Wiz vs Orca Security vs Lacework vs Microsoft Defender for Cloud: CSPM Comparison for Multi-Cloud Teams (2026)

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The wiz vs orca vs lacework cloud security comparison is one of the most common evaluations in enterprise security buying cycles right now, and for good reason: these platforms are solving the same fundamental problem with meaningfully different approaches. When a security team asks what are the best CSPM tools for identifying cloud misconfigurations, the honest answer is that the right tool depends on your cloud estate composition, your existing vendor relationships, your tolerance for agent deployment, and how mature your security program already is. This guide covers all four platforms across the five dimensions that actually matter for a practitioner making a purchasing decision: scan architecture, attack path analysis, data security posture management, compliance and finding management workflows, and pricing.
CSPM Architecture Showdown: Agentless vs Agent-Based vs Hybrid
The architecture decision is the most consequential choice in a CSPM evaluation because it determines deployment speed, coverage completeness, runtime visibility, and operational overhead.
Wiz: Pure Agentless via Read-Only Cloud API
Wiz connects to cloud accounts using read-only IAM roles and does not install agents on any workload. In AWS, Wiz creates a cross-account role with a curated set of read-only permissions (ec2:Describe*, s3:GetBucketAcl, iam:Get*, and approximately 200 similar read-only API calls). It then uses out-of-band snapshot analysis: for each EC2 instance or VM, Wiz takes an EBS snapshot, mounts it in a Wiz-owned scanning account, reads the filesystem and installed packages, and deletes the snapshot. No code runs on your workload. The full environment scan of a 1,000-account AWS organization typically completes in 24 to 48 hours for the initial crawl, then updates incrementally as cloud API events fire. The limitation is that Wiz sees the disk snapshot state at scan time, not real-time process execution.
Orca Security: SideScanning -- the Same Agentless Approach
Orca invented the agentless snapshot scanning approach that Wiz later popularized. Orca's SideScanning connects via cloud provider APIs, takes snapshots of running workloads without touching them, and analyzes the filesystem outside the production environment. The key differentiator Orca claims is that SideScanning reads the actual runtime stack: installed packages, configuration files, running processes (from process tables captured in the snapshot), and environment variables. Like Wiz, Orca requires read-only cloud API access and mounts snapshots in an Orca-controlled account for analysis.
Lacework: Agent-First with Agentless Supplement
Lacework's architecture reflects its detection-first heritage. The Lacework agent (Polygraph Data Platform agent) installs on each workload and streams syscall telemetry, process events, network connections, and file integrity data in real time. This gives Lacework visibility into runtime behavior that neither Wiz nor Orca can see from snapshots: which processes are actually running, which network connections are active, and what a container did after it started. Lacework added agentless CSPM scanning in 2023 to cover cloud API-level misconfigurations where agent installation is impractical (managed services like RDS, S3, Lambda). In practice, most Lacework deployments use both: agentless for posture and agents for runtime detection.
Microsoft Defender for Cloud: Native Integration
Defender for Cloud connects natively to Azure subscriptions with zero additional IAM configuration because it runs inside the Azure management plane. For AWS and GCP, it uses the same cloud connector pattern as Wiz and Orca (read-only role via AWS Organizations or GCP Organization Policy). The agent story for Defender is complex: Azure Arc, the MMA (Microsoft Monitoring Agent), the AMA (Azure Monitoring Agent), and the Defender for Servers plan all interact in ways that vary by subscription configuration. For Azure-native environments, Defender for Cloud is the fastest to deploy with the deepest native integration. For multi-cloud environments without Azure as the primary cloud, the deployment experience is significantly more complex.
Architecture Fit by Scenario
| Scenario | Best Fit |
|---|---|
| No agents allowed in production | Wiz or Orca |
| Runtime process anomaly detection required | Lacework |
| Azure-native, M365 integration needed | Defender for Cloud |
| Full Kubernetes runtime visibility | Lacework or Wiz (with Sensor) |
Attack Path Analysis: Which Platform Finds the Realistic Kill Chain
Attack path analysis is the feature that separates CSPM from simple misconfiguration scanning. Any tool can report that an S3 bucket is public. The harder and more valuable capability is determining whether that public S3 bucket is the first hop in a path that reaches a database containing 10 million credit card numbers. This is the question practitioners are asking when they evaluate wiz dspm comparison or attack path depth.
