What this page is: a categorized directory of cloud security vendors with a one-liner each. The goal is to help a practitioner walking into the market for the first time get oriented - what the categories are, who plays in each, and what their actual differentiator looks like (not their marketing tagline).
What this page is not: a Magic Quadrant, a Wave, a Forrester report, a buyer's guide, a recommendation list, or a ranking. We are not in the ranking business. Every category has multiple credible vendors; the right one for you depends on your environment, your team, your contractual constraints, and what you already run. The only honest review is the one you do yourself in your own tenancy.
Affiliation disclosure: Shawn (the author) is a Solutions Architect at Wiz. Wiz appears below - alphabetized or otherwise positioned no differently than any other vendor, with the same one-liner treatment. No affiliate links exist on this site for any vendor. Weigh the trust you grant accordingly.
How to use this page
Three things are true about every vendor categorization in cloud security, and they're true about this one too:
- The categories aren't clean. CNAPP swallows CSPM, KSPM, CWPP, CIEM, and IaC scanning. SSE swallows CASB, SWG, and ZTNA. ASPM is the umbrella over SAST, SCA, and IaC. Anything you put in one bucket can credibly be put in two others. The category labels here are the ones the market currently uses; don't read too much into them.
- Many vendors play in multiple categories. A vendor listed once for their dominant capability may credibly compete in three or four neighboring categories. Wiz, Palo Alto Prisma Cloud, Microsoft Defender for Cloud, and CrowdStrike all overlap with each other in ways that make a clean side-by-side impossible.
- "Platforms" claim everything. Every multi-billion-dollar security vendor has an architecture slide that covers every category on this page. That slide is true at the level of "we have a product that touches this" and usually misleading at the level of "and it competes with the category leader." Read the docs, deploy in your tenancy, count clicks. Don't read the architecture slide.
The honest framing: this is a starting map, not an evaluation. It tells you what shelves exist. The product-on-shelf research is your job.
The one-liner format. Each vendor below gets one sentence that names their actual differentiator - the thing they do that the next vendor in the list does not do as well, or the angle the market gives them credit for. Marketing taglines are deliberately excluded; "AI-powered, agentless, cloud-native" tells you nothing.
The category map
Before the lists, a mental model of how the categories relate. The market sells thirty acronyms and most of them are subsets, supersets, or rebadges of each other.
| Umbrella | What's inside | Quick gloss |
|---|---|---|
| CNAPP | CSPM + CWPP + KSPM + IaC scanning + secrets scanning + CIEM (and increasingly DSPM) | The "everything for the cloud" platform. Most CSPM-only vendors have rebranded into CNAPP. |
| SSE | SWG + CASB + ZTNA + FWaaS + DLP | The cloud edge for users and SaaS. SASE = SSE + SD-WAN. |
| XDR | EDR + identity + email + cloud + network - correlated | Detection + response across the stack. Sits above or beside SIEM. |
| SIEM | Log collection + correlation + UEBA (sometimes) + case management | The detection data plane. Increasingly a "security data lake" in 2026 framing. |
| SOAR | Playbooks + integrations + ticket workflow | Automation for what SIEM / XDR finds. Increasingly merged into the SIEM / XDR product. |
| ASPM | SAST + SCA + DAST + IaC + secrets + container scanning - correlated | The CNAPP idea, applied to the application code side. |
| SSPM | SaaS-app posture, identity-in-SaaS, third-party app sprawl | What CSPM is for IaaS, SSPM is for Salesforce / Workday / Microsoft 365 / etc. |
| DSPM | Data discovery + classification + access + lineage | "Find sensitive data wherever it sprawled to." Often consumed by CNAPP. |
The practical reality of consolidation: in 2024-2026 the big platforms have been absorbing the point tools. Standalone CSPM is mostly extinct as a market category; standalone CIEM is being absorbed by CNAPP and IdP; DSPM is being absorbed by CNAPP. Standalone tools survive where the depth justifies the integration cost.
CNAPP - Cloud-Native Application Protection Platform
The "everything for the cloud" platform. Combines posture (CSPM), workload protection (CWPP), Kubernetes posture (KSPM), IaC scanning, secrets scanning, and identity/entitlements (CIEM) - ideally with risk correlation across them so a public bucket + over-permissioned role + vulnerable workload + sensitive data is one finding, not four. This is the market's center of gravity in 2026.
- Wiz - agentless graph-first scanning that built the modern "toxic combination" framing; widely cited for fastest time-to-value on a new tenant. (Disclosure: the author works here.)
- Palo Alto Prisma Cloud - broadest checkbox coverage in the category; result of stitching Twistlock, RedLock, Bridgecrew, and Dig together; deep if you're already a Palo customer.
- CrowdStrike Falcon Cloud Security - leverages the EDR install base and runtime telemetry; the strongest "single agent for endpoint and cloud" pitch on the market.
- Microsoft Defender for Cloud - first-party for Azure, multi-cloud for AWS/GCP; included in many E5 bundles, which makes the price hard to beat for Microsoft shops.
- Lacework (Fortinet) - pioneered behavioral baselining ("polygraph") for cloud workloads; acquired by Fortinet in 2024 and now sold as FortiCNAPP.
- Sysdig - open-source Falco roots show; the strongest runtime-detection story in the category, particularly for Kubernetes.
- Aqua - container-first heritage with strong runtime controls; deep image scanning lineage from Trivy (open-source).
