Check Point CloudGuard CNAPP Reviews

One use case was for compliance. The second one was for workload protection, and the third one was for threat hunting in the cloud.

We are able to meet compliance very easily, and we are able to feel a lot more comfortable with the fact that when we have developers deploying things in the cloud, the right guardrails are in place. 

CloudGuard CNAPP's Cloud Security Posture Management capabilities are top-notch. We use it for misconfiguration and compliance reporting. I would rate it an eight out of ten for that. It is quite good.

We use CloudGuard CNAPP's Workload Protection capabilities. The security that it provides is very good. We like it because we are able to do it in both runtime and with Kubernetes Guardrails.

Threat intelligence is another piece that we use, and it is awesome because it lets us do a lot of threat hunting that we were not able to do before, especially in AWS.

The most valuable feature is the ability to work with the APIs to integrate into our own backend systems. 

The threat intelligence is quite unique because we could not find another vendor that had the ability to make all the findings actionable. They have this thing called Event Risk management, and it consolidates things down to make it easy for us to take action on it.

The reporting has a lot of opportunities to continuously improve so that we can continue to show value.

I would love to see more ability to automate and integrate into even more systems for automatic remediation.

We have been using Check Point CloudGuard CNAPP for three and a half years.

It is very rare to have an outage.

It scaled up for us for hundreds of accounts.

They are pretty good, but I wish they had people who are a little bit more knowledgeable at the first level. I would rate them a seven out of ten.

We used Palo Alto's Prisma Cloud. We switched because it did not have the feature sets we were looking for. The price was not very flexible, and we did not get the type of support we needed. It was not like the support that we get from Check Point as our partner.

Its deployment is very straightforward.

We definitely got an ROI. I do not have to put as many people as I did before with Prisma Cloud. I need two full-time employees less than Prisma Cloud to work on it.

We looked at Wiz, and we looked at Orca. Prisma was our incumbent, but ultimately, we picked Check Point based on the outcomes we were able to get in our proof of concept, and we felt that the support was much better.

I would rate Check Point CloudGuard CNAPP a nine out of ten. It is a pretty awesome product, but there is always room for improvement. I would have rated everything else we tested a six out of ten.

CloudGuard constantly monitors cloud systems for misconfigurations and vulnerabilities that attackers could exploit. Many processes associated with cloud security management, such as asset detection, risk assessment, and remediation, are automated by CloudGuard. This allows security teams to concentrate on more strategic efforts. CloudGuard is intended to assist organizations in securing their cloud environments by continuously monitoring and analyzing cloud setups for misconfigurations, vulnerabilities, and compliance violations.

Many of the duties associated with maintaining cloud security are automated by CloudGuard, including asset detection, risk assessment, and remediation. 

In addition to improving compliance, this frees up security personnel to concentrate on more strategic initiatives and enables organizations to adhere to industry standards and laws like PCI DSS, HIPAA, and GDPR. 

It offers security advice and insights to assist organizations in acting quickly to address concerns. It also has automated remediation capabilities to address found problems and automatically enact security policies.

The asset detection, risk assessment, and remediation processes are only a few of the duties that CloudGuard automates while managing cloud security. This improves compliance, enables organizations to adhere to industry standards and laws like PCI DSS, HIPAA, and GDPR, and frees up security personnel to concentrate on more strategic objectives. 

It offers security insights and recommendations to assist organizations in acting and remediating issues swiftly. It also has automated remediation capabilities to address found issues and automatically enforce security policies.

Compliance checks on cloud resources against various industry standards and compliance framework templates need to be improved, to ensure that organizations meet regulatory requirements with clear visibility action controls. This can make it difficult to create and manage custom security policies. 

Cloud security posture management is a proprietary solution, which means that there is no open-source community to support it. This can make it difficult to get help with troubleshooting and other issues.

We have been adopting the solution for more than a year.

CloudGuard is known for being highly scalable and reliable. It handles big cloud workloads with ease and may be implemented in complex cloud infrastructures.

In terms of cloud solutions, the scalability was a fairly simple and entirely software-driven approach.

The customer support is good and offers regularly updated new features and security patches. This ensures that CloudGuard is always protected against the most advanced threats.

Positive

We adopted our cloud journey last year, and while developing the cloud, we took all security precautions. CSPM was a priority solution, and we have apt.

We implemented CSPM in 30 days. Since the solution was simple to implement and the transition was painless, we added many of our cloud environments.

We implemented the solution through a partner.

CloudGuard's return on investment (ROI) varies based on the organization and its cloud environment.

