Check Point CloudGuard CNAPP Reviews

Our primary use case for Check Point CloudGuard CNAPP is for securing our multi-cloud environment, AWS, Azure, by providing continuous posture management, threat detection, and compliance monitoring. We use it to identify misconfigurations, enforce security best practices, and monitor cloud workloads in real-time. It also helps us with vulnerability scanning and keeping our environment compliant to frameworks such as CIS, GDPR, etc.

Check Point CloudGuard CNAPP flagged a misconfiguration in our AWS S3 bucket that had overly permissive access settings. That configuration could have exposed our sensitive data to the public internet. The platform not only identified the issue but also provided remediation that our team was able to apply immediately. This prevented a potential data exposure.

Check Point CloudGuard CNAPP offers a unified, modular platform that combines CSPM, CWPP, CIEM, code security, and cloud detection and response. The agentless workload posture, real-time threat detection and response, multi-cloud coverage and visibility, compliance automation, and one-click remediations stand out as its best features.

I find myself relying on the risk management engine and prioritization the most day-to-day. In any cloud environment, you are flooded with findings, misconfigurations, vulnerabilities, and compliance gaps. Without prioritization, it is overwhelming for our team to take care of the posture. CloudGuard's risk scoring helps us cut through incidents. This makes remediation faster and focused instead of wasting time checking every alert. We get to fix the issues that pose real business risks.

Check Point CloudGuard CNAPP has positively impacted our organization at a significant level. We get greater visibility and control across all our cloud environments. Some biggest benefits we have seen are faster detection and remediation of misconfigurations, improved compliance posture, reduced risk exposure, operational efficiency, and cost savings. Overall, it has made our cloud environment more secure, compliant, and easier to manage while freeing up our teams to focus on projects instead of chasing alerts.

Areas of improvement for Check Point CloudGuard CNAPP can be the UI navigation. The dashboard is feature-rich, but it can sometimes feel overwhelming. A more streamlined or customizable view would help teams focus on the highest priority risks more quickly. While it integrates with AWS and GCP, deeper integration with DevOps and third-party SIEM tools could make workflows even smoother. For first-time users, the documentation could be more intuitive or hands-on.

Positive

I previously used different solutions, specifically native cloud security tools such as AWS Security Hub and Azure Security Center with manual compliance checks. While they provided some visibility, they lacked a unified multi-cloud view and deep threat prevention capabilities. We switched to Check Point CloudGuard CNAPP because it consolidated compliance, posture management, and threat protection, reducing tool sprawl and giving us stronger coverage across AWS and GCP.

We have seen measurable outcomes since using Check Point CloudGuard CNAPP, with time saving being a significant outcome. We reduced manual compliance checks by about 40 to 50%, saving our team 10 to 12 hours per week. The compliance has improved as our overall compliance score against CIS benchmark has improved from around 72 to 92% within the first three months of adoption. We also saw a drop in recurring misconfigurations after enabling continuous posture management and automated guardrails.

My experience with pricing, setup cost, and licensing is that the pricing model is flexible and consumption-based, which makes it easier to align with our cloud. The setup cost was moderate, not too heavy. In terms of ROI, we can see time savings for audit preparation of at least 30-40%.

I would rate Check Point CloudGuard CNAPP an eight out of ten, because it is powerful and reliable, but still has room for polish.

I provided this rating because it delivers strong visibility, compliance, and misconfiguration detection, but there are still areas that could be refined such as complex UI navigation, integration gaps, and alert fatigue.

If you are considering Check Point CloudGuard CNAPP, start by clearly mapping out your cloud environments and compliance needs. The platform is effective for leveraging single visibility across AWS, Azure, GCP. Ensure you integrate all accounts early on. Take time to configure policies to match your organization's compliance framework such as CIS, GDPR, PCI. This saves a lot of effort later.

My main use case for Check Point CloudGuard CNAPP is securing cloud-native workloads end-to-end. I rely on it to continuously assess risk, enforce security posture, and catch misconfigurations across my cloud environments.

A specific example of how I use it to secure my cloud-native workloads is that it flagged an exposed storage resource with overly permissive access during a routine scan. I fixed the misconfiguration immediately, preventing potential data exposure before it became a real incident.

