Find your next security tool.

Boundary Breakers

Boundary Breakers encompass vendors that are taking risks in creating new categories around their offerings. This category exists to highlight tools that are attempting to define new categories.

Oligo provides runtime protection against the exploitation of open source or third party vulnerabilities - not just "is this package running," but "what is this package doing?" Their engine drastically reduces the risk of supply chain exploitation, in a way that might make SCA in general obsolete.

Seal is another vendor that threatens to make open source scanning entirely obsolete. They backport security fixes to your current version of open source libraries for instant, ongoing auto-patching; that way you don't need to make major framework upgrades under duress. Seal changes everything about SCA scanning, and threatens to upheave the whole industry.

Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and have created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.

Tracking third party data flows is a hot topic in security right now - most companies are tracking via OAuth or API flows. Riscosity is cutting through that to the sources of truth, namely the code and network layers. They scan your code for third party data flows, and then validate at runtime by proxying your egress.

Formal is super cool. They built a simple to deploy reverse proxy (it's just a binary!) that automatically gets total visibility into data on the way in and can decrypt it based on policies to control who can view what, when.

HoundDog is the kind of solution that uniquely solves an interesting problem in AppSec - logging or accidentally sharing PII. They use a combination of regex and AI to scan for data leak scenarios. I think this capability will be quickly desired as part of broader ASPM.

Permiso is creating incident response for identities. They bridge the gap between "SaaS Security" and "IAM security" by tracking identities across IaaS and SaaS, while baselining and firing alerts for suspected misbehavior, along with session tracking.

Pangea provides an API and SDK to easily implement security features into your application - such as checking a user's password against a breach database, or checking a user's email against a spam database. They're the only company I've seen that's trying to make security features as easy to implement as Stripe.

It took quite a bit of time for me to understand how uniquely Xygeni is approaching ASPM. Rather than chasing buzzwords and features, they've been focusing on stopping real attacks. They have a unique technological approach for detecting not just pipeline attacks, but more significantly scanning third party libraries for malware; not just vulnerabilities. For example, if I decided to make the open source Latio scanner send all your code to my server, they'd be the only full ASPM platform that could also detect that attack.

Of all the companies in this space, Tidelift is the only one I could describe as uniquely ethical. If you're tired of shoveling your CVE scanner results into open source backlogs, never to be fixed, working with Tidelift allows you to actually work with maintainers to get your issues fixed upstream - while checking the box on standard SCA feature sets (plus a few unique package health assessments).

Tracebit is building very holistic deception technology that serves as honeypots for your cloud infrastructure. They deploy deceptive resources that match your existing ones, and monitor those resources for any suspicious activity.

It's great to see a company build a product around honey tokens. Honeypots provide a ton of security ROI but are difficult to setup and maintain, Seedata takes care of that for you so that you can focus on analyzing the results. I'd highly recommend this tooling for people with advanced security operations teams.

Myrror provides the standard suite of SCA tools with functional level reachability, but they have a much more unique technology that allows you to confirm that a binary was built from a particular source code. This allows the most thorough validation of supply chain assets I've seen and is an awesome functionality to ensuring you're not deploying unknown risks to your customers.

TrustOnCloud has created in depth threat models for cloud services. For example, they can show you every possible way someone could exploit an S3 bucket. Because they don't focus on scanning, they've created a library of potential exploits that goes far beyond what most CSPMs offer; however, that comes with the downside of being fundamentally a work generation tool. If you're operating at a scale where formal threat models need to be conducted before adopting new AWS services, their tool is undoubtedly useful.

VulnCheck provides well curated data on vulnerability exploitations - I can't see myself using them directly at smaller companies, but I'd hope all of my providers were using them for upstream data.

Devici has created a collaboration tool specifically for threat modelling, allowing for unique opportunities for mapping resources with tagging, dataflows, and notes. As development teams get more directly involved with day to day security alerts, it seems that threat modelling will be a key value add for security teams, and I wouldn't be surprized to see more tools arise in this space.

Leen is building a unified API for security integration data - a great product for product teams or people building their own tooling!

Bedrock Systems has created a hypervisor that can watch for malicious interactions with the Linux kernel, and other suspicious read/write operations. This makes them an extremely powerful tool for detecting container escapes and attackers getting funky with core Linux systems, but it comes at the cost of having a custom deployment for your node infrastructure - which may or may not be worth it depending on your security posture.

Ophion gets the closest I've seen to a realistic automated pentest, and are essentially offering ongoing recon as a service. They aren't just running DAST scanners against your endpoints, but are instead doing a very realistic reacon of your public facing assets. One small example illustrating the difference is looking at the public commit history of your company employees on public GitHub repos.

Zenity has created a suite of security tools for scanning low and no-code applications, which are becoming more and more common in large enterprises. These monitor dataflows, third party vulns, and secrets usage in non-traditional coding applications like Salesforce, Servicenow, and Microsoft Copilot.

Mimic has created a unique ransomeware defense solution that focuses on protecting critical assets while using honeypot like deception techniques to buy response time.

Dig Security checks all of the boxes for DSPM and DLP, namely data categorization. They differentiate by having database detection and response rules more akin to Database Access Management types of technologies. This gives them a runtime value that others lack. Hopefully the Palo acquisition doesn't kill the detection response capabilities.

