A Field Guide to the Cloud and SaaS Security Acronym Soup: CSPM, CWPP, CNAPP, CIEM, SSPM, DSPM, ASPM
- Martin Snyder
- May 13
- 3 min read
The cloud and SaaS security category landscape has produced an unusually dense set of acronyms over the past five years. CSPM, CWPP, CNAPP, CIEM, SSPM, DSPM, ASPM, KSPM — each describes a real category, each has serious vendors, and each appears in the Gartner Magic Quadrants and analyst frameworks practitioners are expected to navigate. The proliferation has outpaced most teams' ability to keep the definitions straight.
This guide describes the major categories in current use, what each one is designed to do, and the most common overlaps and conflicts among them. It is intended as a reference for security and platform engineering teams making category-level decisions about their stack.
Cloud Security Posture Management (CSPM)
CSPM is the oldest of the modern categories. It addresses misconfiguration of cloud-provider resources — IaaS and PaaS objects in AWS, Azure, GCP, and OCI. The category emerged from earlier compliance-scanning approaches and matured into continuous configuration assessment against benchmarks such as CIS, NIST, and PCI. CSPM does not address workloads or data — only the configuration of cloud-provider resources themselves.
Cloud Workload Protection Platform (CWPP)
CWPP focuses on what runs inside the cloud — virtual machines, containers, serverless functions, Kubernetes pods. The category includes runtime protection, vulnerability scanning of running workloads, behavioral baselining, and host hardening. CWPP and CSPM are complementary: CSPM tells you the configuration is wrong, CWPP tells you the running workload is misbehaving.
Cloud-Native Application Protection Platform (CNAPP)
CNAPP is an analyst-driven consolidation category that combines CSPM, CWPP, CIEM, and IaC scanning into a unified platform. The thesis is that cloud risk should be modeled as a single graph rather than across multiple disconnected tools. CNAPP vendors have largely succeeded in delivering on this consolidation; the trade-off is depth of integration across that breadth, since covering five categories well is harder than covering one.
Cloud Infrastructure Entitlement Management (CIEM)
CIEM addresses the cloud-provider IAM problem specifically: human and machine identities accumulating excessive entitlements across cloud accounts. The category includes effective-permissions analysis, right-sizing recommendations, and just-in-time access workflows. CIEM is increasingly bundled inside CNAPP, but standalone CIEM products continue to serve organizations with particularly complex multi-cloud entitlement landscapes.
SaaS Security Posture Management (SSPM)
SSPM applies the CSPM model to SaaS applications: continuous monitoring of configuration, sharing, identity, and OAuth posture inside connected SaaS apps. The category emerged separately from CSPM because the SaaS attack surface is structurally different — vendor-managed infrastructure, no IaaS controls, and dependence on vendor-exposed APIs. A comparison of SSPM and DSPM covers the most common adjacency.
Data Security Posture Management (DSPM)
DSPM operates one layer down — at the data itself. The category includes discovery of sensitive data across cloud, SaaS, and on-prem stores, classification at scale, access analysis for who can read what, and continuous compliance evidence. DSPM is the newest of the major posture categories and has grown rapidly in response to AI adoption concerns about data flowing into model training pipelines.
Application Security Posture Management (ASPM)
ASPM unifies the diverse outputs of application security tools — SAST, DAST, IaC scanning, container scanning, secrets detection, dependency analysis — into a single application-centric risk view. The category is the application-development complement to CNAPP's cloud-runtime focus.
How the categories interact
The single most important point is that all of these categories presuppose a complete inventory of what they are governing. CSPM needs a complete cloud account list; CIEM needs every cloud identity; SSPM needs every SaaS application; DSPM needs every data store; CNAPP and ASPM need everything in their underlying scope. The inventory is the silent assumption, and it is the part most organizations get wrong, regardless of which posture acronym they have chosen.
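The inventory point above is checkable. The script below is an added example, not code from the original post or from any vendor: it reconciles an authoritative inventory (an organization-level cloud account list, an identity provider's list of OAuth-granted apps) against what a posture tool has actually been pointed at, and reports the uncovered and orphaned items per tool. All account numbers and application names are constructed sample data, and the tool names are only labels.

```python
"""Inventory-coverage reconciliation for posture tools.

Added example (not from the original post or any vendor): each posture
category governs only what has been onboarded to it, so the first check is
whether the onboarded set matches an authoritative inventory. Every
inventory below is constructed sample data with hypothetical identifiers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CoverageReport:
    tool: str
    authoritative: frozenset
    governed: frozenset
    missing: frozenset     # in the authoritative inventory, not governed by the tool
    orphaned: frozenset    # governed by the tool, but absent from the inventory

    @property
    def coverage(self) -> float:
        """Fraction of the authoritative inventory the tool actually governs."""
        if not self.authoritative:
            return 1.0
        return 1 - len(self.missing) / len(self.authoritative)


def normalize(identifier: str) -> str:
    """Canonical form so 'Salesforce ' and 'salesforce' reconcile as one item."""
    return identifier.strip().lower()


def reconcile(tool: str, authoritative, governed) -> CoverageReport:
    """Compare an authoritative inventory with what a posture tool governs."""
    auth = frozenset(normalize(x) for x in authoritative)
    gov = frozenset(normalize(x) for x in governed)
    return CoverageReport(
        tool=tool,
        authoritative=auth,
        governed=gov,
        missing=auth - gov,
        orphaned=gov - auth,
    )


# Constructed sample inventories (hypothetical identifiers).
ORG_CLOUD_ACCOUNTS = ["111111111111", "222222222222", "333333333333", "444444444444"]
CSPM_ONBOARDED_ACCOUNTS = ["111111111111", "222222222222", "333333333333"]

IDP_OAUTH_APPS = ["Salesforce", "Slack", "Notion", "Figma", "Zoom"]
SSPM_CONNECTED_APPS = ["salesforce", "slack ", "Jira"]


def reconcile_all() -> dict:
    """Run the reconciliation for each posture tool in the sample set."""
    return {
        r.tool: r
        for r in (
            reconcile("CSPM", ORG_CLOUD_ACCOUNTS, CSPM_ONBOARDED_ACCOUNTS),
            reconcile("SSPM", IDP_OAUTH_APPS, SSPM_CONNECTED_APPS),
        )
    }


def summarize(reports: dict, minimum_coverage: float = 1.0) -> list:
    """Return the tools whose coverage is below the threshold, worst first."""
    below = [r for r in reports.values() if r.coverage < minimum_coverage]
    return sorted(below, key=lambda r: r.coverage)


if __name__ == "__main__":
    for r in summarize(reconcile_all()):
        print(f"{r.tool}: {r.coverage:.0%} of inventory governed; "
              f"missing={sorted(r.missing)} orphaned={sorted(r.orphaned)}")
```

The orphaned set matters as much as the missing set: an item the tool governs but the inventory does not know about means the inventory itself is stale, which is the failure mode the section describes. In practice the authoritative side would be fed from the cloud provider's organization API and the identity provider's application registry rather than from literals.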
Authoritative guidance on the broader landscape includes the Cloud Security Alliance SaaS governance research, the CISA SCuBA project, and the CIS Controls.
What "best" looks like in 2026
For any of these categories, the leading vendors deliver credible capabilities. The differentiator is not which acronym you have selected, but whether the inventory feeding it is current and complete. Discovery tools such as Waldo Security's SaaS Discovery are positioned underneath the posture categories — providing the continuous identity-anchored inventory that makes everything downstream actually work.
For a structured comparison of the posture categories applied to your environment, a working session can be arranged.