What is a Cloud-Native Application Protection Platform (CNAPP)?

The security space is rife with acronyms and it can be difficult to keep track of everything. There is a new acronym emerging, however, that is worth diving into: CNAPP. CNAPP, or Cloud-Native Application Protection Platform, is a new category of security products, encompassing the functionality previously found in Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) products and more.

What does CNAPP mean?

CNAPP stands for Cloud-Native Application Protection Platform. The term was coined by Gartner, who recognized the expanding needs that go into securing applications in the cloud. Broadly speaking, CNAPP solutions aim to address workload and configuration security by scanning them in development and protecting them at runtime.

CNAPP is a step forward in cloud security because it is a convergence of multiple technologies: it combines the capabilities of existing cloud security solutions, primarily CSPM and CWPP, and also includes elements of Cloud Infrastructure Entitlement Management (CIEM), Kubernetes Security Posture Management (KSPM), API discovery and protection, serverless security, and more.

Why does CNAPP exist?

There are two important elements in the term CNAPP that help explain why it exists. The first is “cloud-native.” The shift to the cloud has brought a wide range of new security needs along with it. The rise of dynamic and ephemeral environments within the cloud has increased complexity and created unique and unpredictable interactions. Traditional agent-based security approaches can’t provide the coverage needed to keep up with ephemeral, containerized, and serverless environments.

The second element is “application protection.” Previously, most cloud security tooling was focused on helping teams understand the security of their infrastructure. However, as Gartner says, “it’s no longer enough to ask, ‘Is my cloud infrastructure secure?’ Security tools must now ask, ‘Are my cloud applications secure?’”

When it comes to cloud applications, organizations need to be holistic in their security thinking. There are many ways to expose applications to risk in the cloud, from unintentional public Internet exposure to overly permissive access rights and more. Organizations should focus on identifying and mitigating the highest priority risks their cloud applications are exposed to, not just collecting a long list of security-related issues that in isolation pose little risk. Individual point solutions often focus narrowly on a limited set of security issues and don’t integrate well with one another when it comes to correlating their signals, which makes it hard to prioritize among many low-priority alerts.

Key components of CNAPP

As CNAPP represents a convergence of existing security product categories, let’s briefly review what capabilities fall under the CNAPP umbrella. Everything below represents an existing point solution. CNAPPs bring aspects of these point solutions together to provide full stack visibility across cloud environments, and shift the focus from individual security issues to broader, interconnected combinations of issues that pose a critical risk.

Cloud Security Posture Management (CSPM)

CSPM solutions are focused on identifying misconfigurations in cloud resources and tracking compliance to different controls and frameworks. They focus on the control plane, examining cloud infrastructure at the provider level. CNAPPs perform a deeper analysis of configurations and combine them with other inputs to identify and prioritize actual risks.

Cloud Workload Protection Platform (CWPP)

CWPP is about securing cloud workloads, such as VMs, containers, and serverless functions, regardless of their location. CWPP capabilities go inside the workload, scanning for vulnerabilities, system configuration, secrets, and more. CNAPPs leverage CWPP capabilities to identify issues in the data plane within workloads themselves.

Supporting tooling: CIEM, KSPM, serverless, and more

While CSPM and CWPP capabilities are the primary components of CNAPP, a complete CNAPP solution will bring in elements of other cloud security tooling. Some examples include:

  • CIEM. CIEMs deliver infrastructure entitlement management capabilities so organizations can enforce related governance controls. Identity and access governance represent an important risk area that CNAPPs should be able to address. For example, Wiz recently found that 82% of cloud companies unknowingly give third-party providers access to all their cloud data.

  • KSPM. KSPMs are essentially CSPMs for Kubernetes. They focus on Kubernetes-related misconfigurations and security needs. For CNAPPs, bringing in a dedicated focus on Kubernetes and container security is important for cloud-native environments.

  • Other areas relevant to CNAPP solutions include serverless security, API discovery and protection, and more.
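To make the correlation idea concrete, here is an added toy example (not Wiz’s code or any product’s algorithm) that takes findings tagged with the point-solution category that produced them (CSPM, CWPP, CIEM, KSPM) and rates each resource on the combination of exposure, exploitability and privilege rather than on each finding in isolation; the resource names and finding kinds are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    resource: str  # cloud resource the finding concerns
    source: str    # point-solution category that produced it: CSPM, CWPP, CIEM, KSPM
    kind: str      # normalized finding type (constructed labels, see below)

# Toxic-combination factors: a way in, something to exploit, and something worth reaching.
EXPOSURE = {"public_exposure", "public_ingress"}
EXPLOITABLE = {"critical_cve", "plaintext_secret"}
PRIVILEGE = {"admin_role", "wildcard_policy", "cluster_admin_binding"}
FACTORS = (("exposure", EXPOSURE), ("exploitable", EXPLOITABLE), ("privilege", PRIVILEGE))

def correlate(findings):
    """Group findings by resource and rate the combination, not each finding.
    Returns {resource: (level, factors)}: 'critical' when all three factors meet
    on one resource, 'high' for two, 'medium' for one, otherwise 'low'."""
    by_resource = defaultdict(list)
    for f in findings:
        by_resource[f.resource].append(f)
    rated = {}
    for res, fs in by_resource.items():
        kinds = {f.kind for f in fs}
        factors = [name for name, group in FACTORS if kinds & group]
        level = {3: "critical", 2: "high", 1: "medium"}.get(len(factors), "low")
        rated[res] = (level, factors)
    return rated

def prioritized(findings):
    """Resources ordered most critical first, ties broken by name."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    rated = correlate(findings)
    return sorted(rated, key=lambda r: (order[rated[r][0]], r))

# Constructed sample: the same critical CVE on two VMs, but only one is internet-exposed
# and carries an admin role; a Kubernetes pod is exposed and over-privileged but unpatched.
SAMPLE = [
    Finding("vm-web-1", "CSPM", "public_exposure"),
    Finding("vm-web-1", "CWPP", "critical_cve"),
    Finding("vm-web-1", "CIEM", "admin_role"),
    Finding("vm-batch-7", "CWPP", "critical_cve"),
    Finding("pod/api", "KSPM", "cluster_admin_binding"),
    Finding("pod/api", "CSPM", "public_ingress"),
]

if __name__ == "__main__":
    for res in prioritized(SAMPLE):
        print(res, *correlate(SAMPLE)[res])
```

Run as a script it lists vm-web-1 first, showing why the same CVE is a critical risk on one host and an ordinary patch item on the other.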

Learning more about CNAPP

Ultimately, the rise of CNAPP is a recognition that cloud security is complex, and requires new approaches to support and secure what DevOps teams are doing in the cloud. Increasingly dynamic and ephemeral environments, faster release cycles, and a growing number of technologies deployed in the cloud all lead to new challenges for cloud security. With CNAPP, the goal is not just to identify all the misconfigurations and security issues in your environment, but to uncover the actual risks that merit the team’s attention.

If you’re interested in uncovering the largest risks in your cloud environment, consider exploring a full stack, multi-cloud solution like a CNAPP. Ensure that you find something that can cover the breadth of your cloud deployment and perform a deep assessment of your cloud environment to identify and correlate the security issues that expose you to actual risk.