The best features Check Point CloudGuard CNAPP offers include continuous posture assessment, risk prioritization, and integrated compliance checks across cloud workloads.

The risk prioritization works very well for me and definitely makes my job easier. It prioritizes risks based on exposure and impact, so I can focus on the few critical issues instead of hundreds of low-risk alerts.

Check Point CloudGuard CNAPP has positively impacted my organization by reducing security gaps and misconfigurations across my cloud environments. I believe it also helps my team focus on high-priority risks, which has improved overall cloud security without increasing workload.

Check Point CloudGuard CNAPP can improve with more intuitive onboarding and policy templates for new users who are not accustomed to it, better customizable dashboards for different team roles, and deeper automated remediation suggestions to speed up fixes.

I have been using Check Point CloudGuard CNAPP for one year.

Check Point CloudGuard CNAPP is stable.

I find Check Point CloudGuard CNAPP's scalability very good. It handles growth, cloud resources, and workloads smoothly, and visibility scales without performance issues as my environment expands.

The customer support has been very good.

Positive

I used basically native cloud security tools before, which is what I relied on.

My experience with pricing, setup cost, and licensing has been reasonable for the value it delivers. The initial setup cost was fair. Understanding the right modules and tiers took a bit of planning upfront, but overall, I feel it is good value given the risk reduction I get.

I have seen a clear return on investment. I have had about a thirty to thirty-five percent drop in cloud misconfiguration alerts, which reduced alert noise and saved time. This helped my team cut manual review time by roughly twenty to twenty-five percent, allowing me to reallocate effort to proactive cloud security improvements.

My experience with pricing, setup cost, and licensing has been reasonable for the value it delivers. The initial setup cost was fair. Understanding the right modules and tiers took a bit of planning upfront, but overall, I feel it is good value given the risk reduction I get.

I did not really evaluate other options before choosing Check Point CloudGuard CNAPP. I think I looked at Palo Alto Prisma Cloud, and that was it.

Check Point CloudGuard CNAPP delivers strong visibility, clear risk prioritization, and real value in daily cloud security work. It is not a perfect solution mainly because there is still room to improve. In my opinion, everything has room to improve, and I will not give a perfect score to anything, but I believe it should at least improve the onboarding and automation. Overall, it is very effective. My advice for others looking into using Check Point CloudGuard CNAPP is to connect all cloud accounts early and trust the risk prioritization from day one. I would rate Check Point CloudGuard CNAPP a nine out of ten.

My main use case for Check Point CloudGuard CNAPP is strengthening cloud security posture, monitoring configurations, identifying risks earlier, and keeping workloads aligned with compliance requirements.

Check Point CloudGuard CNAPP offers continuous posture monitoring, risk prioritization, and automated remediation guidance as some of its best features.

The automated remediation guidance in Check Point CloudGuard CNAPP has made it easier because it points directly to what needs fixing and suggests the exact steps, so I spend less time digging for a root cause. For example, when it flagged an overly permissive IAM policy, the guidance made it quick to tighten it up without guesswork.

Check Point CloudGuard CNAPP has positively impacted my organization by making a clear difference in reducing the time spent tracking down cloud misconfigurations and helping teams focus on the issues that matter most. The clearer visibility and faster risk triage have made day-to-day security work noticeably smoother.

I have noticed specific outcomes with Check Point CloudGuard CNAPP, including a clear drop in recurring configuration issues, and the time spent reviewing alerts has gone down quite a bit. The prioritization helps me get to the important items faster.

A typical day using Check Point CloudGuard CNAPP usually involves running posture checks to spot new misconfigurations and reviewing the alerts it surfaces so I can address issues before they turn into real problems.

One area that Check Point CloudGuard CNAPP could use improvement is the navigation when switching between modules. A more streamlined interface and a quicker drill-down into findings would make the workflow feel even smoother.

I have been using Check Point CloudGuard CNAPP for about two years.

Check Point CloudGuard CNAPP demonstrates strong security visibility and posture checks, but the interface still feels somewhat clunky. I rate Check Point CloudGuard CNAPP an eight out of ten.

I came from a compliance world where I focused on static configuration checks. I have now evolved more towards a CDR approach, where I actively monitor cloud detection and response as well. I am monitoring activities in the clouds, including Azure, AWS, and Oracle, OCI.

