# How CSPM Will Shape the Future of Cloud Security

By [Jason Williams](https://www.paloaltonetworks.com/blog/author/jason-williams/?ts=markdown), May 24, 2024

*Address the gaps of last-generation CSPM tools with more context and proactive security measures that prevent repeated mistakes.*

When companies switch to the cloud, it's natural for their security teams to adopt a [cloud security posture management (CSPM)](https://www.paloaltonetworks.com/cyberpedia/what-is-cloud-security-posture-management) tool to gain visibility, detect misconfigurations and solve compliance challenges. After all, CSPM solutions provide valuable security insights, including those that normally require an agent or proxy.

With cloud environments becoming more complex, organizations and cloud security vendors must adapt to stay ahead of modern threats. This blog covers how CSPM technologies changed over time and what makes a modern approach stand out from traditional solutions.

## The Evolution of CSPM Tools

Since the cybersecurity industry introduced CSPM, offerings have developed to better equip businesses with more comprehensive security. Here are some of the key milestones we've observed in the market and their challenges.

### First Generation CSPM

The first generation of CSPM tools helped organizations address three security functions:

1. *What assets do I have across my public clouds?*
2. *Where are my misconfigurations?*
3. *What is my compliance posture?*

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/05/word-image-321510-1.png)

During this era, CSPM provided essential visibility without requiring any agents, proxies or network scanners, making it easy to adopt. But security teams quickly realized a new challenge---they had an overwhelming number of misconfigurations and didn't know which risks to prioritize.

### Second Generation CSPM

To overcome the alert prioritization challenges, the industry responded by consolidating CSPM with other cloud security functions, often into a [cloud-native application protection platform (CNAPP)](https://www.paloaltonetworks.com/cyberpedia/what-is-a-cloud-native-application-protection-platform). This shift increased the scope of CSPM to include identifying and correlating risk factors that form attack paths within cloud environments, such as misconfigurations, network exposures, vulnerabilities and excessive permissions.

Internal research from Palo Alto Networks found that in the typical cloud environment, only 1% of cloud misconfigurations are linked to open attack paths. Identifying these helps security teams focus on the issues that matter.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/05/word-image-321510-2.png)

With organizations seeking tool consolidation, pure-play CSPM tools vanished during this era. This doesn't mean CSPM is dead. On the contrary, a [Gartner forecast](https://www.gartner.com/en/documents/4540599) predicts that by 2026, 60% of organizations will view preventing cloud misconfigurations as a cloud security priority, compared with 25% in 2021.

## Why Second Generation CSPM Falls Short

The second wave of CSPM emerged to address the challenges caused by previous iterations; however, these solutions leave visibility and security gaps because of several critical limitations:

* **Attack surface blind spots --** Scanning only the inside of your clouds gives incomplete visibility. Our research indicates that approximately 30% - 40% of an organization's publicly accessible attack surface is unknown. This creates the need for an "outside-in" view of your company's clouds.
* **No application context --** Traditional CSPM approaches provide an asset-centric view of your cloud, while internal teams think in terms of applications. This leaves security teams blind to application risk impact and makes collaboration with development teams difficult.
* **Find and fix treadmill --** Resolving issues at runtime completely ignores that a single configuration mistake in code can multiply into dozens, sometimes hundreds, of cloud misconfigurations. Traditional approaches leave security teams stuck in a loop of identifying and resolving issues in their cloud environments, many of which are repeated mistakes that could have been prevented.

## The New Generation of CSPM

At Palo Alto Networks, we believe CSPM should provide more visibility, context and prevention-first security. The new wave of CSPM builds on the groundwork laid out by previous iterations and addresses gaps by delivering the following:

### External Attack Surface Management

A modern CSPM approach scans the entire internet to discover internet exposures and evaluate the risk of shadow clouds, unknown assets or unmanaged services. [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud), a Code to Cloud™ platform, makes this possible through [cloud discovery and exposure management (CDEM)](https://www.paloaltonetworks.com/prisma/cloud/cloud-discovery-exposure-management), enabling security teams to gain an outside-looking-in view of their cloud environments, including clouds they might not even know existed.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/05/word-image-321510-3.png)

### Application Context

Traditional CSPM tools focus on assets and workloads, but security and developer teams really care about the applications. Prisma Cloud delivers AppDNA, helping security teams understand what applications are deployed across clouds, which assets form the application and who owns the application.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/05/word-image-321510-4.png)

### Tracing Cloud Risks to Code

Forwarding cloud misconfigurations to developers via ticketing systems is an extremely common but inefficient CSPM approach. Tackling issues in the cloud as opposed to fixing mistakes at the source is like treating an illness instead of curing it. That's why Prisma Cloud traces cloud risks back to the [infrastructure-as-code (IaC)](https://www.paloaltonetworks.com/cyberpedia/what-is-iac) misconfiguration that caused the issue, enabling security teams to resolve security risks at the source.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/05/word-image-321510-5.png)

These are just a few of the many reasons why organizations choose [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud/cloud-security-posture-management) to secure their applications from code to cloud.

Want to see what critical risks lurk in your cloud? Schedule a quick [cloud security assessment](https://start.paloaltonetworks.com/how-healthy-is-your-cloud-security).