Wiz Security Graph
Wiz's Security Graph is a property graph database that stores every cloud resource, its configuration attributes, its relationships to other resources (network reachability, IAM trust, tag association), its vulnerability state, and its data classification as nodes and edges. Attack paths in Wiz are graph traversal queries over this model. A path might look like: Public EC2 instance (exposed via security group) --> IMDSv1 enabled (credential theft possible via SSRF) --> Instance role has s3:GetObject on sensitive bucket --> Bucket contains files matching PII classifiers. Wiz surfaces these as toxic combinations: multi-factor findings where a single fix (like enabling IMDSv2 or restricting the security group) breaks the attack path. Wiz's Security Graph queries run continuously and new paths surface as new resources are added or existing resources change configuration.
Wiz acquired Gem Security in 2024 for cloud detection and response, adding runtime threat detection to the graph context. This means Wiz can now correlate a runtime alert (someone is running an unusual command inside a container) with the graph context (that container has a role with admin IAM permissions and network access to a production database).
Orca Security: Attack Path Visualization
Orca's attack path analysis builds on similar graph principles. Orca's differentiator is the asset risk score that aggregates finding severity, exploitability, network exposure, and business context (production vs dev tag, data sensitivity) into a single prioritization score. Orca's interface presents attack paths visually with each hop displayed as a step in the chain. Security teams can click into any node to see the specific control that needs to be fixed to break that path. Orca's alert grouping reduces alert volume by clustering related findings into single issues rather than producing hundreds of individual misconfiguration alerts.
Lacework: Anomaly Detection, Not Graph-Based Paths
Lacework's approach to attack correlation is fundamentally different. Rather than building a static graph of potential attack paths, Lacework uses behavioral baselines (its Polygraph behavioral analysis) to identify when actual runtime behavior deviates from normal patterns. If a workload that normally serves HTTP requests on port 443 suddenly makes outbound connections to a rare external IP on an unusual port, Lacework fires an alert. This is a detection-first model rather than a posture-first model. For attack path analysis in the CSPM sense (potential paths an attacker could take based on configuration), Lacework is less mature than Wiz or Orca. Lacework is stronger when the question is 'is something happening right now' rather than 'what could happen if an attacker got in.'
Microsoft Defender for Cloud: Recommendations and Secure Score
Defender for Cloud's attack path analysis (introduced as a public feature in 2023) models cloud attack paths using its cloud security graph. The feature identifies attack paths that target internet-exposed resources with exploitable vulnerabilities and high-privilege access to sensitive data. For Azure-native environments, Defender's attack path integration with Microsoft Sentinel for SIEM correlation is a genuine advantage: a Defender attack path finding can trigger a Sentinel analytic rule and automate a Logic App response playbook without additional integration work. For multi-cloud paths that span AWS and Azure resources, the attack path quality drops because the graph completeness in non-Azure clouds is lower.
“The goal is not to give you a list of misconfigurations. The goal is to show you the three paths that actually matter this week and let you break them before an attacker walks them.”
Common framing from Wiz and Orca sales engineers during platform demonstrations, reflecting the industry shift from compliance lists to risk-prioritized attack path analysis
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
DSPM and Data Security Posture: Wiz vs Orca vs Lacework
The cloud security posture management scan job policy rule finding suppression exception data model is mature territory. What is newer and less standardized across vendors is how each platform handles data security posture management: discovering where sensitive data lives in cloud storage, classifying it, and connecting that data exposure context to the broader security posture graph.
Wiz DSPM: Acquired from Laminar Security
Wiz acquired Laminar Security in 2023 for approximately 175 million dollars, adding dedicated DSPM capabilities to the platform. Wiz DSPM discovers data stores across AWS S3, Azure Blob Storage, GCP Cloud Storage, Snowflake, RDS, Redshift, and BigQuery without requiring agents by using the same snapshot scanning approach used for workload analysis. The classification engine identifies sensitive data using pattern matching for PII (social security numbers, credit card numbers, passport numbers), PHI (ICD codes, medication names, patient identifiers), and financial data. Results feed back into the Security Graph: if a misconfigured EC2 instance has an attack path to an S3 bucket, and that bucket contains data classified as containing credit card numbers, the attack path severity increases automatically. DSPM findings appear in the same finding console as CSPM findings, with the same suppression and exception workflow.
