The 30-second version: CSPM finds misconfigurations. CWPP protects what's running on your VMs and containers. CIEM analyzes who can do what across your IAM. DSPM finds and watches your sensitive data. CNAPP is the umbrella that bundles all of the above into one platform. SSPM does the same job as CSPM but for SaaS apps (Microsoft 365, Salesforce) instead of cloud accounts.
If you only buy one tool, buy a CSPM (or the CSPM module of a CNAPP). As a rough rule of thumb it accounts for 60–70% of the cloud-security findings most teams ever see. The other categories are layers you add as your environment matures.
📖 On this page
- Side-by-side comparison
- CSPM — Cloud Security Posture Management
- CWPP — Cloud Workload Protection Platform
- CIEM — Cloud Infrastructure Entitlement Management
- DSPM — Data Security Posture Management
- SSPM — SaaS Security Posture Management
- CNAPP — the umbrella category
- Which do I actually need?
- Open-source options for each
- FAQ
Side-by-side comparison
The categories are easier to keep straight when you see them next to each other:
| Category | What it watches | Primary signal | Catches things like | When you need it |
|---|---|---|---|---|
| CSPM | Cloud account configuration | Cloud APIs, IaC scans | Public S3, open SGs, missing MFA, no encryption | From day one |
| CWPP | Running VMs, containers, serverless | Agents, eBPF, syscalls | Vulnerable images, unauthorized processes, malware | When you run K8s/VMs at scale |
| CIEM | IAM permissions across accounts | CloudTrail, IAM policies | Over-privileged roles, unused permissions, privilege paths | When IAM > ~50 roles |
| DSPM | Data stores (S3, RDS, Snowflake, etc.) | Content scanning, classification | PII in dev environments, shadow data, exposed databases | When you have regulated data |
| SSPM | SaaS apps (M365, Salesforce, GitHub) | SaaS APIs, OAuth tokens | Risky third-party app grants, weak SaaS configs | When SaaS sprawl matters |
| CNAPP | All of the above | Multi-source unified | Toxic combinations across categories | When tool sprawl hurts |
CSPM — Cloud Security Posture Management
The oldest and most mature category. CSPM tools continuously scan your cloud accounts (AWS, Azure, GCP, OCI) via their APIs and flag deviations from a security baseline: public S3 buckets, security groups open to the internet on port 22, unencrypted databases, IAM users without MFA, root-account access keys, missing CloudTrail, the works.
What good CSPM does
- Continuous scanning across every cloud account in your organization
- Findings mapped to standards (CIS Benchmarks, AWS FSBP, NIST, PCI DSS, HIPAA)
- IaC scanning at PR time (Terraform, CloudFormation, Bicep) so misconfigurations don't reach prod
- Auto-remediation playbooks for common findings ("close this public S3 bucket")
- Compliance posture reporting that satisfies auditors without manual evidence collection
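To make "flag deviations from a baseline" concrete, here is an added example (written for this page, not code from Prowler or any CSPM product) of two checks of the kind every CSPM ships: remote-admin ports open to the world, and public S3 bucket policies. The inputs are hand-built dicts in the shape of `describe-security-groups` and `get-bucket-policy` output; the control IDs are placeholder labels rather than official CIS numbering. The interesting part is the edge cases a naive check misses: a rule with protocol `-1` lists no ports at all, a range like 0–1024 merely includes 22, `::/0` is just as public as `0.0.0.0/0`, and a `Principal: "*"` statement scoped with `aws:SourceVpce` is not public.

```python
import ipaddress
import json

# Ports whose exposure to the whole internet a CSPM flags (illustrative subset).
ADMIN_PORTS = {22, 3389}

def world_exposed_port_range(rule):
    """Return (lo, hi) if this ingress rule reaches an admin port from any IPv4
    or IPv6 address, else None. Covers what a naive 'FromPort == 22' check
    misses: protocol -1 (all traffic, no ports listed), a port range that
    merely includes 22, and IPv6 ::/0."""
    proto = str(rule.get("IpProtocol", "-1"))
    if proto == "-1":
        lo, hi = 0, 65535
    elif proto in ("tcp", "6"):
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    else:
        return None
    hits_admin_port = any(lo <= p <= hi for p in ADMIN_PORTS)
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    world = any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)
    return (lo, hi) if hits_admin_port and world else None

def check_security_groups(groups):
    """Check 1: remote-admin ports open to the world (describe-security-groups shape)."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            span = world_exposed_port_range(rule)
            if span:
                findings.append({"control": "SG-ADMIN-PORT-WORLD", "resource": sg["GroupId"],
                                 "detail": f"ingress ports {span[0]}-{span[1]} from any address"})
    return findings

def statement_is_public(st):
    """Allow to Principal '*' with no scoping condition is public. The same
    statement conditioned on aws:SourceVpce / aws:SourceVpc / aws:PrincipalOrgID
    is scoped to a VPC endpoint or an organisation: the classic false positive."""
    if st.get("Effect") != "Allow":
        return False
    principal = st.get("Principal")
    star = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
    if not star:
        return False
    scoping = {"aws:sourcevpce", "aws:sourcevpc", "aws:principalorgid"}
    cond_keys = {k.lower() for op in st.get("Condition", {}).values() for k in op}
    return not (cond_keys & scoping)

def check_bucket_policies(buckets):
    """Check 2: public bucket policies (get-bucket-policy returns the policy as a JSON string)."""
    findings = []
    for b in buckets:
        policy = json.loads(b["Policy"]) if isinstance(b["Policy"], str) else b["Policy"]
        if any(statement_is_public(st) for st in policy.get("Statement", [])):
            findings.append({"control": "S3-POLICY-PUBLIC", "resource": b["Name"],
                             "detail": "bucket policy grants Principal '*' without a scoping condition"})
    return findings

# Constructed inputs mimicking the AWS API shapes; nothing here is real infrastructure.
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
    {"GroupId": "sg-legacy", "IpPermissions": [   # range that merely includes 22, open to the IPv6 world
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-allow-all", "IpPermissions": [  # all traffic: no FromPort/ToPort keys at all
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]
BUCKETS = [
    {"Name": "public-assets", "Policy": json.dumps({"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::public-assets/*"}]})},
    {"Name": "vpc-only", "Policy": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::vpc-only/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}},
    {"Name": "app-data", "Policy": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"}, "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::app-data/*"}]}},
]

def run_all():
    return check_security_groups(SECURITY_GROUPS) + check_bucket_policies(BUCKETS)

if __name__ == "__main__":
    for f in run_all():
        print(f"[{f['control']}] {f['resource']}: {f['detail']}")
```

The same two functions run unchanged against the resource blocks a Terraform plan produces, which is what "IaC scanning at PR time" means in practice: the check is the same, only the input source moves from the cloud API to the plan JSON.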
Pros
The most cost-effective credible cloud-security investment. Closes the bulk of the "how did this happen?" findings before they happen. Mature category: every cloud-security vendor has a CSPM module.
Cons
Doesn't see anything inside your workloads. Can't tell you if a process is doing something it shouldn't, only whether the surrounding configuration allows that to happen. CSPM-alone teams sometimes get a false sense of security ("we have 0 findings") while runtime threats go undetected.
Examples
Open-source: Prowler, ScoutSuite, Steampipe, Cloudsplaining. Provider-native: AWS Security Hub, Microsoft Defender for Cloud, Google Security Command Center. Commercial: Wiz, Orca, Lacework (acquired by Fortinet in 2024), Palo Alto Prisma Cloud, CrowdStrike Falcon Cloud Security, Tenable Cloud Security.
CWPP — Cloud Workload Protection Platform
CWPP protects the running workload — virtual machines, containers, serverless functions. It's the cloud-era successor to endpoint protection: where EDR watches a Windows desktop's processes and registry, CWPP watches a Linux VM's syscalls or a Kubernetes pod's network and filesystem activity.
What good CWPP does
- Vulnerability scanning of container images (registry and runtime) and VM disk images
- Runtime threat detection — unauthorized process execution, network connections to known-bad IPs, privilege escalation, file integrity violations
- Behavioral baselining — alert when a workload starts doing something it never did before
- Compliance evidence (file integrity monitoring for PCI DSS, host-level audit logs for SOC 2)
- Increasingly, eBPF-based agents that don't require kernel modules and have low overhead
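The two detection styles in that list (a fixed rule and a learned baseline) look like this in practice. This is an added example written for this page, not Falco or Tetragon code; it runs over constructed process-exec events in the shape an eBPF sensor would typically emit (image, container, parent executable, executable, whether a TTY was attached). The shell list and the idea of a learning window are illustrative choices.

```python
# Shells whose interactive spawn inside a container is almost never legitimate
# in production (illustrative list).
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/zsh", "/bin/busybox"}

def rule_terminal_shell(event):
    """Signature-style rule: an interactive (TTY-attached) shell spawned inside a
    container. Fires regardless of any baseline; this is what `kubectl exec`
    or a reverse shell produces, and what a configuration scanner cannot see."""
    return event["container"] is not None and event["exe"] in SHELLS and event["tty"]

class ExecBaseline:
    """Behavioral-style rule: learn, per image, the set of (parent, exe) pairs
    observed during a learning window; anything else is a deviation."""
    def __init__(self, learning_events):
        self.profile = {}
        for ev in learning_events:
            self.profile.setdefault(ev["image"], set()).add((ev["parent"], ev["exe"]))

    def is_deviation(self, event):
        return (event["parent"], event["exe"]) not in self.profile.get(event["image"], set())

def detect(learning_events, live_events):
    """Run both rules over live events; each event yields at most one alert."""
    baseline = ExecBaseline(learning_events)
    alerts = []
    for ev in live_events:
        if rule_terminal_shell(ev):
            alerts.append(("terminal_shell_in_container", ev["container"], ev["exe"]))
        elif baseline.is_deviation(ev):
            alerts.append(("exec_outside_baseline", ev["container"], f"{ev['parent']} -> {ev['exe']}"))
    return alerts

def ev(image, container, parent, exe, tty=False):
    """Build a constructed process-exec event in the shape a sensor might emit."""
    return {"image": image, "container": container, "parent": parent, "exe": exe, "tty": tty}

# Constructed learning-window events for image web:1.4 (what it normally does).
LEARNING = [
    ev("web:1.4", "web-1", "/usr/local/bin/entrypoint.sh", "/bin/sh"),         # entrypoint uses sh non-interactively
    ev("web:1.4", "web-1", "/usr/local/bin/entrypoint.sh", "/usr/sbin/nginx"),
    ev("web:1.4", "web-2", "/usr/sbin/nginx", "/usr/sbin/nginx"),               # master spawning workers
]
# Constructed live events: normal activity plus a webshell-style chain and an interactive exec.
LIVE = [
    ev("web:1.4", "web-2", "/usr/sbin/nginx", "/usr/sbin/nginx"),
    ev("web:1.4", "web-2", "/usr/sbin/nginx", "/bin/sh"),                       # nginx should never spawn a shell
    ev("web:1.4", "web-2", "/bin/sh", "/usr/bin/curl"),                         # ...let alone curl
    ev("web:1.4", "web-1", "/usr/bin/containerd-shim-runc-v2", "/bin/bash", tty=True),  # interactive exec into pod
    ev("web:1.4", "web-1", "/usr/local/bin/entrypoint.sh", "/bin/sh"),          # known from learning, no alert
]

if __name__ == "__main__":
    for alert in detect(LEARNING, LIVE):
        print(alert)
```

Two design points carry over to real tools. The baseline is keyed per image rather than per container, so a new replica of the same image does not re-trigger learning, and the non-interactive `sh` the entrypoint runs is learned as normal while `nginx -> sh` is not. And a baseline keyed on executable paths is bypassable by an attacker who copies a binary under a benign name, which is why production sensors also record the executable's hash and the arguments.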
Pros
Catches what CSPM can't see: the post-exploitation and persistence stages of an attack. Falco's "Terminal shell in container" rule is the canonical example; a misconfiguration scanner has no way to notice a shell appearing inside a pod that never ran one.
Cons
Agent management overhead. False-positive tuning is a real ongoing job. Coverage gaps on serverless workloads (Lambda, Cloud Functions, Cloud Run) where you can't run an agent — those rely on provider-side telemetry instead.
Examples
Open-source: Falco, Tetragon (eBPF-based), Trivy (image vuln). Commercial: most CNAPP platforms include CWPP modules; SentinelOne, CrowdStrike, Sysdig Secure, Aqua, Palo Alto Prisma all have strong workload offerings.
CIEM — Cloud Infrastructure Entitlement Management
CIEM is IAM as a graph problem. It analyzes every identity (user, role, service principal, workload identity) and every permission across every cloud account, finds privilege-escalation paths, and surfaces over-permissioned roles.
What good CIEM does
- Map effective permissions — what can identity X actually do, once every attached policy, group membership, permission boundary, service control policy (SCP) and condition key has been evaluated?
- Find unused permissions — "this role has S3:* but only ever uses S3:GetObject, here's the trimmed policy"
- Detect privilege-escalation chains — "this user can iam:CreatePolicyVersion on a policy attached to themselves, which means they can become admin"
- Cross-cloud visibility — federations, SAML trust relationships, OIDC workload identities, all in one graph
- Drift alerting — flag when a role's permissions expand beyond its baseline
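Here is the "IAM as a graph problem" idea reduced to a runnable sketch. This is an added example for this page, not the code of any CIEM product or of IAM Access Analyzer. It assumes a tiny constructed action catalogue in place of the real AWS action list, constructed policy documents, a constructed trust map (role to principals allowed to assume it) and a constructed CloudTrail usage summary; it ignores Resource ARNs, Conditions, SCPs and permission boundaries, all of which a real tool must evaluate. It shows the three things in the list above: effective permissions (explicit Deny wins over Allow), the unused-permission diff with the trimmed policy a CIEM would propose, and a breadth-first search over sts:AssumeRole edges to find a chain from a low-privilege user to an admin role.

```python
from collections import deque
from fnmatch import fnmatch

# Constructed stand-in for the (much larger) AWS action catalogue a real CIEM
# expands wildcards against.
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:DeleteObject",
    "iam:CreatePolicyVersion", "iam:AttachUserPolicy", "iam:PassRole", "iam:ListRoles",
    "sts:AssumeRole", "ec2:DescribeInstances",
]
# Actions that by themselves are well-known privilege-escalation primitives in AWS IAM.
PRIVESC_ACTIONS = {"iam:CreatePolicyVersion", "iam:AttachUserPolicy", "iam:PassRole"}

def expand(action_field):
    """Expand an IAM Action field ('s3:*', ['iam:Create*', ...]) to concrete actions."""
    patterns = [action_field] if isinstance(action_field, str) else action_field
    return {a for a in ACTION_CATALOGUE if any(fnmatch(a.lower(), p.lower()) for p in patterns)}

def effective_actions(policies):
    """Allow union minus Deny union across every attached policy (explicit Deny wins).
    Resources, Conditions, SCPs and permission boundaries are deliberately ignored."""
    allowed, denied = set(), set()
    for policy in policies:
        for st in policy["Statement"]:
            (allowed if st["Effect"] == "Allow" else denied).update(expand(st["Action"]))
    return allowed - denied

def unused_actions(effective, usage_events):
    """Permissions granted but never seen in CloudTrail during the baseline window."""
    return effective - set(usage_events)

def least_privilege_policy(usage_events):
    """The trimmed policy a CIEM proposes: exactly the actions actually used."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": sorted(set(usage_events)), "Resource": "*"}]}

def privesc_flags(effective):
    return sorted(effective & PRIVESC_ACTIONS)

def is_admin(effective):
    return set(ACTION_CATALOGUE) <= effective

def find_escalation_path(start, identities, trust):
    """Breadth-first search over sts:AssumeRole edges from `start`; returns the
    first chain of identities ending in an admin principal, or None.
    `trust` maps role -> set of principals its trust policy allows to assume it."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        perms = effective_actions(identities[path[-1]])
        if is_admin(perms):
            return path
        if "sts:AssumeRole" not in perms:
            continue
        for role, principals in trust.items():
            if path[-1] in principals and role not in seen:
                seen.add(role)
                queue.append(path + [role])
    return None

# Constructed identities: each maps to the list of policy documents attached to it.
IDENTITIES = {
    "dev-user": [{"Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "sts:AssumeRole"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ]}],
    "ci-role": [{"Statement": [
        {"Effect": "Allow", "Action": ["iam:CreatePolicyVersion", "ec2:DescribeInstances", "sts:AssumeRole"],
         "Resource": "*"},
    ]}],
    "admin-role": [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}],
}
# Constructed trust policies: role -> principals allowed to sts:AssumeRole it.
TRUST = {"ci-role": {"dev-user"}, "admin-role": {"ci-role"}}
# Constructed 90-day CloudTrail summary: actions dev-user actually called.
USAGE = {"dev-user": ["s3:GetObject", "s3:ListBucket", "sts:AssumeRole", "s3:GetObject"]}

if __name__ == "__main__":
    perms = effective_actions(IDENTITIES["dev-user"])
    print("dev-user effective:", sorted(perms))
    print("dev-user unused:", sorted(unused_actions(perms, USAGE["dev-user"])))
    print("proposed policy:", least_privilege_policy(USAGE["dev-user"]))
    print("ci-role privesc primitives:", privesc_flags(effective_actions(IDENTITIES["ci-role"])))
    print("path to admin:", " -> ".join(find_escalation_path("dev-user", IDENTITIES, TRUST)))
```

Note that dev-user's own policy looks harmless (S3 plus AssumeRole), and ci-role's looks like a build role. The finding only appears when the two are joined through the trust policy: dev-user -> ci-role -> admin-role. That join across identities is the graph, and it is why a per-role policy review misses these chains.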
Pros
The thing that catches the 2019 Capital One pattern (over-privileged instance role + SSRF). Mature CIEM tools turn IAM least privilege from a wish into an operational practice.
Cons
Hard to operationalize at small scale — if you have 5 IAM roles, you don't need a graph database. Implementation effort is real: tuning what counts as "actually unused" requires baselining and data review.
Examples
Open-source: Cloudsplaining, Pacu (offensive — finds privilege paths), ROADtools (Entra). Provider-native: AWS IAM Access Analyzer (gets closer with each release), Microsoft Entra Privileged Identity Management. Commercial CIEM is typically a CNAPP module now (Wiz, Orca, Sonrai, Ermetic / Tenable).
DSPM — Data Security Posture Management
DSPM scans your data stores (S3, EBS snapshots, RDS, BigQuery, Snowflake, GitHub repos…) and tells you what sensitive data lives where, who can access it, and whether the surrounding controls match the data's classification. It is the newest of these categories; the term emerged around 2022.
What good DSPM does
- Auto-discover and classify data — PII, PCI, PHI, IP, secrets — at scale, without sampling
- Map data flow — "this PII lives in a prod RDS, snapshots get copied to a dev account, the dev account is shared with a contractor"
- Surface "shadow data" — copies of regulated data in places nobody's tracking (test environments, shared drives, backup buckets)
- Tie data classification to access policy — flag sensitive data accessible to overly broad principals
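The last two bullets (shadow data, classification tied to access) are easiest to see end to end in code. This is an added example written for this page, not Macie, Presidio or any vendor's classifier. It assumes constructed data stores (name, environment, list of principals that can read it, a few sample records), a small illustrative set of regex detectors, and illustrative severity rules; all sample values are made up, and the `AKIA…` string is the example key from AWS documentation, not a live credential. The detail worth noticing is the Luhn check: a 16-digit order number and a card number look identical to a regex, and without the checksum a DSPM drowns you in PCI false positives.

```python
import re

# Detectors: a small illustrative set, not a full classifier.
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,16}\b")     # confirmed by Luhn below
AWS_ACCESS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

def luhn_ok(digits):
    """Luhn checksum: what separates a card number from an order ID of the same length."""
    total, double = 0, False
    for d in reversed(digits):
        n = int(d) * 2 if double else int(d)
        total += n - 9 if n > 9 else n
        double = not double
    return total % 10 == 0

def classify(text):
    """Return the set of data-class labels found in one record."""
    labels = set()
    if EMAIL.search(text):
        labels.add("PII:email")
    if SSN.search(text):
        labels.add("PII:ssn")
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            labels.add("PCI:pan")
            break
    if AWS_ACCESS_KEY.search(text):
        labels.add("SECRET:aws_access_key")
    return labels

# Classes that make a store 'sensitive' for posture purposes; email alone does not.
SENSITIVE = {"PII:ssn", "PCI:pan", "SECRET:aws_access_key"}

def assess(stores):
    """Classify each store, then tie the classification to where it lives and who can read it."""
    findings = []
    for s in stores:
        labels = set().union(*(classify(r) for r in s["records"]))
        sensitive = labels & SENSITIVE
        base = {"store": s["name"], "labels": sorted(labels)}
        if sensitive and s["environment"] != "prod":
            findings.append({**base, "issue": "sensitive data outside prod"})
        if sensitive and ("*" in s["readers"] or any(r.startswith("external:") for r in s["readers"])):
            findings.append({**base, "issue": "sensitive data readable by broad or external principal"})
        if "SECRET:aws_access_key" in labels:
            findings.append({**base, "issue": "secret material stored in a data store"})
    return findings

# Constructed data stores with sample records (all values are made up; the AKIA
# key is the example key from AWS documentation, not a live credential).
STORES = [
    {"name": "prod-customers", "environment": "prod", "readers": ["role/app"],
     "records": ["alice@example.com, SSN 123-45-6789"]},
    {"name": "dev-customers-snapshot", "environment": "dev",          # the snapshot nobody tracks
     "readers": ["role/dev-team", "external:contractor-account"],
     "records": ["alice@example.com, SSN 123-45-6789"]},
    {"name": "payments-export", "environment": "prod", "readers": ["*"],
     "records": ["card 4111 1111 1111 1111 exp 12/29"]},
    {"name": "analytics-orders", "environment": "dev", "readers": ["role/analyst"],
     "records": ["order 1234567890123456 shipped to bob@example.com"]},   # 16 digits, fails Luhn
    {"name": "ci-logs", "environment": "prod", "readers": ["role/ci"],
     "records": ["export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"]},
]

if __name__ == "__main__":
    for f in assess(STORES):
        print(f"{f['store']}: {f['issue']} (labels: {', '.join(f['labels'])})")
```

The prod customer table with the same PII produces no finding; the copy of it in the dev account shared with a contractor produces two. That is the "data flow" bullet above in miniature: the classification is identical, the posture difference comes entirely from environment and readers.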
Pros
Increasingly the differentiator for organizations with regulatory burden (healthcare, financial services, EU residents under GDPR). Catches things CSPM and CWPP miss because they're not looking at the actual data.
Cons
Newest category, so terminology and capabilities still shifting. Scanning costs (especially at S3 scale) can be material. Privacy-of-the-scanner concerns: in some regulated environments, you can't ship customer data out of the account to a SaaS DSPM.
Examples
Open-source: Open-DSPM. Provider-native: Amazon Macie (AWS only). Commercial: Wiz DSPM, Cyera, Sentra, Dig (acquired by Palo Alto), Laminar (acquired by Rubrik), Symmetry.
SSPM — SaaS Security Posture Management
The same job CSPM does for IaaS, but for SaaS — Microsoft 365, Google Workspace, Salesforce, GitHub, Slack, Workday, etc. It catches risky configurations, third-party OAuth grants, and dormant admin accounts that traditional cloud security tools don't see.
What good SSPM does
- Catalog OAuth apps connected to corporate SaaS, with risk scores
- Find unused/forgotten admin accounts and external collaborators
- Audit SaaS configurations against vendor benchmarks (Microsoft Secure Score, Google Workspace security best practices)
- Detect risky behavior — bulk downloads, anomalous OAuth grants, unusual login locations
Pros
SaaS is where most modern data lives. CSPM tools don't look inside SaaS apps at all, and proxy-based CASB sees traffic rather than tenant configuration and OAuth grants. The OAuth-app problem alone is worth the cost for orgs with 100+ SaaS subscriptions.
Cons
Coverage varies wildly by app — vendors integrate with the most popular apps first. Long tail of niche SaaS may not be supported. Less critical for organizations with strict SaaS allowlists.
Examples
Commercial: AppOmni, Adaptive Shield (acquired by CrowdStrike), Obsidian, Reco, DoControl. Microsoft and Google's native security centers cover their own ecosystems well.
CNAPP — the umbrella category
Coined by Gartner in 2021. CNAPP doesn't replace any of the above; it bundles them. A CNAPP platform typically includes CSPM + CWPP + CIEM + IaC scanning + container vulnerability scanning + (increasingly) DSPM, with a unified data model and one console.
The pitch
One pane of glass. One vendor relationship. Toxic-combination detection — the unique CNAPP capability that no single-category tool offers. A CSPM might tell you "this S3 bucket is public." A separate CIEM might tell you "this IAM role has unused permissions." A CNAPP can tell you "this S3 bucket is public AND contains regulated PII AND is accessible by a workload identity that's reachable from the internet via a known-vulnerable container." That cross-domain reasoning is the actual value.
Pros
Operationally simpler if you're starting from scratch. Cross-domain detections that point tools can't replicate. Single procurement / contract / training surface. Generally cheaper than buying CSPM + CWPP + CIEM + DSPM separately at scale.
Cons
Vendor lock-in. A CNAPP that's mediocre at one of its modules may still beat your existing point tool because of integration leverage — but the reverse is true too. "Best of breed" arguments exist for a reason. Also: CNAPP is a market category, not a product spec — what one vendor calls CNAPP differs in capability from another by a lot.
Buying considerations
- Coverage of YOUR clouds (some are AWS-strong but Azure/GCP shallow)
- Agent footprint (agentless snapshot-based scanning is now the bar for posture and vulnerability coverage, but runtime detection still needs a sensor on the host or node; treat "agentless" as a coverage claim to verify per workload type, not as a reason to skip CWPP)
- How well it integrates with your SIEM, ticketing, and IaC pipelines
- Detection content quality — anyone can ship 1,000 rules; the question is which fire and which are noise
- Pricing model — most charge per workload or per "billable resource"; do the math at your actual size
Examples
Wiz (the market leader as of 2026), Orca, Lacework (acquired by Fortinet in 2024), Palo Alto Prisma Cloud, CrowdStrike Falcon Cloud Security, Microsoft Defender for Cloud (the first-party CNAPP for Azure), Sysdig Secure, Aqua, Tenable Cloud Security, Check Point CloudGuard.
Which do I actually need?
The honest answers, by maturity stage:
"We just put workloads in the cloud last quarter"
Start with provider-native CSPM (AWS Security Hub, Microsoft Defender for Cloud, GCP Security Command Center). They're cheap, decent, and tied to the cloud you're already using. Get the findings to zero before evaluating commercial tools. Open-source Prowler for ad-hoc deep audits.
"We have a few hundred resources across AWS"
Add a commercial CSPM (or the CSPM module of a CNAPP). The provider-native tools start to feel limited at this scale — too many findings, hard to triage, weak IaC scanning. Wiz, Orca, and Lacework are the typical short-list.
"We run Kubernetes in production"
Add CWPP. Falco as a free starting point if you have the operational chops; commercial CNAPP CWPP modules if you want managed detection content and consolidated alerting. Definitely do Network Policies and Pod Security Standards — those are configuration practices, not products.
"Our IAM has gotten complicated"
If you've crossed roughly 50 IAM roles or 5 cloud accounts, CIEM starts paying off. AWS IAM Access Analyzer is a free starting point. Commercial CIEM (now mostly CNAPP-bundled) for the privilege-escalation graph view.
"We handle regulated data"
Add DSPM. Especially if you have data flowing through copy/snapshot/backup pipelines that nobody's tracking. AWS Macie is a starting point on AWS; commercial DSPM for multi-cloud and finer classification.
"We have 200+ SaaS subscriptions"
Add SSPM. Especially worth it if you have a distributed workforce making OAuth-grant decisions you don't see.
"We have 4 different point tools and security ops is drowning"
This is where CNAPP consolidation makes financial sense. Run a serious POC — POCs are how you discover that "consolidated" doesn't always mean "as good as the point tool you're replacing."
Open-source options for each category
You can build a credible cloud-security program entirely on open source, especially if you're small or budget-constrained. Quality is real:
- CSPM: Prowler (AWS, Azure, GCP, K8s — the gold standard), ScoutSuite, Steampipe (SQL queries against cloud APIs)
- CWPP: Falco (runtime detection), Tetragon (eBPF-based), Trivy (vuln scanning)
- CIEM: Cloudsplaining (AWS IAM least-privilege analysis), ROADtools (Entra ID)
- DSPM: Largely a commercial space; some adjacent OSS in the data-classification area (Microsoft Presidio for PII detection)
- IaC scanning: Checkov, Trivy (which absorbed tfsec), Conftest (OPA/Rego policies against plan output)
Combine: Prowler in CI for posture, Falco on K8s nodes for runtime, Cloudsplaining on a schedule for IAM drift, Macie or Presidio for data classification, Trivy at PR time for image scanning. That's a credible cloud-security program for free, with the trade-off of more operational overhead than a managed CNAPP.
FAQ
Is CNAPP just a marketing term?
It started as a Gartner-coined category, and there's marketing energy around it. But the bundled offerings are real product capabilities — not just rebadged CSPM. The cross-domain "toxic combination" detections are technically distinctive and require a unified data model that point tools don't have.
Should I buy CNAPP or stay best-of-breed?
Run the POC. The honest answer is: depends on your scale, your existing investments, your team's specialization, and the specific vendors. Most mid-size organizations end up at CNAPP because the operational simplification outweighs the per-module compromises. Specialized shops (heavy K8s, heavy regulated data) often stay best-of-breed for their critical category and use a CNAPP for everything else.
Where does CASB fit in?
CASB (Cloud Access Security Broker) is the older umbrella for SaaS controls, covering both proxy-based and API-based monitoring of SaaS usage. SSPM is essentially the API-based half of CASB, evolved. Many modern programs use SSPM directly and don't deploy CASB proxies.
Do I need a CNAPP if I'm fully serverless?
Mostly not. Serverless workloads (Lambda, Cloud Functions) have no agents to deploy or hosts to scan, so CSPM + IaC scanning + provider-native runtime telemetry covers most of what CNAPP would otherwise add. The exception is identity: every function runs under an execution role, and over-privileged execution roles are the main serverless risk, so the CIEM question does not go away.
What's "ASPM" and where does it fit?
ASPM (Application Security Posture Management) is the AppSec-flavor cousin — finds vulns in your code and dependencies, with attack-surface mapping into the running app. Mostly an AppSec tool category; some CNAPP vendors are extending into it.
Where next
- Cloud security best practices — the controls these tools implement.
- Shared responsibility model — what you actually need to secure.
- Resources directory — vendor and open-source tools, organized by category.
- Friday Zoom — practitioners debate tool selections every week. Bring your shortlist.
- Glossary — every acronym on this page, defined.