Check Point CloudGuard CNAPP Reviews

When a customer has a multi-cloud environment with AWS, Azure, GCP, or any other cloud, maintaining posture across the cloud environment is very difficult. They need a CNAPP solution for governance and centralized compliance. It gives centralized visibility where they can track each and every cloud account, compliance check, misconfigurations, risks, and vulnerabilities. Accordingly, they can take remediation action as well. That is the main purpose of a CNAPP solution.

CloudGuard CNAPP helps to be compliant across a multi-tenant environment. We can be sure of the compliance status with respect to different cloud tenants. There is visibility into each and every cloud tenant. It is very easy to get visibility from a single console. Centralized management gives good granular control where we can check the risks and vulnerabilities and also do remediation centrally.

Its benefits can be realized in four weeks. It is API integration, so it is very straightforward. You integrate with the client, and you start monitoring. You get the information in real-time. The overall implementation time frame is about four weeks. The first two weeks can be for the monitoring stage. In the third week, you can fine-tune your policies, and in the fourth week, you can start remediating.

Posture management is a part of CloudGuard CNAPP. CloudGuard CNAPP is a combination of three technologies: Cloud Security Posture Management, Cloud Workload Protection (CWP), and Cloud Infrastructure Entitlement Management (CIEM). It is a combination of technologies. When customers use CloudGuard CNAPP, they use all these three models.

Cloud Security Posture Management is very good for identifying misconfiguration. It is able to capture all misconfigurations.

They maintain different compliance standards. Apart from that, they are also very good with the alerts and notification part. Whenever they perform a scan and find a vulnerability, it is sent to different channels as an alert or notification. It is good. They only need to improve the impact analysis on CSPM.

Cloud Security Posture Management identifies the risks that are most critical to the business. In terms of time savings, it can identify a risk within 10 to 15 minutes instead of it being a day-long task. The scanning happens in almost real-time. It is a good feature they have given, and I appreciate their solution.

The scanning provided by CloudGuard Workload Protection helps to identify problems before they go live. It has good capability for that. It can perform a proactive analysis, and we can identify the risks or vulnerabilities before the exploit. This identification of problems is very important because knowing about a problematic scenario in advance and being able to address it can save us a huge business loss. A proactive analysis is very critical. In the cybersecurity domain, it is one of the critical features for every customer.

CloudGuard CNAPP gives us the severity score. When it identifies any risks or vulnerabilities, it assigns a severity score.

CloudGuard CNAPP gives good visibility across all the multi-cloud tenants. We have everything covered in one solution. It covers risks, vulnerabilities, misconfigurations, compliance, data security, data loss, etc. It gives good visibility. This visibility is important for customers.

The identification of misconfigurations, maintenance of compliance in a centralized way, and visibility across all the multi-cloud tenants are the key functionalities.

The first improvement area is the impact analysis. The impact analysis that they perform can be improved. It is currently lacking. It should be more detailed.

The second improvement area is that they should adopt more remediation on various resources.

The third improvement area is that they should introduce Gen-AI capability on their platform so that remediation can be very easy. They have the threat hunting and detection part, but they need to adapt more on the Gen-AI side so that the remediation can happen automatically. People should be able to do remediation with a click. It would be a very good feature to have for remediation.

These are three main improvement areas for them. I have already provided Check Point feedback about these through another channel.

With respect to Cloud Workload Protection, they should introduce more granular security control in terms of policy. I feel they should work on it and develop it more. They need to provide more granular security control in terms of various attacks, such as the MITRE ATT&CK framework. They need to give a different policy for each technique and tactic such as ransomware, exploitation, etc. I also work with CrowdStrike, so I know about different types of granular controls. From the Cloud Workload Protection perspective, they need to improve the policy framework.

I have been working with CloudGuard CNAPP for 2 years.

I have not seen any issues. It works in the passive mode, so it does not impact performance or anything like that.

It is a scalable solution. Every SaaS solution is scalable, so CloudGuard CNAPP is also a scalable solution.

I have not contacted them much, which is a good thing. CloudGuard CNAPP works in a passive mode. If anything needs to be done, it has to be done in your cloud tenant. There are very few times when you or an admin is required to communicate with the support team.

I also work with CrowdStrike and Palo Alto. CrowdStrike does not have the CNAPP capability. CrowdStrike is an EDR solution.