CSPM is an invaluable resource for any organization that makes use of cloud computing. It can assist organizations in improving their cloud security posture, reducing the risk of cyberattacks, and adhering to industry norms and regulations.

We evolved various CSPM tools such as PAN, TRELIX, and Fortinet, however, our management opted to install CloudGuard as a strategic step.

CloudGuard provides a comprehensive set of security solutions for cloud environments.

We have a hybrid environment so we use Check Point Cloud Guard to protect the cloud workload. On-prem, we are already using the Check Point Firewalls so we can manage both environment firewalls using the same management server, AKA the smart console, which saves time and effort to look for logs during any type of troubleshooting. It helps us avoid creating the same objects for each firewall but also provides a single pane of glass through which we can see all gateways, logs, policies, objects, user management, and traffic tracing. 

It is a next-generation firewall that helps a lot in many ways to protect my workloads from threats, such as: 

- firewall blade providing protection at Layer 3 and 4

- application filtering blade providing protection from unauthorized applications or services

- URL filtering providing protection on malicious URLs based on various categories as updated by Check Point on a daily basis

- threat prevention and sandboxing capability to actually help with unknown or zero-day threats (it tests, removes the malicious content, and then releases or blocks by itself)

Overall, it provides good security.

The threat extraction and emulation module is a savior for us from unknown threats. We know that daily millions of new threats emerge over the internet so we like that it provides protection from them all. It's good to have a sandboxing environment that can first assess the threat before releasing it to the production environment. These threats are called zero-day threats for which there is no signature or update available whether it be on an endpoint, machine, antivirus solution, or other software. Therefore, it becomes very useful to use this feature to stop threats from spreading right at the gateway itself.

Their service needs improvement. Their vendor doesn't provide good support. Also, there is no way to escalate it to Check Point so that Check Point can take action against their partner. I don't have direct support with Check Point. We have collaborative support with one of the Check Point partners who do not provide good support. When we reached out to Check Point to escalate; they denied taking any action against the vendor.

I've used the solution for five years.

We use CloudGuard to monitor the cloud IaaS, AWS, and Azure security postures, including cloud assets' configurations. Based on the framework in the rulesets, it will give us failing, passing, or partially compliant scores. It allows us to implement auto-remediation and guardrails. 

If a user exposes storage on the public internet accidentally or purposefully, a daily report is sent to the account owner. CloudGuard will automatically fix the issue if auto-remediation is appropriate. We have GCP, AWS, and Azure accounts. CloudGuard is a SaaS solution, and we onboard all our AWS accounts, whether public, private, or hybrid.

In our sandbox environment, auto-remediation kicks in, and everything is fixed. Users try to do it themselves but often don't know how because they're not trained to provide cloud support. We don't currently use complete remediation, which will break their production environment, but we're getting better by nagging the cloud account users. Our cybersecurity team can use the shared response score to encourage cloud account owners to fix the problem.

CloudGuard has specific instructions for how users should fix issues, but it's like pulling teeth sometimes. Users often don't respond, and we get to the point where we need to tell them that it's going through change management and we can't renew it. We will auto-remediate in production environments if they don't respond by that date. 

It helped some cloud deployment users understand how to improve security posture, but not all of them. It depends on whether they are reading the CloudGuard reports daily. Many don't want to manage that part, and we believe our cybersecurity will help fix that for them.

We automated account onboarding. When a user wants a new cloud account, the automation scripts kick in after the request is approved to create the cloud account. After the provisioning is completed, the account is onboarded into CloudGuard. It enables us to have full coverage because CloudGuard monitors all our organization's cloud accounts.

I wouldn't say that CloudGuard has freed up staff for other projects. I have two or three dedicated SecOps people to monitor and follow up with remediation when auto-remediation isn't possible. We also deal with CloudGuard account requests and just-in-time user account access. It's difficult to assign a specific user to view the cloud accounts only they can see. 

I'm an SME for the product and train people annually because SecOps folks come and go. So far, we have had this software for three years. A lot of other organizations will switch solutions after two or three years. Training is essential because it's a high learning curve for people unfamiliar with the cloud. I don't think CloudGuard has made it more accessible. While it has decreased the resources, we still need at least one full-time admin dealing with CloudGuard, especially with the bugs.

We saved some time. We always go for a Unified Enterprise Platform. In terms of Cloud Security Posture Management, we wanted an enterprise solution with GCP, AWS, and Azure support, so we chose CloudGuard.