I transitioned from unstructured cloud environments, described as a bit like the Wild West, lacking oversight. Now, I have established specific rule sets based on compliance standards, which I have adapted to suit my use case. CloudGuard greatly assists me in understanding my assets, assessing my security, and identifying risk areas.

The compliance is well executed, and the CDR is evolving, with both progressing well. 

We use the CloudGuard CNAPP CloudGuard Security Posture Management capabilities. It's good for identifying misconfiguration. You have a a variety of rulesets that you can apply. So you can choose on depending on which on which industry standard that you are following. And you can really adapt it towards your environment, so you can mix and match what you need and really come to a more secure cloud environment.  

The effectiveness of its cloud security posture management for providing compliance rule sets and security best practices has been good. You can define KPIs in CNAPP. You can say: "this is the percentage that we want to work towards." And you can see your progress and say, "okay, at the beginning of the month, we are we are at 60%. And at the end of the year, we are there 80% compliance." You can do that. And you can really monitor it.

The cloud security posture management identify the risks that are the most critical to our business. We can define certain key assets that are your crown jewels. And whenever something hits on these crown jewels, you get a very high score. So you can really fine tune towards protecting your risk based assets in the cloud. 

It also lowered the amount of time it takes when identifying of the most critical risks. If I would do that manually, it would take me ages. So when I have a fine tuned rule set that I that I apply upon all my workloads, I do have automatic identification of every resource. The time savings are indefinite.

The CloudGuard CNAPP visibility into CloudGuard logs for simplifying incident investigation is very good. It can reach CloudGuard VPC flow logs and GoToKey events, and it can also look at Azure activity logs. So you can have multi cloud capability, CDR, and you have different rule sets that are quite good. So far, it's excellent.

The CDR helps detect anomalous behavior and respond to threats before they become an issue. We had we had some third party products that were using that was not properly configured. CDR detected this when it was doing certain certain scans. We updated the role towards the policy that that CDR provided, and it really helped. The events went away. 

The user interface needs work. Sometimes, it is a transition from the old tool to the new CNAPP Two that I currently have, and remnants of the old environment can still be detected. I require consistency in the user interface to ensure everything is streamlined into the same look and feel. 

More work is needed in fine-tuning the threat data towards your CSPM and activity logs, aligning them with business intelligence, which requires a cohesive console interface.

My assessment of CloudGuard CDRs in intrusion detection and threat hunting capabilities is that it still needs some work. All the threat data that comes in, you need to fine tune it a bit.  

I have used the solution for four years.

The stability could always improve. It is an ever-changing world. It is rapidly evolving, and sometimes mistakes occur, necessitating testing. Every cloud security provider experiences challenges like that.

The solution scales well. You just apply the the policy and the rule sets. You apply your configuration, and it scales indefinitely.

I have a dedicated support engineer and a presales engineer dedicated to me. Additionally, I have a project manager. Overall, it's a good setup.

Positive

I used the Security Hub inside AWS. CloudGuard offers more rule sets and is better streamlined.

The initial setup was a bit cumbersome in the in the beginning, however, it improved a lot. Now it's it's working fine. 

I am the integrator that handles the initial setup.

Monitoring cloud security automatically ensures a return on investment. When I deploy applications in a UAT environment, setting rule sets beforehand guarantees adherence. When deviations occur, corrections are made, thereby ensuring compliance.

From a licensing and cost perspective, it is really competitive. It is one of the better options available.

Before switching, I evaluated solutions like Palo Alto, Prisma CloudGuard, Trend Micro Cloud Conformity, and now I use CNAPP Pro. The deciding factor for choosing CNAPP was cost.

I advise the company to keep evolving and keep it up. Open-source vendors are entering the scene and evolving rapidly, so staying up to speed is essential. 

I rate the solution seven out of ten.

I am using most of the CSPM functionality, primarily providing assessments for my customer bases with the CNAPP CSPM functionality. 

I conduct benchmarks and compare the cloud infrastructure with, for example, the CIS benchmarks or other types of benchmarks depending on my customer needs. That's my main use case, to be honest. 

It is not yet the workload protection point. I see that evolving. For now, it is more about CSPM.

It's helped with misconfigurations.