For a wiz dspm comparison evaluation, the key question is scan depth versus sampling strategy. Wiz DSPM samples data stores (it does not read every object in every bucket) and applies statistical classification based on sampled content. This approach works well for large data lakes but may miss small sensitive files in otherwise unremarkable buckets.
Orca Security: Data Discovery and Sensitivity Scoring
Orca's data discovery is part of its core SideScanning output. When Orca scans a workload, it reads filesystem paths where databases are stored, configuration files with credentials, and any files accessible from cloud storage mounts. For cloud-native object storage (S3, Blob), Orca scans bucket contents using its cloud API connector. Orca classifies content against a library of patterns and assigns each data store a sensitivity label that feeds into the asset risk score. Orca's data discovery is deeply integrated with its attack path analysis: an Orca attack path that terminates at a data store will show the data sensitivity score of that store as part of the path's priority calculation.
Lacework: Data Classification via Agent Telemetry
Lacework's data classification relies on agent-side telemetry: when the Lacework agent observes a process reading from or writing to a file, it can classify that activity based on the file path, process name, and data patterns observed. This approach provides real-time data access monitoring (who touched what sensitive file at what time) but is not a scalable cloud storage classifier in the way Wiz DSPM or Orca's scanner are. Lacework partners with third-party DSPM vendors for full data classification capabilities. If DSPM is a primary evaluation criterion, Lacework is the weakest of the four platforms.
Microsoft Defender for Cloud: Sensitive Data Discovery (MDVM Integration)
Microsoft introduced Sensitive Data Discovery in Defender for Cloud via integration with Microsoft Purview's data classification engine. For Azure Blob Storage, Azure SQL, Azure Cosmos DB, and other Azure-native data services, the classification is strong because Purview already indexes these for Microsoft 365 compliance. For AWS S3, the integration requires the Defender CSPM plan (P2) and the AWS connector with S3 scanning permissions enabled. The Purview classification labels (Highly Confidential, Confidential, General) are consistent with what organizations using Microsoft Information Protection already have deployed, reducing the need for custom classifiers.
Wiz DSPM: Best for security graph integration
Data sensitivity scores feed directly into attack path severity and toxic combination detection. A public S3 bucket containing credit card numbers surfaces as a critical path, not just a medium misconfiguration.
Orca DSPM: Best for agentless breadth
SideScanning covers filesystems, databases, and cloud storage in the same scan pass. No separate DSPM connector or additional product purchase required.
Defender DSPM: Best for Microsoft-first organizations
Purview integration reuses existing data classification labels from M365 compliance deployments. Eliminates the need to re-classify data already labeled by a Purview DLP policy.
Lacework DSPM: Agent-side access monitoring only
Better for detecting who accessed sensitive files in real time than for discovering where sensitive data lives across cloud storage at scale. Pair with a dedicated DSPM tool if this is a priority.
Compliance Framework Coverage and Finding Management
Every CSPM platform ships with compliance framework coverage out of the box. The differentiation is not in the list of frameworks but in how the platform manages the finding lifecycle: how suppression works, how exceptions are created and audited, how custom policies are written and tested, and how compliance posture is reported to stakeholders who are not in the security console.
Built-in Framework Coverage Across All Four Platforms
All four platforms cover the frameworks most commonly required in enterprise environments: CIS Benchmarks (AWS Foundations v1.4 and v2.0, Azure Foundations v2.0, GCP Foundations v2.0, Kubernetes v1.7), SOC 2 Type II control mapping, PCI DSS v4.0, NIST CSF 2.0, NIST SP 800-53 Rev 5, ISO 27001:2022, HIPAA Security Rule, and FedRAMP Moderate. Defender for Cloud adds Microsoft Cloud Security Benchmark (MCSB) as its default standard, which maps to NIST SP 800-53 and CIS benchmarks simultaneously.
Finding Suppression and Exception Workflows
The cloud security posture management scan job policy rule finding suppression exception data model varies significantly across platforms. In Wiz, findings are organized by Issue (the actual misconfiguration instance on a specific resource), Control (the policy that generated it), and Project (the organizational grouping for cloud accounts). Exceptions in Wiz are created at three levels: resource level (suppress this specific S3 bucket's public access finding because it is an intentional public static site), resource type level (suppress all publicly accessible EC2 findings in the dev-sandbox project), or global control level (disable this control entirely). Each exception requires an expiration date and justification text. Wiz logs all exceptions with the user identity, timestamp, and justification for audit trail purposes.
