Introduction
I just read Google's Q4 2025 earnings report. Cloud revenue grew 48%. They hit a $70 billion annual run rate. Backlog jumped 55% to $240 billion.
But what really caught my attention is what these numbers mean for GCP security.
I started working with GCP back when security was a mess. Cloud Asset Inventory was separate from Security Health Analytics. IAM security was its own thing. You had all these tools but no way to see them together. I spent hours in different services just to get a unified view of my security posture.
It was frustrating. AWS had GuardDuty and Security Hub. Azure had Microsoft Defender for Cloud (after how many times renaming it?). GCP just didnt feel well integrated.
Now, Security Command Center has become what I wanted it to be years ago. Attack path analysis finally launched. The platform actually integrates all the security services. I can see my entire security posture in one place.
And Google is acquiring Wiz.
This combination could change how we think about GCP security. Or it could create a confusing mess of overlapping products. I have opinions on both scenarios.
Sundar Pichai
The Numbers Everyone Is Talking About
48% cloud revenue growth is massive. Google signed more billion-dollar deals in 2025 than the previous three years combined. Customer velocity doubled since Q1.
What interests me more is the AI adoption. 75% of cloud customers use Google's AI products. These customers use 1.8x more products than non-AI customers.
This tells me enterprises trust GCP with production workloads now. Five years ago, GCP was the "third cloud" where you might run some analytics or k8s environments. Production stayed on AWS or Azure.
That has changed.
When customers commit billions of dollars and run AI workloads in your cloud, they need mature security. You cannot grow cloud revenue without solving security problems. Google knows this.
Security Command Center: My Journey From Frustration to Relief
I remember my first major GCP security project. The client’s ask was straightforward: A single dashboard for all organization-wide findings and custom alerts tailored to their specific industry.
A simple request. Or so I thought.
It turned into a multi-day treasure hunt. Back then, it felt like Google was hiding their best features from us. The "Custom Alerts" everyone wanted were actually called Security Health Analytics custom modules, and they were buried so deep in the settings menus that they felt like an Easter egg.
But the real pain was the data.
Every service had its own data model. I spent hours wrestling with Common Expression Language (CEL) just to normalize findings so they looked consistent in a dashboard. I was doing manual labor for a cloud that was supposed to be automated.
This was GCP’s biggest gap. They had amazing security services, but they were silos and complex. No unified view. No correlation. No "Source of Truth." I spent meetings complaining. I sent feedback.
Something Changed
Security Command Center started as a basic dashboard. I was skeptical if it would integrate with all other services. Another Google product that would stay in beta forever or at least feel like it.
But Google kept shipping features. They added graph search. Event Threat Detection integration improved. The API got better. Support for custom findings and threats.
I wrote about creating custom SCC findings when that feature released. Finally, I could integrate my third-party scanners into SCC.
Then they added compliance monitoring. Then attack path analysis. The platform actually started working.
Attack Path Analysis Changed Everything
Attack path analysis launched a few months ago. This is what I have been waiting for.
Before this, I looked at hundreds of medium-severity findings. Which ones matter? Which ones are just noise?
Attack path analysis shows me how findings connect. A public storage bucket on its own? Low severity. But that bucket contains a service account key. And that service account has BigQuery access. Now I have a critical attack path.
I wrote about this feature in my article about the most underrated service in GCP. Attack path simulation lets me prioritize remediation based on actual risk, not just CVSS scores.
This is what modern cloud security should look like. Context matters more than individual finding scores.
Where I Use It Today
My current workflow centers on Security Command Center. I automate finding enrichment with Gemini. I build custom threat detections for organization-specific risks.
Security Command Center integrates with my other security tools. Sensitive data findings from Cloud DLP appear in SCC.
This is what I wanted years ago. One platform. All findings. Actual context for prioritization.
GCP security is not perfect. The UI can be slow with many findings and still feels complex and clunky. Some features need better documentation. But the foundation works now.
Google Buying Wiz: Smart Move, But I Have Questions
Wiz is one of the best CNAPP platforms on the market. I have seen it in action at client sites. Their cloud security posture management works across AWS, Azure, and GCP. The Kubernetes security is excellent. The graph-based risk analysis is innovative.
Google acquiring Wiz makes sense. Most enterprises run multi-cloud. GCP-only security tools limit adoption. Wiz gives Google a security product that works everywhere.
But here is what keeps me up at night: how will they integrate this?
