Boundary Breakers encompass vendors that are taking risks in creating new categories around their offerings. This category exists to highlight tools that are attempting to define new categories.
Oligo provides runtime protection against the exploitation of open source or third party vulnerabilities - not just "is this package running," but "what is this package doing?" Their engine drastically reduces the risk of supply chain exploitation, in a way that might make SCA in general obsolete.
Seal is another vendor that threatens to make open source scanning entirely obsolete. They backport security fixes to your current version of open source libraries for instant, ongoing auto-patching; that way you don't need to make major framework upgrades under duress. Seal changes everything about SCA scanning, and threatens to upheave the whole industry.
Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and have created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.
Tracking third party data flows is a hot topic in security right now - most companies are tracking via OAuth or API flows. Riscosity is cutting through that to the sources of truth, namely the code and network layers. They scan your code for third party data flows, and then validate at runtime by proxying your egress.
DryRun helps your security team focus on the changes that actually matter, and with a simpler integration that's not dependent on any heavy handed app inventories. I've had to create a ton of custom scripts over my career to monitor high impact files, and only DryRun can properly handle that kind of prioritization.
Deepfactor and Oligo Security empower the same outcome, detecting malicious third party library activity, but they go about it in very different ways. Deepfactor intercepts application calls with a shared library, while Oligo uses eBPF. I don't have enough hands on experience to say which approach is better, but there are pros and cons with each.
Permiso is creating incident response for identities. They bridge the gap between "SaaS Security" and "IAM security" by tracking identities across IaaS and SaaS, while baselining and firing alerts for suspected misbehavior, along with session tracking.
Pangea provides an API and SDK to easily implement security features into your application - such as checking a user's password against a breach database, or checking a user's email against a spam database. They're the only company I've seen that's trying to make security features as easy to implement as Stripe.
It took quite a bit of time for me to understand how uniquely Xygeni is approaching ASPM. Rather than chasing buzzwords and features, they've been focusing on stopping real attacks. They have a unique technological approach for detecting not just pipeline attacks, but more significantly scanning third party libraries for malware; not just vulnerabilities. For example, if I decided to make the open source Latio scanner send all your code to my server, they'd be the only full ASPM platform that could also detect that attack.
Grit is awesome - they provide pre-baked playbooks for everything from framework migrations to major security patches. The most time consuming part of patching is figuring out the changes, and Grit does that part for you, even updating tests. Them and Moderne are providing amazing value for actually getting things patched.
Of all the tools claiming to be "developer centric" or "developer loved," only Moderne & Grit try to automate as much as possible of the painful work of fixing vulnerabilities. Moderne leverages Apache Openwrite to create playbooks across your code for remediating major issues like migrating Java or Spring versions.
Of all the companies in this space, Tidelift is the only one I could describe as uniquely ethical. If you're tired of shoveling your CVE scanner results into open source backlogs, never to be fixed, working with Tidelift allows you to actually work with maintainers to get your issues fixed upstream - while checking the box on standard SCA feature sets (plus a few unique package health assessments).
Tracebit is building very holistic deception technology that serves as honeypots for your cloud infrastructure. They deploy deceptive resources that match your existing ones, and monitor those resources for any suspicious activity.
It's great to see a company build a product around honey tokens. Honeypots provide a ton of security ROI but are difficult to setup and maintain, Seedata takes care of that for you so that you can focus on analyzing the results. I'd highly recommend this tooling for people with advanced security operations teams.
Myrror provides the standard suite of SCA tools with functional level reachability, but they have a much more unique technology that allows you to confirm that a binary was built from a particular source code. This allows the most thorough validation of supply chain assets I've seen and is an awesome functionality to ensuring you're not deploying unknown risks to your customers.
TrustOnCloud has created in depth threat models for cloud services. For example, they can show you every possible way someone could exploit an S3 bucket. Because they don't focus on scanning, they've created a library of potential exploits that goes far beyond what most CSPMs offer; however, that comes with the downside of being fundamentally a work generation tool. If you're operating at a scale where formal threat models need to be conducted before adopting new AWS services, their tool is undoubtedly useful.
VulnCheck provides well curated data on vulnerability exploitations - I can't see myself using them directly at smaller companies, but I'd hope all of my providers were using them for upstream data.
Devici has created a collaboration tool specifically for threat modelling, allowing for unique opportunities for mapping resources with tagging, dataflows, and notes. As development teams get more directly involved with day to day security alerts, it seems that threat modelling will be a key value add for security teams, and I wouldn't be surprized to see more tools arise in this space.
Leen is building a unified API for security integration data - a great product for product teams or people building their own tooling!
Dig Security checks all of the boxes for DSPM and DLP, namely data categorization. They differentiate by having database detection and response rules more akin to Database Access Management types of technologies. This gives them a runtime value that others lack. Hopefully the Palo acquisition doesn't kill the detection response capabilities.
This category is for the quickly emerging field of LLM Security tools. These tools cover visibility, detection, and response for LLMs across code, endpoints, and infrastructure. I'm most excited for the application level security use cases, but early companies here are focused on monitoring employee chat sessions. Success in this category is dictated by ability to adept to rapidly changing conditions.
Prompt Security offers comprehensive solutions for LLM security. They have both corporate IT visibility with their browser plugin, alongside application visibility with API, SDK, and reverse proxy options. You can also trace user sessions and detect/redact/block numerous types of data and attacks.
Despite being so early in development, what I've seen from Apex is the most unique approach to GenAI security. They offer visibility, configuration protection, and runtime detection and response for LLMs, both for corporate and application use cases. Everything from DLP to Injection detection, to LLM quarantining.
Pillar is building exactly what I think LLM security should be - a simple to use library that wraps LLM calls giving you visibility and blocking capabilities that exceed most of what's out there.
Lakera offers a simple way to protect LLM's by importing their SDK into your code. Their approach is simple and elegant, and their Gandalf tool allows you to better understand how LLM prompt injections work.
Harmonic currently has the standard suite of LLM protection visibility via browsers, but has a long term focus on detecting the flow of sensitive data - a vision that aligns well with the team's history in detecting sensitive data across the internet.
Lasso has the most fully functional product right now - they use plugins to monitor different LLM entry points to detect for data leakage and do prevention and anonymization. They're solving the current issues CISOs are looking to be solved.
Originally CIEM (Cloud Identity and Entitlement Management), this category has been broadened to Cloud Identity. These offerings help manage the numerous ways cloud identities can be created and proliferated, whether it be through IaC or AWS policies.
Kivera provides an identity proxy for true enforcement of access policies. Their setup is awesome out of the box for IaC deployments, giving developers instant feedback for when they're attempting to implement permission policies that are dangerous.
Entro watches for API key generation and usage across tools, alerting you to both unused permissions, as well as potential malicious activity. An example use case is detecting when a secret is shared on Slack.
Axiom provides standard scanning and remediation for least privileged access, but also grant least privileged roles on demand for just in time access. Their approach is to reduce permissions while providing temporary roles when major changes are needed.
P0 has built a truly unique workflow for JIT access for multiple development tools. While other providers in this space work for AWS, P0 differentiates by also supporting things like K8s, Postgres, and Snowflake with temporary policy access.
Apono enables you define access policies to cloud and workload resources, creating JIT workflows for accessing different environments. One standout feature is kubernetes RBAC visualization, combined with JIT access roles.
Aembit provides the most secure way I've seen of delivering machine to machines credentials to your workloads. They uniquely validate asset identity via contextual properties and integrations, and then inject the approved credentials into the workload.
Raito gets the details of database access right - they've managed to standardize controlling access to databases across different architectures and providers. Data owners can be assigned and manage who has access to what data, and risk assessments can be done for access. They have an amazing foundation for the future of managing DB access.
Abbey allows you to define grant kits in code, which are custom pre-defined terraform for different access scenarios. Developers can then request access via Abbey, and open a PR subject to defined approval workflows.
Sonrai has built a simple deployment for securing numerous cloud identities with as little complexity as possible by focusing on deploying permissions boundaries through SCPs and removing unused resources.
Turbot's Guardrails product allows for enforcement of cloud identity controls, while Pipes enables querying and alerting on logs and metadata.
InstaSecure uniquely flips the paradigm of identity management by helping you set robust IAM boundaries and SCPs instead of focusing on the endless tweaking of individual users and roles. The approach is a great way to get high impact low effort results.
StackIdentity provides a platform that excels in diving deep into your IAM environment and assessing over permissive and high risk resources. They provide a data lake that allows you to really see and maintain proper access controls across tools.
Entitle.io is focused on the specific use case of granting break glass permissions in AWS, and rolling back changes when they're not needed. They also support more general permission scanning.
Like other CNAPPs, Wiz is focused on cloud security more broadly than just Cloud-Identity tools; however, they offer the basic functionality of tuning your policies to be less permissive.
Sysdig differentiates itself from most Cloud-Identity providers by being able to look at which permissions haven't been used by anyone and can be removed. However, this has since become built in to AWS' access analyzer tool, making it less valuable.