The posture management and remediation features are the most valuable. We use GSL Builder to build custom rules in alignment with our organization's policies. CloudGuard has canned rules using multiple standard frameworks, but we also have additional rules. Building custom rules with GSL Builder is medium difficulty. They have several examples of other compliance rules you can use. The GSL documentation is decent. A non-technical person can learn to use GSL Builder in about a week. GSL Builder saved us time and reduced human error. 

The auto-remediation works when it works. It does its job and is based on the rule instead of the alert's severity. In our company, we say, "Okay, this rule is a high severity. We don't want the data to be exposed on the internet." For example, if someone puts a public IP on our database, we will set a rule to shut it down immediately. That's how we define remediation. 

It isn't based on the severity or the level of work. Some rules may be defined as lower severity by default, but they might be higher depending on the organization's policy. It kicks in when there's an alert matching the remediation rule. The effectiveness of the remediation is 50%. Some of their bots used to fix issues automatically need to be updated. We had to make a few custom changes to some bots because they don't wake up.

CloudGuard's effective risk management only scans accounts every hour. We have more than 150 AWS accounts and 20 Azure accounts. We sent Check Point a request asking them to increase the frequency to five to fifteen minutes. I want the flexibility to scan it as often as possible based on the account's importance. That part is lacking. 

When rules change, it messes up the remediation. They haven't found a fix for that yet. The remediation rule goes into limbo. It's an architectural design flaw within their end compliance engine—a serious bug. We must spend extra time reapplying the rule when they periodically update the compliance presets. Auto-remediation breaks if you're using that particular out-of-the-box rule. I haven't experienced this recently, so maybe they fixed that part. However, that's what it did in the past.

Check Point is slow to respond to bugs. They resolve bugs maybe once every two weeks, and their R&D is slow. They're in Israel, and it's not just the Israeli holidays. I would probably pick a large US company if we did this over again. 

They don't give us continuous feedback. I want live feedback when they change something. Stop breaking things. The company should let us know what they're doing when they add new features. They don't have an official beta program, so you can't test the new features. 

That's the other bad thing about this product, but I don't know about other Check Point products. They're a firewall company but not a software company. If you put out a beta, customers should have the option to test it and give feedback. I've been putting a lot of work into CloudGuard to fix all the bugs. They should have paid me to fix their bugs for them.

They need to decrease their bug resolution time. Anything longer than two weeks is problematic. It's why we don't jump into the deep end with all these other features they've added. Our primary feature is the CSPM cloud part. The solution is useless if the reporting or remediation breaks, as it has in the past. It requires an SME for CloudGuard to dig in deeper, which takes time away from our SecOps folks.

We've been using CloudGuard for three years.

CloudGuard is pretty stable.

CloudGuard is scalable. I don't need to worry about it.

I rate Check Point's support a seven out of ten. They respond within a day. 

Neutral

Setting up CloudGuard is straightforward, and it takes a few days. We handled the deployment in-house with two full-time employees. It's a SaaS solution, so the only maintenance required is backups. 

We implemented this solution in-house.

The pricing of CloudGuard increases annually, and we don't see the value because we don't use all the features. We're primarily using CSPM and maybe Workload Protection. We did the Kubernetes part and used Network Explorer as a one-off. We only used Network Explorer for diagnostics. 

We use the Intelligence module for CSPM but don't analyze network traffic with CloudGuard. It's an expensive subscription, so we don't use the intelligence part.

We evaluated Palo Alto Prisma Cloud and Twistlock. Back then, the solution was owned by an independent company called Dome9, and Check Point acquired them. It had the best rule set out there. We chose it because it had all the rule sets out of the box and supported GCP, Azure, and AWS. 

I rate Check Point CloudGard Posture Management a seven out of ten. CloudGuard does its job, but the remediation is not perfect. Other CSPM tools do a better job of using remediation exclusion rules, especially scanning and putting out reports at a custom frequency versus every hour.

If the price isn't an issue and you don't care about using all the features, it's an okay product for enterprises to use to cover all cloud IaaS. If you're thinking about implementing CloudGuard, you should consider two things. First, the price is marked up every year by 10-plus percent, whether you use a particular feature or not. It's an annual subscription model, so you can always cancel at any time. 

Second, you should think about the modules. Workload Protection is okay if you use Kubernetes. You can use intelligence if you need to analyze traffic within your cloud environment for regulation-specific reasons, but it will cost you extra. CloudGuard's strong suit is that they support a lot of the features and AWS cloud assets.

We have used CNAPP on our OpenShift test cluster but are planning to deploy it in our production clusters. We used CNAPP to enhance the visibility of our cloud-deployed applications. It offers various modules to do so. For example, the Posture Management module shows you exposed secrets and security misconfigurations and also gives you hints and ready-to-use JSON configuration files to fix them. 

