Cloud Native Security Tools: Wiz, Lacework, Orca, and Prisma Cloud Compared

An in-depth comparison of leading CNAPP platforms — Wiz, Lacework, Orca, and Prisma Cloud — covering CSPM vs CWPP vs CNAPP, agentless vs agent-based architectures, attack path analysis, and pricing models.

February 15, 2026 | 9 min read | ShipSafer Team

The cloud security tooling market has converged around a new category: Cloud-Native Application Protection Platform (CNAPP). CNAPP combines what were previously separate product categories — CSPM, CWPP, CIEM, and CI/CD security — into a single platform. Choosing between the leading vendors requires understanding the architectural tradeoffs they've made and matching them to your security program's maturity and requirements.

Understanding the Categories

Before comparing tools, it's worth clarifying what each acronym actually means:

CSPM: Cloud Security Posture Management

CSPM tools connect to cloud provider APIs and evaluate resource configurations against security best practices and compliance frameworks. They answer: "Is my cloud configured securely?"

Key CSPM capabilities:

  • Configuration assessment against CIS benchmarks, NIST, PCI-DSS, SOC2
  • Drift detection (alerting when secure configurations change)
  • Compliance reporting with evidence collection
  • Asset inventory across cloud accounts

CSPM alone is insufficient because it only looks at configuration — it doesn't assess what's running inside VMs or containers.
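
As an added illustration (not code from this article or from any of the vendors discussed), the following Python shows the shape of a CSPM configuration check with drift detection. The two security-group snapshots, the group names and the check labels are constructed; the logic flags any ingress rule that exposes an administrative or database port, or all traffic, to 0.0.0.0/0 or ::/0, then diffs two snapshots to report what changed and which findings the change introduced.

```python
import ipaddress

# Constructed sample snapshots of security-group ingress rules, shaped loosely like the
# output of an AWS "describe security groups" call. Group names and CIDRs are made up.
SNAPSHOT_DAY1 = {
    "sg-web": [{"proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"}],
    "sg-db": [{"proto": "tcp", "from": 5432, "to": 5432, "cidr": "10.0.0.0/16"}],
    "sg-bastion": [{"proto": "tcp", "from": 22, "to": 22, "cidr": "203.0.113.0/24"}],
}
SNAPSHOT_DAY2 = {
    "sg-web": [{"proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"}],
    "sg-db": [{"proto": "tcp", "from": 5432, "to": 5432, "cidr": "0.0.0.0/0"}],       # widened
    "sg-bastion": [{"proto": "tcp", "from": 22, "to": 22, "cidr": "203.0.113.0/24"},
                   {"proto": "-1", "from": 0, "to": 65535, "cidr": "0.0.0.0/0"}],  # added
}

# Ports that should never be reachable from the whole internet. The check labels built
# from these names are illustrative, not real CIS benchmark control numbers.
RESTRICTED_PORTS = {22: "SSH", 3389: "RDP", 3306: "MYSQL", 5432: "POSTGRES"}


def is_world_open(rule):
    """True for 0.0.0.0/0 or ::/0, i.e. a prefix length of zero."""
    return ipaddress.ip_network(rule["cidr"], strict=False).prefixlen == 0


def rule_covers_port(rule, port):
    # Protocol "-1" is the AWS convention for "all traffic", which implies every port.
    return rule["proto"] == "-1" or rule["from"] <= port <= rule["to"]


def assess(snapshot):
    """Evaluate every ingress rule; return sorted (group, check_id, detail) findings."""
    findings = []
    for group, rules in snapshot.items():
        for rule in rules:
            if not is_world_open(rule):
                continue
            if rule["proto"] == "-1":
                findings.append((group, "ALL_TRAFFIC_WORLD_OPEN", f"all ports from {rule['cidr']}"))
                continue
            for port, name in RESTRICTED_PORTS.items():
                if rule_covers_port(rule, port):
                    findings.append((group, f"{name}_WORLD_OPEN", f"port {port} from {rule['cidr']}"))
    return sorted(findings)


def rule_key(rule):
    return (rule["proto"], rule["from"], rule["to"], rule["cidr"])


def drift(baseline, current):
    """Rules added or removed per group since the baseline snapshot was taken."""
    changes = {}
    for group in sorted(set(baseline) | set(current)):
        before = {rule_key(r) for r in baseline.get(group, [])}
        after = {rule_key(r) for r in current.get(group, [])}
        if before != after:
            changes[group] = {"added": sorted(after - before), "removed": sorted(before - after)}
    return changes


def new_findings(baseline, current):
    """Findings introduced by drift: present now, absent in the baseline assessment."""
    return sorted(set(assess(current)) - set(assess(baseline)))


if __name__ == "__main__":
    for finding in assess(SNAPSHOT_DAY2):
        print("FINDING", *finding)
    for group, change in drift(SNAPSHOT_DAY1, SNAPSHOT_DAY2).items():
        print("DRIFT", group, change)
```

Day one passes cleanly because the only world-open rule is HTTPS on the web tier; day two reports the database group widened to the internet and an all-traffic rule added to the bastion, and the drift report shows exactly which rule changed. A real CSPM does the same over every resource type the provider API exposes and keeps the snapshots on a schedule.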

CWPP: Cloud Workload Protection Platform

CWPP tools protect running workloads — VMs, containers, and serverless functions. They answer: "Are my running workloads secure and are there active threats?"

Key CWPP capabilities:

  • Runtime threat detection (detecting exploitation attempts, cryptomining, lateral movement)
  • Vulnerability scanning of running workloads
  • Malware detection
  • Process monitoring and behavioral analysis

Traditional CWPP required agents deployed in every workload, which created operational overhead.

CIEM: Cloud Infrastructure Entitlement Management

CIEM tools analyze IAM permissions and identify excessive access. They answer: "Who can access what, and is that appropriate?"

Key CIEM capabilities:

  • Effective permissions analysis (what can each principal actually do?)
  • Unused permission identification
  • Privilege escalation path detection
  • Just-in-time access recommendations
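
To show what "effective permissions" and "unused permissions" mean in practice, the following Python is an added example, not any vendor's code or API. The action catalog, the role policy and the 90-day usage counts are constructed, and the evaluator only handles Allow and Deny statements with wildcard Action patterns (no Resource, Condition or NotAction elements). That is enough to show an explicit Deny overriding a wildcard Allow, the grants the role never exercised, and an identity-mutating grant that a CIEM tool would flag as an escalation risk.

```python
import fnmatch

# Constructed catalog of IAM actions to expand wildcards against. Real IAM has thousands
# of actions; a CIEM tool uses the provider's full action list.
ACTION_CATALOG = [
    "s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:DeleteObject",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
    "iam:CreateAccessKey", "iam:AttachUserPolicy", "iam:ListUsers",
    "secretsmanager:GetSecretValue",
]

# Constructed policy for a hypothetical role, shaped like an IAM policy document.
ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*", "secretsmanager:GetSecretValue"]},
    {"Effect": "Allow", "Action": "iam:*"},
    {"Effect": "Deny", "Action": ["s3:DeleteObject", "iam:AttachUserPolicy"]},
]}

# Constructed 90 days of CloudTrail usage for that role: action -> number of calls.
OBSERVED_USAGE = {"s3:GetObject": 21600, "secretsmanager:GetSecretValue": 2160, "ec2:DescribeInstances": 90}

# Actions that change who can do what. A grant here is the classic CIEM privilege
# escalation signal; the list is illustrative, not exhaustive.
IDENTITY_MUTATING = {"iam:CreateAccessKey", "iam:AttachUserPolicy"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    # IAM action matching is case-insensitive and supports "*" and "?" wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def effective_actions(policy, catalog=ACTION_CATALOG):
    """Allowed subset of the catalog. An explicit Deny overrides any Allow, as in IAM."""
    allows, denies = [], []
    for stmt in policy["Statement"]:
        (allows if stmt["Effect"] == "Allow" else denies).extend(_as_list(stmt["Action"]))
    return sorted(a for a in catalog if _matches(allows, a) and not _matches(denies, a))


def review(policy, usage, catalog=ACTION_CATALOG):
    """Effective permissions, the unused ones, escalation-capable grants, and a right-sized Allow list."""
    effective = effective_actions(policy, catalog)
    return {
        "effective": effective,
        "unused": [a for a in effective if usage.get(a, 0) == 0],
        "escalation_risk": sorted(set(effective) & IDENTITY_MUTATING),
        # Least-privilege rewrite: keep only the actions the principal actually exercised.
        "right_sized_allow": [a for a in effective if usage.get(a, 0) > 0],
    }


if __name__ == "__main__":
    for key, value in review(ROLE_POLICY, OBSERVED_USAGE).items():
        print(f"{key:18} {value}")
```

The "right_sized_allow" list is the just-in-time style recommendation in its simplest form: the three actions the role actually used over the observation window, with the unused iam:* wildcard dropped entirely.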

CNAPP: The Convergence

CNAPP combines CSPM + CWPP + CIEM plus:

  • CI/CD pipeline security (scanning IaC, containers before deployment)
  • Attack path analysis (connecting misconfigurations into exploitable paths)
  • Data security posture management (finding sensitive data in cloud storage)
  • Kubernetes security posture management (KSPM)

The rationale for convergence: a misconfigured security group (CSPM finding) combined with a CVE in a running container (CWPP finding) and an overpermissioned IAM role (CIEM finding) creates an attack path. Separate tools surface three separate findings; a CNAPP surfaces one prioritized risk.

Wiz: The Attack Graph Leader

Architecture

Wiz is 100% agentless. It connects via read-only API integrations to your cloud providers (AWS, Azure, GCP, OCI, Alibaba Cloud, vSphere). For workload-level visibility, Wiz uses a technique called "out-of-band scanning" — it takes snapshots of EBS volumes, disk images, and container registries and analyzes them in Wiz's own AWS environment.

The result is a graph database — the Wiz Security Graph — that models every resource, its configuration, network exposure, IAM relationships, running packages (from disk scanning), and data contents.

Attack Path Analysis

Wiz's differentiating capability is connecting individual findings into complete attack paths:

Example Wiz Attack Path:
External Internet
  → Public-facing application server (EC2 t3.large)
    Exposed because: Security group allows 0.0.0.0/0:443
  → Critical CVE: CVE-2024-XXXX in application container
    Severity: Critical, CVSS 9.8, exploit publicly available
  → Container has volume mount to host filesystem
    Can access: host /etc, /var/lib/docker
  → Node IAM role: EC2FullAccess, S3FullAccess
    Can reach: 847 S3 objects across 12 buckets
  → Sensitive data in S3 bucket "customer-exports"
    Detected: 45,000 email addresses, 12,000 SSNs

Without Wiz, this would be surfaced as four separate findings:

  1. Security group open to internet
  2. Critical CVE in container
  3. Overpermissioned node IAM role
  4. PII in S3 bucket

Only by connecting them does the true risk (internet-accessible path to 45k SSNs) become visible.
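
The following Python is an added example (not Wiz's graph model, data or API) that represents the scenario above as a small graph. Node names, finding identifiers and severities are constructed, and it adds a second, hypothetical route through an unauthenticated function URL so that the what-if analysis has something to rank: it lists every path from the internet to the sensitive bucket, then computes how many paths each single remediation closes. In this model the medium-severity IAM finding closes both paths while the critical CVE closes only one, which is the prioritization point the article makes.

```python
from collections import defaultdict

# Constructed model of the scenario above. Node and finding names are made up, and this is
# not Wiz's data model; it only shows why connecting findings into paths changes priorities.
SENSITIVE_NODES = {"s3-customer-exports"}

# Edges are (source, destination, finding_id). A hop that depends on a finding exists only
# while that finding is present; a None finding is a structural relationship that is not a
# misconfiguration by itself (for example a function using the role attached to it).
EDGES = [
    ("internet", "i-web01", "SG_WORLD_OPEN_443"),
    ("i-web01", "ctr-app", "CVE_CRITICAL_EXPLOITABLE"),
    ("ctr-app", "role-node", "CONTAINER_HOST_MOUNT"),
    ("role-node", "s3-customer-exports", "ROLE_S3_FULL_ACCESS"),
    ("role-node", "s3-static-site", "ROLE_S3_FULL_ACCESS"),
    ("internet", "fn-export", "LAMBDA_URL_NO_AUTH"),
    ("fn-export", "role-export", None),
    ("role-export", "s3-customer-exports", "ROLE_S3_FULL_ACCESS"),
]

# What each point tool would report on its own; sources and severities are constructed.
POINT_FINDINGS = {
    "SG_WORLD_OPEN_443": {"source": "CSPM", "severity": "medium", "present": True},
    "CVE_CRITICAL_EXPLOITABLE": {"source": "CWPP", "severity": "critical", "present": True},
    "CONTAINER_HOST_MOUNT": {"source": "CWPP", "severity": "high", "present": True},
    "ROLE_S3_FULL_ACCESS": {"source": "CIEM", "severity": "medium", "present": True},
    "LAMBDA_URL_NO_AUTH": {"source": "CSPM", "severity": "medium", "present": True},
}


def adjacency(edges, findings):
    adj = defaultdict(list)
    for src, dst, finding in edges:
        if finding is None or findings[finding]["present"]:
            adj[src].append((dst, finding))
    return adj


def attack_paths(edges, findings, source="internet", targets=SENSITIVE_NODES):
    """Every simple path from the source to a sensitive node, as a list of (node, finding) hops."""
    adj = adjacency(edges, findings)
    paths = []

    def walk(node, visited, hops):
        if node in targets:
            paths.append(hops)
            return
        for nxt, finding in adj[node]:
            if nxt not in visited:
                walk(nxt, visited | {nxt}, hops + [(nxt, finding)])

    walk(source, {source}, [])
    return paths


def remediated(findings, finding_id):
    """Copy of the findings with one of them fixed, for what-if analysis."""
    out = {k: dict(v) for k, v in findings.items()}
    out[finding_id]["present"] = False
    return out


def fix_impact(edges, findings):
    """Number of attack paths each single remediation removes: the ranking a CNAPP surfaces
    instead of four unrelated severities."""
    total = len(attack_paths(edges, findings))
    return {f: total - len(attack_paths(edges, remediated(findings, f))) for f in findings}


if __name__ == "__main__":
    for path in attack_paths(EDGES, POINT_FINDINGS):
        print(" -> ".join(["internet"] + [f"{n} [{f or 'structural'}]" for n, f in path]))
    for finding, cut in sorted(fix_impact(EDGES, POINT_FINDINGS).items(), key=lambda kv: -kv[1]):
        print(f"fix {finding:26} closes {cut} path(s)")
```

Ranking by a severity column would put the critical CVE first; ranking by paths closed puts the IAM policy first, because it is the one hop both routes to the sensitive bucket share. That difference is the whole argument for attack path analysis over separate finding lists.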

DAST Integration

Wiz recently added a "Technology Preview" capability to probe exposed services and verify whether vulnerabilities are actually exploitable, reducing false positives in attack path analysis.

Pricing

Wiz pricing is workload-based:

  • $15-20/month per VM
  • $5-8/month per container node
  • $1-3/month per serverless function
  • Additional for data security features

Enterprise contracts typically include all modules. Annual contracts offer significant discounts over monthly.

Strengths and Weaknesses

Strengths:

  • Fastest time-to-value (hours, not days)
  • Best attack path visualization in the market
  • Strong data security posture management
  • No operational overhead (no agents to manage)

Weaknesses:

  • No real-time runtime protection (agentless means detection delay)
  • An agent is still required if process-level monitoring is needed
  • Kubernetes visibility is good but not as deep as native Falco

Lacework: Behavioral Analytics Leader

Architecture

Lacework uses a combination of agentless cloud scanning (similar to CSPM) and an optional agent (the Lacework Agent) for deep workload monitoring. The core differentiator is the Polygraph behavior modeling system.

Polygraph works by:

  1. Collecting all API call activity from CloudTrail, GCP Audit Logs, Azure Monitor
  2. Collecting all network connections and process activity from Lacework Agents
  3. Building a machine learning baseline of normal behavior per account, per service, per workload
  4. Alerting when observed behavior deviates from the baseline

Behavioral Detection Example

Lacework's Polygraph would detect:

Anomaly: IAM Role "production-app-role" making unusual API calls

Normal behavior (last 90 days):
  s3:GetObject on "app-data" bucket: 2,400/day
  secretsmanager:GetSecretValue on "prod/db-password": 24/day
  logs:PutLogEvents: 48,000/day

Detected anomaly (today):
  ec2:RunInstances in us-west-2: 47 calls [NEW REGION - NEVER SEEN]
  s3:PutObject on "attacker-bucket": 3 calls [NEW BUCKET - NEVER SEEN]
  iam:CreateAccessKey: 2 calls [NEW BEHAVIOR]

Risk: HIGH - Credential compromise indicated

This detection doesn't require any rules about "RunInstances in unusual regions" — it fires purely because the behavior is different from the established baseline.
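
As an added example (not Lacework's Polygraph implementation), the Python below builds a baseline from constructed per-day call counts for one role and then evaluates a day of constructed events against it. Nothing in it names RunInstances or us-west-2 as suspicious; an event is flagged only because its region, its action, or its volume has no precedent in the baseline. The risk-level weights are a constructed triage heuristic.

```python
from collections import Counter
from statistics import mean, pstdev


def build_baseline(days=90):
    """Constructed 90-day history for one role: {(action, region): [calls per day, ...]}.
    A real baseline is built from CloudTrail, GCP Audit Logs or Azure Monitor events."""
    return {
        ("s3:GetObject", "us-east-1"): [2400 + (d % 7) * 10 for d in range(days)],
        ("secretsmanager:GetSecretValue", "us-east-1"): [24] * days,
        ("logs:PutLogEvents", "us-east-1"): [48000 + (d % 5) * 100 for d in range(days)],
    }


# Constructed event streams for a single day, as (action, region) pairs.
NORMAL_DAY = (
    [("s3:GetObject", "us-east-1")] * 2400
    + [("secretsmanager:GetSecretValue", "us-east-1")] * 24
    + [("logs:PutLogEvents", "us-east-1")] * 48000
)
SUSPICIOUS_DAY = NORMAL_DAY + (
    [("ec2:RunInstances", "us-west-2")] * 47
    + [("s3:PutObject", "us-east-1")] * 3
    + [("iam:CreateAccessKey", "us-east-1")] * 2
)


def profile(baseline):
    """Known actions, known regions, and per-pair (mean, stddev) of daily call counts."""
    actions = {action for action, _ in baseline}
    regions = {region for _, region in baseline}
    stats = {pair: (mean(counts), pstdev(counts)) for pair, counts in baseline.items()}
    return actions, regions, stats


def detect(baseline, events, k=3.0):
    """Anomalies as (label, action, region, count), derived only from deviation from the
    baseline; no per-action or per-region rule is consulted."""
    actions, regions, stats = profile(baseline)
    anomalies = []
    for (action, region), count in sorted(Counter(events).items()):
        if region not in regions:
            anomalies.append(("NEW_REGION", action, region, count))
        elif action not in actions:
            anomalies.append(("NEW_ACTION", action, region, count))
        elif (action, region) not in stats:
            anomalies.append(("NEW_ACTION_REGION_PAIR", action, region, count))
        else:
            mu, sigma = stats[(action, region)]
            # Floor sigma at 1 so a perfectly constant history still tolerates a small change.
            if count > mu + k * max(sigma, 1.0):
                anomalies.append(("VOLUME_SPIKE", action, region, count))
    return anomalies


def risk_level(anomalies):
    """Constructed triage heuristic: novelty weighs more than volume, and identity-changing
    actions weigh more than anything else."""
    weight = {"NEW_REGION": 2, "NEW_ACTION": 2, "NEW_ACTION_REGION_PAIR": 1, "VOLUME_SPIKE": 1}
    total = sum(weight[label] + (2 if action.startswith("iam:") else 0)
                for label, action, _, _ in anomalies)
    return "HIGH" if total >= 5 else "MEDIUM" if total >= 2 else "LOW"


if __name__ == "__main__":
    found = detect(build_baseline(), SUSPICIOUS_DAY)
    for label, action, region, count in found:
        print(f"{label:24} {action} in {region}: {count} calls")
    print("Risk:", risk_level(found))
```

The ordinary day produces no alerts even though its counts are not identical to any single day in the history, which is the point of a statistical baseline over a fixed threshold. The same code also explains the 2-4 week baseline period noted later: with too few days of history the mean and deviation are not yet stable enough to separate a spike from normal variance.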

Pricing

Lacework pricing is based on compute resources monitored:

  • Per vCPU/month for VM workloads (agent-based)
  • Per cloud account/month for agentless scanning
  • Enterprise contracts are volume-discounted

Typically $15-30/VM/month for full platform coverage.

Strengths and Weaknesses

Strengths:

  • Best behavioral anomaly detection — catches novel attacks
  • Low false positive rate after baseline period
  • Strong threat investigation workflow
  • Good coverage for financial services compliance requirements

Weaknesses:

  • Baseline period (2-4 weeks) before meaningful alerts
  • Less polished UI than Wiz
  • Attack path visualization is less comprehensive

Orca Security: Agentless Deep Scanning

Architecture

Orca pioneered "SideScanning" — taking read-only snapshots of cloud storage (EBS, Azure Managed Disks, GCP persistent disks) and analyzing them in Orca's environment. This provides depth comparable to agent-based scanning (running processes, installed packages, sensitive files) without deploying any software.

Contextual Risk Prioritization

Orca's scoring model combines:

  • Vulnerability severity (CVE CVSS score)
  • Exploitability (is an exploit available? is it being actively exploited?)
  • Asset exposure (is the workload internet-facing?)
  • Crown jewel proximity (is sensitive data or a privileged role reachable from this workload?)
  • Lateral movement potential (what other resources can be reached?)

This produces an "Orca Score" that ranks findings by actual risk rather than just technical severity. A critical CVE on an isolated dev instance scores lower than a medium CVE on an internet-facing instance with database access.
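
The factors above can be turned into a reproducible ranking. The following Python is an added example with constructed findings and illustrative weights; it is not Orca's scoring formula. It applies a context multiplier to the CVSS base score, returns the factors that raised each finding, and ranks the medium CVE on the internet-facing, crown-jewel-adjacent host above the critical CVE on the isolated dev box, matching the paragraph's example.

```python
# Constructed findings. The factors are the ones listed above; the weights and the formula
# are illustrative and are not Orca's scoring model.
SAMPLE_FINDINGS = [
    {"id": "critical-cve-dev-box", "cvss": 9.8, "exploit_available": True, "actively_exploited": False,
     "internet_facing": False, "crown_jewel_reachable": False, "lateral_targets": 0},
    {"id": "medium-cve-web-prod", "cvss": 5.3, "exploit_available": True, "actively_exploited": True,
     "internet_facing": True, "crown_jewel_reachable": True, "lateral_targets": 12},
    {"id": "high-cve-public-api", "cvss": 7.5, "exploit_available": True, "actively_exploited": False,
     "internet_facing": True, "crown_jewel_reachable": False, "lateral_targets": 2},
]

# Each context factor adds to a multiplier applied to the technical severity, so an
# unreachable critical CVE cannot outrank a reachable medium one on severity alone.
CONTEXT_WEIGHTS = {
    "internet_facing": 1.0,
    "exploit_available": 0.5,
    "actively_exploited": 1.0,
    "crown_jewel_reachable": 1.0,
}
LATERAL_WEIGHT_PER_TARGET = 0.05   # contribution is capped at 10 targets below


def contextual_score(finding):
    """Return (score, reasons): the contextual risk score and the factors that raised it."""
    multiplier, reasons = 1.0, []
    for factor, weight in CONTEXT_WEIGHTS.items():
        if finding[factor]:
            multiplier += weight
            reasons.append(factor)
    lateral = min(finding["lateral_targets"], 10)
    if lateral:
        multiplier += lateral * LATERAL_WEIGHT_PER_TARGET
        reasons.append(f"lateral_targets={finding['lateral_targets']}")
    return round(finding["cvss"] * multiplier, 2), reasons


def rank(findings):
    """Findings ordered by contextual score, highest first, each with its explanation."""
    scored = [(finding["id"], *contextual_score(finding)) for finding in findings]
    return sorted(scored, key=lambda row: row[1], reverse=True)


def severity_only_rank(findings):
    """The ordering a plain CVSS sort gives, for comparison."""
    return [f["id"] for f in sorted(findings, key=lambda f: f["cvss"], reverse=True)]


if __name__ == "__main__":
    print("severity only :", severity_only_rank(SAMPLE_FINDINGS))
    for finding_id, score, reasons in rank(SAMPLE_FINDINGS):
        print(f"{score:6.2f}  {finding_id:22} {', '.join(reasons) or 'no context factors'}")
```

Returning the reasons alongside the score matters in practice: an analyst who is asked to patch a medium CVE ahead of a critical one needs to see that it is internet-facing, actively exploited and one hop from the crown jewels, or the ranking will be ignored.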

Data Security Posture Management

Orca has particularly strong data security capabilities — it scans disk snapshots for:

  • PII (SSNs, credit card numbers, email addresses, phone numbers)
  • Credentials (API keys, passwords, private keys)
  • Regulated data patterns (HIPAA PHI, PCI cardholder data)

This catches sensitive data that leaked into unexpected locations — developer test environments with production data copies, backup buckets with unencrypted sensitive data, etc.

Pricing

Orca uses workload-based pricing similar to Wiz, typically $10-18/VM/month.

Strengths and Weaknesses

Strengths:

  • True zero-agent architecture (no network access to customer workloads)
  • Strong data security posture management
  • Good cloud drift detection
  • Fast deployment

Weaknesses:

  • No real-time runtime protection
  • Lower detection fidelity than agent-based tools for active threats
  • Attack path analysis less mature than Wiz

Prisma Cloud (Palo Alto Networks): Most Comprehensive

Architecture

Prisma Cloud is the most feature-complete platform, built from acquisitions of RedLock (CSPM), Twistlock (container/Kubernetes security), and Bridgecrew (IaC scanning). It offers both agentless scanning and the Defender agent for deep workload protection.

Defender Agent Capabilities

The Prisma Cloud Defender agent deploys as a DaemonSet in Kubernetes and as a service on VMs. It provides:

  • Real-time container runtime protection: blocking exploit attempts, alerting on suspicious process behavior
  • Network firewall enforcement: enforcing microsegmentation policies at the container level
  • Forensics: capturing filesystem and process state at the time of an alert for post-incident analysis
  • WAAS (Web Application and API Security): in-line request inspection for web application protection

# Deploy Defenders via Helm
helm install twistlock-defender twistlock/twistlock-defender \
  --namespace twistlock \
  --create-namespace \
  --set defender.wsAddress=wss://app.prismacloud.io:443 \
  --set defender.communicationPort=8084 \
  --set defender.installBundle="<token>"

CI/CD Pipeline Integration

Prisma Cloud's Bridgecrew integration scans Infrastructure as Code in CI/CD pipelines:

# GitHub Actions integration
- name: Prisma Cloud IaC Scan
  uses: bridgecrewio/checkov-action@master
  with:
    directory: infrastructure/
    check: CKV_AWS_*
    framework: terraform
    output_format: sarif
    output_file_path: results.sarif
    soft_fail: false
    prisma_api_url: https://api.prismacloud.io

Pricing

Prisma Cloud pricing is complex and module-based:

  • Cloud Security (CSPM): $3-8/resource/month
  • Runtime Security (CWPP): $10-25/VM/month, $5-10/container/month
  • Enterprise platform licensing often ~$500K-$2M/year for large organizations

Strengths and Weaknesses

Strengths:

  • Most comprehensive feature set
  • Best CI/CD pipeline security
  • Real-time runtime protection with blocking capability
  • 80+ compliance frameworks

Weaknesses:

  • Most expensive option
  • Longest deployment time
  • Higher operational overhead
  • UI can be overwhelming

Selecting the Right Tool

Requirement                                  | Best Fit
---------------------------------------------|----------------------------------
Fast deployment, minimal ops overhead        | Wiz or Orca
Novel threat detection, behavioral analytics | Lacework
Real-time workload protection with blocking  | Prisma Cloud
Deep data security posture management        | Wiz or Orca
CI/CD pipeline security                      | Prisma Cloud (Checkov/Bridgecrew)
Startup / SMB budget                         | Orca or Lacework
Enterprise, regulated industry               | Prisma Cloud or Wiz Enterprise

Most security teams benefit more from choosing one platform and deploying it comprehensively than from deploying multiple tools with overlapping coverage. The exception is using a specialized tool for a specific gap — for example, using Falco for Kubernetes runtime alongside Wiz for CSPM, where Wiz doesn't provide the process-level depth needed.

The $0 option that covers significant ground: open-source tools including Trivy (vulnerability scanning), Checkov (IaC scanning), Prowler (AWS CIS benchmark), and kube-bench (Kubernetes CIS benchmark) can provide meaningful coverage before a CNAPP budget is available.
