Blog
/
Cloud
/
February 3, 2025

CNAPP Alone Isn’t Enough: Focusing on CDR for Real-Time Cross Domain Protection

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
03
Feb 2025
This blog dives into the strengths and limitations of CNAPP, explaining how a CDR solution can enhance cloud security to identify and mitigate cross-domain threats.

Forecasts predict public cloud spending will soar to over $720 billion by 2025, with 90%[1] of organizations embracing a hybrid cloud approach by 2027. These figures could also be eclipsed as more businesses unearth the potential impact that AI can make on their productivity. The pace of evolution is staggering, but one thing hasn’t changed: the cloud security market is a maze of complexity. Filled with acronyms, overlapping capabilities, and endless use cases tailored to every buyer persona.

On top of this, organizations face a fragmented landscape of security tools, each designed to cover just one slice of the cloud security puzzle. Then there’s CNAPP (Cloud-Native Application Protection Platform) — a broad platform promising to do it all but often falling short, especially around providing runtime detection and response capabilities. It’s no wonder organizations struggle to cut through the noise and find the precision they require.

Looking more closely at what CNAPP has to offer, it can feel like as if it is all you would ever need, but is that really the case?

Strengths and limitations of CNAPP

A CNAPP is undeniably a compelling solution, originally coming from CSPM (Cloud Security Posture Management), it provided organizations with a snapshot of their deployed cloud assets, highlighting whether they were as secure as intended. However, this often resulted in an overwhelming list of issues to fix, leaving organizations unsure where to focus their energy for maximum impact.

To address this, CNAPP’s evolved, incorporating capabilities like; identifying software vulnerabilities, mapping attack paths, and understanding which identities could act within the cloud. The goal became clear: prioritize fixes to reduce the risk of compromise.

But what if we could avoid these problems altogether? Imagine deploying software securely from the start — preventing the merging of vulnerable packages and ensuring proper configurations in production environments by shifting left. This preventative approach is vital to any “secure by design” strategy, CNAPP’s again evolving to add this functionality alongside.

However, as applications grow more complex, so do the variety and scope of potential issues. The responsibility for addressing these challenges often falls to engineers, who are left balancing the pressure to write code with the burden of fixing critical findings that may never even pose a real risk to the organization.

While CNAPP serves as an essential risk prevention tool — focusing on hygiene, compliance, and enabling organizations to deploy high-quality code on well-configured infrastructure — its role is largely limited to reducing the potential for issues. Once applications and infrastructure are live, the game changes. Security’s focus shifts to detecting unwanted activity and responding to real-time risks.

Limitations of CNAPP

Here’s where CNAPP shows its limitations:

1. Blind spots for on-premises workloads

Designed for cloud-native environments, it can leave blind spots for workloads that remain on-premises — a significant concern given that 90% of organizations are expected to adopt a hybrid cloud strategy by 2027. These blind spots can increase the risk of cross-domain attacks, underscoring the need for a solution that goes beyond purely prevention but adds real-time detection and response.

2. Detecting and mitigating cross-domain threats

Adversaries have evolved to exploit the complexity of hybrid and cloud environments through cross-domain attacks. These attacks span multiple domains — including traditional network environments, identity systems, SaaS platforms, and cloud environments — making them exceptionally difficult to detect and mitigate. Attackers are human and will naturally choose the path of least resistance, why spend time writing a detailed software exploit for a vulnerability if you can just target the identity?

Imagine a scenario where an attacker compromises an organization via leaked credentials and then moves laterally, similar to the example outlined in this blog: The Price of Admission: Countering Stolen Credentials with Darktrace. If an attacker identifies cloud credentials and moves into the cloud control plane, they could access additional sensitive data. Without a detection platform that monitors these areas for unusual activity, while working to consolidate findings into a unified timeline, detecting these types of attacks becomes incredibly challenging.