Detecting misconfigurations in the cloud is what the CSPM delivers. I often see that small mistakes and misconfigurations can lead to bigger impacts. That's why I focus on finding those. It saves a lot of time, especially in dynamic environments where we see cloud infrastructure is built up and taken down again, and different parts are deployed in various locations. It delivers fast value, and it's way faster than it would be without it.

We use the Cloud Security Posture Management capabilities. It's perfect for our use cases. Onboarding is very easy. Selecting a benchmark is easy. Defining custom rules is easy, as well, to be honest. This is the part we most rely on.

The Posture management provides rules and checks for security best practices. It's good. That's really the component that is the most valuable for us and our customers and the most easy to implement. It's critical to the business. We provide security services like assessments based on that functionality. That's why our customers come to us. And if this component wouldn't do what it's intended to, then our business would really be affected in a negative way.

The shift left part is not yet at a maturity level I desire. I need more integration from the code-to-cloud principle. It feels somewhat fractured to me. I haven't grasped all the parts yet, and better integration would make CNAPP most valuable.

I have been using it for roughly a year plus. It's been about a year and a half.

From the product itself, CNAPP is pretty stable. Sometimes I might experience that some functionalities aren't described transparently enough for me. It's hard to grasp how it works in the background, and I sometimes need to contact someone to get that information. 

Overall, the product itself is stable. However, if there are errors, it is sometimes challenging to elaborate or troubleshoot since it is not transparent enough to understand what to search for.

Regarding scalability, there is not really a need for scaling up or down. It is good. I never had any performance-related issues. 

We've never had any big integrations with other products within the environment. 

Customer service is very good. When I need help or have open questions, or if I require the capability to deploy a quick test environment, there are always people I can contact at Check Point to get my information or the environment as fast as I need it. I love it. This is basically one of the main reasons why I love working with Check Point products.

Positive

Depending on the cloud environments, I mostly used the native components, such as Defender for Cloud on Azure. I conducted many comparisons, even in some community sessions within my company, and found that Defender for Cloud is not as capable as CloudGuard, especially in multi-cloud environments. It is not as easy to use and has some drawbacks. 

Of course, it is easier to integrate native since it is already there; you just press the button, and it's available. However, the overall solution isn't as mature as the one from Check Point. 

I also paired up with other vendors like Tenable, Palo Alto, and Wiz, and observed that CNAPP is not CNAPP. Depending on where the vendor is coming from, different aspects may be better or more mature than others. It is all somehow speeding up in this very dynamic environment. We always have to redo evaluations and see the current status to keep up.

It's hard to gauge ROI for our specific use case. It's not measurable from our point of view. 

It's not too expensive. However, it is sometimes hard to explain to customers why they should pay this price, and I need to elaborate on that. It is not cheap, of course, yet it is a necessity.

We do not so much use the workload protection capabilities yet. We also do not use the CloudGuard Detection Response.

We're a partner of Check Point. 

Some areas still need development, however it is a very solid solution, definitely. I would rate the overall solution a seven out of ten.

CloudGuard CNAPP has many use cases depending on your business requirements. If your organization's infrastructure is spread across various cloud vendors, such as AWS, GCP, and Azure, you can implement CNAPP. 

Our use case entails gaining visibility into cloud components. We have an infrastructure platform where our resources are deployed. We are now focusing on having a clear visibility of all the cloud platforms, whether it is AWS, Azure, or GCP.

CloudGuard expands your visibility. If your infrastructure is segregated across AWS, Azure, and GCP, it can track all the resources deployed on these cloud vendors. It covers any cloud devices like S3 buckets, containers, etc. You get clear visibility of all those resources, and it helps to check for misconfigurations. 

For example, if you have an S3 bucket exposed publicly, that is a security concern. You need to do things to ensure that your S3 bucket is kept private when configuring it. It will evaluate your security configuration with respect to the deployed resources and give you the scores. CloudGuard will tell you where your resources stand regarding configuration, security scores, compliance checks, etc. It gives you all the visibility within the single platform. 

It also protects your workload. The features of the traditional CSPM can be varied. If you have deployed an application running on a Kubernetes cluster, it will give you visibility into all clusters and the workloads deployed and running in the background if you want to scale the workloads.

