Cloud Security Vendor Landscape

A vendor-neutral map of the cloud security market - categorized by function, with a one-liner per vendor about what they actually do. No rankings, no affiliations, no recommendations. The goal is orientation: when someone in a meeting says "we're evaluating CIEM tools," you should be able to point at the shelf without buying anything off it.


What this page is: a categorized directory of cloud security vendors with a one-liner each. The goal is to help a practitioner walking into the market for the first time get oriented - what the categories are, who plays in each, and what their actual differentiator looks like (not their marketing tagline).

What this page is not: a Magic Quadrant, a Wave, a Forrester report, a buyer's guide, a recommendation list, or a ranking. We are not in the ranking business. Every category has multiple credible vendors; the right one for you depends on your environment, your team, your contractual constraints, and what you already run. The only honest review is the one you do yourself in your own tenancy.

Affiliation disclosure: Shawn (the author) is a Solutions Architect at Wiz. Wiz appears below - alphabetized or otherwise positioned no differently than any other vendor, with the same one-liner treatment. No affiliate links exist on this site for any vendor. Caveat the trust you grant accordingly.

On this page

  1. How to use this page
  2. The category map
  3. CNAPP
  4. CSPM (standalone)
  5. KSPM & container security
  6. CIEM
  7. SSPM
  8. DSPM
  9. SIEM / security data lake
  10. EDR / XDR
  11. MDR
  12. SOAR / security automation
  13. ASPM
  14. SAST / SCA / DAST
  15. IaC scanning
  16. Secrets management & detection
  17. PAM
  18. IdP / IAM (workforce)
  19. WAF / DDoS / bot
  20. API security
  21. CASB
  22. SASE / SSE
  23. ZTNA
  24. DevSecOps / CI/CD security
  25. Container image hardening
  26. Supply chain security
  27. AI security
  28. Vulnerability management
  29. Forensics & IR tooling
  30. MSSP / services firms
  31. GRC platforms
  32. Open-source standouts
  33. Acquisition watch
  34. How to evaluate a vendor
  35. Caveats
  36. Where next

How to use this page

Three things are true about every vendor categorization in cloud security, and they're true about this one too:

The honest framing: this is a starting map, not an evaluation. It tells you what shelves exist. The product-on-shelf research is your job.

The one-liner format. Each vendor below gets one sentence that names their actual differentiator - the thing they do that the next vendor in the list does not do as well, or the angle the market gives them credit for. Marketing taglines are deliberately excluded; "AI-powered, agentless, cloud-native" tells you nothing.

The category map

Before the lists, a mental model of how the categories relate. The market sells thirty acronyms and most of them are subsets, supersets, or rebadges of each other.

| Umbrella | What's inside | Quick gloss |
|---|---|---|
| CNAPP | CSPM + CWPP + KSPM + IaC scanning + secrets scanning + CIEM (and increasingly DSPM) | The "everything for the cloud" platform. Most CSPM-only vendors have rebranded into CNAPP. |
| SSE | SWG + CASB + ZTNA + FWaaS + DLP | The cloud edge for users and SaaS. SASE = SSE + SD-WAN. |
| XDR | EDR + identity + email + cloud + network - correlated | Detection + response across the stack. Sits above or beside SIEM. |
| SIEM | Log collection + correlation + UEBA (sometimes) + case management | The detection data plane. Increasingly a "security data lake" in 2026 framing. |
| SOAR | Playbooks + integrations + ticket workflow | Automation for what SIEM / XDR finds. Increasingly merged into the SIEM / XDR product. |
| ASPM | SAST + SCA + DAST + IaC + secrets + container scanning - correlated | The CNAPP idea, applied to the application code side. |
| SSPM | SaaS-app posture, identity-in-SaaS, third-party app sprawl | What CSPM is for IaaS, SSPM is for Salesforce / Workday / Microsoft 365 / etc. |
| DSPM | Data discovery + classification + access + lineage | "Find sensitive data wherever it sprawled to." Often consumed by CNAPP. |

The practical reality of consolidation: in 2024-2026 the big platforms have been absorbing the point tools. Standalone CSPM is mostly extinct as a market category; standalone CIEM is being absorbed by CNAPP and IdP; DSPM is being absorbed by CNAPP. Standalone tools survive where the depth justifies the integration cost.