A CNAPP might only point to a potential misconfiguration of an identity or for example a misconfiguration around secret storage, but it cannot detect when that misconfiguration has been exploited — let alone respond to it.

Identity + Network: Unlocking cross-domain threats

Identity is more than just a role or username; it is essentially an access point for attackers to leverage and move between different areas of a digital estate. Real-time monitoring of human and non-human identities is crucial for understanding intent, spotting anomalies, and preventing possible attacks before they spread.

Non-human roles, such as service accounts or automation tooling, often operate with trust and without oversight. In 2024, the Cybersecurity and Critical Infrastructure Agency (CISA) [2] released a warning regarding new strategies employed by SolarWinds attackers. These strategies were primarily aimed at cloud infrastructure and non-human identities. The warning details how attackers leverage credentials and valid applications for malicious purposes.

With organizations opting for a hybrid approach, combining network, identity, cloud management and cloud runtime activity is essential to detecting and mitigating cross domain attacks, these are just some of the capabilities needed for effective detection and response:

  • AI driven automated and unified investigation of events – due to the volume of data and activity within businesses digital estates leveraging AI is vital, to enable SOC teams in understanding and facilitating proportional and effective responses.
  • Real-time monitoring auditing combined with anomaly detection for human and non-human identities.
  • A unified investigation platform that can deliver a real-time understanding of Identity, deployed cloud assets, runtime and contextual findings as well as coverage for remaining on premises workloads.
  • The ability to leverage threat intelligence automatically to detect potential malicious activities quickly.

The future of cloud security: Balancing risk management with real-time detection and response

Darktrace / CLOUD's CDR approach enhances CNAPP by providing the essential detection and native response needed to protect against cross-domain threats. Its agentless, default setup is both cost-effective and scalable, creating a runtime baseline that significantly boosts visibility for security teams. While proactive controls are crucial for cloud security, pairing them with Cloud Detection and Response solutions addresses a broader range of challenges.

With Darktrace / CLOUD, organizations benefit from continuous, real-time monitoring and advanced AI-driven behavioral detection, ensuring proactive detection and a robust cloud-native response. This integrated approach delivers comprehensive protection across the digital estate.

Unlock advanced cloud protection

Darktrace / CLOUD solution brief screenshot

Download the Darktrace / CLOUD solution brief to discover how autonomous, AI-driven defense can secure your environment in real-time.

  • Achieve 60% more accurate detection of unknown and novel cloud threats.
  • Respond instantly with autonomous threat response, cutting response time by 90%.
  • Streamline investigations with automated analysis, improving ROI by 85%.
  • Gain a 30% boost in cloud asset visibility with real-time architecture modeling.

References

  1. https://www.gartner.com/en/newsroom/press-releases/2024-11-19-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-total-723-billion-dollars-in-2025
  2. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-057a
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Adam Stevens
Director of Product, Cloud Security
Book a 1-1 meeting with one of our experts
Share this article

More in this series

No items found.

Blog

/

Cloud

/

March 6, 2025

From Containment to Remediation: Darktrace / CLOUD & Cado Reducing MTTR

Default blog imageDefault blog image

Cloud environments operate at speed, with workloads spinning up and down in seconds. This agility is great for business and is one of the main reasons for cloud adoption. But this same agility and speed presents new challenges for security teams. When a threat emerges, every second counts—yet many organizations struggle with slow Mean Time to Respond (MTTR) due to operational bottlenecks, outdated tooling, and the complexity of modern cloud infrastructure.

To minimize disruption and potential damage, containment is a critical step in incident response. By effectively responding to contain a threat, organizations can help prevent lateral movement limiting an attack’s impact.

However, containment is not the end goal. Full remediation requires a deep understanding of exactly what happened, how far the threat spread, and what assets were involved and what changes may be needed to prevent it from happening again.

