CNAPP is exiting much more quietly than it entered
Firewall vendors, in their constant search for new markets to ravage with their hardware profits, have chosen AI as the latest frontier to chase. Homepages once dominated by how they secure cloud have been replaced by AI-powered platforms for the future.
As a reminder, here’s my minimal definition of a Cloud Native Application Protection Platform (CNAPP), even though I’ll argue in a future article this shouldn’t exist:
1. Cloud misconfiguration scanning
2. Cloud asset vulnerability scanning
3. Some kind of workload protection agent
4. (optional) Some kind of cloud-based threat detection with cloud logs
5. (optional) CLI for IaC and container scanning
In this article, I’ll assert that Check Point’s and Palo’s transitions are an acknowledgement that the fight for the “posture” side of CNAPP (items 1 and 2) is over.
Two weeks ago, Check Point was kind enough to take me out to their kickoff event CPX, where all the shiny AI firewall features were on full display. Curiously, in light of the Wiz partnership, CloudGuard has morphed into CloudGuard WAF. This news comes in combination with Palo Alto’s big push passing the torch from Prisma Cloud to Cortex Cloud - which is really a data lake for runtime security data, but now including cloud.
Taken in isolation, these recent developments make a lot of sense. For Check Point, entering late into the CNAPP wars was always going to be an uphill battle, and one that they didn’t need to enter. It’s smarter to partner with Wiz and give customers what they want - a best-in-class CNAPP without getting strong-armed into a bundle.
For Palo Alto, in my view, it’s recognition that the CSPM wars are over, and Wiz won. (I am obliged to say that Orca is still a worthy competitor from a product perspective, but the hype isn’t there). Cortex might have a lot of the posture features of Prisma on paper, but it’s fundamentally an XSIAM (good luck with that one, it means XDR) built for the SOC. To be clear, the posture features still exist, but the platform as a whole is for operations teams.
In light of Wiz’s domination of the posture side of the market, companies are left with few angles to compete: push into runtime, vulnerability management, code or AI. Because Check Point never had the same presence as Palo in Cloud Security, their push into AI makes more sense. Unlike cloud, AI security actually has some organic crossover with the firewall and zero trust products - if you’re already monitoring employee network traffic, watching their AI traffic is a natural extension.
Conversely, Palo is shifting the focus to security operations teams, which also makes sense for them. I’ve always argued posture tools exist for developers, not security teams, because they reduce security teams to project managers and prioritizers, which is not what you really want us to be doing. To be clear, there will always be a place for cloud and application security architects, seeking to create guidance for these teams on secure architecture, but it was never a scalable problem: e.g. you can’t say “I have 3,000 new vulnerabilities, so let me hire 10 new security engineers,” but you would argue to hire more developers. The solution to posture findings always ended up back on engineering’s plate. This was a weakness for Palo, as installing an IDE plugin made by my firewall company still feels icky to even think about.
What does the future of CNAPP look like?
Palo’s shift to Cortex is fascinating to me because they basically invented CNAPP with their RedLock (posture) + Twistlock (workload) acquisitions. Passing the torch to cloud as an add-on to the SOC platform feels like a big deal. If we return to that initial idea of an all-in-one CNAPP, built for the wide range of developer-y, devops-y, cloud security people, it seems that the biggest players are unceremoniously passing the torch to Wiz and their competitors (mainly Aqua, Orca, Sysdig, and Upwind - ironically, Fortinet’s homepage doesn’t even mention cloud security outside of one report).
What’s big about the change from Palo’s side is it’s putting all security personas into a single place, which is my primary gripe against the effectiveness of CNAPP. Instead of recognizing that cloud security posture is a special tool used by a different persona, it combines SOC Analyst and Cloud Security into the same place, while inheriting much of the SOC oriented UX from Cortex.
Here are the three future categories that we’ll see get pushed more as a result of the transitions:
1. Cloud Detection and Response as part of XDR. There will arise a go-to Wiz-like player in the runtime world, but it’s a massively competitive space. First, there’s a real possibility that the Wiz-like runtime market winner ends up being Wiz themselves - Wiz Defend is pretty good. I just don’t buy that there’s a lot of value in CSPM + CDR, as much as everyone wants it to be the case because they built it that way. I’ve written about it elsewhere, and will be talking about it with ARMO in San Francisco on April 10th, but I think CADR will win here. To see who that next runtime Wiz might be, take a look at https://list.latio.tech/#best-CDR-tools
2. CTEM as unified vulnerability management for cloud, code, and on-prem. As much as I hate the acronym for what is just “better vulnerability management,” it will become a critical capability for anyone that even touches vulnerabilities. Wiz is also going in this direction with Dazz and Wiz Code, but there is still time for other players to move fast and solidify a leadership position, especially if they can show unified management across cloud and on-premise options. For those guys: https://list.latio.tech/#best-Vulnerability-Management-tools
3. ASPM as a single solution for securing code that’s built for developers. Like runtime, someone will win this space, and there’s also a decent chance that it’s Wiz themselves with Wiz Code. However, there are real challenges here - I’d argue a lot of ASPMs are much more developer friendly, but ultimately for many organizations it is security making the buying decision before developers. I also think runtime application security will grow as an important complement, either as CADR or as ADR by itself. https://list.latio.tech/#best-ASPM-tools
Ultimately, I’d argue CNAPP is properly splitting into its composite parts:
1. How do we operationalize reducing our cloud posture and vulnerability findings (CTEM or CSPM)?
2. How do we get developers writing secure code (ASPM)?
3. How do we get the SOC responding to cloud runtime alerts (CADR), and what will the future of the SOC look like?
In the meantime, the firewall bucks will pour into AI security, and I’ve got to prepare myself for the inevitable AIAPP acronym that’ll be just around the corner.