Comparison

SecPortal vs Lacework
behavioural cloud detection vs security testing workspace

Lacework (now part of Fortinet as FortiCNAPP) is a cloud-native security platform that anchors on the Polygraph data model. The mechanic is to ingest cloud activity from connected AWS, Azure, GCP, and Oracle Cloud accounts, container runtime signal from a deployed agent, Kubernetes audit logs, identity and entitlement state, and IaC scan output, then build behavioural baselines of how accounts, services, containers, and identities normally behave so that anomalous activity surfaces as a composite alert grouping rather than a single raw event. The buyer assumption is that the connected cloud accounts are the asset of record and the cloud security team needs a behavioural-baseline detection layer across the cloud surface alongside posture, workload protection, and IaC scanning. SecPortal is a different shape: scoped engagements, manual finding entry, AI report generation, branded client portal, native external scanning across 16 modules, authenticated DAST across 17 modules behind stored credentials, and SAST plus dependency analysis through Semgrep on connected GitHub, GitLab, or Bitbucket repositories all live inside one workspace. This page is the side-by-side for enterprise buyers comparing a behavioural cloud detection CNAPP tied to connected cloud accounts to a security testing and remediation workspace that scans, records, reports, and delivers findings on its own.

Get Started Free

No credit card required. Free plan available forever.

Feature	SecPortal	Lacework
Primary use case	Security testing and remediation workspace with scanning, findings, AI reports, branded portal, and engagement record on one tenant	Cloud-native application protection platform (CNAPP) that ingests cloud activity from connected accounts and container runtime signal from a deployed agent, builds the Polygraph behavioural baseline, and surfaces composite alerts on anomalous cloud behaviour
Engagement model with scope, ROE, and deliverables		Cloud account, container, host, Kubernetes cluster, identity, and composite alert model rather than scoped engagement with a kickoff and a deliverable
Client model with onboarding, contacts, and access control		Internal cloud account owner and workload owner model under the FortiCNAPP and Fortinet Security Fabric identity layer
Branded white-label client portal on your subdomain
Runtime agent inside container and VM workloads		Lacework deploys a runtime agent inside container hosts, Kubernetes nodes, and virtual machine workloads to observe process activity, network flow, and syscall behaviour
Behavioural-baseline detection across cloud activity (Polygraph)		Core mechanic; learned baselines of account, service, container, and identity behaviour surface anomalous activity as composite alerts
Cloud control-plane log ingest across AWS, Azure, GCP, and OCI		CloudTrail, Azure Activity Logs, GCP Cloud Audit Logs, and Kubernetes audit logs are ingested into the Polygraph data platform
Cloud security posture management (CSPM)
Cloud workload protection (CWPP)
Cloud infrastructure entitlement management (CIEM)
Container, Kubernetes, and serverless security
IaC scanning on connected Git providers		Code Security covers IaC and secrets on connected GitHub, GitLab, and Bitbucket repositories
Composite alert grouping of related cloud activity events		The Polygraph data model groups related events across accounts, services, containers, and identities into one composite alert
Native external vulnerability scanning (16 modules: SSL, headers, DNS, ports, subdomains, technology fingerprinting, CVE correlation) outside the cloud account boundary
Native authenticated web DAST (17 modules)
Encrypted credential vault for authenticated scans (AES-256-GCM)		Cloud-API and agent-based access; no credential vault for non-cloud-API authenticated scanning
SAST scanning on connected repositories	Semgrep-powered SAST on connected GitHub, GitLab, or Bitbucket repositories	Code Security covers IaC and secrets rather than application-source SAST as a primary lane
Software composition analysis (SCA)	Dependency analysis through Semgrep on connected repositories	Vulnerability scanning across container images and host packages rather than dependency analysis on a connected source repository
Manual finding entry with full editor		Findings originate from connected cloud accounts, the runtime agent, and ingested logs rather than from manual entry by a tester
AI-powered narrative report generation (executive, technical, remediation)		Console dashboards, composite-alert views, and posture exports rather than engagement-shaped executive, technical, and remediation deliverables
300+ finding templates with remediation guidance		Cloud-side rule and behavioural-pattern catalogue with remediation guidance scoped to cloud resources rather than a curated finding template library for manual engagement work
CVSS 3.1 vector parsing and auto-scoring		CVSS is one input to the cloud-side prioritisation; the prioritisation output is the composite alert grouping rather than a per-finding CVSS-only ranking
Scanner result import (Nessus, Burp Suite, CSV)		CNAPP-native ingestion of cloud logs and the runtime agent rather than CSV import of external scanner output
Continuous scheduled scanning cadence (daily, weekly, biweekly, monthly)		Continuous ingest of cloud activity and runtime signal rather than scheduled scans against named targets
Retest workflow paired to original finding		Re-evaluation through the next behavioural-baseline cycle and the next composite alert rather than an engagement-shaped retest record
Exception register with eight-field decision chain		Per-alert suppression scoped to the cloud account, resource, or behavioural rule rather than an engagement-shaped per-finding decision chain
Compliance framework templates	21 frameworks including OWASP, OWASP ASVS, OWASP MASVS, OWASP API Security Top 10, ISO 27001, SOC 2, PCI DSS, NIST 800-53, NIST 800-171, FedRAMP, MITRE ATT&CK, DORA, NIS2, CIS Controls, and Essential Eight	Cloud compliance reporting mapped to common frameworks including PCI DSS, ISO 27001, SOC 2, NIST 800-53, NIST CSF, CIS Benchmarks, HIPAA, and others depending on enabled modules
Native integration with Fortinet Security Fabric (FortiGate, FortiSIEM, FortiSOAR, FortiEDR)
Integrated invoicing and Stripe Connect payments for engagements
Activity audit trail with CSV export		Platform audit logs inside the FortiCNAPP console
MFA enforcement on every workspace		SSO and IdP-driven controls
Free plan available		Sales-led commercial pricing rather than a published free tier
Pricing model	Free, Pro, Team	Sales-led with annual commitment and workload-count, cloud-account-count, agent-footprint, and module-bundle weighting inside the Fortinet Security Fabric commercial model
Setup time	2 minutes	Cloud account onboarding plus runtime agent deployment across container hosts and Kubernetes nodes plus baseline learning window plus module enablement plus alert tuning
Best fit for	AppSec teams, internal security teams, vulnerability management teams, product security teams, pentest firms, MSSPs, and consultancies that scan, report, and deliver findings from one workspace	Enterprise cloud security teams operating multi-cloud AWS, Azure, GCP, and OCI estates at scale with container and Kubernetes workloads where behavioural anomaly detection across cloud activity is the primary need, and Fortinet-anchored security teams that want the cloud security layer inside the wider Fortinet Security Fabric estate

