Cloud-Native Application Protection Platform (CNAPP) Cheat Sheet

Updated 2026-05-21

A CNAPP (Cloud-Native Application Protection Platform) is a unified security suite that consolidates CSPM, CWPP, CIEM, KSPM, DSPM, ASPM, and CDR into a single integrated platform, covering cloud-native applications from code commit through production runtime. Coined by Gartner in the 2021 Hype Cycle for Cloud Security, the term captures a deliberate shift away from point-tool sprawl toward a cohesive risk engine that connects posture, identity, workload, data, and runtime signals into one prioritized view. The critical insight driving adoption is that cloud breaches rarely stem from a single finding: they emerge from toxic combinations, such as a misconfigured storage bucket combined with an over-permissioned IAM role combined with an internet-exposed workload, each individually medium-risk but collectively critical. CNAPP platforms address this by modeling every cloud resource and relationship in a security graph, surfacing the attack paths that matter rather than the theoretical noise that doesn't.

What This Cheat Sheet Covers

This topic spans 17 focused tables and 142 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.

  • Table 1: CNAPP Architecture and Core Components
  • Table 2: CNAPP vs. Point Tools: The Consolidation Case
  • Table 3: Agentless vs. Agent-Based Scanning
  • Table 4: Vulnerability Prioritization and Reachability Analysis
  • Table 5: Identity and Entitlement Security (CIEM)
  • Table 6: Runtime Threat Detection and Response
  • Table 7: IaC Security and Shift-Left Integration
  • Table 8: Data Security Posture Management (DSPM) and Secrets Discovery
  • Table 9: Kubernetes and Container Posture (KSPM)
  • Table 10: AI Workload Protection (AI-SPM)
  • Table 11: Compliance Frameworks and Automated Assessment
  • Table 12: CNAPP Integration with SIEM, SOAR, and Ticketing
  • Table 13: Multi-Cloud and Hybrid Coverage
  • Table 14: CNAPP Vendor Landscape
  • Table 15: Deployment Patterns and CNAPP Onboarding
  • Table 16: Common Pitfalls and Operational Challenges
  • Table 17: POC and Vendor Evaluation Criteria

Table 1: CNAPP Architecture and Core Components

Every CNAPP is built on the convergence of several formerly standalone cloud security disciplines into a single data model and policy engine. Understanding what each pillar does, and how they reinforce each other, is the foundation for evaluating and operating any CNAPP product.

Concept / Example / Description

CSPM (Cloud Security Posture Management)
  Example: S3 bucket has PublicAccessBlock disabled → flagged critical
  Description: Continuously monitors cloud resource configurations via provider APIs (AWS Config, Azure Resource Graph, GCP Cloud Asset Inventory), identifying misconfigurations against benchmarks such as CIS, NIST, PCI DSS, and SOC 2.

CWPP (Cloud Workload Protection Platform)
  Example: Falco rule fires when execve is called inside a running container
  Description: Provides vulnerability scanning, malware detection, and behavioral runtime monitoring for VMs, containers, and serverless functions, using agents or agentless snapshot scanning.

CIEM (Cloud Infrastructure Entitlement Management)
  Example: IAM role with AdministratorAccess has not been used in 90 days
  Description: Discovers and governs human and machine identity permissions across cloud environments, enforcing least-privilege by revoking stale or excessive entitlements.

KSPM (Kubernetes Security Posture Management)
  Example: kube-bench CIS check: API server flag --anonymous-auth=true
  Description: Automates security assessment of Kubernetes cluster configurations, RBAC policies, network policies, and pod security settings against CIS Benchmarks and custom policies.

DSPM (Data Security Posture Management)
  Example: S3 bucket tagged env:prod contains unencrypted PHI records
  Description: Discovers, classifies, and monitors sensitive data (PII, PHI, PCI) across multi-cloud storage, building exposure graphs that show who can reach what data through which configuration path.
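The "toxic combination" idea from the introduction and the pillar findings in Table 1 (CSPM bucket misconfiguration, CWPP reachable vulnerability, CIEM stale admin role, DSPM sensitive data) come together in the security graph. The script below is an added illustration written for this cheat sheet; it is not code from CheatGrid or from any CNAPP vendor. It builds a tiny directed graph of constructed resources, enumerates attack paths from the internet to a bucket holding PHI, and scores each path by summing the severities of the findings along it, so that a chain of individually medium findings is ranked critical. All resource names, findings, severities, dates and the critical threshold are constructed sample values.

```python
"""
Toy CNAPP-style security-graph prioritizer (added example, not vendor code).
Nodes are cloud resources carrying findings from the CSPM/CWPP/CIEM/DSPM
pillars; edges are reachability relationships (network exposure, role
attachment, data access). Attack paths from the internet to sensitive data
are enumerated and scored so that "toxic combinations" surface as critical
even though every single finding on the path is only medium severity.
Every name, finding, severity and date below is constructed sample data.
"""
from collections import defaultdict
from datetime import date

# Constructed inventory: one entry per resource, tagged with pillar findings.
NODES = {
    "internet":       {"type": "internet", "findings": []},
    "web-vm":         {"type": "workload", "findings": ["public_ip", "cve_high_reachable"]},  # CWPP
    "batch-vm":       {"type": "workload", "findings": ["cve_high_reachable"]},               # CWPP
    "app-role":       {"type": "iam_role", "findings": ["admin_policy"],                      # CIEM
                       "last_used": date(2026, 1, 1)},
    "reports-bucket": {"type": "bucket",   "findings": ["public_access_block_off"]},          # CSPM
    "phi-bucket":     {"type": "bucket",   "findings": ["unencrypted", "contains_phi"]},      # DSPM
}

# Constructed reachability edges: (from, to) means "from" can reach "to".
EDGES = [
    ("internet", "web-vm"),        # public IP exposes the workload to the internet
    ("web-vm", "app-role"),        # instance profile attaches the role
    ("batch-vm", "app-role"),
    ("app-role", "phi-bucket"),    # AdministratorAccess reaches every bucket
    ("app-role", "reports-bucket"),
]

# Constructed per-finding severities on a 0-10 scale; nothing here exceeds 6 (medium).
SEVERITY = {
    "public_ip": 4, "cve_high_reachable": 6, "admin_policy": 5,
    "public_access_block_off": 5, "unencrypted": 4, "contains_phi": 3,
}


def attack_paths(nodes, edges, source="internet"):
    """Depth-first enumeration of simple paths from `source` to any node
    whose findings say it holds PHI (the DSPM 'crown jewel' marker)."""
    adj = defaultdict(list)
    for src, dst in edges:
        adj[src].append(dst)
    found = []

    def dfs(node, path):
        if "contains_phi" in nodes[node]["findings"]:
            found.append(list(path))
            return
        for nxt in adj[node]:
            if nxt not in path:          # avoid cycles
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(source, [source])
    return found


def path_score(nodes, path):
    """Sum the severities of every finding on every hop of the path."""
    return sum(SEVERITY[f] for n in path for f in nodes[n]["findings"])


def stale_admin_roles(nodes, today=date(2026, 5, 21), max_idle_days=90):
    """CIEM-style check: roles with an admin policy unused for > max_idle_days.
    `today` defaults to a constructed date so the example runs offline."""
    return [
        name for name, n in nodes.items()
        if n["type"] == "iam_role"
        and "admin_policy" in n["findings"]
        and (today - n["last_used"]).days > max_idle_days
    ]


def prioritize(nodes=NODES, edges=EDGES, critical_at=15):
    """Rank attack paths by combined score; a path at or above `critical_at`
    is labelled critical even when no single finding reaches that level."""
    scored = sorted(((path_score(nodes, p), p) for p in attack_paths(nodes, edges)),
                    reverse=True)
    return [(s, p, "critical" if s >= critical_at else "medium") for s, p in scored]


if __name__ == "__main__":
    for score, path, label in prioritize():
        print(f"{label:8} score={score:2}  " + " -> ".join(path))
    print("stale admin roles:", stale_admin_roles(NODES))
```

Running it ranks the single internet -> web-vm -> app-role -> phi-bucket path as critical (score 22) although the highest individual severity on it is 6, and lists app-role as a stale admin entitlement; batch-vm carries the same CVE but is not internet-reachable, so it generates no path. A real CNAPP does the same thing with far richer edge types (network reachability, trust policies, data access grants), which is why the graph, not the isolated finding, is the unit of prioritization.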
