The five tool categories that form the cloud security toolchain — what each does, where it sits in the stack, and which open-source tools you can use to build a capable security programme without enterprise budget.
Sign in to mark this article as read and track your progress.
Cloud security vendors use dozens of overlapping acronyms. Understanding the five core tool categories lets you evaluate any product objectively — mapping it to a specific security function rather than marketing language.
What it does: Continuously monitors cloud resources for misconfigurations against security baselines (CIS Benchmarks, NIST, CSA CCM). Identifies public S3 buckets, overly permissive security groups, unencrypted volumes, and disabled MFA.
When to use: From the moment you have any cloud resource. CSPM is the foundation of cloud visibility.
Commercial tools: Wiz, Prisma Cloud, Microsoft Defender for Cloud, AWS Security Hub Open-source: Prowler (AWS/Azure/GCP), ScoutSuite, CloudSploit
A single Prowler scan against a neglected AWS account typically surfaces 50-200 findings within minutes. It is the first tool to run on any new cloud environment.
What it does: Secures compute workloads — VMs, containers, serverless functions — at runtime. Combines vulnerability scanning, runtime anomaly detection, micro-segmentation, and application whitelisting.
When to use: When running workloads in cloud compute (EC2, EKS, Lambda). Particularly critical for containerised environments.
Commercial tools: Aqua Security, Sysdig, Trend Micro Cloud One Open-source: Falco (runtime security for containers and Kubernetes), Trivy (vulnerability scanning)
What it does: Sits between users and cloud services to enforce security policies. Controls shadow IT (unapproved SaaS usage), applies DLP policies to cloud data, enforces authentication policies for SaaS applications.
When to use: When employees use SaaS applications (Microsoft 365, Salesforce, Box) and you need visibility and control over data flowing to and from those services.
Commercial tools: Microsoft Defender for Cloud Apps, Netskope, Zscaler Internet Access Open-source: Limited — most CASB functionality requires commercial solutions due to API integration complexity
What it does: Analyses IAM permissions at scale to identify excessive entitlements, unused permissions, and privilege escalation paths. Addresses the core problem that IAM policies accumulate permissions over time until they are dangerously overprivileged.
When to use: In any environment with more than a handful of IAM users and roles — which is every production environment.
Commercial tools: Authomize, Ermetic (now Tenable CNAPP), AWS IAM Access Analyzer Open-source: Cloudsplaining (AWS IAM analysis), Parliament (IAM policy linting), Enumerate-IAM
What it does: Combines vulnerability management (finding known CVEs in running workloads) with security event monitoring (aggregating and correlating cloud logs). Often overlaps with CWPP for workload scanning.
When to use: As the detective layer — continuously scanning for vulnerabilities and alerting on security events.
Commercial tools: Tenable.io, Qualys VMDR, AWS Inspector Open-source: OpenVAS/Greenbone, Nuclei (fast vulnerability templates)
| Category | Visibility | Control | Runtime | Identity | Cost |
|---|---|---|---|---|---|
| CSPM | Configuration | Detect/alert | No | Partial | Low-Medium |
| CWPP | Workloads | Prevent+Detect | Yes | No | Medium-High |
| CASB | User+Data | Enforce policy | Yes | Partial | Medium-High |
| CIEM | Entitlements | Detect/remediate | No | Yes | Medium |
| CSMV | Vulns+Events | Detect/alert | Partial | No | Low-Medium |
For this course, the following open-source tools are used in practical exercises:
| Tool | Category | Purpose |
|---|---|---|
| Prowler | CSPM | AWS/Azure/GCP misconfiguration scanning |
| Falco | CWPP | Kubernetes and container runtime security |
| Trivy | CWPP/CSMV | Container image and filesystem vulnerability scanning |
| ScoutSuite | CSPM | Multi-cloud security auditing |
| Cloudsplaining | CIEM | AWS IAM analysis and least-privilege assessment |
| kube-bench | CWPP | CIS Kubernetes benchmark assessment |
These five categories represent the minimum viable cloud security toolchain. A mature programme uses all five — with CSPM providing the foundational visibility layer, CWPP protecting workloads, CASB controlling SaaS access, CIEM managing identity risk, and CSMV delivering continuous vulnerability and event monitoring.