Boundary Breakers encompass vendors that are taking risks in creating new categories around their offerings. This category exists to highlight tools that are attempting to define new categories.
Oligo provides runtime protection against the exploitation of open source or third party vulnerabilities - not just "is this package running," but "what is this package doing?" Their engine drastically reduces the risk of supply chain exploitation, in a way that might make SCA in general obsolete.
Seal is another vendor that threatens to make open source scanning entirely obsolete. They backport security fixes to your current version of open source libraries for instant, ongoing auto-patching; that way you don't need to make major framework upgrades under duress. Seal changes everything about SCA scanning, and threatens to upend the whole industry.
Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and has created a simple cloud-based scanner to do 9-in-1 security scanning. A no-brainer recommendation for startups.
Formal is super cool. They built a simple-to-deploy reverse proxy (it's just a binary!) that automatically gets total visibility into data on the way in and can decrypt it based on policies to control who can view what, when.
AI Strike is combining LLMs with traditional SIEM and CSPM to provide a holistic LLM based approach to security incident response. They're combining robust asset data with log sources to give the LLM enough context to make accurate alerting decisions.
Permiso is creating incident response for identities. They bridge the gap between "SaaS Security" and "IAM security" by tracking identities across IaaS and SaaS, while baselining and firing alerts for suspected misbehavior, along with session tracking.
I had not heard of unikernels before meeting with nanovms, but they're an elegant solution for simply hosting cloud applications at scale without adding the complexity of Kubernetes. If you're willing to make the architecture switch, there are many security benefits along the way.
Pangea provides an API and SDK to easily implement security features into your application - such as checking a user's password against a breach database, or checking a user's email against a spam database. They're the only company I've seen that's trying to make security features as easy to implement as Stripe.
One of the largest challenges in security operations is testing your detection capabilities. Security Runners is a neat project for deploying realistic attack scenarios into your environment. These exercises are written in Go and customizable.
HoundDog is the kind of solution that uniquely solves an interesting problem in AppSec - logging or accidentally sharing PII. They use a combination of regex and AI to scan for data leak scenarios. I think this capability will be quickly desired as part of broader ASPM.
It took quite a bit of time for me to understand how uniquely Xygeni is approaching ASPM. Rather than chasing buzzwords and features, they've been focusing on stopping real attacks. They have a unique technological approach for detecting not just pipeline attacks, but more significantly scanning third party libraries for malware; not just vulnerabilities. For example, if I decided to make the open source Latio scanner send all your code to my server, they'd be the only full ASPM platform that could also detect that attack.
Of all the companies in this space, Tidelift is the only one I could describe as uniquely ethical. If you're tired of shoveling your CVE scanner results into open source backlogs, never to be fixed, working with Tidelift allows you to actually work with maintainers to get your issues fixed upstream - while checking the box on standard SCA feature sets (plus a few unique package health assessments).
Tracebit is building very holistic deception technology that serves as honeypots for your cloud infrastructure. They deploy deceptive resources that match your existing ones, and monitor those resources for any suspicious activity.
It's great to see a company build a product around honey tokens. Honeypots provide a ton of security ROI but are difficult to set up and maintain; Seedata takes care of that for you so that you can focus on analyzing the results. I'd highly recommend this tooling for people with advanced security operations teams.
Myrror provides the standard suite of SCA tools with function-level reachability, but they have a much more unique technology that allows you to confirm that a binary was built from a particular source code. This allows the most thorough validation of supply chain assets I've seen and is an awesome capability for ensuring you're not deploying unknown risks to your customers.
TrustOnCloud has created in depth threat models for cloud services. For example, they can show you every possible way someone could exploit an S3 bucket. Because they don't focus on scanning, they've created a library of potential exploits that goes far beyond what most CSPMs offer; however, that comes with the downside of being fundamentally a work generation tool. If you're operating at a scale where formal threat models need to be conducted before adopting new AWS services, their tool is undoubtedly useful.
VulnCheck provides well curated data on vulnerability exploitations - I can't see myself using them directly at smaller companies, but I'd hope all of my providers were using them for upstream data.
Devici has created a collaboration tool specifically for threat modelling, allowing for unique opportunities for mapping resources with tagging, dataflows, and notes. As development teams get more directly involved with day-to-day security alerts, it seems that threat modelling will be a key value add for security teams, and I wouldn't be surprised to see more tools arise in this space.
Leen is building a unified API for security integration data - a great product for product teams or people building their own tooling!
Dropzone is in the quickly emerging field of AI SOC analysts. They correlate logs across platforms and use generative AI to try and de-noise the amount of false positive alerts that waste analyst time. A few differentiators are being given the query used to generate the logs, and that the LLM will look at the alerts in their organizational context to look for known false positive trends. I'm skeptical of what these tools do in real environments when available data isn't always integrated.
Bedrock Systems has created a hypervisor that can watch for malicious interactions with the Linux kernel, and other suspicious read/write operations. This makes them an extremely powerful tool for detecting container escapes and attackers getting funky with core Linux systems, but it comes at the cost of having a custom deployment for your node infrastructure - which may or may not be worth it depending on your security posture.
Ophion gets the closest I've seen to a realistic automated pentest, and is essentially offering ongoing recon as a service. They aren't just running DAST scanners against your endpoints, but are instead doing a very realistic recon of your public-facing assets. One small example illustrating the difference is looking at the public commit history of your company employees on public GitHub repos.
Zenity has created a suite of security tools for scanning low-code and no-code applications, which are becoming more and more common in large enterprises. These monitor dataflows, third party vulns, and secrets usage in non-traditional coding applications like Salesforce, ServiceNow, and Microsoft Copilot.
Cloudfence has focused on creating a more actionable CSPM for specifically managing network and identity security in the cloud. Their network visibility allows them to do some cool things like limiting security groups based on observed traffic.
Tracking third party data flows is a hot topic in security right now - most companies are tracking via OAuth or API flows. Riscosity is cutting through that to the sources of truth, namely the code and network layers. They scan your code for third party data flows, and then validate at runtime by proxying your egress.
DiscrimiNAT has built a unique way to enforce egress network security by controlling outgoing traffic via security groups. They take advantage of VPC endpoints to create a lighter touch way to scale egress control, which is one of the most difficult challenges in cloud environments.
Kosli has created a way to attest to actions taken in cloud environments, most clearly CI/CD artifacts. Their core technology allows them to detect any change to any file, so there are a lot of potential use cases for this technology.
Mimic has created a unique ransomware defense solution that focuses on protecting critical assets while using honeypot-like deception techniques to buy response time.
Dig Security checks all of the boxes for DSPM and DLP, namely data categorization. They differentiate by having database detection and response rules more akin to Database Access Management types of technologies. This gives them a runtime value that others lack. Hopefully the Palo acquisition doesn't kill the detection response capabilities.
This category is for the quickly emerging field of LLM Security tools. These tools cover visibility, detection, and response for LLMs across code, endpoints, and infrastructure. I'm most excited for the application level security use cases, but early companies here are focused on monitoring employee chat sessions. Success in this category is dictated by the ability to adapt to rapidly changing conditions.
Prompt Security offers comprehensive solutions for LLM security. They have both corporate IT visibility with their browser plugin, alongside application visibility with API, SDK, and reverse proxy options. You can also trace user sessions and detect/redact/block numerous types of data and attacks.
Aim has built a flexible offering in the LLM space. They offer a browser plugin, copilot wrappers, can connect to third party network logs, create privacy policies, their own chat, anonymizers, and an API for proxying application level calls.
Lasso has the most fully functional product right now - they use plugins to monitor different LLM entry points to detect data leakage and do prevention and anonymization. They're solving the current issues CISOs are looking to have solved.
Pillar is building exactly what I think LLM security should be - a simple-to-use library that wraps LLM calls, giving you visibility and blocking capabilities that exceed most of what's out there.
Despite being so early in development, what I've seen from Apex is the most unique approach to GenAI security. They offer visibility, configuration protection, and runtime detection and response for LLMs, both for corporate and application use cases. Everything from DLP to Injection detection, to LLM quarantining.
Mindgard has taken a cool approach to LLM security by building an in depth testing library for your existing models. Given the rapidly changing nature of the field, it's a great way to learn about existing attacks and how to protect against them.
Lakera offers a simple way to protect LLMs by importing their SDK into your code. Their approach is simple and elegant, and their Gandalf tool allows you to better understand how LLM prompt injections work.
Harmonic currently has the standard suite of LLM protection visibility via browsers, but has a long term focus on detecting the flow of sensitive data - a vision that aligns well with the team's history in detecting sensitive data across the internet.
Unbound offers a browser plugin for DLP and AI usage discovery, and a proxy-based approach for data sanitization and visibility.
AppSOC has created a unique solution for LLM security that's focused on the governance and risk of using specific models over others - they've layered this on top of general SCA scanning.
Originally CIEM (Cloud Identity and Entitlement Management), this category has been broadened to Cloud Identity. These offerings help manage the numerous ways cloud identities can be created and proliferated, whether it be through IaC or AWS policies.
Kivera provides an identity proxy for true enforcement of access policies. Their setup is awesome out of the box for IaC deployments, giving developers instant feedback for when they're attempting to implement permission policies that are dangerous.
Entro watches for API key generation and usage across tools, alerting you to both unused permissions, as well as potential malicious activity. An example use case is detecting when a secret is shared on Slack.
P0 has built a truly unique workflow for JIT access for multiple development tools. While other providers in this space work for AWS, P0 differentiates by also supporting things like K8s, Postgres, and Snowflake with temporary policy access.
Axiom provides standard scanning and remediation for least privileged access, but also grants least privileged roles on demand for just-in-time access. Their approach is to reduce permissions while providing temporary roles when major changes are needed.
Apono enables you to define access policies for cloud and workload resources, creating JIT workflows for accessing different environments. One standout feature is Kubernetes RBAC visualization, combined with JIT access roles.
Aembit provides the most secure way I've seen of delivering machine-to-machine credentials to your workloads. They uniquely validate asset identity via contextual properties and integrations, and then inject the approved credentials into the workload.
Andromeda has built a promising solution for making least privileged identity enforcement a reality. They do some discovery, sensitive permission scanning, blast radius building, looking for unused permissions, and JIT access. What makes them unique is AI approval workflows for JIT, and rich checking for unused permissions.
Oasis Security discovers identities across cloud, on-prem, and SaaS, graphs them, and points out potential violations and security issues. It shows what the roles, or NHIs if you want to get marketing with it, are accessing, their likely owner, and what they should be accessing.
Token connects into your cloud and SaaS identities, with some support for workloads like Postgres and K8s, and looks for identity issues like over-permissioned accounts or a lack of rotation or MFA.
Raito gets the details of database access right - they've managed to standardize controlling access to databases across different architectures and providers. Data owners can be assigned and manage who has access to what data, and risk assessments can be done for access. They have an amazing foundation for the future of managing DB access.
Abbey allows you to define grant kits in code, which are custom pre-defined Terraform for different access scenarios. Developers can then request access via Abbey, and open a PR subject to defined approval workflows.
Sonrai has built a simple deployment for securing numerous cloud identities with as little complexity as possible by focusing on deploying permissions boundaries through SCPs and removing unused resources.
Procyon provides JIT access for cloud workloads.
Turbot's Guardrails product allows for enforcement of cloud identity controls, while Pipes enables querying and alerting on logs and metadata.
InstaSecure uniquely flips the paradigm of identity management by helping you set robust IAM boundaries and SCPs instead of focusing on the endless tweaking of individual users and roles. The approach is a great way to get high-impact, low-effort results.
StackIdentity provides a platform that excels in diving deep into your IAM environment and assessing over-permissive and high-risk resources. They provide a data lake that allows you to really see and maintain proper access controls across tools.
Entitle.io is focused on the specific use case of granting break glass permissions in AWS, and rolling back changes when they're not needed. They also support more general permission scanning.
Like other CNAPPs, Wiz is focused on cloud security more broadly than just Cloud-Identity tools; however, they offer the basic functionality of tuning your policies to be less permissive.
Sysdig differentiates itself from most Cloud-Identity providers by being able to look at which permissions haven't been used by anyone and can be removed. However, this has since become built into AWS' Access Analyzer tool, making it less valuable.
AWS Access Analyzer looks at your users and policies and suggests changes. It is a great built-in tool, but doesn't offer easy organization-level management.
Basic built-in analysis for GCP policies and users. Also provides role recommendations. At a high level, GCP is the easiest of the cloud providers to manage permissions in.
CloudSploit is a great tool to run a quick scan to check your permissions at a high level.
ScoutSuite is another useful tool to run a quick scan of your cloud environment to check for any issues.
This category of tooling is for vendors that focus on providing pull requests with code fixes in them across various scanning tools. It's a different approach than remediation workflow platforms.
Most code-fixers are starting with SAST because it's the easiest to implement. Seal, however, is starting with SCA - creating backported patches for your current version of open source libraries. This is a game changer for SCA scanning, and threatens to upend the whole industry. Seal uses GenAI to help backport patches to your current version of open source libraries.
Grit is awesome - they provide pre-baked playbooks for everything from framework migrations to major security patches. The most time consuming part of patching is figuring out the changes, and Grit does that part for you, even updating tests. They and Moderne are providing amazing value for actually getting things patched. Grit uses GenAI to help create playbooks for major upgrades.
Despite being the only one without AI in their domain, Corgea's platform is the most driven by GenAI that I've seen. Because of the reliance on GenAI, I've seen some really cool and unique solutions to specific vulnerabilities that other tools would likely have a very difficult time standing up. They also have the cutest logo of any platform on here. Corgea uses GenAI to help create fixes & detections for SAST findings.
DryRun helps your security team focus on the changes that actually matter, and with a simpler integration that's not dependent on any heavy handed app inventories. I've had to create a ton of custom scripts over my career to monitor high impact files, and only DryRun can properly handle that kind of prioritization.
Staris built a platform for open-box pentesting powered by GenAI. They look at your code and your application, build a PoC exploit of findings as a code test, and give you the fixed code. The workflow is wrapped as a pentest - which offers a glimpse into what the future of pentesting will undoubtedly look like. Staris uses GenAI to help find exploits from SAST to runtime.
Pixee is taking a unique approach to SAST fixes by raising pull requests on customizable cadences to make progress burning down your backlog. They provide their own wrappers around commonly exploited functions that are suggested in the raised pull requests. It's worth mentioning it didn't find any vulnerabilities in our test code. Pixee uses GenAI to help create fixes & detections for SAST findings.
Mobb integrates with SAST tools like Snyk, Checkmarx, Fortify, and CodeQL to scan your code and then provides fixes for merging into your code base. Their generated fixes seem good, but it's something that other providers are also working to build natively, such as Snyk's DeepCode. Mobb uses GenAI to help create fixes for SAST findings.
Nullify is also starting with SAST use cases, but has expanded their AI agent functionality to be more holistic with their Slack app and creating rudimentary threat models of code changes. Their vision is more holistic - focusing on creating an AI-based product security engineer.
Amplify Security leverages multiple AI agents to generate relevant and accurate fixes, alongside SAST scanning capabilities. This approach replicates the process of developers and security engineers working together to fix issues so both teams are happy. Amplify tries to make the code fixes look as if the developer themselves wrote the fix, emphasizing the contextual nature of the code.
Seezo turns design docs into security requirements.
Of all the tools claiming to be "developer centric" or "developer loved," only Moderne tries to automate as much as possible for even the most painful parts of fixing vulnerabilities - major version upgrades. They leverage Apache OpenRewrite to create playbooks across your code for remediating major issues like migrating Java or Spring versions.
Infield offers both a product and services for handling complex migration efforts for common application upgrades. They have a robust history of success and combining the service with the SaaS should be appealing to customers who don't find the product value in upgrades.
In order to help people see the value of using LLMs for application security detection, we created a simple command line tool for code scanning with OpenAI. It's bring-your-own OpenAI API key, so you can manage the data however you see fit, and it has a templated GitHub Action for pipeline use.
This category is for tools that assist primarily with managing user identities outside of cloud environments. This includes tools that help with user provisioning, authentication, and authorization. Good tools in this category help with user lifecycle management, and provide a single pane of glass for managing user access across your infrastructure. Bad tools in this category are difficult to integrate, and require a lot of manual tuning.
Lumos is fascinating for the breadth of use cases they cover - general SaaS contract management, user audit logs, and request flows for Okta apps - all from a single platform. From what I've seen, Lumos seems like a dream come true for most corporate IT teams, where managing Okta has turned into a team sized job.
Astrix gives you visibility into OAuth connections in your environment - such as when a user authorizes an unknown third party application into your Slack. They provide great visibility into what's usually a black box for security teams.
Axiom provides standard scanning and remediation for least privileged access, but also grants least privileged roles on demand for just-in-time access. Their approach is to reduce permissions while providing temporary roles when major changes are needed.
Veza has created a unique graph querying tool associating users to the data they have access to - this extends beyond basic Okta user assignments to include things like sensitive S3 buckets or databases. Alerting can also be configured based on the searches. They also include onboarding/offboarding automations.
At their core, Garantir offers a solution for public and private key storage, but that description sells them short of numerous use cases they support with elegance. They can be used as a PAM, for SSH management, to accomplish HSM with ease, and can run just about anywhere a private key is needed with their agent on user endpoints.
Push Security created a browser plugin that monitors SaaS applications being used by employees, and can alert on risky identity controls such as re-using weak passwords or lack of MFA.
Teleport works by giving end users certificates that allow them to enforce access policies across numerous cloud resources that are typically difficult to manage. The user experience is better than any alternatives I've seen.
BalkanID is a platform for SaaS access management. They have the standard features of detecting overpermissioned users and creating workflows for adding and removing users automatically, but they have a surprisingly robust playbook functionality for creating custom workflows.
Komo provides user access request flows for Okta and AWS SSO, allowing users to easily request and be assigned permissions. They uniquely allow the creation of attribute based rules, creating workflows around users as their attributes change.
ConductorOne provides a management platform for Okta user assignments. I haven't met with them.
Opal provides a management platform for Okta user assignments. I haven't met with them.
Application Security Posture Management (ASPM) is the latest buzzword to take over the application security market. It's meant to correlate all application security scanning into a single dashboard for remediation prioritization - but my thoughts on definition are here. Always validate what tool coverage looks like in this category - many vendors have one or two scanners built in house, and are relying on open source tooling for the rest of the pipeline coverage. Great tools will allow you to track and correlate findings across an entire application. Bad tools will rely purely on third party scanners and have major gaps.
Ox security blew my mind - providing the ultimate all in one configuration scanning tool. They're the only ones I've seen who can track a container lifecycle, individually vulnerable functions from dependencies, and provide both rich integrations alongside their own scanners.
Arnica is building the next gen security scanner for SAST, SCA, SDLC and IaC scanning (with container soon I'm sure). Their secret sauce is rich code owner insights with a user graph of your Git provider. I love their focus on remediation workflows and confidence in their own scanners.
Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and has created a simple cloud-based scanner to do 9-in-1 security scanning. A no-brainer recommendation for startups.
Apiiro is like Bionic on steroids by working better in non-Java/Spring environments - it builds an in-depth application inventory by scanning your code for API endpoints and provides excellent prioritization tools based on that map. It does a great job at detecting which PRs will likely be major changes.
Cycode offers all in one scanning and integrations across the SDLC pipeline. Their primary in house built tool is their secret scanner, but their differentiator is their graph querying of deployment processes. If you have a lot of pipelines, they have a lot of querying.
Xygeni has built a unique approach to ASPM tooling by focusing on malware detection, GitOps exploits, and detecting active supply chain attacks. They've built everything in house and also have an asset graph for relating resources to one another.
Backslash provides SCA, SAST, and Secrets scanning, with a focus on reachability from network, API, and function perspectives without an agent. This approach to reachability is uniquely holistic - including features like detecting if a transitive dependency is directly called by your code, or if a specific SAST finding is surfaced via API.
Oxeye is building the most runtime-y of ASPM providers - they map out your application using everything from code to agents to network validations. Then they prioritize based on how your app is most likely to be exploited. The only ASPM with DAST validation.
Phoenix Security is more on the vulnerability management side of ASPM, but they offer their own SCA and DAST options alongside existing scanners. Due to the emphasis on management & orchestration, they offer a wide variety of contextualizations and in-depth vulnerability data.
Boost Security has a shared vision for all-in-one configuration scanning out to runtime. They have smart Kubernetes & Istio integrations for runtime context, alongside the standard suite of SCA, SDLC, SAST, IaC, Secrets, and Containers based on a combination of open source and in-house built tools. I appreciate the openness of their rule set in their documentation.
Qwiet has been doing all in one scanning for a long time - they have a powerful unique approach to scanning that starts with a map of your application, and scans within that context. They have smart prioritization filters combined with the standard suite of SCA, container, SAST, Secrets, and IaC scanning. They don't offer "pipeline-less" scanning via webhooks if that's a requirement for you.
Soos is a good all in one ASPM scanning option with SBOM tooling, but it has a lot of caveats around the details. Only SCA scanning works via webhooks, it can ingest SAST findings from other tools, and other scanners require different instrumentations and are at different maturities.
Rezilion combines their own scanning at runtime with ingesting from other platforms to provide an exploitability prioritization view of container and SCA vulnerabilities. They focus on simple deployment into your environment to prioritize what packages and libraries are running.
Bionic offers a unique approach to application visibility by building a graph of your services, their dependencies, and the classification of their downstream data. Their application map works best in Java/Spring environments.
For the providers based solely on integration with other security vendors, JIT is my favorite pick. They consolidate scanners and create workflows and prioritization for developers. The JIT scanner is unique in that it's a wrapper for other scanners that you run in your own pipelines - an approach with pros and cons.
Codacy is a code quality and scanning toolbox similar to SonarQube for code scanning. They support many languages via open source scanning tools.
Legit Security takes a holistic approach to SDLC security. They aggregate your SDLC pipeline findings across different tools, allowing for remediation, especially within pipeline scanning. They do asset discovery via code, rather than via runtime detection.
Kondukto's strength is integrating with just about every tool you could want, including open source ones, to prioritize and remediate in a single platform. They provide a great Jira workflow for working through findings.
Start Left brings SAST, SCA, Container, and IaC scanning in a single platform. They also have AI code remediation recommendations, and provide a docker image for running local scans.
Snyk's ASPM product is frankly pretty weird. It provides pipeline coverage and asset classification, but since it integrates with neither other platforms nor Snyk's own issues, it's hard to see how it fulfills the goals of ASPM.
Does Synopsys technically do everything you'd need from an ASPM? Yes. Would you ever want to use it? No. They've focused heavily into the semiconductor industry, and their ASPM is heavily patched together from various acquisitions.
Uptycs' biggest strength is its biggest weakness - it undoubtedly has the most features of any CNAPP platform, from ASPM to container runtime. However, that creates a corresponding UI bloat that's as bad as it gets for these platforms. As a certified Kubernetes enjoyer though, their cluster visibility with Kubequery is quite good.
Software composition analysis (SCA) is also called open-source vulnerability scanning. It works by examining the source code of an application to identify any open-source components that are being used. It then checks these components against a database of known vulnerabilities, and alerts the user if any are found. Great tools in this category will run quickly, in pipeline, and most importantly, provide resolution guidance in the developer workflow. Bad tools will run on a cadence, provide CVEs without any guidance, and only work at runtime.
Oligo provides runtime protection against the exploitation of open source or third party vulnerabilities - not just "is this package running," but "what is this package doing?" Their engine drastically reduces the risk of supply chain exploitation, in a way that might make SCA in general obsolete.
Raven has built a comprehensive runtime-oriented SCA solution that can detect when functions from vulnerable packages are actually executed. This lets them detect application-layer attacks, prioritize based on which functions are in use, and virtually patch to prevent vulnerability exploitation.
Seal doesn't do SCA scanning in the traditional sense, instead they backport security patches for open source libraries, allowing you to auto-patch any vulnerabilities without doing major framework updates. Their only limit is their velocity pushing the backported patches.
Ox's reachability analysis is one of very few that tries to determine whether the function tied to the CVE in the third-party code is actually called by the app - a step beyond just checking whether the package is loaded.
Arnica's SCA is differentiated by finding the most likely owner for the fix and automating a lot of the workflow process such as pinging them on slack and creating a Jira ticket.
Kodem provides runtime insights on container vulnerabilities, but uniquely ties them back to SCA findings in pipeline. This gives you a single holistic view of container and SCA vulnerabilities, as well as what's executing at runtime.
Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and have created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.
For what Snyk offers in usability across functions, Semgrep excels in customization. Their tool offers extensive customizations and rule sets, and their reachability analysis, a critical aspect of SCA, beat Snyk to market. Also, their open source tooling is powering many other tools on this list.
Phylum meets standard SCA scanning requirements, but differentiates with upstream malware detection. They have some smart features, such as a CLI wrapper for npm installs that blocks attempted malware installation during development.
Of all the companies in this space, Tidelift is the only one I could describe as uniquely ethical. If you're tired of shoveling your CVE scanner results into open source backlogs, never to be fixed, working with Tidelift allows you to actually work with maintainers to get your issues fixed upstream - while checking the box on standard SCA feature sets (plus a few unique package health assessments).
Endor Labs stands out in their granularity and reachability analysis for open source packages. They get the meaningful details from function level reachability, and are the ones who scared everyone into trying to make it.
SCA scanning fits into Xygeni's larger ASPM platform but differentiates by scanning the packages from a SAST perspective instead of just looking up CVEs.
Backslash's SCA supports function level reachability, but can even detect direct calls to transitive dependencies. SCA is part of their ASPM which includes SAST and secrets.
Myrror provides the standard suite of SCA tools with function-level reachability, but their more unique technology lets you confirm that a binary was built from a particular source tree. That is the most thorough validation of supply chain assets I've seen, and is an awesome capability for ensuring you're not deploying unknown risks to your customers.
Deep Factor differentiates their SCA tool with deep runtime insights on the open source package and its state of being loaded or not in the application - a good way to prioritize fixing.
Socket takes the unique approach of looking for malware within open source packages instead of focusing on only CVEs. They have robust support within the JavaScript ecosystem. They only scan your package manifest and not your source code. Their reachability analysis is unique in that they do it for transitive dependencies instead of your code (checking if the transitive dependency is used in the direct dependency).
Netrise has created rich dependency analysis specializing in firmware on hardware devices like Cisco switches. They also detect hard-coded credentials and other vulnerabilities, and have expanded this technology into containers.
Reversing Labs has very robust malware detection capabilities when picking apart binaries. They're expanding this binary analysis into creating SBOMs and SCA results as well. Some platform strengths are supporting traditional Windows packages and having robust approval workflows for stringent enterprise requirements. I wouldn't say developer workflows or ease of integration are as good as other tools.
Coana has built an SCA with direct and transitive dependency detection. They also have advanced function level reachability analysis.
Qwiet has a powerful unique approach to scanning that starts with a map of your application, and scans within that context. They have smart prioritization filters combined with the standard suite of SCA, container, SAST, Secrets, and IaC scanning. They don't offer "pipeline-less" scanning via webhooks if that's a requirement for you.
Snyk's first product was SCA, and it remains what they're stellar at. They do an unparalleled job at rolling up dependencies properly, and surfacing the information to developers in the easiest possible way to fix.
Mend was Snyk's main competitor early for quick open source scanning in pipeline, but did not expand as quickly as Snyk into other areas. Their open source Renovate tool is great for keeping your in-house dependencies up to date, but their UI and scanning engine were more difficult to deploy, maintain, and navigate. However, due to Renovate they have unique visibility into the expected challenge of a version upgrade.
Oxeye allows you to prioritize SCA based on where the findings live in your infrastructure with rich runtime insights.
Apiiro prioritizes your SCA findings by tying them to asset inventory and application context.
Paraxial provides a unique combination of security tooling specializing in the Elixir language and Phoenix framework. They're a great choice for companies that use Elixir, and have unique runtime elements that make them stand out from open source options.
Cycode offers their own in house built SCA scanning as part of their ASPM platform.
Boost Security is primarily an all in one scanner. Their SBOM functionality seems bare bones at the moment.
Rezilion combines their own runtime scanning with ingestion from other platforms to provide an exploitability-prioritized view of container and SCA vulnerabilities. They focus on simple deployment into your environment to prioritize which packages and libraries are actually running.
Fossa has really focused on SCA and SBOM for the enterprise. They have mature SBOM offerings such as a sharing portal, evolving reachability capabilities, internal dependency tracking, and good quality insights on repos.
Apona provides a combination of SCA, SAST, and DAST features. Something unique about their SCA is offering a function-level fix, if one is available, as an alternative to the package patch.
Soos offers SCA and SBOM generation as part of the their ASPM platform.
Contrast wraps commonly exploited functions at runtime to detect and prevent application exploits, i.e., they instrument the application once it's actually built and running.
Black Duck SCA provides a product that technically checks all of the SCA boxes, but is not nearly as user friendly as other tools. They get the job done, but the UI is targeted more at security teams than at developers.
Sonatype was one of the first organizations doing SDLC tooling; however, until recently, they did not have a cloud platform. Their platform is still catching up to the intuitiveness of the SaaS competition, but their product checks all the boxes.
Start Left brings SAST, SCA, Container, and IaC scanning in a single platform. They also have AI code remediation recommendations, and provide a docker image for running local scans.
As part of their larger platform, Checkmarx also provides SCA Scanning.
Scribe has created a tool for SBOM management and software attestation as your application is being built.
Veracode is a legacy SAST vendor that has done the best job at catching up to cloud native tooling. They are a great choice for organizations using more legacy or waterfall type development methods.
Aqua Security offers SCA scanning as part of their CNAPP solution.
Using Prisma Cloud as an SCA tool is technically possible, but I wouldn't recommend it. It's part of what Twistlock did, but it hasn't been updated since the acquisition and is very painful for developer use.
While using your git provider as an SCA tool may make sense on the surface, GitLab relies entirely on open source tooling to do the actual scanning, and their reporting is hard to use. Only recommended for organizations that are already on Ultimate.
Dependabot is a great check the box solution for saying you do vulnerability scanning, but it is very difficult to use and doesn't provide much guidance. Generates a lot of noise for developers.
Static application security testing (SAST) analyzes source code for security vulnerabilities, such as untrusted input reaching a function call without any validation on the way. Great tools in this category will run quickly, in pipeline, teach developers, have effective reporting, and make rule tuning easy. Bad tools will run on a cadence, provide less guidance, and make it difficult to change or override rules.
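As an added illustration of what "untrusted input reaching a dangerous call" looks like inside a SAST engine (this is example code, not any vendor's scanner and not from the original page), the block below does a tiny taint-style analysis of Python source with the standard-library `ast` module: function parameters and a couple of input functions are untrusted, straight-line assignments propagate taint, and calls to a few sinks with still-tainted arguments are reported. The `SOURCES`, `SINKS` and `SANITIZERS` lists and the sample program are assumptions chosen for the example; the analysis is deliberately intra-procedural with no branch merging.

```python
"""Tiny taint-style SAST check over Python source (added illustration).

Not a vendor's engine. SOURCES, SINKS and SANITIZERS are assumptions for the
example; real rule sets are far larger and the analysis here is deliberately
simple: one function at a time, straight-line assignments, no branch merging.
"""
import ast

SOURCES = {"input", "request.args.get"}
SINKS = {"os.system", "subprocess.call", "subprocess.run", "subprocess.Popen", "eval"}
SHELL_SINKS = {"subprocess.call", "subprocess.run", "subprocess.Popen"}  # dangerous only with shell=True
SANITIZERS = {"shlex.quote", "int"}


def dotted_name(node):
    """Render a Name/Attribute chain such as subprocess.run as 'subprocess.run'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_tainted(node, tainted):
    """True if the expression uses a tainted name or a source outside a sanitizer call."""
    if isinstance(node, ast.Call):
        name = dotted_name(node.func)
        if name in SANITIZERS:
            return False
        if name in SOURCES:
            return True
    if isinstance(node, ast.Name):
        return node.id in tainted
    return any(is_tainted(child, tainted) for child in ast.iter_child_nodes(node))


def shell_true(call):
    return any(k.arg == "shell" and isinstance(k.value, ast.Constant) and k.value.value is True
               for k in call.keywords)


def calls_in(node):
    """Yield Call nodes inside one statement without descending into nested statements."""
    for child in ast.iter_child_nodes(node):
        if isinstance(child, ast.stmt):
            continue
        if isinstance(child, ast.Call):
            yield child
        yield from calls_in(child)


def nested_stmts(node):
    """Yield statements nested in a compound statement (if/for/try bodies, except handlers)."""
    for child in ast.iter_child_nodes(node):
        if isinstance(child, ast.stmt):
            yield child
        elif not isinstance(child, ast.expr):
            yield from nested_stmts(child)


def scan_function(fn):
    tainted = {a.arg for a in fn.args.args}   # every parameter starts out untrusted
    findings = []

    def visit(stmts):
        for stmt in stmts:
            if isinstance(stmt, ast.Assign):
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        if is_tainted(stmt.value, tainted):
                            tainted.add(target.id)
                        else:
                            tainted.discard(target.id)   # overwritten with clean data
            for call in calls_in(stmt):
                sink = dotted_name(call.func)
                if sink not in SINKS or (sink in SHELL_SINKS and not shell_true(call)):
                    continue
                if any(is_tainted(arg, tainted) for arg in call.args):
                    findings.append({"function": fn.name, "line": call.lineno, "sink": sink})
            visit(list(nested_stmts(stmt)))

    visit(fn.body)
    return findings


def scan(source):
    tree = ast.parse(source)
    return [f for node in tree.body if isinstance(node, ast.FunctionDef)
            for f in scan_function(node)]


# Constructed sample program: three true positives, two correctly ignored cases.
SAMPLE_SOURCE = '''
import os, shlex, subprocess

def ping(host):
    os.system("ping -c 1 " + host)               # tainted parameter reaches os.system

def safe_ping(host):
    os.system("ping -c 1 " + shlex.quote(host))  # sanitized: no finding

def list_dir(path):
    subprocess.run(["ls", path])                 # argv list, no shell=True: no finding

def run(cmd):
    subprocess.run(cmd, shell=True)              # shell=True with tainted input

def calc():
    expr = input("expr: ")
    return eval(expr)                            # input() flows into eval
'''

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"{f['function']}:{f['line']} tainted data reaches {f['sink']}")
```

The sanitizer and `shell=True` checks are what keep `safe_ping` and `list_dir` quiet; a scanner without them would flag every `subprocess` call and bury the three real findings in noise, which is the false-positive problem the better tools in this category compete on.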
Arnica's SAST is the most robust I've seen from a workflow perspective and actually getting findings fixed.
Ox is a wider ASPM platform, but their SAST scanning covers the basics while integrating with more powerful language specific providers.
Semgrep is a close second choice to Snyk for SAST. Their scanning library is more robust, and the ability to easily create custom rules is a huge bonus that Snyk only recently added. However, their SCA is not as robust, and having two different tools can be a hard pill to swallow. Great product for companies with an appetite for custom rules.
Backslash's SAST is unique in its ability to detect if a finding is surfaced via your API, allowing you to more effectively prioritize findings. SAST is part of their ASPM which includes SCA and secrets.
Kodem is the first to offer SAST results based on runtime results provided by their deployed scanner.
OpenRefactory has an amazingly robust SAST scanner that has really focused on building the best detections possible. While they're still building their full SaaS platform and features, the SAST engine itself is one of the best out there.
SonarCloud has the benefit of winning your developers' hearts due to its initial product focus on bug squashing and its ability to ingest a wide variety of reports. While the SAST functionalities are newer, they're robust enough to warrant the add-on to their code health scanning. Great choice for developer-only teams with low risk products.
Bearer is a newer SAST product that is built from an open source lens. They have done excellent analysis of the SAST market and are dialed in on the correct issues, namely false positives and time to scan.
Paraxial provides a unique combination of security tooling specializing in the Elixir language and Phoenix framework. They're a great choice for companies that use Elixir, and have unique runtime elements that make them stand out from open source options.
Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and have created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.
Snyk's SAST tool is newer to market but has come a long way since its release. Although it's not the most robust in any single category, it has the diverse levels of support needed to make SAST happen as a whole and actually get work done. Great choice for companies looking for scalable, simple solutions.
Boost Security is primarily an all in one scanner. I appreciate their openness of sharing their IaC rules.
Soos offers SAST as part of their platform, and can ingest SARIF from other scanners.
Oxeye provides standard SAST scanning, but builds out prioritization and exploit likelihood with a powerful runtime engine. A major differentiator is validation via DAST scanning.
Cycode offers SAST scanning as part of their ASPM platform, but it's hard to tell what's open source versus proprietary from them.
Contrast wraps commonly exploited functions at runtime to detect and prevent application exploits, i.e., they instrument the application once it's actually built and running.
Qwiet has a powerful unique approach to scanning that starts with a map of your application, and scans within that context. They have smart prioritization filters combined with the standard suite of SCA, container, SAST, Secrets, and IaC scanning. They don't offer "pipeline-less" scanning via webhooks if that's a requirement for you.
Staris built a platform for open box pentesting powered by GenAI. They look at your code and your application, build a PoC exploit of findings as a code test, and give you the fixed code. The workflow is wrapped as a pentest, but their scan of your source code with GenAI could be considered a SAST.
Mend built SAST into their primarily SCA based platform - I haven't directly seen the updated platform.
Start Left brings SAST, SCA, Container, and IaC scanning in a single platform. They also have AI code remediation recommendations, and provide a docker image for running local scans.
Checkmarx is a pre-cloud-native SAST tool that has had many years to develop a robust library of controls. They're a good fit for enterprises that follow more legacy methods of software development and are trying to expand into more agile workflows. A lot of companies on this list were started by former Checkmarx employees.
Fortify had a great reputation before the MicroFocus acquisition, but has since become slower to innovate. Lacks a lot of functionality compared to other SaaS options.
Apona provides a combination SCA, SAST, and DAST features.
Kiuwan is a great choice for companies that care about the fidelity of results more than anything else. Kiuwan's scanning offered the most robust true positives we've seen, but they really dragged in terms of their implementation process, UI, and integration/maintenance of developer workflows.
Veracode is a legacy provider that has done the best job at trying to rapidly innovate with their vendors. They're a good fit for larger enterprises that may need more hands on security developer work to get up and running, and may prefer more waterfall methods of development.
Aqua Security offers SAST scanning as part of their CNAPP solution - their history is longer in the cloud space than in developer tooling.
GitLab's SAST tool totally relies on ingesting open source reports into their pull requests. We would not recommend it as a standalone tool, but is a worthwhile add-on to their security options if you're already invested.
Secret scanning identifies sensitive data, such as API keys and passwords, that has been accidentally committed to source code repositories. Good tools in this category will block the commit as early as possible, since scrubbing a secret out of commit history with open source tooling is difficult, and a secret that reached a shared branch has to be rotated regardless. Bad tools in this category will only scan on a cadence, and will not block.
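The "block as early as possible" point is what a pre-commit hook gives you. The block below is an added illustration (example code, not any vendor's or open source scanner, and not from the original page): it scans only the lines a commit would add, using two mechanisms, fixed patterns for well-known key formats and a keyword-plus-entropy heuristic for generic assignments. The entropy threshold and the generic keyword list are assumptions to tune, the sample diff is constructed, and the AWS key in it is the placeholder value AWS uses in its own documentation.

```python
"""Pre-commit secret check over staged changes (added illustration).

Not a vendor's scanner. Install by saving as .git/hooks/pre-commit and making
it executable; it exits non-zero, which aborts the commit, when a finding is
present. Thresholds and the generic keyword list are assumptions to tune.
"""
import math
import re
import subprocess
import sys
from collections import Counter

FIXED_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# A secret-ish keyword on the left and a quoted value of 16+ characters on the right.
ASSIGNMENT = re.compile(
    r"(?i)(api[_-]?key|secret|token|password|passwd)\w*\s*[:=]\s*['\"]([^'\"]{16,})['\"]")
ENTROPY_THRESHOLD = 3.5   # bits per character; random keys sit well above, placeholders below
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_diff(diff_text):
    """Return findings for added lines of a unified diff, with new-file line numbers."""
    findings, path, lineno = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            continue
        m = HUNK_HEADER.match(raw)
        if m:
            lineno = int(m.group(1))      # first new-file line of this hunk
            continue
        if raw.startswith("-") or raw.startswith("\\"):
            continue                      # removed lines and "\ No newline" markers
        if not raw.startswith("+"):
            lineno += 1                   # unchanged context line
            continue
        line = raw[1:]
        hit = next((rule for rule, pat in FIXED_PATTERNS.items() if pat.search(line)), None)
        if hit is None:
            m = ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
                hit = "high-entropy-assignment"
        if hit:
            findings.append({"rule": hit, "path": path, "line": lineno})
        lineno += 1
    return findings


def main():
    staged = subprocess.run(["git", "diff", "--cached", "-U0"],
                            capture_output=True, text=True, check=True).stdout
    findings = scan_diff(staged)
    for f in findings:
        print(f"BLOCKED {f['path']}:{f['line']} matches {f['rule']}", file=sys.stderr)
    return 1 if findings else 0


# Constructed sample diff: a real key format, a high-entropy secret, a
# low-entropy placeholder that the keyword rule alone would have flagged,
# and a harmless line.
SAMPLE_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,2 +1,6 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+SESSION_SECRET = "k9Qz3xV7mL2pR8wT1yB6nC4dF0gH5jK"
+PLACEHOLDER_TOKEN = "xxxxxxxxxxxxxxxxxxxx"
+IMAGE = "python:3.12-slim"
 LOG_LEVEL = "info"
"""

if __name__ == "__main__":
    sys.exit(main())
```

Running it against `SAMPLE_DIFF` reports the AWS key on line 2 and the session secret on line 3 but stays quiet on the all-x placeholder, which is the entropy gate doing its job. Pair the hook with a server-side check: a local hook is a convenience developers can skip with `--no-verify`, not a control.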
Arnica's secret scanning is amazing in how it builds fix PR's that handle the remediation workflow for you. They also do cool validation of your keys.
GitGuardian is the best paid provider for this tool and is a great solution for deploying secret detection at scale. On the one hand, secret scanning is a very narrow function, but on the other, a leak is extremely costly. While Arnica does the workflow, GitGuardian has more robust detection.
Cremit does all of the expected secret scanning, but has great real-time alerting on what API keys have done and whether they're still active, innovatively pulling their command history when available.
Semgrep recently announced their secret scanning solution - it promises an exciting new approach that focuses on context instead of regex to detect secrets.
Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and have created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.
Cycode offers secret scanning as part of their ASPM platform, and it's the piece of the platform they've most developed in house.
Boost Security is primarily an all in one scanner. I appreciate their openness in sharing their supported secret detection formats.
Backslash provides SCA, SAST, and Secrets scanning, with a focus on internet reachability analysis for prioritization.
Oxeye provides standard secret scanning, but builds out prioritization and exploit likelihood with a powerful runtime engine.
Secret scanning is part of Xygeni's larger ASPM platform, which focuses more on SDLC attacks in general than secret scanning specifically.
Dazz is a vulnerability remediation tool that also provides their own built in secret scanning.
Nosey Parker stands out for being able to scan file systems alongside repositories, and has some great built in reporting functionality.
Qwiet has a powerful unique approach to scanning that starts with a map of your application, and scans within that context. They have smart prioritization filters combined with the standard suite of SCA, container, SAST, Secrets, and IaC scanning. They don't offer "pipeline-less" scanning via webhooks if that's a requirement for you.
Legit Security provides secret scanning as part of their holistic ASPM platform.
GitHub's secret scanning now has push protection, the ability to stop secrets before they're pushed to the repository, making them by far the best choice. However, they are bundling this with their Advanced Security package, which is very expensive.
Turbot's plugins can robustly query infrastructure for secrets - going beyond just code scanning.
GitLab's scanner can run in pipeline and is provided directly by them. A good choice since it's available in their Premium tier and Ultimate is not needed.
Trufflehog is the best open source scanner available, and easily integrates as a GitHub action.
Gitleaks is a Trufflehog alternative that is also extremely effective. Both repos are well maintained.
IaC security scanning identifies security vulnerabilities and misconfigurations in infrastructure as code (IaC). Great tools in this category can serve as CSPM replacements, offering drift detection and misconfiguration findings. They'll support multiple IaC languages, such as Helm and Terraform, and will be able to run in pipeline. Weak tools will run on a cadence, and only detect based on manually imported rules. This category is a difficult balance between getting results to your development teams, and sharing a single rule base across code and deployment.
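As an added illustration of the in-pipeline half of this category (example code, not any vendor's product and not from the original page), the block below applies a few misconfiguration rules to the JSON that `terraform show -json` emits for a saved plan, walking the root module and its child modules. The sample plan is constructed for the example, and the three rules are assumptions chosen to show the shape of a rule: real scanners ship hundreds per provider.

```python
"""Rule-based IaC check over a Terraform plan in JSON form (added illustration).

Not a vendor's scanner. Reads the structure produced by `terraform show -json
tfplan` (planned_values -> root_module -> resources / child_modules). The
sample plan is constructed and the rule set is an assumption for the example.
"""
import json
import sys


def iter_resources(module):
    """Yield every planned resource, recursing through child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def public_s3_acl(res):
    return (res["type"] == "aws_s3_bucket"
            and res["values"].get("acl") in {"public-read", "public-read-write"})


def ssh_open_to_world(res):
    """Ingress reachable from 0.0.0.0/0 that includes port 22 (or all protocols)."""
    if res["type"] != "aws_security_group":
        return False
    for rule in res["values"].get("ingress", []):
        if "0.0.0.0/0" not in rule.get("cidr_blocks", []):
            continue
        all_traffic = rule.get("protocol") == "-1"
        covers_ssh = rule.get("from_port", 0) <= 22 <= rule.get("to_port", 0)
        if all_traffic or covers_ssh:
            return True
    return False


def unencrypted_ebs(res):
    return res["type"] == "aws_ebs_volume" and not res["values"].get("encrypted", False)


RULES = {
    "s3-public-acl": public_s3_acl,
    "sg-ssh-open-to-world": ssh_open_to_world,
    "ebs-unencrypted": unencrypted_ebs,
}


def scan_plan(plan):
    root = plan["planned_values"]["root_module"]
    return [{"rule": name, "address": res["address"]}
            for res in iter_resources(root)
            for name, check in RULES.items() if check(res)]


# Constructed sample plan: one clean bucket, one open bastion, and a child
# module with a public bucket and an unencrypted volume.
SAMPLE_PLAN = json.loads("""
{
  "format_version": "1.2",
  "planned_values": {
    "root_module": {
      "resources": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "values": {"bucket": "example-logs", "acl": "private"}},
        {"address": "aws_security_group.bastion", "type": "aws_security_group",
         "values": {"ingress": [
           {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}
      ],
      "child_modules": [
        {"address": "module.web",
         "resources": [
           {"address": "module.web.aws_s3_bucket.assets", "type": "aws_s3_bucket",
            "values": {"bucket": "example-assets", "acl": "public-read"}},
           {"address": "module.web.aws_ebs_volume.data", "type": "aws_ebs_volume",
            "values": {"size": 100, "encrypted": false}}
         ]}
      ]
    }
  }
}
""")

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    findings = scan_plan(plan)
    for f in findings:
        print(f"{f['rule']}: {f['address']}")
    sys.exit(1 if findings else 0)   # non-zero exit fails the pipeline stage
```

Scanning the plan rather than the raw HCL is what lets a single rule base see resolved values from variables and modules; the cost is that it only runs once a plan exists, so the earliest feedback comes at pull request time rather than in the editor.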
Kivera circumvents the need for traditional IaC scanning by providing granular level policy and access controls to the cloud provider API. This allows for instant enforcement of policies and rules, and is a great way to prevent misconfigurations from ever happening.
Of the ASPM providers, Apiiro offers the most holistic IaC scanning due to their system of building a full application inventory out of your code.
Arnica's IaC scanning is the weakest part of their platform - but the value of getting an all in one tool is worth it.
Boost Security is primarily an all in one scanner. I appreciate their openness of sharing their IaC rules.
IaC scanning is part of Xygeni's larger ASPM platform, which focuses more on SDLC attacks in general than IaC specifically; however, they provide an asset map to help see where changes are coming from.
Snyk IaC integrates directly into your pipeline to easily scan and block IaC misconfigurations. Their support for various IaC templates is a big plus, but their cloud rules are not as advanced as other competitors. Combining with runtime data opens unique use cases for automatic remediation.
Ox relies solely on open source options for their IaC scanning, but ties it together nicely with runtime context.
Cycode offers their own built in IaC scanning as part of their ASPM platform.
Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and have created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.
Turbot's Guardrails allow enforcement of IaC controls, while Pipes enables querying across your charts and plans.
Qwiet has a powerful unique approach to scanning that starts with a map of your application, and scans within that context. They have smart prioritization filters combined with the standard suite of SCA, container, SAST, Secrets, and IaC scanning. They don't offer "pipeline-less" scanning via webhooks if that's a requirement for you.
Legit Security provides IaC scanning as part of their holistic ASPM platform.
As part of their larger platform, Checkmarx also provides IaC Scanning.
For organizations that are already using Wiz, their IaC scanning is a great option. If your devops team is willing to adopt their solution in pipeline, it can be a solid support tool.
Checkov is the leader in IaC scanning as an open source solution. Combining with Bridgecrew can be an okay solution, but we're skeptical of the long term outlook due to the Prisma Cloud acquisition.
Start Left brings SAST, SCA, Container, and IaC scanning in a single platform. They also have AI code remediation recommendations, and provide a docker image for running local scans.
KICS is another solid open source solution; however, they're more easily adopted into traditional security review models.
Aqua Security offers IaC scanning as part of their CNAPP solution.
Gomboc promises a unique approach to IaC in that it goes beyond traditional regex based rules. We're pending hands on time with the tool for more information.
Dynamic application security testing (DAST) scans web applications for security vulnerabilities while they are running, trying things like injecting known malicious payloads into input fields and parameters. Great tools in this category will run quickly, in pipeline, be as easy as possible to integrate, have API coverage, and have smart fuzzing based on the type of backend you are running. Bad tools will run on a cadence, have less technology coverage, and be difficult to implement.
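To show what "inject payloads and watch the response" actually means, here is an added illustration (example code, not any vendor's scanner and not from the original page). A deliberately vulnerable WSGI app, constructed for the example, is driven in-process through the WSGI interface so the block runs offline; a real scanner would send the same requests over HTTP. The scanner probes one parameter at a time with a reflection marker for XSS and with error-based and boolean-based SQL injection probes, and reports only what the responses confirm. The marker string, payload list and error signatures are assumptions chosen for the example.

```python
"""Minimal DAST loop against an in-process vulnerable app (added illustration).

Not a vendor's scanner. The target app is constructed for the example and is
intentionally vulnerable (unescaped reflection, string-built SQL); the probes,
marker and error signatures are assumptions.
"""
import sqlite3
import urllib.parse
from wsgiref.util import setup_testing_defaults

# --- constructed target ----------------------------------------------------
DB = sqlite3.connect(":memory:", check_same_thread=False)
DB.execute("CREATE TABLE users (id INTEGER, name TEXT)")
DB.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])


def vulnerable_app(environ, start_response):
    params = urllib.parse.parse_qs(environ.get("QUERY_STRING", ""))
    path = environ.get("PATH_INFO", "/")
    status, body = "200 OK", "no such page"
    if path == "/search":
        q = params.get("q", [""])[0]
        body = f"<p>Results for {q}</p>"                       # reflected unescaped
    elif path == "/user":
        uid = params.get("id", [""])[0]
        try:
            row = DB.execute(f"SELECT name FROM users WHERE id = {uid}").fetchone()  # string-built SQL
            body = row[0] if row else "not found"
        except sqlite3.Error as exc:
            status, body = "500 Internal Server Error", f"database error: {exc}"
    else:
        status = "404 Not Found"
    start_response(status, [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode()]


# --- scanner ---------------------------------------------------------------
XSS_MARKER = "zx<'\">qq"          # reflected verbatim means the app is not escaping output
SQL_ERROR_PAYLOADS = ["'", "\""]
SQL_ERROR_SIGNS = ("syntax error", "unrecognized token", "database error")


def request(app, path, params):
    """Call a WSGI app in-process and return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["QUERY_STRING"] = urllib.parse.urlencode(params)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body


def scan_param(app, path, param, baseline_value):
    """Probe one parameter for reflected XSS and SQL injection."""
    findings = []
    base_status, base_body = request(app, path, {param: baseline_value})

    status, body = request(app, path, {param: XSS_MARKER})
    if status.startswith("200") and XSS_MARKER in body:
        findings.append({"type": "reflected-xss", "path": path, "param": param})

    # error-based: a stray quote turns into a server error or a database message
    for payload in SQL_ERROR_PAYLOADS:
        status, body = request(app, path, {param: payload})
        if base_status.startswith("200") and (
                status.startswith("500") or any(s in body.lower() for s in SQL_ERROR_SIGNS)):
            findings.append({"type": "sqli-error", "path": path, "param": param, "payload": payload})
            break

    # boolean-based: a true condition leaves the page unchanged, a false one changes it
    _, true_body = request(app, path, {param: f"{baseline_value} AND 1=1"})
    _, false_body = request(app, path, {param: f"{baseline_value} AND 1=2"})
    if true_body == base_body and false_body != base_body:
        findings.append({"type": "sqli-boolean", "path": path, "param": param})
    return findings


if __name__ == "__main__":
    for path, param, value in [("/search", "q", "alice"), ("/user", "id", "1")]:
        for f in scan_param(vulnerable_app, path, param, value):
            print(f)
```

The boolean probe is the one worth noting: it finds the injection even when the app swallows errors, because it compares responses to each other rather than looking for an error string. That is the direction the smarter tools here take, fuzzing based on how the backend behaves rather than on a fixed signature list.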
StackHawk is a developer-first DAST, and it shows every step of the way. They're built to scan quickly, in pipeline, and make it easy to attempt to reproduce issues. They're a major player in reshaping modern DAST and have really paved a way for the future with features like fuzzing API specific data.
Escape is doing amazing things with their approach to DAST. They offer similar in-pipeline scanning capabilities as StackHawk, but have additional tags based on API usage and do API discovery through a variety of different methods.
NightVision creates API docs by scanning your code, and then tests those endpoints from the outside based on the docs it created.
Pynt has created an elegant solution for running DAST type scanning against your APIs by running tests via a local proxy. This helps to bypass a lot of the pain with configuring DAST tools against your endpoints.
Akto has created an open source flavored approach to next generation DAST with features like looking at log data for API discovery, sensitive data flows, and customized scanning. A uniquely helpful feature is the ability to easily edit and tweak tests from the UI.
Probely has created an excellent version of traditional web-based DAST that can handle APIs alongside web crawling. While they currently don't support GraphQL or have a CLI, they have created unique ways to achieve similar outcomes. The team clearly has a passion for the details of getting the vulnerabilities right.
Oxeye provides a lot of runtime insights and uses DAST to validate their findings - this is one of their major differentiators from other ASPM providers.
ZAP (Zed Attack Proxy) is the scanning tool underlying numerous scanners, and if your internal team is up for the challenge, it can be adapted directly to provide most scanning needs.
Staris built a platform for open box pentesting powered by GenAI. They look at your code and your application, build a PoC exploit of findings as a code test, and give you the fixed code. The workflow is wrapped as a pentest, but their linking of the source code to your application could be considered a DAST type of scan.
Instead of hiding their open source projects and trying to sell you the impossible, Aikido openly tells you what they're using and have created a simple cloud based scanner to do 9-in-1 security scanning. A no brainer recommendation for startups.
As part of their larger platform, Checkmarx also provides DAST Scanning.