
Wiz vs Orca Security vs Lacework/FortiCNAPP: CSPM Comparison (2026)

Choosing the right CSPM platform shapes your entire cloud security posture. This side-by-side comparison of Wiz, Orca Security, and Lacework/FortiCNAPP covers architecture, detection quality, pricing model, market context, and which fits your environment.

Microsoft Cloud Solution Architect
Video transcript

You've deployed workloads across AWS, Azure, and Google Cloud. But do you actually know what security misconfigurations are hiding in your accounts right now? That's exactly what CSPM tools hunt for, and choosing between Wiz, Orca Security, and Lacework will shape how quickly you find them. Misconfigurations are the silent killer in cloud environments. A single overpermissioned IAM role or public S3 bucket can stay invisible for months until an attacker finds it. When that happens, you're not just dealing with a breach. You're explaining to executives why your security platform missed the obvious. Think of architecture like your security team's nervous system. Wiz scans your entire cloud footprint in real time by connecting directly to your cloud provider's APIs. It's like having scouts posted everywhere instead of checking perimeter walls after the fact. That speed matters when you have thousands of resources spinning up and down daily. Detection quality is where the rubber meets the road. Orca Security combines CSPM with runtime behavior analysis. That means it doesn't just spot a misconfiguration. It actually watches whether that misconfigured resource is being exploited. You get signal instead of noise, which cuts your alert fatigue dramatically. Pricing models reveal hidden costs that sneak up on your budget. Lacework charges per workload monitored, which scales predictably as your infrastructure grows. Compare that to per-asset pricing and you quickly see why understanding the model upfront saves thousands annually. Know what you're paying for before you commit. Start by mapping your current cloud footprint and identifying which tool aligns with your detection priorities and growth curve. Read the complete guide at protego.me.

Why CSPM Tool Selection Matters More Than Most Security Decisions

Your CSPM platform is the lens through which your security team sees your cloud. A poor choice means alert fatigue, missed critical findings, and engineers spending half their week triaging noise. A good choice means your team surfaces actual risk, fixes the things that matter, and spends less time managing the tool than using it.

Wiz, Orca Security, and Lacework/FortiCNAPP are the three names that come up most in shortlists. Each takes a different architectural bet, and those bets have real consequences for your team.

Market context, June 2026: Wiz now sits under Google after Google's completed acquisition, so roadmap and procurement questions matter for non-Google-cloud buyers. Lacework was acquired by Fortinet and is increasingly positioned as FortiCNAPP, so evaluate the current Fortinet packaging and integration roadmap rather than treating Lacework as the same standalone company it was in 2023.

Quick Comparison

| | Wiz | Orca Security | Lacework / FortiCNAPP |
|---|---|---|---|
| **Architecture** | Agentless, cloud API + snapshot scanning | Agentless SideScanning | Agent + cloud API hybrid |
| **Core strength** | Attack path analysis, graph-based risk | Risk prioritization, full-stack context | Behavioral anomaly detection |
| **CNAPP scope** | Full CNAPP (CSPM, CWPP, CIEM, IaC, code) | Full CNAPP | CSPM + CWPP, expanding |
| **Cloud support** | AWS, Azure, GCP, OCI, Alibaba | AWS, Azure, GCP | AWS, Azure, GCP |
| **Pricing model** | Per-resource/workload (custom) | Per-workload (custom) | Per-vCPU or per-resource |
| **Deployment time** | Under 1 hour | Under 1 hour | 2–4 hours (agent rollout) |
| **Best for** | Mid-market to large enterprise, multi-cloud | Mid-market, fast-moving security teams | Enterprises prioritizing behavioral detection |

Wiz

Wiz launched in 2020 and scaled faster than any security startup in history, reaching $100M ARR in 18 months. The reason is the graph. Wiz builds a Security Graph of your entire cloud environment (every resource, every identity, every network path, every vulnerability) and uses it to find attack paths: the sequences of misconfigurations, exposed secrets, and over-privileged identities that an attacker could chain together to reach a critical asset.

That's a fundamentally different problem framing than "here are your 847 medium findings." Instead of showing you a list of issues, Wiz shows you the three paths an attacker could actually walk from the internet to your production database.

What Wiz does well:

  • The Security Graph genuinely changes how teams prioritize. Finding a public-facing VM with a critical CVE is interesting; finding that it has a role binding to your S3 bucket containing customer PII is what you fix tonight.
  • CNAPP breadth is best-in-class. Wiz covers IaC scanning, code-to-cloud tracing, container security, CIEM, and runtime threat detection under one license.
  • The Wiz Query Language (WQL) lets security engineers build custom graph queries, which becomes useful once your team is comfortable with the tool.
  • Integrations are extensive: Jira, ServiceNow, Slack, GitHub, most CI/CD pipelines.

Where Wiz falls short:

  • Pricing is opaque and expensive. Enterprise deals frequently run $500K–$2M/year depending on cloud footprint. The per-resource model scales up quickly in dynamic environments.
  • The breadth can overwhelm smaller teams. If you have two security engineers, the full CNAPP surface area is more than you'll use.
  • Runtime behavioral detection is newer and less mature compared to Lacework's core capability.
  • No persistent agent means some runtime telemetry is more limited than agent-based alternatives.

Best fit: Organizations with 500+ cloud workloads, a dedicated cloud security team, and a security leader who needs to communicate risk to executives. The graph makes board-level reporting substantially easier.

Orca Security

Orca's innovation was SideScanning: a patent-pending approach that reads the disk of your cloud workloads out-of-band, without deploying an agent and without touching your production traffic. Orca connects to your cloud provider's snapshot API, creates a read-only copy of each volume, and scans it for vulnerabilities, malware, exposed secrets, and misconfigurations in an isolated environment.

The result: full workload visibility with zero performance impact and zero deployment friction.

What Orca does well:

  • The fastest time-to-value of the three. You connect your cloud accounts and have results within an hour, no agent rollout required.
  • Orca's risk scoring is sophisticated. It evaluates each finding in context: a critical CVE on an internet-accessible machine with a privileged IAM role scores dramatically higher than the same CVE on an isolated dev instance. This reduces noise considerably.
  • Strong secret detection. Orca finds exposed AWS keys, API tokens, and certificates baked into AMIs and container images, findings that most teams have no other way to discover.
  • The Attack Paths view is comparable to Wiz in quality and often preferred for its readability.

Where Orca falls short:

  • SideScanning is read-only by design, which means some runtime behavioral context is limited compared to agents.
  • Lacework's behavioral anomaly detection (spotting unusual process execution, lateral movement) is more mature.
  • The WQL equivalent in Orca is less flexible than Wiz's for advanced custom queries.
  • At the high end of enterprise scale (10,000+ workloads), some teams report dashboard performance issues.

Best fit: Security teams that need fast deployment and high-quality risk prioritization without a lengthy rollout. Strong fit for organizations with limited security headcount who need the tool to do the triage work.

Lacework / FortiCNAPP

Lacework's core bet was behavioral analytics. After Fortinet acquired Lacework, the product direction is increasingly tied to FortiCNAPP and Fortinet's broader security platform. Rather than snapshot scanning or static configuration analysis alone, Lacework/FortiCNAPP builds a baseline of normal behavior for workloads and alerts when something deviates: a process spawning an unexpected child process, a container making outbound connections to a new external IP, or a user account accessing resources at 3 AM from an unrecognized location.

This is fundamentally complementary to, rather than competitive with, the snapshot-scanning approach. But most organizations buy one CNAPP platform, not two.

What Lacework / FortiCNAPP does well:

  • Behavioral detection catches threats that static scanners miss. A compromised workload running a cryptominer or acting as a pivot point won't show up in a CVE database. It will show up as anomalous behavior.
  • The Polygraph visualization (Lacework's equivalent of Wiz's Security Graph) shows relationship maps between workloads, accounts, and users: effective for investigating active incidents.
  • Lacework's composite alerts are good at reducing noise: it correlates multiple weak signals into a single high-confidence alert rather than firing on each individually.
  • Strong Kubernetes security. Lacework has native K8s admission control and runtime security that some teams prefer to standalone tools like Falco. For a broader checklist of what runtime K8s protection should cover regardless of vendor, see our [Kubernetes security best practices guide](/blog/kubernetes-security-best-practices-2026).
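To make the baseline-and-deviate model concrete, here is an added example (not Lacework/FortiCNAPP code, and not its detection logic) that builds a per-workload baseline of parent/child process pairs, outbound destinations, and login patterns from constructed telemetry, flags live events that fall outside it as weak signals, and only raises a composite alert when several weak signals coincide on one workload. All event data, workload names, and addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed telemetry of the kind an agent would ship per workload.
# Tuple layout: (workload, event kind, subject). This is example data, not
# a vendor schema. Addresses are from documentation ranges (TEST-NET).
BASELINE = [
    ("web-01", "proc", ("nginx", "nginx")),          # parent -> child process
    ("web-01", "proc", ("nginx", "nginx")),
    ("web-01", "net", "203.0.113.10"),               # usual outbound destination
    ("web-01", "net", "203.0.113.10"),
    ("web-01", "login", ("alice", "10", "office")),  # user, hour, location
]
LIVE = [
    ("web-01", "proc", ("nginx", "nginx")),           # normal, in baseline
    ("web-01", "proc", ("nginx", "sh")),              # weak signal: new child process
    ("web-01", "net", "198.51.100.77"),               # weak signal: new external IP
    ("web-01", "login", ("alice", "03", "unknown")),  # weak signal: 3 AM, new location
    ("db-02", "net", "203.0.113.10"),                 # single deviation on another host
]

def build_baseline(events):
    """Record, per workload and event kind, every subject observed as normal."""
    base = defaultdict(lambda: defaultdict(set))
    for workload, kind, subject in events:
        base[workload][kind].add(subject)
    return base

def deviations(baseline, events):
    """Return one weak signal for each live event whose subject was never baselined.

    A workload with no baseline at all (e.g. db-02 here) yields a deviation for
    every event, which is deliberate: new workloads need review, not silence.
    """
    signals = []
    for workload, kind, subject in events:
        if subject not in baseline[workload][kind]:
            signals.append((workload, kind, subject))
    return signals

def composite_alerts(signals, min_signals=2):
    """Correlate weak signals per workload; alert only when several coincide.

    Firing on each deviation alone is the noise the page warns about; the
    composite threshold turns three weak signals on web-01 into one alert and
    leaves db-02's lone new connection as a low-priority observation.
    """
    per_workload = defaultdict(list)
    for workload, kind, subject in signals:
        per_workload[workload].append(f"{kind}:{subject}")
    return {wl: sigs for wl, sigs in per_workload.items() if len(sigs) >= min_signals}
```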

Where Lacework / FortiCNAPP falls short:

  • Agent deployment is a real operational burden at scale. Rolling agents across thousands of workloads requires coordination with DevOps and compute teams, and maintaining agent versions adds ongoing overhead.
  • CSPM breadth lags behind Wiz and Orca. Configuration checks are solid but the attack path analysis and cloud identity analysis (CIEM) are less developed.
  • The pricing model (per-vCPU or per-resource) can be unpredictable in auto-scaling environments.
  • The UI has historically been more complex than Wiz or Orca for new users.
  • Fortinet ownership changes the buying motion. That may help if you are already a Fortinet customer, but it also means you should validate packaging, support, and roadmap details during proof-of-concept.

Best fit: Organizations with a mature security operations capability that want behavioral threat detection as a primary use case, particularly those running complex Kubernetes environments.

Head-to-Head: Detection Quality

This is what actually matters for your security posture.

| Scenario | Wiz | Orca | Lacework |
|---|---|---|---|
| Public S3 bucket | ✅ Excellent | ✅ Excellent | ✅ Good |
| Attack path to crown jewels | ✅ Best-in-class | ✅ Very good | ⚠️ Developing |
| Exposed secrets in AMI | ✅ Good | ✅ Excellent | ✅ Good |
| Runtime cryptominer | ⚠️ Limited (no persistent agent) | ⚠️ Limited | ✅ Excellent |
| Lateral movement detection | ⚠️ Limited | ⚠️ Limited | ✅ Best-in-class |
| IaC misconfiguration (pre-deploy) | ✅ Excellent | ✅ Good | ⚠️ Developing |
| Over-privileged IAM (CIEM) | ✅ Excellent | ✅ Very good | ✅ Good |

Pricing Reality

None of these vendors publish list prices; all deals are custom. Based on publicly shared data and customer reports:

  • Wiz: Typically $15–30/resource/year at mid-market scale. A 1,000-workload environment often runs $150K–300K/year at minimum. Large enterprises negotiate better rates.
  • Orca: Comparable to Wiz. Most customers report similar pricing per workload.
  • Lacework / FortiCNAPP: Often structured on vCPU count or Fortinet packaging. Can be more expensive in compute-heavy environments. Confirm the current FortiCNAPP licensing model rather than relying on older Lacework pricing notes.

All three offer free trials (30 days, typically requiring a sales conversation) and proof-of-concept periods.

How to Choose

Choose Wiz if:

  • You need executive-level attack path reporting
  • You're multi-cloud with complex identity relationships
  • You want a single CNAPP that covers code, cloud, and runtime in one license
  • Budget is available and security headcount can use the breadth

Choose Orca if:

  • You need results fast with minimal operational overhead
  • Your team is lean and needs the tool to do the prioritization work
  • Secret detection in workload images is a priority
  • You want the best balance of CSPM quality and deployment simplicity

Choose Lacework / FortiCNAPP if:

  • You have an active threat detection and response program
  • Behavioral anomaly detection is your primary requirement
  • You're running complex Kubernetes workloads and want deep runtime visibility
  • You're comfortable with agent deployment at scale

The Alternatives Worth Considering

Microsoft Defender for Cloud is worth evaluating if you're primarily Azure-based. It's deeply integrated, free at the basic CSPM tier, and the Defender CSPM plan (paid) adds attack path analysis. It won't match Wiz or Orca for multi-cloud depth, but for Azure-first shops it's hard to beat the native integration and lower cost. Our [CSPM tools comparison](/blog/best-cspm-tools-2026-defender-for-cloud-vs-wiz-vs-orca-vs-prisma-cloud) covers Defender for Cloud and Prisma Cloud against this same field in more depth.

Prisma Cloud (Palo Alto Networks) is the established enterprise choice with the most breadth but also the most complexity. Teams that have existing Palo Alto relationships often end up here.

Bottom Line

Wiz leads the market for a reason: the graph-based attack path analysis is genuinely better than alternatives for most use cases, and the CNAPP breadth reduces tool sprawl. If budget allows and you have the team to use it, Wiz is usually the right answer.

Orca is the best choice for fast-moving teams that can't afford lengthy rollouts. The SideScanning approach is clever engineering and the risk prioritization is excellent.

Lacework/FortiCNAPP fills a specific gap: behavioral runtime detection. If you are buying a primary CSPM and behavioral detection is critical, it earns its place, especially if Fortinet is already strategic in your environment. If you are buying a primary CSPM and behavioral detection is secondary, Wiz or Orca with their improving runtime capabilities is probably sufficient.

Frequently Asked Questions

What is the difference between Wiz, Orca, and Lacework for cloud security?

Wiz uses a Security Graph to model attack paths across your entire multi-cloud environment and is the market leader for attack path analysis. Orca uses SideScanning to read workload snapshots agentlessly, excelling at secrets detection and fast deployment. Lacework (now FortiCNAPP) focuses on behavioral anomaly detection, building baselines of normal workload behavior and alerting on deviations. Wiz and Orca are strongest for posture management; Lacework is strongest for runtime behavioral detection.

Does Orca Security require an agent?

No. Orca's core technology is SideScanning: a patented approach that connects to your cloud provider's snapshot API, creates a read-only copy of each volume, and scans it in an isolated environment without deploying agents or touching production workloads. This gives Orca full workload visibility with zero performance impact and no deployment friction, though it means some runtime behavioral context available from agent-based tools is not collected.

What is Wiz's Security Graph?

Wiz's Security Graph is a unified data model that maps every resource, identity, permission, network connection, and security finding in your cloud environment as a graph of relationships. This enables Wiz to compute attack paths: chains of findings that, taken together, allow an attacker to move from an entry point to a high-value target. A single misconfiguration may have low severity in isolation, but when it appears on the attack path to a crown jewel resource, Wiz elevates its priority accordingly.
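The graph-based prioritization described in the Wiz section and in this answer, as an added example that is not Wiz's code or data model: a constructed toy graph of cloud resources, a depth-first search for paths from an internet entry point to crown-jewel resources, and a prioritizer that elevates any finding sitting on such a path while leaving isolated findings at their standalone severity. Node names, edge labels, and finding identifiers are all constructed for the example.

```python
# Constructed toy graph, Security-Graph style: node -> list of (neighbour, relationship).
# Edge direction means "can reach / can act on"; the semantics are assumptions here.
GRAPH = {
    "internet": [("vm-web-01", "network:public-ingress")],
    "vm-web-01": [("role-web", "identity:instance-profile")],
    "role-web": [("s3-customer-pii", "permission:s3:GetObject"),
                 ("s3-static-assets", "permission:s3:GetObject")],
    "vm-batch-07": [("role-batch", "identity:instance-profile")],   # not internet-reachable
    "role-batch": [("rds-prod", "permission:rds-db:connect")],
    "s3-customer-pii": [],
    "s3-static-assets": [],
    "rds-prod": [],
}

# Constructed findings per resource with their standalone severity.
FINDINGS = {
    "vm-web-01": [("unpatched-critical-cve", "critical")],
    "vm-batch-07": [("unpatched-critical-cve", "critical")],
    "role-web": [("over-privileged-role", "medium")],
    "s3-customer-pii": [("pii-bucket-without-encryption", "low")],
}

CROWN_JEWELS = {"s3-customer-pii", "rds-prod"}

def attack_paths(graph, entry, targets):
    """Enumerate simple paths from the entry point to any crown-jewel node."""
    paths = []
    stack = [(entry, [entry])]
    while stack:
        node, path = stack.pop()
        if node in targets and node != entry:
            paths.append(path)
            continue
        for nxt, _relationship in graph.get(node, []):
            if nxt not in path:          # simple paths only; no cycles
                stack.append((nxt, path + [nxt]))
    return paths

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def prioritize(findings, paths):
    """Elevate findings on an attack path to critical; rank those first.

    Returns (effective severity, resource, finding id, on_path) tuples. The
    'low' bucket finding and 'medium' role finding jump the queue because
    they complete the path; the isolated batch VM keeps its own severity.
    """
    on_path = {node for path in paths for node in path}
    ranked = []
    for resource, items in findings.items():
        for finding_id, severity in items:
            effective = "critical" if resource in on_path else severity
            ranked.append((effective, resource, finding_id, resource in on_path))
    ranked.sort(key=lambda r: (SEVERITY_ORDER[r[0]], not r[3], r[1]))
    return ranked
```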

Is Lacework still an independent company?

No. Fortinet acquired Lacework in 2024 and rebranded the product as FortiCNAPP. The product continues to be developed but is now part of the Fortinet security platform strategy. Organizations evaluating Lacework should validate the current packaging, support model, and roadmap directly with Fortinet, as the acquisition has changed the product's go-to-market structure.

Which CSPM tool is best for a small security team?

Orca is typically the best fit for small security teams. Its time-to-value is the fastest of any major CSPM: connect your cloud accounts and have findings within an hour, no agent rollout or lengthy deployment project. Orca's risk prioritization engine reduces noise by scoring each finding in context, so a small team without the capacity for manual triage still gets a prioritized list of what to fix first.
