How does CNAPP differ from CSPM?

Cloud Security Posture Management (CSPM) anchors on the configuration state of cloud-account resources: storage buckets, security groups, IAM policies, encryption settings, logging configuration, public-access flags, and the benchmark of those settings against a baseline such as CIS Benchmarks or vendor-provider security best practices. CNAPP includes CSPM as one of its sub-disciplines and surrounds it with workload protection (CWPP), identity entitlement analysis (CIEM), and the correlation layer that reads a CSPM misconfiguration finding against the workload running on the affected resource and the identity reachable to it. A CSPM-only platform produces configuration findings. A CNAPP produces correlated findings that combine configuration, workload runtime state, identity exposure, and the data class behind the asset. Programmes that operate at low cloud-account density with a small workload footprint may not need the full CNAPP correlation layer yet; programmes at material cloud-account density typically benefit from CNAPP correlation more than from CSPM alone.

How does CNAPP differ from CWPP?

Cloud Workload Protection Platforms (CWPP) anchor on running workloads: containers, virtual machines, serverless functions, and the host operating system. CWPP capabilities include workload-level vulnerability scanning, runtime threat detection, file integrity monitoring, image scanning in the build pipeline, behavioural anomaly detection at runtime, and on-host policy enforcement. CNAPP includes CWPP as a sub-discipline and pairs it with the configuration view (CSPM), the identity view (CIEM), and the correlation layer. A CWPP-only platform protects workloads but does not necessarily read the cloud-account configuration that fronts the workload or the identities that can reach the workload from elsewhere in the account. CNAPP reads all three together. Mature programmes evaluate CWPP depth (agent-based vs agentless, runtime detection breadth, image scanning quality, support for the workload types the team actually runs) inside CNAPP rather than treating CNAPP as a single capability.

How does CNAPP differ from CIEM?

Cloud Infrastructure Entitlement Management (CIEM) anchors on the identity and permission graph: which identities exist in the cloud account, what each can do, what each has actually done, the gap between granted entitlement and used entitlement, the overprivilege pattern, and the shadow administrator accounts that aggregate entitlement without being labelled as such. CIEM is the identity governance layer for the cloud plane in the same way IAM tools serve the on-premises plane. CNAPP includes CIEM as a sub-discipline and pairs it with configuration (CSPM), workload (CWPP), and the correlation layer that reads an overprivileged identity against the workload it can reach and the configuration that exposes the asset. A CIEM-only platform produces identity findings. A CNAPP combines identity findings with the workload and configuration context that determines whether the overprivilege is materially exploitable. Programmes with material cloud-account scale typically find CIEM the most concentrated source of high-priority findings inside the CNAPP correlation, because identity is the lateral movement vector that connects an exposed asset to the rest of the account.

How does CNAPP differ from KSPM?

Kubernetes Security Posture Management (KSPM) anchors on Kubernetes-specific posture: the cluster configuration, the namespace and role-based access control state, admission controller policies, pod security standards, network policies, the workload deployment specifications, the supply chain of container images, and the runtime behaviour inside the cluster. KSPM has emerged as a discrete sub-discipline because Kubernetes posture is operationally distinct from cloud-account posture: the cluster sits on top of cloud infrastructure but operates its own identity, network, and policy planes. CNAPP increasingly includes KSPM as a sub-discipline; some platforms market KSPM separately and others fold it inside CWPP or CSPM. Programmes that run Kubernetes at material scale should evaluate the KSPM depth specifically (admission policy support, network policy validation, pod security standard enforcement, image supply chain coverage) rather than assuming a CNAPP covers it sufficiently.

How does CNAPP differ from ASPM, DSPM, SSPM, EASM, and CTEM?

ASPM (Application Security Posture Management) consolidates findings on the in-house application or repository record; CNAPP consolidates findings on the cloud-account and workload record. DSPM (Data Security Posture Management) anchors on the data plane and where sensitive data lives; CNAPP anchors on the cloud infrastructure and workload plane that hosts the data. SSPM (SaaS Security Posture Management) anchors on third-party SaaS tenant configuration; CNAPP anchors on the company-owned cloud accounts. EASM (External Attack Surface Management) anchors on internet-facing external assets observed from the outside in; CNAPP anchors on the cloud accounts observed from the inside out. CTEM (Continuous Threat Exposure Management) is the programme cycle that scopes, discovers, prioritises, validates, and mobilises across all of these surfaces as one operating model. CNAPP is typically one of the discovery and assessment sources CTEM consumes when the in-scope surface includes the cloud plane. Most mature enterprise programmes run several of these categories in parallel; the categories sit on different anchors and answer different questions.

