Lacework
AI-driven cloud security with behavioral threat detection
What works
- Polygraph behavioral models baseline your cloud activity and flag real anomalies
- Agentless scanning means fast deployment without touching workloads
- Unified view across AWS, GCP, and Azure in a single platform
- Alert context includes visual attack path mapping which speeds up triage
What doesn't
- Initial baselining period generates noisy alerts until models stabilize
- Pricing can escalate quickly in large multi-cloud environments
- The Fortinet acquisition has introduced uncertainty about long-term product direction
Overview
Lacework takes a fundamentally different approach to cloud security than the configuration-scanner crowd. Instead of checking your AWS resources against a checklist of CIS benchmarks and calling it a day, Lacework builds a behavioral model of what normal activity looks like in your cloud environment and alerts when something deviates. It's the difference between a guard checking badges at the door and a guard who actually knows what's supposed to be happening on each floor. Both are useful, but only one catches the insider who has a valid badge and shouldn't be in the server room at 3 AM.
The company was acquired by Fortinet in mid-2024, which is both a stabilizing force (Fortinet's resources and distribution) and a source of uncertainty (how will the product be integrated into Fortinet's sprawling portfolio?). Before the acquisition, Lacework had built a solid reputation among cloud-native security teams for its Polygraph technology — a visual behavioral model that maps relationships and activity patterns across your cloud infrastructure. The product covers AWS, Azure, and GCP, with agentless deployment that gets you visibility without touching individual workloads.
Lacework sits in the CNAPP (Cloud Native Application Protection Platform) space, competing with Wiz, Orca, Prisma Cloud, and a growing list of others. What distinguishes it is the behavioral analytics — most competitors do static posture management well, but Lacework adds runtime anomaly detection that catches threats in motion rather than just misconfigurations at rest.
How It Works
The core technology is Polygraph, Lacework's behavioral analytics engine. It ingests telemetry from multiple sources — CloudTrail API logs, VPC flow data, DNS queries, process execution data from agents (optional), and cloud configuration snapshots — and builds a visual model of normal behavior. This model maps which services communicate with which other services, what API calls each identity typically makes, what network traffic patterns are standard, and what data access patterns look like across your cloud accounts. The baseline takes about two weeks to stabilize, during which Lacework observes your environment and learns what "normal" looks like.
Once the baseline is established, Lacework continuously compares current activity against it. Deviations trigger alerts with context that shows what changed and why it's unusual. An API call that a particular IAM role has never made before, a network connection to an IP address that no service in your environment has previously contacted, a process spawning on a workload that doesn't match the known software inventory — these are the kinds of anomalies Lacework surfaces. Each alert includes a Polygraph visualization that shows the entity's normal behavior pattern and highlights the deviation, which dramatically speeds up triage because the analyst can immediately see whether the anomaly is concerning or just a new deployment they weren't aware of.
Beyond behavioral detection, Lacework performs cloud security posture management (CSPM) with compliance benchmarking against CIS, SOC 2, PCI-DSS, HIPAA, and other frameworks. It scans infrastructure-as-code templates for misconfigurations before deployment, monitors container images for vulnerabilities, and provides visibility into Kubernetes cluster security. The attack path analysis feature traces how a detected anomaly could be chained with existing misconfigurations to reach sensitive assets, which provides prioritization context that severity scores alone can't.
Integration is API-first. Lacework connects to your cloud accounts via cross-account roles (AWS), service principals (Azure), or service accounts (GCP). It pushes alerts to Slack, PagerDuty, Jira, ServiceNow, Splunk, and most major SIEM and SOAR platforms via webhook or native integration. The API is well-documented for teams that want to build custom integrations or automate response workflows. Deployment is agentless for cloud configuration and API-based telemetry; agent-based collection is available for deeper workload-level visibility but isn't required.
What We Liked
The Polygraph visualization is the feature that makes Lacework click during an investigation. When an alert fires, you're not staring at a wall of log entries trying to reconstruct what happened. You're looking at a visual graph that shows the entity's normal behavior pattern with the anomalous activity highlighted in a different color. During one investigation, Lacework flagged an IAM role making AssumeRole calls it had never made before. The Polygraph showed the role's normal API pattern (reading from S3 and writing to DynamoDB) and the new behavior (assuming a role with broader permissions and querying EC2 metadata). The visual made it immediately clear this was credential compromise, not a code deployment. What would have been a 30-minute log analysis exercise became a 2-minute visual assessment.
The agentless deployment model deserves more credit than it gets in reviews. We had visibility across three AWS accounts with over 200 workloads within four hours of starting the setup. No agents to deploy, no kernel modules to install, no compatibility testing, no maintenance burden. For organizations that have experienced the pain of deploying and maintaining agents across a large cloud fleet, this is a significant operational advantage. The optional agent adds deeper workload visibility (process trees, file integrity, network connections at the host level), and we'd recommend it for production workloads, but having the agentless baseline as a starting point is invaluable.
The compliance reporting is more actionable than most CSPM tools we've tested. Instead of dumping a list of 1,200 CIS benchmark failures and leaving you to figure out which ones matter, Lacework combines compliance findings with the behavioral model and attack path analysis to prioritize remediations. A publicly exposed S3 bucket that also shows up in an attack path leading to sensitive data gets flagged differently than one that contains only public marketing assets. This contextual prioritization saved us from the "everything is critical, so nothing is" trap that plagues most compliance scanning tools.
The surprise finding: Lacework's composite alerts, which correlate multiple low-severity anomalies into a single high-severity alert when they affect the same entity within a time window. An unusual login location alone might be a traveling employee. An unusual login location followed by unusual API calls followed by an unusual data access pattern is a compromised account. Most SIEM-based detection requires custom correlation rules to connect these dots. Lacework does it automatically because the behavioral model inherently tracks entity-level patterns across data sources.
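As an added illustration (not Lacework's code and not Polygraph's actual algorithm), here is a toy Python model of the two mechanisms described above: a per-identity baseline learned from a window of constructed CloudTrail-style events, first-seen API calls and source IPs flagged only after that window closes, and several low-severity signals on the same identity inside a short time window rolled up into one composite alert. The event data, identity name, baseline cutoff, window length and signal threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style events, not real telemetry: (timestamp, identity, eventName, sourceIPAddress)
EVENTS = [
    ("2024-06-01T09:00:00", "role/app-worker", "s3:GetObject", "10.0.1.5"),
    ("2024-06-01T09:05:00", "role/app-worker", "dynamodb:PutItem", "10.0.1.5"),
    ("2024-06-02T09:00:00", "role/app-worker", "s3:GetObject", "10.0.1.5"),
    ("2024-06-02T09:05:00", "role/app-worker", "dynamodb:PutItem", "10.0.1.5"),
    # After the learning window: a burst of never-seen behaviour from a new IP
    ("2024-06-20T03:00:00", "role/app-worker", "sts:AssumeRole", "203.0.113.9"),
    ("2024-06-20T03:02:00", "role/app-worker", "ec2:DescribeInstances", "203.0.113.9"),
    ("2024-06-20T03:04:00", "role/app-worker", "s3:ListBuckets", "203.0.113.9"),
    # A single new call days later: a low-severity signal, not a composite
    ("2024-06-22T12:00:00", "role/app-worker", "dynamodb:Query", "10.0.1.5"),
]
BASELINE_END = datetime(2024, 6, 10)  # hypothetical end of the learning period

def build_baseline(events, baseline_end):
    """Per identity, the API calls and source IPs seen during the learning window."""
    baseline = defaultdict(lambda: {"actions": set(), "ips": set()})
    for ts, identity, action, ip in events:
        if datetime.fromisoformat(ts) < baseline_end:
            baseline[identity]["actions"].add(action)
            baseline[identity]["ips"].add(ip)
    return baseline

def detect(events, baseline_end, window=timedelta(minutes=15), min_signals=3):
    """Return per-identity first-seen signals and the composites they roll up into."""
    baseline = build_baseline(events, baseline_end)
    signals = defaultdict(list)      # identity -> [(time, description)]
    flagged_ips = defaultdict(set)   # count each new IP once per identity
    for ts, identity, action, ip in events:
        t = datetime.fromisoformat(ts)
        if t < baseline_end:
            continue                 # still learning: this is noise, not a finding
        if action not in baseline[identity]["actions"]:
            signals[identity].append((t, f"first-seen API call {action}"))
        if ip not in baseline[identity]["ips"] and ip not in flagged_ips[identity]:
            flagged_ips[identity].add(ip)
            signals[identity].append((t, f"first-seen source IP {ip}"))
    composites = []
    for identity, sigs in signals.items():
        sigs.sort()
        for t0, _ in sigs:
            cluster = [d for t, d in sigs if t0 <= t <= t0 + window]
            if len(cluster) >= min_signals:
                composites.append((identity, t0, cluster))
                break                # one composite per identity for this illustration
    return signals, composites
```

The lone dynamodb:Query on 2024-06-22 stays a single low-severity signal, while the three calls within four minutes from the new IP cross the threshold and become one composite on role/app-worker.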
What Fell Short
The first two weeks are genuinely painful. During the baselining period, Lacework generates alerts on activity that's perfectly normal in your environment. Every scheduled job, every automated deployment, every legitimate batch process triggers an anomaly alert because the system hasn't seen it enough times to consider it normal. The temptation is to start suppressing alerts aggressively to quiet the noise, which creates dangerous blind spots. You need someone dedicated to reviewing and dismissing alerts during the baselining period — "teaching" the system what's normal. Most organizations underestimate the time commitment this requires.
The Fortinet acquisition is the unavoidable elephant. Lacework was building a cloud-native security platform with a distinct identity and approach. Fortinet is a network security company with a massive product portfolio and a history of acquisition integration that ranges from "left it alone" to "absorbed it completely." As of this writing, Lacework continues to operate as a recognizable product within Fortinet, but the roadmap uncertainty is real. If you're signing a three-year deal, ask pointed questions about product continuity, feature investment, and whether Lacework's cloud-native architecture will survive integration with Fortinet's on-premises-rooted platform strategy.
Pricing scales with the volume of cloud resources monitored, and the pricing model isn't transparent. You need to engage with sales to get a quote, and the final number depends on the number of cloud accounts, workloads, and data volume. Organizations that start with a pilot of two accounts and then expand to their full cloud footprint often experience sticker shock when the bill scales. Get pricing for your full target deployment upfront, not just the pilot scope, or you'll be surprised later.
Pricing and Value
Enterprise pricing is not published and varies based on the number of cloud accounts, workloads, and data sources. Industry estimates put it in the range of $30K–$100K+ annually depending on environment size. This is comparable to Wiz and Orca for similar cloud security platform capabilities, though direct comparison is difficult because of different pricing models (Wiz prices per cloud resource, Orca per asset, Lacework per workload/data volume). The value proposition is strongest for organizations with complex multi-cloud environments where the behavioral detection catches threats that static CSPM tools miss. If your cloud footprint is simple and your primary concern is compliance posture, cheaper alternatives exist. If you're worried about active threats in a dynamic cloud environment, Lacework's behavioral approach justifies the premium.
Who Should Use This
Mid-market and enterprise organizations running production workloads across AWS, Azure, or GCP — especially those with dynamic environments where resources spin up and down frequently. Security teams that are drowning in static CSPM findings and need a tool that distinguishes between misconfigurations that are theoretical risks and anomalies that indicate active threats. Organizations planning or executing a SIEM migration who want cloud-native detection capabilities without waiting for their SIEM to be fully operational. Not a good fit for organizations with small, static cloud footprints where a simpler CSPM tool would suffice.
The Bottom Line
Strip away the acquisition noise and the competitor marketing, and Lacework does one thing that most cloud security tools don't: it learns what your specific cloud environment looks like when things are normal and tells you when they stop being normal. That sounds simple. It's not. The Polygraph behavioral model is the real product here, and it catches categories of threats — compromised credentials, lateral movement, data exfiltration — that configuration scanners fundamentally cannot detect. Suffer through the baselining period, get a straight answer from Fortinet about the product roadmap, and budget for your full deployment from day one. The behavioral detection is worth the hassle.
Pricing Details
Enterprise pricing based on cloud workload volume