Find your next security tool.

Boundary Breakers

Boundary Breakers encompass vendors that are taking risks in creating new categories around their offerings. This category exists to highlight tools that are attempting to define new categories.

Oligo provides runtime protection against the exploitation of open source or third party vulnerabilities - not just "is this package running," but "what is this package doing?" Their engine drastically reduces the risk of supply chain exploitation, in a way that might make SCA in general obsolete.

Seal is another vendor that threatens to make open source scanning entirely obsolete. They backport security fixes to your current version of open source libraries for instant, ongoing auto-patching; that way you don't need to make major framework upgrades under duress. Seal changes everything about SCA scanning, and threatens to upend the whole industry.

Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and has created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.

Tracking third party data flows is a hot topic in security right now - most companies are tracking via OAuth or API flows. Riscosity is cutting through that to the sources of truth, namely the code and network layers. They scan your code for third party data flows, and then validate at runtime by proxying your egress.

DryRun helps your security team focus on the changes that actually matter, and with a simpler integration that's not dependent on any heavy handed app inventories. I've had to create a ton of custom scripts over my career to monitor high impact files, and only DryRun can properly handle that kind of prioritization.

Deepfactor and Oligo Security empower the same outcome, detecting malicious third party library activity, but they go about it in very different ways. Deepfactor intercepts application calls with a shared library, while Oligo uses eBPF. I don't have enough hands on experience to say which approach is better, but there are pros and cons with each.

Permiso is creating incident response for identities. They bridge the gap between "SaaS Security" and "IAM security" by tracking identities across IaaS and SaaS, while baselining and firing alerts for suspected misbehavior, along with session tracking.

Pangea provides an API and SDK to easily implement security features into your application - such as checking a user's password against a breach database, or checking a user's email against a spam database. They're the only company I've seen that's trying to make security features as easy to implement as Stripe.

It took quite a bit of time for me to understand how uniquely Xygeni is approaching ASPM. Rather than chasing buzzwords and features, they've been focusing on stopping real attacks. They have a unique technological approach for detecting not just pipeline attacks but, more significantly, malware in third party libraries, not just vulnerabilities. For example, if I decided to make the open source Latio scanner send all your code to my server, I think they'd be the only scanner to detect it before a CVE was published.

Dig Security checks all of the boxes for DSPM and DLP, namely data categorization. They differentiate by having database detection and response rules more akin to Database Access Management types of technologies. This gives them a runtime value that others lack. Hopefully the Palo acquisition doesn't kill the detection response capabilities.

Grit is awesome - they provide pre-baked playbooks for everything from framework migrations to major security patches. The most time consuming part of patching is figuring out the changes, and Grit does that part for you, even updating tests. They and Moderne are providing amazing value for actually getting things patched.

Of all the tools claiming to be "developer centric" or "developer loved," only Moderne & Grit try to automate as much as possible of the painful work of fixing vulnerabilities. Moderne leverages OpenRewrite to create playbooks across your code for remediating major issues like migrating Java or Spring versions.

TrustOnCloud has created in depth threat models for cloud services. For example, they can show you every possible way someone could exploit an S3 bucket. Because they don't focus on scanning, they've created a library of potential exploits that goes far beyond what most CSPMs offer; however, that comes with the downside of being fundamentally a work generation tool. If you're operating at a scale where formal threat models need to be conducted before adopting new AWS services, their tool is undoubtedly useful.

LLM

This category is for the quickly emerging field of LLM Security tools. These tools cover visibility, detection, and response for LLMs across code, endpoints, and infrastructure. I'm most excited for the application level security use cases, but early companies here are focused on monitoring employee chat sessions. Success in this category is dictated by the ability to adapt to rapidly changing conditions.

Prompt Security offers comprehensive solutions for LLM security. They have both corporate IT visibility with their browser plugin, alongside application visibility with API, SDK, and reverse proxy options. You can also trace user sessions and detect/redact/block numerous types of data and attacks.

Despite being so early in development, what I've seen from Apex is the most unique approach to GenAI security. They offer visibility, configuration protection, and runtime detection and response for LLMs, both for corporate and application use cases, covering everything from DLP to injection detection to LLM quarantining.

Harmonic currently has the standard suite of LLM protection visibility via browsers, but has a long term focus on detecting the flow of sensitive data - a vision that aligns well with the team's history in detecting sensitive data across the internet.

Lakera offers a simple way to protect LLMs by importing their SDK into your code. Their approach is simple and elegant, and their Gandalf tool allows you to better understand how LLM prompt injections work.

Lasso has the most fully functional product right now - they use plugins to monitor different LLM entry points to detect data leakage and do prevention and anonymization. They're solving the current issues CISOs are looking to have solved.

Cloud Identity

Originally CIEM (Cloud Identity and Entitlement Management), this category has been broadened to Cloud Identity. These offerings help manage the numerous ways cloud identities can be created and proliferated, whether it be through IaC or AWS policies.

Kivera provides an identity proxy for true enforcement of access policies. Their setup is awesome out of the box for IaC deployments, giving developers instant feedback when they attempt to implement permission policies that are dangerous.

Entro watches for API key generation and usage across tools, alerting you to both unused permissions, as well as potential malicious activity. An example use case is detecting when a secret is shared on Slack.

Axiom provides standard scanning and remediation for least privileged access, but also grants least privileged roles on demand for just in time access. Their approach is to reduce permissions while providing temporary roles when major changes are needed.

P0 has built a truly unique workflow for JIT access for multiple development tools. While other providers in this space work for AWS, P0 differentiates by also supporting things like K8s, Postgres, and Snowflake with temporary policy access.