Palo Alto has the Prisma solution. Its capabilities are similar to Check Point. They are similar to me. I do not see much difference. There might be some difference in the cost, but technology-wise, they are the same.

CloudGuard CNAPP is a SaaS-based solution, and you need to integrate all your cloud accounts into that. That is it.

You need to integrate your cloud account or onboard your cloud account in the CloudGuard CNAPP solution by doing the API integration. After you onboard, you first put the cloud account in the monitoring mode. You monitor things for two weeks. After you validate your findings on CloudGuard CNAPP and you do not see any false positives, you can go for the block mode as well. That is the approach the industry should follow while onboarding any CNAPP solution.

You start to get an ROI from the day you deploy CloudGuard CNAPP or integrate it with your cloud account. 

It is like insurance. When something happens, only then you realize its value. CloudGuard CNAPP works in the same way. Without such a solution, it is very difficult to find vulnerabilities, misconfigurations, and data breaches on each and every cloud tenant. When you integrate CloudGuard CNAPP with your cloud account, you get a single view. It is very easy for your cloud administrator to take quick action. The ROI starts once you integrate or onboard a cloud account with CloudGuard CNAPP.

After you have subscribed to CloudGuard CNAPP, I would advise onboarding your cloud account and then monitoring your cloud account and the CloudGuard CNAPP findings for two weeks. After that, you can fine-tune the policies and then run the solution in block mode. That is the process.

A CNAPP product is mandatory for any organization that works in a multi-cloud environment.

Overall, I would rate CloudGuard CNAPP a nine out of ten.

We use Check Point CloudGuard Posture Management to maintain our organization's security posture.

With a bit of upscaling, it is possible to write custom rules and policies using the GSL Builder. We used the GSL Builder to build the rules for our playground environment and internet-facing environments.

It takes a couple of weeks for a nontechnical person to learn how to use GSL Builder.

The Unified Security Management console is helpful because it provides a single pane of glass. 

From a control plane perspective, the solution offers excellent visibility into our framework, enabling the identification of non-compliance.

CloudGuard provides good value for money in terms of automating our security across multiple clouds.

The agentless workload posture analysis, which primarily focuses on our cloud platform, provided valuable insights into our organization's overall security posture.

CloudGuard helped to eliminate some manual processes for a few teams, freeing up some of their time.

Our organization's security operations were able to save time by using CloudGuard's unified platform.

The most valuable feature is the ability to apply common tools across all accounts.

The integration process could be enhanced by enabling integration at the organizational level rather than requiring the manual setup of individual accounts. The current workflow of creating and linking each role is time-consuming and labor-intensive. Streamlining account onboarding by allowing CloudGuard to identify and integrate at the organizational level would significantly simplify the process.

I have been using Check Point CloudGuard Posture Management for one year.

Check Point CloudGuard Posture Management is stable.

CloudGuard Posture Management is scalable, as it is a SaaS product.

Before implementing Check Point CloudGuard Posture Management, we relied on the native CSPM of AWS Config.

For beginners in the field, AWS might be a good starting point due to its simplicity. However, for more experienced users who require more advanced features, CloudGuard offers a more mature and comprehensive solution.

I would give Check Point CloudGuard Posture Management a rating of seven out of ten. Consolidating additional capabilities into CloudGuard, along with Fusion, would create a comprehensive package offering for customers. This, along with maintaining compatibility with the evolving AWS service, would help to avoid complicating any integration issues.

While developing our tools, there is always a need for ongoing review and updates. However, compared to AWS, the maintenance required for CloudGuard is minimal.

As a manufacturing company, we always ensure our production and workloads are not being interrupted by anything. Therefore, we are making sure our automated processes are not hindered by any means. 

As we have many cloud-based applications, CloudGuard gives us prime support in terms of the security of the system. This includes securing cloud workloads, applications, and data by integrating threat prevention, detection, and response capabilities. 

It also ensures compliance and governance across multi-cloud environments.

It provides complete visibility and control over cloud-native applications and infrastructure, allowing our security teams to monitor and manage every part of their cloud environments. 

CloudGuard CNAPP also assures compliance with industry standards and regulatory requirements by automating governance and risk management procedures. This streamlines security management and lowers the operational strain on our IT teams, allowing them to focus on strategic goals. We are able to work freely by putting aside some additional stress.

