Infosec glossary

CNAPP

Cloud-Native Application Protection Platform

Cloud-native applications span source code, infrastructure definitions, cloud services, identities, containers, and running workloads. CNAPP groups security functions across those layers into one platform category. The exact set of functions varies between implementations.

Platform acronym 6 min read By Infosec Writing Studio editorial team
01

CNAPP combines cloud security across the application lifecycle

Cloud-native application security begins before a workload runs. Source code, open source components, container images, infrastructure code, cloud configuration, and deployment policy can each introduce risk. Runtime activity and identity permissions add information after deployment.

A CNAPP collects or analyzes signals from several of these stages. It may connect a vulnerable component with an exposed workload, excessive permissions, sensitive data access, or observed runtime behavior to support investigation and remediation.

02

Common CNAPP capabilities

CNAPP commonly includes capabilities associated with cloud security posture management and cloud workload protection. Some platforms also include cloud infrastructure entitlement management, data posture, software composition analysis, infrastructure code scanning, Kubernetes security, and attack path analysis.

The category does not require one fixed architecture. Some capabilities rely on cloud APIs, while others use agents, admission controls, build pipeline integrations, or runtime sensors. Coverage should be evaluated for each cloud provider, service, and workload type.

  • Cloud configuration and compliance assessment
  • Workload vulnerability and runtime protection
  • Identity, entitlement, and access path analysis
  • Risk correlation, prioritization, and remediation context
03

CNAPP and CSPM are related but different

CSPM focuses on the configuration and security posture of cloud resources. It identifies conditions such as public access, permissive network rules, missing encryption, or settings that violate a policy or framework.

CNAPP usually includes CSPM but extends into other areas such as workload, identity, software supply chain, and runtime risk. A posture finding may become more urgent when those additional signals show that the affected resource is exposed, active, or able to access sensitive systems.