- Orca - pioneered the agentless side-scanning approach (snapshots-of-disks) that the rest of the market followed.
- Tenable Cloud Security - formerly Ermetic; identity-first CNAPP; strongest CIEM heritage inside a CNAPP.
- Rapid7 InsightCloudSec - formerly DivvyCloud; strong remediation-automation lineage; integrated with Rapid7's InsightVM/IDR.
- Check Point CloudGuard - broad coverage including network and posture; appeals to existing Check Point firewall customers.
- Qualys TotalCloud - leverages the Qualys vuln-management data plane; for orgs already running Qualys at scale.
- Trend Micro Cloud One - workload-protection heritage (Deep Security); strong for Windows/Linux server fleets that want signature + behavior + posture.
- Uptycs - osquery-based with a unified endpoint + cloud data model; appeals to teams that like SQL as the analytics interface.
- Runecast - proactive posture with strong VMware and hybrid-cloud roots; smaller but punches above its weight in the multi-cloud SMB segment.
- Stream.Security - formerly Lightlytics; real-time cloud event modeling so changes are evaluated as they happen, not after-the-fact in inventory.
- Sweet Security - eBPF-based runtime sensor focused on cloud-native workloads; "runtime CNAPP" positioning.
CSPM - Cloud Security Posture Management (standalone)
The original category - continuous misconfiguration detection against CIS, NIST, SOC 2, etc. baselines. Mostly absorbed into CNAPP; the standalone survivors are open-source or commoditized.
- Prowler (OSS) - the de facto open-source CSPM for AWS / Azure / GCP / Kubernetes; the tool most cloud-security engineers learned posture on. A commercial company (Prowler Cloud) now backs it.
- CloudSploit (Aqua) - open-source posture scanner now part of Aqua's CNAPP; still maintained as OSS.
- OpenCSPM (OSS) - community-maintained posture engine, smaller footprint but valuable for teams who want to read the rules themselves.
If you're shopping for "just CSPM," the honest answer is: you probably want CNAPP, or you want Prowler in a pipeline. The middle ground (paid standalone CSPM) is a vanishing segment.
KSPM & container security
Kubernetes Security Posture Management - checks on cluster, namespace, pod, network policy, RBAC configurations - plus image scanning and runtime defense for containers. Most CNAPPs include KSPM; specialists go deeper.
- Wiz - Kubernetes graph integrated with the broader CNAPP risk model; agentless cluster scanning.
- Sysdig - Falco-derived runtime detection is the category's longest-running strength.
- Aqua - full container lifecycle, image scanning to runtime controls; one of the original container-security companies.
- Snyk Container - developer-workflow positioning; pairs naturally with their SAST/SCA.
- Anchore - policy-driven image scanning with strong FedRAMP / DoD heritage.
- Tenable Container Security - image-registry scanning tied to the broader Tenable platform.
- Tigera Calico Cloud - Calico CNI vendor; identity-aware microsegmentation for Kubernetes.
- ARMO Kubescape - open-source-first KSPM scanner; first KSPM to reach CNCF.
- Red Hat Advanced Cluster Security (formerly StackRox) - open-source-backed KSPM integrated into OpenShift.
CIEM - Cloud Infrastructure Entitlement Management
"Who has access to what in the cloud, what could they actually do, and what should they not have?" - least-privilege analysis across IAM, service accounts, federated identities, and effective permissions. Largely being absorbed into CNAPP and IdP suites.
- Sonrai Security - graph-based identity analysis; one of the original CIEM vendors.
- Ermetic - now Tenable Cloud Security / Tenable Identity Exposure; pioneered effective-permissions calculation.
- Permiso - identity-threat-detection lens on CIEM; alert-on-identity-anomaly rather than posture-of-permissions.
- Veza - authorization graph spanning IaaS, SaaS, data warehouses, on-prem; broader-than-cloud CIEM positioning.
- Zilla Security - access-review automation; the audit-evidence angle of CIEM.
- ConductorOne - workforce-identity governance with strong cloud reach; access-request workflow native.
- Opal - self-service access requests with just-in-time grants; engineering-team adoption pattern.
- AccessOwl - SaaS-app access provisioning with audit trail; smaller and SaaS-focused.
- JumpCloud - IdP-first platform that ranges into CIEM/PAM territory for SMB.
SSPM - SaaS Security Posture Management
What CSPM is for IaaS, SSPM is for SaaS - misconfiguration, identity, third-party-app sprawl, and shadow SaaS across Microsoft 365, Google Workspace, Salesforce, Workday, GitHub, Slack, etc.
- Adaptive Shield (CrowdStrike) - broadest app coverage at acquisition; now integrated into the platform as Falcon Shield.
- AppOmni - depth-on-Salesforce roots; strong for enterprises with critical-data SaaS apps.
- Obsidian Security - SaaS threat detection alongside posture; SOC-friendly framing.
- Wing Security - discovery-first, with strong third-party-app inventory.
- Grip Security - SaaS sprawl identification, including shadow IT discovered from email and IdP.
- Reco - AI-led analysis of SaaS user behavior and sharing patterns.
- Valence Security - focus on third-party SaaS-to-SaaS integrations and OAuth scopes.
- Suridata - Israeli SSPM with a focus on automatic remediation flows.
- Spin.AI - SaaS data protection (Microsoft 365 / Workspace backup + posture).
- Push Security - browser-extension delivery makes SaaS account discovery and phishing detection a workflow primitive.
See also our SaaS Security page for the discipline behind the tools.