The most useful element of Check Point CloudGuard CNAPP is its advanced threat prevention capabilities. This functionality is vital because it proactively addresses security issues before they affect cloud applications and notifies a real-time incident, ensuring the integrity and availability of critical services. 

Furthermore, the platform's full visibility and control across many cloud environments allows us to effectively monitor the security posture, uncover vulnerabilities, and consistently enforce security standards.

The management and monitoring of security regulations and incidents might be made easier by improving the user interface, which could be made more intuitive and user-friendly. 

For businesses with varied IT ecosystems, increasing the integration capabilities with additional third-party products and services would also increase flexibility and user-friendliness. 

To further reduce the amount of manual work required by security teams, the future release could benefit from more sophisticated automation capabilities, such as automated incident response and remediation workflows. 

In order to facilitate better decision-making and strategic planning, improved analytics and reporting capabilities would also be beneficial. These would provide deeper insights into security occurrences and patterns.

I've used the solution for two years. 

I'd rate stability nine out of ten.

I'd rate scalability nine out of ten.

Technical support has to be improved.

Neutral

We have not used a different solution previously.

The initial setup is complex.

We implemented it through the vendor. I'd rate the services eight out of ten.

Our inhouse IT department's workload has reduced considerably since using the product. 

Setup cost and licensing are quite expensive. 

We did not evaluate other solutions. 

For two years the product has done its job perfectly. 

We use CloudGuard to monitor the cloud IaaS, AWS, and Azure security postures, including cloud assets' configurations. Based on the framework in the rulesets, it will give us failing, passing, or partially compliant scores. It allows us to implement auto-remediation and guardrails. 

If a user exposes storage on the public internet accidentally or purposefully, a daily report is sent to the account owner. CloudGuard will automatically fix the issue if auto-remediation is appropriate. We have GCP, AWS, and Azure accounts. CloudGuard is a SaaS solution, and we onboard all our AWS accounts, whether public, private, or hybrid.

In our sandbox environment, auto-remediation kicks in, and everything is fixed. Users try to do it themselves but often don't know how because they're not trained to provide cloud support. We don't currently use complete remediation, which will break their production environment, but we're getting better by nagging the cloud account users. Our cybersecurity team can use the shared response score to encourage cloud account owners to fix the problem.

CloudGuard has specific instructions for how users should fix issues, but it's like pulling teeth sometimes. Users often don't respond, and we get to the point where we need to tell them that it's going through change management and we can't renew it. We will auto-remediate in production environments if they don't respond by that date. 

It helped some cloud deployment users understand how to improve security posture, but not all of them. It depends on whether they are reading the CloudGuard reports daily. Many don't want to manage that part, and we believe our cybersecurity will help fix that for them.

We automated account onboarding. When a user wants a new cloud account, the automation scripts kick in after the request is approved to create the cloud account. After the provisioning is completed, the account is onboarded into CloudGuard. It enables us to have full coverage because CloudGuard monitors all our organization's cloud accounts.

I wouldn't say that CloudGuard has freed up staff for other projects. I have two or three dedicated SecOps people to monitor and follow up with remediation when auto-remediation isn't possible. We also deal with CloudGuard account requests and just-in-time user account access. It's difficult to assign a specific user to view the cloud accounts only they can see. 

I'm an SME for the product and train people annually because SecOps folks come and go. So far, we have had this software for three years. A lot of other organizations will switch solutions after two or three years. Training is essential because it's a high learning curve for people unfamiliar with the cloud. I don't think CloudGuard has made it more accessible. While it has decreased the resources, we still need at least one full-time admin dealing with CloudGuard, especially with the bugs.

We saved some time. We always go for a Unified Enterprise Platform. In terms of Cloud Security Posture Management, we wanted an enterprise solution with GCP, AWS, and Azure support, so we chose CloudGuard.

The posture management and remediation features are the most valuable. We use GSL Builder to build custom rules in alignment with our organization's policies. CloudGuard has canned rules using multiple standard frameworks, but we also have additional rules. Building custom rules with GSL Builder is medium difficulty. They have several examples of other compliance rules you can use. The GSL documentation is decent. A non-technical person can learn to use GSL Builder in about a week. GSL Builder saved us time and reduced human error. 

