What Is a Cloud-Native Application Protection Platform (CNAPP)? Four Must-Have Features

Panoptica Team
Tuesday, Dec 20th, 2022

Cloud security is a giant field for good reason: 77% of CIOs say their IT environment changes once every minute or less. As you can imagine, the dynamic nature of cloud computing makes preventing, detecting and fixing vulnerabilities much more challenging. To solve such challenges, many are turning to a CNAPP – but only ones with the following 4 essential features.

A fast-paced, ever-changing cloud environment is only the tip of the iceberg. CIOs also say their teams use, on average, 10 separate tools to monitor their cloud environment. Even with all these tools, they report observability across merely 9% of their environment.

Nine percent.

It’s time for a change. How can DevOps and security teams do more with fewer tools? It’s called a cloud-native application protection platform (CNAPP).

What Is a Cloud-Native Application Protection Platform (CNAPP)?

A CNAPP is an all-in-one platform that simplifies monitoring, detecting and remediating potential cloud security threats and vulnerabilities — from pre-deployment phases to incidents live in production. It is an integrated approach to cloud security and compliance.

What do we mean by all-in-one?

Traditionally, teams use a number of different tools to cover all their cloud security bases. A CNAPP brings an integrated approach to cloud security and compliance by typically covering:

  • Cloud Security Posture Management (CSPM): manages monitoring, identification, alerting and remediation of compliance risks and misconfigurations in cloud environments.
  • Kubernetes Security Posture Management (KSPM): automates security measures across K8s clusters.
  • Cloud Workload Protection (CWPP): continuously monitors cloud workloads to detect and remove threats from a cloud environment.
  • Cloud Infrastructure Entitlement Management (CIEM): manages identities and privileges in cloud environments.
  • Continuous Integration and Continuous Delivery (CI/CD Security): identifies and mitigates security weaknesses at every stage of the CI/CD pipeline.
  • Infrastructure-as-Code (IaC) Scanning: scans IaC files and identifies security risks and infrastructure misconfigurations before deploying them to production.

Most CNAPPs will, by definition, include these tools. However, not all CNAPPs are created equal. The following four features will take your cloud security efforts to the next level.

Four Must-Have CNAPP Features

#1. Agentless

Agentless scanning is a method of inspecting a cloud device for vulnerabilities without having to install software on it. Instead, it reaches out from the server directly to the device.

Agentless monitoring was built to address the limitations of agent-based scanning. Agent-based scanning runs “agents” – software packages or applications – on your machines and devices and reports back on vulnerabilities. This comes with a few disadvantages:

  • Manpower resources and time to install agents and oversee their management and maintenance
  • Issues with software compatibility
  • Negative impacts on cloud workload performance
  • Increase in security risks due to high privileges and access credentials

There’s a time and a place for agent-based scanning. (In fact, mixed environments would benefit from a combined agentless + agent-based approach.)

But to overcome these problems and get quick cloud security wins, you’ll want to look for a CNAPP that leads with agentless scanning.

#2. Built on the Graph

A graph is a cross-platform map of your cloud environment that is created by building an explicit and well-defined relationship table stating all the possible links between assets from a multi-cloud environment and how these can be deduced from the data collected.

A CNAPP that is built on the graph (as opposed to integrating third-party graph technology with the system) allows users to view attack paths that show new and unknown risks – not just known attack vectors.

This important feature unlocks the capability for 2 more must-have CNAPP features.

#3. Contextual Prioritization (Root Cause Analysis)

Teams that are using 10+ tools to monitor their cloud environments understand the reality of alert fatigue.

Alert fatigue is usually the result of a long list of findings that DevSecOps teams have to sift through to determine relevance and priority.

Instead, look for a CNAPP that offers true contextual prioritization. This means the platform goes beyond basic visualizations and rules-based risk approaches by conducting root cause analysis. It contextualizes everything and delivers the most urgent cloud risks, in order.
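The relationship table from #2 and the prioritization from #3 can be shown together in code. The example below is added for illustration and is not Panoptica's code or algorithm: it turns a relationship table into a graph, enumerates paths from an internet entry point to a sensitive asset, and ranks findings on those paths ahead of higher-severity findings on isolated assets. All asset names, relations, findings and the ranking rule are constructed assumptions.

```python
from collections import defaultdict

# Constructed relationship table: (source asset, relation, target asset).
RELATIONS = [
    ("internet", "can_reach", "aws:elb/web"),
    ("aws:elb/web", "routes_to", "k8s:pod/frontend"),
    ("k8s:pod/frontend", "runs_as", "aws:iam-role/frontend"),
    ("aws:iam-role/frontend", "can_read", "aws:s3/customer-data"),
    ("k8s:pod/frontend", "can_reach", "gcp:vm/batch"),
    ("gcp:vm/batch", "runs_as", "gcp:sa/batch"),
    ("aws:ec2/build", "runs_as", "aws:iam-role/build"),
]
CROWN_JEWELS = {"aws:s3/customer-data"}  # assumed sensitive asset

# Constructed findings: (asset, title, severity 1-10).
FINDINGS = [
    ("aws:ec2/build", "Critical CVE in unused package", 9),
    ("aws:iam-role/frontend", "Wildcard s3:Get* policy", 5),
    ("k8s:pod/frontend", "Container runs as root", 6),
    ("gcp:vm/batch", "Outdated OS image", 7),
]

def build_graph(relations):
    """Adjacency list keyed by source asset."""
    graph = defaultdict(list)
    for src, rel, dst in relations:
        graph[src].append((rel, dst))
    return graph

def attack_paths(graph, start, targets):
    """Enumerate simple paths from start to any target asset (iterative DFS)."""
    paths, stack = [], [[start]]
    while stack:
        path = stack.pop()
        if path[-1] in targets:
            paths.append(path)
            continue
        for _rel, nxt in graph.get(path[-1], []):
            if nxt not in path:  # skip cycles
                stack.append(path + [nxt])
    return paths

def prioritize(findings, paths):
    """Findings on a path to a crown jewel outrank isolated ones, then by severity."""
    exposed = {asset for p in paths for asset in p}
    return sorted(findings, key=lambda f: (f[0] in exposed, f[2]), reverse=True)

PATHS = attack_paths(build_graph(RELATIONS), "internet", CROWN_JEWELS)
RANKED = prioritize(FINDINGS, PATHS)
```

The severity-9 finding on the isolated build host lands below the severity-5 and severity-6 findings that sit on the single path to the customer-data bucket.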

#4. Dynamic Remediation

CNAPP feature #3 leads us to this next one: dynamic remediation.

Remediation is the process of resolving threats to a cloud environment. Your developers are the experts, but they only have so much time in the day. That’s why you need a CNAPP that goes beyond just generic recommendations. You need a platform that recommends specific guardrails that your developers can take, tweak and remediate faster than ever.


Cloud security is an important job. And when it comes to tools, less is more – look for an agentless CNAPP that truly brings everything together. Using a CNAPP like Panoptica, you can improve developer and security team effectiveness, reduce complexity and costs while maintaining speed and agility in product development.