When you perform all the activities on the back end, there are a lot of chances that you misconfigure. Any misconfigurations within the namespace of the Kubernetes cluster can lead to a security vulnerability. When it's exposed publicly, it can add some more risk. All of those things can be easily tracked in some of the recent cloud vendors. 

Wiz is one of the industry contenders within the CNAPP solution. In addition, there are a couple of other vendors like Orca. All of these vendors provide workload protection in addition to the typical CSPM.

If most of your resources are deployed in CloudGuard, one of the bigger concerns
is the failure to monitor your devices. You can only protect the things you can see. You cannot take action if you don't have visibility into how your resources are deployed or distributed. 

Regardless of scale, it gives any cloud-dependent organization an edge over the other technologies so that they can track their infrastructure. You can see where your resources are deployed and how they perform regarding health checkups, security misconfigurations, compliance checks, etc. So it gives you better visibility. 

Most of the features are pretty valuable, whether that's a description of the attacks or the attack graph showing the vulnerabilities. If a single tool does all this work, the value is centralizing all these functions on a single tool. These are the cloud-native applications we talk about — containers, Kubernetes, and cloud infrastructure — and all those things are the primary focus of the CNAPP solution. 

I think EDR, MDR, and any of those systems do a great job at the endpoint level, but you need CDR if you want to use those features on a cloud level. For example, if a VM is deployed, it can also detect all misconfiguration there. In addition, if any of these are critical, it will show you the attack graph. 

It shows you all the pictures from the attacker's perspective, such as if there is some loophole at your gateway level and if the traffic is coming from the Internet. If you have misconfigurations at the gateway level, it will give you the attack path the attacker can use to enter your organization. If you enter, it shows how you can move laterally if some additional new points can be exploited within your infrastructure. It gives you a list of any misconfigurations in terms of user access.

Regarding the response part, the onus is on the department or the team implementing those technologies because you need to have strong processes, policies, and procedures. For example, if you can address some of the detections or vulnerabilities at the application or cloud level, you should have a policy to prioritize those things in your organization. Once you have those policies, you can lead in those scenarios and maybe collaborate with different teams responsible for addressing those new issues. 

It involves some coordination and collaboration as well. At the end of the day, you want to make things easier, so you can provision access for the various teams within that platform if they want to consume these things directly rather than getting the information via a report or any other mechanism. Let's say there's a problem with your S3 bucket, and you need to fix issues inside that rather than fixing them in the CNAPP solution. CNAPP is something that gives you an overview, but you need a process for the remediation.

CloudGuard's reporting could be better. It's good now, but there is room for improvement. If you're looking for a centralized platform, there are a lot of features that can be appreciated. However, you want complete security integration with SaaS, DAST, secret scanning, etc., and a single platform for all these features. 

Check Point is known for its firewall. Six or seven years ago, it used to be a good thing because most businesses were on on-prem. If your business is on the cloud, you do not need a firewall because most of the cloud vendors already have that built into their cloud premises, and you can configure the rules there. You can do everything as a network security engineer. 

It depends on your business model. Some companies are segregated and most of their things are on-prem. They have physical outlets in multiple countries. Managing everything in these business environments and deploying the Check Point firewall would be a good investment. However, it doesn't make sense if your business is totally in the cloud. 

It depends on how Check Point sees things in the market. If they want to compete with all these vendors in terms of CNAPP, they need to first understand their audience. Once they have some visibility into who their audience is, they need to maintain their business. 

I am evaluating CNAPP vendors for my organization, and Check Point Cloudguard is one of them. I have evaluated all the other vendors, so I have the experience.

One vendor I worked with in the CNAPP market was Rapid7. They have a CSPM tool called InsightCloudSec that offers similar visibility of all cloud resources. The various cloud vendors are populated over the platform, and you can see the same things. However, some features are available in other vendors, like Wiz or Orca that are missing in Rapid7. They are trying to incorporate some of the features they lack, but there's still a long way to go. 

It's more about how you leverage the APIs of the cloud provider so that you can get the data and make things as easy as possible for the end user. You do not want to overwhelm them with so much data. You want the information that's necessary for your organization to take action. Wiz and Orca are the industry standard for CNAPP solutions. I would rate Wiz nine out of 10 and Orca eight out of 10, but Rapid7 ICS would receive five out of 10. In terms of CNAPP features, I don't think Check Point is a competitor here. Check Point generally focuses on things related to the firewall, such as VPN, etc. 

