What is a Cloud-Native Application Protection Platform (CNAPP), why are security leaders recommended to implement a CNAPP, what should they look for in a CNAPP, and how should they manage the evaluation process? Per our understanding, this is all laid out in the 2024 Market Guide for Cloud-Native Application Protection Platforms (CNAPPs) by Gartner®.

In this blog, we will share our key takeaways from the Gartner CNAPP report and why Gartner is recommending that a CNAPP is used to support modern DevSecOps environments.

What is a CNAPP?

A CNAPP is a comprehensive cloud security solution that consolidates the capabilities of siloed tools such as CSPM, CWPP, KSPM, and CIEM into a single, unified platform and secures cloud infrastructure and applications across all life cycle stages. The advantages of a CNAPP are that it reduces operational complexity, provides better risk prioritization since it sees the full picture, and that it brings together previously siloed teams, including developers, DevOps, and security teams.

Driving factors behind CNAPP adoption

In the report, as per our understanding, Gartner mentions three driving factors behind the increasing CNAPP adoption:

  • Cloud-native application development is increasing, with Gartner predicting that “by 2029, 35% of all enterprise applications will run in containers, an increase from less than 15% in 2023.” (2024 Gartner Market Guide for Cloud-Native Application Protection Platforms (CNAPPs))
  • The attack surface of cloud-native applications and infrastructure is expanding, making them an increasingly attractive target for attackers.
  • Within organizations, operational responsibilities are shifting toward developers and cloud architects, rather than being the sole responsibility of security teams.

Why is a CNAPP needed for modern DevSecOps?

DevSecOps is the practice that integrates security measures into the DevOps process, emphasizing a culture of shared responsibility for security throughout the development lifecycle. By combining development, security, and operations, DevSecOps ensures that security is a core component rather than an afterthought, enabling the rapid and secure delivery of software.

As organizations increasingly adopt cloud-native application development, the need for agile and integrated security measures becomes paramount. A CNAPP meets this need by offering a unified approach to security across the entire software development life cycle, combining capabilities such as workload protection, configuration management, application security and compliance monitoring within a single platform and seamlessly integrating into the existing CI/CD process.

“By 2029, 60% of enterprises that do not deploy a unified CNAPP solution within their cloud architecture will lack extensive visibility into the cloud attack surface and consequently fail to achieve their desired zero-trust goals.”

2024 Gartner Market Guide for Cloud-Native Application Protection Platforms (CNAPPs)

Our key takeaways from the Gartner CNAPP report 

Below we have listed our six key takeaways from the report:

#1. A CNAPP should be truly unified

As one of Gartner’s CNAPP recommendations, the report states that security leaders responsible for cloud security strategies should: “Prioritize comprehensive and unified CNAPPs that offer a wide range of capabilities with the necessary breadth and depth of functionality to seamlessly integrate across the entire development ecosystem and cloud platform environment.” (2024 Gartner Market Guide for Cloud-Native Application Protection Platforms (CNAPPs))

As a purpose-built CNAPP, Orca combines all cloud security telemetry in a unified data model, including workload-deep intelligence, cloud configuration metadata, identity policies, data scanning, and more. Only a unified data model can provide the holistic insights needed in a CNAPP.

“All core services should be fully integrated, not loosely coupled independent modules (typically resulting from a vendor’s internal silos, poorly integrated OEM components or those added from an acquisition). Integration should include the front-end console, unified policy across multiple points of inspection and a unified back-end data model.”

2024 Gartner Market Guide for Cloud-Native Application Protection Platforms (CNAPPs)

#2. A CNAPP should not require developers to leave their environment 

Gartner mentions that one of the challenges to CNAPP adoption is that: “Developers perceive security teams as impeding the speed of modern DevOps processes. Security controls weren’t designed for the speed and scale of cloud-native applications and weren’t designed with the developer as the central customer. Historically, the result has been poorly integrated testing that required the developer to leave their development environment, slow development and waste their time with false positives or asking them to remediate low-risk vulnerabilities.” (2024 Gartner Market Guide for Cloud-Native Application Protection Platforms (CNAPPs))

Orca’s Shift Left Security offers native integrations with common CI and development tools, including Jenkins, BitBucket, CircleCI, GitHub, and GitLab, plus an Orca command-line interface (Orca CLI) that surfaces findings both in native development tooling and in the Orca Platform UI. Further integrations with ticketing systems such as Jira and ServiceNow, as well as SOAR, SIEM, and other tools, help teams streamline operations and avoid confusion about team responsibilities.

#3. A CNAPP must provide visibility into sensitive data

Gartner notes that “For example, sensitive-data visibility and control is often a priority capability for clients but is difficult for many CNAPP vendors to address.” (2024 Gartner Market Guide for Cloud-Native Application Protection Platforms (CNAPPs))

Orca is one of the few CNAPPs that provides full Data Security Posture Management (DSPM): it scans managed, unmanaged, and shadow data, giving security teams wide and deep visibility into where their sensitive data resides.

“Understanding of data context in unstructured and structured storage repositories is necessary to fully understand and address the context and prioritization of risks, but many CNAPP vendors don’t yet offer this.”

2024 Gartner Market Guide for Cloud-Native Application Protection Platforms (CNAPPs)

#4. A CNAPP must prioritize risks based on potential business impact

A challenge that practically all security teams suffer from is alert fatigue. This happens when security professionals are exposed to a large number of often meaningless, unprioritized security alerts and consequently become overwhelmed and desensitized, causing them to miss the actual critical ones. Gartner states that “Prioritizing the risk findings is critical, as developers and security professionals are overloaded with the alerts and findings of siloed tools.” (2024 Gartner Market Guide for Cloud-Native Application Protection Platforms (CNAPPs))

The Orca Cloud Security Alert Fatigue Survey found that 55% of respondents said that critical alerts are being missed due to alert fatigue, often on a weekly and even daily basis.

Gartner notes that “Since risk-free applications are impossible, information security must prioritize risk findings according to business context, identifying the root cause and enabling developers to focus first on the highest risk findings with the highest confidence of potential business impact.” (2024 Gartner Market Guide for Cloud-Native Application Protection Platforms (CNAPPs))

Orca provides intuitive risk prioritization by applying a granular risk score to each alert. This allows teams to easily understand which risks are the most critical and need to be remediated first. The Orca risk score ranges from 1.0-10.0 and is determined by considering risk accessibility, exploitability, complexity, and potential impact, as well as the full context of the risk and the surrounding cloud environment.

#5. A CNAPP should offer deep insights into relationships using graphs 

Gartner notes that a well-architected, single-vendor CNAPP offering should have “A deep understanding of the relationships between an application’s elements (VMs, containers, service functions and storage), security posture, permissions and connectivity, typically enabled by underlying graph database technology.” (2024 Gartner Market Guide for Cloud-Native Application Protection Platforms (CNAPPs))

Orca displays an interactive graph for each alert, showing the context of the risk: whether it is exposed to the Internet, whether it allows lateral movement, how it relates to other cloud assets and risks, and whether those relationships provide a path to business-critical assets.

The Orca Platform detects all critical attack paths in your environment and displays them in a visual map so security engineers can easily understand how to break the attack path. By understanding which combinations are a direct path to critical assets, security teams can operate strategically and make sure that the most dangerous risks are remediated first.
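To make the graph-based attack-path idea concrete, here is a small added illustration (not Orca’s code, data model, or scoring algorithm): a constructed cloud-asset graph is searched for every path from an internet-exposed node to an asset holding sensitive data, and each path gets a toy 1.0–10.0 score so the shortest, most exploitable path ranks first. All asset names, attributes and the scoring weights are made up for the example.

```python
from collections import deque

# Constructed sample inventory (not real cloud data). Each node carries the
# attributes a CNAPP would derive from posture, workload and data scanning.
ASSETS = {
    "igw":         {"type": "internet", "exposed": True},
    "web-vm":      {"type": "vm", "vuln": True},        # unpatched, reachable
    "app-role":    {"type": "iam_role"},                # role attached to web-vm
    "db-vm":       {"type": "vm"},                      # not reachable from outside
    "pii-bucket":  {"type": "storage", "sensitive": True},
    "logs-bucket": {"type": "storage", "sensitive": False},
}
# Directed edges mean "can reach / can use" (network reachability or IAM grant).
EDGES = {
    "igw": ["web-vm"],
    "web-vm": ["app-role"],
    "app-role": ["pii-bucket", "logs-bucket"],
    "db-vm": ["pii-bucket"],
}

def find_attack_paths(assets, edges):
    """Breadth-first search: every simple path from an exposed node to a
    sensitive asset. Paths are returned shortest-first."""
    paths = []
    for start in (n for n, a in assets.items() if a.get("exposed")):
        queue = deque([[start]])
        while queue:
            path = queue.popleft()
            node = path[-1]
            if assets[node].get("sensitive"):
                paths.append(path)
                continue  # crown jewel reached; do not search past it
            for nxt in edges.get(node, []):
                if nxt not in path:  # skip cycles
                    queue.append(path + [nxt])
    return paths

def score_path(assets, path):
    """Toy prioritisation: fewer hops and more exploitable hops score higher,
    clamped to the 1.0-10.0 range. Weights are illustrative assumptions."""
    hops = len(path) - 1
    exploitable = sum(1 for n in path if assets[n].get("vuln"))
    raw = 10.0 - 1.5 * (hops - 1) + 2.0 * exploitable
    return round(max(1.0, min(10.0, raw)), 1)

def rank_attack_paths(assets, edges):
    """Attack paths sorted by score, highest (most urgent) first."""
    paths = find_attack_paths(assets, edges)
    return sorted(((score_path(assets, p), p) for p in paths), reverse=True)
```

Note that db-vm also reaches pii-bucket but never appears in a path, because nothing exposed can reach it; that is the kind of context a flat finding list cannot express.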

#6. A CNAPP should show the development source of risks 

In a cloud-native environment, security teams may be able to identify a risk in production, but finding its origin – the piece of code that needs to be adjusted and the developer who owns it – can be a painstaking process. Gartner notes that a well-architected, single-vendor CNAPP offering should have “An understanding of the relationship between development artifacts (custom code, libraries, container images, VMs and IaC scripts) as well as who created them and when they were created, who deployed them and when they were deployed, and who changed them and when they were changed.” (2024 Gartner Market Guide for Cloud-Native Application Protection Platforms (CNAPPs))

If a misconfiguration or vulnerability is found in production, Orca automatically includes information on the original source code repository where the risk originated, down to the exact line of code at the root of the identified risk.

In this way, Orca eliminates the need for security teams to spend time tracing the source artifacts and their respective owners, greatly reducing Mean Time to Resolution (MTTR) and freeing up valuable time for higher-value activities.

About Orca CNAPP 

Orca Security is recognized as a representative CNAPP vendor in the 2024 Gartner® Market Guide for CNAPP

The Orca Platform is a unified, purpose-built, Cloud-Native Application Protection Platform (CNAPP) for AWS, Azure, GCP, Kubernetes, Alibaba Cloud, and Oracle Cloud that:

  • Continuously monitors for all cloud risks across the entire SDLC, including misconfigurations, vulnerabilities, malware, API risks, compliance risks, exposed sensitive data, AI risks, and overprivileged identities.
  • Offers agentless-first capabilities to deliver quick time-to-value and comprehensive visibility combined with third-party agent integrations from solutions like Aqua Security, Windows Defender, and CrowdStrike Falcon.
  • Uses the full context of risks to show which ones are critical and need to be addressed right away – something that siloed or poorly integrated cloud security tools cannot do.
  • Enables fast remediation with automated and guided remediation options, including remediation code generated with GenAI.

Learn more about CNAPP

If you would like to learn more about CNAPP, read our What is CNAPP blog, download the 2024 Gartner CNAPP Market Guide, read more about the Orca CNAPP Platform, or book a 1:1 with one of our CNAPP experts.


Gartner, Market Guide for Cloud-Native Application Protection Platforms, Dale Koeppen, Charlie Winckless, Neil MacDonald, Esraa ElTahawy, 22 July 2024. 

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.