
Blackglass vs Lacework

Lacework's Polygraph is at its best when you want a single tool watching for unknown-unknowns across cloud workloads — anomaly scoring across runtime telemetry. Blackglass takes the opposite approach for the in-server question: capture a baseline you trust, then alert on any deviation, full stop. The two coexist well because they answer different questions: 'what looks weird?' vs 'what changed since I approved this server?'.

Lacework

Data-driven cloud security platform built around the Polygraph behavioural model. Detects cloud and workload anomalies by learning baselines and surfacing deviations, plus host vulnerability management and container security.

Blackglass

Server-side configuration integrity for Linux fleets. Captures explicit baselines you approve, detects every drift event against them, and exports per-line evidence — deterministic, not behavioural.

Capability comparison

Drawn from Lacework’s public product pages and Blackglass docs as of May 2026. Capabilities not listed are typically out of scope for both products.

| Capability | Lacework | Blackglass |
|---|---|---|
| Detection model | Behavioural / anomaly-based — Polygraph learns what's normal and flags deviations from learned baselines. | Deterministic — operator captures an approved baseline; every change is a drift event, with severity tagged from a finite policy library. |
| Primary scope | Cloud accounts + container runtime + Linux workload telemetry. Strong cloud-side coverage (AWS, Azure, GCP). | Linux servers, on-disk config state. Cloud resource hygiene available via the optional Charon add-on (DigitalOcean, AWS, GCP). |
| Audit evidence | Polygraph-based findings; exports available but tied to behavioural scoring and learned baselines. | Per-host PDF + JSON evidence bundles tied to operator-approved baselines. Designed to hand to an external auditor without further interpretation. |
| Linux-specific drift checks | Vulnerability and runtime behaviour focus — not designed to enumerate every sshd_config / sudoers / package change. | Primary use case — sshd_config, sudoers, services, packages, file integrity, hardening profile, all with per-line diff and CIS alignment. |
| Alert posture | Severity scoring driven by Polygraph; tunable but inherently probabilistic. | Drift-based — every change has a deterministic severity from policy. Calmer dashboards by design; no anomaly score to interpret. |
| Pricing posture | Enterprise sales motion; per-workload pricing typically discussed under NDA. | Public price ladder from $59/mo (Starter, 15 hosts) up to a $2,500/mo Enterprise anchor. Free Lab tier and a 14-day trial without a card. |
| Air-gap / self-hosted | Primarily SaaS; on-prem agents available but central platform is cloud-hosted. | Self-hosted Helm chart, BYOK encryption with rotation, and an air-gap probe wired in for fully disconnected deployments. |

Pick Lacework when

  • Your security team prefers behavioural / anomaly detection over deterministic policy.
  • Cloud-runtime telemetry across many workloads is your primary concern.
  • You want a single tool to span cloud security posture + workload runtime + image scanning, and you're comfortable with anomaly-style severity.
  • You have the analyst capacity to triage probabilistic findings and tune Polygraph baselines over time.

Add (or pick) Blackglass when

  • Auditors or change-control reviewers want explicit, per-line evidence — not anomaly scores.
  • Your fleet is long-lived Linux servers where the question is 'what changed since I approved this?' not 'what looks unusual right now?'.
  • You need a calmer dashboard your platform / IT team can actually keep on top of without dedicated security analysts.
  • You operate air-gapped or self-hosted environments Lacework can't reach.
  • Your budget for in-server visibility is $59 – $2,500 per month, not enterprise platform pricing.
  • You want the optional Charon cloud-waste cleanup as a side benefit at no extra platform cost.

Try Blackglass against the Lacework sales motion

Most prospects evaluating both end up keeping Lacework for cloud-posture and adding Blackglass for the in-server visibility their existing tool can’t reach. The 14-day trial covers up to 10 hosts and doesn’t need a card.