LLM

This category is for the quickly emerging field of LLM Security tools. These tools cover visibility, detection, and response for LLMs across code, endpoints, and infrastructure. I'm most excited for the application level security use cases, but early companies here are focused on monitoring employee chat sessions. Success in this category is dictated by ability to adept to rapidly changing conditions.

Prompt Security offers comprehensive solutions for LLM security. They have both corporate IT visibility with their browser plugin, alongside application visibility with API, SDK, and reverse proxy options. You can also trace user sessions and detect/redact/block numerous types of data and attacks.

Despite being so early in development, what I've seen from Apex is the most unique approach to GenAI security. They offer visibility, configuration protection, and runtime detection and response for LLMs, both for corporate and application use cases. Everything from DLP to Injection detection, to LLM quarantining.

Pillar is building exactly what I think LLM security should be - a simple to use library that wraps LLM calls giving you visibility and blocking capabilities that exceed most of what's out there.

Mindgard has taken a cool approach to LLM security by building an in depth testing library for your existing models. Given the rapidly changing nature of the field, it's a great way to learn about existing attacks and how to protect against them.

Lakera offers a simple way to protect LLM's by importing their SDK into your code. Their approach is simple and elegant, and their Gandalf tool allows you to better understand how LLM prompt injections work.

Harmonic currently has the standard suite of LLM protection visibility via browsers, but has a long term focus on detecting the flow of sensitive data - a vision that aligns well with the team's history in detecting sensitive data across the internet.

Lasso has the most fully functional product right now - they use plugins to monitor different LLM entry points to detect for data leakage and do prevention and anonymization. They're solving the current issues CISOs are looking to be solved.

Cloud Identity

Originally CIEM (Cloud Identity and Entitlement Management), this category has been broadened to Cloud Identity. These offerings help manage the numerous ways cloud identities can be created and proliferated, whether it be through IaC or AWS policies.

Kivera provides an identity proxy for true enforcement of access policies. Their setup is awesome out of the box for IaC deployments, giving developers instant feedback for when they're attempting to implement permission policies that are dangerous.

Entro watches for API key generation and usage across tools, alerting you to both unused permissions, as well as potential malicious activity. An example use case is detecting when a secret is shared on Slack.

P0 has built a truly unique workflow for JIT access for multiple development tools. While other providers in this space work for AWS, P0 differentiates by also supporting things like K8s, Postgres, and Snowflake with temporary policy access.

Axiom provides standard scanning and remediation for least privileged access, but also grant least privileged roles on demand for just in time access. Their approach is to reduce permissions while providing temporary roles when major changes are needed.

Apono enables you define access policies to cloud and workload resources, creating JIT workflows for accessing different environments. One standout feature is kubernetes RBAC visualization, combined with JIT access roles.

Aembit provides the most secure way I've seen of delivering machine to machines credentials to your workloads. They uniquely validate asset identity via contextual properties and integrations, and then inject the approved credentials into the workload.

Andromeda has built a promising solution for making least privileged identity enforcement a reality. They do some discovery, sensitive permission scanning, blast radius building, looking for unused permissions, and JIT access. What makes them unique is AI approval workflows for JIT, and a rich checking for unused permissions.

Raito gets the details of database access right - they've managed to standardize controlling access to databases across different architectures and providers. Data owners can be assigned and manage who has access to what data, and risk assessments can be done for access. They have an amazing foundation for the future of managing DB access.

Abbey allows you to define grant kits in code, which are custom pre-defined terraform for different access scenarios. Developers can then request access via Abbey, and open a PR subject to defined approval workflows.

Sonrai has built a simple deployment for securing numerous cloud identities with as little complexity as possible by focusing on deploying permissions boundaries through SCPs and removing unused resources.

Procyon provides JIT access for cloud workloads

Turbot's Guardrails product allows for enforcement of cloud identity controls, while Pipes enables querying and alerting on logs and metadata.

InstaSecure uniquely flips the paradigm of identity management by helping you set robust IAM boundaries and SCPs instead of focusing on the endless tweaking of individual users and roles. The approach is a great way to get high impact low effort results.

StackIdentity provides a platform that excels in diving deep into your IAM environment and assessing over permissive and high risk resources. They provide a data lake that allows you to really see and maintain proper access controls across tools.

Entitle.io is focused on the specific use case of granting break glass permissions in AWS, and rolling back changes when they're not needed. They also support more general permission scanning.

Like other CNAPPs, Wiz is focused on cloud security more broadly than just Cloud-Identity tools; however, they offer the basic functionality of tuning your policies to be less permissive.

Sysdig differentiates itself from most Cloud-Identity providers by being able to look at which permissions haven't been used by anyone and can be removed. However, this has since become built in to AWS' access analyzer tool, making it less valuable.

AWS Access Analyzer looks at your users and policies and suggests changes. It is a great built in tool, but doesn't offer easy organization level management.

Basic built in analysis for GCP policies and users. Also provides role recommendations. At a high level, GCP is the easiest of cloud providers to manage permissions in.

CloudSploit is a great tool to run a quick scan to check your permissions at a high level.

ScoutSuite is another useful tool to run a quick scan of your cloud environment to check for any issues.

Code Fixers

This category of tooling is for vendors that focus on providing pull requests with code fixes in them across various scanning tools. It's a different approach than remediation workflow platforms.

Most code-fixers are starting with SAST because it's the easiest to implement. Seal however is starting with SCA - creating backported patches for your current version of open source libraries. This is a game changer for SCA scanning, and threatens to upheave the whole industry. Seal uses GenAI to help backport patches to your current version of open source libraries.