Raito gets the details of database access right - they've managed to standardize controlling access to databases across different architectures and providers. Data owners can be assigned and manage who has access to what data, and risk assessments can be done for access. They have an amazing foundation for the future of managing DB access.

Abbey allows you to define grant kits in code, which are custom pre-defined Terraform for different access scenarios. Developers can then request access via Abbey, and open a PR subject to defined approval workflows.

StackIdentity provides a platform that excels in diving deep into your IAM environment and assessing over-permissive and high risk resources. They provide a data lake that allows you to really see and maintain proper access controls across tools.

Entitle.io is focused on the specific use case of granting break glass permissions in AWS, and rolling back changes when they're not needed. They also support more general permission scanning.

Like other CNAPPs, Wiz is focused on cloud security more broadly than just Cloud-Identity tools; however, they offer the basic functionality of tuning your policies to be less permissive.

Sysdig differentiates itself from most Cloud-Identity providers by being able to look at which permissions haven't been used by anyone and can be removed. However, this has since become built into AWS' Access Analyzer tool, making it less valuable.

AWS Access Analyzer looks at your users and policies and suggests changes. It is a great built in tool, but doesn't offer easy organization level management.

GCP's built in analysis covers policies and users, and also provides role recommendations. At a high level, GCP is the easiest of the cloud providers to manage permissions in.

CloudSploit is a great tool to run a quick scan to check your permissions at a high level.

ScoutSuite is another useful tool to run a quick scan of your cloud environment to check for any issues.

Code Fixers

This category of tooling is for vendors that focus on providing pull requests with code fixes in them across various scanning tools. It's a different approach than remediation workflow platforms.

Most code-fixers are starting with SAST because it's the easiest to implement. Seal, however, is starting with SCA - creating backported patches for your current version of open source libraries. This is a game changer for SCA scanning, and threatens to upend the whole industry.

Grit is awesome - they provide pre-baked playbooks for everything from framework migrations to major security patches. The most time consuming part of patching is figuring out the changes, and Grit does that part for you, even updating tests. They and Moderne are providing amazing value for actually getting things patched.

Mobb integrates with SAST tools like Snyk, Checkmarx, Fortify, and CodeQL to scan your code and then provides fixes for merging into your code base. Their generated fixes seem good, but it's something that other providers are also working to build natively, such as Snyk's DeepCode.

Pixee is taking a unique approach to SAST fixes by raising pull requests on customizable cadences to make progress burning down your backlog. They provide their own wrappers around commonly exploited functions that are suggested in the raised pull requests. It's worth mentioning it didn't find any vulnerabilities in our test code.

Despite being the only one without AI in their domain, Corgea's platform is the most driven by GenAI that I've seen. Because of the reliance on GenAI, I've seen some really cool and unique solutions to specific vulnerabilities that other tools would likely have a very difficult time standing up. They also have the cutest logo of any platform on here.

Amplify provides fixes for SAST findings, complete with importing libraries that will help fix the security issue. They have PR and remediation workflows for providing the fixes to developers.

Of all the tools claiming to be "developer centric" or "developer loved," only Moderne tries to automate as much as possible for even the most painful parts of fixing vulnerabilities - major version upgrades. They leverage OpenRewrite to create playbooks across your code for remediating major issues like migrating Java or Spring versions.

In order to help people see the value of using LLMs for application security detection, we created a simple command line tool for code scanning with OpenAI. It's bring your own OpenAI API key, so you can manage the data however you see fit, and it has a templated GitHub Action for pipeline use.

Corporate Identity

This category is for tools that assist primarily with managing user identities outside of cloud environments. This includes tools that help with user provisioning, authentication, and authorization. Good tools in this category help with user lifecycle management, and provide a single pane of glass for managing user access across your infrastructure. Bad tools in this category are difficult to integrate, and require a lot of manual tuning.

Lumos is fascinating for the breadth of use cases they cover - general SaaS contract management, user audit logs, and request flows for Okta apps - all from a single platform. From what I've seen, Lumos seems like a dream come true for most corporate IT teams, where managing Okta has turned into a team-sized job.

Axiom provides standard scanning and remediation for least privileged access, but also grants least privileged roles on demand for just in time access. Their approach is to reduce permissions while providing temporary roles when major changes are needed.

Astrix gives you visibility into OAuth connections in your environment - such as when a user authorizes an unknown third party application into your Slack. They provide great visibility into what's usually a black box for security teams.

Crosswire focuses on Okta health from both a configuration and runtime protection perspective. Their primary value is spotting malicious and suspicious identity behavior, such as unusual logins or user agents.

Veza has created a unique graph querying tool associating users to the data they have access to - this extends beyond basic Okta user assignments to include things like sensitive S3 buckets or databases. Alerting can also be configured based on the searches. They also include onboarding/offboarding automations.

At their core, Garantir offers a solution for public and private key storage, but that description sells them short of numerous use cases they support with elegance. They can be used as a PAM, for SSH management, to accomplish HSM with ease, and can run just about anywhere a private key is needed with their agent on user endpoints.

Teleport works by giving end users certificates that allow them to enforce access policies across numerous cloud resources that are typically difficult to manage. The user experience is better than any alternatives I've seen.

Komo provides user access request flows for Okta and AWS SSO, allowing users to easily request and be assigned permissions. They uniquely allow the creation of attribute based rules, creating workflows around users as their attributes change.

ConductorOne provides a management platform for Okta user assignments. I haven't met with them.