This is why Darktrace’s recent acquisition of Cado is so exciting. Darktrace / CLOUD provides real-time threat detection and automated cloud native response for containment. With Cado, Darktrace / CLOUD ensures security teams have the forensic insights that are required to fully remediate and strengthen their defenses.

Why do organizations struggle with MTTR in the cloud?

Many security teams experience delays in fully responding to cloud threats due to several key challenges:

1. Limited access to cloud resources

Security teams often don’t have direct access to cloud environments because often infrastructure is managed by a separate operations team—or even an outsourced provider. When a threat is detected, analysts must submit access requests or escalate to another team, slowing down investigations.

This delay can be particularly costly in cloud environments where attacks unfold rapidly. Without immediate access to affected resources, the time to contain, investigate, and remediate an incident can increase significantly.

2. The cloud’s ephemeral nature

Cloud workloads are often dynamic and short-lived. Serverless functions, containers, and auto-scaling resources can exist for minutes or even seconds. If a security event occurs in one of these ephemeral resources and it disappears before forensic data is captured, understanding the full scope of the attack becomes nearly impossible.

Traditional forensic methods, which rely on static endpoints, fail in these environments—leaving security teams blind to what happened.

3. Containment is critical, but businesses require more

Automated cloud native response for containment is essential for stopping an attack in progress. However, regulatory frameworks underline the need for a full understanding to prove the extent of an incident and determine the root cause, this goes beyond just containing a threat.

Digital Operational Resilience Act (DORA): [1] Enacted by the European Union, DORA requires financial entities to establish robust incident reporting mechanisms. Organizations must detect, manage, and notify authorities of significant ICT-related incidents, ensuring a comprehensive understanding of each event's impact. This includes detailed analysis and documentation to enhance operational resilience and compliance.

Network and Information Security Directive 2 (NIS2): [2]This EU directive imposes advanced reporting obligations on essential and important entities, requiring them to report significant cybersecurity incidents to relevant authorities. Organizations must conduct thorough post-incident analysis to understand the incident's scope and prevent future occurrences.

Forensic analysis plays a critical role in full remediation, particularly when organizations need to:

  • Conduct post-incident investigations for compliance and reporting.
  • Identify affected data and impacted users.
  • Understand attacker behavior to prevent repeat incidents.

Without a clear forensic understanding, security teams are at risk of incomplete remediation, potentially leaving gaps that adversaries can exploit in a future attack.

How Darktrace / CLOUD & Cado reduce MTTR and enable full remediation

By combining Darktrace / CLOUD’s AI-driven platform with Cado’s automated forensics capture, organizations can achieve rapid containment and deep investigative capabilities, accelerating MTTR metrics while ensuring full remediation in complex cloud environments.

Darktrace / CLOUD: Context-aware anomaly detection & cloud native response

Darktrace / CLOUD provides deep visibility into hybrid cloud environments, by understanding the relationships between assets, identity behaviours, combined with misconfiguration data and runtime anomaly activity. Enabling customers to:

  • Detect and contain anomalous activity before threats escalate.
  • Understand how cloud identities, permissions, and configurations contribute to organizational risk.
  • Provide visibility into deployed cloud assets and services logically grouped into architectures.

Even in containerized services like AWS Fargate, where traditional endpoint security tools often struggle due to the lack of persistent accessible infrastructure, Darktrace / CLOUD monitors for anomalous behavior. If a threat is detected, security teams can launch a Cado forensic investigation from the Darktrace platform, ensuring rapid evidence collection and deeper analysis.

Ensuring:

  • Complete timeline reconstruction to understand the full impact.
  • Identification of persistence mechanisms that attackers may have left behind.
  • Forensic data preservation to meet compliance mandates like DORA, NIS2, and ISO 27001.

The outcome: Faster, smarter incident response

Darktrace / CLOUD with Cado enables organizations to detect, contain and forensically analyse activity across hybrid cloud environments

  • Reduce MTTR by automating containment and enabling forensic analysis.
  • Seamlessly pivot to a forensic investigation when needed—right from the Darktrace platform.
  • Ensure full remediation with deep forensic insights—even in ephemeral environments.