Grit is awesome - they provide pre-baked playbooks for everything from framework migrations to major security patches. The most time consuming part of patching is figuring out the changes, and Grit does that part for you, even updating tests. Them and Moderne are providing amazing value for actually getting things patched. Grit uses GenAI to help create playbooks for major upgrades.

Despite being the only one without ai in their domain, Corgea's platform is the most driven by GenAI that I've seen. Because of the reliance on GenAI, I've seen some really cool and unique solutions to specific vulnerabilities that other tools would likely have a very difficult time standing up. They also have the cutest logo of any other platform on here. Corgea uses GenAI to help create fixes & detections for SAST findings.

DryRun helps your security team focus on the changes that actually matter, and with a simpler integration that's not dependent on any heavy handed app inventories. I've had to create a ton of custom scripts over my career to monitor high impact files, and only DryRun can properly handle that kind of prioritization.

Staris built a platform for open box pentesting powered by GenAI. They look at your code and your application, build a PoC exploit of findings as a code test, and give you the fixed code. The workflow is wrapped as a pentest - which offers a glimpse into what the future of pentesting will undoubtedly look like. Staris uses GenAI to help find exploits from SAST to runtime.

Pixee is taking a unique approach to SAST fixes by raising pull requests on customizable cadences to make progress burning down your backlog. They provide their own wrappers around commonly exploited functions that are suggested in the raised pull requests. It's worth mentioning it didn't find any vulnerabilities in our test code. Pixee uses GenAI to help create fixes & detections for SAST findings.

Mobb integrates with SAST tools like Snyk, Checkmarx, Fortify, and Codeql to scan your code and then provides fixes for merging into your code base. Their generated fixes seem good, but it's something that other providers are also working to build natively such as Snyk's DeepCode. Mobb uses GenAI to help create fixes for SAST findings.

Nullify is also starting with SAST use cases, but has expanded their AI agent functionality to be more holistic with their slack app and creating rudimentary threat models of code changes. Their vision is more holistic - focusing on creating an AI based product security engineer.

Amplify provides fixes for SAST findings, complete with importing libraries that will help fix the security issue. They have PR and remediation workflows for providing the fixes to developers. Amplify uses GenAI to help create fixes & detections for SAST findings.

Seezo turns design docs into security requirements.

Of all the tools claiming to be "developer centric" or "developer loved," only Moderne tries to automate as much as possible for even the most painful parts of fixing vulnerabilities - major version upgrades. They leverage Apache Openwrite to create playbooks across your code for remediating major issues like migrating Java or Spring versions.

Infield offers both a product and services for handling complex migration efforts for common application upgrades. They have a robust history of success and combining the service with the SaaS should be appealing to customers who don't find the product value in upgrades.

In order to help people see the value of using LLMs for application security detection, we created a simple command line tool for code scanning with OpenAI. It's bring your own OpenAI API key, so you can manage the data however you see fit, and has templated github action for pipeline use.

Corporate Identity

This category is for tools that assist primarily with managing user identities outside of cloud environments. This includes tools that help with user provisioning, authentication, and authorization. Good tools in this category help with user lifecycle management, and provide a single pane of glass for managing user access across your infrastructure. Bad tools in this category are difficult to integrate, and require a lot of manual tuning.

Lumos is fascinating for the breadth of use cases they cover - general SaaS contract management, user audit logs, and request flows for Okta apps - all from a single platform. From what I've seen, Lumos seems like a dream come true for most corporate IT teams, where managing Okta has turned into a team sized job.

Astrix gives you visibility into OAuth connections in your environment - such as when a user authorizes an unknown third party application into your Slack. They provide great visibility into whats usually a black box for security teams.

Axiom provides standard scanning and remediation for least privileged access, but also grant least privileged roles on demand for just in time access. Their approach is to reduce permissions while providing temporary roles when major changes are needed.

Veza has created a unique graph querying tool associating users to the data they have access to - this extends beyond basic Okta user assignments to include things like sensitive S3 buckets or databases. Alerting can also be configured based on the searches. They also include onboarding/offboarding automations.

At their core, Garantir offers a solution for public and private key storage, but that description sells them short of numerous use cases they support with elegance. They can be used as a PAM, for SSH management, to accomplish HSM with ease, and can run just about anywhere a private key is needed with their agent on user endpoints.

Push Security created a browser plugin that monitors SaaS applications being used by employees, and can alert on risky identity controls such as re-using weak passwords or lack of MFA.

Teleport works by giving end users certificates that allow them to enforce access policies across numerous cloud resources that are typically difficult to manage. The user experience is better than any alternatives I've seen.

Komo provides user access request flows for Okta and AWS SSO, allowing users to easily request and be assigned permissions. They uniquely allow the creation of attribute based rules, creating workflows around users as their attributes change.

ConductorOne provides a management platform for okta user assignments. I haven't met with them.

Opal provides a management platform for okta user assignments. I haven't met with them.

ASPM

Application Security Posture Management (ASPM) is the latest buzzword to take over the application security market. It's meant to correlate all application security scanning into a single dashboard for remediation prioritization - but my thoughts on definition are here. Always validate what tool coverage looks like in this category - many vendors have one or two scanners built in house, and are relying on open source tooling for the rest of the pipeline coverage. Great tools will allow you to track and correlate findings across an entire application. Bad tools will rely purely on third party scanners and have major gaps.

