Hidden Costs of CNAPP Solutions
I’ve had my fair share of experience evaluating, procuring, and running a CNAPP solution in production environments, especially on AWS and GCP. I’ve seen their benefits and drawbacks, whether it’s agentless workload scanning or agent-based real-time protection.
Do you believe the annual cost of $100,000 for a CNAPP means you will only spend $100,000?
Let me upset you. The short answer is NO.
When it comes to the cost of a CNAPP, a naive mistake is to think the price written on the contract, after the battle between your procurement team and the vendor’s sales team, is final.
The hidden costs of operationalizing the CNAPP are often not highlighted. Not even the best, highest-ranking SEO-optimized CNAPP buyer guides mention this.
In this blog post, I’ll share some insider insights and lessons to help you make informed decisions when considering a CNAPP for your organization.
The Sad Reality of Additional Expenses
These are some of the ways I have seen CNAPP solutions add additional costs (in no particular order):
Enabling new log sources and security services: CNAPPs might require additional logging to feed their machine-learning models or advanced threat detection. You might also need to enable a cloud platform-specific security service (GuardDuty, etc.). If you enable new log sources and security services only for the CNAPP, their cost must be attributed to the CNAPP.
Shipping CNAPP logs to other places: If you have a SIEM/XDR solution and want the CNAPP logs sent to it, then yes, you guessed it right—it costs money. This expense is dependent on the number of logs generated and shipped.
Self-hosting scanners can cost you a lot of money: If your organization is subject to strict regulatory requirements, you may need to run agentless scans within your cloud accounts. Hosting the vendor’s proprietary scanners on your infrastructure incurs massive additional costs, which will grow with your workload and scanning frequency.
Agents scale with your workloads: For those using agents in their infrastructure, such as Kubernetes agents, remember that these agents consume memory on every VM. If you have 30-50 worker nodes, you may need to add a few more nodes to make room for the agent on each worker node and redistribute the existing load onto the new VMs.
Some negligible costs that are still not zero
Encryption and Key Management: If you opt for agentless scanning, you’ll need to consider the cost of the encryption keys used to encrypt and send snapshots to the vendor. Managing encryption keys adds a small fee, but with the security best practice of automatic key rotation, you will have spent a noticeable chunk in a few years.
Costs of Cloud API and API throttling: While accessing cloud APIs to retrieve information may seem negligible, the costs can accumulate over time, especially if your CNAPP makes frequent requests. I’ve had (unfortunate) firsthand experiences of a spike in S3 costs (due to frequent s3:ListObjects calls) and even AWS API throttling (that led to a production incident) due to frequent API requests to list 1000s of AWS Glue tables for inventory purposes.
Time spent on CI/CD pipelines isn’t free: Integrating CNAPP agents into your CI/CD pipeline to “shift left” can lead to increased CI/CD time and resource consumption, which translates to added expenses. These costs depend on how you have configured your security stages in the pipeline. Scanning every push in the dev environment is more costly than scanning every PR merged to staging/UAT.
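The API-volume and throttling point above is one you can actually measure rather than discover during an incident. The following is an added example, not code from the original post or from any CNAPP vendor: it aggregates CloudTrail-style records by calling principal, counts calls per API, counts throttling errors, and reports the peak calls-per-minute for each principal, which is what you need both to attribute API cost to the CNAPP and to notice a scanner approaching service rate limits. The role ARNs, the account id and the event records are constructed placeholders; the field names (eventTime, eventSource, eventName, userIdentity.arn, errorCode) are the standard CloudTrail ones.

```python
"""Attribute AWS API call volume and throttling to the principal that made it.

Added example: parses CloudTrail-style records and answers two questions a
cloud security engineer asks after connecting a CNAPP: which IAM principal
is generating the calls, and how much of the throttling is theirs.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Error codes AWS services return when a caller exceeds a request rate.
THROTTLE_CODES = {"ThrottlingException", "Throttling", "RequestLimitExceeded", "SlowDown"}

# Assumed placeholder principals (not real ARNs): the role a CNAPP assumes for
# cross-account scanning, and a human engineer's session for comparison.
CNAPP_ROLE = "arn:aws:sts::111122223333:assumed-role/cnapp-scanner-role/scan-session"
HUMAN_ROLE = "arn:aws:sts::111122223333:assumed-role/data-engineer/alice"


def _event(time, source, name, arn, error=None):
    """Build a minimal CloudTrail-shaped record (only the fields used here)."""
    rec = {
        "eventTime": time,
        "eventSource": source,
        "eventName": name,
        "userIdentity": {"type": "AssumedRole", "arn": arn},
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample trail: a burst of inventory calls from the CNAPP role
# (some of them throttled) alongside a few calls from a human engineer.
SAMPLE_TRAIL = json.dumps({"Records": [
    _event("2024-05-01T10:00:05Z", "s3.amazonaws.com", "ListObjects", CNAPP_ROLE),
    _event("2024-05-01T10:00:12Z", "s3.amazonaws.com", "ListObjects", CNAPP_ROLE),
    _event("2024-05-01T10:00:40Z", "s3.amazonaws.com", "ListObjects", CNAPP_ROLE),
    _event("2024-05-01T10:01:03Z", "glue.amazonaws.com", "GetTables", CNAPP_ROLE),
    _event("2024-05-01T10:01:04Z", "glue.amazonaws.com", "GetTables", CNAPP_ROLE, "ThrottlingException"),
    _event("2024-05-01T10:01:09Z", "glue.amazonaws.com", "GetTables", CNAPP_ROLE, "ThrottlingException"),
    _event("2024-05-01T10:01:20Z", "glue.amazonaws.com", "GetTables", CNAPP_ROLE),
    _event("2024-05-01T10:02:00Z", "s3.amazonaws.com", "GetObject", HUMAN_ROLE),
    _event("2024-05-01T10:02:30Z", "glue.amazonaws.com", "GetTables", HUMAN_ROLE),
]})


def load_records(text):
    """Parse a CloudTrail log file body ({"Records": [...]}) into a list of dicts."""
    return json.loads(text)["Records"]


def summarize_by_principal(records):
    """Per principal ARN: total calls, throttled calls, and calls per service:API."""
    summary = defaultdict(lambda: {"calls": 0, "throttled": 0, "by_api": Counter()})
    for rec in records:
        arn = rec.get("userIdentity", {}).get("arn", "unknown")
        entry = summary[arn]
        entry["calls"] += 1
        entry["by_api"][f'{rec["eventSource"]}:{rec["eventName"]}'] += 1
        if rec.get("errorCode") in THROTTLE_CODES:
            entry["throttled"] += 1
    return dict(summary)


def peak_calls_per_minute(records, arn):
    """Highest number of calls one principal made within any single minute."""
    per_minute = Counter()
    for rec in records:
        if rec.get("userIdentity", {}).get("arn") != arn:
            continue
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        per_minute[ts.strftime("%Y-%m-%dT%H:%M")] += 1
    return max(per_minute.values(), default=0)


def call_share(summary, arn):
    """Fraction of all recorded calls attributable to one principal."""
    total = sum(e["calls"] for e in summary.values())
    return summary[arn]["calls"] / total if total else 0.0


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    summary = summarize_by_principal(recs)
    for arn, e in summary.items():
        print(f"{arn}\n  calls={e['calls']} throttled={e['throttled']} "
              f"peak/min={peak_calls_per_minute(recs, arn)} share={call_share(summary, arn):.0%}")
        for api, n in e["by_api"].most_common():
            print(f"    {api}: {n}")
```

In production you would feed this the records from your CloudTrail S3 bucket or an Athena query rather than the embedded sample; the point of the per-principal breakdown is that the CNAPP's role shows up as its own line item, so its share of S3 request charges and its share of throttling errors can be attributed to the tool in the same way the log-source costs above should be.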
These are some hidden costs I found after deploying the CNAPP solution.
You shouldn’t mistake this for vendors not doing anything. I’ve seen vendors doing optimization on their end, like hosting their scanners in the same region and availability zone as the customer, optimizing agent memory consumption, etc.
If you plan to procure a CNAPP, explicitly ask about the additional costs of running the tool. Higher costs should mean more credits in the final quote. 😉