Cloud Security Posture Management Market, Forecast and Growth Opportunities, Global, 2024 – 2028

The Increasing Complexity of and Attack Surfaces in Hybrid and Multi-Cloud Environments Drive Future Growth Potential

Release Date: 19-Jun-2024
Region: Global
Deliverable Type: Market Research
Research Code: PFE6-01-00-00-00
SKU: AE_2024_801


The Global Cloud Security Posture Management (CSPM) Market grew significantly in 2023 with 45.1% year-over-year (YOY) growth. The CSPM market size was estimated at $1,639.8 million in 2023. In the next 5 years, the sector is forecast to maintain solid growth, representing a compound annual growth rate (CAGR) of 27.8% from 2023 to 2028.

As more businesses are migrating to the cloud and using more cloud-native technologies, which adds complexity and a larger attack surface, they are recognizing the critical role of securing cloud environments and the need for cloud security posture management (CSPM) solutions to address these challenges. CSPM provides features such as misconfiguration management, continuous monitoring, vulnerability scanning, and compliance management.

Demand for CSPM tools is rising, and they are becoming increasingly crucial for organizations to maintain robust security postures as they deal with the complexities of multi-cloud and cloud-native technology management and meet stringent regulatory requirements; these needs are set to remain the driving force behind CSPM adoption.

As demand increases for unified security that delivers granular visibility and protection across multiple layers of cloud-native application environments, organizations are shifting from stand-alone cloud security tools, including CSPM, cloud workload protection platforms (CWPPs), vulnerability management, infrastructure as code (IaC), and container security, toward fully integrated cloud-native application protection platforms (CNAPPs). Stand-alone tools often lack unified coverage and context, which leads to manual risk correlation across tools and operational complexity. The shift will position organizations to gain comprehensive visibility, risk management, and security protection capabilities across the different layers of modern cloud deployments, including the cloud infrastructure, workload, application, and data layers.

This analysis only includes technology vendors that provide stand-alone/dedicated CSPM solutions or include them as part of their CNAPPs. It offers insights into the global Cloud Security Posture Management industry landscape, revenue forecasts, and CSPM market trends with regional breakdowns including growth metrics, revenue forecasts, CSPM market forecast analysis and CSPM market share by vendor for North America (NA); Europe, the Middle East, and Africa (EMEA); Asia-Pacific (APAC); and Latin America (LATAM).

This CSPM study derives information and insights from Frost & Sullivan’s secondary research and contributions from vendors, channel partners, and other industry stakeholders. However, all revenue estimates and forecasts are attributable to Frost & Sullivan’s analysis and modeling. The study period is 2022 to 2028.

Author: Anh Tien Vu


Research Highlights

[Figure: CSPM: Revenue Forecast, Global, 2022–2028]

Revenue Estimate Disclaimer

While Frost & Sullivan attempts to measure the CSPM industry separately from other cloud security technologies, such as CWPP, IaC security, CDR, CIEM, KSPM, container security, and the broader CNAPP platform, there are often big overlaps in revenue recognition among them.

Estimating revenue for CSPM separately from other components is challenging, as many vendors have shifted away from the module or product-based pricing model to a more platform-based pricing model, which enables their customers to consume these components/functions based on their needs under a single license.

Many traditional CSPM vendors have strengthened their solutions by adding cloud workload and AppSec capabilities (e.g., scanning, visibility, micro-segmentation, and compliance) using either an agentless or agent-based approach. The result is no longer a CSPM but a CNAPP, and it is sold as a platform. As such, it is impossible to break down the revenue for CSPM from the platform.

Similarly, companies that provide CSPM, CWPP, and other modules may package these modules as a total security package, allowing customers to use them without limits and based on their needs, so it is impossible to split the revenue of CSPM from other modules in this case.

These constraints make it impossible to separate CSPM revenue from vendors' total CNAPP business. As a result, in many cases, the revenue estimate for the CSPM function is mainly based on customers’ consumption and the percentage of use cases.

In this study, CSPM revenue may also include revenue from CIEM, IaC security, CDR, DSPM, and SSPM (if these functions are integrated in the same platform).

Research Scope

Revenue from CSPM functionality on top of other solutions, such as attack surface management, is excluded from this analysis.

As customers embrace hybrid and multicloud strategies, a CSPM must support hybrid and multicloud environments. This study will only include vendors that provide dedicated and cloud-agnostic CSPMs that support these environments.

Scope

  • Geographic Coverage: Global
  • Study Period: 2022-2028
  • Base Year: 2023
  • Forecast Period: 2024-2028
  • Monetary Unit: US Dollars

Regional Segmentation

North America

  • NA leads the global industry due to widespread and advanced adoption of public cloud and cloud-native technologies, which leads to more advanced needs for holistic security.
  • These adoption trends increase demand for a unified platform that provides comprehensive, continuous visibility and monitoring, advanced threat detection, behavior analytics, and integrated code security capabilities.
  • These features were traditionally managed by separate point solutions but are now being consolidated to enhance efficiency and effectiveness in security management.
  • CSPM has become vital for continuous monitoring of known/unknown threats and compliance, while other advanced capabilities are catching up for better threat detection and response to unknown threats.
  • In particular, focus on container/K8s security in NA is significant due to high awareness of the threat landscape.
  • Adoption of CSPM and other cloud security technologies is also driven by stringent regulatory requirements, particularly in the United States, and includes stringent standards such as FedRAMP, HIPAA, and HITRUST, which require robust security measures to protect sensitive data.