Ox security blew my mind - providing the ultimate all in one configuration scanning tool. They're the only ones I've seen who can track a container lifecycle, individually vulnerable functions from dependencies, and provide both rich integrations alongside their own scanners.

Arnica is building the next gen security scanner for SAST, SCA, SDLC and IaC scanning (with container soon I'm sure). Their secret sauce is rich code owner insights with a user graph of your Git provider. I love their focus on remediation workflows and confidence in their own scanners.

Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and have created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.

Apiiro is like Bionic on steroids by working better in non Java/Spring environments - it builds an in depth application inventory by scanning your code for API endpoints and provides excellent prioritization tools based on that map. It does a great job at detecting what PR's will likely be major changes.

Cycode offers all in one scanning and integrations across the SDLC pipeline. Their primary in house built tool is their secret scanner, but their differentiator is their graph querying of deployment processes. If you have a lot of pipelines, they have a lot of querying.

Xygeni has built a unique approach to ASPM tooling by focusing on malware detection, GitOps exploits, and detecting active supply chain attacks. They've built everything in house and also have an asset graph for relating resources to one another.

Backslash provides SCA, SAST, and Secrets scanning, with a focus on reachability from network, API, and function perspectives without an agent. This approach to reachability is uniquely holistic - including features like detecting if a transitive dependency is directly called by your code, or if a specific SAST finding is surfaced via API.

Oxeye is building the most runtime-y of ASPM providers - they map out your application using everything from code to agents to network validations. Then they prioritize based on how your app is most likely to be exploited. The only ASPM with DAST validation.

Boost Security has a shared vision for all in one configuration scanning out to runtime. They have smart kubernetes & Istio integrations for runtime context, alongside the standard suite of SCA, SDLC, SAST, IaC, Secrets, and Containers based on a combination of open source and in house built tools. I appreciate the openness of their rule set in their documentation.

Qwiet has been doing all in one scanning for a long time - they have a powerful unique approach to scanning that starts with a map of your application, and scans within that context. They have smart prioritization filters combined with the standard suite of SCA, container, SAST, Secrets, and IaC scanning. They don't offer "pipeline-less" scanning via webhooks if that's a requirement for you.

Rezlion combines their own scanning at runtime with ingesting from other platforms to provide an exploitability prioritization view of container and SCA vulnerabilities. They focus on simple deployment into your environment to prioritize what packages and libraries are running.

Bionic offers a unique approach to application visibility by building a graph of your services, their dependencies, and the classification of their downstream data. Their application map works best in Java/Spring environments.

For the providers based solely on integration with other security vendors, JIT is my favorite pick. They consolidate scanners and create workflows and prioritization for developers. The JIT scanner is unique in that it's a wrapper for other scanners that you run in your own pipelines - an approach with pros and cons.

Legit Security takes a holistic approach to SDLC security. They aggregate your SDLC pipeline findings across different tools, allowing for remediation, especially within pipeline scanning. They do asset discovery via code, rather than via runtime detection.

Kondukto's strength is integrating with just about every tool you could want, including open source ones, to prioritize and remediate in a single platform. They provide a great Jira workflow for working through findings.

Snyk's ASPM product is frankly pretty weird. It provides pipeline coverage and asset classification, but since it neither integrate with other platforms, nor Snyk's issues, it's hard to see how it fulfills the goals of ASPM.

Does Synopsys technically do everything you'd need from an ASPM? Yes. Would you ever want to use it? No. They've focused heavily into the semiconductor industry, and their ASPM is heavily patched together from various acquisitions.

SCA

Software composition analysis (SCA) is also called open-source vulnerability scanning. It works by examining the source code of an application to identify any open-source components that are being used. It then checks these components against a database of known vulnerabilities, and alerts the user if any are found. Great tools in this category will run quickly, in pipeline, and most importantly, provide resolution guidance in the developer workflow. Bad tools will run on a cadence, provide CVE's without an guidance, and only work at runtime.

Oligo provides runtime protection against the exploitation of open source or third party vulnerabilities - not just "is this package running," but "what is this package doing?" Their engine drastically reduces the risk of supply chain exploitation, in a way that might make SCA in general obsolete.

Seal doesn't do SCA scanning in the traditional sense, instead they backport security patches for open source libraries, allowing you to auto-patch any vulnerabilities without doing major framework updates. Their only limit is their velocity pushing the backported patches.

Ox's reachability analysis is one of very few that tries to find if the function tied to the CVE exploit in the third party code is actually used in the app - this is a step beyond just checking if the package is loaded.

Arnica's SCA is differentiated by finding the most likely owner for the fix and automating a lot of the workflow process such as pinging them on slack and creating a Jira ticket.

Kodem provides runtime insights on container vulnerabilities, but uniquely ties them back to SCA findings in pipeline. This gives you a single holistic view of container and SCA vulnerabilities, as well as what's executing at runtime.

Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and have created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.

For what Snyk offers in usability across functions, SemGrep excels in customization. Their tool offers extensive customizations and rule sets, and their reachability analysis, a critical aspect of SCA, beat Snyk to market. Also, their open source tooling is powering many other tools on this list.

Phylum meets standard SCA scanning requirements, but differentiates with upstream malware detection. They have some smart features such as providing a CLI wrapper for NPM stalls to block attempted malware installation during development.

