This GigaOm Research Reprint Expires August 25, 2026
Cover slide: "Security & Risk", Continuous Vulnerability Management radar chart; analyst photo: Chris Ray.
August 26, 2025

GigaOm Radar for Continuous Vulnerability Management v5

Chris Ray

Analyst at GigaOm

1. Executive Summary

Vulnerability management is now a cornerstone of digital security frameworks and should be a part of every organization's cybersecurity plan. This critical process plays a pivotal role in the discovery of hardware and software assets, presenting a clear overview of an organization's digital infrastructure security.

Along with asset identification, vulnerability management is also vital for exposing potential weak spots in these assets. Such weaknesses could serve as entry points for cyberattackers, allowing them to circumvent otherwise advanced and robust security measures. Once these vulnerabilities are identified, organizations can proactively address them, thereby enhancing their overall cybersecurity posture and reducing the likelihood of successful cyberattacks.

And yet, for all the risk-reducing value that vulnerability management brings, traditional versions of these solutions have two main drawbacks. The first is their emphasis on physical infrastructure (like network devices, servers, and desktops) and the applications that operate on this infrastructure. Although these are still a crucial part of any comprehensive vulnerability management plan, this focus results in limited help in identifying vulnerabilities in other prevalent and emerging technologies.

The second shortcoming is that a traditional solution provides a snapshot of an organization's vulnerabilities at a specific moment only. After running a scan and analyzing the data, plans are then created to address the particular vulnerabilities detected. But in a dynamic DevOps environment, such a snapshot can quickly become outdated. It's highly possible that today's vulnerabilities might not exist tomorrow, or they may appear and disappear intermittently. As a result of these two limitations especially, traditional vulnerability management struggles to support DevOps practices effectively.

In the face of such difficulties, continuous vulnerability management (CVM) has become the method of choice to counteract these limitations. This approach starts with the network-based infrastructure and application scanning from traditional vulnerability management, then augments it with ongoing methods that now include scanning container images, infrastructure-as-code (IaC) manifests, cloud configurations, cloud identities, and other cloud-native technologies. CVM is overtaking traditional vulnerability management due to the widespread adoption of public cloud resources and DevOps practices.

This is our fifth year evaluating the CVM space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year. 

This GigaOm Radar report examines 28 of the top CVM solutions and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) outlined in the companion Key Criteria report. Together, these reports provide an overview of the market, identify leading CVM offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.

GIGAOM KEY CRITERIA AND RADAR REPORTS

The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.

2. Market Categories and Deployment Types

To help prospective customers find the best fit for their use case and business requirements, we assess how well CVM solutions are designed to serve specific target markets and deployment models (Table 1).

For this report, we recognize the following market segments:

  • Small-to-medium business (SMB): The SMB market segment comprises businesses with smaller IT teams and limited resources. Buyer requirements in this segment often prioritize affordability, ease of use, and comprehensive vulnerability coverage across various assets, including networks, servers, and web applications. Purchase considerations typically involve cost-effective solutions with low maintenance overhead, automated vulnerability scanning and reporting capabilities, and seamless integration with existing IT environments.

  • Large enterprise: Large enterprises typically have extensive and complex IT infrastructures, spanning on-premises data centers, cloud environments, and hybrid architectures. Buyer requirements in this segment emphasize scalability, advanced analytics, and integration with existing security operations and IT service management platforms. Purchase considerations involve robust vulnerability management solutions with centralized management, risk prioritization based on business context, compliance reporting capabilities, and seamless integration with other security tools for efficient vulnerability remediation workflows.

  • Public sector: The public sector market segment encompasses government agencies, educational institutions, and other public organizations. Buyer requirements in this segment often prioritize robust security, compliance with regulatory frameworks (like NIST and FedRAMP), and stringent data protection measures. Purchase considerations typically involve solutions with advanced security controls, comprehensive compliance reporting capabilities, support for secure enclaves and air-gapped environments, and the ability to integrate with existing government-approved security tools and infrastructures.

In addition, we recognize the following deployment models:

  • SaaS: This deployment model involves a cloud-based vulnerability management solution provided by a third-party vendor. The service is hosted and maintained by the vendor, and users can access it through the internet. SaaS solutions offer a cost-effective and scalable option because organizations do not need to invest in hardware or software installations. Updates and maintenance are also handled by the vendor, ensuring that the solution is always up-to-date with the latest vulnerability intelligence and security enhancements.

  • Software: In this model, the vulnerability management solution has software components, either agents or other lightweight components, that are installed as part of the deployment. This contrasts with the agentless approach and carries its own set of strengths and weaknesses. Typically, software deployed in support of vulnerability management is able to provide richer telemetry from assets, but it adds to the administrative burden because of deployment and maintenance costs.

  • On-premises: This deployment model involves hosting the vulnerability management solution within the organization's own data center or on-premises infrastructure. The organization maintains full control over the hardware, software, and data, ensuring maximum security and compliance with regulatory requirements. On-premises solutions are often preferred by organizations with stringent data privacy and security requirements or those operating in highly regulated industries. However, this model demands significant upfront investment in hardware, software licenses, and ongoing maintenance resources.

Table 1. Vendor Positioning: Target Market and Deployment Model

Vendor Positioning: Target Market and Deployment Model
TARGET MARKET columns: SMB | Large Enterprise | Public Sector
DEPLOYMENT MODEL columns: SaaS | Software | On-Premises
Vendors (rows):
Aqua Security
Armis
Balbix
Brinqa
Check Point
Cisco
Fortra
GFI Software
Holm Security
Intel 471
Intruder
Microsoft
NopSec
Nucleus Security
OpenText
Palo Alto Networks
Qualys
Rapid7
RunSafe Security
runZero
SecPod Technologies
Sysdig
Tanium
Tenable
Tromzo
WithSecure
Wiz
XM Cyber
Source: GigaOm 2026

Table 1 components are evaluated in a binary yes/no manner and do not factor into a vendor’s designation as a Leader, Challenger, or Entrant on the Radar chart (Figure 1). 

“Target market” reflects which use cases each solution is recommended for, not simply whether that group can use it. For example, if an SMB could use a solution but doing so would be cost-prohibitive, that solution would be rated “no” for SMBs.

3. Decision Criteria Comparison

All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:

  • Asset discovery and tracking

  • Policy compliance reporting

  • Issue tracking and management

  • Risk profiling and prioritization

  • Remediation recommendations 

  • Automation of workflows

Tables 2, 3, and 4 summarize how each vendor in this research performs in the areas we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the relevant market space, and gauge the potential impact on the business.

  • Key features differentiate solutions, highlighting the primary criteria to be considered when evaluating a CVM solution.

  • Emerging features show how well each vendor implements capabilities that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months. 

  • Business criteria provide insight into the nonfunctional requirements that factor into a purchase decision and determine a solution’s impact on an organization.

These decision criteria are summarized below. More detailed descriptions can be found in the corresponding report, “GigaOm Key Criteria for Evaluating CVM Solutions.”

Key Features

  • Application vulnerability assessment: This is a critical feature that enables the identification and analysis of security weaknesses in software applications. This capability is essential to enable organizations to proactively secure their custom and third-party applications, which are often prime targets for cyberattacks.

  • Network-based vulnerability scanning: This is a feature that systematically probes an organization's network infrastructure to identify potential security weaknesses and misconfigurations. This capability is crucial for maintaining a comprehensive view of an organization's attack surface and detecting vulnerabilities that could be exploited by malicious actors.

  • Software composition analysis (SCA): This feature examines software applications to identify and inventory open source components, libraries, and dependencies. This capability is essential for managing security risks associated with third-party code, ensuring license compliance, and maintaining software supply chain integrity.

  • IaC vulnerability and misconfiguration assessment: This feature scans IaC templates for security vulnerabilities and misconfigurations before deployment. This capability is essential for organizations adopting DevOps and cloud-native practices because it helps prevent security issues from being introduced into production environments through automated infrastructure provisioning.

  • Cloud-native and serverless function scanning: This feature provides visibility into security vulnerabilities within ephemeral cloud-native applications and serverless functions that traditional vulnerability scanners often miss. This capability is critical as organizations accelerate cloud adoption and serverless architectures, where unique attack surfaces emerge from application dependencies, configuration issues, and event-triggered execution models.

  • Risk-based assessment: This feature evaluates vulnerabilities in the context of an organization's unique risk profile and business impact. This approach enables organizations to prioritize remediation efforts effectively, focusing resources on the most critical issues that pose the greatest threat to their specific environment and operations.

  • Customizable risk scoring: This feature allows organizations to tailor vulnerability risk calculations to their specific needs and risk tolerance. This feature is crucial for aligning vulnerability management efforts with an organization's unique security posture and business objectives.

  • Integrations: This feature enables the vulnerability management solution to connect to and collect and share data with other technologies, security solutions, and IT management tools in an organization's ecosystem. This is essential for building a unified vulnerability management approach, streamlining workflows, and maximizing the value of vulnerability data across the entire IT and security infrastructure.

Table 2. Key Features Comparison

Key Features Comparison
Rating scale: ★★★★★ Exceptional, ★★★★ Superior, ★★★ Capable, ★★ Limited, ★ Poor, no rating = Not Applicable
KEY FEATURES (columns, in order): Application Vulnerability Assessment | Network-Based Vulnerability Scanning | Software Composition Analysis | IaC Vulnerability & Misconfiguration Assessment | Cloud-Native & Serverless Function Scanning | Risk-Based Assessment | Customizable Risk Scoring | Integrations
Vendor (Average Score): ratings in column order; a Not Applicable column carries no rating
Aqua Security (3.0): ★★★★ ★★★★ ★★★ ★★★★ ★★★ ★★★ ★★★
Armis (4.4): ★★★★ ★★★★★ ★★★★ ★★★★ ★★★ ★★★★★ ★★★★★ ★★★★★
Balbix (3.5): ★★★★ ★★★ ★★★★ ★★ ★★★ ★★★★★ ★★★★ ★★★
Brinqa (3.8): ★★★ ★★★ ★★★ ★★★ ★★★ ★★★★★ ★★★★★ ★★★★★
Check Point (1.8): ★★★ ★★ ★★★★ ★★ ★★★
Cisco (3.5): ★★★ ★★★ ★★★ ★★★ ★★★ ★★★★★ ★★★★ ★★★★
Fortra (2.9): ★★★★ ★★★★ ★★ ★★ ★★★★ ★★★ ★★★★
GFI Software (1.9): ★★★ ★★★★ ★★★ ★★ ★★★
Holm Security (3.0): ★★★ ★★★★ ★★ ★★ ★★★ ★★★★ ★★★ ★★★
Intel 471 (1.9): ★★ ★★ ★★★★ ★★★ ★★★
Intruder (2.9): ★★★ ★★★★ ★★★ ★★★ ★★★★ ★★★ ★★★
Microsoft (2.8): ★★ ★★★ ★★★★ ★★★ ★★★★ ★★ ★★★
NopSec (3.6): ★★★ ★★★ ★★★ ★★★ ★★★★ ★★★★★ ★★★★ ★★★★
Nucleus Security (3.9): ★★★★ ★★★ ★★★ ★★★ ★★★★ ★★★★★ ★★★★★ ★★★★
OpenText (3.1): ★★★★★ ★★ ★★★★ ★★★ ★★★ ★★★ ★★ ★★★
Palo Alto Networks (3.9): ★★★ ★★★ ★★★★★ ★★★★ ★★★★★ ★★★★ ★★★ ★★★★
Qualys (4.3): ★★★★ ★★★★ ★★★★★ ★★★★ ★★★★★ ★★★★★ ★★★ ★★★★
Rapid7 (3.5): ★★★ ★★★★★ ★★★ ★★★★ ★★★★ ★★★ ★★★ ★★★
RunSafe Security (2.1): ★★★★★ ★★ ★★★★ ★★★ ★★★
runZero (3.3): ★★ ★★★★★ ★★ ★★ ★★★ ★★★★ ★★★★★ ★★★
SecPod Technologies (2.5): ★★★ ★★ ★★ ★★★ ★★★★ ★★★ ★★★
Sysdig (3.9): ★★★ ★★★★ ★★★★★ ★★★ ★★★ ★★★★ ★★★★★ ★★★★
Tanium (2.8): ★★★ ★★★ ★★★★ ★★★ ★★★ ★★★ ★★★
Tenable (4.3): ★★★★ ★★★★★ ★★★ ★★★★★ ★★★★ ★★★★ ★★★★ ★★★★★
Tromzo (3.6): ★★★★★ ★★★ ★★★★ ★★★ ★★★★ ★★★ ★★★★ ★★★
WithSecure (2.6): ★★ ★★★★ ★★★ ★★★ ★★★ ★★★ ★★★
Wiz (4.3): ★★★★ ★★★★ ★★★★ ★★★★ ★★★★ ★★★★★ ★★★★ ★★★★★
XM Cyber (2.5): ★★★ ★★★★ ★★★ ★★★★ ★★★ ★★★
Source: GigaOm 2026

Emerging Features

  • Automated vulnerability validation and exploit testing: Automated vulnerability validation and exploit testing is an emerging feature that automatically verifies the exploitability of detected vulnerabilities through safe, controlled exploit attempts. This capability is important for reducing false positives, prioritizing remediation efforts, and providing concrete evidence of security risks to stakeholders.

  • Attack path analysis: Attack path analysis is a sophisticated capability that identifies and visualizes potential exploitation routes through an organization's environment by connecting vulnerabilities, misconfigurations, and identity relationships. This approach transcends traditional vulnerability prioritization by revealing how attackers could chain multiple lower-severity issues together to reach critical assets, enabling security teams to focus remediation efforts on the vulnerabilities that pose the greatest actual risk.

Table 3. Emerging Features Comparison 

Emerging Features Comparison
Rating scale: ★★★★★ Exceptional, ★★★★ Superior, ★★★ Capable, ★★ Limited, ★ Poor, no rating = Not Applicable
EMERGING FEATURES (columns, in order): Automated Vulnerability Validation & Exploitation Testing | Attack Path Analysis
Vendor (Average Score): ratings in column order; a Not Applicable column carries no rating
Aqua Security (2.5): ★★ ★★★
Armis (3.5): ★★★ ★★★★
Balbix (3.0): ★★ ★★★★
Brinqa (4.0): ★★★ ★★★★★
Check Point (0.0): none
Cisco (0.0): none
Fortra (2.5): ★★★ ★★
GFI Software (0.0): none
Holm Security (1.0): ★★
Intel 471 (0.5): none shown
Intruder (2.5): ★★★★★
Microsoft (3.0): ★★★★★
NopSec (4.0): ★★★★ ★★★★
Nucleus Security (1.5): ★★★
OpenText (2.0): ★★★
Palo Alto Networks (1.5): ★★★
Qualys (3.5): ★★★ ★★★★
Rapid7 (3.0): ★★ ★★★★
RunSafe Security (0.0): none
runZero (3.0): ★★★ ★★★
SecPod Technologies (1.0): ★★
Sysdig (4.5): ★★★★ ★★★★★
Tanium (1.0): ★★
Tenable (3.5): ★★★ ★★★★
Tromzo (2.0): ★★ ★★
WithSecure (4.5): ★★★★ ★★★★★
Wiz (3.0): ★★★★★
XM Cyber (3.5): ★★★ ★★★★
Source: GigaOm 2026

Business Criteria

  • Scalability: Scalability refers to the ability to efficiently handle growing volumes of assets, vulnerabilities, and data across expanding IT environments without significant performance degradation. This capability is crucial for organizations that need to maintain comprehensive vulnerability management as their digital footprint grows, ensuring consistent security coverage and performance across cloud, on-premises, and hybrid infrastructures.

  • Flexibility: Flexibility refers to the ability to adapt to diverse IT environments, support various common and uncommon use cases, and integrate with a wide range of security and IT management tools. This is crucial for enabling organizations to tailor their vulnerability management approach to their unique infrastructure, workflows, and security requirements, ensuring comprehensive coverage and efficient operations across complex, hybrid environments.

  • Cost transparency: Cost transparency in vulnerability management refers to the clarity, predictability, and control organizations have over how licensing, scanning, and remediation activities impact their total expenditure across complex hybrid environments. This criterion is critical as vulnerability management costs can unexpectedly escalate due to asset growth, scanning frequency requirements, cloud resource expansion, and the increasing need to scan diverse technologies like containers, serverless functions, and IoT devices.

  • Ease of use: Ease of use refers to the intuitive design, user-friendly interfaces, and streamlined workflows that enable efficient operation by security teams of varying skill levels. This criterion is crucial for maximizing the effectiveness of vulnerability management efforts, ensuring rapid adoption, and reducing the learning curve for new users.

  • Ecosystem: In the vulnerability management market, ecosystem refers to a solution's ability to integrate with and leverage existing security infrastructure, third-party tools, and broader IT systems through robust APIs, partnerships, and prebuilt connectors. A strong ecosystem enables vulnerability data to flow seamlessly between systems, enriches findings with contextual information, and allows security teams to orchestrate remediation workflows across their technology stack without creating data silos or forcing platform switches.

Table 4. Business Criteria Comparison 

Business Criteria Comparison
Rating scale: ★★★★★ Exceptional, ★★★★ Superior, ★★★ Capable, ★★ Limited, ★ Poor, no rating = Not Applicable
Vendor | Average Score | Scalability | Flexibility | Cost Transparency | Ease of Use | Ecosystem
Aqua Security | 3.6 | ★★★★ | ★★★★ | ★★★ | ★★★ | ★★★★
Armis | 4.4 | ★★★★★ | ★★★★★ | ★★★ | ★★★★ | ★★★★★
Balbix | 3.2 | ★★★ | ★★★ | ★★★ | ★★★★ | ★★★
Brinqa | 4.0 | ★★★★ | ★★★★★ | ★★★★ | ★★★ | ★★★★
Check Point | 3.2 | ★★★ | ★★★★ | ★★★ | ★★★ | ★★★
Cisco | 4.0 | ★★★★ | ★★★★ | ★★★ | ★★★★ | ★★★★★
Fortra | 3.0 | ★★★ | ★★★ | ★★★ | ★★★ | ★★★
GFI Software | 3.2 | ★★★ | ★★★ | ★★★★ | ★★★ | ★★★
Holm Security | 3.0 | ★★★ | ★★★ | ★★★ | ★★★ | ★★★
Intel 471 | 3.6 | ★★★ | ★★★ | ★★★ | ★★★★★ | ★★★★
Intruder | 3.6 | ★★★ | ★★★ | ★★★★ | ★★★★★ | ★★★
Microsoft | 3.0 | ★★★ | ★★★ | ★★★ | ★★★ | ★★★
NopSec | 3.4 | ★★★ | ★★★★ | ★★★★ | ★★★ | ★★★
Nucleus Security | 3.8 | ★★★★ | ★★★ | ★★★★ | ★★★ | ★★★★★
OpenText | 3.0 | ★★★ | ★★ | ★★★★ | ★★★ | ★★★
Palo Alto Networks | 4.0 | ★★★★ | ★★★ | ★★★★★ | ★★★★ | ★★★★
Qualys | 4.0 | ★★★★ | ★★★★★ | ★★★★ | ★★★ | ★★★★
Rapid7 | 3.6 | ★★★★ | ★★★ | ★★★ | ★★★ | ★★★★★
RunSafe Security | 3.6 | ★★★★ | ★★★ | ★★★★ | ★★★ | ★★★★
runZero | 4.2 | ★★★★★ | ★★★★ | ★★★★ | ★★★★ | ★★★★
SecPod Technologies | 3.8 | ★★★★ | ★★★★ | ★★★★★ | ★★★ | ★★★
Sysdig | 3.8 | ★★★★ | ★★★★★ | ★★★ | ★★★★ | ★★★
Tanium | 3.6 | ★★★ | ★★★ | ★★★★ | ★★★★ | ★★★★
Tenable | 4.4 | ★★★★ | ★★★★★ | ★★★★ | ★★★★★ | ★★★★
Tromzo | 2.8 | ★★★ | ★★★ | ★★★ | ★★★ | ★★
WithSecure | 3.2 | ★★★ | ★★★★ | ★★★ | ★★★ | ★★★
Wiz | 4.4 | ★★★★★ | ★★★★ | ★★★★ | ★★★★★ | ★★★★
XM Cyber | 3.2 | ★★★★ | ★★★★ | ★★★ | ★★★ | ★★
Source: GigaOm 2026

4. GigaOm Radar

The GigaOm Radar plots vendor solutions across a series of concentric rings with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrowhead that projects each solution’s evolution over the coming 12 to 18 months.

Figure 1 is the radar chart "Continuous Vulnerability Management (CVM)": vendors are plotted on Maturity versus Innovation and Feature Play versus Platform Play axes, within the Leaders, Challengers, and Entrants rings, with Outperformers marked; data sourced from GigaOm as of August 2025. The chart legend defines the four characteristics:
1. Maturity - emphasis on stability and continuity; may be slower to innovate
2. Innovation - flexible and responsive to market; may invite disruption
3. Feature Play - offers specific functionality and use case support; may lack broad capability
4. Platform Play - offers broad functionality and use case support; may heighten complexity

Figure 1. GigaOm Radar for CVM

As you can see in Figure 1, the Radar chart reveals a market in transition, balancing established approaches with emerging capabilities. The distribution of vendors across the radar illustrates an industry that's actively evolving, with significant momentum toward innovation and platform-based approaches.

The concentration of solutions in the Innovation half of the chart indicates that vulnerability management is undergoing substantial transformation. This innovation surge is driven by the expanding attack surface created by cloud adoption, containerization, and the proliferation of serverless architectures. Traditional vulnerability scanning approaches are being reimagined to address these modern environments.

There's a noticeable weighting toward the Platform Play side of the spectrum, signaling that the market is moving away from point solutions toward comprehensive vulnerability management ecosystems. This shift reflects enterprise preferences for integrated security tools that provide broader visibility and streamlined workflows rather than siloed capabilities that address only specific aspects of vulnerability management.

The Leaders circle contains about one-third of the surveyed solutions, highlighting that excellence in this space requires both technical sophistication and execution consistency. Those that have achieved leadership status demonstrate a balance between stability and innovation, managing to evolve their offerings while maintaining operational reliability.

The presence of multiple Outperformers reveals a competitive landscape where vendors are rapidly enhancing capabilities to gain market share. These vendors are either building new features while maintaining the same look and feel year over year (Maturity), or expanding into new feature sets that change the user experience and function of the solution; these are the two paths to differentiation in this market.

Several vendors are poised to enter the Leaders circle in future evaluations, showing a healthy competitive dynamic where challengers continue to pressure established leaders to innovate. This competitive tension benefits customers through accelerated feature development and more flexible pricing models.

The clustering of vendors in the Innovation/Platform Play quadrant tells us that the future of vulnerability management lies in comprehensive, forward-looking solutions that extend beyond traditional scanning to encompass cloud-native environments, application security, and integrated remediation workflows.

Organizations evaluating vulnerability management solutions should consider whether they need the stability and comprehensive capabilities of platforms in the Maturity side, or if they would benefit more from the cutting-edge approaches represented in the Innovation half. The decision largely depends on security program maturity, existing security investments, and specific use case requirements.

In reviewing solutions, it’s important to keep in mind that there are no universal “best” or “worst” offerings; every solution has aspects that might make it a better or worse fit for specific customer requirements. Prospective customers should consider their current and future needs when comparing solutions and vendor roadmaps.

INSIDE THE GIGAOM RADAR

To create the GigaOm Radar graphic, key features, emerging features, and business criteria are scored and weighted. Key features and business criteria receive the highest weighting and have the most impact on vendor positioning on the Radar graphic. Emerging features receive a lower weighting and have a lower impact on vendor positioning on the Radar graphic. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and roadmaps.

Note that the Radar is technology-focused, and business considerations such as vendor market share, customer share, spend, recency or longevity in the market, and so on are not considered in our evaluations. As such, these factors do not impact scoring and positioning on the Radar graphic.

For more information, please visit our Methodology.

5. Solution Insights A-H

Aqua Security: Aqua Cloud Native Security Platform*

Solution Overview
Aqua Security delivers a cloud-native security solution that is focused on protecting applications, infrastructure, and data across public, private, and hybrid cloud environments. The company's primary emphasis is on securing containerized and serverless workloads throughout the entire application lifecycle. In 2021, Aqua Security acquired tfsec, an open source security scanner for IaC, enhancing its capabilities in cloud security posture management. Its vulnerability scanning is based on its popular open source project, Trivy.

The company offers the Aqua Cloud Native Security Platform, a unified solution that encompasses multiple components to address various aspects of cloud native security. The platform is not a standalone product but rather an integrated suite of modules designed to work together. This includes its CSPM module, its Workload Protection module, and code security.

Aqua Security is positioned as a Challenger and Outperformer in the Innovation/Feature Play quadrant of the GigaOm Radar for CVM chart.

Strengths
Aqua Security scored well on a number of decision criteria, including:

  • Application vulnerability assessment: The platform provides comprehensive scanning capabilities for code, containers, and dependencies with direct CI/CD pipeline integration. It leverages the industry-recognized Trivy scanner, known for its strong accuracy in detecting vulnerabilities. While coverage for legacy, non-cloud-native applications is more limited, the solution excels in modern application environments.

  • Software composition analysis: The solution delivers robust SCA capabilities through its Trivy scanner. It effectively identifies third-party components, generates software bills of materials (SBOMs), and flags both vulnerabilities and license issues. This functionality is particularly strong in cloud-native environments, aligning with the vendor’s overall focus on securing modern application infrastructure.

  • Cloud-native and serverless function scanning: The solution offers thorough scanning of serverless functions, detecting vulnerabilities, secrets, and permissions issues. It supports major cloud providers and integrates with CI/CD pipelines. Though the depth of support varies across different serverless platforms, the overall capability effectively addresses security concerns in cloud-native architectures.

Aqua Security was classified as an Outperformer given its rapid development of its AI application security feature set as well as recent significant product improvements. 

Opportunities
Aqua Security has room for improvement in a few decision criteria, including:

  • IaC vulnerability and misconfiguration assessment: Despite providing automated scanning capabilities across major cloud providers, the solution demonstrates varying depth of coverage across different platforms. Organizations operating in complex multicloud environments or using less common IaC tools might experience inconsistent protection levels. Those in highly regulated industries with specific compliance requirements may find the scanning depth insufficient for certain platforms.

  • Customizable risk scoring: While the solution incorporates industry-standard scoring mechanisms like CVSS and EPSS, it offers only partial customization options that are not fully user-definable at all levels. Security teams with specialized risk assessment methodologies or organizations that need to align scoring with unique corporate risk frameworks may find these limitations restrictive, particularly in sectors where context-specific risk evaluation is crucial.

  • Integrations: The solution supports a range of integrations with common DevOps and security tools, but organizations with specialized or niche tools in their technology stack might encounter integration gaps. This could be particularly challenging for enterprises with custom-built internal systems or those using emerging technologies not yet fully supported by the integration framework.

Purchase Considerations
Aqua Security offers modular licensing with two primary SKUs: CSPM and Workload Protection (priced per cloud asset) and a third SKU, Software Supply Chain Security (priced per source-code repository), which can be added onto either of the previous products. Customers can purchase both to unlock all modules or mix combinations like CSPM and Workloads or SSCS and Workloads. This approach provides flexibility but introduces moderate complexity when determining exact pricing needs. 

The solution scales horizontally in both SaaS and self-hosted deployments, making it suitable for large enterprise environments. Performance remains strong for data ingestion and analysis, though the interface can slow when processing large result sets due to the way individual CVE instances are rendered. The user experience is generally intuitive but occasionally disrupted by UI bugs and dead documentation links. Organizations should consider the manual triage requirements for duplicate CVE entries, as the solution lacks automatic vulnerability deduplication.

Aqua Security's extensive ecosystem integration capabilities represent a significant strength, with comprehensive support across major cloud providers, container platforms, artifact registries, and DevOps toolchains.

Use Cases
Aqua Security excels in securing cloud-native CI/CD pipelines where its Trivy scanner identifies vulnerabilities across containers, code, and dependencies before deployment. DevSecOps teams in regulated industries benefit from Aqua Security's comprehensive SBOM generation and license compliance checks, addressing software supply chain risks with minimal workflow disruption. The solution's serverless function scanning capabilities serve organizations expanding into function as a service (FaaS) architectures by detecting vulnerabilities, secrets, and permissions issues across AWS Lambda, Azure Functions, and GCP Cloud Run environments. Kubernetes-centric organizations gain actionable security insights through kube-hunter's automated penetration testing and Tracee's runtime threat detection.

Armis: Armis Centrix

Solution Overview
Armis is a cyber exposure management and security company focusing on identifying and securing all managed, unmanaged, IT, OT, IoT, and IoMT (medical things) devices in an organization's environment. Armis Centrix, the company’s platform, is a comprehensive solution designed to address various aspects of device security and management. A key component of this platform is Armis Centrix for VIPR Pro – Prioritization and Remediation. Recently, Armis acquired Otorio, which bolsters its OT and IoT capabilities.

The company's primary emphasis is on providing visibility, protection, and management for the expanding array of connected devices in modern networks. In 2024, Armis made two acquisitions: Silk Security, a cyber risk company that enhances its approach to risk prioritization and remediation, and CTCI, an AI security startup that boosts early detection features. 

Armis takes a less common approach to device security by employing an agentless deployment option that allows it to discover and protect devices without requiring software installation on endpoints. 

Armis Centrix uses a multi-detection engine that, depending on how the administrator configures it, monitors network traffic passively or actively to identify and classify devices, assess their risk, detect threats, and enforce policies. It uses a 6-billion-device asset security data lake along with AI/ML algorithms to analyze device behavior and identify potential security issues. Armis Centrix enhances this functionality by automating the prioritization of vulnerabilities through consolidation, deduplication, and contextualization of security tool alerts across on-premises hosts, endpoints, cloud environments, and application security tools, thereby providing a unified view that highlights the most critical risks requiring immediate attention.
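The consolidation and deduplication step that Armis Centrix performs natively, and that Aqua Security customers must currently handle by manual triage of duplicate CVE entries, can be illustrated with a small normalizer. The following is an added example written for this page, not code from either vendor. It assumes a generic finding record that any scanner connector could emit (scanner, asset, CVE, package, version, severity); the field names, the asset-alias table standing in for a CMDB, and the sample findings are all constructed, with the Log4Shell CVE used only as a familiar identifier.

```python
"""Consolidate and deduplicate vulnerability findings from several scanners.

Added example for this page, not code from any vendor covered in the report.
It assumes a generic finding record that any scanner connector could emit
(scanner, asset, cve, package, version, severity); the field names, the
asset-alias table and the sample findings are all constructed here.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}


@dataclass
class Finding:
    scanner: str
    asset: str      # hostname, IP or image name exactly as the scanner reported it
    cve: str
    package: str
    version: str
    severity: str


@dataclass
class Consolidated:
    asset: str
    cve: str
    package: str
    version: str
    severity: str
    sources: list[str] = field(default_factory=list)


def canonical_asset(reported: str, aliases: dict[str, str]) -> str:
    """Map the several names one asset goes by (FQDN, short name, IP) to one
    canonical identifier. In production the alias table comes from the CMDB or
    asset inventory; here it is a constructed dict."""
    key = reported.strip().lower()
    return aliases.get(key, key)


def consolidate(findings: list[Finding], aliases: dict[str, str]) -> list[Consolidated]:
    """Merge raw findings on the (asset, CVE, package) key. Scanners that
    disagree on severity are reconciled by keeping the most severe rating, and
    every scanner that saw the finding is recorded so analysts see
    corroboration instead of three separate tickets."""
    merged: dict[tuple[str, str, str], Consolidated] = {}
    for f in findings:
        key = (canonical_asset(f.asset, aliases), f.cve.strip().upper(), f.package.lower())
        sev = f.severity.upper()
        entry = merged.get(key)
        if entry is None:
            merged[key] = Consolidated(*key, f.version, sev, [f.scanner])
            continue
        if f.scanner not in entry.sources:
            entry.sources.append(f.scanner)
        if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK.get(entry.severity, 0):
            entry.severity = sev
    return list(merged.values())


def dedupe_summary(findings, aliases):
    """(asset, cve) -> (severity, sorted scanner names), convenient for review."""
    return {(c.asset, c.cve): (c.severity, sorted(c.sources))
            for c in consolidate(findings, aliases)}


# Constructed sample: two scanners report the same host under three names.
ASSET_ALIASES = {
    "web01.corp.example": "web01",
    "10.0.0.5": "web01",
    "db01.corp.example": "db01",
}

SAMPLE_FINDINGS = [
    Finding("netscan", "web01.corp.example", "CVE-2021-44228", "log4j-core", "2.14.1", "High"),
    Finding("imagescan", "WEB01", "cve-2021-44228", "log4j-core", "2.14.1", "Critical"),
    Finding("netscan", "10.0.0.5", "CVE-2021-44228", "log4j-core", "2.14.1", "High"),
    Finding("imagescan", "web01", "CVE-2021-45046", "log4j-core", "2.14.1", "Critical"),
    Finding("netscan", "db01.corp.example", "CVE-2021-44228", "log4j-core", "2.11.2", "High"),
]

if __name__ == "__main__":
    # Five raw findings collapse to three tickets; the web01 Log4Shell entry
    # shows both scanners as corroborating sources.
    for (asset, cve), (sev, sources) in sorted(dedupe_summary(SAMPLE_FINDINGS, ASSET_ALIASES).items()):
        print(f"{asset:6} {cve} {sev:8} seen by {', '.join(sources)}")
```

The key deliberately includes the package name, so two vulnerable components on one host are not collapsed into a single record, and the asset-aliasing step is where most deduplication failures occur in practice: without a reliable mapping from IP, FQDN and image name to one asset, the same exposure keeps appearing as three separate items.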

Armis is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the GigaOm Radar for CVM chart.

Strengths
Armis scored well on a number of decision criteria, including:

  • Risk-based assessment: The solution employs a multidimensional risk model that extends beyond basic CVSS scoring by incorporating threat intelligence, exposure data, and architectural context. It evaluates external exposure, compensating controls, attack complexity, real-time exploitation data, and segmentation posture to provide a comprehensive risk picture. The continuous real-time scoring updates enable organizations to implement "fix-first" strategies that identify highest-impact remediations, allowing for more efficient vulnerability management.

  • Customizable risk scoring: The platform offers a configurable risk scoring framework built on three core dimensions: asset context, finding severity, and environmental exposure. It supports role-based and asset criticality models with modified CVSS weighting that can be applied globally or targeted to specific assets, sites, business units, or vulnerability types. The continuous recalculation of risk scores as conditions change enables dynamic risk management capabilities that adapt to evolving environments.

  • Integrations: The solution provides an extensive integration ecosystem that spans multiple security domains with out-of-box connectors. It covers cloud platforms, endpoint and network tools, application security, threat intelligence, ITSM and collaboration systems, and identity management. Its RESTful API and webhooks enable bidirectional exchange of information, while agentless, read-only operation supports deployment in sensitive environments without disrupting existing infrastructure.

Opportunities
Armis has room for improvement in a few decision criteria, including:

  • Software composition analysis: While the solution effectively creates SBOMs through third-party data ingestion, it lacks native scanning capabilities of its own. However, Armis Centrix seamlessly ingests security findings from a wide array of existing sources, including vulnerability scanners, asset management platforms, cloud services, code repositories, developer security platforms, and application security tools. Additionally, the inference method used for embedded, OT, and IoT devices—where direct SBOM creation is impossible—can yield incomplete or inaccurate component identification, potentially increasing risk in critical infrastructure environments.

  • Cloud-native and serverless function scanning: The solution provides comprehensive resource discovery for the major cloud service providers but thinner coverage for tier 2 and 3 providers such as Alibaba, Oracle, and IBM. Organizations with multicloud strategies that include these providers may experience security visibility gaps. Furthermore, capabilities for regional and sovereignty-sensitive deployments remain underdeveloped, which could present challenges for global enterprises operating under varying compliance regimes.

  • Automated vulnerability validation and exploitation testing: The intelligence-driven approach lacks true exploitation testing capability, instead relying on passive analysis and limited active querying. This methodology struggles with zero-day vulnerabilities and encrypted traffic blind spots, making it less effective than dedicated penetration testing in high-security environments where validation of exploitation success is critical.

Purchase Considerations
The platform targets both mid-market and enterprise environments, with proven deployments scaling to more than 10 million assets and 30 billion network flows daily. The solution operates as a full platform play with modules that can be toggled on and off for Vulnerability Prioritization, OT Defender, Medical Defender, and Asset Governance, delivering extensive coverage across IT endpoints, IoT devices, OT and ICS systems, medical equipment, VMs, and SaaS identities.

Deployment complexity is minimized through multiple implementation options including full SaaS, hybrid sensor configurations, and fully offline modes with periodic data synchronization. Zero-touch onboarding enables device fingerprinting within 30 seconds after sensor deployment, while integration wizards facilitate connections to common platforms like ServiceNow, Splunk, and XSOAR with fewer than five clicks. 

Use Cases
Armis excels in complex environments including IT, OT, IoT, and IoMT. Its passive monitoring and specialized protocol decoders (HL7 and DICOM) reveal security gaps in devices that cannot be traditionally scanned. The solution is particularly valuable for manufacturing operations where IT and OT systems intersect, identifying cross-domain attack paths while respecting sensitive industrial protocols. Large enterprises with diverse technology ecosystems benefit from Armis's rapid device fingerprinting capability, which discovers and classifies shadow IT assets within 30 seconds, enabling comprehensive governance across previously invisible network segments.

Balbix: Balbix Risk and Exposure Management Platform

Solution Overview
Balbix is a cybersecurity company that specializes in AI-native cyber risk management, continuously quantifying, prioritizing, and automating risk reduction in financial terms across the enterprise attack surface. The company's primary focus is on providing organizations with real-time visibility into their cybersecurity posture and automating risk mitigation efforts. 

Balbix's approach to cybersecurity is distinctive in its emphasis on continuous, AI-driven risk assessment and quantification. The company’s Balbix Risk and Exposure Management Platform is a comprehensive cybersecurity posture automation platform. It is not a standalone product but rather an integrated solution that combines multiple components to provide a holistic view of an organization's cyber risk landscape.

The platform works by continuously discovering and analyzing an organization's entire attack surface, including on-premises, cloud, and hybrid environments. It uses advanced AI and ML algorithms to predict potential breach scenarios, quantify cyber risk in financial terms, and prioritize mitigation actions. The Balbix Security Cloud can be deployed as a SaaS solution, integrating with existing security tools and infrastructure to provide real-time insights and actionable intelligence.

Balbix is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the GigaOm Radar for CVM chart.

Strengths
Balbix scored well on a number of decision criteria, including:

  • Risk-based assessment: The solution incorporates EPSS, CISA KEV, and internal threat intel feeds into risk scoring logic. The risk model is customizable at the asset-type level and includes controls-based suppression (for example, EDR presence and segmentation enforcement). This approach enables security teams to address the most critical issues first, enhancing overall risk management efficiency.

  • Software composition analysis: The platform employs AI for near real-time detection of vulnerable software components across the environment. It maps complex vulnerabilities to specific assets and provides export capabilities to CMDB tools for compliance reporting. This capability gives organizations visibility into their software supply chain risks and helps maintain accurate vulnerability inventories.

  • Customizable risk scoring: The solution allows organizations to tailor risk assessments based on business context and asset criticality. It provides FAIR-like methodologies for risk quantification and customized analytics for reporting to different stakeholders. These capabilities enable security teams to communicate risk in business-relevant terms and align remediation efforts with organizational priorities.

Opportunities
Balbix has room for improvement in a few decision criteria, including:

  • Application vulnerability assessment: While the solution provides comprehensive integration with modern AppSec tools and offers SBOM ingestion with component-level vulnerability tracking, organizations with complex application architectures may encounter implementation challenges. Despite strong full-stack visibility capabilities across containerized and serverless environments, enterprises with highly specialized or custom deployment models might discover coverage limitations when attempting to map relationships between proprietary components. Additionally, organizations in regulated industries might find that while the technical vulnerability assessment is robust, translating these findings into compliance-specific reporting requires additional effort. Security teams managing legacy applications alongside modern microservices might also experience inconsistent visibility across their entire application portfolio despite the generally strong capabilities.

  • IaC vulnerability and misconfiguration assessment: The solution demonstrates significant limitations in predeployment security assessment of infrastructure as code. With minimal dedicated scanning capability for templates like Terraform or CloudFormation, it relies primarily on runtime detection of cloud misconfigurations. This reactive approach creates potential security gaps during the development phase, which is particularly problematic for organizations embracing DevSecOps practices that require shift-left security integration throughout the development lifecycle.

  • Cloud-native and serverless function scanning: The solution provides workload telemetry ingestion via container runtime APIs with integration across major serverless services like AWS Lambda and Fargate. However, organizations with multicloud serverless deployments may encounter visibility inconsistencies across different cloud providers, as the implementation appears stronger for AWS environments than others. Additionally, enterprises with complex event-driven architectures might find the vulnerability enrichment capabilities less effective for analyzing sophisticated trigger chains or nested serverless function relationships. Security teams in highly regulated industries might also discover that while the configuration validation and least-privilege detection work well for standard deployments, specialized compliance requirements for serverless functions may require additional context beyond what is currently provided by the solution.

Purchase Considerations
Balbix offers a subscription model with published list pricing at $X per active asset per year across three tiers (0-25K, 25-100K, 100K+). The licensing includes unlimited users, connectors, and API calls, providing reasonable transparency for budgeting. Customers should account for potential add-on costs: Cyber Risk Quantification module (+20%), Auto-Remediation pack (+10%), and optional hardware sensor appliances ($7,900 CAPEX per unit). The pricing structure features no overages for data volume or scan frequency, a renewal cap of 5% year-over-year, and a 15% discount for 3-year prepayments.

The solution functions as a platform play, providing comprehensive coverage across IT workstations and servers, cloud environments, containers, SaaS identities, and IoT and OT systems. Its scale and feature set make it suitable for mid-market to enterprise deployments, with demonstrated capacity handling 10 billion security observations daily and 100 million indexed assets. It also scales to more than 250 million indexed assets in production and supports inline ingestion from over 100 connectors without needing sensors in cloud environments.

Deployment offers flexibility with full SaaS, hybrid (on-premises sensor with SaaS analytics), or dark-site options with monthly encrypted data transfers. Implementation typically requires some professional services engagement, available as either a fixed-price QuickStart package (4 weeks for $35K) or time-and-materials at $250 per hour. Organizations should plan for a 7-14 day initial data normalization window. While connector wizards streamline many integrations to under 10 minutes each, legacy on-premises connectors may require manual credential rotation, adding modest operational overhead.

Use Cases
Balbix delivers exceptional value for large enterprises overwhelmed by vulnerability data, using AI to transform raw findings into business-aligned security priorities. Its natural language search allows security teams to quickly identify vulnerable assets ("Windows servers missing KB5005565"), while the auto-deduplication engine reduces ticket volume by 85%. Organizations with complex hybrid infrastructures benefit from Balbix's comprehensive asset relationship mapping that connects applications to underlying infrastructure components for contextual risk assessment. 

The solution's monetary risk quantification capabilities serve security leaders needing to justify remediation investments to executives through clear financial impact metrics. Healthcare organizations and critical infrastructure providers appreciate the platform's ability to discover and assess specialized IoT and OT devices via protocols like BACnet, CIP, and DNP3 alongside traditional IT assets.

Brinqa: The Brinqa Vulnerability and Exposure Management Platform

Solution Overview
Brinqa is a provider of cyber risk management solutions, focusing on helping large enterprises identify, prioritize, and remediate cybersecurity risks across the customer’s IT ecosystem, and on tracking remediation status natively within the solution. The company's primary emphasis is on integrating data from various security and IT tools to provide a comprehensive view of an organization's risk posture.

Brinqa's approach is notable for its emphasis on knowledge graphs and advanced analytics to contextualize and prioritize risks in large enterprises. The Brinqa Vulnerability and Exposure Management Platform is a standalone product.

The solution works by ingesting data from various security and IT tools, applying advanced analytics and ML algorithms to contextualize and prioritize risks, and automating remediation workflows. It employs a knowledge graph to model complex relationships among assets, vulnerabilities, and threats, enabling more accurate risk assessments. The Brinqa platform can be deployed in the cloud (although on-premises deployments are offered in some circumstances), integrating with existing security infrastructure to provide real-time insights and actionable intelligence for risk mitigation.

Brinqa is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the GigaOm Radar for CVM chart.

Strengths
Brinqa scored well on a number of decision criteria, including:

  • Risk-based assessment: Brinqa provides a multifactor risk assessment approach that incorporates asset criticality, exploitability, and business context. The solution integrates threat intelligence including active exploitation data and CISA Known Exploited Vulnerabilities (KEVs) for real-time score adjustments. This enables security teams to triage vulnerabilities beyond basic CVSS scores, focusing remediation efforts on threats that pose the most significant business risk.

  • Customizable risk scoring: Brinqa employs a three-tiered approach to risk scoring that operates at vulnerability, asset, and organizational levels using CVSS, severity ratings, and EPSS with contextual adjustments. The solution offers a white-boxed methodology that reveals contributing models and provides a visual editor for model customization with transparent risk factor fields. This approach gives organizations visibility into how risk scores are calculated and the ability to tailor assessments to their unique environment.

  • Integrations: Brinqa features an extensive ecosystem with over 220 prebuilt connectors and best-practice mapping to its unified data model (UDM) for various data types. The solution supports custom data ingestion via multiple formats (CSV, JSON, SQL) and API connectors, with on-premises collection via an agent. Regular updates driven by customer needs keep the integration ecosystem relevant to evolving security toolsets and requirements.

Opportunities
Brinqa has room for improvement in a few decision criteria, including:

  • IaC vulnerability and misconfiguration assessment: The solution functions as an orchestration platform without native scanning capabilities, creating significant dependencies on external tools. It cannot directly parse configuration files, instead relying on integrations with third-party scanners for IaC assessment. This results in potential coverage gaps when source tools have inconsistent detection capabilities across different IaC formats. Additionally, the lack of remediation validation capabilities limits its effectiveness in ensuring security issues are properly addressed in production environments.

  • Cloud-native and serverless function scanning: With no native cloud scanning capabilities, the solution depends on third-party CSPM and CWPP integrations for coverage across the major cloud providers. This approach creates challenges for organizations using tier 2 and 3 cloud providers, where integration support is limited.

  • Automated vulnerability validation and exploitation testing: The solution cannot perform native validation or active testing and instead relies on third-party intelligence sources. This dependency means it cannot directly verify vulnerability existence or exploitability or validate the effectiveness of compensating controls. 

Purchase Considerations
Brinqa offers a transparent licensing model based on deduplicated assets with active findings, regardless of how many vulnerabilities each asset contains. The pricing structure includes unlimited users, dashboards, connectors, and correlation rules with subscription terms ranging from one to three years and annual true-ups if asset counts increase. Cost transparency is enhanced by not charging for context-only assets or additional data sources, encouraging broader data ingestion. No module gating exists, as CSPM, AppSec, VM, and Cloud functionality are included once an asset is licensed, with optional future add-ons planned for a long-term analytics warehouse and a GenAI query layer.

The solution functions as a comprehensive platform play with demonstrated enterprise-scale deployments at Fortune 100 retailers managing millions of assets and tens of millions of vulnerabilities daily. Its architecture supports both SaaS and self-hosted deployment options using a microservice approach with stateless API tiers and distributed graph storage. The flexible risk model builder allows organizations to combine various scoring systems including CVSS, EPSS, KEV, asset criticality, and business impact factors.

Implementation complexity is mitigated through guided wizards for connectors, scoring models, and workflows, though the system appears primarily designed for larger organizations with dedicated security teams rather than SMB environments with limited resources. The low-code designer provides flexibility for advanced users while offering role-based access control for nontechnical stakeholders.

Use Cases
Brinqa excels as a vulnerability correlation platform for large enterprises with diverse security toolsets, normalizing findings from more than 220 data sources into a unified risk model. Security leaders gain visibility across previously siloed domains through Brinqa's interactive dashboards and attack path visualizations, enabling strategic prioritization of remediation efforts. Organizations with mature security programs leverage its highly customizable risk scoring to align vulnerability management with business priorities, applying conditional logic based on attributes like IP ranges, cloud accounts, or data sensitivity. The platform's workflow engine serves complex enterprises by automating multistep approval processes with SLA timers and escalations, reducing manual overhead in remediation tracking across distributed teams and technologies.

Check Point: Harmony Endpoint

Solution Overview
Check Point focuses on providing cybersecurity solutions with an emphasis on prevention-first security for enterprise environments. Over the past year, the company completed the acquisition of Cyberint Technologies, enhancing its external risk management and threat intelligence capabilities, which are being integrated into its broader security services. However, its Cloud Native Application Protection Platform (CNAPP) offering is no longer available due to its agreement with Wiz, which moves Check Point’s CNAPP customers to the Wiz solution.

Harmony Endpoint is Check Point’s endpoint security solution, designed to deliver comprehensive protection for endpoints against a wide range of threats. It operates as a standalone solution within the larger Harmony suite, offering advanced endpoint protection platform (EPP), endpoint detection and response (EDR), and extended detection and response (XDR) capabilities through a single agent and unified management console. 

Harmony Endpoint integrates with Ivanti for automated vulnerability assessment and patch management, enabling organizations to discover, manage, and remediate software vulnerabilities across endpoints with minimal manual intervention. The solution supports multiple operating systems, provides threat intelligence via Check Point’s ThreatCloud, and includes features such as anti-ransomware, antimalware, anti-phishing, behavioral analysis, data loss prevention, and full disk encryption. Harmony Endpoint can be deployed on-premises or in the cloud and is managed through a unified console, supporting both centralized and distributed environments.

Check Point is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the GigaOm Radar for CVM chart.

Strengths
Check Point scored well on a number of decision criteria, including:

  • Risk-based assessment: The solution provides risk-based prioritization through its managed vulnerability services and Infinity External Risk Management capabilities. It leverages established frameworks such as NIST RMF and CISv8 RAM to assess and prioritize vulnerabilities based on risk, impact, and remediation effort. This approach helps organizations focus their remediation efforts on the vulnerabilities that pose the greatest risk to their environment.

  • Application vulnerability assessment: The platform, through its integration with Ivanti, delivers automated vulnerability scanning and patch management for endpoints. It can identify vulnerabilities in applications installed on endpoints, providing visibility into potential security gaps. This capability helps organizations maintain a more secure application environment through automated detection and remediation workflows.

  • Integrations: The solution integrates with Ivanti to provide vulnerability and patch management capabilities. Additionally, the managed services it offers integrate with third-party vulnerability scanners, including Tenable and Microsoft. These integrations extend the solution's capabilities and allow it to function within diverse security ecosystems.

Opportunities
Check Point has room for improvement in a few decision criteria, including:

  • Network-based vulnerability scanning: The solution relies on integration with third-party platforms rather than offering native scanning capabilities, creating potential workflow disruptions and visibility gaps. This integration-dependent approach may present challenges for organizations with complex network infrastructures requiring specialized scanning configurations, as the solution lacks unique scanning algorithms that differentiate it from competitors. Financial institutions and healthcare organizations with strict compliance requirements may find the depth of scanning insufficient for their regulated environments, particularly when dealing with legacy systems that require specialized assessment methodologies.

  • Customizable risk scoring: The solution's risk scoring functionality demonstrates considerable limitations in environments requiring tailored risk assessment approaches. The reliance on standard frameworks and vendor-defined criteria restricts organizations from fully aligning security prioritization with their specific business context. This limitation particularly impacts enterprises with unique threat models or specialized compliance requirements that fall outside conventional scoring parameters. Security teams in industries with distinct risk profiles, such as critical infrastructure or manufacturing, may struggle to accurately represent their particular vulnerability exposure and impact scenarios within the constraints of the solution's scoring model.

Purchase Considerations
Check Point offers a straightforward subscription model priced per protected endpoint with volume tiers (≤500, ≤5,000, >5,000) and annual or multiyear options. The licensing structure presents two main bundles: Harmony Endpoint Advanced (core EPP functionality) and Harmony Endpoint Complete (adding advanced capabilities like Threat Emulation and Extraction, Forensics and EDR, and encryption). Cloud management is included with no additional charges for API usage or event retention up to 12 months. Organizations should consider potential add-on costs for Harmony Mobile (UEM-integrated mobile protection) and Harmony Connect (ZTNA and VPN), though cross-bundle discounts are available. Support tiers include Standard (8 hours a day, 5 days a week), with Premium (24/7) available at a 15% list price premium.

The solution integrates with the broader Check Point ecosystem while providing standalone endpoint protection capabilities. Scalability is suitable for mid-market to enterprise deployments, supporting tens of thousands of agents in a single tenant (production references exceed 30,000) with an option for on-premises deployment supporting up to 15,000 endpoints per appliance. The agent's resource footprint remains lightweight at under 2% average CPU utilization and 150-200 MB RAM during idle operation.

Implementation complexity is moderate with multiple deployment methods supported across Windows, macOS, and Linux environments. The guided onboarding wizard enables basic setup in under 15 minutes through the web-based Infinity Portal. Organizations with existing security infrastructure will benefit from integrations with major SIEM and SOAR platforms, ServiceNow ITSM, and identity providers, though some operational limitations exist including Windows-only log viewing for offline troubleshooting and bulk operations capped at 1,000 objects per action.

Use Cases
Check Point delivers a consolidated security approach centered around endpoint protection with integrated vulnerability management. Organizations with large Windows and macOS device fleets benefit from Harmony Endpoint's lightweight agent (150-200 MB RAM idle), which combines vulnerability scanning with automated ransomware recovery capabilities. The solution serves IT security teams in regulated industries through its FIPS 140-2 validated cryptography and compliance reporting options. Mid-size enterprises appreciate the flexible deployment options spanning cloud-managed, on-premises, and hybrid architectures supporting up to 30,000 endpoints. 

Check Point's risk-based assessment framework helps security teams prioritize remediation efforts based on business impact, though organizations seeking comprehensive vulnerability management across cloud-native environments, IaC, or software components will need additional solutions to fill these capability gaps.

Cisco: Cisco Vulnerability Management 

Solution Overview
Cisco Vulnerability Management is designed to help organizations prioritize and remediate cybersecurity vulnerabilities. The company's primary emphasis is on using data science and ML to assess and quantify risk across an organization's attack surface. Cisco acquired Kenna Security in 2021 to bolster its SecureX platform.

Cisco’s use of advanced data science and ML algorithms to prioritize vulnerabilities based on real-world threat intelligence is notable. The solution is not a standalone product but rather an integrated system that combines multiple components to provide a holistic view of an organization's vulnerability landscape.

Cisco Vulnerability Management works by ingesting vulnerability data from various sources, including scanners, asset management tools, and threat intelligence feeds. It then applies ML algorithms to analyze this data, considering factors such as exploit availability, real-world attack trends, and asset criticality. Cisco Vulnerability Management is cloud-based, integrating with existing security infrastructure to provide actionable insights for risk reduction. 

Cisco is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the GigaOm Radar for CVM chart.

Strengths
Cisco scored well on a number of decision criteria, including:

  • Risk-based assessment: The solution employs a scoring engine that combines machine learning, real-world exploit telemetry, threat intelligence, and predictive analytics to evaluate risk. The system effectively contextualizes risk across different assets, allowing organizations to understand their vulnerability exposure in relation to their environment. The prioritization approach considers both exploitation likelihood and business impact, enabling more focused remediation efforts on vulnerabilities that present the greatest actual risk.

  • Customizable risk scoring: The platform provides robust customization options including adjustable risk meters, asset groupings, and tolerance levels to align with organizational priorities. It incorporates both internal factors such as asset criticality and vulnerability prevalence alongside external threat intelligence for comprehensive risk assessment. The peer benchmarking capabilities with organization-specific options allow security teams to understand their posture relative to industry standards.

  • Integrations: Integration capabilities are a core design principle of the solution, with an extensive ecosystem connecting to vulnerability scanners, security tools, ticketing systems, SIEMs, and threat intelligence feeds. The mature connector framework supports virtually all major security and IT management platforms, enabling streamlined workflows and broader visibility across the security infrastructure.

Opportunities
Cisco has room for improvement in a few decision criteria, including:

  • Software composition analysis: The solution relies heavily on third-party integrations for SCA functionality rather than offering native capabilities. This dependency on external tools like Contrast Security for raw data collection creates potential integration challenges in environments with strict security boundaries or unique deployment models. Organizations in highly regulated industries such as healthcare or financial services may find this approach insufficient when comprehensive, auditable component analysis is required for compliance purposes.

  • IaC vulnerability and misconfiguration assessment: The integration-based approach, while functional, introduces potential security gaps during tool transitions or API changes. The solution's reliance on connections to external security tools means effectiveness varies based on the quality and coverage of these third-party integrations. This creates particular challenges for organizations with complex multicloud deployments or those using emerging IaC frameworks that may not be fully supported by the integrated security partners.

  • Cloud-native and serverless function scanning: Despite adequate integration with major cloud providers' security controls, the solution faces limitations with specialized cloud environments or custom serverless implementations. The indirect scanning approach may result in detection delays for ephemeral resources and potential visibility gaps in containerized environments where traditional security models are insufficient. Organizations with multicloud or hybrid architectures may encounter inconsistent coverage across different deployment models.

Purchase Considerations
Cisco offers two SaaS tiers for its vulnerability risk management solution: Advantage (core RBVM functionality) and Premier (adding Talos Zero-Day intelligence, remediation analytics, and exploit prediction modeling). The pricing metric is based on active assets with at least one open finding, with annual billing and volume discount bands (≤25K, ≤250K, >250K). The pricing structure includes unlimited users, connectors, and API calls. Multiyear discounts up to 15% are available for 3-year commitments, and additional professional services are offered at published rates ($2,000 per day remote for North America).

This solution delivers a comprehensive platform within the Cisco security ecosystem with proven enterprise-scale capabilities. Its architecture ensures high performance at scale, featuring dashboards for user interface access and robust APIs for seamless integration with existing workflows. Organizations should note that the SaaS-only deployment model on AWS offers a 99.9% availability SLA and SOC 2 Type II auditing.

Implementation complexity is minimized through no-code connector wizards and an intuitive HTML5 UI featuring customizable dashboards and global search functionality. The "Top Fixes" algorithm clusters CVEs by common patch to reduce duplicate remediation work. Integration capabilities are exceptional, particularly within the Cisco ecosystem (Cyber Vision, Secure Workload, XDR, and Splunk), while also supporting numerous third-party SIEM and SOAR platforms, ITSM systems, and data export options. The solution is well suited for organizations seeking advanced risk prioritization with extensive integration capabilities, though some users report occasional UI lag with very large result sets.

Use Cases
Cisco's solution excels for large organizations with diverse vulnerability data sources seeking unified risk prioritization. Security teams leverage Cisco's extensive threat intelligence network, including Talos, to focus remediation efforts on exploitable vulnerabilities rather than theoretical risks. The platform's "Top Fixes" algorithm intelligently clusters related CVEs by common patches, reducing duplicate work for remediation teams. Organizations already invested in Cisco's security ecosystem gain additional value through seamless integration with Cisco XDR, Secure Firewall, and Secure Endpoint. Enterprise security leaders appreciate the scalability for environments with up to 40 million assets and 3.5 billion vulnerability records while maintaining sub-4-second dashboard load times through efficient data handling.

Fortra: Fortra Vulnerability Management

Solution Overview
Fortra stands out as a dynamic vendor in the vulnerability management landscape, with a primary focus on delivering cybersecurity solutions that help organizations safeguard critical data and infrastructure. In the past year, Fortra has bolstered its portfolio through strategic acquisitions and enhancements, notably expanding its capabilities in managed security services and automation to strengthen its market position. 

Fortra Vulnerability Management operates by combining advanced scanning, risk prioritization, and remediation tools to provide a holistic view of an organization’s security posture. It functions as part of a broader portfolio of cybersecurity offerings, with modular components that allow customization based on specific needs.

Fortra’s strategy caters to diverse use cases from enterprise security to compliance needs. Positioned in the Innovation half of the Radar due to its focus on integrated, adaptable features, Fortra exemplifies a forward-thinking mindset. 

Fortra is positioned as a Challenger and Forward Mover in the Innovation/Platform Play quadrant of the GigaOm Radar for CVM chart.

Strengths
Fortra scored well on a number of decision criteria, including:

  • Risk-based assessment: The solution employs a Threat Rank (0 to 100) and Active Risk Score system that combines severity, exploit intelligence, exposure, and criticality factors. It utilizes machine learning models supplemented with real-world threat feeds to deliver more nuanced risk prioritization than simple CVSS-only ranking approaches. This enables organizations to focus on vulnerabilities that pose the highest actual risk rather than just high CVSS scores and includes peer comparison capabilities for contextual prioritization.

  • Application vulnerability assessment: The platform provides a combination of DAST capabilities through its Web Application Scanning (WAS) technology covering OWASP Top 10 vulnerabilities with automated crawling via a proprietary engine. While the solution lacks IAST or deep API-specific testing functionality, it delivers solid application security assessment capabilities.

  • Network-based vulnerability scanning: The solution delivers both authenticated and unauthenticated network scanning with an unlimited capacity based on the number of scanners the customer deploys. It supports distributed scanners with unified reporting and covers a wide range of devices including routers, firewalls, and wireless access points. Additionally, it includes CIS benchmark checks for compliance requirements, providing a comprehensive view of network vulnerability posture.

Opportunities
Fortra has room for improvement in a few decision criteria, including:

  • Software composition analysis: The solution offers only limited open source software checks within its framework, creating substantial gaps in security coverage. This approach lacks comprehensive dependency tracking, version monitoring, and license compliance capabilities that are essential for organizations with complex software supply chains. Security teams in enterprises with significant open source usage will struggle to gain complete visibility into their component risk exposure, which is particularly problematic for organizations facing strict regulatory compliance requirements.

  • Cloud-native and serverless function scanning: While providing basic container image assessment functionality, the solution demonstrates significant limitations in cloud-native security coverage. The absence of comprehensive serverless function scanning capabilities creates potential blind spots in modern cloud architectures. Organizations adopting cloud-native development approaches or leveraging serverless computing models will encounter security visibility gaps that could leave critical workloads inadequately protected against emerging threats.

  • Customizable risk scoring: Despite offering Active Risk Profiles and a Security GPA system that allows some weighting adjustments, the solution's customization depth falls short of leading platforms. Organizations with specialized risk assessment requirements or unique business contexts may find the limitations restrictive when attempting to align security priorities with specific organizational risk tolerances or industry-specific compliance frameworks.

Fortra was classified as a Forward Mover given its relatively slow rate of development and limited feature releases over the past year. It has instead focused on growing through market awareness efforts targeting specific buyers.

Purchase Considerations
Fortra offers a core subscription model priced per active asset or IP with a single SKU covering the network and another SKU for web application scanning functionality. The pricing structure includes unlimited users, scan frequency, and connector calls. Organizations should consider potential add-on costs for specialized modules like the Container Security module. Purchasing options include direct sales, value-added resellers, and a usage-based MSSP program, with multiyear (3- to 5-year) term discounts available and a perpetual on-premises license option with annual maintenance.

The solution functions as a comprehensive vulnerability assessment platform addressing network layer scanning (both unauthenticated and credentialed), web application and API dynamic testing, cloud asset discovery, and container image and registry scanning. Its distributed scanner architecture enables deployment across multiple sites and VLANs while maintaining centralized management, making it suitable for organizations of varying sizes. The platform processes over 2 billion vulnerability checks daily across its customer base, with practical limits determined by licensed-asset count rather than software constraints.

Deployment options provide flexibility with SaaS (multitenant), virtual appliances (VMware, Hyper-V, and KVM), cloud marketplace images (AWS and Azure), and air-gapped OVA for classified networks. Implementation complexity is moderate, with a new-scan wizard taking under five minutes to configure, and integration wizards for common platforms like ServiceNow, Splunk, and Jira. Organizations should note that the HTML5 UI features role-based dashboards that load quickly even with large datasets. Additionally, built-in workflow automation and remediation validation capabilities are basic, potentially requiring external ITSM and SOAR integration for advanced playbooks.

Use Cases
Fortra delivers robust vulnerability management through a unified platform combining network and application scanning capabilities. Mid-market organizations with resource constraints benefit from its "Start Here" panel that automatically prioritizes vulnerabilities grouped by common remediation actions, reducing technical debt efficiently. The solution serves compliance-focused teams with prebuilt report templates mapped to PCI-DSS, HIPAA, NIST 800-53, and ISO 27001 frameworks. Security teams in distributed environments leverage its scalable architecture with distributed scanners managed from a central console. 
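The grouping idea behind Fortra's "Start Here" panel above, and behind Cisco's "Top Fixes" algorithm described earlier in this report, is to rank remediation actions rather than individual findings, so that one patch or configuration change closes every CVE it covers across every asset. The following Python sketch is an added illustration of that idea; it is not either vendor's code, and the fix names, asset names, CVE placeholders and risk values in it are constructed for the example.

```python
"""Illustrative "group findings by common fix" prioritization.

Added example, not Cisco's "Top Fixes" or Fortra's "Start Here" implementation.
Fix identifiers, asset names, CVE placeholders and risk values are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str      # placeholder identifiers, not real CVE numbers
    asset: str    # constructed host name
    risk: float   # 0-100 risk score already produced by a risk-based engine
    fix: str      # the single remediation action that resolves this finding


# Constructed sample: the same rollup patch fixes two CVEs on two servers,
# while the single highest-risk finding needs its own library upgrade.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0101", "srv-1", 70.0, "apply-monthly-rollup-placeholder"),
    Finding("CVE-EXAMPLE-0102", "srv-1", 40.0, "apply-monthly-rollup-placeholder"),
    Finding("CVE-EXAMPLE-0101", "srv-2", 65.0, "apply-monthly-rollup-placeholder"),
    Finding("CVE-EXAMPLE-0201", "web-1", 90.0, "upgrade-library-x-to-fixed-release"),
    Finding("CVE-EXAMPLE-0301", "srv-3", 30.0, "disable-legacy-service"),
    Finding("CVE-EXAMPLE-0302", "srv-3", 20.0, "disable-legacy-service"),
]


def top_fixes(findings, limit=None):
    """Return remediation actions ordered by the total risk they remove.

    Each entry lists the distinct CVEs and assets the action covers, so a
    single ticket can be raised per fix instead of one per finding.
    """
    groups = defaultdict(list)
    for f in findings:
        groups[f.fix].append(f)

    ranked = []
    for fix, items in groups.items():
        ranked.append({
            "fix": fix,
            "findings_closed": len(items),
            "risk_removed": round(sum(i.risk for i in items), 1),
            "cves": sorted({i.cve for i in items}),
            "assets": sorted({i.asset for i in items}),
        })
    # Highest total risk first; fix name breaks ties deterministically.
    ranked.sort(key=lambda r: (-r["risk_removed"], r["fix"]))
    return ranked[:limit] if limit else ranked


def top_findings_by_risk(findings):
    """The per-finding view for comparison: single highest-risk item first."""
    return [f.cve for f in sorted(findings, key=lambda f: f.risk, reverse=True)]


if __name__ == "__main__":
    for entry in top_fixes(SAMPLE_FINDINGS):
        print(entry)
```

Ranked per finding, the library upgrade (risk 90) would come first; ranked per fix, the rollup patch comes first because it removes 175 points of risk across three findings on two hosts with one action. In practice the grouping key would be whatever the scanner reports as the remediating patch, package version, or configuration change.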

While strong in traditional vulnerability assessment, organizations with advanced cloud-native environments or a requirement for IaC scanning will find gaps. The platform is particularly well suited for MSSPs and service providers through its multitenant support and flexible deployment options across SaaS, virtual appliances, and air-gapped installations for classified networks.

GFI Software: GFI LanGuard

Solution Overview
GFI Software is a vendor in the vulnerability management space with a focus on providing practical IT solutions for small- to medium-sized businesses, aiming to address security and network management needs. The company targets organizations seeking accessible tools for managing vulnerabilities alongside other IT operations. 

GFI LanGuard functions by scanning networks to identify vulnerabilities, providing patch management, and generating compliance reports to assist with security maintenance. It operates as a standalone solution but can integrate with other products within GFI Software’s broader portfolio of IT management tools. Relevant products include Appmanager AI, GFI LanGuard Unlimited for comprehensive coverage, and GFI LanGuard Subscription for flexible licensing. GFI Software’s strategy takes a focused approach, addressing common use cases like patch management and basic vulnerability scanning for smaller enterprises. The vendor is positioned in the Maturity half of the Radar due to its established presence and focus on well-defined, conventional features. 

GFI Software is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the GigaOm Radar for CVM chart.

Strengths
GFI Software scored well on a number of decision criteria, including:

  • Network-based vulnerability scanning: The solution provides robust network vulnerability assessment capabilities, conducting over 60,000 vulnerability assessments across diverse network devices and virtual environments. It offers flexibility with both agent-based and agentless scanning options, allowing organizations to implement the most appropriate approach for different segments of their infrastructure.

  • Application vulnerability assessment: The solution identifies vulnerabilities in installed applications by leveraging vulnerability databases like OVAL. This provides organizations with visibility into potential security issues within their application stack, though the solution lacks advanced testing capabilities for modern application architectures.

  • Risk-based assessment: The solution implements a vulnerability level indicator system that categorizes security issues as high, medium, or low. This basic prioritization mechanism helps organizations understand which vulnerabilities might require more immediate attention, though it lacks more advanced contextualization with business impact assessment or threat intelligence incorporation.

Opportunities
GFI Software has room for improvement in a few decision criteria, including:

  • Customizable risk scoring: The solution demonstrates significant limitations in its risk scoring functionality, offering only basic severity adjustments without comprehensive customization capabilities. Organizations requiring sophisticated risk models that incorporate business context will find these constraints particularly problematic. Security teams in regulated industries or those with complex risk evaluation frameworks cannot adequately reflect their unique security posture using the limited adjustment options available, potentially leading to misaligned prioritization and resource allocation.

  • Integrations: While the solution connects with numerous traditional security applications, it exhibits notable gaps in modern tool integration. The lack of robust API support creates obstacles for organizations heavily invested in contemporary SIEM solutions or DevOps automation frameworks. This limitation is particularly challenging for enterprises pursuing security automation initiatives or implementing CI/CD pipelines where seamless integration capabilities are essential. Development teams attempting to incorporate security earlier in the software lifecycle may struggle with the solution's limited capabilities for DevOps tool integration.

Purchase Considerations
GFI Software offers a straightforward licensing model based on managed nodes (agent or agentless). The same SKU includes both scanning and patching capabilities for operating systems and third-party applications. Cost transparency is enhanced through the Central Management Server component and relay-agent functionality, which are included at no additional cost. 

The solution functions primarily as a traditional vulnerability assessment and patch management tool, with a single LanGuard server supporting up to 3,000 managed endpoints. For larger environments, the Central Management Server can aggregate multiple LanGuard instances to provide cross-site rollup dashboards. The product supports both agent-based and agentless approaches, with agents performing local scanning to reduce bandwidth consumption, which is particularly beneficial for WAN and VPN links and branch offices.

Implementation complexity is moderate with a Windows MMC-style console that includes predefined scan profiles and a guided "Scan & Fix" wizard. Organizations should note that the management console is Windows-only, and large result sets (>1M entries) may experience performance delays. The ecosystem integration is centered around Microsoft technologies with strong Active Directory integration and Windows Update and WSUS connectivity, though API-based integration options are limited, with most integrations relying on scheduled exports or database views rather than a modern REST API.

Use Cases
GFI Software provides a traditional vulnerability management and patching solution best suited for Windows-centric environments. Security teams in small- to mid-size organizations appreciate LanGuard's unified console for vulnerability scanning and automated patch deployment across Windows, macOS, and Linux systems. The solution serves compliance-focused teams with built-in templates for PCI-DSS, HIPAA, SOX, and ISO 27001, enabling straightforward regulatory reporting. While the Windows MMC-style console may feel dated compared to modern web interfaces, its familiar design reduces learning curves for Windows administrators. The solution's key limitations include its SQL Server dependency, lack of native API integration capabilities, and performance constraints with large result sets.

Holm Security: Vulnerability Management Platform (VMP)*

Solution Overview
Holm Security is a vendor in the vulnerability management domain with a focus on providing comprehensive security assessment tools for organizations looking to strengthen their cybersecurity posture. The company concentrates on delivering solutions that address both technical vulnerabilities and human factors through a unified platform. 

Holm Security VMP functions by combining automated scanning for network and application vulnerabilities with features for phishing simulation and security awareness training. It operates as a platform with modular components that can be tailored to specific organizational needs rather than acting as a standalone tool. Relevant products include Holm Security VMP Enterprise for larger setups and Holm Security VMP Essentials for smaller environments. The vendor is positioned in the Innovation half of the Radar due to its integration of human-centric security elements alongside traditional scanning.

Holm Security is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the GigaOm Radar for CVM chart.

Strengths
Holm Security scored well on a number of decision criteria, including:

  • Network-based vulnerability scanning: The solution provides extensive scanning capabilities covering over 150,000 vulnerabilities across diverse assets. It employs inference-based engines for accurate fingerprinting of systems and devices, enhancing detection reliability. Additionally, it incorporates CIS Benchmarks for policy assessment, allowing organizations to evaluate their security posture against industry-recognized standards.

  • Risk-based assessment: The platform offers a unified 0-100 risk scoring system enhanced by AI-driven threat intelligence. This comprehensive approach factors in exploits, ransomware, exposure, and business impact for effective prioritization. It enables security teams to focus remediation efforts on vulnerabilities that present the greatest actual risk to the organization rather than relying solely on severity scores.

  • Application vulnerability assessment: The solution delivers robust dynamic application security testing (DAST) within its web application scanning capabilities. It supports OWASP Top 10 vulnerability detection, advanced authentication methods, and modern JavaScript frameworks, though its static analysis capabilities are more limited compared to its dynamic testing functions.

Opportunities
Holm Security has room for improvement in a few decision criteria, including:

  • Software composition analysis: The solution exhibits considerable limitations in its SCA capabilities, only identifying outdated JavaScript components through its dynamic scanning mechanism. This narrow approach lacks comprehensive dependency analysis and fails to generate software bills of materials (SBOMs), which presents significant challenges for organizations with complex software supply chains. The restricted visibility into open source components creates potential security blind spots, particularly problematic for development teams working with diverse programming languages beyond JavaScript or those needing to meet regulatory compliance requirements for software composition transparency.

  • IaC vulnerability and misconfiguration assessment: The solution demonstrates notable deficiencies in infrastructure-as-code security assessment. Without documented scanning capabilities for common IaC tools like Terraform or CloudFormation, organizations embracing DevSecOps practices face significant gaps in their security coverage. While runtime cloud misconfiguration detection is available through cloud security posture management, the absence of predeployment security validation prevents organizations from identifying security issues early in the development lifecycle, creating inefficiencies and increasing remediation costs.

  • Customizable risk scoring: Although the solution allows vulnerability prioritization through business impact settings and filtering options, it shows limitations in core risk algorithm customization. This constraint can impact organizations with specialized risk frameworks or unique security posture requirements. Financial institutions, healthcare organizations, and government agencies that operate under strict compliance regimes may find the customization options insufficient to accurately reflect their specific risk contexts or incorporate industry-specific risk factors that fall outside standard assessment models.

Purchase Considerations
Holm Security offers a subscription-based licensing model priced per active IP or host for System & Network Scanning and per web application for Web Application Scanning, with an additional Phishing module licensed per user mailbox. The pricing structure includes unlimited scans, users, and scanner nodes in the base fee with no surcharge for cloud versus on-premises sensors. Optional add-ons include dedicated hardware scanners, premium support SLAs, and fixed-scope penetration testing services. Volume discounts are available for MSSPs, with multiyear contracts offering up to 15% discount for 3-year terms. Overages are handled through quarterly true-ups based on portal counters, providing reasonable transparency for budget planning.

The solution functions as a comprehensive vulnerability management system with a cloud-native control plane and distributed scanner architecture. Its operational scope covers traditional system and network scanning (both authenticated and unauthenticated), web application scanning (OWASP Top 10, REST and GraphQL APIs), and an optional phishing simulation module. The platform supports various deployment models including a standard SaaS portal with on-premises scanner nodes and a fully on-premises option for restricted networks.

Implementation complexity is moderate with initial setup taking under 15 minutes to deploy the scanner nodes. The HTML5 web console offers predefined scan templates and GUI-based policy editing that doesn't require XML or CLI knowledge. Organizations should take note of the platform's limitations with very large result sets (over 1 million findings), which may require additional filtering before export to avoid browser timeouts. Integration capabilities include a REST and JSON API with Swagger documentation, out-of-box connections to ServiceNow SecOps and Jira, standardized syslog outputs for SIEM integration, and SSO support via SAML 2.0.

Use Cases
Holm Security delivers a balanced vulnerability management platform particularly suited for mid-size European organizations navigating regulatory compliance requirements. Security teams appreciate its unified 0-100 risk scoring system enhanced by AI-driven threat intelligence that factors in exploit availability, ransomware likelihood, and business impact for effective prioritization. The solution serves distributed enterprises through its unlimited scanner node architecture that can be deployed across multiple network zones while maintaining central management. Organizations with traditional infrastructure benefit from comprehensive network vulnerability scanning covering more than 150,000 vulnerabilities with strong CIS Benchmark policy assessment. The platform provides valuable compliance mapping for PCI-DSS, GDPR, and ISO 27001 frameworks through customizable report templates. While strong in traditional vulnerability assessment, organizations seeking attack path analysis or comprehensive software composition analysis will find limitations in the current offering.

6. Solution Insights I-Q

Intel 471*

Solution Overview
Intel 471 is a cybersecurity intelligence and threat hunting company that specializes in providing actionable threat intelligence to organizations worldwide. The company's primary focus is on monitoring cybercriminal activities, tracking threat actors, and delivering timely, relevant intelligence and threat-hunt packages to help businesses protect their assets and mitigate risks. 

Intel 471's approach is based on human intelligence gathering combined with technical data collection. The company offers a comprehensive threat intelligence solution designed to provide a holistic view of the threat landscape.

The Intel 471 core intelligence solution consists of several components, including Adversary Intelligence, Malware Intelligence, Credential Intelligence, Cyber Geopolitical Intelligence, Marketplace Intelligence, and Vulnerability Intelligence. These services work together to provide organizations with a deep understanding of cybercriminal activities, tactics, and motivations. The solution operates by leveraging a global network of intelligence analysts and sophisticated data collection technologies to gather information from various sources, including dark web forums, underground marketplaces, and cybercriminal communications channels. This raw data is then analyzed, contextualized, and delivered to clients through a user-friendly web portal, API integrations, and customized reports. 

Intel 471 is positioned as a Challenger and Fast Mover in the Innovation/Feature Play quadrant of the GigaOm Radar for CVM chart.

Strengths
Intel 471 scored well on a number of decision criteria, including:

  • Risk-based assessment: The solution implements a proprietary intelligence-driven approach that factors in exploit status, actor interest, patch availability, CVSS score, and CVE ID. It tracks "precursors to exploitation," including underground market activity and proof-of-concept availability. This contextual assessment goes beyond traditional CVSS scoring by incorporating actor-based threat intelligence correlation, providing organizations with a more comprehensive view of their vulnerability risk landscape.

  • Integrations: The platform provides RESTful API capabilities with multiple documented third-party integrations. It connects with various security tools including SIEMs, TIPs, Microsoft Security Copilot, ThreatConnect, FortiSOAR, Cortex XSOAR, ServiceNow, and Anomali. The API access enables custom integration development and automated intelligence ingestion workflows, allowing organizations to incorporate Intel 471's data into their existing security ecosystem.

  • Customizable risk scoring: The solution allows risk ratings to be configured by users based on correlation rules that identify risks. It includes over 40 rules that analyze identified OSINT from scans and surface findings requiring attention, such as critical unpatched vulnerabilities, exposed S3 buckets, email addresses found in data breaches, and malware activity emanating from the customer's network.
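The risk-based assessment strengths described for Cisco, Fortra (Threat Rank 0 to 100), Holm Security (unified 0-100 score) and Intel 471 above all rest on the same idea: a CVSS base score is only one input, and exploit intelligence, exposure and asset criticality must be combined with it so that an exploited, internet-facing flaw on a critical host outranks a theoretically severe one on an isolated test box. The Python below is an added illustration of that contrast and not any of these vendors' scoring engines; the weights, factor names, CVE placeholders and sample findings are constructed for the example.

```python
"""Illustrative risk-based prioritization versus CVSS-only ranking.

Added example; the weights and factor model are assumptions for illustration,
not the formula of any vendor covered in this report.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                  # placeholder identifiers, not real CVE numbers
    asset: str                # constructed host name
    cvss: float               # base severity, 0.0-10.0
    exploit_public: bool      # proof-of-concept or weaponized exploit is public
    actively_exploited: bool  # seen in real-world attack telemetry
    internet_exposed: bool    # asset reachable from the internet
    asset_criticality: int    # 1 (low) .. 5 (crown jewel), set by the asset owner


# Constructed sample: A is "critical" by CVSS but isolated and unexploited;
# B is lower by CVSS but exploited in the wild on an exposed critical host.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0001", "test-box-1", 9.8, False, False, False, 2),
    Finding("CVE-EXAMPLE-0002", "payments-gw", 7.8, True, True, True, 5),
    Finding("CVE-EXAMPLE-0003", "app-srv-4", 8.2, True, False, False, 3),
]


def risk_score(f: Finding) -> float:
    """Return a 0-100 score combining severity, exploit intelligence,
    exposure and asset criticality (assumed weights, summing to 1.0)."""
    severity = f.cvss / 10.0                                  # 0..1
    if f.actively_exploited:
        exploit = 1.0        # precursor evidence: real-world exploitation
    elif f.exploit_public:
        exploit = 0.6        # precursor evidence: public proof of concept
    else:
        exploit = 0.2        # no known exploit, residual likelihood only
    exposure = 1.0 if f.internet_exposed else 0.4
    criticality = f.asset_criticality / 5.0                   # 0.2..1
    score = 100 * (0.35 * severity + 0.30 * exploit
                   + 0.15 * exposure + 0.20 * criticality)
    return round(score, 1)


def rank_by_cvss(findings):
    """CVSS-only ordering: highest base score first."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_risk(findings):
    """Risk-based ordering: highest combined score first."""
    return [f.cve for f in sorted(findings, key=risk_score, reverse=True)]


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f.cve, f.asset, "cvss", f.cvss, "risk", risk_score(f))
    print("by CVSS:", rank_by_cvss(SAMPLE_FINDINGS))
    print("by risk:", rank_by_risk(SAMPLE_FINDINGS))
```

With the constructed sample, CVSS-only ordering puts the isolated test box first, while the combined score moves the actively exploited, internet-facing finding on the critical host to the top. The weights are the part a platform exposes as "customizable risk scoring": the same inputs with organization-specific weights change the ordering, which is why the report treats adjustable weighting and business-context inputs as a separate decision criterion.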

Opportunities
Intel 471 has room for improvement in a few decision criteria, including:

  • Application vulnerability assessment: The solution's approach to vulnerability assessment relies exclusively on external application detection combined with threat intelligence for risk evaluation. This methodology creates significant limitations for organizations needing comprehensive application security testing. The absence of traditional static, dynamic, and interactive testing capabilities means it cannot detect many common vulnerability types within application code or runtime environments. Organizations with complex web applications or those requiring compliance with security standards will find the detection capabilities insufficient compared to dedicated application security testing tools.

  • Network-based vulnerability scanning: The solution offers only limited external attack surface monitoring without comprehensive internal network vulnerability assessment capabilities. This external-only approach creates notable security gaps for organizations needing visibility into internal network vulnerabilities and misconfigurations. The reliance on OSINT sources rather than traditional scanning engines may result in less precise vulnerability detection and limited coverage depth. Organizations with complex network infrastructures requiring detailed vulnerability assessment will find these constraints particularly challenging.

  • Cloud-native and serverless function scanning: The solution demonstrates severe limitations in cloud security assessment, with capabilities restricted to basic identification of exposed cloud resources like storage buckets and databases. The absence of comprehensive cloud-native application scanning, container security assessment, and serverless function vulnerability detection creates significant blind spots in modern cloud environments. Organizations adopting cloud-native architectures or serverless computing models will experience substantial security coverage gaps that could leave critical workloads exposed to threats.

Purchase Considerations
Intel 471 offers tiered flat-rate SKUs (Essential, Advanced, Elite) based on feature access rather than asset count, providing unlimited domain and IP monitoring. The pricing structure includes optional add-ons such as Domain Takedown Service, Analyst Chat, and Dark-Web Monitoring, priced as fixed annual blocks. Base tier licenses include API usage, user seats, report exports, and 12-month data retention, with extended 24-month retention available for a 10% premium. Multiyear prepayments (3-year) can yield discounts up to 18%, and procurement options include direct purchase, value-added resellers, or MSSP consumption models.

The solution functions as an external attack surface management and threat intelligence platform operating entirely as SaaS on AWS. Its focus is exclusively on external visibility with no internal network scanning capabilities; by design, it complements rather than replaces traditional vulnerability management tools. Coverage includes open ports, banner vulnerabilities, certificate issues, typosquatting domains, malware hosting, credential leaks, breached third parties, darknet chatter, and exploit mapping.

Implementation complexity is minimal, requiring no scanners, agents, or credentialed connectors. Onboarding involves simply entering primary domains to auto-discover subdomains, netblocks, and brand variants, with initial findings available in under 15 minutes. The Angular and TypeScript console presents a single "Prioritized Exposures" list sortable by risk, exploit maturity, and discovery date, with inline remediation guidance linking directly to vendor knowledge bases and CERT advisories. Integration options include a REST and JSON API, a STIX and TAXII 2.1 feed for threat intelligence platforms, certified apps for Splunk and Microsoft Sentinel, and bidirectional ticketing with ServiceNow and Jira.

Use Cases
Intel 471 offers specialized external attack surface monitoring with strong threat intelligence rather than traditional vulnerability management. Security operations teams value its ability to correlate vulnerabilities with real-world exploitation data from underground forums, helping prioritize remediation of externally exposed assets based on actual threat actor interest. The solution serves organizations seeking improved external visibility without deploying additional infrastructure, as its SaaS architecture requires no on-premises scanners or agents. Incident response teams appreciate Intel 471's fast deployment model, where entering primary domains yields actionable findings within 15 minutes through automated discovery of subdomains, netblocks, and brand variants. While excellent for external risk prioritization, organizations should note that this solution complements rather than replaces traditional vulnerability management programs, as it lacks internal scanning, software composition analysis, and infrastructure-as-code assessment capabilities.

Intruder

Solution Overview
Intruder is a cybersecurity company that provides automated vulnerability scanning and management solutions for businesses of all sizes. The company's primary focus is on simplifying the process of identifying and addressing security weaknesses in an organization's external attack surface.

Intruder's approach to vulnerability management is characterized by its emphasis on simplicity, automation, and continuous monitoring. The company offers a single, comprehensive solution called Intruder, a standalone product that combines multiple components to provide a holistic view of an organization's vulnerabilities.

The solution works by continuously scanning an organization's internet-facing assets, including websites, IP addresses, and cloud infrastructure, as well as its internal assets. It utilizes a combination of proprietary scanning technology and integrations with leading vulnerability databases to identify potential security weaknesses.

One of the key capabilities of Intruder is its ability to perform both scheduled and on-demand scans, ensuring that organizations have up-to-date information on their security posture. The solution also offers integration with popular development and security tools, allowing seamless incorporation into existing workflows. Additionally, Intruder provides detailed reports and notifications, enabling security teams to quickly understand and address identified vulnerabilities.

Intruder is positioned as a Challenger and Fast Mover in the Innovation/Feature Play quadrant of the GigaOm Radar for CVM chart.

Strengths
Intruder scored well on a number of decision criteria, including:

  • Automated vulnerability validation and exploitation testing: The platform differentiates itself through a dedicated internal security team that actively validates vulnerabilities and develops custom detection checks. This human-led process reduces false positives and improves reliability, particularly for complex and evolving vulnerabilities. The solution is continuously updated based on the latest threat intelligence and attack techniques.

  • Risk-based assessment: The solution employs a multilayered assessment approach starting with a CVSSv3 baseline that is reviewed and adjusted by their security team. Scores are modified based on exposure factors such as whether assets are internet-facing or internal. The solution incorporates CISA KEV data for active exploitation intelligence and EPSS for exploitation probability. A unified data model presents all vulnerabilities in a single view with categorized, risk-prioritized remediation recommendations.

  • Cloud-native and serverless function scanning: The platform integrates with major cloud providers to identify, auto-sync, and scan internet-facing assets immediately upon exposure. It offers organization or tenant-level integration to discover new accounts and subscriptions. Recently launched CSPM functionality identifies misconfigurations and exposures including hard-coded secrets in Lambda files and unsupported runtimes.

Opportunities
Intruder has room for improvement in a few decision criteria, including:

  • Application vulnerability assessment: The solution focuses exclusively on dynamic scanning with no static analysis capabilities, creating challenges for organizations needing comprehensive application security coverage. While it offers various authentication methods for web applications, it demonstrates notable limitations with OAuth workflows that can increase false positives in modern applications using complex authentication mechanisms. Financial services companies and healthcare organizations with sophisticated single sign-on implementations may find these limitations particularly problematic, as incomplete authentication coverage could leave critical application paths unexplored.

  • Software composition analysis: The solution employs external fingerprinting and agent-based enumeration techniques that only identify visible components rather than performing comprehensive dependency analysis. This approach creates potential blind spots in dependency chains where vulnerabilities often hide. Organizations with complex software supply chains or those in regulated industries requiring complete software bills of materials will find these limitations restrictive, as nested dependencies and transitive vulnerabilities may remain undetected without deeper analysis capabilities.

  • Customizable risk scoring: While the solution allows for custom SLAs based on risk tiers, it lacks individual vulnerability scoring customization. This constraint limits organizations that need to adjust risk evaluations based on specific business context or asset criticality. Large enterprises with varied risk profiles across different business units may struggle to accurately prioritize vulnerabilities, as the fixed scoring approach cannot be tailored to reflect different impacts across diverse organizational environments.

Purchase Considerations
Intruder offers a transparent tiered subscription model (Essential, Cloud, Pro, and Enterprise) with published rates on their website. Pricing is based on "infrastructure licenses" covering unique external IP and FQDN or internal hosts, with an optional Web-App Scanning add-on priced per target URL. All plans include unlimited users, unlimited scan frequency, and all current integrations, with no implementation or setup fees.

The solution functions primarily as a vulnerability scanning platform with a 100% SaaS architecture hosted on Google Cloud Platform. Scan engines spin up elastically in the vendor's VPC with no customer-side infrastructure required. The platform supports both external-facing and internal assets through cloud connectors or VPN appliances, along with web applications and cloud environments (AWS, Azure, GCP). This breadth of coverage makes it suitable for organizations seeking consolidated visibility across diverse infrastructure components.

Implementation complexity is minimal with an onboarding wizard that imports assets from major cloud providers or via CSV, enabling first scans to start within 10 minutes of signup. The platform includes a "noise reduction" engine that automatically suppresses low-impact findings, presenting prioritized vulnerabilities with remediation advice, CVE details, vendor patch links, and CLI examples. This approach, combined with intuitive dashboards and UI aids, makes the solution particularly well suited for SMB and mid-market teams with limited security resources.

Use Cases
Intruder offers a straightforward vulnerability management solution ideal for small to mid-size organizations with limited security expertise. Security teams value its human-led vulnerability validation process that reduces false positives, distinguishing it from purely automated approaches. The platform serves resource-constrained IT departments through its noise reduction engine that automatically suppresses low-impact findings, allowing teams to focus on critical issues. Organizations with multicloud environments benefit from its integrations with AWS, Azure, and GCP that automatically discover and scan new assets as they're deployed. The solution's transparent pricing model based on infrastructure licenses makes budgeting predictable, while its intuitive interface enables new users to launch their first scan within 10 minutes of signup. Though excellent for external attack surface management, organizations requiring infrastructure-as-code scanning or attack path analysis capabilities will need to supplement with additional solutions.

Microsoft: Microsoft Defender Vulnerability Management*

Solution Overview
Microsoft's approach to vulnerability management is integrated into its broader security ecosystem, leveraging its extensive presence in enterprise IT environments. The company's solution, Microsoft Defender Vulnerability Management, is not a standalone product but rather a component of the larger Microsoft 365 Defender suite, which is part of the Microsoft Security portfolio.

Microsoft Defender Vulnerability Management works by continuously discovering, assessing, and prioritizing vulnerabilities across an organization's devices, applications, and networks. It uses Microsoft's vast threat intelligence network and ML algorithms to provide context-aware risk assessments. The solution integrates seamlessly with other Microsoft security products, offering a unified view of an organization's security posture.

The solution operates through agents installed on endpoints and servers, as well as agentless scanning capabilities for network devices. It provides real-time vulnerability assessments, prioritizes risks based on threat intelligence and exploit likelihood, and offers remediation guidance. The solution's dashboard provides a centralized view of vulnerability data, allowing security teams to quickly identify and address the most critical issues across their environment.

Microsoft is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the GigaOm Radar for CVM chart.

Strengths
Microsoft scored well on a number of decision criteria, including:

  • Attack path analysis: The solution delivers comprehensive attack path analysis capabilities through Defender for Cloud and Security Exposure Management. It employs graph-based algorithms to visualize exploitable paths across the environment, enabling security teams to understand potential attack vectors. This approach helps organizations prioritize remediation efforts by focusing on vulnerabilities that create the most dangerous attack paths, providing context beyond isolated vulnerability scores.

  • Risk-based assessment: The solution implements risk-based prioritization using an Exposure Score system ranging from 0-100. This scoring approach incorporates threat intelligence, breach likelihood, and asset criticality to provide a more contextual view of risk. The solution helps security teams focus on vulnerabilities that present the greatest actual risk rather than simply addressing issues based on severity scores alone.

  • IaC vulnerability and misconfiguration assessment: The platform provides robust IaC scanning through Microsoft Security DevOps. It supports agentless analysis of various IaC templates including ARM, Terraform, and Kubernetes, with CI/CD integration capabilities. This enables organizations to identify and remediate security issues early in the development lifecycle before infrastructure is deployed.

Opportunities
Microsoft has room for improvement in a few decision criteria, including:

  • Application vulnerability assessment: The solution offers restricted application security testing capabilities through its DevOps security components. These tools demonstrate notable scaling limitations in enterprise environments with diverse application portfolios. Organizations with complex application landscapes requiring comprehensive security testing will encounter significant coverage gaps compared to dedicated SAST and DAST alternatives. Financial services and healthcare sectors with stringent compliance requirements may find these constraints particularly limiting for achieving adequate security assurance across their application estates.

  • Software composition analysis: The solution presents substantial deficiencies in software composition analysis, with only rudimentary capabilities for identifying vulnerable components. The absence of systematic dependency analysis and license compliance functionality creates significant security and legal risks in modern development environments. Organizations relying heavily on open source components or operating in regulated industries will find these limitations particularly problematic, as they cannot effectively manage supply chain security risks or meet compliance requirements for third-party code usage.

  • Customizable risk scoring: The risk scoring approach employs predetermined severity ratings with minimal customization options, preventing organizations from aligning vulnerability prioritization with their specific business context. This inflexibility creates challenges for enterprises with unique risk profiles or specialized compliance requirements that necessitate tailored scoring methodologies. Security teams in critical infrastructure, healthcare, or financial services will struggle to accurately reflect their distinct risk landscapes within these constrained parameters.

Purchase Considerations
Microsoft offers a vulnerability management solution available through multiple licensing options: as a standalone SKU (Microsoft Defender Vulnerability Management, priced per endpoint per month) or included at no additional cost with Microsoft Defender for Endpoint Plan 2 and Microsoft 365 E5 Security bundles. For Azure-based servers, pricing follows a "per vCore/month" model through Defender for Cloud. Purchase channels include Enterprise Agreement, CSP, and MCA, with 3-year term discounts up to 15%. There are no surcharges for API usage, user seats, or report exports, though data retention is fixed at 90 days for endpoints and one year for Log Analytics unless extended through paid Azure Monitor retention.

The solution functions as a SaaS-native platform hosted on Azure with a 99.99% SLA. It leverages the Defender for Endpoint sensor for vulnerability detection on Windows, macOS, and Linux systems while providing agentless assessment for Azure resources, M365 Apps, and O365 services. Microsoft publicly cites "tens of millions of endpoints" sending vulnerability data daily with under 2-hour ingestion-to-portal latency. The endpoint sensor performs local CVE matching and sends only delta information, keeping network overhead below 50KB per endpoint per day.

Implementation leverages the unified Defender portal with automated prioritization that combines CVSS scores, Microsoft's Exploitability Index, and active exploitation signals from Microsoft Threat Intelligence Center. Organizations should note certain limitations: UI pagination caps exports at 5,000 rows, CVE deduplication is limited, and the solution cannot ingest third-party scanner data from platforms like Qualys or Tenable. The solution is most advantageous for organizations already invested in the Microsoft security ecosystem, as it offers native integrations with Azure Sentinel, Intune, ServiceNow, and GitHub Advanced Security.

Use Cases
Microsoft delivers vulnerability management deeply integrated with its broader security ecosystem, offering exceptional value for organizations already invested in Microsoft 365 E5 or Defender for Endpoint P2. Security teams in Windows-centric environments benefit from the seamless agent deployment and remediation workflow integration with Intune for automated patching. The solution particularly excels in attack path analysis, using graph-based algorithms to visualize exploitable paths across hybrid environments, helping security teams prioritize remediation of critical choke points. Organizations with Azure-focused cloud strategies gain comprehensive visibility through native integration with Azure services and Microsoft Sentinel for unified security monitoring. While strong within the Microsoft ecosystem, organizations with diverse technology stacks requiring specialized application security testing or comprehensive software composition analysis may need supplementary solutions.

NopSec: Unified VRM

Solution Overview
NopSec's approach to vulnerability management is characterized by its emphasis on risk-based prioritization and automation. This platform is a standalone product that combines multiple components to provide a view of an organization's vulnerability landscape.

This solution works by ingesting vulnerability data from various sources, including network scanners, cloud infrastructure, and web applications. It then applies ML algorithms and threat intelligence to contextualize and prioritize vulnerabilities based on their potential impact and likelihood of exploitation. It provides a centralized dashboard for visualizing risk across an organization's entire attack surface.

One of the key capabilities of this solution is its ability to automate the vulnerability management workflow, from discovery to remediation. The solution integrates with popular ticketing systems and DevOps tools, allowing seamless incorporation into existing processes. Additionally, it offers customizable reporting and analytics capabilities, enabling security teams to track progress and demonstrate the effectiveness of their vulnerability management efforts.

The platform can be deployed as a cloud-based service, providing flexibility for organizations with different infrastructure requirements.

NopSec is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the GigaOm Radar for CVM chart.

Strengths
NopSec scored well on a number of decision criteria, including:

  • Risk-based assessment: The platform provides comprehensive risk contextualization by incorporating vulnerability and misconfiguration data, asset telemetry, threat intelligence, security control effectiveness, identity factors, and topology and attack path analysis. It utilizes its patented machine learning prioritization engine that delivers "white-box" evidence-based recommendations. A proprietary Asset Value algorithm automates business impact analysis while maintaining override capabilities. The solution differentiates itself through security control validation across multiple dimensions and visualizes security controls and chokepoints in attack paths.

  • Customizable risk scoring: NopSec employs a "white-box" model with user customization options that allow organizations to adjust asset value and business impact after automated algorithm recommendations and modify risk scores following ML processing. This approach preserves the integrity of the ML data model while enabling manual adjustments based on tribal knowledge. The solution maintains complete audit trails for risk score modifications, providing transparency and accountability.

  • Cloud-native and serverless function scanning: The solution offers integrated cloud scanning services that leverage both commercial and open source scanners. It can ingest results from customer-managed cloud scanning tools to provide unified aggregation, prioritization, workflow, and reporting capabilities across cloud environments.

Opportunities
NopSec has room for improvement in a few decision criteria, including:

  • Network-based vulnerability scanning: The solution relies heavily on aggregating results from commercial and open source scanners rather than offering robust native scanning capabilities. This integration-focused approach creates potential challenges for organizations requiring specialized scanning configurations or customized vulnerability detection logic. Security teams may face limitations when needing to address unique network environments or specialized hardware that falls outside standard scanner coverage. Additionally, the reliance on customer-managed tools introduces potential inconsistency in scan quality and coverage across different organizational units.

  • Software composition analysis: Though it provides integration with third-party SCA tools, the solution lacks comprehensive native analysis capabilities, potentially creating visibility gaps in complex software supply chains. Organizations with diverse technology stacks may experience inconsistent coverage across different programming languages or frameworks based on the limitations of the underlying scanning tools. The effectiveness of the SCA function is inherently constrained by the quality and currency of the third-party scanners being leveraged, which may result in inconsistent depth of dependency analysis across different application types.

  • IaC vulnerability and misconfiguration assessment: The solution's approach to IaC assessment through aggregating results from external tools creates potential challenges in providing unified, consistent security coverage across diverse infrastructure-as-code implementations. Organizations using emerging IaC frameworks or custom configuration management systems may encounter visibility gaps where integrated scanners provide insufficient coverage. The dependence on external scanning tools may also limit real-time assessment capabilities during rapid development cycles, creating potential security blind spots in fast-moving DevOps environments.

Purchase Considerations
NopSec offers a subscription-based pricing model where customers pay per unique asset with at least one open vulnerability. The solution is available in two main bundles: Essentials (providing ingest, ML prioritization, dashboards, and API access) and Enterprise (adding workflow automation, ticket synchronization, SOAR export, and custom ML retraining). Optional add-ons include technical account management, a vulnerability management and governance bootcamp, a data science workshop, and exploit validation testing. Multiyear commitments receive a 15% discount for 3-year terms, and professional services are available at published rates ($225 per hour remote, $275 per hour onsite).

The solution functions as a platform play delivered as a 100% AWS-hosted SaaS offering. The platform demonstrates enterprise-grade scalability with production references including a retail conglomerate managing 2.8 million assets and 35 million vulnerability records across 26 connectors. The "white-box" machine learning risk engine lets administrators review machine-generated risk scores without manually entering weights for asset value, threat vectors, exploit likelihood, and control context, because the risk algorithm runs autonomously with no human manipulation of a formula. End users can nonetheless override the risk scores after the algorithmic ML processing based on their tribal knowledge of the environment.

Implementation complexity is moderate with a connector wizard that enables setup in under five minutes through a simple API key configuration process. The React and TypeScript portal features persona-based landing pages with real-time filtering capabilities. While the platform offers comprehensive functionality, potential adopters should verify that the more than 100 available connectors include integration with their specific vulnerability scanners, application security tools, cloud providers, and ticketing systems. The bidirectional integration with ServiceNow and Jira keeps ticket statuses current, while developer resources including Swagger documentation and SDKs facilitate custom integrations when needed.

Use Cases
NopSec delivers risk-based vulnerability management through its ML-powered prioritization engine, serving organizations struggling with vulnerability overload. Security teams value its "white-box" approach to risk scoring that maintains algorithmic intelligence while allowing manual adjustments based on business context, with full audit trails preserving compliance requirements. The platform serves enterprises with heterogeneous environments by integrating with over 100 security tools, creating a unified view across network, application, cloud, and container vulnerabilities. Organizations with established security controls gain unique insights through NopSec's security control validation that assesses the effectiveness of existing protective measures against specific vulnerabilities, visualizing which controls are bypassable versus effective. This evidence-based approach to attack path analysis enables security teams to remediate vulnerabilities based on real-world exploitability rather than theoretical severity scores.

Nucleus Security: Nucleus Security Platform

Solution Overview
Nucleus Security is a cybersecurity company that provides organizations with a centralized platform to aggregate, analyze, and manage vulnerabilities across their entire IT, cloud, OT, and application ecosystem. Nucleus Security's approach to vulnerability management is characterized by its emphasis on data aggregation and workflow automation. This standalone platform uses a specialized data fabric architecture to unify and organize data from multiple components, providing a comprehensive view of an organization's vulnerability landscape.

The solution works by ingesting vulnerability, asset, and threat data from various sources, including network scanners, application security tools, cloud infrastructure providers, threat intelligence feeds, and IT asset systems. It then normalizes, correlates, and deduplicates this data to provide a single source of truth for vulnerability and asset management. The platform uses ML algorithms to prioritize vulnerabilities based on their potential impact and exploitability and provides business context, allowing security teams to focus on the most critical issues first.

One of the key qualities of the solution is its ability to automate vulnerability management workflows using its dynamic automation framework. The solution integrates with popular ticketing systems and collaboration tools, enabling seamless communication between security teams and IT operations. Additionally, the platform offers customizable dashboards and reporting capabilities, allowing organizations to track their vulnerability management progress and demonstrate compliance with various security standards.

The Nucleus Security platform can be deployed in the cloud, via software, or on-premises (including air-gapped environments), which provides flexibility for organizations with differing or stringent deployment requirements. By centralizing vulnerability data and automating key processes, Nucleus Security aims to streamline the risk-based vulnerability management process and improve an organization's overall security posture.

Nucleus Security is positioned as a Leader and Outperformer in the Maturity/Platform Play quadrant of the GigaOm Radar for CVM chart.

Strengths
Nucleus Security scored well on a number of decision criteria, including:

  • Risk-based assessment: The solution combines vulnerability data, asset context, and threat intelligence into a comprehensive 0-1000 risk scoring system. It calculates a threat intelligence Vulnerability Risk Score (VRS) based on severity and exploitability factors and an Asset Risk Score (ARS) based on criticality, compliance scope, sensitivity, and exposure. By multiplying these scores, it creates a unified risk measurement that enables multifactor risk-based prioritization. These unified Risk Scores create a universal risk language across the organization, helping teams align on remediation priorities.

  • Customizable risk scoring: The scoring framework offers transparency and customization through user-defined weightings. Organizations can leverage their existing risk systems while incorporating the contextual data provided by the solution. The system aggregates risk across asset groups with automatic recalculation whenever customization changes are made. This flexibility allows security teams to adapt the risk model to their specific organizational needs and priorities.

  • Integrations: The solution utilizes an integration-first approach with connections to over 160 tools spanning the security and IT ecosystem. Its flat, schema-driven data model makes objects and metadata accessible for automation, reporting, and prioritization. Advanced grouping capabilities handle complex connectors using rule-based logic, while dynamic field mapping automatically adapts to changes and maintains integrity. The vendor-agnostic design supports best-of-breed toolchains, allowing organizations to maintain their preferred security tools while gaining centralized visibility.
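The multiplicative VRS x ARS model and the user-defined weightings described in the two bullets above, as an added worked example in Python. This is a constructed illustration in the spirit of that scheme, not Nucleus Security's algorithm, weights or data: the factor scales, weight names, residual exposure value, CVE ids and assets are all assumptions.

```python
"""Constructed multiplicative risk model in the spirit of the VRS x ARS scheme
described above. Added example only: factor scales, weightings, CVE ids and
assets are assumptions, not Nucleus Security's algorithm or data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Weights:
    """User-defined weightings (assumed names). VRS weights sum to 1 and ARS
    weights sum to 1, so each score lies in [0, 1] and the product scales
    cleanly to the 0-1000 range."""
    severity: float = 0.6
    exploitability: float = 0.4
    criticality: float = 0.4
    compliance_scope: float = 0.2
    sensitivity: float = 0.2
    exposure: float = 0.2


@dataclass(frozen=True)
class Vulnerability:
    cve: str
    cvss: float   # CVSS base score, 0-10
    epss: float   # EPSS exploitation probability, 0-1
    kev: bool     # listed in CISA KEV (actively exploited)


@dataclass(frozen=True)
class Asset:
    name: str
    group: str
    criticality: int         # 1 (low) to 5 (crown jewel)
    in_compliance_scope: bool
    sensitivity: int         # 1 to 5
    internet_facing: bool


def vulnerability_risk_score(v: Vulnerability, w: Weights) -> float:
    """VRS in [0, 1]: severity plus exploitability evidence. A KEV listing is
    treated as certain exploitation; otherwise the EPSS probability is used."""
    exploitability = 1.0 if v.kev else v.epss
    return w.severity * (v.cvss / 10.0) + w.exploitability * exploitability


def asset_risk_score(a: Asset, w: Weights) -> float:
    """ARS in [0, 1]: criticality, compliance scope, sensitivity and exposure.
    Internal assets keep an assumed residual exposure of 0.3 rather than zero."""
    exposure = 1.0 if a.internet_facing else 0.3
    return (w.criticality * (a.criticality / 5.0)
            + w.compliance_scope * (1.0 if a.in_compliance_scope else 0.0)
            + w.sensitivity * (a.sensitivity / 5.0)
            + w.exposure * exposure)


def risk_score(v: Vulnerability, a: Asset, w: Weights = Weights()) -> int:
    """Unified 0-1000 score: the product of VRS and ARS, scaled and rounded."""
    return round(1000 * vulnerability_risk_score(v, w) * asset_risk_score(a, w))


def prioritize(findings, w: Weights = Weights()):
    """Rank (vulnerability, asset) pairs by unified score, highest first.
    Calling this again with new Weights is the recalculation after a
    customization change; no data has to be re-ingested."""
    scored = [(v.cve, a.name, risk_score(v, a, w)) for v, a in findings]
    return sorted(scored, key=lambda t: t[2], reverse=True)


def group_risk(findings, w: Weights = Weights()) -> dict:
    """Aggregate per asset group: the highest finding score within each group."""
    out: dict = {}
    for v, a in findings:
        out[a.group] = max(out.get(a.group, 0), risk_score(v, a, w))
    return out


# Constructed sample data (placeholder CVE ids, fictional assets).
CRITICAL_UNEXPLOITED = Vulnerability("CVE-0000-0001", cvss=9.8, epss=0.02, kev=False)
HIGH_IN_KEV = Vulnerability("CVE-0000-0002", cvss=7.5, epss=0.90, kev=True)
INTERNAL_DB = Asset("db-01", "crown-jewels", criticality=5,
                    in_compliance_scope=True, sensitivity=5, internet_facing=False)
DMZ_WEB = Asset("web-01", "dmz", criticality=3,
                in_compliance_scope=False, sensitivity=2, internet_facing=True)
FINDINGS = [(v, a) for v in (CRITICAL_UNEXPLOITED, HIGH_IN_KEV)
            for a in (INTERNAL_DB, DMZ_WEB)]

if __name__ == "__main__":
    # With default weights the unexploited CVSS 9.8 on the crown-jewel database
    # still outranks the KEV-listed flaw on the low-value DMZ host.
    for cve, asset, score in prioritize(FINDINGS):
        print(f"{score:4d}  {cve}  {asset}")
    # Weighting exploitability up flips that ordering without new scan data.
    print(prioritize(FINDINGS, Weights(severity=0.2, exploitability=0.8)))
    print(group_risk(FINDINGS))
```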

Nucleus was classified as an Outperformer given its major updates, which include a proprietary intelligence feed, the Vulnerability Intelligence feature set, and UI redesigns.

Opportunities
Nucleus Security has room for improvement in a few decision criteria, including:

  • Network-based vulnerability scanning: The solution lacks native scanning capabilities, instead relying entirely on external sources for vulnerability data. This dependency creates significant operational challenges for organizations that must maintain and manage multiple separate scanning tools, potentially increasing both cost and complexity. Security teams may struggle with limited control over scan frequency and coverage parameters, which can impact vulnerability detection timeliness in rapidly changing environments. Additionally, the quality of analysis is inherently constrained by external data sources without independent verification mechanisms, potentially creating blind spots in environments where specialized scanning requirements exist.

  • Software composition analysis: Without native SCA capabilities, the solution functions solely as an aggregator of third-party findings rather than providing independent analysis. This creates potential challenges for organizations requiring comprehensive software supply chain visibility. The limited details regarding license compliance management and transitive dependency handling may present difficulties for enterprises with strict open source governance requirements. Security teams may also find the remediation guidance insufficient for addressing complex SCA-specific issues, particularly in regulated industries where component provenance documentation is critical.

  • IaC vulnerability and misconfiguration assessment: The solution's complete reliance on external tools for IaC scanning creates potential coverage gaps and inconsistency in security assessment. Without native capabilities, organizations may struggle to implement standardized approaches across different infrastructure-as-code languages and frameworks. The vague details regarding secure coding standards and remediation strategies specific to IaC issues could challenge teams attempting to implement secure-by-design practices. This limitation may be particularly problematic for organizations with complex multicloud deployments requiring consistent security controls across varied infrastructure definitions.

Purchase Considerations
Nucleus Security offers a subscription model based on de-duplicated "core assets" with active findings, featuring two primary tiers: Standard (foundational vulnerability management orchestration) and Advantage (adding Vulnerability Intelligence Platform, Adaptive Contexts, and POA&M reporting). Volume brackets range from 5,000 to more than 500,000 assets, with ELA options for uncapped enterprise use. Supporting assets (cloud infrastructure, subcontainers) are discounted compared to core hosts and repositories. The pricing structure includes unlimited connectors, ingest frequency, workflow automation, and threat intelligence (Mandiant feed included) at no additional cost. Optional add-ons include premium support SLAs, white-glove onboarding, and managed rule-authoring professional services with published rate cards available to customers and partners.

The solution functions as a comprehensive vulnerability management orchestration platform, operating as multitenant SaaS on Google Cloud, as on-premises software, and in air-gapped environments with Kubernetes microservices. The Nucleus Data Fabric utilizes a flat, object-oriented structure that has demonstrated enterprise-scale capabilities with proven single-tenant references handling over 3 million assets, more than 40 data sources, and more than 80 million active findings with sub-4-second query latency. The continuous, asynchronous connector engine runs each integration in its own queue with delta ingestion to prevent source API throttling, making it suitable for high-frequency CI/CD scanning environments.

Implementation complexity is manageable with a connector wizard that enables setup in under 10 minutes for initial data ingestion. The system offers more than 160 native connectors to popular vulnerability scanners, cloud security platforms, application security tools, and threat intelligence sources. Organizations typically implement the platform without requiring external professional services, as deployments are led by Nucleus CSMs and implementation engineers. The platform's extensive integration ecosystem includes bidirectional connections with ITSM and DevOps tools (such as ServiceNow and Jira), SIEM and SOAR platforms, and data lakes, plus a comprehensive REST API.

Use Cases
Nucleus Security excels as a vulnerability correlation platform unifying findings from over 160 security tools without disrupting existing workflows. Security leaders in large enterprises with complex tool environments leverage its dynamic automation framework to create consistent remediation processes across application, cloud, and network vulnerabilities. Organizations with sophisticated organizational structures benefit from Nucleus's flexible ownership model that supports automatic assignment with fallback logic, ensuring findings always reach the right teams. The platform's flat, object-oriented data architecture enables security teams to process over 9 billion findings daily with query response times under 4 seconds even for environments with 3 million assets. While not providing native scanning capabilities, Nucleus differentiates through its "work-aligned remediation" approach that groups vulnerabilities by shared fix rather than by technical similarity, dramatically reducing remediation effort through contextual prioritization.

OpenText: Core Software Composition Analysis*

Solution Overview
Debricked was an SCA company that helped organizations manage and secure their open source software dependencies (identifying, analyzing, and mitigating vulnerabilities in open source components). In 2022, Debricked was acquired by Micro Focus (which was then acquired by OpenText), expanding its reach and resources within the broader application security landscape. 

OpenText's approach to SCA is characterized by its developer-centric focus and emphasis on automation. The solution is designed to address various aspects of open source security and compliance. The Debricked platform is a standalone product within the broader OpenText product suite.

The solution works by continuously scanning and analyzing an organization's codebase and dependencies, leveraging ML algorithms to identify potential security risks and license compliance issues. It provides real-time alerts and recommendations for addressing vulnerabilities, along with detailed information about each identified issue. It can be deployed as a cloud-based solution or on-premises, integrating seamlessly with popular development environments and CI/CD pipelines. 

OpenText is positioned as a Challenger and Fast Mover in the Innovation/Feature Play quadrant of the GigaOm Radar for CVM chart.

Strengths
OpenText scored well on a number of decision criteria, including:

  • Application vulnerability assessment: The solution provides comprehensive application security testing through its Fortify platform. It offers robust SAST, covering 1,657 vulnerability categories across more than 33 programming languages. The DAST capabilities address over 250 web application vulnerabilities. These capabilities are enhanced by AI-driven prioritization that helps development teams focus on the most critical issues first.

  • Software composition analysis: The solution delivers comprehensive software composition analysis through its Debricked integration. It supports detection of client-side library CVEs, provides open source health data, and enables CycloneDX SBOM generation for compliance purposes. The capability also includes Docker image scanning, allowing organizations to identify vulnerabilities in container environments.

  • Integrations: The solution features extensive CI/CD integrations with popular platforms including Jenkins, GitLab CI, and Azure DevOps. It provides REST APIs for custom integrations and supports multiple IDEs including Visual Studio, Eclipse, and IntelliJ IDEA, enabling developers to address security issues within their preferred development environments.

Opportunities
OpenText has room for improvement in a few decision criteria, including:

  • Network-based vulnerability scanning: The solution demonstrates considerable limitations in traditional network vulnerability scanning capabilities. With its primary focus directed toward application-layer security rather than comprehensive infrastructure assessment, organizations requiring robust network security visibility face significant challenges. This approach creates potential blind spots in network device configurations, protocol vulnerabilities, and infrastructure weaknesses that could expose critical systems. Organizations with complex hybrid environments or those in regulated industries requiring complete infrastructure security assessment may find these constraints particularly limiting.

  • IaC vulnerability and misconfiguration assessment: While supporting infrastructure-as-code scanning within its static analysis framework for cloud-native applications, the solution lacks clearly documented coverage across the full spectrum of IaC frameworks. This creates uncertainty regarding detection depth for organizations using diverse infrastructure definition approaches. Security teams working with specialized IaC tools or implementing multicloud strategies may encounter inconsistent scanning coverage. Additionally, the limited details regarding detection capabilities may present challenges for organizations needing to validate compliance with specific security standards across their infrastructure definitions.

  • Customizable risk scoring: The solution offers minimal evidence of robust risk scoring customization capabilities that would allow organizations to integrate business-specific context into vulnerability prioritization. This limitation restricts security teams from aligning remediation efforts with their unique operational requirements. Organizations with specialized compliance needs or those operating in environments with distinct risk profiles may struggle to effectively prioritize vulnerabilities based on their actual business impact rather than generic severity ratings.

Purchase Considerations
OpenText offers an SCA solution with transparent tiered pricing: a free Community tier (unlimited repos, five users, basic vulnerability and license scanning, and 30-day history), a Business tier (priced per user per month, adding private-repo scanning, policy engine, alerts, and 1-year history), and an Enterprise tier (negotiated pricing with SAML SSO, SCIM, on-premises mirror cache, custom risk models, and dedicated CSM). All tiers include unlimited assets with no overage fees for scan frequency. Optional add-ons include Professional Services workshops and API burst packs for increased throttle capacity.

The solution functions as a specialized tool focused exclusively on open source dependency risk management (vulnerabilities, licenses, and project health). It supports major language ecosystems including Maven and Gradle, npm and yarn, pip and Poetry, Go modules, Cargo, RubyGems, NuGet, Composer, CocoaPods, Swift PM, Helm, and Terraform modules. The platform's specialized nature means it complements rather than replaces broader security solutions, functioning primarily as an application security point product in the software supply chain security domain.

Implementation complexity is minimal with a quick OAuth handshake to Git providers enabling automatic repository import in under two minutes. The dashboard presents critical vulnerabilities, license risks, abandoned packages, and policy violations, with detailed CVE cards providing CVSS scores, EPSS data, patched versions, and remediation options including an automated Create Fix PR button. Integration capabilities include connections with major VCS providers (GitHub, GitLab, Bitbucket, Azure Repos), CI/CD tools, Slack alerts, and Jira ticket creation. However, organizations seeking broader vulnerability management beyond software dependencies will need additional solutions.

Use Cases
OpenText (formerly Debricked) delivers a specialized software composition analysis solution focusing exclusively on open source dependency risk across multiple programming languages. Development teams appreciate its seamless integration with popular code repositories (GitHub, GitLab, Bitbucket, and Azure DevOps) and CI/CD platforms, enabling automatic scanning with minimal configuration. The solution serves organizations prioritizing shift-left security through its automated remediation capability that generates pull requests with version bumps to secure releases, reducing developer friction. Security teams value its customizable policy engine that enforces severity thresholds, license compliance, and project health checks with blocking or warning modes. The platform's lightweight architecture processes changes quickly (under 30 seconds for typical repositories) while scaling to handle enterprise environments with more than 25,000 repositories and over 60 million dependency files daily.

Palo Alto Networks: Prisma Cloud*

Solution Overview
Palo Alto Networks is a global cybersecurity company that provides a wide range of security solutions for networks, clouds, and mobile devices. While known for its next-generation firewalls, the company has expanded its offerings to include advanced threat detection and response capabilities. In 2022, Palo Alto Networks acquired Cider Security to bolster its application security and supply chain security capabilities.

Palo Alto Networks' vulnerability management is integrated into its broader cloud security ecosystem, leveraging its extensive threat intelligence network. Its solution is Prisma Cloud.

The solution works by continuously discovering, assessing, and prioritizing vulnerabilities across an organization's cloud-native applications, containers, and infrastructure. It uses advanced analytics and ML algorithms to provide context-aware risk assessments. The solution integrates seamlessly with other Prisma Cloud modules, offering a unified view of an organization's cloud security posture.

The platform uses both agentless and agent-based scanning, providing comprehensive coverage of cloud assets. It provides real-time vulnerability assessments, prioritizes risks based on threat intelligence and exploit likelihood, and offers remediation guidance. The solution's dashboard supplies a centralized view of vulnerability data, allowing security teams to quickly identify and address the most critical issues across their cloud environment.

Palo Alto Networks is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the GigaOm Radar for CVM chart.

Strengths
Palo Alto Networks scored well on a number of decision criteria, including:

  • Cloud-native and serverless function scanning: The solution delivers exceptional cloud-native and serverless scanning with comprehensive container, Kubernetes, and FaaS coverage. It supports both agent-based and agentless approaches with 100% continuous monitoring capabilities. Detailed API-accessible reporting for serverless functions enhances visibility into potential security issues. This represents a best-in-class capability for securing modern cloud architectures across multiple providers and deployment models.

  • Software composition analysis: The platform provides strong SCA capabilities that identify open source packages, vulnerabilities, and license risks while generating comprehensive SBOMs. Its deep dependency scanning extends beyond basic packages to include IaC templates and Kubernetes manifests with policy enforcement. While it lacks runtime SCA functionality and has limited advanced policy customization options, the core SCA capabilities are robust and comprehensive.

  • IaC vulnerability and misconfiguration assessment: The solution effectively inspects IaC templates for vulnerabilities and misconfigurations, enabling shift-left security in CI/CD pipelines. It can block policy violations at merge or build stages, providing seamless integration with DevOps workflows. Though it lacks comprehensive support for all IaC frameworks and offers limited rule customization options, the core capability provides effective security for common infrastructure deployment scenarios.

Opportunities
Palo Alto Networks has room for improvement in a few decision criteria, including:

  • Application vulnerability assessment: While the solution offers comprehensive scanning across running applications and source code repositories, it lacks advanced dynamic and interactive application security testing capabilities. This limitation presents challenges for organizations with complex web applications where static analysis alone is insufficient. Financial services companies and healthcare organizations with transaction-heavy applications requiring robust runtime security validation may find these constraints particularly limiting, as the absence of sophisticated DAST and IAST functionality leaves potential security gaps in application logic that cannot be detected through static analysis.

  • Network-based vulnerability scanning: The solution provides extensive network scanning capabilities but falls short in offering active exploitation testing or custom scanning logic development. This presents challenges for organizations with specialized security requirements or unique network environments. Critical infrastructure providers, government agencies, and organizations with proprietary protocols may find the inability to develop tailored assessment methodologies restrictive, potentially leaving specialized systems inadequately evaluated against sophisticated threats that require context-specific testing approaches.

  • Customizable risk scoring: Despite leveraging standard CVSS metrics with some intelligent features, the solution's rigid scoring methodology and apparent lack of user-defined risk models create challenges for organizations with specific risk weighting requirements. Enterprises in heavily regulated industries requiring alignment between vulnerability prioritization and compliance frameworks may struggle to tailor risk assessments to their specific business context.

Purchase Considerations
Palo Alto Networks offers a credit-based licensing model for Prisma Cloud, utilizing Prisma Cloud Credits as a precommitted pool. Different resources consume varying amounts of credits: Host Defender (1 credit per host per month), Container Defender (0.25 credit per container per month on average), Agentless Scanning (credits per scanned vCPU snapshot), and Code Security (credit per repo per month). This approach provides notable flexibility because credits are fungible across all Prisma Cloud modules (CSPM, CWPP, CI/CD, and WAAS), enabling organizations to adjust their security focus without procurement amendments. Standard support is bundled, with Premium (+15%) and Premium Plus (+25%) options available, while Professional Services are offered at a $2,400 per day list price for QuickStart implementations or custom policy development.

The solution functions as a comprehensive cloud security platform with coverage spanning containers, Kubernetes, VMs, serverless functions, images in registries, infrastructure-as-code files, container build pipelines, open source packages, and PaaS services. Operating as a SaaS-first platform with a multitenant control plane hosted across AWS, Azure, and GCP regions, it scales effectively for enterprise environments with reference deployments handling 15,000 cloud accounts, 120,000 containers, 2 million hosts, and 7 billion vulnerability records. One limitation to note is the absence of native network-layer vulnerability scanning, which requires integration with external tools.

Implementation is streamlined through a single HTML5 Console with intuitive dashboards for vulnerability exploration, risk package visualization, and attack path graphing. An Alert Rules wizard facilitates integration with ticketing systems, while automated fix generation assists with remediation. The platform offers extensive ecosystem integration across cloud providers (including GovCloud and China regions), CI/CD tools, container registries, and ITSM, SOAR, and SIEM systems. Organizations should be aware of some UX limitations including limited vulnerability deduplication, occasional documentation link failures after major releases, and the need to use the API or Terraform for bulk editing of custom policies rather than the UI.

Use Cases
Palo Alto Networks delivers comprehensive cloud vulnerability management through Prisma Cloud, excellent for organizations deploying container and serverless architectures across AWS, Azure, and GCP. DevSecOps teams implementing shift-left security benefit from its robust IaC scanning and software composition analysis that integrates with CI/CD pipelines to block vulnerable code before deployment. The platform's reference implementations demonstrate strong scalability, handling environments with 15,000 cloud accounts and millions of hosts while maintaining sub-5-minute alert latencies. Security leaders appreciate the flexible credit-based licensing model that allows resource allocation across different protection types without procurement overhead. The solution's unified console provides intuitive vulnerability prioritization and remediation guidance, though it lacks automated exploitation testing capabilities and offers only basic attack path analysis. Organizations seeking to secure their entire cloud application lifecycle gain particular value from Palo Alto Networks' comprehensive protection for containerized workloads and cloud services.

Qualys: Vulnerability Management Detection and Response

Solution Overview
Qualys is a provider of Enterprise Cyber Risk and Security Platform solutions, with a primary focus on vulnerability management and risk assessment. The company's flagship offering is Vulnerability Management Detection and Response (VMDR), a comprehensive platform designed to identify, assess, and mitigate security vulnerabilities across an organization's IT infrastructure.

Qualys's approach to vulnerability management is characterized by its emphasis on risk-based assessment and its wide range of deployment options. The VMDR platform is not a standalone product but rather an integrated suite of tools within the broader Qualys Enterprise TruRisk Platform. This solution combines multiple components to provide a holistic view of an organization's vulnerability and cyber risk landscape.

VMDR works by continuously scanning and assessing an organization's IT assets, leveraging a combination of network scanning, agent-based monitoring, and cloud-native assessment techniques. The platform uses advanced analytics and ML algorithms to prioritize vulnerabilities based on their potential impact and exploitability. Qualys TruRisk Scoring enhances this capability by incorporating external threat intelligence and internal telemetry data to provide more accurate risk assessments. The solution can be deployed through various methods, including physical and virtual appliances; public cloud deployments across multiple global regions (including Kingdom of Saudi Arabia, United Arab Emirates, and Australia) to comply with data localization requirements; private cloud installations; and hybrid setups, offering flexibility to organizations with diverse infrastructure requirements.

Qualys is positioned as a Leader and Outperformer in the Maturity/Platform Play quadrant of the GigaOm Radar for CVM chart.

Strengths
Qualys scored well on a number of decision criteria, including:

  • Software composition analysis: The solution provides runtime SCA with real-time visibility into open source and commercial components, enabling rapid response to zero-days such as Log4j and OpenSSL vulnerabilities. It includes workflows to query impacted components and assess risk through its TruRisk framework. The integrated remediation capabilities significantly reduce triage time from weeks to hours, allowing security teams to address critical vulnerabilities more efficiently.

  • Cloud-native and serverless function scanning: The TotalCloud (CNAPP) functionality employs a multimodal approach, combining no-touch, agentless, API- and snapshot-based scanning with agent- and network-based scanning for comprehensive cloud workload monitoring. This provides near real-time threat detection capabilities and attack path analysis to help identify potential security exposures in cloud environments. The flexible scanning options accommodate different security and operational requirements.

  • Risk-based assessment: The solution identifies multiple risk factors within its TruRisk Scoring system, including internet-facing exposure, end-of-life and end-of-support software, missing security controls, asset and business criticality, and unauthorized software. It leverages over 25 threat intelligence feeds and maps potential attack paths to MITRE ATT&CK, providing context beyond simple vulnerability scores. This comprehensive approach helps organizations prioritize remediation efforts based on actual risk.

Qualys was classified as an Outperformer given its major enhancements to the UI and its release of TotalCloud 2.16.0, which includes CWPP, a feature set that was previously a noticeable gap. 

Opportunities
Qualys has room for improvement in a few decision criteria, including:

  • Customizable risk scoring: While the solution allows asset criticality customization on a 1-5 scale that influences risk calculations, it demonstrates notable limitations in advanced customization scenarios. Organizations requiring sophisticated risk modeling will find the restricted customization beyond basic criticality limiting, particularly when needing to incorporate detailed business context into vulnerability prioritization. 

  • Integrations: While the solution provides extensive integration capabilities with over 160 vendor integrations and open APIs, organizations with highly specialized security environments may still encounter implementation challenges. Despite comprehensive API documentation, security teams working with niche or legacy systems might need to invest additional development resources to achieve the desired integration workflows. Additionally, enterprises in regulated industries with strict documentation requirements might find they need to develop supplementary materials beyond the standard implementation details to satisfy compliance auditors. Though the solution handles high-volume environments well for standard use cases, organizations with unique performance requirements or unconventional data exchange patterns may need to conduct additional testing to ensure optimal performance for their specific integration scenarios.

  • Automated vulnerability validation and exploitation testing: The solution relies heavily on customer-developed scripting or third-party solutions rather than offering robust native validation capabilities. This approach requires significant additional investment and expertise to implement effective validation workflows. Organizations without dedicated scripting resources will find this particularly challenging, as the validation scope remains unclear and the integration of validation results into risk assessment is not well defined.

Purchase Considerations
Qualys offers a transparent pricing model based on de-duplicated assets when first actioned (scanned, patched, or policy-applied), with initial discovery in CSAM provided at no cost. Baseline MSRP starts at $2,195 for VMDR TruRisk (32 assets per year), with higher tiers adding patch management ($2,995) or AV+EDR capabilities ($4,645). Volume discounts apply across three tiers (1-10K, 10-100K, and over 100K) with multiyear prepayments offering up to 20% savings. The pricing structure includes no additional fees for users, API calls, or connector count, and standard support is included at no cost.

With nine global datacenters to comply with the data localization requirements of multiple regions, plus GovCloud options with FedRAMP Moderate authorization to comply with stringent U.S. Government mandates, the solution provides options for highly regulated industries. Its scale has been proven with reference customers including a retailer managing 3 million endpoints and a global bank handling 1.7 million assets. The single-agent design handles vulnerability assessment, configuration checks, EDR, and patching capabilities, eliminating agent sprawl while supporting virtually all asset types, from on-premises servers to cloud resources, containers, OT environments, and web applications.

Implementation complexity is reduced through multiple onboarding options, including the lightweight Cloud Agent (3-10 MB RAM idle), network scanners, and cloud connectors that require no proxy. The Qualys console provides role-based dashboards for different stakeholders and a unified workflow from discovery through remediation. Organizations should note some legacy UX considerations, including recently replaced Flash widgets and occasional documentation link redirects.

Use Cases
Qualys delivers enterprise-scale vulnerability management with comprehensive coverage across hybrid environments. Organizations with complex infrastructures benefit from its multimodal FlexScan approach combining agent-based monitoring (4-hour intervals) with network scanning and API-based assessment. The platform serves security teams overwhelmed by vulnerability data through its TruRisk scoring system that incorporates CVSS, exploitability metrics, threat intelligence, and asset criticality to prioritize remediation efforts. Large enterprises appreciate Qualys's proven scalability, supporting environments with millions of assets while maintaining sub-4-second dashboard response times. The solution's unified agent design (3-10 MB RAM idle) addresses agent sprawl concerns by handling vulnerability assessment, configuration compliance, EDR, and patching through a single lightweight binary. While strong in traditional vulnerability management, organizations seeking comprehensive application security testing will need to supplement with additional solutions beyond Qualys's DAST-only capabilities.

7. Solution Insights R-X

Rapid7: Exposure Command

Solution Overview
Rapid7 is a cybersecurity company that provides a wide range of solutions for vulnerability management, application security, cloud security, and threat detection. The company's primary focus is on delivering actionable intelligence and automated remediation capabilities to help organizations improve their overall security posture.

Rapid7's approach to vulnerability management is characterized by its emphasis on risk-based prioritization and automation. The company offers Exposure Command, a comprehensive vulnerability management solution that is part of the broader Insight platform. Exposure Command is a standalone product, but it can be integrated with the broader Rapid7 ecosystem.

Rapid7's Exposure Command platform provides customers with a variety of data collection methods depending on environment or asset type, including scan engines, endpoint agents, and agentless API-driven assessments. Its console is available as a SaaS offering or as an on-premises appliance, serving as the central management interface for scan engine management. Exposure Command works by continuously scanning and assessing an organization's assets, prioritizing vulnerabilities based on real-world threat intelligence, and providing automated remediation workflows.

Rapid7 is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the GigaOm Radar for CVM chart.

Strengths
Rapid7 scored well on a number of decision criteria, including:

  • Network-based vulnerability scanning: The solution combines network scanners with agent-based assessment, utilizing authenticated scans and dynamic discovery for real-time network asset visibility. Vulnerability intelligence is continuously updated from multiple sources, including NVD, vendor advisories, exploit databases, and proprietary research, with daily check updates to maintain current detection capabilities.

  • IaC vulnerability and misconfiguration assessment: The solution offers IaC scanning via a proprietary CLI tool for early misconfiguration detection in Terraform and AWS CloudFormation templates during development. It integrates with CI/CD pipelines (including Azure DevOps), enabling security teams to implement industry-standard or custom policy checks before infrastructure deployment.

  • Cloud-native and serverless function scanning: The solution scans cloud-native and serverless functions across AWS, Azure, GCP, Oracle, and Kubernetes environments, automatically detecting publicly accessible assets and correlating findings with misconfigurations. Its integration of IAM configurations, IaC templates, runtime environments, and data sensitivity provides cross-domain risk correlation for more comprehensive security assessment.

Opportunities
Rapid7 has room for improvement in a few decision criteria, including:

  • Software composition analysis: The solution relies heavily on integrations with third-party libraries rather than native SCA capabilities. This integration-dependent approach may create challenges for organizations with diverse codebases spanning multiple languages or frameworks where comprehensive coverage is critical. Additionally, security teams in regulated industries may find it difficult to maintain consistent software inventory visibility, as the effectiveness varies based on the quality of underlying integrations.

  • Customizable risk scoring: While offering robust tagging capabilities and query functionality, the solution restricts direct modification of the underlying risk engine to preserve model integrity. This constraint limits organizations with specialized risk evaluation needs or unique compliance frameworks requiring deep customization. The heavy reliance on tagging for risk adjustments creates significant maintenance overhead in large environments, while the dependency on specialized Cypher graph queries introduces potential adoption barriers for security teams without specific technical expertise.

  • Integrations: While the solution integrates with a vast ecosystem of security tools and maintains source data fidelity, organizations with complex security environments may still face implementation challenges. Security teams requiring specialized knowledge of Cypher queries to customize the proprietary scoring algorithm might experience adoption barriers, particularly in environments with limited technical expertise. This could impact how effectively security findings can be prioritized across the organization. Additionally, enterprises managing hundreds of integrated security tools might encounter operational complexity when maintaining these connections, especially during version upgrades or configuration changes.

Purchase Considerations
Rapid7 utilizes a transparent pricing structure based on a 90-day rolling average of "active assets" (endpoints, cloud resources, containers, and web applications) with published list pricing starting at approximately $23 per asset per year for 1,000 assets on the Essentials tier. External assets discovered through EASM capabilities don't count against licensing, and deployment components like agent software and scan engines are provided at no additional cost. Organizations considering Rapid7 should note that add-on components including Threat Command intelligence feed, Vector Command continuous red-team capability, and MDR services may impact total investment.

The solution functions as a comprehensive security platform with a cloud-native architecture (AWS multitenant) offering a 99.95% uptime SLA. Its hybrid collection model supports both agent-based monitoring (proven at over 650K agents in a single tenant) and network scanning through horizontally scalable engines. The platform's flexibility extends to risk scoring (configurable "Rapid7 Active Risk" score), custom dashboards with natural language filtering, and no-code automation through InsightConnect playbooks. This integrated approach makes it particularly suitable for organizations seeking to consolidate multiple security functions under a unified asset graph.

Implementation complexity is moderate with a React-based web console providing role-based landing pages and contextual drill-downs from assets to specific vulnerabilities. Onboarding processes are streamlined through cloud connector templates (CloudFormation and ARM scripts), agent installers across major platforms, and scan engine deployment options (OVA or Docker). The Top Fixes algorithm helps reduce alert fatigue by grouping vulnerabilities by common patch, reportedly decreasing ticket noise by approximately 60%. Organizations should be aware of occasional UI cache issues requiring manual refresh and some legacy documentation links that redirect to newer content.

Use Cases
Rapid7 delivers a comprehensive vulnerability management platform with exceptional network scanning capabilities and attack path visualization. Security teams in complex hybrid environments benefit from its combination of agent-based and network scanning approaches, providing real-time visibility across traditional and cloud infrastructure. The platform's Top Fixes algorithm serves remediation teams by reducing ticket noise approximately 60% through intelligent vulnerability grouping based on common patches. Organizations implementing DevSecOps practices appreciate Rapid7's IaC scanning for early detection of misconfigurations in Terraform and CloudFormation templates. The solution scales effectively for large enterprises, supporting environments with over 650,000 agents and 1 million assets while maintaining responsive performance. While strong in traditional and cloud-native vulnerability assessment, organizations seeking advanced application security testing capabilities will need to leverage Rapid7's third-party integrations rather than native functionality.

RunSafe Security: RunSafe Security Platform

Solution Overview
RunSafe Security is a vendor focused on vulnerability identification, analysis, and protection for embedded software, addressing risks in both commercial and defense sectors. The company specializes in proactive cybersecurity for embedded systems, leveraging patented technology to mitigate memory-based vulnerabilities and automate risk identification. Over the past year, RunSafe Security introduced the RunSafe Security Platform, an integrated solution that combines build-time SBOM generation, vulnerability identification, automated remediation, and runtime monitoring for embedded systems.

The primary offering, the RunSafe Security Platform, is a modular suite comprising three main components: RunSafe Identify, RunSafe Protect, and RunSafe Monitor. RunSafe Identify generates detailed SBOMs at build time, identifies vulnerabilities (including those in C and C++ code without standard package managers), and quantifies risk reduction options. RunSafe Protect mitigates memory-based exploits by dynamically relocating software functions in memory at runtime, which prevents attackers from leveraging predictable memory layouts without requiring code rewrites.

The RunSafe Security Platform is offered as a single, integrated solution with modular components that can be adopted individually or in combination, allowing organizations to tailor their vulnerability management approach according to their needs.

RunSafe Security is positioned as a Challenger and Forward Mover in the Maturity/Feature Play quadrant of the GigaOm Radar for CVM chart.

Strengths
RunSafe Security scored well on a number of decision criteria, including:

  • Application vulnerability assessment: The solution provides specialized binary inspection and SBOM generation capabilities that effectively detect CVEs and memory-based zero-days in embedded C and C++ firmware. This approach is enhanced by runtime crash telemetry that aids in identifying potential security issues. Though it lacks DAST, IAST, or coverage for web, mobile, or SaaS code, the solution delivers exceptional capabilities for firmware security assessment within its focused domain.

  • Risk-based assessment: The platform employs a Quantitative Risk Reduction Analysis that tallies CVE severity, exploitability, and ROP gadget exposure to demonstrate mitigation impact. This approach provides a clear view of security improvements achieved through remediation efforts.

  • Integrations: The solution offers CI/CD plug-ins and APIs that output SBOMs and vulnerability lists at build time, enabling security validation during the development process. These integration capabilities support security-aware development practices, though the solution lacks native SIEM, SOAR, ticketing, or VM platform connectors, which limits its ecosystem reach.

Opportunities
RunSafe Security has room for improvement in a few decision criteria, including:

  • Software composition analysis: The solution provides build-time SBOMs generated within CI pipelines that inventory third-party libraries and flag CVEs specifically for embedded systems. However, this approach demonstrates significant limitations for diverse technology environments. Organizations with heterogeneous application portfolios will struggle with the restricted language support, while teams focused on cloud-native development will find minimal value from this capability. The embedded systems focus creates potential blind spots for modern application architectures, problematic for organizations transitioning to microservices or containerized environments.

  • Customizable risk scoring: While the solution offers a default model that combines severity, exploitability, and system impact metrics to prioritize remediation efforts, it lacks advanced customization capabilities. The absence of user-defined weighting mechanisms or custom formula options significantly reduces flexibility for security teams with specialized risk frameworks. Organizations in regulated industries or those with unique threat landscapes may find these constraints limiting when attempting to align vulnerability prioritization with their specific business context.

RunSafe Security was classified as a Forward Mover given its limited public release notes and roadmap, along with few year-over-year changes to its features.

Purchase Considerations
RunSafe offers a quote-based pricing model and provides an interactive TCO calculator to assist in calculating costs. While the solution provides tools to measure potential value, the closed price list approach may complicate initial budget planning for prospective customers.

The solution functions as a specialized binary hardening technology that implements memory protection through techniques like Live Function Randomization (LFR). Rather than traditional vulnerability scanning, RunSafe focuses on making software intrinsically resistant to memory corruption exploits regardless of patch status. Its minimal overhead (approximately 10% memory and negligible CPU impact) makes it suitable for deployment across diverse environments from microcontrollers to servers, with proven implementation in Department of Defense weapons systems.

Implementation requires three primary steps: installing the package, exporting a key, and prefixing build commands. This approach requires no source code modifications, workflow changes, or agent configuration, making integration relatively straightforward for development teams. The solution supports multiple build systems (including Make, CMake, Bazel, and Yocto) and works with C and C++, Rust, Go, and ELF binaries. Organizations with existing CI/CD pipelines can integrate RunSafe's SBOM and vulnerability mitigation capabilities into their existing jobs. While the ecosystem includes connectors for major cloud platforms, containers, and CI/CD tools with a documented REST API, it reportedly offers fewer turnkey integrations than top-tier competitors.

Use Cases
RunSafe Security delivers specialized vulnerability mitigation focused on memory safety for embedded C and C++ firmware rather than broad vulnerability management. Organizations with critical infrastructure systems benefit from its binary inspection and SBOM generation capabilities that detect CVEs and potential zero-day vulnerabilities in embedded applications. Development teams working with containerized workloads appreciate its easy deployment through a one-line Helm install that auto-discovers running containers within 60 seconds without requiring code changes. The solution's continuous validation engine serves security teams by suppressing nonreachable CVEs, reducing false positives by up to 90% according to vendor claims. While excellent for its specialized use case, RunSafe Security lacks broader vulnerability management capabilities including network scanning, IaC assessment, and cloud-native scanning, making it a complementary solution rather than a comprehensive platform.

runZero

Solution Overview
runZero is a cybersecurity company that specializes in asset inventory and network security solutions. The company's primary focus is on delivering comprehensive exposure management and visibility into an organization's entire IT, OT, and IoT environment, including on-premises, cloud, and remote assets.

runZero takes a distinctive approach to vulnerability management by emphasizing deep, system-level telemetry and network analysis. runZero is a standalone solution designed to provide detailed asset inventory and vulnerability assessment. Unlike traditional vulnerability management tools, it leverages advanced active scanning techniques and passive monitoring to gather extensive information about assets without requiring agents or credentials. In addition, its platform can ingest data from third-party sources to further enrich asset details and provide a consolidated view.

runZero works by conducting comprehensive analysis of internal and external attack surfaces, including analyzing network traffic to identify and fingerprint devices, applications, and services. It uses a proprietary scanning engine that can detect and classify a wide range of assets, including IoT devices, operational technology, and cloud instances. The platform provides highly detailed information about each asset, including operating systems, installed software, open ports, and vulnerabilities.

The solution can be deployed on-premises or as a cloud-based service, offering flexibility for organizations with different infrastructure requirements. runZero's platform integrates with existing security tools and workflows, enabling organizations to enhance their vulnerability management processes with rich contextual asset data.

runZero is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the GigaOm Radar for CVM chart.

Strengths
runZero scored well on a number of decision criteria, including:

  • Network-based vulnerability scanning: The solution provides continuous unauthenticated fingerprinting across IT, OT, IoT, and cloud environments. It flags CVEs along with other security issues including default credentials, end-of-life software, anonymous FTP, Telnet, and multihomed bridges. Its detection capabilities are guided by CISA KEVs and internal Rapid Response research. While the approach is network-only and misses authenticated host checks and patch-level validation, it delivers comprehensive visibility into networked assets.

  • Customizable risk scoring: The platform offers user-assigned criticality, tags, and query-based logic that reshape dashboards, alerts, and prioritization through both UI and API interfaces. This allows security teams to adjust how findings are presented and prioritized based on their specific organizational needs. Though the core risk formula and factor weights remain non-editable, the available customization options provide significant flexibility.

  • Risk-based assessment: The solution merges exposure data with external reachability, asset criticality, and exploited-in-the-wild signals to rank findings across hybrid environments. This approach provides context beyond simple vulnerability scores, though the underlying weighting model is largely fixed and somewhat opaque, requiring users to rely on separate customization features for fine-tuning.

Opportunities
runZero has room for improvement in a few decision criteria, including:

  • Application vulnerability assessment: The solution's inference-based approach demonstrates significant limitations compared to traditional application security methodologies. Without SAST, DAST, or IAST capabilities, it cannot inspect code paths or actively test application logic, creating substantial blind spots in detecting true application-layer vulnerabilities. Organizations in sectors requiring comprehensive application security assessment, such as financial services or healthcare, may find these constraints problematic when trying to identify complex vulnerabilities like logic flaws, injection attacks, or authentication weaknesses.

  • Software composition analysis: While providing detailed software inventory capabilities, the solution lacks native dependency graphing, license checking, and direct vulnerability matching functionality. This creates challenges for organizations needing comprehensive software supply chain visibility without depending on external platforms. The absence of built-in dependency analysis means security teams cannot independently assess transitive vulnerability impact or identify dependency-chain attacks without integrating additional specialized tools, potentially creating visibility gaps in complex application ecosystems.

  • IaC vulnerability and misconfiguration assessment: The solution's post-deployment validation approach fails to address predeployment security needs for infrastructure as code. The absence of static analysis for Terraform or CloudFormation templates means security issues cannot be identified early in the development lifecycle when remediation is most efficient. Additionally, the limited visibility for ephemeral or containerized assets creates blind spots in modern cloud-native architectures where short-lived resources require specialized security assessment techniques.

Purchase Considerations
runZero offers a transparent licensing model based on unique assets seen within a rolling 30-day window (using proprietary methods for merging and deduplication of MAC and UUID data), with annual subscription terms starting at 500 assets and tiered discounts based on asset volumes. A single SKU includes all functionality: internal and external discovery, vulnerability detection and correlation, cloud connectors, OT and IoT fingerprinting, dashboards, and APIs. The pricing structure includes no additional charges for users, Explorers, integrations, or scan frequency, and the self-hosted package is provided at no cost if customers supply their own hardware and VM.

The solution functions primarily as an asset discovery and attack surface management platform with exceptional scalability. The architecture employs lightweight "Explorer" services (requiring ≤1 vCPU and 512 MB RAM) that perform active or passive discovery before sending compressed data to the console over TLS on port 443. Additionally, for fully air-gapped networks, runZero offers architectures that support full functionality. Organizations can deploy as many Explorers as needed: some deployments need only a single Explorer, while more distributed and segmented networks may use many, with reference customers running more than 250 Explorers managing over 3 million assets per scan cycle. The platform's performance optimizations include parallel scan tasks with configurable throttling, delta uploads to minimize bandwidth utilization (typically <5 KB per asset per scan), and indexed search capabilities that maintain sub-2-second query performance even with datasets exceeding 100 million service records.

Implementation is straightforward with a web-based UI featuring an intuitive search bar with a user-friendly query builder. The setup process involves creating an organization, downloading the Explorer installer, and configuring the scan wizard with CIDR ranges, SNMP credentials, and throttling parameters. Initial results appear within 5 minutes, and a complete subnet fingerprint typically completes in about 90 seconds for a /24 network at 100 packets per second. The platform provides comprehensive ecosystem integration through numerous inbound connectors (VM, EDR and XDR, MDM and CMDB, cloud providers, and identity systems), outbound and bidirectional integrations (ServiceNow, Jira, and Splunk), and extensive API capabilities (REST, GraphQL, and webhooks). Additionally, runZero customers can import data from custom data sources via runZero’s Python SDK or custom integration scripts, which can be run directly on a runZero Explorer. runZero maintains a GitHub repository for sharing existing custom integrations, to which partners and customers are invited to contribute.

Use Cases
runZero excels in discovering and assessing previously unknown and unmanageable assets across diverse environments. Security teams struggling with shadow IT benefit from its continuous unauthenticated fingerprinting that identifies rogue devices, default credentials, and exposed services within minutes of deployment. The solution particularly serves OT and IoT environments like manufacturing, healthcare, and utilities through its nonintrusive scanning approach that operates safely on sensitive networks without disruption. Organizations with distributed infrastructure appreciate its lightweight Explorer sensors (≤1 vCPU, 512 MB RAM) that scale horizontally across multiple sites while minimizing bandwidth usage (<5 KB per asset per scan). The platform's unified visibility across IT, OT, and cloud resources creates a comprehensive asset inventory that enhances vulnerability management by providing essential context about exposure and network paths. While not replacing dedicated application security tools, runZero provides the critical foundation of accurate internal and external asset visibility that other security programs depend on.

SecPod Technologies: SecPod Saner CVEM

Solution Overview
SecPod Technologies is a provider of endpoint security and management solutions with a primary focus on vulnerability and exposure management for enterprise IT environments. The company’s offerings are designed to help organizations identify, assess, and remediate security vulnerabilities across diverse infrastructures, supporting a range of operating systems and third-party applications.

Its flagship solution in this space is SecPod Saner CVEM (part of SecPod's Saner Platform), which contains Saner CVEM for endpoints and Saner CNAPP for cloud infrastructure. Saner CVEM combines continuous vulnerability scanning, asset exposure monitoring, posture anomaly detection, compliance management, risk prioritization, patch management, and endpoint management within a single cloud-based console.

The architecture is built on a cloud-hosted server, a lightweight agent deployed on endpoints, and a network scanner and cloud scanner, enabling rapid, automated scans and real-time remediation actions. The platform leverages a proprietary vulnerability intelligence feed (supporting over 193,000 security checks that are updated daily) and provides detailed analytics and reporting for compliance and risk management. Saner CVEM’s integrated approach is designed to streamline vulnerability management processes, offering organizations centralized visibility and control over their security posture.

SecPod Technologies is positioned as a Challenger and Fast Mover in the Innovation/Feature Play quadrant of the GigaOm Radar for CVM chart.

Strengths
SecPod Technologies scored well on a number of decision criteria, including:

  • Risk-based assessment: The solution is supported by a proprietary SCAP repository containing over 193,000 security checks with new vulnerabilities updated within 24 to 36 hours of discovery by a dedicated threat intelligence team. The solution considers multiple factors for assessment including exploitability, public exploit availability, CVSS scores, attack patterns, business context, and mission-critical device identification. This comprehensive approach enables more precise risk assessment than solutions relying solely on CVSS scores.

  • Application vulnerability assessment: The solution utilizes an endpoint-based agent to scan applications and operating systems using its proprietary SCAP Repository. This approach maps software characteristics to known vulnerabilities and is complemented by network-based scanning for application exposure identification. While it lacks static application security testing capabilities, the runtime detection methodology provides valuable visibility into potential vulnerabilities in deployed applications.

  • Cloud-native and serverless function scanning: It supports AWS and Azure environments with vulnerability, misconfiguration, and exposure detection capabilities that include serverless services such as AWS Lambda and Azure Functions. The solution differentiates between internet-exposed and internal services for risk-based assessment while integrating findings across the computing landscape from endpoints to cloud workloads, providing a more unified view of the security posture.

Opportunities
SecPod Technologies has room for improvement in a few decision criteria, including:

  • Network-based vulnerability scanning: The solution utilizes a proprietary database and native scanning capabilities for vulnerability detection, but demonstrates notable limitations in third-party scanner integration. This restriction creates potential visibility gaps for organizations with existing scanning infrastructure from vendors like Tenable, Qualys, or Rapid7. Security teams in large enterprises with established vulnerability management programs may struggle to consolidate findings without sacrificing context and detection coverage, particularly in heterogeneous environments where multiple scanning technologies are necessary for comprehensive coverage.

  • Software composition analysis: While leveraging a substantial SCAP repository for vulnerability detection in applications and components, the solution is limited to identifying detectable installed software using version and binary fingerprinting techniques. This approach lacks the depth of dedicated SCA tools, missing critical capabilities in source code analysis, dependency mapping, and license compliance tracking. Organizations with complex software supply chains or those required to maintain detailed software bills of materials will find these constraints limiting.

  • Integrations: The solution offers native integration with selected ITSM platforms while providing REST APIs for custom integrations, but presents a limited integration ecosystem compared to market leaders. The heavy reliance on API-based custom integration creates additional implementation burdens for security teams. Organizations with diverse security toolchains may face challenges exchanging data with specialized security solutions due to the minimal prebuilt connector options, potentially creating information silos that undermine comprehensive security visibility.

Purchase Considerations
SecPod Technologies offers exceptional cost transparency with a straightforward annual subscription model priced per managed endpoint, device, workload, or cloud asset. Customers can select any combination of modules (Vulnerability Management, Patch Management, Compliance, Asset Management, Endpoint Management, Posture Anomaly Management, and Risk Prioritization) or choose the discounted Complete Suite bundle. The pricing structure includes no implementation, training, or connector fees, with unlimited users and API calls included in the base license.

The solution functions as an integrated vulnerability and endpoint management platform using a single lightweight "Saner agent" (approximately 15 MB installer using ≤2% CPU when idle) that performs discovery, vulnerability scanning, configuration assessment, and patch deployment. This unified approach eliminates the need for separate scanners while supporting a wide range of operating systems including Windows, macOS, and various Linux distributions. The architecture demonstrates enterprise-grade scalability with production references exceeding 15,000 endpoints under a single tenant and internal load tests simulating 100,000 endpoints while maintaining sub-2-second dashboard query response times.

Implementation complexity is moderate with standard deployment methods for the agent (MSI, PKG, and RPM files deployed via GPO, Intune, and SCCM). Devices appear in the console within two to three minutes of deployment, with full environments typically operational in under 24 hours according to the vendor's service level objective. The SaaS portal features a unified dashboard with intuitive Detect, Prioritize, and Remediate tabs enabling one-click transition from finding to patch job. Organizations should note some reported UX issues with pages failing to load when managing over 1 million findings unless filters are applied. Integration capabilities include native connections to ServiceNow and Freshservice for ticketing, CMDB import functionality, webhook templates for Slack and Microsoft Teams, and standard syslog (CEF) output for SIEM integration.

Use Cases
SecPod Technologies delivers a streamlined vulnerability and patch management platform particularly well suited for mid-size organizations seeking operational efficiency. Security teams benefit from its lightweight "Saner agent" (approximately 15 MB, ≤2% CPU idle) that combines vulnerability scanning, configuration assessment, and patch deployment in a single component, eliminating the need for multiple agents. IT departments with budget constraints appreciate its transparent pricing model that allows modular selection of capabilities without hidden implementation or connector fees. The solution serves organizations with diverse environments through comprehensive support for Windows, macOS, and various Linux distributions, creating unified visibility across operating systems. While it offers strong automation capabilities for patch deployment workflows with testing stages and rollback support, its integration ecosystem remains somewhat limited compared to enterprise-focused competitors, primarily supporting ServiceNow, Freshservice, and basic SIEM connections through syslog exports.

Sysdig: Sysdig Secure

Solution Overview
Sysdig is a cybersecurity company that specializes in cloud, container, and Kubernetes security solutions. The company's primary focus is on providing visibility, security, and compliance for cloud-native applications and infrastructure.

Sysdig's approach to cloud security is characterized by its emphasis on real-time detection and runtime insights. Sysdig Secure, a comprehensive CNAPP solution designed to address various aspects of cloud-native security and compliance, is a standalone product containing all features described below.

The solution operates by leveraging Sysdig's patented instrumentation technology, which provides deep visibility into container environments without requiring changes to application code or infrastructure.

It collects and analyzes data from various sources within cloud and container environments, including system calls, network traffic, and application logs. This data is then used to provide real-time insights, detect threats, and enforce security policies across the entire application lifecycle. The solution can be deployed as a SaaS offering or on-premises, integrating with popular container orchestration platforms and cloud services to provide comprehensive security coverage for modern cloud-native environments.

Sysdig is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the GigaOm Radar for CVM chart.

Strengths
Sysdig scored well on a number of decision criteria, including:

  • Software composition analysis: The solution performs registry and CI scans that enumerate packages, OS layers, and language modules across container environments. It merges "in-use" runtime signals to help focus remediation efforts on components actually being utilized in production. Integration with Snyk and Checkmarx provides access to richer vulnerability data, though advanced SCA capabilities like license compliance and deep dependency graphing are delegated to these partners.

  • Customizable risk scoring: The solution offers both out-of-box and custom SysQL policies that let users craft specific risk definitions such as "Exposed Workload with Critical CVE." Users can assign context tags and asset criticality to tailor risk assessments to their environment. While custom queries are restricted to a fixed set of resource types and do not allow altering base severity calculations, the available customization options provide significant flexibility.

  • Network-based vulnerability scanning: The platform utilizes a hybrid agent-plus-agentless discovery approach that fingerprints both cloud and host assets. It correlates CVEs and non-CVE issues with KEVs and Exploit Prediction Scoring System (EPSS) data that updates continuously. While it lacks a fully authenticated network scanner and relies on metadata and endpoint agents for depth, the solution can ingest external scanner results for additional coverage.

Opportunities
Sysdig has room for improvement in a few decision criteria, including:

  • Application vulnerability assessment: The solution relies entirely on ingesting third-party scanning results rather than offering native code scanning capabilities. This dependency creates potential visibility gaps for organizations with custom application frameworks not well covered by partner tools. Security teams requiring immediate vulnerability detection may experience delays waiting for partner feed updates to propagate through the system. The roadmap focusing on deeper partnerships rather than developing first-party testing capabilities suggests this limitation will persist.

  • IaC vulnerability and misconfiguration assessment: While providing predeployment scanning for common IaC templates, the solution currently lacks drift detection capabilities and offline CLI functionality. This limitation creates security blind spots for organizations needing to identify post-deployment divergence from secure baselines. Companies in regulated industries with strict compliance requirements for continuous configuration validation may find this gap problematic until the planned six-month roadmap delivers these features.

  • Cloud-native and serverless function scanning: The solution offers coverage across major cloud providers but demonstrates limitations with tier-2 cloud platforms and function code inspection. Organizations with multicloud strategies extending beyond mainstream providers or operating in regions where providers like Alibaba Cloud dominate will experience coverage gaps. Additionally, security teams requiring deep analysis of serverless function code for comprehensive security validation will find the current capabilities insufficient.

Purchase Considerations
Sysdig offers a subscription-based licensing model where pricing is determined by protected assets: cloud CSPM and agentless VM scanning are priced per cloud VM instance, while container and Kubernetes runtime and vulnerability protection is charged per node. Image registry scanning is included with node or VM entitlements without additional per-image fees. The solution is available in four module bundles: Detection and Response, Workload Protection, Risk Management, and CNAPP. Optional add-ons include extended data retention (13 or 25 months) and Premium Support (24/7). Pricing is consistent whether purchased directly or through AWS Marketplace, with multiyear commitment discounts up to 18% for 3-year terms.

The solution functions as a comprehensive cloud-native security platform with proven scalability for enterprise deployments. Customer references include a SaaS provider managing 30,000 Kubernetes nodes with 150 million syscalls per minute and a global bank covering 12 regions with 2 million container images scanned weekly across more than 500 AWS accounts. The three collection modes (eBPF-based agent, agentless VM snapshot scanner, and registry and CI inline scanning) provide flexibility in deployment approaches, while Infrastructure as Code templates facilitate rapid onboarding—connecting AWS Organizations, Azure Management Groups, or GCP Folders in under 60 seconds.

Implementation complexity is minimized through guided wizards for cloud connections, agent installation, and registry integration in the unified SaaS console. The platform provides several noise reduction controls, including the ability to display only runtime-in-use vulnerabilities (reducing findings by up to 95%), exclude distroless base images, and hide development namespaces. Integration capabilities include connections with ticketing systems (like Jira and ServiceNow), messaging platforms (like Slack and Teams), SIEM and SOAR tools, and development platforms. Organizations seeking comprehensive protection across containers, Kubernetes, VMs, and cloud services will find Sysdig's unified approach particularly valuable, though they should consider how the per-node or per-instance pricing model aligns with their infrastructure scale.

Use Cases
Sysdig delivers specialized security for cloud-native environments, excelling in container and Kubernetes protection. DevSecOps teams benefit from its flexible scanning options (eBPF agent, agentless VM scanning, and registry and CI integration) that adapt to different stages of the software development lifecycle. The solution's runtime insights capability serves security teams overwhelmed by vulnerability alerts by reducing findings up to 95% through identification of packages actually loaded in memory rather than merely present in images. Organizations with large-scale containerized deployments appreciate Sysdig's proven scalability, supporting environments with more than 30,000 Kubernetes nodes and processing 150 million syscalls per minute with sub-2-second backend latency. The platform's Attack Graph visualization helps security analysts understand potential exploit paths from internet-exposed resources to vulnerable workloads and data stores, enabling more strategic remediation prioritization.
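The Sysdig profile above describes several prioritization signals without showing how they combine: a runtime "in-use" filter over the image SBOM, hiding development namespaces, correlation with KEV and EPSS data, and custom policies such as "Exposed Workload with Critical CVE" driven by context tags and asset criticality. The following Python block is an added illustration written for this report, not Sysdig's code and not SysQL; the CVE identifiers are placeholders, the sample workloads are constructed, and the score weights are an illustrative policy rather than any vendor's formula.

```python
"""Risk-based prioritization of container vulnerability findings.

Added example for this report (not Sysdig's, Tenable's or any vendor's code).
It combines the signals the vendor profiles describe: an image SBOM, a runtime
"in-use" package list, KEV membership, an EPSS probability, and workload
context tags (exposure, namespace, owner-assigned criticality). All inputs are
constructed sample data; the CVE identifiers are placeholders, not real
advisories, and the weights are an illustrative policy, not a vendor's formula.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    severity: str   # CVSS-style bucket: Critical, High, Medium or Low
    epss: float     # EPSS probability of exploitation in the next 30 days
    in_kev: bool    # listed in CISA's Known Exploited Vulnerabilities catalog


@dataclass
class Workload:
    name: str
    namespace: str
    internet_exposed: bool
    criticality: int        # 1 (low) to 5 (crown jewel), set by the asset owner
    sbom: list              # every Finding present in the image
    in_use_packages: set    # packages observed loaded in memory at runtime


SEVERITY_WEIGHT = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


def in_use_findings(w: Workload) -> list:
    """Keep only findings whose package was actually loaded at runtime."""
    return [f for f in w.sbom if f.package in w.in_use_packages]


def risk_score(f: Finding, w: Workload) -> float:
    """Illustrative score: base severity, then exploitation evidence, then context."""
    score = SEVERITY_WEIGHT[f.severity] * 10   # 10..40 from severity alone
    score += f.epss * 30                       # up to +30 for high exploit probability
    score += 25 if f.in_kev else 0             # known to be exploited in the wild
    score += 15 if w.internet_exposed else 0   # reachable from the internet
    score += w.criticality * 3                 # business context supplied by tags
    return round(score, 1)


def exposed_workload_with_critical_cve(w: Workload) -> bool:
    """Custom policy in the spirit of 'Exposed Workload with Critical CVE'."""
    return w.internet_exposed and any(
        f.severity == "Critical" for f in in_use_findings(w))


def prioritize(workloads, hide_namespaces=("dev",), in_use_only=True):
    """Return (score, workload, cve, package) tuples, highest risk first."""
    rows = []
    for w in workloads:
        if w.namespace in hide_namespaces:     # noise control: hide dev namespaces
            continue
        findings = in_use_findings(w) if in_use_only else w.sbom
        rows.extend((risk_score(f, w), w.name, f.cve, f.package) for f in findings)
    return sorted(rows, reverse=True)


def noise_reduction(workloads):
    """(total findings, in-use findings, percent removed by the in-use filter)."""
    total = sum(len(w.sbom) for w in workloads)
    in_use = sum(len(in_use_findings(w)) for w in workloads)
    return total, in_use, round(100 * (total - in_use) / total)


def build_sample_workloads():
    """Constructed sample data; CVE-PLACEHOLDER-* are not real identifiers."""
    openssl = Finding("CVE-PLACEHOLDER-0001", "openssl", "Critical", 0.9, True)
    libxml2 = Finding("CVE-PLACEHOLDER-0002", "libxml2", "High", 0.05, False)
    curl = Finding("CVE-PLACEHOLDER-0003", "curl", "Medium", 0.02, False)
    zlib = Finding("CVE-PLACEHOLDER-0004", "zlib", "Low", 0.01, False)
    python = Finding("CVE-PLACEHOLDER-0005", "python", "Medium", 0.1, False)
    return [
        Workload("api-gateway", "prod", True, 5,
                 [openssl, libxml2, curl, zlib], {"openssl", "libxml2"}),
        # same critical KEV in the image, but the library is never loaded here
        Workload("batch-worker", "prod", False, 2, [openssl, python], {"python"}),
        Workload("test-app", "dev", True, 1, [openssl], {"openssl"}),
    ]


if __name__ == "__main__":
    ws = build_sample_workloads()
    print("noise reduction (total, in-use, % removed):", noise_reduction(ws))
    for row in prioritize(ws):
        print(row)
```

Two behaviours are worth noting when adapting this to real scanner output. The same critical, KEV-listed library appears in both production images, but it only reaches the worklist for the workload that actually loads it, which is the "in-use" reduction the profile describes; and the dev namespace is hidden from the ranked output while still counting toward the raw total, so teams can report both the full inventory and the actionable subset.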

Tanium: Converged Endpoint Management (AEM)

Solution Overview
Tanium Converged Endpoint Management (AEM) offers vulnerability management as part of its broader Risk and Compliance suite. The Risk and Compliance and Endpoint Management solutions include data gathering features that identify, investigate, and remediate vulnerabilities across an organization's endpoint infrastructure, software supply chain, and other assets.

Tanium AEM stands out for its ability to detect vulnerabilities and provide immediate, actionable remediation. It offers a unique click-through investigation process, allowing users to examine potential patches and receive guided remediation steps. Its native patch management capability, executed directly through the AEM platform, eliminates the need for separate patching tools.

For organizations using ServiceNow, Tanium integrates vulnerability data and patch processes into ServiceNow's risk and change management workflows, ensuring a unified approach to IT operations and security. In cases where patches are unavailable, Tanium offers alternative risk mitigation strategies, including endpoint quarantine, process termination, and software uninstallation.

Tanium is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the GigaOm Radar for CVM chart.

Strengths
Tanium scored well on a number of decision criteria, including:

  • Software composition analysis: The solution provides robust SBOM capabilities that identify runtime libraries and dependencies across multiple ecosystems including Java and Python. It enables real-time detection of vulnerabilities in software components, as demonstrated during critical vulnerabilities like Log4j. This visibility into software dependencies helps organizations understand their exposure to supply chain risks and respond quickly to newly discovered vulnerabilities.

  • Risk-based assessment: The solution offers risk-based assessment through its Benchmark feature, providing a quantifiable enterprise-wide risk posture score. It delivers real-time views of security posture and includes industry comparisons that help organizations understand how their risk levels compare to peers. These capabilities enable security teams to better prioritize remediation efforts based on actual risk rather than just vulnerability severity.

  • Integrations: The solution features extensive integrations with major platforms including ServiceNow, Splunk, Microsoft Security Copilot, and OpenCTI. These connections are supported by robust API capabilities for system connectivity, allowing organizations to incorporate the solution into their existing security infrastructure. The integration ecosystem helps extend functionality and streamline workflows across security operations.

Opportunities
Tanium has room for improvement in a few decision criteria, including:

  • Application vulnerability assessment: The solution's endpoint-based scanning approach provides limited coverage for complex web applications that require specialized dynamic testing. While effective for traditional software vulnerability assessment across distributed environments, it struggles with detecting sophisticated web application vulnerabilities such as complex injection flaws or authentication bypass issues. Organizations with critical customer-facing applications or those processing sensitive data may find the lack of deep application-specific testing insufficient for comprehensive security validation, particularly when compliance frameworks require thorough application penetration testing.

  • Network-based vulnerability scanning: The solution demonstrates a notable endpoint-centric approach that creates potential blind spots in comprehensive network infrastructure assessment. Its satellite architecture, while effective for endpoint and unmanaged asset detection, provides less robust analysis of network devices, complex routing infrastructures, and specialized equipment. Organizations with diverse network ecosystems including IoT deployments, industrial control systems, or software-defined networking environments may encounter coverage limitations when attempting to establish complete network visibility and vulnerability detection.

  • Automated vulnerability validation and exploitation testing: The solution exhibits significant limitations in native vulnerability validation capabilities, instead relying on third-party integrations for breach simulation functionality. This dependence on external tools creates potential workflow friction and integration challenges for security teams. Organizations requiring continuous, automated validation of vulnerability exploitation risk may find the lack of built-in capabilities restricts their ability to effectively prioritize remediation efforts based on actual exploitability in their specific environment.

Purchase Considerations
CVM capabilities are packaged as a part of Tanium Risk and Compliance Plus, which offers a comprehensive overview of the organization's risk status across all endpoints. The solution allows CISOs and their teams to manage risk at scale from large global environments to regional entities. Tanium collects real-time risk data (including vulnerabilities, compliance configuration risks, and sensitive data findings) from millions of assets and unifies risk assessment and remediation in a single platform with the ability to build a comprehensive Software Bill of Materials (SBOM) at runtime.

The solution functions through a unique peer-to-peer architecture with a single lightweight agent (≈15 MB RAM idle, <1% CPU) deployed on endpoints. This design enables remarkable scalability with minimal network impact—maintaining constant 1% network utilization even at more than 500,000 endpoints. Reference deployments include a global bank with 350,000 endpoints achieving ≤15-second median response times to ad-hoc vulnerability queries and a U.S. DoD program managing over 1 million assets with daily SCAP scans completing in under four hours.

Implementation complexity is mitigated through the HTML5 Tanium Console featuring natural language queries and intuitive dashboards. The platform provides extensive content libraries with over 100,000 vulnerability checks and more than 90 compliance checks, supporting Windows, macOS, Linux, AIX, and Solaris environments.

Integration capabilities are robust with native connections to ITSM and CMDB systems (including significant ServiceNow integrations), SIEM and SOAR platforms, patch orchestration systems, and comprehensive API options including REST, JSON, and GraphQL. Organizations should note that while the Satellite option enables limited scanning of unmanaged devices, the solution's primary strength lies in comprehensive management of endpoints with installed agents.

Use Cases
Tanium delivers enterprise-scale vulnerability management driven by its unique peer-to-peer architecture, making it valuable for organizations with distributed endpoints. Security operations teams appreciate its real-time visibility, with documented cases showing 15-second median response times for ad-hoc vulnerability queries across 350,000 endpoints. The solution serves compliance-focused organizations through extensive coverage of security standards with more than 90 CIS and STIG benchmark checks. IT operations teams benefit from the tight integration between vulnerability assessment and patch deployment capabilities, enabling efficient remediation workflows. The platform's lightweight agent maintains minimal performance impact while providing comprehensive endpoint visibility across Windows, macOS, Linux, AIX, and Solaris systems. Organizations with air-gapped or high-latency networks gain particular value from Tanium's linear chain protocol that maintains constant low network utilization regardless of endpoint count.

Tenable: Tenable Vulnerability Management, Security Center

Solution Overview
Tenable is a cybersecurity company that specializes in vulnerability management and exposure detection. The company's primary focus is on providing organizations with comprehensive visibility into their attack surface and helping them proactively manage cyber risk. 

Tenable's approach to vulnerability management is characterized by its emphasis on continuous monitoring and risk-based prioritization. The company offers a comprehensive solution called Tenable One, an exposure management platform that combines multiple components to provide a holistic view of an organization's security posture. Tenable One is not a standalone product but rather an integrated suite of tools designed to work together seamlessly.

The platform includes Tenable Vulnerability Management, which covers on-premises and cloud infrastructure scanning, container security, and web application scanning. It also incorporates Lumin Exposure View, a visualization engine that aids in presenting vulnerability data. It operates through various deployment options, including SaaS scanners and agents connected to a cloud-based console. For container security, the solution offers multiple integration methods, such as CLI push using Docker commands, connector configurations with cloud services, or on-premises container scanner appliances. 

Tenable is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the GigaOm Radar for CVM chart.

Strengths
Tenable scored well on a number of decision criteria, including:

  • Network-based vulnerability scanning: The solution combines active host discovery with passive traffic monitoring through Nessus Network Monitor while incorporating agent telemetry for near-real-time data collection. It provides daily Vulnerability Priority Rating updates and maintains a continuous plugin feed sourced from the National Vulnerability Database, GitHub, vendor advisories, and internal research. Though scanning depth remains contingent on credentials or agent placement, the multilayered approach provides comprehensive network visibility.

  • IaC vulnerability and misconfiguration assessment: The solution utilizes Terrascan to check various IaC formats including Terraform, CloudFormation, and ARM templates. This capability encompasses over 500 CIS rules with Rego customization options, GitOps hooks, and CI/CD blocking. While runtime drift detection has limitations and coverage for niche IaC formats continues to mature, the core functionality addresses key security concerns in infrastructure code.

  • Integrations: The solution offers over 200 prebuilt connectors plus REST API and SDK links to platforms like ServiceNow, CyberArk, Splunk, ForeScout, and major cloud providers. These integrations enable credential pulls, ticketing workflows, and data sharing across the security ecosystem, though gaps remain for some OT, DevOps, and real-time bidirectional use cases.

Opportunities
Tenable has room for improvement in a few decision criteria, including:

  • Application vulnerability assessment: The solution offers strong dynamic application security testing for web applications but lacks native static and interactive application security testing capabilities. This limitation creates potential blind spots for organizations requiring deep code analysis of custom applications. Companies with complex proprietary software or those operating in heavily regulated industries may find these constraints challenging, as comprehensive security assessment often requires multiple testing methodologies working in concert to identify vulnerabilities across different application layers.

  • Software composition analysis: While providing effective scanning for IaC files and container images, the solution demonstrates notable limitations in comprehensive software supply chain analysis. The absence of full language-level dependency graphing creates challenges for organizations needing to understand complex dependency relationships within their applications. Additionally, the limited license risk analysis capabilities and lack of SBOM export functionality for non-container workloads may prove problematic for enterprises requiring complete software inventory visibility for compliance purposes.

  • Automated vulnerability validation and exploitation testing: Despite enriching vulnerability findings with contextual information through machine learning models, the solution lacks built-in breach-and-attack simulation capabilities. This absence of automated exploit execution functionality within customer environments creates challenges for security teams seeking to validate vulnerability impact through real-world attack scenarios. Organizations in high-security industries may find these limitations restrict their ability to effectively prioritize remediation efforts based on actual exploitability in their specific environment.

Purchase Considerations
Tenable offers a subscription-based licensing model where pricing is determined by unique assets with findings, with multiple IPs for the same asset counting as a single license and a 5% burst buffer that auto-recovers. The solution is available in tiered subscriptions: Tenable VM core, VM + WAS bundle, and an Enterprise plan that adds Lumin Exposure AI and Predictive Prioritization. Additional add-ons include PCI ASV certification, Patch Management, and Tenable OT (priced per IP). The base subscription includes unlimited scanners and agents, daily plugin feeds, API access, and basic support, with Premier support (more than 15%) and TAM service (more than 25%) available at additional cost.

The platform functions as a comprehensive vulnerability management solution with a cloud architecture deployed on AWS across multiple regions and availability zones. Its scalability is evidenced by reference implementations including a Fortune 50 retailer managing over 5 million assets across nine regions and processing 12 billion plugin results daily, and the US Department of Veterans Affairs handling 1.7 million endpoints with 260 scanner appliances. The solution supports unlimited Nessus scanners per tenant (each handling approximately 512 concurrent hosts) and has demonstrated the ability to manage over 1 million Nessus Agents in a single deployment for the US DoD.

Implementation is streamlined through an HTML5 console with intuitive assets and findings workbenches, global search capabilities, and drag-and-drop widgets. Scan templates (Basic, Credentialed, Malware, Compliance, and SCAP) and guided wizards simplify deployment, while scan health diagnostics automatically identify credential or firewall issues. Organizations benefit from dynamic tagging that auto-populates groups and eliminates manual list maintenance, as well as My Exposure View and Top Fixes features that aggregate duplicate CVEs into single remediation items. The ecosystem includes over 200 certified integrations across cloud platforms, SIEM and SOAR tools, ITSM and CMDB systems, credential vaults, and EDR and XDR platforms, complemented by open REST and Streaming APIs, Webhooks, and GraphQL for custom development.

Use Cases
Tenable delivers comprehensive vulnerability management across hybrid environments with exceptional network scanning capabilities. Large enterprises benefit from its proven scalability, supporting deployments with over 5 million assets and processing 12 billion plugin results daily while maintaining sub-2-second query performance. Security teams struggling with vulnerability prioritization leverage Tenable's Vulnerability Priority Rating (VPR) that combines more than 150 data points, threat intelligence, and exploit probability to focus remediation efforts on the most critical issues. Organizations adopting IaC practices value Terrascan's ability to check Terraform, CloudFormation, and ARM templates against more than 500 CIS rules, enabling policy enforcement before deployment. The solution's intuitive interface and guided workflows serve both experienced security professionals and those new to vulnerability management, with features like Top Fixes that aggregate duplicate CVEs into single remediation items, dramatically improving operational efficiency.

Tromzo: Tromzo Platform

Solution Overview
Tromzo is a cybersecurity company that focuses on application security posture management (ASPM) and vulnerability management. The company's primary emphasis is on helping organizations identify, prioritize, and remediate security risks across their entire software development lifecycle, from code to cloud.

Tromzo's approach to security is differentiated by its emphasis on providing a comprehensive view of an organization's security posture while facilitating rapid remediation. The company offers a single solution, the Tromzo platform, which serves as a security posture and vulnerability management tool. This solution is a standalone product that integrates with existing development and security tools to provide a holistic view of an organization's risk landscape.

The Tromzo platform functions by aggregating and analyzing data from various sources across the software development lifecycle. It uses advanced analytics to contextualize risks, enabling security teams to prioritize vulnerabilities based on their potential impact and likelihood of exploitation. The solution acts as a single source of truth for security posture, providing clear visibility into an organization's risk landscape. By integrating with existing workflows and tools, Tromzo facilitates communication between security and development teams, streamlining the remediation process. 

Tromzo is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the GigaOm Radar for CVM chart.

Strengths
Tromzo scored well on a number of decision criteria, including:

  • Application vulnerability assessment: The solution aggregates findings from multiple security tools including SAST, DAST, SCA, CSPM, and CNAPP to provide a comprehensive code-to-cloud security view. It employs AI agents to automatically triage findings and route fixes to the appropriate teams. While it lacks native scanning capabilities and functions as a pure orchestrator, this approach allows it to leverage the strengths of specialized tools while providing centralized visibility.

  • Software composition analysis: The solution pulls dependency data from various sources including Snyk, BlackDuck, Mend, code repositories, and container scanners. It then enriches this data with ownership information, risk metrics, and CI/CD guardrails. Though it lacks a first-party SCA engine and depends on integrations for visibility, the enrichment capabilities add significant contextual value to the aggregated findings.

  • Customizable risk scoring: The solution enables users to redefine severities, business groupings, KPIs, and dashboards to meet specific governance targets. This flexibility allows organizations to align security metrics with their unique risk tolerance and reporting requirements. The implementation requires some user design effort but provides substantial adaptability.

Opportunities
Tromzo has room for improvement in a few decision criteria, including:

  • Network-based vulnerability scanning: The solution depends entirely on external data feeds rather than offering native scanning capabilities, creating significant limitations in vulnerability detection depth. This reliance on third-party scanners means coverage quality varies based on external tool capabilities, potentially creating visibility gaps. Organizations with specialized infrastructure requiring custom scanning approaches may find these constraints problematic, as the solution cannot directly control scan frequency, depth, or protocol coverage to address unique environmental requirements.

  • IaC vulnerability and misconfiguration assessment: The solution lacks native template parsing capabilities, instead surfacing issues only when partner scanners push results. This dependency creates potential blind spots for organizations using specialized IaC frameworks or custom infrastructure templates. Though it can correlate findings with repositories and infrastructure metadata, the absence of built-in misconfiguration checks means security teams remain dependent on external tools for comprehensive assessment, potentially missing emerging IaC security issues until third-party scanners add detection capabilities.

  • Integrations: While offering connections to common development and cloud platforms, the solution's integration ecosystem has limitations for specialized environments. Organizations with legacy systems or industry-specific tools may require custom API development work to achieve full visibility. Financial services companies with proprietary trading platforms or healthcare organizations with specialized clinical systems might encounter integration challenges that limit the solution's effectiveness in comprehensively securing their entire technology landscape.

Purchase Considerations
Tromzo offers an annual subscription model where pricing is based on the combined count of code repositories and cloud workloads (ECS and EKS pods, Lambda functions, and so forth) under management. The licensing structure includes unlimited users, API calls, and out-of-box integrations without additional connector or feature add-on fees. Support services including email, Slack channel access, and quarterly success reviews are bundled with the subscription. Organizations considering additional assistance can opt for Professional Services at $225 per hour or a fixed-scope QuickStart package that spans two weeks.

The solution functions primarily as an ASPM platform, operating as a SaaS offering hosted on AWS with a 99.9% availability SLA. Its API-only ingestion model eliminates the need for scanners or agents, simplifying deployment. The platform demonstrates substantial scalability with customers managing over 25,000 repositories and 3 million SCA findings with hourly synchronization cycles completing in under 30 minutes. Rather than attempting to be comprehensive across all security domains, Tromzo focuses specifically on application security with integrations to code repositories, CI/CD platforms, AppSec scanners, and container registries.

Implementation is straightforward given the API-based approach, with a modern React and TypeScript interface featuring global search capabilities and visual dependency graphing for package-to-repository-to-service mapping. The automation studio offers drag-and-drop workflow creation with YAML export and import, and dry-run testing. Organizations should note some limitations including occasional stale cache issues when editing policies (requiring manual refresh) and the absence of native network and host scanning capabilities. With more than 50 maintained integrations updated bi-weekly, the solution provides adequate connectivity despite having a smaller ecosystem than some competitors.

Use Cases
Tromzo delivers a specialized ASPM platform that consolidates findings from disparate security tools into a unified view without adding another scanner to the environment. DevSecOps teams value its ability to reduce alert noise through AI-driven false positive detection and automatic prioritization based on business impact, exploitability data, and environmental context. Development organizations with complex repository structures benefit from Tromzo's ownership mapping that automatically routes security findings to the right teams based on configurable rules. The platform's no-code automation studio serves security leaders by enabling quick creation of custom workflows that align vulnerability management with organizational processes. While excellent for coordinating application security efforts across large development organizations, Tromzo's reliance on third-party tools for actual vulnerability detection means its effectiveness is directly tied to the quality and coverage of integrated scanners.

WithSecure: WithSecure Elements Exposure Management 

Solution Overview
WithSecure is a European cybersecurity vendor focused on delivering outcome-based security solutions for mid-market organizations, IT service providers, and managed security service providers. The company emphasizes privacy, data sovereignty, and regulatory compliance, aligning its offerings with the evolving needs of businesses facing increasingly complex cyberthreats and regulatory requirements. Over the past year, WithSecure has undergone notable changes, including the divestment of its open source data collection business to Patria and the sale of its cybersecurity consulting business to Neqst, moves that reflect a sharpened focus on its Elements product suite.

The WithSecure Elements Exposure Management solution is a modular suite designed to address multiple aspects of cybersecurity, including vulnerability management, endpoint protection, detection and response, collaboration protection, cloud security posture management, and eASM. Elements Exposure Management, a key component of the suite, provides asset discovery, vulnerability scanning (including authenticated and unauthenticated scans), risk assessment, and centralized reporting through the Elements Security Center. Users can deploy scans via dedicated scan nodes or agent-based capabilities, with all findings managed through a unified interface. The solution is available as a standalone module or as part of the broader Elements suite, allowing organizations to select individual capabilities or combine them for broader coverage. This approach supports self-managed, vendor-managed, and partner-managed service models, with cloud-native architecture enabling streamlined deployment and management.

WithSecure is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the GigaOm Radar for CVM chart.

Strengths
WithSecure scored well on a number of decision criteria, including:

  • Attack path analysis: The solution provides strong attack path simulation capabilities, utilizing AI-based technologies to model and visualize how attackers could exploit vulnerabilities and misconfigurations across networked assets. This approach helps security teams understand potential attack vectors and prioritize remediation efforts based on actual risk paths rather than isolated vulnerabilities, enabling more strategic security resource allocation.

  • Network-based vulnerability scanning: The solution delivers robust network scanning functionality that maps full attack surfaces through both active and passive checks. It conducts authenticated scans via WinRM and SSH protocols while identifying open ports and misconfigurations. This comprehensive approach provides visibility into network vulnerabilities that could potentially be exploited by attackers.

  • Integrations: The solution offers API access and integrations with SOAR platforms like Shuffle, as well as Microsoft Sentinel. These integration capabilities allow organizations to incorporate vulnerability data into broader security workflows and analytics, though the overall breadth of integrations is relatively limited compared to some competitors.

Opportunities
WithSecure has room for improvement in a few decision criteria, including:

  • Application vulnerability assessment: The solution demonstrates significant limitations in its application security testing capabilities, providing only basic web application scanning without comprehensive static or dynamic analysis. This approach creates potential blind spots for organizations with complex applications requiring in-depth security validation. Companies developing custom applications or operating in regulated industries may find the restricted assessment depth inadequate for identifying sophisticated vulnerabilities or meeting compliance requirements that demand thorough application security testing methodologies.

  • Cloud-native and serverless function scanning: While the solution offers identity security posture management and cloud security posture management capabilities, it demonstrates significant limitations in comprehensive cloud-native coverage. The focus on AWS and Azure platforms creates potential visibility gaps for organizations using multicloud strategies that include other providers. Additionally, the solution lacks clear serverless function-specific scanning capabilities. 

  • Automated vulnerability validation and exploitation testing: Despite the comprehensive attack path simulation capabilities provided through AI-driven modeling, the solution may demonstrate limitations in environments with highly specialized or emerging threat vectors not well-represented in historical attack analysis data. While it offers continuous automated assessment through XDR telemetry integration, organizations with segmented networks or limited telemetry collection might experience reduced effectiveness in attack path modeling. 

Purchase Considerations
WithSecure offers Exposure Management for Business with per-user licensing based on the number of users with workstations and servers. The Frontline add-on is available for those without workstations. Exposure Management for Cloud (CSPM) licensing is based on monthly cloud bills. Two main offerings include Elements Exposure Management (replacing the end-of-sale Vulnerability Management) and Elements Cloud platform, which includes Endpoint Protection, Patch Management, EDR, Collaboration Protection, Identity Security, and Cloud Security. Luminen GenAI experience is included at no additional cost. The pricing structure features advanced support with no additional costs for API calls or scan nodes. WithSecure's products are available primarily through their sales channel network and recently on AWS Marketplace. Their flagship Elements Infinite service combines Continuous Threat Exposure Management (CTEM), Endpoint Protection, Detection, Response (XDR), and Managed Detection and Response (MDR).

The solution functions as a comprehensive vulnerability management platform with a SaaS control plane hosted on AWS (99.9% service SLA) and distributed scan nodes. Its flexibility is evident in multiple deployment options, including full SaaS and hybrid (local scan nodes with SaaS portal). Network scan nodes on local systems are available for implementation, along with connection to restricted networks from endpoints through the Elements Connector, which functions as a proxy. Coverage extends across network and host scanning, authenticated checks, web application and API testing, and public cloud discovery through Azure and AWS connectors.

Implementation complexity is moderate, with an HTML5 portal featuring wizard-driven discovery scanning that delivers initial results within 15 minutes after node deployment. The agentless architecture eliminates endpoint footprint and reboot requirements, simplifying operational management. Organizations should note potential performance limitations with the UI when managing over 500,000 findings, which may require filtering before export to avoid interface lag. Integration capabilities include a REST and JSON API, turn-key connections to SIEM and SOAR platforms and ITSM systems, and CMDB import functionality via CSV, ServiceNow, and Azure tag synchronization.

Use Cases
WithSecure delivers strong network vulnerability assessment with excellence in attack path analysis. Security teams benefit from its AI-based attack simulation capabilities that model and visualize how attackers could exploit vulnerabilities across networked assets, enabling truly risk-based remediation prioritization. The solution serves organizations with distributed infrastructure through its unlimited scan node architecture, supporting environments with hundreds of thousands of IPs while maintaining responsive performance. Smaller security teams in the SME space will find the unified solution combines endpoint protection, detection, and response with exposure management to simplify defenses. While exceptional for traditional network security, organizations seeking comprehensive application security testing, software composition analysis, or infrastructure-as-code assessment will need to supplement with additional solutions, as WithSecure focuses primarily on network and endpoint security rather than cloud-native or development pipeline vulnerabilities.

Wiz: Wiz Cloud Security Platform

Solution Overview
Wiz is a vendor specializing in cloud security, with its primary focus on providing vulnerability management and risk assessment for organizations operating in cloud environments. In March of 2025, Wiz and Google announced a definitive agreement for Google Cloud to acquire Wiz. The deal is subject to regulatory review, and Wiz will join Google Cloud after close. Over the past year, Wiz expanded its capabilities through several acquisitions, including Dazz and Gem Security, which have contributed to broadening its security offerings.

The main solution offered by Wiz is known as the Wiz Cloud Security Platform, which unifies vulnerability management, risk assessment, and remediation across the entire cloud stack. This platform is agentless, leveraging API connectors to scan and analyze cloud configurations, workloads, and assets across public and hybrid cloud environments, including AWS, Azure, GCP, Kubernetes, and OpenShift. It provides comprehensive coverage for clouds by identifying vulnerabilities in virtual machines, containers, serverless functions, and PaaS services, while also evaluating network exposure, identities, entitlements, and data sensitivity.

Wiz’s approach combines automated vulnerability detection with contextual risk analysis, using a graph-based model to correlate risk factors and prioritize remediation efforts based on potential attack paths and business impact. The solution includes integrated modules such as Wiz Cloud for visibility and risk prioritization, Wiz Code for secure development pipeline oversight, and Wiz Defend for runtime threat detection and response. The solution is designed as a unified suite rather than a standalone product, enabling organizations to manage vulnerabilities, compliance, and incident response within a single environment.

Wiz is positioned as a Leader and Outperformer in the Maturity/Feature Play quadrant of the GigaOm Radar for CVM chart.

Strengths
Wiz scored well on a number of decision criteria, including:

  • Risk-based assessment: The solution provides top-tier contextual risk analysis by correlating vulnerabilities with exposure, entitlements, and data sensitivity through its Security Graph technology. This comprehensive approach enables security teams to prioritize critical issues effectively based on actual risk rather than isolated vulnerability scores. The unified view of risk helps organizations focus remediation efforts where they matter most.

  • Attack path analysis: The solution delivers exceptional attack path analysis capabilities via its Security Graph, mapping cross-cloud attack routes and visualizing exploitable paths to high-value assets. By correlating multiple risk factors, it provides security teams with a clear understanding of how vulnerabilities could be chained together in real-world attack scenarios, enabling more strategic remediation planning.

  • Integrations: The solution features extensive integrations with cloud providers, ticketing systems like ServiceNow, SIEMs, and SOAR platforms. These connections enable seamless workflow automation across security toolchains, enhancing the overall efficiency of security operations. The robust integration ecosystem allows organizations to incorporate the solution into their existing security infrastructure with minimal friction. With Wiz UVM, customers can also centrally manage security findings from their external scanners, including infrastructure vulnerability scanners, code scanners, and pen test assessments.

Wiz was classified as an Outperformer given its release of Wiz Defend and Cloud Detection and Response as well as its rapid platform evolution despite the acquisition, which often slows development work to prioritize rebranding and integration. 

Opportunities
Wiz has room for improvement in a few decision criteria, including:

  • Network-based vulnerability scanning: Despite recent additions of Unified Vulnerability Management and Sensor Workload Scanners for on-premises environments, the solution's sensor-based approach demonstrates inherent limitations compared to traditional network scanning methodologies. The sensor deployment model creates potential visibility gaps in environments where agents cannot be installed or maintained, particularly in legacy systems or specialized equipment common in manufacturing, healthcare, and critical infrastructure. Additionally, the sensor approach typically provides less comprehensive network topology mapping and traffic analysis than dedicated network scanning solutions, potentially missing complex attack vectors that require deep packet inspection or protocol-specific analysis. 

  • Software composition analysis: Despite its comprehensive dependency analysis capabilities and strong cloud integration, the solution demonstrates limitations in certain specialized environments. While effective at processing lock files and reconstructing dependency trees for common ecosystems, organizations with legacy applications or custom package management systems may encounter reduced visibility. The binary artifact analysis, though robust for standard compiled formats, may struggle with proprietary binary formats or heavily obfuscated code commonly found in certain industry sectors. Additionally, enterprises with strict regulatory compliance requirements in highly regulated industries such as healthcare or financial services might find the remediation guidance insufficient for documenting compliance with specific supply chain security frameworks. 

  • Customizable risk scoring: Despite enabling custom controls with user-defined severity assignments based on business impact, the solution still exhibits limitations in certain specialized risk assessment scenarios. The reliance on the predefined Security Graph analysis framework, while powerful, restricts organizations requiring completely custom algorithmic approaches to risk calculation. Additionally, environments with highly specialized asset types or those with unusual threat models might struggle to fully represent their unique risk contexts within the provided customization parameters. While the ability to assign custom controls to compliance frameworks offers flexibility, security teams with advanced quantitative risk modeling requirements may need supplementary tools to address complex scenario-based risk calculations beyond what the solution currently supports.

Purchase Considerations
Wiz offers a workload-based licensing model, where a workload is defined as a compute instance, container node, or serverless bundle. Public AWS Marketplace pricing ranges from approximately $240 to $380 per 100 workloads per year (varying by region and term length), with volume discounts available across tiers (≤5K, ≤25K, ≤100K, >100K). Multiyear commitments provide additional savings, with 3-year prepayments offering up to an 18% discount. The pricing structure includes no charges for users, APIs, or integrations, with CSPM objects bundled into the workload count. Organizations should consider potential costs for add-ons like Sensitive Data Discovery, MDR for Cloud, and the Professional Services QuickStart package ($25K fixed price).

The solution functions as a cloud-native security platform delivered exclusively through a SaaS model hosted on AWS in multiple regions. Its architecture demonstrates exceptional scalability with a reference tenant managing more than 70,000 AWS accounts and more than 5 million cloud resources while maintaining a delta-sync SLA under 15 minutes. The agentless approach uses provider-native mechanisms for snapshot analysis, eliminating per-host sensor limits and reducing operational overhead. Coverage extends across virtually all cloud asset types including IaaS VMs, containers, serverless functions, PaaS databases, SaaS identities, IaC templates, container images, and CI pipelines.

Implementation is remarkably straightforward—launching CloudFormation, ARM, or Terraform stacks with read-only IAM roles provides initial findings in under five minutes, with full security graph population within 24 hours. The modern React UI features intuitive visual attack path mapping from internet exposure through vulnerable assets to sensitive data. Organizations with existing security infrastructure will benefit from Wiz's ecosystem integrations with major SIEM and SOAR platforms, ticketing systems, CI/CD tools, and messaging services. The solution is particularly well suited for cloud-first organizations seeking comprehensive visibility without agent deployment overhead.

Use Cases
Wiz delivers agentless cloud security that excels in rapidly securing complex multicloud environments. Cloud security teams benefit from its comprehensive visibility across AWS, Azure, GCP, OCI, and Alibaba Cloud without deploying resource-intensive agents. Large enterprises appreciate Wiz's proven scalability, handling environments with more than 70,000 cloud accounts and more than 5 million resources while maintaining sub-1-second query performance on its Security Graph database. DevSecOps practitioners value the platform's intuitive risk prioritization capabilities that combine vulnerability data with exploitability metrics, internet exposure, and potential access to sensitive data. Organizations with sophisticated cloud architectures gain particular value from Wiz's visualization of attack paths from internet exposure to critical assets, enabling targeted remediation of the most consequential security gaps. The solution's ease of deployment—with first findings appearing within five minutes of connecting cloud accounts—makes it attractive for security teams needing immediate visibility into their cloud risk posture.

XM Cyber: Continuous Exposure Management 

Solution Overview
XM Cyber is a vendor specializing in continuous exposure management, focusing on helping organizations understand and reduce cyber risk across hybrid environments by modeling how attackers could exploit vulnerabilities, misconfigurations, and identity exposures. In the past year, XM Cyber expanded its capabilities through the acquisition of Confluera, a cyberattack detection and response firm, which has enhanced its offering to include real-time monitoring and response for active threats in cloud environments. The primary solution relevant to vulnerability management is the XM Cyber Vulnerability Risk Management solution, which is an add-on module within the broader XM Cyber Continuous Exposure Management suite rather than a standalone product.

The solution operates by continuously discovering, mapping, and reassessing vulnerabilities using lightweight sensors and a cloud-hosted dynamic dictionary of CVEs. It prioritizes vulnerabilities based on a combination of CVE severity, exploitability, and potential impact to business-critical assets, leveraging attack path modeling and attack graph analysis to provide context on which exposures pose the most significant risk. This approach enables organizations to focus remediation efforts where they will have the most impact, reducing time spent on vulnerabilities that do not lead to critical assets. The suite includes features for dynamic CVE mapping, exploitability validation, contextual risk reporting, and closed-loop remediation guidance, supporting both traditional and attack-centric vulnerability management workflows.

XM Cyber is positioned as a Challenger and Forward Mover in the Maturity/Feature Play quadrant of the GigaOm Radar for CVM chart.

Strengths
XM Cyber scored well on a number of decision criteria, including:

  • Attack path analysis: The solution provides a continuous graph visualization that shows potential lateral movement paths across hybrid environments. It updates in real time with sensor data and stolen-credential intelligence, enabling security teams to understand how attackers might navigate through the network. The ability to flag choke points—critical junctures where multiple attack paths converge—helps organizations identify high-value remediation targets that can efficiently disrupt numerous potential attack routes.

  • Risk-based assessment: The solution employs attack graph analysis that fuses multiple data sources including CVSS, KEV, EPSS, and ExploitDB along with asset labels to rank exposures. This approach helps prioritize vulnerabilities that represent actual risk rather than isolated severity scores. The solution intelligently ignores blocked or dead-end paths, focusing attention on viable attack routes, though the weighting model is fixed without options for granular user customization.

  • Network-based vulnerability scanning: The solution utilizes both passive and external active probes to map assets, with a daily-fed CVE catalog to identify vulnerabilities. Sensor telemetry supplies real-time exposure data to maintain current visibility into the attack surface. While it lacks deep authenticated network scanning capabilities and relies on once-per-day signature updates, the hybrid approach provides comprehensive asset discovery.

Opportunities
XM Cyber has room for improvement in a few decision criteria, including:

  • Application vulnerability assessment: The solution relies on sensors and APIs to track version changes and configuration flaws, supplemented by third-party vulnerability feeds. However, it lacks fundamental application security testing capabilities including SAST, DAST, and IAST, creating substantial blind spots for organizations developing custom applications. Software-focused enterprises will find these limitations particularly problematic, as code-level defects remain entirely undetected despite potentially creating significant security exposure. Organizations in regulated industries requiring comprehensive application security validation will struggle to meet compliance requirements with these constraints.

  • Cloud-native and serverless function scanning: While providing API-based detection of cloud service provider misconfigurations and Kubernetes flaws, the solution demonstrates notable limitations in comprehensive cloud security coverage. The dependency on optional sensors for complete visibility creates potential blind spots in environments where sensor deployment is challenging. Organizations with multicloud strategies face particular difficulties due to the absence of tier-2 cloud provider support. Additionally, the lack of current agentless workload scanning capabilities (only on the roadmap) restricts effectiveness in dynamic cloud environments where agent deployment may be impractical.

  • Customizable risk scoring: The solution offers scenario-building capabilities that allow teams to identify breach points and critical assets but demonstrates significant limitations in fundamental risk calculation customization. The inability to modify the underlying scoring mathematics restricts organizations with specialized risk frameworks from aligning the solution with their specific requirements. Instead of true algorithm customization, the solution relies on scenario filters, which may prove insufficient for enterprises in heavily regulated industries with unique compliance requirements or those needing to incorporate industry-specific risk factors.

XM Cyber was classified as a Forward Mover given it has focused mostly on strategic initiatives and platform consolidation rather than releasing new features and enhancing existing features.

Purchase Considerations
XM Cyber offers an annual SaaS subscription model with tiering based on different entity counts: servers, VMs, and cloud workloads, workstations and VDI, managed database services, and Kubernetes worker nodes and clusters. Additional modules are priced à-la-carte, including Security Controls Monitoring (per integrated control set), External Attack Surface Management (based on externally resolved asset counts), and Exposed Credentials Monitoring (percentage uplift on total subscription). For MSSPs, a flexible monthly usage metering program is available without upfront commitments, with sensor licenses included.

The solution functions as a specialized attack path management platform that models lateral movement possibilities across hybrid environments. Its architecture demonstrates enterprise-grade scalability with a reference implementation handling 15 billion security events daily and 3 million assets in a single tenant while maintaining sub-15-minute model refresh times. The big-data stack leverages Apache Flink for stream enrichment, Apache Spark for batch attack-path recomputation, and Neo4j for lateral-movement graph modeling—all orchestrated by Kubernetes with autoscaling capabilities.

Implementation complexity is moderate with a three-click onboarding wizard to deploy collectors, add credentials, and select critical-asset tags, typically delivering the first attack path visualization within 30 minutes. The solution excels in risk prioritization by scoring assets based on attack-path distance to critical assets, exploitability, control gaps, and compensating controls, with adjustable weightings for business impact and various vulnerability metrics. While the platform offers more than 80 native integrations across cloud providers, on-premises systems, vulnerability scanners, identity providers, and security tools, its ecosystem integration capabilities received a lower rating than other aspects, potentially indicating limitations in API extensibility or integration depth compared to competitors.

Use Cases
XM Cyber delivers attack path analysis technology that identifies how adversaries could chain vulnerabilities, misconfigurations, and identity issues to reach critical assets. Security teams overwhelmed by vulnerability data benefit from its choke point identification that highlights the small subset of security issues creating the most significant risk reduction opportunities. The platform serves complex hybrid environments through its continuous attack graph that updates in real-time as conditions change, identifying lateral movement paths spanning on-premises, cloud, and identity domains. Organizations with limited security resources appreciate the platform's "Fix First" recommendations that prioritize remediations by risk reduction impact rather than raw vulnerability severity. The solution's scalable architecture handles environments with 3 million assets and processes 15 billion security events daily, making it suitable for large enterprises. While excellent for attack path visualization and prioritization, organizations seeking comprehensive application security or infrastructure-as-code assessment will need to supplement XM Cyber with additional solutions.

8. Analyst’s Outlook

Vulnerability management has pushed far beyond the days of quarterly port scans and generic CVSS charts. It is now a dynamic, data-rich discipline that lives at the intersection of cloud operations, application security, and identity posture. For a prospective buyer, the first step toward grasping this space is to recognize that the products no longer separate neatly into “scanners.” Instead, you are evaluating risk intelligence platforms—some full-stack, some laser-focused on cloud, OT, or application code, and others built to knit together findings from every tool you already own. Before you open an RFP template, plot your own attack surface on a whiteboard, identify the crown-jewel assets, pinpoint environments that change hourly, clarify ownership of remediation, and define how business risk is measured today.

That picture will tell you whether you need a unifying backbone that ingests data from many sources, a cloud-native specialist that speaks Kubernetes, or a developer-centric engine that shifts left into the CI/CD pipeline.  

Three required capabilities should now shape every purchasing decision. The first is risk-based prioritization, in which vendors differentiate themselves by how credibly they fold business context, exploit data, and asset criticality into a single score that overrules raw CVSS. The second is attack-path analysis, which is the ability to map how seemingly low-risk misconfigurations can daisy-chain toward a high-value target. The third is unified visibility across hybrid estates. If any of those pillars is missing, security teams end up churning through thousands of false priorities or juggling multiple consoles—either way, risk persists.  
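The first two pillars, risk-based prioritization and attack-path analysis (together with the choke-point and dead-end-path handling described in the XM Cyber capsule above), can be made concrete with a small model. The following is an added illustration written for this reprint, not any vendor's scoring algorithm; the estate, the exposures, their EPSS values and the weighting formula are all constructed assumptions.

```python
# Added illustration: CVSS + exploit evidence + attack-path context -> one priority score.
from dataclasses import dataclass, field

CROWN = 4.0  # criticality at or above which an asset counts as a crown jewel (assumption)

@dataclass
class Asset:
    name: str
    criticality: float      # 1.0 commodity ... 5.0 crown jewel (constructed scale)
    exposed: bool = False   # internet-facing breach point

@dataclass
class Exposure:
    id: str
    host: str               # asset the exposure sits on
    cvss: float             # CVSS base score, 0-10
    epss: float             # EPSS probability of exploitation, 0-1
    kev: bool               # listed in CISA KEV
    enables: list = field(default_factory=list)  # hosts reachable by exploiting it

# Constructed sample estate: two breach points, a jump host, AD, a database, a printer.
ASSETS = {
    "web": Asset("web", 1.0, exposed=True),
    "vpn": Asset("vpn", 1.0, exposed=True),
    "jump": Asset("jump", 2.0),
    "ad": Asset("ad", 4.0),
    "db": Asset("db", 5.0),
    "printer": Asset("printer", 1.0),
}
EXPOSURES = [
    Exposure("EXP-1", "web", 9.8, 0.94, True, enables=["jump"]),
    Exposure("EXP-2", "vpn", 7.5, 0.10, False, enables=["jump"]),
    Exposure("EXP-3", "jump", 5.3, 0.02, False, enables=["ad"]),   # "low" misconfig
    Exposure("EXP-4", "ad", 8.8, 0.60, True, enables=["db"]),
    Exposure("EXP-5", "printer", 9.8, 0.80, True),                  # critical CVSS, dead end
    Exposure("EXP-6", "web", 6.5, 0.05, False, enables=["printer"]),
]

def viable_paths(assets, exposures, crown=CROWN):
    """Enumerate simple attack paths, as (host, exposure id, next host) steps, from
    breach points to crown jewels. Branches that never reach a crown jewel are never
    recorded, which is how dead-end paths drop out of the scoring."""
    edges = {}
    for e in exposures:
        for dst in e.enables:
            edges.setdefault(e.host, []).append((e.id, dst))
    paths = []

    def walk(node, visited, steps):
        if steps and assets[node].criticality >= crown:
            paths.append(list(steps))   # record, but keep walking to deeper jewels
        for eid, dst in edges.get(node, []):
            if dst not in visited:
                walk(dst, visited | {dst}, steps + [(node, eid, dst)])

    for name, asset in assets.items():
        if asset.exposed:
            walk(name, {name}, [])
    return paths

def choke_points(assets, paths, crown=CROWN):
    """Intermediate hosts ranked by how many viable paths converge on them."""
    counts = {}
    for path in paths:
        hosts = {s[0] for s in path} | {s[2] for s in path}
        for h in hosts:
            if not assets[h].exposed and assets[h].criticality < crown:
                counts[h] = counts.get(h, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def score_exposures(assets, exposures, paths):
    """Rank exposures by CVSS x exploit evidence x attack-path context. Path context is
    the criticality of the crown jewel reached divided by the hops still needed, so an
    exposure one hop from the database outranks one three hops away. Weights are
    illustrative assumptions, not a published model."""
    context = {}
    for path in paths:
        target = assets[path[-1][2]].criticality
        for i, (_, eid, _) in enumerate(path):
            context[eid] = max(context.get(eid, 0.0), target / (len(path) - i))
    ranked = []
    for e in exposures:
        exploit = 1.0 + e.epss + (0.5 if e.kev else 0.0)
        path_ctx = context.get(e.id, 0.25)   # on no viable path: heavily down-weighted
        ranked.append((round(e.cvss * exploit * path_ctx, 2), e.id))
    return sorted(ranked, reverse=True)

if __name__ == "__main__":
    found = viable_paths(ASSETS, EXPOSURES)
    print("choke points:", choke_points(ASSETS, found))
    for score, eid in score_exposures(ASSETS, EXPOSURES, found):
        print(f"{eid}: {score}")
```

Note how EXP-5, a KEV-listed CVSS 9.8 on a dead-end printer, falls below the CVSS 5.3 misconfiguration on the jump host that every viable path to AD and the database runs through.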

What should happen next? Stand up a cross-functional review board that includes infrastructure, DevOps, and compliance leads, then draft three to five concrete use cases, such as “reduce mean time to remediate internet-facing vulnerabilities by 40%” or “enforce IaC policies before merge.” Then, shortlist the vendors against those scenarios, not against generic feature grids, and insist on a proof-of-concept that runs in production for at least one sprint cycle. Measure outcomes with hard KPIs such as reduction in critical open issues, fewer escalations to senior engineers, and a measurable drop in attack-path length. Demand data-plane integrations into ticketing and orchestration tools before signing. Finally, negotiate for success services that bake in workflow tuning and executive reporting, because even the best technology will underdeliver if your teams cannot translate insights into closed tickets.  

Looking ahead, the market is already steering toward converged posture-management platforms that blur the lines between CSPM, CNAPP, SCA, and vulnerability management. Generative AI will soon power conversational triage and “what-if” remediation simulators that lower the barrier of entry for less specialized teams. That evolution means continuous detection will replace periodic scans, policy-as-code will govern remediation at scale, and security leadership will need metrics that resonate with board-level risk appetite. Begin planning for that future by automating asset inventory, enforcing tagging hygiene, and codifying risk scoring models that reflect your own business impact, because tools can only prioritize what you label as valuable.  

9. Methodology

*Vendors marked with an asterisk did not participate in our research process for the Radar report, and their capsules and scoring were compiled via desk research.

For more information about our research process for Radar reports, please visit our Methodology.

10. About Chris Ray

Chris Ray is a veteran of the cyber security domain. He has a collection of experiences ranging from small teams to large financial institutions. Additionally, Chris has worked in healthcare, manufacturing, and tech. More recently, he has acquired an extensive amount of experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cyber security services.

11. About GigaOm

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.