Free CNAPP as Renewal Defense
Wiz
Free CNAPP turns cloud security into a renewal defense tactic, which is exactly why Wiz winning matters. Palo Alto can use Prisma Cloud to stop churn across a much larger base, because the real goal is protecting an $8B security revenue machine, not maximizing standalone CNAPP revenue. That pushes the market toward bundled, good-enough coverage, while Wiz has to keep proving that faster deployment and better risk prioritization are worth paying for.
- The pricing weapon works because incumbents already sit inside big enterprise contracts. Palo Alto had roughly 85,000 customers and about $8B ARR in 2024, versus Wiz at about 800 customers and $396M ARR, so giving away cloud security can be cheaper than losing a broader platform renewal.
- The product difference behind the fight is deployment friction. Wiz and Orca connect to AWS, Azure, and Google Cloud with read-only access and scan environments agentlessly, while incumbents like Palo Alto historically came from more agent-based security workflows. That made Wiz easier to land, but easier features are also easier to bundle.
- This is why incumbents bought CNAPP pieces so aggressively in 2022 and 2023. Palo Alto bought Dig Security, Cisco bought Lightspin, and CrowdStrike bought Bionic, then folded those capabilities into broader platforms. The pattern shows a market shifting from point tools to suites sold through existing security budgets.

The next phase is less about who has a CNAPP checklist, and more about who becomes the default cloud security control plane. Incumbents will keep using bundle pricing to compress the category, and Wiz will keep moving outward into adjacent workflows so it can own a bigger contract before bundled competition makes standalone CNAPP pricing harder to sustain.