The Future of CSPMs

What could it be in 3 years?

I've been asking myself this question for a few months now.

I feel the CSPM space is saturated.

Almost all Cloud Security Posture Management (CSPM) tools (open source & commercial) have similar capabilities. The differentiating factor is add-ons like commercial support, near real-time detection, neat UI, and intuitive output with misconfigurations represented in graphs.

Will the commercial CSPM vendors keep the minimum number of developers to maintain the product and fire the rest?

Will there be no new features besides periodic UI/UX changes?

(Spoiler alert: I don't think so)

After spending considerable time with CSPMs, I predict three things that will happen in the CSPM space (in the next 3 years or until Gartner replaces the term with another piece of jargon, whichever comes first).

Note: These are my personal views and predictions. I'll probably post in 2028, reviewing if my predictions were correct and what I missed.

What do CSPMs do?

Refer to Gartner's definition of CSPM tools:

CSPM consists of offerings that continuously manage IaaS and PaaS security posture through prevention, detection, and response to cloud infrastructure risks. The core of CSPM applies common frameworks, regulatory requirements, and enterprise policies to proactively and reactively discover and assess risk/trust of cloud services configuration and security settings. If an issue is identified, remediation options (automated or human-driven) are provided.

On a high level, CSPMs:

  • Maintain Asset Inventory

  • Detect configuration issues

    • Missing security best practices

    • Cloud service misconfigurations that can lead to security incidents

These tools provide remediation steps and automation to prevent, detect, and respond to issues in the future.
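To make the two halves of that description concrete (an asset inventory, and configuration checks split into missing best practices versus misconfigurations that can lead to incidents, each with a remediation step), here is a small CSPM-style check engine. It is an added illustration, not code from any CSPM product mentioned on this page; the inventory, the check names and the port list are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    resource: str
    check: str
    category: str      # "best_practice" or "misconfiguration"
    remediation: str

# Constructed asset inventory, standing in for what a CSPM collects from provider APIs.
INVENTORY = [
    {"type": "bucket", "id": "bucket-logs", "block_public_access": False, "versioning": False},
    {"type": "bucket", "id": "bucket-assets", "block_public_access": True, "versioning": True},
    {"type": "security_group", "id": "sg-db", "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"}]},
    {"type": "security_group", "id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
]

WEB_PORTS = {80, 443}  # assumed list of ports acceptable to expose publicly

def check_bucket(asset):
    findings = []
    if not asset["block_public_access"]:   # exposure that can directly lead to an incident
        findings.append(Finding(asset["id"], "bucket-public-access", "misconfiguration",
                                "Enable the block-public-access setting on the bucket."))
    if not asset["versioning"]:            # hygiene gap, not an immediate exposure
        findings.append(Finding(asset["id"], "bucket-versioning", "best_practice",
                                "Enable object versioning to allow recovery from deletion."))
    return findings

def check_security_group(asset):
    findings = []
    for rule in asset["ingress"]:
        if rule["cidr"] == "0.0.0.0/0" and rule["port"] not in WEB_PORTS:
            findings.append(Finding(asset["id"], f"open-port-{rule['port']}", "misconfiguration",
                                    f"Restrict port {rule['port']} to trusted source ranges."))
    return findings

CHECKS = {"bucket": check_bucket, "security_group": check_security_group}

def asset_inventory(inventory):
    """Inventory half of a CSPM: count assets by type."""
    counts = {}
    for asset in inventory:
        counts[asset["type"]] = counts.get(asset["type"], 0) + 1
    return counts

def run_checks(inventory):
    """Detection half: run every registered check over every asset."""
    findings = []
    for asset in inventory:
        check = CHECKS.get(asset["type"])
        if check:
            findings.extend(check(asset))
    return findings
```

Adding coverage for a new service type is just another entry in CHECKS, which is the "growth cycle" discussed later in the post.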

Will CSPMs still exist in the near future?

They will continue to exist. I'm confident.

Fresh grads join the workforce. New ideas and startups emerge.

What's a better place to deploy your MVP than cloud platforms, given the incentives and credits they offer to startups?

And, what solution mitigates common security issues in cloud platforms that lead to breaches?

CSPMs. Unarguably.

The CSPM segment will continue to exist.

“Okay, my friend. Won’t CNAPPs replace CSPMs?”

I don't think so. The base assumption for using CNAPP solutions is that there's a security team to manage the tool. Many companies and funded startups don't have security teams or even a one-person security team.

CSPMs strike a balance between having no cloud security at all and running a full-fledged CNAPP tool.

Companies whose security teams have been using a CSPM for some time and have their internal processes sorted (for example, Devs and DevOps fixing bugs within SLA) might aim to get a CNAPP tool to level up their cloud security. In those cases, CNAPP would replace CSPM tools.

How will CSPMs evolve?

Increases coverage to include more services

Currently, CSPMs don't cover all services in supported cloud providers, focusing on the most commonly used ones.

AWS Config, a native CSPM service (when used alongside AWS Security Hub), doesn't support all AWS services and has different resource coverage across regions.

In the near future, CSPMs (and Cloud Native CSPM services) will stabilize across regions and increase the coverage of other existing services. Then, there's the development of new services and features among cloud providers.

Growth Cycle of CSPMs

So, as long as Cloud Providers keep shipping new services and features, CSPMs will keep adding them to the checklist.

Note: If new regulatory frameworks involving cloud platforms emerge, or if existing ones change, CSPMs will pick those up as well.

Increases coverage to include niche cloud providers

Major cloud providers are costly. If you disagree, check the data egress fees of AWS, GCP, and Azure to begin with.

A good number of startups and companies using cloud platforms, especially those running containerized workloads in production, are switching (or planning to switch) to other cloud providers offering cheaper resources and/or to private data centers.

For example, migrating to cloud platforms like Oracle Cloud, Alibaba Cloud, etc.

Cloud-native companies can see a considerable price reduction after migration. Companies can use a fraction of the saved costs to hire engineers to develop missing capabilities or workarounds for the new cloud platform.

Other players (like Linode and Cloudflare) could start marketing themselves as cloud platforms and better alternatives to major cloud platforms for certain use cases. (I also predict Cloudflare's Developer services will become a niche cloud platform with a customer base for Workers, R2, and AI services. 🙂)

So, CSPMs will cover other cloud platforms and possibly private cloud/data centers where security issues are just a misconfiguration away.

Niche commercial CSPM players emerge

While the core functionality remains the configuration checks, commercial CSPM tools might cater to a specific audience.

For example, Akash Mahajan’s startup, Kloudle, helps Developers and DevOps teams to secure their cloud.

Similar CSPM startups will emerge.

Such CSPMs might focus on one or a few service types (like Serverless, GenAI, etc.), do it slightly better than the competition, and grow from there.

So, yeah. These are my three predictions for CSPMs in the near future. Let's see how things pan out.

While CSPM solutions are readily available, many startups struggle with effectively operationalizing them for maximum security coverage.
