Forecasts predict public cloud spending will soar to over $720 billion by 2025, with 90%[1] of organizations embracing a hybrid cloud approach by 2027. These figures could also be eclipsed as more businesses unearth the potential impact that AI can make on their productivity. The pace of evolution is staggering, but one thing hasn’t changed: the cloud security market is a maze of complexity. Filled with acronyms, overlapping capabilities, and endless use cases tailored to every buyer persona.
On top of this, organizations face a fragmented landscape of security tools, each designed to cover just one slice of the cloud security puzzle. Then there’s CNAPP (Cloud-Native Application Protection Platform) — a broad platform promising to do it all but often falling short, especially around providing runtime detection and response capabilities. It’s no wonder organizations struggle to cut through the noise and find the precision they require.
Looking more closely at what CNAPP has to offer, it can feel like as if it is all you would ever need, but is that really the case?
Strengths and limitations of CNAPP
A CNAPP is undeniably a compelling solution, originally coming from CSPM (Cloud Security Posture Management), it provided organizations with a snapshot of their deployed cloud assets, highlighting whether they were as secure as intended. However, this often resulted in an overwhelming list of issues to fix, leaving organizations unsure where to focus their energy for maximum impact.
To address this, CNAPP’s evolved, incorporating capabilities like; identifying software vulnerabilities, mapping attack paths, and understanding which identities could act within the cloud. The goal became clear: prioritize fixes to reduce the risk of compromise.
But what if we could avoid these problems altogether? Imagine deploying software securely from the start — preventing the merging of vulnerable packages and ensuring proper configurations in production environments by shifting left. This preventative approach is vital to any “secure by design” strategy, CNAPP’s again evolving to add this functionality alongside.
However, as applications grow more complex, so do the variety and scope of potential issues. The responsibility for addressing these challenges often falls to engineers, who are left balancing the pressure to write code with the burden of fixing critical findings that may never even pose a real risk to the organization.
While CNAPP serves as an essential risk prevention tool — focusing on hygiene, compliance, and enabling organizations to deploy high-quality code on well-configured infrastructure — its role is largely limited to reducing the potential for issues. Once applications and infrastructure are live, the game changes. Security’s focus shifts to detecting unwanted activity and responding to real-time risks.
Limitations of CNAPP
Here’s where CNAPP shows its limitations:
1. Blind spots for on-premises workloads
Designed for cloud-native environments, it can leave blind spots for workloads that remain on-premises — a significant concern given that 90% of organizations are expected to adopt a hybrid cloud strategy by 2027. These blind spots can increase the risk of cross-domain attacks, underscoring the need for a solution that goes beyond purely prevention but adds real-time detection and response.
2. Detecting and mitigating cross-domain threats
Adversaries have evolved to exploit the complexity of hybrid and cloud environments through cross-domain attacks. These attacks span multiple domains — including traditional network environments, identity systems, SaaS platforms, and cloud environments — making them exceptionally difficult to detect and mitigate. Attackers are human and will naturally choose the path of least resistance, why spend time writing a detailed software exploit for a vulnerability if you can just target the identity?
Imagine a scenario where an attacker compromises an organization via leaked credentials and then moves laterally, similar to the example outlined in this blog: The Price of Admission: Countering Stolen Credentials with Darktrace. If an attacker identifies cloud credentials and moves into the cloud control plane, they could access additional sensitive data. Without a detection platform that monitors these areas for unusual activity, while working to consolidate findings into a unified timeline, detecting these types of attacks becomes incredibly challenging.
A CNAPP might only point to a potential misconfiguration of an identity or for example a misconfiguration around secret storage, but it cannot detect when that misconfiguration has been exploited — let alone respond to it.
Identity + Network: Unlocking cross-domain threats
Identity is more than just a role or username; it is essentially an access point for attackers to leverage and move between different areas of a digital estate. Real-time monitoring of human and non-human identities is crucial for understanding intent, spotting anomalies, and preventing possible attacks before they spread.
Non-human roles, such as service accounts or automation tooling, often operate with trust and without oversight. In 2024, the Cybersecurity and Critical Infrastructure Agency (CISA) [2] released a warning regarding new strategies employed by SolarWinds attackers. These strategies were primarily aimed at cloud infrastructure and non-human identities. The warning details how attackers leverage credentials and valid applications for malicious purposes.
With organizations opting for a hybrid approach, combining network, identity, cloud management and cloud runtime activity is essential to detecting and mitigating cross domain attacks, these are just some of the capabilities needed for effective detection and response:
- AI driven automated and unified investigation of events – due to the volume of data and activity within businesses digital estates leveraging AI is vital, to enable SOC teams in understanding and facilitating proportional and effective responses.
- Real-time monitoring auditing combined with anomaly detection for human and non-human identities.
- A unified investigation platform that can deliver a real-time understanding of Identity, deployed cloud assets, runtime and contextual findings as well as coverage for remaining on premises workloads.
- The ability to leverage threat intelligence automatically to detect potential malicious activities quickly.
The future of cloud security: Balancing risk management with real-time detection and response
Darktrace / CLOUD's CDR approach enhances CNAPP by providing the essential detection and native response needed to protect against cross-domain threats. Its agentless, default setup is both cost-effective and scalable, creating a runtime baseline that significantly boosts visibility for security teams. While proactive controls are crucial for cloud security, pairing them with Cloud Detection and Response solutions addresses a broader range of challenges.
With Darktrace / CLOUD, organizations benefit from continuous, real-time monitoring and advanced AI-driven behavioural detection, ensuring proactive detection and a robust cloud-native response. This integrated approach delivers comprehensive protection across the digital estate.
Unlock advanced cloud protection
Download the Darktrace / CLOUD solution brief to discover how autonomous, AI-driven defense can secure your environment in real-time.
References
- https://www.gartner.com/en/newsroom/press-releases/2024-11-19-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-total-723-billion-dollars-in-2025
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-057a
Look out for your first newsletter, coming soon.