Deploying CloudGuard is pretty straightforward. You don't need to invest much time because the deployment model isn't rigorous. You establish the connection with your CloudGuard vendor, and it takes a few hours. There are additional steps if you want to configure more in-depth to get more visibility into your Kubernetes cluster. It doesn't require any agent to be installed on your resources, which is a good thing.  

If you're running a serverless architecture like AWS Lambda and you want better visibility in those complex scenarios, there are some additional configurations that require you to check some documentation that you need to go through. However, it takes only a few hours to achieve visibility into the typical cloud resources, such as EC2 instances, S3 buckets, containers, and user accounts. 

All these technologies are expensive. Wiz is the most expensive. You might have seen that Google is making overtures toward acquiring Wiz. It's valued at $12 billion, but it may go as high as $24 billion, which would make it the most expensive acquisition in Google's history. The bottom line is that you need to spend a good amount of money to implement these things and it depends on your organization's priorities. 

I rate Check Point CloudGuard CNAPP six out of 10. 

I use the solution for some cloud applications, which are cloud-native.

The solution helps increase security posture and provides a greater scope for protection. 

I value the comfort and the ability to receive proper insights almost hands-off. It sends us the information of interest. It offers very good security posture management capabilities. We're receiving the information of interest, like security posture, details, settings, and so on. And the solution is spot-on. There are capabilities to check actions to mitigate and measures and controls that come with these features are valuable.

It's providing compliance rule sets and security best practices.

One of the main reasons we use the solution is that it is great at identifying risks that are critical to our business. It saves us time at identifying risks. I might save one FTE continuously checking in. 

We use the CDR (the intelligence capabilities). It's helpful and does the job.

The solution detects anomalous behavior. We don't have any issues. 

I would appreciate a way to receive periodic updates, like through email. I am the kind of person who likes to receive data passively. It would be nice to have periodic updates on what people should do, maybe with some analysis or something.

I have used the solution for about four months.

The stability is good. It does its job.

It was good in terms of scalability.

I found the customer service to be very professional, great, and very spot-on.

Positive

We did not previously use a different solution. 

The initial setup was very easy.

I completed the implementation together with a colleague from Check Point. The experience was very professional.

We had the 60-day evaluation already. It's now something we have to pay.

I did not consider alternate solutions.

I would rate the solution ten out of ten although I have no other comparison.

I assess the effectiveness of Check Point CloudGuard CNAPP in preventing misconfigurations across cloud environments as an important part.

The ability of Check Point CloudGuard CNAPP to secure multi-cloud environments has impacted my customer's compliance efforts; it is not the priority, but it is an important solution.

Check Point CloudGuard CNAPP is effective. It is not as powerful as Harmony and Collaboration, but it is a challenging solution.

Check Point CloudGuard CNAPP has some advantages over its competitors.

One of the best features is easy integration.

The automated threat prevention of Check Point CloudGuard CNAPP is impressive. It uses the same model and engine as antivirus or Harmony and Collaboration, making it effective.

I find false positives to be the most valuable metrics for threat detection. The number of false positives is important.

I assess the role of Check Point CloudGuard CNAPP in providing real-time visibility into cloud infrastructure depending on the client, and we usually do a business case to address that.

There is a lack of functionalities and usability. I used to compare it with another solution that is focused on specific features. All solutions have some gaps, and we are looking for the best one in every single scope.

I believe improvements could be made to the notification system, ease of use, and integrations.

The interface could be simplified and more focused on user experience. It appears somewhat unrefined in its current state.

If they improve their interface and integration capabilities, I would give them a higher rating.

The technical support provided by Check Point is really good.

I would rate their technical support as eight out of ten.

Positive

I find the initial setup easy to integrate. The main challenge is maximizing the solution's potential.

To get the full power of the solution, you need to fine-tune it extensively to achieve the expected behavior.

I consider the pricing of Check Point CloudGuard CNAPP to be average.

On a scale of one to ten, I rate Check Point CloudGuard CNAPP a seven.

The solution is for used for protection of workloads.