SecPortal vs Lacework: delivery workspace vs behavioural cloud detection platform

Lacework (now Fortinet FortiCNAPP after the June 2024 acquisition) is a cloud-native security platform that anchors on the Polygraph data model. The mechanic is to ingest cloud activity from connected AWS, Azure, GCP, and Oracle Cloud accounts, container runtime signal from a deployed agent, Kubernetes audit logs, identity and entitlement state, and IaC scan output, then build behavioural baselines of how accounts, services, containers, and identities normally behave so that anomalous activity surfaces as a composite alert grouping rather than a single raw event. The buyer assumption is that the connected cloud accounts are the asset of record and the cloud security team needs a behavioural-baseline detection layer across the cloud surface alongside posture, workload protection, and IaC scanning.

SecPortal is a different category. SecPortal is a security testing and remediation workspace that carries the engagement, the findings, the scanning, the AI report, the branded client portal, and the invoice all on one tenant. The buyer is a penetration testing firm, an MSSP, a consultancy, an AppSec team, a vulnerability management team, a product security team, or an in-house security function that ships scoped work to clients or stakeholders. If you are comparing a behavioural cloud detection platform tied to connected cloud accounts to a delivery and remediation workspace that scans, reports, and delivers on its own, this page is the side-by-side. The adjacent CNAPP comparisons buyers in the cloud-native security category often evaluate alongside are SecPortal vs Wiz, SecPortal vs Orca Security, SecPortal vs Prisma Cloud, SecPortal vs Microsoft Defender for Cloud, SecPortal vs Sysdig, and SecPortal vs Aqua Security.

Where Lacework FortiCNAPP stops for delivery and engagement-shaped security work

These are not Lacework-specific criticisms; they are properties of a behavioural cloud detection platform when you compare it to running scoped engagements or a scanner-plus-findings programme on a single workspace.

Built as a behavioural cloud detection platform anchored on the Polygraph data model

Lacework (now part of Fortinet as FortiCNAPP) is a cloud-native security platform that anchors on the Polygraph data model. The mechanic is to ingest cloud activity from connected AWS, Azure, GCP, and Oracle Cloud accounts, container runtime signal from a deployed agent, Kubernetes audit logs, identity and entitlement state, and IaC scan output, then build behavioural baselines of how accounts, services, containers, and identities normally behave so that anomalous activity surfaces as a composite alert grouping rather than a single raw event. The buyer assumption is that the connected cloud accounts are the asset of record and the cloud security team needs a behavioural-baseline detection layer across the cloud surface alongside posture and workload protection. SecPortal is a different shape: scoped engagements, manual finding entry, AI report generation, branded client portal, native external scanning, authenticated DAST, and SAST plus SCA on connected repositories all live inside one workspace.