When should an enterprise adopt CNAPP?

The signals that CNAPP is the next investment include: material cloud-account scale with multiple accounts, regions, and workload types in production; a parallel tool sprawl across CSPM, CWPP, CIEM, container scanning, IaC scanning, and Kubernetes posture where findings live in separate dashboards and reconciliation costs are visible; a vulnerability management programme where cloud findings are tracked separately from on-premises findings on different cadences; a security leadership read where the cloud risk picture cannot be reconciled across the existing tool set; an audit cycle where evidence on cloud configuration, workload, identity, and Kubernetes posture has to be assembled from multiple tools; a remediation programme where ownership of cloud findings is unclear because the asset, the workload, and the identity sit on different team records; and an enterprise scoping question (cyber insurance carrier, customer assurance review, regulatory inquiry) the team cannot answer for the cloud plane from a single record. Programmes that operate at low cloud-account density with a small workload footprint and a single dominant cloud provider may not need CNAPP yet; the cloud findings can live alongside the rest of the security backlog. Programmes at multi-cloud, multi-account, multi-region scale with material workload presence are the ones for which CNAPP correlation pays back. The decision is when and how deep, not whether.

Is CNAPP a replacement for the wider vulnerability management programme?

No. CNAPP is a discovery and assessment layer for the cloud plane that produces cloud-anchored findings. The wider vulnerability management programme runs across the cloud plane, the on-premises plane, the application code plane, the data plane, the SaaS plane, and the external surface; CNAPP covers the cloud plane portion. The defensible operating model routes CNAPP-derived findings into the wider vulnerability management programme with the same SLA tiers, owner assignment, exception register, retest discipline, and audit evidence pattern that applies to findings from other surfaces. Programmes that treat CNAPP as a parallel queue with its own remediation workflow, its own SLA scheme, and its own evidence pattern produce a fork that does not converge with the rest of the security backlog. The correlation value of CNAPP comes from the cloud-plane signal stack; the operating value comes from routing those signals into the unified remediation record.

Does SecPortal function as a CNAPP platform?

SecPortal does not market itself as a Cloud-Native Application Protection Platform. SecPortal does not run agentless cloud-account snapshot collection, container runtime workload protection, IAM entitlement graph analysis, or Kubernetes admission policy enforcement. SecPortal does provide the consolidated operating record where CNAPP-derived findings (from a dedicated CNAPP platform, from CSPM/CWPP/CIEM/KSPM tools used separately, from a cloud security assessment engagement, or from a manual review) land alongside the wider security backlog with the same lifecycle, audit trail, framework mapping, and remediation governance the rest of the programme runs on. The verified external scanning surface covers the external-facing cloud properties (subdomains, DNS, certificates, exposed paths, technology fingerprinting, cloud exposure checks against verified domains) but is not the cloud-internal posture layer a CNAPP provides. Programmes evaluating dedicated CNAPP platforms should benchmark the four sub-disciplines (CSPM, CWPP, CIEM, KSPM) and the correlation layer depth, then use SecPortal as the consolidated operating record that holds the resulting findings against the wider vulnerability management programme, the framework mapping, and the audit-read evidence pack.

← Back to Blog

Technical24 May 202617 min read

Cloud-Native Application Protection Platform (CNAPP): Explained

A Cloud-Native Application Protection Platform (CNAPP) is the consolidating category for cloud security tooling that brings Cloud Security Posture Management (CSPM), Cloud Workload Protection Platforms (CWPP), Cloud Infrastructure Entitlement Management (CIEM), and increasingly Kubernetes Security Posture Management (KSPM) into one operating surface. For cloud security teams, AppSec teams, vulnerability management teams, GRC and compliance owners, security engineering, and the CISOs who sponsor the programme, CNAPP is the category that names the cloud-plane posture and workload problem alongside ASPM, DSPM, SSPM, EASM, and CTEM. This guide covers what CNAPP is and is not, the five functional layers, how CNAPP differs from CSPM, CWPP, CIEM, KSPM, ASPM, DSPM, SSPM, EASM, and CTEM, the signals CNAPP consumes, the recurring adoption pitfalls, the audit-read shape of the operating record, and a phased rollout that takes a programme from sprawling cloud accounts to a single cloud security record.

