Lacework is commonly evaluated as a commercial cloud security platform in the CSPM/CNAPP category, now discussed in market context alongside Fortinet’s FortiCNAPP packaging. Buyers usually consider it when native cloud tools or open-source checks are not enough for cloud posture, vulnerability context, workload visibility, compliance reporting, and security-team workflow.
The short version: Lacework/FortiCNAPP is worth evaluating when cloud security has become a real program, not a side project. It is probably too much if the team only needs a first baseline scan or has not assigned anyone to act on findings.
This review avoids exact pricing because enterprise cloud-security packaging changes often and depends on cloud accounts, workloads, modules, support, retention, and contract terms. Treat the vendor quote and current documentation as the source of truth.
Quick verdict
Lacework belongs on the shortlist for teams that want a commercial CNAPP-style platform rather than a toolbox of scripts and native consoles. The potential value is not just finding misconfigurations; it is helping a security team prioritize risk, explain it to engineering, track remediation, and report progress.
The caution is complexity. Broad cloud-security platforms can be expensive and noisy if deployed without clear scope, owners, and success criteria. A successful evaluation should prove signal quality, not just feature breadth.
What Lacework is for
Common buying reasons include:
- monitoring cloud posture across multiple accounts and environments;
- connecting configuration risk with workload, vulnerability, identity, and compliance context;
- replacing manual spreadsheet-based cloud reviews with platform workflow;
- giving security leadership dashboards and trend reporting;
- routing prioritized findings to engineering teams;
- supporting audit, customer-security, or board-level cloud risk conversations.
It is especially relevant when a startup or mid-market company has outgrown native findings and needs a more organized cloud-security operating model.
Who should consider Lacework?
Consider Lacework/FortiCNAPP if cloud infrastructure is material to the business, engineering teams ship often, and security needs a single place to understand which cloud risks matter. It can fit companies with multiple cloud accounts, Kubernetes or workload concerns, compliance pressure, and a dedicated security or platform owner.
A proof of concept should include representative production-like accounts, not a sanitized demo environment. The buyer should see real noise levels, remediation workflow, exception handling, and reporting before signing.
Who should skip Lacework first?
Skip or delay it if the team is still trying to establish basic cloud inventory, IAM hygiene, logging, and ownership. In that case, native cloud tools, Prowler, Steampipe, or Cloud Custodian may provide a cheaper learning phase.
Also pause if procurement wants a platform but engineering has not agreed to fix findings. CNAPP tools expose work; they do not create engineering capacity. Without remediation ownership, the dashboard becomes a backlog of guilt.
Implementation reality
Start with scoped onboarding. Pick the cloud accounts and workloads that represent real risk, define least-privilege permissions or agents where required, and agree which findings will count as evaluation success. Include security, platform, and engineering owners in the same review loop.
During the proof of concept, measure how many findings are actionable, how duplicates are grouped, how risk is prioritized, and how tickets or Slack alerts reach the right team. Ask for before-and-after examples: a risky identity permission, an exposed resource, an unpatched workload, or a compliance control that changed status after remediation.
The biggest mistake is buying on feature checklists alone. In cloud security, prioritization quality and workflow fit matter more than the number of detections in a demo.
Pricing and packaging caveats
Confirm exactly what the quote includes: cloud accounts, workloads, Kubernetes coverage, code or IaC scanning if relevant, users, retention, compliance packs, ticketing integrations, SSO, support tier, implementation help, and expansion triggers.
Because Lacework is now evaluated in a Fortinet context, ask direct transition questions. Which console, support path, roadmap, contract entity, and product name will your team use during the contract term? Do not rely on assumptions from older reviews or screenshots.
Lacework alternatives
Compare Wiz and Orca Security for agentless CNAPP-style evaluations with strong market mindshare. Compare Prisma Cloud when the buyer wants a broad Palo Alto Networks security platform relationship. Compare Tenable Cloud Security when exposure management and Tenable context matter.
Compare native AWS, Azure, and Google Cloud security tools for provider-managed baselines. Compare Prowler, Steampipe, and Cloud Custodian when engineering ownership and lower software spend matter more than packaged workflow. For category context, see our best cloud security posture management tools for startups guide.
For lighter-weight baselines before an enterprise CNAPP purchase, compare our Prowler review, Steampipe review, and Cloud Custodian review. For adjacent commercial options, see the Wiz review and use the security vendor due diligence checklist to pressure-test contract and evidence requirements.
Demo questions
Ask the vendor to show the workflow on your reality, not a generic sample tenant:
- Which cloud accounts, regions, clusters, and workloads are in the proof of concept?
- What permissions or agents are required, and how are they limited?
- Which findings are truly critical after prioritization, and why?
- How do exceptions expire, and how is accepted risk documented?
- How do Jira, Slack, SIEM, ticketing, and reporting integrations behave in practice?
- What support and roadmap commitments apply under the exact SKU we are buying?
Contract red flags
Be cautious if pricing is hard to map to your environment. Cloud platforms can expand through accounts, workloads, modules, users, data retention, and support tiers. Get growth scenarios in writing.
Also watch for unclear Fortinet/Lacework transition answers. Product integration may be beneficial, but buyers still need clarity on roadmap, support, renewals, and which capabilities are generally available now versus promised later.
Bottom line
Lacework/FortiCNAPP is a serious option for teams that need commercial cloud-security posture and CNAPP workflow. It is best when security has authority, engineering has remediation capacity, and the proof of concept uses representative cloud environments.
Choose a lighter tool if you are still building basic cloud hygiene. Choose Lacework when platform workflow, prioritization, and executive reporting are worth the enterprise evaluation effort.
Compare Lacework with alternatives
Use these comparison guides to see where Lacework fits against adjacent tools and category shortlists:
Related reviews
Nudge Security Review 2026: SaaS Discovery Fit, Buyer Checks, and Alternatives
A practical Nudge Security review for startups and security teams evaluating SaaS discovery, OAuth risk, employee nudges, implementation effort, pricing caveats, and alternatives.
Published
Google Security Command Center Review 2026: GCP Security Fit, Limits, and Buyer Checks
A practical Google Security Command Center review for startups evaluating GCP posture, threat findings, compliance support, implementation effort, pricing caveats, and alternatives.
Published
Microsoft Defender for Cloud Review 2026: Azure Fit, Multi-Cloud Caveats, and Buyer Checks
A practical Microsoft Defender for Cloud review for startups evaluating cloud posture, workload protection, Microsoft ecosystem fit, implementation effort, pricing caveats, and alternatives.
Published