DSPM - Data Security Posture Management
"Find sensitive data wherever it ended up, classify it, understand who can access it, and watch it move." DSPM is a younger category being rapidly consumed by CNAPP - most CNAPPs now ship DSPM modules.
- Cyera - agentless multi-cloud data discovery with strong AI-classification accuracy.
- Sentra - emphasizes data lineage and movement, not just at-rest classification.
- Symmetry Systems - data-flow graph approach; identity + data combined.
- Dig Security (Palo Alto) - acquired into Prisma Cloud; among the first cloud-native DSPMs.
- Theom - DSPM with built-in DLP-style controls for cloud data stores.
- Eureka Security - multi-cloud data store discovery and risk scoring.
- Polar Security (IBM) - acquired by IBM into Guardium; data-flow + posture.
- Normalyze - DSPM tied to access and identity context.
- BigID - data discovery and privacy heritage; covers more privacy-and-governance use cases than typical DSPM.
- Securiti.ai - privacy/DSPM hybrid; strong on GDPR/CCPA workflow.
- Concentric AI - semantic / context-based classification rather than regex.
SIEM / Security Data Lake
The detection data plane. Log ingestion, normalization, correlation, alerting, case management. 2026 framing emphasizes "security data lake" - cheap storage for everything, queries when needed - rather than the high-cost SIEM index of 2015.
- Splunk (Cisco) - the long-time category leader; Cisco acquisition completed in 2024.
- Microsoft Sentinel - cloud-native, KQL-driven; Azure-priced storage makes high-volume telemetry economical.
- Google SecOps (Chronicle) - Google's big-data infrastructure repurposed for security telemetry; differentiator is petabyte-scale at flat pricing.
- IBM QRadar - enterprise SIEM with deep correlation library; now integrated into IBM's broader security suite.
- Sumo Logic - log analytics with strong SaaS-app + cloud integrations.
- Elastic Security - Elasticsearch underneath; appealing for teams that already run the Elastic stack.
- Devo - high-cardinality search and long retention without the cost arc of a traditional SIEM.
- Exabeam - UEBA-led detection with a SIEM around it.
- LogRhythm - long-running mid-market SIEM, merged with Exabeam in 2024.
- Securonix - UEBA-strong SIEM with cloud-native re-architecture in recent years.
- Panther - detection-as-code in Python on top of a data lake; engineering-team-friendly.
- Hunters - automation-leaning XDR/SIEM hybrid.
- Anvilogic - detection engineering platform sitting above your existing SIEM/data lake.
- Query.AI - federated search across security data sources without centralizing.
- Snowflake (with SecOps partners) - not a SIEM, but the data warehouse many modern SOCs use, with partners like Hunters/Panther providing the detection layer.
Related discipline: Cloud SOC, Detection Engineering.
EDR / XDR - Endpoint Detection & Response, Extended Detection & Response
Endpoint telemetry, detection, and response - extended (XDR) when correlated across cloud, identity, email, and network.
- CrowdStrike Falcon - the agent that defined the modern EDR/XDR category; broadest install base.
- SentinelOne Singularity - autonomous-response framing; strong AI/ML positioning.
- Microsoft Defender for Endpoint - bundled in Microsoft 365 E5; native on Windows and increasingly competitive elsewhere.
- Palo Alto Cortex XDR - endpoint + network + cloud correlated; tied to PA's broader platform.
- Trend Vision One - Trend's XDR with endpoint, email, cloud, and network sensors.
- Sophos Intercept X - strong mid-market presence; deep-learning-on-endpoint positioning.
- Bitdefender GravityZone - mid-market and MSP-friendly; high-quality engine, leaner positioning.
- ESET PROTECT - long-running Slovak vendor; quiet but credible enterprise presence in EMEA.
- Cybereason - operation-centric detection (storyline view of an attack across endpoints).
- Trellix - McAfee Enterprise + FireEye merged; broad portfolio rationalization ongoing.
- Cisco Secure Endpoint - formerly AMP; integrated with Cisco's SecureX.
- Tanium - endpoint platform broader than EDR (IT ops + security on one agent); strongest where speed-of-query on huge fleets matters.
MDR - Managed Detection & Response
"Hire someone to run the SOC for you." Combines tooling (sometimes the provider's, sometimes yours) with a 24/7 analyst team. The growth engine of the security services market.
- Arctic Wolf - concierge security operations; mid-market dominant.
- Expel - strong cloud-detection coverage; transparent metrics and customer-facing tooling.
- Red Canary - high-fidelity detection engineering; long-running EDR-managed-service heritage.
- ReliaQuest - GreyMatter platform that integrates customer's existing tools rather than replacing them.
- Critical Start - managed-XDR with a strong "no alert left untouched" SLA framing.
- eSentire - 24/7 SOC services with deep IR muscle.
- Rapid7 MDR - Rapid7 InsightIDR + analysts.
- Sophos MDR - Sophos endpoint + their analyst team; mid-market and SMB strong.
- Secureworks Taegis MDR - Dell-spun-out heritage, broad-platform monitoring.
- Trustwave - long-running MSSP/MDR with PCI/QSA heritage.
- Pondurance - MDR with strong threat-hunting positioning and human-led analysis emphasis.
SOAR / Security Automation
Playbook-driven automation across security tools. Once a standalone category; increasingly merged into the SIEM/XDR product. The standalone tools are the most engineering-friendly.