It offers good detection. This capability allows us to effectively manage compliance. 

It helps us find misconfiguration. We use it to try to find possible storage accounts that may be misused or other misconfigurations.

The effectiveness of its cloud security posture management is good. It's really helpful for us and allows us to comply with various standards.

It helps our company identify risks that are most critical to our business. It not only saves us time, it provides us with the visibility we need to manage the cloud.

I don't have any notes for improvements. I'd need some more time to work with it.

I have used the solution for one year.

The stability is good.

We haven't had issues with scalability.

We have not had any issues with customer service so far.

Positive

This was the first solution I tested. I have not used a different solution. 

The initial setup was straightforward.

The pricing is decent.

We only really tested the capabilities of native tools before we implemented this solution.

My overall product rating is ten out of ten.

CloudGuard is a posture management and workload protection platform. We're also using it for data and risk management.

Our environment includes a hybrid cloud and three public cloud providers: GCP, AWS, and Azure. CloudGuard enables us to manage all the cloud providers from one dashboard. It enables a team approach, so we're more flexible and operationally efficient. The solution provides a holistic view from a single dashboard, making posture management and threat prevention more effective. Detection is not a significant challenge. When I block a particular incident, CloudGuard will implement some kind of prevention activity so that those types of activities are prevented automatically in the future. Prevention is more beneficial for us.  

When managing our service partner, CloudGuard enables easier enrollment and allows us to consolidate all those rules and privileges. It will give them complete visibility of the identities that I am using for all the services, whether it's privileged user access or a normal user. It's based on user suggestions. CloudGuard helps me handle my user identities.  

Another benefit is posture management. We are governed by four regulatory entities in India. We need to stay in 100 percent compliance by avoiding any misconfigurations on our platforms, and this tool helps us.  It also helps with virtual protection of our code by adding another layer of security and an extra step. It can detect abnormalities in the image and register, enabling us to identify and fix compromised packages before any major release. 

As a regulated entity, we receive a monthly external audit from the agency, and we always pass them using CloudGuard because we have a  single dashboard for multiple services for user activity reviews and policies that we have set for the user levels. It's easy to demonstrate our compliance posture using this portal and any incidents with compromised credentials or NetFlow security. 

CloudGuard allows us to do more work with fewer people. A team of six people can manage our entire enrollment. CloudGuard covers a huge footprint. It saves a lot of resources, but I cannot measure that in time saved. Onboarding and learning the product took six months, and it took us another year to address all of the solution's findings. The third year should be focused on monitoring. I can't quantify how much time is consumed in days or weeks, but if I had to rate it on a scale of one to 10, I would say nine. 

A reduction in human error is part of posture management. When we first onboarded to the posture management platform, we had to customize and build some rules for enrollment. We fixed the issues we found, and we don't need to run the posture management tool again. Instead, we run the GSL builder and cross-check the findings. Before addressing the finding, we must create a default rule set in the GSL  Builder. We copy what's in the builder and execute it on a particular enrollment, and we'll say it is good to go. We can save time building custom rulesets with GSL builder, but it's hard to say how much. 

We like the GSL Builder feature. When you're running a security operations center, you spend a lot of time monitoring endpoint activity to ensure there is no malicious traffic or anonymous access in the environment. The GSL Builder is helpful for deep investigations of a particular reason for an incident. You can use it to get more information.

We have more than 30 AWS accounts and use more than 16 versions with some different tenants. I don't want to turn on each enrollment and app one at a time in the application. With GSL Builder, I can select multiple accounts from one place and execute the commands. I can see the results of which entities passed and failed.

It's easy to write custom rules and policies. I have limited coding knowledge, but I can make policies from inside the UI. It will show what services are available in the cloud provider, and I can go through and check the ones I need. It requires no scripting knowledge. If you have experience in the industry, you can immediately learn GSL Builder and adapt it. 

Auto-remediation is a module you can enable at the enrollment level. It detects and fixes human errors or misconfigurations.  For example, we can't create a bucket that is exposed to the internet for compliance reasons. CloudGuard can prevent that bucket from being created, ensuring compliance. 

With effective risk management, we can identify every asset and assign a score to each network violation or process. We will flag the most critical assets and bring them to private subnets. There's also a graph, which is useful if we need to explain things to developers and administrators.