The auto-remediation works when it works. It does its job and is based on the rule instead of the alert's severity. In our company, we say, "Okay, this rule is a high severity. We don't want the data to be exposed on the internet." For example, if someone puts a public IP on our database, we will set a rule to shut it down immediately. That's how we define remediation. 

It isn't based on the severity or the level of work. Some rules may be defined as lower severity by default, but they might be higher depending on the organization's policy. It kicks in when there's an alert matching the remediation rule. The effectiveness of the remediation is 50%. Some of their bots used to fix issues automatically need to be updated. We had to make a few custom changes to some bots because they don't wake up.

CloudGuard's effective risk management only scans accounts every hour. We have more than 150 AWS accounts and 20 Azure accounts. We sent Check Point a request asking them to increase the frequency to five to fifteen minutes. I want the flexibility to scan it as often as possible based on the account's importance. That part is lacking. 

When rules change, it messes up the remediation. They haven't found a fix for that yet. The remediation rule goes into limbo. It's an architectural design flaw within their end compliance engine—a serious bug. We must spend extra time reapplying the rule when they periodically update the compliance presets. Auto-remediation breaks if you're using that particular out-of-the-box rule. I haven't experienced this recently, so maybe they fixed that part. However, that's what it did in the past.

Check Point is slow to respond to bugs. They resolve bugs maybe once every two weeks, and their R&D is slow. They're in Israel, and it's not just the Israeli holidays. I would probably pick a large US company if we did this over again. 

They don't give us continuous feedback. I want live feedback when they change something. Stop breaking things. The company should let us know what they're doing when they add new features. They don't have an official beta program, so you can't test the new features. 

That's the other bad thing about this product, but I don't know about other Check Point products. They're a firewall company but not a software company. If you put out a beta, customers should have the option to test it and give feedback. I've been putting a lot of work into CloudGuard to fix all the bugs. They should have paid me to fix their bugs for them.

They need to decrease their bug resolution time. Anything longer than two weeks is problematic. It's why we don't jump into the deep end with all these other features they've added. Our primary feature is the CSPM cloud part. The solution is useless if the reporting or remediation breaks, as it has in the past. It requires an SME for CloudGuard to dig in deeper, which takes time away from our SecOps folks.

We've been using CloudGuard for three years.

CloudGuard is pretty stable.

CloudGuard is scalable. I don't need to worry about it.

I rate Check Point's support a seven out of ten. They respond within a day. 

Neutral

Setting up CloudGuard is straightforward, and it takes a few days. We handled the deployment in-house with two full-time employees. It's a SaaS solution, so the only maintenance required is backups. 

We implemented this solution in-house.

The pricing of CloudGuard increases annually, and we don't see the value because we don't use all the features. We're primarily using CSPM and maybe Workload Protection. We did the Kubernetes part and used Network Explorer as a one-off. We only used Network Explorer for diagnostics. 

We use the Intelligence module for CSPM but don't analyze network traffic with CloudGuard. It's an expensive subscription, so we don't use the intelligence part.

We evaluated Palo Alto Prisma Cloud and Twistlock. Back then, the solution was owned by an independent company called Dome9, and Check Point acquired them. It had the best rule set out there. We chose it because it had all the rule sets out of the box and supported GCP, Azure, and AWS. 

I rate Check Point CloudGard Posture Management a seven out of ten. CloudGuard does its job, but the remediation is not perfect. Other CSPM tools do a better job of using remediation exclusion rules, especially scanning and putting out reports at a custom frequency versus every hour.

If the price isn't an issue and you don't care about using all the features, it's an okay product for enterprises to use to cover all cloud IaaS. If you're thinking about implementing CloudGuard, you should consider two things. First, the price is marked up every year by 10-plus percent, whether you use a particular feature or not. It's an annual subscription model, so you can always cancel at any time. 

Second, you should think about the modules. Workload Protection is okay if you use Kubernetes. You can use intelligence if you need to analyze traffic within your cloud environment for regulation-specific reasons, but it will cost you extra. CloudGuard's strong suit is that they support a lot of the features and AWS cloud assets.

We use Check Point CloudGuard CNAPP for the application protection of our assets on Azure, AWS, and Google Cloud.

