Forrester Wave CNAPP 2026 Deep Dive — Runtime-First Cloud Security and Building an Open-Source CNAPP Stack
In February 2026, Forrester published The Forrester Wave™: Cloud Native Application Protection Solutions, Q1 2026, evaluating 14 vendors across the CNAPP market. The defining message: runtime is no longer optional — it's the foundation. Static scanning and configuration checks alone cannot address the dynamic threats in cloud-native environments. Real-time runtime telemetry has become the central axis for security prioritization.
This article provides a deep analysis of the Forrester Wave results and a practical guide to building a production-grade runtime-first CNAPP stack using only CNCF open-source projects — without commercial licenses.
Forrester Wave CNAPP Q1 2026 — The Three Leaders
Forrester designated Wiz, Sysdig, and Qualys as Leaders. Here's what differentiates each:
| Vendor | Key Strength | Runtime Strategy | AI Integration |
|---|---|---|---|
| Wiz | Highest Current Offering score; perfect scores in 10 of 12 criteria including CSPM and IaC Security | Agentless + runtime sensor hybrid; Attack Path Analysis for exploitability prioritization | Agentic AI Copilot (perfect score), native AI-SPM |
| Sysdig | Runtime-first philosophy; above-average customer feedback; built on open-source Falco | Kernel-level syscall analysis (Falco); unified posture + vulnerability + runtime telemetry | Agentic AI analyst with 76% MTTR reduction |
| Qualys | Top pricing transparency; 20+ years of vulnerability management data | Unified agent-based runtime protection with automatic workload-vulnerability correlation | Agentic AI Copilot (perfect score) |
All three leaders share a strategic direction: runtime-context-based priority decisions. Among thousands of CVEs, only those actually exploitable in production — exposed to external networks and reachable through attack paths — are surfaced, dramatically reducing alert fatigue.
What Is the Runtime-First Paradigm?
Traditional cloud security focused on Shift-Left: scanning images, validating IaC, and generating SBOMs in CI/CD pipelines. This approach remains valuable but has a fundamental limitation: what's safe at build time isn't guaranteed to be safe at runtime.
Runtime-first inverts this model. It observes running workloads at the kernel level in real time, using that runtime context to determine security priorities. When a container spawns an unexpected process, accesses sensitive files, or initiates anomalous network connections, the system detects and blocks it immediately.
| Aspect | Shift-Left (Build Time) | Runtime-First (Production) |
|---|---|---|
| Detection Point | CI/CD pipeline | Running production workloads |
| Data Source | Image manifests, SBOM, IaC | syscalls, network flows, file access, process trees |
| Priority Basis | CVSS score + known exploits | Actual reachability + runtime exposure + attack path |
| Alert Noise | Thousands of CVE alerts → fatigue | Only exploitable items → 95% noise reduction |
| Core Technology | Trivy, Grype, Checkov, Cosign | Falco, KubeArmor, Tetragon, eBPF |
Open-Source Runtime-First CNAPP Stack Architecture
While commercial CNAPP solutions demand significant licensing costs, combining CNCF open-source projects can build a production-grade CNAPP stack. The architecture consists of four layers:
1. Falco — CNCF Graduated Runtime Threat Detection Engine
Falco is a CNCF Graduated project that captures kernel-level syscalls via eBPF or kernel modules, combining them with container/Kubernetes metadata for real-time threat detection. Version 0.43.0 (January 2026) expanded the plugin architecture to support AWS CloudTrail, GitHub Audit Logs, and Okta events. It's also officially available as an Amazon EKS Add-on.
# Falco DaemonSet — Helm values.yaml
driver:
kind: ebpf
ebpf:
leastPrivileged: true
falcosidekick:
enabled: true
config:
slack:
webhookurl: "https://hooks.slack.com/services/..."
minimumpriority: "warning"
prometheus:
enabled: true
customRules:
custom-rules.yaml: |-
- rule: Crypto Mining Detection
desc: Detect cryptocurrency mining processes in containers
condition: >
spawned_process and container and
(proc.name in (xmrig, minerd, cpuminer, cgminer) or
proc.cmdline contains "stratum+tcp")
output: >
Crypto mining process detected
(user=%user.name container=%container.name
image=%container.image.repository
command=%proc.cmdline namespace=%k8s.ns.name)
priority: CRITICAL
tags: [cryptomining, runtime]
- rule: Sensitive Mount Detected
desc: Host sensitive path mounted in container
condition: >
container and evt.type = open and
(fd.name startswith /etc/shadow or
fd.name startswith /etc/kubernetes/pki)
output: >
Sensitive file access detected
(file=%fd.name user=%user.name
container=%container.name pod=%k8s.pod.name)
priority: WARNING
tags: [filesystem, sensitive-access]
2. KubeArmor — LSM/eBPF Runtime Enforcement
While Falco specializes in detection, KubeArmor focuses on enforcement. This CNCF Sandbox project uses Linux Security Modules (AppArmor, BPF-LSM, SELinux) to proactively block process execution, file access, and network connections at the pod/container level — all managed declaratively via Kubernetes CRDs without host-level configuration changes.
# KubeArmor Security Policy — Workload Hardening
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
name: block-package-manager
namespace: production
spec:
selector:
matchLabels:
app: api-server
process:
matchPaths:
- path: /usr/bin/apt
- path: /usr/bin/apt-get
- path: /usr/bin/yum
- path: /usr/bin/pip
- path: /usr/bin/curl
- path: /usr/bin/wget
action: Block
file:
matchDirectories:
- dir: /etc/
readOnly: true
recursive: true
- dir: /root/.ssh/
readOnly: true
action: Block
network:
matchProtocols:
- protocol: raw # Block raw sockets (port scan prevention)
action: Block
3. Tetragon — Cilium eBPF Kernel-Level Observability
Tetragon is Cilium's runtime security component. Unlike Falco, it uses TracingPolicy CRDs to directly specify kernel function hooking points, enabling highly granular custom detection scenarios.