Three Paths Forward
Google could go three ways:
Path 1: Keep them separate. Wiz stays cloud-agnostic. Security Command Center stays GCP-native. Customers choose based on their needs.
This creates confusion. Why does Google have two security platforms? Which one should I buy? Sales conversations get messy.
Path 2: Replace Security Command Center with Wiz. Migrate everyone to Wiz. Deprecate SCC.
This would be a disaster. I invested time building custom threat detections. I automated SCC finding enrichment with Vertex AI. Migration would be expensive and disruptive.
Path 3: Integrate them. Wiz feeds findings into Security Command Center. SCC becomes the aggregation layer. Wiz provides deep CNAPP capabilities. SCC provides GCP-specific integrations.
This is hardest technically but makes most sense strategically.
What I Want to See
I want Path 3 with clear boundaries.
Use Wiz for:
- Deep CNAPP capabilities across all clouds
- Runtime threat detection with eBPF
- Container and Kubernetes security
- CI/CD pipeline scanning
- Secrets detection
Use Security Command Center for:
- GCP resource inventory
- IAM analysis and recommendations
- GCP-specific compliance frameworks
- Integration with Google security services
- Custom findings from GCP-adjacent tools
Feed Wiz findings into SCC or vice versa. Give me one place to see my entire security posture. Let Wiz stay cloud-agnostic while SCC provides GCP depth.
My Real Concern
Microsoft acquired RiskIQ, ReFirm Labs, and other security companies. Integration into Defender has been slow. Some features stayed separate. Others merged in ways that reduced functionality.
Google could fumble this the same way.
I need to know: will my Security Command Center investments be safe? Will Wiz remain cloud-agnostic? What is the integration timeline?
Google needs to communicate the strategy clearly. Soon. (The acquisition is still in progress, so hopefully we have clarity after its finalized)
What This Means for GCP
GCP was always the "third cloud." Great for BigQuery and analytics. Fine for k8s environments. But production workloads stayed on AWS.
The Q4 numbers show this is changing. 48% growth does not happen by accident. $240 billion in backlog means enterprises trust GCP now.
Security services maturation enabled this growth. You cannot convince customers to move critical workloads without mature security tooling. The fragmented security services from years ago would not support today's revenue numbers.
Wiz acquisition accelerates this further. If Google executes the integration well, GCP's security story becomes competitive with AWS and Azure or would even overtake them.
The next 12 months will tell us a lot. Will Google communicate the integration strategy clearly? Will they maintain Security Command Center's momentum? Will they keep shipping features enterprises need?
Based on SCC's development over the last few years, I am cautiously optimistic.
My Predictions
Wiz stays separate for 18 months. Google needs to maintain cloud-agnostic positioning. Integration planning takes time. Do not expect immediate changes.
Security Command Center gets AI features. Automated remediation. ML-based risk scoring. Enhanced attack path analysis. Google will lean into their AI advantage.
GCP wins security-focused workloads. Companies that deprioritized GCP due to security concerns will reconsider. Wiz plus mature SCC changes the conversation.
Competitive response intensifies. AWS will enhance Security Hub. Microsoft will accelerate Defender for Cloud. The CNAPP market will consolidate.
What I Am Watching
Integration execution. How Google handles the Wiz integration will define GCP's security credibility for the next five years.
Product clarity. If Google runs SCC and Wiz as separate products without clear differentiation, customers will be confused.
Pricing. GCP security pricing is already complex. Adding Wiz makes this worse unless Google simplifies it.
Feature parity. Customers will expect the best features from both platforms. Delivering this is technically hard.
Final Thoughts
GCP security has come a long way. Security Command Center evolved from scattered services to a platform I actually want to use. Attack path analysis brought the context I needed. The platform integrates my security tools now.
The Wiz acquisition is smart. Wiz brings CNAPP capabilities that complement Security Command Center. Multi-cloud coverage matters for enterprise adoption.
But acquisitions are risky. Google needs to execute this integration carefully. Communicate the strategy clearly. Give customers confidence in their platform choices.
I have worked with GCP security for years. I wrote scripts to aggregate findings because no platform existed. I watched Security Command Center grow from a basic dashboard to a mature platform. I built custom detections, automated enrichment, and integrated compliance monitoring.
GCP security is no longer a weakness. It is becoming a strength.
Now Google needs to prove they can integrate Wiz without breaking what works. The next year will be interesting.
Member discussion