Prisma Cloud


Category: IaC Security
License: Commercial
Suphi Cankurt
AppSec Enthusiast
Updated February 9, 2026
Key Takeaways
  • Palo Alto Networks CNAPP covering CSPM, CWPP, CIEM, DSPM, and code security in a single platform across AWS, Azure, GCP, OCI, Alibaba Cloud, and IBM Cloud.
  • Code security module built on Checkov (2M+ downloads), scanning Terraform, CloudFormation, Kubernetes, Helm, and ARM templates against CIS/NIST/PCI benchmarks.
  • Monitors configurations against 100+ compliance frameworks including CIS Benchmarks, PCI-DSS, HIPAA, GDPR, SOC 2, and NIST 800-53.
  • Transitioning to Cortex Cloud (merged with Cortex CDR) as of Q3 FY25, with existing customers being migrated to the new platform.

Prisma Cloud is Palo Alto Networks’ IaC security and CNAPP platform. It covers cloud security posture management, workload protection, entitlement management, data security, and code security across AWS, Azure, GCP, OCI, Alibaba Cloud, and IBM Cloud.

The platform’s code security module is built on Checkov, the open-source IaC scanner from Bridgecrew (acquired by Palo Alto in 2021). Checkov has been downloaded over 2 million times.

Cortex Cloud transition

Palo Alto Networks is merging Prisma Cloud with Cortex CDR to create Cortex Cloud. The new platform became available in Q3 FY25 (late 2025).

Existing Prisma Cloud customers are being transitioned with all capabilities preserved.

What is Prisma Cloud?

Figure: Prisma Cloud platform dashboard showing cloud security posture across multiple cloud providers

Prisma Cloud Enterprise Edition is a unified CNAPP that bundles CSPM, CWPP, CIEM, DSPM, code security, cloud network security, and web application/API security into a single platform. Rather than buying separate tools for each discipline, teams get a consolidated view of cloud risk.

The platform connects to cloud provider APIs to scan configurations, workloads, entitlements, and code. It maps relationships across resources, identities, and vulnerabilities to prioritize the issues that actually matter in your environment.

  • Code Security: IaC scanning built on Checkov covers Terraform, CloudFormation, Kubernetes, Helm, ARM, and Serverless Framework. Includes SCA and secrets detection in CI/CD pipelines.
  • CSPM: Continuous monitoring of cloud configurations against 100+ compliance frameworks including CIS, PCI-DSS, HIPAA, and NIST. Detects exposed storage buckets, overly permissive IAM roles, and disabled logging.
  • CWPP: Protects IaaS, PaaS, FaaS, and container workloads at runtime. Covers vulnerability management, compliance, and runtime defense.

Key Features

| Module | Details |
|---|---|
| CSPM | Configuration monitoring across AWS, Azure, GCP, OCI, Alibaba, IBM. 100+ compliance frameworks including CIS. |
| CWPP | Workload protection for VMs, containers, serverless. Runtime defense and vulnerability management. |
| CIEM | Identity and entitlement management across multi-cloud. Net-effective permissions analysis. |
| DSPM | Sensitive data discovery, classification, and access monitoring across cloud storage. |
| Code Security | Built on Checkov. Scans Terraform, CloudFormation, Kubernetes, Helm, ARM templates. SCA and secrets detection. |
| CNS | Cloud network segmentation and microsegmentation. |
| Web App/API | Application-layer protection for web applications and APIs. |

Code Security (Checkov)

The code security module scans infrastructure-as-code files against hundreds of built-in policies based on CIS, NIST, PCI, and HIPAA benchmarks.

Developers get feedback in their IDE and as pull request comments with fix suggestions. The module also runs in CI/CD pipelines, blocking misconfigurations before they reach production.

Supported IaC frameworks: Terraform, CloudFormation, Kubernetes manifests, Helm charts, ARM templates, and Serverless Framework.

Figure: Prisma Cloud AI-powered risk insights showing prioritized vulnerability findings

Cloud Security Posture Management

CSPM monitors configurations across multiple cloud providers from a single console. It detects misconfigurations like publicly accessible storage buckets, overly permissive security groups, unencrypted databases, and disabled audit logging.

The compliance engine maps findings to regulatory frameworks and generates reports for auditors. Teams can set custom policies or use the built-in policy library.
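The misconfiguration classes named in this section can also be caught before deployment, which is the job of an IaC gate in CI. As an added example (not Prisma Cloud or Checkov code), the sketch below checks a constructed Terraform plan in `terraform show -json` form for those four classes; the resource names and rule labels are assumptions made for illustration.

```python
# Constructed sample: a trimmed `terraform show -json` plan (resource names are made up).
PLAN = {"resource_changes": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"acl": "public-read"}}},
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "change": {"actions": ["update"], "after": {"ingress": [
         {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_db_instance.orders", "type": "aws_db_instance",
     "change": {"actions": ["create"], "after": {"storage_encrypted": True}}},
    {"address": "aws_cloudtrail.main", "type": "aws_cloudtrail",
     "change": {"actions": ["update"], "after": {"enable_logging": False}}},
    # A resource being destroyed has no "after" state and must be skipped.
    {"address": "aws_db_instance.legacy", "type": "aws_db_instance",
     "change": {"actions": ["delete"], "after": None}},
]}

def _open_ingress(after):
    """True if any ingress rule admits the whole IPv4 or IPv6 internet."""
    return any("0.0.0.0/0" in (rule.get("cidr_blocks") or [])
               or "::/0" in (rule.get("ipv6_cidr_blocks") or [])
               for rule in after.get("ingress") or [])

# Resource type -> (illustrative rule label, predicate over the planned attributes).
CHECKS = {
    "aws_s3_bucket": ("public-bucket",
                      lambda a: a.get("acl") in ("public-read", "public-read-write")),
    "aws_security_group": ("open-ingress", _open_ingress),
    "aws_db_instance": ("unencrypted-db", lambda a: not a.get("storage_encrypted")),
    "aws_cloudtrail": ("audit-logging-off", lambda a: a.get("enable_logging") is False),
}

def scan(plan):
    """Return (rule label, resource address) for each planned misconfiguration."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        check = CHECKS.get(rc.get("type"))
        if after is None or check is None:
            continue  # deleted resource, or a type this sketch does not cover
        label, is_bad = check
        if is_bad(after):
            findings.append((label, rc["address"]))
    return findings

def gate(plan):
    """Exit code for a CI job: non-zero blocks the merge."""
    return 1 if scan(plan) else 0

if __name__ == "__main__":
    for label, address in scan(PLAN):
        print(f"FAIL {label}: {address}")
    raise SystemExit(gate(PLAN))
```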

Cloud Workload Protection

CWPP covers the full workload lifecycle from vulnerability scanning in the CI pipeline to runtime defense in production. It protects VMs, containers, and serverless functions.

Container security includes image scanning, runtime monitoring, and compliance checks for Kubernetes clusters. The platform also supports agentless scanning for workloads where agent deployment isn’t practical.

Figure: Prisma Cloud AI-SPM module securing AI-powered applications and models

Entitlement Management

CIEM discovers cloud identities and their effective permissions across AWS, Azure, and GCP. It compares granted permissions against actual usage to flag excessive access, so teams can enforce least-privilege without breaking production.

Getting Started

1. Connect cloud accounts: Link your AWS, Azure, GCP, or OCI accounts to Prisma Cloud via API credentials. The platform begins scanning configurations within minutes.
2. Enable compliance policies: Select compliance frameworks relevant to your organization (CIS, PCI-DSS, SOC 2, etc.). Prisma Cloud maps your cloud resources against the selected policies.
3. Set up code security: Integrate with your SCM (GitHub, GitLab, Bitbucket) to scan IaC files in repositories. The Checkov engine evaluates every commit and pull request.
4. Configure alerts: Route findings to Slack, Jira, email, or your SIEM. Set severity thresholds so teams focus on the issues that matter.

When to Use Prisma Cloud

Prisma Cloud makes sense for organizations already in the Palo Alto Networks ecosystem or those looking to consolidate multiple cloud security tools into one platform. Having CSPM, CWPP, CIEM, DSPM, and code security in a single console reduces tool sprawl.

Strengths:

  • Unified platform covering CSPM, CWPP, CIEM, DSPM, and code security
  • Code security built on Checkov, a proven open-source IaC scanner
  • Multi-cloud support including AWS, Azure, GCP, OCI, Alibaba, and IBM
  • 100+ compliance frameworks with audit-ready reporting
  • Integration with Palo Alto’s broader security portfolio

Limitations:

  • Commercial product with enterprise pricing (no free tier for the platform itself)
  • Complexity of a multi-module platform requires dedicated training
  • Transitioning to Cortex Cloud may cause uncertainty for new buyers
  • Checkov open-source can be used independently for basic IaC scanning

For a broader view of CNAPP platforms and cloud security, see our cloud infrastructure security guide. For open-source alternatives to the IaC scanning component, see Checkov or Trivy.

For other CNAPP platforms, compare with Wiz and Orca Security.

Best for
Enterprise teams running multi-cloud environments who want a single platform covering cloud posture, workload protection, entitlements, and code security. Particularly strong for Palo Alto Networks customers.

Frequently Asked Questions

What is Prisma Cloud?
Prisma Cloud is Palo Alto Networks’ Cloud Native Application Protection Platform (CNAPP). It covers CSPM, CWPP, CIEM, DSPM, code security, and web application/API security across AWS, Azure, GCP, OCI, Alibaba Cloud, and IBM Cloud. The Enterprise Edition includes all modules in a single platform.
How does Prisma Cloud relate to Checkov?
Prisma Cloud’s code security module is built on Checkov, the open-source IaC scanner developed by Bridgecrew (acquired by Palo Alto Networks in 2021). Checkov has been downloaded over 2 million times and scans Terraform, CloudFormation, Kubernetes, Helm, ARM, and Serverless Framework files against hundreds of built-in policies.
Is Prisma Cloud being replaced by Cortex Cloud?
Palo Alto Networks is merging Prisma Cloud with Cortex CDR to create Cortex Cloud, which became available in Q3 FY25 (late 2025). Existing Prisma Cloud customers are being transitioned to Cortex Cloud with all existing capabilities plus new AI-powered features.
What compliance frameworks does Prisma Cloud support?
Prisma Cloud supports over 100 compliance frameworks including CIS Benchmarks, PCI-DSS, HIPAA, GDPR, SOC 2, NIST 800-53, and ISO 27001. The CSPM module continuously monitors configurations and generates audit-ready compliance reports.