The Origins of CNAPP: Merging Proactive and Reactive Cloud Security
Initially, CNAPP emerged from the need to merge two cloud security categories, Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platforms (CWPP):
CSPM is focused on ensuring that cloud environments are configured securely, eliminating misconfigurations, improper permissions, and other vulnerabilities before attackers can exploit them.
CWPP, on the other hand, provides real-time monitoring and threat detection for workloads such as virtual machines, containers, and serverless functions running in the cloud.
Since its initial conception, though, CNAPP has evolved and diversified. Today, there are many different "flavors" of CNAPP solutions on the market, with vendors offering varying capabilities, approaches, and integrations. These solutions provide a mix of proactive and reactive security, with some leaning more toward vulnerability management, others focusing on runtime protection, and some blending both to create an all-encompassing solution.
Gartner’s Core Capabilities of CNAPP
Regardless of the type of CNAPP, there are core capabilities that are embedded in this solution. According to Gartner’s market guide for CNAPP, those core capabilities are:
Cloud Security Posture Management (CSPM)
Provides visibility into cloud security configurations, detects misconfigurations, and integrates with leading hyperscale cloud providers (AWS, Azure, GCP) to ensure compliance and security best practices.
Infrastructure as Code (IaC) Scanning
Scanning of IaC templates, including major scripting languages such as Terraform, CloudFormation, and YAML/Helm for Kubernetes, to prevent misconfigurations before deployment.
Cloud Infrastructure Entitlement Management (CIEM)
Provides visibility and control over identity, entitlement, and permission risks across cloud environments.
Kubernetes Security Posture Management (KSPM)
Offers security risk analysis of Kubernetes orchestration platforms, ensuring clusters and workloads adhere to security policies.
Container and Registry Scanning
Analyzes container images and registries for vulnerabilities, misconfigurations, and risks before they are deployed into production.
Vulnerability Management
Vulnerability scanning for known vulnerabilities.
Cloud Workload Protection (CWP)
Ensures security at the workload level through:
- Agentless runtime visibility into virtual machines (VMs), containers, and serverless functions
- Point-in-time analysis to detect threats within workloads
- Attack path analysis to understand how attackers might exploit vulnerabilities
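The IaC scanning capability listed above is easiest to understand with a concrete check. The following is an added example, not Sweet Security's code or any vendor's product: a minimal scanner over a CloudFormation template (JSON form) that flags three common misconfigurations before deployment. The template is constructed for this example, and the three rules (admin ports open to the world, IAM statements allowing `*` on `*`, S3 buckets without a complete public-access block) are the author's own illustrative choices.

```python
# Added example: a minimal IaC misconfiguration scanner for CloudFormation
# templates in JSON form. Not a vendor's code; rules and sample are illustrative.
import json

# Constructed sample template. Expected: three findings
# (AdminSG open SSH, DeployRole wildcard policy, DataBucket no public-access block).
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AdminSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "admin access",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "DeployRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "Policies": [{
                    "PolicyName": "all",
                    "PolicyDocument": {"Statement": [
                        {"Effect": "Allow", "Action": "*", "Resource": "*"},
                    ]},
                }],
            },
        },
        "LogBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"PublicAccessBlockConfiguration": {
                "BlockPublicAcls": True, "BlockPublicPolicy": True,
                "IgnorePublicAcls": True, "RestrictPublicBuckets": True,
            }},
        },
        "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    },
})

ADMIN_PORTS = {22, 3389}                 # SSH and RDP
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
REQUIRED_BLOCKS = ("BlockPublicAcls", "BlockPublicPolicy",
                   "IgnorePublicAcls", "RestrictPublicBuckets")


def _as_list(value):
    """CloudFormation/IAM allow scalars where lists are expected; normalise."""
    return value if isinstance(value, list) else [value]


def check_security_group(name, props):
    """Flag ingress rules exposing admin ports to any address."""
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        if rule.get("IpProtocol") == "-1" or lo == -1:   # "-1" means all ports
            lo, hi = 0, 65535
        if cidr in WORLD_CIDRS and any(lo <= p <= hi for p in ADMIN_PORTS):
            findings.append((name, "HIGH", f"admin port range {lo}-{hi} open to {cidr}"))
    return findings


def check_iam_policies(name, props):
    """Flag inline policies that allow every action on every resource."""
    findings = []
    for policy in props.get("Policies", []):
        for stmt in _as_list(policy.get("PolicyDocument", {}).get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            if "*" in _as_list(stmt.get("Action", [])) and "*" in _as_list(stmt.get("Resource", [])):
                findings.append((name, "HIGH", f"policy {policy.get('PolicyName')} allows * on *"))
    return findings


def check_s3_bucket(name, props):
    """Flag buckets whose public-access block is missing or incomplete."""
    block = props.get("PublicAccessBlockConfiguration", {})
    missing = [k for k in REQUIRED_BLOCKS if block.get(k) is not True]
    if missing:
        return [(name, "MEDIUM", "public access block incomplete: " + ", ".join(missing))]
    return []


CHECKS = {
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::IAM::Role": check_iam_policies,
    "AWS::IAM::User": check_iam_policies,
    "AWS::IAM::Group": check_iam_policies,
    "AWS::S3::Bucket": check_s3_bucket,
}


def scan_template(template_json):
    """Return (logical_id, severity, message) tuples for every rule that fires."""
    template = json.loads(template_json)
    findings = []
    for name, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return findings


if __name__ == "__main__":
    for logical_id, severity, message in scan_template(SAMPLE_TEMPLATE):
        print(f"[{severity}] {logical_id}: {message}")
```

Run in a CI step against the rendered template, the script exits after printing its findings; a real pipeline would fail the build on any HIGH result. Note that it scans the declared template only: a Terraform or Helm equivalent needs its own parser, and checks like these never see drift introduced after deployment, which is exactly the gap the CSPM and runtime capabilities above are meant to cover.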
The Evolution of Attacker Techniques: Why CNAPP Must Adapt
As CNAPP technology advanced, so did the techniques used by adversaries. Modern cloud attacks are no longer limited to exploiting misconfigurations or vulnerabilities; they have become faster, more automated, and require less skill and more persistence. Attackers are leveraging AI-driven automation, low-code hacking tools, and advanced evasion techniques to breach cloud environments. In particular, they:
- Bypass static security measures by timing attacks between scheduled scans.
- Exploit multiple layers of the cloud stack, from infrastructure to workloads to applications, creating complexity for defenders.
- Move laterally across cloud environments using compromised identities, misconfigured permissions, and exposed APIs.
Cloud security teams are left asking: What’s next?
They’ve embraced shift-left security and visibility with CNAPP, but how else can they stay ahead of attackers? The answer lies in proactive defense, requiring a fundamental shift in how CNAPP is perceived and operates.
Looking Ahead
The next evolution of CNAPP will bridge the gap between prevention and response, providing organizations with continuous visibility, real-time detection, and automated response to cloud threats. This shift-right approach will ensure that organizations can not only build securely but also defend proactively against live attacks.
As a result, it will close the following gaps in today's CNAPPs:
Relying on Periodic Scanning
Attackers recognized that most CNAPP solutions rely on periodic, static security scans that occur only a few times a day. This predictable cadence created opportunities for adversaries to time their attacks between scans, evading detection.
No Visibility for Multi-Layered Attack Patterns
Attackers got smarter and faster and began taking advantage of visibility gaps between security views to evade detection.
Consolidated, But Not Unified Security
While CNAPPs integrated multiple security functions into a single platform, these capabilities often remained siloed within the platform itself. This resulted in fragmented insights across cloud infrastructure, workloads, applications, networks, and data, limiting the ability to detect the multi-layered attack patterns mentioned above.
Lack of Deep Insight into Application-Layer Threats
CNAPPs focus heavily on cloud infrastructure and workload security but lack Layer 7 (application layer) visibility, which was provided by other tools. Adversaries exploited vulnerabilities in APIs, microservices, and application logic, areas where traditional CNAPPs had limited monitoring, as they knew application and cloud security teams did not often collaborate.
Sweet Security’s Flavor of CNAPP
Runtime Monitoring: Cloud environments need to be secured 24/7, not just periodically. Continuous runtime monitoring ensures that security teams can detect and respond to active threats in real time.
True Platform Unification: Security should not be fragmented within a platform. Sweet Security correlates data across cloud, workloads, applications, networks, and user identities to provide holistic, unified detection and response.
Application-Layered Security Focus: The application layer (Layer 7) is a prime target for attackers. Sweet Security integrates application visibility into the same framework as cloud visibility, ensuring that both security and development teams have the context they need to protect cloud-native applications.