Opal provides a management platform for Okta user assignments. I haven't met with them.

ASPM

Application Security Posture Management (ASPM) is the latest buzzword to take over the application security market. It's meant to correlate all application security scanning into a single dashboard for remediation prioritization - but my thoughts on the definition are here. Always validate what tool coverage looks like in this category - many vendors have one or two scanners built in house, and are relying on open source tooling for the rest of the pipeline coverage. Great tools will allow you to track and correlate findings across an entire application. Bad tools will rely purely on third party scanners and have major gaps.

Ox security blew my mind - providing the ultimate all in one configuration scanning tool. They're the only ones I've seen who can track a container lifecycle, individually vulnerable functions from dependencies, and provide both rich integrations alongside their own scanners.

Arnica is building the next gen security scanner for SAST, SCA, SDLC and IaC scanning (with container soon I'm sure). Their secret sauce is rich code owner insights with a user graph of your Git provider. I love their focus on remediation workflows and confidence in their own scanners.

Boost Security has a shared vision for all in one configuration scanning out to runtime. They have smart Kubernetes & Istio integrations for runtime context, alongside the standard suite of SCA, SDLC, SAST, IaC, Secrets, and Containers based on a combination of open source and in house built tools. I appreciate the openness of their rule set in their documentation.

Oxeye is building the most runtime-y of ASPM providers - they map out your application using everything from code to agents to network validations. Then they prioritize based on how your app is most likely to be exploited. The only ASPM with DAST validation.

Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and has created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.

Apiiro is like Bionic on steroids by working better in non Java/Spring environments - it builds an in depth application inventory by scanning your code for API endpoints and provides excellent prioritization tools based on that map. It does a great job at detecting which PRs will likely be major changes.

Cycode offers all in one scanning and integrations across the SDLC pipeline. Their primary in house built tool is their secret scanner, but their differentiator is their graph querying of deployment processes. If you have a lot of pipelines, they have a lot of querying.

Xygeni has built a unique approach to ASPM tooling by focusing on malware detection, GitOps exploits, and detecting active supply chain attacks. They've built everything in house and also have an asset graph for relating resources to one another.

Backslash provides SCA, SAST, and Secrets scanning, with a focus on internet reachability analysis for prioritization.

Qwiet has been doing all in one scanning for a long time - they have a powerful unique approach to scanning that starts with a map of your application, and scans within that context. They have smart prioritization filters combined with the standard suite of SCA, container, SAST, Secrets, and IaC scanning. They don't offer "pipeline-less" scanning via webhooks if that's a requirement for you.

Rezilion combines their own scanning at runtime with ingesting from other platforms to provide an exploitability prioritization view of container and SCA vulnerabilities. They focus on simple deployment into your environment to prioritize what packages and libraries are running.

Bionic offers a unique approach to application visibility by building a graph of your services, their dependencies, and the classification of their downstream data. Their application map works best in Java/Spring environments.

For the providers based solely on integration with other security vendors, JIT is my favorite pick. They consolidate scanners and create workflows and prioritization for developers. The JIT scanner is unique in that it's a wrapper for other scanners that you run in your own pipelines - an approach with pros and cons.

Legit Security takes a holistic approach to SDLC security. They aggregate your SDLC pipeline findings across different tools, allowing for remediation, especially within pipeline scanning. They do asset discovery via code, rather than via runtime detection.

Kondukto's strength is integrating with just about every tool you could want, including open source ones, to prioritize and remediate in a single platform. They provide a great Jira workflow for working through findings.

Does Synopsys technically do everything you'd need from an ASPM? Yes. Would you ever want to use it? No. They've focused heavily into the semiconductor industry, and their ASPM is heavily patched together from various acquisitions.

SCA

Software composition analysis (SCA) is also called open-source vulnerability scanning. It works by examining the source code of an application to identify any open-source components that are being used. It then checks these components against a database of known vulnerabilities, and alerts the user if any are found. Great tools in this category will run quickly, in pipeline, and most importantly, provide resolution guidance in the developer workflow. Bad tools will run on a cadence, provide CVEs without any guidance, and only work at runtime.

Oligo provides runtime protection against the exploitation of open source or third party vulnerabilities - not just "is this package running," but "what is this package doing?" Their engine drastically reduces the risk of supply chain exploitation, in a way that might make SCA in general obsolete.

Seal doesn't do SCA scanning in the traditional sense; instead, they backport security patches for open source libraries, allowing you to auto-patch any vulnerabilities without doing major framework updates. Their only limit is their velocity pushing the backported patches.

Ox's reachability analysis is one of very few that tries to find if the function tied to the CVE exploit in the third party code is actually used in the app - this is a step beyond just checking if the package is loaded.

Snyk's first product was SCA, and it remains what they're stellar at. They do an unparalleled job at rolling up dependencies properly, and surfacing the information to developers in the easiest possible way to fix.

Arnica's SCA is differentiated by finding the most likely owner for the fix and automating a lot of the workflow process, such as pinging them on Slack and creating a Jira ticket.

Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and has created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.

For what Snyk offers in usability across functions, Semgrep excels in customization. Their tool offers extensive customizations and rule sets, and their reachability analysis, a critical aspect of SCA, beat Snyk to market. Also, their open source tooling is powering many other tools on this list.

Endor Labs stands out in their granularity and reachability analysis for open source packages. They get the meaningful details from function level reachability, and are the ones who scared everyone into trying to make it.

Deepfactor differentiates their SCA tool with deep runtime insights on the open source package and its state of being loaded or not in the application - a good way to prioritize fixing.

