What’s a CNAPP anyway?
Acronym for Cloud Native Application Protection Platform
CNAPP is a new security category defined by Gartner in 2021
Essentially v2.0 of Cloud Workload Protection Platforms (CWPP)
Gartner defines CNAPPs as:
“A unified and tightly integrated set of security and compliance capabilities designed to secure and protect cloud-native applications across development and production”
The challenge
Over the past 10+ years, businesses have been shifting (migrating and/or refactoring) compute workloads from on-premises data centers to cloud providers, a.k.a. Infrastructure as a Service (IaaS) providers. Cloud providers such as AWS, Microsoft Azure and Google Cloud offer tremendous benefits to customers, including support for modern application architecture, increased reliability, agility and cost savings.
However, securing workloads in cloud environments comes with its own set of challenges, including:
Increased complexity of cloud environments, with a broader attack surface that legacy security tools may not support, including Infrastructure as Code (IaC), APIs, containers and serverless functions.
Siloed tools making it difficult for both development and security teams to connect the dots between tools:
Application Security Testing tools for artifact scanning by developers and/or security teams
Point solutions for securing cloud infrastructure configurations such as Infrastructure as Code (IaC) Security or Cloud Security Posture Management (CSPM) tools
Application monitoring tools for runtime monitoring and protection
Management overhead that comes with managing multiple security tools and vendors.
Q: Need to scan cloud-hosted containers and endpoints for vulnerabilities?
-You need two separate security tools for that!
Q: Need to understand if a recently disclosed vulnerability exists in the cloud-hosted application that is currently running?
-That’s a difficult and time-consuming challenge for the security team!
Q: Need to ensure all the serverless functions are secure?
-Serverless functions are not supported. Welp, there’s a security gap!
You get the idea. A good-sized chunk of the security market was ripe for disruption. Cue the need for a better “mousetrap” called CNAPP.
Capitalizing on an opportunity
For cloud-hosted workloads, CNAPP vendors are taking a new approach and attempting to solve the problems of legacy security tools by bridging the gap between application development artifact risk visibility, cloud risk visibility and runtime security risk visibility.
CNAPPs attempt to consolidate multiple product capabilities into a single solution including:
For businesses with cloud-hosted workloads looking to streamline their security stack and gain risk visibility, a unified security solution provided by a single vendor is appealing. That said, CNAPPs obviously have limitations and may not be the right security solution, especially for businesses with large on-premises workloads, or in other situations.
The CNAPP market landscape
As of July 2023, there are 25 vendors in the CNAPP space. I’ve broken these vendors down into 3 categories:
“Pure-play” CNAPP vendors - Most of these vendors started with addressing a specific security use case and have added additional capabilities over time and ultimately evolved into a CNAPP (e.g.: Aqua was originally a container security vendor). However, vendors such as Orca Security and Wiz started with the original intent of being “CNAPP-like” (even before Gartner officially defined the category) and continue to be focused on addressing CNAPP-specific use cases.
Enterprise security vendors with CNAPP capabilities - Larger security vendors such as Check Point, Palo Alto Networks and others have evolved organically or through a series of acquisitions and have assembled a CNAPP offering.
Vulnerability Management (VM) vendors with CNAPP capabilities - The largest vendors in the VM space: Tenable, Qualys and Rapid7. You can read more about how these vendors are continuing to expand their capabilities in my previous post, The future of Vulnerability Management.
Note: All of the above CNAPP vendors have varying levels of maturity and capabilities. For example, some vendors have a greater focus on developers and development artifacts while other vendors are more focused on runtime visibility/monitoring. Today, few vendors offer strong integrated capabilities across development and operations.
The market impact
In April 2023, CNBC reported that YoY growth had slowed for major cloud providers [1]; however, despite slower growth, cloud providers are still experiencing double-digit growth. And as businesses continue to move more workloads to the cloud, they’ll look to embrace solutions like CNAPPs that are purpose-built for securing those types of workloads.
Based on the integrated security capabilities CNAPPs provide coupled with the challenges of using legacy security tools to secure cloud workloads, CNAPP vendors will end up taking revenue away from other security markets. This will ultimately impact Application Security Testing, Cloud Workload Protection Platforms (CWPP), Vulnerability Assessment/Management and other markets for vendors who do not pivot into the CNAPP space.
In fact, Gartner backs this up. They estimate [2] that CNAPP vendors will pull overall spending from the following six security markets:
Application Security Testing Software (e.g.: SAST, DAST, IAST, SCA, etc…)
Cloud Workload Protection Platforms (CWPP)
Vulnerability Assessment/Management (VM)
Web Application and API Protection (WAAP)
Cloud Access Security Brokers (CASB)
Other Security Software
At this stage, it’s too early to estimate exactly how much of an impact CNAPPs will have on other security markets.
Does this mean legacy security tools and vendors will go away? Absolutely not! At least not in the foreseeable future. Safety standards and regulatory frameworks continue to necessitate security scans with Application Security Testing tools, for example. However, for businesses that need to secure cloud workloads and aren’t required to follow standards and frameworks, CNAPPs could be a better, viable alternative.
Takeaway/Summary
CNAPP vendors are uniquely addressing complex security challenges and risk visibility for modern, cloud-hosted workloads in a single integrated solution
CNAPPs aim to address risk visibility across development and operations rather than a disparate tool stack from multiple vendors
There are currently 25 vendors in the CNAPP market with varying levels of maturity and capabilities
CNAPPs are estimated to pull revenue from 6 existing security markets
[1] CNBC news report, 30 April 2023
[2] Gartner, Inc., Market Guide for Cloud-Native Application Protection Platforms, 14 March 2023