solutions such as CNAPP,” said Parag Bajaria, vice president of cloud and container security at Qualys, in an email. “Cloud security is fragmented into multiple categories and various point products that address these categories. Due to this complexity, there’s often a significant amount of customer confusion. As a result of this confusion, Qualys is increasingly seeing customers ask for a single consolidated solution.”

The publicly traded company currently has a market capitalization of $5.34 billion.

Sonrai Security

Sonrai Security, which was founded in 2018, started out in CIEM and later added CSPM. The Sonrai Dig offering also includes data security, and the startup “will soon announce new capabilities to our CIEM, CSPM, and data security platform,” said Brendan Hannigan, CEO and cofounder of Sonrai Security, in an email to VentureBeat.

“Cloud security offerings like Sonrai Dig hold the entire future for cloud security specifically and security in general,” Hannigan said. “Old-world data center solutions increasingly will become irrelevant as digital disruption expands the cloud while data centers and enterprise networks decline.”

Sonrai Security announced a $50 million series C funding round in October.


Wiz

Wiz has provided CSPM and CWPP functionality since its founding in 2020. The startup has primarily focused on expanding its CWPP capabilities, recently introducing the ability to scan workloads for malware without needing to install any agents.

“CNAPP will become the de facto cloud security product,” said Yinon Costica, cofounder and vice president of product at Wiz, in an email to VentureBeat. “It will extend all the way from cloud environments to the code developers are writing. The big opportunity here is to drastically simplify cloud security in a way that lets business move faster than ever before – but securely this time. The fragmented approach we had before could never do that.”

In October, Wiz raised a $250 million series C funding round at a post-money valuation of $6 billion. That followed the company’s $130 million series B round in March.