Of all the companies in this space, Tidelift is the only one I could describe as uniquely ethical. If you're tired of shoveling your CVE scanner results into open source backlogs, never to be fixed, working with Tidelift allows you to actually work with maintainers to get your issues fixed upstream - while checking the box on standard SCA feature sets (plus a few unique package health assessments).

Endor Labs stands out in their granularity and reachability analysis for open source packages. They get the meaningful details from function level reachability, and are the ones who scared everyone into trying to make it.

SCA scanning fits into Xygeni's larger ASPM platform but differentiates by scanning the packages from a SAST perspective instead of just looking up CVEs.

Backslash's SCA supports function level reachability, but can even detect direct calls to transitive dependencies. SCA is part of their ASPM which includes SAST and secrets.

Myrror provides the standard suite of SCA tools with functional level reachability, but they have a much more unique technology that allows you to confirm that a binary was built from a particular source code. This allows the most thorough validation of supply chain assets I've seen and is an awesome functionality to ensuring you're not deploying unknown risks to your customers.

Deep Factor differentiates their SCA tool with deep runtime insights on the open source package and its state of being loaded or not in the application - a good way to prioritize fixing.

Socket takes the unique approach of looking for malware within open source packages instead of focusing on only CVEs. They have robust support within the JavaScript ecosystem. They only scan your package manifest and not your source code. Their reachability analysis is unique in that they do it for transitive dependencies instead of your code (checking if the transitive dependency is used in the direct dependency).

Netrise has created rich dependency analysis specializing in firmware on hardware devices like Cisco Switches. They also detect hard-coded credentials, and other vulnerabilities. They've expanded this technology into containers.

Reversing labs has built an SCA scanner with malware detection.

Coana has built an SCA with direct and transitive dependency detection.

Qwiet has a powerful unique approach to scanning that starts with a map of your application, and scans within that context. They have smart prioritization filters combined with the standard suite of SCA, container, SAST, Secrets, and IaC scanning. They don't offer "pipeline-less" scanning via webhooks if that's a requirement for you.

Snyk's first product was SCA, and it remains what they're stellar at. They do an unparalleled job at rolling up dependencies properly, and surfacing the information to developers in the easiest possible way to fix.

Mend was Snyk's main competitor early for quick open source scanning in pipeline, but did not expand as quickly as Snyk into other areas. Their open source Renovate tool is great for keeping your in-house dependencies up to date, but their UI and scanning engine were more difficult to deploy, maintain, and navigate. However, due to Renovate they have unique visibility into the expected challenge of a version upgrade.

Oxeye allows you to prioritize SCA based on where the findings live in your infrastructure with rich runtime insights.

Apiiro prioritizes your SCA findings by tying them to asset inventory and application context.

Paraxial provides a unique combination of security tooling specializing in the Elixir language and Phoenix framework. They're a great choice for companies that use Elixir, and have unique runtime elements that them stand out from open source options.

Cycode offers their own in house built SCA scanning as part of their ASPM platform.

Boost Security is primarily an all in one scanner. Their SBOM functionality seems bare bones at the moment.

Rezlion combines their own scanning at runtime with ingesting from other platforms to provide an exploitability prioritization view of container and SCA vulnerabilities. They focus on simple deployment into your environment to prioritize what packages and libraries are running.

Fossa is one of the older open source scanning providers - they've focused a lot on SBOM and audit readiness, so haven't evolved much into the broader "ASPM" space. A couple of neat enterprise features are creating custom internal dependencies and exporting ignore lists in VEX format.

Apona provides a combination SCA, SAST, and DAST features. Something unique about their SCA is providing a function level fix if one is available to avoid the patch.

Contrast wraps commonly exploited functions at runtime to detect and prevent application exploits, e.g. they scan the application once it's actually built and running.

Black Duck SCA provides a product that technically checks all of the SCA boxes, but is not nearly as user friendly as other tools. They get the job done, but UI is targeted more at security than developers.

SonaType was one of the first organizations doing SDLC tooling; however, until recently, they did not have a cloud platform. Their platform is still catching up to the intuitiveness of the SaaS competition, but their product checks all the boxes.

As part of their larger platform, Checkmarx also provides SCA Scanning.

Scribe has created a tool for SBOM management and software attestation as your application is being built.

Veracode is a legacy SAST vendor that has done the best job at catching up to cloud native tooling. They are a great choice for organizations using more legacy or waterfall type development methods.

Aqua Security offers SCA scanning as part of their CNAPP solution.

Using Prisma Cloud as an SCA tool is technically possible, but I wouldn't recommend it. It's part of what Twistlock did, but it hasn't been updated since the acquisition and is very painful for developer use.

While using your git provider as an SCA tool may make sense on the surface, GitLab relies entirely on open source tooling to do the actual scanning, and their reporting is hard to use. Only recommended for organizations that are already on Ultimate.

Dependabot is a great check the box solution for saying you do vulnerability scanning, but it is very difficult to use and doesn't provide much guidance. Generates a lot of noise for developers.

SAST

Static application security testing (SAST) analyzes source code for security vulnerabilities, such as a function being called that doesn't do validation on its input. Great tools in this category will run quickly, in pipeline, teach developers, have effective reporting and easy rule tuning. Bad tools will run on a cadence, provide less guidance, and be difficult to change or override rules.

Arnica's SAST is the most robust I've seen from a workflow perspective and actually getting findings fixed.

