Checkpoint vs Prisma Cloud Cloud Native Security Overview

Supports Azure Container RegistryClosed (ACR), AWS Elastic ContainerClosed Registry (ECR), Docker Hub Container Registry, Google Cloud Container Registry (GCR), Google Artifact Registry (GAR), Harbor Registry, JFrog Artifactory, Nexus, GitHub Container Registry, Quay.io Container Registry

Repo Scan - Nexus, Alibaba Cloud Container Registry, ECR, ACR, Docker Registry v2, GitLab Container Registry, GAR, GCR, Harbor, IBM Cloud Container Registry, JFrog Artifactory Docker Registry, OpenShift integrated Docker Registry, CoreOS Quay, Trigger Registry scans with webhooks

Does not support scanning windows images

Requires a Scanner to be deployed

Uses Spectral to scan for secrets, keys, misconfigured code and perform SCA. Does not provide DAST capabilities

Helps identify 3rd party dependencies and licensing issues(SCA), limited languages supported for SAST Does not provide DAST

Supports integrating with CI/CD for Shift left security

Integrates with CI/CD for software supply chain security

Application behavior Analysis using Runtime Protection mechanism that combines several engines to monitor kernel system calls, file access, and network activity

Runs in user space with capabilities of net_admin, sys_admin, sys_ptrace, mknod, and setfcap to interact with host and containers. IPTables to observe network traffic

Requires instrumenting the container runtime of each application with Prisma runC which is intrusive.

Can audit the activities on the cluster and limited visualization features

Created profiles based on behavior via profiling but can only send alerts when a violation of the profile is detected

Does not provide visibility into the identity structure of the Kubernetes clusters

Deny rules kill the container to stop the attack instead of stopping the malicious process

Can prevent files from being created but cannot prevent write/delete to existing files

Limited support. Certain activities like file modification cannot be prevented

Supports runtime protection in Kubernetes and AWS Serverless only

Supports RuleSets for CIS and provides Admission controller

Supports Admission Controllers

The On Premise agents need to be connected to the CloudGuard platform, it cannot be deployed On Prem

Supports on prem with some limitations

Supports both Agent based protection and Agentless scanning

Can deploy scanners for agentless scanning and provide agent based security

Uses proprietary runtime protection agent

Uses open source tools such as Checkov to perform scans

Does not ingest findings from open source scanners

Supports integrations with Proprietary tools

Integrates with SIEM, Ticketing and proprietary security tools

Can integrate with only Proprietary tools

IoT security solutions are available. Supports 5G infrastructure security

Supports 5G and IoT/Edge Security as separate modules

Provides KSPM capabilities

Provides benchmarking checks for kubernetes to identify misconfigurations and identity issues

AI security with Infinity Gen-AI Protect

Provides security for AI with AI-SPM module