BIPI

CSPM, CWPP, CIEM, CNAPP: what you actually need at your scale

Cloud Security

Vendors have collapsed every cloud security capability into the CNAPP acronym. The components are still distinct and you do not need all of them on day one. Here's the buying decision in plain language.

By Arjun Raghavan, Security & Systems Lead, BIPI · March 18, 2024 · 8 min read

#cspm #cnapp #cloud-security

A series-B SaaS CTO showed us four CNAPP quotes ranging from 90k to 480k a year. Each vendor claimed they did 'everything'. The lowest quote was honest: it was a CSPM with a few light extras. The highest was a CNAPP with workload runtime, IaC scanning, CIEM, and Kubernetes posture, most of which the company had no use for yet. Buying the highest tier would have been a 4x overspend on capabilities that would not pay back for two years.

The vendor pitches blur the categories on purpose. The categories themselves are still meaningful and the scope of what you are buying matters.

CSPM: configuration posture

Cloud Security Posture Management. Reads your cloud control plane via APIs and tells you which configurations violate a policy: public S3 buckets, security groups open to 0.0.0.0/0 on port 22, IAM users with old access keys, RDS instances without encryption. Output is a list of misconfigurations with remediation guidance. AWS Config + Security Hub plus a custom dashboard does most of this for free. Commercial tools add multi-cloud coverage, prebuilt compliance frameworks, and remediation workflows.

CWPP: workload runtime protection

Cloud Workload Protection Platform. Agent or agentless inspection of running workloads: VMs, containers, serverless. Detects vulnerable packages, malware, runtime anomalies, suspicious processes. This is the EDR-equivalent for cloud workloads. Falcon Cloud Workload, Sysdig, and Wiz Runtime Sensor live here. Worth it once you have production workloads running outside fully managed services.

CIEM: entitlements management

Cloud Infrastructure Entitlement Management. Analyses IAM policies and access logs to find over-privileged identities and unused permissions. Recommends right-sized policies. Useful at scale where IAM has grown beyond what humans can review. AWS IAM Access Analyzer covers the floor of this for free; tools like Sonrai and Wiz add cross-cloud and graph-based privilege escalation analysis.
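The core of the CIEM analysis described above, as an added example (not BIPI's code and not any vendor's product logic): compare what an IAM policy grants with what the identity was actually seen doing in audit logs, list the grants that were never exercised, and produce a right-sized policy. The policy document, the CloudTrail-style events, the role name `ci-deployer` and the account id are all constructed for this example; the reduced event shape keeps only the fields the analysis reads.

```python
"""Added example (not BIPI's or any vendor's tooling): the core of a CIEM
unused-permission analysis.  Policy and events are constructed; the account id
and principal names are placeholders."""
import fnmatch
import json

# Constructed customer-managed policy attached to role 'ci-deployer'.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket"],
         "Resource": "arn:aws:s3:::release-artifacts/*"},
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:TerminateInstances"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Constructed events in a reduced CloudTrail shape (only the fields used here).
EVENTS = [
    {"userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deployer/build-42"},
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deployer/build-42"},
     "eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deployer/build-43"},
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deployer/build-43"},
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeImages"},
    # Activity by a different principal must not be credited to ci-deployer.
    {"userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket"},
]


def principal_of(event):
    # Both 'assumed-role/<role>/<session>' and 'user/<name>' put the name second.
    return event["userIdentity"]["arn"].split("/")[1]


def observed_actions(events, principal):
    """Set of 'service:Action' strings the principal was seen using.
    Deriving the IAM action from eventSource + eventName is a simplification:
    a few CloudTrail event names do not map one-to-one onto IAM actions."""
    used = set()
    for e in events:
        if principal_of(e) == principal:
            service = e["eventSource"].split(".")[0]
            used.add(f"{service}:{e['eventName']}")
    return used


def _actions(stmt):
    a = stmt["Action"]
    return a if isinstance(a, list) else [a]


def _matches(pattern, action):
    # IAM action matching is case-insensitive and '*' is a wildcard.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def unused_grants(policy, used):
    """Allow-list entries (wildcards included) that matched no observed action."""
    return [p for stmt in policy["Statement"] if stmt["Effect"] == "Allow"
            for p in _actions(stmt) if not any(_matches(p, a) for a in used)]


def right_size(policy, used):
    """Narrow each Allow statement to the observed actions and drop empty ones.
    Resource scoping and any conditions are kept exactly as written."""
    statements = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            statements.append(stmt)
            continue
        kept = sorted({a for a in used for p in _actions(stmt) if _matches(p, a)})
        if kept:
            statements.append({**stmt, "Action": kept})
    return {"Version": policy["Version"], "Statement": statements}


if __name__ == "__main__":
    used = observed_actions(EVENTS, "ci-deployer")
    print("unused grants:", unused_grants(POLICY, used))
    print(json.dumps(right_size(POLICY, used), indent=2))
```

The observation window is the part that needs judgement: a grant that goes unused in 90 days of logs may still be needed for a quarterly job, so a recommendation like this is reviewed with the owning team rather than applied automatically. The wildcard handling is what the free IAM Access Analyzer also gets right and what home-grown scripts often miss: `ec2:Describe*` counts as used if any matching call appears, and the right-sized statement replaces it with the specific actions seen.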

IaC scanning: shift-left posture

Scans Terraform, CloudFormation, and Kubernetes manifests in CI for the same misconfigurations CSPM finds at runtime. Catches issues before they ship. Checkov and tfsec are free and good enough for most teams. Commercial CNAPPs add policy-as-code consoles and PR-blocking workflows.
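The point of the CSPM and IaC sections above is that they look for the same misconfigurations from two different vantage points. The added example below (not BIPI's code, not Checkov's or any vendor's) makes that concrete with one rule set, the four checks the CSPM section lists, applied to a control-plane snapshot as a CSPM collector would see it and to a Terraform JSON-syntax file as a CI scanner would see it. Both inputs are constructed; the normalised resource shape, the rule ids and the 90-day key-age threshold are this example's own conventions, while the Terraform resource types and attribute names are the real provider ones.

```python
"""Added example (not BIPI's tooling): one rule set serving both the CSPM view
(control-plane snapshot) and the IaC-scanner view (Terraform JSON syntax).
Inputs are constructed; the normalised shape and rule ids are this example's own."""
import json
from datetime import datetime, timezone

# Constructed scan date used for access-key age (the article's publication date).
NOW = datetime(2024, 3, 18, tzinfo=timezone.utc)

# Constructed control-plane snapshot: what a CSPM collector returns from the API.
CONTROL_PLANE_SNAPSHOT = {
    "s3_buckets": [{"name": "logs-prod", "public_access_blocked": True},
                   {"name": "marketing-assets", "public_access_blocked": False}],
    "security_groups": [
        {"id": "sg-0a1", "ingress": [{"from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0"]}]},
        {"id": "sg-0b2", "ingress": [{"from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]}]}],
    "iam_access_keys": [{"user": "deploy-bot", "created": "2023-06-01T00:00:00Z"},
                        {"user": "alice", "created": "2024-02-20T00:00:00Z"}],
    "rds_instances": [{"id": "orders-db", "storage_encrypted": False},
                      {"id": "analytics-db", "storage_encrypted": True}],
}

# Constructed Terraform JSON-syntax configuration: what an IaC scanner reads in CI.
TERRAFORM_JSON = {"resource": {
    "aws_s3_bucket_public_access_block": {
        "assets": {"bucket": "assets", "block_public_acls": False, "block_public_policy": True,
                   "ignore_public_acls": True, "restrict_public_buckets": True}},
    "aws_security_group": {
        "bastion": {"ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]},
        "web": {"ingress": [{"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]}]}},
    "aws_db_instance": {"orders": {"storage_encrypted": False},
                        "audit": {"storage_encrypted": True}},
}}

PUBLIC_BLOCK_FLAGS = ("block_public_acls", "block_public_policy",
                      "ignore_public_acls", "restrict_public_buckets")


def normalise_snapshot(snap, now):
    """Map API-shaped objects onto the common resource shape the rules consume."""
    out = []
    for b in snap["s3_buckets"]:
        out.append({"type": "s3_bucket", "id": b["name"],
                    "public_access_blocked": b["public_access_blocked"]})
    for sg in snap["security_groups"]:
        out.append({"type": "security_group", "id": sg["id"], "ingress": sg["ingress"]})
    for k in snap["iam_access_keys"]:
        created = datetime.fromisoformat(k["created"].replace("Z", "+00:00"))
        out.append({"type": "iam_access_key", "id": k["user"], "age_days": (now - created).days})
    for db in snap["rds_instances"]:
        out.append({"type": "rds_instance", "id": db["id"], "encrypted": db["storage_encrypted"]})
    return out


def normalise_terraform(tf):
    """Same shape, built from Terraform JSON syntax before anything is deployed."""
    out, res = [], tf.get("resource", {})
    for name, attrs in res.get("aws_s3_bucket_public_access_block", {}).items():
        # Only a block with all four flags set actually keeps the bucket private.
        blocked = all(attrs.get(flag, False) for flag in PUBLIC_BLOCK_FLAGS)
        out.append({"type": "s3_bucket", "id": name, "public_access_blocked": blocked})
    for name, attrs in res.get("aws_security_group", {}).items():
        ingress = [{"from_port": i["from_port"], "to_port": i["to_port"],
                    "cidrs": i.get("cidr_blocks", [])} for i in attrs.get("ingress", [])]
        out.append({"type": "security_group", "id": name, "ingress": ingress})
    for name, attrs in res.get("aws_db_instance", {}).items():
        # The provider default for storage_encrypted is false, so an omitted flag is a finding.
        out.append({"type": "rds_instance", "id": name,
                    "encrypted": attrs.get("storage_encrypted", False)})
    return out


def ssh_open_to_world(r):
    return any("0.0.0.0/0" in i["cidrs"] and i["from_port"] <= 22 <= i["to_port"]
               for i in r["ingress"])


# (rule id, resource type, predicate that is True when the resource violates policy)
RULES = [
    ("S3_PUBLIC", "s3_bucket", lambda r: not r["public_access_blocked"]),
    ("SG_SSH_WORLD", "security_group", ssh_open_to_world),
    ("IAM_STALE_KEY", "iam_access_key", lambda r: r["age_days"] > 90),
    ("RDS_UNENCRYPTED", "rds_instance", lambda r: not r["encrypted"]),
]


def evaluate(resources):
    return [{"rule": rule_id, "resource": r["id"]}
            for rule_id, rtype, violates in RULES
            for r in resources if r["type"] == rtype and violates(r)]


def scan_control_plane(snapshot, now):
    return evaluate(normalise_snapshot(snapshot, now))


def scan_terraform(tf):
    return evaluate(normalise_terraform(tf))


if __name__ == "__main__":
    print(json.dumps({"runtime": scan_control_plane(CONTROL_PLANE_SNAPSHOT, NOW),
                      "iac": scan_terraform(TERRAFORM_JSON)}, indent=2))
```

Two things the split shows. The access-key rule has no IaC counterpart because key age only exists at runtime, which is why a CSPM is still needed even with a perfect CI gate. And the IaC side has to reason about defaults (an `aws_db_instance` with no `storage_encrypted` attribute is unencrypted) and about partial settings (a public access block with three of four flags is not a block), which is exactly the work Checkov and tfsec encode in their policy libraries.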

CNAPP: the bundle

CNAPP is the umbrella term for buying CSPM + CWPP + IaC + sometimes CIEM from one vendor. The pitch is unified context: a runtime alert correlated to the IaC commit that introduced the misconfig and the IAM identity that touched it. The pitch is real when the platform actually correlates well, which varies by vendor. Wiz, Orca, and Prisma Cloud are the canonical CNAPPs; each has different strengths.

What to buy at what scale

Under 50 cloud resources and a single account: AWS Config + Security Hub + Access Analyzer + Checkov in CI. Total cost in the low hundreds a month. The capabilities are real, the dashboards are basic, and you will outgrow it.

50-500 resources, 5-20 accounts: a CSPM-only commercial tool plus the AWS-native runtime stack (GuardDuty, Inspector, Macie). 30-80k a year. You get cross-account visibility and a usable dashboard without paying for runtime sensors you would not have headcount to action anyway.

500+ resources, multi-cloud, regulated workloads: a CNAPP with the runtime sensor, IaC scanning, and CIEM modules. 150k-500k a year. At this scale the correlation across modules pays back, especially during incident response when you need to trace a runtime alert back to the IaC change that caused it.

The mistake that triggers the rebuy

Buying the CNAPP without the headcount to action it. We have seen 300k-a-year tools used purely as compliance dashboards because nobody had time to triage the runtime alerts. At that point you are paying CNAPP prices for CSPM-only value. Match the tool to the operational maturity, not to the marketing slide.

Pick the smallest scope that solves your current problem and budget for an upgrade in 12-18 months. Cloud security tooling moves fast and the vendor that wins your bake-off today may not be the right answer at twice your current size.