Cloud Infrastructure Entitlement Management (CIEM) gives you visibility and management automation of identities, roles, entitlements, and privileges in your cloud environments. This helps you find and fix identity- and role-related security holes by constructing a complex privileges graph, which shows you granted permissions and enforced ones, suggesting you enforce the stricter and more secure enforced ones over the ones you granted.

The various CNAPP modules have granted more visibility of our cloud applications to our system engineers and developers. Doing so helps our transition to the cloud by making the management and administrative tasks of our cloud and system engineers easier, as well as suggesting and helping to prioritize patching and updating.

The most valuable features include the Cloud Infrastructure Entitlement Management (CIEM) module, Cloud Security Posture Management (CSPM), and Cloud Workload Protection (CWP).

The costs are really high if you want the entire capabilities of the platform. However, it is really motivated by the great value of the product. Moreover, you can buy individual licenses for the different modules if you don't need some of them.

I've used the solution for one year.

We want network security through machine learning. The product offers threat detection and intelligence for the endpoints. It also provides real-time information on application security. 

Check Point CloudGuard CNAPP's initial configuration is very easy. It is plug-and-play. It also gives regular updates. 

The tool should incorporate more use cases like improving security scores. It should also improve documentation.  

I have been using the product for a year. 

The product is stable. 

Check Point CloudGuard CNAPP is scalable. My company has more than 1000 users. 

Check Point CloudGuard CNAPP's support is very good. 

Positive

The tool's deployment is very easy and takes two weeks to complete. We need engineers to install the product. You need to ensure the overall device landscape before the product's installation. Its maintenance is easy. 

I can get 50-60 percent ROI with the tool's use. 

The tool's pricing is moderate. Its licensing costs are yearly. 

The solution helps to improve security scores, which is important for auditing and compliance. I rate it a nine out of ten. 

We use the solution to protect workloads and users on the cloud, including both internal and external users. The solution must monitor user roles, the overall posture of the cloud application, and database and web servers that are exposed to the internet. It is an improvement over the default Amazon AWS security posture because it is sensitive to the context in which the application is being used, such as whether it is being used by a public user or an internal user who is managing the system on the cloud.

We used on-premises solutions until recently. However, we are now moving to the cloud for all of our applications. Posture management tools are now essential, and we must have them, regardless of whether they are from Tenable, Check Point, CrowdStrike, or another vendor. This solution is cost-effective, so we chose it, but we may change it in the future.

Embedded machine learning in the core of the firewall to provide in-line real-time attack prevention is most valuable. This is because analytics and machine learning capabilities come much later. In a high-volume situation, things can go bad quickly. Therefore, an in-line alert mechanism is much better than any other.

Visibility is the most important part. On the cloud, shared resources can make it difficult to see all of the resources that are deployed. This solution helps to keep everything visible, and it also alerts us if something is wrong, such as if someone opened extra ports or services that they are not supposed to. This is a valuable tool for monitoring and maintaining our cloud environment.

The solution is also capable of controlling resources, but this is a highly controversial and context-aware area. If the platform takes too much control, it could potentially stop our applications from working. Therefore, we limit its use to monitoring and visibility only.

Check Point must provide a multi-cloud facility where AWS, Azure, and GCP can seamlessly work together and display posture in an integrated manner. Instead of showing separate AWS, Azure, and GCP environments, the solution should provide a single integrated view. This will make it easier to decide which issues to fix first and will reduce the amount of technical work required.

Check Point is always adding new features. However, we are sometimes confused about how to use the features that are already available. There are so many features and we are unable to use all of them.

I have only been using Check Point CloudGuard Posture Management for a very short time, not even a year yet. Earlier, we were not using the cloud very much, so there was no need for such a product. However, after we shifted a few of our applications to the cloud, we started using the solution.

The solution has been quite stable for the past year. However, I cannot say how it will behave in the future, as it may experience a bigger load and a wider variety of workloads. The stability of the solution is subjective and will depend on the specific environment in which it is used.

We have not yet tested the solution at that scale. It is just a starting point. We may add more applications and more load to it. We will have to see how scalable the solution is.

The technical support is good. They sometimes call people from outside India to help us, because we are longtime Check Point customers. We have been using their hardware, software, and firewalls for about two decades. This solution is a new addition to our support.

Neutral

We are still using a variety of firewall solutions, including Juniper and Cisco, throughout our organization. As a government organization, we are required to purchase the cheapest option available. Therefore, we must utilize the solution that is the most affordable in each case.

I am involved in the deployment of the solution. I am not the technical hands-on person for this project. I manage the deployment process.