Stopping an attack is only the first step—understanding its impact is what prevents it from happening again. Together, Darktrace / CLOUD and Cado empower security teams to investigate, respond, and remediate cloud threats with speed and confidence.

References

[1] eiopa.europa.eu

[2] https://zcybersecurity.com/eu-nis2-requirements

Continue reading
About the author
Adam Stevens
Director of Product, Cloud Security

Blog

/

AI

/

March 5, 2025

Our Annual Survey Reveals How Security Teams Are Adapting to AI-Powered Threats

Default blog imageDefault blog image

At the end of 2023, over half of cybersecurity professionals (60%) reported feeling unprepared for the reality of AI-augmented cyber threats. Twelve months later, that number had dropped to 45%—a clear sign that the industry has recognized the urgency of AI-driven threats and is taking steps to prepare.

This preparation has involved enhancing and optimizing technology and processes in the SOC, improving cybersecurity awareness training, and improving integration among existing cybersecurity solutions. But the biggest priority in addressing the challenge posed by AI-powered cyber-threats, according to the more than 1,500 cybersecurity professionals we surveyed around the world, is defenders themselves adopting defensive AI to fight fire with fire.  

In December 2023, 58% listed ‘adding AI-powered security tools to supplement existing solutions’ as a top priority for their teams. By December 2024, it had risen to 64%.  

On the other end of the spectrum, ‘increasing security staff’ fell to just over 10% – and only 8% among CISOs. This is despite ‘insufficient personnel’ being listed as the top challenge which inhibits organizations in the fight against AI-powered cyber-threats. This underscores a stark reality: while teams are understaffed and struggling, hiring the right talent is so challenging that expanding headcount is often seen as an unrealistic solution.

What security leaders are looking for in AI-powered solutions

As AI adoption accelerates, confidence in AI-powered security tools remains high, with over 95% of respondents agreeing that AI-enhanced solutions improve their ability to combat advanced threats. But what exactly are security leaders prioritizing when evaluating vendors?

Three key principles emerged:

  1. Platform solutions over point products – 88% of respondents prefer integrated security platforms over standalone tools, emphasizing the need for cohesive and streamlined defense strategies.
  1. A shift toward proactive security – 87% favor solutions that free up security teams to focus on proactive risk management, rather than reacting to attacks after they occur.
  1. Keeping data in-house – 84% express a strong preference for security tools that retain sensitive data within their organization, rather than relying on cloud-hosted ‘data lakes’ for analysis.

The knowledge delta: AI knowledge is growing, but there is a long way to go  

While AI adoption is accelerating, how well do security leaders understand the AI technologies they are deploying? Do they have the expertise to differentiate between effective solutions and vague marketing claims?

Our survey found that overall familiarity with AI techniques is improving, particularly with generative AI, which saw the most significant increase in understanding over the past year. Respondents also reported growing awareness of supervised machine learning, Generative Adversarial Networks (GANs), deep learning, and natural language processing. However, knowledge of unsupervised machine learning—critical for identifying novel threats—actually declined.

Alarmingly, 56% of respondents admitted they do not fully understand the AI techniques used in their existing security stack. Clearly there is a long way to go in understanding this vast and fast-changing landscape. Darktrace has recently published a whitepaper breaking down the different AI types in use in cybersecurity which you can read here.  

For many security leaders, staying ahead starts with understanding industry trends: how CISOs are thinking about AI’s impact, the steps they are taking, and the challenges they face. Our full State of AI Cybersecurity report is now available, offering deeper insights into these trends across industries, regions, company sizes, and job roles.

State of AI report

Download the full report to explore these findings in depth

Continue reading
About the author
Max Salisbury
Senior Manager, Content Marketing
Your data. Our AI.
Elevate your network security with Darktrace AI