AWS Access Analyzer looks at your users and policies and suggests changes. It is a great built in tool, but doesn't offer easy organization level management.
Basic built in analysis for GCP policies and users. Also provides role recommendations. At a high level, GCP is the easiest of cloud providers to manage permissions in.
CloudSploit is a great tool to run a quick scan to check your permissions at a high level.
ScoutSuite is another useful tool to run a quick scan of your cloud environment to check for any issues.
This category of tooling is for vendors that focus on providing pull requests with code fixes in them across various scanning tools. It's a different approach than remediation workflow platforms.
Most code-fixers are starting with SAST because it's the easiest to implement. Seal however is starting with SCA - creating backported patches for your current version of open source libraries. This is a game changer for SCA scanning, and threatens to upheave the whole industry. Seal uses GenAI to help backport patches to your current version of open source libraries.
Grit is awesome - they provide pre-baked playbooks for everything from framework migrations to major security patches. The most time consuming part of patching is figuring out the changes, and Grit does that part for you, even updating tests. Them and Moderne are providing amazing value for actually getting things patched. Grit uses GenAI to help create playbooks for major upgrades.
Despite being the only one without ai in their domain, Corgea's platform is the most driven by GenAI that I've seen. Because of the reliance on GenAI, I've seen some really cool and unique solutions to specific vulnerabilities that other tools would likely have a very difficult time standing up. They also have the cutest logo of any other platform on here. Corgea uses GenAI to help create fixes & detections for SAST findings.
Staris built a platform for open box pentesting powered by GenAI. They look at your code and your application, build a PoC exploit of findings as a code test, and give you the fixed code. The workflow is wrapped as a pentest - which offers a glimpse into what the future of pentesting will undoubtedly look like. Staris uses GenAI to help find exploits from SAST to runtime.
Pixee is taking a unique approach to SAST fixes by raising pull requests on customizable cadences to make progress burning down your backlog. They provide their own wrappers around commonly exploited functions that are suggested in the raised pull requests. It's worth mentioning it didn't find any vulnerabilities in our test code. Pixee uses GenAI to help create fixes & detections for SAST findings.
Mobb integrates with SAST tools like Snyk, Checkmarx, Fortify, and Codeql to scan your code and then provides fixes for merging into your code base. Their generated fixes seem good, but it's something that other providers are also working to build natively such as Snyk's DeepCode. Mobb uses GenAI to help create fixes for SAST findings.
Nullify is also starting with SAST use cases, but has expanded their AI agent functionality to be more holistic with their slack app and creating rudimentary threat models of code changes. Their vision is more holistic - focusing on creating an AI based product security engineer.
Amplify provides fixes for SAST findings, complete with importing libraries that will help fix the security issue. They have PR and remediation workflows for providing the fixes to developers. Amplify uses GenAI to help create fixes & detections for SAST findings.
Of all the tools claiming to be "developer centric" or "developer loved," only Moderne tries to automate as much as possible for even the most painful parts of fixing vulnerabilities - major version upgrades. They leverage Apache Openwrite to create playbooks across your code for remediating major issues like migrating Java or Spring versions.
Infield offers both a product and services for handling complex migration efforts for common application upgrades. They have a robust history of success and combining the service with the SaaS should be appealing to customers who don't find the product value in upgrades.
In order to help people see the value of using LLMs for application security detection, we created a simple command line tool for code scanning with OpenAI. It's bring your own OpenAI API key, so you can manage the data however you see fit, and has templated github action for pipeline use.
This category is for tools that assist primarily with managing user identities outside of cloud environments. This includes tools that help with user provisioning, authentication, and authorization. Good tools in this category help with user lifecycle management, and provide a single pane of glass for managing user access across your infrastructure. Bad tools in this category are difficult to integrate, and require a lot of manual tuning.
Lumos is fascinating for the breadth of use cases they cover - general SaaS contract management, user audit logs, and request flows for Okta apps - all from a single platform. From what I've seen, Lumos seems like a dream come true for most corporate IT teams, where managing Okta has turned into a team sized job.
Astrix gives you visibility into OAuth connections in your environment - such as when a user authorizes an unknown third party application into your Slack. They provide great visibility into whats usually a black box for security teams.
Axiom provides standard scanning and remediation for least privileged access, but also grant least privileged roles on demand for just in time access. Their approach is to reduce permissions while providing temporary roles when major changes are needed.
Veza has created a unique graph querying tool associating users to the data they have access to - this extends beyond basic Okta user assignments to include things like sensitive S3 buckets or databases. Alerting can also be configured based on the searches. They also include onboarding/offboarding automations.
At their core, Garantir offers a solution for public and private key storage, but that description sells them short of numerous use cases they support with elegance. They can be used as a PAM, for SSH management, to accomplish HSM with ease, and can run just about anywhere a private key is needed with their agent on user endpoints.
Push Security created a browser plugin that monitors SaaS applications being used by employees, and can alert on risky identity controls such as re-using weak passwords or lack of MFA.
Teleport works by giving end users certificates that allow them to enforce access policies across numerous cloud resources that are typically difficult to manage. The user experience is better than any alternatives I've seen.
Komo provides user access request flows for Okta and AWS SSO, allowing users to easily request and be assigned permissions. They uniquely allow the creation of attribute based rules, creating workflows around users as their attributes change.
ConductorOne provides a management platform for okta user assignments. I haven't met with them.
Opal provides a management platform for okta user assignments. I haven't met with them.
Application Security Posture Management (ASPM) is the latest buzzword to take over the application security market. It's meant to correlate all application security scanning into a single dashboard for remediation prioritization - but my thoughts on definition are here. Always validate what tool coverage looks like in this category - many vendors have one or two scanners built in house, and are relying on open source tooling for the rest of the pipeline coverage. Great tools will allow you to track and correlate findings across an entire application. Bad tools will rely purely on third party scanners and have major gaps.
Ox security blew my mind - providing the ultimate all in one configuration scanning tool. They're the only ones I've seen who can track a container lifecycle, individually vulnerable functions from dependencies, and provide both rich integrations alongside their own scanners.
Arnica is building the next gen security scanner for SAST, SCA, SDLC and IaC scanning (with container soon I'm sure). Their secret sauce is rich code owner insights with a user graph of your Git provider. I love their focus on remediation workflows and confidence in their own scanners.
Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and have created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.
Apiiro is like Bionic on steroids by working better in non Java/Spring environments - it builds an in depth application inventory by scanning your code for API endpoints and provides excellent prioritization tools based on that map. It does a great job at detecting what PR's will likely be major changes.
Cycode offers all in one scanning and integrations across the SDLC pipeline. Their primary in house built tool is their secret scanner, but their differentiator is their graph querying of deployment processes. If you have a lot of pipelines, they have a lot of querying.
Xygeni has built a unique approach to ASPM tooling by focusing on malware detection, GitOps exploits, and detecting active supply chain attacks. They've built everything in house and also have an asset graph for relating resources to one another.
Backslash provides SCA, SAST, and Secrets scanning, with a focus on reachability from network, API, and function perspectives without an agent. This approach to reachability is uniquely holistic - including features like detecting if a transitive dependency is directly called by your code, or if a specific SAST finding is surfaced via API.
Oxeye is building the most runtime-y of ASPM providers - they map out your application using everything from code to agents to network validations. Then they prioritize based on how your app is most likely to be exploited. The only ASPM with DAST validation.
Boost Security has a shared vision for all in one configuration scanning out to runtime. They have smart kubernetes & Istio integrations for runtime context, alongside the standard suite of SCA, SDLC, SAST, IaC, Secrets, and Containers based on a combination of open source and in house built tools. I appreciate the openness of their rule set in their documentation.
Qwiet has been doing all in one scanning for a long time - they have a powerful unique approach to scanning that starts with a map of your application, and scans within that context. They have smart prioritization filters combined with the standard suite of SCA, container, SAST, Secrets, and IaC scanning. They don't offer "pipeline-less" scanning via webhooks if that's a requirement for you.
Rezlion combines their own scanning at runtime with ingesting from other platforms to provide an exploitability prioritization view of container and SCA vulnerabilities. They focus on simple deployment into your environment to prioritize what packages and libraries are running.
Bionic offers a unique approach to application visibility by building a graph of your services, their dependencies, and the classification of their downstream data. Their application map works best in Java/Spring environments.
For the providers based solely on integration with other security vendors, JIT is my favorite pick. They consolidate scanners and create workflows and prioritization for developers. The JIT scanner is unique in that it's a wrapper for other scanners that you run in your own pipelines - an approach with pros and cons.
Legit Security takes a holistic approach to SDLC security. They aggregate your SDLC pipeline findings across different tools, allowing for remediation, especially within pipeline scanning. They do asset discovery via code, rather than via runtime detection.
Kondukto's strength is integrating with just about every tool you could want, including open source ones, to prioritize and remediate in a single platform. They provide a great Jira workflow for working through findings.
