

From developing the technology that brought Wireshark’s deep visibility to Windows (WinPcap) to creating what is now the open-source standard for cloud threat detection (Falco), I’ve been deeply embedded in the security industry for nearly 30 years.
And in that time, I've learned something fundamental: The hardest problems don't get solved by settling. They get solved by doing things the right way, even when it's harder.
And right now, cloud security has a "good enough" problem.
The compromise trap
Here's the situation many teams face today: developers are shipping features at breakneck speed, fueled by AI and the relentless pressure to innovate. Security teams are drowning in alerts, juggling too many tools, and trying to keep up with threats that move faster than their visibility allows.
The result? Teams compromise.
They choose speed over security. Or security over speed. They settle for tools that give partial visibility. They accept that some blind spots are just "the cost of doing business in the cloud." But when your reputation is on the line, when research shows that many cloud-native attacks unfold in under 10 minutes, good enough doesn't cut it.
The stakes are too high. The adversaries are too sophisticated. And frankly, the technology has evolved to where we don't have to choose anymore.
What is CNAPP?
CNAPP (Cloud-Native Application Protection Platform) is the industry's answer to fragmented cloud security. Gartner introduced the term in 2021 to describe an integrated platform that unifies security across the entire cloud lifecycle: from development to deployment to runtime.
The idea? Stop forcing teams to juggle disparate and siloed tools. Consolidate cloud security posture management, workload protection, vulnerability scanning, identity management, and runtime defense into one coherent system.
It sounds great in theory, but not all CNAPPs are built the same. Some give you a dashboard that unifies alerts but doesn't actually unify your security posture. Some focus heavily on configuration checks but miss what's actually happening at runtime. And some promise AI-driven insights but lack the depth of data needed to make those insights meaningful.
The market is crowded with CNAPP labels, but the real shift isn’t about names. It’s about moving the industry from static visibility to real-time understanding.
What does "the right way" actually mean?
Over the past few years, we've crystallized what "the right way" means for cloud security. It's a framework for how security should be built, delivered, and operated. And it comes down to three core pillars.
1. Agentic AI that actually delivers security outcomes
AI is everywhere in security right now. Every vendor has an "AI-powered" something. But most of it is just automation or pattern matching on superficial signals.
For AI to actually help security teams, it has to move past the hype. AI needs to be able to reason, prioritize, and act autonomously on your behalf, not just generate more alerts.
Think about how attackers operate. They don't send you a notification and wait for you to respond. They move laterally, escalate privileges, exfiltrate data, all in minutes. Defenders need AI that can match that speed and sophistication.
AI is only as powerful as the signals it sees. If it’s trained on snapshots and static scans, it’s reacting to yesterday’s threats. True agentic AI draws from continuous runtime telemetry and understands intent, not just events.
That's the difference between an AI assistant that highlights yet another alert and an AI analyst that understands what matters and why.
2. Open innovation, not black boxes
I've always believed that the best security happens when the community collaborates. Attackers share tools, tactics, and exploits constantly. Why should defenders operate in isolation?
Open innovation means building on open-source foundations, contributing back to the community, and refusing to lock customers into proprietary ecosystems that make it harder to integrate, customize, or evolve.
Take Falco, the open-source runtime threat detection engine. It's used by more than 60% of the Fortune 500 because it's transparent, extensible, and community-driven. You can see how it works. You can modify it. You can trust it.
As someone who was an early contributor to Wireshark, I’ve seen how open-source collaboration accelerates innovation and trust. Security must evolve the same way: open, interoperable, and resilient. Defending the cloud is a collective effort, not a competitive edge.
Compare that to black-box proprietary solutions where you have no idea what's happening under the hood, no ability to extend functionality, and no community innovating alongside you.
Security is too important to be locked behind closed doors — or held hostage by a single vendor's roadmap or pricing model. Open systems give you the visibility and flexibility that are essential for modern cloud defense.
3. Runtime insights that reveal what matters
Here's a hard truth: most CNAPPs focus heavily on what your environment looks like before it runs. They'll scan your infrastructure-as-code. They'll check for misconfigurations before deployment. And that's important. Those shift-left capabilities catch problems early.
But here's what many platforms miss: once your workloads are running, once the cloud is live and executing, they lose real-time visibility. They rely on stale snapshots and delayed telemetry rather than understanding what’s actually happening live in the system.
That creates a critical gap, because research shows that many cloud attacks can unfold in under 10 minutes.
If your security platform only knows what your environment looked like 15 minutes ago, you're already behind. And if you can't see which of those thousands of pre-deployment findings are actually running in production, you're wasting time on vulnerabilities that don't matter and missing the ones that do.
Runtime insights close that gap. Technologies like eBPF provide a continuous view of what’s actually executing—processes, network connections, behaviors, and anomalies—turning observability into defense.
Runtime isn't about replacing shift-left security. It's about adding the intelligence layer that tells you which shift-left findings actually matter in production. It lets you see threats as they unfold, prioritize based on what's truly at risk, and stop attacks before they escalate.
The right approach gives you both: comprehensive shift-left scanning paired with deep runtime visibility that provides context, prioritization, and real-time threat detection. Without runtime visibility, you're securing a snapshot and guessing at priorities. With it, you're securing the here and now, and acting on what truly matters.
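To make the "which shift-left findings actually matter" step concrete, here is an added example in Python. It is not Sysdig's, Falco's, or the author's code; it takes a constructed list of pre-deployment scanner findings and a constructed list of runtime observations (executables run or libraries loaded in a live workload, the kind of signal an eBPF-based sensor can attribute to a package) and keeps only the findings whose vulnerable package was actually seen in use. The event field layout, the package attribution, and the advisory identifiers are all assumptions or placeholders, not values from the page.

```python
"""Prioritize static scan findings by runtime evidence.

Added example, not code from Sysdig or Falco. Sample data below is
constructed; advisory IDs are placeholders, not real CVE numbers.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One pre-deployment scanner result for a package inside an image."""
    image: str
    package: str
    severity: str   # "critical" | "high" | "medium" | "low"
    advisory: str   # placeholder identifier (assumption)


@dataclass(frozen=True)
class RuntimeEvent:
    """One runtime observation from a live workload.

    The layout (image, path, owning package) is an assumption; real
    eBPF sensors emit their own schema and do package attribution
    in their own way.
    """
    image: str
    path: str
    package: str


SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}

# Constructed scanner output: every finding looks urgent on its own.
FINDINGS = [
    Finding("api:1.2", "openssl", "critical", "ADV-PLACEHOLDER-1"),
    Finding("api:1.2", "curl", "high", "ADV-PLACEHOLDER-2"),
    Finding("api:1.2", "libxml2", "high", "ADV-PLACEHOLDER-3"),
    Finding("worker:3.0", "openssl", "critical", "ADV-PLACEHOLDER-1"),
    Finding("worker:3.0", "vim", "medium", "ADV-PLACEHOLDER-4"),
    Finding("legacy:0.9", "bash", "critical", "ADV-PLACEHOLDER-5"),
]

# Constructed runtime telemetry: what actually executed or got loaded.
# Note that nothing from image legacy:0.9 is running at all.
RUNTIME_EVENTS = [
    RuntimeEvent("api:1.2", "/usr/sbin/nginx", "nginx"),
    RuntimeEvent("api:1.2", "/usr/lib/x86_64-linux-gnu/libssl.so.3", "openssl"),
    RuntimeEvent("api:1.2", "/usr/bin/curl", "curl"),
    RuntimeEvent("worker:3.0", "/usr/bin/python3", "python3"),
]


def packages_in_use(events):
    """Map each running image to the set of packages observed in use."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev.image].add(ev.package)
    return dict(seen)


def _priority_key(finding):
    # Highest severity first, then a stable order by image and package.
    return (-SEVERITY_RANK.get(finding.severity, -1), finding.image, finding.package)


def prioritize(findings, events):
    """Split findings into those backed by runtime evidence and the rest.

    A finding is "in use" only when its package was observed executing or
    loaded inside a running instance of the same image. Findings for images
    that never ran, or for packages present but never touched, go to the
    second bucket so analysts can spend their first minutes on what is live.
    """
    live = packages_in_use(events)
    in_use, idle = [], []
    for f in findings:
        bucket = in_use if f.package in live.get(f.image, set()) else idle
        bucket.append(f)
    return {
        "in_use": sorted(in_use, key=_priority_key),
        "not_in_use": sorted(idle, key=_priority_key),
    }


if __name__ == "__main__":
    result = prioritize(FINDINGS, RUNTIME_EVENTS)
    for label in ("in_use", "not_in_use"):
        print(label)
        for f in result[label]:
            print(f"  {f.severity:8} {f.image:12} {f.package:10} {f.advisory}")
```

With the constructed data, six findings collapse to two that deserve immediate attention (OpenSSL and curl in the running `api:1.2` workload), while the "critical" finding for `legacy:0.9` drops to the second bucket because that image is not running anywhere. The same join works against real sensor output as long as the runtime side can attribute an executed path or loaded library to a package.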
Why this standard matters for the industry
I'm saying all of this because I fundamentally believe this is what the industry needs. We can’t keep choosing between speed and safety, or accept “agentic AI” that creates more noise than insight. And we can’t keep locking ourselves into closed ecosystems that slow collective community progress.
Cloud security done the right way is:
- Powered by agentic AI that reasons, not just reacts
- Built on open innovation, not proprietary lock-in
- Anchored in both shift-left prevention and runtime intelligence for real-time context
If we demand this standard, the industry will rise to meet it. And when that happens, everyone wins. Collaboration between vendors, researchers, and practitioners will turn runtime data into a shared defense fabric.
The right way starts now
For the past decade, I've built my career and Sysdig on this belief: that there's a better way to do security. A way that doesn't force teams to choose between speed and safety. A way that's built on transparency, powered by real-time intelligence, and strengthened by community.
That's what "the right way" means to me. And I believe it's what the industry should demand.
If you're a security leader, a cloud architect, or a developer trying to ship securely, ask yourself: are your tools built the right way, or are you settling? Because when your reputation is on the line, there's no room for compromise.
Want to dive deeper into what cloud security, the right way, looks like in practice? Read more about our approach here: Redefining cloud security, the right way.