CNAPP - Cloud-Native Application Protection Platform

The "everything for the cloud" platform. Combines posture (CSPM), workload protection (CWPP), Kubernetes posture (KSPM), IaC scanning, secrets scanning, and identity/entitlements (CIEM) - ideally with risk correlation across them so a public bucket + over-permissioned role + vulnerable workload + sensitive data is one finding, not four. The category gravity in 2026.

CSPM - Cloud Security Posture Management (standalone)

The original category - continuous misconfiguration detection against CIS, NIST, SOC 2, etc. baselines. Mostly absorbed into CNAPP; the standalone survivors are open-source or commoditized.

If you're shopping for "just CSPM," the honest answer is: you probably want CNAPP, or you want Prowler in a pipeline. The middle ground (paid standalone CSPM) is a vanishing segment.

KSPM & container security

Kubernetes Security Posture Management - checks on cluster, namespace, pod, network policy, RBAC configurations - plus image scanning and runtime defense for containers. Most CNAPPs include KSPM; specialists go deeper.

CIEM - Cloud Infrastructure Entitlement Management

"Who has access to what in the cloud, what could they actually do, and what should they not have?" - least-privilege analysis across IAM, service accounts, federated identities, and effective permissions. Largely being absorbed into CNAPP and IdP suites.

SSPM - SaaS Security Posture Management

What CSPM is for IaaS, SSPM is for SaaS - misconfiguration, identity, third-party-app sprawl, and shadow SaaS across Microsoft 365, Google Workspace, Salesforce, Workday, GitHub, Slack, etc.

See also our SaaS Security page for the discipline behind the tools.

DSPM - Data Security Posture Management

"Find sensitive data wherever it ended up, classify it, understand who can access it, and watch it move." DSPM is a younger category being rapidly consumed by CNAPP - most CNAPPs now ship DSPM modules.

SIEM / Security Data Lake

The detection data plane. Log ingestion, normalization, correlation, alerting, case management. 2026 framing emphasizes "security data lake" - cheap storage for everything, queries when needed - rather than the high-cost SIEM index of 2015.

Related discipline: Cloud SOC, Detection Engineering.

EDR / XDR - Endpoint Detection & Response, Extended Detection & Response

Endpoint telemetry, detection, and response - extended (XDR) when correlated across cloud, identity, email, and network.

MDR - Managed Detection & Response

"Hire someone to run the SOC for you." Combines tooling (sometimes the provider's, sometimes yours) with a 24/7 analyst team. The growth engine of the security services market.

SOAR / Security Automation

Playbook-driven automation across security tools. Once a standalone category; increasingly merged into the SIEM/XDR product. The standalone tools are the most engineering-friendly.

ASPM - Application Security Posture Management

The CNAPP idea applied to application code: aggregate findings across SAST, SCA, DAST, IaC, secrets, container scanning - correlate them, prioritize by reachability/exploitability, and present a single risk view to security and engineering.

SAST / SCA / DAST

The individual application scanners that ASPM aggregates. Static (SAST) reads your code; software composition (SCA) finds vulnerable dependencies; dynamic (DAST) probes the running application.

IaC Scanning

Catch misconfigurations before they're deployed. Terraform, CloudFormation, ARM, Bicep, Kubernetes manifests, Helm charts - evaluated against a rule set, in CI or pre-commit.

Secrets Management & Detection

Two distinct disciplines often discussed together: secrets management (vaults that store and broker access to credentials) and secrets detection (scanners that find leaked credentials in code, commits, and other artifacts).

