| Runtime Protection |
Monitors live cloud workloads in real time: system calls, process trees, network connections, and file writes.
Ask: do you use eBPF? At what scope (process, network, file system)? Get the technical answer, not the product slide. Real-time threat detection at the workload level is the standard. |
| Vulnerability Scanning and Management |
Continuously scans virtual machines, container images, and application dependencies for CVEs. Prioritisation must reflect exploitability in your specific environment, not CVSS score alone. A critical CVE in a library unreachable from the internet is lower priority than a medium CVE on an exposed public endpoint. |
| Cloud Security Posture Management |
Misconfigured IAM policies, exposed storage buckets, and open network security groups are the most common root cause of cloud breaches. A CWPP with built-in cloud security posture management correlates infrastructure configuration issues directly with workload risk, giving security teams one correlated view instead of two separate alert streams. |
| Container and Serverless Security |
Containers and serverless functions require separate protection approaches. Containers need continuous runtime monitoring, not just image scans. Serverless functions such as AWS Lambda, Azure Functions, and Google Cloud Platform Functions have no OS layer. Standard agents cannot reach them.
Ask specifically: how do you protect serverless workloads at execution time? |
| Network Segmentation and Microsegmentation |
Limits the attack surface after initial compromise by restricting lateral movement between workloads.
Ask: does microsegmentation apply inside Kubernetes clusters, or only at the perimeter? East-west traffic between pods is where attackers move once they gain access to cloud environments. |
| Compliance Monitoring and Enforcement |
Must run continuously, not on a schedule. Cloud infrastructure drifts daily.
Ask: is compliance status updated in real time when cloud infrastructure configuration changes? Can the platform enforce security policies and auto-remediate drift, or does it only alert? What does the evidence artifact look like for an auditor? |
| Access Management and IAM Monitoring |
Credential theft is the top initial access vector in attacks on cloud environments. The CWPP should continuously detect overprivileged accounts, permission drift, and identity anomalies, then correlate IAM context with workload behavior to surface lateral movement paths before security incidents escalate. |
| Unified Visibility Across Cloud Providers |
Security policies on AWS do not carry to Azure automatically.
Ask: can you show all cloud providers, including private and public clouds, in one interface using our actual provider mix? If the demo requires a sandbox environment, that signals something about real-world coverage depth. |
| Advanced Threat Detection |
Machine learning and behavioral analysis detect what signature-based tools miss: fileless malware, crypto-miners, container escapes, and privilege escalation.
Ask: what is the actionable-alert-to-total-alert ratio in a typical enterprise deployment? Get this from a customer reference, not a vendor estimate. |
| Integration with Your Security Stack |
Threat detection siloed inside the CWPP never reaches the security teams who act on it.
Ask: what are the native connectors to your SIEM and SOAR? How does a threat alert move from the platform into our incident response workflow, and how many manual steps does that require? |