The user interface could be improved. Sometimes, the visibility is not immediately available for the environment. We have the native servers that come with the solutions, but we cannot see them in the Check Point log. Another issue is with the integrated file monitoring. It would make sense to have stuff like file integrity monitoring and malware scanning available within this module because we don't want to integrate another product. 

For example, let's say it's showing a process violation. It should be able to do some additional malware scanning in that particular bucket to get some additional information. I don't want to integrate with another third-party tool or go to the native server to check something. It would be helpful to have integrated monitoring and malware scanning for the file types. 

There are a few flaws with the security management portal where I have limited visibility into the workload protection features. There is no error visibility where I can see the communication and workflow between services. Some of the dashboards need to be fine-tuned if they are not customized. For example, I cannot customize anything on the effective risk management dashboard. Some of the information is not correct for my tenant. With respect to passwords and user management, there are no policies I can measure at the user level. If the user was created more than six months ago, you don't need to worry about that password or do anything like two-factor authentication associated with that user. They can still log in after six months or one year. 

It's also a challenge to use CloudGuard's agentless workload posture with AWS. An Azure storage is summed up with a CNAPP encryption by default. We tried onboarding this data, but the problem is the attachment is not done. After a few days, we identified that it was impossible to do the encryption detection. But CloudGuard's default rules say that this has to be encrypted. 

The AWS module says that we cannot access this volume with this encryption, so we cannot use an agentless workload posture with AWS because of this. It is a best practice to ensure that all the volumes are being encrypted. Without the encryption, how can I do this? It is a big challenge for CloudGuard.

I have used CloudGuard for 14 months.

We only see downtime when there is a global outage. It typically only lasts a few minutes. Also, we sometimes see latency issues when accessing this portal. We double-checked that with the team also, and they asked us to check on our network side. We are in the office network, so we could not refer to that. 

Some of CloudGuard's modules are slower. For example, if I go and click on the posture, it loads immediately within 30 or 50 seconds, but workload protection might take more than a minute. There are some differences in the latency between the services within the cloud version.

We don't have any issues with CloudGuard's performance or scalability. 

I rate Check Point support 10 out of 10. Their customer service is fantastic. We have premium support, so I don't know what their standard support is like. When we open a ticket, they immediately call us back regardless of the severity. 

Positive

We have Prisma Cloud, which is not fully implemented, so we need to use Check Point simultaneously. Prisma Cloud excels in terms of UA, visibility, and user-level policies and management. CloudGuard is more cost-efficient but not as user-friendly as Palo Alto. At the same time, having the GSL Builder makes it more efficient to make CNAPP rules without much background knowledge.

Generally, the deployment is pretty easy. We have a template, so it's automatic. However, we run into problems when we're supporting multiple CSPs. AWS supports CloudGuard 100 percent, whereas for Azure, it's 75 or 80 percent. Some Azure services, like user identity, are not supported, which is a challenge. It should be available in Q1. 

Deploying the threat intelligence for AWS was fine, but we had problems with Azure. I'm part of the security group, which is onboarded into the AWS. The next time I create a new security group, it automatically discovers the asset and will put it in the log. For Azure, a new network security group must be added manually. If I'm doing that manually, I want to completely remove the onboarded threat intelligence, which means I want to completely remove what we added from the portal. That is one problem we face doing the onboarding of Azure.

I don't know the initial proposed amount, but the procurement team looked at the market and compared Prisma and CloudGuard, then settled on one solution.

I rate Check Point CloudGuard CNAPP nine out of 10. Any advice I could give to potential users would be completely based on their use cases. You must look at various criteria, like your environment and enrollment level, but my general advice for implementing a CNAPP solution is to get a cloud dev. 

If you are using AWS with multiple CNAPPs and you don't have a control tower or any other landings in the budget, you want to do policies at each enrollment level. But we're using this out that what we do is, like, we build guardrails where we can apply it at the enterprise level itself. 

For example, we'd want to allow any data to be researched outside the area. I'll create one policy and apply it at the organizational level. I set a policy so that any user in my enrollment could not create an SD bucket or any volumes outside using their agent. If you have multiple CSPs, AWS accounts, or Azure subscriptions, this is one solution where you can cover your entire organization's accounts.