Tooling Market Analysis
One-Shot Capability Coverage
Companion to: Security-as-Code Enterprise Operating Model v1.0
1. Purpose & Scope
This addendum provides a single-view market analysis of which commercial and open-source platforms can cover the most operating model capabilities within the target enterprise stack. The goal: identify the minimum number of contracts that cover the maximum number of capabilities.
| Constraint | Target |
|---|---|
| Cloud Providers | AWS (multi-account, Organizations) + Azure (management groups, landing zones) |
| SIEM / Detection | Microsoft Sentinel (primary analytics engine) |
| Governance / ITSM | ServiceNow (ITSM, IRM/GRC, SIR, VR, CMDB) |
| CI/CD | Azure DevOps primary, AWS CodePipeline secondary, GitHub Actions tertiary |
| IaC | Terraform (multi-cloud), Bicep (Azure-native), CloudFormation (AWS-native) |
| Remediation | Automated, AI-driven remediation orchestration |
| Philosophy | Capabilities first. Open source where viable. Minimise vendor sprawl. Maximise coverage per contract. |
2. Market Landscape — February 2026
CNAPP Market State
The CNAPP market surpassed $2B in 2023 revenue, projected to reach $6B by 2028 at 25% CAGR. Consolidated around three leaders: Palo Alto Networks (Prisma Cloud / Cortex Cloud), CrowdStrike (Falcon Cloud Security), and Wiz.
The Google/Wiz Factor
Wiz is being acquired by Google/Alphabet for $32B (EU approval granted Feb 2026). Post-acquisition, long-term roadmap bias toward GCP is a reasonable assumption. This analysis flags this risk and provides alternatives.
The Remediation Gap
Every CNAPP excels at finding problems. None excel at fixing them. Average MTTR: 30+ days. ZEST Security closes this gap with multi-agent AI that generates IaC fixes, simulates impact, traces root cause, and validates remediation.
Tenable One — Exposure Foundation
2025 Gartner MQ Leader for Exposure Assessment Platforms. Continuous discovery across IT, cloud, OT, IoT, containers, web apps, identity, and AI. 300+ integrations. 10-year ServiceNow partnership.
3. Vendor Capability Matrix
3.1 Layer 1 — Authoring Capabilities
| Capability | Claude Code | Wiz | Prisma/Cortex | CrowdStrike | MS Defender | OSS Stack |
|---|---|---|---|---|---|---|
| Policy Authoring | ||||||
| Detection Engineering | ||||||
| IaC Security Authoring | ||||||
| Compliance Scripting | ||||||
| Threat Modelling | ||||||
| Pen Test Authoring | | | | | | |
VERDICT: No CNAPP covers authoring. This is the CLI + AI layer. Claude Code plus open-source tooling is the only viable approach. This is by design.
3.2 Layer 2 — Version Control
| Capability | ADO | GitHub | GitLab | Wiz | Prisma/Cortex |
|---|---|---|---|---|---|
| Repository Management | |||||
| Branch Governance | |||||
| Secrets Prevention | |||||
| Audit Trail | | | | | |
VERDICT: Azure DevOps is the primary choice given the target stack. Supplement with Gitleaks for secrets prevention. No CNAPP replaces Git.
3.3 Layer 3 — Pipeline & Deployment
| Capability | ADO Pipelines | Wiz | Prisma/Cortex | ZEST | Checkov | Trivy |
|---|---|---|---|---|---|---|
| Policy Validation | ||||||
| Detection Testing | ||||||
| SAST / IaC Scanning | ||||||
| Infra Plan & Validate | ||||||
| Artefact Signing | ||||||
| Environment Gating | ||||||
| Remediation Orchestration | ||||||
| IaC Fix Generation | ||||||
| Root Cause Tracing | | | | | | |
VERDICT: ADO Pipelines orchestrates. Checkov + Trivy handle scanning. ZEST Security fills the critical remediation gap. No other platform does this at this depth.
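An added illustration of this verdict (not the operating model's or any vendor's own pipeline): one Azure DevOps YAML that runs Checkov and Trivy as fail-closed scan gates ahead of a Terraform plan, then holds production apply behind an ADO environment whose approval checks provide the gate. The `infra/` path, stage and job names, and the `prod` environment are assumptions.

```yaml
# Added illustration of Layer 3: ADO Pipelines orchestrates, Checkov and Trivy scan,
# an ADO environment gates deployment. Paths, stage names and the environment name
# are assumptions, not taken from the operating model.
trigger:
  branches:
    include:
      - main

pool:
  vmImage: ubuntu-latest

stages:
  - stage: Scan
    displayName: Policy validation and IaC scanning
    jobs:
      - job: iac_scan
        steps:
          - script: pip install --quiet checkov
            displayName: Install Checkov
          # Checkov exits non-zero on any failed check, so the stage fails closed.
          - script: checkov -d infra/ --framework terraform
            displayName: Checkov policy-as-code checks
          # Trivy's config scanner; pin the image tag or digest in practice (see Key Risks).
          - script: |
              docker run --rm -v "$(Build.SourcesDirectory)":/src aquasec/trivy:latest \
                config --exit-code 1 --severity HIGH,CRITICAL /src/infra
            displayName: Trivy IaC misconfiguration scan
          - script: |
              terraform -chdir=infra init -input=false
              terraform -chdir=infra validate
              terraform -chdir=infra plan -input=false
            displayName: Infra plan and validate

  - stage: Deploy_Prod
    dependsOn: Scan
    condition: succeeded()        # nothing deploys unless every scan gate passed
    jobs:
      - deployment: apply_prod
        environment: prod         # approvals and checks configured on this environment are the gate
        strategy:
          runOnce:
            deploy:
              steps:
                - script: |
                    terraform -chdir=infra init -input=false
                    terraform -chdir=infra apply -input=false -auto-approve
                  displayName: Apply after environment approval
```

In a real pipeline the Scan stage would publish the saved plan as an artifact and the deploy stage would apply that exact plan rather than re-planning.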
3.4 Layer 4 — Runtime (Multi-Cloud)
| Capability | AWS Native | Azure Native | Wiz | Tenable One | ZEST | CrowdStrike |
|---|---|---|---|---|---|---|
| Vulnerability Management | ||||||
| Config Compliance | ||||||
| Threat Detection | ||||||
| CSPM / Posture | ||||||
| CWPP / Workload | ||||||
| CIEM / Identity | ||||||
| Identity Exposure (AD/Entra) | ||||||
| Container / K8s | ||||||
| Attack Path Analysis | ||||||
| Exposure Scoring | ||||||
| OT / IoT Security | ||||||
| AI Exposure Mgmt | ||||||
| Remediation Orchestration | ||||||
| ServiceNow Integration | | | | | | |
VERDICT: Tenable One is the only platform rated STRONG across VM, CSPM, CIEM, identity exposure, attack path, exposure scoring, OT/IoT, AND AI exposure. ZEST is the only platform rated STRONG for remediation. Wiz leads in CWPP and container security. Together: Tenable sees everything, Wiz maps cloud risk, ZEST fixes it.
3.5 Layer 5 — Governance (ServiceNow)
| Capability | ServiceNow | Wiz | Prisma/Cortex | CrowdStrike |
|---|---|---|---|---|
| CMDB / CSDM | ||||
| Change Management | ||||
| GRC / IRM | ||||
| Security Incident Response | ||||
| Vulnerability Response | ||||
| Continuous Evidence | ||||
| Board Reporting | | | | |
VERDICT: ServiceNow IS the governance layer. No CNAPP replaces it. Wiz has the best ServiceNow integration of any CNAPP.
4. The One-Shot Recommendation
| Layer | Tooling | Rationale |
|---|---|---|
| L1 Authoring | Claude Code + open-source tooling | No commercial platform covers authoring. This is the human + AI layer. |
| L2 Version Control | Azure DevOps + Gitleaks | ADO is already in the target stack. Gitleaks adds pre-commit secret scanning. |
| L3 Pipeline & Deployment | ADO Pipelines + Checkov + Trivy | ADO orchestrates. Checkov and Trivy are open source and pipeline-native. |
| L4 Runtime (CNAPP) | Wiz + cloud-native services | Wiz provides the broadest single-platform coverage. Cloud-native services for guardrails, detection, logging. |
| L4 Exposure Management | Tenable One | Broadest exposure platform. Gartner MQ Leader 2025. 300+ integrations. 10-year ServiceNow partnership. |
| L3↔L4↔L5 Remediation | ZEST Security | Bridges the gap between Wiz (findings) and pipeline (fixes). Turns 30-day MTTR into same-day fix. |
| L4 SIEM / Threat Intelligence | Microsoft Sentinel + Ninja Signal | Sentinel is the primary SIEM/SOAR. Ninja Signal provides graph-based threat intelligence. |
| L5 Governance | ServiceNow | Non-negotiable in the target stack. Custom integration required for evidence and change automation. |
4.3 Alternatives to Wiz
If the Google acquisition risk is unacceptable, or if procurement constraints apply:
| Alternative | Strengths | Gaps | Verdict |
|---|---|---|---|
| Prisma Cloud / Cortex Cloud (Palo Alto Networks) | Strong CSPM, CWPP, IaC scanning. Policy-as-code guardrails. Largest CNAPP market share (12.8%). | Rebranding confusion. Weaker ServiceNow integration. Azure coverage historically behind AWS. | Strong alternative if Google/Wiz risk is decisive. |
| CrowdStrike Falcon Cloud Security | Best-in-class runtime threat detection (Falcon sensor). Strong EDR-to-cloud extension. | CSPM weaker than Wiz. Agent-heavy. CIEM developing. Not a posture-first platform. | Best if runtime threat detection is the primary concern. |
| Microsoft Defender | Native Azure integration. Multi-cloud connectors. Free tier for basic CSPM. Sentinel-native. | AWS coverage less mature. CWPP developing. Attack path analysis behind Wiz. | Strong zero-cost baseline for Azure-primary estates. |
| Falco-based container security platform | Best container/K8s runtime security (Falco-based). Open-source roots. | Limited CSPM. Not a full CNAPP. ServiceNow integration weak. | Niche choice for heavily containerised estates. |
5.1 Contract Count
| # | Vendor | Covers |
|---|---|---|
| 1 | Microsoft EA (Azure, ADO, Sentinel, Defender, Entra) | L2, L3, L4 (Azure), L4 (SIEM) |
| 2 | AWS (Organizations, Config, GuardDuty, SecurityHub, CloudTrail, KMS) | L4 (AWS) |
| 3 | ServiceNow (ITSM, IRM, SIR, VR) | L5 |
| 4 | Wiz (CNAPP) | L3 (scanner), L4 (CSPM/CWPP/CIEM) |
| 5 | Tenable One (Exposure Management) | L4 (VM, Cloud, Identity, AI, OT/IoT) |
| 6 | ZEST Security (Remediation Orchestration) | L3↔L4↔L5 (finding→fix→validate) |
| 7 | Anthropic (Claude Code) | L1 |
| 8 | Ninja Signal (threat intelligence) | L4 (TI) |
Seven commercial contracts plus open source cover all 50+ capabilities including exposure management and the critical remediation gap. Tenable One sees everything. Wiz maps cloud-specific risk. ZEST generates the fixes. The pipeline deploys them. ServiceNow governs the outcome.
6. Key Risks & Mitigations
| Risk | Impact | Likelihood | Mitigation |
|---|---|---|---|
| Wiz acquired by Google; roadmap bias toward GCP | Medium-High | Medium | Maintain cloud-native fallback (Defender + SecurityHub). Review Wiz roadmap quarterly. Alternative: Cortex Cloud. |
| ServiceNow integration requires custom development | Medium | High (certain) | Budget for integration sprint. Use IntegrationHub where possible. Build reusable API client library. |
| Open-source tool maintenance burden | Low-Medium | Medium | Pin versions. Automate updates via Dependabot/Renovate. Community support is robust. |
| Claude Code pricing/availability changes | Low | Low | Maintain ability to author without AI. AI accelerates; it does not enable. |
| CNAPP vendor consolidation changes market | Low-Medium | Medium | Operating model is capability-first. Any CNAPP can slot into L4. The model survives vendor substitution. |
7. Closing
Five contracts plus one remediation platform plus one exposure management platform. A curated set of open-source tools. Cloud-native services that are non-negotiable. And a CLI with an AI that turns intent into artefacts.
The capability layer is stable. The tooling layer is not. That is the entire point.
© 2026 Scott Gardner · ninja.ing · DRAFT — COMMERCIAL IN CONFIDENCE