Five Cloud Security Trends to Watch in 2025

January 15, 2025

Our State of Cloud Security 2025 report surveyed 1,200 enterprises across 14 industries. The full dataset runs 42 pages, but if you want the short version, here are the five trends that stand out most clearly in this year's numbers.

1. CNAPP consolidation is accelerating

The alphabet soup of cloud security tools (CSPM, CWPP, CIEM, KSPM) is collapsing into cloud-native application protection platforms. In 2023, 34% of respondents said they were evaluating CNAPP solutions. This year, that number hit 61%. The driver is straightforward: security teams are tired of correlating alerts across six different dashboards.

What the data also shows, though, is that consolidation does not automatically mean simplification. Organizations that moved to a CNAPP still report an average of 3.2 supplementary security tools running alongside it. The platform play reduces tool count, but it hasn't eliminated the need for specialized coverage in areas like runtime protection and secrets management.

2. Misconfiguration remains the top incident vector

For the third consecutive year, cloud misconfiguration is the most common root cause of security incidents. Sixty-eight percent of respondents reported at least one misconfiguration-related incident in the past 12 months. The usual suspects remain: overly permissive IAM policies, public storage buckets, and security groups with unrestricted ingress rules.

The more interesting finding is what organizations are doing about it. Policy-as-code adoption has grown from 18% to 37% year-over-year, with Open Policy Agent and HashiCorp Sentinel leading in adoption. But only 23% of organizations enforce these policies in their CI pipeline. The rest run them as informational checks that generate alerts but do not block deployments.
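The difference between an informational check and an enforced one comes down to the exit code the CI job returns. The sketch below is an added example, not part of the report or of any vendor's tooling: it stands in for an OPA or Sentinel policy using plain Python, and it assumes a Terraform plan exported with `terraform show -json` and AWS provider resource types. The function names `violations` and `gate` are hypothetical.

```python
import json

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
PUBLIC_ACLS = {"public-read", "public-read-write"}

# Constructed sample shaped like `terraform show -json` output (resource_changes only).
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_security_group.web", "type": "aws_security_group", "change": {"after": {
        "ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_security_group.db", "type": "aws_security_group", "change": {"after": {
        "ingress": [{"from_port": 5432, "to_port": 5432, "cidr_blocks": ["10.0.0.0/16"]}]}}},
    {"address": "aws_s3_bucket_acl.logs", "type": "aws_s3_bucket_acl",
     "change": {"after": {"acl": "public-read"}}},
    {"address": "aws_iam_policy.ci", "type": "aws_iam_policy", "change": {"after": {"policy":
        json.dumps({"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}}},
    {"address": "aws_s3_bucket_acl.old", "type": "aws_s3_bucket_acl", "change": {"after": None}},
]})

def _listify(value):
    return value if isinstance(value, list) else [value]

def violations(plan_json):
    """Return (address, rule) pairs for the three misconfigurations named above."""
    found = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        after = rc["change"].get("after") or {}  # null when the resource is being deleted
        if rc["type"] == "aws_security_group":
            cidrs = {c for r in after.get("ingress") or []
                     for c in (r.get("cidr_blocks") or []) + (r.get("ipv6_cidr_blocks") or [])}
            if OPEN_CIDRS & cidrs:
                found.append((rc["address"], "unrestricted-ingress"))
        elif rc["type"] == "aws_s3_bucket_acl" and after.get("acl") in PUBLIC_ACLS:
            found.append((rc["address"], "public-bucket-acl"))
        elif rc["type"] == "aws_iam_policy" and after.get("policy"):
            stmts = _listify(json.loads(after["policy"]).get("Statement", []))
            if any(s.get("Effect") == "Allow" and "*" in _listify(s.get("Action", []))
                   and "*" in _listify(s.get("Resource", [])) for s in stmts):
                found.append((rc["address"], "iam-wildcard"))
    return found

def gate(plan_json, enforce):
    """CI exit code: advisory mode reports but passes; enforce mode fails the job."""
    found = violations(plan_json)
    for address, rule in found:
        print(f"{'BLOCK' if enforce else 'WARN'} {rule}: {address}")
    return 1 if enforce and found else 0

if __name__ == "__main__":
    print("advisory:", gate(SAMPLE_PLAN, enforce=False), "enforce:", gate(SAMPLE_PLAN, enforce=True))
```

The same findings are produced in both modes; only the enforced run returns a non-zero status, which is what stops the pipeline before the plan is applied.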

3. The cloud security architect role is splitting

Two years ago, "cloud security" was typically one person's job or a small team's shared responsibility. The survey data shows a clear divergence: organizations above 500 employees are increasingly splitting cloud security into two distinct functions. One focuses on posture management and compliance (preventive controls, policy enforcement, audit readiness). The other focuses on detection and response (threat hunting, incident triage, forensics).

This split mirrors what happened in traditional security a decade ago, when "security engineer" diverged into offensive and defensive specializations. It also creates a hiring challenge. Finding someone who understands both cloud architecture and incident response was already difficult. Finding two such people, each with deeper expertise in their respective domain, is harder.

4. Multi-cloud security is worse than single-cloud security

This is not a new finding, but the gap is widening. Multi-cloud environments reported 2.4x more configuration drift events than single-cloud setups. Incident response in those environments also takes 34% longer, largely because tooling and runbooks have to account for different APIs, different logging formats, and different identity models.

The organizations managing multi-cloud security most effectively share a common trait: they have standardized on a single abstraction layer for identity. Whether it's a centralized identity provider federated across clouds or a service mesh with unified mTLS, the teams that solve identity first tend to solve everything else faster.

5. Detection speed is improving, but response speed is not

Mean time to detect cloud-specific breaches dropped from 197 days to 143 days year-over-year. That is meaningful progress, driven largely by better logging, more mature SIEM integrations, and the CNAPP consolidation mentioned above. But mean time to contain those same incidents barely budged: 73 days this year versus 78 days last year.

The bottleneck is not technical. Most respondents cited cross-team coordination as the primary factor slowing containment. Cloud incidents typically span multiple teams (cloud ops, application developers, security, and often legal or compliance). The organizations with the fastest containment times all have one thing in common: pre-defined incident playbooks with clearly assigned roles, practiced through regular tabletop exercises.

What this means for your planning

If you are building or revising your cloud security strategy this year, these five trends suggest a few priorities: invest in policy-as-code enforcement (not just scanning), clarify the organizational split between posture management and detection/response, and spend at least as much time on incident response playbooks as on new tooling evaluations.

The full report is available on our featured reports page.