What Is CWPP? Cloud Workload Protection Explained
What Is a Cloud Workload Protection Platform (CWPP)? #
A cloud workload protection platform (CWPP) is a security solution that monitors and protects workloads running across cloud, on-premises, and hybrid infrastructure. The term was originally defined by Gartner to describe tools that focus specifically on securing the compute layer - the VMs, containers, serverless functions, and other runtime environments where applications execute.
The distinction matters because cloud security is not one problem. Your cloud infrastructure has a configuration layer (are your S3 buckets public?), an identity layer (who can access what?), and a workload layer (what's running inside your compute resources?). CWPP addresses that third layer. It watches the processes, file systems, network connections, and system calls happening inside your workloads and flags anything that looks like an active threat.
A CWPP typically protects several types of compute workloads:
- Virtual machines (EC2 instances, Azure VMs, GCE instances)
- Containers running on Docker, Kubernetes, ECS, or similar orchestrators
- Serverless functions like AWS Lambda, Azure Functions, and Google Cloud Functions
- Bare-metal servers in on-premises or co-location environments
- Ephemeral and batch workloads - short-lived processes for tasks like data processing or CI/CD jobs
Why Does CWPP Matter? #
Traditional perimeter-based security assumed you could draw a boundary around your infrastructure and guard the edges. That model breaks down in cloud environments where workloads spin up and disappear in seconds, span multiple providers, and run on shared infrastructure you don't control.
The shift to containers and serverless architectures compounds the problem. A Kubernetes cluster might run hundreds of pods, each with its own set of dependencies, network policies, and potential vulnerabilities. Without workload-level visibility, security teams are left guessing about what's running inside their infrastructure.
Three trends drive CWPP adoption:
The attack surface keeps expanding. Every container image pulled from a public registry, every third-party library in a Lambda function, and every VM running outdated packages is a potential entry point. CWPP tools scan these artifacts for known vulnerabilities and monitor them at runtime for exploitation attempts.
Cloud-native architectures are ephemeral. Workloads that exist for minutes or seconds don't show up in periodic security scans. CWPP provides continuous, real-time monitoring that matches the pace of modern infrastructure.
Compliance frameworks now require runtime monitoring. Standards like PCI-DSS, SOC 2, and HIPAA require evidence that you're monitoring workloads for threats and maintaining audit trails. CWPP platforms generate the logs and reports that auditors expect.
What Are the Core Capabilities of a CWPP? #
CWPP products vary, but most share a common set of capabilities that span the workload lifecycle from build to runtime.
Vulnerability Management #
CWPP tools scan container images, VM snapshots, and application dependencies for known CVEs (Common Vulnerabilities and Exposures). This scanning happens both in CI/CD pipelines (shift-left) and continuously against running workloads. The goal is to identify vulnerable packages before they get exploited - or at least know they're there if a new CVE drops.
Runtime Threat Detection #
This is where CWPP diverges from static scanning tools. Runtime protection monitors system calls, process execution, file system changes, and network connections inside live workloads. If a container starts spawning unexpected processes or making outbound connections to unknown IPs, the CWPP flags it. Some platforms use behavioral baselines to distinguish normal activity from anomalous behavior.
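To make the behavioral-baseline idea concrete, here is an added example (not code from the article or from any CWPP vendor): a per-image baseline of expected processes and egress networks, with constructed agent-style events run through it. The image names, container IDs and addresses are all made up.

```python
"""Toy runtime detector: per-image behavioral baseline, flag deviations.
Added example with constructed events; not a vendor's detection logic."""
from ipaddress import ip_address, ip_network

# Constructed baseline: what each container image is expected to do.
BASELINE = {
    "web/nginx:1.25": {
        "processes": {"nginx", "sh"},
        "egress": [ip_network("10.0.0.0/8")],  # internal services only
    },
}

# Constructed runtime events in the shape a CWPP agent might emit.
EVENTS = [
    {"container": "web-7f9", "image": "web/nginx:1.25", "type": "exec", "comm": "nginx"},
    {"container": "web-7f9", "image": "web/nginx:1.25", "type": "connect", "dst": "10.0.3.4", "port": 5432},
    {"container": "web-7f9", "image": "web/nginx:1.25", "type": "exec", "comm": "curl"},
    {"container": "web-7f9", "image": "web/nginx:1.25", "type": "connect", "dst": "203.0.113.9", "port": 4444},
    {"container": "job-1a2", "image": "batch/etl:3", "type": "exec", "comm": "python3"},
]

def evaluate(event, baseline=BASELINE):
    """Return an alert string if the event deviates from its image's baseline, else None."""
    profile = baseline.get(event["image"])
    if profile is None:
        # No baseline learned for this image yet: surface it for review rather than stay silent.
        return f"{event['container']}: no baseline for image {event['image']}"
    if event["type"] == "exec" and event["comm"] not in profile["processes"]:
        return f"{event['container']}: unexpected process {event['comm']}"
    if event["type"] == "connect":
        dst = ip_address(event["dst"])
        if not any(dst in net for net in profile["egress"]):
            return f"{event['container']}: outbound connection to {dst}:{event['port']} outside baseline"
    return None

def detect(events, baseline=BASELINE):
    """Run every event through the baseline and collect the alerts."""
    return [alert for alert in (evaluate(e, baseline) for e in events) if alert]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

A real platform learns the baseline from observed behavior over a warm-up window and keys it on more than the image tag, but the decision logic is the same shape.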
Network Segmentation and Microsegmentation #
CWPP platforms can enforce network policies between workloads, restricting lateral movement. If an attacker compromises one container, microsegmentation limits their ability to reach other services. This is different from VPC-level network controls - it operates at the workload layer, following the workload wherever it runs.
System Integrity Monitoring #
File integrity monitoring (FIM) tracks changes to critical system files, configuration files, and binaries. If someone modifies /etc/passwd on a production VM or alters a container's filesystem at runtime, the CWPP detects and alerts on it.
Application Control and Allowlisting #
Some CWPP solutions enforce application allowlists, preventing unauthorized executables from running. This is particularly relevant for locked-down environments where the set of approved processes is well defined.
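The file integrity monitoring and application allowlisting capabilities above share one building block, a hash baseline, so here is a single added example covering both (not code from the article or any vendor). It snapshots a constructed directory tree in a temp dir, reports modified/added/removed files, and approves an executable only if its hash is on the allowlist.

```python
"""FIM plus hash-based application allowlisting on a constructed file tree.
Added example; the files and hashes are created in a temp dir at run time."""
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Map each regular file under root (POSIX-style relative path) to its sha256."""
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*") if p.is_file()}

def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify changes the way a CWPP's FIM would report them."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def is_allowed(path: Path, allowlist: set) -> bool:
    """Application control: approve execution only if the binary's hash is known-good."""
    return sha256_of(path) in allowlist

def demo() -> tuple:
    """Build a constructed baseline, make unauthorized changes, and report them."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "bin" / "app").write_bytes(b"\x7fELF-constructed-app")
        baseline = snapshot(root)
        allowlist = {baseline["bin/app"]}  # only the known build of app may run
        # Unauthorized changes: an extra passwd entry and a binary nobody approved.
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n")
        (root / "bin" / "unknown").write_bytes(b"\x7fELF-constructed-unknown")
        changes = diff_snapshots(baseline, snapshot(root))
        return changes, is_allowed(root / "bin" / "app", allowlist), is_allowed(root / "bin" / "unknown", allowlist)

if __name__ == "__main__":
    print(demo())
```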
Compliance Monitoring and Audit Logging #
CWPP platforms maintain detailed logs of workload activity, configuration states, and security events. These logs feed into compliance reports for frameworks like CIS Benchmarks, PCI-DSS, and SOC 2. The audit trail matters both for meeting regulatory requirements and for forensic investigation after incidents.
How Does CWPP Compare to CSPM, CNAPP, and EDR? #
The alphabet soup of cloud security categories causes real confusion. Here's how these tools differ in scope and focus.
CWPP vs. CSPM: CSPM looks at how your cloud services are configured - is that S3 bucket public? Is that security group too permissive? CWPP looks at what's happening inside the workloads themselves. They operate at different layers and complement each other.
CWPP vs. CNAPP: A CNAPP (Cloud Native Application Protection Platform) bundles CWPP, CSPM, and often CIEM (Cloud Infrastructure Entitlement Management) into a single platform. If CWPP and CSPM are individual tools, CNAPP is the converged product that tries to cover everything. Most major vendors now market their offerings as CNAPPs.
CWPP vs. EDR: EDR (Endpoint Detection and Response) protects traditional endpoints like laptops and workstations. CWPP applies similar threat detection concepts - behavioral analysis, process monitoring, forensic investigation - but targets cloud workloads. Some vendors, like CrowdStrike, extended their EDR platform into CWPP, so the technology overlap is real.
Who Are the Major CWPP Vendors? #
The CWPP market has largely consolidated into broader CNAPP platforms. Most standalone CWPP tools have either been acquired or expanded their scope. Here are some of the notable players.
Palo Alto Networks (Cortex Cloud) offers CWPP as part of its Cortex Cloud CNAPP suite (formerly Prisma Cloud, renamed in February 2025). Its workload protection covers VMs, containers, and serverless with both agent-based and agentless scanning. Cortex Cloud also includes CSPM, CIEM, and code security in a single platform.
CrowdStrike (Falcon Cloud Security) extended its endpoint protection heritage into cloud workloads. Falcon uses a single lightweight agent across endpoints and cloud workloads, which appeals to teams that want one agent doing both jobs. CrowdStrike's strength is in real-time threat detection using behavioral indicators of attack (IOAs).
Wiz takes an agentless approach, scanning cloud environments through API-level access rather than deploying agents. Wiz builds a graph of your cloud resources and identifies attack paths - combinations of misconfigurations, vulnerabilities, and excessive permissions that an attacker could chain together. Wiz started as a CSPM but has expanded into workload protection and CNAPP territory.
Sysdig focuses on runtime security for containers and Kubernetes, built on top of the Falco open-source project. Sysdig captures system calls at the kernel level, giving deep visibility into container behavior. It's particularly popular with teams running heavy Kubernetes workloads.
Aqua Security covers the full container lifecycle from build to runtime. Aqua scans container images in CI/CD pipelines, enforces runtime policies in Kubernetes clusters, and provides compliance monitoring. Its DTA (Dynamic Threat Analysis) sandbox executes container images to detect malware that static scanning might miss.
Lacework (now part of Fortinet) uses an approach it calls "Polygraph" to baseline normal workload behavior and detect anomalies. Fortinet acquired Lacework in 2024 and integrated its CWPP capabilities into FortiCNAPP.
Where Does CloudQuery Fit? #
CloudQuery Platform is not a CWPP. We don't deploy agents into your workloads or perform runtime threat detection. What we do is provide the asset inventory and policy evaluation layer that sits alongside - and feeds into - your workload protection strategy.
Here's the practical connection: a CWPP tells you that a container is running a vulnerable package. But to act on that finding, you need context. Which team owns that container? What account is it in? Is it internet-facing? What other resources does it interact with? That's the kind of infrastructure context that CloudQuery provides.
With CloudQuery Policies, we write SQL-based rules that continuously evaluate your infrastructure against your standards. These aren't runtime threat detections - they're detective controls that catch misconfigurations, drift, and violations across every cloud account and provider. Think of it as the configuration and governance layer that complements what your CWPP is doing at the workload layer.
A few ways teams use CloudQuery alongside their CWPP:
- Asset inventory for CWPP coverage gaps. Query your infrastructure to find workloads that aren't covered by your CWPP agent. If you have 500 EC2 instances but your CWPP only reports 480 agents, CloudQuery helps you find the 20 that are missing.
- Cross-referencing CWPP findings with infrastructure context. Correlate vulnerability data from your CWPP with CloudQuery's infrastructure inventory to prioritize remediation based on exposure and ownership.
- Governance policies that CWPP doesn't cover. CWPPs focus on workload security. CloudQuery Policies cover the broader infrastructure - tagging compliance, cost governance, network configuration, IAM hygiene - giving your team a single policy engine for CSPM-style controls alongside your CWPP. CWPP fits within a broader cloud operations practice that ties visibility, governance, and automated response together.
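The coverage-gap check described in the first bullet, as an added example rather than one of CloudQuery's own policies. The `aws_ec2_instances` column set is a simplified assumption about CloudQuery's AWS tables, `cwpp_agents` is a constructed stand-in for an agent export from whatever CWPP you run, and the whole thing runs against an in-memory SQLite database so it works offline.

```python
"""Find running EC2 instances with no fresh CWPP agent check-in.
Added example; table shapes are assumptions and the rows are constructed."""
import sqlite3

COVERAGE_GAP_SQL = """
SELECT i.account_id, i.region, i.instance_id
FROM aws_ec2_instances AS i
LEFT JOIN cwpp_agents AS a
       ON a.instance_id = i.instance_id
      AND a.last_seen >= datetime('now', '-1 day')   -- a stale agent counts as a gap
WHERE i.state = 'running'
  AND a.instance_id IS NULL
ORDER BY i.account_id, i.instance_id
"""

def build_inventory() -> sqlite3.Connection:
    """Constructed inventory: four running instances, two with a fresh agent."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE aws_ec2_instances (account_id TEXT, region TEXT, instance_id TEXT, state TEXT);
        CREATE TABLE cwpp_agents (instance_id TEXT, last_seen TEXT);
        INSERT INTO aws_ec2_instances VALUES
          ('111111111111', 'us-east-1', 'i-0a1', 'running'),
          ('111111111111', 'us-east-1', 'i-0a2', 'running'),
          ('111111111111', 'us-east-1', 'i-0a3', 'stopped'),
          ('222222222222', 'eu-west-1', 'i-0b1', 'running'),
          ('222222222222', 'eu-west-1', 'i-0b2', 'running');
        INSERT INTO cwpp_agents VALUES
          ('i-0a1', datetime('now')),             -- covered
          ('i-0a3', datetime('now')),             -- stopped instance, not in scope
          ('i-0b1', datetime('now', '-10 day')),  -- agent went quiet: gap
          ('i-0b2', datetime('now'));             -- covered
    """)
    return db

def find_uncovered(db: sqlite3.Connection) -> list:
    """Instance IDs that a CWPP dashboard would not show but the inventory does."""
    return [row[2] for row in db.execute(COVERAGE_GAP_SQL)]

if __name__ == "__main__":
    print(find_uncovered(build_inventory()))
```

The same query runs unchanged against a CloudQuery PostgreSQL destination once the column names are adjusted to the real table and the agent export is loaded alongside it.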
Get Visibility into Every Cloud Workload
Inventory every workload across your cloud accounts and find coverage gaps in your protection stack. Query infrastructure context alongside your CWPP data. Or check out the documentation.
FAQ #
What does CWPP stand for? #
CWPP stands for Cloud Workload Protection Platform. It refers to a category of security tools that protect workloads - VMs, containers, serverless functions - running in cloud, hybrid, and on-premises environments.
What is the difference between CWPP and CSPM? #
CWPP protects individual workloads through runtime monitoring, vulnerability scanning, and threat detection inside compute resources. CSPM monitors cloud infrastructure configuration - checking for misconfigured storage buckets, overly permissive security groups, and compliance violations at the service level. They operate at different layers and are often used together.
Do I need both CWPP and CSPM? #
Most organizations benefit from both. CSPM catches misconfigurations in your cloud infrastructure before they become attack vectors. CWPP detects threats that are already executing inside your workloads. Using one without the other leaves a gap - either you're blind to configuration issues or you have no visibility into runtime attacks.
What is a CNAPP and how does it relate to CWPP? #
A CNAPP (Cloud Native Application Protection Platform) combines CWPP, CSPM, and often CIEM into a single platform. It's the market's response to the tool sprawl problem. Rather than buying separate products for workload protection, posture management, and identity governance, a CNAPP bundles them together. Most major CWPP vendors now position their products as part of a broader CNAPP offering.
Is CWPP agent-based or agentless? #
It depends on the vendor. Traditional CWPP solutions deploy lightweight agents onto each workload for deep runtime visibility - monitoring system calls, file changes, and process behavior. Newer entrants like Wiz offer agentless approaches that scan workloads through cloud provider APIs. Agent-based provides deeper runtime data; agentless is faster to deploy and has no performance overhead on the workload.
What types of workloads does CWPP protect? #
CWPP covers most compute workload types: virtual machines (like EC2 or Azure VMs), containers (Docker, Kubernetes pods), serverless functions (Lambda, Cloud Functions), and in many cases bare-metal servers. Some platforms also cover ephemeral and batch workloads used for CI/CD jobs and data processing.
How does CWPP handle container security? #
For containers, CWPP typically provides image scanning in CI/CD pipelines (checking for vulnerable packages before deployment), runtime monitoring of running containers (watching for unexpected processes, network connections, or file system changes), and Kubernetes-specific controls like pod security policies and network segmentation. Tools like Sysdig use kernel-level system call monitoring for deep container visibility.
Can a CWPP replace endpoint detection and response (EDR)? #
Not directly. CWPP and EDR serve different environments. EDR protects traditional endpoints - laptops, desktops, workstations. CWPP protects cloud workloads. Some vendors (CrowdStrike is the most notable example) use a single agent platform that covers both, but the use cases and threat models are different. You likely need both if your organization has traditional endpoints and cloud workloads.