CSPM tells you the door was unlocked yesterday at scan time. It cannot tell you someone is inside the house right now. A walk through the cloud security stack in 2025: CWPP, CIEM, KSPM, DSPM, ASPM, CNAPP, CDR, AI-SPM, and where each layer fits.
CSPM was the first cloud security category that mattered. Gartner introduced the term in 2019 alongside the now much-quoted line: "nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement and mistakes." That was true at the time.
Six years later it is still partly true, and increasingly insufficient. The cloud attack surface has expanded in directions CSPM was never built to see: into runtime, into identity, into data, into AI workloads. The breaches that defined 2023 and 2024 (Microsoft Storm-0558, MOVEit, Sisense, Snowflake) were not "the bucket was set to public." They were forged tokens, supply-chain backdoors, harvested credentials and abused federated trust. CSPM does not see any of those at the moment they happen.
This post is a walk through the layers that have grown up around CSPM, what each one does, and where the real gaps still are.
Cloud Security Posture Management is the API and control-plane scanner for your cloud accounts. It enumerates resources, evaluates them against benchmarks (CIS, NIST CSF, PCI, HIPAA, SOC 2 mappings), and emits findings on misconfigurations and drift. It is the right answer for "is this S3 bucket public," "is this RDS instance encrypted at rest," "do all my IAM policies forbid wildcards in admin actions."
It also runs into four problems by design.
One: it is snapshot-based. Sysdig's 2024 Cloud-Native Security and Usage Report found that 70% of containers live for 5 minutes or less, while a typical cloud attack averages around 10 minutes from initial access to action. Posture scans on a 24-hour cadence cannot inspect a workload that was born and died inside a single window.
Two: it sees configurations, not behavior. Reads of a sensitive bucket made with a stolen token look identical, in configuration terms, to legitimate access. A privileged role being assumed by an external account through a federated trust looks identical to routine cross-account work.
Three: it is severity-blind. A public bucket in a sandbox account looks identical to one holding PII. CSPMs commonly emit thousands of findings per week, and triaging them is not security work; it is paperwork.
Four: it has no view of identity, data sensitivity, runtime processes, or AI workloads. Each of those gaps spawned its own category.
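The three checks named above, as an added example that is not code from the original post or from any vendor: a minimal CSPM-style evaluator over a constructed inventory snapshot. The inventory layout, the sample resources and the check names are assumptions made for illustration; a real CSPM would populate the same structure from the cloud APIs. The `captured_at` stamp on every finding is the snapshot problem made visible: a workload born and destroyed between two captures never appears.

```python
"""Added example, not from the original post: a minimal CSPM-style evaluator.

Runs the three checks the text names (public S3 bucket, RDS not encrypted at rest,
wildcard admin actions in IAM) over a constructed inventory snapshot. A real CSPM
would fill the inventory from the cloud APIs; every function and sample value
below is an assumption made for illustration.
"""

ADMIN_PREFIXES = ("iam:", "sts:", "organizations:")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_public_principal(statement):
    """Principal '*' or {'AWS': '*'} grants to everyone, authenticated or not."""
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def check_public_bucket(bucket):
    """Public if an unconditional Allow targets an anonymous principal, or the ACL is public."""
    for st in bucket.get("policy", {}).get("Statement", []):
        if st.get("Effect") == "Allow" and is_public_principal(st) and not st.get("Condition"):
            return True
    return bucket.get("acl") in ("public-read", "public-read-write")


def check_rds_unencrypted(db):
    return not db.get("StorageEncrypted", False)


def check_iam_wildcard_admin(policy):
    """Return Allow actions that wildcard an admin namespace ('*', 'iam:*') against Resource '*'."""
    hits = []
    for st in policy["document"]["Statement"]:
        if st.get("Effect") != "Allow" or "*" not in _as_list(st.get("Resource", [])):
            continue
        for action in _as_list(st["Action"]):
            if action == "*" or (action.endswith("*") and action.startswith(ADMIN_PREFIXES)):
                hits.append(action)
    return hits


def evaluate(inventory):
    """Emit findings for one snapshot. Every finding carries the snapshot time:
    anything created and destroyed between two captures never appears here."""
    stamp = inventory["captured_at"]
    findings = []
    for b in inventory["s3_buckets"]:
        if check_public_bucket(b):
            findings.append({"resource": b["name"], "check": "S3_BUCKET_PUBLIC",
                             "severity": "HIGH", "captured_at": stamp})
    for db in inventory["rds_instances"]:
        if check_rds_unencrypted(db):
            findings.append({"resource": db["DBInstanceIdentifier"], "check": "RDS_NOT_ENCRYPTED",
                             "severity": "MEDIUM", "captured_at": stamp})
    for pol in inventory["iam_policies"]:
        hits = check_iam_wildcard_admin(pol)
        if hits:
            findings.append({"resource": pol["name"], "check": "IAM_WILDCARD_ADMIN",
                             "severity": "HIGH", "detail": hits, "captured_at": stamp})
    return findings


# Constructed snapshot. The severity problem from the text is visible here: a public
# sandbox bucket and a public PII bucket would both be HIGH; the evaluator cannot see contents.
SAMPLE_INVENTORY = {
    "captured_at": "2025-06-01T00:00:00Z",
    "s3_buckets": [
        {"name": "logs-sandbox", "acl": "private",
         "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::logs-sandbox/*"}]}},
        {"name": "customer-pii", "acl": "private",
         "policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
                                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-pii/*"}]}},
    ],
    "rds_instances": [
        {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": False},
        {"DBInstanceIdentifier": "analytics-db", "StorageEncrypted": True},
    ],
    "iam_policies": [
        {"name": "ops-admin", "document": {"Statement": [{"Effect": "Allow", "Action": ["iam:*", "s3:ListBucket"], "Resource": "*"}]}},
        {"name": "app-reader", "document": {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-pii/*"}]}},
    ],
}

if __name__ == "__main__":
    for f in evaluate(SAMPLE_INVENTORY):
        print(f)
```

The public-bucket check deliberately ignores statements with a `Condition` block; real evaluators have to reason about `aws:SourceVpce`, `aws:PrincipalOrgID` and similar conditions before calling a bucket public, which is one reason CSPM findings need human triage.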
CWPP (Cloud Workload Protection Platform). Coined by Gartner in 2017. Workload-centric security for VMs, containers, and serverless. Process behavior, file integrity, in-memory exploits, syscall-level telemetry. The "EDR for cloud workloads." Vendors: Trend Micro, Palo Alto Prisma Cloud, CrowdStrike Falcon Cloud Security, Aqua, Sysdig, Wiz, Microsoft Defender for Cloud.
CIEM (Cloud Infrastructure Entitlement Management). Coined by Gartner in 2020. The IAM permission engine for the cloud. Enumerates every identity (human, service, role, federated), maps effective permissions, identifies excessive grants, recommends right-sizing. Unit 42's Cloud Threat Report on IAM (Vol. 6, April 2022) found 99% of cloud users, roles, services, and resources were granted excessive permissions across 680,000 identities. Sysdig's 2024 report found only 2% of granted cloud permissions are actually used. Vendors: Sonrai, Tenable (post-Ermetic), Microsoft Entra Permissions Management, Saviynt, Britive.
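The granted-versus-used gap that CIEM tools report, as an added example that is not code from the original post or from any of the vendors listed: expand a policy's wildcards, intersect with what CloudTrail says the principal actually called, and emit a right-sized policy. The action catalogue, the broad policy, the role ARN and the events are all constructed assumptions; a real CIEM carries the full action list and reads CloudTrail or IAM Access Advisor directly.

```python
"""Added example, not from the original post: CIEM-style right-sizing of one principal.

Expands the wildcards in a granted IAM policy against a constructed, partial catalogue
of service actions, intersects the result with what CloudTrail says the principal actually
called, and emits a least-privilege policy plus the unused grants. The catalogue, policy
and events are hand-built assumptions.
"""
from fnmatch import fnmatchcase

# Constructed subset of the AWS action catalogue.
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:PutBucketPolicy",
    "iam:CreateAccessKey", "iam:CreateUser", "iam:AttachUserPolicy", "iam:ListUsers",
    "sts:AssumeRole", "ec2:DescribeInstances", "ec2:TerminateInstances",
]


def expand_actions(patterns):
    """IAM action strings are case-insensitive globs: '*', 's3:*', 'ec2:Describe*'."""
    expanded = set()
    for pattern in patterns:
        for action in ACTION_CATALOGUE:
            if fnmatchcase(action.lower(), pattern.lower()):
                expanded.add(action)
    return expanded


def granted_actions(policy_document):
    granted, resources = set(), set()
    for st in policy_document["Statement"]:
        if st.get("Effect") != "Allow":
            continue   # Deny statements narrow, never widen; ignored in this sketch
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        res = st.get("Resource", [])
        resources.update(res if isinstance(res, list) else [res])
        granted |= expand_actions(actions)
    return granted, resources


def used_actions(events, principal_arn):
    """CloudTrail gives eventSource ('s3.amazonaws.com') and eventName ('GetObject').
    Most services map 1:1 to the action prefix; a few (CloudWatch's
    'monitoring.amazonaws.com', for one) need a translation table in real code."""
    used = set()
    for ev in events:
        if ev["userIdentity"]["arn"] != principal_arn:
            continue
        service = ev["eventSource"].split(".")[0]
        used.add(f"{service}:{ev['eventName']}")
    return used


def right_size(policy_document, events, principal_arn):
    granted, resources = granted_actions(policy_document)
    used = used_actions(events, principal_arn) & granted
    policy = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": sorted(used), "Resource": sorted(resources)}]}
    return {"granted": len(granted), "used": len(used),
            "unused": sorted(granted - used), "policy": policy}


# Constructed inputs: a worker role with the kind of broad grant CIEM reports find.
WORKER = "arn:aws:iam::123456789012:role/app-worker"
BROAD_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": ["s3:*", "iam:*", "ec2:Describe*"], "Resource": "*"}]}
EVENTS = [
    {"userIdentity": {"arn": WORKER}, "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"userIdentity": {"arn": WORKER}, "eventSource": "s3.amazonaws.com", "eventName": "ListBucket"},
    {"userIdentity": {"arn": WORKER}, "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin"}, "eventSource": "iam.amazonaws.com", "eventName": "CreateUser"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(right_size(BROAD_POLICY, EVENTS, WORKER), indent=2))
```

The output policy keeps the original `Resource` scope untouched; tightening resources needs the ARNs from the events themselves, which the sketch does not read. Right-sizing from observed use is also only as good as the observation window: a permission exercised once a quarter looks unused in a 30-day sample.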
KSPM (Kubernetes Security Posture Management). CSPM for the Kubernetes control plane: RBAC, network policies, pod security standards, admission controllers, Helm chart hygiene, CIS Kubernetes Benchmark mapping. Vendors: Aqua, Sysdig, Wiz, Palo Alto, ARMO, CrowdStrike, Red Hat ACS.
DSPM (Data Security Posture Management). Gartner introduced this category in the 2022 Hype Cycle for Data Security. The thesis: posture for data, not infrastructure. Discover shadow data, classify sensitivity, map who has access, flag exposure. Critical for cloud because data sprawl in S3, GCS, Azure Blob, and SaaS is invisible to CSPM. Vendors: Cyera, Sentra, Varonis, BigID, Palo Alto (post-Dig), Rubrik (post-Laminar), Symmetry Systems.
ASPM (Application Security Posture Management). Gartner's 2023 Innovation Insight. Pulls signals from SAST, SCA, DAST, secrets scanning, IaC scanning, and runtime to produce a single application-level view of risk. Closes the build-time-to-runtime correlation gap. Vendors: Apiiro, ArmorCode, Cycode, Snyk, Legit Security, OX Security.
CNAPP (Cloud Native Application Protection Platform). Coined by Gartner in 2021 as the consolidating category. CNAPP equals CSPM plus CWPP plus CIEM plus KSPM plus IaC scanning plus container scanning, ideally with shared context across all of them. The Gartner Market Guide for CNAPP names the canonical players: Wiz, Palo Alto Prisma Cloud, CrowdStrike Falcon Cloud Security, Orca Security, Sysdig, Aqua, Microsoft Defender for Cloud, Lacework (now Fortinet), Check Point CloudGuard, Tenable Cloud Security. Google's $32B acquisition of Wiz, announced March 18, 2025, the largest in Google's history, is the clearest market signal that CNAPP is now considered foundational infrastructure.
CDR (Cloud Detection and Response). The newest layer, emerging in 2023 and 2024. Real-time detection on cloud control plane and runtime telemetry: CloudTrail, Azure Activity Log, GCP Audit Logs, plus eBPF for workload events. Behavioral analytics across identity and resource activity. Vendors: Wiz Defend, Sweet Security, Permiso, Stream Security, Sysdig Secure, Orca, Gem (acquired by Wiz, April 2024).
AI-SPM (AI Security Posture Management). Posture for AI services, models, training data, and agent workloads. Wiz launched AI-SPM in April 2024. Palo Alto Prisma Cloud built on the Dig acquisition. We come back to this one in a minute.
This is a lot of categories. The right way to read the list is not "buy nine tools." The right way is "the cloud has nine attack surfaces, and CSPM is one of them."
A short tour of incidents that posture management could not have prevented.
Capital One, July 2019. The canonical case. An SSRF in a misconfigured WAF on EC2 let the attacker reach the IMDSv1 endpoint and obtain temporary credentials for the over-permissioned ISRM-WAF-Role. With those credentials they listed 700-plus S3 buckets and exfiltrated roughly 30GB covering about 106M records. AWS released IMDSv2 in November 2019 in direct response. The CSPM failure mode is two-sided: a CSPM might catch the wildcard S3 permissions on the role, but it cannot see the runtime SSRF request to the metadata service or the credential use that followed. Source: Krebs on Security.
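Why IMDSv2 broke this chain, as an added example that is not code from the original post: the metadata service is modelled in-process rather than contacted on 169.254.169.254, and the attacker's position is the one an SSRF gives you (control of the URL, not of the HTTP method or headers). The role name is the one from the incident write-up; the credential values, class and function names are fake placeholders and assumptions for illustration.

```python
"""Added example, not from the original post: why IMDSv2 breaks the SSRF-to-credentials chain.

The metadata service is modelled in-process instead of on 169.254.169.254. IMDSv1 answers
any GET; IMDSv2 answers only GETs that carry a session token, and the token comes from a
PUT with a TTL header. A typical SSRF hands the attacker control of the URL but not of the
method or headers, so the v2 handshake is out of reach. The role name is the one from the
incident; the credential values are fake placeholders.
"""
import ipaddress
import secrets
from urllib.parse import urlsplit

ROLE = "ISRM-WAF-Role"
FAKE_CREDS = {"AccessKeyId": "ASIAEXAMPLE000000000",
              "SecretAccessKey": "example/secret/not/real",
              "Token": "example-session-token"}
TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"


class MetadataService:
    """Toy IMDS. version=1 is the legacy behaviour, version=2 enforces session tokens."""

    def __init__(self, version):
        assert version in (1, 2)
        self.version = version
        self.tokens = set()

    def handle(self, method, path, headers=None):
        headers = headers or {}
        if self.version == 2 and method == "PUT" and path == "/latest/api/token":
            if TTL_HEADER not in headers:
                return 400, ""
            token = secrets.token_urlsafe(32)
            self.tokens.add(token)
            return 200, token
        if method != "GET":
            return 405, ""
        if self.version == 2 and headers.get(TOKEN_HEADER) not in self.tokens:
            return 401, ""                      # v2: no valid session token, no metadata
        if path == "/latest/meta-data/iam/security-credentials/":
            return 200, ROLE
        if path == f"/latest/meta-data/iam/security-credentials/{ROLE}":
            return 200, FAKE_CREDS
        return 404, ""


def ssrf_fetch(imds, url):
    """What the vulnerable component effectively did: GET whatever URL it is handed."""
    return imds.handle("GET", urlsplit(url).path)


def hardened_fetch(imds, url):
    """Same fetch behind an egress guard that refuses link-local destinations,
    which is where the metadata address lives. DNS rebinding is out of scope here."""
    host = urlsplit(url).hostname or ""
    try:
        if ipaddress.ip_address(host).is_link_local:
            return 403, "refused: link-local destination"
    except ValueError:
        pass                                    # a hostname rather than a literal address
    return imds.handle("GET", urlsplit(url).path)


def sdk_fetch(imds):
    """What a current SDK does against IMDSv2: PUT for a token, then GET with it."""
    status, token = imds.handle("PUT", "/latest/api/token", {TTL_HEADER: "21600"})
    if status != 200:
        return status, ""
    return imds.handle("GET", f"/latest/meta-data/iam/security-credentials/{ROLE}",
                       {TOKEN_HEADER: token})


CREDS_URL = f"http://169.254.169.254/latest/meta-data/iam/security-credentials/{ROLE}"

if __name__ == "__main__":
    print("SSRF vs IMDSv1:", ssrf_fetch(MetadataService(1), CREDS_URL))
    print("SSRF vs IMDSv2:", ssrf_fetch(MetadataService(2), CREDS_URL))
    print("guarded fetch :", hardened_fetch(MetadataService(1), CREDS_URL))
    print("SDK vs IMDSv2 :", sdk_fetch(MetadataService(2)))
```

On a real instance the equivalent of `MetadataService(2)` is enforced with `aws ec2 modify-instance-metadata-options --http-tokens required` (and `--http-put-response-hop-limit 1` so a container cannot complete the PUT handshake through the host's network namespace). Note that this is exactly the kind of runtime setting a CSPM can check; what it still cannot see is the SSRF request itself.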
SolarWinds and SUNBURST, December 2020. APT29 / SVR. The on-prem Orion DLL backdoor was the entry. The cloud part was the "Golden SAML" pivot: stealing AD FS signing certificates, forging SAML tokens, modifying federated trust to add attacker IdPs, and minting OAuth refresh tokens against Microsoft 365. CISA documented four distinct on-prem-to-cloud lateral techniques. There is no misconfiguration to find here. The trust path was working as designed; the certificates were stolen.
Codecov Bash Uploader, January to April 2021. Attackers extracted credentials from Codecov's Docker build process and modified the Bash Uploader script to exfiltrate CI environment variables to an attacker server. Roughly 23,000 customers in scope. Two months undetected. Pure supply chain. CSPM has zero view of CI/CD scripts.
Microsoft Storm-0558, May to July 2023. A China-aligned actor obtained an MSA consumer signing key (likely from a 2021 crash dump) and exploited a token-validation flaw to forge enterprise Exchange Online tokens. Roughly 25 organizations compromised including the US State Department and Commerce. Wiz later argued the same key could have signed tokens for any Azure AD app, expanding the blast radius. CSPM cannot tell a forged-but-cryptographically-valid token from a legitimate one.
MOVEit and Cl0p, May to June 2023. Cl0p exploited CVE-2023-34362 (a SQL injection zero-day in Progress MOVEit Transfer), dropped the LEMURLOOT web shell, and exfiltrated databases. CISA tally: 3,000-plus US and 8,000-plus global organizations; about 93M individuals' data. A managed file transfer compromise, entirely outside CSPM's scope.
Sisense, April 2024. Attackers got into Sisense's self-hosted GitLab, found hardcoded AWS credentials, accessed S3, and exfiltrated multi-terabyte caches of customer secrets. CISA issued an urgent rotate-everything advisory. A code-repo-to-cloud blast that no posture tool sees.
Snowflake and UNC5537, May to June 2024. Mandiant attributed roughly 165 customer-instance compromises to UNC5537 using credentials harvested by infostealers (Lumma, Vidar, Raccoon), some up to four years old, on tenants without MFA enforced and without network allowlists. Victims included AT&T, Ticketmaster, Santander, LendingTree, Advance Auto Parts, Neiman Marcus. Snowflake's own infrastructure was not breached. The defining "CIEM and identity, not posture" case of 2024.
The pattern across all of them: the configuration was either irrelevant or only one of several factors. The actual attacks happened in runtime, in identity, in data flows, or in trust relationships that posture scanning does not model.
Mandiant's M-Trends 2025, looking at 2024 frontline data, found 39% of cloud-asset compromises came from phishing and 35% from stolen credentials, and named three drivers of cloud attack success: weak identity controls, insecure on-prem-to-cloud integrations, and poor cloud-attack-surface visibility. The IBM Cost of a Data Breach 2024 report puts public cloud breaches at $5.17M on average, the highest of any environment, and its 2023 edition found 82% of breaches involved data stored in the cloud. CrowdStrike's 2025 Global Threat Report reports cloud intrusions up 26% YoY, with 35% of cloud incidents from valid-account abuse.
The throughline of all of the above is that detection has to move closer to where the action is. CrowdStrike's 48-minute average eCrime breakout time means the window between cloud compromise and lateral movement is shorter than most posture scan cycles. Sysdig's 70%-of-containers-under-five-minutes figure makes the case on its own.
The runtime layer that has emerged:
eBPF-based telemetry. Falco (CNCF) graduated in February 2024 with over 100M downloads. eBPF lets you watch syscalls, file access, network connections, and (via plugins) AWS CloudTrail, Okta, GitHub, all without a kernel module. Sysdig and Aqua (Tracee) are the canonical commercial eBPF runtime players. Wiz Runtime Sensor and CrowdStrike Falcon use eBPF or BPF/kernel hybrids.
Behavioral analytics on the control plane. UEBA-style modeling on CloudTrail, Azure Activity Log, and GCP Audit Logs. Flag impossible travel. Flag anomalous API call sequences (e.g., iam:CreateAccessKey followed immediately by s3:GetObject from a previously unseen ASN). Flag chained role-assumption that has never happened before. This is what Cloud Detection and Response does, and it is a different shape of work than posture management.
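The two sequence detections named in the paragraph above, as an added example that is not code from the original post or from any CDR vendor: a rule for iam:CreateAccessKey followed by s3:GetObject from an ASN never seen for that principal, and a rule for a role-assumption edge absent from the baseline. The IP-to-ASN map, the baselines, the account number and the CloudTrail-shaped records are all constructed for illustration; a real pipeline reads them from an IP-intelligence feed, a learned history and the actual trail.

```python
"""Added example, not from the original post: two control-plane detections from the
paragraph above, run over constructed CloudTrail-shaped records.

  rule 1: iam:CreateAccessKey followed within WINDOW by s3:GetObject using the new key,
          from an ASN never before seen for that principal
  rule 2: a role-assumption edge (caller role -> assumed role) absent from the baseline

IP_ASN, the baselines and the events are hand-built stand-ins for an IP-intelligence
feed, a learned history and a real CloudTrail stream.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
IP_ASN = {"10.0.1.25": "AS16509", "203.0.113.9": "AS64512"}   # constructed lookup


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def principal_id(arn):
    """Collapse 'arn:aws:sts::acct:assumed-role/Role/session' to the role ARN so a
    baseline keyed on roles is not defeated by ever-changing session names."""
    if ":assumed-role/" in arn:
        account = arn.split(":")[4]
        role = arn.split(":assumed-role/")[1].split("/")[0]
        return f"arn:aws:iam::{account}:role/{role}"
    return arn


def detect(events, baseline_asns, baseline_edges):
    """events: CloudTrail records in eventTime order. Returns alert dicts."""
    alerts = []
    seen_asns = defaultdict(set, {p: set(a) for p, a in baseline_asns.items()})
    new_keys = {}   # accessKeyId -> time the key was minted

    for ev in events:
        t = parse_time(ev["eventTime"])
        who = principal_id(ev["userIdentity"]["arn"])
        asn = IP_ASN.get(ev["sourceIPAddress"], "AS-unknown")
        name = ev["eventName"]

        if name == "CreateAccessKey":
            new_keys[ev["responseElements"]["accessKey"]["accessKeyId"]] = t
        elif name == "GetObject":
            key = ev["userIdentity"].get("accessKeyId")
            if key in new_keys and t - new_keys[key] <= WINDOW and asn not in seen_asns[who]:
                alerts.append({"rule": "new-key-then-read-from-unseen-asn", "principal": who,
                               "asn": asn, "key": key, "time": ev["eventTime"]})
        elif name == "AssumeRole":
            edge = (who, ev["requestParameters"]["roleArn"])
            if edge not in baseline_edges:
                alerts.append({"rule": "never-seen-role-chain", "caller": who,
                               "target": edge[1], "time": ev["eventTime"]})

        seen_asns[who].add(asn)   # learn after evaluating, so the first sighting still alerts
    return alerts


ACCT = "123456789012"
ALICE = f"arn:aws:iam::{ACCT}:user/alice"
BASELINE_ASNS = {ALICE: ["AS16509"]}
BASELINE_EDGES = {(f"arn:aws:iam::{ACCT}:role/app-worker", f"arn:aws:iam::{ACCT}:role/s3-reader")}

# Constructed records, trimmed to the fields the rules read.
SAMPLE_EVENTS = [
    {"eventTime": "2025-06-01T12:00:00Z", "eventName": "CreateAccessKey", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"arn": ALICE}, "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLENEW00001"}}},
    {"eventTime": "2025-06-01T12:03:10Z", "eventName": "GetObject", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": ALICE, "accessKeyId": "AKIAEXAMPLENEW00001"}},
    {"eventTime": "2025-06-01T12:05:00Z", "eventName": "AssumeRole", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"arn": f"arn:aws:sts::{ACCT}:assumed-role/app-worker/i-0abc123"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCT}:role/billing-admin"}},
    {"eventTime": "2025-06-01T12:06:00Z", "eventName": "AssumeRole", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"arn": f"arn:aws:sts::{ACCT}:assumed-role/app-worker/i-0abc123"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCT}:role/s3-reader"}},
    {"eventTime": "2025-06-01T12:40:00Z", "eventName": "GetObject", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": ALICE, "accessKeyId": "AKIAEXAMPLENEW00001"}},   # outside WINDOW, ASN now known
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, BASELINE_ASNS, BASELINE_EDGES):
        print(a)
```

Two design points worth keeping when this grows up: S3 data events (GetObject) are not in the default management trail and have to be enabled per bucket or account, so rule 1 is silent until they are; and the ASN history is learned only after each record is evaluated, otherwise the first read from the new network would teach the baseline before it could alert.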
Runtime context for shift-left findings. Vendor telemetry consistently shows shift-left scanning catching most vulnerabilities, with the remainder surfacing only at runtime. Aqua's 2024 Cloud Native Threat Report noted that half of Kubernetes attacks targeted misconfigurations or vulnerabilities not visible in source code. The right answer is not shift-left versus shift-right. It is using runtime context to reprioritize shift-left findings: a critical CVE on a workload that is never network-exposed at runtime is genuinely lower priority than a medium CVE on an internet-facing pod.
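The reprioritization rule above worked through, as an added example that is not code from the original post or from any scanner: each finding keeps the CVSS base score the scanner assigned, and runtime facts (constructed here; the kind an eBPF sensor or a CNAPP graph supplies) adjust it. The weights, class names and sample CVE identifiers are illustrative assumptions, not any vendor's scoring model.

```python
"""Added example, not from the original post: reprioritising scanner findings with runtime facts.

Each finding brings the CVSS base score the scanner assigned. Runtime facts (constructed
here, the kind an eBPF sensor or CNAPP graph supplies) say whether the workload is
internet-facing, whether the vulnerable package was ever loaded, and whether the
container runs privileged. The weights are illustrative assumptions, not any vendor's model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    workload: str
    cvss: float          # scanner's base score, 0-10


@dataclass
class RuntimeFacts:
    internet_facing: bool
    loaded_packages: frozenset
    privileged: bool = False
    holds_sensitive_data: bool = False


def runtime_score(f: Finding, facts: RuntimeFacts) -> float:
    score = f.cvss
    if f.package not in facts.loaded_packages:
        score *= 0.3        # shipped in the image but never mapped into a process
    if not facts.internet_facing:
        score *= 0.5        # needs a foothold before it is reachable at all
    if facts.privileged:
        score += 1.5        # exploitation escalates straight to the node
    if facts.holds_sensitive_data:
        score += 1.0
    return round(min(score, 10.0), 1)


def reprioritise(findings, runtime):
    """Return (runtime score, cve, workload) sorted from most to least urgent."""
    scored = [(runtime_score(f, runtime[f.workload]), f.cve, f.workload) for f in findings]
    return sorted(scored, key=lambda row: row[0], reverse=True)


# Constructed inputs: the exact comparison from the text, plus a third case.
FINDINGS = [
    Finding("CVE-2024-0001", "libimage", "batch-job", 9.8),      # critical, never exposed, never loaded
    Finding("CVE-2024-0002", "httpd-core", "api-gateway", 6.5),  # medium, internet-facing
    Finding("CVE-2024-0003", "libc", "api-gateway", 9.8),        # critical, exposed, privileged
]
RUNTIME = {
    "batch-job": RuntimeFacts(internet_facing=False, loaded_packages=frozenset({"python3"})),
    "api-gateway": RuntimeFacts(internet_facing=True, loaded_packages=frozenset({"httpd-core", "libc"}),
                                privileged=True, holds_sensitive_data=True),
}

if __name__ == "__main__":
    for row in reprioritise(FINDINGS, RUNTIME):
        print(row)
```

The multipliers are the interesting part: "package never loaded" and "no network exposure" are facts only a runtime sensor can supply, and they move a 9.8 below a 6.5. The additive terms pull the other way, so a medium on a privileged, internet-facing pod holding sensitive data ends up near the top of the queue, which is what the text argues for.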
The next thing this stack has to absorb is AI workloads, and CSPM frameworks do not yet model them.
Wiz internal research from early 2024 showed more than 85% of enterprises using managed AI services (Azure AI, Bedrock, SageMaker, Vertex), and around 53% using OpenAI or Azure OpenAI SDKs. Each of those deployments introduces asset types that CIS Benchmarks and NIST CSF do not yet enumerate: model artifacts, vector databases, embedding stores, training datasets, fine-tuned weights, prompt templates.
Custom agents and MCP servers are the harder case. The Model Context Protocol, introduced in late 2024, had spawned thousands of community servers by mid-2025. Agents are routinely granted broad OAuth scopes (Google's gmail.readonly, GitHub's repo, Slack's channels:read) and live inside the cloud trust boundary despite having been authored by third parties with no SOC 2 review. CSPM does not enumerate MCP servers, does not model OAuth scope graphs, and does not see prompt-injection-induced tool calls.
The four shape-of-the-gap problems:
This is the category boundary CNAPP-plus-AI-SPM-plus-CDR is being positioned to close in vendor roadmaps right now.
You do not need every category. You need coverage on the four primitives the modern cloud actually has: configuration, identity, data, runtime. CSPM gets configuration. CIEM gets identity entitlement. DSPM gets data. CWPP plus CDR get runtime. AI-SPM is the newest addition and covers asset types the others do not yet model.
Most organizations that have done this well in 2024 and 2025 followed the same arc:
CNAPP is the consolidation. The reason Google paid $32B for Wiz is not that they think CSPM is hot. It is that they think every cloud customer eventually needs all of this in one platform, with the context shared across layers.
Zaun is not a CNAPP. It sits one layer up.
Our platform pulls telemetry from CSPM, CIEM, CWPP, CDR, IdP, SaaS audit, endpoint, and network into a single correlated graph and runs investigation autonomously when the signal crosses a threshold. We are built to operate on the runtime gap: the moment the configuration scan stops being enough and the actual attack starts.
For teams that want a 24/7 layer on top, our MDR offering plugs into the same platform. Same telemetry, same playbooks, same investigations.
If your cloud security stack has reached the point where the dashboards are louder than the people watching them, come talk to us.