Hacker News
by xrisk 432 days ago
Is this a difficult problem to solve? There’s only a handful of major cloud players and these questions don’t seem terribly complicated.

Or is it that it lets you answer arbitrary questions of this sort without having to figure out how to get that data?

2 comments

CSPM is most valuable for large enterprises that have many cloud tenants, as it can provide visibility across the entire footprint in one place.

Consider an enterprise that wants to say "list all the cloud storage buckets we own that are not in the US and are publicly readable and have a name containing 'foo'" - and they have several of each of AWS, Azure and GCP organizations because of acquisitions that aren't fully integrated yet.

Wiz answers that in ~5 seconds, with a rich query language and a bunch of prebuilt rules and detections on top of it, including for tracking compliance with various frameworks.
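
The query in the comment above, worked as an added example (not code from the thread, from Wiz, or from any CSPM vendor): a handful of constructed bucket records from AWS, GCP and Azure are normalised into one schema and then filtered. The per-provider "publicly readable" and "in the US" rules are simplified assumptions about each cloud's data model (AWS ACL grants, bucket policy and Public Access Block; GCP IAM bindings to allUsers/allAuthenticatedUsers; Azure container public access gated by the storage account's allowBlobPublicAccess), the region lists are partial, and all account ids, project names, subscriptions and bucket names are made up. The point is the normalisation step that a real CSPM hides behind a query language.

```python
"""Added example: cross-cloud 'public buckets outside the US named *foo*' query.
Sample data below is constructed; the provider rules are simplified assumptions."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Bucket:
    provider: str   # "aws" | "gcp" | "azure"
    owner: str      # AWS account id / GCP project / Azure subscription (the "we own" part)
    name: str
    in_us: bool
    public: bool


# ---- AWS S3 ---------------------------------------------------------------
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"


def _aws_policy_is_public(policy: Optional[dict]) -> bool:
    """Allow statement whose Principal is '*' or {'AWS': '*'} (simplified: ignores Condition)."""
    if not policy:
        return False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            return True
    return False


def normalise_aws(account: str, raw: dict) -> Bucket:
    # Public Access Block settings neutralise public ACLs / public policies respectively.
    pab = raw.get("public_access_block", {})
    acl_public = any(g.get("URI") == ALL_USERS_URI for g in raw.get("acl_grants", [])) \
        and not pab.get("IgnorePublicAcls", False)
    policy_public = _aws_policy_is_public(raw.get("policy")) \
        and not pab.get("RestrictPublicBuckets", False)
    return Bucket("aws", account, raw["name"], raw["region"].startswith("us-"), acl_public or policy_public)


# ---- GCP Cloud Storage ----------------------------------------------------
def normalise_gcp(project: str, raw: dict) -> Bucket:
    members = {m for b in raw.get("iam_bindings", []) for m in b.get("members", [])}
    public = bool(members & {"allUsers", "allAuthenticatedUsers"})
    loc = raw["location"].lower()          # multi-region "US" or regional "us-central1"
    return Bucket("gcp", project, raw["name"], loc == "us" or loc.startswith("us-"), public)


# ---- Azure Blob containers ------------------------------------------------
AZURE_US_REGIONS = {"eastus", "eastus2", "westus", "westus2", "westus3", "centralus",
                    "northcentralus", "southcentralus", "westcentralus"}  # partial, assumed


def normalise_azure(subscription: str, raw: dict) -> Bucket:
    # A container's public access level only takes effect if the account allows it.
    public = raw["account_allow_blob_public_access"] and raw.get("public_access") in ("blob", "container")
    return Bucket("azure", subscription, raw["name"], raw["location"] in AZURE_US_REGIONS, public)


# ---- the query ------------------------------------------------------------
def query(buckets: Iterable[Bucket], substring: str) -> List[Bucket]:
    """Publicly readable, outside the US, name contains `substring`."""
    return sorted((b for b in buckets if substring in b.name and b.public and not b.in_us),
                  key=lambda b: (b.provider, b.name))


# Constructed inventory: three orgs per the comment's acquisition scenario.
SAMPLE = [
    normalise_aws("111111111111", {"name": "foo-logs-eu", "region": "eu-west-1",
                                   "acl_grants": [{"URI": ALL_USERS_URI}]}),            # matches
    normalise_aws("111111111111", {"name": "foo-data-us", "region": "us-east-1",
                                   "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                                                             "Action": "s3:GetObject"}]}}),  # in US
    normalise_aws("222222222222", {"name": "foo-archive-ap", "region": "ap-southeast-1",
                                   "acl_grants": [{"URI": ALL_USERS_URI}],
                                   "public_access_block": {"IgnorePublicAcls": True}}),  # PAB neutralises ACL
    normalise_gcp("acme-prod", {"name": "acme-foo-assets", "location": "EU",
                                "iam_bindings": [{"role": "roles/storage.objectViewer",
                                                  "members": ["allUsers"]}]}),            # matches
    normalise_gcp("acme-prod", {"name": "acme-foo-private", "location": "europe-west1",
                                "iam_bindings": [{"role": "roles/storage.objectViewer",
                                                  "members": ["group:devs@acme.example"]}]}),  # not public
    normalise_gcp("acme-dev", {"name": "foo-multi-us", "location": "US",
                               "iam_bindings": [{"role": "roles/storage.objectViewer",
                                                 "members": ["allAuthenticatedUsers"]}]}),  # in US
    normalise_azure("sub-0001", {"name": "foo-public", "location": "westeurope",
                                 "public_access": "container", "account_allow_blob_public_access": True}),  # matches
    normalise_azure("sub-0001", {"name": "foo-blocked", "location": "northeurope",
                                 "public_access": "blob", "account_allow_blob_public_access": False}),  # account blocks
    normalise_azure("sub-0002", {"name": "bar-public", "location": "westeurope",
                                 "public_access": "blob", "account_allow_blob_public_access": True}),   # no 'foo'
]

if __name__ == "__main__":
    for b in query(SAMPLE, "foo"):
        print(f"{b.provider:5} {b.owner:14} {b.name}")
```

Three of the nine constructed records match. The two near-misses (an AWS bucket whose public ACL is overridden by IgnorePublicAcls, and an Azure container whose public level is disabled at the account) are the kind of per-provider nuance that makes "scaling the answers consistently" harder than the question itself.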

Conceptually, I don't think CSPMs are answering complicated questions; however, there's quite a lot of complexity (IMO) in scaling the answers consistently, and keeping up to date with all of the tests that need to be implemented.

If you think about the number of services that AWS/GCP/Azure have, adding good compliance checks across even a portion of those is quite a lot of work :)

A small example from an area I know something about is maintaining the CIS Kubernetes benchmarks (which are used by a lot of CSPM products as a source of rules).

Here you've got the different Kubernetes distributions, and then each of the cloud distributions has its own CIS benchmark, as the checks are different depending on the cloud in use. Then you have changes over time, as different clusters run different versions of Kubernetes and so have different checks. Then you add in that the benchmarks don't release with every new version of Kubernetes, and you can end up with quite a complex matrix of checks.