
CNAPP Selling to the Cloud Security Architect — 60-Min Training

5/30/2026

Direct Answer

CNAPP (Cloud-Native Application Protection Platform) Selling to the Cloud Security Architect is a 60-minute training for AEs, SEs, and channel managers running $200K–$2.5M ACV cycles against incumbents like Wiz, Palo Alto Prisma Cloud, CrowdStrike Falcon Cloud Security, Orca Security, Lacework, Sysdig Secure, Microsoft Defender for Cloud, Check Point CloudGuard CNAPP, Aqua Security, Tenable Cloud Security, and Snyk Cloud.

The session teaches sellers to qualify against the three-buyer reality (Cloud Security Architect, CISO, DevSecOps Lead), run a structured discovery on toxic-combination economics, demo against the customer's actual cloud accounts, and trap-set the multi-year renewal at month 12.

Built on MEDDPICC, Force Management's Command of the Message, and Andy Paul's "Sell Without Selling Out" discovery cadence.


Section 1 — Why CNAPP Selling Is Different (5 min)

Open the room by killing the SaaS-seller default. CNAPP is the consolidation play — combining CSPM, CWPP, CIEM, container scanning, IaC scanning, and API security into one platform. The Cloud Security Architect runs the technical evaluation; the CISO funds the consolidation; the DevSecOps Lead validates CI/CD integration.

Set the frame on the whiteboard.

End the segment with Mark Roberge's rule: *"Sell the consolidation savings, not the feature count."*


Section 2 — The 60-Minute Discovery Block (15 min)

  1. Opening (3 min): "Walk me through your cloud security stack today — CSPM, CWPP, CIEM, container, IaC. What's consolidated and what's still point-tool?"
  2. Consolidation baseline (10 min): "How many cloud security point tools do you run today? 3+ consolidation candidates is the typical CNAPP buyer."
  3. Attack-path baseline (10 min): "What percentage of your team's effort goes against attack-path-level risks vs. individual findings? Top quartile runs 70%+ on attack paths."
  4. Container and Kubernetes coverage (10 min): "Are you running Kubernetes? EKS, AKS, GKE, OpenShift, Rancher? How are you securing pod admission and runtime?"
  5. CI/CD integration (8 min): "Does your CNAPP block bad-config commits at PR time? Pre-merge enforcement is the modern bar."
  6. Identity-and-permissions coverage (7 min): "Are you managing cloud entitlements with CIEM? CrowdStrike Falcon Cloud Security and Sonrai Security lead here."
  7. Renewal posture (5 min): "When are your various cloud-security contracts up? CNAPP rebundles often."

flowchart TD
    A[AE Schedules 60-Min Discovery] --> B[Send Pre-Brief 24 hrs Prior]
    B --> C{Cloud Arch + CISO + DevSecOps?}
    C -->|No| D[Reschedule No Exceptions]
    C -->|Yes| E[Consolidation + Attack Path 20 min]
    E --> F[Container + CI/CD 18 min]
    F --> G[Identity + Renewal 12 min]
    G --> H[Confirm POC Scope Workshop]
    H --> I[Agentless Connection in 30 min]
    I --> J[Joint Cloud Architect Review at Day 30]
    J --> K[Bind Decision at Day 60]

Section 3 — The POC That Wins (15 min)

Failure modes to ban. Single-domain POCs. No-attack-path output. Agent-only POCs that require platform-team engineering time.

Wins to coach. Agentless multi-cloud connection. Walk through Wiz's and Orca's published POC agendas — both connect to multi-cloud in under 30 minutes. Attack-path map delivered within 7 days. Show a named attack-path map for the customer's environment. Pre-merge enforcement live in CI. Demo blocking bad-config commits live.

End with Andy Paul's rule: *"Show the customer their attack paths closed, not your tool stack expanded."*


Section 4 — Handling the Incumbent Trap (10 min)

The room will face Wiz, Palo Alto Prisma Cloud, and CrowdStrike Falcon Cloud Security in eight of ten enterprise deals. Coach the room on three counter-moves.

Counter-move 1 — The attack-path wedge. Ask the Cloud Security Architect: *"What percentage of your incumbent's findings are attack-path-level? Top quartile is 70%+."*

Counter-move 2 — The consolidation-savings wedge. Ask the CISO: *"What's your total spend across CSPM, CWPP, CIEM, container, and IaC today? CNAPP consolidates these into 1–2 SKUs and saves 20–35% on TCO."*

Counter-move 3 — The Kubernetes runtime wedge. Ask the DevSecOps Lead: *"Does your incumbent run runtime detection on Kubernetes pods, or only at admission? Sysdig and CrowdStrike lead runtime."*

Show Force Management's command-of-the-message rule: *"Displace on consolidation savings, not on feature parity."*


Section 5 — Pricing Conversation and Procurement (10 min)

Landmine 1 — Per-workload vs. per-account pricing. Per-workload scales with microservices.

Landmine 2 — Multi-year discount math. Three-year deals justify 12–18% discount; five-year deals justify 22–28%.

Landmine 3 — The procurement-only meeting. Apply a no-procurement-only rule: refuse procurement-only meetings.

flowchart TD
    A[Joint Cloud Arch + CISO + DevSecOps] --> B[Per-Workload Proposal Issued]
    B --> C{Multi-Year Discount Aligned?}
    C -->|No| D[Reset to Retention Math]
    C -->|Yes| E[Consolidation Savings Modeled]
    E --> F{Procurement Solo Meeting?}
    F -->|Yes| G[Refuse Insist on Cloud Arch Joint]
    F -->|No| H[Joint Negotiation Session]
    G --> H
    H --> I[Onboarding Within 7 Days]
    I --> J[Attack-Path Scorecard Month 1]
    J --> K[Quarterly Cloud Architect Review]

Section 6 — The Trap-Set for Renewal at Month 12 (5 min)

Trap-set 1 — Attack-path remediation at 70%+ of effort within 6 months. The number is the renewal narrative.

Trap-set 2 — Tool consolidation completed within 9 months. Each point-tool retired locks in the renewal.

Trap-set 3 — Pre-merge enforcement on 100% of production repos within 6 months. Lock in shift-left discipline.

Trap-set 4 — Joint consolidation-savings dashboard in QBR. Build the savings dashboard into the QBR. By month 12, the dashboard is the renewal narrative.

Close the session by reading Jeb Blount's rule from *"Fanatical Prospecting"*: *"The renewal is sold on day one."*


FAQ

Should we lead with CSPM or with container security? Lead with whichever is the customer's largest open project — both are valid CNAPP entry points.

How do we handle a customer mid-Wiz or Prisma Cloud renewal? Run a complementary deployment in a non-overlapping area (e.g., CIEM while incumbent runs CSPM). Build proof for the displacement conversation at renewal.

What is the right POC size for a Tier-1 enterprise? 60 days, full multi-cloud account inventory, attack-path map and consolidation TCO delivered.

How do we price against Wiz's market-leader positioning? Wiz wins on agentless onboarding speed; we win on runtime detection and CIEM breadth. Position complementary at the entry tier.

What if the customer asks us to integrate with their existing SIEM and ticketing? Yes — every modern CNAPP integrates with Splunk, Sentinel, ServiceNow, Jira. Demo live in the POC.