Europe, Middle East & Africa

  • EMEA's cloud adoption is maturing, but its security practices and requirements are less mature, with on-premises and hybrid environments still common and an increase in Microsoft Azure use.
  • EMEA organizations focus on data privacy regulations, with compliance requirements and the growing need for threat prevention/remediation driving demand.
  • CSPM sees wide adoption with limited demand for other advanced capabilities despite their increased evaluation.
  • Regional organizations are focusing more on visibility and vulnerability management, with a need for continuous scanning of vulnerabilities and visibility into an SBOM and DevOps tools to understand associated risks.
  • A notable shift has occurred in the region’s leadership concerning cloud security initiatives, which drives greater integration of security with DevOps tools and sees security teams taking the lead in adoption of CSPM projects that were traditionally led by DevOps teams.
  • Holistic security is seeing increased adoption in the region as organizations highly value flexibility in their security solutions to accommodate different technologies and cloud platforms, driven by the need to accommodate the regulations in different countries.

Asia Pacific

  • APAC is experiencing rapid cloud migration. Public cloud adoption continues to increase, leading to a heightened need for cloud security adoption to gain visibility and protect cloud workloads across hybrid cloud environments.
  • Misconfigurations are a major cause of cloud security breaches in APAC and drive the strong adoption of CSPM tools that can identify and rectify these vulnerabilities.
  • Concerns about data localization and sovereignty are also driving many organizations to use CSPM to stay compliant with different regulatory frameworks.
  • Organizations in China, Japan, and South Korea focus largely on compliance and visibility capabilities.
  • Basic capabilities such as VMs and container vulnerability management see higher adoption, with lower demand for advanced services. The mainstream adoption of K8s and containers in some countries, such as Japan, South Korea, and China, accelerates CSPM demand.
  • Interest is growing in consolidating and integrating other security technologies, such as endpoint and identity management, EDR with real-time cloud misconfiguration management, baseline assessment monitoring, and CI/CD pipeline security.

Latin America

  • LATAM is the least mature region, with most organizations maintaining on-premises and hybrid environments with strong VM adoption; however, public and multicloud adoption lags.
  • Cloud security adoption remains low because cloud security requirements remain basic across cloud environments.
  • Most companies focus on vulnerability management and cloud visibility with less focus on runtime protection capabilities because of the complexity, overhead management costs, and lack of expertise.
  • Organizations require agentless scanning for better deployment and management and increasingly demand CSPM tools that provide strong runtime protection and effective vulnerability management.

Competitive Environment

  • Number of Competitors: More than 35
  • Competitive Factors: Features, performance, user experience, cost, branding, unified management, sales support, technology, reliability, professional services, channel partners, long-term viability of vendor
  • Key End-user Industry Verticals: Techs; banking, financial services, and insurance (BFSI); eCommerce/retail; media & entertainment (M&E); telco; internet service provider; healthcare
  • Leading Competitors: Microsoft, Wiz, PANW, CrowdStrike, Lacework, Orca Security, Check Point
  • Revenue Share of Top 5 Competitors (2023): 55.2%
  • Other Notable Competitors: Aqua Security, Sysdig, Qualys, Tenable, Uptycs, Algosec, Sonrai Security, Rapid7
  • Distribution Structure: Direct, distributors, resellers, system integrators, service providers
  • Notable Acquisitions and Mergers: PANW acquired Bridgecrew, Cider, and Dig Security; Check Point acquired Spectral; Tenable acquired Accurics and Ermetic; Rapid7 acquired DivvyCloud; Aqua Security acquired Argon; Sysdig acquired Apolicy; Lacework acquired Soluble; Cisco acquired Lightspin and Oort; CrowdStrike acquired Bionic and Flow Security; Wiz acquired Gem Security

Inclusion and Exclusion of Vendors

While Frost & Sullivan analysts attempt to include all qualified vendors in this analysis, including global and regional vendors (e.g., some operate only in China, Europe, or the US), some vendors may not be featured in the market share sections throughout the report for the following reasons:

  • Vendors Declined to Participate: Some vendors decided against participating in our study, which resulted in lack of visibility and insights from them.
  • Vendors Declined to be Featured: Some vendors provided us with insights but declined to be featured separately in the report as a measure to keep their financial performance confidential.
  • Limited Insights: Concerning vendors that declined to participate, we tried to estimate their revenue and business performance and conducted secondary research on their products and services, but these inputs are not sufficient to feature them separately in the study.
  • Overlapped Functionalities: Some vendors do provide a CSPM functionality on top of other products (e.g., attack surface management, cloud management), but they do not promote the product as CSPM. These vendors are also not included in the study.