SCA scanning fits into Xygeni's larger ASPM platform but differentiates by scanning the packages from a SAST perspective instead of just looking up CVEs.

Qwiet has a powerful unique approach to scanning that starts with a map of your application, and scans within that context. They have smart prioritization filters combined with the standard suite of SCA, container, SAST, Secrets, and IaC scanning. They don't offer "pipeline-less" scanning via webhooks if that's a requirement for you.

Mend (formerly WhiteSource) was Snyk's main competitor early on, but did not develop as quickly as Snyk. Their open source Renovate tool is great for keeping your in-house dependencies up to date, but their UI and scanning engine were more difficult to deploy, maintain, and navigate.

Aqua Security offers SCA scanning as part of their CNAPP solution - they have a longer commitment in the cloud space than in the developer one.

Oxeye allows you to prioritize SCA based on where the findings live in your infrastructure with rich runtime insights.

Apiiro prioritizes your SCA findings by tying them to asset inventory and application context.

Paraxial provides a unique combination of security tooling specializing in the Elixir language and Phoenix framework. They're a great choice for companies that use Elixir, and have unique runtime elements that make them stand out from open source options.

Cycode offers their own in house built SCA scanning as part of their ASPM platform.

Boost Security is primarily an all in one scanner. Their SBOM functionality seems bare bones at the moment.

Rezilion combines their own scanning at runtime with ingesting from other platforms to provide an exploitability prioritization view of container and SCA vulnerabilities. They focus on simple deployment into your environment to prioritize what packages and libraries are running.

Backslash provides SCA, SAST, and Secrets scanning, with a focus on internet reachability analysis for prioritization.

Fossa is one of the older open source scanning providers - they've focused a lot on SBOM and audit readiness, so haven't evolved much into the broader "ASPM" space.

Black Duck SCA provides a product that technically checks all of the SCA boxes, but is not nearly as user friendly as other tools. They get the job done, but the UI is targeted more at security than developers.

Sonatype was one of the first organizations doing SDLC tooling; however, until recently, they did not have a cloud platform. Their platform is still catching up to the intuitiveness of the SaaS competition, but their product checks all the boxes.

As part of their larger platform, Checkmarx also provides SCA Scanning.

Veracode is a legacy SAST vendor that has done the best job at catching up to cloud native tooling. They are a great choice for organizations using more legacy or waterfall type development methods.

Using Prisma Cloud as an SCA tool is technically possible, but I wouldn't recommend it. It's part of what Twistlock did, but it hasn't been updated since the acquisition and is very painful for developer use.

While using your git provider as an SCA tool may make sense on the surface, GitLab relies entirely on open source tooling to do the actual scanning, and their reporting is hard to use. Only recommended for organizations that are already on Ultimate.

Dependabot is a great check-the-box solution for saying you do vulnerability scanning, but it is very difficult to use and doesn't provide much guidance. It generates a lot of noise for developers.

SAST

Static application security testing (SAST) analyzes source code for security vulnerabilities, such as a function being called that doesn't do validation on its input. Great tools in this category will run quickly, in pipeline, teach developers, have effective reporting and easy rule tuning. Bad tools will run on a cadence, provide less guidance, and be difficult to change or override rules.

Arnica's SAST is the most robust I've seen from a workflow perspective and actually getting findings fixed.

Ox is a wider ASPM platform, but their SAST scanning covers the basics while integrating with more powerful language specific providers.

Snyk's SAST tool is newer to market but has come a long way since its release. Although it's not the most robust in any single category, it has the diverse levels of support needed to make SAST happen as a whole and actually get work done. Great choice for companies looking for scalable, simple solutions.

Semgrep is a close second choice to Snyk for SAST. Their scanning library is more robust, and the ability to easily create custom rules is a huge bonus that Snyk only recently added. However, their SCA is not as robust, and having two different tools can be a hard pill to swallow. Great product for companies with an appetite for custom rules.

SonarCloud has the benefit of winning your developers' hearts due to its initial product focus on bug squashing and the ability to ingest a wide variety of reports. While the SAST functionalities are newer, they're robust enough to warrant the add-on to their code health scanning. Great choice for developer only teams with low risk products.

Bearer is a newer SAST product that is built from an open source lens. They have done excellent analysis of the SAST market and are dialed in on the correct issues, namely false positives and time to scan.

Paraxial provides a unique combination of security tooling specializing in the Elixir language and Phoenix framework. They're a great choice for companies that use Elixir, and have unique runtime elements that make them stand out from open source options.

Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and has created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.

Boost Security is primarily an all in one scanner. I appreciate their openness of sharing their IaC rules.

Oxeye provides standard SAST scanning, but builds out prioritization and exploit likelihood with a powerful runtime engine. A major differentiator is validation via DAST scanning.

Cycode offers SAST scanning as part of their ASPM platform, but it's hard to tell what's open source versus proprietary from them.

Backslash provides SCA, SAST, and Secrets scanning, with a focus on internet reachability analysis for prioritization.

Qwiet has a powerful unique approach to scanning that starts with a map of your application, and scans within that context. They have smart prioritization filters combined with the standard suite of SCA, container, SAST, Secrets, and IaC scanning. They don't offer "pipeline-less" scanning via webhooks if that's a requirement for you.

Mend built SAST into their primarily SCA based platform - I haven't directly seen the updated platform.

Checkmarx is a pre-cloud-native SAST tool that has had many years to develop a robust library of controls. They're a good fit for enterprises that follow more legacy methods of software development, and are trying to expand into more agile workflows. A lot of companies on this list were started by former Checkmarx employees.

