CNAPP pricing and feature fragmentation: what do teams miss?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Orca argues that cloud security pricing should not force teams to decode tiers, add-ons, or fragmented feature bundles, and says its model is built around one SKU, workload-based pricing, and flexible reallocation across CNAPP, AppSec, and runtime protection. The real issue is governance: pricing complexity often mirrors security complexity, and that makes coverage gaps easier to hide.

NHIMG editorial — based on content published by Orca Security: the blog post on CNAPP pricing and simplified cloud security packaging

Questions worth separating out

Q: How should teams evaluate CNAPP pricing when identity governance is a priority?

A: Teams should map pricing to governance outcomes, not feature names.

Q: Why do tiered cloud security packages create governance risk?

A: Tiered packages create risk when they separate visibility, detection, and response into different commercial buckets.

Q: What should practitioners check before buying a unified CNAPP platform?

A: They should check whether the platform truly keeps policy, telemetry, and remediation aligned across development and runtime.

Practitioner guidance

  • Map pricing tiers to control coverage: List each CNAPP capability you need, then verify whether posture, AppSec, runtime, and data controls are governed under one operational model or split across separate packages.
  • Test whether workload protection follows movement: Confirm that new workloads, environment shifts, and runtime expansion do not require a separate commercial change before protection can be applied.
  • Review identity visibility across bundled controls: Check whether workload identity, telemetry, and remediation decisions remain consistent when you move from development to runtime coverage.

What's in the full article

Orca Security's full blog post covers the commercial and platform detail this post intentionally leaves for the source:

  • The specific pricing-model breakdown for the one-SKU approach and what is included at each coverage layer.
  • The vendor's explanation of how unused workload credits can be reallocated across runtime and AppSec use cases.
  • The list of three CNAPP pricing red flags as the vendor frames them for buyers comparing packages.
  • The platform feature inventory tied to Orca's own packaging choices, including runtime, AppSec, and CSPM-adjacent capabilities.

👉 Read Orca Security's analysis of CNAPP pricing and cloud security packaging →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Pricing complexity is usually a symptom of control fragmentation, not just commercial design. When a CNAPP vendor splits core capabilities into tiers and add-ons, it is often exposing a deeper architectural reality: the security model is not fully unified. That matters because cloud security outcomes depend on consistent context across posture, runtime, and application layers. The implication is that practitioners should treat pricing structure as an indicator of governance coherence, not merely budget predictability.

A few things that frame the scale:

  • Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, according to the 2024 Non-Human Identity Security Report.
  • 23.7% of organisations share secrets through insecure methods such as email or messaging applications, which shows how quickly governance weakens when controls are fragmented.

A question worth separating out:

Q: When does pricing complexity become an identity management issue?

A: Pricing becomes an identity issue when it changes who gets visibility into workloads, which controls are enabled, and how consistently access is governed across environments. If packaging determines security scope, identity and access decisions stop being purely technical and become a procurement constraint.

👉 Read our full editorial: Orca's CNAPP pricing pitch exposes the cost of fragmented security



   