Key Competitors

Global

  • Algosec
  • Alibaba Cloud
  • Aqua Security
  • Check Point
  • Cisco
  • CrowdStrike
  • JupiterOne
  • Lacework
  • Microsoft
  • Orca Security
  • Palo Alto Networks
  • Rapid7
  • Sonrai Security
  • Sysdig
  • Tenable
  • Trellix
  • Trend Micro
  • Uptycs
  • Wiz

Key Regulations and Frameworks

Regulations and cloud security frameworks are vital in the decision-making process around cloud-native security. Organizations aim to automate compliance monitoring and enable security teams to understand security risks and detect misconfigurations or violations that could lead to breaches and exposure.

Compliance requirements are often industry-specific, and organizations in various industries must comply with industry-specific guidelines and regulations. For example, the Payment Card Industry Data Security Standard (PCI DSS) is the primary regulation for the commercial sectors (retail/eCommerce), and organizations adopting cloud environments must comply with its standards. Industry-specific frameworks, such as the Health Insurance Portability and Accountability Act (HIPAA) and the National Institute of Standards and Technology (NIST) document NIST800-53, apply to the healthcare and defense industries and are the major drivers for the strong adoption of cloud compliance systems in these industries.

Organizations in less-regulated industries tend to comply with security frameworks such as the Center for Internet Security (CIS), NIST800-53, and MITRE to ensure adherence to industry best practices.

Most Frost & Sullivan customers request support for the following regulations:

  • Service Organization Control 2 (critical)
  • International Organization for Standardization (ISO) 27001
  • CIS Benchmarks
  • HIPAA
  • PCI DSS
  • NIST Cybersecurity Framework (becoming prevalent, especially in NA)
  • MITRE Adversarial Tactics, Techniques, and Common Knowledge
  • Cloud and platform provider security best practices/well-architected frameworks
  • Cybersecurity and Infrastructure Security Agency (CISA) for container/K8s security hardening
  • Some moving toward using the Cloud Security Alliance (CSA) Cloud Controls Matrix
  • Regional/in-country regulations

Why is it Increasingly Difficult to Grow?

The Strategic Imperative 8™

The Impact of the Top 3 Strategic Imperatives on the Cloud Security Posture Management (CSPM) Industry

Definitions: Cloud Security Posture Management (CSPM)

CSPM Preferred Features

CSPM in the Context of Cloud-native Security

Scope of Analysis

Revenue Estimate Disclaimer

Regional Segmentation

Research Methodology

Competitive Environment

Inclusion and Exclusion of Vendors

Key Competitors

Industry Findings

Customer Preferences

Key Regulations and Frameworks

Growth Metrics

Growth Drivers

Growth Driver Analysis

Growth Restraints

Growth Restraint Analysis

Forecast Considerations

Revenue Forecast

Revenue Forecast by Region

Revenue Forecast Analysis

Revenue Share

Pricing Trends and Forecast Analysis

Growth Metrics

Revenue Forecast

Forecast Analysis

Revenue Share

Growth Metrics

Revenue Forecast

Forecast Analysis

Revenue Share

Growth Metrics

Revenue Forecast

Forecast Analysis

Revenue Share

Growth Metrics

Revenue Forecast

Forecast Analysis

Revenue Share

Future of CSPM

CSPM Industry: CISOs' Concerns

Evaluating CSPM: Insights and Recommendations

Growth Opportunity 1: Increasing Requirements for Code-to-cloud Intelligence Drives Full-stack Cloud Security

Growth Opportunity 2: Strong Demand for Integrating CSPM with AI Security

Growth Opportunity 3: Increasing Need for Consolidated Vulnerability & Patch Management and TDR

Best Practices Recognition

Frost Radar

Benefits and Impacts of Growth Opportunities

Next Steps

Take the Next Step

List of Exhibits

Legal Disclaimer

List of Figures
  • CSPM: Growth Metrics, Global, 2023
  • CSPM: Growth Drivers, Global, 2024–2028
  • CSPM: Growth Restraints, Global, 2024–2028
  • CSPM: Revenue Forecast, Global, 2022–2028
  • CSPM: Revenue Forecast by Region, Global, 2022–2028
  • CSPM: Revenue Share of Primary Vendors, Global, 2023
  • CSPM: Growth Metrics, NA, 2023
  • CSPM: Revenue Forecast, NA, 2022–2028
  • CSPM: Revenue Share of Primary Vendors, NA, 2023
  • CSPM: Growth Metrics, EMEA, 2023
  • CSPM: Revenue Forecast, EMEA, 2022–2028
  • CSPM: Revenue Share of Primary Vendors, EMEA, 2023
  • CSPM: Growth Metrics, APAC, 2023
  • CSPM: Revenue Forecast, APAC, 2022–2028
  • CSPM: Revenue Share of Primary Vendors, APAC, 2023
  • CSPM: Growth Metrics, LATAM, 2023
  • CSPM: Revenue Forecast, LATAM, 2022–2028
  • CSPM: Revenue Share of Primary Vendors, LATAM, 2023