Raw CNAPP Data: Why It Matters and the Future of Cloud Security Analytics

Security today is as much about data operations as it is about firewalls or policies. CNAPP platforms (Cloud-Native Application Protection Platforms) collect an enormous volume of telemetry from cloud environments — configurations, vulnerabilities, API calls, identity mappings, runtime events.

Most teams consume this through the vendor’s UI, pre-built dashboards, and canned alerts. While useful, this often leaves the most valuable capability underused: direct access to the raw data.

Advantages of Having Raw CNAPP Data

1. Custom Querying for Unique Threat Models

Every company has its own risk profile. By pulling raw CNAPP data into a warehouse like Snowflake or a data lake, you can write queries that match your environment, not a generic template.

• Correlate IAM changes with high-risk resource exposure.
• Detect drift in security groups tied to sensitive workloads.
• Identify unusual API patterns across multiple accounts.

At Sprinklr, Lacework pushes enriched event data into Snowflake, and our security team writes targeted SQL to surface issues specific to our platforms — things the out-of-the-box dashboards might not even consider.

2. Cost-Effective at Multi-Cloud Scale

Multi-cloud environments make licensing painfully expensive — you often pay per account, per region, or per data volume, even when you’re storing the same type of telemetry twice.

• Warehouse economics: Store once in Snowflake/BigQuery, query many times.
• Vendor UI avoidance: Skip the seat-based or feature-tier pricing traps that lock critical capabilities behind “enterprise” SKUs.
• Consolidated views: Instead of flipping between dashboards for AWS, Azure, and GCP, unify them in one query layer.

3. Faster Compliance Point-Fixes

Certain compliance violations — like open S3 buckets, unencrypted databases, or missing IAM MFA — need to be fixed as soon as they’re detected to avoid audit failure or regulatory exposure.

• With raw data, you can instantly search for all instances across accounts.
• Run ad-hoc scripts to push fixes.
• Document remediation steps for auditors in real time.

With this approach, a point-fix script can be executed immediately — no waiting for the vendor’s UI refresh cycle.

4. Breach & Alert Response

When a security breach or critical alert comes in, speed matters:

• Query the full dataset, not just the subset a dashboard shows.
• Trace lateral movement by joining logs across services.
• Identify and revoke risky identities in minutes, not hours.

This turns the CNAPP from a slow “alert feed” into a real-time investigation engine.

The “What If” Scenario — Open-Source CNAPP Orchestration

Could we have an open-source CNAPP orchestration framework that:

• Ingests security data from multiple SaaS APIs and logs.
• Normalizes it into a central warehouse/lake.
• Provides a query layer and basic dashboards.
• Lets you plug in ML models or detection logic.

This could combine:

• Security Lake architectures (AWS Security Lake, GCP Chronicle).
• ETL tooling (Airbyte, dbt, Apache NiFi).
• Visualization (Superset, Metabase, Grafana).

And crucially — no vendor UI lock-in.

Closing Thoughts

Security vendors often say “security is about data”, but in practice, it’s about what you can do with that data. Raw CNAPP exports let your team:

• Cut costs in multi-cloud licensing.
• Respond to compliance violations immediately.
• Investigate breaches with full context.

At Sprinklr, our experience has been clear: owning our query layer lets us move faster, fix more precisely, and ask better questions. The next evolution could be a more open, interoperable, community-driven CNAPP pipeline — one where every security team has both the raw ingredients and the kitchen to cook their own insights.