Safeguard
Cloud Security

Cloud Security Assessment Tools: how to evaluate your pos...

Wiz and other CNAPPs assess your deployed cloud infrastructure — but not the software supply chain that built it. Here's how to evaluate both.

Karan Patel
Cloud Security Engineer
7 min read

Every CISO evaluating a cloud security assessment tool eventually runs into the same wall: the shortlist is dominated by cloud security posture management (CSPM) and cloud-native application protection platform (CNAPP) vendors, and Wiz sits at the top of nearly every one of those lists. Wiz raised its valuation to $12 billion in 2024, agreed to a $32 billion acquisition by Google announced in March 2025, and became the default reference point for "cloud security assessment" as a category. That makes it a useful benchmark — but also easy to mistake for the whole problem. Cloud posture tools are built to answer one question: is my cloud infrastructure misconfigured? They are not built to answer a second, increasingly costly question: can I trust the software artifacts running inside that infrastructure? This post breaks down what cloud security assessment tools actually evaluate, where Wiz-style CNAPPs excel, where the coverage gap sits, and how to build an evaluation framework that doesn't leave your build pipeline unassessed.

What Do Cloud Security Assessment Tools Actually Assess?

Cloud security assessment tools assess the state of your cloud environment at a point in time — IAM permissions, network exposure, storage bucket ACLs, workload configuration, and known vulnerabilities in running images — not the integrity of the software that produced those workloads. A typical CNAPP connects to your AWS, Azure, or GCP account via read-only API access, pulls a snapshot of resources, and correlates findings into a risk graph: this S3 bucket is public, it's attached to an IAM role with AdministratorAccess, and that role is assumable by an EC2 instance running an image with a known CVE. That's genuinely valuable triage. The 2023 IBM Cost of a Data Breach Report found that breaches involving cloud misconfiguration cost organizations an average of $4.14 million and took 258 days to identify and contain — exactly the kind of exposure CSPM tools are designed to catch. But the assessment stops at "what's running," not "how did this get here, and is it what it claims to be."

How Does Wiz Approach Cloud Posture Assessment?

Wiz approaches cloud posture assessment through agentless, API-based scanning combined with a security graph that correlates misconfigurations, identities, vulnerabilities, and network paths into prioritized "toxic combinations." Founded in 2020 by the former Adallom/Microsoft cloud security team, Wiz built its pitch around eliminating the deployment friction of agent-based scanners — a full environment scan can complete in hours rather than the weeks legacy tools required. That architecture is well suited to answering questions like "which of my 40,000 cloud resources have an internet-facing path to a critical vulnerability," and it's a large part of why Wiz grew to a reported $350 million+ in annualized recurring revenue by 2024. What it is not designed to answer is whether the container image or the OSS package that produced the vulnerable workload was itself tampered with before it ever reached the cloud — because by the time Wiz's scan runs, the artifact is already deployed.

What Gaps Exist Between Cloud Posture Tools and Software Supply Chain Risk?

The gap is temporal: cloud posture tools assess artifacts after deployment, while the highest-impact supply chain compromises happen before deployment, during build and dependency resolution — a window CNAPPs don't instrument. The XZ Utils backdoor (CVE-2024-3094), discovered in March 2024, was inserted through a multi-year social-engineering campaign against an open-source maintainer and hidden inside build scripts and test artifacts of a compression library used across most Linux distributions. No cloud misconfiguration scan would have caught it, because the compromised binary looked perfectly legitimate once deployed — the malicious behavior was injected during the build, triggered only under specific SSH conditions. The same blind spot applies to the 2020 SolarWinds Orion compromise (18,000 downstream customers affected) and the 2021 Codecov bash uploader breach, which exposed CI secrets across hundreds of customer environments for over two months before detection. Gartner's 2023 Market Guide for CNAPP explicitly notes that software composition and pipeline security are adjacent but distinct capabilities from cloud workload protection — a distinction that gets lost when procurement treats "cloud security assessment tool" as a single checkbox.

What Criteria Should You Use to Evaluate a Cloud Security Assessment Tool?

The right evaluation criteria are coverage completeness, evidence quality, and remediation speed — not just breadth of cloud resource types supported. Concretely, run any shortlisted tool, Wiz included, through five checks: (1) Does it map findings to a specific compliance control, such as SOC 2 CC7.1 or NIST 800-53 SI-2, or just a generic severity score? (2) Does it generate and verify a Software Bill of Materials (SBOM) for artifacts before they reach the registry, or only inventory what's already running? (3) Can it trace a running container back to the exact commit, build job, and signer that produced it — build provenance per SLSA Level 2+ — or does its lineage stop at the image digest? (4) What is the mean time from finding to verified fix in your environment, not just time to detection? (5) What's the pricing model at scale — per-resource, per-workload, or per-identity — since CNAPP costs can grow faster than your cloud footprint as you add accounts and clusters. A tool that scores well on cloud graph visualization but can't answer questions 2 and 3 is assessing half of your actual attack surface.

How Do You Measure Whether Your Posture Is Actually Improving?

You measure posture improvement with lagging remediation metrics, not the raw count of findings a tool surfaces. A dashboard showing 12,000 open findings tells you a scanner is thorough; it doesn't tell you whether your organization's mean time to remediate (MTTR) for critical findings is trending from, say, 21 days down to 5, or whether the same misconfiguration pattern keeps reappearing across new accounts because there's no policy-as-code guardrail preventing it upstream. The 2024 Verizon Data Breach Investigations Report found that the median time to remediate critical vulnerabilities across organizations it studied was still measured in months, not days, despite widespread CSPM adoption — evidence that visibility alone doesn't move the needle without enforcement built into CI/CD. Track: percentage of critical findings resolved within your internal SLA, percentage of new deployments blocked by policy before reaching production versus caught after, and drift rate — how often previously-remediated resources regress to a misconfigured state within 90 days.

How Safeguard Helps

Safeguard is built to close exactly the gap described above: the space between "the cloud environment looks fine" and "the software that populated it can be trusted." Where CNAPP tools like Wiz assess your deployed infrastructure, Safeguard assesses the pipeline that builds and delivers your software before it ever reaches that infrastructure. Concretely, Safeguard generates verifiable SBOMs at build time, attests build provenance so you can trace any running artifact back to its source commit and CI job, and continuously monitors dependencies for tampering, typosquatting, and known-malicious package indicators — the same category of attack pattern behind XZ Utils and the 2022 PyPI/npm typosquat waves. Safeguard maps every finding to concrete compliance controls (SOC 2, FedRAMP, NIST SSDF) so audit evidence is generated automatically rather than assembled by hand during renewal season, and it integrates directly into existing CI/CD pipelines rather than requiring a parallel scanning workflow.

For teams that already run Wiz or another CNAPP for cloud posture, Safeguard is deliberately complementary rather than competitive: it doesn't try to re-scan your VPCs or IAM policies. Instead, it hands your cloud security stack a missing input — a verified, tamper-evident record of what's actually inside every artifact before it's deployed — so the graph-based risk correlation your CNAPP already does can operate on trustworthy data. If your current evaluation of cloud security assessment tools is stopping at infrastructure posture, that's the signal to add a supply chain layer: request a Safeguard assessment of your current build pipeline and see how many of your production artifacts can be traced back to a verified, attested source today. In most environments we onboard, that number is lower than teams expect.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.