Ox is a wider ASPM platform, but their SAST scanning covers the basics while integrating with more powerful language specific providers.

Semgrep is a close second choice to Snyk for SAST. Their scanning library is more robust, and the ability to easily create custom rules is a huge bonus that Snyk only recently added. However, their SCA is not as robust, and having two different tools can be a hard pill to swallow. Great product for companies with an appetite for custom rules.

Backslash's SAST is unique in its ability to detect if a finding is surfaced via your API, allowing you to more effectively prioritize findings. SAST is part of their ASPM which includes SCA and secrets.

OpenRefactory has an amazingly robust SAST scanner that has really focused on building the best detections possible. While they're still building their full SaaS platform and features, the SAST engine itself is one of the best out there.

SonarCloud has the benefit of winning your developer's hearts due to its initial product focus on bug squashing and the ability to ingest a wide variety of reports. While the SAST functionalities are newer, they robust enough to warrant the add-on to their code health scanning. Great choice for developer only teams with low risk products.

Bearer is a newer SAST product that is built from an open source lense. They have done excellent analysis of the SAST market and are dialed in on the correct issues, namely false positives, and time to scan.

Paraxial provides a unique combination of security tooling specializing in the Elixir language and Phoenix framework. They're a great choice for companies that use Elixir, and have unique runtime elements that them stand out from open source options.

Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and have created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.

Snyk's SAST tool is newer to market but has come a long way since its release. Although it's not the most robust in any single category, it has the diverse levels of support needed to make SAST happen as a whole and actually get work done. Great choice for companies looking for scalable, simple solutions.

Boost Security is primarily an all in one scanner. I appreciate their openness of sharing their IaC rules.

Oxeye provides standard SAST scanning, but builds out prioritization and exploit likelihood with a powerful runtime engine. A major differentiator is validation via DAST scanning.

Cycode offers SAST scanning as part of their ASPM platform, but it's hard to tell what's open source versus proprietary from them.

Contrast wraps commonly exploited functions at runtime to detect and prevent application exploits, e.g. they scan the application once it's actually built and running.

Qwiet has a powerful unique approach to scanning that starts with a map of your application, and scans within that context. They have smart prioritization filters combined with the standard suite of SCA, container, SAST, Secrets, and IaC scanning. They don't offer "pipeline-less" scanning via webhooks if that's a requirement for you.

Staris built a platform for open box pentesting powered by GenAI. They look at your code and your application, build a PoC exploit of findings as a code test, and give you the fixed code. The workflow is wrapped as a pentest, but their scan of your source code with GenAI could be considered a SAST.

Mend built SAST into their primarily SCA based platform - I haven't directly seen the updated platform.

Checkmarx is pre cloud-native SAST tool that has had many years to develop a robust library of controls. They're a good fit for enterprises that follow more legacy methods of software development, and are trying to expand into more agile workflows. A lot of companies on this list were started by former Checkmarx employees.

Fortify had a great reputation before the MicroFocus acquisition, but has since become slower to innovate. Lacks a lot of functionality compared to other SaaS options.

Apona provides a combination SCA, SAST, and DAST features.

Kiuwan is a great choice for companies that care above the fidelity of results more than anything else. Kiuwan's scanning offered the most robust true positives we've seen, but they really dragged in terms of their implementation processes, UI, and integration/maintenance of developer workflows.

Veracode is a legacy provider that has done the best job at trying to rapidly innovate with their vendors. They're a good fit for larger enterprises that may need more hands on security developer work to get up and running, and may prefer more waterfall methods of development.

Aqua Security offers SAST scanning as part of their CNAPP solution - they have a longer commitment in the cloud space than developer one.

GitLab's SAST tool totally relies on ingesting open source reports into their pull requests. We would not recommend it as a standalone tool, but is a worthwhile add-on to their security options if you're already invested.

Secret Scanning

Secret scanning identifies sensitive data, such as API keys and passwords, that have been accidentally committed to source code repositories. Good tools in this category will block the commit as early as possible, as rebuilding a commit history using open source tooling is difficult. Bad tools in this category will only scan on a cadence, and will not block.

Arnica's secret scanning is amazing in how it builds fix PR's that handle the remediation workflow for you. They also do cool validation of your keys.

GitGuardian is the best paid provider for this tool and is a great solution for deploying secret detection at scale. On the one hand, secret scanning is a very narrow function, but on the other, a leak is extremely costly. While Arnica does the workflow, GitGuardian has more robust detection.

Cremit does all of the expected secret scanning, but has great real time alerting on what api keys have done and if they're active by innovatively pulling their command history when available.

SemGrep recently announced their secret scanning solution - it promises an exciting new approach to secret scanning that focuses on context instead of regex to detect secrets.

Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and have created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.

Cycode offers Secret Scanning scanning as part of their ASPM platform, and it's the piece of the platform they've most developed in house.

Boost Security is primarily an all in one scanner. I appreciate their openness of sharing their supported secret detection formats

Backslash provides SCA, SAST, and Secrets scanning, with a focus on internet reachability analysis for prioritization.

Oxeye provides standard secret scanning, but builds out prioritization and exploit likelihood with a powerful runtime engine.

Secret scanning is part of Xygeni's larger ASPM platform, which focuses more on SDLC attacks in general than secret scanning specifically.

Dazz is a vulnerability remediation tool that also provides their own built in secret scanning.

Nosey Parker stands out for being able to scan file systems alongside repositories, and has some great built in reporting functionality.

