A couple weeks ago, we did a video on Alphabet’s (GOOGL) offer to acquire cybersecurity startup Wiz and merge it with Google Cloud. The price tag? A shocking $32 billion! Link to that video here: The Real Reason You Should Care About Google’s Acquisition of Wiz
Wiz is a CNAPP provider. What is CNAPP? Why does Google care to spend so much money on it? And what other ways are there to invest, besides just Google?
First things first, what is CNAPP?
“CNAPP” is an acronym for “cloud-native application protection platform.” It was coined by tech researcher Gartner – yes, the same tech researcher that also coined the cybersecurity acronym SASE. We’ve been discussing and investing in SASE for years too; here’s an old blog post on the topic: https://chipstockinvestor.com/fortinet-stock-will-a-new-cybersecurity-service-reverse-the-downtrend/
But what is CNAPP really? It’s a new type of framework for protecting apps as they migrate from more traditional formats (operated in an office building, or directly on a device like a smartphone) to data center-based (operated via a private data center, or public cloud). See the lower left quadrant of our IT infrastructure chart (we’ll have updated versions of these infographics later this year!).
Apps (software) are just another product – and there’s a race to control the digital product supply chain. For over a decade now, that race has involved building out data center infrastructure that can be rented out to operate apps and help businesses manage their digital data and IT work. Data center and cloud infrastructure has become a new type of rented utility.
But with the advent of AI over the last few years, the infrastructure needed to support these new digital products just got a lot bigger… and a lot more complex. More sectors of the economy than ever before have been incentivized to adopt digital supply chains to build new products. And as they do, they need to turn to cybersecurity companies to keep that infrastructure and supply chain safe.
Cybersecurity products have become an integral part of this infrastructure and supply chain, which is why Google is making the bid for Wiz. Besides simply being a high-growth business in the emerging “application security” segment, Wiz’s CNAPP offerings would be a standout service for Google Cloud, something that the other data center infrastructure competitors (Amazon AWS, Microsoft Azure, Oracle Cloud) currently don’t have.
Cybersecurity overall remains a key secular growth trend. We expect CNAPP and related app-level security products to emerge as the next big thing in cybersecurity over the next few years.
What services are needed in the CNAPP framework?
Developing and operating these apps, especially with an increasing amount of AI infused into them, isn’t just getting more complex. The vulnerabilities to cyber attack, or areas where sensitive business/organization data can accidentally “leak,” are also rising fast.
This is why Gartner put together the CNAPP framework (https://www.gartner.com/en/documents/5605291). Some of the cybersecurity services needed to complete CNAPP for developing and operating modern software include:
- CSPM (cloud security posture management): automated tools that monitor, search out, and fix problems in data center computing workflows.
- KSPM (Kubernetes security posture management): Kubernetes is an open-source orchestration platform, originally developed by Google Cloud, that manages “containers” for apps that run on data center servers. So, similar to CSPM, KSPM tools monitor and automate fixes in these containerized data center workflows.
- CIEM (cloud infrastructure entitlement management): not to be confused with SIEM (security information and event management, a different set of security services); CIEM ensures that users – both human users and machine users (like software-based AI agents) – manage credentials to access data center workloads and assets.
- CWP (cloud workload protection): the ongoing protection needed once an app is put into use; necessary as modern software is continuously updated, and ongoing development can cause vulnerabilities and configuration problems.
Who’s who in the CNAPP race?
Wiz is one of a select few companies that have all the necessary tools to rank it as a full-blown CNAPP provider. Google is paying a premium for that, but it obviously must think the greater CNAPP potential for its Google Cloud segment is worth the high price tag.
Besides Alphabet stock (GOOGL/GOOG), who else offers a route to investing in CNAPP? Let’s start with the big two network security platform giants: Palo Alto Networks (PANW) and Fortinet (FTNT).
CNAPP is recognition that a lot of app functionality – especially new AI features – is moving off device and into a data center. Endpoint security providers recognized this, and started building cloud workload protection (CWP) and similar modules to chase their customer app workloads into the data center. CrowdStrike (CRWD), SentinelOne (S), Microsoft (MSFT), and Trend Micro (TYO:4704) all have parts of a CNAPP offering available.
Lots of other vendors also possess various tools that, in part, make up a complete CNAPP service. In cloud monitoring and observability, data log management, etc., there’s Dynatrace (DT) and Datadog (DDOG). Both offer CSPM and KSPM products, among other features.
Qualys (QLYS) and Tenable (TENB) are two smaller providers that got their start in various cybersecurity point products. These days, both are advertising complete CNAPP services as they’ve stitched together more security features.
Then there’s Okta (OKTA) and CyberArk (CYBR). We’ve compared these two in the past (https://chipstockinvestor.com/cyberark-plus-venafi-adding-a-new-cybersecurity-leader-to-the-basket-in-2025/), and Okta has been the leader in identity and access management (IAM). But CyberArk has been making moves in privileged access management (PAM) – for both humans and machines. This is a key product differentiator, as machine identity is an important part of securing the application development and operations supply chain.
Finally, on the last row of our above infographic, there are a number of other cybersecurity startups building out CNAPP services. Perhaps some of these will eventually IPO, or perhaps they’ll be big tech acquisition targets to keep up with Google’s move on Wiz. Time will tell.
Here at Chip Stock Investor, we’re sticking with our basket approach to cybersecurity, especially centered around the big three: Palo Alto Networks, Fortinet, and CrowdStrike. Other names could emerge as full-fledged security software giants as well, with CNAPP being the catalyst.