Cloud vulnerability scanners: directory + pricing
Cloud-native CNAPP and cloud VM scanners filtered out of the main directory. Per-cloud-account or per-workload pricing where published.
What is a cloud vulnerability scanner?
Single-scanner on-prem workhorse. Per-scanner not per-asset.
Per-asset SaaS replacement for Nessus at scale, plus WAS/EASM/CTEM modules.
Cloud-native VMDR with TruRisk scoring; quote-only at enterprise scale.
Insight Agent + Live Dashboards + Remediation Projects; per-asset list tiers.
Agentless CNAPP. Graph-based risk, big in cloud-native shops. Anchors on workloads not assets.
SideScanning agentless CNAPP. Often discounted aggressively against Wiz in head-to-heads.
Why this list is smaller than the SERP listicles claim
Most "top 20 cloud vulnerability scanner" listicles include tools that scan cloud-deployed assets via traditional agent or network methods. That is cloud-hosted, not cloud-native. The shortlist above is the set that anchors on the cloud account or workload directly.
FAQ
- Is Tenable Cloud Security agentless?Yes, Tenable Cloud Security is agentless and snapshot-based, comparable architecturally to Wiz and Orca.
- Do I need a CNAPP if I already run Tenable.io?Often yes. Tenable.io scans cloud-hosted workloads, but Wiz / Orca scan cloud configuration (CSPM) and identity entitlements (CIEM) that Tenable.io does not cover.
- What is the pricing anchor?Cloud workload, not asset. A 500-workload estate is typically quoted $50k-$120k by Wiz or Orca.
- Do CNAPPs replace web app scanners?No. CNAPPs scan cloud configuration and image content; they do not perform DAST against running web apps.
- Which CNAPP wins for SOC 2?Wiz and Orca both ship SOC 2-ready evidence packages. The deciding factor is auditor familiarity and which compliance automation platform you use.