Safeguard
Cloud Security

Cloud Security Tools: a comprehensive guide to the 10 types

A breakdown of the 10 cloud security tool categories — CSPM, CNAPP, CIEM, DSPM, and more — and why supply chain security remains the gap even Wiz-style platforms leave open.

Karan Patel
Cloud Security Engineer
7 min read

If you've priced out a cloud security program in 2026, you've likely seen the same acronym soup: CSPM, CNAPP, CIEM, CWPP, CASB, SSPM, DSPM. Vendors like Wiz built a $12 billion business by consolidating several of these into a single graph-based platform, and that consolidation pitch has convinced a lot of security teams that "one tool for everything" is achievable. It mostly isn't — not because the vendors are wrong about the value of correlation, but because "cloud security" now spans identity, infrastructure, SaaS, data, and the software supply chain that builds all of it. This guide breaks down the 10 categories of cloud security tools actually in use today, where their coverage overlaps, where it stops, and why the artifacts you ship — containers, packages, CI pipelines — need protection that posture-management platforms were never built to provide.

What are the 10 types of cloud security tools, and where does each one stop?

The 10 categories are CSPM, CWPP, CNAPP, CIEM, CASB, SSPM, DSPM, IaC scanning, container/Kubernetes security, and software supply chain security (SCA, SBOM, secrets, and build-pipeline protection) — and each one answers a different question about your environment. CSPM (Cloud Security Posture Management) checks cloud accounts against benchmarks like CIS AWS Foundations, flagging things like an S3 bucket set to public-read or an IAM role with *:* permissions. CWPP (Cloud Workload Protection Platform) watches running VMs, containers, and serverless functions for runtime threats — a reverse shell spawned inside a pod, for example. CNAPP bundles CSPM, CWPP, and often CIEM into one console; Wiz, Palo Alto Prisma Cloud, and Orca Security compete hardest here. CIEM (Cloud Infrastructure Entitlement Management) maps who can actually do what across AWS, Azure, and GCP identities, which matters because Microsoft's 2023 Digital Defense Report found over-permissioned identities implicated in the majority of cloud compromises it investigated. The remaining six — CASB, SSPM, DSPM, IaC scanning, container security, and supply chain security — cover SaaS access, SaaS misconfiguration, sensitive data location, pre-deployment infrastructure code, orchestration layers, and the code/dependency/pipeline layer respectively. None of them substitute for the others.

Why can't a CNAPP alone catch a supply chain compromise like the 2024 XZ Utils backdoor?

Because CNAPP tools are built to assess deployed cloud resources, not the build process and dependency tree that produced the artifact running on them. The XZ Utils backdoor, discovered in March 2024, was inserted over roughly two years by a trusted contributor into a compression library used by OpenSSH on countless Linux distributions — it was caught by a Microsoft engineer noticing 500ms of extra SSH latency, not by any posture scanner, because the malicious code lived in a build script and a test-data blob, not in a misconfigured cloud resource. A CSPM or CNAPP tool has nothing to say about a tampered configure script or a maintainer account takeover; that's the job of SCA (software composition analysis), SBOM generation, and build-provenance verification. This is also the gap behind the 2020 SolarWinds Orion compromise and the 2021 Codecov bash-uploader breach, both of which fully bypassed cloud posture controls because the attackers never touched a misconfigured cloud resource — they touched the pipeline that shipped the software.

How do CIEM and CASB tools solve two different identity problems?

CIEM governs machine and human identities inside your cloud accounts, while CASB governs access to third-party SaaS applications outside them — and conflating the two leaves gaps in both. A CIEM tool answers "can this Lambda execution role read every bucket in the account," which matters given that AWS alone ships over 17,000 distinct IAM permissions, making manual entitlement review impractical past a handful of accounts. A CASB answers a structurally different question: is data leaving Salesforce or Google Workspace through an unsanctioned OAuth integration, or is a departing employee still authenticated to a SaaS tool three weeks after offboarding. Netskope and Microsoft Defender for Cloud Apps lead the CASB category; Wiz and similar CNAPP vendors have pushed into CIEM but generally don't touch SaaS-to-SaaS access at all, because it isn't cloud infrastructure in the traditional sense — it's a parallel identity fabric that needs its own control plane.

What makes DSPM and SSPM necessary when you already run a CNAPP?

DSPM (Data Security Posture Management) and SSPM (SaaS Security Posture Management) exist because a CNAPP tells you a resource is misconfigured, not what's inside it or which SaaS tenant it belongs to. DSPM tools like Wiz's own DSPM module or standalone players such as Cyera scan storage — S3, Azure Blob, Snowflake, BigQuery — to classify sensitive data at rest, which is how teams discover, for instance, that a "test" bucket has been quietly holding production customer PII since a 2022 migration nobody documented. SSPM tools instead audit configuration drift inside SaaS platforms themselves — Salesforce sharing rules, Microsoft 365 conditional access policies, Slack workspace settings — a surface that grew sharply after the 2023 Okta support-system breach showed that SaaS admin consoles are now a primary attacker entry point, not a side concern. Neither discipline is infrastructure posture management; both require their own scanning logic tuned to schema and application semantics rather than cloud resource configuration.

Why do IaC scanning and container/Kubernetes tools need to run before and after deployment?

They cover the same infrastructure at two different lifecycle stages, and skipping either one leaves a blind spot the other can't backfill. IaC scanning (Checkov, tfsec, Terrascan) evaluates Terraform, CloudFormation, and Helm charts before anything is applied, catching an overly permissive security group or a missing encryption flag while it's still a two-line diff in a pull request — fixing it here costs a code review comment. Container and Kubernetes security tools (Falco, Kube-bench, Wiz's own runtime sensor, or Sysdig) instead watch the cluster after deployment, because drift happens: someone runs kubectl edit under a deadline, a Helm chart gets manually patched, or a base image gets an emergency hotfix that never goes back through IaC. The 2023 investigation into initial-access broker activity found Kubernetes API servers exposed directly to the internet as a repeat entry point — a state a pre-deploy IaC scan can't detect because the exposure was introduced live, well after the plan was applied.

How Safeguard Helps

Wiz and the broader CNAPP category are strong at the six posture-and-runtime categories above; Safeguard is purpose-built for the one they cover thinnest: software supply chain security. Where a CNAPP tells you a workload is running, Safeguard tells you what's actually inside it and how it got built — dependency-level SCA against live CVE and malicious-package feeds, automatic SBOM generation in CycloneDX and SPDX for every build, secrets detection across source and CI logs before a key ever reaches a commit history, and build-provenance checks modeled on SLSA to catch the kind of maintainer-account or build-script tampering that let XZ Utils and the Codecov uploader run undetected for months. Safeguard plugs directly into GitHub Actions, GitLab CI, and Jenkins pipelines, so findings surface at pull-request time — the cheapest point in the lifecycle to fix them — rather than after deployment, when a CNAPP might eventually flag the resulting workload as anomalous. For teams already running Wiz or a similar CNAPP for cloud posture and runtime protection, Safeguard is designed to sit alongside it, closing the pre-deployment, code-to-build gap that posture platforms weren't architected to see, so the full 10-category picture — from IAM entitlements down to the compression library three dependencies deep — actually gets covered instead of assumed.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.