- Palo Alto Cortex XSOAR - formerly Demisto; the most-integration-rich SOAR.
- Splunk SOAR - formerly Phantom; tightly integrated with Splunk ES.
- Microsoft Sentinel (Logic Apps + automation rules) - SOAR baked into the SIEM; cheap for Azure-aligned teams.
- Tines - no-code automation that engineering teams actually adopt; growing fastest in the category.
- Torq - hyper-automation with strong cloud-security-team adoption.
- Swimlane - low-code SOAR with case-management heft.
- Mindflow - modern entrant focused on natural-language playbook authoring.
- ThreatConnect - SOAR with TIP (threat-intelligence platform) heritage.
- Cortex XSIAM - Palo Alto's next-gen SOC platform that merges SIEM + SOAR + XDR.
ASPM - Application Security Posture Management
The CNAPP idea applied to application code: aggregate findings across SAST, SCA, DAST, IaC, secrets, container scanning - correlate them, prioritize by reachability/exploitability, and present a single risk view to security and engineering.
- Apiiro - code-to-runtime risk graph; strong on material change detection in PRs.
- Cycode - broad ASPM with native SCM hygiene checks.
- Backslash - reachability-based prioritization to cut noise.
- ArmorCode - vulnerability orchestration across many AppSec tools.
- Phoenix Security - risk-based AppSec orchestration with strong reporting.
- Wabbi - policy-driven AppSec workflow automation.
- Legit Security - SDLC security posture across pipelines and developer tools.
- OX Security - pipeline-bill-of-materials approach to AppSec.
- Snyk ASPM - extending Snyk's individual scanners into a unified posture view.
- Endor Labs - reachability analysis for OSS dependencies plus code-side ASPM.
- Aikido Security - bundled multi-scanner platform priced for SMB.
SAST / SCA / DAST
The individual application scanners that ASPM aggregates. Static (SAST) reads your code; software composition (SCA) finds vulnerable dependencies; dynamic (DAST) probes the running application.
- Snyk - developer-experience-led across SAST, SCA, container, IaC; the dev-first market leader.
- Sonatype Nexus - SCA + repository firewall; long history in OSS governance.
- Mend (formerly WhiteSource) - SCA with strong remediation guidance.
- Black Duck (Synopsys) - enterprise SCA with deep license-compliance roots.
- Veracode - long-running SAST/DAST/SCA suite; enterprise standard at many regulated firms.
- Checkmarx - SAST heritage; broadened into a full AppSec platform.
- GitHub Advanced Security - CodeQL SAST + Dependabot SCA + secret scanning inside the GitHub experience.
- GitLab Ultimate - equivalent inside GitLab; secret detection, SAST, DAST, SCA bundled.
- Semgrep - open-source-led SAST with engineer-readable rules; fastest dev-team adoption among new SAST tools.
- SonarQube - code quality + security; widely embedded in dev workflows.
- Aikido Security - all-in-one scanner suite at SMB pricing.
- OWASP ZAP (OSS) - the open-source DAST.
- Invicti (formerly Netsparker) - DAST with proof-based scanning.
- Acunetix - long-running web DAST.
- StackHawk - DAST positioned for CI/CD integration and developer ownership.
- Bright Security - modern DAST/IAST aimed at engineering teams.
IaC Scanning
Catch misconfigurations before they're deployed. Terraform, CloudFormation, ARM, Bicep, Kubernetes manifests, Helm charts - evaluated against a rule set, in CI or pre-commit.
- Checkov (Bridgecrew / Palo Alto) - the open-source standard; broad coverage including Terraform, CloudFormation, Kubernetes, Dockerfile, Helm.
- KICS (Checkmarx) - open-source IaC scanner with broad framework coverage.
- tfsec - focused Terraform scanner, now integrated into Trivy.
- Terrascan - IaC scanner with Rego-based policies; Tenable-owned.
- OPA / Conftest - Rego policies evaluated against any structured input (Terraform plans, K8s manifests, anything).
- Snyk IaC - IaC scanning inside the Snyk developer workflow.
- Wiz IaC - pre-deploy scanning that ties to the runtime risk graph in the same platform.
- Aikido - included IaC scanner in their bundle.
Secrets Management & Detection
Two distinct disciplines often discussed together: secrets management (vaults that store and broker access to credentials) and secrets detection (scanners that find leaked credentials in code, commits, and other artifacts).
Secrets management (vaults)
- HashiCorp Vault - the de facto multi-cloud secrets vault.
- AWS Secrets Manager - first-party for AWS; rotation hooks for many AWS services.
- Azure Key Vault - first-party for Azure; integrates with managed identities natively.
- Google Cloud Secret Manager - first-party for GCP.
- Akeyless - SaaS-delivered secrets management with distributed-fragments cryptography.
- CyberArk Conjur - enterprise secrets platform tied to CyberArk's broader PAM offering.
- Doppler - developer-experience-led secrets management for application configs.
- 1Password Secrets Automation - password-manager roots, increasingly competitive for developer/runtime secrets.
- Infisical (OSS) - open-source secrets platform.
Secrets detection (scanners)
- GitGuardian - the category leader for git-repo secrets scanning at scale.
- TruffleHog - open-source secrets scanner with a commercial offering (Truffle Security).
- Gitleaks - popular OSS scanner for git history.
- Spectral (Check Point) - secrets and misconfig scanning across SCM, CI, container images.
