Cloud Security Posture Management in 2026: The Honest Vendor Comparison Wiz, Lacework, Orca, Palo Alto, CrowdStrike, and Aqua Won't Write

Samuel A. · 13 min read

A procurement lead at a Lagos-based fintech sent me three PDFs last month. One was a Wiz "CSPM buyer's guide" that concluded Wiz was the best choice. One was a Palo Alto Networks paper that concluded Prisma Cloud was the best choice. The third was a Gartner Magic Quadrant that managed to say nothing about pricing, deployment effort, or where any of the leaders fall over. There is no vendor-neutral comparison of CSPM tooling in 2026 because everyone writing one is either selling something or being paid to place vendors on a grid.

cmdev sells engineering. We do not resell Wiz, Orca, Prisma Cloud, CrowdStrike, Lacework, or Aqua. We have deployed against all six and walked away from at least one because the price quoted was three times what the customer's footprint justified. We can write the structurally honest version because our revenue does not depend on which vendor you pick.

Key takeaways

  • Five dimensions matter: coverage breadth, detection-versus-response integration with your SOAR, multi-cloud honesty (most claim it, few deliver it equally across AWS, Azure, and GCP), pricing-model honesty, and integration tax.
  • Six vendors define the market: Wiz, Lacework (now Fortinet), Orca, Palo Alto Prisma Cloud, CrowdStrike Falcon Cloud Security, and Aqua. AWS Security Hub, Microsoft Defender for Cloud, and GCP Security Command Center are the cloud-native options.
  • Wiz leads on graph visualisation and AI-SPM marketing but pricing scales aggressively with cloud spend; the procurement conversation is harder than the technical one.
  • CrowdStrike has the deepest detection moat from its endpoint heritage but the posture side still feels bolted on; Prisma Cloud has the broadest compliance coverage and the heaviest deployment; Orca's agentless architecture is its differentiator but detection depth lags.
  • For estates under roughly 50 cloud accounts, cloud-native plus Open Policy Agent and custom rules is more honest than buying CSPM. Below that scale, engineering cost beats licence cost.

Why every CSPM comparison piece you have read is useless

The CSPM vendor comparison genre — call it the Wiz Academy genre — has a predictable shape. It lays out evaluation criteria conveniently aligned with the publishing vendor's strengths, then concludes that the publishing vendor is the best choice for "modern cloud-native enterprises."

The analyst-quadrant genre is structurally the same. A vendor can pay an analyst firm enough to move within a quadrant, and the criteria are negotiable in a way that the public document does not disclose. The 2026 CNAPP leaders quadrant contains four vendors who all paid handsomely to be there. The competitor-takedown genre — Vendor A's blog explaining why Vendor B is wrong — is sometimes technically accurate but never honest about Vendor A's own weaknesses.

The piece a procurement lead actually needs covers the dimensions that matter, the per-vendor read, the price each vendor will quote, and the workload classes each one fits. It also names the build-versus-buy threshold honestly, because for a meaningful portion of the market the right answer is to not buy CSPM at all.

The five dimensions that actually matter

Coverage breadth

The 2018 CSPM thesis was IaaS-only. The 2026 thesis is CNAPP — PaaS, SaaS, identity entitlement analysis, and increasingly AI-SPM as covered in AI workload posture management. Vendors claim they cover everything. The honest questions are how many of the resource types you actually use the vendor has rules for, and how recently those rules were updated. For the long tail of newer services — Bedrock, SageMaker, Q Business, OpenSearch Serverless — "we cover Bedrock" usually means inventory plus three or four basic rules.

Detection versus response integration

CSPM that produces findings without an integration path to remediation is alert fatigue at scale. How do findings reach your SOAR, your ticketing system, your auto-remediation pipeline? Vendors who can only export findings to CSV are not viable. Vendors who require professional services to wire findings into your incident-response pipeline are an integration-tax warning.

Multi-cloud honesty

Every vendor claims multi-cloud coverage. The honest question is whether they are equally strong across AWS, Azure, and GCP, or whether they started on one cloud and bolted on the others. Vendors who started on AWS are usually weaker on Azure and weaker still on GCP. If your estate is genuinely split, the vendor's weakest cloud determines whether the tool is fit for purpose.

Pricing-model honesty

This is the dimension vendors are most opaque about, and the one that hurts most after the contract is signed.

  • Per-asset (Wiz, Orca, parts of Prisma Cloud) — every cloud resource is billable. Scales super-linearly because ephemeral resources can count as assets even though they exist for minutes.
  • Per-workload (CrowdStrike, parts of Aqua) — cleaner but penalises microservices architectures.
  • Per-cloud-account (cloud-native options, parts of Lacework) — flat fee per account. Friendly to large estates with light workloads.
  • Per-feature module (Prisma Cloud, Defender for Cloud) — base CSPM is one price; container, identity, and AI-SPM each add multipliers. The advertised price is the entry point, not the production cost.

Force the vendor to quote against your real footprint. Most will resist. The ones who comply are easier to do business with for the rest of the engagement.
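To make "quote against your real footprint" concrete, here is a small cost projection that runs the same footprint through all four pricing models above and shows how per-asset billing inflates once ephemeral resources and cloud-spend growth are counted. This is an added illustration, not the article's model or any vendor's price list: the footprint, every unit price, and the growth assumptions in `grow()` are constructed placeholders to be replaced with the figures a vendor actually quotes.

```python
"""Cost projection for the four CSPM pricing models described above.

Added illustration, not the article's model or any vendor's price list.
Every unit price and the footprint below are constructed placeholders;
swap in the figures each vendor actually quotes against your estate.
"""
from dataclasses import dataclass, replace

MODELS = ("per_asset", "per_workload", "per_account", "per_module")


@dataclass(frozen=True)
class Footprint:
    accounts: int           # cloud accounts / subscriptions / projects
    workloads: int          # long-lived VMs, containers, functions
    steady_assets: int      # resources that exist for the whole billing month
    ephemeral_per_day: int  # short-lived resources created per day (build agents, batch jobs)
    modules: int            # feature modules beyond base CSPM (container, identity, AI-SPM)


@dataclass(frozen=True)
class PriceList:
    per_asset: float          # per billable asset per year (placeholder)
    per_workload: float       # per workload per year (placeholder)
    per_account: float        # flat fee per account per year (placeholder)
    base_module: float        # base CSPM price per year (placeholder)
    module_multiplier: float  # fraction of base added per extra module (placeholder)


def billable_assets(fp: Footprint, days: int = 30) -> int:
    """Per-asset vendors count distinct resources seen in the billing period,
    so a resource that lives ten minutes is billed like one that lives all month."""
    return fp.steady_assets + fp.ephemeral_per_day * days


def annual_cost(model: str, fp: Footprint, prices: PriceList) -> float:
    if model == "per_asset":
        return billable_assets(fp) * prices.per_asset
    if model == "per_workload":
        return fp.workloads * prices.per_workload
    if model == "per_account":
        return fp.accounts * prices.per_account
    if model == "per_module":
        return prices.base_module * (1 + prices.module_multiplier * fp.modules)
    raise ValueError(f"unknown pricing model: {model}")


def grow(fp: Footprint, rate: float) -> Footprint:
    """Apply one year of cloud-spend growth. Assumption: assets and workloads grow
    with spend, account count grows at a fifth of that rate, module count is fixed."""
    return replace(
        fp,
        accounts=fp.accounts + round(fp.accounts * rate * 0.2),
        workloads=round(fp.workloads * (1 + rate)),
        steady_assets=round(fp.steady_assets * (1 + rate)),
        ephemeral_per_day=round(fp.ephemeral_per_day * (1 + rate)),
    )


def project(fp: Footprint, prices: PriceList, growth: float, years: int = 3) -> dict:
    """Year-by-year cost under every model for a footprint growing at `growth` per year."""
    costs = {m: [] for m in MODELS}
    current = fp
    for _ in range(years):
        for m in MODELS:
            costs[m].append(annual_cost(m, current, prices))
        current = grow(current, growth)
    return costs


def renewal_multiplier(series: list) -> float:
    """Final-year cost as a multiple of year one: the number procurement rarely sees."""
    return series[-1] / series[0]


# Constructed 25-account footprint with heavy CI churn, and placeholder unit prices.
FOOTPRINT = Footprint(accounts=25, workloads=400, steady_assets=3000,
                      ephemeral_per_day=200, modules=2)
PRICES = PriceList(per_asset=20.0, per_workload=150.0, per_account=4000.0,
                   base_module=60000.0, module_multiplier=0.5)

if __name__ == "__main__":
    for model, series in project(FOOTPRINT, PRICES, growth=0.4).items():
        print(f"{model:13s} " + "  ".join(f"${c:>10,.0f}" for c in series)
              + f"   year3/year1 = {renewal_multiplier(series):.2f}x")
```

The useful output is not any single year's figure but the spread between models and the year-three multiplier on the per-asset line: with 200 short-lived resources a day, two thirds of the billable asset count in this constructed footprint never exists for more than a day, which is exactly the effect the per-asset row above describes.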

Integration tax

Advertised time-to-value is 24 hours. Realistic time-to-value for a production-grade deployment is 6-12 weeks for the leaders and 4-6 months for Prisma Cloud at enterprise scale. The question is who owns this tool after the professional-services engagement ends. If the answer is "the vendor will manage it for us," the tool drifts into shelfware within twelve months.

The per-vendor honest read

Wiz

The graph visualisation is genuinely the best in the market. Attack-path analysis surfaces relationships across IAM, network, and workload posture that other tools require you to assemble manually. Deployment is fastest — a meaningful baseline is visible within 48 hours on a single-cloud AWS estate. The AI-SPM module shipped early; in practice it covers inventory and a subset of the controls in AI workload posture management, with model-version-pinning and eval-gate-enforcement still outside reach.

Pricing is opaque and scales aggressively — multiple cmdev customers have renewed Wiz at 2.5-3x year-one after cloud spend grew, and the trajectory is not surfaced at procurement. Detection depth is lighter than CrowdStrike. The 2025 Google acquisition introduced uncertainty around the long-term multi-cloud roadmap. Fits single-cloud AWS or GCP estates with strong engineering teams.

Lacework (now Fortinet)

ML-based anomaly detection on workload behaviour is genuinely differentiated — Lacework flags deviation from baseline patterns in a way rules-based competitors cannot match. Strong on Kubernetes runtime; mature compliance reporting.

The Fortinet acquisition is still settling. The integration roadmap has been published but not fully executed. Pre-acquisition support quality has shifted as engineering resources were reallocated. The standalone proposition is weakening; the integrated Fortinet Security Fabric is stronger but only attractive if you are already a Fortinet shop. Fits existing Fortinet customers; less attractive where acquisition uncertainty is a procurement risk.

Orca Security

The agentless architecture remains the cleanest deployment model in the category. For organisations with strict change-control on production workloads, this matters. Strong on data classification overlap with the DSPM-for-AI control surface. Solid multi-cloud parity.

Detection depth lags Wiz on graph analysis and CrowdStrike on runtime telemetry. The AI-SPM story is less developed — as of mid-2026 it covers inventory and basic configuration analysis but not the application-layer controls. Fits multi-cloud estates where agentless deployment is operationally important.

Palo Alto Prisma Cloud

The deepest IaaS coverage in the market — the rule library is the largest, the compliance-framework coverage (PCI DSS, HIPAA, GDPR, SOC 2, ISO 27001, NIS2, NDPA, CBN CSAT) is the broadest. For regulated organisations needing to demonstrate compliance against fifteen frameworks across a multi-cloud estate, Prisma Cloud is the tool that gets you there. Integration with Cortex XSOAR and Cortex XDR is mature.

The console is heavy, the deployment is complex, and you need a dedicated team. Honest time-to-value at enterprise scale is 4-6 months, not 4-6 weeks. Pricing is module-based and the modules add up. Fits large regulated enterprises with dedicated SecOps. The right tool for a Tier 1 Nigerian bank with NDPA, CBN CSAT, ISO 27001, and SOC 2 obligations. The wrong tool for a 50-person fintech.

CrowdStrike Falcon Cloud Security

Detection depth is the deepest in the category, inheriting CrowdStrike's endpoint moat. Runtime protection is class-leading — the EDR telemetry pipeline translates well to cloud workload contexts. Integration with the broader Falcon platform (Identity Protection, OverWatch, Charlotte AI) is operationally tight. For threat models centred on active intrusion rather than passive misconfiguration, Falcon Cloud Security is the strongest read.

The posture side still feels bolted on. CrowdStrike came from endpoint detection, acquired its way into cloud posture (Bionic, Flow Security), and integration is still in progress. IaC scanning, compliance-framework coverage, and graph visualisation lag the dedicated CSPM leaders. Pricing assumes you are also a Falcon endpoint customer; standalone pricing is uncompetitive. Fits existing Falcon customers extending into cloud.

Aqua Security

Container and Kubernetes-native heritage is genuine — Aqua was building container security before most of the competition existed. Depth on image scanning, registry posture, runtime protection, and OPA Gatekeeper integration shows that history. Strong on the hardened container tier decision for AI workloads where container provenance matters.

Less broad than the rest. Aqua is a niche specialist rather than a general-purpose CNAPP. IaaS posture is thinner, identity coverage is thin, AI-SPM is barely on the roadmap. Fits container-heavy organisations where Kubernetes and image-supply-chain security are the dominant workloads.

The cloud-native options (Security Hub, Defender for Cloud, Security Command Center)

Free or near-free. Native integration with the cloud provider's services. Defender for Cloud is genuinely strong on Azure and increasingly competent on AWS and GCP via multi-cloud connectors. GCP Security Command Center Premium has matured into a credible posture-and-detection platform within GCP. None requires procurement negotiation.

Single-cloud by default; multi-cloud extensions are weaker than the third-party leaders on non-native clouds. AI-SPM coverage is absent or early. Detection rules are baseline. Fits single-cloud estates and organisations under 50 accounts. For a single-cloud AWS estate, Security Hub plus AWS Config plus a thoughtful custom-rule library covers 70-80% of what Wiz delivers at a fraction of the cost.

Build versus buy

The honest threshold sits at roughly 50 cloud accounts or roughly $5M annual cloud spend. Below it, building on cloud-native foundations plus Open Policy Agent plus a custom rule library beats the licence cost of any of the six vendors. A capable SecOps engineer at $150-200K loaded cost can maintain the stack at 0.4 FTE for a 25-account estate. Security Hub plus AWS Config plus custom-rule development is $80-120K all-in, year one. The same estate quoted from Wiz comes in at $180-300K year one, growing at the cloud-spend rate.

Above 50 accounts, build cost scales linearly while the operational maturity of a commercial CNAPP dominates. Build crosses buy somewhere between 50 and 100 accounts; above 100 the buy case is unambiguous. Buy is also unambiguous for organisations without the SecOps capacity to build — which is most regulated organisations under 500 employees.
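What the "cloud-native plus custom rule library" build actually looks like at its core, as an added example that is not the article's code or any vendor's: a handful of posture rules evaluated over AWS Config-style configuration items, emitting findings in the Security Hub ASFF shape (so they have an integration path rather than ending up in a CSV), plus the coverage report that answers the question from the coverage-breadth section, which resource types in the estate no rule inspects at all. The inventory records, rule ids, account id and product ARN are constructed placeholders; the simplified record shapes and the `Types` value are assumptions rather than a faithful copy of AWS Config output.

```python
"""A minimal custom posture-rule library over AWS Config-style configuration items,
emitting Security Hub ASFF-shaped findings and reporting rule coverage gaps.

Added example, not the article's code or any vendor's. Inventory records, rule ids,
ACCOUNT_ID and PRODUCT_ARN are constructed placeholders; the ASFF field names follow
AWS's published finding format, the record shapes are simplified for illustration.
"""
import json
from datetime import datetime, timezone

ACCOUNT_ID = "111111111111"  # placeholder
PRODUCT_ARN = f"arn:aws:securityhub:eu-west-1:{ACCOUNT_ID}:product/{ACCOUNT_ID}/default"  # placeholder
ADMIN_PORTS = {22, 3389}

# Constructed records shaped like (simplified) AWS Config configurationItem entries.
INVENTORY = [
    {"resourceType": "AWS::S3::Bucket", "resourceId": "logs-bucket",
     "configuration": {"publicAccessBlock": {"blockPublicAcls": True, "restrictPublicBuckets": True}}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "exports-bucket",
     "configuration": {"publicAccessBlock": {"blockPublicAcls": False, "restrictPublicBuckets": False}}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0abc",
     "configuration": {"ipPermissions": [{"fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]}]}},
    {"resourceType": "AWS::RDS::DBInstance", "resourceId": "db-prod",
     "configuration": {"publiclyAccessible": False, "storageEncrypted": True}},
    {"resourceType": "AWS::Bedrock::Agent", "resourceId": "agent-1",   # constructed type name
     "configuration": {}},
]


def s3_public_access_blocked(cfg: dict) -> bool:
    pab = cfg.get("publicAccessBlock", {})
    return bool(pab.get("blockPublicAcls")) and bool(pab.get("restrictPublicBuckets"))


def sg_no_world_admin_ingress(cfg: dict) -> bool:
    for perm in cfg.get("ipPermissions", []):
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        if "0.0.0.0/0" in perm.get("ipRanges", []) and any(lo <= p <= hi for p in ADMIN_PORTS):
            return False
    return True


def rds_not_public(cfg: dict) -> bool:
    return not cfg.get("publiclyAccessible", False)


def rds_encrypted(cfg: dict) -> bool:
    return bool(cfg.get("storageEncrypted"))


# (rule id, resource type it applies to, severity label, finding title, passes(configuration))
RULES = [
    ("cm-s3-001", "AWS::S3::Bucket", "HIGH", "S3 bucket public access block not fully enabled", s3_public_access_blocked),
    ("cm-ec2-001", "AWS::EC2::SecurityGroup", "CRITICAL", "Security group allows admin-port ingress from 0.0.0.0/0", sg_no_world_admin_ingress),
    ("cm-rds-001", "AWS::RDS::DBInstance", "HIGH", "RDS instance is publicly accessible", rds_not_public),
    ("cm-rds-002", "AWS::RDS::DBInstance", "MEDIUM", "RDS storage is not encrypted", rds_encrypted),
]


def evaluate(inventory: list, rules: list) -> list:
    """Run every applicable rule over every item; one ASFF-shaped finding per failure."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    findings = []
    for item in inventory:
        for rule_id, rtype, severity, title, passes in rules:
            if item["resourceType"] != rtype or passes(item["configuration"]):
                continue
            findings.append({
                "SchemaVersion": "2018-10-08",
                "Id": f"{rule_id}/{item['resourceId']}",  # stable id: re-imports update, not duplicate
                "ProductArn": PRODUCT_ARN,
                "GeneratorId": rule_id,
                "AwsAccountId": ACCOUNT_ID,
                "Types": ["Software and Configuration Checks/AWS Security Best Practices"],
                "CreatedAt": now,
                "UpdatedAt": now,
                "Severity": {"Label": severity},
                "Title": title,
                "Description": f"{rule_id} failed for {rtype} {item['resourceId']}",
                "Resources": [{"Type": rtype, "Id": item["resourceId"]}],
                "Compliance": {"Status": "FAILED"},
            })
    return findings


def coverage_gaps(inventory: list, rules: list) -> list:
    """Resource types present in the estate that no rule inspects: the honest coverage number."""
    covered = {rule[1] for rule in rules}
    return sorted({item["resourceType"] for item in inventory} - covered)


def coverage_ratio(inventory: list, rules: list) -> float:
    types = {item["resourceType"] for item in inventory}
    return (len(types) - len(coverage_gaps(inventory, rules))) / len(types)


if __name__ == "__main__":
    found = evaluate(INVENTORY, RULES)
    print(json.dumps({"Findings": found}, indent=2))  # payload shape for BatchImportFindings
    print("uncovered resource types:", coverage_gaps(INVENTORY, RULES))
```

Two details carry most of the value: the deterministic `Id` means a nightly re-run updates the existing Security Hub finding instead of creating a new one (the alert-fatigue failure mode from the detection-versus-response section), and `coverage_gaps` is the same question to put to a vendor, with the Bedrock record standing in for the long tail of services that are inventoried but not actually checked. The `{"Findings": [...]}` payload is the shape `aws securityhub batch-import-findings` accepts.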

The matrix nobody publishes

| Workload class | Best fit | Why |
|---|---|---|
| Multi-cloud regulated enterprise (NDPA + CBN CSAT + ISO 27001) | Prisma Cloud | Framework breadth and rule depth are unmatched |
| Single-cloud AWS SaaS, growth-stage | Wiz or Security Hub + OPA | Wiz if the team can absorb price growth; cloud-native if not |
| AI-heavy enterprise (Bedrock + Azure OpenAI + Vertex) | Wiz + custom AIWPM | Wiz has the AI-SPM lead; rest from the AIWPM architecture |
| Kubernetes-centric platform | Aqua or Lacework | Container depth justifies the niche choice |
| Financial services with strict residency | Prisma Cloud or Defender for Cloud | Defender wins if Azure-dominant |
| Existing CrowdStrike endpoint shop | Falcon Cloud Security | Unified detection worth the posture-side compromises |
| Under 50 accounts, SecOps engineer available | Cloud-native + OPA | Cheaper, team understands the tool |
| Under 50 accounts, no SecOps engineer | Wiz or Orca | Fastest time-to-value |

What to ignore in the marketing

The "X% of Fortune 500" claims tell you the vendor's sales team is good, not that the tool fits your environment. Fortune 500 organisations are large enough to have multiple CSPM tools deployed across business units; the penetration number is not the endorsement it appears to be.

The analyst-quadrant placement tells you about marketing budget. The 2026 Gartner CNAPP leaders quadrant contains Wiz, Prisma Cloud, CrowdStrike, and Microsoft. Their relative positioning has more to do with quarterly briefings than with which tool fits your environment.

The AI-SPM newcomer claims are mostly CSPM plus a tag layer renamed. Most of the marketed coverage is inventory plus basic misconfiguration detection, with the application-layer controls still outside every vendor's reach.

The verdict

Per workload class, the honest cmdev recommendation:

  • Tier 1 Nigerian bank, multi-cloud, multi-framework: Prisma Cloud. Trade-off: heavy deployment, you commit to a Palo Alto relationship.
  • Lagos fintech under 50 cloud accounts: Security Hub plus Open Policy Agent plus custom rules. Trade-off: requires 0.4 FTE SecOps capacity.
  • EU energy operator under NIS2 with a mature SOC: Wiz for the graph and attack-path analysis. Trade-off: budget for year-three at 2-3x year-one.
  • AI-heavy enterprise running Bedrock in production: Wiz for the AI-SPM lead, plus the custom AIWPM architecture for the controls Wiz does not cover. Trade-off: still partly a build problem regardless of vendor.
  • Kubernetes platform team: Aqua if runtime depth matters more than broader CNAPP coverage. Trade-off: niche choice, separate procurement.
  • Existing Microsoft 365 / Azure shop extending into AWS: Defender for Cloud. Trade-off: works when AWS is a minority workload; less viable when AWS is primary.

None of these is the recommendation any vendor would write. That is the point of the piece.

FAQs

Why is cmdev allowed to write this when other consultancies cannot?

Because cmdev does not resell any of the vendors discussed. We have no kickback arrangement, no MDF, no SPIFF, no channel partnership that depends on which tool the customer picks. We sell engineering, and our revenue is independent of the procurement decision. Most cloud-security-specialist boutiques derive a meaningful portion of revenue from vendor partner programs, which structurally compromises their ability to write the honest version.

Is the Wiz pricing trajectory really 2-3x by year three?

For cmdev customers who started with Wiz on a growing cloud estate, renewal pricing at year three has consistently come in between 2.2x and 3.1x year-one ACV. The driver is per-asset pricing meeting cloud-spend growth, with ephemeral resources compounding the effect. Orca's per-asset pricing has a similar shape — Wiz is where we have the most data points.

What about Sysdig, Tenable Cloud Security, Rapid7 InsightCloudSec?

They exist and win specific procurement processes. Sysdig is strong on Kubernetes runtime. Tenable Cloud Security and Rapid7 InsightCloudSec are credible mid-market plays. None has reached the procurement consideration set of the regulated enterprises cmdev typically engages with, which is why this piece does not give them dedicated sections. For mid-market decisions, they belong on the shortlist.

How does AI-SPM coverage actually compare across vendors?

Wiz leads on marketing and inventory coverage. Prisma Cloud's AI-SPM module is GA with broader compliance framework mappings. Defender for Cloud's AI-SPM is in preview with discovery, threat protection, and an AI Bill of Materials. CrowdStrike, Lacework, Orca, and Aqua have less developed stories as of mid-2026. None covers the full eight-control surface described in AI workload posture management.

Should we run two CSPM tools in parallel?

Almost never. The cost compounds, alert deduplication is engineering work, and the operational confusion of two posture sources is worse than the marginal coverage gain. The exception is the cloud-native-plus-commercial pattern — Security Hub or Defender for Cloud as the always-on layer, plus a single commercial CNAPP for cross-cloud aggregation. The two-commercial-CNAPP pattern is shelfware waiting to happen.

How to engage

If you are running a CSPM/CNAPP procurement process and you want a vendor-neutral read on which tool fits your environment, talk to us at creativeminds.dev/contact. The Phase 0 diagnostic runs the dimensions above against your real cloud estate, models the pricing each vendor will quote against your real asset count, and produces a procurement-ready recommendation that names trade-offs honestly. We do not resell any of these vendors; the recommendation is the deliverable.