What CNAPP Actually Is

CNAPP is the consolidating shape for cloud security tooling. Before the term existed, organisations buying cloud security typically held three or four separate platforms: a Cloud Security Posture Management tool for configuration checks, a Cloud Workload Protection Platform for runtime workload coverage, a Cloud Infrastructure Entitlement Management tool for the identity and permission graph, and a container or Kubernetes security tool for the cluster posture. Each of those platforms produced its own findings stream, its own dashboard, its own severity scheme, and its own remediation workflow. The cost of reconciliation across them was real: the same underlying risk (an overprivileged identity that can reach a vulnerable workload running on a misconfigured asset) appeared as three separate findings on three separate dashboards, with three separate owners and three separate remediation queues.

CNAPP is the consolidation answer. The platform reads the cloud account from multiple dimensions (configuration, workload, identity, network, Kubernetes, data) and correlates the signals across them. The risk in the example above is read as one prioritised finding with the configuration, workload, and identity signals attached. The remediation owner is one team rather than three, the severity is calibrated against the combined exposure rather than against each signal in isolation, and the audit-read evidence is one record rather than three.

The category label was popularised by Gartner; the underlying capability is the consolidation of pre-existing cloud security disciplines (CSPM, CWPP, CIEM, KSPM, container scanning, IaC scanning, cloud DLP) into a single operating record. The label is recent; the capability is the operational answer to cloud tool sprawl. CNAPP buyers should evaluate the platform on the depth of each sub-discipline and on the quality of the correlation layer that connects them, rather than as a single monolithic capability.

The Five Functional Layers

An operating CNAPP record exposes five layers. Each layer can be present at different depths in a given vendor offering; programmes evaluating platforms should benchmark each layer separately rather than treating CNAPP as a single capability.

Layer 1: Discover the cloud estate

Enumerate the cloud accounts, subscriptions, projects, regions, virtual networks, identity providers, container clusters, function deployments, managed services, and data stores the organisation operates across one or more cloud providers. The discover layer is judged by breadth of cloud provider support (AWS, Azure, Google Cloud, Oracle Cloud, Alibaba Cloud), breadth of resource type coverage inside each provider, the ability to onboard new accounts without per-account configuration work, agentless deployment patterns, and the cadence at which the discovered estate refreshes against the actual cloud state.

Layer 2: Assess configuration posture

Read the configuration state of each discovered resource against the operative baseline. Standard baselines include the CIS Benchmarks for the cloud provider, the vendor provider security best practices, the organisation's internal cloud security standard, and the framework-specific control sets (PCI DSS, HIPAA, ISO 27001, SOC 2, NIST 800-53). The assess layer is judged by the breadth of supported baselines, the customisability of policy packs, the explainability of each finding (the operator must be able to read why a setting fails the baseline), and the per-finding evidence the platform produces against the underlying configuration state.

Layer 3: Observe workloads and runtime

Cover the workload runtime: virtual machines, container hosts, Kubernetes pods, serverless functions, and the operating-system processes inside each. Workload coverage includes vulnerability scanning at the image level and the running-instance level, behavioural anomaly detection at runtime, file integrity monitoring, supply chain provenance for container images, and the cluster-internal posture for Kubernetes deployments. The workload layer is judged by the agent vs agentless deployment model, the detection content breadth, the supply chain coverage (signed images, SBOM extraction, image provenance), and the support for the workload types the team actually runs.

Layer 4: Govern identity and entitlement

Read the identity and permission graph across the cloud account. Map every identity (human users, service principals, machine identities, federation trust relationships, cross-account roles) to the entitlements it holds, the entitlements it has actually used over a window, the gap between granted and used entitlement, the overprivilege pattern, the shadow administrator aggregation, and the lateral movement path each identity opens. The identity layer is judged by the entitlement graph depth, the used-vs-granted analysis quality, the detection of overprivilege and toxic combinations, and the ability to read the identity exposure against the workload and configuration signals.