Fortify had a great reputation before the MicroFocus acquisition, but has since become slower to innovate. Lacks a lot of functionality compared to other SaaS options.

Kiuwan is a great choice for companies that care about the fidelity of results more than anything else. Kiuwan's scanning offered the most robust true positives we've seen, but they really dragged in terms of their implementation processes, UI, and integration/maintenance of developer workflows.

Veracode is a legacy provider that has done the best job at trying to rapidly innovate with their vendors. They're a good fit for larger enterprises that may need more hands on security developer work to get up and running, and may prefer more waterfall methods of development.

Aqua Security offers SAST scanning as part of their CNAPP solution - they have a longer commitment in the cloud space than in the developer one.

GitLab's SAST tool totally relies on ingesting open source reports into their pull requests. We would not recommend it as a standalone tool, but it is a worthwhile add-on to their security options if you're already invested.

Secret Scanning

Secret scanning identifies sensitive data, such as API keys and passwords, that have been accidentally committed to source code repositories. Good tools in this category will block the commit as early as possible, as rebuilding a commit history using open source tooling is difficult. Bad tools in this category will only scan on a cadence, and will not block.

Arnica's secret scanning is amazing in how it builds fix PRs that handle the remediation workflow for you. They also do cool validation of your keys.

GitGuardian is the best paid provider for this tool and is a great solution for deploying secret detection at scale. On the one hand, secret scanning is a very narrow function, but on the other, a leak is extremely costly. While Arnica does the workflow, GitGuardian has more robust detection.

Oxeye provides standard secret scanning, but builds out prioritization and exploit likelihood with a powerful runtime engine.

SemGrep recently announced their secret scanning solution - it promises an exciting new approach to secret scanning that focuses on context instead of regex to detect secrets.

Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and have created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.

Cycode offers Secret Scanning scanning as part of their ASPM platform, and it's the piece of the platform they've most developed in house.

Boost Security is primarily an all in one scanner. I appreciate their openness in sharing their supported secret detection formats.

Backslash provides SCA, SAST, and Secrets scanning, with a focus on internet reachability analysis for prioritization.

Secret scanning is part of Xigeni's larger ASPM platform, which focuses more on SDLC attacks in general than secret scanning specifically.

Dazz is a vulnerability remediation tool that also provides their own built in secret scanning.

Nosey Parker stands out for being able to scan file systems alongside repositories, and has some great built in reporting functionality.

Qwiet has a powerful unique approach to scanning that starts with a map of your application, and scans within that context. They have smart prioritization filters combined with the standard suite of SCA, container, SAST, Secrets, and IaC scanning. They don't offer "pipeline-less" scanning via webhooks if that's a requirement for you.

GitHub's secret scanning now has the ability to stop secrets before they're pushed to the repository, making them by far the best choice. However, they are bundling this with their Advanced Security package, which is very expensive.

GitLab's scanner can run in pipeline and is provided directly by them. A good choice since it's available in their Premium tier and Ultimate is not needed.

Trufflehog is the best open source scanner available, and easily integrates as a GitHub action.

GitLeaks is a Trufflehog alternative that is also extremely effective. Both repos are well maintained.

IaC

IaC security scanning identifies security vulnerabilities and misconfigurations in infrastructure as code (IaC). Great tools in this category can serve as CSPM replacements, offering drift detection and misconfiguration findings. They'll support multiple IaC languages, such as Helm and Terraform, and will be able to run in pipeline. Weak tools will run on a cadence, and only detect based on manually imported rules. This category is a difficult balance between getting results to your development teams, and sharing a single rule base across code and deployment.

Kivera circumvents the need for traditional IaC scanning by providing granular level policy and access controls to the cloud provider API. This allows for instant enforcement of policies and rules, and is a great way to prevent misconfigurations from ever happening.

Of the ASPM providers, Apiiro offers the most holistic IaC scanning due to their system of building a full application inventory out of your code.

Arnica's IaC scanning is the weakest part of their platform - but the value of getting an all in one tool is worth it.

Boost Security is primarily an all in one scanner. I appreciate their openness in sharing their IaC rules.

IaC scanning is part of Xigeni's larger ASPM platform, which focuses more on SDLC attacks in general than IaC specifically; however, they provide an asset map to help see where changes are coming from.

Snyk IaC integrates directly into your pipeline to easily scan and block IaC misconfigurations. Their support for various IaC templates is a big plus, but their cloud rules are not as advanced as other competitors. Combining with runtime data opens unique use cases for automatic remediation.

Ox relies solely on open source options for their IaC scanning, but ties it together nicely with runtime context.

Cycode offers their own built in IaC scanning as part of their ASPM platform.

Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and have created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.

Qwiet has a powerful unique approach to scanning that starts with a map of your application, and scans within that context. They have smart prioritization filters combined with the standard suite of SCA, container, SAST, Secrets, and IaC scanning. They don't offer "pipeline-less" scanning via webhooks if that's a requirement for you.

As part of their larger platform, Checkmarx also provides IaC Scanning.

For organizations that are already using Wiz, their IaC scanning is a great option. If your devops team is willing to adopt their solution in pipeline, it can be a solid support tool.

Checkov is the leader in IaC scanning as an open source solution. Combining with Bridgecrew can be an okay solution, but we're skeptical of the long term outlook due to the Prisma Cloud acquisition.

KICS is another solid open source solution; however, they're more easily adopted into traditional security review type models.

Aqua Security offers IaC scanning as part of their CNAPP solution.

