I've signed Cloud-Native Application Protection Platform (CNAPP) contracts. The pitch is always the same: one platform, complete coverage, fewer tools to manage, one renewal conversation instead of four.
It sounds like a good deal when the slide deck is in front of me and the line item is one of the bigger checks I write. The pitch obscures a basic problem: CNAPP bundles four components at very different maturity levels, and the one that routinely disappoints is the one operators lean on hardest when something is actually happening.
The gap shows up fast in real evaluations. Cloud Security Posture Management (CSPM) and Cloud Infrastructure Entitlement Management (CIEM) are mature and useful, and Cloud Workload Protection Platform (CWPP) depends entirely on architecture.
Cloud Detection and Response (CDR), the detection and response component, is consistently the weakest link. It's either absent, planned for later, or acquired and bolted on after the core product shipped. CNAPP evaluations should separate what the buyer is actually getting from what the category name promises.
In Brief:
- CNAPP bundles four components at different maturity levels, but the category name implies they're all equally good.
- CSPM tells you a bucket is public, but it misses valid-credential data staging through that bucket. That blind spot is structural.
- Several major CNAPP vendors added CDR through acquisition rather than building it natively: Wiz bought Gem Security, Fortinet bought Lacework. Where CDR was bolted on, integration depth varies.
- The fastest way to expose a weak CDR component in a demo is to ask which MITRE ATT&CK Cloud techniques it detects by ID, then ask for a credential abuse walkthrough.
What CNAPP is, and how the category got assembled
CNAPP stands for Cloud-Native Application Protection Platform. The category emerged to describe platforms that bundle cloud security capabilities across the application lifecycle, from code to runtime.
In practice, that usually means a unified set of proactive and reactive capabilities: artifact scanning, security guardrails, configuration and compliance management, risk detection and prioritization, and behavioral analytics in one platform.
The four bundled components are CSPM, CIEM, CWPP, and CDR. Here's the part the category name hides: CNAPP didn't start as a unified design. It grew out of CSPM and CWPP convergence, then expanded into identity, infrastructure, application, and runtime use cases.
CDR came later for many platforms, and vendors filled that gap however they could. I made the deeper argument on why posture and detection are different problems in our cloud-native security piece.
The pitch is consolidation, and consolidation is real
One platform covers posture, entitlements, workload protection, and detection. One console instead of five, one data model, one vendor relationship, and one renewal cycle. For a team drowning in tool sprawl, that's genuinely attractive, and the consolidation case isn't fake.
Consolidation value depends on what you're consolidating onto. When four components sit under one label at four different maturity levels, the label flattens the difference.
You sign for complete cloud security and usually get strong posture management plus a detection capability that may or may not hold up. The bundle exists, but the label implies a uniform quality the components don't always deliver.
What each component actually delivers
Evaluate CNAPP component by component. Three of the four are worth what you pay. The fourth is where the category's promise outruns its delivery, and it's the one to test hardest before signing.
CSPM is the strongest component, with one consistent blind spot
CSPM is the most mature piece across every CNAPP I've looked at. It handles configuration scanning and compliance benchmarking, including misconfiguration detection. It's well understood and genuinely useful, and if a vendor is weak here, something has gone badly wrong.
CSPM's blind spot is structural. It monitors configuration state and misses runtime behavior: it tells me a bucket is public while missing valid-credential data staging through it.
If an instance is compromised but still correctly configured, posture tools may miss it entirely. Credential abuse and malware-free activity are exactly where posture-only tooling struggles, because a correctly configured resource accessed by a stolen credential is invisible to CSPM by design.
CIEM is table stakes
CIEM analyzes entitlements and finds roles or accounts with more access than they need. It helps you find the identity and access management (IAM) role nobody scoped down and the service account with more access than it ever needed.
In most CNAPP evaluations, I treat CIEM as a baseline capability rather than a differentiator. It should be present and competent, but I don't make platform decisions on the strength of a CIEM module alone. The right-sizing it provides reduces the blast radius when credentials do get abused, but the capability itself rarely decides the buy.
CWPP depends entirely on whether you're buying agent or agentless
This is the component where vendors disclose the least and the difference matters the most. Agentless implementations scan from outside the guest operating system (OS). Agent-based implementations run software on the host and see process execution in real time.
Agentless gives you broad coverage with minimal operational friction, but it gives you a snapshot-oriented view rather than live process execution. For runtime threats that unfold in minutes, a periodic snapshot is weaker than event-driven detection at the host.
Agent-based and eBPF approaches trace host activity at the event source and catch privilege escalation as it happens. Ask which one you're buying, and ask what the scan cadence is.
CDR is the component that keeps disappointing
CDR is behavioral detection of active threats across identity, workload, and the cloud control plane. It's the piece that's supposed to catch the credential abuse CSPM can't see, and it is consistently absent or immature, sometimes because it was acquired later.
The acquisition pattern tells the story. Wiz acquired Gem Security in 2024 to round out its cloud detection and response portfolio, and Fortinet acquired Lacework the same year.
When major platform vendors buy detection capability rather than shipping it as part of the original CNAPP architecture, the implication is that CDR became table stakes faster than some platforms could build it natively.
A CDR tab may still lack production-grade behavioral detection. Posture-first platforms collect control-plane snapshots, while real cloud detection requires telemetry CSPM never collects: identity behavioral logs, workload runtime, and software-as-a-service (SaaS) and OAuth events.
Where CDR isn't present, you're paying for a posture tool with a detection tab full of misconfiguration findings.
Three questions that reveal whether the CDR is real
I ask these on every CNAPP call now, and they expose a weak detection component faster than any feature list.
The first vendor that fooled me had a Detections tab populated with red counters that turned out to be misconfigurations. I almost signed the renewal anyway because the rest of the deck was strong. Now I lead with these instead.
- Which MITRE ATT&CK Cloud Matrix techniques do you detect, by technique ID? Ask for IDs, not category descriptions. A real CDR can speak to specifics like T1078.004 (Valid Accounts: Cloud Accounts), T1098.001 (Additional Cloud Credentials), and T1530 (Data from Cloud Storage). Push them to the MITRE Cloud Matrix technique level and watch what happens.
- Does your investigation workflow show runtime behavioral telemetry or control-plane snapshots? A timeline built from periodic config state rather than live event telemetry is posture reporting under a detection label.
- Can you demonstrate cross-domain correlation on a credential abuse scenario? Walk an identity anomaly through privilege escalation to data staging: valid account use, infrastructure activity, credential access, and access to cloud storage. If the demo can't connect those dots across identity, workload, and control plane, the CDR is missing or not production-ready.
A vendor that clears all three is selling real detection; many clear only the first.
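The third question above, and the CSPM blind spot described earlier, can be made concrete in code. The following is an added example written for this article, not code from any CNAPP vendor: a CSPM-style posture check that returns nothing for a correctly configured bucket, beside a correlation routine that walks one principal through T1078.004 (anomalous valid-account login), T1098.001 (new credential) and T1530 (burst of object reads) within a time window. The event records are constructed to resemble simplified AWS CloudTrail entries; the mapping of technique IDs to API calls, the two-hour window, the read threshold, the account ID and the IP addresses (RFC 5737 documentation ranges) are all assumptions for the example.

```python
"""Detection-side illustration of the credential-abuse walkthrough above.
Added example, not code from the article or any CNAPP vendor. Event records
are constructed to resemble simplified AWS CloudTrail entries; the technique
to API-call mapping, the window and the read threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed posture state for one bucket: private and encrypted.
BUCKETS = {"finance-exports": {"public": False, "encrypted": True}}

# Addresses the organization normally logs in from (constructed, RFC 5737 ranges).
KNOWN_IPS = {"198.51.100.5", "198.51.100.6"}

# Technique IDs from the article, each mapped to the API calls treated as
# evidence for that stage. Assumed mapping for the example, not a standard.
STAGE_EVENTS = {
    "T1078.004": {"ConsoleLogin", "AssumeRole"},          # Valid Accounts: Cloud Accounts
    "T1098.001": {"CreateAccessKey", "AttachUserPolicy"},  # Additional Cloud Credentials
    "T1530": {"GetObject", "ListObjects"},                 # Data from Cloud Storage
}
STAGE_ORDER = ["T1078.004", "T1098.001", "T1530"]
WINDOW = timedelta(hours=2)      # all stages must complete within this span (assumed)
READ_THRESHOLD = 3               # object reads that count as staging (assumed)


def posture_findings(buckets):
    """CSPM-style check: inspects configuration state only.
    Returns names of buckets that are public or unencrypted."""
    return sorted(n for n, c in buckets.items() if c["public"] or not c["encrypted"])


def correlate_credential_abuse(events, known_ips):
    """Walk each principal's events in time order and advance through the
    three stages. A chain counts only if it reaches T1530 within WINDOW of
    the anomalous login. Returns {principal: [technique IDs observed]}."""
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e["userIdentity"]].append(e)

    chains = {}
    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: e["eventTime"])
        stage_idx, observed, start, reads = 0, [], None, 0
        for e in evs:
            if stage_idx == len(STAGE_ORDER):
                break
            stage = STAGE_ORDER[stage_idx]
            if e["eventName"] not in STAGE_EVENTS[stage]:
                continue
            t = datetime.fromisoformat(e["eventTime"])
            if start is not None and t - start > WINDOW:
                break  # later activity falls outside the correlation window
            if stage == "T1078.004":
                if e["sourceIPAddress"] in known_ips:
                    continue  # a login from a known address is not an anomaly by itself
                start = t
            elif stage == "T1530":
                reads += 1
                if reads < READ_THRESHOLD:
                    continue  # a single read is normal; wait for a burst
            observed.append(stage)
            stage_idx += 1
        if observed and observed[-1] == "T1530":
            chains[principal] = observed
    return chains


def ev(time, name, who, ip, bucket=None):
    """Build one constructed CloudTrail-like record."""
    rec = {"eventTime": time, "eventName": name, "userIdentity": who, "sourceIPAddress": ip}
    if bucket:
        rec["requestParameters"] = {"bucketName": bucket}
    return rec


BOT = "arn:aws:iam::111111111111:user/deploy-bot"     # constructed: compromised principal
CON = "arn:aws:iam::111111111111:user/contractor"     # constructed: same pattern, too slow
ALICE = "arn:aws:iam::111111111111:user/alice"        # constructed: benign principal

SAMPLE_EVENTS = [
    ev("2025-03-01T09:00:00", "ConsoleLogin", BOT, "203.0.113.7"),
    ev("2025-03-01T09:04:00", "CreateAccessKey", BOT, "203.0.113.7"),
    ev("2025-03-01T09:10:00", "GetObject", BOT, "203.0.113.7", "finance-exports"),
    ev("2025-03-01T09:11:00", "GetObject", BOT, "203.0.113.7", "finance-exports"),
    ev("2025-03-01T09:12:00", "GetObject", BOT, "203.0.113.7", "finance-exports"),
    ev("2025-03-01T10:00:00", "ConsoleLogin", CON, "203.0.113.9"),
    ev("2025-03-01T10:05:00", "CreateAccessKey", CON, "203.0.113.9"),
    ev("2025-03-01T13:30:00", "GetObject", CON, "203.0.113.9", "finance-exports"),
    ev("2025-03-01T13:31:00", "GetObject", CON, "203.0.113.9", "finance-exports"),
    ev("2025-03-01T13:32:00", "GetObject", CON, "203.0.113.9", "finance-exports"),
    ev("2025-03-01T09:30:00", "ConsoleLogin", ALICE, "198.51.100.5"),
    ev("2025-03-01T09:35:00", "GetObject", ALICE, "198.51.100.5", "finance-exports"),
]

if __name__ == "__main__":
    print("posture findings:", posture_findings(BUCKETS))
    print("chains:", correlate_credential_abuse(SAMPLE_EVENTS, KNOWN_IPS))
```

Run as written, the posture check returns an empty list for the bucket while the correlation reports a complete chain for the deploy-bot principal only: the contractor principal shows the same login and credential events but its reads land outside the window, and the benign user's login comes from a known address and never opens a chain. That contrast is the point of the demo question: the same data-staging activity is invisible to configuration state and visible only to telemetry that links identity, credential and storage events by principal and time.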
What fills the gap when CNAPP CDR falls short
Where the CDR component is weak or absent, decide whether to add a detection-first cloud product, use runtime-first eBPF tooling, or cover the gap through AI-native Managed Detection and Response (MDR) with genuine cloud, identity, and SaaS coverage.
That third path matters because the threat data is clear. Stolen credentials rose to the second most common initial infection vector at 16% in Mandiant's M-Trends 2025, and attackers blend into legitimate activity through authorized pathways.
AI-native MDR providers with cloud, identity, workload, and SaaS telemetry address the area posture-first CNAPP architectures often miss. Apply the same critique standard to any MDR you evaluate: ask where the detection telemetry comes from, and ask for the credential abuse walkthrough.
No single label guarantees detection capability. CSPM and CIEM in your CNAPP are doing real work, but test the CDR component against the three questions before you assume it's doing the same.
If it can't walk a credential abuse scenario across domains in a demo, it won't do it in production either, and that's exactly where I'd push back on the bundle's promise of complete coverage. I almost signed on the strength of the slide deck once; don't.
Frequently asked questions about CNAPP
What does CNAPP stand for?
CNAPP stands for Cloud-Native Application Protection Platform. The category describes platforms that bundle cloud security capabilities across the application lifecycle. The four core components are CSPM, CIEM, CWPP, and CDR.
What's the difference between CNAPP and CSPM?
CSPM is one component of CNAPP, focused on configuration scanning, compliance, and misconfiguration detection across the cloud control plane. CNAPP is the broader bundle that adds entitlement management, workload protection, and detection and response on top of CSPM.
A strong CSPM score does not mean a strong CNAPP, because CSPM cannot see runtime behavior or credential abuse against correctly configured resources.
Does CNAPP include runtime threat detection?
It depends on the CDR component and the CWPP architecture. Agentless CWPP relies on snapshots and sees configuration or disk state rather than live process behavior, which can delay or miss runtime detection. Agent-based or eBPF implementations provide live runtime visibility. Ask which one you're buying and what the scan cadence is.
Which vendors offer CNAPP?
Commonly evaluated providers include Wiz, Palo Alto Networks, CrowdStrike, Microsoft Defender for Cloud, Orca Security, Sysdig, and Fortinet. They differ sharply on architecture: some are agentless-first, while others have stronger agent-based runtime capabilities. Treat the vendor list as an initial filter for evaluation.
Do I need CNAPP if I already have an MDR?
Possibly both, because they solve different problems. CNAPP is a technology platform covering posture, entitlements, and workload protection across the cloud lifecycle.
MDR is a managed service for detection and response, and many MDR offerings still vary widely in cloud, identity, workload, and SaaS visibility. If your MDR has real cloud, identity, and SaaS detection coverage, it may close the gap a weak CNAPP CDR leaves.