Layer 5: Score and prioritise correlated risk

Combine the configuration, workload, identity, network, and data signals into a per-finding correlated risk score. The defensible composition stacks the operative signals (configuration severity, workload vulnerability, identity reachability, data class context, network exposure, known exploitation context) rather than collapsing them into a single opaque number. The score layer is judged by transparency (the operator can read why a finding ranked where it did), tunability (the score function can be calibrated against the team's remediation throughput), and the explainability of the correlation across the underlying dimensions.

A platform that covers only the first two layers is a CSPM. A platform that covers layers two and three is closer to a CWPP. A platform that covers all five with correlation across them is a CNAPP. The label is increasingly applied to both partial and full coverage; the operational distinction matters when evaluating fit.

CNAPP vs CSPM, CWPP, CIEM, KSPM, ASPM, DSPM, SSPM, EASM, and CTEM

Nine adjacent categories overlap with CNAPP. The first four (CSPM, CWPP, CIEM, KSPM) are sub-disciplines that CNAPP consolidates. The next four (ASPM, DSPM, SSPM, EASM) are parallel posture categories anchored on different surfaces. The ninth (CTEM) is the programme cycle that runs above them all. The table below lays out the differences buyers and operators should keep in view when deciding what each category buys them.

Category	Anchor	Relationship to CNAPP
CSPM	Configuration of cloud-account resources against baselines such as CIS Benchmarks.	Sub-discipline. CNAPP includes CSPM as one of its functional layers.
CWPP	Workload runtime protection across virtual machines, containers, and serverless functions.	Sub-discipline. CNAPP includes CWPP as one of its functional layers.
CIEM	Identity and permission graph, used vs granted entitlement, overprivilege detection, shadow administrator aggregation.	Sub-discipline. CNAPP includes CIEM as one of its functional layers.
KSPM	Kubernetes cluster posture: configuration, RBAC, admission policies, pod security standards, network policies, image supply chain.	Sub-discipline. CNAPP increasingly includes KSPM; some platforms market KSPM separately or fold it inside CWPP.
ASPM	Application security findings consolidated across SAST, SCA, DAST, IaC, secret scanning, container scanning on the application or repository record.	Parallel. ASPM lives on the application record; CNAPP lives on the cloud-account and workload record. The two reconcile when a tracked repository deploys to a tracked cloud workload.
DSPM	Data plane: where sensitive data lives, who can read it, how it flows.	Parallel. DSPM observes the data inside an asset; CNAPP observes the cloud infrastructure and workload hosting it. The two reconcile when a tracked cloud asset holds regulated data.
SSPM	SaaS tenant configuration and identity surface for purchased SaaS applications.	Parallel. SSPM observes purchased SaaS posture; CNAPP observes company-owned cloud account posture. The two share the configuration baseline pattern but anchor on different planes.
EASM	External attack surface: internet-facing assets observed from the outside in.	Parallel. EASM observes the external footprint from outside; CNAPP observes the cloud accounts from inside. The two reconcile at the internet-facing asset boundary.
CTEM	Programme cycle that scopes, discovers, prioritises, validates, and mobilises across surfaces.	Upstream. CTEM is the programme layer; CNAPP is one of the discovery and assessment sources CTEM consumes when the in-scope surface includes the cloud plane.

For programmes running risk-based vulnerability management alongside cloud security, the risk-based vulnerability management buyer guide covers how the wider operating model decomposes across signal sources. For the programme layer above CNAPP that scopes, validates, and mobilises across all posture and exposure surfaces as one cycle, the CTEM explainer covers the programme model and how CNAPP output feeds the CTEM Discovery and Prioritisation stages.