PAM - Privileged Access Management
Vault, broker, record, and audit privileged sessions to servers, databases, cloud consoles, network gear. Pivoting in 2026 toward just-in-time, identity-aware, ephemeral access patterns.
- CyberArk - the long-time category leader for enterprise PAM.
- Delinea (formerly Thycotic + Centrify) - enterprise PAM with strong on-prem and cloud reach.
- BeyondTrust - PAM + privileged remote access + endpoint privilege management.
- ARCON - large in EMEA and APAC; PAM with discovery and risk-scoring.
- ManageEngine PAM360 - Zoho's enterprise PAM; mid-market price point.
- StrongDM - modern infrastructure-access proxy that engineers actually want to use.
- Teleport - identity-aware access for SSH, Kubernetes, databases, apps; ephemeral-credential pattern.
- HashiCorp Boundary - HashiCorp's identity-based session broker, integrated with Vault.
- Saviynt - identity governance with cloud PAM capabilities.
- Britive - cloud-native JIT privilege; "zero-standing-privilege" framing.
IdP / IAM (Workforce)
The identity layer for employees - SSO, MFA, lifecycle, conditional access. The single most consequential security decision most orgs make.
- Okta - the independent IdP leader; broad app catalog.
- Microsoft Entra ID (formerly Azure AD) - bundled with Microsoft 365; the largest installed base by user count.
- Google Workspace + Cloud Identity - Google's workforce identity for Workspace customers.
- Ping Identity - enterprise IdP with strong federation heritage; now part of Thoma Bravo's identity platform alongside ForgeRock.
- JumpCloud - directory + IdP + device management in one platform, SMB-friendly.
- OneLogin (One Identity) - mid-market IdP.
- Auth0 (Okta) - customer-and-developer-facing identity (CIAM), now an Okta brand.
- ForgeRock - long-running IAM platform; now consolidated with Ping under Thoma Bravo.
- Duo (Cisco) - MFA and access; Cisco-owned.
- Beyond Identity - phishing-resistant, passwordless authentication.
- Stytch - developer-API-led identity for B2B and consumer apps.
For the broader discipline see IAM & Identity and Zero Trust.
WAF / DDoS / Bot
Edge protection for web apps and APIs - rule-based filtering (WAF), volumetric/protocol attack mitigation (DDoS), and automated-traffic identification (bot management).
- Cloudflare - CDN-first edge with WAF, DDoS, bot, and increasingly the full SSE stack.
- Akamai - the original CDN/edge security platform; strong enterprise and government adoption.
- Imperva - WAF heritage; broadest signature library for app-layer attacks.
- F5 / NGINX - appliance and container WAF; deep in enterprise data centers.
- Fastly Signal Sciences - modern WAF with strong developer-team adoption.
- AWS WAF / Shield - first-party WAF and DDoS for AWS workloads.
- Azure Front Door WAF - Azure's edge WAF.
- Google Cloud Armor - GCP's edge WAF and DDoS.
- Radware - DDoS and WAF appliances + cloud; strong in carrier and large enterprise.
- DataDome - bot management specialist.
- HUMAN - bot/fraud platform; sophisticated traffic differentiation.
- Kasada - bot defense with a strong client-side challenge approach.
API Security
Discover, document, and defend APIs at runtime - including the shadow and zombie APIs the dev team forgot about.
- Salt Security - among the earliest dedicated API security platforms; behavioral baseline approach.
- Traceable - distributed-tracing-based API discovery and runtime defense.
- Noname Security (Akamai) - API discovery and posture; acquired by Akamai.
- Cequence - bot and API security combined.
- Apiiro - code-side API inventory; strong on shift-left discovery.
- Wallarm - API protection with WAF heritage.
- Imperva - API security adjacent to WAF.
- Akamai API Security - Noname + native capabilities.
- 42Crunch - OpenAPI-spec-driven API security with strong developer workflow.
- Pynt - automated API security testing in CI.
CASB - Cloud Access Security Broker
Visibility and control over SaaS usage. Once a market by itself; now mostly a feature inside SSE platforms.
- Netskope - CASB-rooted SSE; strongest pure-play CASB heritage still active.
- Zscaler ZIA - CASB capabilities inside Zscaler's broader SSE.
- Cisco Cloudlock - Cisco's API-mode CASB.
- Palo Alto Prisma SaaS - CASB-equivalent inside Prisma.
- Microsoft Defender for Cloud Apps - formerly MCAS; bundled in Microsoft 365 E5.
- Skyhigh Security (Trellix) - McAfee MVISION roots, spun out as Skyhigh; long CASB heritage.
- Forcepoint - CASB + DLP + SSE.
- Lookout - mobile + cloud + DLP positioning.
SASE / SSE
SSE (Secure Service Edge) bundles SWG + CASB + ZTNA + FWaaS. SASE adds SD-WAN to that. The 2026 framing emphasizes user-to-app secure connectivity from anywhere.
- Zscaler - the pure-play SSE leader; ZIA (web) + ZPA (private apps) + ZDX (digital experience).
- Netskope - broad SSE with strong CASB and data-protection heritage.
- Palo Alto Prisma Access - SASE built on Palo Alto's NGFW capabilities.
- Cloudflare One - SSE on Cloudflare's global edge.
- Cisco Umbrella + Duo + Meraki - Cisco's SASE stitched from acquired and organic parts.
- Cato Networks - single-vendor SASE with their own backbone.
- Fortinet Secure SD-WAN + FortiSASE - Fortinet's SASE; appliance-rooted but increasingly cloud-delivered.