It is very difficult to measure the return on investment for security measures. Security is not an investment in the traditional sense, as it does not generate direct revenue. Instead, security is a safety measure, similar to insurance. As such, it is difficult to quantify the ROI of security measures.

It is difficult to contextualize the pricing because we are used to Indian pricing and licensing. In India, there is very little interaction with North America and the private sector regarding pricing.

We evaluated all the firewalls including Juniper and Cisco.

I give Check Point CloudGuard Posture Management a seven out of ten.

The solution claims to provide a unified platform that integrates all security capabilities. However, there are on-premises issues, cloud issues, and hybrid issues that make this impossible. No tool can ever provide such capability.

We are not a small office. Therefore, I have no experience with how the solution helps small offices. However, for us, the solution only helps us with our cloud posture management. We still use different tools on-premises. And maybe in the future, we will go directly to the cloud.

I have doubts about the value of looking for the cheapest or fastest firewall. There is always someone who is coming out with a new product that is faster or cheaper than the current one. However, it is important to consider the overall security capabilities of a firewall, not just its speed or price. A firewall that is slower because it is doing more analytics may actually be more secure than a faster firewall that does not do as much analysis. The best firewall for you will depend on your specific needs and requirements.

This is my first time at an RSA conference, and I find it very confusing. There are too many vendors, too many products, and too much to see. I only had a few hours to visit today, and it was overwhelming. I think the conference would be better if it were split into two or three parts, with one part focused on the Asia Pacific and another part focused on North America. Most of the vendors here are focused on North America, so it would be helpful to have a dedicated space for vendors from Asia Pacific. I will try to visit the RSA conference in Singapore next year, and I hope it will be more manageable.

The RSA does not impact our cybersecurity solution purchases. The Indian government's procurement process is completely independent of vendors and their products. Our purchases are based on our needs and requirements, and the solutions must be supported in India.

Check Point CloudGuard Intelligence provides network security through machine learning analytics and visualization and detecting and spotting the threat entrant detection and providing threat intelligence security proactively for restricting the endpoints at the entry stage and securing the system in the best manner possible. 

The security application works proactively and diffuses the endpoints in real-time, ensuring swift action in restraining the threat entry into our IT system.

This application supports almost all kinds of cloud and hybrid platforms and is spot on during integration with other systems.

Check Point CloudGuard Intelligence has significantly improved the revenue stream for my organization. Earlier, we had a third party for overall IT security and it was costly for us. We were looking for something with less cost. 

The CloudGuard intelligence helps in the proactive detection of security threats across an IT device or server and immediately takes corrective and remedial action so that the data and security loss is not to minimal. It is one of the masterpieces which is quite advanced with current market requirements and is available at affordable prices.

The solution offers proactive threat detection and immediate remediation of the same.

Threat hunting is easy with this application as its false negative rate is extremely low, and its performance is fantastic.

It offers affordable costing and an easy renewal process for continuing the agreement.

It can work seamlessly with any kind of cloud servers and platform without any tech hassle or disturbance.

Multiple users can access and monitor the application working with a single login, which is quite advantageous and works really well for us.

There is no shutdown or slowdown of the application while in operation.

I strongly advise that the multi-layered security system of Check Point often undergoes updates and new versions keep coming. It is absolutely fantastic and is worth admiring. Every now and then, we feel that their team's training and orientation process on orienting the clients and partners is low and needs to be strengthened so that every single individual is completely aware and informed of the features and their utilities. They are not clueless in utilizing the services to their maximum. We just need more focused training.

I've been using the solution for almost foud to six months.

It is a stable product.

The solution is scalable.

They offer strong and supportive customer support.

Positive

We were using a third-party solution earlier, which was quite localized and was having limited utility in terms of system security. We switched to Check Point due to peer feedback and advice, as my peers were extremely happy after trial use and pushed us to try the solution due to its numerous utilities, which are customizable. It is quite affordable in comparison to its other competitors in the market.

The initial setup is easy and not complex at all.

We had assistance from the vendor team only.

We've seen an ROI of almost 70%.

We thoroughly examined the software and market offerings and found that CloudGuard solutions are reliable and dependable for their good work and globally accepted happy feedback by partners and users.

The setup cost is low and the implementation process is quite smooth.

Pricing is low in comparison to various competitors in the market.

Licensing and renewal of the agreement are effortless.

We evaluated other options, such as McAfee and Trend Security solutions. 

I'd advise potential users to go for the CloudGuard Intelligence solution and strengthen their IT security. It is the best available solution in the market with strong tech support and wider acceptability globally.