We implemented CloudGuard CNAPP to address data exposure, prevent exfiltration attempts, ensure compliance with frameworks like SOC 2 and PCI DSS, and gain improved oversight of our cloud environment.

We haven't had any cloud security incidents since implementing CloudGuard CNAPP in 2017. It's been a critical tool as we've grown our cloud usage, transitioning applications from data centers to the cloud. CloudGuard's scalability has kept pace with our growth. As the third-largest enterprise user of Azure, our cloud footprint is significant.

The benefits of CloudGuard CNAPP were immediately apparent upon deployment. Back in 2017, we found ourselves needing to catch up on securing our existing AWS assets. We required a solution that offered quick implementation and usability. CloudGuard was the first platform we considered, and we've continued to expand its use alongside Check Point's ongoing development of new capabilities.

We create custom rules to address our organization's unique security policies, in addition to leveraging the built-in rules within CloudGuard CNAPP's CSPM module. This flexibility is crucial for us.

While CloudGuard CNAPP's CSPM capabilities effectively provide compliance rule sets and security best practices, it's important to understand that this is just one aspect of achieving full alignment with security frameworks. To be fully compliant, additional measures outside of CloudGuard need to be addressed and implemented. However, CloudGuard CNAPP remains a valuable piece of the puzzle.

CSPM helps us identify the most critical business risks. It's a time-saver that translates into cost savings. CSPM provides insights from multiple perspectives. We can analyze what a breach would mean for the business, including brand reputation and the significant cost and time required for recovery. Even in terms of day-to-day operations, CSPM saves us employee hours by streamlining security tasks.

The security provided by the CWP for containers is good. We are extremely satisfied.

Our CI/CD environment utilizes some scanning capabilities offered by workload protection, but it's not fully integrated. This creates limitations in proactively identifying issues before deployment. When we do use the workload protection capabilities they are critical for us.

Cloud security posture management is the feature we've been using the longest. What we particularly like about it is the rule-based capability. This allows us to develop our own custom rules using the GSL language provided by the CloudGuard platform.

The platform would be significantly enhanced by incorporating data security management capabilities.

I'd like to see CloudGuard offer more agentless functionality beyond what's currently available.

I have been using Check Point CloudGuard CNAPP for over seven years.

Check Point CloudGuard CNAPP is extremely stable and if there is an issue, Check Point is on top of it.

Check Point CloudGuard CNAPP is scalable. We haven't run into any scale issues and we have scaled significantly over the last six years.

We plan on expanding it into some of the newer capabilities that Check Point is coming out with.

The technical support is good.

Positive

The initial deployment was straightforward. As a SaaS platform, it is extremely easy to deploy it into environments.

We can deploy CloudGuard CNAPP and use it out of the box within hours.

Our initial strategy was to implement a basic solution and then expand its capabilities over time. Check Point, frankly, has done an excellent job of keeping its platform up-to-date by continuously adding and improving features. This is why we're still using it even after six years.

I would rate Check Point CloudGuard CNAPP nine out of ten.

Check Point CloudGuard CNAPP is predominantly owned by and controlled by the central security organization within our company.

Details matter. When comparing features to other security solutions on the market, the ability to develop custom rules is important to us, along with security posture capabilities. The ability to scale flawlessly is also important to us. The direct and overwhelming support that we received from the Check Point account team, the support team, and the leadership team has been fantastic.

Integrating with the cloud through APIs offered by a SaaS platform has significantly reduced the burden on our organization by eliminating the need for all the complex backend work we previously had to handle. This experience highlights the importance of embracing new ways of doing things.

One use case was for compliance. The second one was for workload protection, and the third one was for threat hunting in the cloud.

We are able to meet compliance very easily, and we are able to feel a lot more comfortable with the fact that when we have developers deploying things in the cloud, the right guardrails are in place. 

CloudGuard CNAPP's Cloud Security Posture Management capabilities are top-notch. We use it for misconfiguration and compliance reporting. I would rate it an eight out of ten for that. It is quite good.

We use CloudGuard CNAPP's Workload Protection capabilities. The security that it provides is very good. We like it because we are able to do it in both runtime and with Kubernetes Guardrails.

Threat intelligence is another piece that we use, and it is awesome because it lets us do a lot of threat hunting that we were not able to do before, especially in AWS.

