5000 CyberSecurity Vendors for 3 Cloud Service Providers Problem ??

CyberSecurity vendors and analysts loves acronyms to define a "new" security problem that we discover as unique enough to solve in most organizations but sometimes this is the exact reason why we end up in spaghetti solutions instead of the right one for the right problem.

The Business Reality of Cloud Security in 2025: Beyond Technical Solutions

Welcome to this week's edition of the Cloud Security Newsletter!

This week, we're diving deep into Cloud Security and the intersection of CyberSecurity industry vendors. CyberSecurity vendors and analysts have loved 4 letter acronyms to define a "new" security problem that we discover as unique enough to solve in most organizations but sometimes these are process problems or even how the technology has evolved.

With increasing popularity of AI experiments and case studies in most organizations there is a critical shift happening in cloud security tooling and we are again in perhaps a “new” problem area.

Vulnerability management and Posture tools in Cloud have dominated the cloud security landscape for over a decade, evolving from being a compliance and posture management to attack path visualisation for cloud security practitioners.

There's a growing recognition that landscape is evolving with AI and shift coming in Cloud Security due to AI getting more attention.

In this week’s issue our featured experts from Cloud Security Podcast, share their practical insights on potential areas of change for Cloud Security, the reality of security tools usage that’s perhaps enabling this change and next evolution of security solutions in the cloud domain.

Featured Experts This Week

• James Berthoty - Founder of Latio Tech, former DevSecOps and Cloud Security practitioner
• Ross Haleliuk - Author of "Cybersecurity for Builders" and creator of Venture in Security blog
• Ashish Rajan ????????♂? - CISO & Host of Cloud Security Podcast

Definitions and Core Concepts

Market Categories in Cloud Security:

• CSPM (Cloud Security Posture Management)
• CNAPP (Cloud Native Application Protection Platform)
• CADR (Cloud Application Detection and Response)
• ASPM (Application Security Posture Management)

CNAPP (Cloud Native Application Protection Platform): An integrated security platform that combines various cloud security capabilities. However, as James Berthothy notes, the definition has become increasingly broad and potentially problematic: "I really hate what analysts have done to CNAPP... I see some people even include SaaS as part of CNAPP, at which point, like it is literally every piece of security you could have."

Runtime Security: Security measures that protect applications while they're executing, as opposed to static analysis or configuration checks. This approach enables active response to threats rather than just identifying potential vulnerabilities.

CADR (Cloud Application Detection and Response): A emerging category focused on runtime protection for cloud workloads, specifically designed for SOC teams to effectively respond to containerized alerts.

                               This week's Issue is sponsored by Vanta

Proving trust is more important than ever. Especially when it comes to your security program.

Vanta helps centralize program requirements and automate evidence collection for frameworks like SOC 2, ISO 27001, HIPAA, and more, so you save time and money—and build customer trust.

And with Vanta, you get continuous visibility into the state of your controls.

Join more than 9,000 global companies like Atlassian, Flo Health, and Quora, who trust Vanta to manage risk and prove security in real time. 

Download the GRC Buyer's Guide to learn more about continuous compliance and what to look for in a solution.        

Download the GRC Buyer’s Guide Now - Vanta

?? Our Insights from these Practitioners

1. The Reality of Security Tool Adoption

All experts highlighted a crucial disconnect in how security tools are built versus how they're actually used. Ross Haleliuk notes: "The vast majority of the market are companies that don't actually have incentives to invest in security, but they're the ones that need security the most."

James Berthothy adds a complementary perspective: "Most vendors in this space are very confused about how to go to market. They are vulnerability management but built for cloud applications."

Key implications for practitioners:

• Focus on solutions that align with business incentives
• Consider the actual implementation cost beyond the tool's price
• Look for security tools that solve immediate problems to show ROI quicker to the business to continue investing security team’s time into improving the coverage of the picked security tool

2. The Reality of Container-Centric Security

A particularly insightful observation from James challenges our traditional view of cloud security: "I think cloud security is really just container security and it almost always has been, but that's been obscured through several layers of people learning the infrastructure of how containerization works at the same time as cloud."