Snyk's ASPM product is frankly pretty weird. It provides pipeline coverage and asset classification, but since it neither integrate with other platforms, nor Snyk's issues, it's hard to see how it fulfills the goals of ASPM.
Does Synopsys technically do everything you'd need from an ASPM? Yes. Would you ever want to use it? No. They've focused heavily into the semiconductor industry, and their ASPM is heavily patched together from various acquisitions.
Software composition analysis (SCA) is also called open-source vulnerability scanning. It works by examining the source code of an application to identify any open-source components that are being used. It then checks these components against a database of known vulnerabilities, and alerts the user if any are found. Great tools in this category will run quickly, in pipeline, and most importantly, provide resolution guidance in the developer workflow. Bad tools will run on a cadence, provide CVE's without an guidance, and only work at runtime.
Oligo provides runtime protection against the exploitation of open source or third party vulnerabilities - not just "is this package running," but "what is this package doing?" Their engine drastically reduces the risk of supply chain exploitation, in a way that might make SCA in general obsolete.
Seal doesn't do SCA scanning in the traditional sense, instead they backport security patches for open source libraries, allowing you to auto-patch any vulnerabilities without doing major framework updates. Their only limit is their velocity pushing the backported patches.
Ox's reachability analysis is one of very few that tries to find if the function tied to the CVE exploit in the third party code is actually used in the app - this is a step beyond just checking if the package is loaded.
Arnica's SCA is differentiated by finding the most likely owner for the fix and automating a lot of the workflow process such as pinging them on slack and creating a Jira ticket.
Kodem provides runtime insights on container vulnerabilities, but uniquely ties them back to SCA findings in pipeline. This gives you a single holistic view of container and SCA vulnerabilities, as well as what's executing at runtime.
Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and have created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.
For what Snyk offers in usability across functions, SemGrep excels in customization. Their tool offers extensive customizations and rule sets, and their reachability analysis, a critical aspect of SCA, beat Snyk to market. Also, their open source tooling is powering many other tools on this list.
Phylum meets standard SCA scanning requirements, but differentiates with upstream malware detection. They have some smart features such as providing a CLI wrapper for NPM stalls to block attempted malware installation during development.
Of all the companies in this space, Tidelift is the only one I could describe as uniquely ethical. If you're tired of shoveling your CVE scanner results into open source backlogs, never to be fixed, working with Tidelift allows you to actually work with maintainers to get your issues fixed upstream - while checking the box on standard SCA feature sets (plus a few unique package health assessments).
Endor Labs stands out in their granularity and reachability analysis for open source packages. They get the meaningful details from function level reachability, and are the ones who scared everyone into trying to make it.
SCA scanning fits into Xygeni's larger ASPM platform but differentiates by scanning the packages from a SAST perspective instead of just looking up CVEs.
Backslash's SCA supports function level reachability, but can even detect direct calls to transitive dependencies. SCA is part of their ASPM which includes SAST and secrets.
Myrror provides the standard suite of SCA tools with functional level reachability, but they have a much more unique technology that allows you to confirm that a binary was built from a particular source code. This allows the most thorough validation of supply chain assets I've seen and is an awesome functionality to ensuring you're not deploying unknown risks to your customers.
Deep Factor differentiates their SCA tool with deep runtime insights on the open source package and its state of being loaded or not in the application - a good way to prioritize fixing.
Socket takes the unique approach of looking for malware within open source packages instead of focusing on only CVEs. They have robust support within the JavaScript ecosystem. They only scan your package manifest and not your source code. Their reachability analysis is unique in that they do it for transitive dependencies instead of your code (checking if the transitive dependency is used in the direct dependency).
Qwiet has a powerful unique approach to scanning that starts with a map of your application, and scans within that context. They have smart prioritization filters combined with the standard suite of SCA, container, SAST, Secrets, and IaC scanning. They don't offer "pipeline-less" scanning via webhooks if that's a requirement for you.
Snyk's first product was SCA, and it remains what they're stellar at. They do an unparalleled job at rolling up dependencies properly, and surfacing the information to developers in the easiest possible way to fix.
Mend was Snyk's main competitor early for quick open source scanning in pipeline, but did not expand as quickly as Snyk into other areas. Their open source Renovate tool is great for keeping your in-house dependencies up to date, but their UI and scanning engine were more difficult to deploy, maintain, and navigate. However, due to Renovate they have unique visibility into the expected challenge of a version upgrade.
Oxeye allows you to prioritize SCA based on where the findings live in your infrastructure with rich runtime insights.
Apiiro prioritizes your SCA findings by tying them to asset inventory and application context.
Paraxial provides a unique combination of security tooling specializing in the Elixir language and Phoenix framework. They're a great choice for companies that use Elixir, and have unique runtime elements that them stand out from open source options.
Cycode offers their own in house built SCA scanning as part of their ASPM platform.
Boost Security is primarily an all in one scanner. Their SBOM functionality seems bare bones at the moment.
Rezlion combines their own scanning at runtime with ingesting from other platforms to provide an exploitability prioritization view of container and SCA vulnerabilities. They focus on simple deployment into your environment to prioritize what packages and libraries are running.
Fossa is one of the older open source scanning providers - they've focused a lot on SBOM and audit readiness, so haven't evolved much into the broader "ASPM" space. A couple of neat enterprise features are creating custom internal dependencies and exporting ignore lists in VEX format.
Apona provides a combination SCA, SAST, and DAST features. Something unique about their SCA is providing a function level fix if one is available to avoid the patch.
Black Duck SCA provides a product that technically checks all of the SCA boxes, but is not nearly as user friendly as other tools. They get the job done, but UI is targeted more at security than developers.
SonaType was one of the first organizations doing SDLC tooling; however, until recently, they did not have a cloud platform. Their platform is still catching up to the intuitiveness of the SaaS competition, but their product checks all the boxes.
As part of their larger platform, Checkmarx also provides SCA Scanning.
Veracode is a legacy SAST vendor that has done the best job at catching up to cloud native tooling. They are a great choice for organizations using more legacy or waterfall type development methods.
Aqua Security offers SCA scanning as part of their CNAPP solution - they have a longer commitment in the cloud space than developer one.
Using Prisma Cloud as an SCA tool is technically possible, but I wouldn't recommend it. It's part of what Twistlock did, but it hasn't been updated since the acquisition and is very painful for developer use.
While using your git provider as an SCA tool may make sense on the surface, GitLab relies entirely on open source tooling to do the actual scanning, and their reporting is hard to use. Only recommended for organizations that are already on Ultimate.
Dependabot is a great check the box solution for saying you do vulnerability scanning, but it is very difficult to use and doesn't provide much guidance. Generates a lot of noise for developers.
Static application security testing (SAST) analyzes source code for security vulnerabilities, such as a function being called that doesn't do validation on its input. Great tools in this category will run quickly, in pipeline, teach developers, have effective reporting and easy rule tuning. Bad tools will run on a cadence, provide less guidance, and be difficult to change or override rules.
Arnica's SAST is the most robust I've seen from a workflow perspective and actually getting findings fixed.
Ox is a wider ASPM platform, but their SAST scanning covers the basics while integrating with more powerful language specific providers.
Semgrep is a close second choice to Snyk for SAST. Their scanning library is more robust, and the ability to easily create custom rules is a huge bonus that Snyk only recently added. However, their SCA is not as robust, and having two different tools can be a hard pill to swallow. Great product for companies with an appetite for custom rules.
Backslash's SAST is unique in its ability to detect if a finding is surfaced via your API, allowing you to more effectively prioritize findings. SAST is part of their ASPM which includes SCA and secrets.
OpenRefactory has an amazingly robust SAST scanner that has really focused on building the best detections possible. While they're still building their full SaaS platform and features, the SAST engine itself is one of the best out there.
SonarCloud has the benefit of winning your developer's hearts due to its initial product focus on bug squashing and the ability to ingest a wide variety of reports. While the SAST functionalities are newer, they robust enough to warrant the add-on to their code health scanning. Great choice for developer only teams with low risk products.
Bearer is a newer SAST product that is built from an open source lense. They have done excellent analysis of the SAST market and are dialed in on the correct issues, namely false positives, and time to scan.
Paraxial provides a unique combination of security tooling specializing in the Elixir language and Phoenix framework. They're a great choice for companies that use Elixir, and have unique runtime elements that them stand out from open source options.
Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and have created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.
Snyk's SAST tool is newer to market but has come a long way since its release. Although it's not the most robust in any single category, it has the diverse levels of support needed to make SAST happen as a whole and actually get work done. Great choice for companies looking for scalable, simple solutions.
Boost Security is primarily an all in one scanner. I appreciate their openness of sharing their IaC rules.
Oxeye provides standard SAST scanning, but builds out prioritization and exploit likelihood with a powerful runtime engine. A major differentiator is validation via DAST scanning.
Cycode offers SAST scanning as part of their ASPM platform, but it's hard to tell what's open source versus proprietary from them.
