Cloud security tooling is maturing fast, and AWS has been feeling the competitive pressure. Over recent years, third-party platforms like Wiz, Orca Security, and Palo Alto’s Prisma Cloud set the pace in cloud-native application protection — offering agentless scanning, multi-cloud coverage, and rich contextual risk analysis that AWS’s native tooling struggled to match. AWS has since mounted a fightback with the “new” AWS Security Hub, unveiled in preview at re:Inforce 2025 and reaching GA at re:Invent 2025, which represents the company’s most ambitious attempt yet to close that gap.

During a recent AWS Workshop I got to kick the tyres on its current features. And so, here is an honest assessment of where the new Security Hub is at, where it still falls short, and where it needs to move the needle. But first, some clarification is required.

AWS Security Hub CSPM vs. The New AWS Security Hub

We need to clarify a naming shift that has caused some confusion in the market. What most practitioners have known as “AWS Security Hub” — the service focused on aggregating compliance findings, running security checks against standards like CIS and NIST, and surfacing misconfigurations across AWS accounts — has effectively been rebranded as AWS Security Hub CSPM. It still exists and still does that same job (Cloud Security Posture Management).

The “new AWS Security Hub” is a broader unified security platform built a layer above that adds correlation, attack path analysis, near real-time risk analytics, and integrated signals from AWS Security Hub CSPM, GuardDuty, Inspector, and Macie. If you were already using Security Hub for compliance dashboards and control checks, that capability is still there; it has simply become one layer within a more capable platform.

Practically, this means:

Near real-time risk analytics. The previous version of Security Hub was, in many practitioners’ experience, more useful for compliance reporting than for active security operations. The 2025 redesign introduces near real-time risk scoring and automatic correlation of findings across services and accounts, helping teams answer the question that has historically been hardest to answer from Security Hub: what should we fix first?

Attack path visualisation. Security Hub now automatically maps how an adversary could chain together threats, vulnerabilities, and misconfigurations to reach critical resources. This is significant — attack path analysis was previously a selling point of specialist tools like Wiz and Orca, and having it natively in Security Hub reduces the need for separate tooling.

Historical trends and exposure summaries. New visualisations let teams track security posture over time rather than just seeing a snapshot of current findings. This is operationally important for demonstrating improvement and identifying drift.

Security coverage widgets. A new widget surfaces gaps in coverage — identifying which accounts, regions, or services are not being monitored — reducing the risk of blind spots.

Streamlined pricing. The new model consolidates charges across GuardDuty, Inspector, and Security Hub CSPM, improving cost predictability for organisations running the full AWS security stack. It also includes the ability to procure bolt-on ISV solutions from partners such as CrowdStrike, Drata or Splunk within the same UI.

How It Compares Against the Competition

Wiz has dominated the CNAPP conversation over the past few years, and for good reason. Its agentless scanning model — deploying in minutes with no performance impact on workloads — combined with its Security Graph for contextual risk prioritisation has made it the reference point against which cloud security tools are measured. As of early 2026, Wiz holds over 16% mindshare in the CSPM category, compared to Security Hub’s approximately 4%, reflecting Wiz’s strength as a standalone, cloud-agnostic platform.

Where the new Security Hub begins to compete more seriously is in contextual risk analysis and attack path reasoning — capabilities that were previously Wiz’s clearest differentiator. For organisations that are predominantly AWS-native and already paying for GuardDuty and Inspector, Security Hub’s unified analytics layer now makes a compelling case for consolidation. The price-to-value equation shifts meaningfully when you consider that AWS’s native integration is deeper than anything a third party can replicate.

Where Wiz retains a clear advantage is multi-cloud coverage and breadth of CNAPP capabilities. Wiz protects AWS, Azure, GCP, and OCI with a single platform, and covers DSPM, CIEM, container security, IaC scanning, and vulnerability management in an integrated way. Security Hub, even with its improvements, remains primarily AWS-centric for now, although multi-cloud intentions were signalled in a recent AWS Security Blog post.

Orca’s SideScanning technology provides deep workload visibility without deploying agents into the workloads themselves, offering coverage comparable to agent-based approaches. Like Wiz, Orca’s strength is breadth across cloud providers. The new Security Hub narrows the gap in detection depth and risk context, but organisations with multi-cloud workloads or complex hybrid environments will still find Orca’s cloud-agnostic approach more comprehensive.

Microsoft Defender for Cloud is the most direct native-cloud equivalent. It offers extensive multi-cloud and hybrid coverage — connecting AWS and GCP environments through native cloud connectors, and on-premises or other-cloud servers and Kubernetes clusters via Azure Arc — and has a more mature multi-cloud story than Security Hub. AWS is aware of this gap and the new Security Hub is part of a broader push to provide better visibility across heterogeneous environments, but Defender for Cloud remains ahead on this dimension today.

And finally, Palo Alto Prisma Cloud and Check Point CloudGuard. Both platforms offer strong compliance automation and broader platform coverage than Security Hub. Prisma Cloud in particular excels in developer-facing controls and shift-left security. Check Point CloudGuard is notable for automated remediation capabilities — a point we will return to below.

Multi-Cloud Ambitions: The Direction Is Right, the Progress Is Early

A recurring criticism of Security Hub has been that it is, fundamentally, an AWS service for AWS environments. The competitive pressure from Wiz, Defender for Cloud, and Orca — all of which support true multi-cloud deployments — has clearly influenced AWS’s roadmap.

The new Security Hub takes steps in the right direction through expanded ISV integrations. New partnerships announced at re:Invent 2025, alongside long-standing connections to Splunk, ServiceNow, Jira Cloud, and a growing list of partners, extend Security Hub’s reach beyond AWS’s native boundaries.

The honest assessment, however, is that Security Hub’s multi-cloud story is still largely dependent on partners surfacing findings from non-AWS environments into Security Hub, rather than Security Hub natively scanning Azure or GCP resources. For organisations running multi-cloud estates, a third-party CNAPP is still the more robust choice. AWS will need to make significant progress to change this picture.

The Remediation Gap: Security Hub’s Most Significant Remaining Weakness

This is where a candid review has to be direct: the current Security Hub experience around remediation remains the most frustrating part of the product.

When a finding surfaces — say, an S3 bucket with public access enabled, or a security group with an overly permissive inbound rule — the default experience in Security Hub is to provide a link to the relevant documentation. The analyst reads the guidance, navigates to the affected resource, and manually applies the fix. For teams managing hundreds or thousands of findings across large AWS Organizations, this is operationally untenable.

Competitors have set a different expectation here. Check Point CloudGuard, for instance, offers one-click automated remediation as a standard feature. Wiz provides guided remediation with contextual steps. Orca similarly surfaces actionable remediation paths. The standard in the CNAPP market is moving toward immediate action, not documentation.

AWS Has Already Built the Solution — It Just Needs to Integrate It

What makes this gap particularly notable is that AWS has already built an excellent answer to the remediation problem. The AWS Automated Security Response (ASR) solution — available on the AWS Solutions Library and fully open-sourced on GitHub — does exactly what Security Hub’s native remediation experience lacks.

ASR provides one-click remediation of Security Hub findings using a library of predefined playbooks implemented as AWS Systems Manager automation documents. It covers common findings including unused access keys, open security groups, weak account password policies, misconfigured VPC flow logging, and public S3 buckets. Remediation can also be configured to trigger automatically when findings appear, enabling fully hands-off response for lower-risk issues. The solution supports CIS AWS Foundations Benchmark v1.2.0 and v1.4.0, AWS Foundational Security Best Practices, PCI DSS, and NIST SP 800-53 Rev. 5.

Critically, ASR supports cross-account remediation — a finding in a member account can be remediated centrally from the Security Hub admin account with a single action. This is essential for large organisations running AWS Organizations with dozens or hundreds of member accounts.
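To make the automatic-trigger and cross-account pattern concrete, here is an added illustration (my own example, not the ASR project’s code) of the loop ASR implements: an EventBridge rule matching the “Security Hub Findings - Imported” detail type invokes a handler, which filters the ASFF findings for actionable failures of the FSBP bucket-level block public access control (S3.8), applies the public access block in the owning member account, and marks the finding RESOLVED from the admin account with BatchUpdateFindings. The account IDs, bucket name, finding ID and the role name REMEDIATION_ROLE are constructed placeholders; the per-account client factory is injected, so the same logic runs offline against a recording stand-in for boto3 and against real clients in Lambda.

```python
"""Auto-remediation of a Security Hub finding delivered via EventBridge.

Added example, not code from the ASR project. Account IDs, ARNs, bucket
and role names below are constructed placeholders."""
import json

REMEDIATION_ROLE = "SecurityHubRemediationRole"  # assumed name; ASR ships its own roles
BUCKET_ARN_PREFIX = "arn:aws:s3:::"
PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
}

# Constructed sample event: the shape EventBridge delivers for detail-type
# "Security Hub Findings - Imported". "account" is the Security Hub admin
# account; the finding itself belongs to member account 222222222222.
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "account": "111111111111",
    "region": "eu-west-2",
    "detail": {"findings": [{
        "Id": "arn:aws:securityhub:eu-west-2:222222222222:security-control/S3.8/finding/11111111-2222-3333-4444-555555555555",
        "ProductArn": "arn:aws:securityhub:eu-west-2::product/aws/securityhub",
        "GeneratorId": "security-control/S3.8",
        "AwsAccountId": "222222222222",
        "Region": "eu-west-2",
        "Compliance": {"Status": "FAILED", "SecurityControlId": "S3.8"},
        "Workflow": {"Status": "NEW"},
        "RecordState": "ACTIVE",
        "Resources": [{"Type": "AwsS3Bucket", "Id": BUCKET_ARN_PREFIX + "example-public-bucket",
                       "Region": "eu-west-2"}],
    }]},
}


def select_findings(event):
    """Return (finding, bucket_name) pairs that are actionable S3.8 failures.
    Archived, already-resolved, suppressed or passing findings are skipped so a
    re-delivered or stale event cannot trigger a second remediation."""
    selected = []
    for f in event.get("detail", {}).get("findings", []):
        compliance = f.get("Compliance", {})
        if compliance.get("SecurityControlId") != "S3.8" or compliance.get("Status") != "FAILED":
            continue
        if f.get("RecordState") != "ACTIVE":
            continue
        if f.get("Workflow", {}).get("Status") in ("RESOLVED", "SUPPRESSED"):
            continue
        for r in f.get("Resources", []):
            if r.get("Type") == "AwsS3Bucket" and r.get("Id", "").startswith(BUCKET_ARN_PREFIX):
                selected.append((f, r["Id"][len(BUCKET_ARN_PREFIX):]))
    return selected


def remediate_bucket(s3, bucket):
    """Apply all four public access block flags; the call is idempotent."""
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=PUBLIC_ACCESS_BLOCK)


def resolve_finding(securityhub, finding, note):
    """Close the finding in Security Hub and record what was changed and where."""
    securityhub.batch_update_findings(
        FindingIdentifiers=[{"Id": finding["Id"], "ProductArn": finding["ProductArn"]}],
        Workflow={"Status": "RESOLVED"},
        Note={"Text": note, "UpdatedBy": "auto-remediation"},
    )


def handler(event, context=None, client_for=None):
    """Lambda-style entry point. client_for(service, account_id) returns an API
    client scoped to that account: in Lambda it would assume REMEDIATION_ROLE in
    account_id via STS and return boto3.client(service, ...); it is injected here
    so the decision logic runs offline. Returns the list of remediated buckets."""
    remediated = []
    for finding, bucket in select_findings(event):
        member = finding["AwsAccountId"]
        remediate_bucket(client_for("s3", member), bucket)
        resolve_finding(client_for("securityhub", event["account"]), finding,
                        f"Public access block applied to s3://{bucket} in account {member}")
        remediated.append(bucket)
    return remediated


class RecordingClient:
    """Offline stand-in for a boto3 client: records each call instead of making it."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return call


def run_offline(event=SAMPLE_EVENT):
    """Run the handler against recording clients; returns (buckets, clients by (service, account))."""
    clients = {}

    def client_for(service, account):
        return clients.setdefault((service, account), RecordingClient())

    return handler(event, client_for=client_for), clients


if __name__ == "__main__":
    buckets, clients = run_offline()
    print("remediated:", buckets)
    for key, client in clients.items():
        for name, kwargs in client.calls:
            print(key, name, json.dumps(kwargs))
```

The filtering in select_findings is the part worth copying: keying on Compliance.SecurityControlId rather than on free-text titles survives control renames, and checking RecordState and Workflow.Status prevents an archived or already-resolved finding replayed through EventBridge from re-running the fix. The note written back with the finding is what an “Apply Fix” confirmation prompt would show an analyst: exactly what changed and in which account.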

The gap is not that AWS lacks the capability. The gap is that ASR requires a separate CloudFormation deployment and is not yet surfaced as a native, integrated experience within Security Hub itself. Today, getting one-click remediation requires a security engineer to know that ASR exists, deploy it via CloudFormation, and wire it into their Security Hub environment. For teams that have done this, the result is excellent. But the experience is not discoverable or seamless enough for most customers.

AWS should prioritise deeply integrating ASR’s remediation playbooks directly into the Security Hub console. Imagine a finding card that shows not just documentation links, but an “Apply Fix” button — backed by the relevant ASR playbook — with a confirmation prompt showing exactly what will change and in which account.

Imagine the visual tooling having similar “Address this Vulnerability” capabilities. That would be a genuine leap forward for AWS Customers. It would also make Security Hub significantly stickier for AWS-native organisations that are currently evaluating alternative competitor solutions.

Closing Thoughts

The new AWS Security Hub is a meaningful advancement. The shift toward near real-time risk analytics, attack path visualisation, and tighter service integration makes it a far more credible option for AWS-centric security teams than its predecessor. Growing ISV integrations are extending its reach, and the pricing consolidation makes the business case easier to present.

Against specialist platforms like Wiz and Orca, Security Hub still has ground to cover in multi-cloud coverage and the breadth of CNAPP capabilities. But for organisations deeply invested in the AWS ecosystem, the gap has narrowed considerably.

The one area where AWS Security Hub needs to move urgently is remediation. The tooling exists — ASR is a mature, open-source solution with a rich playbook library. The work required is integration and discoverability, not invention. Bringing ASR’s one-click and automated remediation capabilities natively into Security Hub would eliminate AWS’s most significant competitive gap, shifting the conversation from “Security Hub identifies the risk” to “Security Hub remediates the risk.” Tighter integration could go further still — imagine Security Hub working in conjunction with AWS Security Agents surfacing recommendations before risky configurations are deployed.

About
With over 25 years in the technology sector, Keith has spent the last decade providing consultancy, support, and strategic direction to customers across multiple cloud platforms.

Disclaimer: The information shared on this blog is for informational purposes only and should not be considered as professional advice. The opinions presented here are personal and independent of any affiliations with tech companies or organizations.