KEV-TICKERcves_ytd=28,720kev_total=1,289added_7d=+7[CISA KEV ↗]
// facet: cloud

Cloud vulnerability scanners: directory + pricing

Cloud-native CNAPP and cloud VM scanners filtered out of the main directory. Per-cloud-account or per-workload pricing where published.

author: Oliver Wakefield-Smith · verified 2026-06-26
// direct-answer

What is a cloud vulnerability scanner?

A cloud vulnerability scanner inspects cloud accounts (AWS / Azure / GCP) for CVEs in deployed workloads, configuration drift (CSPM), identity entitlements (CIEM), and container images, usually agentlessly via snapshot-based scanning. Wiz and Orca lead; Tenable Cloud Security and Qualys TotalCloud compete.
// filter ::
asset
deployment
scan-type
compliance
price-band
license
Tenable Nessus Professional

Single-scanner on-prem workhorse. Per-scanner not per-asset.

verified 2026-06-25 · vendor page
networkwebcloud
self-hostedagent
AMBER
$4,790 / year (1 scanner, 1-year)
pci-asvsoc2hipaaiso27001free tier
Tenable Vulnerability Management (Tenable.io)

Per-asset SaaS replacement for Nessus at scale, plus WAS/EASM/CTEM modules.

verified 2026-06-25 · vendor page
networkwebcloudcontainer
saasagentagentlesshybrid
AMBER
$3,500 / year for 100 assets (~$35/asset/yr)
pci-asvfedrampsoc2hipaaiso27001free tier
Qualys VMDR

Cloud-native VMDR with TruRisk scoring; quote-only at enterprise scale.

verified 2026-06-25 · vendor page
networkwebcloudcontainer
saasagentagentless
QUOTE
Quote only; partner-reported ~$199 per asset per year
pci-asvfedrampsoc2hipaaiso27001free tier
Rapid7 InsightVM

Insight Agent + Live Dashboards + Remediation Projects; per-asset list tiers.

verified 2026-06-25 · vendor page
networkcloud
saasagenthybrid
AMBER
$1.75 per asset per month list (~$21/asset/yr) at higher tiers
pci-asvsoc2hipaaiso27001free tier
Wiz

Agentless CNAPP. Graph-based risk, big in cloud-native shops. Anchors on workloads not assets.

verified 2026-06-25 · vendor page
cloudcontainercode
saasagentless
QUOTE
Quote only; partner-reported $70k-$120k for ~500-workload mid-market estate
soc2fedramphipaaiso27001free tier
Orca Security

SideScanning agentless CNAPP. Often discounted aggressively against Wiz in head-to-heads.

verified 2026-06-25 · vendor page
cloudcontainercode
saasagentless
QUOTE
Quote only; partner-reported $50k-$100k for ~500-workload estate
soc2fedramphipaaiso27001free tier
[ 6 of 15 scanners shown ] · row prices verified against vendor pages on the date stamped above.

Why this list is smaller than the SERP listicles claim

Most "top 20 cloud vulnerability scanner" listicles include tools that scan cloud-deployed assets via traditional agent or network methods. That is cloud-hosted, not cloud-native. The shortlist above is the set that anchors on the cloud account or workload directly.

// faq

FAQ

  • Is Tenable Cloud Security agentless?
    Yes, Tenable Cloud Security is agentless and snapshot-based, comparable architecturally to Wiz and Orca.
  • Do I need a CNAPP if I already run Tenable.io?
    Often yes. Tenable.io scans cloud-hosted workloads, but Wiz / Orca scan cloud configuration (CSPM) and identity entitlements (CIEM) that Tenable.io does not cover.
  • What is the pricing anchor?
    Cloud workload, not asset. A 500-workload estate is typically quoted $50k-$120k by Wiz or Orca.
  • Do CNAPPs replace web app scanners?
    No. CNAPPs scan cloud configuration and image content; they do not perform DAST against running web apps.
  • Which CNAPP wins for SOC 2?
    Wiz and Orca both ship SOC 2-ready evidence packages. The deciding factor is auditor familiarity and which compliance automation platform you use.
Related: Wiz Orca Security Wiz vs Orca