Qwiet has a powerful unique approach to scanning that starts with a map of your application, and scans within that context. They have smart prioritization filters combined with the standard suite of SCA, container, SAST, Secrets, and IaC scanning. They don't offer "pipeline-less" scanning via webhooks if that's a requirement for you.
Staris built a platform for open box pentesting powered by GenAI. They look at your code and your application, build a PoC exploit of findings as a code test, and give you the fixed code. The workflow is wrapped as a pentest, but their scan of your source code with GenAI could be considered a SAST.
Mend built SAST into their primarily SCA based platform - I haven't directly seen the updated platform.
Checkmarx is pre cloud-native SAST tool that has had many years to develop a robust library of controls. They're a good fit for enterprises that follow more legacy methods of software development, and are trying to expand into more agile workflows. A lot of companies on this list were started by former Checkmarx employees.
Fortify had a great reputation before the MicroFocus acquisition, but has since become slower to innovate. Lacks a lot of functionality compared to other SaaS options.
Apona provides a combination SCA, SAST, and DAST features.
Kiuwan is a great choice for companies that care above the fidelity of results more than anything else. Kiuwan's scanning offered the most robust true positives we've seen, but they really dragged in terms of their implementation processes, UI, and integration/maintenance of developer workflows.
Veracode is a legacy provider that has done the best job at trying to rapidly innovate with their vendors. They're a good fit for larger enterprises that may need more hands on security developer work to get up and running, and may prefer more waterfall methods of development.
Aqua Security offers SAST scanning as part of their CNAPP solution - they have a longer commitment in the cloud space than developer one.
GitLab's SAST tool totally relies on ingesting open source reports into their pull requests. We would not recommend it as a standalone tool, but is a worthwhile add-on to their security options if you're already invested.
Secret scanning identifies sensitive data, such as API keys and passwords, that have been accidentally committed to source code repositories. Good tools in this category will block the commit as early as possible, as rebuilding a commit history using open source tooling is difficult. Bad tools in this category will only scan on a cadence, and will not block.
Arnica's secret scanning is amazing in how it builds fix PR's that handle the remediation workflow for you. They also do cool validation of your keys.
GitGuardian is the best paid provider for this tool and is a great solution for deploying secret detection at scale. On the one hand, secret scanning is a very narrow function, but on the other, a leak is extremely costly. While Arnica does the workflow, GitGuardian has more robust detection.
Cremit does all of the expected secret scanning, but has great real time alerting on what api keys have done and if they're active by innovatively pulling their command history when available.
SemGrep recently announced their secret scanning solution - it promises an exciting new approach to secret scanning that focuses on context instead of regex to detect secrets.
Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and have created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.
Cycode offers Secret Scanning scanning as part of their ASPM platform, and it's the piece of the platform they've most developed in house.
Boost Security is primarily an all in one scanner. I appreciate their openness of sharing their supported secret detection formats
Backslash provides SCA, SAST, and Secrets scanning, with a focus on internet reachability analysis for prioritization.
Oxeye provides standard secret scanning, but builds out prioritization and exploit likelihood with a powerful runtime engine.
Secret scanning is part of Xygeni's larger ASPM platform, which focuses more on SDLC attacks in general than secret scanning specifically.
Dazz is a vulnerability remediation tool that also provides their own built in secret scanning.
Nosey Parker stands out for being able to scan file systems alongside repositories, and has some great built in reporting functionality.
Qwiet has a powerful unique approach to scanning that starts with a map of your application, and scans within that context. They have smart prioritization filters combined with the standard suite of SCA, container, SAST, Secrets, and IaC scanning. They don't offer "pipeline-less" scanning via webhooks if that's a requirement for you.
Legit Security provides secret scanning as part of their holistic ASPM platform.
GitHub's secret scanning now has the ability stop secrets before they're pushed to the repository, making them by far the best choice. However, they are bundling this with their Advanced Security package, which is very expensive.
Turbot's plugins can robustly query infrastructure for secrets - going beyond just code scanning.
GitLab's scaner can run in pipeline and is provided directly by them. A good choice since it's available in their Premium tier and Ultimate is not needed.
Trufflehog is the best open source scanner available, and easily integrates as a GitHub action.
GitLeaks is a Trufflehog alternative that is also extremely effective. Both repos are well maintained.
IaC security scanning identifies security vulnerabilities and misconfigurations in infrastructure as code (IaC). Great tools in this category can serve as CSPM replacements, offering drift detection and misconfiguration findings. They'll support multiple IaC languages, such as helm and terraform, and will be able to run in pipeline. Weak tools will run on a cadence, and only detect based on manually imported rules. This category is a difficult balance between getting results to your development teams, and sharing a single rule base across code and deployment.
Kivera circumvents the need for traditional IaC scanning by providing granular level policy and access controls to the cloud provider API. This allows for instant enforcement of policies and rules, and is a great way to prevent misconfigurations from ever happening.
Of the ASPM providers, Apiiro offers the most holistic IaC scanning due to their system of building a full application inventory out of your code.
Arnica's IaC scanning is the weakest part of their platform - but the value of getting an all in one tool is worth it.
Boost Security is primarily an all in one scanner. I appreciate their openness of sharing their IaC rules.
IaC scanning is part of Xygeni's larger ASPM platform, which focuses more on SDLC attacks in general than IaC specifically; however, they provide an asset map to help see where changes are coming from.
Snyk IaC integrates directly into your pipeline to easily scan and block IaC misconfigurations. Their support for various IaC templates is a big plus, but their cloud rules are not as advanced as other competitors. Combining with runtime data opens unique use cases for automatic remediation.
Ox relies solely on open source options for their IaC scanning, but tie it together nicely with runtime context.
Cycode offers their own built in IaC scanning as part of their ASPM platform.
Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and have created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.
Turbot's Guardrails allow enforcement of IaC controls, while Pipes enables querying across your charts and plans.
Qwiet has a powerful unique approach to scanning that starts with a map of your application, and scans within that context. They have smart prioritization filters combined with the standard suite of SCA, container, SAST, Secrets, and IaC scanning. They don't offer "pipeline-less" scanning via webhooks if that's a requirement for you.
Legit Security provides IaC scanning as part of their holistic ASPM platform.
As part of their larger platform, Checkmarx also provides IaC Scanning.
For organizations that are already using Wiz, their IaC scanning is a great option. If your devops team is willing to adopt their solution in pipeline, it can be a solid support tool.
Checkov is the leader in IaC scanning as an open source solution. Combining with Bridgecrew can be an okay solution, but we're skeptical of the long term outlook due to the Prisma Cloud acquisition.
KICS is another solid open source solution; however, they're more easily adopted into traditional security review models.
Aqua Security offers IaC scanning as part of their CNAPP solution.
Gomboc promises a unique approach to IaC in that it goes beyond traditional regex based rules. We're pending hands on time with the tool for more information.
We're pending hands on time with the tool for more information.
We're pending hands on time with the tool for more information.
Dynamic application security testing (DAST) scans web applications for security vulnerabilities while they are running, trying things like injecting known malicious payloads into fields. Great tools in this category will run quickly, in pipeline, be as easy as possible to integrate, have API coverage, and have smart fuzzing based on the type of backend you are running. Bad tools will run on a cadence, have less technology coverage, and be difficult to implement.
StackHawk is a developer-first DAST, and it shows every step of the way. They're built to scan quickly, in pipeline, and make it easy to attempt to reproduce issues. They're a major player in reshaping modern DAST and have really paved a way for the future with features like fuzzing API specific data.
Escape is doing amazing things with their approach to DAST. They offer similar in-pipeline scanning capabilities as StackHawk, but have additional tags based on API usage and do API discovery through a variety of different methods.
Pynt has created an elegant solution for running DAST type scanning against your APIs by running tests via a local proxy. This helps to bypass a lot of the pain with configuring DAST tools against your endpoints.
Akto has created an open source flavored approach to next generation DAST with features like looking at log data for API discovery, sensitive data flows, and customized scanning. A uniquely helpful feature is the ability to easily edit and tweak tests from the UI.
Probely has created an excellent version of traditional web based DAST that can handle APIs alongside webcrawling. While they currently don't support GraphQL or have a CLI, they have created unique ways to achieve similar outcomes. The team clearly has a passion for the details of getting the vulnerabilities right.
Oxeye provides a lot of runtime insights and uses DAST to validate their findings - this is one of their major differentiators from other ASPM providers.
ZAP (Zed Attack Proxy) is the scanning tool underlying numerous scanners, and if your internal team is up for the challenge, it can be adapted directly to provide most scanning needs.
Staris built a platform for open box pentesting powered by GenAI. They look at your code and your application, build a PoC exploit of findings as a code test, and give you the fixed code. The workflow is wrapped as a pentest, but their linking of the source code to your application could be considered a DAST type of scan.
Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and have created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.
As part of their larger platform, Checkmarx also provides DAST Scanning.
