Cloud Sentry
Cloud-native security without the enterprise stack

A strong security posture comes from operating the controls already inside AWS and M365, not from buying a six-figure tooling stack.

The line item you cannot defend

You got the mandate in the same meeting where the board asked two questions back to back: are we secure, and why is the security budget what it is? Now you are staring at a vendor proposal that promises a posture management platform, a separate detection product, an identity governance suite, and a managed service to watch all three. Each one is reasonable on its own. Stacked together, they add up to a number that would fund a third of an engineering team, and you have to walk into the next meeting and defend it.

So you do the math the way a tech leader does it. You ask what each tool catches that you are not already covering. And the more you ask, the more the answer comes back the same: the capability already exists in the cloud accounts you run. Amazon Web Services (AWS) ships threat detection. Microsoft 365 (M365) ships identity controls that a mid-sized company used to buy from three vendors. The proposal is not selling you capability. It is selling you the operation of capability you already own, wrapped in a logo and a renewal.

That is the gap worth understanding before you sign anything. The question is not whether the native controls are good enough. It is whether anyone is running them.

The controls are already in the account

Start with what AWS gives you the day you open an account. Amazon GuardDuty is a threat detection service that continuously watches your account for malicious activity and unauthorized behavior, analyzing logs and traffic without you deploying agents (AWS's own description of GuardDuty). AWS Control Tower sets up and governs a multi-account environment with guardrails baked in, so the structure that keeps environments clean is itself a native service (AWS's own description of Control Tower).

On the identity side, M365 carries similar weight. Microsoft Entra Conditional Access lets you write policies that decide who can sign in, from what device, under what conditions, and block everything else (Microsoft's own description of Conditional Access). And the highest-return control of all is close to free: Microsoft states that requiring multifactor authentication continues to reduce the risk of compromise by more than 99 percent (Microsoft's documentation on its managed Conditional Access policies).

Read that list again. Threat detection, account governance, conditional access, and multifactor authentication are the spine of an enterprise security program. For a company under a few hundred people, that spine is sitting in two consoles you already log into.

A six-figure stack often re-buys what you own

Here is where the proposal on your desk gets uncomfortable. Many of the platforms in a large security stack are aggregators. They pull findings from the cloud provider, normalize them, and present them in their own dashboard. That can be useful at scale. At your size, it frequently means you are paying a second vendor to show you data the first vendor already generated.

The pattern shows up in three predictable ways:

  • A posture tool reports misconfigurations that the native service already flags, and that Control Tower guardrails could prevent in the first place.
  • A detection product ingests the same findings GuardDuty produces, then charges you per event to display them.
  • An identity governance suite layers a workflow on top of Entra controls that, for a smaller team, Conditional Access and group policy already handle.

None of that makes the stack fraudulent. It makes it sized for someone else. The honest read is that a six-figure tooling budget buys real value when you have the volume and the team to justify it. Below that line, you are often funding overlap, and the overlap is the part you cannot defend to the board.

Posture is what you do with the controls

The reframe that gets a security mandate unstuck is this: posture is not the tools you own. It is whether the tools are configured, watched, and tuned. Security is an operational problem, not a tool problem, and that is true no matter how the budget is shaped.

Walk through what that means in practice. GuardDuty is on, but a finding only matters if a human reads it, decides whether it is real, and acts before it becomes an incident. Conditional Access is licensed, but it does nothing until someone writes the policy, tests it in report-only mode, and confirms it did not lock out the field team. Control Tower can govern many accounts, but the guardrails have to be set to your environment and kept current as it grows.
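The first of those steps, turning raw GuardDuty findings into something a human can actually work through, is small enough to show. This is an added example, not Cloud Sentry's code; the findings are constructed in the shape GuardDuty's get_findings returns, and the severity bands are the numeric ranges AWS publishes.

```python
"""Triage GuardDuty findings into a work queue (added example, not Cloud Sentry code)."""

# GuardDuty severity bands, from AWS's published numeric ranges.
BANDS = ((9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"), (0.1, "LOW"))

# Constructed sample findings in the shape get_findings returns. Assumed to come
# from an enabled detector: GuardDuty is enabled per account and per region.
SAMPLE_FINDINGS = [
    {"Id": "f-1", "Type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "Severity": 5.0,
     "Service": {"Count": 12, "Archived": False}, "Resource": {"ResourceType": "AccessKey"}},
    {"Id": "f-2", "Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 2.0,
     "Service": {"Count": 340, "Archived": False}, "Resource": {"ResourceType": "Instance"}},
    {"Id": "f-3", "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Severity": 8.0,
     "Service": {"Count": 3, "Archived": False}, "Resource": {"ResourceType": "Instance"}},
    {"Id": "f-4", "Type": "Recon:EC2/Portscan", "Severity": 5.0,
     "Service": {"Count": 1, "Archived": True}, "Resource": {"ResourceType": "Instance"}},
]


def band(severity: float) -> str:
    """Map GuardDuty's numeric severity to its named band."""
    for floor, name in BANDS:
        if severity >= floor:
            return name
    return "INFORMATIONAL"


def unarchived_criteria(min_severity: int = 4) -> dict:
    """FindingCriteria for list_findings: skip archived findings, floor on severity."""
    return {"Criterion": {"severity": {"Gte": min_severity},
                          "service.archived": {"Eq": ["false"]}}}


def triage(findings: list) -> list:
    """Drop archived findings, band the rest, sort worst-first, flag High/Critical."""
    queue = []
    for f in findings:
        if f["Service"].get("Archived"):
            continue  # already dispositioned by a human; leave it closed
        b = band(f["Severity"])
        queue.append({
            "id": f["Id"], "type": f["Type"], "band": b, "severity": f["Severity"],
            "count": f["Service"].get("Count", 1),  # repeat volume since first seen
            "resource": f["Resource"]["ResourceType"],
            "escalate": b in ("HIGH", "CRITICAL"),
        })
    # Highest severity first; within a band, the noisiest finding first.
    queue.sort(key=lambda q: (-q["severity"], -q["count"]))
    return queue
```

With real data you would pass unarchived_criteria() to list_findings and feed the get_findings result into triage; the escalate flag is where the human decision the paragraph describes begins.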

A control you bought but do not operate is not posture. It is a receipt.

That is the work a platform stack quietly assumes someone else is doing. Buying more dashboards does not add the hours to read them. For a company that already has the native controls and the cloud accounts, the missing piece has never been another product. It is the time and the context to run what is already there.

The honest floor, and where it ends

This is the part the proposal will not put in writing, so it is worth saying plainly. The native controls cover most of the real risk for most companies under a few hundred people, once someone operates them. That is the floor, and it is a strong one.

It is not unlimited. A company with regulated workloads that carry their own technical mandates, a large multi-account footprint with heavy custom infrastructure, or a security function it wants to build and grow in-house may genuinely outgrow the native tier. At that point a larger stack and a dedicated team can be the right call, and pretending otherwise would not serve you. The floor is for the long stretch where you need the work done well and cannot justify the spend.

So before you sign the proposal you cannot defend, walk back to the board's two questions. If the controls that make you secure are already in the accounts you run, what are you being asked to buy: capability, or someone to finally turn it on?