- Versa Networks - SD-WAN + SSE leader in carrier deployments.
- iboss - containerized SSE platform.
- HPE / Aruba Edge Services Platform - networking-vendor SASE positioning.
ZTNA - Zero Trust Network Access
Identity-aware, app-specific access to private resources without putting the user "on the network." Built into every SSE platform; standalone offerings still survive for engineering-led teams.
- Cloudflare Access - ZTNA on the Cloudflare edge; commonly paired with Cloudflare Tunnel.
- Zscaler ZPA - the original cloud ZTNA at scale.
- Palo Alto Prisma Access - ZTNA inside Prisma SASE.
- Tailscale - WireGuard-based mesh with engineering-team-friendly UX; widely adopted by dev teams.
- Twingate - modern ZTNA with strong developer experience.
- NetFoundry - open-source OpenZiti commercialized.
- Banyan - device-trust + ZTNA.
- Appgate SDP - software-defined perimeter pioneer; enterprise-leaning.
- Perimeter 81 (Check Point) - mid-market ZTNA; acquired by Check Point.
- Zentry - clientless ZTNA with strong contractor / third-party-access positioning.
See Zero Trust for the model behind these tools.
DevSecOps / CI/CD Security
Security controls embedded in the developer workflow - pipeline hardening, SCM hygiene, build-system integrity, scanner orchestration in CI.
- Snyk - developer-experience-led across the AppSec scanner suite.
- GitHub Advanced Security - SAST + SCA + secrets inside GitHub.
- GitLab Ultimate - equivalent in the GitLab platform.
- Aikido Security - bundled all-in-one scanner suite priced for SMB.
- Endor Labs - reachability-aware OSS analysis + code AppSec.
- Apiiro - material-change risk graph across the SDLC.
- Cycode - ASPM + SCM hygiene.
- JFrog Xray - binary scanning inside Artifactory.
- Mend - SCA-rooted DevSecOps tooling.
- Legit Security - pipeline + dev-tooling security posture.
- Chainguard - secure-by-default images, SBOMs, signing; pipeline-side trust primitives.
See also CI/CD for the pipeline security discipline.
Container Image Hardening
Distroless / minimal images, built with verifiable provenance, with the CVE surface reduced as a primary feature rather than as a follow-up.
- Chainguard - distroless images for everything, with daily-rebuilt streams and signed provenance; the category mover.
- RapidFort - automated minimization of existing images.
- Slim.AI - image profiling and slimming, both OSS (DockerSlim heritage) and SaaS.
- Echo - hardened image streams for common base images.
- Minimus - distroless / minimal images with enterprise support.
Supply Chain Security
"Is the code you're shipping made of trustworthy parts?" - covers SBOMs, OSS curation, provenance, build-system integrity, and dependency-confusion / malicious-package defenses.
- Chainguard - secure-by-default container images, signed SBOMs, daily CVE-free rebuilds.
- JFrog Curation - package-firewall layer in front of public OSS repositories.
- Sonatype Nexus Firewall - repository firewall blocking malicious / vulnerable OSS at the dependency boundary.
- Anchore - image scanning with deep FedRAMP / DoD compliance lineage.
- Endor Labs - reachability-aware OSS analysis to prioritize what actually matters.
- Scribe Security - software supply-chain attestation and SBOM management.
- OX Security - pipeline-bill-of-materials approach.
- Phylum - behavioral OSS package analysis for malicious-package detection.
- Socket - install-time OSS package analysis with strong dev-workflow integration.
See also the Supply Chain Attacks section of the threat research page for the incident side of this discipline.
AI Security
The newest category: securing AI systems (models, prompts, RAG pipelines, agent infrastructure) against prompt injection, model theft, data leakage, and the new attack patterns the LLM era introduced. Most vendors here are pre-Series-C.
- Lakera - runtime guardrails for LLM applications; broadest install base in the prompt-injection-defense subcategory.
- Prompt Security - enterprise gateway for AI usage; both employee-use and embedded-AI angles.
- Protect AI - ML security platform with Rebuff and ModelScan tooling; recently acquired by Palo Alto Networks.
- HiddenLayer - model-integrity monitoring; one of the earliest ML-security pure-plays.
- Robust Intelligence (Cisco) - AI red-teaming and runtime guardrails; acquired by Cisco in 2024.
- Garak (OSS) - open-source LLM red-teaming framework; the de facto OSS baseline.
- CalypsoAI - model-agnostic security and governance for enterprise GenAI deployments.
- Cisco AI Defense - Cisco's organic AI-security positioning, layered onto Robust Intelligence.
- Mindgard - AI red-teaming and continuous testing platform.
- Cranium - AI/ML inventory + risk; the "what AI assets do we even have?" question.
- Witness AI - observability and policy for employee AI usage.
- Knostic - knowledge-permission boundaries for enterprise GenAI / Copilot deployments.
See AI/ML Security for the discipline.
Vulnerability Management
"What's vulnerable, how bad, how do I prioritize, where's the fix?" - the OG security discipline, now spanning endpoints, servers, cloud workloads, web apps, and code.
- Tenable - Nessus heritage; broadest vuln data set; expanded into cloud (Ermetic) and OT.
- Qualys - long-running cloud-delivered VM with deep enterprise coverage.
- Rapid7 InsightVM - VM tied into Rapid7's broader Insight platform.
- Wiz - cloud-workload vulnerability data integrated with the CNAPP risk graph.