The Signal Stack CNAPP Consumes

CNAPP consolidates signals across the cloud plane. The boundaries are not strict; some signals come from the platform itself and some are imported from adjacent tools. The standard signals and their roles are:

Signal	What it answers	Role inside CNAPP
Configuration severity	Whether a cloud resource configuration fails the operative baseline (public storage bucket, open security group, disabled logging, missing encryption).	Baseline severity input from the CSPM sub-discipline. Configuration that fails a hard baseline jumps to the top of the queue independent of other signals.
Workload vulnerability	Whether a workload image or running instance contains a known CVE or a vulnerable dependency.	Workload signal from the CWPP sub-discipline. Combined with configuration and identity to determine exploitability.
Identity reachability	Which identities can reach the affected resource, and what those identities can do once reached.	Identity signal from the CIEM sub-discipline. The lateral movement multiplier that determines whether a contained finding is a programme-wide finding.
Data class context	Whether the affected resource holds or fronts regulated personal, payment, health, or contractual data.	Multiplier. Regulated data classes typically escalate the SLA tier and require evidence at audit.
Network exposure	Whether the resource is internet-facing, accessible across cloud accounts, or contained inside a private network segment.	Exposure multiplier. Internet-facing resources promote the severity of configuration and workload findings.
Known exploitation	Whether the fingerprinted technology or CVE on the resource is in active exploitation according to CISA KEV, EPSS, or vendor advisories.	Promotion signal. Findings with active exploitation context are escalated and routed against the operative SLA tier.
Configuration drift	Whether a resource has drifted away from a previously approved baseline (new port opened, policy changed, encryption disabled).	Drift input. Generated by the CNAPP platform itself when a posture result changes between two scans on the same resource.

The defensible composition is to stack the signals deliberately rather than collapse them into a single opaque score. The vulnerability prioritisation framework guide covers the multi-signal scoring pattern adjacent exposure platforms apply; the asset criticality scoring use case covers the asset-criticality signal that CNAPP and adjacent posture tools depend on; the CISA KEV catalogue guide covers the known-exploitation signal a CNAPP ingests against discovered cloud workload CVEs.

When to Adopt CNAPP

The adoption decision is operational rather than strategic. CNAPP solves a specific problem; programmes that do not have the problem do not need a dedicated platform. The signals that CNAPP is the next investment are:

Material cloud-account scale with multiple accounts, regions, and workload types in production.
A parallel tool sprawl across CSPM, CWPP, CIEM, container scanning, IaC scanning, and Kubernetes posture where findings live in separate dashboards.
A vulnerability management programme where cloud findings are tracked separately from on-premises findings on different cadences.
A security leadership read where the cloud risk picture cannot be reconciled across the existing tool set.
An audit cycle where evidence on cloud configuration, workload, identity, and Kubernetes posture has to be assembled from multiple tools at audit week.
A remediation programme where ownership of cloud findings is unclear because the asset, the workload, and the identity sit on different team records.
An enterprise scoping question (cyber insurance carrier, customer assurance review, regulatory inquiry) the team cannot answer for the cloud plane from a single record.
Multi-cloud presence where each provider currently has its own posture and workload tooling and the team cannot read across them.

Programmes that operate at low cloud-account density with a small workload footprint and a single dominant cloud provider may not need CNAPP yet; the cloud findings can live alongside the rest of the security backlog inside a wider vulnerability management programme. Programmes at multi-cloud, multi-account, multi-region scale with material workload presence and a sprawling identity surface are the ones for which CNAPP correlation pays back. The decision is when and how deep, not whether.

The Operating Record a CNAPP Programme Produces

The output of a CNAPP programme is not a tool dashboard. The output is an operating record that lives independently of the dashboard and survives vendor changes. The record has a recurring shape across mature programmes:

Cloud asset inventory

Per-account resource inventory across compute, storage, networking, identity, and managed services, with owner, business purpose, data classification, environment tier, and the date the inventory entry was last reviewed.

Configuration baseline record

The active baseline pack the platform reads against (CIS Benchmarks, vendor provider best practices, the organisation's internal standard), the per-resource baseline state, the approved exceptions with documented basis, owner, expiry, and re-evaluation trigger.

Workload and runtime record

Per-workload vulnerability inventory, image supply chain provenance, runtime detection events, Kubernetes cluster posture, and the cadence and result of the most recent workload scan.

Identity and entitlement graph

Per-identity entitlement record, used-vs-granted analysis, overprivilege and toxic combination findings, shadow administrator aggregation, lateral movement path inventory, and the cross-account trust relationships.

Correlated finding lifecycle

Per-finding identifier, the signals that composed the score, severity at open, severity at closure, status lifecycle transitions, owner, remediation evidence, retest result, and the closure actor and timestamp.

