# CSPM decision matrix — native AWS vs third-party

Score each row **0** (no), **1** (partial), **2** (yes). Sum per column. **Native wins** at ≤8 total on third-party column; **third-party** at ≥14; **hybrid** in between.

| Criterion | Weight | Native (Security Hub Essentials + Inspector + Config + Macie + GuardDuty) | Third-party (Wiz / Orca / Lacework-class) |
|-----------|--------|------------------------------------------------------------------------|-------------------------------------------|
| Workloads are **AWS-only** (no Azure/GCP production) | 3 | | |
| SOC team already lives in **Security Hub / EventBridge** | 2 | | |
| Need **continuous standards** (CIS, PCI 4.0, NIST 800-53, HIPAA) in-console | 3 | | |
| Need **attack-path / toxic combination** graph as primary triage UI | 3 | | |
| **Multi-cloud** posture in one console is contractual | 3 | | |
| **DSPM** (data catalog + exposure) beyond Macie S3 patterns | 2 | | |
| Budget ceiling **<$2.5k/mo** for security tooling (excl. SIEM) | 2 | | |
| Existing **EDP/commit** on a third-party CSPM | 2 | | |
| Dedicated **AWS security analyst** ≥0.5 FTE | 2 | | |
| Regulated audit accepts **Security Hub control status** as evidence | 2 | | |

## Interpretation

- **Native:** Sum native column ≥18 and third-party ≤10.
- **Third-party:** Sum third-party ≥16 and you have multi-cloud or attack-path as hard requirements.
- **Hybrid:** Native for AWS standards + vuln; third-party for multi-cloud graph only if duplicate findings are deduplicated in the SOC runbook.
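The scoring rule above is easy to apply inconsistently across teams, so here is a small scorer, written for this page as an added example (it is not part of the original matrix). It assumes each 0/1/2 score is multiplied by the row weight before summing, and it applies the thresholds from the Interpretation section, with "multi-cloud" and "attack-path" scored 2 in the third-party column treated as the hard requirements. The criterion keys and the two sample profiles are constructed for illustration.

```python
"""Weighted scorer for the CSPM decision matrix (added example).

Assumptions (not stated on the page): score * weight is summed per column,
and the Interpretation thresholds decide the verdict. Sample data is constructed.
"""

# (criterion key, weight), in the order of the matrix rows
CRITERIA = [
    ("aws_only", 3),
    ("soc_in_security_hub", 2),
    ("continuous_standards_in_console", 3),
    ("attack_path_primary_triage", 3),
    ("multi_cloud_contractual", 3),
    ("dspm_beyond_macie", 2),
    ("budget_under_2500_per_month", 2),
    ("existing_edp_commit", 2),
    ("dedicated_aws_analyst", 2),
    ("audit_accepts_security_hub_status", 2),
]

# Rows that count as "hard requirements" for the third-party verdict (assumption)
HARD_REQUIREMENT_ROWS = ("attack_path_primary_triage", "multi_cloud_contractual")


def scores_from_row(values):
    """Map a list of ten 0/1/2 scores, in matrix order, to a {criterion: score} dict."""
    if len(values) != len(CRITERIA):
        raise ValueError(f"expected {len(CRITERIA)} scores, got {len(values)}")
    return {name: v for (name, _), v in zip(CRITERIA, values)}


def weighted_sum(scores):
    """Sum score * weight over every criterion; each score must be 0, 1 or 2."""
    total = 0
    for name, weight in CRITERIA:
        score = scores[name]
        if score not in (0, 1, 2):
            raise ValueError(f"{name}: score must be 0, 1 or 2, got {score!r}")
        total += score * weight
    return total


def decide(native_scores, third_party_scores):
    """Return (verdict, native_total, third_party_total) per the Interpretation rules."""
    native = weighted_sum(native_scores)
    third = weighted_sum(third_party_scores)
    hard_requirement = any(third_party_scores[r] == 2 for r in HARD_REQUIREMENT_ROWS)
    if native >= 18 and third <= 10:
        verdict = "native"
    elif third >= 16 and hard_requirement:
        verdict = "third-party"
    else:
        verdict = "hybrid"
    return verdict, native, third


# Constructed profile: AWS-only shop whose SOC already works in Security Hub
AWS_ONLY_SHOP = (
    scores_from_row([2, 2, 2, 0, 0, 1, 2, 0, 1, 2]),  # native column
    scores_from_row([0, 0, 1, 1, 0, 1, 0, 0, 0, 0]),  # third-party column
)

# Constructed profile: multi-cloud estate with an existing third-party commit
MULTI_CLOUD_SHOP = (
    scores_from_row([0, 1, 2, 0, 0, 0, 0, 0, 1, 1]),  # native column
    scores_from_row([0, 0, 2, 2, 2, 2, 0, 2, 0, 0]),  # third-party column
)

if __name__ == "__main__":
    for label, (native, third) in (("aws-only", AWS_ONLY_SHOP),
                                   ("multi-cloud", MULTI_CLOUD_SHOP)):
        verdict, n, t = decide(native, third)
        print(f"{label}: native={n} third-party={t} -> {verdict}")
```

Scoring both columns independently (rather than one score per row) is what makes the native/third-party thresholds comparable; keep the filled-in matrix with the procurement evidence so the verdict can be re-derived later.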

## Evidence to attach before procurement

1. Security Hub **usage** page export (resource units).
2. Count of **duplicate** finding types (Inspector + third-party on same CVE).
3. List of **frameworks** in customer contracts (not “all of them”).