- Nucleus Security - vulnerability data orchestration across many scanners.
- Vulcan Cyber (Tenable) - risk-based VM platform; acquired by Tenable.
- Brinqa - risk operations / vulnerability-management aggregation.
- ServiceNow VRO - vulnerability response inside the ServiceNow CMDB.
See Vulnerability Management for the discipline behind the tools.
Forensics & IR Tooling
Acquisition, preservation, and analysis of evidence - increasingly cloud-aware as workloads move off endpoints.
- Cado Security - cloud-native forensics; automated evidence acquisition for AWS/Azure/GCP workloads.
- Mitiga - cloud and SaaS forensics + IR as a service.
- Magnet Axiom Cyber - enterprise forensics suite with strong remote-acquisition capabilities.
- Cellebrite - mobile and endpoint forensics platform.
- Mandiant (Google) - the IR services brand; tooling sold separately and via Google Cloud.
- Volexity Surge - memory acquisition and analysis specialist.
- F-Response - remote forensic-collection software.
See Incident Response for the discipline.
MSSP / Cloud-Focused Services Firms
The humans you hire to run, assess, or co-staff your cloud security program. A mix of MSSPs (run things), assessors (test things), and IR/consulting (help when things break).
- Mandiant (Google) - IR services and threat intelligence; the brand most often called when a major breach lands.
- NCC Group - global assessment and IR consulting.
- Bishop Fox - offensive-security specialist; pentesting, red team, and continuous attack surface monitoring.
- Praetorian - offensive-security and cloud-pentesting specialist.
- Coalfire - assessor / 3PAO with strong FedRAMP and PCI lineage.
- IOActive - research-led security consulting.
- TrustedSec - offensive-security and IR consulting with strong community brand.
- Rhino Security Labs - cloud-pentesting specialists; CloudGoat maintainers.
- Trustwave - long-running MSSP with PCI/QSA heritage.
- Optiv - large security-services integrator.
- Deepwatch - MDR + advisory.
- Kudelski Security - global MSSP with strong EMEA presence.
GRC Platforms
System-of-record for controls, frameworks, evidence, risk, and audit. Covered in depth on the GRC page; included here as a category summary.
- Vanta - compliance-automation leader for B2B SaaS; fastest path to first SOC 2 Type II.
- Drata - head-to-head competitor with Vanta; comparable feature set.
- Secureframe - compliance automation with strong AI-assisted evidence framing.
- OneTrust - broadest privacy-and-GRC platform; enterprise standard for GDPR/CCPA programs.
- ServiceNow GRC - enterprise GRC inside the ServiceNow platform; right for orgs already on ServiceNow.
- Hyperproof - modern GRC with strong control-mapping and evidence-collection workflows.
- AuditBoard - internal-audit-led platform that has expanded into ITGC, SOX, and cyber-GRC.
- LogicGate - risk operations platform with extensible workflow.
- Archer (RSA) - long-running enterprise GRC platform.
- MetricStream - enterprise GRC with strong operational-risk capabilities.
- Diligent (formerly Galvanize / ACL) - audit + risk + governance for the board level.
- Sprinto - compliance automation for the small/mid SaaS market, particularly outside North America.
- Anecdotes - evidence-as-code GRC platform.
Open-Source Standouts
A short list of open-source tools worth knowing by name - the ones that keep showing up in production environments, in pipelines, in CTFs, and in the toolboxes of working cloud-security engineers.
- Prowler - the OSS CSPM; AWS / Azure / GCP / Kubernetes posture scanning.
- ScoutSuite - multi-cloud security auditing from NCC Group.
- Cartography - Neo4j-backed cloud asset graph; the OSS precursor to the modern graph-CNAPP idea.
- Steampipe - SQL queries against cloud APIs; turns inventory into a join.
- CloudQuery - cloud asset extraction into your data warehouse for security analytics.
- Trivy - image, filesystem, and IaC scanner; the default for many CI pipelines.
- Grype - image vulnerability scanner from Anchore.
- Falco - CNCF runtime security via eBPF / kernel events; the OSS that became Sysdig.
- OPA - Open Policy Agent; the policy-as-code standard.
- Kyverno - Kubernetes-native policy engine with YAML rules.
- kube-bench - CIS Kubernetes benchmark checks.
- kube-hunter - Kubernetes attack-surface scanner.
- Pacu - AWS exploitation framework from Rhino Security Labs.
- Stratus Red Team - cloud-attack-technique emulation, MITRE-mapped.
- CloudGoat - vulnerable-AWS-by-design training environment from Rhino.
- Atomic Red Team - Red Canary's library of MITRE-mapped detection tests.
- Sigma - vendor-neutral detection rule format.
- OpenCSPM - community-maintained CSPM with a focus on readable rules.
- Kubescape - KSPM scanner from ARMO, now CNCF.
- Cilium / Tetragon - eBPF-based Kubernetes networking, observability, and runtime security.
- Wiz Open Source - collected OSS tools published by Wiz Research (Threat Landscape, kubectl-mtls, and others).
Acquisition watch
The cloud security market has been consolidating at a brisk pace. A short list of notable deals shaping the 2025-2026 landscape:
- Google → Wiz - announced 2025 at roughly $32B; the largest cybersecurity acquisition on record. Wiz remains operationally independent inside Google Cloud during integration.
- CrowdStrike → Adaptive Shield - added a leading SSPM into Falcon, completing the "everywhere posture" pitch.