Framework mapping

Per-finding crosswalk to ISO 27001 Annex A 5.23 use of cloud services, 8.8 management of technical vulnerabilities, 8.9 configuration management, 8.20 networks security, 8.21 security of network services, SOC 2 CC6.1 logical access, CC6.6 vulnerability management, CC7.1 detection of security events, NIST 800-53 AC, CM, and RA families, CIS Controls 3, 4, 5, 6, and 12, and the operative regulator references.

Six Recurring Adoption Pitfalls

CNAPP as a single tool replacement. Buying a CNAPP and decommissioning the existing CSPM, CWPP, CIEM, and KSPM tools without first benchmarking each sub-discipline depth against the new platform typically produces a coverage regression. The disciplined adoption path benchmarks each layer separately and decommissions only where the new platform meets or exceeds the prior coverage.
Correlation in name only. Some platforms market CNAPP without the correlation layer that connects configuration, workload, and identity signals. The dashboards show the three streams side by side but do not produce correlated findings. Buyers should test the correlation by reviewing the platform's output on a known cross-signal scenario (overprivileged identity reachable to a vulnerable workload running on a misconfigured asset) and verifying the platform presents one prioritised finding, not three.
Findings without lifecycle. Surfacing cloud findings without tracking when each was opened, who owns it, when it was last reviewed, and whether it is open, fixed, accepted, or deferred produces a backlog that grows monotonically and never closes. The lifecycle field is the one that keeps the queue useful and the audit-read durable.
CNAPP as a parallel queue. Detecting cloud findings inside the CNAPP without routing them into the wider vulnerability management programme with SLA tiers, owner assignment, and remediation tracking produces a fork that does not converge with the rest of the security backlog. The correlation value of CNAPP comes from the cloud-plane signal stack; the operating value comes from routing those signals into the unified remediation record.
Tier-one cloud only. Modelling only the primary production accounts and the headline workloads leaves the long tail of development, sandbox, acquired-entity, and shadow IT accounts unobserved. The shadow cloud footprint routinely holds material exposure that the official inventory does not see. Discovery breadth across the full cloud estate matters at least as much as detection depth on the headline accounts.
CNAPP as the only cloud record. Treating the CNAPP platform as the system of record for cloud security means the programme breaks when the vendor is changed or when the platform misses a resource. The operating record should sit independently and pull from CNAPP as the primary cloud signal source, with the wider vulnerability management programme, the framework mapping, and the audit-read evidence pack reconciling across CNAPP, on-premises, application, data, and third-party surfaces.

How Auditors Read CNAPP Evidence

Audit teams reading CNAPP evidence look at three lenses. The platform shape is secondary; the lens shape is primary.

Coverage. The audit reads the cloud asset inventory against the cloud provider billing record, the central IT cloud-account onboarding record, the federated identity provider, and the authoritative acquisition record, and asks where the gaps are. Programmes that cannot reconcile the sources are flagged.
Decision durability. The audit reads the exception register, the identity overprivilege ledger, and the finding-closure record and asks whether each open exception, identity decision, and closure decision has documented basis, owner, and a re-evaluation trigger. Decisions captured only in chat or in cloud console annotations are flagged.
Framework alignment. The audit reads the CNAPP evidence against the operative framework controls and asks whether the record satisfies the control requirements. ISO 27001 Annex A 5.23 expects cloud service governance, A 8.9 expects configuration management, A 8.8 expects vulnerability management on technical assets, A 8.20 expects networks security, and A 8.21 expects security of network services. SOC 2 CC6.1 expects logical access controls, CC6.6 expects vulnerability management, and CC7.1 expects detection of security events. NIST 800-53 AC family expects access control, CM family expects configuration management, and RA-5 expects vulnerability monitoring and scanning. CIS Controls 3 expects data protection, 4 expects secure configuration, 5 expects account management, 6 expects access control, and 12 expects network infrastructure management. Mapping CNAPP output to the framework is the work that turns cloud signals into audit evidence.

A Phased Rollout

Mature CNAPP programmes do not arrive at the operating shape on day one. The rollout pattern across enterprise programmes is consistent enough to warrant a phased plan rather than a big-bang adoption.

