Why the CWS Forrester Wave got it wrong

Cloud security is no easy task. Organizations are pressured to innovate at a very fast pace, which introduces a great deal of cybersecurity risk. In tandem, threat actors are unleashing a constant barrage of attacks using increasingly sophisticated tools and techniques. And, on top of it all, the cloud security vendor landscape is extremely crowded, which makes solution assessment a difficult undertaking, especially for bandwidth-deprived security teams.

That’s why analyst vendor assessments (the Waves, the Quadrants, the Radars) are valuable and important tools. They are helpful, trusted guides through a crowded marketplace. However, when the trusted guides are, well, misguided, they can do real damage to the companies that follow them, especially in an area as important as cloud security.

The recent Forrester Wave™ for Cloud Workload Security (CWS) is one such report that missed the mark. Here are six reasons why the Forrester analyst behind the report got his assessment of cloud workload security vendors wrong.

1. The CWS analyst overlooked the integration of threat and risk management

Time is cloud security's number one adversary. The cloud, while enabling companies to innovate faster, has created exponentially more risks and threats. Organizations’ code bases and software supply chains are expanding rapidly, which inevitably leads to more vulnerabilities. At the same time, the constantly changing nature of the cloud creates new opportunities for threat actors to exploit your systems and data while remaining undetected for months. 

This puts companies in a real bind. Should they focus their efforts on risk mitigation, in hopes that they can build an impenetrable defense? Or should they focus their efforts on threat detection, to be well-prepared for the inevitable breach?

The answer, of course, is yes.

The inconvenient truth is that neither risk management alone nor threat management alone is enough. To work most efficiently and prioritize issues most effectively, risk findings must be enriched with threat context, and threat findings must be enriched with risk context. This integration ensures that risk teams can swiftly mitigate significant vulnerabilities, while threat teams prioritize and address the most dangerous threats. 
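To make the point above concrete, here is a small, added illustration of what “enriching risk findings with threat context, and threat findings with risk context” can look like in practice. This is example code written for this page, not Lacework’s implementation or scoring model; the weights, the 1 to 5 threat-severity scale, and the host, finding and signal values are all assumptions, and the finding identifiers are placeholders rather than real CVEs. It shows how a lower-CVSS vulnerability moves to the top of the queue once a live runtime signal is observed on the same workload, and how a runtime signal is annotated with the weaknesses an attacker on that host could have used.

```python
"""Added example (not Lacework code): correlate risk findings with runtime threat signals."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskFinding:
    """A vulnerability or misconfiguration on a workload (posture/scan data)."""
    host: str
    finding_id: str          # placeholder identifier, not a real CVE
    cvss: float
    internet_exposed: bool


@dataclass(frozen=True)
class ThreatSignal:
    """A runtime observation from an agent on a workload."""
    host: str
    kind: str                # e.g. "suspicious_process", "outbound_to_unknown_ip"
    severity: int            # assumed scale: 1 (low) .. 5 (critical)


# Assumed weights, chosen for illustration only.
EXPOSURE_BONUS = 2.0
THREAT_WEIGHT = 2.0


def threats_by_host(threats):
    """Group runtime signals by the workload they were observed on."""
    grouped = defaultdict(list)
    for t in threats:
        grouped[t.host].append(t)
    return grouped


def risk_score(risk, host_threats):
    """CVSS base, plus an exposure bonus, plus the strongest live threat on that host."""
    score = risk.cvss
    if risk.internet_exposed:
        score += EXPOSURE_BONUS
    if host_threats:
        score += THREAT_WEIGHT * max(t.severity for t in host_threats)
    return score


def prioritize_risks(risks, threats):
    """Risk findings enriched with threat context, highest priority first."""
    grouped = threats_by_host(threats)
    ranked = sorted(risks, key=lambda r: risk_score(r, grouped.get(r.host, [])), reverse=True)
    return [r.finding_id for r in ranked]


def enrich_threats(threats, risks):
    """Threat signals enriched with risk context: known weaknesses on the same host."""
    findings_by_host = defaultdict(list)
    for r in risks:
        findings_by_host[r.host].append(r.finding_id)
    return {(t.host, t.kind): sorted(findings_by_host.get(t.host, [])) for t in threats}


# Constructed sample data; hosts, ids and scores are invented for this example.
RISKS = [
    RiskFinding("db-01", "vuln-1", cvss=9.8, internet_exposed=False),
    RiskFinding("web-01", "vuln-2", cvss=6.5, internet_exposed=True),
    RiskFinding("batch-01", "vuln-3", cvss=7.5, internet_exposed=False),
]
THREATS = [
    ThreatSignal("web-01", "suspicious_process", severity=4),
]

if __name__ == "__main__":
    # Without runtime context the critical-CVSS finding on db-01 ranks first;
    # with it, the medium finding on the actively attacked web-01 jumps ahead.
    print("risk only :", prioritize_risks(RISKS, []))
    print("correlated:", prioritize_risks(RISKS, THREATS))
    print("threat ctx:", enrich_threats(THREATS, RISKS))
```

The interesting behaviour is the flip in ordering: on CVSS alone `vuln-1` (9.8) leads, but once the agent reports a suspicious process on `web-01`, `vuln-2` (6.5, internet-exposed) takes priority, because it is the weakness an attacker is most plausibly using right now. The reverse join gives the threat team the same benefit, listing what an intruder on that host could exploit next.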

The analyst missed the mark on this nuanced view of cloud security, which balances threat detection against risk management. The report's criteria clearly lean toward cloud infrastructure entitlement management (CIEM), agentless workload scanning, and cloud security posture management (CSPM), areas that reflect the author's expertise but not the security challenges customers are facing today.

2. The CWS analyst discounted the importance of high-quality, correlated runtime data

When we discussed this report with the Forrester research leadership team, they referred to agents as “old technology.” This is inaccurate and overlooks the value that runtime data brings to effective and accurate threat detection. 

It also overlooks the significant advancements made to security agents in the cloud era. Some agents (like the Lacework agent) have been built specifically for the ephemerality of cloud workloads. They handle vast amounts of data efficiently, offer flexible deployment, update automatically for easy maintenance, are customizable, and have a light footprint in cloud environments. The telemetry they collect from inside the workload (processes, network connections, file activity) is simply not available through cloud provider APIs or to agentless-only security solutions, and this depth of visibility is critical for detecting active threats in workload environments.

The importance of agents in cloud security is not only recognized by Lacework but is also echoed by our peers. Over the past few months, we’ve seen competitors attempting to release sensors and we’ve seen others introduce early versions of agents. We’re glad to see other vendors embracing something that we have always believed: the only way to truly protect customers and their data in the cloud is through a holistic agentless and agent-based approach.

As highlighted in the 2023 Gartner® Market Guide for CNAPP, “Agentless workload scanning has become a popular approach and an expected core CNAPP capability, although in-workload approaches provide the best protection.” Lacework offers our customers both approaches to provide customers with best-in-class protection of their workloads and cloud environments.

We continually refine our technology, including our agent, with detailed insights from Lacework Labs, our dedicated research team, which focuses on emerging threats and attack surface risks in the cloud. You may have seen the recent FBI and CISA warning for AndroxGh0st — a malware capable of scanning for and exploiting exposed cloud credentials and APIs. Because of the patented way we build and analyze composite threats, Lacework was the first to discover this malware back in 2022, and we’ve been protecting our customers from it for more than a year ahead of the recent advisory.

3. The CWS analyst underestimated the pace of modern tech advancements

We believe that this Forrester Wave placed a greater focus on CSPM and CIEM solutions because of the author’s background in identity and posture, with less awareness of the critical nature of threat detection. The fast-evolving nature of this field poses a challenge for any analyst firm, including Forrester, and the result is assessments that are already outdated by the time of publication. Such delays can inadvertently mislead customers and limit their ability to make decisions based on the most up-to-date technological landscape.

For example, in the report, the analyst gave us a low score for our deployment scale. The analyst only graded us on our agentless scale number, though we provided numbers for CSPM, CIEM, agents, and agentless in the June 2023 survey. Also, at this time, our agentless capabilities had recently become generally available, so the number wasn’t representative of our ability to scale. By the time the report was published, this number was long outdated and not representative of our scaling abilities in any of the aforementioned workload protection methods. 

4. The CWS analyst assumed innovation is tied to company size

The criteria and scoring in the report were geared toward larger companies (e.g., Palo Alto Networks and CrowdStrike), leaving no opportunity for smaller companies to appear as leaders. As part of the innovation section, Forrester’s analyst asked us for the number of engineers on staff. Vendors with over 500 engineers were awarded a “5,” while those with fewer engineers received lower scores. This criterion is skewed toward large organizations that can pool engineers from multiple business units to report a high number.

If innovation was truly determined by company size, there would never have been any disruption in the history of tech: no Internet, no mobile, no cloud, no GenAI, and we’d still be following the lead of HP and IBM.

We have seen no correlation in the market between the number of engineers and innovation. In fact, one could argue that smaller organizations innovate more nimbly and efficiently, as evidenced by what we have delivered over the last year.

The engineering and technical teams at Lacework consist of many industry-renowned developers and application security engineers. Some joined us from the most prominent industrial research labs in the world. Others have developed widely-adopted password hashing algorithms and renowned password auditing tools.

The power of Lacework is our ability to comprehend data at scale. What makes our behavioral analysis different is that we don’t rely on static rules or signatures to spot lurking threats, since they create excessive noise and miss new attack patterns. How we do this is protected by over 200 patents and patent applications.

5. The CWS analyst amplified the pricing flexibility and transparency misconception

The Forrester analyst’s assessment pointed out a perceived shortfall in our pricing flexibility and transparency, particularly our absence of a public ROI calculator. The criteria appeared to favor companies with a Forrester Total Economic Impact (TEI) study, which Lacework did not purchase this year. We believe that the effectiveness of pricing strategies should not be solely measured by the presence of such calculators or studies and that this approach to pricing evaluation raises concerns about fairness and the potential perception of a pay-to-play model. 

Our approach to pricing is based on direct engagement with customers, offering tailored and transparent solutions rather than fitting into a one-size-fits-all calculator. Our commitment is to adaptability and personalized support, which may not align with proprietary ROI models but is more reflective of our customer-first philosophy. 

6. The CWS analyst is out of step with market feedback

Lacework is repeatedly recognized in the industry for our customer-driven innovation and adaptable, comprehensive security. Our accolades speak volumes: as recently as this week, we were named a Leader in the KuppingerCole Leadership Compass for Cloud-Native Application Protection Platforms (CNAPP), with 5 out of 5 ratings in all of the product capability categories: security, functionality, deployment, interoperability, and usability. And, in January, we were named a Leader in the GigaOm Radar for CWS, specifically noted for our strong adaptability and innovative platform technology. Take a look at this blog for a detailed look at our recognitions from the past year. 

Final thoughts

The Forrester CWS Wave is fundamentally flawed, rooted in a limited understanding of the intricacies of modern cloud security. The Lacework approach, which emphasizes the integration of risk and threat management, the importance of both agent and agentless technology, and innovative solutions backed by industry recognition and over 200 patents and patent applications, stands as a testament to our leadership in the field. As cloud security continues to evolve, it's imperative that evaluations like Forrester's adapt to reflect the true challenges and solutions in the industry.