The most valuable feature is the ability to work with the APIs to integrate into our own backend systems. 

The threat intelligence is quite unique because we could not find another vendor that had the ability to make all the findings actionable. They have this thing called Event Risk management, and it consolidates things down to make it easy for us to take action on it.

The reporting has a lot of opportunities to continuously improve so that we can continue to show value.

I would love to see more ability to automate and integrate into even more systems for automatic remediation.

We have been using Check Point CloudGuard CNAPP for three and a half years.

It is very rare to have an outage.

It scaled up for us for hundreds of accounts.

They are pretty good, but I wish they had people who are a little bit more knowledgeable at the first level. I would rate them a seven out of ten.

Neutral

We used Palo Alto's Prisma Cloud. We switched because it did not have the feature sets we were looking for. The price was not very flexible, and we did not get the type of support we needed. It was not like the support that we get from Check Point as our partner.

Its deployment is very straightforward.

We definitely got an ROI. I do not have to put as many people as I did before with Prisma Cloud. I need two full-time employees less than Prisma Cloud to work on it.

We looked at Wiz, and we looked at Orca. Prisma was our incumbent, but ultimately, we picked Check Point based on the outcomes we were able to get in our proof of concept, and we felt that the support was much better.

I would rate Check Point CloudGuard CNAPP a nine out of ten. It is a pretty awesome product, but there is always room for improvement. I would have rated everything else we tested a six out of ten.

We have a hybrid environment so we use Check Point Cloud Guard to protect the cloud workload. On-prem, we are already using the Check Point Firewalls so we can manage both environment firewalls using the same management server, AKA the smart console, which saves time and effort to look for logs during any type of troubleshooting. It helps us avoid creating the same objects for each firewall but also provides a single pane of glass through which we can see all gateways, logs, policies, objects, user management, and traffic tracing. 

It is a next-generation firewall that helps a lot in many ways to protect my workloads from threats, such as: 

- firewall blade providing protection at Layer 3 and 4

- application filtering blade providing protection from unauthorized applications or services

- URL filtering providing protection on malicious URLs based on various categories as updated by Check Point on a daily basis

- threat prevention and sandboxing capability to actually help with unknown or zero-day threats (it tests, removes the malicious content, and then releases or blocks by itself)

Overall, it provides good security.

The threat extraction and emulation module is a savior for us from unknown threats. We know that daily millions of new threats emerge over the internet so we like that it provides protection from them all. It's good to have a sandboxing environment that can first assess the threat before releasing it to the production environment. These threats are called zero-day threats for which there is no signature or update available whether it be on an endpoint, machine, antivirus solution, or other software. Therefore, it becomes very useful to use this feature to stop threats from spreading right at the gateway itself.

Their service needs improvement. Their vendor doesn't provide good support. Also, there is no way to escalate it to Check Point so that Check Point can take action against their partner. I don't have direct support with Check Point. We have collaborative support with one of the Check Point partners who do not provide good support. When we reached out to Check Point to escalate; they denied taking any action against the vendor.

I've used the solution for five years.

We have used CNAPP on our OpenShift test cluster but are planning to deploy it in our production clusters. We used CNAPP to enhance the visibility of our cloud-deployed applications. It offers various modules to do so. For example, the Posture Management module shows you exposed secrets and security misconfigurations and also gives you hints and ready-to-use JSON configuration files to fix them. 

Cloud Infrastructure Entitlement Management (CIEM) gives you visibility and management automation of identities, roles, entitlements, and privileges in your cloud environments. This helps you find and fix identity- and role-related security holes by constructing a complex privileges graph, which shows you granted permissions and enforced ones, suggesting you enforce the stricter and more secure enforced ones over the ones you granted.

The various CNAPP modules have granted more visibility of our cloud applications to our system engineers and developers. Doing so helps our transition to the cloud by making the management and administrative tasks of our cloud and system engineers easier, as well as suggesting and helping to prioritize patching and updating.

The most valuable features include the Cloud Infrastructure Entitlement Management (CIEM) module, Cloud Security Posture Management (CSPM), and Cloud Workload Protection (CWP).

The costs are really high if you want the entire capabilities of the platform. However, it is really motivated by the great value of the product. Moreover, you can buy individual licenses for the different modules if you don't need some of them.

I've used the solution for one year.