CNAPP / CSPM Comparison: Azure vs AWS vs GCP

Last Updated on May 11, 2026 by Arnav Sharma

CNAPP / CSPM Comparison

Native cloud security posture and workload protection platforms — Updated April 2026

| Category | Microsoft Azure | Amazon Web Services (AWS) | Google Cloud Platform (GCP) |
|---|---|---|---|
| Primary Service | **Microsoft Defender for Cloud.** Unified CNAPP combining CSPM, CWPP, and DevSecOps. Single pane of glass across Azure, AWS, and GCP. Named a leader in the IDC MarketScape CNAPP 2025 assessment. | **AWS Security Hub CSPM + Amazon Inspector + GuardDuty (composite).** AWS does not offer a single CNAPP product. You assemble CNAPP-like coverage by combining Security Hub CSPM, Inspector, GuardDuty, Macie, IAM Access Analyzer, and Config. | **Security Command Center (SCC) Enterprise.** Full CNAPP that merges proactive cloud security with Google SecOps and Mandiant threat intelligence. Supports Google Cloud, AWS, and Azure. |
| CSPM Capabilities | **Foundational CSPM (free) + Defender CSPM (paid).** Free tier: asset inventory, secure score, MCSB compliance. Paid: agentless vulnerability scanning, attack path analysis, cloud security graph, data-aware posture, code-to-cloud mapping. | **Security Hub CSPM.** Continuous configuration checks against AWS FSBP, CIS, PCI DSS, and NIST. Customisable control parameters. Security score 0–100 per standard. Findings stored in ASFF format for 90 days. | **SCC Standard (free) + Premium / Enterprise.** Standard: basic misconfiguration detection (auto-enabled for some orgs). Premium: vulnerability scanning, compliance monitoring, AI Protection. Enterprise: full multi-cloud CSPM with risk engine. |
| Workload Protection (CWPP) | **Defender Plans.** Dedicated plans for Servers, Containers, Storage, Databases, App Service, Key Vault, DNS, and Resource Manager. Real-time threat alerts with severity ratings. | **Amazon GuardDuty + Inspector.** GuardDuty: threat detection for EC2, EKS, S3, Lambda, RDS, and DNS. Inspector: continuous vulnerability scanning for EC2, container images, and Lambda functions. Separate services, separate billing. | **SCC Threat Detection.** Built-in detectors for Compute Engine, GKE, BigQuery, Cloud Run. Virtual Machine Threat Detection (VMTD) for cryptomining and rootkits. Industry’s only Cryptomining Protection Program (financial guarantee). |
| Attack Path Analysis | **Cloud Security Graph.** Graph-based attack path analysis that correlates vulnerabilities, misconfigurations, identities, and data sensitivity. Visual explorer for querying relationships across multicloud resources. | **Limited / third-party.** Security Hub correlates findings from multiple services but does not provide native graph-based attack path analysis. Requires a third-party CNAPP (Wiz, Prisma Cloud, etc.) for full attack path modelling. | **Risk Engine.** Simulates sophisticated attackers (virtual red teaming) to identify exploitable paths to high-value resources. Generates attack exposure scores. Enhanced heuristics update shipped March 2026. |
| Vulnerability Management | **Agentless Scanning (Defender CSPM).** Scans VMs, container registries, and databases without agents. Correlates findings with attack paths for risk-based prioritisation. Also supports agent-based scanning via Defender for Endpoint. | **Amazon Inspector.** Automated, continuous scanning of EC2, ECR container images, and Lambda. Environment-adjusted CVSS severity scores. Org-wide enablement with a single click. Findings feed into Security Hub. | **Web Security Scanner + SCC Findings.** Managed vulnerability scanning for web apps and cloud resources. Integrates with Mandiant Attack Surface Management for external attack surface discovery. |
| Identity / CIEM | **Entra Permissions Management.** Full CIEM solution. Discovers, right-sizes, and monitors permissions across Azure, AWS, and GCP. Integrates with Defender CSPM attack path analysis for identity-based risk. | **IAM Access Analyzer.** Identifies resources shared externally or unused permissions. Policy validation and generation. Findings feed into Security Hub. Not a full CIEM — covers a narrower scope than dedicated CIEM tools. | **IAM Recommender + Policy Analyzer.** Recommends least-privilege permissions. Policy Analyzer lets you query who has access to what. SCC Enterprise integrates identity context into attack path simulations via the Security Graph. |
| Data Security (DSPM) | **Data-aware Security Posture (Defender CSPM).** Discovers and classifies sensitive data across storage and databases. Integrates data sensitivity into attack path analysis and the cloud security graph for risk-weighted prioritisation. | **Amazon Macie.** ML-driven discovery and classification of sensitive data in S3 (PII, financial, health data). Automated alerting on public/unencrypted buckets. Findings feed into Security Hub. | **Sensitive Data Protection (formerly DLP).** Discovers, classifies, and de-identifies sensitive data across GCP services. Integrates with SCC — resources containing high-sensitivity data receive elevated priority values in Risk Engine. |
| AI Workload Security | **AI Security Posture (Defender CSPM).** Discovers AI workloads, maps attack paths to AI models and data pipelines, and provides AI-specific security recommendations. Part of the paid Defender CSPM plan. | **Bedrock Guardrails + GuardDuty.** Guardrails for content/prompt safety at inference time. GuardDuty provides runtime threat detection. No dedicated AI posture management service — requires manual or third-party tooling. | **AI Protection + Model Armor (GA).** AI Protection: org-wide AI asset inventory, risk assessment, and AI-specific threat detection. Model Armor: LLM firewall screening inputs/outputs against prompt injection, data leakage, and harmful content. Integrates with MCP servers. |
| DevSecOps / Shift Left | **DevOps Security (Defender for Cloud).** Azure DevOps and GitHub integration. IaC scanning, PR annotations, code-to-cloud mapping. Pull request annotations require the paid Defender CSPM plan. | **CodeGuru + Inspector CI/CD.** CodeGuru for code reviews. Inspector integrates into CI/CD pipelines for container image scanning. AWS Config rules for IaC compliance checks. No unified DevSecOps dashboard. | **Software Delivery Shield + Binary Authorization.** End-to-end software supply chain security. Binary Authorization enforces signed container images. Integrates with Cloud Build and Artifact Registry. SCC surfaces code-to-cloud findings. |
| Compliance Frameworks | Microsoft Cloud Security Benchmark (MCSB), CIS, NIST SP 800-53, PCI DSS, ISO 27001, SOC 2, HIPAA, and 450+ built-in assessments across Azure, AWS, and GCP. | AWS Foundational Security Best Practices (FSBP), CIS AWS Foundations, PCI DSS, NIST 800-53. Customisable control parameters. Standards are AWS-scoped — no native cross-cloud compliance view. | CIS Benchmarks, PCI DSS, NIST 800-53, ISO 27001, SOC 2. Enterprise tier extends compliance monitoring to AWS and Azure resources connected via multi-cloud connectors. |
| Multicloud Support | **Native multicloud.** Full CSPM and CWPP coverage for Azure, AWS, and GCP from a single console. Attack path analysis works across all three clouds. | **AWS-only.** Security Hub, Inspector, and GuardDuty are designed for AWS environments. No native coverage for Azure or GCP. Third-party CNAPP required for multicloud. | **Multicloud (Enterprise tier).** Connects to AWS and Azure for posture management, threat detection, and log ingestion. Premium tier is Google Cloud-only. |
| Automation & Response | **Workflow Automation.** Logic Apps integration for automated remediation. Bi-directional integration with Microsoft Sentinel (SIEM/SOAR) and the Microsoft 365 Defender portal for unified SecOps. | **EventBridge + Automation Rules.** Security Hub automation rules for auto-updating/suppressing findings. EventBridge triggers Lambda functions for custom remediation. Integration with Step Functions for complex workflows. | **Google SecOps Integration.** Enterprise tier includes SOAR-driven case management with auto-created cases for critical findings. Playbooks, automated remediation, and Mandiant-backed threat intelligence baked in. |
| Pricing Model | Foundational CSPM is free. Defender CSPM billed per billable resource (VMs, storage, DBs, serverless). CWPP plans priced per workload type. Commit Units available with up to 22% savings. | Security Hub CSPM: per-check and per-finding ingestion pricing. GuardDuty: per-volume pricing (event/flow analysis). Inspector: per-instance/image scan. Each service billed separately. | Standard tier is free. Premium: pay-as-you-go or subscription per resource. Enterprise: subscription pricing covering Google Cloud + connected clouds. Consumption-based Google SecOps included. |
| Key Differentiator | True unified CNAPP with native multicloud. Cloud security graph connects code, identity, data, and workload signals in a single attack surface view. Tight integration with Microsoft’s broader security stack (Sentinel, Entra, Defender XDR). | Deepest AWS-native integration. Most cost-effective for AWS-only environments. Composable architecture lets you pick and pay for only the services you need. Largest third-party partner ecosystem via Security Hub APN integrations. | Only CNAPP with embedded SecOps (SIEM + SOAR) and Mandiant threat intelligence. Risk Engine provides virtual red teaming with attack exposure scoring. Model Armor provides dedicated AI workload firewalling not available in competing native platforms. |
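An added example (not code from this post or from AWS) of the EventBridge-to-Lambda remediation path that the Automation & Response row describes for AWS: an EventBridge rule pattern that selects failed high/critical Security Hub findings, and a Lambda handler that triages the ASFF payload and builds the BatchUpdateFindings request that records the action on the finding. The playbook names, account id, ARNs and finding id are constructed placeholders, and the handler returns its decisions instead of calling the API.

```python
# EventBridge rule pattern scoping the trigger to failed HIGH/CRITICAL Security Hub findings.
EVENT_PATTERN = {"source": ["aws.securityhub"], "detail-type": ["Security Hub Findings - Imported"],
                 "detail": {"findings": {"Severity": {"Label": ["HIGH", "CRITICAL"]},
                                         "Compliance": {"Status": ["FAILED"]}}}}
# Hypothetical playbook names keyed by ASFF resource type; only types with a tested
# playbook are auto-remediated, everything else is left for an analyst.
PLAYBOOKS = {"AwsS3Bucket": "s3-block-public-access"}
ACTIONABLE = {"CRITICAL", "HIGH"}

# Constructed sample event with one ASFF finding; account id, ARNs and ids are placeholders.
SAMPLE_EVENT = {
    "source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [{
        "Id": "arn:aws:securityhub:us-east-1:111122223333:finding/EXAMPLE-FINDING-ID",
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
        "AwsAccountId": "111122223333",
        "Severity": {"Label": "HIGH", "Normalized": 70}, "Compliance": {"Status": "FAILED"},
        "Workflow": {"Status": "NEW"},
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}],
    }]},
}

def triage(finding):
    """Return a remediation decision for one ASFF finding, or None to leave it alone."""
    if finding.get("Compliance", {}).get("Status") != "FAILED":
        return None  # PASSED / WARNING / NOT_AVAILABLE: nothing to fix
    if finding.get("Workflow", {}).get("Status") in ("RESOLVED", "SUPPRESSED"):
        return None  # already handled, or deliberately ignored by an analyst
    if finding.get("Severity", {}).get("Label") not in ACTIONABLE:
        return None  # lower severities go to the backlog, not to auto-remediation
    for res in finding.get("Resources", []):
        if res.get("Type") in PLAYBOOKS:
            return {"playbook": PLAYBOOKS[res["Type"]], "resource": res["Id"],
                    "account": finding["AwsAccountId"]}
    return None  # no vetted playbook for this resource type

def workflow_update(finding, playbook):
    """Build the BatchUpdateFindings request that records the action against the finding."""
    return {"FindingIdentifiers": [{"Id": finding["Id"], "ProductArn": finding["ProductArn"]}],
            "Workflow": {"Status": "NOTIFIED"},
            "Note": {"Text": f"Auto-remediation queued: {playbook}", "UpdatedBy": "remediation-lambda"}}

def handler(event, context=None):
    """Lambda entry point; returns decisions and update payloads instead of calling AWS."""
    if event.get("detail-type") != "Security Hub Findings - Imported":
        return []  # the rule pattern should prevent this, but fail closed anyway
    results = []
    for finding in event.get("detail", {}).get("findings", []):
        decision = triage(finding)
        if decision:
            results.append({"decision": decision,
                            "update": workflow_update(finding, decision["playbook"])})
    return results
```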
Arnav Sharma (Microsoft MVP, MCT)
Microsoft Certified Trainer · Cloud · Cybersecurity · AI

I help organisations secure their cloud infrastructure and stay ahead of evolving cyber threats. Microsoft MVP and Certified Trainer, author of Mastering Azure Security, and founder of arnav.au — a platform for practical Cloud, Cybersecurity, DevOps and AI content.