Edgescan wraps up a lot of services around scanning your endpoints for security issues - from traditional web app crawling, to network scanning, to API scanning.
Acunetix is the best of traditional DAST scanning applications that rely upon older techniques and set scanning intervals. They have robust content and integration potential, but struggle to handle many newer more popular architectures.
Apona provides a web crawling flavored DAST that has some in depth network scanning features as well that are more in line with pentesting.
We don't feel good recommending Qualys DAST to anyone in good faith, but it's a reasonable extension if you're locked into their larger platform. They function as a standard crawler, but have their platform is challenging to configure, deploy, and for reporting.
Like much of their security tooling, GitLab DAST lacks the maturity of dedicated products in terms of robustness, maintenance, and reporting. It can be a useful extension of GitLab ultimate, but has numerous challenges if trying to implement just that solution.
GCP offers a nice to have robust webs security scanner. It's not a great choice for organizations looking to invest in depth on scanning, but if you're already on GCP or looking to check a box, it's a nice to have.
Runtime Application Security Protection (RASP) detects and prevents the exploitation of application level vulnerabilities. This category of tooling is the gold standard of application security in its ability to prevent zero days; however, implementation, maintenance, and a lack of contextual application logic make them difficult to implement. Great tools in this category will be easy to implement, and will provide rich contextual information about the application. Bad tools will be difficult to implement, and will provide little to no contextual information.
Contrast wraps commonly exploited functions at runtime to detect and prevent application exploits, e.g. alerting that XSS was attempted while also sanitizing the input. This is a unique approach that theoretically removes the need for SAST, DAST, SCA, and WAF. The easiest way to understand is an example, you would start your Django app with contrast-python-run -- python manage.py runserver.
Powered by their Sqreen acquisition, DataDog has a unique opportunity with RASP because of how many developers already import their APM library. This allows DataDog to provide function level detection of exploitation attempts.
Paraxial provides a unique combination of security tooling specializing in the Elixir language and Phoenix framework. They're a great choice for companies that use Elixir, and have unique runtime elements that them stand out from open source options.
CNAPPs are the latest category name given to CSPMs as they have evolved into additional layers of tooling. These tools aim to be all in one providers for cloud security, and are often the most expensive tools in the market. Great tools in this category will be best of breed in a single category, and will have a strong vision for the future. Bad tools will be playing endless acquisition catchup as they desperately try to keep pace with one another. In short, I consider this category CSPM + Container Runtime Security. I don't think it's always best to have both of these tools be from the same provider.
Sysdig does the runtime application protection side of CNAPP better than anyone, and have successfully uplifted their compliance and attack graph sides to be competitive with the other providers. Their focus into Runtime Cloud Detection Response is a great one.
Cyscale checks all the boxes for a CNAPP, but their tracking of user identities stands out in the space. They have great visualizations, and have an agent for K8s support.
Deepfence has delivered an incredible amount of work on top of an open source framework. Their Open Source ThreatMapper scans for malware, vulnerabilities, misconfigurations, and secrets. Their paid offering, ThreatStryker, adds eBPF runtime protection - including network and quarantine responses. Unbelievable value for a free offering.
Elastio offers rich snapshot scanning for cloud environments, looking in depth for ransomware indicators of compromise. Their focus on ransomware and support for S3 scanning differentiate them from Wiz and other snapshot scanning solutions.
Upwind provides amazing in depth detection events for runtime kubernetes protection. They don't have some of the generic CSPM detections, but their runtime protection is much more robust.
AccuKnox began with the open source project KubeArmor and has since built into a larger CNAPP platform. Their specialization is runtime protection policies for Kubernetes, which allows for granular rules on which processes can access which files. Their other scanning features are more check the box.
Tigera is leading the charge on what's possible with kubernetes network security. They offer deep insights and protections on what's traversing your network, and have built out a robust set of features around that core product.
Plerion has built a competitive CNAPP with a significantly smaller team. Alongside CSPM, they provide attack maps, IaC scanning, Secret scanning, and vulnerability scanning. They link findings to assets in a clean and intuitive way. Currently there is no agent based runtime protection.
Firemon has assembled a unique collection of cloud security features - CSPM, JIT AWS access, and alerting off cloudtrail events. While they don't have the full feature set of larger CNAPPs, they provide smart features at an aggressive price. They offer CSPM scanning for free.
If you're focused on cloud visibility from a security perspective, there's not a better tool out there. Their rapid investment into their runtime agent is scary for the competition, and their general cloud scanning is best in breed.
Prisma Cloud was the first and most encompassing CNAPP provider. They cover all the bases, but you're paying Palo prices for a product with a lot of skeletons in the closet.
Aqua Security bet big on open source tooling and still maintains some of the most user friendly repos out there. However, their paid offering has a UX that lags behind other products.
Lacework built on tope of an alert based approach rather than more traditional scanning models. That has the benefit of reduced noise and a faster reactive approach, but at the cost of surfacing a lot of alerts to security that they don't have the ability to fix.
Every organization using AWS should absolutely turn on GuardDuty as their first cloud security step. They provide awesome base level protections.
GCP Security Command Center is slowly enabling runtime detection for enterprises, but they charge too much for it to be useable at smaller scales. GCP focuses on secure design for smaller businesses rather than runtime insights.
Defender for Cloud has some awesome insights and coverage, but it's a beast to setup and maintain. It's a good starting point for larger companies who don't have an appetite for a more focused solution.
Cloud Detection and Response is a unique category born out of a operations approach to CSPM alerting. Instead of treating the cloud as a series of API endpoints to be scanned, they instead focus on log ingestion and correlation for response. They're aimed at detecting attacks instead of misconfigurations. Leaders in this field support correlation between multiple tools - such as Okta, to AWS, to a kubernetes pod. Great tools will provide enough context to respond to alerts, which is a challenge for many cloud environments. Poor tools will just be another alert source on top of your CSPM or CNAPP.
Sysdig does the runtime application protection side of CDR better than anyone, and have successfully uplifted their compliance and attack graph sides to be competitive with the other providers. Their focus into Runtime Cloud Detection Response is a great one.
Upwind is the first provider I've seen to demo the fully robust end to end runtime protection many companies are saying they provide. I'm pending hands on time with the tool to confirm - but what I saw was very impressive!
SkyHawk is betting big that they can provide just as much runtime response protection as agent based CDRs, but without an agent. This means that certain detection gaps exist, but in the examples I've seen from them, it makes me wonder if those gaps really matter.
Sweet Security has developed a platform that gets to the details of actually securing your environment. While other providers on this list may be more mature at cloud visibility more generally, Sweet Security provides a level of detail that would actually stop a real attack.
Gem is one of the first platforms to focus on cloud detection & response. Realizing the limitations of configuration scanning in the incident response process, they've built a tool primarily for the SOC to respond to cloud attack patterns. The lack of an agent for kubernetes context is the biggest gap.
Firemon has assembled a unique collection of cloud security features - CSPM, JIT AWS access, and alerting off cloudtrail events. While they don't have the full feature set of larger CDRs, they provide smart features at an aggressive price. They offer CSPM scanning for free.
Lacework built on tope of an alert based approach rather than more traditional scanning models. That has the benefit of reduced noise and a faster reactive approach, but at the cost of surfacing a lot of alerts to security that they don't have the ability to fix.
Every organization using AWS should absolutely turn on GuardDuty as their first cloud security step. They provide awesome base level protections.
GCP Security Command Center is slowly enabling runtime detection for enterprises, but they charge too much for it to be useable at smaller scales. GCP focuses on secure design for smaller businesses rather than runtime insights.
Defender for Cloud has some awesome insights and coverage, but it's a beast to setup and maintain. It's a good starting point for larger companies who don't have an appetite for a more focused solution.
Cloud security posture management (CSPM) is a security practice that helps organizations identify and remediate misconfigurations and security risks in their cloud environments. CSPM's are often the first tool that organizations buy when they start their cloud security journey. Great tools in this category will be able to accurately assess cloud infrastructure while generating minimal noise. Bad tools will run on a cadence, and provide little guidance about who deployed a change. This category has morphed into CNAPP as the market as evolved to include runtime.
Wiz has skyrocketed to success due to their efficient approach to CSPM scanning and prioritization. Their agentless approach allows deep insight into your workloads quickly. The downside is that for use cases like runtime container security, where an agent is required, they are very new to market.
Prowler is built on top of the most robust open source cloud scanner there is. It's a great option for organizations that want to get started with CSPM scanning, but aren't sure where to start. I'd recommend anyone use it at least once to get an idea of what's in your environment.
Cyscale checks all the boxes for a CSPM & CNAPP, but their tracking of user identities stands out in the space. They have great visualizations, and have an agent for K8s support.
Plerion has built a competitive CNAPP with a significantly smaller team. Alongside CSPM, they provide attack maps, IaC scanning, Secret scanning, and vulnerability scanning. They link findings to assets in a clean and intuitive way.