Orca uses a similar hierarchy: Alert (the specific finding), Alert Rule (the policy), and Exception. Orca's exceptions can be scoped by tag (suppress findings on resources tagged env:dev), by cloud account, or by asset type. Orca alerts on exceptions that are approaching expiration, which reduces the problem of suppression rules that never get reviewed.
Lacework's compliance finding management uses Policy (the compliance check), Violation (the finding), and Exception (the suppression). Lacework's custom policy authoring uses its own SQL-like query language (LQL, the Lacework Query Language) which is more accessible for practitioners who are comfortable with SQL-style syntax. Writing a custom LQL policy to check whether all S3 buckets in a given account have a specific tag requires approximately 10 to 15 lines of LQL rather than the YAML-heavy policy-as-code approach used by some tools.
Defender for Cloud organizes findings as Recommendations (individual checks), with Governance Rules to assign owners and set remediation due dates. The Governance feature is genuinely useful for large organizations: a finding can be assigned to a specific team with an SLA deadline, and Defender tracks whether the finding was remediated within the agreed window. Exception handling in Defender uses Exemptions at the subscription, resource group, or resource level, with justification categories (waiver, mitigated) and expiration timestamps.
Custom Policy Authoring
Wiz: Custom controls use a graph-based query language (Wiz Query Language) that traverses the Security Graph. Writing a custom policy to detect EC2 instances with a specific combination of security group rule and IMDSv1 enabled requires traversing the graph from the EC2 node to its security group relationships. The learning curve is steeper than SQL but the expressiveness for multi-resource conditions is significantly higher.
Orca: Custom alert rules are configured in the UI with filter conditions and threshold values. For complex multi-resource conditions, Orca's custom rule interface is more limited than Wiz's graph traversal approach.
Lacework: LQL (Lacework Query Language) is the most SQL-like custom policy option. SELECT * FROM LW_HE_EVENTS WHERE EVENT_TYPE = 'CreateBucket' AND not json_extract_scalar(EVENT:requestParameters, '$.bucketPolicy') IS NOT NULL covers the logic for detecting S3 buckets created without a bucket policy in a single readable query.
Pricing Models Compared: What You Actually Pay
CSPM pricing is one of the least transparent areas in enterprise security buying. Vendors rarely publish list prices, and the actual cost depends heavily on cloud spend volume, workload count, and which modules are included. Here is what practitioners report from actual procurement conversations.
Wiz: Percentage of Cloud Spend
Wiz prices based on a percentage of annual cloud spend across all connected cloud accounts. The published starting range is approximately 1 to 3 percent of annual cloud spend, with the percentage declining as cloud spend increases. For an organization with 5 million dollars in annual AWS spend, Wiz pricing typically falls in the 75,000 to 150,000 dollar range annually for the core CNAPP platform including CSPM, vulnerability management, and IaC scanning. DSPM (the Laminar acquisition) is a separate add-on module priced separately, typically adding 20 to 40 percent to the base cost. Defender for Containers is included in base Wiz. The Wiz CDR (Cloud Detection and Response) module is an additional charge. Wiz's pricing makes it more expensive as your cloud spend grows, which is the opposite of the discount structure most enterprise software buyers expect.
Orca Security: Per-Asset Pricing
Orca's pricing is based on the number of cloud assets (compute instances, cloud functions, containers, and cloud data stores) connected to the platform. Orca publishes a starting price of approximately 500 to 2,500 dollars per asset per year depending on volume tier and module selection. For a 500-asset environment with mixed EC2, RDS, Lambda, and EKS nodes, Orca pricing typically comes in at 150,000 to 300,000 dollars annually for the full platform including DSPM. Orca's per-asset model is more predictable than Wiz's percentage-of-spend model because asset count grows more slowly than cloud spend in infrastructure-heavy environments. The disadvantage is that asset count can grow quickly in Kubernetes-heavy environments with ephemeral workloads.