# Tetragon TracingPolicy — Privilege Escalation Detection
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: privilege-escalation-detect
spec:
kprobes:
- call: "security_bprm_check"
syscall: false
args:
- index: 0
type: "linux_binprm"
selectors:
- matchBinaries:
- operator: "In"
values:
- "/usr/bin/sudo"
- "/usr/bin/su"
- "/usr/bin/pkexec"
matchNamespaces:
- namespace: Pid
operator: NotIn
values:
- "host_ns"
matchActions:
- action: Sigkill
- action: NotifyEnforcer
4. Kubescape — Unified Posture Management (KSPM)
Kubescape evaluates Kubernetes cluster security posture against NSA/CISA hardening guides, CIS Benchmarks, and MITRE ATT&CK frameworks. Combined with runtime context, it filters static scan findings to only those active in production, eliminating 95%+ noise.
# Kubescape cluster security scans
# 1. NSA/CISA framework comprehensive scan
kubescape scan framework nsa \
--enable-host-scan \
--format json \
--output nsa-report.json
# 2. CIS Kubernetes Benchmark
kubescape scan framework cis-v1.23-t1.0.1 \
--exclude-namespaces kube-system
# 3. CI/CD integration — fail below threshold
kubescape scan framework mitre \
--compliance-threshold 80 \
--fail-threshold critical
# 4. Runtime vulnerability scan
kubescape scan image \
--runtime-context \
--severity-threshold high
Production Deployment — Unified Helm Stack
#!/bin/bash
set -euo pipefail
NAMESPACE="security-runtime"
kubectl create namespace ${NAMESPACE} --dry-run=client -o yaml | kubectl apply -f -
# 1. Falco — Runtime Threat Detection
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm upgrade --install falco falcosecurity/falco \
--namespace ${NAMESPACE} \
--set driver.kind=ebpf \
--set falcosidekick.enabled=true \
--set falcosidekick.config.prometheus.enabled=true \
--wait
# 2. KubeArmor — Runtime Enforcement
helm repo add kubearmor https://kubearmor.github.io/charts
helm upgrade --install kubearmor kubearmor/kubearmor \
--namespace ${NAMESPACE} \
--set kubearmor.defaultPosture.file=audit \
--set kubearmor.defaultPosture.network=audit \
--wait
# 3. Tetragon — eBPF Kernel Observability
helm repo add cilium https://helm.cilium.io
helm upgrade --install tetragon cilium/tetragon \
--namespace ${NAMESPACE} \
--set tetragon.enableProcessCred=true \
--set tetragon.enableProcessNs=true \
--wait
# 4. Kubescape — Posture Management
helm repo add kubescape https://kubescape.github.io/helm-charts
helm upgrade --install kubescape kubescape/kubescape-operator \
--namespace ${NAMESPACE} \
--set capabilities.continuousScan=enable \
--set capabilities.vulnerabilityScan=enable \
--set capabilities.runtimeDetection=enable \
--wait
echo "CNAPP Runtime Stack deployed to namespace: ${NAMESPACE}"
Tool Role Matrix and Selection Guide
| Capability | Falco | KubeArmor | Tetragon | Kubescape |
|---|---|---|---|---|
| CNCF Status | Graduated | Sandbox | Cilium sub-project | Sandbox |
| Threat Detection | ● | ◐ | ● | ○ |
| Runtime Enforcement | ○ | ● | ● | ○ |
| Posture Management | ○ | ○ | ○ | ● |
| Network Policy | ○ | ◐ | ● | ○ |
| Cloud Audit | ● | ○ | ○ | ◐ |
| Technology Base | eBPF/kmod + plugins | LSM + eBPF | eBPF kprobe/tracepoint | K8s API + OPA |
Phased adoption recommendation: Start with Falco (detection) + Kubescape (posture) for visibility, then add KubeArmor in audit mode to validate false positives, and finally integrate Tetragon + Cilium network policies for complete runtime protection.
Real-World Scenario: CVE-2026-1580 Ingress-NGINX RCE Response
CVE-2026-1580, disclosed in February 2026, enables remote code execution through NGINX configuration injection via the auth-method annotation in Ingress-NGINX Controller. In default installations, the controller has access to all cluster-wide Secrets, making successful exploitation catastrophic. A runtime-first CNAPP stack defends against this in multiple layers:
- Kubescape detects vulnerable controller versions during continuous scanning
- Kyverno admission policy blocks malicious annotation values at deploy time
- Falco custom rules detect unexpected process spawning inside ingress-nginx containers
- KubeArmor policies harden the controller workload, blocking writes outside expected paths
Conclusion — 2026 CNAPP Strategy Roadmap
As Forrester Wave Q1 2026 clearly demonstrates, the CNAPP market is converging on runtime-first. Static scanning alone cannot address dynamic threats in cloud-native environments. Real-time runtime telemetry has become the foundation for security decision-making.
This shift isn't limited to commercial solutions. CNCF open-source projects like Falco, KubeArmor, Tetragon, and Kubescape have reached production-grade maturity. When properly combined, they can build a runtime security posture comparable to commercial CNAPP platforms.
The key is phased adoption: start with detection and visibility, validate in audit mode, then gradually transition to enforcement. Hasty blocking policies can cause service outages — collect sufficient runtime data before tightening policies.
This article was written with the assistance of AI (Claude Opus 4.6). Technical accuracy was cross-verified against official documentation. | © 2026 ManoIT
Originally published at ManoIT Tech Blog.
Top comments (0)