Phase 1: Cloud-account inventory reconciliation

Reconcile the cloud provider billing record, the central onboarding inventory, the federated identity provider, and the acquisition record into a single cloud-account inventory. Establish ownership for each account. Mark which accounts host customer-facing services, payment surfaces, regulated-data tenants, and tier-one workloads. Do not attempt full posture coverage yet; the inventory is the foundation that everything else reads against.

Phase 2: Tier-one configuration baseline

Run the configuration baseline (CIS Benchmarks plus the organisation's internal standard) on the tier-one accounts. Surface deviations against the operative policy and route findings to owners with SLAs. Establish an exception register for approved deviations with documented basis, owner, expiry, and re-evaluation trigger. Defer workload and identity coverage until the configuration view is stable.

Phase 3: Workload and runtime coverage

Layer workload coverage on top of the configuration baseline. Run image scanning in the build pipeline, runtime scanning on the deployed workloads, container supply chain provenance on the image registry, and cluster posture on the Kubernetes deployments. Route workload findings into the wider vulnerability management programme with SLA tiers and owner assignment. Surface the cross-signal correlation where a workload vulnerability sits on a misconfigured asset.

Phase 4: Identity entitlement governance

Onboard the identity provider, machine identities, federation trust relationships, and cross-account roles. Run the used-vs-granted entitlement analysis across a sufficient window. Surface overprivileged identities, toxic combinations, shadow administrator aggregations, and lateral movement paths. Route the identity findings into the access governance programme; route the correlated findings (overprivileged identity reachable to a vulnerable workload on a misconfigured asset) into the vulnerability management programme.

Phase 5: Govern and report

Wire the CNAPP record into the wider GRC posture. Map findings to ISO 27001, SOC 2, NIST 800-53, CIS Controls, and the operative regulator references. Generate the leadership read of the record on a quarterly cadence. Establish a steady-state review cycle that covers configuration baseline drift, workload supply chain hygiene, identity entitlement governance, and Kubernetes posture review.

Phase 6: Steady-state operations

Run the recurring cadence: configuration scans on tier-one accounts continuous, workload image scans every build, runtime detection continuous, identity entitlement analysis monthly, Kubernetes posture continuous, leadership read quarterly, framework re-mapping annually, and full programme review during the operative ISMS or compliance cycle.

Adjacent Programmes CNAPP Connects To

CNAPP sits inside a wider programme estate. The connections worth wiring early are:

Vulnerability prioritisation consumes CNAPP-derived signals (configuration severity, workload vulnerability, identity reachability, data class context, network exposure) as inputs to the multi-signal scoring policy.
Asset ownership mapping attaches a named owner to every cloud asset so findings route without the team rediscovering ownership for every finding.
Cloud security assessment runs scoped cloud assessments that can ingest CNAPP-derived findings as the starting evidence pack rather than rediscovering exposure each cycle.
Scanner result triage is the workflow for moving CNAPP-exported findings from the discovery dashboard into the structured remediation backlog.
Control mapping wires CNAPP evidence to ISO 27001, SOC 2, NIST 800-53, and CIS Controls without maintaining duplicate per-framework records.
Continuous threat exposure management cycle consumes CNAPP output during the CTEM Discovery and Prioritisation stages and feeds the resulting findings into Validation and Mobilisation.
Cloud Infrastructure Entitlement Management (CIEM) is the CIEM leg of the CNAPP umbrella that anchors specifically on cloud entitlement: which identities can act against which resources, where standing privilege exists, and where the entitlement record drifts from the least-privilege baseline.

How SecPortal Reads Against the CNAPP Operating Record

CNAPP programmes succeed or fail on the recordkeeping. The configuration finding, the workload vulnerability, the identity overprivilege, the Kubernetes posture deviation, the correlated risk score, the lifecycle state, the exception decision, the framework mapping, and the owner field all need to live on the same record so the AppSec queue, the vulnerability management backlog, the leadership dashboard, and the audit read collapse into one query rather than into a multi-tool reconciliation.