No engagement, scope, or deliverable model

Lacework is organised around the cloud account, the container, the host, the Kubernetes cluster, the identity, and the composite alert rather than around a scoped engagement with a kickoff, a defined target list, a final report, and a closure date. If the work you ship is a scoped pentest, a vulnerability assessment, an external attack surface programme, an AppSec code review, or a compliance audit with a contract scope and a deliverable, FortiCNAPP does not carry that record. The composite alert is a behavioural detection grouping, not a deliverable shaped for a client, an auditor, or a board.

No branded client portal on your tenant subdomain

Lacework output lives inside the FortiCNAPP console (and the wider Fortinet Security Fabric for connected products). There is no white-label portal a security firm, an MSSP, or an in-house security team can hand to an external client or to a stakeholder business unit under their own brand. SecPortal serves a branded client portal on the tenant subdomain so every finding, retest, remediation thread, and report download lives under your name rather than under a vendor name.

No native external vulnerability scanning, authenticated web DAST, or scoped pentest workflow outside the cloud surface

Lacework reads cloud APIs, container runtime signal through the deployed agent, Kubernetes audit logs, identity and entitlement state, and IaC against connected Git providers. It does not run its own external vulnerability scan of internet-facing assets across SSL, headers, DNS, ports, subdomains, and technology fingerprinting outside the cloud account boundary. It does not run authenticated web DAST behind stored credentials against a verified domain. The buyer is expected to license those scanners separately when the work is web application testing, scoped pentests, or external attack surface management on assets that are not cloud-native or not inside the connected accounts. SecPortal runs 16 external scanner modules, 17 authenticated web scanner modules, and SAST plus SCA via Semgrep against connected repositories on the same workspace as findings, reports, and delivery.

No AI-generated executive summaries, technical writeups, or remediation narratives shaped for an engagement

Lacework produces composite alerts, posture dashboards, attack-path views across the Polygraph graph, runtime detection trails, and Kubernetes audit reads from ingested cloud activity. The deliverable is the alert grouping, the posture report, and the attack-path view. The platform does not draft executive summaries, technical pentest writeups, or narrative remediation roadmaps that are shaped for a client read, an audit committee read, or a board read. SecPortal uses Claude to draft executive, technical, and remediation deliverables from the live findings record so the deliverable goes out without separate writeup time.

Sales-led procurement with vendor-bundled enterprise commercial pricing

Lacework FortiCNAPP pricing is sales-led with a contract floor that fits enterprise procurement: cloud workload count, connected cloud account count, agent footprint, and module bundle depending on deployment shape. After the Fortinet acquisition the product is sold inside the Fortinet Security Fabric commercial model. There is no published price list, no free tier, and no self-service path from sign-up to a real engagement. The buyer enters a procurement cycle that includes a demo, a scoping call, an account-connection plan, a runtime agent deployment plan, and an annual commitment before the platform produces value. SecPortal pricing is published on the website with a free plan, monthly Pro and Team tiers, and no annual contract floor for the Pro and Team tiers.

How behavioural cloud detection actually shows up on the operator queue

Behavioural cloud detection is a useful framing for surfacing anomalous activity that policy-rule-based CSPM misses, but the buyer should be clear-eyed about what a learned baseline gives the programme and what it costs to operate alongside a separate finding record. The contrast below is between a composite alert from a learned behavioural baseline and a finding record on an engagement record with severity, exception, retest, and audit trail on the same workspace.

Behavioural baseline detection across cloud activity is one model for cloud security

Lacework sits in a category of cloud-native security platforms that includes Wiz (Security Graph attack-path analysis), Palo Alto Prisma Cloud (multi-module CNAPP with Cortex Cloud runtime sensor), Orca Security (agentless SideScanning across block storage), Microsoft Defender for Cloud (Microsoft-first multicloud posture), Sysdig (Falco-anchored runtime), and Aqua Security (container-and-Kubernetes lifecycle). The Lacework differentiator is the Polygraph behavioural baseline that learns normal behaviour for accounts, services, containers, and identities and surfaces anomalous behaviour as composite alerts rather than raw rule firings. The shared category assumption is that the connected cloud account is the asset of record and the security team needs a multi-layer platform on top of cloud APIs and container runtimes.