Qwiet has a powerful unique approach to scanning that starts with a map of your application, and scans within that context. They have smart prioritization filters combined with the standard suite of SCA, container, SAST, Secrets, and IaC scanning. They don't offer "pipeline-less" scanning via webhooks if that's a requirement for you.

Legit Security provides secret scanning as part of their holistic ASPM platform.

GitHub's secret scanning now has the ability stop secrets before they're pushed to the repository, making them by far the best choice. However, they are bundling this with their Advanced Security package, which is very expensive.

Turbot's plugins can robustly query infrastructure for secrets - going beyond just code scanning.

GitLab's scaner can run in pipeline and is provided directly by them. A good choice since it's available in their Premium tier and Ultimate is not needed.

Trufflehog is the best open source scanner available, and easily integrates as a GitHub action.

GitLeaks is a Trufflehog alternative that is also extremely effective. Both repos are well maintained.

IaC

IaC security scanning identifies security vulnerabilities and misconfigurations in infrastructure as code (IaC). Great tools in this category can serve as CSPM replacements, offering drift detection and misconfiguration findings. They'll support multiple IaC languages, such as helm and terraform, and will be able to run in pipeline. Weak tools will run on a cadence, and only detect based on manually imported rules. This category is a difficult balance between getting results to your development teams, and sharing a single rule base across code and deployment.

Kivera circumvents the need for traditional IaC scanning by providing granular level policy and access controls to the cloud provider API. This allows for instant enforcement of policies and rules, and is a great way to prevent misconfigurations from ever happening.

Of the ASPM providers, Apiiro offers the most holistic IaC scanning due to their system of building a full application inventory out of your code.

Arnica's IaC scanning is the weakest part of their platform - but the value of getting an all in one tool is worth it.

Boost Security is primarily an all in one scanner. I appreciate their openness of sharing their IaC rules.

IaC scanning is part of Xygeni's larger ASPM platform, which focuses more on SDLC attacks in general than IaC specifically; however, they provide an asset map to help see where changes are coming from.

Snyk IaC integrates directly into your pipeline to easily scan and block IaC misconfigurations. Their support for various IaC templates is a big plus, but their cloud rules are not as advanced as other competitors. Combining with runtime data opens unique use cases for automatic remediation.

Ox relies solely on open source options for their IaC scanning, but tie it together nicely with runtime context.

Cycode offers their own built in IaC scanning as part of their ASPM platform.

Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and have created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.

Turbot's Guardrails allow enforcement of IaC controls, while Pipes enables querying across your charts and plans.

Qwiet has a powerful unique approach to scanning that starts with a map of your application, and scans within that context. They have smart prioritization filters combined with the standard suite of SCA, container, SAST, Secrets, and IaC scanning. They don't offer "pipeline-less" scanning via webhooks if that's a requirement for you.

Legit Security provides IaC scanning as part of their holistic ASPM platform.

As part of their larger platform, Checkmarx also provides IaC Scanning.

For organizations that are already using Wiz, their IaC scanning is a great option. If your devops team is willing to adopt their solution in pipeline, it can be a solid support tool.

Checkov is the leader in IaC scanning as an open source solution. Combining with Bridgecrew can be an okay solution, but we're skeptical of the long term outlook due to the Prisma Cloud acquisition.

KICS is another solid open source solution; however, they're more easily adopted into traditional security review models.

Aqua Security offers IaC scanning as part of their CNAPP solution.

Gomboc promises a unique approach to IaC in that it goes beyond traditional regex based rules. We're pending hands on time with the tool for more information.

We're pending hands on time with the tool for more information.

We're pending hands on time with the tool for more information.

DAST

Dynamic application security testing (DAST) scans web applications for security vulnerabilities while they are running, trying things like injecting known malicious payloads into fields. Great tools in this category will run quickly, in pipeline, be as easy as possible to integrate, have API coverage, and have smart fuzzing based on the type of backend you are running. Bad tools will run on a cadence, have less technology coverage, and be difficult to implement.

StackHawk is a developer-first DAST, and it shows every step of the way. They're built to scan quickly, in pipeline, and make it easy to attempt to reproduce issues. They're a major player in reshaping modern DAST and have really paved a way for the future with features like fuzzing API specific data.

Escape is doing amazing things with their approach to DAST. They offer similar in-pipeline scanning capabilities as StackHawk, but have additional tags based on API usage and do API discovery through a variety of different methods.

Pynt has created an elegant solution for running DAST type scanning against your APIs by running tests via a local proxy. This helps to bypass a lot of the pain with configuring DAST tools against your endpoints.

Akto has created an open source flavored approach to next generation DAST with features like looking at log data for API discovery, sensitive data flows, and customized scanning. A uniquely helpful feature is the ability to easily edit and tweak tests from the UI.

Probely has created an excellent version of traditional web based DAST that can handle APIs alongside webcrawling. While they currently don't support GraphQL or have a CLI, they have created unique ways to achieve similar outcomes. The team clearly has a passion for the details of getting the vulnerabilities right.

Oxeye provides a lot of runtime insights and uses DAST to validate their findings - this is one of their major differentiators from other ASPM providers.

ZAP (Zed Attack Proxy) is the scanning tool underlying numerous scanners, and if your internal team is up for the challenge, it can be adapted directly to provide most scanning needs.

