What is a CNAPP?
A cloud native application protection platform (CNAPP) is an end-to-end cloud native security solution that combines key functionalities like posture management, workload protection, runtime protection, and data security.
These platforms consolidate multiple cloud security technologies, including cloud security posture management (CSPM), cloud workload protection platforms (CWPPs), cloud infrastructure entitlement management (CIEM), infrastructure as code (IaC) scanning, and more. CNAPPs enhance DevOps and DevSecOps by integrating security into the development lifecycle, automating security tasks, and enabling continuous security and compliance.
Gartner, which coined the term, defines a CNAPP as a “unified and tightly integrated set of security and compliance capabilities designed to secure and protect cloud native applications across development and production.”
By 2029, 60% of enterprises that do not deploy a unified CNAPP solution within their cloud architecture will lack extensive visibility into the cloud attack surface and consequently fail to achieve their desired zero-trust goals.
Gartner
Cloud security challenges that CNAPP solves
Below are key cloud security challenges that you can solve by adopting a CNAPP for your cloud security:
New types of security risks
Cloud environments are complex—they allow organizations to add new resources on demand for scalability, from virtual machines to serverless functions and containers. This complexity introduces new types of attack paths, which require organizations to have anomaly detection and threat response strategies for cloud native attacks.
But with so many different types of services and configurations, organizations need a solution to keep their environment secure as it changes.
One example of a new emerging threat is the use of artificial intelligence. According to Wiz’s State of AI in the Cloud 2025 report, 85% of companies use AI services or tools. As organizations adopt more AI apps and software to become more efficient, they open new risks with hard-to-secure attack surfaces.
CNAPPs like Wiz have moved to the forefront of defending against these cloud-specific threats by continually evolving and adapting their security coverage to new attack techniques.
Visibility gaps and blind spots
To gain visibility into this complex environment, organizations often use security tools that rely on agents to provide visibility into their workloads. However, agent-based solutions cause blind spots in the environment, as cloud resources without the agent receive no protection. These visibility gaps result in unnoticed critical issues, which can lead to a breach.
One example of a key visibility gap in an AI workload came when Wiz researchers uncovered an exposed DeepSeek database that allowed full control over database operations and leaked sensitive information such as usage history and log streams.
To combat risks like these, employ a CNAPP that features continuous scanning, prioritized risk assessment, and a unified view, so you can uncover such exposures across your infrastructure from one platform.
Siloed tooling and operational challenges
To establish a security foundation within the cloud, organizations often use standalone security tools like vulnerability management, data security posture management (DSPM), Kubernetes security posture management (KSPM), cloud security posture management, and others. Gartner talks about this approach to security in its CNAPP Market Guide:
This lack of integration results in fragmented views of risk with limited context, making it difficult to effectively prioritize overall business risk.
CNAPP Market Guide 2024
Using standalone tools creates silos in security posture and operational challenges, since each tool requires its own expertise and processes, as well as manual time to identify and remediate risks. In addition, organizations need to manually correlate risks across their different tools to understand risk criticality, which adds further operational overhead.
CNAPPs, on the other hand, bring all your tools into focus within a single platform.
Alert fatigue
Siloed tools lack context for each risk. For example, a vulnerability management solution can identify if a machine is vulnerable, but it doesn’t know if the machine is also exposed to the Internet or has high privileges. Context, however, can bring these two issues together into one picture.
A lack of context results in the tools’ inability to identify which risks are more critical than others, which creates noise and alert fatigue for users. This also makes it hard for teams to identify critical risks in their environment and prioritize them. With CNAPPs, though, teams can get prioritized recommendations so they know which to focus on first.
Gaps between the security team and developers
Security teams are responsible for ensuring the security of their cloud environment. However, developers are the ones spinning up resources in the cloud, so security tends to slow down innovation. Additionally, developers often don’t have visibility into the risks related to their resources—and even when they do, they can’t successfully prioritize them since they lack context and prioritization.
CNAPPs can solve this issue by integrating into security workflows through CI/CD pipelines and IaC scanning so teams can shift left for improved security.
CNAPP benefits
Here are several benefits that come from adopting a CNAPP:
Faster deployment: Agentless CNAPPs enable organizations to protect their entire cloud environment in minutes by using the cloud provider’s APIs to scan for resources. This gives teams benefits like reduced time-to-value and increased agility.
Improved operational efficiency: Agents are expensive to maintain and can slow down workloads, which leads to operational challenges that hinder innovation. Additionally, DevOps teams often reject them, and the value of runtime visibility into ephemeral workloads may not outweigh the overhead of managing agents. However, a CNAPP with agentless visibility and risk reduction can reduce operational costs and complexity.
Unified risk engine: A CNAPP should be a single platform that covers all risk factors—including vulnerabilities, network exposures, secrets, malware, identities, and sensitive data—and provides real-time threat detection. With a unified risk engine, CNAPPs can assess risk criticality by understanding how risks combine to create attack paths into your environment. CNAPPs also automatically correlate all risks across prevention and detection to eliminate the need for manual correlation, which enables organizations to focus on remediating critical risks.
Graph-based context: CNAPPs should present risks in a graph-based context. Modeling resources as nodes and their relationships as edges makes it much more intuitive to define queries that represent risks (for example, an internet-exposed workload with a critical vulnerability that can assume a highly privileged role). A graph-based view also makes it easy for anyone at any skill level to understand the relationships between resources and the context around risks so they can respond to issues faster.
Prioritization: A CNAPP with a fully integrated set of features can more effectively prioritize risks by correlating them and identifying critical attack paths. It should also provide a single queue of prioritized risks so teams can focus on the most important issues and reduce noise.
Shift-left enablement: Once CNAPPs identify and prioritize your risks in production, they should enable organizations to shift left to scale security across the development lifecycle. By integrating with CI/CD pipelines, a CNAPP allows organizations to identify risks early on in development so they don’t reach production. This results in fewer issues to remediate in production so security teams can instead focus on broader initiatives.
Contextualized detection and rapid incident response: To create an effective detection and response strategy, teams need to understand the attack paths in their environment so they can assess their potential impact. A CNAPP helps teams proactively remove attack paths through contextual risk reduction before an attack occurs. It can also help defenders detect threats in real time based on cloud events and runtime signals after an attack and limit an attack’s blast radius based on the cloud context.
By correlating runtime signals, security events, and cloud and infrastructure risks, a CNAPP enables security teams to respond rapidly to potential threats and minimize the impact of a potential incident.
How a CNAPP works
Below are the key ways that a CNAPP works within your cloud computing infrastructure:
Complete visibility into multi-cloud environments
Complete cloud visibility: A CNAPP should provide complete visibility into your cloud environment, no matter which cloud your workloads run in—AWS, GCP, Azure, Alibaba, OCI, or others.
Holistic resource visibility: CNAPPs should provide comprehensive coverage and visibility into every resource in your environment, including virtual machines, serverless functions, containers, databases, managed services, and any other cloud service you use.
Visibility across all risk factors, from prevention to detection: These platforms should also allow for visibility into all risk factors, including vulnerabilities, network exposures, secrets, malware, identities, and sensitive data—as well as security threats—in real time.
Agentless visibility: A CNAPP should ensure full coverage and no blind spots in security posture by using an agentless approach to provide visibility into cloud environments. This approach uses the cloud service provider’s APIs to detect and scan for resources and workloads rather than relying on agents that require configuration and maintenance.
Independent, unified cloud security solutions
A single approach to security: A CNAPP provides you with one platform, one process, and consistent controls across all environments. A fully integrated CNAPP replaces all point solutions with a platform that covers all security aspects, which removes the need for a unique process per tool and reduces operational overhead.
Unified risk engine: CNAPPs also use a unified risk engine to identify risks across CSPM, CWPP, CIEM, KSPM, DSPM, and IaC scanning.
Defense-in-depth strategy: A comprehensive CNAPP provides a complete, defense-in-depth cloud security strategy—from prevention, through agentless visibility and risk reduction, to detection and protection from threats inside the workload—through a lightweight agent. A CNAPP with defense-in-depth also provides end-to-end visibility into attacks, which enables faster, more efficient solutions.
Single pane of glass: A CNAPP not only provides visibility into all risk factors but also correlates and models risks on a security graph to provide complete context. Gartner recommends that a CNAPP “should include the front-end console [...] and a unified back-end data model” to reduce switching between multiple consoles.
Prioritized risks with context
Context: A fully integrated CNAPP can identify the context around risks and find attack paths in an environment, which enables organizations to understand risk criticality in their environment. Using a security graph, a CNAPP can also provide a deep understanding of relationships between all elements in the cloud environment.
Prioritization: A contextual CNAPP can prioritize risks based on criticality and only surface high-priority issues so your team can focus on those that truly matter. Gartner also recommends finding a CNAPP that has “integrated advanced analytics that are combined with the relationships to risk-prioritize findings in development and at runtime.” This prioritization allows teams to spend less time responding to distracting noise and more time remediating critical issues.
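The unified risk engine, graph-based context, and prioritization described in the benefits above and in the Context and Prioritization items here can be illustrated with a small security graph. This is an added example, not Wiz's code; the resources, findings, and edges are constructed sample data, and the scoring rule (count of distinct risk factors chained along an internet-to-data path) is an assumption chosen to show how isolated findings combine into a ranked queue.

```python
from collections import defaultdict

# Constructed nodes: cloud resources with the standalone findings a siloed
# tool would report (a vulnerability scanner, CIEM, DSPM) without context.
NODES = {
    "internet":   {"type": "internet"},
    "web-vm":     {"type": "vm", "findings": {"critical_cve"}},
    "batch-vm":   {"type": "vm", "findings": {"critical_cve"}},   # same CVE, no exposure
    "admin-role": {"type": "iam_role", "findings": {"admin_privileges"}},
    "pii-bucket": {"type": "bucket", "findings": {"sensitive_data"}},
}
# Constructed edges: relationships only a unified data model sees together.
EDGES = [
    ("internet", "web-vm", "exposed_to"),
    ("web-vm", "admin-role", "assumes"),
    ("admin-role", "pii-bucket", "can_read"),
    ("batch-vm", "pii-bucket", "can_read"),
]

def build_graph(edges):
    graph = defaultdict(list)
    for src, dst, rel in edges:
        graph[src].append((dst, rel))
    return graph

def attack_paths(graph, start="internet", target_type="bucket"):
    """Depth-first walk from the internet node; collect every simple path
    that ends at a sensitive-data store. Each path is an attack path."""
    paths, stack = [], [(start, [start])]
    while stack:
        node, path = stack.pop()
        for nxt, _rel in graph[node]:
            if nxt in path:                      # avoid cycles
                continue
            if NODES[nxt]["type"] == target_type:
                paths.append(path + [nxt])
            else:
                stack.append((nxt, path + [nxt]))
    return paths

def score_path(path):
    """Toxic-combination score: how many distinct risk factors chain together."""
    factors = {f for node in path for f in NODES[node].get("findings", ())}
    if "internet" in path:
        factors.add("internet_exposure")
    return len(factors), sorted(factors)

def prioritized_queue():
    """Single queue of findings: those on an attack path rank first, an
    identical finding with no path to data drops to the bottom."""
    paths = attack_paths(build_graph(EDGES))
    queue = []
    for name, node in NODES.items():
        for finding in sorted(node.get("findings", ())):
            path = next((p for p in paths if name in p), None)
            score = score_path(path)[0] if path else 1
            queue.append({"resource": name, "finding": finding,
                          "score": score, "path": path})
    return sorted(queue, key=lambda item: -item["score"])
```

Running `prioritized_queue()` puts the web VM's CVE at the top with a score of 4 (CVE, internet exposure, admin privileges, sensitive data) and the batch VM's identical CVE last with a score of 1, which is the difference between a vulnerability scanner's view and a graph-correlated one.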
A bridge between development and security teams
Minimal remediation time in production: A CNAPP can integrate security checks into CI/CD pipelines to scan for risks during development. It also enables you to apply unified security policies across production and the CI/CD pipeline to prevent issues from reaching production.
Faster and more secure deployments: CNAPPs empower developers with the context, prioritization, and specific remediation guidance they need to fix issues related to their resources. Context and prioritization enable developers to stay agile and move fast while staying secure.
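The "unified security policies across production and the CI/CD pipeline" idea above can be shown as one policy function evaluated both against an IaC plan before deployment and against a live resource record afterwards. This is an added example, not Wiz's or Terraform's code; the plan is a constructed sample shaped like `terraform show -json` output for an `aws_security_group`, the live record is a constructed inventory entry with assumed field names, and the rule (administrative ports open to 0.0.0.0/0) is a simple illustrative policy.

```python
import json
import sys

# Constructed Terraform plan fragment (shape follows `terraform show -json`).
PLAN_JSON = """{
  "planned_values": {"root_module": {"resources": [
    {"type": "aws_security_group", "name": "web", "values": {
      "ingress": [
        {"from_port": 22,  "to_port": 22,  "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
        {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}
      ]}}
  ]}}}"""

# Constructed production inventory record (field names are assumptions).
LIVE_SG = {"id": "sg-0123", "ingress": [
    {"from_port": 3389, "to_port": 3389, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}

ADMIN_PORTS = {22, 3389}   # SSH and RDP

def open_admin_ports(ingress_rules):
    """The policy itself: admin ports reachable from any IPv4 address.
    Terraform encodes 'all ports' as from_port == to_port == 0."""
    hits = set()
    for rule in ingress_rules:
        if "0.0.0.0/0" not in rule.get("cidr_blocks", []):
            continue
        lo, hi = rule["from_port"], rule["to_port"]
        all_ports = (lo == 0 and hi == 0)
        hits |= {p for p in ADMIN_PORTS if all_ports or lo <= p <= hi}
    return sorted(hits)

def scan_plan(plan_text):
    """Shift-left stage: evaluate every security group in a Terraform plan."""
    plan = json.loads(plan_text)
    findings = []
    for res in plan["planned_values"]["root_module"]["resources"]:
        if res["type"] != "aws_security_group":
            continue
        ports = open_admin_ports(res["values"].get("ingress", []))
        if ports:
            findings.append((f"{res['type']}.{res['name']}", ports))
    return findings

def scan_live(records):
    """Production stage: the same rule over inventory records."""
    results = [(r["id"], open_admin_ports(r["ingress"])) for r in records]
    return [(rid, ports) for rid, ports in results if ports]

def gate(findings):
    """Pipeline exit code: non-zero blocks the deployment."""
    return 1 if findings else 0

if __name__ == "__main__":
    print("plan findings:", scan_plan(PLAN_JSON))
    print("live findings:", scan_live([LIVE_SG]))
    sys.exit(gate(scan_plan(PLAN_JSON)))
```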
Core CNAPP features
An integrated CNAPP seamlessly consolidates the following security tools within a unified platform:
| Feature | Description |
|---|---|
| CSPM | Offers insight into cloud resource configuration and continuous monitoring |
| CWPP | Ensures visibility into cloud workloads and risk mitigation across VMs, containers, and serverless functions without relying on agents |
| CIEM | Oversees entitlements within cloud setups and guides the least privilege permission implementation while optimizing access and entitlements across the environment |
| KSPM | Automates security and compliance for Kubernetes components to provide comprehensive visibility into containers, hosts, and clusters |
| DSPM | Safeguards sensitive data within the cloud environment |
| CDR | Enables detection and investigation of and response to cloud-based cyber threats by monitoring activity within the cloud environment and identifying suspicious events |
| Code security | Secures the SDLC by detecting risks in source code, IaC templates, and pipelines (with tools like Wiz Code) for proactive security and remediation before deployment |
Here’s a more detailed breakdown of how CNAPPs consolidate each of these features:
CSPM
CSPM offers insight into cloud resource configuration and continuous monitoring by assessing cloud resources against rules for proper configuration and identifying instances of misconfiguration. It also ensures compliance through built-in and custom standards and frameworks, then automatically remediates non-compliant resources using machine learning.
By evaluating resources during development, CSPM prevents misconfigurations from propagating to production environments.
CWPP
CWPP ensures visibility into cloud workloads and risk mitigation across VMs, containers, and serverless functions without relying on agents. It also scans for vulnerabilities, secrets, malware, and secure configurations within workloads and identifies workload misconfigurations and vulnerabilities in CI/CD pipelines.
As the final line of defense, CWPP employs a lightweight agent for real-time threat detection and enriches data through agentless visibility and risk reduction.
CIEM
CIEM oversees entitlements within cloud setups and guides least privilege permission implementation while optimizing access and entitlements across the ecosystem. This management system also analyzes effective permissions for principals and resources and detects potential secret or credential leaks that could compromise access to sensitive cloud assets.
KSPM
KSPM automates security and compliance for Kubernetes components and provides comprehensive visibility into containers, hosts, and clusters. It assesses vulnerabilities, misconfigurations, permissions, secrets, and networking risks and correlates these risks to offer contextual insights and prioritization.
This tool also facilitates a shift-left approach by identifying and preventing Kubernetes security issues during development.
DSPM
DSPM identifies and safeguards sensitive data within the cloud environment and provides visibility into its location across buckets, data volumes, OS and non-OS environments, and managed and hosted databases. DSPM also correlates sensitive data with underlying cloud context and other risk factors to comprehend data asset configuration, usage, and movement.
A fully integrated DSPM can pinpoint potential attack paths on sensitive data and allow for proactive issue prioritization to prevent breaches.
CDR
Cloud detection and response (CDR) capabilities enable teams to detect, investigate, and respond to cloud-based threats by monitoring malicious activity within the cloud environment and identifying suspicious events.
While proactive risk reduction without agents eliminates potential attack paths, real-time threat detection remains essential. To support this, CDR identifies threats and suspicious activities in real time, including remote code execution, malware, crypto-mining, lateral movement, privilege escalation, and container escape. This tool also offers comprehensive visibility and automatically correlates threats across real-time signals, cloud activity, and audit logs to track attacker movements. This enables rapid response and limits the impact of potential security incidents.
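The correlation of a runtime signal with cloud activity and audit logs described above can be shown on a small set of records. This is an added example, not Wiz's code; the runtime signal and audit events are constructed samples, loosely shaped like cloud audit-log entries but simplified, with assumed field names and the convention that a role session obtained from instance credentials carries the instance id in its principal name.

```python
from datetime import datetime, timedelta

# Constructed runtime signal from a workload sensor.
RUNTIME_SIGNALS = [
    {"time": "2025-03-01T10:00:00", "instance": "i-0abc", "signal": "crypto_miner_process"},
]
# Constructed cloud audit events. Sessions from instance credentials are
# written as "role/<name>:<instance-id>" (an assumption for this example).
AUDIT_EVENTS = [
    {"time": "2025-03-01T09:30:00", "principal": "role/web:i-0abc",
     "action": "s3:GetObject", "resource": "assets-bucket"},       # before the signal
    {"time": "2025-03-01T10:02:00", "principal": "role/web:i-0abc",
     "action": "s3:ListBuckets", "resource": "*"},
    {"time": "2025-03-01T10:04:00", "principal": "user/alice",
     "action": "s3:GetObject", "resource": "pii-bucket"},          # unrelated principal
    {"time": "2025-03-01T10:05:00", "principal": "role/web:i-0abc",
     "action": "iam:CreateAccessKey", "resource": "user/admin"},
    {"time": "2025-03-01T10:03:00", "principal": "role/web:i-0abc",
     "action": "s3:GetObject", "resource": "pii-bucket"},
]
WINDOW = timedelta(minutes=30)

def ts(text):
    return datetime.fromisoformat(text)

def correlate(signal, events, window=WINDOW):
    """Audit events issued by the compromised instance's role session in the
    window after the runtime signal, in chronological order."""
    t0 = ts(signal["time"])
    session_suffix = ":" + signal["instance"]
    related = [e for e in events
               if e["principal"].endswith(session_suffix)
               and t0 <= ts(e["time"]) <= t0 + window]
    return sorted(related, key=lambda e: ts(e["time"]))

def build_incident(signal, events):
    """One incident record: timeline of the session's activity, the set of
    resources it touched (blast radius), and whether it changed IAM state."""
    timeline = correlate(signal, events)
    return {
        "instance": signal["instance"],
        "trigger": signal["signal"],
        "timeline": [(e["time"], e["action"], e["resource"]) for e in timeline],
        "blast_radius": sorted({e["resource"] for e in timeline if e["resource"] != "*"}),
        "iam_changes": any(e["action"].startswith("iam:") for e in timeline),
    }

if __name__ == "__main__":
    for sig in RUNTIME_SIGNALS:
        print(build_incident(sig, AUDIT_EVENTS))
```

The event from 09:30 and the unrelated user's read of the same bucket are left out of the incident, so responders see only the session's post-compromise activity and the resources it actually reached.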
The future of CNAPP
Before long, CNAPPs will become the standard way for cloud developers to ensure that they follow best practices for cloud security. They’re usable and consumable by developers and operations teams, so they’ll allow those teams to be more proactive with their resource security.
Today, security teams have very few ways to tell if their security is in a good state, if they've taken the right steps to secure their cloud, or if they’ve left some areas wide open. However, CNAPPs allow any cloud developer to see that they’re taking the right steps to secure their applications and resources and any security team to validate the state of their security across cloud applications without gaps.
Wiz’s approach to CNAPPs
In a CNAPP-focused episode of the mnemonic security podcast—which featured security experts Scott Piper, principal cloud security researcher at Wiz, and Håkon Sørum—host Robby Peraltra asked a pivotal question on the future of cybersecurity: “How do we organize ourselves in a world where our assets are in the cloud but our procedures and thinking are still in the basement?”
Industries across markets and the globe rely on the cloud daily, so traditional cybersecurity methods won’t cut it. After all, transforming legacy security systems for the cloud doesn’t bridge necessary security gaps. That’s why it’s important to adopt CNAPPs, which use native technology and automation to meet the cloud’s needs and face threats head-on. This type of future-forward, cloud-first approach will create a faster, safer future for cloud computing—all within a holistic, unified platform.
Wiz’s approach to CNAPP hinges on these key pillars:
Agentless architecture: Wiz uses an agentless approach for scanning your cloud resources, which makes it easy to deploy and manage and avoids any performance impact.
Comprehensive visibility: This platform provides 100% visibility into your cloud resources and risks, from infrastructure to data, across all cloud providers and services.
Graph-based security and risk prioritization: Wiz builds a graph of all your cloud resources and their relationships to identify complex attack paths and prioritize risks more effectively. The solution’s graph-based security approach also allows you to focus on the most important issues first.
Unified platform: Its CNAPP provides a single platform for all your cloud security needs, including vulnerability management, misconfiguration management, secrets management, and cloud forensics.
Wiz CNAPP supports security across our cloud environments in a single place. All of our security information is in one place, and the solution is flexible enough that different teams can focus on just the details they need.
Ralf Kleinfeld, Information Security Officer, OTTO
Try the demo today to see how Wiz’s actionable insights and recommendations can improve your security—or check out the Cloud Security Self-Assessment for more actionable solutions for improving your cloud security.