Lacework: Consumption-Based with Credit Model
Lacework moved to a consumption-based credit model in 2023. Organizations purchase a pool of credits, and consumption is based on the number of resources scanned per day and the data ingestion volume from agents. The credit model is intended to let organizations scale coverage up and down without renegotiating contracts. Reported annual costs for mid-market deployments (200 to 500 workloads) range from 100,000 to 250,000 dollars. The consumption model can lead to cost surprises if agent deployments expand faster than planned: each new workload with a Lacework agent running continuously consumes credits daily.
Microsoft Defender for Cloud: P1 and P2 Per-Resource Pricing
Defender for Cloud has the most granular and published pricing structure of the four platforms. Defender CSPM (the free tier, CSPM Foundational) provides basic recommendations at no cost for Azure subscriptions. Defender CSPM (paid, sometimes called DCSPM or P2 capabilities) is priced at approximately 0.018 dollars per billable resource per hour (roughly 13 dollars per resource per month). Defender for Servers Plan 1 is approximately 5 dollars per server per month; Plan 2 is approximately 15 dollars per server per month and includes vulnerability assessment via Microsoft Defender Vulnerability Management. AWS and GCP resources connected via cloud connectors are billed at lower rates than Azure resources. For an organization with 500 Azure VMs, the cost for full Defender CSPM plus Defender for Servers P2 is approximately 10,000 to 12,000 dollars per month. Defender's pricing transparency is an advantage in procurement: you can estimate costs precisely before signing.
Pricing Summary
| Platform | Model | Estimated Annual Cost (500 workloads) |
|---|---|---|
| Wiz | % of cloud spend | $150K-$400K (varies by cloud spend) |
| Orca | Per asset | $150K-$300K |
| Lacework | Credit consumption | $100K-$250K |
| Defender for Cloud | Per resource/hour | $60K-$144K (Azure only) |
Which Platform Fits Which Organization
After evaluating architecture, attack path depth, DSPM, compliance workflows, and pricing, the decision usually comes down to organizational profile. Here is a decision matrix for the most common profiles practitioners encounter.
Microsoft 365 and Azure-First Organizations
If your primary cloud is Azure and your security team is already operating Microsoft Sentinel, Defender XDR, and Purview, Defender for Cloud is the default choice. The integration depth is real: Defender for Cloud findings flow into Sentinel automatically, Purview data classification labels appear natively in CSPM findings, and the identity plane via Entra ID connects to CIEM capabilities without additional connectors. The pricing transparency and existing enterprise agreement terms often make Defender the most cost-effective option for Azure-heavy organizations. The limitation is multi-cloud coverage quality: AWS and GCP coverage in Defender is functional but not as deep as Wiz or Orca for non-Azure-native services.
AWS-Native Multi-Account Organizations
For organizations primarily on AWS with 50 or more accounts in an AWS Organization, Wiz has become the dominant choice in this segment. The CloudFormation StackSet deployment for cross-account role creation works well with AWS Organizations, the Security Graph handles the IAM relationship complexity that is common in large AWS environments, and the attack path analysis for IAM privilege escalation paths (the most common critical finding category in AWS) is the most mature of the four platforms. Orca is a competitive alternative with a lower entry-level price point for smaller AWS environments.
Multi-Cloud (AWS plus Azure plus GCP) Enterprise
For true multi-cloud environments with significant workloads on two or three providers, Wiz or Orca are the strongest options because both were built as multi-cloud platforms from the start. Wiz has better enterprise support depth and a larger integration ecosystem. Orca competes on total cost of ownership for mid-market organizations and has a more approachable pricing model for organizations that want per-asset predictability.
Startups and Growth-Stage Companies
Lacework was historically the go-to for startup cloud security due to its consumption model and developer-friendly positioning. Wiz has aggressively targeted startups through its startup program (discounted rates for early-stage companies under a revenue threshold). For startups under 10 million dollars in cloud spend, Wiz's startup program pricing is often more competitive than Lacework's credit model. Orca offers a similar startup tier.
Organizations with Strong Runtime Detection Requirements
If the primary requirement is detecting active threats in cloud workloads rather than auditing configuration posture, Lacework is the strongest option because its agent provides syscall-level runtime visibility that no agentless scanner can replicate. The combination of Lacework for runtime detection and a secondary CSPM tool for compliance posture is a pattern some mature organizations adopt. Wiz CDR (with the Gem Security acquisition) is the strongest agentless alternative for organizations that need runtime detection without agents.