A delivery and remediation workspace holds the engagement record across cloud and non-cloud work

SecPortal does not assume that the cloud account is the only asset of record. The workspace runs scoped external scanning against internet-facing assets, authenticated web DAST against a verified domain, SAST and SCA against connected GitHub, GitLab, or Bitbucket repositories, and supports manual finding entry from a tester or a reviewer. The engagement record holds the kickoff, the scope, the deliverables, the closure, and the invoice in one place. The same record carries a scoped cloud security assessment alongside an external pentest, an AppSec code review, an external attack surface engagement, and a compliance audit. The finding lives where the work is done, not in a CNAPP console that ends at the composite alert.

The right answer depends on whether the work is cloud-resident detection or scoped delivery

If the security programme already operates a multi-cloud estate across AWS, Azure, GCP, and OCI, the agent footprint can be deployed across container hosts and Kubernetes nodes, and the bottleneck is behavioural anomaly detection across cloud activity that policy-rule-based CSPM does not surface, a behavioural cloud detection platform like Lacework FortiCNAPP is the right shape. If the team needs the scanners themselves (external, authenticated, code), the engagement record, the AI report, the branded portal, and the invoice on one workspace without a stack of separate cloud agent deployments, a delivery and remediation workspace like SecPortal is the right shape. Both can be true for different parts of an enterprise programme; one is the right shape for a given buyer at a given time.

Composite alert versus engagement-shaped audit record

A behavioural composite alert tells the cloud security team that something is anomalous against the learned baseline. An engagement audit record tells the auditor which findings closed, when, against which evidence, by which named owner, under which exception. The two artefacts are not interchangeable.

A composite alert is not the same as an engagement-shaped audit record

A behavioural composite alert tells the cloud security team that a grouped pattern of activity is anomalous compared to the learned baseline at a specific point in time. It does not produce the audit record that pairs the original finding identity, the named owner, the severity rationale, the exception decision chain (if applicable), the retest evidence, and the timestamped state changes against a contract or programme scope. The composite alert artefact and the engagement audit artefact are different shapes and they sit at different points of the cloud security lifecycle.

SecPortal captures the finding identity, the owner, the severity, the exception, the retest, and the timestamped activity log on one record

SecPortal records the finding identity (template reference, scanner module, asset reference, engagement reference, control reference), the named owner from the team management catalogue, the severity through CVSS 3.1 vector parsing, the exception decision through the eight-field decision chain on the override record, the retest verification status against the original finding identity, and the timestamped state changes against named users through the activity log with CSV export. The closure record is read against the original finding identity rather than reconstructed from a composite alert snapshot.

The record lives where the operator runs and the auditor reads

In SecPortal the engagement record is the same record the operator works on, the auditor reads at fieldwork time, the client downloads from the branded portal, and the leadership view regenerates from. In a Lacework deployment the composite alerts live in the FortiCNAPP console, the work happens in the cloud control plane and downstream in the change management or IaC pipeline, and the audit trail spans the FortiCNAPP console, the cloud account audit log, the IaC pipeline log, and the change ticketing system. Reconciling those records at audit time is part of the recurring operating cost of a vendor-console-centric architecture.

Who each platform is the right fit for

Lacework and SecPortal solve different problems for different buyers. The honest answer is that the right tool depends on whether you are running behavioural anomaly detection across connected cloud accounts or running scoped engagements and findings on one workspace with native scanning of your own.

Lacework fits enterprise cloud security teams with multi-account, container-heavy estates and behavioural-baseline detection requirements

If you are an enterprise cloud security team, the cloud security function operates across AWS, Azure, GCP, and OCI accounts at scale, container and Kubernetes workloads run across the production estate, the runtime agent footprint can be deployed across hosts and clusters, and the bottleneck is behavioural anomaly detection across cloud activity that surface-level CSPM does not produce, Lacework FortiCNAPP was built for that detection shape. The buyer assumption is one behavioural-baseline cloud detection layer plus posture and workload protection plus IaC scanning across the connected cloud surface.

SecPortal fits teams who want scanning, findings, reports, and delivery in one workspace

If you are an AppSec team, a vulnerability management team, an internal security team, a product security team, a penetration testing firm, an MSSP, or a consultancy that wants the scanner, the finding record, the AI report, the branded portal, and the invoice all on one tenant, SecPortal carries that lifecycle without forcing the team to deploy cloud agents and connect every cloud account before the workspace produces value. Cloud-side findings from a separately licensed CNAPP can be imported through CSV bulk-finding-import alongside the native scan output.

