1 Introduction / Executive Summary

This KuppingerCole Leadership Compass provides an overview of the Cloud-Native Application Protection Platform (CNAPP) market segment and the vendors in that segment. It covers the trends that are influencing the market, how it is further divided, and the essential capabilities required of solutions designed to protect cloud-native applications across the development and production lifecycle. It also provides ratings of how well these solutions meet our expectations. To better understand the fundamental principles this report is based on, please refer to KuppingerCole’s Research Methodology.

The distinctive feature of CNAPP solutions currently offered by vendors is the integration of several capabilities that were previously offered as standalone products. These most often include Cloud Security Posture Management (CSPM) for identifying vulnerabilities and misconfigurations in cloud infrastructures, Cloud Workload Protection Platforms (CWPP) that deal with runtime protection of workloads deployed in the cloud (such as virtual machines, containers, and Kubernetes, as well as databases and APIs), and Cloud Infrastructure Entitlement Management (CIEM) for centralized management of rights and permissions across (multi-)cloud environments. Cloud Service Network Security (CSNS) is sometimes included as well, combining such capabilities as web application firewalls, secure web gateways, and DDoS protection.

Cloud IaaS is now extensively used to develop and deliver new applications and reengineer existing ones. This is often because cloud services provide an environment for accelerated development without the need for capital expenditure and avoids lengthy procurement delays to obtain hardware. However, security is a shared responsibility for cloud services, and this increases complexity.

While the Cloud Service Providers (CSPs) must take steps to secure the service they provide, it is up to the customer to secure the way they use the service. CNAPP tools are intended to reduce complexity by helping organizations using multiple cloud services to identify and manage the risks for which they have responsibility.

1.1 Highlights

The highlights from this report are:

• The customer is responsible for the security and compliance of how they use cloud services, and there are several factors which increase risks when using the cloud.
• Cloud services are dynamic, thus a traditional static approach to security is not effective. In addition, many organizations fail to adapt and apply their normal internal security and compliance controls.
• The distinctive feature of CNAPP solutions is the integration of multiple capabilities that were previously offered as standalone products to address various risks and challenges.
• This report describes the major capabilities that CNAPP should provide to help customers secure their use of cloud services, and then evaluates solutions from several vendors.
• These solutions should cover the major IaaS cloud services and provide visibility of the risks from the way that these are configured and used.
• The capabilities should automate the detection, reporting and remediation of vulnerabilities and threats across cloud entitlements, compute services, cloud network and storage elements as well as Kubernetes orchestration platforms and CI/CD pipelines.
• The capabilities should support DevOps teams as well as security teams.
• They should also help to manage and report on compliance with laws and regulations, as well as to implement security best practices.
• This is still an evolving market and in the near term we expect products to mature by expanding the depth of their coverage and increasing the use of AI/ML to enhance effectiveness.
• In the longer term, the increasing use of AI and Large Language Models (LLM) creates an entirely new kind of cloud workload with new risks and challenges. Tools will be needed to help to manage these.