Kivera is not strictly speaking a CSPM, but provides granular controls over what cloud API calls are permissible within your environment. This allows instant enforcement of custom rules and policies, giving the same outcomes as CSPMs without the alert explosion. The downside of using them as a sole CSPM would be missing out on more holistic CNAPP features and visibility, but they run well alongside other providers.
Ox security offers CSPM as part of their ASPM platform.
Cycode offers their own built in CSPM scanning as part of their ASPM platform.
Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and have created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.
Firemon has assembled a unique collection of cloud security features - CSPM, JIT AWS access, and alerting off cloudtrail events. While they don't have the full feature set of larger CNAPPs, they provide smart features at an aggressive price. They offer CSPM scanning for free.
Orca offers a suite of cloud configuration scanning that closely aligns to Wiz. Their primary differentiator is their model for "Outpost" based scanning, where ephemeral instances are used for scanning rather than permanent ones to cut down on costs.
Sysdig excels inside kubernetes clusters, but their runtime cloud scanning is becoming a force to be reckoned with. They've executed quickly on leveling up their CSPM offering, and it does a great job checking the box.
Argos offers a simple platform built for MSSP's to run cloud security tests on custom environments. They provide a combination of CSPM and Asset Mapping technologies to provide exactly the information a provider needs to generate a point in time report.
Turbot's Guardrails allow enforcement of cloud security controls, while Pipes enables querying across your cloud data.
Lacework differentiates itself by taking an alerting approach to CSPM rather than browsing scan results. This has the benefit of being more actionable, but the downside of being less comprehensive. Can be a good fit for orgs looking to take a responsive approach to configuration management, but keep in mind that your security team are not usually the ones pushing the changes.
Prisma Cloud's CSPM offering is chock-full of complicated rules and false positives; that being said, the rule set is robust and you can feel confident in your coverage in terms of compliances being checked and rules for specific services.
Security Hub does a decent job aggregating AWS' security tooling reports into a single dashboard. They also offer a lot of integrations into other tools. That being said, they're not a great CSPM solution on their own and their dashboards have limited usefulness.
A lot of tools on the cloud and app security list apply to kubernetes, but we wanted a space to highlight specialty vendors who bring unique value to the space. Great vendors in this space will provide something that meaningfully distinguishes them from larger CNAPP providers, such as RBAC visualizations. Bad tools in the space will just be worse versions of larger providers.
Rad has deep roots in contributing to kubernetes security developments and provides dedicated services to help customers secure kubernetes. They have in depth policy, audit log, RBAC, and runtime capabilities.
Upwind provides amazing in depth detection events for runtime kubernetes protection. I'm just pending hands on time to dive into the details, because the demo I saw looked amazing!
ARMO's has contributed perhaps more to open source kubernetes security than any other vendor through their kubescape product. Kubescape is hands down the best way to get a quick scan of your environment, and their paid product has expanded into image vulnerability scanning and RBAC visualization.
Operant offers a unique network level approach for securing containers, kubernetes, and APIs. They create excellently detailed ingress and egress maps of your application, and develop rules against that granular visibility for detection and response.
AccuKnox began with the open source project KubeArmor and has since built into a larger Kubernetes platform. Their specialization is runtime protection policies for Kubernetes, which allows for granular rules on which processes can access which files. Their other scanning features are more check the box.
LeakSignal is a promising product offering for achieving the dreaded network microservice protection and data flow mapping. They use an intelligent agent based approach to map data flows, types of data, and policy building. Very cool stuff!
Tigera is leading the charge on what's possible with kubernetes network security. They offer deep insights and protections on what's traversing your network, and have built out a robust set of features around that core product.
Spyderbat is doing some wonderful work with eBPF and proactive configuration protection in the form of specifying what processes can run on a container. They have a clear emphasis on providing actionable process and network level data to indicate when threats exist on a system, but still are working on their interface and UI.
Sysdig does the runtime application protection side of Kubernetes better than anyone, and have successfully uplifted their compliance and attack graph sides to be competitive with the other providers. Their focus into Runtime Cloud Detection Response is a great one.
Datadog's runtime workload protection is a close second to Sysdig in terms of their robust content library. It lacks response capabilities, but it's a great option if you're already using Datadog for other monitoring and security needs.
Container runtime security tools empower detection and response in containerized environments. These tools are needed because most host based Endpoint Detection Response (EDR) tools have no container visibility. Evaluating these tools comes down heavily to how quickly the company has modernized their detection capabilities. Great products will detect container specific actions and threats, and empower security teams to easily see where they came from, even in short lived containers. Bad tools will provide vague content, and only alert on basic threats with tons of false positives.
Sysdig is built on top of the most powerful open source container runtime security tool, Falco. It provides the most in depth protection from container threats available today. The setup is more complicated than other tools in the CNAPP space, but the power is worth it.
Upwind is the first provider I've seen to demo the fully robust end to end runtime protection many companies are saying they provide. I'm pending hands on time with the tool to confirm - but what I saw was very impressive!
Spyderbat is doing some wonderful work with eBPF and proactive configuration protection in the form of specifying what processes can run on a container. They have a clear emphasis on providing actionable process and network level data to indicate when threats exist on a system, but still are working on their interface and UI.
ARMO has very recently dug into a runtime ebpf agent, kubecop. They've launched in their unique open source way and are promising to deliver some real optionality against Falco.
Operant offers a unique network level approach for securing containers, kubernetes, and APIs. They create excellently detailed ingress and egress maps of your application, and develop rules against that granular visibility for detection and response.
Oligo's ebpf agent is differentiated by its unique detections around exploits against third party platforms. If I was worried about third party zero days - this is the tool I would get.
Datadog's runtime workload protection is a close second to Sysdig in terms of their robust content library. It lacks response capabilities, but it's a great option if you're already using Datadog for other monitoring and security needs.
Sweet Security has developed a platform that gets to the details of actually securing your environment. While other providers on this list may be more mature at cloud visibility more generally, Sweet Security provides a level of detail that would actually stop a real attack.
KSOC offers a unique approach to container runtime security that's focused mostly on the security of the cluster itself. It works by analyzing kubernetes audit logs, which lets it sit a unique position between container and IaC scanning. They're a great supplement to existing runtime protection.
Deepfactor uses their unique ability to intercept application calls to provide unique container runtime protection that's not seen in other providers. Their workflow for going through alerts needs work however.
AccuKnox began with the open source project KubeArmor and has since built a full fledged CNAPP platform. Their runtime container protection allows for granular rules on which processes can access which files, which is a huge differentiator.
Wiz's v1 of container runtime didn't make the list because it was so basic. However, over the last 6 months it has basic content worthy of inclusion in the category, and gives all the necessary information for analysis. As they develop a more full runtime protection suite, they will continue to be a strong contender.
Despite being one of the first to market in this area, AquaSec relies more on a passive scanning approach and doesn't offer the same robust runtime protection.
Palo's acquisition of Twistlock gave them amazing potential in runtime container security; however, they have failed to keep the product up to date. It still caught many things and provided great baseline protection, but lacks the depth and customization of other tools.
SentinelOne's container detection runs their same Linux detections inside of containers. Their content is still heavily weighted on traditional EDR detections, but their rich query language allows for custom content that can be more applicable to cloud environments.
CrowdStrike's container runtime technically works, but deployment, maintenance, and usefulness do not compare to other tools at the time of testing. It may be a good option if you're looking to extend a substantial CrowdStrike deployment.
Lacework has attempted to increase it's presence in cluster with a runtime agent; however, it is very new to market and has limited detection content. This extension of Lacework would only be beneficial if you're already on their platform.
GuardDuty is always a great cost effective tool for baseline protections. It's EKS integration is no different. It's a great option if you're looking to just get started with runtime security in K8s (Kubernetes).
Container vulnerability tools help identify and remediate security vulnerabilities in container images. This category was created because host based vulnerability scanners are often completely unaware of containers. Great tools in this category understand how containers are built, and offer simple remediations to developers directly in their workflow. Bad tools will provide a dump of thousands of CVE's, with little to no guidance about where they're coming from, or how to fix them. I separate tools in this category into two groups, those that dump CVEs, and those that roll-up container image versions.
Ox covers a wide variety of tooling, but I was most impressed at their ability to tie container images from repo to runtime, making the findings actually fixable.
ChainGuard offers a unique solution to container vulnerabilities by providing common images that are more well patched and verified than their public maintainer counterparts. Using their base images can provide immediate remediation of numerous vulnerabilities.
Kodem provides runtime insights on container vulnerabilities, but uniquely ties them back to SCA findings in pipeline. This gives you a single holistic view of container and SCA vulnerabilities, as well as what's executing at runtime.
Rezlion combines their own scanning at runtime with ingesting from other platforms to provide an exploitability prioritization view of container and SCA vulnerabilities. They focus on simple deployment into your environment to prioritize what packages and libraries are running.
RapidFort is one of few companies taking container vulnerability scanning with the seriousness it deserves. They differentiate through focusing on removing vulnerabilities by creating slimmed down container images for your applications, but their remediation dashboard is not the best we've seen.
