Wiz Hits $490M ARR as CSPM Pricing Models Split the Market

Wiz's $490M ARR run rate resets buyer expectations for CSPM scale

Wiz reported approximately $490M in annual recurring revenue in April 2026, with 900 customers including 32% of the Fortune 100 and 15% of the Fortune 500. The company's agentless CSPM and cloud-native application protection platform (CNAPP) offering — covering AWS, Azure, and Google Cloud — grew more than 100% year-over-year in 2024–2025.

The revenue figure positions Wiz as the fastest-growing independent CSPM vendor at scale. Most private competitors report ARR in the tens of millions. Palo Alto Networks Prisma Cloud, CrowdStrike Falcon Cloud Security, and Microsoft Defender for Cloud remain the primary alternatives at enterprise scale, but none disclose CSPM-specific revenue.

For enterprise buyers, Wiz's scale changes the consolidation calculus. A vendor approaching $500M ARR is now a tier-1 strategic supplier, which reduces long-term support risk compared to smaller CSPM startups vulnerable to acquisition or pivot. That financial durability strengthens the argument to replace multiple point tools — CSPM, cloud infrastructure entitlement management (CIEM), and data security posture management (DSPM) — with a single CNAPP platform.

The trade-off: per-resource or per-account pricing becomes less flexible. Wiz's customer concentration in the Fortune 100 gives it less incentive to discount aggressively for mid-market buyers. Large enterprises should push for multi-year, multi-product bundles to secure discounts, particularly when consolidating CSPM, CIEM, and cloud workload protection platform (CWPP) spending into one contract.

CrowdStrike publishes per-workload CSPM pricing and bundles data protection

CrowdStrike launched Falcon Data Protection in Q2 2026, bundling Falcon Cloud Security (CSPM + CNAPP), data loss prevention, and data classification into a single offering. The company's updated partner documentation and public price cards list Falcon Cloud Security at $14–$18 per protected cloud workload per month for full CNAPP in enterprise tiers. CSPM-only configurations run $5–$7 per workload monthly. The Falcon Data Protection bundle raises that to $20–$24 per workload but includes DLP and data classification.

CrowdStrike's Falcon Cloud Security ARR exceeded $400M, according to recent earnings commentary. The company's $3.48B in subscription revenue (FY2025) and 34,000 customers give it scale to discount aggressively when attaching CSPM to existing endpoint contracts.

The per-workload pricing model contrasts sharply with Wiz and Orca Security, which price per cloud resource or account and do not publish standard list prices. For buyers, CrowdStrike's transparent pricing enables concrete five-year TCO modeling. A 10,000-workload estate at $6 per workload monthly costs $720,000 annually before discounting. Adding DLP and data protection in the Falcon bundle may land under $1M annually after enterprise discounts, undercutting standalone CSPM plus separate DLP vendors.

The consolidation pressure is deliberate. CrowdStrike's sales messaging emphasizes unified telemetry across endpoint, identity, and cloud. CISOs rationalizing tool sprawl can justify retiring at least one legacy CSPM or agent-based CWPP to fund the bundle without net-new budget. The question for buyers: does per-workload pricing scale better than per-resource pricing as cloud footprints grow, or does it penalize ephemeral infrastructure?

Two pricing models now dominate enterprise CSPM buying decisions

The Wiz and CrowdStrike announcements crystallize a market split. Agentless CSPM vendors like Wiz, Orca, and Lacework price per cloud account or resource. Agent-based or hybrid vendors like CrowdStrike, Palo Alto Networks, and SentinelOne price per workload or host.

Per-resource pricing favors buyers with large numbers of accounts but relatively fewer running workloads — common in financial services and healthcare, where isolated environments proliferate for compliance. Per-workload pricing favors buyers with dense, long-running compute infrastructure — common in SaaS and e-commerce, where ephemeral containers and serverless functions create resource sprawl but stable core workloads.

Neither model is inherently cheaper. A buyer with 500 AWS accounts and 8,000 persistent EC2 instances will pay less with per-workload pricing. A buyer with 200 accounts and 25,000 Lambda functions will pay less with per-resource pricing. The critical variable is resource-to-workload ratio, which most buyers do not measure until they model both pricing structures.

Market Research Future forecasts the CSPM market will reach $14.44B by 2035, implying a compound annual growth rate above 20%. That growth funds vendor feature parity — every major CSPM vendor now offers misconfiguration detection, compliance mapping, and threat detection — which shifts buying criteria from features to pricing model and platform consolidation.

What enterprise buyers should do now

Map your cloud estate to both pricing models before RFP. Calculate resource count (accounts, subscriptions, projects) and workload count (running instances, containers, databases). Model a three-year contract under both structures with 20%, 30%, and 40% annual growth assumptions. The vendor whose pricing scales linearly with your growth pattern wins, not the one with the lowest year-one cost.

Negotiate multi-year CSPM contracts only if bundled with CIEM, CWPP, or DSPM. Wiz's scale and CrowdStrike's endpoint consolidation strategy both push toward platform deals. A standalone CSPM contract leaves budget stranded when you need to add entitlement management or data classification six months later.

Test pricing assumptions against actual usage quarterly. Cloud estates grow unpredictably. A per-resource contract that looked cheap in year one becomes expensive when developers spin up 300 new accounts for microservices. A per-workload contract that looked expensive becomes a bargain when you migrate to serverless and reduce persistent compute by 40%. CSPM contracts without quarterly true-up clauses or usage-based pricing tiers lock you into the wrong economic model for 36 months.