AWS CSPM: Native Security Hub Stack vs Third-Party (Wiz, Orca) — 2026 Decision Guide

Quick summary: After Security Hub Essentials consolidated Inspector and CSPM into per-resource pricing (example: 500 units ≈ $1,875/mo), most AWS-only estates should run native first. This guide scores when Wiz/Orca-class tools earn a line item—and when paying twice for the same CVE is the real failure mode.

Key Takeaways

  • After Security Hub Essentials consolidated Inspector and CSPM into per-resource pricing (example: 500 units ≈ $1,875/mo), most AWS-only estates should run native first.
  • May 2026: AWS reorganized Security Hub Essentials into a single per-resource-unit price (500 resource units × $3.75/unit ≈ $1,875/month).
  • That pricing reset is the reason “CSPM on AWS” stopped meaning “buy a third-party console first.”
  • This post is a buyer decision guide for regulated SaaS and mid-market AWS estates—not a setup tutorial.

May 2026. AWS reorganized Security Hub Essentials into a single per-resource-unit price that folds in continuous posture management (CSPM), Amazon Inspector vulnerability scans, and unlimited re-scans—documented on the Security Hub pricing page with example arithmetic (500 resource units × $3.75/unit ≈ $1,875/month). That pricing reset is the reason “CSPM on AWS” stopped meaning “buy a third-party console first.”

This post is a buyer decision guide for regulated SaaS and mid-market AWS estates—not a setup tutorial. For GuardDuty versus Security Hub roles, read the comparison page. For enabling standards, see Security Hub compliance monitoring.

Reference estate (benchmark, not a client) — We scored a 12-account AWS Organization (~180 EC2-equivalent units, ~90 Lambda-heavy workloads rolled into units, ~40 active ECR images) against the published Essentials calculator: landed ~$1,400–$1,900/month for Essentials before Threat Analytics add-on—consistent with AWS’s 500-unit example band. Your unit count is the input; do not copy our dollars into a board slide without exporting your Security Hub usage page.

What CSPM means on AWS (and what it does not)

Cloud security posture management on AWS is not one SKU. It is four overlapping jobs:

Job                   | Native primary                                  | Third-party often adds
----------------------|-------------------------------------------------|------------------------------
Configuration posture | Security Hub standards + AWS Config rules       | Cross-cloud policy packs
Vulnerability         | Inspector v2 (EC2, ECR, Lambda)                 | Same CVEs + app-layer context
Threat detection      | GuardDuty (+ optional Threat Analytics add-on)  | Correlation across clouds
Data exposure (DSPM)  | Macie + Detective                               | SaaS data stores, attack paths

Opinionated take: For AWS-only production, we recommend native Essentials + delegated admin + org-wide Config before any Wiz/Orca/Lacework procurement. A third-party CSPM earns budget when it changes workflow (multi-cloud graph, DSPM depth), not when it re-lists Inspector findings.

Native stack map (2026)

  1. Security Hub Essentials — standards (CIS, PCI DSS, NIST 800-53, HIPAA), consolidated findings, risk/exposure analytics.
  2. AWS Config — resource configuration history; conformance packs (often billed separately—do not forget Config recorder costs).
  3. Amazon Inspector v2 — included in Essentials pricing for covered resources; feeds Security Hub.
  4. Amazon GuardDuty — behavioral threats; optional Threat Analytics add-on on top of Essentials.
  5. Amazon Macie — S3 data classification and sensitive data findings (DSPM slice for object storage).
  6. Amazon Detective — investigation graph after GuardDuty noise justifies it (~50+ actionable findings/week is a common threshold).

Enable the AWS Organizations delegated administrator for each security service so that member accounts cannot disable the Config recorder to pass an audit the week before a QSA visit.

When third-party CSPM earns its line item

Buy Wiz-, Orca-, or Lacework-class CSPM when any of these are hard requirements:

  • Multi-cloud production (Azure/GCP) with one risk backlog.
  • Attack-path visualization is how your SOC prioritizes (not severity × asset criticality in Security Hub).
  • DSPM must cover data stores Macie does not (SaaS CRM exports, warehouse shares) in the same product.
  • Enterprise EDP already funds Security Hub Extended Plan partner modules—you are integrating, not greenfield buying.

When NOT to buy: single-cloud AWS, Security Hub already satisfies audit evidence, <0.5 FTE security engineering, and no integration owner for deduplication.

Cost model: native vs third-party (order-of-magnitude)

Layer                    | Native (published / observed)                                | Third-party (market)
-------------------------|--------------------------------------------------------------|--------------------------------------------------
Essentials               | AWS example: $3.75/resource unit/mo; 500 units ≈ $1,875/mo   |
Threat Analytics add-on  | Usage-based (CloudTrail events + log GB)                     |
Config conformance packs | Config rules + evaluations (separate)                        | Often bundled in CSPM quote
Third-party CSPM         |                                                              | $100k–$400k+ ACV mid-market; higher at enterprise

A $200k/year CSPM plus $20k/month native Essentials is rational when multi-cloud graph saves analyst hours. It is not rational when both stream Inspector CVEs into Jira.
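The buy / do-not-buy criteria above and this order-of-magnitude cost model, encoded as a checklist a buyer can run against their own exported unit count. This is an added example, not code from the post or from FactualMinds; the $3.75/unit rate is the pricing-page example the post quotes, and the `Estate` field names, the verdict strings and the sample estates are this example's own assumptions.

```python
# Added example (not from the original post): the post's buy / do-not-buy
# criteria and its order-of-magnitude cost model as a runnable checklist.
from dataclasses import dataclass

# Rate quoted in the post from the Security Hub pricing page (May 2026);
# export your own Security Hub -> Usage unit count before trusting any total.
ESSENTIALS_USD_PER_UNIT = 3.75


@dataclass
class Estate:
    """Inputs a buyer fills in; the field names are this example's own."""
    resource_units: int                       # Security Hub -> Usage export
    multi_cloud_production: bool = False      # Azure/GCP with one risk backlog
    attack_path_prioritization: bool = False  # SOC prioritizes by attack-path graph
    dspm_beyond_macie: bool = False           # SaaS CRM exports, warehouse shares
    edp_funds_partner_modules: bool = False   # Extended Plan modules already funded
    security_engineering_fte: float = 0.0
    native_satisfies_audit: bool = True
    dedup_integration_owner: bool = False
    third_party_acv_usd: float = 0.0          # annual contract value, if quoted


def native_monthly_cost(units, rate=ESSENTIALS_USD_PER_UNIT):
    """Essentials list price for a unit count (add-ons and Config billed separately)."""
    return round(units * rate, 2)


def buy_reasons(e):
    """Hard requirements the post says justify a third-party line item."""
    checks = [
        (e.multi_cloud_production, "multi-cloud production with one risk backlog"),
        (e.attack_path_prioritization, "SOC prioritizes by attack-path graph"),
        (e.dspm_beyond_macie, "DSPM must cover data stores Macie does not"),
        (e.edp_funds_partner_modules, "EDP already funds Extended Plan partner modules"),
    ]
    return [why for hit, why in checks if hit]


def do_not_buy_reasons(e):
    """The profile the post flags as 'when NOT to buy'."""
    checks = [
        (not e.multi_cloud_production, "single-cloud AWS"),
        (e.native_satisfies_audit, "Security Hub already satisfies audit evidence"),
        (e.security_engineering_fte < 0.5, "under 0.5 FTE security engineering"),
        (not e.dedup_integration_owner, "no integration owner for deduplication"),
    ]
    return [why for hit, why in checks if hit]


def decide(e):
    """Verdict plus the annual spend each path implies."""
    native_year = native_monthly_cost(e.resource_units) * 12
    reasons = buy_reasons(e)
    if not reasons:
        verdict = "native first"
    elif not e.dedup_integration_owner:
        # Step 4 of the post's workflow: deduplication rules exist before the PO.
        verdict = "third-party candidate: assign a dedup owner and write rules before the PO"
    else:
        verdict = "third-party earns its line item"
    return {
        "verdict": verdict,
        "buy_reasons": reasons,
        "do_not_buy_reasons": do_not_buy_reasons(e),
        "native_annual_usd": native_year,
        "combined_annual_usd": native_year + e.third_party_acv_usd,
    }


if __name__ == "__main__":
    # Constructed sample estates: the post's 500-unit band, single-cloud vs multi-cloud.
    print(decide(Estate(resource_units=500)))
    print(decide(Estate(500, multi_cloud_production=True, security_engineering_fte=2,
                        dedup_integration_owner=True, third_party_acv_usd=200_000)))
```

The verdict deliberately refuses to say "buy" while no deduplication owner exists, because the post's failure mode is paying twice for the same CVE rather than the third-party license itself.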

Duplication trap (what broke)

What broke — A healthtech SaaS (~35 accounts, SOC 2 + HIPAA) ran Security Hub Essentials and a third-party CSPM for 14 months. Inspector findings appeared twice; Jira auto-assigned ~40% duplicate tickets in the first quarter after go-live. Engineers muted Critical in both systems. MTTR on real issues rose from 9 to 21 days (their ServiceNow export—not a FactualMinds claim). Remediation: Security Hub became system of record for AWS posture + vuln; third-party kept GitHub + container registry paths only; EventBridge suppressed duplicate AwsAccountId + GeneratorId pairs.
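The suppression step of that remediation, as an added example that is not the post's code nor the healthtech company's: findings are keyed on the AwsAccountId + GeneratorId pair the post names, the native copy wins when both products report the pair, and a Lambda-style handler shows how the rule would sit behind an EventBridge rule on Security Hub's "Security Hub Findings - Imported" events. The product names "Inspector", "Security Hub" and "ExampleCSPM", the sample findings and the idea of passing already-known native keys into the handler (a durable store such as DynamoDB would hold them in a real deployment) are all this example's assumptions.

```python
# Added example (not from the original post): deduplicating Security Hub ASFF
# findings that two products report for the same AwsAccountId + GeneratorId pair.
from collections import defaultdict

# Products treated as the system of record for AWS posture + vuln findings
# (assumption: matches the post's remediation, where Security Hub won).
NATIVE_PRODUCTS = frozenset({"Security Hub", "Inspector"})


def suppression_key(finding):
    """The pair the post's EventBridge rule keyed on."""
    return (finding["AwsAccountId"], finding["GeneratorId"])


def plan_suppressions(findings, native_products=NATIVE_PRODUCTS):
    """Split a batch of ASFF-shaped findings into (kept_ids, suppressed_ids).

    One finding survives per (AwsAccountId, GeneratorId) pair. If a native
    product reports the pair, its copy is kept regardless of arrival order and
    every third-party copy is suppressed; otherwise the first copy seen is kept.
    """
    by_key = defaultdict(list)
    for f in findings:
        by_key[suppression_key(f)].append(f)

    kept, suppressed = [], []
    for group in by_key.values():
        native = [f for f in group if f["ProductName"] in native_products]
        winner = native[0] if native else group[0]
        kept.append(winner["Id"])
        suppressed.extend(f["Id"] for f in group if f is not winner)
    return kept, suppressed


def duplicate_rate(findings):
    """Share of a batch that would have become a duplicate ticket (the post's pilot metric)."""
    if not findings:
        return 0.0
    _, suppressed = plan_suppressions(findings)
    return len(suppressed) / len(findings)


def eventbridge_rule_pattern(third_party_product):
    """Event pattern routing only the third-party product's imports to the handler.
    source and detail-type are Security Hub's documented EventBridge values."""
    return {
        "source": ["aws.securityhub"],
        "detail-type": ["Security Hub Findings - Imported"],
        "detail": {"findings": {"ProductName": [third_party_product]}},
    }


def handler(event, context=None, native_keys=frozenset()):
    """Lambda-style entry point for the rule above.

    native_keys: (AwsAccountId, GeneratorId) pairs the system of record already
    holds (assumption: loaded from a durable store in production; passed in here
    so the example runs offline). Returns ids of third-party findings to suppress.
    """
    findings = event.get("detail", {}).get("findings", [])
    return [f["Id"] for f in findings
            if f["ProductName"] not in NATIVE_PRODUCTS and suppression_key(f) in native_keys]


# Constructed sample batch (not real findings): two accounts, Inspector plus a
# hypothetical third-party CSPM re-reporting the same pairs; CVE ids are placeholders.
SAMPLE_FINDINGS = [
    {"Id": "arn:aws:inspector2:us-east-1:111111111111:finding/ex-1", "ProductName": "Inspector",
     "AwsAccountId": "111111111111", "GeneratorId": "AWSInspector", "Title": "CVE-XXXX-XXXX (placeholder) in openssl"},
    {"Id": "tp-0001", "ProductName": "ExampleCSPM",
     "AwsAccountId": "111111111111", "GeneratorId": "AWSInspector", "Title": "CVE-XXXX-XXXX (placeholder) in openssl"},
    {"Id": "tp-0002", "ProductName": "ExampleCSPM",
     "AwsAccountId": "111111111111", "GeneratorId": "github-dependency-scan", "Title": "vulnerable npm package"},
    {"Id": "tp-0003", "ProductName": "ExampleCSPM",
     "AwsAccountId": "222222222222", "GeneratorId": "AWSInspector", "Title": "CVE-YYYY-YYYY (placeholder) in curl"},
    {"Id": "arn:aws:inspector2:us-east-1:222222222222:finding/ex-2", "ProductName": "Inspector",
     "AwsAccountId": "222222222222", "GeneratorId": "AWSInspector", "Title": "CVE-YYYY-YYYY (placeholder) in curl"},
]

if __name__ == "__main__":
    kept, suppressed = plan_suppressions(SAMPLE_FINDINGS)
    print("kept:", kept)
    print("suppressed:", suppressed)
    print("duplicate rate:", duplicate_rate(SAMPLE_FINDINGS))
```

The third-party GitHub finding (`tp-0002`) survives because no native product reports that pair, which is exactly the split the post describes: Security Hub owns AWS posture and vulnerabilities, the third-party tool keeps the source-repository and registry paths. On the constructed batch the duplicate rate is 0.4, the same order as the ~40% duplicate tickets the post reports.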

Decision workflow

  1. Export Security Hub → Usage (resource unit count).
  2. List contractual frameworks (SOC 2 only vs PCI + HIPAA).
  3. Score the matrix in examples/architecture-blog-2026/cspm-native-vs-third-party/decision-matrix.md.
  4. If third-party wins, write deduplication rules before purchase order.

Reproduce this — Copy the scoring matrix from examples/architecture-blog-2026/cspm-native-vs-third-party/decision-matrix.md into your wiki. Pair with AWS’s Security Hub cost estimator and the live pricing page (Essentials unit ratios as of May 2026).

Want a second-opinion review before the PO? AWS cloud security consulting and AWS managed SOC / MDR.

What to do this week

  1. Enable Essentials in the security delegated admin account; export unit count.
  2. Map one finding type per tool (vuln / posture / threat / data).
  3. Run a 30-day pilot: native-only triage; measure duplicate rate if you already pay for third-party.
  4. Only then issue CSPM RFP—or cancel renewal if native cleared the backlog.

What this post does not cover

  • Step-by-step Security Hub enablement (see setup guide).
  • Macie + Detective pairing (see data security investigation guide).
  • SIEM replacement analysis (Splunk/Sentinel feeding Security Lake).
  • Vendor contract negotiation.

Related: Security & compliance hub · Inspector v2 on containers and Lambda · Vulnerability prioritization (CVSS + KEV)

If you only do one thing: Pick one system of record for Inspector CVEs before you renew or buy a third-party CSPM.

Palaniappan P

AWS Cloud Architect & AI Expert

AWS-certified cloud architect and AI expert with deep expertise in cloud migrations, cost optimization, and generative AI on AWS.

Tags: AWS Architecture · Cloud Migration · GenAI on AWS · Cost Optimization · DevOps
