Boundary Breakers encompass vendors that are taking bold risks in creating new categories around their offerings. These trailblazing solutions tackle complex security challenges by adopting novel approaches and leveraging advancements in technology to empower unique outcomes. This category exists to highlight tools that are attempting to define new categories.
Oligo provides runtime protection against the exploitation of open source or third party vulnerabilities - not just "is this package running," but "what is this package doing?" Their engine drastically reduces the risk of supply chain exploitation, in a way that might make SCA in general obsolete.
Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and have created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.
Tracking third party data flows is a hot topic in security right now - most companies are tracking via OAuth or API flows. Riscosity is cutting through that to the sources of truth, namely the code and network layers. They scan your code for third party data flows, and then validate at runtime by proxying your egress.
DryRun helps your security team focus on the changes that actually matter, and with a simpler integration that's not dependent on any heavy handed app inventories. I've had to create a ton of custom scripts over my career to monitor high impact files, and only DryRun can properly handle that kind of prioritization.
Permiso is creating incident response for identities. They bridge the gap between "SaaS Security" and "IAM security" by tracking identities across IaaS and SaaS, while baselining and firing alerts for suspected misbehavior, along with session tracking.
Pangea provides an API and SDK to easily implement security features into your application - such as checking a user's password against a breach database, or checking a user's email against a spam database. They're the only company I've seen that's trying to make security features as easy to implement as Stripe.
Dig Security checks all of the boxes for DSPM and DLP, namely data categorization. They differentiate by having database detection and response rules more akin to Database Access Management types of technologies. This gives them a runtime value that others lack. Hopefully the Palo acquisition doesn't kill the detection response capabilities.
Of all the tools claiming to be "developer centric" or "developer loved," only Moderne tries to automate as much as possible of the painful work of fixing vulnerabilities. They leverage the Apache-licensed OpenRewrite to create playbooks across your code for remediating major issues like migrating Java or Spring versions.
Lakera offers a simple way to protect LLMs from injection attacks. Their approach is simple and elegant, and their Gandalf tool allows you to better understand how LLM prompt injections work.
Originally CIEM (Cloud Identity and Entitlement Management), this category has been broadened to cover identity more generally. There are a ton of exciting developments in the identity space with the proliferation of cloud, OIDC, and Terraform, and there are more options than ever for managing identities across your infrastructure.
Kivera provides an identity proxy for true enforcement of access policies. Their setup is awesome out of the box for IaC deployments, giving developers instant feedback when they attempt to implement permission policies that are dangerous.
Iambic is a brand new tool for managing cloud entitlements. Its novel approach allows everything to be managed more easily as code, and opens pull requests to handle identity changes.
Axiom provides standard scanning and remediation for least-privilege access, but also grants least-privilege roles on demand for just-in-time access. Their approach is to reduce permissions while providing temporary roles when major changes are needed.
Entro watches for API key generation and usage across tools, alerting you to both unused permissions and potential malicious activity. An example use case is detecting when a secret is shared on Slack.
Raito gets the details of database access right - they've managed to standardize controlling access to databases across different architectures and providers. Data owners can be assigned and manage who has access to what data, and risk assessments can be done for access. They have an amazing foundation for the future of managing DB access.
Astrix gives you visibility into OAuth connections in your environment - such as when a user authorizes an unknown third party application into your Slack. They provide great visibility into what's usually a black box for security teams.
StackIdentity provides a platform that excels in diving deep into your IAM environment and assessing over-permissive and high-risk resources. They provide a data lake that allows you to really see and maintain proper access controls across tools.
The only challenge with Teleport is figuring out the right time to implement it - they have the only way to provide access to servers, k8s, and cloud that provides logical and safe workflows out of the box. Their product is truly the only way I'd want to access things.
Lumos is fascinating for the breadth of use cases they cover - general SaaS contract management, user audit logs, and request flows for Okta apps - all from a single platform. From what I've seen, Lumos seems like a dream come true for most corporate IT teams, where managing Okta has turned into a team sized job.
Entitle.io is focused on the specific use case of granting break glass permissions in AWS, and rolling back changes when they're not needed. They also support more general permission scanning.
Like other CNAPPs, Wiz is focused on cloud security more broadly than just CIEM tools; however, the vendor offers the basic functionality of tuning your policies to be less permissive.
Sysdig differentiates itself from most CIEM providers by being able to look at which permissions haven't been used by anyone and can be removed. However, this has since become built into AWS Access Analyzer, making it less valuable.
AWS Access Analyzer looks at your users and policies and suggests changes. It is a great built-in tool, but doesn't offer easy organization-level management.
GCP provides basic built-in analysis for policies and users, and also provides role recommendations. At a high level, GCP is the easiest of the cloud providers to manage permissions in.
CloudSploit is a great tool to run a quick scan to check your permissions at a high level.
ScoutSuite is another useful tool to run a quick scan of your cloud environment to check for any issues.
Application Security Posture Management (ASPM) is the latest buzzword to take over the application security market. It's meant to correlate all application security scanning into a single dashboard for remediation prioritization. I've taken the liberty to define it this way - ASPM provides everything you need to scan your application, while remediation platforms focus only on the remediation workflows. Always validate what tool coverage looks like in this category - many vendors have one or two scanners built in house, and are relying on open source tooling for the rest of the pipeline coverage. Great tools will allow you to track and correlate findings across an entire application. Bad tools will rely purely on third party scanners and have major gaps.
Ox Security blew my mind - providing the ultimate all-in-one configuration scanning tool. They're the only ones I've seen who can track a container lifecycle, individually vulnerable functions from dependencies, and provide both rich integrations alongside their own scanners.
Arnica is building the next gen security scanner for SAST, SCA, SDLC and IaC scanning (with container soon I'm sure). Their secret sauce is rich code owner insights with a user graph of your Git provider. I love their focus on remediation workflows and confidence in their own scanners.
Oxeye is building the most runtime-y of ASPM providers - they map out your application using everything from code to agents to network validations. Then they prioritize based on how your app is most likely to be exploited. The only ASPM with DAST validation.
Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and have created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.
Apiiro is like Bionic on steroids by working better in non-Java/Spring environments - it builds an in-depth application inventory by scanning your code for API endpoints and provides excellent prioritization tools based on that map. It does a great job at detecting which PRs will likely be major changes.
Cycode offers all in one scanning and integrations across the SDLC pipeline. Their primary in house built tool is their secret scanner, but their differentiator is their graph querying of deployment processes. If you have a lot of pipelines, they have a lot of querying.
Bionic offers a unique approach to application visibility by building a graph of your services, their dependencies, and the classification of their downstream data. Their application map works best in Java/Spring environments.
For the providers based solely on integration with other security vendors, JIT is my favorite pick. They consolidate scanners and create workflows and prioritization for developers. The JIT scanner is unique in that it's a wrapper for other scanners that you run in your own pipelines - an approach with pros and cons.
Legit Security takes a holistic approach to SDLC security. They aggregate your SDLC pipeline findings across different tools, allowing for remediation, especially within pipeline scanning. They do asset discovery via code, rather than via runtime detection.
Kondukto's strength is integrating with just about every tool you could want, including open source ones, to prioritize and remediate in a single platform. They provide a great Jira workflow for working through findings.
Tromzo leans into the inventory and asset discovery aspects of ASPM by tying discovered vulnerabilities from code to runtime back to where they entered your code.
Does Synopsys technically do everything you'd need from an ASPM? Yes. Would you ever want to use it? No. They've focused heavily into the semiconductor industry, and their ASPM is heavily patched together from various acquisitions.
This section will help you find the best SCA tool. Software composition analysis (SCA) is also called open-source vulnerability scanning. It works by examining the source code of an application to identify any open-source components that are being used. It then checks these components against a database of known vulnerabilities, and alerts the user if any are found. Great tools in this category will run quickly, in pipeline, and most importantly, provide resolution guidance in the developer workflow. Bad tools will run on a cadence, provide CVEs without any guidance, and only work at runtime.
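To make the mechanism concrete, here is a minimal SCA check written as an added example for this page (it is not any vendor's code): it parses a pinned requirements file, matches each component against an advisory database by version range, and emits the fix a developer needs. The advisory database, the advisory identifiers and the requirements text are all constructed for illustration and do not correspond to real packages or real advisories.

```python
"""Minimal software composition analysis (SCA) over a pinned requirements file.

Added example, not a vendor's tool. The advisory database, advisory ids and the
requirements text are constructed for illustration only.
"""
import re

# Constructed advisory database: package -> list of (first_affected, first_fixed, advisory_id).
# Versions are compared as integer tuples; first_fixed is exclusive.
ADVISORIES = {
    "examplelib": [("1.0.0", "1.4.2", "EXAMPLE-2023-0001")],
    "demoparser": [("0.1.0", "2.0.0", "EXAMPLE-2023-0002"),
                   ("3.0.0", "3.1.1", "EXAMPLE-2024-0003")],
}

# Constructed requirements.txt as it would be read from the repository
REQUIREMENTS = """\
# constructed requirements.txt
examplelib==1.3.0
demoparser==3.0.5
safelib==2.2.0
"""

PIN = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9][0-9.]*)$")

def parse_version(v):
    """'1.4.2' -> (1, 4, 2) so ranges can be compared numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))

def parse_requirements(text):
    """Return {package_name: pinned_version}; comments and blank lines are skipped."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN.match(line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps

def scan(deps):
    """Match every dependency against the advisory ranges and return findings."""
    findings = []
    for name, ver in deps.items():
        for first, fixed, adv in ADVISORIES.get(name, []):
            if parse_version(first) <= parse_version(ver) < parse_version(fixed):
                findings.append({"package": name, "version": ver,
                                 "advisory": adv, "fix": fixed})
    return findings

def remediated_requirements(text, findings):
    """Rewrite affected pins to the lowest fixed version: the guidance a developer needs."""
    fixes = {}
    for f in findings:  # if several advisories hit one package, take the highest fix
        fixes[f["package"]] = max(fixes.get(f["package"], "0"), f["fix"], key=parse_version)
    out = []
    for line in text.splitlines():
        m = PIN.match(line.strip())
        if m and m.group(1).lower() in fixes:
            out.append("%s==%s" % (m.group(1), fixes[m.group(1).lower()]))
        else:
            out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    found = scan(parse_requirements(REQUIREMENTS))
    for f in found:
        print("%(package)s %(version)s: %(advisory)s, upgrade to %(fix)s" % f)
    print(remediated_requirements(REQUIREMENTS, found))
```

The point of the last function is the one the paragraph makes about good tools: a CVE list alone is not actionable, while a rewritten pin is something a developer can merge.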
Oligo provides runtime protection against the exploitation of open source or third party vulnerabilities - not just "is this package running," but "what is this package doing?" Their engine drastically reduces the risk of supply chain exploitation, in a way that might make SCA in general obsolete.
Ox's reachability analysis is one of very few that tries to find if the function tied to the CVE exploit in the third party code is actually used in the app - this is a step beyond just checking if the package is loaded.
Snyk's first product was SCA, and it remains what they're stellar at. They do an unparalleled job at rolling up dependencies properly, and surfacing the information to developers in the easiest possible way to fix.
Arnica's SCA is differentiated by finding the most likely owner for the fix and automating a lot of the workflow process, such as pinging them on Slack and creating a Jira ticket.
Mend (formerly WhiteSource) was Snyk's main competitor early on, but did not develop as quickly as Snyk. Their open source Renovate tool is great for keeping your in-house dependencies up to date, but they do not offer insights or rollups as well as Snyk.
For what Snyk offers in usability across functions, Semgrep excels in customization. Their tool offers extensive customizations and rule sets, and their reachability analysis, a critical aspect of SCA, beat Snyk to market. Also, their open source tooling is powering many other tools on this list.
Deep Factor differentiates their SCA tool with deep runtime insights on the open source package and its state of being loaded or not in the application - a good way to prioritize fixing.
Oxeye allows you to prioritize SCA based on where the findings live in your infrastructure with rich runtime insights.
Apiiro prioritizes your SCA findings by tying them to asset inventory and application context.
Endor Labs stands out in their granularity and reachability analysis for open source packages. They get the meaningful details from function level reachability, and are the ones who scared everyone into trying to make it.
Cycode offers their own in house built SCA scanning as part of their ASPM platform.
Fossa is one of the older open source scanning providers - they've focused a lot on SBOM and audit readiness, so haven't evolved much into the broader "ASPM" space.
Black Duck SCA provides a product that technically checks all of the SCA boxes, but is not nearly as user friendly as other tools. They get the job done, but UI is targeted more at security than developers.
Sonatype was one of the first organizations doing SDLC tooling; however, until recently, they did not have a cloud platform. Their platform is still catching up to the intuitiveness of the SaaS competition, but their product checks all the boxes.
Veracode is a legacy SAST vendor that has done the best job at catching up to cloud native tooling. They are a great choice for organizations using more legacy or waterfall type development methods.
Using Prisma Cloud as an SCA tool is technically possible, but I wouldn't recommend it. It's part of what Twistlock did, but it hasn't been updated since the acquisition and is very painful for developer use.
While using your git provider as an SCA tool may make sense on the surface, GitLab relies entirely on open source tooling to do the actual scanning, and their reporting is hard to use. Only recommended for organizations that are already on Ultimate.
Dependabot is a great check the box solution for saying you do vulnerability scanning, but it is very difficult to use and doesn't provide much guidance. Generates a lot of noise for developers.
This section will help you find the best SAST. Static application security testing (SAST) analyzes source code for security vulnerabilities, such as a function being called that doesn't do validation on its input. Great tools in this category will run quickly, in pipeline, teach developers, have effective reporting and easy rule tuning. Bad tools will run on a cadence, provide less guidance, and be difficult to change or override rules.
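The paragraph's own example of a finding (a function called without validation of its input) can be shown with a tiny rule runner over Python source using the standard library `ast` module. This is an added example for this page, not any vendor's scanner; the sample program and the rule table are constructed, and the rule ids are placeholders. The vulnerable calls sit next to their safe forms so the rules have both positives and negatives to work on.

```python
"""Tiny SAST rule runner over Python source (added example, not a vendor's scanner).

It flags sink calls (eval, exec, os.system, subprocess with shell=True) whose first
argument is not a string literal, meaning data reaching the sink may be
unvalidated input. The sample program and rule table are constructed.
"""
import ast

# Rule table: dotted callee name -> (rule id, guidance). Editing this table is the
# "easy rule tuning" the category description asks for.
SINKS = {
    "eval": ("PY_EVAL", "avoid eval on external data; use ast.literal_eval or a real parser"),
    "exec": ("PY_EXEC", "avoid exec on external data"),
    "os.system": ("OS_SYSTEM", "use subprocess.run with an argument list instead of a shell string"),
    "subprocess.run": ("SHELL_TRUE", "drop shell=True and pass an argument list"),
    "subprocess.Popen": ("SHELL_TRUE", "drop shell=True and pass an argument list"),
    "subprocess.call": ("SHELL_TRUE", "drop shell=True and pass an argument list"),
}

# Constructed sample: lines 6, 7 and 14 are findings; lines 10 and 11 are the safe forms.
SAMPLE_SOURCE = '''
import os, subprocess

def run_report(user_filter):
    # unvalidated input reaches a shell
    os.system("report --filter " + user_filter)
    subprocess.run("grep " + user_filter + " data.txt", shell=True)

def safe_report(user_filter):
    subprocess.run(["grep", user_filter, "data.txt"])   # argument list, no shell
    return eval("1 + 1")                                  # literal argument only

def load_config(text):
    return eval(text)
'''

def callee_name(node):
    """Return 'os.system' / 'eval' style dotted name for a Call node, else None."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return func.value.id + "." + func.attr
    return None

def has_shell_true(call):
    """True when the call passes the keyword argument shell=True literally."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
               for kw in call.keywords)

def scan_source(source):
    """Return sorted (line, rule_id, callee, guidance) tuples for the given source text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = callee_name(node)
        if name not in SINKS or not node.args:
            continue
        rule_id, guidance = SINKS[name]
        if rule_id == "SHELL_TRUE" and not has_shell_true(node):
            continue  # an argument list without a shell is the recommended form
        if isinstance(node.args[0], ast.Constant):
            continue  # a constant argument cannot carry injected data
        findings.append((node.lineno, rule_id, name, guidance))
    return sorted(findings)

if __name__ == "__main__":
    for line, rule_id, name, guidance in scan_source(SAMPLE_SOURCE):
        print("line %d [%s] %s: %s" % (line, rule_id, name, guidance))
```

A real SAST engine tracks data flow across functions and files rather than looking only at the literal-or-not shape of the first argument, but the structure is the same: a sink list, a rule table that is easy to change, and guidance attached to every finding.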
Arnica's SAST is the most robust I've seen from a workflow perspective and actually getting findings fixed.
Ox is a wider ASPM platform, but their SAST scanning covers the basics while integrating with more powerful language specific providers.
Snyk's SAST tool is newer to market but has come a long way since its release. Although it's not the most robust in any single category, it has the diverse levels of support needed to make SAST happen as a whole and actually get work done. Great choice for companies looking for scalable, simple solutions.
Semgrep is a close second choice to Snyk for SAST. Their scanning library is more robust, and the ability to easily create custom rules is a huge bonus that Snyk only recently added. However, their SCA is not as robust, and having two different tools can be a hard pill to swallow. Great product for companies with an appetite for custom rules.
SonarCloud has the benefit of winning your developers' hearts due to its initial product focus on bug squashing and the ability to ingest a wide variety of reports. While the SAST functionalities are newer, they're robust enough to warrant the add-on to their code health scanning. Great choice for developer-only teams with low-risk products.
Bearer is a newer SAST product that is built from an open source lens. They have done excellent analysis of the SAST market and are dialed in on the correct issues, namely false positives and time to scan.
Mobb integrates with SAST tools like Snyk, Checkmarx, Fortify, and CodeQL to scan your code and then provide LLM-generated fixes for merging into your code base. A unique product application, but one that the other providers are also working to build natively, such as Snyk's DeepCode.
Oxeye provides standard SAST scanning, but builds out prioritization and exploit likelihood with a powerful runtime engine. A major differentiator is validation via DAST scanning.
Cycode offers SAST scanning as part of their ASPM platform, but it's hard to tell what's open source versus proprietary from them.
Checkmarx is a legacy SAST tool that has had many years to develop a robust library of controls. They're a good fit for enterprises that follow more legacy methods of software development, and are trying to expand into more agile workflows.
Fortify had a great reputation before the MicroFocus acquisition, but has since become slower to innovate. Lacks a lot of functionality compared to other SaaS options.
Kiuwan is a great choice for companies that care about the fidelity of results more than anything else. Kiuwan's scanning offered the most robust true positives we've seen, but they really dragged in terms of their implementation processes, UI, and integration/maintenance of developer workflows.
Veracode is a legacy provider that has done the best job at trying to rapidly innovate with their vendors. They're a good fit for larger enterprises that may need more hands on security developer work to get up and running, and may prefer more waterfall methods of development.
GitLab's SAST tool totally relies on ingesting open source reports into their pull requests. We would not recommend it as a standalone tool, but is a worthwhile add-on to their security options if you're already invested.
This section will help you find the best secret scanning tool. Secret scanning identifies sensitive data, such as API keys and passwords, that have been accidentally committed to source code repositories. Good tools in this category will block the commit as early as possible, as rebuilding a commit history using open source tooling is difficult. Bad tools in this category will only scan on a cadence, and will not block.
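The "block as early as possible" point can be shown with a pre-commit style scanner that looks only at the added side of a diff and returns findings a hook can use to refuse the commit. This is an added example for this page, not any vendor's or open source project's code. The detection rules, the entropy cut-off and the sample diff are constructed; the AWS key in the sample is the non-functional example key from AWS documentation, and the low-entropy value `changeme` is there to show how a placeholder is left out so the hook does not generate noise.

```python
"""Pre-commit style secret scanner over a git diff (added example, not a vendor's code).

Only added lines (the '+' side of a diff) are scanned, so the check can run before a
commit lands and block it. Patterns, threshold and the sample diff are constructed;
the AWS key shown is the non-functional example key from AWS documentation.
"""
import math
import re

# Pattern name -> compiled regex. Group 1 is the candidate secret.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github-token": re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36})\b"),
    # Generic assignment: reported only if the value has high entropy (see scan_diff)
    "generic-credential": re.compile(
        r"(?i)(?:password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*[\"']([^\"']{8,})[\"']"),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; constructed cut-off for the generic rule

# Constructed diff as `git diff --cached` would print it
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "changeme"
+API_TOKEN = "q8Zr2Lk9xP3vTn7Wc4Ys1Bd6Hf0Jg5Mm"
-OLD_TOKEN = "removed lines are not scanned"
"""

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_diff(diff_text):
    """Return (diff_line_number, pattern_name, redacted_value) for each hit on an added line."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only newly added content can still be stopped before it lands
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1)
                if name == "generic-credential" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue  # low-entropy placeholders such as "changeme" would be noise
                findings.append((lineno, name, value[:4] + "..." + value[-2:]))
    return findings

def should_block(findings):
    """A pre-commit hook would exit non-zero (refuse the commit) when this is True."""
    return len(findings) > 0

if __name__ == "__main__":
    hits = scan_diff(SAMPLE_DIFF)
    for lineno, name, redacted in hits:
        print("diff line %d: %s (%s)" % (lineno, name, redacted))
    print("block commit:", should_block(hits))
```

Reporting a redacted value rather than the full match matters in practice: the scanner's own output (CI logs, chat notifications) is otherwise a second place the secret gets written.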
Arnica's secret scanning is amazing in how it builds fix PRs that handle the remediation workflow for you. They also do cool validation of your keys.
GitGuardian is the best paid provider for this tool and is a great solution for deploying secret detection at scale. On the one hand, secret scanning is a very narrow function, but on the other, a leak is extremely costly. While Arnica does the workflow, GitGuardian has more robust detection.
Oxeye provides standard secret scanning, but builds out prioritization and exploit likelihood with a powerful runtime engine.
Semgrep recently announced their secret scanning solution - it promises an exciting new approach to secret scanning that focuses on context instead of regex to detect secrets.
Cycode offers secret scanning as part of their ASPM platform, and it's the piece of the platform they've most developed in house.
Nosey Parker stands out for being able to scan file systems alongside repositories, and has some great built in reporting functionality.
GitHub's secret scanning now has the ability to stop secrets before they're pushed to the repository, making them by far the best choice. However, they are bundling this with their Advanced Security package, which is very expensive.
GitLab's scanner can run in pipeline and is provided directly by them. A good choice since it's available in their Premium tier and Ultimate is not needed.
Trufflehog is the best open source scanner available, and easily integrates as a GitHub action.
GitLeaks is a Trufflehog alternative that is also extremely effective. Both repos are well maintained.
This section will help you find the best IaC Security tool. IaC security scanning identifies security vulnerabilities and misconfigurations in infrastructure as code (IaC). Great tools in this category can serve as CSPM replacements, offering drift detection and misconfiguration findings. They'll support multiple IaC languages, such as Helm and Terraform, and will be able to run in pipeline. Weak tools will run on a cadence, and only detect based on manually imported rules. This category is a difficult balance between getting results to your development teams, and sharing a single rule base across code and deployment.
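An in-pipeline IaC misconfiguration check, written as an added example for this page rather than any vendor's or open source scanner, looks like the following. It reads the `resource_changes` list that `terraform show -json` emits for a saved plan, normalizes each resource that will exist after apply, and applies a small rule set. The plan document and the rule ids are constructed; only the JSON structure mirrors Terraform's plan format, and the three rules (public S3 ACL, SSH open to the world, unencrypted RDS storage) are common misconfiguration classes chosen for illustration.

```python
"""Minimal IaC misconfiguration checker over a Terraform plan in JSON form.

Added example, not any vendor's tooling. It reads the `resource_changes` list that
`terraform show -json plan.out` emits. The plan below is constructed; only its
structure mirrors Terraform's JSON plan format.
"""
import json

SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "name": "logs",
         "change": {"actions": ["create"],
                    "after": {"bucket": "example-logs", "acl": "public-read"}}},
        {"address": "aws_security_group.ssh", "type": "aws_security_group", "name": "ssh",
         "change": {"actions": ["create"],
                    "after": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                                           "cidr_blocks": ["0.0.0.0/0"]}]}}},
        {"address": "aws_db_instance.app", "type": "aws_db_instance", "name": "app",
         "change": {"actions": ["update"],
                    "after": {"storage_encrypted": False, "publicly_accessible": False}}},
        {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket", "name": "old",
         "change": {"actions": ["delete"], "after": None}},
    ],
})

# Each rule takes a normalized resource and returns guidance text, or None when it passes.
def rule_s3_public_acl(res):
    if res["type"] == "aws_s3_bucket" and res["values"].get("acl") in ("public-read", "public-read-write"):
        return "S3 bucket ACL grants public access; use a private ACL and block public access"
    return None

def rule_sg_open_ssh(res):
    if res["type"] != "aws_security_group":
        return None
    for rule in res["values"].get("ingress", []):
        open_world = "0.0.0.0/0" in rule.get("cidr_blocks", [])
        covers_22 = (rule.get("protocol") == "-1"  # -1 means all protocols and ports
                     or rule.get("from_port", 0) <= 22 <= rule.get("to_port", 0))
        if open_world and covers_22:
            return "security group allows SSH from 0.0.0.0/0; restrict the source CIDR"
    return None

def rule_rds_unencrypted(res):
    if res["type"] == "aws_db_instance" and res["values"].get("storage_encrypted") is False:
        return "RDS instance storage is not encrypted; set storage_encrypted = true"
    return None

RULES = {"S3_PUBLIC_ACL": rule_s3_public_acl,
         "SG_OPEN_SSH": rule_sg_open_ssh,
         "RDS_UNENCRYPTED": rule_rds_unencrypted}

def planned_resources(plan_json):
    """Yield {address, type, values} for resources that will exist after apply."""
    plan = json.loads(plan_json)
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if "delete" in change["actions"] and change.get("after") is None:
            continue  # pure deletions leave nothing to misconfigure
        yield {"address": rc["address"], "type": rc["type"], "values": change["after"] or {}}

def scan_plan(plan_json):
    """Return (address, rule_id, guidance) for every failing rule; empty means the plan passes."""
    findings = []
    for res in planned_resources(plan_json):
        for rule_id, rule in RULES.items():
            msg = rule(res)
            if msg:
                findings.append((res["address"], rule_id, msg))
    return findings

if __name__ == "__main__":
    for address, rule_id, msg in scan_plan(SAMPLE_PLAN_JSON):
        print("%s [%s]: %s" % (address, rule_id, msg))
```

Because the rules operate on normalized resource values rather than on HCL text, the same functions can be run against a description of the deployed resources, which is the "single rule base across code and deployment" the paragraph describes.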
Kivera circumvents the need for traditional IaC scanning by providing granular level policy and access controls to the cloud provider API. This allows for instant enforcement of policies and rules, and is a great way to prevent misconfigurations from ever happening.
Of the ASPM providers, Apiiro offers the most holistic IaC scanning due to their system of building a full application inventory out of your code.
Arnica's IaC scanning is the weakest part of their platform - but the value of getting an all in one tool is worth it.
Snyk IaC integrates directly into your pipeline to easily scan and block IaC misconfigurations. Their support for various IaC templates is a big plus, but their cloud rules are not as advanced as other competitors. Combining with runtime data opens unique use cases for automatic remediation.
Ox relies solely on open source options for their IaC scanning, but ties it together nicely with runtime context.
Slauth leverages LLMs to generate policy feedback directly in Terraform - a simple and clear way for developers to make best practice changes to their policies.
Cycode offers their own built in IaC scanning as part of their ASPM platform.
For organizations that are already using Wiz, their IaC scanning is a great option. If your devops team is willing to adopt their solution in pipeline, it can be a solid support tool.
Checkov is the leader in IaC scanning as an open source solution. Combining with Bridgecrew can be an okay solution, but we're skeptical of the long term outlook due to the Prisma Cloud acquisition.
KICS is another solid open source solution; however, they're more easily adopted into traditional security review type models.
Gomboc promises a unique approach to IaC in that it goes beyond traditional regex based rules. We're pending hands on time with the tool for more information.
This section will help you find the best DAST. Dynamic application security testing (DAST) scans web applications for security vulnerabilities while they are running, trying things like injecting known malicious payloads into fields. Great tools in this category will run quickly, in pipeline, be as easy as possible to integrate, have API coverage, and have smart fuzzing based on the type of backend you are running. Bad tools will run on a cadence, have less technology coverage, and be difficult to implement.
StackHawk is a developer-first DAST, and it shows every step of the way. They're built to scan quickly, in pipeline, and make it easy to attempt to reproduce issues. They're a major player in reshaping modern DAST and have really paved a way for the future with features like fuzzing API specific data.
Escape is doing amazing things with their approach to DAST. They offer similar in-pipeline scanning capabilities as StackHawk, but have additional tags based on API usage and do API discovery through a variety of different methods.
Oxeye provides a lot of runtime insights and uses DAST to validate their findings - this is one of their major differentiators from other ASPM providers.
ZAP (Zed Attack Proxy) is the scanning tool underlying numerous scanners, and if your internal team is up for the challenge, it can be adapted directly to provide most scanning needs.
Acunetix is the best of traditional DAST scanning applications that rely upon older techniques and set scanning intervals. They have robust content and integration potential, but struggle to handle many newer more popular architectures.
We don't feel good recommending Qualys DAST to anyone in good faith, but it's a reasonable extension if you're locked into their larger platform. They function as a standard crawler, but their platform is challenging to configure, deploy, and report from.
Like much of their security tooling, GitLab DAST lacks the maturity of dedicated products in terms of robustness, maintenance, and reporting. It can be a useful extension of GitLab ultimate, but has numerous challenges if trying to implement just that solution.
GCP offers a nice-to-have, robust web security scanner. It's not a great choice for organizations looking to invest in depth on scanning, but if you're already on GCP or looking to check a box, it's a nice to have.
This section will help you find the best Kubernetes Security vendor. A lot of tools on the cloud and app security list apply to Kubernetes, but we wanted a space to highlight specialty vendors who bring unique value to the space. Great vendors in this space will provide something that meaningfully distinguishes them from larger CNAPP providers, such as RBAC visualizations. Bad tools in the space will just be worse versions of larger providers.
KSOC has deep roots in contributing to Kubernetes security developments and provides dedicated services to help customers secure Kubernetes. They have in-depth policy, audit log, RBAC, and runtime capabilities.
ARMO has contributed perhaps more to open source Kubernetes security than any other vendor through their Kubescape product. Kubescape is hands down the best way to get a quick scan of your environment, and their paid product has expanded into image vulnerability scanning and RBAC visualization.
AccuKnox began with the open source project KubeArmor and has since built into a larger Kubernetes platform. Their specialization is runtime protection policies for Kubernetes, which allows for granular rules on which processes can access which files. Their other scanning features are more check the box.
Tigera is leading the charge on what's possible with Kubernetes network security. They offer deep insights and protections on what's traversing your network, and have built out a robust set of features around that core product.
Spyderbat is doing some wonderful work with eBPF and proactive configuration protection in the form of specifying what processes can run on a container. They have a clear emphasis on providing actionable process and network level data to indicate when threats exist on a system, but still are working on their interface and UI.
Sysdig does the runtime application protection side of Kubernetes better than anyone, and have successfully uplifted their compliance and attack graph sides to be competitive with the other providers. Their focus into Runtime Cloud Detection Response is a great one.
Datadog's runtime workload protection is a close second to Sysdig in terms of their robust content library. It lacks response capabilities, but it's a great option if you're already using Datadog for other monitoring and security needs.
This section will help you find the best Container Vulnerability scanning tool. Container vulnerability tools help identify and remediate security vulnerabilities in container images. This category was created because host based vulnerability scanners are often completely unaware of containers. Great tools in this category understand how containers are built, and offer simple remediations to developers directly in their workflow. Bad tools will provide a dump of thousands of CVEs, with little to no guidance about where they're coming from, or how to fix them. I separate tools in this category into two groups: those that dump CVEs, and those that roll up container image versions.
Ox covers a wide variety of tooling, but I was most impressed at their ability to tie container images from repo to runtime, making the findings actually fixable.
RapidFort is one of few companies taking container vulnerability scanning with the seriousness it deserves. They differentiate through focusing on removing vulnerabilities by creating slimmed down container images for your applications, but their remediation dashboard is not the best we've seen.
Snyk Container remains an under-rated gem for container vulnerability scanning. They offer robust coverage and integration options. Most importantly, they provide clear breakdowns of where vulnerabilities are being introduced, and what versions exist to remediate issues.
Container vulnerability scanning is usually relegated to a bottom bin in larger CNAPP providers; unlike these approaches, Kodem provides usable analysis of the vulnerabilities in your container images and how to fix them. They give essential information like if the package is used, where the dependency is coming from, and what repo the image was built from.
Slim detects what vulnerabilities exist in your container images and creates slimmed down versions of those images based on what it sees at runtime. They're currently in beta but seem to have ambitious plans for the market.
ARMO provides awesome in-depth scanning of Kubernetes configurations and has since expanded into RBAC visualization and image scanning. Their container image scanning does great work with application context, but is still developing in terms of workflow.
The Wiz offering in this space has evolved to give about as actionable data as you can give about container vulnerabilities from a purely runtime context. They give Docker layers and base images, and are just missing the code integration (coming soon) that would allow them to see the Dockerfiles themselves.
Docker has quietly built out their container vulnerability scanning to be comparable to other tools in the area. While, at the moment, they lack a full enterprise platform for full tracking across container lifecycles, their scanning built into the Docker Desktop app and CLI options provide much needed visibility into where vulnerabilities are coming from.
Aqua Security was one of the first to market in this area, but suffers from the "CVE dump" problem that leaves security teams drowning in alerts without providing clear guidance to developers.
Sysdig Secure is similar to other CVE dump type tools, but offers unique benefits due to their runtime insights. They're a great complement to Snyk, and their partnership tells the story.
Like Aquasec, Twistlock was an early leader in container vulnerability scanning. They suffer from the "CVE dump" problem that leaves security teams drowning in alerts without providing clear guidance to developers.
AWS ECR has vulnerability scanning that works, but much like other tools has "CVE dump" problems. They also don't provide clear guidance on how to remediate issues, but can be a good extension of an AWS native security approach.
Of the cloud providers, GCP offers the best native tooling to scan and remediate container vulnerabilities. That being said, the tooling still suffers from "CVE dump" problems and doesn't provide clear guidance on how to remediate issues.
This section will help you find the best Container Runtime protection. Container runtime security tools empower detection and response in containerized environments. These tools are needed because most host based Endpoint Detection Response (EDR) tools have no container visibility. Evaluating these tools comes down heavily to how quickly the company has modernized their detection capabilities. Great products will detect container specific actions and threats, and empower security teams to easily see where they came from, even in short lived containers. Bad tools will provide vague content, and only alert on basic threats with tons of false positives.
Sysdig Secure is built on top of the most powerful open source container runtime security tool, Falco. It provides the most in depth protection from container threats available today. The setup is more complicated than other tools in the CNAPP space, but the power is worth it.
Spyderbat is doing some wonderful work with eBPF and proactive configuration protection in the form of specifying what processes can run in a container. They have a clear emphasis on providing actionable process and network level data to indicate when threats exist on a system, but are still working on their interface and UI.
Datadog's runtime workload protection is a close second to Sysdig in terms of their robust content library. It lacks response capabilities, but it's a great option if you're already using Datadog for other monitoring and security needs.
Sweet Security has developed a platform that gets to the details of actually securing your environment. While other providers on this list may be more mature at cloud visibility more generally, Sweet Security provides a level of detail that would actually stop a real attack.
KSOC offers a unique approach to container runtime security that's focused mostly on the security of the cluster itself. It works by analyzing Kubernetes audit logs, which lets it sit in a unique position between container and IaC scanning. They're a great supplement to existing runtime protection.
Deepfactor uses their unique ability to intercept application calls to provide container runtime protection that's not seen in other providers. Their workflow for going through alerts needs work, however.
AccuKnox began with the open source project KubeArmor and has since built a full fledged CNAPP platform. Their runtime container protection allows for granular rules on which processes can access which files, which is a huge differentiator.
Wiz's v1 of container runtime didn't make the list because it was so basic. However, over the last 6 months it has basic content worthy of inclusion in the category, and gives all the necessary information for analysis. As they develop a more full runtime protection suite, they will continue to be a strong contender.
Despite being one of the first to market in this area, AquaSec relies more on a passive scanning approach and doesn't offer the same robust runtime protection.
Palo's acquisition of Twistlock gave them amazing potential in runtime container security; however, they have failed to keep the product up to date. It still caught many things and provided great baseline protection, but lacks the depth and customization of other tools.
SentinelOne's container detection runs their same Linux detections inside of containers. Their content is still heavily weighted on traditional EDR detections, but their rich query language allows for custom content that can be more applicable to cloud environments.
CrowdStrike's container runtime technically works, but deployment, maintenance, and usefulness do not compare to other tools at the time of testing. It may be a good option if you're looking to extend a substantial CrowdStrike deployment.
Lacework has attempted to increase its in-cluster presence with a runtime agent; however, it is very new to market and has limited detection content. This extension of Lacework would only be beneficial if you're already on their platform.
GuardDuty is always a great cost effective tool for baseline protections. Its EKS integration is no different. It's a great option if you're looking to just get started with runtime security in K8s (Kubernetes).
This section will help you find the best CSPM. Cloud security posture management (CSPM) is a security practice that helps organizations identify and remediate misconfigurations and security risks in their cloud environments. CSPMs are often the first tool that organizations buy when they start their cloud security journey. Great tools in this category will be able to accurately assess cloud infrastructure while generating minimal noise. Bad tools will run on a cadence, and provide little guidance about who deployed a change. This category has morphed into CNAPP as the market has evolved to include runtime.
Wiz has skyrocketed to success due to their efficient approach to CSPM scanning and prioritization. Their agentless approach allows deep insight into your workloads quickly. The downside is that for use cases like runtime container security, where an agent is required, they are very new to market.
Kivera is not strictly speaking a CSPM, but provides granular controls over what cloud API calls are permissible within your environment. This allows instant enforcement of custom rules and policies, giving the same outcomes as CSPMs without the alert explosion. The downside of using them as a sole CSPM would be missing out on more holistic CNAPP features and visibility, but they run well alongside other providers.
Prowler is built on top of the most robust open source cloud scanner there is. It's a great option for organizations that want to get started with CSPM scanning, but aren't sure where to start. I'd recommend anyone use it at least once to get an idea of what's in your environment.
Plerion has built a competitive CNAPP with a significantly smaller team. Alongside CSPM, they provide attack maps, IaC scanning, Secret scanning, and vulnerability scanning. They link findings to assets in a clean and intuitive way.
Orca offers a suite of cloud configuration scanning that closely aligns to Wiz. Their primary differentiator is their model for "Outpost" based scanning, where ephemeral instances are used for scanning rather than permanent ones to cut down on costs.
Sysdig Secure excels inside Kubernetes clusters, but their runtime cloud scanning is becoming a force to be reckoned with. They've executed quickly on leveling up their CSPM offering, and it does a great job checking the box.
Lacework differentiates itself by taking an alerting approach to CSPM rather than browsing scan results. This has the benefit of being more actionable, but the downside of being less comprehensive. They can be a good fit for orgs looking to take a responsive approach to configuration management, but keep in mind that your security team is not usually the one pushing the changes.
Prisma Cloud's CSPM offering is chock-full of complicated rules and false positives; that being said, the rule set is robust and you can feel confident in your coverage in terms of compliances being checked and rules for specific services.
Security Hub does a decent job aggregating AWS' security tooling reports into a single dashboard. They also offer a lot of integrations into other tools. That being said, they're not a great CSPM solution on their own and their dashboards have limited usefulness.
This section will help you find the best CNAPP. CNAPPs are the latest category name given to CSPMs as they have evolved into additional layers of tooling. These tools aim to be all in one providers for cloud security, and are often the most expensive tools in the market. Great tools in this category will be best of breed in a single category, and will have a strong vision for the future. Bad tools will be playing endless acquisition catchup as they desperately try to keep pace with one another.
Sysdig does the runtime application protection side of CNAPP better than anyone, and has successfully uplifted their compliance and attack graph sides to be competitive with the other providers. Their focus on Runtime Cloud Detection Response is a great one.
SkyHawk is the only company I've seen take the Cloud Detection Response approach to CNAPP so seriously from their conception. They're betting big that they can provide just as much runtime response protection as agent based CNAPPs, but without an agent. This means that certain detection gaps exist, but in the examples I've seen from them, it makes me wonder if those gaps really matter.
Sweet Security has developed a platform that gets to the details of actually securing your environment. While other providers on this list may be more mature at cloud visibility more generally, Sweet Security provides a level of detail that would actually stop a real attack.
AccuKnox began with the open source project KubeArmor and has since built into a larger CNAPP platform. Their specialization is runtime protection policies for Kubernetes, which allows for granular rules on which processes can access which files. Their other scanning features are more check the box.
Tigera is leading the charge on what's possible with Kubernetes network security. They offer deep insights and protections on what's traversing your network, and have built out a robust set of features around that core product.
Deepfence has delivered an incredible amount of work on top of an open source framework. Their Open Source ThreatMapper scans for malware, vulnerabilities, misconfigurations, and secrets. Their paid offering, ThreatStryker, adds eBPF runtime protection - including network and quarantine responses. Unbelievable value for a free offering.
Gem is one of the first platforms to focus on cloud detection & response. Realizing the limitations of configuration scanning in the incident response process, they've built a tool primarily for the SOC to respond to cloud attack patterns. The lack of an agent for Kubernetes context is the biggest gap.
Plerion has built a competitive CNAPP with a significantly smaller team. Alongside CSPM, they provide attack maps, IaC scanning, Secret scanning, and vulnerability scanning. They link findings to assets in a clean and intuitive way. Currently there is no agent based runtime protection.
If you're focused on cloud visibility from a security perspective, there's not a better tool out there. Their rapid investment into their runtime agent is scary for the competition, and their general cloud scanning is best in breed.
Prisma Cloud was the first and most encompassing CNAPP provider. They cover all the bases, but you're paying Palo prices for a product with a lot of skeletons in the closet.
Aqua Security bet big on open source tooling and still maintains some of the most user friendly repos out there. However, their paid offering has a UX that lags behind other products.
Lacework is built on top of an alert based approach rather than more traditional scanning models. That has the benefit of reduced noise and a faster reactive approach, but at the cost of surfacing a lot of alerts to security teams that don't have the ability to fix them.
Every organization using AWS should absolutely turn on GuardDuty as their first cloud security step. They provide awesome base level protections.
GCP Security Command Center is slowly enabling runtime detection for enterprises, but they charge too much for it to be usable at smaller scales. GCP focuses on secure design for smaller businesses rather than runtime insights.
Defender for Cloud has some awesome insights and coverage, but it's a beast to set up and maintain. It's a good starting point for larger companies who don't have an appetite for a more focused solution.
This section will help you find the best vulnerability remediation tool for your organization. This brand new category of tooling exists as an acknowledgement of the complexity and volume of alerts from most CNAPP platforms. We're hesitant about the long-term value proposition of these tools, since they rely on other security tools, and everyone always wants to be a "single pane of glass." However, they are certainly solving the problems of the present moment, and their immediate usefulness cannot be denied.
Dazz aggregates your security vulnerabilities into a single dashboard which allows easy assignment and risk based prioritization. Their approach to this problem does a lot of automated lookup work and has some advanced ability to find where container images are coming from. Dazz differentiates by being focused on remediation, rather than just prioritization.
Avalor creates a platform for the vulnerability fixes you're probably coding yourself. They offer an elegant no/low code approach for uniting all of your vulnerability data in one place. Their approach heavily relies on the flexibility of their data standardization.
Seemplicity's take on the remediation market heavily emphasizes workflow building via their GUI. Their workflow builder offers robust dispatching of the relevant tickets to the right teams.
DevOcean creates holistic prioritizations and automations for remediation of vulnerabilities across cloud providers. We're pending hands on time with the tool for more information.
Vulcan's approach to vulnerability remediation emphasizes risk based prioritization, which we think is less exciting than the functionality around getting the right information to the right teams, automatically. We're pending hands on time with the tool for more information.
Phoenix Security provides a vulnerability remediation platform that integrates with scanners and provides automatic and manual risk categorization and workflows.
Armorcode is the most in the weeds and holistic vulnerability management platform I've seen. While there's less "magic" happening than in the other providers, I'm also the most confident it would actually work, even down to providing Python scripts you can run in a pipeline to send vulns to their platform.
Nucleus's approach to vulnerability remediation, like Vulcan, emphasizes risk based prioritization, which we think is less exciting than the functionality around getting the right information to the right teams, automatically. We're pending hands on time with the tool for more information.
This section will help you find the best GRC automation tool, such as SOC 2 and ISO27001 automation. Governance Risk & Compliance automation vendors provide software that helps organizations automate their compliance workflows. These vendors are typically aimed at helping organizations achieve compliance outcomes with the least amount of engineering involvement needed. Great tools in this category have detailed automation capabilities, and provide clear security guidance. Bad tools will be focused on risk management and manual tracking.
Drata had the advantage of starting after Vanta, and they quickly built a greater depth of automation. They were less focused on their endpoint solution, and more focused on powerful evidence automation.
Vanta was first to market and heavily relied on automating endpoint evidence. They have since rapidly expanded and deserve to be considered right next to Drata as a leader in the space.
SecureFrame is a great third choice to Vanta and Drata, but lacks the same depth and breadth of features.
Originally ZenGRC, they were the largest traditional GRC provider to build cloud evidence automation. They're the most automated of the traditional GRC providers, but still lack the depth of Vanta and Drata for getting everything done.
LogicGate is heavily focused on risk assessment and risk management alone, and greatly lacks the automation capabilities of other platforms.
ScoutSuite can be used to generate quick compliance based reports that check whether your environment is compliant with a given framework.
CloudQuery is a great open source tool to check your cloud environment for compliance issues. You can also use it to build compliance automation in house.
Control Tower can be used to try to enforce compliant resource creation across your organization, but is less effective as this is increasingly accomplished through policy as code instead.
This section will help you find the best WAF; for simplicity, API security is included in this category. A web application firewall (WAF) is a network device that sits in front of your web application load balancer to filter out common web-based attacks by inspecting the network payload. Great tools in this category have deep inspection capabilities, but with most of the rules written for you. Bad tools will require you to write your own rules, and will be difficult to integrate into your existing infrastructure.
Impart has everything you'd want in an API security platform and there's little reason to look elsewhere - they provide discovery, testing, and protection all in a single platform.
AWS WAF offers amazing out of the box protection with numerous rule packs, and integrates with more advanced rules if necessary. The one essential consideration is their 16KB limit on request size, which can be a breaking downside for some applications.
Wallarm is definitely the most robust and mature of API security vendors. They offer a ton of features - from WAF like runtime protection, to secrets detection, to static security testing.
Cloudflare is the traditional leader in WAF for good reason. They offer great in depth protection that is quick to respond to threats. The platform has grown overly complex for simple use cases.
F5 is a close second to Cloudflare for dedicated providers. Their load balancers and WAFs are able to scale to cloud native levels, but their pricing is often prohibitive for startups.
Fortinet's WAF gets the job done, but we wouldn't recommend buying it as a standalone product. It's a great addition to their other offerings, but doesn't stand out on its own.
Like AWS, the GCP WAF offering is quite substantial. They also have an 8KB limit, but offer a great solution for GCP native applications.
This section will help you find the best SIEM. Security Information and Event Management (SIEM) products are the backbone of a security team's operations, enabling them to collect, analyze, and respond to security events and incidents in real time. By consolidating log data from various sources, SIEMs are the essential tool for finding the details of what happened. Great tools in this category will have strong detection capabilities out of the box, and will be able to integrate with your existing infrastructure. Bad tools will be difficult to integrate, and will require a lot of manual tuning.
We love simplicity in cloud security tooling, and DataDog's Cloud SIEM offers the best out of the box content to keep you covered. They've rapidly developed more niche features like reference sets, but can get you up and running with a proper SIEM faster than any other provider.
Query is not strictly speaking a SIEM, but an excellent way to gather all of your relevant data in a single search. They've created truly on demand, cross integration searches, a great way to save money and time for organizations deep in the struggle of log management.
Splunk is still the best tool for security teams willing to invest the time to learn their query language. They have robust features and integration options, but have a steep learning curve and can be expensive. If you're an organization looking to make a substantial investment in dedicated security teams, Splunk is a great option.
Panther is the SIEM tool truly doing things differently. Their unique approach to detection rules makes things much easier to manage in that they can be written in Python. This makes it easier to write and maintain rules, and also makes it easier to integrate with other tools. They're still a young company, but we're excited to see where they go.
IBM QRadar offers robust protection and logging features, but without the steep learning curve of Splunk. Their methodology for filtering is simple and gets the job done, but your team will work more slowly over time without the query language.
SumoLogic being cloud native has given them a lead in fast cloud queries and development. They're a great middle of the road between QRadar and Splunk, and similarly get the job done with both a query language and understandable dashboarding. They provide a great cloud native offering.
Devo is a robust cloud SIEM with a lot of solutions. However, their lack of clear focus has made them less effective as they've tried to expand half-heartedly into numerous areas. They're a great option for organizations looking for a single pane of glass, but not the best option for any one area.
Azure Sentinel will get the job done for organizations looking specifically for a SIEM for their Azure environment. They're less robust in their support for other cloud providers, but are a great option for organizations looking to keep things simple and consolidated.
GCP Chronicle is a great option for organizations looking specifically for a SIEM for their GCP environment. They're less robust in their support for other cloud providers, but are a great option for organizations looking to keep things simple and consolidated.
This section will help you find the best pentesting vendor. Pentesting (Penetration Testing) is a proactive cybersecurity practice in which ethical hackers simulate real-world attacks on a network, application, or system to identify vulnerabilities and assess the effectiveness of security measures. Great vendors provide valuable insights into your infrastructure based on actual exploits they were able to perform. Poor vendors will run common automated scanning and output a simple report.
Cyrex is the first pentest vendor I've met with that instills a high sense of technical ability from the start. Due to their foundations in the gaming industry, they have built a large variety of custom tooling and take a developer first approach to pentesting that sets them apart by looking at the code alongside your app.
Rhino Security Labs offers the best advanced penetration testing that's focused more heavily on SaaS and DevOps vulnerabilities over traditional infrastructure scanning. They are a great choice for organizations that are looking for a meaningful engagement.
Organizations looking for the highest level of technical sophistication in their engagement should go to Black Hills Information Security. This group has a well earned and stellar reputation for their work.
Cobalt has quickly become the leader in penetration testing due to their combination of HackerOne like bug bounty programs with more standard pen testing. They are a great and consistent middle choice for penetration testing, that will go deeper than many, but not as deep as boutique firms.
HackerOne is the standard for bug bounty programs. It's questionable if you could use them to check the box for a pentest, so check with your auditor before doing so; however, a bug bounty program can be much more useful than a pentest in many cases. Keep in mind the heavy maintenance cost of auditing reports from people who want bounties for minor findings.
Cloudyrion provides hands on security testing and consulting designed to help organizations implement secure by design processes.
A-lign offers decent penetration testing alongside their audits. They are a good choice for organizations that are looking for a one stop shop for their compliance needs, but not if you're looking for a deep engagement.
This section will help you find the best tools for protecting mobile devices. Mobile device protection can range from pentesting services to virtualization and MDM providers. Great tools in this category will be able to detect and respond to threats on mobile devices, and will be able to integrate with your existing infrastructure. Bad tools will be difficult to integrate, and will require a lot of manual tuning.
Corellium has built groundbreaking virtualization capabilities for doing mobile device focused pentesting and security research.
Zimperium offers both MDM style enterprise protections for mobile and an SDK for developers to use to secure mobile devices.
Now Secure offers mobile pentesting services combined with different tools and training for in house security testing.
This section will help you find the best MDR. Managed Detection Response (MDR) providers offer security management services, usually focused on SIEMs, EDRs, and responding to incidents. Great providers in this category offer dedicated engineers to your account, provide technical details, and are quick to respond to emerging threats. Poor providers will be slow to respond, and will provide little to no technical detail to help your team. Choosing the wrong MDR can be devastating, limiting your own hiring budget while bogging down your internal security teams.
Huntress has established themselves as a trustworthy brand in the MDR space through their contribution of open source tools and analysis to the larger security community. They re-sell their Huntress tool, which is essentially an XDR platform, to other security vendors.
Like Huntress, Dragos has earned a positive reputation in the general security community. Their threat detection capabilities and analysis are top notch - they've chosen to focus on ICS/OT security.
Kudelski is built on top of the Huntress platform and offers MDR services for most enterprises. They have a strong backbone and history in various security sectors, and offer all of the standard MDR services.
Arctic Wolf is built like many older style providers, but has maintained a strong focus on providing meaningful guidance to their customers. They're behind from a platform perspective, but do a great job servicing their customers.
CrowdStrike's MDR provider doesn't provide the most value due to their pure reliance on the CS Falcon platform. They're a great option for organizations that are already using CS Falcon, but not a great option for those that aren't fully invested.
Contact us at featured@latio.tech if you'd like us to add you to the list or subscribe for updates. We do not have a financial involvement with any platforms listed on this site; if you'd like to support us, you can do so here.