Cloud & App Security Product Insights


Boundary Breakers are vendors taking a risk by building a new category around their offering. This section exists to highlight tools that are attempting to define categories that do not exist yet.

This category is for the quickly emerging field of LLM Security tools. These tools cover visibility, detection, and response for LLMs across code, endpoints, and infrastructure. I'm most excited for the application level security use cases, but early companies here are focused on monitoring employee chat sessions. Success in this category is dictated by a vendor's ability to adapt to rapidly changing conditions.

Originally CIEM (Cloud Infrastructure Entitlement Management), this category has been broadened to Cloud Identity. These offerings help manage the many ways cloud identities can be created and proliferate, whether through IaC or through IAM policies written directly in the cloud provider.

This category of tooling is for vendors whose product opens pull requests containing code fixes for findings from various scanning tools. It is a different approach from remediation workflow platforms, which track and route findings rather than fix them.

This category is for tools that assist primarily with managing user identities outside of cloud environments: user provisioning, authentication, and authorization. Good tools in this category help with user lifecycle management and provide a single pane of glass for managing user access across your infrastructure. Bad tools are difficult to integrate and require a lot of manual tuning.

Application Security Posture Management (ASPM) is the latest buzzword to take over the application security market. It's meant to correlate all application security scanning into a single dashboard for remediation prioritization - but my thoughts on definition are here. Always validate what tool coverage looks like in this category - many vendors have one or two scanners built in-house and rely on open source tooling for the rest of the pipeline coverage. Great tools will let you track and correlate findings across an entire application. Bad tools will rely purely on third party scanners and have major gaps.

Software composition analysis (SCA) is also called open-source vulnerability scanning. It works by reading an application's dependency manifests and lockfiles (and, for built artifacts, the bundled packages) to identify the open-source components in use, then matching each component and version against a database of known vulnerabilities and alerting on any hits. Great tools in this category will run quickly, in pipeline, and most importantly, provide resolution guidance in the developer workflow. Bad tools will run on a cadence, provide CVEs without guidance, and only work at runtime.
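The matching step described above, as an added example that is not code from the original page or from any SCA vendor: pinned packages are parsed out of a requirements.txt-style manifest and joined against a vulnerability database of version ranges. The manifest, the package names and the advisory identifiers are constructed placeholders, not real packages or CVEs.

```python
"""Minimal software composition analysis (SCA) matcher.

Added example, not code from the original page. It reads '==' pins from a
requirements.txt-style manifest and matches them against a vulnerability
database of (package, introduced, fixed) ranges, the same join a real SCA
tool performs against an advisory feed. The manifest, package names and
advisory IDs below are constructed placeholders, not real packages or CVEs.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: Version          # first affected version, inclusive
    fixed: Optional[Version]     # first fixed version, exclusive; None = no fix yet
    advisory_id: str             # placeholder identifier, not a real CVE


def parse_version(text: str) -> Version:
    """Parse a dotted numeric version such as '1.4.2' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_requirements(text: str) -> dict:
    """Return {package_name: pinned_version} for '==' pins; skip comments and blanks."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue  # unpinned or range specs are out of scope for this example
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in [introduced, fixed), or >= introduced if unfixed."""
    v = parse_version(version)
    if v < adv.introduced:
        return False
    return adv.fixed is None or v < adv.fixed


def scan(manifest: str, advisories) -> list:
    """Match pinned packages against advisories; return findings with fix guidance."""
    pins = parse_requirements(manifest)
    findings = []
    for adv in advisories:
        pinned = pins.get(adv.package)
        if pinned is None or not is_affected(pinned, adv):
            continue
        if adv.fixed is not None:
            guidance = "upgrade to >= " + ".".join(map(str, adv.fixed))
        else:
            guidance = "no fixed release; pin a patched fork or replace the package"
        findings.append({
            "package": adv.package,
            "version": pinned,
            "advisory": adv.advisory_id,
            "guidance": guidance,
        })
    return findings


# Constructed inputs for the demonstration.
ADVISORIES = [
    Advisory("examplelib", (1, 0, 0), (1, 4, 2), "EXAMPLE-2024-0001"),
    Advisory("otherlib", (2, 0, 0), None, "EXAMPLE-2024-0002"),
    Advisory("safelib", (0, 0, 0), (2, 0, 0), "EXAMPLE-2023-0003"),
]

MANIFEST = """\
# constructed requirements.txt
examplelib==1.3.0
otherlib==2.1.0
safelib==3.0.0
"""

if __name__ == "__main__":
    for f in scan(MANIFEST, ADVISORIES):
        print(f"{f['package']}=={f['version']}: {f['advisory']} -> {f['guidance']}")
```

The guidance string is the part that separates a useful tool from a CVE dump: the finding names the first fixed version, or says plainly that none exists, so the developer knows what to do without leaving the pipeline output.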

Static application security testing (SAST) analyzes source code for security vulnerabilities, such as a function being called on input that was never validated. Great tools in this category will run quickly, in pipeline, teach developers, have effective reporting, and make rule tuning easy. Bad tools will run on a cadence, provide less guidance, and make rules difficult to change or override.
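To make the "unvalidated input reaching a function" idea concrete, here is an added example (not code from the original page or from any SAST product) of one rule written over Python's own AST: it flags calls to command and code-execution sinks whose first argument is not a literal. The sink list and the sample source are constructed; a real engine adds dataflow (taint) tracking across assignments and functions, which this rule deliberately omits.

```python
"""Tiny SAST rule over Python's AST: flag calls to command/code-execution sinks
whose first argument is not a literal, i.e. data that reaches the sink without
a constant fixing its shape.

Added example, not code from the original page. The sink list and the sample
source are constructed for illustration; a real SAST engine adds dataflow
(taint) tracking across assignments and functions, which this rule does not do.
"""
import ast

# Sinks where a non-literal first argument means attacker-influenced data may
# become a shell command or executed code. subprocess.* only counts with shell=True.
CODE_SINKS = {"eval", "exec", "os.system", "os.popen"}
SHELL_SINKS = {"subprocess.run", "subprocess.call", "subprocess.Popen", "subprocess.check_output"}


def call_name(node: ast.Call) -> str:
    """Resolve 'name' or 'module.attr' for a call target; '' if it is more complex."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def has_shell_true(node: ast.Call) -> bool:
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in node.keywords
    )


def is_literal(node: ast.AST) -> bool:
    """Constants, and containers made only of constants, cannot carry external input."""
    if isinstance(node, ast.Constant):
        return True
    if isinstance(node, (ast.List, ast.Tuple)):
        return all(is_literal(elt) for elt in node.elts)
    return False


def scan_source(source: str) -> list:
    """Return [(lineno, sink, message)] for every suspicious call in `source`."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        name = call_name(node)
        if name in CODE_SINKS:
            risky = True
        elif name in SHELL_SINKS:
            risky = has_shell_true(node)
        else:
            continue
        if risky and not is_literal(node.args[0]):
            findings.append((node.lineno, name,
                             "non-literal argument reaches a command/code sink; "
                             "validate the value or avoid shell/eval entirely"))
    return sorted(findings)


# Constructed sample under test (line 1 is 'import os').
SAMPLE_SOURCE = """\
import os
import subprocess

def list_dir(user_path):
    os.system("ls -l " + user_path)          # flagged: user data in shell command

def uptime():
    os.system("uptime")                      # literal command, not flagged

def ping_safe(host):
    subprocess.run(["ping", "-c", "1", host])   # argv list, no shell: not flagged

def ping_unsafe(host):
    subprocess.run("ping -c 1 " + host, shell=True)   # flagged: shell=True with dynamic string

def show(expr):
    eval(expr)                               # flagged: code execution on input
"""

if __name__ == "__main__":
    for lineno, sink, msg in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {sink}: {msg}")
```

Note what the rule does and does not catch: the argv-list form of `subprocess.run` is left alone because no shell parses it, while the string form with `shell=True` is flagged. That distinction is exactly the kind of rule tuning the paragraph says good tools make easy, and the reason a false positive on the safe form would cost developer trust.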

Secret scanning identifies sensitive data, such as API keys and passwords, that has been accidentally committed to source code repositories. Good tools in this category block the commit as early as possible, because rewriting commit history to purge a leaked secret is painful, and a secret that has already been pushed must be treated as compromised and rotated regardless. Bad tools in this category only scan on a cadence, and do not block.
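The "block as early as possible" behaviour, as an added example that is not code from the original page or from any scanning product: a git pre-commit hook that inspects only the added lines of the staged diff and refuses the commit when a secret-shaped string appears. The regexes are assumed shapes for a few well-known credential formats, not a complete ruleset, and the sample diff is constructed (the AWS key in it is the documentation example key, not a live credential).

```python
#!/usr/bin/env python3
"""Pre-commit hook: scan staged additions for secret-shaped strings and block
the commit if any are found.

Added example, not code from the original page. The patterns are assumed
shapes for a few common credential formats, not an exhaustive ruleset.
Install by copying to .git/hooks/pre-commit and making it executable.
"""
import re
import subprocess
import sys

# (rule name, pattern). Only additions are scanned, so a removed secret does
# not block the commit that deletes it.
RULES = [
    ("AWS access key ID", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("Private key block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA |)PRIVATE KEY-----")),
    ("GitHub token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("Credential assignment",
     re.compile(r"(?i)(?:api[_-]?key|secret|password|token)\w*\s*[:=]\s*['\"][^'\"]{12,}['\"]")),
]


def find_secrets(diff_text: str) -> list:
    """Return [(rule name, offending line)] for added lines in a unified diff."""
    findings = []
    for line in diff_text.splitlines():
        if not line.startswith("+") or line.startswith("+++"):
            continue  # context, removals and file headers are not new exposure
        content = line[1:]
        for name, pattern in RULES:
            if pattern.search(content):
                findings.append((name, content.strip()))
                break  # one finding per line is enough to block
    return findings


def staged_diff() -> str:
    """Unified diff of what is about to be committed (index vs HEAD)."""
    return subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout


def main() -> int:
    findings = find_secrets(staged_diff())
    if not findings:
        return 0
    print("Commit blocked: possible secrets in staged changes:", file=sys.stderr)
    for name, snippet in findings:
        print(f"  [{name}] {snippet}", file=sys.stderr)
    print("Remove the value from the change. If it was ever committed or pushed "
          "before, treat it as compromised and rotate it.", file=sys.stderr)
    return 1


# Constructed sample diff for demonstration; the AWS key is AWS's documentation example.
SAMPLE_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,3 +1,4 @@
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DEBUG = True
+DB_PASSWORD = "hunter2hunter2hunter2"
-OLD_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
"""

if __name__ == "__main__":
    sys.exit(main())
```

Scanning the index rather than the working tree is the important design choice: it catches the secret before a commit object exists, so the fix is a plain edit rather than a history rewrite. The removed `OLD_TOKEN` line in the sample is intentionally ignored, since blocking the deletion of a secret would be counterproductive.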

IaC security scanning identifies security vulnerabilities and misconfigurations in infrastructure as code (IaC). Great tools in this category can serve as CSPM replacements, offering drift detection and misconfiguration findings. They'll support multiple IaC languages, such as Helm and Terraform, and will be able to run in pipeline. Weak tools will run on a cadence, and only detect based on manually imported rules. This category is a difficult balance between getting results to your development teams and sharing a single rule base across code and deployment.
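What "misconfiguration findings" look like in practice, as an added example that is not code from the original page or from any IaC scanner: three rules run over a document in Terraform's JSON configuration syntax (`{"resource": {type: {name: body}}}`). The document, the rule set and the severity labels are constructed for illustration; the attribute names follow the AWS provider but the scan logic is the point.

```python
"""Minimal IaC misconfiguration rules over Terraform JSON syntax (*.tf.json).

Added example, not code from the original page or from any scanner. The
resource layout follows Terraform's JSON configuration syntax
({"resource": {type: {name: body}}}); the sample document is constructed.
Rules shown: admin ports open to the world, public S3 bucket ACLs, and RDS
instances without storage encryption.
"""
import json
import sys

ADMIN_PORTS = {22, 3389, 5432, 3306}   # SSH, RDP, PostgreSQL, MySQL
WORLD = {"0.0.0.0/0", "::/0"}


def iter_resources(doc):
    """Yield (address, type, body) for every resource block in the document."""
    for rtype, instances in doc.get("resource", {}).items():
        for name, body in instances.items():
            yield f"{rtype}.{name}", rtype, body


def as_list(value):
    # Terraform JSON allows a single nested block as an object instead of a list
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def rule_world_open_admin_port(address, rtype, body):
    if rtype != "aws_security_group":
        return []
    findings = []
    for rule in as_list(body.get("ingress")):
        cidrs = set(as_list(rule.get("cidr_blocks"))) | set(as_list(rule.get("ipv6_cidr_blocks")))
        if not cidrs & WORLD:
            continue
        lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 0))
        all_ports = str(rule.get("protocol", "")) == "-1" or (lo == 0 and hi == 0)
        exposed = sorted(p for p in ADMIN_PORTS if all_ports or lo <= p <= hi)
        if exposed:
            findings.append((address, "HIGH",
                             f"ingress from {sorted(cidrs & WORLD)} reaches admin port(s) {exposed}; "
                             "restrict cidr_blocks to trusted ranges"))
    return findings


def rule_public_bucket_acl(address, rtype, body):
    if rtype == "aws_s3_bucket" and body.get("acl") in {"public-read", "public-read-write"}:
        return [(address, "HIGH",
                 f"acl = {body['acl']!r} makes the bucket world-readable; use private plus a scoped bucket policy")]
    return []


def rule_rds_unencrypted(address, rtype, body):
    if rtype == "aws_db_instance" and body.get("storage_encrypted") is not True:
        return [(address, "MEDIUM",
                 "storage_encrypted is not true; enable it before first create (it cannot be toggled in place)")]
    return []


RULES = [rule_world_open_admin_port, rule_public_bucket_acl, rule_rds_unencrypted]


def scan_document(doc):
    """Run every rule over every resource; returns [(address, severity, message)]."""
    findings = []
    for address, rtype, body in iter_resources(doc):
        for rule in RULES:
            findings.extend(rule(address, rtype, body))
    return findings


# Constructed *.tf.json document (already parsed): one clean and three bad resources.
SAMPLE_DOC = {
    "resource": {
        "aws_security_group": {
            "web": {"ingress": [
                {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
                {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
            ]},
            "bastion": {"ingress": {"from_port": 22, "to_port": 22, "protocol": "tcp",
                                    "cidr_blocks": ["10.0.0.0/8"]}},
        },
        "aws_s3_bucket": {"logs": {"bucket": "example-logs", "acl": "public-read"}},
        "aws_db_instance": {"main": {"engine": "postgres", "instance_class": "db.t3.micro"}},
    }
}

if __name__ == "__main__":
    # Usage: python iac_rules.py [file.tf.json]; scans the embedded sample otherwise.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DOC
    for address, severity, message in scan_document(doc):
        print(f"[{severity}] {address}: {message}")
```

Each finding carries the resource address (`aws_security_group.web`) so it can be mapped straight back to the file a developer owns; that address is also what a CSPM-style tool needs to match the deployed resource against its declared form for drift detection, which is the shared rule base the paragraph describes.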

Dynamic application security testing (DAST) scans web applications for security vulnerabilities while they are running, trying things like injecting known malicious payloads into fields. Great tools in this category will run quickly, in pipeline, be as easy as possible to integrate, have API coverage, and have smart fuzzing based on the type of backend you are running. Bad tools will run on a cadence, have less technology coverage, and be difficult to implement.

Application Detection and Response (ADR) detects and blocks exploitation of application-level vulnerabilities at runtime. This category of tooling is the gold standard of application security in its ability to prevent zero days; however, deployment effort, ongoing maintenance, and a lack of contextual application logic have historically made these tools hard to adopt. Great tools in this category will be easy to deploy and will provide rich contextual information about the application. Bad tools will be difficult to deploy and will provide little to no contextual information. Read more about ADR here.

CNAPPs are the latest category name given to CSPMs as they have evolved to include additional layers of tooling. These tools aim to be all-in-one providers for cloud security, and are often the most expensive tools in the market. Great tools in this category will be best of breed in a single category, and will have a strong vision for the future. Bad tools will be playing endless acquisition catch-up as they desperately try to keep pace with one another. In short, I consider this category CSPM + Container Runtime Security. I don't think it's always best to have both of these tools be from the same provider. Read more about CNAPP here.

Cloud Detection and Response is an attempt to move cloud security out of vulnerability management and into proper attack detection and response. Instead of treating the cloud as a series of API endpoints to be scanned, these tools focus on correlating logs between workloads and clouds. Leaders in this field support correlation across multiple sources - such as Okta, to AWS, to a Kubernetes pod. Great tools will provide enough context to respond to alerts, which is a challenge for many cloud environments. Poor tools will just be another alert source on top of your CSPM or CNAPP. Read more about CDR here.
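The Okta-to-AWS-to-Kubernetes chain mentioned above, as an added example that is not code from the original page or from any CDR vendor. It ties a Kubernetes `pods/exec` audit event back to the STS session that authorized it and the Okta login that produced that session, and raises `chain_complete=False` when a link is missing. Assumptions: the cluster maps the IAM session name to the Kubernetes username (as an aws-auth mapping using `{{SessionName}}` would), the session name equals the Okta login (`actor.alternateId`), and the three log sources are already collected together. Field names follow the public Okta System Log, CloudTrail and Kubernetes audit formats, but every record is constructed.

```python
"""Cross-source correlation of the kind a CDR product does: tie a Kubernetes
audit event back to the AWS STS session and the Okta login that produced it.

Added example, not code from the original page or any vendor. Assumptions:
the cluster maps the IAM session name to the Kubernetes username (aws-auth
with {{SessionName}}), the STS session name equals the Okta login
(actor.alternateId), and all records are already in one place. Field names
follow the public Okta System Log, CloudTrail and Kubernetes audit formats,
but every record below is constructed.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # max age of an upstream event to count as the same session


def ts(value: str) -> datetime:
    # ISO-8601 with trailing Z, as all three sources emit it
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def session_name_from_arn(arn: str) -> str:
    # arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>
    return arn.rsplit("/", 1)[-1]


def latest_before(events: dict, key: str, when: datetime, time_field: str):
    """Newest event for `key` at most WINDOW before `when`, else None."""
    best = None
    for ev in events.get(key, []):
        t = ts(ev[time_field])
        if when - WINDOW <= t <= when and (best is None or t > ts(best[time_field])):
            best = ev
    return best


def is_pod_exec(audit: dict) -> bool:
    ref = audit.get("objectRef", {})
    return (audit.get("verb") == "create" and ref.get("resource") == "pods"
            and ref.get("subresource") == "exec")


def correlate(okta_events, cloudtrail_events, k8s_audit_events) -> list:
    """One alert per pod exec, with the Okta -> STS -> pod chain attached when it
    can be reconstructed and chain_complete=False when it cannot."""
    logins, assumptions = {}, {}
    for ev in okta_events:
        if ev.get("eventType") == "user.session.start" and ev.get("outcome", {}).get("result") == "SUCCESS":
            logins.setdefault(ev["actor"]["alternateId"], []).append(ev)
    for ev in cloudtrail_events:
        if ev.get("eventName") in ("AssumeRoleWithSAML", "AssumeRoleWithWebIdentity"):
            arn = ev["responseElements"]["assumedRoleUser"]["arn"]
            assumptions.setdefault(session_name_from_arn(arn), []).append(ev)

    alerts = []
    for audit in k8s_audit_events:
        if not is_pod_exec(audit):
            continue
        user = audit["user"]["username"]
        when = ts(audit["stageTimestamp"])
        sts = latest_before(assumptions, user, when, "eventTime")
        login = latest_before(logins, user, ts(sts["eventTime"]), "published") if sts else None
        alerts.append({
            "user": user,
            "pod": f"{audit['objectRef']['namespace']}/{audit['objectRef']['name']}",
            "exec_ip": (audit.get("sourceIPs") or [None])[0],
            "role": sts["responseElements"]["assumedRoleUser"]["arn"].split("/")[1] if sts else None,
            "okta_ip": login["client"]["ipAddress"] if login else None,
            "chain_complete": login is not None,   # False: session with no IdP login behind it
        })
    return alerts


# Constructed records. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
OKTA = [{"eventType": "user.session.start", "published": "2024-05-01T12:00:00.000Z",
         "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.7"},
         "outcome": {"result": "SUCCESS"}}]
CLOUDTRAIL = [
    {"eventName": "AssumeRoleWithSAML", "eventTime": "2024-05-01T12:01:10Z", "sourceIPAddress": "203.0.113.7",
     "responseElements": {"assumedRoleUser": {"arn": "arn:aws:sts::123456789012:assumed-role/EksAdmin/alice@example.com"}}},
    {"eventName": "AssumeRoleWithSAML", "eventTime": "2024-05-01T12:02:40Z", "sourceIPAddress": "198.51.100.23",
     "responseElements": {"assumedRoleUser": {"arn": "arn:aws:sts::123456789012:assumed-role/EksAdmin/mallory@example.com"}}},
]
K8S_AUDIT = [
    {"verb": "create", "stageTimestamp": "2024-05-01T12:03:22.123456Z", "sourceIPs": ["203.0.113.7"],
     "objectRef": {"namespace": "kube-system", "resource": "pods", "subresource": "exec", "name": "etcd-0"},
     "user": {"username": "alice@example.com"}},
    {"verb": "list", "stageTimestamp": "2024-05-01T12:04:00Z", "sourceIPs": ["203.0.113.7"],
     "objectRef": {"namespace": "default", "resource": "pods"}, "user": {"username": "alice@example.com"}},
    {"verb": "create", "stageTimestamp": "2024-05-01T12:05:00Z", "sourceIPs": ["198.51.100.23"],
     "objectRef": {"namespace": "payments", "resource": "pods", "subresource": "exec", "name": "api-0"},
     "user": {"username": "mallory@example.com"}},
]

if __name__ == "__main__":
    for alert in correlate(OKTA, CLOUDTRAIL, K8S_AUDIT):
        print(alert)
```

The second alert is the interesting one for a responder: an exec into a production pod from a role session that no identity-provider login explains. The exec alone is just another event; the missing link is the context the paragraph says poor tools fail to provide.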

Cloud security posture management (CSPM) is a security practice that helps organizations identify and remediate misconfigurations and security risks in their cloud environments. CSPMs are often the first tool that organizations buy when they start their cloud security journey. Great tools in this category will be able to accurately assess cloud infrastructure while generating minimal noise. Bad tools will run on a cadence, and provide little guidance about who deployed a change. This category has morphed into CNAPP as the market has evolved to include runtime.

A lot of tools on the cloud and app security list apply to Kubernetes, but we wanted a space to highlight specialty vendors who bring unique value to the space. Great vendors in this space will provide something that meaningfully distinguishes them from larger CNAPP providers, such as RBAC visualizations. Bad tools in the space will just be worse versions of larger providers.

Container runtime security tools empower detection and response in containerized environments. These tools are needed because most host-based Endpoint Detection and Response (EDR) tools have little or no container visibility. Evaluating these tools comes down largely to how current the vendor's detection content is. Great products will detect container-specific actions and threats, and empower security teams to easily see where they came from, even in short-lived containers. Bad tools will provide vague content, and only alert on basic threats with tons of false positives.

Container vulnerability tools help identify and remediate security vulnerabilities in container images. This category was created because host-based vulnerability scanners are often completely unaware of containers. Great tools in this category understand how containers are built, and offer simple remediations to developers directly in their workflow. Bad tools will provide a dump of thousands of CVEs, with little to no guidance about where they're coming from, or how to fix them. I separate tools in this category into two groups, those that dump CVEs, and those that roll-up container image versions.

Vulnerability Management's evolution into Continuous Threat Exposure Management (CTEM) is an acknowledgement of the complexity and alert volume of most CNAPP platforms. We're hesitant about the long-term value proposition of these tools - since they rely on other security tools, and everyone always wants to be a "single pane of glass." However, they are certainly solving the problems of the present moment, and their immediate usefulness cannot be denied.

This section will help you find the best GRC automation tool, such as SOC 2 and ISO 27001 automation. Governance, Risk & Compliance automation vendors provide software that helps organizations automate their compliance workflows. These vendors are typically aimed at helping organizations achieve compliance outcomes with the least amount of engineering involvement needed. Great tools in this category have detailed automation capabilities, and provide clear security guidance. Bad tools will be focused on risk management and manual tracking.

API security comes in many flavors, but most serve as a specialized web application firewall (WAF). That was my initial description, but I'm broadening this category to really focus on API. Newer vendors are combining static, dynamic, and runtime analysis specializing in APIs. Great tools in this category will provide a clear understanding of the API's attack surface, and will provide clear guidance on how to secure it. Bad tools will have narrow focuses that don't add much value over a WAF.

Security Information and Event Management (SIEM) products are the backbone of a security team's operations, enabling them to collect, analyze, and respond to security events and incidents in real time. By consolidating log data from various sources, SIEMs are the essential tool for finding the details of what happened. Great tools in this category will have strong detection capabilities out of the box, and will be able to integrate with your existing infrastructure. Bad tools will be difficult to integrate, and will require a lot of manual tuning.

Pentesting (Penetration Testing) is a proactive cybersecurity practice in which ethical hackers simulate real-world attacks on a network, application, or system to identify vulnerabilities and assess the effectiveness of security measures. Great vendors provide valuable insights into your infrastructure based on actual exploits they were able to perform. Poor vendors will run common automated scanning and output a simple report.

This section will help you find the best tools for protecting mobile devices. Mobile device protection can range from pentesting services to virtualization and MDM providers. Great tools in this category will be able to detect and respond to threats on mobile devices, and will be able to integrate with your existing infrastructure. Bad tools will be difficult to integrate, and will require a lot of manual tuning.

Managed Detection and Response (MDR) providers offer security management services, usually focused on SIEMs, EDRs, and responding to incidents. Great providers in this category offer dedicated engineers to your account, provide technical details, and are quick to respond to emerging threats. Poor providers will be slow to respond, and will provide little to no technical detail to help your team. Choosing the wrong MDR can be devastating, limiting your own hiring budget while bogging down your internal security teams.

SaaS security typically provides some combination of posture/configuration management, discovery, and runtime protection.

Data Security tools cover everything from data discovery to data loss prevention (DLP). Cool tools in this category focus on real-time data encryption or data masking. Bad tools in this category will focus only on the discovery of sensitive data.

Asset management tools allow you to query and manage large amounts of data across cloud and on prem assets. In the cloud, these are typically CSPM tools, but many have expanded to include SaaS and other kinds of assets.

MDMs typically provide policy enforcement and setup for laptops, desktops, and mobile devices. Great tools in this category provide robust customization and configuration options; weaker tools will be difficult to manage and install.