Gomboc promises a unique approach to IaC in that it goes beyond traditional regex based rules. We're pending hands on time with the tool for more information.


DAST

Dynamic application security testing (DAST) scans web applications for security vulnerabilities while they are running, trying things like injecting known malicious payloads into fields. Great tools in this category will run quickly, in pipeline, be as easy as possible to integrate, have API coverage, and have smart fuzzing based on the type of backend you are running. Bad tools will run on a cadence, have less technology coverage, and be difficult to implement.

StackHawk is a developer-first DAST, and it shows every step of the way. They're built to scan quickly, in pipeline, and make it easy to attempt to reproduce issues. They're a major player in reshaping modern DAST and have really paved a way for the future with features like fuzzing API specific data.

Escape is doing amazing things with their approach to DAST. They offer similar in-pipeline scanning capabilities as StackHawk, but have additional tags based on API usage and do API discovery through a variety of different methods.

Pynt has created an elegant solution for running DAST type scanning against your APIs by running tests via a local proxy. This helps to bypass a lot of the pain with configuring DAST tools against your endpoints.

Probely has created an excellent version of traditional web based DAST that can handle APIs alongside web crawling. While they currently don't support GraphQL or have a CLI, they have created unique ways to achieve similar outcomes. The team clearly has a passion for the details of getting the vulnerabilities right.

Oxeye provides a lot of runtime insights and uses DAST to validate their findings - this is one of their major differentiators from other ASPM providers.

ZAP (Zed Attack Proxy) is the scanning tool underlying numerous scanners, and if your internal team is up for the challenge, it can be adapted directly to provide most scanning needs.

As part of their larger platform, Checkmarx also provides DAST Scanning.

Acunetix is the best of the traditional DAST scanning applications that rely upon older techniques and set scanning intervals. They have robust content and integration potential, but struggle to handle many newer, more popular architectures.

We don't feel good recommending Qualys DAST to anyone in good faith, but it's a reasonable extension if you're locked into their larger platform. They function as a standard crawler, but their platform is challenging to configure, deploy, and report from.

Like much of their security tooling, GitLab DAST lacks the maturity of dedicated products in terms of robustness, maintenance, and reporting. It can be a useful extension of GitLab Ultimate, but has numerous challenges if you try to implement just that solution.

GCP offers a robust web security scanner that's nice to have. It's not a great choice for organizations looking to invest in depth on scanning, but if you're already on GCP or looking to check a box, it does the job.

RASP

Runtime Application Security Protection (RASP) detects and prevents the exploitation of application level vulnerabilities. This category of tooling is the gold standard of application security in its ability to prevent zero days; however, implementation effort, maintenance, and a lack of contextual application logic make these tools difficult to adopt. Great tools in this category will be easy to implement, and will provide rich contextual information about the application. Bad tools will be difficult to implement, and will provide little to no contextual information.

Contrast wraps commonly exploited functions at runtime to detect and prevent application exploits, e.g. alerting that XSS was attempted while also sanitizing the input. This is a unique approach that theoretically removes the need for SAST, DAST, SCA, and WAF. The easiest way to understand it is by example: you would start your Django app with contrast-python-run -- python manage.py runserver.

Powered by their Sqreen acquisition, DataDog has a unique opportunity with RASP because of how many developers already import their APM library. This allows DataDog to provide function level detection of exploitation attempts.

Paraxial provides a unique combination of security tooling specializing in the Elixir language and Phoenix framework. They're a great choice for companies that use Elixir, and have unique runtime elements that make them stand out from open source options.

CNAPP

CNAPPs are the latest category name given to CSPMs as they have evolved into additional layers of tooling. These tools aim to be all in one providers for cloud security, and are often the most expensive tools in the market. Great tools in this category will be best of breed in a single category, and will have a strong vision for the future. Bad tools will be playing endless acquisition catchup as they desperately try to keep pace with one another. In short, I consider this category CSPM + Container Runtime Security. I don't think it's always best to have both of these tools be from the same provider.

Sysdig does the runtime application protection side of CNAPP better than anyone, and have successfully uplifted their compliance and attack graph sides to be competitive with the other providers. Their focus on Runtime Cloud Detection Response is a great one.

Cyscale checks all the boxes for a CNAPP, but their tracking of user identities stands out in the space. They have great visualizations, and have an agent for K8s support.

Deepfence has delivered an incredible amount of work on top of an open source framework. Their Open Source ThreatMapper scans for malware, vulnerabilities, misconfigurations, and secrets. Their paid offering, ThreatStryker, adds eBPF runtime protection - including network and quarantine responses. Unbelievable value for a free offering.

Elastio offers rich snapshot scanning for cloud environments, looking in depth for ransomware indicators of compromise. Their focus on ransomware and support for S3 scanning differentiate them from Wiz and other snapshot scanning solutions.

Upwind provides amazing in depth detection events for runtime kubernetes protection. They don't have some of the generic CSPM detections, but their runtime protection is much more robust.

AccuKnox began with the open source project KubeArmor and has since built out into a larger CNAPP platform. Their specialization is runtime protection policies for Kubernetes, which allows for granular rules on which processes can access which files. Their other scanning features are more check the box.

Tigera is leading the charge on what's possible with kubernetes network security. They offer deep insights and protections on what's traversing your network, and have built out a robust set of features around that core product.

Plerion has built a competitive CNAPP with a significantly smaller team. Alongside CSPM, they provide attack maps, IaC scanning, Secret scanning, and vulnerability scanning. They link findings to assets in a clean and intuitive way. Currently there is no agent based runtime protection.