Snyk Container remains an under-rated gem for container vulnerability scanning. They offer robust coverage and integration options. Most importantly, they provide clear breakdowns of where vulnerabilities are being introduced, and what versions exist to remediate issues.
Slim detects what vulnerabilities exist in your container images and creates slimmed down versions of those images based what it's seeing on runtime. They're currently in beta but seem to have ambitious plans for the market.
ARMO provides awesome in depth scanning of kubernetes configurations and has since expanding into RBAC visualization and image scanning. Their container image scanning does great work with application context, but is still developing in terms of workflow.
Cycode offers their own built in IaC scanning as part of their ASPM platform.
Mend has built a very unique offering in container vulnerability scanning out of their Atom acquisition - they build file path based reachability out of the container entry point. This provides runtime-like reachability without needing to run the container.
Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and have created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.
Apiiro offers container vulnerability scanning as part of their larger ASPM platform.
Boost Security is primarily an all in one scanner. Their Container Scanning doesn't seem great on its own.
Qwiet has a powerful unique approach to scanning that starts with a map of your application, and scans within that context. They have smart prioritization filters combined with the standard suite of SCA, container, SAST, Secrets, and IaC scanning. They don't offer "pipeline-less" scanning via webhooks if that's a requirement for you.
As part of their larger platform, Checkmarx also provides IaC Scanning.
The Wiz offering in this space has evolved to give about as actionable data as you can give about container vulnerabilities from a purely runtime context. They give docker layers and base images, and are just missing the code integration (coming soon) that allows them to see the Docker Files themselves.
Docker has quietly built out their container vulnerability scanning to be comparable to other tools in the area. While, at the moment, they lack a full enterprise platform for full tracking across container lifecycles, their scanning built into the Docker Desktop app and CLI options provide much needed visibility into where vulnerabilities are coming from.
Legit Security provides container vulnerability scanning as part of their holistic ASPM platform.
Aqua Security was one of the first to market in this area, but suffers from the "CVE dump" problem that leaves security teams drowning in alerts without providing clear guidance to developers.
Sysdig is similar to other CVE dump type tools, but offers unique benefits due to their runtime insights. They're a great compliment to Snyk and their partnership tells the story.
Veracode offers container vulnerability scanning as part of their larger appsec scanning platform.
Like Aquasec, Twistlock was an early leader in container vulnerability scanning. They suffer from the "CVE dump" problem that leaves security teams drowning in alerts without providing clear guidance to developers.
AWS ECR has vulnerability scanning that works, but much like other tools has "CVE dump" problems. They also don't provide clear guidance on how to remediate issues, but can be a good extension of an AWS native security approach.
Of the cloud providers, GCP offers the best native tooling to scan and remediate container vulnerabilities. That being said, the tooling still suffers from "CVE dump" problems and doesn't provide clear guidance on how to remediate issues.
This brand new category of tooling exists as an acknowledgement of the complexity and volume of alerts of most CNAPP platforms. We're hesitant on the long-term value proposition of these tools - since they rely on other security tools, and everyone always wants to be a "single pane of glass." However, they are certainly solving the problems of the present moment, and their immediate usefulness cannot be denied.
Due to their beginnings focusing on runtime environmnts, DevOcean has created an amazing combination of features - from code to cloud visibility, combined with insights from log data, and a lot of data enrichment to assets, not just vulnerabilities. To be honest, I need to do more hands on work to decide between them and Dazz!
Opus Security focuses on providing root cause analysis - mostly with containers and IaC. Their foundation is building resources and ownership, and then enabling alerting and communication per group to be flexible to different workflows. They provide workflows upon vulnerability detection.
Dazz aggregates your security vulnerabilities into a single dashboard which allows easy assignment and risk based prioritization. Their approach to this problem does a lot of automated lookup work and has some advanced ability to find where container images are coming from. Dazz differentiates by being focused on remediation, rather than just prioritization.
Silk Security offers some unique features like assigning ownership to domains, and provides the rare value of showing asset ownership and code to cloud asset tracking. Another unique feature is their leaderboard - something not enough products have leaned into as a motivator.
Phoenix security is the only provider I've seen in the space that I'm confident could work for the largest of enterprise clients who will value the flexibility, customization, and attention to traditional application security details like custom scoring according to CVSS standards.
Metahub is a uniquely open source context provider for working through your CSPM findings. It provides a lot of valuable context to CSPM findings to help you prioritize based on actual exposure.
Seemplicity's take on the remediation market heavily emphasizes workflow building via their GUI. Their workflow builder offers robust dispatching of the relevant tickets to the right teams.
RevealID maps attack paths in and out of various systems, allowing you to see in the event of a vulnerability exploitation, what the blast radius would be. For example, you can map out the impact of an exploitation of a specific asset, and prioritize accordingly.
Tromzo pulls in rich metadata from your various tools, and uses that metadata to create rich groupings and prioritizations of your vulnerabilities. They uniquely offer a yaml file for adding custom tools and pulling together data.
Vulcan's approach to vulnerability remediation emphasizes risk based prioritization, which we think is less exciting than the functionality around getting the right information to the right teams, automatically. We're pending hands on time with the tool for more information.
Armorcode is the most in the weeds and holistic vulnerability management platforms I've seen. While there's less "magic" happening than in the other providers, I'm also the most confident it would actually work - even down to providing python scripts you can run in pipeline to send vulns to their platform.
SecOps Solution has created a network based scanner for detecting and remediating vulnerabilities across hosts. It's an elegant solution that's great for non-containerized environments.
Avalor creates a platform for the vulnerability fixes you're probably coding yourself. They offer an elegant no/low code approach for uniting all of your vulnerability data in one place. Their approach heavily relies on the flexibility of their data standardization.
Dependency Track is an open source option for creating vulnerability dashboards and notification workflows.
Nucleus's approach to vulnerability remediation, like Vulcan, emphasizes risk based prioritization, which we think is less exciting than the functionality around getting the right information to the right teams, automatically. We're pending hands on time with the tool for more information.
This section will help you find the best GRC automation tool, such as SOC 2 and ISO27001 automation. Governance Risk & Compliance automation vendors provide software that helps organizations automate their compliance workflows. These vendors are typically aimed at helping organizations achieve compliance outcomes with the least amount of engineering involvement needed. Great tools in this category have detailed automation capabilities, and provide clear security guidance. Bad tools will be focused on risk management and manual tracking.
Drata had the advantage of starting after Vanta, and they quickly built a greater depth of automation. They were less focused on their endpoint solution, and more focused on powerful evidence automation.
Vanta was first to market and heavily relied on automating endpoint evidence. They have since rapidly expanded and deserve to be considered right next to Drata as a leader in the space.
Akitra has built an automation platform with less of the big winks vendors in this space tend to make with regards to their automated checks. They've done the hard work of building various cloud reports that can be attached to various frameworks, creating a more realistic automation approach for enterprises.
SecureFrame is a great third choice to Vanta and Drata, but lacks the same depth and breadth of features.
Originally ZenGRC, they were the largest traditional GRC provider to build cloud evidence automation. They're the most automated of the traditional GRC providers, but still lack the depth of Vanta and Drata for getting everything done.
LogicGate is heavily focused on risk assessment and risk management alone, and greatly lacks the automation capabilities of other platforms
ScoutSuite can be used to generate quick compliance based reports to check your environment to try and see if you're compliant with a given framework.
CloudQuery is a great open source tool to check your cloud environment for compliance issues. You can also use it to build compliance automation in house.
Control Tower can be used to try and enforce compliant resource creation across your organization, but is less effective as this is becoming accomplished through policy as code instead.
API security comes in many flavors, but most serve as a specialized web application firewall (WAF). That was my initial description, but I'm broadening this category to really focus on API. Newer vendors are combining static, dynamic, and runtime analysis specializing in APIs. Great tools in this category will provide a clear understanding of the API's attack surface, and will provide clear guidance on how to secure it. Bad tools will have narrow focuses that don't add much value over a WAF.
Impart has everything you'd want in an API security platform and there's little reason to look elsewhere - they provide discovery, testing, and protection all in a single platform.
Levo does a ton of neat stuff with only a lightweight ebpf agent. They create full API schemas which can be real sources of truth, detect version changes, run DAST testing, and look for missing auth tokens. This covers areas where I most commonly see misconfigurations lead to actual exploits - accidental configs of public APIs without authentication.
Operant offers a unique network level approach for securing containers, kubernetes, and APIs. They create excellently detailed ingress and egress maps of your application, and develop rules against that granular visibility for detection and response.
StackHawk is a developer-first DAST, and it shows every step of the way. They're built to scan quickly, in pipeline, and make it easy to attempt to reproduce issues. They do a great job de-constructing your APIs for specific attack attempts.
Escape is doing amazing things with their approach to DAST. They offer similar in-pipeline scanning capabilities as StackHawk, but have additional tags based on API usage and do API discovery through a variety of different methods.