SecPortal fits buyers who deliver findings to clients, business unit owners, or auditors

If you ship reports to external clients, internal business unit owners, audit committees, or external auditors, and every finding, retest, remediation thread, exception decision, and report download has to live under your brand rather than inside a vendor console that the cloud security team operates from, SecPortal is the workspace that holds that record across engagements and across years. Findings can still be imported from Lacework FortiCNAPP, Wiz, Orca, Prisma Cloud, Defender for Cloud, or any other CNAPP output through CSV when those platforms remain part of the wider cloud security programme.

Transparent pricing, no procurement cycle

SecPortal pricing is published on the website and self-service from sign-up. There is no annual contract floor, no per-workload licensing model, no cloud agent footprint planning, and no enterprise sales call required before you can run a real engagement.

SecPortal Free

Free forever

1 user, 3 clients, 2 engagements per client, 3 AI credits, 6 core scan modules.

SecPortal Pro

From $149/month

All scan modules, 100 clients, 25 AI credits/month, branded client portal, invoicing, compliance tracking.

SecPortal Team

From $299/month

Up to 5 users, 75 AI credits/month, team management, activity audit trail with CSV export, MFA enforcement.

Why teams pick SecPortal over Lacework

Run scoped engagements with a kickoff, deliverables, retests, and a final invoice on one record instead of an open-ended composite alert queue inside a vendor console
Scan internally with 16 external modules, 17 authenticated modules, and SAST plus SCA code scanning rather than depending on a cloud-account-only platform that does not cover assets outside the connected cloud accounts
Generate executive, technical, and remediation deliverables with Claude from the live findings record so the audit, client, and leadership read regenerates from the same record
Deliver findings through a branded client portal on your tenant subdomain instead of through a vendor CNAPP console
Pair every retest to the original finding identity so the closure record holds up against an audit citation rather than against a composite alert snapshot
Document CVSS 3.1, exception rationale, asset reference, and severity calibration on the engagement record so prioritisation is defensible to a board, an auditor, or a business unit owner
Map findings across 21 framework templates including OWASP, ISO 27001, SOC 2, PCI DSS, NIST 800-53, NIST 800-171, FedRAMP, MITRE ATT&CK, DORA, NIS2, CIS Controls, and Essential Eight
Store privileged scan credentials encrypted at rest with AES-256-GCM and rotate them through the in-product credential vault rather than passing credentials between cloud APIs and a separate agent footprint
Invoice clients or business units directly from the engagement record through Stripe Connect
Start on the free plan and upgrade without procurement, a workload-count audit, an agent deployment plan, or an enterprise sales call

Honest scope: what SecPortal does not do

SecPortal is a security testing and remediation workspace. It is not a CNAPP, not a runtime agent platform, not a behavioural cloud detection engine, and not a cloud workload protection product. The capabilities below are intentionally out of scope.

SecPortal does not deploy a runtime agent inside container hosts, virtual machines, or Kubernetes nodes to observe live process activity, network flow, or syscalls.
SecPortal does not connect to AWS, Azure, GCP, or Oracle Cloud accounts to read CloudTrail, Azure Activity Logs, GCP Cloud Audit Logs, or other cloud control-plane audit streams as a primary discovery mechanic.
SecPortal does not learn behavioural baselines of cloud accounts, identities, services, or container behaviour over time and does not generate composite alerts from anomalous deviation against a learned baseline.
SecPortal does not run cloud security posture management (CSPM) across connected cloud accounts, does not enforce policy compliance on cloud resources, and does not block or remediate misconfigurations inline.
SecPortal does not ship packaged push connectors into Jira, ServiceNow, Slack, Teams, PagerDuty, SIEM, SOAR, GRC, CMDB, or ticketing platforms; integration into those systems is the workspace consumer responsibility.
SecPortal does not replace a separately licensed CNAPP; cloud-side findings from FortiCNAPP, Wiz, Orca, Prisma Cloud, Defender for Cloud, or any other cloud-native security platform can be imported through CSV bulk-finding-import when those platforms remain part of the cloud security programme.

When the work is scoped engagement delivery and remediation tracking, not behavioural cloud anomaly detection across connected accounts

Run scoped AppSec, pentest, vulnerability management, and cloud security assessment engagements, generate AI reports, and ship findings through a branded portal on one workspace. SAST plus dependency analysis plus DAST plus external scanning live on the same engagement record. Pair alongside a Lacework FortiCNAPP deployment when the buyer also operates a multi-cloud estate at enterprise scale. Start free.