CXO Bytes

Should You Choose Agentless or Agent-Based for CNAPP?

by Amol Kulkarni

It’s the current great debate among DevOps teams: Which cloud-native application protection platform (CNAPP) approach is best-suited to protect your cloud environments? Is an agent-based or agentless approach the ideal strategy?

Cloud environments and their security needs are becoming more dynamic and complex due to modern applications featuring mixed workloads, multi-cloud environments and different runtimes. As a result, securing the modern IT infrastructure of today is substantially different than it was a few years ago. This shift is forcing DevOps teams to make choices about the best approach to secure this dynamic environment.

So which approach is best for your organization? Do you choose an agent-based security approach with a sensor in every host? Or an agentless approach, which doesn’t require agents installed on systems and has monitoring solutions integrated into the cloud control plane?

The answer is both.

In the face of today’s evolving threat landscape, organizations should look for a CNAPP solution that uses agentless and agent-based scanning to meet their security needs.

Consider what DevOps teams are facing today. They are up against adversaries that are faster – with a breakout time of less than 30 minutes for 30% of attacks – and more sophisticated. Today’s threat actors are laser-focused on trying to break through organizations’ cloud environments: CrowdStrike data showed a 288% growth in cloud workload attacks in 2022.


DevOps teams are running into several obstacles when it comes to defending their cloud environments from these modern threats. Their top challenges include:

  • Lack of Visibility:The dynamic nature of hybrid and multi-cloud environments creates complexity for security monitoring, which opens the door for shadow IT. Since many organizations split responsibilities among DevOps, security and IT teams, blind spots can originate when attackers move laterally across environments from cloud to endpoint.
  • Shared Responsibility Model: It’s common for organizations to lack a clear understanding of who is in charge of securing cloud workloads, as well as any applications, data or activity associated with them. This can result in organizations unknowingly running workloads in the cloud that are not fully protected, making them vulnerable to attacks that target the operating system, data or applications.
  • Increased Costs and Operational Overhead: The use of multiple cloud security tools can lead to fragmented approaches that increase costs and complexity. In fact, 99% of cloud failureswill be the customer’s fault due to mistakes like cloud misconfigurations. When DevOps teams have to pivot between cloud security tools, they’re often using multiple dashboards, which can hinder their response time.


So how can a CNAPP approach that’s both agent-based and agentless help DevOps teams address these challenges?

Protecting the Cloud with Agent-Based and Agentless CNAPP Capabilities

We know when it comes to defending on-premises environments, agent-based security gives DevOps teams sufficient coverage of endpoints and enables them to monitor workloads without interruption. This is crucial when they need to prevent unauthorized access to file directories, detect malware and block suspicious endpoints and images.

DevOps teams can benefit from agent-based solutions like cloud workload protection (CWP) to gather event data generated by endpoints and cloud workloads. This approach leverages agents deployed to cloud workloads and containers. If done right, these are bolstered with cloud-native indicators of attack (IOAs), machine learning and proactive, hands-on threat hunting to ensure you have complete coverage.

For cloud and hybrid environments, however, having a dual agent and agentless approach works exceptionally well because it gives DevOps teams the flexibility they need to deploy the type of protection they need regardless of their environment.

In environments where agents can’t be deployed, agentless solutions can be useful for DevOps teams focused on cloud security posture management (CSPM) because they provide visibility into potential risks and vulnerabilities, non-compliance and control plane protection. Further, the use of agentless CSPM solutions reduces friction and complexity across multi-cloud environments and accounts.

Another area where a mixed approach is beneficial for DevOps teams is cloud resource discovery and identifying misconfigurations. Agentless CSPM solutions can integrate with cloud infrastructure entitlement management (CIEM) to improve visibility, prioritize threats, reduce alert fatigue and more quickly address issues. These capabilities are fast and easy to deploy and serve as the foundation of a strong cloud security program. If you combine this with an agent-based CWP approach, your security teams will have the end-to-end protection and insights needed from their CNAPP solution to respond faster and enable DevOps teams to build safely in the cloud.

As modern adversaries become more sophisticated than ever, it is imperative that DevOps teams have a flexible security strategy to gain the proper level of protection against evolving cloud threats. With adaptable capabilities, organizations can adjust their security approach to meet the needs of their cloud environment.


(The author is Amol Kulkarni, Chief Product and Engineering Officer, CrowdStrike, and the views expressed in this article are his own)

Leave a Response