Firemon has assembled a unique collection of cloud security features - CSPM, JIT AWS access, and alerting off cloudtrail events. While they don't have the full feature set of larger CNAPPs, they provide smart features at an aggressive price. They offer CSPM scanning for free.

If you're focused on cloud visibility from a security perspective, there's not a better tool out there. Their rapid investment into their runtime agent is scary for the competition, and their general cloud scanning is best in breed.

Prisma Cloud was the first and most encompassing CNAPP provider. They cover all the bases, but you're paying Palo prices for a product with a lot of skeletons in the closet.

Aqua Security bet big on open source tooling and still maintains some of the most user friendly repos out there. However, their paid offering has a UX that lags behind other products.

Lacework is built on top of an alert based approach rather than more traditional scanning models. That has the benefit of reduced noise and a faster reactive approach, but at the cost of surfacing a lot of alerts to security that they don't have the ability to fix.

Every organization using AWS should absolutely turn on GuardDuty as their first cloud security step. They provide awesome base level protections.

GCP Security Command Center is slowly enabling runtime detection for enterprises, but they charge too much for it to be useable at smaller scales. GCP focuses on secure design for smaller businesses rather than runtime insights.

Defender for Cloud has some awesome insights and coverage, but it's a beast to setup and maintain. It's a good starting point for larger companies who don't have an appetite for a more focused solution.

CDR

Cloud Detection and Response is a unique category born out of an operations approach to CSPM alerting. Instead of treating the cloud as a series of API endpoints to be scanned, these tools focus on log ingestion and correlation for response. They're aimed at detecting attacks instead of misconfigurations. Leaders in this field support correlation across multiple tools - such as from Okta, to AWS, to a kubernetes pod. Great tools will provide enough context to respond to alerts, which is a challenge for many cloud environments. Poor tools will just be another alert source on top of your CSPM or CNAPP.

Sysdig does the runtime application protection side of CDR better than anyone, and have successfully uplifted their compliance and attack graph sides to be competitive with the other providers. Their focus on Runtime Cloud Detection Response is a great one.

SkyHawk is betting big that they can provide just as much runtime response protection as agent based CDRs, but without an agent. This means that certain detection gaps exist, but in the examples I've seen from them, it makes me wonder if those gaps really matter.

Sweet Security has developed a platform that gets to the details of actually securing your environment. While other providers on this list may be more mature at cloud visibility more generally, Sweet Security provides a level of detail that would actually stop a real attack.

Gem is one of the first platforms to focus on cloud detection & response. Realizing the limitations of configuration scanning in the incident response process, they've built a tool primarily for the SOC to respond to cloud attack patterns. The lack of an agent for kubernetes context is the biggest gap.

Firemon has assembled a unique collection of cloud security features - CSPM, JIT AWS access, and alerting off cloudtrail events. While they don't have the full feature set of larger CDRs, they provide smart features at an aggressive price. They offer CSPM scanning for free.

Lacework is built on top of an alert based approach rather than more traditional scanning models. That has the benefit of reduced noise and a faster reactive approach, but at the cost of surfacing a lot of alerts to security that they don't have the ability to fix.

Every organization using AWS should absolutely turn on GuardDuty as their first cloud security step. They provide awesome base level protections.

GCP Security Command Center is slowly enabling runtime detection for enterprises, but they charge too much for it to be useable at smaller scales. GCP focuses on secure design for smaller businesses rather than runtime insights.

Defender for Cloud has some awesome insights and coverage, but it's a beast to setup and maintain. It's a good starting point for larger companies who don't have an appetite for a more focused solution.

CSPM

Cloud security posture management (CSPM) is a security practice that helps organizations identify and remediate misconfigurations and security risks in their cloud environments. CSPMs are often the first tool that organizations buy when they start their cloud security journey. Great tools in this category will be able to accurately assess cloud infrastructure while generating minimal noise. Bad tools will run on a cadence, and provide little guidance about who deployed a change. This category has morphed into CNAPP as the market has evolved to include runtime.

Wiz has skyrocketed to success due to their efficient approach to CSPM scanning and prioritization. Their agentless approach allows deep insight into your workloads quickly. The downside is that for use cases like runtime container security, where an agent is required, they are very new to market.

Kivera is not strictly speaking a CSPM, but provides granular controls over what cloud API calls are permissible within your environment. This allows instant enforcement of custom rules and policies, giving the same outcomes as CSPMs without the alert explosion. The downside of using them as a sole CSPM would be missing out on more holistic CNAPP features and visibility, but they run well alongside other providers.

Prowler is built on top of the most robust open source cloud scanner there is. It's a great option for organizations that want to get started with CSPM scanning, but aren't sure where to start. I'd recommend anyone use it at least once to get an idea of what's in your environment.

Plerion has built a competitive CNAPP with a significantly smaller team. Alongside CSPM, they provide attack maps, IaC scanning, Secret scanning, and vulnerability scanning. They link findings to assets in a clean and intuitive way.

Cycode offers their own built in CSPM scanning as part of their ASPM platform.

Cyscale checks all the boxes for a CSPM & CNAPP, but their tracking of user identities stands out in the space. They have great visualizations, and have an agent for K8s support.

Firemon has assembled a unique collection of cloud security features - CSPM, JIT AWS access, and alerting off cloudtrail events. While they don't have the full feature set of larger CNAPPs, they provide smart features at an aggressive price. They offer CSPM scanning for free.

