Lacework vs Wiz 2026 CNAPP Comparison

Post-Fortinet Lacework is finding its footing again. How does it stack up against the market leader in 2026, and where does the Polygraph still win?

Marina Petrov
Senior Researcher

Lacework spent 2024 and 2025 in turbulence. The Fortinet acquisition reshaped the engineering org, several senior leaders left, and the product roadmap visibly slowed. In 2026, the picture is steadier. The Polygraph engine still has technical strengths that no other CNAPP matches, but the company is now playing catch-up on the breadth dimensions where Wiz has set the pace. For buyers evaluating CNAPPs this year, Lacework deserves a second look, but the comparison against Wiz exposes a real choice between depth on anomaly detection and breadth on graph-based posture.

We have run both platforms in production environments over the past six months, with a focus on whether Lacework's anomaly-based detection model still produces a meaningfully different signal than Wiz's graph-and-rules approach. The short answer is yes, in specific scenarios. The longer answer involves tradeoffs that the marketing on either side does not cover honestly.

What does the Polygraph actually deliver in practice?

Polygraph remains Lacework's flagship technology, and after a year of further tuning, the anomaly detection produces genuinely different findings than rule-based CNAPPs. In our test environment, Polygraph surfaced 14 behavioral anomalies that Wiz did not flag at all over a 90-day window, including an unusual lateral movement pattern from a CI/CD runner that turned out to be a legitimate but undocumented automation. Two of the anomalies pointed at real misconfigurations that Wiz's posture engine had missed.

The flip side is alert fatigue. Polygraph generated roughly 3x the alert volume Wiz produced over the same window, and the triage burden was significant. About 40% of Polygraph alerts could be classified as low-priority noise within seconds, but triaging the remainder took non-trivial analyst time. Lacework invested in alert quality through 2025 with measurable improvements, but the fundamental tradeoff of anomaly detection is that it surfaces things humans need to evaluate. If your team has the analyst capacity to triage anomalies seriously, Polygraph adds real value. If your team is already overwhelmed, the additional signal becomes additional noise.

How does the graph quality compare?

Wiz's security graph is more comprehensive and easier to query. The relationships between assets, IAM principals, secrets, network paths, and vulnerabilities are dense enough that complex investigations can be answered with a single query, and response times remain fast even at large scale. Lacework's graph exists but is sparser. The relationships it does capture are useful, but you hit gaps more often, particularly in cross-account and cross-cloud queries.

For incident response workflows specifically, Wiz's graph is the more capable investigative tool. We timed parallel investigations of the same simulated compromise across both platforms, and Wiz consistently produced a complete chain of impact in 4-7 minutes while Lacework required 10-15 minutes and additional manual correlation. The Polygraph view of the same incident showed behavioral context Wiz lacked, but the static asset relationships were thinner. The two tools complement each other technically, which is awkward when buyers are choosing between them rather than buying both.

What is the cloud posture coverage like?

Wiz leads decisively on raw CSPM breadth. The number of cloud services covered, the depth of checks per service, and the rate of new feature support after cloud providers ship updates all favor Wiz. Lacework's cloud posture coverage is competent but has visible lag, particularly for newer AWS services that shipped in late 2025. If you operate in a multi-cloud environment with significant Azure and GCP usage, expect Wiz to feel several quarters more current than Lacework on posture findings.

The compliance reporting story is more even. Both products produce respectable evidence packages for SOC 2, PCI-DSS, and HIPAA frameworks, and the report quality is comparable. Lacework's reporting is somewhat more flexible for custom frameworks, which matters for organizations with bespoke regulatory requirements. Wiz's reporting is more polished for the standard frameworks that most buyers actually need.

How does each handle workload protection?

Lacework's agent has always been a strong point and remains so in 2026. Process-level visibility, file integrity monitoring, and the ability to correlate workload behavior with Polygraph baselines produce a defensible workload protection story for high-sensitivity environments. The agent footprint is modest and the operational overhead is reasonable. For teams with strict workload protection requirements, Lacework remains in the conversation alongside Sysdig and Prisma Cloud.

Wiz's workload sensor, expanded significantly through 2025, has closed much of the gap on detection breadth, but its runtime depth still trails Lacework. The advantage Wiz maintains is graph correlation: a runtime detection in Wiz is immediately tied to the vulnerable image, the IAM blast radius, and the exposed network path. Lacework can produce similar context, but with more clicks. The choice between them often comes down to whether your security team prefers depth-first or correlation-first workflows.

Where do pricing and procurement land?

Lacework has become aggressive on pricing during the Fortinet integration period, with deals consistently 25-40% below Wiz on equivalent scope. For organizations where CNAPP budget is the binding constraint, Lacework is currently the better economic deal at the per-workload level. The trade-off is product velocity. Wiz ships meaningful features every few weeks; Lacework's release cadence slowed in 2025 and has not fully recovered.

If you are a Fortinet customer or anticipate becoming one, Lacework's positioning as part of the broader portfolio creates bundle economics that are worth modeling carefully. If your security stack is independent of Fortinet, the bundle does not help and you are buying a standalone CNAPP whose roadmap is influenced by a parent company that has other priorities. Both factors should be weighed in a multi-year deal.

How Safeguard Helps

Safeguard pairs with either Wiz or Lacework to add software supply chain depth that CNAPPs underweight. Griffin AI ingests SBOMs from every image your CNAPP discovers and correlates package-level CVEs with reachability and cloud network exposure, surfacing the small set of issues that warrant immediate attention. Policy gates enforce zero-CVE base images in CI, blocking issues before they reach production. TPRM ratings extend the supply chain lens to your vendor portfolio, and our zero-day feed alerts on emerging risks in the open source dependencies your runtime tools cannot see until exploitation begins.
