What is CSPM (without the buzzwords)
CSPM (Cloud Security Posture Management) is a platform that continuously audits the configuration of your cloud accounts (AWS, Azure, GCP, OCI) against security benchmarks, finds misconfigurations, and prioritizes what to fix first.
In practice: "Is this S3 bucket public? Does this security group have port 22 open to the internet? Is RDS encrypted? Is CloudTrail enabled in all regions?" Multiply that by 12k+ resources in a typical environment and it is clear why nobody checks this by hand.
It is not: EDR, WAF, SIEM, DLP or a code scanner. CSPM only looks at cloud control plane configuration. It stops where the workload starts.
CSPM vs CWPP vs CNAPP
CSPM
Control plane
Configuration of the cloud account. Finds: public buckets, open ports, non-rotated keys, missing MFA, drift from benchmarks.
Reads: CloudTrail, Config, Azure Activity, GCP Audit
CWPP
Workload plane
Content of the workload. Finds: vulnerabilities in containers, malware in VMs, non-compliant runtime, dangerous processes.
Reads: container images, VM processes, Kubernetes pods
CNAPP
Unified
Consolidation of CSPM + CWPP + CIEM + IaC scanning + Kubernetes security in a single platform. Trend since 2024.
Examples: Orca, Wiz, Prisma Cloud, Defender CSPM
Pragmatic recommendation for a medium-large environment: start with CSPM, add CWPP in 6 months, consolidate to CNAPP in year 2 if the budget allows.
How to prioritize 5,000 findings
Every modern CSPM returns thousands of findings on day 1. The mistake is opening all of them as tickets. The Evernow approach is a three-dimensional filter:
- Dim 1 — Blast radius: Does the misconfiguration allow reaching personal data (LGPD), money (payment systems), or the control plane (root)? Yes → critical regardless of CVSS.
- Dim 2 — Exploitable today: Is it reachable from the internet, and is the exploit public? Yes → highest priority.
- Dim 3 — Effort: Is the fix an IaC PR of 3 lines or a data-level migration? Cluster similar fixes in the same sprint to optimize effort.
- Result: 5,000 findings become ~120 actionable tickets in week 1, 40 in week 3, < 20 in week 6. Auto-suppression of findings in non-production environments.
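As an added illustration (not Evernow's or any vendor's tooling; the field names, rule names and sample findings below are constructed), the three-dimension filter written as a triage function: non-production findings are auto-suppressed, dims 1 and 2 decide whether a finding becomes a ticket at all, and dim 3 clusters findings with the same fix into one ticket.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example, not Evernow's or any vendor's code; field names are assumed.
@dataclass(frozen=True)
class Finding:
    id: str
    rule: str                 # benchmark rule the CSPM flagged
    env: str                  # "prod" or "nonprod"
    reaches: frozenset        # dim 1: subset of {"personal-data", "money", "control-plane"}
    internet_reachable: bool  # dim 2
    public_exploit: bool      # dim 2
    fix_effort: str           # dim 3: "iac-pr" (few lines of IaC) or "migration"

def priority(f):
    """Dims 1 and 2: 'P0' (exploitable today), 'P1' (blast radius), None (backlog)."""
    if f.internet_reachable and f.public_exploit:
        return "P0"
    if f.reaches:
        return "P1"           # critical regardless of CVSS
    return None

def triage(findings):
    """Return (tickets, suppressed_ids, backlog_ids). One ticket per
    (priority, rule, fix_effort) cluster so similar fixes share a sprint (dim 3)."""
    clusters, suppressed, backlog = defaultdict(list), [], []
    for f in findings:
        if f.env != "prod":
            suppressed.append(f.id)   # auto-suppression outside production
        elif (p := priority(f)) is None:
            backlog.append(f.id)      # neither dimension fires: not a ticket yet
        else:
            clusters[(p, f.rule, f.fix_effort)].append(f.id)
    tickets = [{"priority": p, "rule": r, "fix_effort": e, "findings": ids}
               for (p, r, e), ids in sorted(clusters.items())]
    return tickets, suppressed, backlog

# Constructed sample findings (rule names are made up for the example).
SAMPLE = [
    Finding("f1", "s3-bucket-public", "prod", frozenset({"personal-data"}), True, True, "iac-pr"),
    Finding("f2", "s3-bucket-public", "prod", frozenset(), True, True, "iac-pr"),
    Finding("f3", "sg-ssh-open-to-world", "prod", frozenset(), True, False, "iac-pr"),
    Finding("f4", "rds-unencrypted", "prod", frozenset({"money"}), False, False, "migration"),
    Finding("f5", "rds-unencrypted", "nonprod", frozenset({"personal-data"}), False, False, "migration"),
    Finding("f6", "iam-policy-admin-wildcard", "prod", frozenset({"control-plane"}), False, False, "iac-pr"),
]

if __name__ == "__main__":
    tickets, suppressed, backlog = triage(SAMPLE)
    print(len(tickets), "tickets;", len(suppressed), "suppressed;", len(backlog), "backlog")
```

With the six constructed findings, the function opens three tickets (the two public buckets collapse into one P0 ticket), suppresses the non-production one and leaves the open SSH group in the backlog because no public exploit is attached to it.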
Frequent questions about CSPM
Native CSPM (AWS Security Hub) or third-party (Orca, Wiz, Prisma)?
Native for single-cloud and a tight budget. Third-party is mandatory for multi-cloud and when you need CIEM, CNAPP or cross-account correlation. Native tools do not talk to each other across clouds.
How much does a CSPM cost for a 200-person engineering org?
Licenses are priced by the number of cloud accounts or workloads. A typical environment (20-40 accounts, 3-5k workloads) is around USD 90-250k/year. Managed operation by Evernow adds R$ 25-60k/month depending on scope.
Will it break our CI/CD or DevOps workflow?
Only if you turn on enforce-mode in week 1. The Evernow approach is: month 1 observability only, month 2 PR gating with override, month 3 hard gating for critical IaC rules. No delivery friction.
Does CSPM replace pentest of the cloud environment?
No. CSPM checks known misconfigurations against benchmarks. A pentest chains findings, exploits business logic, tests CIEM/IAM boundaries and validates what is actually exploitable. They complement each other.
