Only 15% of CNAPP vendors mention runtime protection on their homepage. Meanwhile, 55% claim “AI-powered.”
Here’s what the CNAPP market is actually rewarding: Upwind just raised $250M on a “runtime-first” message. Sysdig got named a Forrester Wave Leader with runtime at the center of their positioning.
“In an AI-driven world where attacks unfold in 10 minutes, runtime is the only way to defend.”
That quote deserves unpacking, because it explains why runtime isn’t just a positioning opportunity — it’s a fundamentally different approach to security.
Most cloud security today is static. Scan your infrastructure-as-code for misconfigurations. Flag vulnerable packages in your container images. Audit IAM policies at rest. This is valuable work — but it’s all about what could happen, not what is happening. You can have perfect shift-left hygiene and still get compromised, because attackers don’t target your Terraform files. They target your running workloads.
Runtime protection flips the model: instead of scanning artifacts before deployment, it monitors what’s actually executing in production. Which processes are spawning. Which network connections are opening. Which API calls are happening that shouldn’t be. It’s the difference between checking that your locks are installed correctly and watching who’s actually walking through the door.
That’s why the market is rewarding it. Not because it’s a clever messaging angle — because it solves a problem that static scanning can’t. And 85% of CNAPP vendors aren’t saying so.
The Data: 67 Companies, One Clear Signal
We scored the homepage positioning of 67 cloud security companies across 10 sub-verticals — CNAPP, CSPM, CWPP, container security, DSPM, and others — tracking which capabilities each vendor claims and how effectively they differentiate.
The market-wide finding: Runtime protection appears on only 10 of 67 homepages (15%). Yet companies claiming it average a positioning score of 71.9 — the highest of any capability we tracked.
Compare that to the crowded claims:
| Capability | Adoption (67 cos.) | Avg Score |
|---|---|---|
| AI-powered | 55% (37/67) | 68.7 |
| Visibility | 34% (23/67) | 66.8 |
| Unified platform | 30% (20/67) | 65.2 |
| Risk prioritization | 27% (18/67) | 66.8 |
| Runtime protection | 15% (10/67) | 71.9 |
Here’s what matters for CNAPP: of those 10 vendors claiming runtime, nearly all are CNAPP or adjacent container security companies. Runtime maps to CNAPP’s core promise more directly than any other sub-category — yet even within CNAPP, it’s the vendors who lead with runtime (Sysdig, Upwind) that score highest. The rest bury it as a feature or don’t mention it at all.
The broader pattern holds across the market: the more a claim gets used, the less it differentiates. “AI-powered” appears on 89% of CNAPP homepages and more than half of all 67 companies we analyzed. It’s not a differentiator — it’s wallpaper. Runtime, by contrast, remains specific enough to mean something and rare enough to stand out.
Two other under-claimed capabilities show similar dynamics: “developer-friendly” (7% adoption, 69.2 avg) and “attack-path analysis” (4%, 68.3 avg). Low adoption, high performance.
Why CNAPP specifically? Runtime isn’t equally relevant across all cloud security sub-categories. DSPM vendors, for example, are solving fundamentally static problems — data discovery, classification, access posture. But CNAPP is inherently about protecting running workloads. If your entire category exists to secure cloud-native applications in production, and you’re not leading with what happens in production, you have a messaging gap. That’s what makes the 85% figure so striking — most CNAPP vendors are ignoring the capability that most directly maps to their category’s reason for existing.
Three Companies Leading with Runtime
Three companies show what leading with runtime looks like.
Sysdig has built their entire positioning around it. Their homepage leads with “Secure the cloud the right way” — and immediately backs it with a specific claim: 95% noise reduction. They don’t bury runtime as a feature; it’s the frame for everything else. The payoff: Forrester named them a Leader in the CNAPP Wave Q1 2026, explicitly citing their runtime capabilities.
Upwind went even further, coining “runtime-first” as their positioning anchor. Their headline — “Cloud Security for the AI & Realtime Era” — ties runtime to the market moment. It’s not a feature. It’s a philosophy. Investors noticed: $250M Series B in January 2026, one of the largest rounds in the space.
Oligo Security takes a narrower approach, applying runtime to application security specifically — adjacent to CNAPP but instructive for it. Their positioning is less broad than Sysdig or Upwind, but equally clear: runtime observability for the app layer. No “unified platform” claims. No “AI-powered” filler. Just a specific capability, specifically stated.
What these three share: they picked a capability that’s hard to copy, easy to understand, and backed by real outcomes. None of them lead with category buzzwords. All of them lead with what they actually do differently.
The Cost of Commodity Claims
Now look at what most vendors are doing instead.
55% of CNAPP vendors lead with “AI-powered.” That’s not differentiation — it’s category noise. When more than half the market makes the same claim, it becomes invisible. A CISO evaluating platforms will see “AI-powered” on five or six of ten homepages. It stops registering.
The same pattern holds for “unified platform” (30%), “visibility” (34%), and “risk prioritization” (27%). These aren’t bad capabilities. They’re just not differentiators anymore. They’ve become the baseline — what buyers expect, not what makes them choose.
The contrast is stark: companies claiming commoditized capabilities cluster around average scores. Companies claiming rare capabilities — runtime, developer-friendly, attack-path — pull ahead.
This isn’t about having better technology. It’s about stating what’s actually different. Sysdig and Upwind aren’t the only vendors with runtime capabilities. They’re just the ones who made it central to their message.
The opportunity for the other 85%: stop competing on claims everyone makes. Start competing on capabilities few mention.
What to Do About It
The data is clear: runtime protection is one of the most under-claimed, highest-performing differentiators in CNAPP — and the one most naturally aligned with the category’s core promise.
If you have runtime capabilities and your homepage doesn’t mention them, you’re leaving your strongest positioning card on the table. Make it the frame, not a feature buried in a dropdown. Sysdig and Upwind didn’t add runtime to their capabilities list — they built their entire story around it.
If you don’t have runtime capabilities, the lesson still applies. Runtime is the clearest example in this dataset, but it’s not the only one. The underlying principle: rare + specific + true = differentiating. “Developer-friendly” (7% adoption) and “attack-path analysis” (4%) show the same pattern — low adoption, high performance. The question isn’t “do we have runtime?” It’s “what do we do that fewer than 20% of competitors claim, that’s genuinely hard to replicate, and that connects to a real buyer problem?”
The audit is straightforward: list every claim on your homepage. Count how many competitors say the same thing. If more than a third of the market makes the same claim, it’s not a differentiator — it’s table stakes. Then find the capability that passes all three filters — rare, specific, and actually true — and lead with that instead.
In a market where everyone claims AI and visibility, the vendors who win are the ones who say something no one else is saying — and can back it up.
Sources
- Sample: 67 cloud security companies in Innit Labs Positioning Gallery
- Data as of: March 2026
- External: Forrester Wave CNAPP Q1 2026, Upwind Series B announcement (January 2026)