Cloud Security Engineer Tool Stack 2026

Secure the cloud. From IaC to runtime — the full cloud security stack.

💰 $120,000 – $190,000 · 📊 Senior

A Cloud Security Engineer designs, implements, and monitors security controls across AWS, Azure, and GCP environments.

CSPM & Posture Management

Detect misconfigurations across cloud accounts.

  • Wiz CNAPP — Agentless cloud security with AI-powered risk prioritization across VMs, containers and serverless.
  • Prisma Cloud CNAPP — Comprehensive cloud-native application protection with code-to-cloud security coverage.
  • Orca Security Platform — Agentless CNAPP with AI-powered risk prioritization and full cloud estate visibility.
  • Prowler Cloud Security — Open-source cloud security tool performing AWS, Azure and GCP security assessments and compliance.

Container & K8s Security

Protect containers from build to runtime.

  • Aqua Security Platform — Cloud-native security platform protecting containers, serverless and VMs from build to runtime.
  • Sysdig Secure Platform — Cloud and container security with runtime threat detection powered by open-source Falco engine.
  • Trivy — Open-source vulnerability scanner for container images, filesystems and Kubernetes clusters.
  • Falco Runtime — Open-source cloud-native runtime security with real-time threat detection for containers and Kubernetes.
  • Kubescape — Open-source Kubernetes security platform with risk analysis, compliance and misconfiguration scanning.

IaC Scanning

Catch misconfigs before deployment.

  • Checkov IaC Scanner — Open-source static analysis for IaC, scanning Terraform, CloudFormation, Kubernetes and ARM templates.
  • Terrascan IaC — Open-source static code analyzer for IaC with 500+ security policies across cloud platforms.
  • TFSec Scanner — Open-source Terraform static analysis security scanner detecting potential misconfigurations.
  • Bridgecrew by Prisma — Developer-first IaC security with automated scanning for Terraform, CloudFormation and Kubernetes.

CIEM & Identity

Right-size cloud permissions.

  • Ermetic — Cloud infrastructure entitlement management with AI-powered permission analysis and remediation.
  • Sonrai Security — Cloud permissions and data security platform with identity governance and blast radius analysis.
  • Tenable Cloud Security — Cloud security with CIEM, CSPM and vulnerability management for multi-cloud environments.

Runtime Protection

Detect threats in running workloads.

  • CrowdStrike Falcon Cloud — Cloud workload protection with AI threat detection, runtime security and container scanning.
  • Sweet Security Runtime — Cloud runtime security platform using behavioral profiling for real-time threat detection.
  • Upwind Security — Runtime-powered cloud security platform combining CNAPP with real-time threat detection.

Frequently Asked Questions

What is the difference between CSPM and CNAPP?

CSPM focuses on misconfiguration detection. CNAPP combines CSPM + CWPP + CIEM + container security into one platform.

Which certification first?

Start with AWS Security Specialty or AZ-500 depending on your primary cloud.

Average salary?

$120K–$190K in the US. Staff roles at FAANG exceed $250K.