Akto has created an open source flavored approach to next generation DAST with features like looking at log data for API discovery, sensitive data flows, and customized scanning. A uniquely helpful feature is the ability to easily edit and tweak tests from the UI.
Pynt has created an elegant solution for running DAST type scanning against your APIs by running tests via a local proxy. This helps to bypass a lot of the pain with configuring DAST tools against your endpoints.
AWS API offers amazing out of the box protection with numerous rule packs, and integrates with more advanced rules if necessary. The only essential consideration and downside is their 16KB limit on request size which can be a breaking downside for some applications.
Wallarm is definitely the most robust and mature of API security vendors. They offer a ton of features - from API like runtime protection, to secrets detection, to static security testing.
Cloudflare is the traditional leader in API for good reason. They offer great in depth protection that is quick to respond to threats. The platform has grown overly complex for simple use cases.
F5 is a close second to Cloudflare for dedicated providers. Their load balancers and API's are able to scale to cloud native levels, but their pricing is often prohibitive for startups.
Fortinet's API gets the job done, but we wouldn't recommend buying it as a standalone product. It's a great addition to their other offerings, but doesn't stand out on its own.
Like AWS, the GCP API offering is quite substantial. They also have an 8KB limit, but offer a great solution for GCP native applications.
Security Information and Event Management (SIEM) products are the backbone of a security team's operations, enabling them to collect, analyze, and respond to security events and incidents in real-time. By consolidating log data from various sources, SIEM's are the essential tool for finding the details of what happened. Great tools in this category will have strong detection capabilities out of the box, and will be able to integrate with your existing infrastructure. Bad tools will be difficult to integrate, and will require a lot of manual tuning.
We love simplicity in cloud security tooling, and DataDog's Cloud SIEM offers the best out of the box content to keep you covered. They've rapidly developed more niche features like reference sets, but can get you up and running with a proper SIEM faster than any other provider.
Query is not strictly speaking a SIEM, but an excellent way to gather all of your relevant data in a single search. They've created truly on demand, cross integration searches - a great way to save money and time for organizations deep the struggle of log management.
Panther is the SIEM tool truly doing things differently. Their unique approach to detection rules makes things much easier to manage in that they can be written in Python. This makes it easier to write and maintain rules, and also makes it easier to integrate with other tools. They allow some awesome flexibility via Python based rules.
Splunk is still the best tool for security teams willing to invest the time to learning their query language. They have robust features and integration options, but have a steep learning curve and can be expensive. If you're an organization looking to make a substantial investment in dedicated security teams, Splunk is a great option.
IBM QRadar offers robust protection and logging features, but without the steep learning curve of Splunk. Their methodology for filtering is simple and gets the job done, but your team will work more slowly over time without the query language.
SumoLogic's being cloud native has given them a lead in fast cloud queries and development. They're a great middle of the road between QRadar and Splunk, and similarly get the job done with both a query language and understandable dash-boarding. They provide a great cloud native offering.
Devo is a robust cloud SIEM with a lot of solutions. However, their lack of clear focus has made them less effective as they've tried to expand half-heartedly into numerous areas. They're a great option for organizations looking for a single pane of glass, but not the best option for any one area.
Azure Sentinel will get the job done for organizations looking specifically for a SIEM for their Azure environment. They're less robust in their support for other cloud providers, but are a great option for organizations looking to keep things simple and consolidated.
GCP Chronicle is a great option for organizations looking specifically for a SIEM for their GCP environment. They're less robust in their support for other cloud providers, but are a great option for organizations looking to keep things simple and consolidated.
Pentesting (Penetration Testing) is a proactive cybersecurity practice in which ethical hackers simulate real-world attacks on a network, application, or system to identify vulnerabilities and assess the effectiveness of security measures. Great vendors provide valuable insights into your infrastructure based on actual exploits they were able to perform. Poor vendors will run common automated scanning and output a simple report.
Cyrex is the first pentest vendor I've met with that instills a high sense of technical ability from the start. Due to their foundations in the gaming industry, they have built a large variety of custom tooling and take a developer first approach to pentesting that sets them apart by looking at the code alongside your app.
Rhino Security Labs offers the best advanced penetration testing that's focused more heavily on SaaS and DevOps vulnerabilities over traditional infrastructure scaning. They are a great choice for organizations that are looking for a meaningful engagement.
Organizations looking for the highest level of technical sophistication in their engagement should go to Black Hills Information Security. This group has a well earned and stellar reputation for their work.
Intigriti is a bug bounty platform that differentiates with meaningful support from their internal teams to curating and prioritizing your bug reports, as well as finding the right testers for your needs.
Staris built a platform for open box pentesting powered by GenAI. They look at your code and your application, build a PoC exploit of findings as a code test, and give you the fixed code. The workflow is wrapped as a pentest - which offers a glimpse into what the future of pentesting will undoubtedly look like.
Argos offers a simple platform built for MSSP's to run cloud security tests on custom environments. They provide a combination of CSPM and Asset Mapping technologies to provide exactly the information a provider needs to generate a point in time report.
Cobalt has quickly become the leader in penetration testing due to their combination of HackerOne like bug bounty programs with more standard pen testing. They are a great and consistent middle choice for penetration testing, that will go deeper than many, but not as deep as boutique firms.
HackerOne is the standard for bug bounty programs. It's questionable if you could use them to check the box for a pentest, so check with your auditor before doing so; however, a bug bounty program can be much more useful than a pentest in many cases. Keep in mind the heavy maintenance cost of auditing reports from people who want bounties for minor findings.
Abira Security provides holistic security services, one service of which is pentesting.
MindPoint Group offers a robust number of services, primarily differentiated by being able to assist with larger security engineering efforts like implementing secure terraform or active directory.
Cloudyrion provides hands on security testing and consulting designed to help organizations implement secure by design processes.
A-lign offers decent penetration testing alongside their audits. They are a good choice for organizations that are looking for a one stop shop for their compliance needs, but not if you're looking for a deep engagement.
This section will help you find the best tools for protecting Mobile devices. Mobile device protection can range from pentesting services to virtualization and MDM providers. Great tools in this category will be able to detect and respond to threats on mobile devices, and will be able to integrate with your existing infrastructure. Bad tools will be difficult to integrate, and will require a lot of manual tuning.
Corellium has built groundbreaking virtualization capabilities for doing mobile device focused pentesting and security research.
Zimperium offers both MDM style enterprise protections for mobile and an SDK for developers to use to secure mobile devices.
Now Secure offers mobile pentesting services combined with different tools and training for in house security testing.
Managed Detection Response (MDR) providers offer security management services, usually focused on SIEMs, EDRs, and responding to incidents. Great providers in this category offer dedicated engineers to your account, provide technical details, and are quick to respond to emerging threats. Poor providers will be slow to respond, and will provide little to no technical detail to help your team. Choosing the wrong MDR can be devastating, limiting your own hiring budget while bogging down your internal security teams.
Huntress has established themselves as a trustworthy brand in the MDR space through their contribution of open source tools and analysis to the larger security community. They re-sell their huntress tool, which is essentially an XDR platform, to other security vendors.
Like Huntress, Dragos has earned a positive reputation in the general security community. Their threat detection capabilities and analysis are top notch - they've chosen to focus on ICS/OT security.
MindPoint Group offers a robust number of services, primarily differentiated by being able to assist with larger security engineering efforts like implementing secure terraform or active directory.
Kudelski is built on top of the huntress platform and offers MDR services for most enterprises. They have a strong backbone and history in various security sectors, and offer all of the standard MDR services.
Arctic Wolf is built like many older style providers, but has maintained a strong focus on providing meaningful guidance to their customers. They're behind from a platform perspective, but do a great job servicing their customers.
CrowdStrike's MDR provider doesn't provide the most value due to their pure reliance on the CS Falcon platform. They're a great option for organizations that are already using CS Falcon, but not a great option for those that aren't fully invested.
Our most common questions
Contact us at featured@latio.tech if you'd like us to add you to the list, or if you'd like assistance with tool selection, schedule a meeting.
We exist to help companies make better security decisions in the rapidly changing cloud and application security landscapes. We provide all of our content without any vendor sponsorships. We receive no financial incentives from any company on this list, including stock, equity, or paid promotions. We try to have hands on time with as many tools as possible, but if a description is less opinionated, we probably haven't been hands on. Here is our Privacy Policy and Terms of Service.
Logos are shown based on the top 3 companies by upvotes in their category. Upvotes to a company don't carry over to different categories. For example, someone might think Wiz is the best CSPM, but not CNAPP
Making and account allows you to upvote tools and track your favorites. We don't sell your data, and we don't send you emails.
We're currently working on setting up different referral programs with vendors, so the biggest way to help is just letting a vendor know you discovered them thanks to Latio! If you'd like to help us out directly, you can buy us a coffee or subscribe to our socials.
LatioGPT
Consulting
Discord
Videos
Newsletters
GitHub