SecPortal does not market itself as a Cloud-Native Application Protection Platform. SecPortal does not run agentless cloud-account snapshot collection, container runtime workload protection, IAM entitlement graph analysis, or Kubernetes admission policy enforcement. It does provide the consolidated operating record where CNAPP-derived findings (from a dedicated CNAPP platform, from CSPM/CWPP/CIEM/KSPM tools used separately, from a cloud security assessment engagement, or from a manual review) land alongside the wider security backlog. Findings management captures the resulting findings under a unified schema with CVSS 3.1 calibration and lifecycle tracking with 300+ finding templates. Bulk finding import ingests CSV exports of CNAPP-derived findings onto the engagement record so cloud-plane exports can land alongside the wider security backlog. Code scanning via Semgrep SAST and dependency analysis runs against connected repositories for the application code that deploys to the cloud workloads. Repository connections via GitHub, GitLab, and Bitbucket OAuth bind the code findings to the repository that owns them. External scanning covers subdomain enumeration, DNS analysis, port scanning, SSL and certificate analysis, security header analysis, exposed path discovery, technology fingerprinting, cloud exposure checks, WAF detection, open redirect detection, SSRF guard, subdomain takeover detection, WHOIS analysis, and rate-limit checks against verified domains. Authenticated scanning covers cookie, bearer token, basic, and form authentication against the cloud-hosted web applications inside the engagement record, with credentials stored encrypted at rest. Continuous monitoring schedules the recurring scan cadence on a daily, weekly, biweekly, or monthly schedule so the surface and findings stay current without manual re-scoping. Encrypted credential storage (AES-256-GCM) holds the scanner credentials the authenticated scans use. Document management holds the CNAPP-exported reports, the configuration baseline artefacts, and the supporting evidence the programme produces. The activity log records every state change for audit-read durability with CSV export. Compliance tracking maps findings to ISO 27001, SOC 2, PCI DSS, and NIST framework controls. Team management with RBAC scopes who can read, edit, and approve CNAPP-derived findings. MFA enforcement on the workspace itself protects the operating record the programme depends on. AI report generation produces leadership summaries and audit-ready packs from the underlying record.

Programmes evaluating dedicated CNAPP platforms should benchmark the four sub-disciplines (CSPM, CWPP, CIEM, KSPM) and the correlation layer depth against named CNAPP vendors, then use SecPortal as the consolidated operating record that holds the resulting findings against the wider vulnerability management programme, the framework mapping, and the audit-read evidence pack. For buyer-side comparison, the SecPortal vs Orca Security, SecPortal vs Wiz, SecPortal vs Microsoft Defender for Cloud, and SecPortal vs Palo Alto Prisma Cloud pages cover the two dominant agentless CNAPP platforms, the Microsoft-first multicloud CNAPP, and the Palo Alto-anchored multi-module CNAPP side-by-side with a delivery workspace. The companion cloud security tool guide covers the cloud security category landscape and how tools across CSPM, CWPP, CASB, CNAPP, and CIEM connect into a working stack. The cloud security assessment guide covers the scoped assessment methodology that produces the cloud finding evidence pack.

Scope and Limitations

This guide describes the operating shape of Cloud-Native Application Protection Platforms as they are consumed in mainstream enterprise programmes. The vendor landscape evolves rapidly: agent vs agentless deployment patterns, supply chain coverage, identity entitlement analysis depth, Kubernetes posture breadth, and packaged framework mappings shift between releases. Specific feature claims, supported cloud providers, supported resource types, and the precision of named correlation models should be verified against current vendor documentation and against benchmark exercises on the team's own cloud estate.

CNAPP is a posture and assessment record on the cloud plane, not a runtime defence layer for every threat scenario and not a substitute for the wider vulnerability management programme. Programmes that adopt CNAPP as a substitute for the maintained asset record lose the authoritative cross-source reconciliation that the wider asset record provides; programmes that adopt CNAPP as a substitute for the application code review programme lose the upstream coverage that SAST, SCA, IaC scanning, and secret scanning provide on the application repository record. Programmes that adopt CNAPP as the cloud-plane posture and workload layer alongside the wider vulnerability management programme, the application security programme, the data security programme, the external attack surface programme, the third-party SaaS posture programme, and the GRC posture, with disciplined inventory reconciliation, configuration baseline governance, workload supply chain hygiene, identity entitlement review, and annual framework mapping reviews, are the ones that see durable operating value.

Run cloud security findings on SecPortal

Stand up the operating record in under two minutes. Free plan available, no credit card required.

Get Started Free SecPortal for cloud security teams