CWPP (Cloud Workload Protection Platform)
What is CWPP (Cloud Workload Protection Platform)?
CWPP (Cloud Workload Protection Platform)A platform that protects cloud workloads — virtual machines, containers, and serverless functions — across their entire lifecycle, from build to runtime.
CWPP focuses on the workload itself rather than the cloud account: it scans images and IaC for vulnerabilities and secrets, hardens the OS, enforces application allow-listing, monitors host and container behaviour, and detects runtime threats such as cryptominers or container escapes. CWPPs work across hybrid and multi-cloud environments because the workload may run on EC2, on-prem VMs, EKS pods, or Lambda. They commonly combine agent-based telemetry (eBPF, kernel modules) with agentless snapshot scanning. Together with CSPM and CIEM, CWPP is now usually delivered as one of the pillars of a CNAPP.
● Examples
- 01
SentinelOne Singularity Cloud or Sysdig Secure scanning container images and detecting runtime drift.
- 02
Microsoft Defender for Servers monitoring EC2 and on-prem VMs for malware and exploits.
● Frequently asked questions
What is CWPP (Cloud Workload Protection Platform)?
A platform that protects cloud workloads — virtual machines, containers, and serverless functions — across their entire lifecycle, from build to runtime. It belongs to the Cloud Security category of cybersecurity.
What does CWPP (Cloud Workload Protection Platform) mean?
A platform that protects cloud workloads — virtual machines, containers, and serverless functions — across their entire lifecycle, from build to runtime.
How do you defend against CWPP (Cloud Workload Protection Platform)?
Defences for CWPP (Cloud Workload Protection Platform) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for CWPP (Cloud Workload Protection Platform)?
Common alternative names include: Workload protection.