This GigaOm Research Reprint Expires Aug 11, 2024

GigaOm Radar for Cloud Security Posture Management (CSPM)v2.0

1. Summary

Cloud security posture management (CSPM) offerings are security solutions designed specifically for cloud environments. They employ the multitude of application programming interfaces (APIs) offered by public cloud service providers to gather data from diverse sources. This rich data stream comprises a broad array of cloud configuration data and workload events. By leveraging this data, CSPM solutions can monitor and identify security risks, such as misconfigurations, vulnerabilities, and risks inside of workloads and CI/CD tooling.

The data harvested via APIs is normalized and evaluated against rule sets, benchmark controls, and increasingly ML models. This analysis identifies risk patterns and anomalies that could indicate a threat, and it supports proactive mitigation by pinpointing security gaps and suggesting remediation before a breach occurs.
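The rule-driven evaluation described above, shown as an added example that is not part of this report or of any vendor's product: a small Python evaluator runs posture rules over a constructed inventory (the record shapes are simplified assumptions, not real provider API responses), maps each finding to an illustrative compliance control (the CIS control numbers are placeholders, not an authoritative mapping), and escalates severity when the misconfigured resource is tagged as holding sensitive data, the kind of context-aware scoring several vendors below describe.

```python
"""Rule-based posture evaluation over API-harvested cloud configuration.

Added example; the inventory records below are constructed and their field
names are simplified assumptions, not exact cloud provider API shapes.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    rule_id: str
    resource_id: str
    severity: str
    controls: tuple      # compliance controls the rule maps to
    remediation: str


# Constructed inventory: what an API-based collector would hand to the analyzer.
INVENTORY = [
    {"type": "s3_bucket", "id": "arn:aws:s3:::prod-customer-exports",
     "public_access_block": False, "policy_allows_public": True,
     "tags": {"data_class": "pii"}},
    {"type": "s3_bucket", "id": "arn:aws:s3:::build-logs",
     "public_access_block": True, "policy_allows_public": False, "tags": {}},
    {"type": "security_group", "id": "sg-0a1b2c",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 443, "cidr": "0.0.0.0/0"}]},
    {"type": "security_group", "id": "sg-9f8e7d",
     "ingress": [{"port": 5432, "cidr": "10.0.0.0/8"}]},
    {"type": "iam_policy", "id": "arn:aws:iam::123456789012:policy/ci-runner",
     "statements": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
]

ADMIN_PORTS = {22, 3389}


def public_bucket(r: dict) -> bool:
    return (r["type"] == "s3_bucket" and r["policy_allows_public"]
            and not r["public_access_block"])


def admin_port_open_to_world(r: dict) -> bool:
    return r["type"] == "security_group" and any(
        rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS
        for rule in r["ingress"])


def wildcard_iam_policy(r: dict) -> bool:
    return r["type"] == "iam_policy" and any(
        s["Effect"] == "Allow" and s["Action"] == "*" and s["Resource"] == "*"
        for s in r["statements"])


# (rule id, predicate, base severity, mapped controls, remediation).
# Control identifiers are illustrative placeholders.
RULES = [
    ("S3-PUBLIC", public_bucket, "high", ("CIS-AWS 2.1.4",),
     "Enable S3 Block Public Access and remove the public bucket policy"),
    ("SG-ADMIN-OPEN", admin_port_open_to_world, "high", ("CIS-AWS 5.2",),
     "Restrict SSH/RDP ingress to trusted CIDRs or a bastion"),
    ("IAM-WILDCARD", wildcard_iam_policy, "critical", ("CIS-AWS 1.16",),
     "Replace Action '*' with the specific actions the workload needs"),
]


def escalate(base: str, resource: dict) -> str:
    """Context-aware scoring: the same misconfiguration on a bucket tagged as
    holding PII outranks it on a scratch bucket."""
    if base != "critical" and resource.get("tags", {}).get("data_class") == "pii":
        return "critical"
    return base


def evaluate(inventory) -> List[Finding]:
    findings = []
    for resource in inventory:
        for rule_id, predicate, severity, controls, remediation in RULES:
            if predicate(resource):
                findings.append(Finding(rule_id, resource["id"],
                                        escalate(severity, resource),
                                        controls, remediation))
    return findings


def control_rollup(findings) -> Dict[str, int]:
    """Count failing findings per control, the basis of a compliance report."""
    rollup: Dict[str, int] = {}
    for f in findings:
        for c in f.controls:
            rollup[c] = rollup.get(c, 0) + 1
    return rollup


if __name__ == "__main__":
    results = evaluate(INVENTORY)
    for f in results:
        print(f"[{f.severity:8}] {f.rule_id:14} {f.resource_id}")
        print(f"           fix: {f.remediation}")
    print(control_rollup(results))
```

The evaluator is deliberately stateless: a real CSPM re-runs the same rules every time a collector delivers a fresh inventory, which is what makes "real-time" monitoring a function of collection frequency rather than of the rules themselves.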

CSPM solutions have evolved significantly since their inception. Initially, they were simple tools for API monitoring and data visualization, aimed at giving security teams a clear view of their cloud infrastructure. Now they’re comprehensive security platforms that incorporate features such as identity and access management (IAM) and workload monitoring. Organizations of all sizes and maturity levels use CSPM solutions to illuminate risks and advance security objectives.

As the cloud security landscape evolves and threats become more complex, CSPM vendors continue to innovate. Many vendors are now exploring the integration of advanced security features like static application security testing (SAST) and software composition analysis (SCA). These additions signify the vendors’ commitment to developing comprehensive, one-stop-shop solutions for cloud security.

This GigaOm Radar report highlights key CSPM vendors and equips IT decision-makers with the information needed to select the best fit for their business and use case requirements. In the corresponding GigaOm report “Key Criteria for Evaluating CSPM Solutions,” we describe in more detail the capabilities and metrics that are used to evaluate vendors in this market.

This is our second year evaluating the CSPM space in the context of our Key Criteria and Radar reports. All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:

  • Cloud workload scanning
  • Enhanced visibility into cloud services
  • Cloud-native risk identification
  • Compliance reporting
  • Real-time cloud services monitoring

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.

2. Market Categories and Deployment Types

To better understand the market and vendor positioning (Table 1), we assess how well CSPM solutions are positioned to serve specific market segments and deployment models.

For this report, we recognize the following market segments:

  • Small-to-medium business (SMB): In this category, we assess solutions on their ability to meet the needs of organizations ranging from small businesses to medium-sized companies. Also assessed are departmental use cases in large enterprises where ease of use and deployment are more important than extensive management functionality, data mobility, and feature set.
  • Large enterprise: Here, offerings are assessed on their ability to support large enterprises and business-critical projects. Optimal solutions in this category have a strong focus on flexibility, performance, data services, and features that improve security and data protection. Scalability is another big differentiator, as is the ability to deploy the same service in different environments.

In addition, we recognize three deployment models for solutions in this report:

  • API: Solutions that leverage API data collection methods provide rapid deployment and simplified integration capabilities but are limited by the type and quantity of out-of-the-box API integrations made available by the vendor.
  • Agent: Solutions that leverage a small piece of software to collect telemetry from hosts provide rich and accurate data, but they introduce management overhead related to the deployment and maintenance of that software.
  • Snapshot scanning: The solution integrates with the organization’s cloud infrastructure so that it can snapshot workload disks and analyze them out of band, without installing an agent on the workload. The snapshot itself is still taken through the provider’s storage APIs, so this model needs the corresponding permissions and raises the question of where the copied data is analyzed.

Table 1. Vendor Positioning: Market Segment and Deployment Model

                        Market Segment              Deployment Method
Vendor                  SMB    Large Enterprise     API    Agent    Snapshot Scanning
Aqua Security
Check Point
Ermetic
Microsoft
Orca Security
Palo Alto Networks
Rapid7
Sophos
Wiz
XM Cyber

3 Exceptional: Outstanding focus and execution
2 Capable: Good but with room for improvement
1 Limited: Lacking in execution and use cases
0 Not applicable or absent

3. Key Criteria Comparison

Building on the findings from the GigaOm report “Key Criteria for Evaluating CSPM Solutions,” Table 2 summarizes how each vendor included in this research performs in the areas we consider differentiating and critical in this sector. Table 3 follows this summary with insight into each product’s evaluation metrics—the top-line characteristics that define the impact each will have on the organization.

The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the market landscape, and gauge the potential impact on the business.

Table 2. Key Criteria Comparison

Key Criteria

Vendor               Multicloud   Low/No-Code     AI-Driven   Supply Chain   Automated      Cloud Cost
                     Support      Configuration   Analysis    Analysis       Remediations   Tracking
Aqua Security        3            3               3           3              2              0
Check Point          3            2               3           3              3              0
Ermetic              2            3               3           2              3              0
Microsoft            2            2               3           2              2              0
Orca Security        3            2               3           2              3              2
Palo Alto Networks   3            2               3           3              3              0
Rapid7               3            3               2           2              3              2
Sophos               2            2               3           2              2              2
Wiz                  3            3               1           1              3              1
XM Cyber             3            2               1           1              1              0

3 Exceptional: Outstanding focus and execution
2 Capable: Good but with room for improvement
1 Limited: Lacking in execution and use cases
0 Not applicable or absent

Table 3. Evaluation Metrics Comparison

Evaluation Metrics

Vendor               Flexibility   Scalability   Licensing   Data Controls & Security
Aqua Security        2             3             2           3
Check Point          3             3             2           3
Ermetic              3             2             2           2
Microsoft            3             2             3           2
Orca Security        2             2             3           3
Palo Alto Networks   3             3             3           2
Rapid7               3             2             3           2
Sophos               2             2             3           2
Wiz                  3             3             2           3
XM Cyber             3             2             2           2

3 Exceptional: Outstanding focus and execution
2 Capable: Good but with room for improvement
1 Limited: Lacking in execution and use cases
0 Not applicable or absent

By combining the information provided in the tables above, the reader can develop a clear understanding of the technical solutions available in the market.

4. GigaOm Radar

This report synthesizes the analysis of key criteria and their impact on evaluation metrics to inform the GigaOm Radar graphic in Figure 1. The resulting chart is a forward-looking perspective on all the vendors in this report based on their products’ technical capabilities and feature sets.

The GigaOm Radar plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrow that projects each solution’s evolution over the coming 12 to 18 months.

Figure 1. GigaOm Radar for CSPM

This is a space that has settled on an agreed-upon set of capabilities, which forces vendors to differentiate in more nuanced ways. An example is the commoditization of cloud workload scanning, which became a table stakes feature in this report (but was a key criterion in the previous version). This has resulted in repositioning of vendors from last year’s report to this year’s, with some moving from Leader to Challenger. Overall, this space is trending toward an eventual merge with other cloud protections that will ultimately result in a new, more comprehensive approach to cloud security.

As you can see in the Radar chart in Figure 1, Microsoft’s Defender for CSPM is the only product in the Maturity/Feature Play quadrant. It offers a focused set of capabilities best suited for customers who either need infrastructure-oriented security controls or are already using Azure.

In contrast, the Maturity/Platform Play quadrant on the right holds the majority of the solutions we’re reviewing. Check Point continues to deliver a comprehensive security solution that is not, however, suitable for smaller organizations. Orca has developed and implemented new capabilities, including workload protections, and has enhanced existing features, making it an Outperformer and moving it into the Leaders ring. Prisma Cloud, Palo Alto Networks’ cloud security suite, supports many public clouds, delivers automation, and integrates into many popular CI/CD tools to create a well-rounded solution suitable for many organizations. Rapid7 delivers a practical and effective cloud security suite, making it an easy choice for consumers of Rapid7 products. Sophos offers a capable AI-powered solution, though it’s limited in shift-left capabilities. Wiz, a relative newcomer (founded 2020), focuses on developing extensive visibility and attack path analysis in cloud environments.

The Innovation/Feature Play quadrant on the lower left includes XM Cyber, which continues to focus on its broader mission of exposure and risk management across the enterprise, putting it a little further out in the Challengers ring.

Lastly, the Innovation/Platform Play quadrant on the lower right holds Aqua Security and Ermetic. Aqua Security has shifted from Feature Play into Platform Play this year with its innovative approach to security, simplified licensing, and broadly applicable capabilities. Ermetic takes an identity-centric approach to cloud security, which gives customers unusual insight into risk; coupled with its container workload controls, it makes a compelling case for rethinking how cloud security is done.

Inside the GigaOm Radar

The GigaOm Radar weighs each vendor’s execution, roadmap, and ability to innovate to plot solutions along two axes, each set as opposing pairs. On the Y axis, Maturity recognizes solution stability, strength of ecosystem, and a conservative stance, while Innovation highlights technical innovation and a more aggressive approach. On the X axis, Feature Play connotes a narrow focus on niche or cutting-edge functionality, while Platform Play displays a broader platform focus and commitment to a comprehensive feature set.

The closer to center a solution sits, the better its execution and value, with top performers occupying the inner Leaders circle. The centermost circle is almost always empty, reserved for highly mature and consolidated markets that lack space for further innovation.

The GigaOm Radar offers a forward-looking assessment, plotting the current and projected position of each solution over a 12- to 18-month window. Arrows indicate travel based on strategy and pace of innovation, with vendors designated as Forward Movers, Fast Movers, or Outperformers based on their rate of progression.

Note that the Radar excludes vendor market share as a metric. The focus is on forward-looking analysis that emphasizes the value of innovation and differentiation over incumbent market position.

5. Vendor Insights

Aqua Security

Established in 2015, Aqua Security is renowned for Trivy, a comprehensive and versatile open source security scanner. Aqua’s platform delivers a range of cloud security capabilities for containers, Kubernetes, and virtual machines (VMs), provides supply chain analysis, and interfaces with DevOps platforms. In addition, its CSPM solution provides scanning, monitoring, and remediation capabilities across several public clouds.

From its start in 2015, Aqua Security understood that containers (and container orchestration) were quickly becoming a force in the technology landscape. The rapid growth of these technologies came with an expansion of security concerns, from the classic (misconfigurations) to the unfamiliar (vulnerable images). The need for solutions to address these problems in the public cloud was evident. Aqua delivers a real-time CSPM solution that skips point-in-time measurements and focuses instead on continuous visibility into cloud native risks.

The Aqua CSPM solution is cloud native and integrates with Alibaba, Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and Oracle Cloud Infrastructure (OCI), as well as non-cloud environments like OpenShift and Kubernetes. The solution’s discovery capabilities are uniform across these public cloud environments. Once objects are discovered, they’re referred to as “secured resources” and are analyzed for misconfigurations and vulnerabilities. This telemetry is then used to drive the dashboards, reporting, and alerting features of the solution.

To present risk data to users, Aqua employs what it calls “Aqua Hub.” This is a dynamic visual representation that provides a real-time view of running workloads in Kubernetes environments, with supply chain analysis planned for a future release. New this year is remediation guidance tailored to each customer through AI, specifically a bespoke large language model (LLM) that produces accurate, specific instructions for the customer’s own environment. This feature delivers useful insights and expertise to security teams, which are often understaffed, underskilled, or both.

This is a comprehensive solution that can not only identify security issues in the public cloud service itself but can also analyze workloads running inside of containers or serverless functions. Though this wide-ranging approach isn’t unique to Aqua, the availability of Aqua’s dynamic threat analysis (DTA) feature, which runs containers in a sandboxed environment, adds capabilities that are quite effective. This feature, designed to identify unknown threats that could be hidden in a container image, simulates a real environment to coax malware into running. DTA doesn’t rely on signatures but instead tracks and records the behavior of the container image. The result is a behavioral detection method for previously unseen, container-based attacks.

With Aqua’s acquisition of Argon (completed in 2021), the Aqua CSPM solution is now able to analyze and identify upstream software risks present in commodity code and integrate into the continuous integration/continuous delivery (CI/CD) pipeline. This simplifies usage and enables the additional data to be presented in a uniform fashion throughout the CSPM solution.

Strengths: This is a comprehensive cloud security solution with a highly capable workload-scanning feature set. Its remediation capability, which leverages LLM technology, is an excellent combination of useful and novel capabilities.

Challenges: This solution doesn’t have cloud cost-tracking features.

Check Point

Check Point’s CloudGuard CSPM offers broad compatibility with major public clouds such as Alibaba, AWS, Azure, and GCP. The vendor plans to support IBM Cloud and custom integrations soon. The solution demonstrates impressive capabilities in key cloud areas, including compliance management, risk detection, and workload and software supply chain security—the latter boosted by its acquisition of Spectral. Recently, it introduced cloud infrastructure entitlement management (CIEM) and CI/CD pipeline security features.

The CloudGuard SaaS solution takes an agentless data collection approach: it relies on provider APIs and provisions a dedicated identity in the customer’s cloud account (for example, a cross-account role) through which it gathers telemetry. Practitioners should scope that identity to read-only permissions wherever automated remediation is not in use.

Although we don’t review table stakes as part of our Radar reports, CloudGuard’s ability to map telemetry to over 60 security or compliance frameworks is noteworthy, driven by machine learning (ML) and over 2,400 rules. If compliance is an organization’s key objective, this solution offers excellent capabilities to achieve it. CloudGuard’s recent integration of Amazon Macie, an ML-based sensitive data discovery service, simplifies the identification and tracking of sensitive data within the customer’s cloud environment. This information alone provides tremendous value to organizations, yet CloudGuard goes a step further and uses it as a component of its risk calculation. This process ultimately creates a clearer picture of risks that are unique from customer to customer.

The newly introduced CIEM feature allows users to graphically depict cloud identities, clearly showcasing relationships among cloud assets, permissions, and identities, thereby simplifying the identification of IAM-based risks, a common challenge. Leveraging CloudBots, optimized IAM permission sets can be auto-generated and implemented, reducing associated risks. This holistic approach to identity-based security provides a novel solution to a persistent problem.

Automation is delivered through CloudGuard’s CloudBots, an open source low-code automation feature provided in the solution. CloudBots requires a one-time setup per cloud provider. Once the integration is performed, automations can be configured and assigned to asset policies. This feature can be used to enforce organizational configurations as well as compliance framework mandates in an automated fashion across multiple cloud providers.

CloudGuard distinguishes itself with its detection and remediation capabilities, which is a gap in some CSPM solutions. It utilizes AI/ML technologies to power a refined risk calculation process, factoring in base risks like misconfigurations and vulnerabilities, along with other elements, such as known threats and exposed secrets, for an accurate risk representation. The advanced risk comprehension, infused with extra context, aids swift and accurate threat detection. Integrated with the powerful CloudBots automation, CloudGuard’s detection and response capabilities can significantly enhance a security team’s operational efficiency.

CloudGuard offers considerable depth in its workload scanning and software supply chain analysis features. This solution provides workload security scanning for containers, images, serverless functions, and most running web apps with integrated application and API firewall capabilities. The company’s Spectral acquisition powers the software supply chain analysis, which gives CloudGuard users the ability to identify risks via integrated developer environments (IDEs) and Git repository and infrastructure as code (IaC) scanning.

Check Point’s solution integrates telemetry from its diverse technologies, providing a unified experience for security staff. Newly introduced is the “K8SPM” feature (Kubernetes security posture management), which offers full security visibility for Kubernetes, both in the cloud and on-premises.

Cloud cost-tracking and other cloud cost-management features are not a part of CloudGuard. The company’s current licensing model is based on units of 100 assets, so smaller organizations may find this solution too costly.

Strengths: Check Point’s CloudGuard is a comprehensive solution for organizations with diverse cloud deployments and workloads. Its capabilities have expanded to include an identity-focused (CIEM) capability as well as full Kubernetes security posture management.

Challenges: Cloud cost tracking is not available, and its license model may not appeal to smaller organizations.

Ermetic

Ermetic tackles cloud security in a different way. While some companies focus only on finding and tracking risks tied to cloud infrastructure, Ermetic believes it’s better to track both the infrastructure risks and the access-rights risks that come with cloud infrastructure. This year, Ermetic expanded this approach to cover cloud resources as well as Kubernetes, and it has added more functions, like code scanning and workload protections, making its cloud security platform more versatile and wide-ranging.

Ermetic supports the big three—AWS, Azure, and GCP—with Oracle Cloud and Alibaba on the roadmap. Within the supported clouds, Ermetic provides AI-driven analysis of risks, workload scanning for container images, code scanning, and automated remediation capabilities. Licensing has also been updated to a model that bundles capabilities into packages. These license packages are aligned with broader goals or needs based on customer demand.

Ermetic tracks cloud entitlements via an identity-centric approach, enabling users to find risks based on identity behaviors, much as user and entity behavior analytics (UEBA) does. As normal behaviors are identified through ML, anomalous behaviors bubble up. This identity telemetry coupled with infrastructure risk data grants Ermetic valuable insights into risks in the public cloud.

As noted above, workload scanning capabilities are provided for container images, as well as VMs and containers running on VMs, but they’re not available for functions and other workload types found in the cloud. Function security controls are expected to be released within the next 12 months. Containers account for a large share of public cloud workloads, but organizations that rely on other workload types should note this limitation. Another limitation is that Ermetic does not provide cloud cost insights within this solution.

Privileged access management (PAM) is a common practice in on-premises environments. Its goal is to monitor and manage when and where privileged access, such as a root account, is used. This is a capability missing from many CSPM solutions, but one that Ermetic provides. The company asserts that proactively identifying over-privileged identities and automatically remediating or adjusting their privilege configurations can effectively reduce the blast radius of an attack. In this vein, Ermetic now offers just-in-time (JIT) access provisioning, which can be triggered either manually or via an event from an integrated third party (like a service desk). With JIT, identity-based risk is reduced by automatically limiting how long elevated access remains in place.

Strengths: With its identity-first risk methodology and use of AI to identify anomalies and risks, this vendor has a unique approach to cloud security. New this year are enhanced identity-based risk visibility, supply chain analysis, and Kubernetes platform security.

Challenges: The Ermetic solution does not provide the ability to track cloud costs, and its workload protections may be too narrow in scope for some customers.

Microsoft Defender Cloud Security Posture Management

Building on the earlier capabilities of Microsoft Defender for Cloud, Defender for CSPM broadens its scope to include AWS, Azure, GCP, and certain technologies running on-premises, such as Kubernetes. It offers a dual data collection model, both agent-based and agentless, that functions across all supported platforms. The solution emphasizes contextual understanding to mitigate risks and features benchmarking capabilities for assessing security compliance. Defender for CSPM Fundamentals, a complimentary tier of the Defender platform, serves as an accessible first step toward cloud security maturity for existing Azure customers.

The Defender CSPM tool enables organizations to assess their security stance through a numeric “secure score.” The score is computed from thousands of data points across the customer’s cloud estate, combined with context supplied by threat intelligence, allowing organizations to monitor historical and present-day risk across supported cloud platforms.

While Defender for CSPM primarily targets cloud infrastructure, provisions for cloud workload protections are also accessible in the companion Cloud Workload Protection solution.

Attack path analysis and management is swiftly gaining traction within cloud security tools. Defender for CSPM includes a proactive attack path analysis feature that surfaces risks arising from chains of individually minor exposures. This supports risk-informed decision-making instead of a purely reactive stance that addresses only the immediate crisis.

The issue of tracking cloud costs is a point of debate in the security domain. While not every customer explicitly demands it, it’s a significant tool, given that cloud expenditure directly influences cloud security initiatives and objectives. Defender for CSPM does not offer a cloud cost tracking feature. Instead, the vendor encourages customers to rely on the capabilities offered by public cloud providers for monitoring their spending.

Due to its integration within the Microsoft ecosystem, Defender for CSPM may appear to be primarily intended for existing Azure clients or those heavily invested in on-premises Microsoft technologies. However, it’s not exclusive to that user base, and it delivers uniform security management across all supported cloud platforms, including AWS and GCP.

Strengths: Defender for CSPM offers versatile and robust security management across various platforms. Its proactive attack path analysis enables strategic, informed risk management. Finally, its seamless integration with the Microsoft ecosystem makes it convenient, particularly for organizations already embedded in Microsoft technologies.

Challenges: Cloud workload protections are a part of the broader Microsoft solution set, not bundled specifically into the CSPM capabilities. There are no cloud cost-tracking capabilities.

Orca Security

Orca Security’s CSPM solution provides deep insights into cloud infrastructure risks, as well as security and compliance framework mapping to simplify security tasks. Orca is architected as either a SaaS offering or a customer-managed cloud deployment. Both deployment types leverage API calls and agentless data collection for workloads, called “SideScanning.” SideScanning is a patented Orca technique in which the solution snapshots a VM’s block storage in the client’s cloud account and transfers that snapshot to the Orca-controlled cloud, where it is read and analyzed out of band to identify risks; the workload is never booted or executed. The customer-managed cloud deployment works the same way, except that the snapshot is transferred to the customer-managed cloud location rather than Orca’s cloud. The latter approach allows customers to control their data during all stages of the Orca analysis, which matters where data-residency requirements apply.

Orca works with AWS, Azure, Google Cloud, Oracle, Alibaba, and Kubernetes. Once linked with a cloud account, it inventories assets and services, generating a security report within 30 minutes. It compiles all data into a unified model, simplifying multicloud data management and reducing the expertise required from staff. This single model also minimizes noise, preventing security analysts from being overwhelmed.

Attack path analysis is a standout feature of the Orca solution. It visually demonstrates how seemingly independent vulnerabilities and misconfigurations can be chained together by an attacker to execute an attack. This feature is a simple way to consume complex threat data and to build a better understanding of an organization’s environment.
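The attack path analysis that Orca describes here, and that Defender for CSPM offers above, chains individually tolerable exposures into a route from the internet to sensitive data. The following is an added example, not Orca’s or Microsoft’s implementation: a constructed asset graph (the node names, entitlements, and the assumption that initial access needs a host that is both internet-exposed and carrying a critical vulnerability are all hypothetical) is searched for every path to a sensitive resource. It goes one step beyond the text by also computing choke points, the edges whose single removal closes every path, which is how such findings get turned into a prioritized fix list.

```python
"""Attack path discovery over a constructed cloud asset graph (added example)."""
from collections import defaultdict
from typing import Dict, List, Tuple

Edge = Tuple[str, str, str]  # (source, destination, condition enabling the hop)

# Constructed graph: assets, identities, and the entitlements that link them.
NODES = {
    "internet": {"kind": "external"},
    "vm-web-01": {"kind": "vm", "public_ip": True, "critical_cve": True},
    "vm-batch-02": {"kind": "vm", "public_ip": False, "critical_cve": True},
    "role/web-instance": {"kind": "iam_role"},
    "role/batch-instance": {"kind": "iam_role"},
    "s3://customer-pii": {"kind": "bucket", "sensitive": True},
    "rds/orders": {"kind": "database", "sensitive": True},
}

EDGES: List[Edge] = [
    ("internet", "vm-web-01", "security group allows 0.0.0.0/0 on tcp/443"),
    ("vm-web-01", "role/web-instance", "instance profile attached"),
    ("role/web-instance", "s3://customer-pii", "s3:GetObject granted"),
    ("role/web-instance", "vm-batch-02", "ssm:SendCommand on all instances"),
    ("vm-batch-02", "role/batch-instance", "instance profile attached"),
    ("role/batch-instance", "rds/orders", "rds-db:connect granted"),
]


def usable(edge: Edge, nodes: Dict[str, dict]) -> bool:
    """Initial access from the internet needs a host that is both exposed and
    exploitable (assumption); every later hop is an entitlement or network
    reachability the attacker simply inherits."""
    src, dst, _ = edge
    if src == "internet":
        return bool(nodes[dst].get("public_ip")) and bool(nodes[dst].get("critical_cve"))
    return True


def find_attack_paths(edges: List[Edge], nodes: Dict[str, dict],
                      start: str = "internet") -> List[List[str]]:
    """Depth-first search from the entry point to every sensitive node."""
    adjacency = defaultdict(list)
    for edge in edges:
        if usable(edge, nodes):
            adjacency[edge[0]].append(edge[1])
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if nodes[node].get("sensitive"):
            paths.append(path)
            return
        for nxt in adjacency[node]:
            if nxt not in path:          # never revisit a node (no cycles)
                walk(nxt, path + [nxt])

    walk(start, [start])
    return paths


def describe(path: List[str], edges: List[Edge]) -> List[str]:
    """Render a path as hop-by-hop conditions, the form an analyst reviews."""
    condition = {(s, d): c for s, d, c in edges}
    return [f"{s} -> {d}: {condition[(s, d)]}" for s, d in zip(path, path[1:])]


def choke_points(edges: List[Edge], nodes: Dict[str, dict]) -> List[Edge]:
    """Edges whose single removal eliminates every attack path: fix these first."""
    if not find_attack_paths(edges, nodes):
        return []
    return [e for e in edges
            if not find_attack_paths([x for x in edges if x != e], nodes)]


if __name__ == "__main__":
    for path in find_attack_paths(EDGES, NODES):
        print("PATH to", path[-1])
        for hop in describe(path, EDGES):
            print("   ", hop)
    print("choke points:", [(s, d) for s, d, _ in choke_points(EDGES, NODES)])
```

On this graph two paths reach sensitive data, but both run through the same first two hops, so closing the security group rule or detaching the instance profile from vm-web-01 removes every path, whereas revoking s3:GetObject fixes only one. That is the prioritization signal attack path analysis adds over a flat list of findings.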

This solution provides low-code features for the creation of compliance policies, the configuration of alerts, CI/CD integrations, and integrations with communication technologies like Slack and PagerDuty.

Initially, Orca’s workload scanning supported Linux and Windows VMs, container images, the Kubernetes control plane, and serverless functions. Through a partnership with ThreatOptix, which specializes in runtime monitoring and securing cloud-native applications, including VMs, containers, and Kubernetes applications, Orca has expanded its workload protections to include deep telemetry from Linux hosts and container workloads. These features are provided through Orca and managed entirely by Orca’s support staff, with no intervention from ThreatOptix.

Although Orca provides DevSecOps features (like the Orca CLI) that integrate into IDEs and IaC templates for building security into coding practices, it relies on integrated third parties to deliver software supply chain analysis. Orca has expanded its remediation capabilities, which now include remediation guidance powered by OpenAI’s GPT-4 LLM. This feature delivers tailor-made remediation guidance for each customer.

Strengths: Orca’s innovations in the cloud security space, from SideScanning to the unified data model, provide practical security for the cloud. Its recent partnership with ThreatOptix expands its workload capabilities to match those who have previously led in that regard.

Challenges: SideScanning is a novel approach that grants deep visibility into cloud services. However, this approach introduces a slight delay in discovery of risks because SideScanning occurs just once every 24 hours.

Palo Alto Networks

Prisma Cloud, a platform from Palo Alto Networks, delivers insights across various public cloud services, encompassing infrastructure, workloads, identity, and code-scanning functions. This year, Palo Alto Networks upgraded asset discovery and management capabilities, introduced an attack path analysis feature, fine-tuned the solution to cater to DevSecOps use cases better, and established a more streamlined pricing model. With the emphasis on real-time visibility, the company aims to ensure continuous, up-to-date cloud security oversight.

Prisma Cloud’s CSPM capabilities include workload safeguarding, entitlement administration, and cloud code security features. Prisma Cloud adopts a distinctive sales approach that facilitates user-friendly engagement with its services. Clients are granted the flexibility to decide the manner, timing, and location of their consumption of Prisma Cloud services. In essence, clients procure Prisma Cloud credits, which they can use to activate and deactivate Prisma Cloud services according to their needs, promoting on-demand service usage with real-time monitoring.

Threat detection is a standout capability of Prisma Cloud, combining ML, Palo Alto Networks’ Unit 42 threat intelligence, UEBA, and a newly introduced attack path analysis feature. Prisma Cloud identifies anomalous events, malicious actions, and threats across the client’s cloud, including distributed denial of service (DDoS) attacks, botnets, ransomware, cryptomining, and other harmful activity, and visualizes them in a way that makes intricate cloud-native risks easier to understand. Palo Alto Networks’ WildFire malware analysis engine also feeds Prisma Cloud, providing threat intelligence derived from scanning the customer’s workloads, infrastructure, and code.

“Shifting left” is a common goal touted by cloud security vendors, and Prisma Cloud enables it through code scanning capabilities like IaC review, scanning of Git repositories, and integrations with Visual Studio, most JetBrains IDEs, and CI tools that streamline the secure development of cloud resources. Additional capabilities include supply chain posture visibility enabled by supply chain analysis.

Besides the integrations that streamline secure code development, Prisma Cloud also monitors vulnerabilities in Git repositories and can even preemptively block pull requests if a pre-set threshold of vulnerabilities is detected in the code. Proactive capabilities like these, enhanced with real-time monitoring, provide immediate benefits to security teams that may be dealing with an overwhelming number of tasks.

This solution does not provide insight into cloud costs, cost tracking, or related management activities. While such insight is not commonly found in CSPM solutions, at least one vendor includes this feature, which is valued by smaller organizations.

Prisma Cloud supports the six largest public clouds—AWS, Azure, GCP, Oracle, Alibaba, and IBM Cloud—a wider-than-typical spectrum of cloud integrations. All solution capabilities are fully accessible on these supported clouds, providing comprehensive and real-time monitoring across a variety of cloud landscapes. Additionally, Prisma Cloud is able to offer some security controls to private cloud and on-premises infrastructure through its code security capabilities and a self-hosted architecture that can run entirely within a customer’s infrastructure.

Strengths: Prisma Cloud, with its wide-ranging public cloud support and robust machine-learning-based threat detection, seamlessly integrates with CI/CD tools and IDEs. Its user-friendly purchasing model eases the rollout of new features.

Challenges: This solution does not have cloud cost-tracking features.

Rapid7

Rapid7 is available in a standard SaaS model or in a private deployment model that can be set up on-premises, in a private cloud, or through a client-owned public cloud account. Regardless of the chosen architecture, data collection and telemetry are achieved through the same agentless, real-time, event-driven harvesting techniques.

Pricing follows a consumption-based model that tallies the average daily usage of compute instances, container registries, and serverless functions on a quarterly basis. This approach streamlines the billing procedure in a fluctuating setting like a public cloud.

Rapid7 supports deployments in AWS, Azure, GCP, Alibaba, and Oracle Cloud. This is average support for the space. For reference, some vendors now include support for the six largest public clouds while others include a “build your own connector” capability.

When workloads sprawl across multiple clouds, it can be difficult to align data from these diverse sources into a unified view for security staff. Rapid7’s multicloud inventory feature simplifies this process by combining data from all supported clouds. As data is mapped from the disparate clouds, Rapid7 standardizes the naming for each service. For example, storage containers in AWS are “S3 buckets,” and in Azure, they’re “Blob Storage.” In Rapid7, these are both named “storage containers.” This approach is repeated for all other cloud services, simplifying compliance and policy management.

One of the solution’s primary strengths is workload scanning, particularly in Kubernetes security. Rapid7 provides expansive security features, including “guardrails,” an agentless, API-driven method that continuously monitors Kubernetes security for configuration drift, best practice violations, and other vulnerabilities in real time. New since last year’s report is the ability to pinpoint the exact line of code in an IaC template that caused a compliance failure and to recommend specific remediation steps to the owner. Rapid7 facilitates early insight into IaC templates during their construction, enabling security teams to spot misconfigurations and vulnerabilities before deployment. Designed with Jenkins, CircleCI, and Azure Pipelines in view, this feature operates seamlessly across all supported clouds.
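An added illustration (not Rapid7’s code) of the line-level IaC finding described above: it scans a constructed Terraform snippet, reports the line that triggered each rule together with a suggested fix, and reports block-level findings (a required attribute that is absent) against the resource header line. The rule ids, attribute names, and remediation text are assumptions chosen for the example; a production checker would use a real HCL parser rather than brace counting.

```python
"""Line-level IaC compliance check (added example, constructed data)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample template with deliberate compliance failures.
TEMPLATE = """\
resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  acl    = "public-read"
}

resource "aws_db_instance" "customers" {
  engine              = "postgres"
  publicly_accessible = true
}

resource "aws_s3_bucket" "reports" {
  bucket = "example-reports"
  acl    = "private"
}
"""

@dataclass
class Finding:
    line: int       # 1-based template line to show the owner
    resource: str   # e.g. aws_s3_bucket.logs
    rule: str       # hypothetical rule id and title
    fix: str        # remediation recommendation

RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*([a-z_]+)\s*=')

# Attribute rules fire on the offending line: (type, pattern, rule, fix).
ATTRIBUTE_RULES = [
    ("aws_s3_bucket", re.compile(r'^\s*acl\s*=\s*"public-read(-write)?"'),
     "S3-001 bucket ACL grants public access",
     'set acl = "private" and add an aws_s3_bucket_public_access_block'),
    ("aws_db_instance", re.compile(r'^\s*publicly_accessible\s*=\s*true\b'),
     "RDS-002 database instance is publicly accessible",
     "set publicly_accessible = false and reach it over a private subnet"),
]
# Required-attribute rules fire on the resource header when the attribute
# never appears in the block: (type, attribute, rule, fix).
REQUIRED_RULES = [
    ("aws_db_instance", "storage_encrypted",
     "RDS-003 storage encryption not enabled", "add storage_encrypted = true"),
]

def check_template(text: str) -> List[Finding]:
    """Walk the template once, tracking the current resource block by depth."""
    findings: List[Finding] = []
    rtype = address = ""
    header_line: Optional[int] = None
    seen: set = set()
    depth = 0
    for lineno, line in enumerate(text.splitlines(), start=1):
        header = RESOURCE_RE.match(line)
        if header and depth == 0:
            rtype, address = header.group(1), f"{header.group(1)}.{header.group(2)}"
            header_line, seen = lineno, set()
        elif header_line is not None and depth >= 1:
            attr = ATTR_RE.match(line)
            if attr:
                seen.add(attr.group(1))
            for t, pattern, rule, fix in ATTRIBUTE_RULES:
                if t == rtype and pattern.match(line):
                    findings.append(Finding(lineno, address, rule, fix))
        depth += line.count("{") - line.count("}")
        if header_line is not None and depth == 0:   # block just closed
            for t, attr_name, rule, fix in REQUIRED_RULES:
                if t == rtype and attr_name not in seen:
                    findings.append(Finding(header_line, address, rule, fix))
            header_line = None
    return findings

if __name__ == "__main__":
    for f in check_template(TEMPLATE):
        print(f"line {f.line}: {f.resource}: {f.rule} -> {f.fix}")
```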

Rapid7 helps identify cloud waste, such as orphaned services that are not in use, to reduce cloud spend. Though this is an unusual feature to find in a security tool, SMBs will find value in it because of the close relationship between cloud cost and security in this situation. However, the solution does not include a way to see cloud costs where it’s deployed.

The automation capabilities are quite good. Using Rapid7’s bots technology, security teams can proactively remediate risks as they’re identified. There are several hundred predefined actions the bots can take out of the box, and Rapid7 also enables security professionals to define custom actions using a no-code configuration tool. Controlling the remediation process is important, and to facilitate it, Rapid7 includes the ability to apply granular controls to remediation workflows using one or several of the over 1500 filters included with the solution.

Strengths: Rapid7 showcases in-depth visibility for supported clouds, effective workload security, and superior remediation with no-code configuration. Its unified, standardized overview across various clouds minimizes the expertise needed for public cloud security.

Challenges: The solution’s supply chain analysis capabilities are adequate and maturing but may be useful only in limited use cases.

Sophos

The Sophos CSPM solution, Cloud Optix—part of Sophos Cloud Native Security—protects organizations from attacks found in public clouds and provides assurances against compliance violations. Cloud Optix is SaaS-delivered, with agentless data collection methods that leverage the public cloud provider’s API for telemetry. Cloud Optix is licensed based on asset quantity, which is typical in this space.

Cloud Optix includes support for the big three cloud providers—AWS, Azure, and GCP—with similar solution capabilities across all of them. A standout feature of the Sophos solution is its integration of AI. Sophos has a dedicated AI team, which has developed use cases for a variety of cloud-based attacks, using telemetry like outbound network data, anomalous user activity, and high-risk behaviors. The result is an AI-based analysis that delivers higher quality intrusion detection.

Workload scanning has become so common that it is now a table-stakes feature expected in CSPM solutions. The Sophos Cloud Optix solution includes image-scanning capabilities for containers in AWS ECR, Azure ACR, and Docker Hub, as well as IaC pipelines. This breadth of coverage is above average and should provide ample opportunities for organizations to integrate workload scanning into their posture management practices. New this year, Cloud Optix’s serverless storage protection scans assets stored in the AWS Simple Storage Service (S3) to detect malware in all file types, including executables, media, and documents. The capability uses the Sophos anti-malware engine and scans all file contents without leaving a customer’s cloud environment, supporting file sizes up to 2.5 TB.

The software supply chain analysis capability of the Cloud Optix solution is average, supporting deep analysis of container images that are submitted to the Cloud Optix solution. This analysis can discover and inventory operating system packages, libraries, and file content, and can extract metadata. The telemetry is then cross-referenced to external vulnerability data to identify risks within a container image. However, this functionality doesn’t extend beyond container images to something like a serverless function, for example. Additionally, low- or no-code changes are limited to the configuration of remediations.

The remediation capabilities of the Cloud Optix solution allow security teams to apply (preapproved) automated remediations that Sophos provides in the form of functions that can be run within AWS or Azure but not yet in GCP. These functions can be modified as desired or used as provided.

Although a security team is primarily responsible for the security of people, systems, and data, planning can be difficult when a major portion of the overall environment (like cost) can’t be tracked. While some vendors suggest that cloud cost-tracking and resource-utilization monitoring should fall outside of the scope of security teams, Sophos disagrees. The Cloud Optix solution enables clients to track spend by environment, with tracking provided daily and monthly across AWS, Azure, and GCP. For AWS and Azure customers, additional insights and recommendations are provided.

Strengths: Sophos leverages AI technologies more than other vendors in this space. It has good cloud support, integrated cost-tracking features, and a simple licensing model based on asset count.

Challenges: This solution has limited use of low- and no-code configuration changes. Additionally, software supply chain analysis is limited to container images that are submitted to Cloud Optix.

Wiz

Wiz offers a cloud security platform designed to efficiently analyze, evaluate, and prioritize significant risks within an organization’s cloud environment. This enables both security and development teams to take proactive measures to fortify their cloud infrastructure. Wiz’s CSPM solution delivers comprehensive visibility across the entire cloud environment within a matter of minutes, eliminating the need for additional agents. It effectively identifies misconfigurations and potentially harmful combinations within various cloud environments. Wiz CSPM streamlines compliance processes through automation and minimizes alert fatigue by presenting risks in a contextualized, graph-based format, allowing for a prioritized approach.

Wiz’s cloud security platform extends its support to a wide range of prominent cloud providers and platforms, including AWS, Azure, GCP, OCI, Alibaba Cloud, VMware vSphere, Kubernetes, and Red Hat OpenShift. By offering compatibility with these popular services, Wiz ensures that its solution can be integrated into diverse cloud environments, catering to the needs of organizations that use a range of different cloud providers and technologies.

Customers can create tailored remediation workflows that align with their specific needs, ensuring efficient and systematic handling of identified security risks within their cloud environment. Additionally, Wiz seamlessly integrates with existing ticketing systems, enabling collaboration and communication between security teams and other stakeholders. By streamlining the incident tracking and resolution process, this integration ensures timely and effective response to security issues. Wiz’s automated report generation feature provides customers with detailed insights into their security posture. These reports offer a consolidated view of vulnerabilities, misconfigurations, and compliance status, empowering organizations to make data-driven decisions and prioritize their security efforts.

Wiz delivers comprehensive visibility and consistent risk assessment, addressing the demands of security teams. Customers appreciate its heuristics-based controls and policies that readily identify attack paths out of the box. With that said, Wiz doesn’t integrate AI technologies like ML into its solution; however, Wiz does recognize customers may be leveraging AI (like ChatGPT) elsewhere in their security operations and provides guidance and best practices on how to do it.

In July 2023, Wiz launched basic supply chain analysis capabilities. These capabilities enable users to generate software bills of materials (SBOM) using agentless data collection methods to analyze and manage their software supply chain.

Customers have a range of options for remediation, including automatic, built-in, and custom remediations according to their specific requirements. What sets Wiz apart is a feedback loop feature: once the remediation flow is triggered, Wiz keeps users informed about the results of their run, providing valuable insights and updates on the progress of the remediation process.

Strengths: Wiz provides extensive visibility across popular cloud platforms and offers flexible remediation options, including automatic, built-in, and custom remediations. The solution’s feedback loop ensures users are informed about the results of their remediation actions.

Challenges: Supply chain analysis capabilities are new as of July 2023, but the initial release is limited. Cloud cost analysis is minimal.

XM Cyber

XM Cyber understands that a company’s attack surface can range across public and private clouds as well as on-premises. Its CSPM solution thus uses both agents and agentless data collection methods that can identify attack paths, just as an attacker would, in both on-premises and cloud infrastructure and workloads.

The solution is delivered through a SaaS model, as is commonplace now. Licensing is based on an annual subscription, and cost is determined based on customer use of cloud and on-premises technologies like servers, storage, and databases.

This solution supports AWS, Azure, and GCP, as well as on-premises and some private cloud infrastructure through the deployment of an agent. This unique approach to cloud security recognizes that the demarcation between on-premises and cloud technologies is seldom neatly defined. That blurred boundary can create an opportunity for attackers, but with XM Cyber’s solution the risk is controlled because visibility is maintained across the demarcation.

With the XM Cyber agent deployed to server instances, deep visibility is provided into the workloads running both on-premises and in clouds. Without the agent, the solution is unable to obtain the same level of visibility into workloads.

XM Cyber sees the cloud security challenge in two ways: one that extends from on-premises technologies, and one that is best addressed through the lens of attack path management. Attack path management is an approach that takes the data collected from an environment and identifies the most likely vulnerabilities, misconfigurations, overly permissive credentials, and user behavior that attackers could leverage to expand their attack and move towards the organization’s critical assets.

Using this approach, XM Cyber presents a unique view into an organization’s infrastructure. This view is called the “attack graph” and is a visual representation of attack path management activities. On the attack graph, high-value assets and associated exposures are displayed with connections across the environment that indicate the most likely path an attacker would take. This type of insight simplifies prioritization of risk mitigation efforts.
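The attack graph idea described in the two paragraphs above, as an added example that is not XM Cyber’s code: a constructed inventory in which nodes are cloud resources and each edge is the exposure (open port, IMDSv1, wildcard role policy, and so on) that lets one node reach the next. The code enumerates every path from the internet to a critical asset, ranks exposures by how many paths they sit on, and then picks a short list of fixes that breaks every path, which is the prioritization the text describes. All node and exposure names are constructed.

```python
"""Attack-path prioritisation over a constructed cloud inventory (added example)."""
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# node -> [(next_node, exposure that enables the hop)]; constructed sample data.
GRAPH: Dict[str, List[Tuple[str, str]]] = {
    "internet": [("web-vm", "web-vm:ssh-open-to-0.0.0.0/0"),
                 ("api-gw", "api-gw:unauthenticated")],
    "api-gw": [("app-role", "lambda-fn:shares-app-role")],
    "web-vm": [("app-role", "web-vm:imdsv1-enabled"),
               ("bastion", "bastion:reused-ssh-key")],
    "bastion": [("app-role", "bastion:imdsv1-enabled")],
    "app-role": [("customer-db", "app-role:rds-wildcard"),
                 ("backup-bucket", "app-role:s3-wildcard")],
    "backup-bucket": [("customer-db", "backup-bucket:unencrypted-db-snapshot")],
    "customer-db": [],
}
CRITICAL_ASSETS: Set[str] = {"customer-db"}

def find_attack_paths(graph, source: str, targets: Set[str]) -> List[List[str]]:
    """Depth-first enumeration of simple paths; each path is the ordered list
    of exposures an attacker would have to chain to reach a critical asset."""
    paths: List[List[str]] = []

    def walk(node: str, visited: Set[str], exposures: List[str]) -> None:
        if node in targets:            # stop at the crown jewel
            paths.append(exposures)
            return
        for nxt, exposure in graph.get(node, []):
            if nxt not in visited:     # simple paths only, no cycles
                walk(nxt, visited | {nxt}, exposures + [exposure])

    walk(source, {source}, [])
    return paths

def rank_exposures(paths: Iterable[Iterable[str]]) -> List[Tuple[str, int]]:
    """Exposures ordered by the number of attack paths they appear on
    (the 'choke points'), ties broken by name for determinism."""
    counts = Counter(e for path in paths for e in set(path))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def remediation_plan(paths: List[List[str]]) -> List[str]:
    """Greedy set cover: repeatedly fix the exposure on the most remaining
    paths until no path from the entry point to a critical asset survives."""
    remaining = [set(p) for p in paths]
    plan: List[str] = []
    while remaining:
        exposure, _ = rank_exposures(remaining)[0]
        plan.append(exposure)
        remaining = [p for p in remaining if exposure not in p]
    return plan

def without(graph, fixed: Set[str]):
    """The graph after the given exposures have been remediated."""
    return {n: [(m, e) for m, e in edges if e not in fixed] for n, edges in graph.items()}

if __name__ == "__main__":
    paths = find_attack_paths(GRAPH, "internet", CRITICAL_ASSETS)
    print(f"{len(paths)} attack paths to critical assets")
    for exposure, n in rank_exposures(paths):
        print(f"  on {n} path(s): {exposure}")
    print("fix first:", remediation_plan(paths))
```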

While the solution provides a unique approach not found in other platforms in this report, it does lack a few capabilities that are becoming more common in this space, such as built-in automation capabilities (frequently leveraged to ease the burden on security staff), cloud cost tracking (a feature that’s becoming increasingly important to SMB security teams), and integration of AI technologies like ML.

Strengths: Attack path management simplifies prioritization of remediations while the solution’s hybrid approach closes gaps often overlooked by pure-cloud security solutions. XM Cyber has good support for the big three clouds, and the attack graph visualization simplifies the detection of vulnerabilities.

Challenges: Because of the solution’s unique approach, some features found in other solutions—like low- or no-code configuration, AI technologies, automated remediations, and cloud cost tracking—are minimal or absent.

6. Analyst’s Take

Cloud security means different things to different people, and much of that meaning depends on what they have learned and experienced before. That is true of security generally, but it also makes finding the right CSPM solution tricky: CSPM solutions help keep data safe in the cloud, yet with everyone holding different ideas about what is needed, it can be tough to find one that fits just right.

To find a CSPM solution that suits your needs, first figure out what your own security needs are, then compare the various CSPM solutions out there, and perhaps even get advice from experts. With the right kind of research and assessment of your environment, you can make sure that the CSPM solution you choose will really work for your situation and help to keep your data safe in the cloud.

When considering vendors, and particularly when examining the Platform Play solutions in the top right quadrant of the Radar chart (Figure 1), it’s important for organizations to think about any existing relationships they might have with these vendors. If you’re a potential customer who’s already invested in one of these vendors’ portfolios, you’re likely to experience easier integration with the other technologies in that vendor’s technology stack.

However, if your organization’s infrastructure doesn’t already include solutions from these vendors, it’s probably better to look at the Feature Play solutions that most closely match your organization’s objectives. For example, if a company doesn’t place high value on compliance and audit support but instead needs clear and actionable insights about vulnerabilities, a solution with attack path management capabilities would be a good fit. This is because such a solution would allow the existing security team to start reducing risks in the cloud more comfortably, thanks to its direct and clear security advice.

Another strategy for picking a CSPM solution is to identify those that align best with the skills and resources of the security team. For instance, deployment methods such as agentless and side-scanning are quite straightforward to implement and do not require additional investments in application management solutions, nor do they introduce manual tasks during deployments. This is different from agent-based data collection methods, which require more effort to roll out, maintain, and keep updated.

Ultimately, no matter the deployment method or how well the solution fits with your organization, the benefits should be evident. Before choosing a CSPM solution, always ensure you can align its main features with the goals of your organization. Doing so will simplify getting approval from leadership when making a business case, and it’ll also make it easier to measure the return on investment in the future.

7. Methodology

For more information about our research process for Key Criteria and Radar reports, please visit our Methodology.

8. About Chris Ray

Chris Ray is a veteran of the cyber security domain. He has a collection of experiences ranging from small teams to large financial institutions. Additionally, Chris has worked in healthcare, manufacturing, and tech. More recently, he has acquired an extensive amount of experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cyber security services.

9. About GigaOm

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.

10. Copyright

© Knowingly, Inc. 2023 "GigaOm Radar for Cloud Security Posture Management (CSPM)" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.