Staris built a platform for open box pentesting powered by GenAI. They look at your code and your application, build a PoC exploit of findings as a code test, and give you the fixed code. The workflow is wrapped as a pentest, but their linking of the source code to your application could be considered a DAST type of scan.

Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and have created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.

As part of their larger platform, Checkmarx also provides DAST Scanning.

Edgescan wraps up a lot of services around scanning your endpoints for security issues - from traditional web app crawling, to network scanning, to API scanning.

Acunetix is the best of traditional DAST scanning applications that rely upon older techniques and set scanning intervals. They have robust content and integration potential, but struggle to handle many newer more popular architectures.

Apona provides a web crawling flavored DAST that has some in depth network scanning features as well that are more in line with pentesting.

We don't feel good recommending Qualys DAST to anyone in good faith, but it's a reasonable extension if you're locked into their larger platform. They function as a standard crawler, but have their platform is challenging to configure, deploy, and for reporting.

Like much of their security tooling, GitLab DAST lacks the maturity of dedicated products in terms of robustness, maintenance, and reporting. It can be a useful extension of GitLab ultimate, but has numerous challenges if trying to implement just that solution.

GCP offers a nice to have robust webs security scanner. It's not a great choice for organizations looking to invest in depth on scanning, but if you're already on GCP or looking to check a box, it's a nice to have.

ADR

Runtime Application Security Protection has been re-branded! ADR detects and prevents the exploitation of application level vulnerabilities. This category of tooling is the gold standard of application security in its ability to prevent zero days; however, implementation, maintenance, and a lack of contextual application logic has made them difficult to implement. Great tools in this category will be easy to implement, and will provide rich contextual information about the application. Bad tools will be difficult to implement, and will provide little to no contextual information.

Miggo is maximizing the value of your existing application performance monitoring, or offers an instrumentation of their own, that excels at building maps of distributed systems and real time attack detection and prevention.

Oligo has built the unique ability to gather function level data from an eBPF agent. Combined with baselining common packages, they offer a robust detection of novel attacks against infrastructure and code.

Contrast wraps commonly exploited functions at runtime to detect and prevent application exploits, e.g. alerting that XSS was attempted while also sanitizing the input. This is a unique approach that theoretically removes the need for SAST, DAST, SCA, and WAF. The easiest way to understand is an example, you would start your Django app with contrast-python-run -- python manage.py runserver.

Powered by their Sqreen acquisition, DataDog has a unique opportunity with RASP because of how many developers already import their APM library. This allows DataDog to provide function level detection of exploitation attempts.

Paraxial provides a unique combination of security tooling specializing in the Elixir language and Phoenix framework. They're a great choice for companies that use Elixir, and have unique runtime elements that them stand out from open source options.

CNAPP

CNAPPs are the latest category name given to CSPMs as they have evolved into additional layers of tooling. These tools aim to be all in one providers for cloud security, and are often the most expensive tools in the market. Great tools in this category will be best of breed in a single category, and will have a strong vision for the future. Bad tools will be playing endless acquisition catchup as they desperately try to keep pace with one another. In short, I consider this category CSPM + Container Runtime Security. I don't think it's always best to have both of these tools be from the same provider.

Sysdig does the runtime application protection side of CNAPP better than anyone, and have successfully uplifted their compliance and attack graph sides to be competitive with the other providers. Their focus into Runtime Cloud Detection Response is a great one.

Cyscale checks all the boxes for a CNAPP, but their tracking of user identities stands out in the space. They have great visualizations, and have an agent for K8s support.

Deepfence has delivered an incredible amount of work on top of an open source framework. Their Open Source ThreatMapper scans for malware, vulnerabilities, misconfigurations, and secrets. Their paid offering, ThreatStryker, adds eBPF runtime protection - including network and quarantine responses. Unbelievable value for a free offering.

Elastio offers rich snapshot scanning for cloud environments, looking in depth for ransomware indicators of compromise. Their focus on ransomware and support for S3 scanning differentiate them from Wiz and other snapshot scanning solutions.

Upwind provides amazing in depth detection events for runtime kubernetes protection. They don't have some of the generic CSPM detections, but their runtime protection is much more robust.

AccuKnox began with the open source project KubeArmor and has since built into a larger CNAPP platform. Their specialization is runtime protection policies for Kubernetes, which allows for granular rules on which processes can access which files. Their other scanning features are more check the box.

Tigera is leading the charge on what's possible with kubernetes network security. They offer deep insights and protections on what's traversing your network, and have built out a robust set of features around that core product.

Plerion has built a competitive CNAPP with a significantly smaller team. Alongside CSPM, they provide attack maps, IaC scanning, Secret scanning, and vulnerability scanning. They link findings to assets in a clean and intuitive way. Currently there is no agent based runtime protection.

Firemon has assembled a unique collection of cloud security features - CSPM, JIT AWS access, and alerting off cloudtrail events. While they don't have the full feature set of larger CNAPPs, they provide smart features at an aggressive price. They offer CSPM scanning for free.

If you're focused on cloud visibility from a security perspective, there's not a better tool out there. Their rapid investment into their runtime agent is scary for the competition, and their general cloud scanning is best in breed.

Prisma Cloud was the first and most encompassing CNAPP provider. They cover all the bases, but you're paying Palo prices for a product with a lot of skeletons in the closet.

Aqua Security bet big on open source tooling and still maintains some of the most user friendly repos out there. While their UX struggles in the way other CNAPPs do, they have since re-focused on container protection.