Cloud Security Posture Management in 2026: The Honest Vendor Comparison Wiz, Lacework, Orca, Palo Alto, CrowdStrike, and Aqua Won't Write

By Samuel A. · 14 min read

A procurement lead at a Lagos fintech messaged me three PDFs last month, one after the other, with the same question underneath each — is this what I should be reading? The first was a Wiz "CSPM buyer's guide" that concluded, with admirable consistency, that Wiz was the best choice. The second was a Palo Alto Networks paper that concluded, with equally admirable consistency, that Prisma Cloud was the best choice. The third was a Gartner Magic Quadrant that managed to say nothing about pricing, deployment effort, or where any of the leaders fall over. She had spent her week with three documents and ended it no closer to a decision than she started.

There is no vendor-neutral comparison of CSPM tooling in 2026 because everyone writing one is either selling something or being paid to place vendors on a grid. cmdev sells engineering. We do not resell Wiz, Orca, Prisma Cloud, CrowdStrike, Lacework, or Aqua. We have deployed against all six in client engagements and walked away from at least one because the price quoted was three times what the customer's footprint justified. The piece below is the structurally honest version, because our revenue does not depend on which vendor you pick.

Key takeaways

  • Five dimensions matter: coverage breadth, detection-versus-response integration with your SOAR, multi-cloud honesty (most claim it, few deliver it equally across AWS, Azure, and GCP), pricing-model honesty, and integration tax.
  • Six vendors define the market: Wiz, Lacework (now Fortinet), Orca, Palo Alto Prisma Cloud, CrowdStrike Falcon Cloud Security, and Aqua. AWS Security Hub, Microsoft Defender for Cloud, and GCP Security Command Center are the cloud-native options.
  • Wiz leads on graph visualisation and AI-SPM marketing but pricing scales aggressively with cloud spend; the procurement conversation is harder than the technical one.
  • CrowdStrike has the deepest detection moat from its endpoint heritage but the posture side still feels bolted on; Prisma Cloud has the broadest compliance coverage and the heaviest deployment; Orca's agentless architecture is its differentiator but detection depth lags.
  • For estates under roughly 50 cloud accounts, cloud-native plus Open Policy Agent and custom rules is more honest than buying CSPM. Below that scale, engineering cost beats licence cost.

Three PDFs, Zero Answers

The CSPM vendor comparison genre — call it the Wiz Academy genre — has a predictable shape. It opens by laying out evaluation criteria conveniently aligned with the publishing vendor's strengths, then concludes, with the rhythm of a metronome, that the publishing vendor is the best choice for modern cloud-native enterprises. Read three of them and the criteria barely overlap.

The analyst-quadrant genre is structurally the same dance with different clothes. A vendor can pay an analyst firm enough to move within a quadrant, and the criteria are negotiable in a way that the public document does not disclose. The 2026 CNAPP leaders quadrant contains four vendors who all paid handsomely to be there. The competitor-takedown genre — Vendor A's blog explaining why Vendor B is wrong — is sometimes technically accurate but never honest about Vendor A's own weaknesses.

The piece a procurement lead actually needs covers the dimensions that matter, the per-vendor read, the price each vendor will quote, and the workload classes each one fits. It also names the build-versus-buy threshold honestly, because for a meaningful portion of the market the right answer is not to buy CSPM at all.

The Five Things That Actually Decide the Decision

The first dimension is coverage breadth. The 2018 CSPM thesis was IaaS-only. The 2026 thesis is CNAPP — PaaS, SaaS, identity entitlement analysis, and increasingly AI-SPM, as covered in AI workload posture management. Vendors claim they cover everything. The honest question is how many of the resource types you actually use the vendor has rules for, and how recently those rules were updated. For the long tail of newer services — Bedrock, SageMaker, Q Business, OpenSearch Serverless — "we cover Bedrock" usually means inventory plus three or four basic rules.

The second is detection versus response integration. CSPM that produces findings without an integration path to remediation is alert fatigue at scale dressed in better fonts. How do findings reach your SOAR, your ticketing system, your auto-remediation pipeline? Vendors who can only export findings to CSV are not viable. Vendors who require professional services to wire findings into your incident-response pipeline are an integration-tax warning that should land in the contract negotiation, not after.

The third is multi-cloud honesty. Every vendor claims multi-cloud coverage. The honest question is whether they are equally strong across AWS, Azure, and GCP, or whether they started on one cloud and bolted on the others. Vendors who started on AWS are usually weaker on Azure and weaker still on GCP. If your estate is genuinely split, the vendor's weakest cloud determines whether the tool is fit for purpose.

The fourth is pricing-model honesty. This is the dimension vendors are most opaque about, and the one that hurts most after the contract is signed. Per-asset pricing — Wiz, Orca, parts of Prisma Cloud — scales super-linearly, because ephemeral resources can count as assets even though they exist for minutes. Per-workload pricing — CrowdStrike, parts of Aqua — is cleaner but penalises microservices architectures. Per-cloud-account pricing — cloud-native options, parts of Lacework — is flat per account and friendly to large estates with light workloads. Per-feature-module pricing — Prisma Cloud, Defender for Cloud — quotes you a base CSPM price and then adds multipliers for container, identity, and AI-SPM modules. The advertised price is the entry point. The production cost is somewhere upstairs. Force the vendor to quote against your real footprint. Most will resist. The ones who comply are easier to do business with for the rest of the engagement.
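As an added example, not part of the original article and not any vendor's pricing (the unit prices below are placeholders), here is a small Python model of the check this dimension calls for: run a constructed 25-account footprint through the four billing bases, and see how much a per-asset quote moves depending on whether ephemeral resources are counted by every ID that ever existed or by how many are alive at once.

```python
"""Constructed footprint model for comparing CSPM billing bases.

Every number here is an assumption for illustration. The point is how the
counting rule behind "per asset" changes the quote once ephemeral resources
(CI runners, spot nodes, batch pods) are part of the estate.
"""
from dataclasses import dataclass

HOURS_PER_MONTH = 730


@dataclass(frozen=True)
class Footprint:
    accounts: int
    long_lived_assets: int           # VMs, buckets, databases, roles: exist all month
    workloads: int                   # deployable services (microservice count)
    ephemeral_spawn_per_hour: float  # new short-lived resources created per hour
    ephemeral_lifetime_min: float    # how long each of them lives, in minutes


def ephemeral_assets(fp: Footprint, counting: str) -> float:
    """Ephemeral resources in a billing month under a given counting rule.

    'distinct'   : every resource ID that existed at any point in the month
                   counts (the rule that makes per-asset pricing grow
                   super-linearly with churn)
    'concurrent' : average number alive at any instant, i.e. Little's law,
                   arrival rate x mean lifetime (what an honest quote uses)
    """
    if counting == "distinct":
        return fp.ephemeral_spawn_per_hour * HOURS_PER_MONTH
    if counting == "concurrent":
        return fp.ephemeral_spawn_per_hour * fp.ephemeral_lifetime_min / 60
    raise ValueError(f"unknown counting rule: {counting}")


def billable_assets(fp: Footprint, counting: str) -> float:
    return fp.long_lived_assets + ephemeral_assets(fp, counting)


def counting_rule_inflation(fp: Footprint) -> float:
    """How many times larger the 'distinct' asset count is than 'concurrent'."""
    return billable_assets(fp, "distinct") / billable_assets(fp, "concurrent")


# Placeholder unit prices in USD per year: assumptions, not vendor list prices.
PRICE_PER_ASSET = 25.0
PRICE_PER_WORKLOAD = 600.0
PRICE_PER_ACCOUNT = 3_000.0
MODULE_BASE = 60_000.0
MODULE_MULTIPLIERS = {"cspm": 1.0, "container": 0.5, "identity": 0.25, "ai_spm": 0.75}


def quote(fp: Footprint, counting: str = "concurrent", modules=("cspm",)) -> dict:
    """Annual cost of the same footprint under each of the four pricing models."""
    return {
        "per_asset": billable_assets(fp, counting) * PRICE_PER_ASSET,
        "per_workload": fp.workloads * PRICE_PER_WORKLOAD,
        "per_account": fp.accounts * PRICE_PER_ACCOUNT,
        "per_module": MODULE_BASE * sum(MODULE_MULTIPLIERS[m] for m in modules),
    }


# Constructed estate: 25 accounts, 2000 durable assets, 120 services, and a
# CI/batch layer that spawns 60 resources an hour, each living ~20 minutes.
SAMPLE_FOOTPRINT = Footprint(25, 2_000, 120, 60, 20)

if __name__ == "__main__":
    for rule in ("concurrent", "distinct"):
        print(rule, quote(SAMPLE_FOOTPRINT, rule))
    print(f"distinct/concurrent asset inflation: {counting_rule_inflation(SAMPLE_FOOTPRINT):.1f}x")
```

With the sample footprint, the same estate is 2,020 assets if ephemeral resources are counted concurrently and 45,800 if every ID that ever existed counts, which is the gap between a quote that looks cheaper than per-account pricing and one that is fifteen times more expensive.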

The fifth is integration tax. Advertised time-to-value is twenty-four hours. Realistic time-to-value for a production-grade deployment is six to twelve weeks for the leaders and four to six months for Prisma Cloud at enterprise scale. The question is who owns this tool after the professional-services engagement ends. If the answer is "the vendor will manage it for us", the tool drifts into shelfware within twelve months and the only person surprised is the executive who approved the purchase.

The Six Vendors, In Their Own Light

Wiz, the graph people

The graph visualisation is genuinely the best in the market. Attack-path analysis surfaces relationships across IAM, network, and workload posture that other tools require you to assemble manually. Deployment is the fastest in the category — a meaningful baseline is visible within forty-eight hours on a single-cloud AWS estate, and that first dashboard does land as advertised.

Then year three arrives. Pricing is opaque and scales aggressively. Multiple cmdev customers have renewed Wiz at two-and-a-half to three times year-one after cloud spend grew, and that trajectory is not surfaced at procurement. Detection depth is lighter than CrowdStrike. The 2025 Google acquisition introduced uncertainty around the long-term multi-cloud roadmap that has not yet resolved. The AI-SPM module shipped early — in practice it covers inventory and a subset of the controls in AI workload posture management, with model-version-pinning and eval-gate-enforcement still outside reach. Fits single-cloud AWS or GCP estates with strong engineering teams and a budget that can absorb the renewal curve.

Lacework, now Fortinet's

The ML-based anomaly detection on workload behaviour is genuinely differentiated. Lacework flags deviation from baseline patterns in a way rules-based competitors cannot match, which matters when the attacker is doing something nobody wrote a rule for. The Kubernetes runtime story is strong and the compliance reporting is mature.

The Fortinet acquisition is still settling. The integration roadmap has been published but not fully executed. Pre-acquisition support quality has shifted as engineering resources were reallocated. The standalone proposition is weakening; the integrated Fortinet Security Fabric is stronger but only attractive if you are already a Fortinet shop. Fits existing Fortinet customers comfortably and almost nobody else for the next eighteen months.

Orca, the agentless one

Orca's agentless architecture remains the cleanest deployment model in the category. For organisations with strict change-control on production workloads — and there are a lot of them in regulated sectors — this is not a feature, it is the deciding factor. Strong on data classification, which overlaps usefully with the DSPM-for-AI control surface. Multi-cloud parity is solid and consistent.

Detection depth lags Wiz on graph analysis and CrowdStrike on runtime telemetry. The AI-SPM story is less developed — as of mid-2026 it covers inventory and basic configuration analysis but not the application-layer controls. Fits multi-cloud estates where agentless deployment is operationally important and detection depth is a tolerable trade.

Palo Alto Prisma Cloud, the heavyweight

Prisma Cloud has the deepest IaaS coverage in the market. The rule library is the largest. The compliance-framework coverage — PCI DSS, HIPAA, GDPR, SOC 2, ISO 27001, NIS2, NDPA, CBN CSAT — is the broadest by a clear margin. For regulated organisations needing to demonstrate compliance against fifteen frameworks across a multi-cloud estate, Prisma Cloud is the tool that gets you there. Integration with Cortex XSOAR and Cortex XDR is mature in a way the competitors have not matched.

The console is heavy. The deployment is complex. You need a dedicated team. Honest time-to-value at enterprise scale is four to six months, not four to six weeks, and the difference between those numbers is where most procurement timelines come apart. Pricing is module-based and the modules add up faster than the procurement spreadsheet anticipated. Fits large regulated enterprises with dedicated SecOps. The right tool for a Tier 1 Nigerian bank with NDPA, CBN CSAT, ISO 27001, and SOC 2 obligations. The wrong tool for a fifty-person fintech, and we would say so on the call.

CrowdStrike Falcon Cloud Security, the runtime tribe

Detection depth is the deepest in the category, inheriting CrowdStrike's endpoint moat. Runtime protection is class-leading — the EDR telemetry pipeline translates well to cloud workload contexts, and the integration with the broader Falcon platform (Identity Protection, OverWatch, Charlotte AI) is operationally tight. For threat models centred on active intrusion rather than passive misconfiguration, Falcon Cloud Security is the strongest read in the market.

The posture side still feels bolted on. CrowdStrike came from endpoint detection, acquired its way into cloud posture (Bionic, Flow Security), and the integration is still in progress. IaC scanning, compliance-framework coverage, and graph visualisation lag the dedicated CSPM leaders. Pricing assumes you are also a Falcon endpoint customer; standalone pricing is uncompetitive. Fits existing Falcon customers extending into cloud — for everyone else, the maths does not quite work.

Aqua, the container specialists

Aqua's container and Kubernetes-native heritage is genuine. The company was building container security before most of the competition existed, and that history shows in the depth on image scanning, registry posture, runtime protection, and OPA Gatekeeper integration. Strong fit for the hardened container tier decision when AI workloads make container provenance load-bearing.

Less broad than the rest. Aqua is a niche specialist rather than a general-purpose CNAPP. IaaS posture is thinner. Identity coverage is thin. AI-SPM is barely on the roadmap. Fits container-heavy organisations where Kubernetes and image-supply-chain security are the dominant workloads — and the choice between Aqua and a CNAPP leader is the choice between depth on what matters and breadth on what does not.

The cloud-native options

Free or near-free. Native integration with the cloud provider's services. Defender for Cloud is genuinely strong on Azure and increasingly competent on AWS and GCP via multi-cloud connectors. GCP Security Command Center Premium has matured into a credible posture-and-detection platform within GCP. None requires procurement negotiation, which is its own quiet superpower.

Single-cloud by default. Multi-cloud extensions are weaker than the third-party leaders on non-native clouds. AI-SPM coverage is absent or early. Detection rules are baseline. Fits single-cloud estates and organisations under fifty accounts. For a single-cloud AWS estate, Security Hub plus AWS Config plus a thoughtful custom-rule library covers seventy to eighty per cent of what Wiz delivers at a fraction of the cost — and the fraction matters more than the percentage when the budget is tight.

The Threshold Most Procurement Teams Get Wrong

The honest threshold sits at roughly fifty cloud accounts or roughly five million dollars annual cloud spend. Below it, building on cloud-native foundations plus Open Policy Agent plus a custom rule library beats the licence cost of any of the six vendors. A capable SecOps engineer at $150-200K loaded cost can maintain the stack at 0.4 FTE for a twenty-five-account estate. Security Hub plus AWS Config plus custom-rule development is $80-120K all-in, year one. The same estate quoted from Wiz comes in at $180-300K year one, growing at the cloud-spend rate.

Above fifty accounts, build cost scales linearly while the operational maturity of a commercial CNAPP dominates. Build crosses buy somewhere between fifty and a hundred accounts. Above a hundred the buy case is unambiguous. Buy is also unambiguous for organisations without the SecOps capacity to build — which is most regulated organisations under five hundred employees, and most of the procurement leads we end up advising.

The Matrix Nobody Publishes

| Workload class | Best fit | Why |
|---|---|---|
| Multi-cloud regulated enterprise (NDPA + CBN CSAT + ISO 27001) | Prisma Cloud | Framework breadth and rule depth are unmatched |
| Single-cloud AWS SaaS, growth-stage | Wiz or Security Hub + OPA | Wiz if the team can absorb price growth; cloud-native if not |
| AI-heavy enterprise (Bedrock + Azure OpenAI + Vertex) | Wiz + custom AIWPM | Wiz has the AI-SPM lead; the rest comes from the AIWPM architecture |
| Kubernetes-centric platform | Aqua or Lacework | Container depth justifies the niche choice |
| Financial services with strict residency | Prisma Cloud or Defender for Cloud | Defender wins if Azure-dominant |
| Existing CrowdStrike endpoint shop | Falcon Cloud Security | Unified detection is worth the posture-side compromises |
| Under 50 accounts, SecOps engineer available | Cloud-native + OPA | Cheaper, and the team understands the tool |
| Under 50 accounts, no SecOps engineer | Wiz or Orca | Fastest time-to-value |

The Numbers in the Marketing That Mean Nothing

The "X per cent of the Fortune 500" claims tell you the vendor's sales team is good. They do not tell you the tool fits your environment. Fortune 500 organisations are large enough to have multiple CSPM tools deployed across business units. The penetration number is not the endorsement it appears to be.

The analyst-quadrant placement tells you about marketing budget. The 2026 Gartner CNAPP leaders quadrant contains Wiz, Prisma Cloud, CrowdStrike, and Microsoft. Their relative positioning has more to do with quarterly briefings than with which tool fits your environment.

The AI-SPM newcomer claims are mostly CSPM plus a tag layer renamed. Most of the marketed coverage is inventory plus basic misconfiguration detection, with the application-layer controls still outside every vendor's reach.

The Verdict, Per Class

Per workload class, the honest cmdev recommendation:

For a Tier 1 Nigerian bank, multi-cloud, multi-framework — Prisma Cloud. Trade-off: heavy deployment, you commit to a Palo Alto relationship for years.

For a Lagos fintech under fifty cloud accounts — Security Hub plus Open Policy Agent plus custom rules. Trade-off: requires 0.4 FTE SecOps capacity you have to find and pay for.

For an EU energy operator under NIS2 with a mature SOC — Wiz for the graph and attack-path analysis. Trade-off: budget for year-three at two-to-three times year-one and plan the conversation now.

For an AI-heavy enterprise running Bedrock in production — Wiz for the AI-SPM lead, plus the custom AIWPM architecture for the controls Wiz does not cover. Trade-off: still partly a build problem regardless of vendor.

For a Kubernetes platform team — Aqua if runtime depth matters more than broader CNAPP coverage. Trade-off: niche choice, separate procurement, smaller vendor.

For an existing Microsoft 365 / Azure shop extending into AWS — Defender for Cloud. Trade-off: works when AWS is a minority workload; less viable when AWS is primary.

None of these is the recommendation any vendor would write about themselves. So if you have spent your week with three PDFs and no clearer answer, what colour was the procurement decision you were leaning toward before any of the vendors got to you?

FAQs

Why is cmdev allowed to write this when other consultancies cannot?

Because cmdev does not resell any of the vendors discussed. We have no kickback arrangement, no MDF, no SPIFF, no channel partnership that depends on which tool the customer picks. We sell engineering, and our revenue is independent of the procurement decision. Most cloud-security-specialist boutiques derive a meaningful portion of revenue from vendor partner programs, which structurally compromises their ability to write the honest version.

Is the Wiz pricing trajectory really 2-3x by year three?

For cmdev customers who started with Wiz on a growing cloud estate, renewal pricing at year three has consistently come in between 2.2x and 3.1x year-one ACV. The driver is per-asset pricing meeting cloud-spend growth, with ephemeral resources compounding the effect. Orca's per-asset pricing has a similar shape — Wiz is where we have the most data points.

What about Sysdig, Tenable Cloud Security, Rapid7 InsightCloudSec?

They exist and win specific procurement processes. Sysdig is strong on Kubernetes runtime. Tenable Cloud Security and Rapid7 InsightCloudSec are credible mid-market plays. None has reached the procurement consideration set of the regulated enterprises cmdev typically engages with, which is why this piece does not give them dedicated sections. For mid-market decisions, they belong on the shortlist.

How does AI-SPM coverage actually compare across vendors?

Wiz leads on marketing and inventory coverage. Prisma Cloud's AI-SPM module is GA with broader compliance framework mappings. Defender for Cloud's AI-SPM is in preview with discovery, threat protection, and an AI Bill of Materials. CrowdStrike, Lacework, Orca, and Aqua have less developed stories as of mid-2026. None covers the full eight-control surface described in AI workload posture management.

Should we run two CSPM tools in parallel?

Almost never. The cost compounds, alert deduplication is engineering work, and the operational confusion of two posture sources is worse than the marginal coverage gain. The exception is the cloud-native-plus-commercial pattern — Security Hub or Defender for Cloud as the always-on layer, plus a single commercial CNAPP for cross-cloud aggregation. The two-commercial-CNAPP pattern is shelfware waiting to happen.

How to engage

If you are running a CSPM/CNAPP procurement process and you want a vendor-neutral read on which tool fits your environment, talk to us at creativeminds.dev/contact. The Phase 0 diagnostic runs the dimensions above against your real cloud estate, models the pricing each vendor will quote against your real asset count, and produces a procurement-ready recommendation that names trade-offs honestly. We do not resell any of these vendors; the recommendation is the deliverable.
