Cloud Security Has Spent 20 Years Producing Signals, Never Decisions
Security researcher Scott Piper published a twenty-year retrospective on cloud security in March 2026, dividing the field into four eras: Foundational (2006–2016), CSPM (2016–2021), CNAPP (2021–2025), and AI (2025–present). Each era introduced new tools with distinct core actions — matching, aggregating, and scoring — but all produced the same category of output: signals requiring human interpretation. No era has yet delivered a tool whose output is a machine-readable verdict that can directly gate a pipeline without human triage. The distinction drawn is between a 'finding,' which enters a human review queue, and a 'verdict,' which carries a deterministic compliance result an automated system can act on. The analysis argues this gap — two decades of signals but no decisions — is the defining structural limitation that cloud security tooling has yet to solve.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in