Wiz Created the CNAPP Category

Wiz was first to market, creating the cloud-native application protection platform (CNAPP) category in its own image.

Wiz won by turning a messy cluster of cloud security tools into one simple buying decision. Before Wiz, security teams often stitched together separate products for posture management, workload protection, identity permissions, and Kubernetes checks. Wiz connected to AWS, Azure, and Google Cloud with read-only access, scanned everything without agents, and ranked the few risks most likely to matter, which let it define what buyers now recognize as CNAPP.

  • The practical product shift was from manual deployment to instant visibility. Older tools often needed agents installed on workloads or worked best inside one cloud. Wiz made multi-cloud security feel like connecting an app, then getting a single dashboard of toxic combinations, like a public VM with a critical vulnerability and excessive permissions.
  • Orca arrived early with a similar agentless, read-only approach, which shows the category was forming around this architecture, not just around one company. Wiz still shaped the commercial category by packaging that workflow for large enterprises and expanding fast from posture management into CIEM, Kubernetes, secrets, and detection products.
  • That early product framing also changed the competitive map. Incumbents like Palo Alto Networks responded by buying cloud security startups and bundling CNAPP into broader platforms, sometimes free for two years, because Wiz had made cloud security a platform budget line instead of a niche point tool.

The next phase is less about inventing CNAPP and more about owning the full cloud security stack around it. As Wiz adds runtime, detection, and developer-facing products, the category it helped define becomes the wedge into a much larger platform battle against Palo Alto Networks, CrowdStrike, and other bundled security suites.