Secrets management (vaults)

Secrets detection (scanners)

PAM - Privileged Access Management

Vault, broker, record, and audit privileged sessions to servers, databases, cloud consoles, network gear. Pivoting in 2026 toward just-in-time, identity-aware, ephemeral access patterns.

IdP / IAM (Workforce)

The identity layer for employees - SSO, MFA, lifecycle, conditional access. The single most consequential security decision most orgs make.

For the broader discipline see IAM & Identity and Zero Trust.

WAF / DDoS / Bot

Edge protection for web apps and APIs - rule-based filtering (WAF), volumetric/protocol attack mitigation (DDoS), and automated-traffic identification (bot management).

API Security

Discover, document, and defend APIs at runtime - including the shadow and zombie APIs the dev team forgot about.

CASB - Cloud Access Security Broker

Visibility and control over SaaS usage. Once a market by itself; now mostly a feature inside SSE platforms.

SASE / SSE

SSE (Security Service Edge) bundles SWG + CASB + ZTNA + FWaaS. SASE adds SD-WAN to that. The 2026 framing emphasizes user-to-app secure connectivity from anywhere.

ZTNA - Zero Trust Network Access

Identity-aware, app-specific access to private resources without putting the user "on the network." Built into every SSE platform; standalone offerings still survive for engineering-led teams.

See Zero Trust for the model behind these tools.

DevSecOps / CI/CD Security

Security controls embedded in the developer workflow - pipeline hardening, SCM hygiene, build-system integrity, scanner orchestration in CI.

See also CI/CD for the pipeline security discipline.

Container Image Hardening

Distroless / minimal images, built with verifiable provenance, with the CVE surface reduced as a primary feature rather than as a follow-up.

Supply Chain Security

"Is the code you're shipping made of trustworthy parts?" - covers SBOMs, OSS curation, provenance, build-system integrity, and dependency-confusion / malicious-package defenses.

See also the Supply Chain Attacks section of the threat research page for the incident side of this discipline.

AI Security

The newest category: securing AI systems (models, prompts, RAG pipelines, agent infrastructure) against prompt injection, model theft, data leakage, and the new attack patterns the LLM era introduced. Most vendors here are pre-Series-C.

See AI/ML Security for the discipline.

Vulnerability Management

"What's vulnerable, how bad, how do I prioritize, where's the fix?" - the OG security discipline, now spanning endpoints, servers, cloud workloads, web apps, and code.

See Vulnerability Management for the discipline behind the tools.

Forensics & IR Tooling

Acquisition, preservation, and analysis of evidence - increasingly cloud-aware as workloads move off endpoints.

See Incident Response for the discipline.

MSSP / Cloud-Focused Services Firms

The humans you hire to run, assess, or co-staff your cloud security program. A mix of MSSPs (run things), assessors (test things), and IR/consulting (help when things break).

GRC Platforms

System-of-record for controls, frameworks, evidence, risk, and audit. Covered in depth on the GRC page; included here as a category summary.


Open-Source Standouts

A short list of open-source tools worth knowing by name - the ones that keep showing up in production environments, in pipelines, in CTFs, and in the toolboxes of working cloud-security engineers.

Acquisition watch

The cloud security market has been consolidating at a brisk pace. A short list of notable deals shaping the 2025-2026 landscape:

The pattern: the big platforms (CrowdStrike, Palo Alto, Cisco, Microsoft, Google, Fortinet, Tenable, Check Point) are buying the category-defining startups in CNAPP, DSPM, SSPM, CIEM, API security, and AI security to fill out their portfolios. Standalone point tools that survive will be the ones with engineering-team adoption that resists "you already have this in the platform" sales motions.

How to evaluate a vendor

The marketing material is approximately worthless for evaluation; the eval has to happen in your environment, with your team, against your workflows. A few practitioner heuristics that consistently separate the platforms that survive a year of operation from the ones that get ripped out:

Caveats

Where next