
Report: Comparing Top CSPM Vendors for AWS-Focused Mid‑Market Orgs

14 min read
11/17/2025

Introduction

You’re a mid‑market, engineering-heavy org running on AWS, and you care about today’s top threats, not just checking a CIS box. In that world, “top CSPM” really means “who actually helps you not get popped via IAM abuse, misconfig, and exposed workloads.”

This report looks at three of the most commonly shortlisted CSPM/CNAPP platforms for that job:

  • Wiz
  • Palo Alto Networks Prisma Cloud
  • Lacework (now effectively Lacework FortiCNAPP under Fortinet)

The goal isn’t marketing fluff; it’s to show where each genuinely helps against modern AWS threats, where they fall short, and how that plays out for a mid‑market security team.

Along the way, you’ll see inline links to deeper dives such as whether Wiz actually reduces AWS breach risk or Prisma Cloud vs AWS-native for CSPM. Click those if you ever want a focused follow-up.

Quick Comparison Table

The rows are framed around threat-centric capabilities, not generic product modules.

| Feature / Capability                                   | Wiz                                   | Prisma Cloud (Palo Alto Networks)                          | Lacework / FortiCNAPP                                  |
|--------------------------------------------------------|---------------------------------------|------------------------------------------------------------|--------------------------------------------------------|
| Agentless AWS asset & vuln discovery                  | Strong, graph-based, widely cited as best-in-class ([AWS case study](https://aws.amazon.com/solutions/case-studies/wiz-neptune/)) | Strong, but more config/policy centric; agentless + agent mix ([datasheet](https://www.paloaltonetworks.com/resources/datasheets/prisma-cloud-native-security-aws)) | Good, but historically less differentiated vs newer CNAPPs ([CSO review](https://www.csoonline.com/article/574215/lacework-adds-new-capabilities-to-its-cspm-solution.html)) |
| Attack-path / exposure graph across IAM, network, data | Core to platform; built on Neptune graph, used heavily in AWS examples ([AWS Neptune story](https://aws.amazon.com/solutions/case-studies/wiz-neptune/)) | Has risk-prioritization/attack-path concepts, but more tightly coupled to Cortex ecosystem ([risk docs](https://docs.prismacloud.io/en/enterprise-edition/content-collections/alerts/risk-prioritization-remediation)) | Has APA (Attack Path Analysis) but often positioned via Fortinet bundle; less independently referenced in practitioner write-ups ([Fortinet briefing](https://www.fortinet.com/content/dam/fortinet/assets/solution-guides/sb-fortinet-lacework-aws-guard-duty.pdf)) |
| IAM risk & privilege-escalation detection              | Strong focus; Wiz research routinely publishes IAM abuse and misconfig findings in AWS ([cloud threat work](https://www.wiz.io/academy/aws-security-risks)) | CIEM capabilities and IAM Access Analyzer integration, but some orgs reevaluate at large scale ([Wiz competitive take](https://www.wiz.io/academy/palo-alto-networks-competitors)) | IAM awareness present, but third‑party comparisons consistently highlight deeper identity focus elsewhere ([Uptycs vs Lacework](https://www.uptycs.com/compare-us/lacework-uptycs)) |
| Runtime / threat detection quality for cloud workloads | Wiz Defend is newer but gets detailed runtime coverage and industry attention ([runtime analysis](https://softwareanalyst.substack.com/p/runtime-security-in-2025-how-wiz)) | Mature runtime/XDR story via Cortex, but can feel heavy-weight and complex for mid‑market ([XSOAR integration](https://xsoar.pan.dev/docs/reference/packs/prisma-cloud)) | FortiCNAPP leans on Fortinet runtime stack; strong if you’re already a Fortinet customer, otherwise more moving parts ([Fortinet blog](https://www.fortinet.com/blog/business-and-technology/cloud-security-gaps-and-how-forticnapp-can-close-them)) |
| Noise level & prioritization of *exploitable* issues   | Frequently cited for collapsing thousands of findings into dozens of critical ones ([Arctiq case study](https://arctiq.com/case-studies/transforming-cloud-security-for-a-large-healthcare-provider-with-wiz)) | Has risk scoring and correlation, but customers sometimes describe more tuning work to get to “top 10 things that matter” ([customer reviews](https://aws.amazon.com/marketplace/reviews/reviews-list/prodview-fhoptf6o4hcyu)) | Fortinet pitches FortiCNAPP as closing “visibility and misconfiguration gaps,” but alert quality still depends heavily on tuning and surrounding Fortinet stack ([Fortinet guide](https://www.fortinet.com/content/dam/fortinet/assets/solution-guides/sb-lacework-aws.pdf)) |
| Depth of AWS-native ecosystem integration              | Deep integration into AWS Organizations, Security Hub, Marketplace, partner programs ([Security Hub partners](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html)) | Very deep network + NGFW tie‑ins; strong if you are already a Palo Alto shop ([Prisma AWS datasheet](https://www.paloaltonetworks.com/resources/datasheets/prisma-cloud-native-security-aws)) | Now tightly coupled with Fortinet’s broader portfolio; benefits Fortinet-first shops but increases platform lock-in ([Lacework–Fortinet acquisition context](https://teckpath.com/lacework-acquisition-by-fortinet-what-changes-and-how-it-advances-fortinet-in-the-cybersecurity-space/)) |
| Market momentum & customer sentiment (2024–2025)       | Very high: huge growth, many modern orgs standardize on Wiz as primary CNAPP ([growth analysis](https://softwareanalyst.substack.com/p/the-wiz-playbook-how-they-dominated)) | Strong enterprise footprint, especially where Palo Alto firewalls/XDR are already entrenched ([Prisma leader write‑up](https://www.paloaltonetworks.com/blog/2022/11/prisma-cloud-is-a-cnapp-leader/)) | Uneven: Fortinet is investing heavily, but Lacework’s pre-acquisition struggles and repositioning mean some buyers are cautious ([critical analysis](https://www.omeronsecurity.com/p/laceworks-ai-didnt-work)) |
| Fit for AWS‑only, mid‑market, eng‑heavy orgs           | Excellent: fast agentless onboarding, opinionated attack-path views, accessible to security & platform teams | Good if you are already standardizing on Palo Alto; otherwise may feel like “too much platform” for the size | Mixed: can work well in Fortinet-centric shops, but for greenfield mid‑market AWS, overlaps and complexity vs alternatives are a real concern |

Wiz: Very Strong for Threat-Focused AWS CSPM

What supporters like

People who bet on Wiz tend to be the ones who are already very aware of how ugly AWS gets at scale: sprawling orgs, zombie accounts, weird IAM edges, and “who exposed this RDS to the internet?” sorts of questions.

Wiz’s architecture is built around a cloud security graph, and AWS’s own case study confirms that graph is stored in Amazon Neptune:

“Wiz built an innovative cloud security platform by modeling security graph data in Amazon Neptune, enabling near real-time analysis of complex relationships between cloud resources, identities, and configurations.” (AWS Neptune case study)

That graph is what lets it answer questions you actually care about:

  • “Which internet-exposed compute instances have critical CVEs and can reach S3 buckets with PII?”
  • “Which CI/CD roles can assume org‑admin roles, and from where?”
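
To make the graph idea concrete, here is a small, self-contained model of how a security graph turns a pile of independent findings into a short list of exploitable paths. This is an added example written for this report, not Wiz code and not a description of Wiz’s internal data model; the instance, role and bucket names, the policy statements and the edge rules (internet reaches a host only if it is public with an open port, a host yields its role only if it carries a critical vulnerability, a role reaches a bucket only if an Allow statement grants s3:GetObject on it, a role reaches another role only if it is named in that role’s trust policy) are all constructed simplifications. Deny statements, conditions and SCPs are deliberately ignored.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample inventory for this example; none of these names are real resources.
INSTANCES = {
    "i-web":     {"public_ip": True,  "open_ports": [443], "critical_vuln": True,  "role": "role-web"},
    "i-bastion": {"public_ip": True,  "open_ports": [22],  "critical_vuln": False, "role": "role-bastion"},
    "i-batch":   {"public_ip": False, "open_ports": [],    "critical_vuln": True,  "role": "role-batch"},
}
ROLES = {
    "role-web":     {"trusted_roles": [], "statements": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::app-logs/*"]}]},
    "role-bastion": {"trusted_roles": [], "statements": []},
    # Over-broad: any role that can assume this one can read every bucket in the account.
    "role-batch":   {"trusted_roles": ["role-web"], "statements": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]}]},
}
BUCKETS = {"app-logs": "internal", "customer-pii": "pii"}


def _action_matches(pattern, action):
    # IAM action names are case-insensitive and may be wildcarded ("s3:*").
    return fnmatchcase(action.lower(), pattern.lower())


def role_can_read(role, bucket):
    """True if any Allow statement grants s3:GetObject on objects in the bucket.
    Simplified on purpose: no explicit Deny, no Condition, no SCP evaluation."""
    obj_arn = f"arn:aws:s3:::{bucket}/*"
    for st in ROLES[role]["statements"]:
        if st["Effect"] != "Allow":
            continue
        if any(_action_matches(a, "s3:GetObject") for a in st["Action"]) and \
           any(fnmatchcase(obj_arn, r) for r in st["Resource"]):
            return True
    return False


def build_graph():
    """Directed graph: internet -> hosts -> roles -> roles/buckets."""
    g = defaultdict(set)
    for name, inst in INSTANCES.items():
        if inst["public_ip"] and inst["open_ports"]:
            g["internet"].add(name)
        # Reachability alone is not a path: the attacker still needs code execution
        # on the host before the instance role's credentials are theirs.
        if inst["critical_vuln"] and inst["role"]:
            g[name].add(inst["role"])
    for role, cfg in ROLES.items():
        for src in cfg["trusted_roles"]:
            g[src].add(role)
        for bucket in BUCKETS:
            if role_can_read(role, bucket):
                g[role].add(bucket)
    return g


def attack_paths(graph, targets):
    """All simple paths from 'internet' to any node in targets (iterative DFS)."""
    paths = []
    stack = [("internet", ["internet"])]
    while stack:
        node, path = stack.pop()
        for nxt in sorted(graph.get(node, ())):
            if nxt in path:
                continue
            if nxt in targets:
                paths.append(path + [nxt])
            else:
                stack.append((nxt, path + [nxt]))
    return paths


def policy_findings():
    """What a policy-only scanner emits: one uncorrelated finding per misconfiguration."""
    f = []
    for name, inst in INSTANCES.items():
        if inst["public_ip"] and inst["open_ports"]:
            f.append(f"{name}: internet-exposed on ports {inst['open_ports']}")
        if inst["critical_vuln"]:
            f.append(f"{name}: critical vulnerability")
    for role, cfg in ROLES.items():
        for st in cfg["statements"]:
            if "*" in st["Resource"] or any(a.endswith("*") for a in st["Action"]):
                f.append(f"{role}: wildcard permissions")
        for src in cfg["trusted_roles"]:
            f.append(f"{role}: assumable by {src}")
    for bucket, cls in BUCKETS.items():
        if cls == "pii":
            f.append(f"{bucket}: contains PII")
    return f


if __name__ == "__main__":
    pii = {b for b, c in BUCKETS.items() if c == "pii"}
    print(len(policy_findings()), "uncorrelated findings")
    for p in attack_paths(build_graph(), pii):
        print(" -> ".join(p))
```

Run as written, the policy view produces seven findings (two exposed hosts, two critical vulnerabilities, one wildcard policy, one role trust, one PII bucket) while the graph view collapses them to one path: internet -> i-web -> role-web -> role-batch -> customer-pii. The bastion host is exposed but unexploitable and never appears; the batch host is vulnerable but unreachable. That difference in output is the whole argument for a graph-based model, and it is also the thing to test in a POC: feed the vendor a known toy account and check that the paths it reports are the ones you planted.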

This isn’t theoretical. Customers describe a massive reduction in noise when they move to that model. A large healthcare provider reported:

“Correlating thousands of alerts into twelve critical issues” when they moved to Wiz, effectively killing alert fatigue and letting them focus on real attack paths. (Arctiq case study)

Wiz also leans heavily into AWS-specific threat research and content:

  • They publish guidance on AWS security risks—IAM abuse, misconfig, data exposure—and then surface those exact anti-patterns in product (AWS risks explainer).
  • Their cloud attacks & attack vectors material explicitly models how real attackers chain IAM, network, and workload issues to reach data (attack vectors overview).

From an AWS-focused engineer’s point of view, that feels a lot closer to “give me a ranked list of how we actually get owned” than traditional policy-only CSPM.

Where critics push back

The main critique isn’t that Wiz can’t see things; it’s whether it’s too much platform or too expensive relative to what a given org will really operationalize.

A few recurring friction points from practitioners and critical write‑ups:

  • Operationalization takes work. Third parties like GuidePoint explicitly sell services to help customers “fully operationalize their Wiz platform,” calling out that many orgs struggle to take full advantage of the depth of data and actions available (GuidePoint datasheet).
  • Runtime is still maturing. Analyses of Wiz Defend see it as a big move into runtime but also note that the broader market (including Wiz) is still figuring out what “cloud detection & response” should really look like compared to classic EDR/XDR (runtime analysis).
  • Not magic against fundamentals. Even Wiz’s own content emphasizes that many AWS incidents still come down to basic things—misconfig, IAM sprawl, ungoverned AI services—and those require cultural and process fixes, not just tooling (cloud security challenges).

If you have the staff and appetite to tune a graph-based CNAPP, Wiz lines up very well with today’s AWS threat landscape. If you don’t, you can end up buying a Ferrari and driving it like a Prius.

Prisma Cloud: Broad, Integrated, and Heavier

What Prisma Cloud brings to the table

Prisma Cloud is a natural fit when your organization is already invested in Palo Alto firewalls, Cortex XDR/XSOAR, and wants one big fabric from code to runtime.

Palo Alto positions Prisma as “Cloud Native Security Built for AWS” and specifically claims “code to cloud” security and compliance (AWS environment page). Their AWS datasheet describes:

“Code to cloud security and compliance for Amazon Web Services (AWS), including misconfiguration detection, vulnerability management, data security posture, and runtime threat detection.” (AWS datasheet)

On the CSPM side, the cloud security posture management component is tightly embedded in their CNAPP story:

  • A dedicated CSPM module with policy-based checks and risk prioritization (CSPM feature page).
  • Specific content for AWS resources (ELBs, S3, IAM, etc.), with frequent policy additions; for example, new policies around ELB deletion protection and other AWS-hardening details show up in release notes (July 2024 release).

Where it shines for a mid‑market AWS shop:

  • If you are already a Palo Alto shop, you get tighter alignment between network controls, NGFW, and cloud posture.
  • If you care about data security posture and app/runtime, Prisma’s DSPM + CWPP combo is strong when fully deployed (DSPM docs).

Where Prisma Cloud feels heavy or limited

For a mid‑market, engineering-heavy AWS org that doesn’t live and breathe Palo Alto, Prisma can feel like a big enterprise platform bolted onto a smaller team.

Several consistent themes show up when people talk about limitations or friction:

  1. Complexity and operational overhead
    KuppingerCole’s CNAPP market compass notes that Prisma is one of the more feature-complete CNAPPs, but also implies it’s best suited to larger enterprises with the people and processes to run it end‑to‑end (CNAPP report). For a mid‑market crew, that often translates into:

    • Longer onboarding and policy-tuning cycles.
    • Higher dependency on Palo Alto’s ecosystem (Cortex, XSOAR) for incident workflows.
  2. Risk prioritization vs. truly attack‑path centric
    Prisma does have a risk-prioritization engine that correlates findings into attack paths (risk docs), but analysts and some practitioners note that graph-first players (Wiz, Orca, etc.) often produce more intuitive “this is your top exploitable path” output. Even Palo Alto’s own docs still emphasize policy-driven findings:

    “All Prisma Cloud findings are driven by policies… findings are purely informational and provide security context.” (findings reference)

    That’s not bad—but if you want highly opinionated exploitability ranking out of the box, you may find Prisma more “governance-heavy, threat-moderate” compared with alternatives.

  3. Application security gaps noted by users
    Some user feedback calls out that Prisma’s application security side still needs work:

    “Prisma Cloud's application security capabilities should be enhanced. The next update should include static application security testing and expand the functionalities of dynamic and API security testing.” (PeerSpot feedback)

    For a dev-heavy org that wants strong shift-left support and deeply integrated IaC scanning, that matters.

Taken together, Prisma Cloud is powerful but heavy. It aligns best when you’re already using Palo Alto’s stack, have a SOC that likes Cortex, and are okay with a more enterprise-y CSPM that leans on policies and integrations rather than an out‑of‑the-box graph that screams “these 10 paths will get you breached.”

Lacework / FortiCNAPP: Capable, but in Flux

What Lacework historically did well

Before the acquisition, Lacework was pitched as a data-driven cloud security platform with strong anomaly detection. It focused on behavioral analysis of cloud workloads and accounts, particularly in AWS.

Fortinet now positions Lacework FortiCNAPP as an integrated CNAPP, emphasizing your exact pain points:

“A busy cloud environment can generate 8 to 10 billion data points per month… FortiCNAPP with Lacework uses behavioral analytics and machine learning to surface critical threats out of this noise.” (Fortinet–Lacework + GuardDuty brief)

They showcase insider-threat detection and misconfig awareness, for example:

“How Lacework FortiCNAPP caught an accidental insider threat” by mapping abnormal access patterns and surfacing them as high-severity events (Fortinet blog).

From an AWS mid‑market perspective, the pros look like this:

  • Strong behavioral detection and anomaly focus when fully configured.
  • Tight Fortinet integration for orgs that already have FortiGate, FortiManager, etc.
  • A “CSPM+” model: their lab content walks through detecting S3 ransomware-style configurations and attack progression in AWS (Lacework AWS workshop).

The uncomfortable parts: business reality and fit

Two big realities show up when you look past the marketing:

  1. Lacework’s own AI story and business struggles
    A widely shared piece by a former Lacework exec, bluntly titled “Lacework’s AI Didn’t Work,” argues that the company over‑promised what unsupervised AI anomaly detection could do:

    “The spectacular downfall of Lacework is a lesson in the limitations of AI in cybersecurity… The data and threat models proved much harder to operationalize than the pitch deck suggested.” (Omer on Security)

    That doesn’t mean the product is useless, but it does highlight a gap between ‘AI will find everything’ and what busy teams actually got—especially in mid‑market environments that can’t afford to babysit an ML pipeline.

  2. The Fortinet acquisition changes the posture
    Fortinet’s own materials talk about Lacework FortiCNAPP mostly in the context of closing gaps when combined with the rest of the Fortinet fabric (FortiCNAPP product page). Third-party commentary focuses heavily on how this benefits Fortinet’s portfolio and customers, not on Lacework as an independent best-of-breed CNAPP.

    For a mid‑market AWS shop that isn’t already Fortinet‑centric, that raises questions:

    • Are you signing up for an integrated Fortinet story you don’t fully need?
    • Will product focus skew towards large Fortinet customers and MSSP use cases, rather than self‑serve security engineers?
  3. Competitive analyses rarely put Lacework at the top now
    Modern CNAPP evaluations from vendors and analysts tend to pit contenders like Wiz, Prisma, Orca and CrowdStrike against each other, and Lacework usually appears as an option rather than the frontrunner. Uptycs, for example, markets itself explicitly as outperforming Lacework in “depth of data” and breadth of coverage (Uptycs comparison).

Put bluntly: Lacework/FortiCNAPP can absolutely be effective in AWS, especially when tied into a Fortinet-heavy stack, but for a greenfield mid‑market AWS shop, you’re taking on portfolio complexity and some strategic uncertainty that you may not need—particularly when alternatives are more clearly focused on threat-centric AWS posture.

How This Maps to "Today’s Top Threats" in AWS

If you take Cloud Security Alliance’s 2024 Top Threats and the Verizon DBIR, plus AWS and SentinelOne’s own breakdowns of AWS-specific issues, the patterns are boringly consistent, and they are the same three this report has used as its frame from the start: IAM abuse, misconfiguration, and internet-exposed workloads carrying known vulnerabilities.

Mapping those to the three vendors:

  • Wiz lines up best with graph-based misconfig + IAM + vuln correlation, and has a strong research-backed picture of AWS threat evolution. It’s the best match if you want attack-path-centric AWS defense with minimal agents.
  • Prisma Cloud absolutely covers those threats but does it via a broader, heavier platform—excellent if you’re already a Palo Alto shop and planning to integrate posture with Cortex and NGFW policy, less ideal if you’re not.
  • Lacework / FortiCNAPP aims at the same problem space with strong behavioral analytics, but strategic turbulence, acquisition-driven repositioning, and competitive comparisons suggest it’s no longer the obvious first choice for a net-new mid‑market AWS program.

Straight-Talk Recommendations for a Mid‑Market AWS Org

If you’re an AWS-only, engineering-heavy, mid‑market org focused on real threats rather than pure compliance, the recommendations shake out like this:

  1. Shortlist Wiz as your primary CSPM/CNAPP POC
    Use it to answer concrete questions like:

    • “Show me the top 10 attack paths from the internet to sensitive S3/RDS.”
    • “Which IAM roles, if compromised, give an attacker org‑admin or cross‑account access?”

    If it can’t answer those quickly and clearly in your environment, you walk.

  2. Shortlist Prisma Cloud only if you are already in the Palo Alto ecosystem
    If your SOC or network team lives in Palo Alto tools, Prisma may be the cleanest governance/compliance/security story. Just go in eyes open about:

    • Tuning effort for risk prioritization.
    • Whether you actually need all of Cortex/Prisma capabilities at your scale.
  3. Treat Lacework / FortiCNAPP as a Fortinet-aligned option, not the default CNAPP
    It’s worth serious consideration if:

    • You’re already deep in Fortinet, and
    • You want a single Fortinet/Lacework story for CNAPP + NDR + NGFW.

    Otherwise, for a fresh AWS-focused security program, other platforms are more straightforward and less strategically complicated.

  4. Keep AWS-native (GuardDuty, Security Hub, IAM Access Analyzer) turned on no matter what
    No CSPM replaces the need for:

    • GuardDuty for AWS-native threat detection over CloudTrail, VPC Flow Logs and DNS logs.
    • Security Hub for baseline posture checks (AWS Foundational Security Best Practices, CIS) and finding aggregation.
    • IAM Access Analyzer for external-access findings on resource and role trust policies.

    The external CSPM/CNAPP should layer on, not replace, those.
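
The second POC question above (“which IAM roles, if compromised, give an attacker cross‑account access?”) and the Access Analyzer point are the same check seen from two sides, and it is worth knowing what that check actually looks at before you judge a vendor’s version of it. The following is an added example for this report, not code from any of the three vendors or from AWS: it classifies role trust policies by who may call sts:AssumeRole. The account IDs, organization ID and role names are constructed, and the policy documents are written as the already-decoded dicts that boto3’s iam.list_roles() returns in each role’s AssumeRolePolicyDocument. The severity scheme (anonymous principal is critical, cross‑account without an ExternalId is high, with one is medium, wildcard scoped by aws:PrincipalOrgID is low) is this example’s own convention.

```python
import json
import re

# Constructed values: the account IDs that belong to "your" organization, and its org ID.
OWN_ACCOUNTS = {"111122223333", "444455556666"}
ORG_ID = "o-exampleorg"

# Matches a bare account ID, an account root ARN, or any IAM principal ARN in that account.
ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::.*)?$")
SEVERITY = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def _principals(principal):
    """Normalise the Principal element ("*", or {"AWS": str|list, "Service": ...})
    to a list of (kind, value) pairs."""
    if principal == "*":
        return [("AWS", "*")]
    out = []
    for kind, vals in principal.items():
        if isinstance(vals, str):
            vals = [vals]
        out.extend((kind, v) for v in vals)
    return out


def _is_assume(action):
    a = action.lower()
    return a == "sts:*" or a.startswith("sts:assumerole")


def assess_trust_policy(role_name, doc):
    """Return (role, severity, reason) tuples for risky AssumeRole grants."""
    findings = []
    for st in doc["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(_is_assume(a) for a in actions):
            continue
        # Lower-cased JSON of the Condition block; enough to see which keys are present.
        cond = json.dumps(st.get("Condition", {})).lower()
        for kind, value in _principals(st["Principal"]):
            if kind != "AWS":
                continue  # Service/Federated principals need their own checks
            if value == "*":
                if "aws:principalorgid" in cond:
                    findings.append((role_name, "LOW", "wildcard principal scoped by aws:PrincipalOrgID"))
                else:
                    findings.append((role_name, "CRITICAL", "assumable by any AWS principal"))
                continue
            m = ACCOUNT_RE.match(value)
            if m and m.group(1) not in OWN_ACCOUNTS:
                if "sts:externalid" in cond:
                    findings.append((role_name, "MEDIUM", f"cross-account trust to {m.group(1)} (ExternalId set)"))
                else:
                    findings.append((role_name, "HIGH", f"cross-account trust to {m.group(1)} without ExternalId"))
    return findings


def scan_trust_policies(policies):
    """Assess every role and return findings ordered by severity."""
    found = []
    for role, doc in policies.items():
        found.extend(assess_trust_policy(role, doc))
    return sorted(found, key=lambda f: SEVERITY[f[1]])


# Constructed trust policies, shaped like AssumeRolePolicyDocument after decoding.
TRUST_POLICIES = {
    "AppRole": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                               "Principal": {"Service": "ec2.amazonaws.com"}}]},
    "VendorAuditRole": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                       "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
                                       "Condition": {"StringEquals": {"sts:ExternalId": "vendor-token"}}}]},
    "LegacyAdmin": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                   "Principal": {"AWS": "*"}}]},
    "OrgWideRead": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                   "Principal": "*",
                                   "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}}]},
    "CiDeploy": {"Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole", "sts:TagSession"],
                                "Principal": {"AWS": ["arn:aws:iam::444455556666:role/ci",
                                                      "arn:aws:iam::123412341234:root"]}}]},
}

if __name__ == "__main__":
    for role, sev, reason in scan_trust_policies(TRUST_POLICIES):
        print(f"{sev:8} {role:16} {reason}")
```

On the constructed set this flags LegacyAdmin (critical), CiDeploy (high, because of the unknown account with no ExternalId), VendorAuditRole (medium) and OrgWideRead (low), and leaves AppRole alone. It only looks at trust policies, so it answers “who can get into this role” and not “what the role can do once inside”; the org‑admin half of the POC question needs the role’s permission policies and the attack-path correlation discussed earlier. Against a live account you would replace TRUST_POLICIES with the roles from a paginated iam.list_roles() call and compare the output against IAM Access Analyzer’s external-access findings for the same account; a vendor that reports less than this should have to explain why.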

Where You Might Want Deeper Dives

If you decide to go deeper on this, the two follow-ups linked earlier in the report are the natural next questions and deserve separate treatment:

  • Does Wiz actually reduce AWS breach risk?
  • Prisma Cloud vs AWS-native services for CSPM.

This is where you’d pressure-test vendors with your own data, not theirs.

Report: Comparing Top CSPM Vendors for AWS-Focused Mid‑Market Orgs | VendorTruth