Decision Matrix
| Org Profile | Recommended Platform |
|---|---|
| Azure-primary, M365 ecosystem | Microsoft Defender for Cloud |
| AWS-native, 50+ accounts | Wiz |
| Multi-cloud (3 providers) | Wiz or Orca |
| Runtime anomaly detection priority | Lacework |
| Mid-market, cost-sensitive | Orca or Lacework |
| Startup (under $10M cloud spend) | Wiz startup program or Orca |
| DSPM as primary use case | Wiz (Laminar) |
Proof of concept recommendation: use your own data
Request a 30-day POC from all finalists with your own AWS or Azure accounts connected. The critical test is not feature checkbox coverage but finding quality: how many critical findings does each platform surface in week one, and how many of those are actionable versus noise requiring immediate suppression?
Ask about false positive rates before signing
Request a customer reference from a similar-sized organization in your vertical and ask specifically what percentage of initial findings required exception or suppression. High false positive rates create alert fatigue that erodes program value within 90 days of deployment.
Evaluate the exception workflow with your compliance team
Have your compliance or GRC team walk through the exception creation, justification, expiration, and audit export workflow during the POC. A CSPM tool that creates compliance friction will be bypassed or ignored.
Get pricing in writing with clear definitions of billable units
Require a written definition of what constitutes a billable resource, workload, or asset before finalizing pricing. Vendors define these terms differently: a Kubernetes pod may or may not count as a separate asset depending on the pricing document's fine print.
The bottom line
The wiz vs snyk vs lacework cloud security comparison and the broader CSPM market have matured to a point where all four platforms in this guide will find your critical misconfigurations. The differentiation is in the details that practitioners live with every day: how attack paths are visualized and prioritized, how exceptions are managed at scale without creating an audit liability, how data sensitivity context changes finding severity, and what you actually pay 18 months into the contract when your cloud estate has grown. Wiz wins on attack path depth and DSPM integration. Orca wins on agentless breadth and pricing predictability for mid-market organizations. Lacework wins on runtime detection for organizations that need to know what is happening right now, not just what could happen. Defender for Cloud wins on integration depth for organizations already deep in the Microsoft ecosystem. Run a genuine 30-day POC with your own cloud accounts before committing.
Frequently asked questions
What are the best CSPM tools for identifying cloud misconfigurations?
The best CSPM tools for identifying cloud misconfigurations in 2026 are Wiz, Orca Security, Lacework, and Microsoft Defender for Cloud. Each takes a different approach: Wiz and Orca use agentless snapshot scanning that connects via read-only cloud APIs and analyzes workload filesystems without installing anything on production systems. Lacework uses an agent-first approach that provides deeper runtime visibility but requires agent deployment on each workload. Defender for Cloud integrates natively with Azure and supports AWS and GCP via cloud connectors. For pure misconfiguration coverage (S3 bucket ACLs, security group rules, IAM policy violations, unencrypted volumes, public snapshots), all four platforms perform comparably on the major cloud providers. Where they diverge is in how they prioritize findings using attack path analysis, how they handle compliance exception workflows at scale, and how they integrate data classification to elevate findings that touch sensitive data.
How does Wiz pricing work, and is it worth the cost?
Wiz prices based on a percentage of your annual cloud spend across all connected cloud accounts, typically ranging from 1 to 3 percent depending on volume and modules selected. For an organization with 5 million dollars in annual AWS spend, expect an annual Wiz contract in the 75,000 to 200,000 dollar range depending on which modules are included. DSPM (data security posture management via the Laminar acquisition) and CDR (cloud detection and response via the Gem Security acquisition) are separate add-ons that add 20 to 50 percent to the base cost. Whether Wiz is worth the cost depends on the counterfactual: organizations that previously used multiple point tools (a vulnerability scanner, a separate CSPM tool, a DAST tool, and a secrets scanner) often find Wiz's consolidated Security Graph plus single-pane-of-glass finding management reduces total tooling spend and security team overhead despite the higher per-platform cost.
What is the difference between agentless and agent-based CSPM?
