This Lacework review examines a cloud security platform that has carved out a distinct position in the CNAPP (Cloud-Native Application Protection Platform) market through its behavioral analytics engine called Polygraph. Unlike rule-based security tools that depend on predefined threat signatures, Lacework ingests telemetry from cloud workloads, containers, Kubernetes clusters, and IAM configurations, then builds a behavioral baseline to flag anomalies. The platform supports AWS, Azure, and Google Cloud, making it relevant for organizations running multi-cloud infrastructure. For security teams drowning in alert noise from misconfigured rules, Lacework's machine-learning approach offers a fundamentally different operating model.
Overview
Lacework operates as a unified cloud security platform that consolidates workload protection, configuration auditing, vulnerability scanning, and threat detection into one product, collecting data both through a host agent and agentlessly through cloud provider APIs. The company was founded in 2015 and gained traction among mid-market and enterprise teams looking to move beyond bolt-on security tools that required constant tuning.
The platform's core differentiator is its Polygraph Data Engine, which continuously observes process behavior, network connections, file activity, and user actions across cloud environments. Rather than relying on static rules that generate thousands of low-value alerts, Polygraph builds a graph of normal behavior and surfaces deviations that actually matter. This approach reduces alert volume significantly -- Lacework claims up to 95% fewer alerts compared to rule-based alternatives.
Lacework also provides Cloud Security Posture Management (CSPM), Infrastructure as Code (IaC) scanning, and container image vulnerability analysis, positioning it as a platform play rather than a point solution.
Key Features and Architecture
Lacework's architecture centers on three pillars: data collection, behavioral modeling, and contextual alerting.
Data Collection Layer. Lacework deploys a lightweight agent on workloads (EC2 instances, Kubernetes nodes, bare-metal hosts) that captures system-level telemetry -- process trees, network flows, file integrity changes, and DNS queries. For agentless coverage, the platform integrates via cloud provider APIs to pull CloudTrail logs, VPC Flow Logs, Azure Activity Logs, and GCP Audit Logs. This dual approach means teams can get visibility into both host-level and cloud-control-plane activity without choosing one over the other. The two sources are not interchangeable, though: the API logs record who called which cloud API, while only the agent sees which processes ran and what they connected to, so a workload without an agent is visible only through its control-plane footprint.
Polygraph Behavioral Analytics. The Polygraph engine ingests collected telemetry and constructs a behavioral graph for each environment. It maps relationships between users, machines, containers, and applications over a baseline period (typically 7-14 days). Once the baseline stabilizes, Polygraph identifies deviations: a container suddenly making outbound connections to an unfamiliar IP, a service account accessing resources it has never touched, or a process spawning a child that deviates from its historical pattern. Each anomaly gets a severity score based on how far it deviates from the baseline and how many correlated anomalies are occurring simultaneously. One consequence worth planning for: the baseline records whatever it observes, so an attacker already active, or a misconfigured job already beaconing, during the learning window is learned as normal and will not be flagged afterwards unless an analyst reviews what the baseline contains.
Composite Alerts. Rather than firing one alert per anomaly, Lacework groups related anomalies into composite alerts that tell a story. A single composite alert might combine an unusual login location, privilege escalation, and data exfiltration attempt into one actionable incident. This dramatically cuts investigation time.
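To make the two paragraphs above concrete, the following is an added example, not Lacework's code or the Polygraph engine: a toy behavioral baseline over constructed host telemetry that learns process-spawn, user-on-host and process-to-destination edges for a learning window, flags edges it has never seen once that window closes, and folds anomalies that share a host and day into one composite alert whose score rises with the number of correlated findings. The telemetry, the edge kinds, the 7-day window and the severity weights are all assumptions chosen for the illustration. It also shows the learning-window failure mode: a beacon that is already present during the baseline is recorded as normal and is never flagged.

```python
# Added illustration, not Lacework code: a behavioral baseline and composite
# alerts over constructed host telemetry. Edge kinds, severity weights and
# the 7-day window are assumptions chosen for the example.
from collections import defaultdict, namedtuple

BASELINE_DAYS = 7                                   # assumed learning window
BASE_SEVERITY = {"net": 5, "user": 4, "spawn": 3}   # assumed weight per edge kind

Anomaly = namedtuple("Anomaly", "day host kind detail")
CompositeAlert = namedtuple("CompositeAlert", "host day anomalies severity")


def _week(host, user, proc, parent, dst):
    """The same event on every day of the learning window."""
    return [{"day": d, "host": host, "user": user, "proc": proc,
             "parent": parent, "dst": dst} for d in range(1, BASELINE_DAYS + 1)]


# Constructed telemetry (not real data); dst is "ip:port" or "-" for no socket.
TELEMETRY = [
    # normal week: web tier talks to the db tier and the metadata service
    *_week("web-1", "app", "nginx", "systemd", "10.0.2.5:5432"),
    *_week("web-1", "app", "python3", "gunicorn", "169.254.169.254:80"),
    *_week("build-1", "ci", "git", "bash", "140.82.112.3:443"),
    # baseline poisoning: a cron job already beaconing to an odd host during
    # the learning window is recorded as normal and will never be flagged
    *_week("build-1", "ci", "curl", "cron", "203.0.113.9:443"),
    # day 9, web-1: the web worker drops to a shell, escalates, calls out
    {"day": 9, "host": "web-1", "user": "app", "proc": "sh", "parent": "gunicorn", "dst": "-"},
    {"day": 9, "host": "web-1", "user": "root", "proc": "sudo", "parent": "sh", "dst": "-"},
    {"day": 9, "host": "web-1", "user": "root", "proc": "curl", "parent": "sudo", "dst": "198.51.100.7:443"},
    # day 9, build-1: the poisoned edge recurs
    {"day": 9, "host": "build-1", "user": "ci", "proc": "curl", "parent": "cron", "dst": "203.0.113.9:443"},
    # day 10, web-1: the usual database connection
    {"day": 10, "host": "web-1", "user": "app", "proc": "nginx", "parent": "systemd", "dst": "10.0.2.5:5432"},
]


def edges(ev):
    """Graph edges one event contributes: who ran on the host, which parent
    spawned which process, and which process talked to which destination."""
    yield ("user", ev["host"], ev["user"])
    yield ("spawn", ev["host"], ev["parent"], ev["proc"])
    if ev["dst"] != "-":
        yield ("net", ev["host"], ev["proc"], ev["dst"])


def build_baseline(events, baseline_days=BASELINE_DAYS):
    """Every relationship observed during the learning window, benign or not."""
    return {e for ev in events if ev["day"] <= baseline_days for e in edges(ev)}


def describe(edge):
    if edge[0] == "user":
        return f"user {edge[2]} active on host for the first time"
    if edge[0] == "spawn":
        return f"{edge[2]} spawned {edge[3]}, never seen in baseline"
    return f"{edge[2]} connected to unfamiliar destination {edge[3]}"


def detect(events, baseline, baseline_days=BASELINE_DAYS):
    """Flag each never-before-seen edge once per day after the window closes.
    Nothing is flagged during the window itself: the model is still learning."""
    reported, found = set(), []
    for ev in events:
        if ev["day"] <= baseline_days:
            continue
        for e in edges(ev):
            if e in baseline or (ev["day"], e) in reported:
                continue
            reported.add((ev["day"], e))
            found.append(Anomaly(ev["day"], ev["host"], e[0], describe(e)))
    return found


def composite_alerts(anomalies, cap=10):
    """Group anomalies sharing a host and day into one alert; every extra
    correlated anomaly raises the score, so an isolated new edge stays low."""
    groups = defaultdict(list)
    for a in anomalies:
        groups[(a.host, a.day)].append(a)
    alerts = []
    for (host, day), group in sorted(groups.items()):
        base = max(BASE_SEVERITY[a.kind] for a in group)
        alerts.append(CompositeAlert(host, day, group, min(cap, base + 2 * (len(group) - 1))))
    return alerts


def run(events=TELEMETRY):
    return composite_alerts(detect(events, build_baseline(events)))


if __name__ == "__main__":
    for alert in run():
        print(f"[{alert.severity}/10] {alert.host} day {alert.day}: "
              f"{len(alert.anomalies)} correlated anomalies")
        for a in alert.anomalies:
            print("   -", a.detail)
```

Run as a script, this produces a single composite alert for web-1 on day 9 carrying five anomalies (new shell spawned by the web worker, root active for the first time, the sudo and curl spawns, and the outbound connection to 198.51.100.7), while the cron beacon on build-1 never appears because it was part of the baseline. A real engine weighs deviation distance, entity relationships and time windows far more carefully than this, but the shape of the trade-off is the same: correlation is what turns five low-value findings into one incident, and the baseline is only as clean as the environment was when it was learned.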
Additional Capabilities. The platform includes CIS benchmark scanning for cloud accounts, a Kubernetes admission controller integration that can block non-compliant images or workloads at deploy time, and a vulnerability scanner that assesses container images and host packages against CVE databases. The API is well-documented, and a Terraform provider is available for managing the deployment as infrastructure as code.
Ideal Use Cases
Lacework fits best in organizations with the following characteristics:
Multi-cloud environments with 200+ workloads. The per-workload pricing model and behavioral analytics engine deliver the most value at scale, where rule-based tools become unmanageable. Teams running across AWS, Azure, and GCP benefit from a single pane of glass rather than stitching together provider-native tools like GuardDuty, Defender for Cloud, and Security Command Center.
DevOps-driven organizations with container-heavy architectures. Teams running Kubernetes at scale need runtime protection that adapts to ephemeral workloads. Lacework's ability to baseline container behavior without writing custom rules makes it practical for environments where containers spin up and down constantly.
Security teams with limited headcount. Because Polygraph reduces alert noise and groups anomalies into composite alerts, smaller security teams (3-8 analysts) can operate Lacework without dedicating full-time staff to alert triage and rule maintenance.
Compliance-driven enterprises. Organizations needing continuous CIS, SOC 2, PCI DSS, or HIPAA compliance monitoring across cloud accounts will find the built-in compliance dashboards useful for audit preparation.
Pricing and Licensing
Lacework uses enterprise pricing with annual contracts. There is no free tier, no self-service signup, and no monthly billing option. All pricing discussions go through the sales team.
The pricing model is per-workload, calculated based on the total count of cloud resources (compute instances, containers, serverless functions) under management. Typical contracts start around $36,000 to $60,000 per year for mid-size deployments, which generally covers a few hundred workloads across one or two cloud accounts.
Polygraph anomaly detection is included in all plans -- it is not an add-on module. This is worth noting because some competitors charge separately for behavioral analytics or advanced threat detection capabilities.
Larger deployments with thousands of workloads or complex multi-cloud footprints will see pricing scale accordingly, and volume discounts are available for multi-year commitments. The annual contract requirement means Lacework is not a tool teams can trial at low cost; the sales-driven model targets organizations with established cloud security budgets.
For teams evaluating total cost of ownership, factor in the reduced operational cost from lower alert volumes. Organizations replacing multiple point tools (a CSPM vendor, a separate workload protection agent, and a standalone vulnerability scanner) may find the consolidated pricing competitive despite the high entry point.
Pros and Cons
Pros:
- Polygraph behavioral analytics dramatically reduces false positives and alert fatigue compared to rule-based alternatives
- Composite alerts group correlated anomalies into single incidents, cutting investigation time
- Multi-cloud support across AWS, Azure, and GCP from a single platform
- Agentless and agent-based deployment options provide flexibility
- Built-in compliance frameworks (CIS, SOC 2, PCI DSS, HIPAA) reduce audit preparation overhead
- Strong container and Kubernetes runtime protection without custom rule writing
Cons:
- High entry price ($36,000+/year) puts it out of reach for startups and small teams
- No free tier or self-service option for evaluation; requires sales engagement
- 7-14 day baseline period means threat detection is limited during initial deployment
- Limited value for single-cloud or small-workload environments where simpler tools suffice
Alternatives and How It Compares
The cloud security platform market has several alternatives worth evaluating alongside Lacework.
Orca Security is the closest direct competitor, also offering a CNAPP with agentless scanning and multi-cloud support. Orca's SideScanning reads snapshots of workload disks through the cloud provider's APIs instead of running an agent, which means faster initial deployment but visibility into state at scan time rather than into live process and network behavior, so its runtime anomaly detection is shallower. Pricing is similar, with enterprise contracts starting around $36,000 to $60,000 per year.
DefenceNet takes a different approach, focusing on proactive cybersecurity with AI-driven blocking of phishing and malicious links. It operates at the network perimeter rather than the cloud workload level, making it complementary to Lacework rather than a direct replacement.
CodeWatchdog targets code review and security auditing of AI-generated codebases, starting at $9 per month. It occupies the shift-left security space and does not overlap with Lacework's runtime protection capabilities.
PromptBrake specializes in AI and LLM security testing, starting at $79 per month. It addresses a narrow but growing segment -- prompt injection and data leak prevention -- that falls outside Lacework's scope entirely.
For teams needing deep cloud runtime protection with behavioral analytics, Lacework remains one of the few platforms that builds a true behavioral graph rather than relying on static rules. The trade-off is the high price floor and lack of a low-commitment entry path.