- Cisco → Splunk - closed 2024 at $28B; the SIEM/observability backbone for the merged platform.
- Cisco → Robust Intelligence - added AI red-teaming and guardrails to Cisco's security portfolio.
- Fortinet → Lacework - added behavioral-baselining CNAPP to Fortinet's broader security stack.
- Palo Alto → Dig Security, IBM → Polar Security - both platforms absorbed standalone DSPMs in 2023-2024.
- Tenable → Ermetic, Tenable → Vulcan - Tenable rolled up CIEM and risk-based VM into Tenable One.
- Akamai → Noname Security - folded API security into Akamai's edge.
- Thoma Bravo → Ping Identity + ForgeRock - consolidated under a single PE-backed identity platform.
- Check Point → Perimeter 81, Check Point → Spectral - added ZTNA and secrets/IaC scanning to Check Point's portfolio.
- Palo Alto → Protect AI - added an AI-security platform to Prisma.
The pattern: the big platforms (CrowdStrike, Palo Alto, Cisco, Microsoft, Google, Fortinet, Tenable, Check Point) are buying the category-defining startups in CNAPP, DSPM, SSPM, CIEM, API security, and AI security to fill out their portfolios. Standalone point tools that survive will be the ones with engineering-team adoption that resists "you already have this in the platform" sales motions.
How to evaluate a vendor
The marketing material is approximately worthless for evaluation; the eval has to happen in your environment, with your team, against your workflows. A few practitioner heuristics that consistently separate the platforms that survive a year of operation from the ones that get ripped out:
- Deploy in your environment first. Demos are scripted; production is not. Ask for a 14-day to 30-day trial in your actual cloud accounts, with your actual roles, against your actual data. If the vendor can't or won't, that's information.
- Count clicks per workflow. Pick three real workflows ("investigate this finding," "add an exception," "produce evidence for this control") and count the clicks, the context switches, and the time-to-answer. The platform that's 30% faster on the median workflow is the one your team will actually use.
- Integration coverage that matches your stack. A great platform with a thin integration to your IdP, ticketing, SCM, or SIEM is a worse fit than a B+ platform with a deep one. Check the docs, not the integration page.
- Escape-hatch APIs. Can you get your data out - programmatically, in a structured form, on a schedule, without paid services engagement? "We have an API" and "the API covers 90% of the UI" are different statements.
- Custom-rule depth. Vendor rule libraries are starting points. The interesting question is whether you can write a custom rule, in a language your team already knows, with version control, with test coverage, in under an hour. CSPMs that require a professional-services engagement to write a custom rule are a tax in disguise.
- Noise floor. Every tool has one. Ask a current customer (not the one the vendor referenced) what their false-positive rate looks like in month four, after the initial tuning honeymoon.
- Contractual fine print on data sovereignty. Where is your data processed? Where is it stored? Can a U.S. subpoena reach the data of your EU customers? Sub-processor list, GDPR DPA, regional offerings - read them before, not after.
- Exit cost. What happens when you cancel? How long is your data accessible? Is there a data export at the end? Vendor lock-in is usually quiet rather than loud; read the contract.
- Total cost of ownership across three years. List price + ingest growth + add-on modules + professional services + the cost of running the tool (FTE-hours per month, integrations engineering). The cheap-looking platform often isn't.
- Reference-customer questions worth asking. "What surprised you in the first 90 days?" "What do you wish you'd known before signing?" "If you had to evaluate again, what would you do differently?" Those three questions surface more than thirty Gartner reviews.
Caveats
- Curated, not exhaustive. This list is one practitioner's view of who shows up in real evaluations in 2026. Hundreds of credible vendors are not on it. Inclusion is not endorsement; exclusion is not criticism. It mostly means I haven't watched them long enough to write the one-liner.
- Time-stamped. Cloud security moves fast. By the time you read this, some vendors will have been acquired, others will have pivoted, and a few will have shipped a major release that changed their differentiator. Treat any specific positioning here as 2026-current, not durable.
- Author affiliation. Shawn works at Wiz. The Wiz one-liner is positioned no differently from any other in its category; the disclosure is in the intro and again here. No vendor reviewed this page before publication.
- No affiliate links. No vendor link on csoh.org pays a referral fee. The links are there because they're useful, not because clicking them funds the site.
- Living page. Corrections, additions, and "you missed X" notes are welcome via contribute. The bar for adding a vendor is: a current production presence in cloud security, a differentiator describable in one sentence, and at least one peer customer reference. The bar for removing one is acquisition, market exit, or sustained irrelevance.
- Not legal, procurement, or security advice. Use the list to orient; do your own due diligence before signing.
Where next
- CSPM vs CNAPP - the deeper dive on the two acronyms most vendors here are positioning around.
- SaaS Security (SSPM) - the discipline behind the SSPM category.
- IAM & Identity - the foundation under IdP, PAM, and CIEM.
- Zero Trust - the model behind ZTNA, SSE, and most modern identity-and-network products.
- Vulnerability Management - the discipline VM tools support.
- GRC for Cloud - the discipline behind the GRC platform category.
- Cloud SOC - where SIEM, XDR, MDR, and SOAR all converge in practice.
- Detection Engineering - what good looks like inside the SIEM/XDR layer.
- Incident Response - where the forensics tools earn their keep.
- AI/ML Security - the discipline behind the AI-security category.
- Contribute - suggest an addition, a correction, or a category that should exist.
- Friday Zoom - vendor questions come up most weeks. Drop in.