Ashish on recent Linkedin post shared the emerging pattern in most organisations: “Most companies have given the directive that it is a Kubernetes first compute for all new products or features that would be built. Virtual machines are only by exceptions“

This perspective suggests practitioners should:

• Prioritize container & Kubernetes security as a core component of cloud security strategy
• Focus on protection for containerized workloads which can be native to the type of deployment e.g solution can look into a kubernetes cluster not just share the misconfiguration.
• Consider how traditional security approaches need to adapt for container-centric environments moving forward in the security program

3. The Business Reality Check

Ross Haleliuk provides a sobering perspective: "I believe that there are only two reasons why companies invest in security. One is sales enablement... The second bit is fear."

James Berthothy adds: "There are too many different users in that one platform for it to fully satisfy any one of them."

Ashish Rajan concurs: “The Expectation vs Reality behind the success of Security tool in an organization is decided by the coverage of the tool across the organization. In most cases they never match :(“

Practitioners should:

• Align security initiatives on risks with business drivers to have a more productive conversation with leadership on why a tool can close the gap from the risk.
• Focus on demonstrable business value in the beginning to increase efforts of higher coverage for the tool
• Consider the actual user and why they are not able to resolve a vulnerability instead of only relying on the tool to drive a change.

4. The Shift from Posture Management to Runtime Protection

James Berthothy presents a compelling argument for why runtime security deserves more attention in 2025. He notes: "This is why I push the runtime path so much is we've gone down this path as though we can create this perfectly secure cloud environment, where if we just fix all the vulnerabilities, there's no attacks. But fixing all the vulnerabilities is first of all, a waste of time. And it's second of all, like it can't be done."

Ashish Rajan added “I am seeing more organizations push CSPM/CNAPP metrics into real-time threat intelligence, aiming to build filter false positive and drive detect and respond instantly for alerts that true positive. The industry is buzzing about “real-time cloud security,” and vendors are positioning acquisitions or integrations around this“

Key takeaways for practitioners:

• Focus on actionable security measures rather than endless vulnerability management by building filters for false positive
• Consider how focus on “real-time“ or even “run-time” security can provide immediate response capabilities
• Look for tools that enable active mitigation rather than just detection

5. The Evolution of Security Tools and Teams

Ross Haleliuk provides valuable context about the broader security market: "When I worked in fintech, there were 50,000 vendors. In cybersecurity, there is about 5,000. So that is 10 times fewer. If you say that cybersecurity is everybody's problem, then 5,000 vendors is probably not that many."

This insight, combined with James's expertise, suggests:

• The market is less saturated than many believe
• There's still room for innovation, particularly in runtime security
• Tools need to evolve to better serve different types of users

This analysis reflects a significant shift in how we approach cloud security, moving from a predominantly static, posture-based approach to a more dynamic, runtime-focused strategy. As we progress through 2025, practitioners should consider how this evolution affects their security architecture and team structure.

Next week, we'll explore another critical aspect of cloud security. Stay tuned!

???Related Resources

• NIST Container Security Guide
• Kubernetes Security Best Practices
• OWASP Kubernetes Security Cheat Sheet
• Cloud Native Security Whitepaper

???Related Podcast Episodes

• Cybersecurity Isn’t Crowded: Security Engineering and the 5,000 Vendor Problem

• The Truth About CNAPP and Kubernetes Security

• Code to Cloud to SOC

We would love to hear from you?? for a feature or topic request or if you would like to sponsor an edition of Cloud Security Newsletter.

Thank you for continuing to subscribe and Welcome to the new members in tis newsletter community??

Peace!

Shilpi Bhattacharjee

Links

Read older Issues of Cloud Security Newsletter here!