Agentless CSPM (used by Wiz and Orca) connects to cloud provider APIs using read-only IAM roles, takes snapshots of running workloads, and analyzes filesystem contents, installed packages, configuration files, and cloud resource configurations without installing any software on production systems. The advantages are fast deployment (typically hours to days for an entire AWS Organization), no operational overhead for agent lifecycle management, and no performance impact on workloads. The limitation is that agentless scanning sees a point-in-time view: it captures the disk state at scan time, not real-time process activity. Agent-based CSPM (used by Lacework) installs a lightweight agent on each workload that streams syscall telemetry, process events, network connections, and file integrity data in real time. The advantage is runtime visibility: the agent knows what processes are actually running and what network connections are active right now. The disadvantages are deployment overhead (every new workload needs an agent), agent lifecycle management, and the operational burden of maintaining agent versions across a dynamic cloud environment.
How does attack path analysis work in Wiz versus Orca?
Wiz attack path analysis is built on the Wiz Security Graph: a property graph database that stores every cloud resource (EC2 instances, IAM roles, S3 buckets, security groups, Kubernetes pods) as nodes, with edges representing relationships (network reachability, IAM trust, tag association, data access). An attack path is a graph traversal from an external entry point (internet-exposed instance) through a chain of relationships to a high-value target (data store with sensitive classification). Wiz surfaces paths where multiple conditions combine: network exposure plus credential access plus excessive IAM permissions plus sensitive data, flagged as toxic combinations. Orca's attack path analysis uses a similar graph model but layers in its asset risk score, which aggregates finding severity, exploitability, network exposure, and business context tags (production vs dev environment) into a single priority number. Both platforms let practitioners click into any node in the attack path to see the specific configuration change that would break the chain. The practical difference is query expressiveness for custom path detection: Wiz's graph query language is more powerful for complex multi-hop conditions, while Orca's visual path explorer is more accessible for practitioners who are not writing custom queries.
How does Microsoft Defender for Cloud compare to Wiz for multi-cloud environments?
For Azure-native environments, Defender for Cloud offers deeper integration than Wiz because it runs inside the Azure management plane: native Entra ID identity context, Purview data classification labels, Sentinel SIEM integration without additional connectors, and existing enterprise agreement pricing. For multi-cloud environments with significant AWS or GCP workloads, Wiz is typically the stronger choice. Defender's AWS and GCP support works through the cloud connector model (similar to Wiz's approach), but the finding depth for AWS-native services like ECS Fargate, Lambda, DynamoDB, and API Gateway is less comprehensive than Wiz's coverage. Attack path analysis in Defender for multi-cloud paths (a path that starts on an AWS EC2 instance and terminates at an Azure database) requires the Defender CSPM paid plan and is less mature than Wiz's Security Graph for cross-cloud scenarios. Organizations heavily invested in Microsoft Sentinel, Purview, and Entra ID should evaluate Defender seriously even for multi-cloud environments because the integration value can outweigh the coverage gaps in non-Azure clouds.
What is DSPM, and which CSPM platform has the best data security posture management?
Data Security Posture Management (DSPM) is the discipline of discovering where sensitive data lives in cloud environments, classifying it, and connecting that data exposure context to cloud security findings. Without DSPM, a CSPM platform treats a public S3 bucket containing test data the same as a public S3 bucket containing 50 million customer credit card numbers, even though the risk difference is enormous. With DSPM integrated, the sensitive bucket's finding gets elevated severity and appears in attack paths that target it. Wiz has the most mature integrated DSPM capability following its 2023 acquisition of Laminar Security. Wiz DSPM scans cloud storage and databases using the same agentless snapshot approach as its workload scanning, classifies content against PII, PHI, and financial data patterns, and feeds classification results back into the Security Graph so sensitive data stores appear in attack paths at elevated priority. Orca includes DSPM as part of its core SideScanning output with no additional module purchase required, making it a strong option for organizations that want data discovery included in the base platform cost. Lacework is the weakest option for DSPM: its agent-side telemetry provides access monitoring but not scalable cloud storage classification. Microsoft Defender for Cloud with Purview integration is the best option for organizations that have already deployed Microsoft Purview for M365 data classification and want to reuse those classification labels in cloud security findings.
Sources & references
- Wiz: Security Graph and CNAPP Documentation
- Orca Security: SideScanning Architecture Overview
- Lacework: Agent-Based and Agentless Coverage
- Microsoft Defender for Cloud: Plans and Pricing
- Gartner: Magic Quadrant for Cloud-Native Application Protection Platforms 2024
- CIS Benchmarks: Cloud Foundations
- NIST CSF 2.0 Implementation Guide
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