Orca offers a suite of cloud configuration scanning that closely aligns to Wiz. Their primary differentiator is their model for "Outpost" based scanning, where ephemeral instances are used for scanning rather than permanent ones to cut down on costs.

Sysdig excels inside kubernetes clusters, but their runtime cloud scanning is becoming a force to be reckoned with. They've executed quickly on leveling up their CSPM offering, and it does a great job checking the box.

Argos offers a simple platform built for MSSPs to run cloud security tests on custom environments. They provide a combination of CSPM and asset mapping technologies to provide exactly the information a provider needs to generate a point in time report.

Lacework differentiates itself by taking an alerting approach to CSPM rather than browsing scan results. This has the benefit of being more actionable, but the downside of being less comprehensive. It can be a good fit for orgs looking to take a responsive approach to configuration management, but keep in mind that your security team are not usually the ones pushing the changes.

Prisma Cloud's CSPM offering is chock-full of complicated rules and false positives; that being said, the rule set is robust and you can feel confident in your coverage in terms of compliances being checked and rules for specific services.

Security Hub does a decent job aggregating AWS' security tooling reports into a single dashboard. They also offer a lot of integrations into other tools. That being said, they're not a great CSPM solution on their own and their dashboards have limited usefulness.

Kubernetes

A lot of tools on the cloud and app security list apply to kubernetes, but we wanted a space to highlight specialty vendors who bring unique value to the space. Great vendors in this space will provide something that meaningfully distinguishes them from larger CNAPP providers, such as RBAC visualizations. Bad tools in the space will just be worse versions of larger providers.

KSOC has deep roots in contributing to kubernetes security developments and provides dedicated services to help customers secure kubernetes. They have in depth policy, audit log, RBAC, and runtime capabilities.

Upwind provides amazing in depth detection events for runtime kubernetes protection. I'm just pending hands on time to dive into the details, because the demo I saw looked amazing!

ARMO has contributed perhaps more to open source kubernetes security than any other vendor through their kubescape product. Kubescape is hands down the best way to get a quick scan of your environment, and their paid product has expanded into image vulnerability scanning and RBAC visualization.

Operant offers a unique network level approach for securing containers, kubernetes, and APIs. They create excellently detailed ingress and egress maps of your application, and develop rules against that granular visibility for detection and response.

AccuKnox began with the open source project KubeArmor and has since built out into a larger Kubernetes platform. Their specialization is runtime protection policies for Kubernetes, which allows for granular rules on which processes can access which files. Their other scanning features are more check the box.

LeakSignal is a promising product offering for achieving the dreaded network microservice protection and data flow mapping. They use an intelligent agent based approach to map data flows, types of data, and policy building. Very cool stuff!

Tigera is leading the charge on what's possible with kubernetes network security. They offer deep insights and protections on what's traversing your network, and have built out a robust set of features around that core product.

Spyderbat is doing some wonderful work with eBPF and proactive configuration protection in the form of specifying what processes can run on a container. They have a clear emphasis on providing actionable process and network level data to indicate when threats exist on a system, but still are working on their interface and UI.

Sysdig does the runtime application protection side of Kubernetes better than anyone, and have successfully uplifted their compliance and attack graph sides to be competitive with the other providers. Their focus on Runtime Cloud Detection Response is a great one.

Datadog's runtime workload protection is a close second to Sysdig in terms of their robust content library. It lacks response capabilities, but it's a great option if you're already using Datadog for other monitoring and security needs.

Container Runtime

Container runtime security tools empower detection and response in containerized environments. These tools are needed because most host based Endpoint Detection and Response (EDR) tools have no container visibility. Evaluating these tools comes down heavily to how quickly the company has modernized their detection capabilities. Great products will detect container specific actions and threats, and empower security teams to easily see where they came from, even in short lived containers. Bad tools will provide vague content, and only alert on basic threats with tons of false positives.

Sysdig is built on top of the most powerful open source container runtime security tool, Falco. It provides the most in depth protection from container threats available today. The setup is more complicated than other tools in the CNAPP space, but the power is worth it.

Upwind is the first provider I've seen to demo the fully robust end to end runtime protection many companies are saying they provide. I'm pending hands on time with the tool to confirm - but what I saw was very impressive!

Spyderbat is doing some wonderful work with eBPF and proactive configuration protection in the form of specifying what processes can run on a container. They have a clear emphasis on providing actionable process and network level data to indicate when threats exist on a system, but still are working on their interface and UI.

ARMO has very recently dug into a runtime eBPF agent, kubecop. They've launched it in their unique open source way and are promising to deliver some real optionality against Falco.

Operant offers a unique network level approach for securing containers, kubernetes, and APIs. They create excellently detailed ingress and egress maps of your application, and develop rules against that granular visibility for detection and response.

Oligo's eBPF agent is differentiated by its unique detections around exploits against third party platforms. If I was worried about third party zero days - this is the tool I would get.

Datadog's runtime workload protection is a close second to Sysdig in terms of their robust content library. It lacks response capabilities, but it's a great option if you're already using Datadog for other monitoring and security needs.

Sweet Security has developed a platform that gets to the details of actually securing your environment. While other providers on this list may be more mature at cloud visibility more generally, Sweet Security provides a level of detail that would actually stop a real attack.

KSOC offers a unique approach to container runtime security that's focused mostly on the security of the cluster itself. It works by analyzing kubernetes audit logs, which lets it sit in a unique position between container and IaC scanning. They're a great supplement to existing runtime protection.

Deepfactor uses their unique ability to intercept application calls to provide container runtime protection that's not seen in other providers. Their workflow for going through alerts needs work, however.