How PSPM and CNAPP Work Together
PSPM and CNAPP create a symbiotic relationship where each enhances the other's effectiveness through continuous feedback loops.
CNAPP Findings Inform PSPM Priorities
Detection data drives prevention investment decisions:
Volume analysis identifies prevention targets. CNAPP shows which issues appear most frequently. "Unencrypted EBS volumes" appearing 1,500 times signals a prime prevention candidate. "Public RDS snapshots" appearing 800 times across accounts indicates systematic gaps. PSPM uses this volume data to prioritize which preventive controls to deploy first for maximum impact.
Pattern recognition reveals systematic issues. CNAPP exposes recurring misconfigurations: the same teams deploying public S3 buckets repeatedly, the same security group mistakes in every region, the same compliance gaps across accounts. These patterns indicate where prevention would eliminate systematic problems rather than requiring repeated remediation.
Risk correlation focuses prevention efforts. CNAPP identifies which findings create actual risk versus noise. PSPM concentrates prevention on issues that matter: production environments, sensitive data, critical workloads, external exposure, compliance requirements. Prevention gets deployed where it delivers real risk reduction.
Gap identification guides layer selection. CNAPP findings expose prevention gaps. If "public RDS instances" appears as a finding, it means build-layer scanning, access-layer policies, and config-layer defaults all failed to prevent it. PSPM analyzes which layer should address each gap for optimal coverage.
Example Workflow
- CNAPP identifies "public S3 buckets" as top finding by volume (3,000+ instances)
- PSPM analyzes prevention coverage: no organization policy blocks public buckets, no config-layer defaults prevent public access, only runtime remediation exists
- PSPM simulates deploying an AWS SCP to block public bucket creation
- Simulation shows impact: 2,800 would be prevented, 200 require exceptions (legitimate CDN use cases)
- PSPM orchestrates gradual SCP deployment with monitoring, testing, then production rollout
- CNAPP finding volume for public buckets drops from 3,000 to 200 (93% reduction)
- PSPM measures effectiveness: 2,800 findings eliminated, 140 hours/month capacity freed
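To make the simulation step of the workflow above concrete, here is an added example (not code from the original page or from any PSPM product) that replays constructed CNAPP findings against a candidate SCP and counts what the access layer would have blocked versus what needs an exception. The SCP document format and the `aws:PrincipalTag` condition key are real AWS ones; the finding records, principal tags and the `s3-public-exception` tag name are assumptions.

```python
"""Replay a sample of CNAPP "public S3 bucket" findings against a candidate
SCP to estimate what the access layer would have blocked and what needs an
exception, before the SCP is deployed. Findings and tag names are constructed."""
import json

# Candidate SCP: deny the S3 calls that make a bucket public unless the
# calling principal carries an approved-exception tag (e.g. CDN buckets).
SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyPublicBuckets",
    "Effect": "Deny",
    "Action": ["s3:PutBucketPublicAccessBlock", "s3:PutBucketAcl",
               "s3:PutBucketPolicy"],
    "Resource": "*",
    "Condition": {
      "StringNotEquals": {"aws:PrincipalTag/s3-public-exception": "true"}
    }
  }]
}""")

# Constructed CNAPP findings: (finding id, API call that caused the
# exposure, tags on the calling principal). Real export formats differ.
FINDINGS = [
    ("f-001", "s3:PutBucketAcl", {}),
    ("f-002", "s3:PutBucketPolicy", {}),
    ("f-003", "s3:PutBucketPolicy", {"s3-public-exception": "true"}),
    ("f-004", "s3:PutBucketPublicAccessBlock", {}),
    ("f-005", "s3:PutBucketAcl", {"team": "cdn"}),
]

def scp_denies(action, principal_tags):
    """Minimal evaluator: a Deny statement applies when the action matches
    and every StringNotEquals condition holds (tag absent or different)."""
    for stmt in SCP["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        conds = stmt.get("Condition", {}).get("StringNotEquals", {})
        if all(principal_tags.get(key.split("/", 1)[1]) != value
               for key, value in conds.items()):
            return True
    return False

def simulate(findings):
    """Return (would be prevented, need an exception, percent reduction)."""
    prevented = sum(scp_denies(action, tags) for _, action, tags in findings)
    exceptions = len(findings) - prevented
    return prevented, exceptions, round(100 * prevented / len(findings))
```

The evaluator models only the Deny-with-condition logic of the policy; it does not model SCP limits such as the policy not applying to the organization's management account, which a real rollout simulation must account for.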
PSPM Deployment Reduces CNAPP Noise
Prevention systematically reduces what detection finds:
Alert volume reduction at scale. As PSPM expands prevention coverage across the four layers, fewer misconfigurations reach production. Organizations implementing comprehensive prevention typically see 50-80% reductions in CNAPP findings within 6-12 months.
Signal-to-noise improvement. With preventable misconfigurations eliminated, CNAPP findings focus on genuine threats: sophisticated attacks, zero-day exploits, insider threats, complex misconfigurations requiring architectural changes. Security teams stop drowning in preventable alerts and concentrate on issues requiring investigation and judgment.
Remediation cycle elimination. Preventive controls block issues at deployment time. There's no detection finding to create, no ticket to triage, no coordination across teams, no implementation of fixes, no validation of remediation. The entire remediation cycle disappears for prevented issues - capacity gets freed for strategic work.
Repeat issue elimination. Prevention breaks the endless cycle. Public buckets blocked by organization policies never reach production. Unencrypted volumes prevented by config-layer defaults never appear in CNAPP. Issues that would have appeared hundreds of times get prevented systematically.
Example Impact Metrics
Before prevention:
- 12,000 CNAPP findings per month
- 400 hours remediation effort
- 85% repeat issues
- 3-14 day exposure windows
- Security team burnout
After prevention:
- 2,500 CNAPP findings per month
- 80 hours remediation effort
- 25% repeat issues
- Minutes to remediation (runtime layer)
- Security team strategic capacity
Result: 79% finding reduction, 80% capacity freed, better security outcomes
Together They Create Defense in Depth
PSPM and CNAPP provide overlapping layers of protection:
Layer 1 - Prevention (PSPM manages): Stop known, preventable issues before production. Organization policies block risky API calls. Secure defaults make resources safe automatically. IaC scanning catches misconfigurations in code. Runtime remediation fixes drift within minutes.
Layer 2 - Detection (CNAPP provides): Catch sophisticated threats and what prevention missed. Continuous scanning finds all current misconfigurations. Runtime threat detection identifies malicious activity. Vulnerability management reveals exploitable weaknesses. Attack path analysis maps compound risks.
Overlapping coverage creates resilience:
- Issues bypassing build-layer scanning get blocked by access-layer policies
- Issues bypassing organization policies get caught by config-layer defaults
- Issues bypassing config defaults get remediated by runtime controls
- Issues bypassing all prevention get detected by CNAPP
- Sophisticated threats not addressable by prevention get detected and responded to
This defense-in-depth approach means no single control failure creates exposure. Multiple layers provide redundancy and resilience. Prevention reduces the volume of issues. Detection ensures comprehensive visibility. Together they deliver security that scales.
The Feedback Loop: Continuous Improvement
PSPM and CNAPP create continuous feedback for optimization:
CNAPP validates prevention works. Before-and-after metrics show whether preventive controls actually reduced specific finding types. If "unencrypted EBS volumes" doesn't decrease after deploying encryption defaults, something is wrong. CNAPP provides the validation data.
CNAPP identifies prevention bypasses. When CNAPP finds issues that prevention should have blocked, it exposes gaps: policy scope issues, conditions excluding accounts, exceptions that became too broad, or new services not covered by existing controls. These findings drive PSPM priorities.
PSPM demonstrates prevention ROI. Quantified finding reductions prove prevention value. Freed remediation capacity justifies investment. Measured coverage expansion shows progress. These metrics make the business case for continued prevention investment.
CNAPP shifts focus as prevention expands. With predictable misconfigurations prevented, CNAPP teams shift attention to sophisticated threats, complex attack paths, and strategic risk assessment - the high-value work that CNAPP enables but that gets buried in misconfiguration noise without prevention.
Organizations with integrated PSPM and CNAPP platforms continuously optimize the prevention-detection balance based on measured outcomes rather than guesswork.