This GigaOm Research Reprint Expires October 23, 2026
[Report cover image: title "SECURITY & RISK", the GigaOm Radar logo, and a headshot of the author, Seth Byrnes.]
October 24, 2025

GigaOm Radar for Software Supply Chain Security v2

Seth Byrnes

1. Executive Summary

Software supply chain attacks are highly visible due to extensive media coverage and the increasing scope of damage they cause. Notable attacks in 2025 include the addition of malicious packages to open source repositories like npm, PyPI, and RubyGems, and the insertion of a backdoor in the XZ Utils open source compression library, allowing bad actors access to a large number of Linux systems. These incidents have broad impacts not only on IT and cybersecurity teams but also on consumers. In response to novel cyberthreats and an ever-expanding attack surface, comprehensive software supply chain security (SSCS) solutions have become vital to every organization's cybersecurity strategy.

SSCS encompasses a suite of methodologies and tools designed to identify, catalog, and manage software components while scanning for vulnerabilities and misconfigurations across code, containers, and infrastructure as code (IaC). These solutions are pivotal in preventing data breaches, unauthorized access, and malicious attacks that can impact operations, erode customer trust, and inflict significant financial damage. SSCS is essential for organizations of all sizes and industries, particularly those handling sensitive data or operating in highly regulated sectors. Regulated industries are increasingly impacted by new mandates such as the U.S. Cybersecurity Executive Order 14144 and the EU Cyber Resilience Act, which impose stricter requirements around software transparency, SBOMs, and vulnerability management. These regulations drive demand for supply chain security solutions that offer end-to-end visibility, enforceable policies, and continuous compliance monitoring.

CxOs can no longer ignore the escalating sophistication of cyberattacks or the growing complexity of the software they create and consume because they exist in an environment where organizations face persistent and evolving threats. The fallout from a successful attack can be devastating, including regulatory fines, legal repercussions, loss of customers, and irreparable damage to brand reputation. Investing in SSCS is a strategic decision that directly impacts an organization's resilience, competitiveness, and long-term success.

While the need for SSCS stems primarily from a requirement to meet compliance or risk mitigation targets, the capabilities it provides have the added benefit of increasing developer productivity, ensuring business continuity, and protecting and growing revenue streams. By proactively identifying and remediating vulnerabilities and misconfigurations, organizations can avoid costly downtime, prevent data breaches, and maintain the trust of their customers.

The SSCS landscape is constantly evolving, driven by technological advancements and the changing nature of cyberthreats. Vendors are offering a wide range of solutions securing different portions of the software development lifecycle (SDLC), with some leaning toward shift left solutions, others leaning toward shift right, and still others presenting unique solutions positioned in the middle of the development lifecycle, as posture and risk management solutions, and as solutions that review commercial software for threats.

Businesses must adopt a comprehensive strategy for software development, deployment, and usage, employing automation to match fast-paced release schedules. Prioritizing SSCS and new technologies will strengthen defenses, reduce risks, and ensure long-term success in today's digital landscape.

This is our second year evaluating the Software Supply Chain Security (SSCS) space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.

This GigaOm Radar report examines 25 of the top SSCS solutions and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) outlined in the companion Key Criteria report. Together, these reports provide an overview of the market, identify leading SSCS offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.

GIGAOM KEY CRITERIA AND RADAR REPORTS

The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the industry.

2. Market Categories and Deployment Types

To help prospective customers find the best fit for their use case and business requirements, we assess how well SSCS solutions are designed to serve specific target markets and deployment models (Table 1).

For this report, we recognize the following market segments:

  • SMB: These are smaller organizations with limited resources. They are likely to prioritize feature-specific platforms to meet business needs and smaller budgets.

  • Enterprise: These are larger organizations with complex IT environments. They are likely to have software development teams that collaborate with security teams and seek comprehensive and scalable SSCS platforms that integrate with existing security workflows.

  • Public sector: This includes government agencies and organizations subject to regulatory compliance requirements. They prioritize secure SSCS platform solutions that align with strict regulations.

  • Regulated industry: These include finance, healthcare, critical infrastructure, and the like, all of which operate under strict compliance mandates that require rigorous security controls, auditability, and data integrity. Organizations in these sectors prioritize solutions that deliver traceability, policy enforcement, and continuous risk monitoring to meet regulatory standards and reduce operational risk.

In addition, we recognize the following deployment models:

  • Software-as-a-service (SaaS): The SSCS solution is hosted and managed by the vendor in the cloud, providing scalability without requiring local infrastructure.

  • Public cloud: The SSCS solution is hosted by a public cloud provider and managed by either the vendor or customer, without requiring on-premises infrastructure.

  • Hybrid: Hybrid solutions integrate both SaaS and on-premises components, allowing organizations to leverage cloud-based services and scalability while maintaining certain elements locally.

  • On-premises: The solution is installed on the organization's local or cloud infrastructure. This offers full control over adherence to compliance frameworks but requires internal resources for maintenance and updates.

Table 1. Vendor Positioning: Target Market and Deployment Model

Target Market columns: SMB | Enterprise | Public Sector | Regulated Industry
Deployment Model columns: SaaS | Public Cloud | Hybrid | On-Premises

Vendors evaluated (one row each): Aikido Security, Anchore, Aqua Security, Black Duck, Bitfront AB, Checkmarx, Cloudsmith, Contrast Security, Cycode, Endor Labs, Fortinet, FOSSA, GitHub, GitLab, JFrog, Legit Security, Lineaje, Mend.io, OX Security, Palo Alto Networks, ReversingLabs, Scribe Security, Snyk, Veracode, Xygeni Security

(The yes/no cell values of this table are not preserved in this text version.)

Source: GigaOm 2026

Table 1 components are evaluated in a binary yes/no manner and do not factor into a vendor’s designation as a Leader, Challenger, or Entrant on the Radar chart (Figure 1).

“Target market” reflects which use cases each solution is recommended for, not simply whether that group can use it. For example, if an SMB could use a solution but doing so would be cost-prohibitive, that solution would be rated “no” for SMBs.

3. Decision Criteria Comparison

All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:

  • Software composition analysis

  • Integration with CI/CD

  • Software bill of materials (SBOM) generation

  • Policy management and enforcement

  • Auditing

  • Vulnerability and threat intelligence integrations

  • Dashboards for risk management

Tables 2, 3, and 4 summarize how each vendor in this research performs in the areas we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the relevant market space, and gauge the potential impact on the business.

  • Key features differentiate solutions, highlighting the primary criteria to be considered when evaluating an SSCS solution.

  • Emerging features show how well each vendor implements capabilities that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months.

  • Business criteria provide insight into the nonfunctional requirements that factor into a purchase decision and determine a solution’s impact on an organization.

These decision criteria are summarized below. More detailed descriptions can be found in the corresponding report, “GigaOm Key Criteria for Evaluating SSCS Solutions.”

Key Features

  • Dependencies management: Comprehensive monitoring and management of software dependencies, both direct and transitive, is vital to ensure risks are mitigated from vulnerabilities, licensing, and malicious code.

  • IaC security scanning: Developers and security teams need to identify issues in cloud infrastructure before deployment to ensure alignment with security policies. To enable this, IaC security scanning analyzes IaC files for security vulnerabilities, malware, secrets, and misconfigurations.

  • Container image security scanning: Working similarly to the way IaC scanning does, container scanning analyzes container images for vulnerabilities and misconfigurations. Since containers operate at the application level, additional capabilities differentiate the two features.

  • ML-based detection and response: All SSCS vendors offer some basic behavioral analytics capabilities, but not all of them use ML. Stronger solutions are beginning to use ML models to analyze patterns in code, builds, and deployments, look for anomalies, and identify potential security threats and then flag them for either investigation or remediation.

  • Code risk scoring and analysis: Risk scoring and analysis is vital to ensure security teams can prioritize the greatest threats first. This feature identifies and prioritizes potential threats and vulnerabilities, enabling informed decision-making.

  • Customization of security policies: With the unique requirements every business presents, customizable security policies allow organizations to tailor protection to their specific needs.

  • Supply chain mapping and visualization: Detailed supply chain mapping and visualization provides crucial insights into complex dependencies and potential vulnerabilities.

  • Automated security testing (SAST, DAST, IAST): Automated security testing integrates continuous security checks into the software development lifecycle, scanning code, dependencies, and configurations for vulnerabilities. It employs a variety of tools and techniques to identify potential security flaws, misconfigurations, and compliance issues, enabling rapid detection and remediation of risks before they reach production environments.

  • Open source governance: This feature encompasses the processes and tools that help organizations manage the use of open source software components throughout the software development lifecycle through tracking, inventorying, and ensuring license compliance.
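Dependencies management, customizable security policies, and open source governance meet in practice when an SBOM is evaluated against a versioned policy before a build is allowed to ship. The following is an added illustration of that check and is not GigaOm's code or any vendor's product logic; the CycloneDX-shaped SBOM, the advisory entries, and the policy values are constructed sample data, not real packages or advisories.

```python
"""Policy-as-code check of an SBOM: license governance, dependency hygiene,
and known-vulnerable component gating.

Added example for this report; it is not GigaOm's code nor any vendor's product
logic. The SBOM, the advisory entries and the policy values are constructed
sample data, not real packages or advisories.
"""
import json
from dataclasses import dataclass, field

# Constructed sample SBOM in the CycloneDX JSON shape (components only).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "sample-gpl-lib", "version": "2.0.1",
         "purl": "pkg:npm/sample-gpl-lib@2.0.1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "untracked-lib", "version": "0.9.0",
         "purl": "pkg:npm/untracked-lib@0.9.0"},          # no license declared
        {"type": "library", "name": "sample-vuln-lib", "version": "4.17.20",
         "purl": "pkg:npm/sample-vuln-lib@4.17.20",
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
})

# Constructed advisory feed: purl -> first fixed version. A real SCA tool pulls
# this from vulnerability intelligence feeds; these entries are placeholders.
SAMPLE_ADVISORIES = {"pkg:npm/sample-vuln-lib@4.17.20": "4.17.21"}


@dataclass
class Policy:
    """Versionable policy object: the 'policy as code' the report refers to."""
    denied_licenses: set = field(default_factory=lambda: {"GPL-3.0-only", "AGPL-3.0-only"})
    require_declared_license: bool = True
    block_known_vulnerable: bool = True
    allowed_package_types: set = field(default_factory=lambda: {"pkg:npm", "pkg:pypi"})


@dataclass(frozen=True)
class Finding:
    component: str   # name@version
    rule: str        # "license", "vulnerability" or "package-type"
    detail: str


def _license_ids(component: dict) -> list:
    return [entry.get("license", {}).get("id") for entry in component.get("licenses", [])]


def evaluate_sbom(sbom_json: str, policy: Policy, advisories: dict) -> list:
    """Return every policy violation found in the SBOM, in component order."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        ref = f'{comp["name"]}@{comp["version"]}'
        purl = comp.get("purl", "")
        pkg_type = purl.split("/", 1)[0]          # "pkg:npm" from "pkg:npm/name@ver"
        if pkg_type not in policy.allowed_package_types:
            findings.append(Finding(ref, "package-type", f"unexpected package type {pkg_type!r}"))
        ids = [i for i in _license_ids(comp) if i]
        if policy.require_declared_license and not ids:
            findings.append(Finding(ref, "license", "no license declared"))
        for lic in ids:
            if lic in policy.denied_licenses:
                findings.append(Finding(ref, "license", f"denied license {lic}"))
        if policy.block_known_vulnerable and purl in advisories:
            findings.append(Finding(ref, "vulnerability",
                                    f"known vulnerable; fixed in {advisories[purl]}"))
    return findings


def gate_passes(findings: list, blocking_rules=("vulnerability", "license")) -> bool:
    """CI gate: fail the build when any finding is in a blocking rule class."""
    return not any(f.rule in blocking_rules for f in findings)


if __name__ == "__main__":
    results = evaluate_sbom(SAMPLE_SBOM, Policy(), SAMPLE_ADVISORIES)
    for f in results:
        print(f"{f.rule:13} {f.component:28} {f.detail}")
    print("gate:", "PASS" if gate_passes(results) else "FAIL")
```

Run against the sample SBOM, the check reports one denied license, one undeclared license, and one known-vulnerable component, and the gate fails. Because the `Policy` object is plain data, it can live in the repository and be reviewed and versioned like any other code, which is the governance property the "policy as code" discussion later in this report is about.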

Table 2. Key Features Comparison

Legend (5 stars to 1 star): Exceptional, Superior, Capable, Limited, Poor; no rating = Not Applicable.
Columns, in order: Dependencies Management | IaC Security Scanning | Container Image Security Scanning | ML-Based Detection & Response | Code Risk Scoring & Analysis | Customization of Security Policies | Supply Chain Mapping & Visualization | Automated Security Testing | Open Source Governance
Each row gives the vendor, its average score, and its ratings in column order. Where a vendor has fewer than nine ratings, the remaining features were Not Applicable; their column positions are not preserved in this text version.

Aikido Security (3.8): ★★★★★ | ★★★★★ | ★★★★ | ★★★ | ★★★★★ | ★★★ | ★★ | ★★★★ | ★★★
Anchore (2.1): ★★★ | ★★★★ | ★★★ | ★★★★★ | ★★★
Aqua Security (3.9): ★★★★ | ★★★★ | ★★★★★ | ★★ | ★★★★ | ★★★★ | ★★★★★ | ★★★★ | ★★★
Black Duck (3.1): ★★★ | ★★★ | ★★ | ★★ | ★★★ | ★★★★ | ★★ | ★★★★★ | ★★★★
Bitfront AB (2.7): ★★★ | ★★★ | ★★★★ | ★★★★★ | ★★★★ | ★★★★
Checkmarx (3.9): ★★★★★ | ★★★★★ | ★★★★ | ★★★★ | ★★★★★ | ★★★★ | ★★★★★ | ★★★
Cloudsmith (2.6): ★★★★ | ★★★ | ★★★ | ★★★★★ | ★★★ | ★★★★
Contrast Security (2.7): ★★★ | ★★★★★ | ★★★★★ | ★★ | ★★★★ | ★★★
Cycode (3.8): ★★★ | ★★★★ | ★★★★ | ★★★ | ★★★★ | ★★★★ | ★★★★★ | ★★★★ | ★★★
Endor Labs (3.3): ★★★★★ | ★★★ | ★★★ | ★★★★ | ★★★★★ | ★★ | ★★★ | ★★★★
Fortinet (4.0): ★★★ | ★★★★★ | ★★★★ | ★★★ | ★★★★★ | ★★★★★ | ★★★★ | ★★★★ | ★★★
FOSSA (2.1): ★★★★ | ★★★ | ★★★ | ★★★ | ★★ | ★★★★
GitHub (2.7): ★★★★ | ★★★ | ★★ | ★★★★ | ★★★ | ★★★ | ★★★
GitLab (3.1): ★★★★ | ★★ | ★★★ | ★★★★ | ★★★ | ★★★ | ★★ | ★★★★ | ★★★
JFrog (3.2): ★★★ | ★★★★ | ★★★★ | ★★★ | ★★★★ | ★★ | ★★★★ | ★★★★
Legit Security (3.7): ★★★ | ★★★★ | ★★★★ | ★★★★★ | ★★★★ | ★★★★ | ★★★★ | ★★★★
Lineaje (3.8): ★★★★★ | ★★★★ | ★★★★★ | ★★★★ | ★★★★ | ★★★★★ | ★★ | ★★★★★
Mend.io (3.4): ★★★★★ | ★★★ | ★★★★ | ★★ | ★★★ | ★★★★ | ★★ | ★★★★ | ★★★★
OX Security (3.2): ★★★ | ★★★★ | ★★★ | ★★★★ | ★★★ | ★★★★★ | ★★ | ★★★★
Palo Alto Networks (4.7): ★★★★★ | ★★★★★ | ★★★★★ | ★★★★★ | ★★★★ | ★★★★★ | ★★★★★ | ★★★★ | ★★★★
ReversingLabs (3.2): ★★★ | ★★ | ★★★ | ★★★ | ★★★★★ | ★★★★★ | ★★ | ★★ | ★★★★
Scribe Security (3.2): ★★★★★ | ★★ | ★★★ | ★★ | ★★★★ | ★★★★★ | ★★★★ | ★★★
Snyk (3.9): ★★★★ | ★★★★★ | ★★★★★ | ★★★★ | ★★★★ | ★★★ | ★★ | ★★★★ | ★★★★
Veracode (4.2): ★★★★★ | ★★★★ | ★★★★★ | ★★★★ | ★★★★★ | ★★★★ | ★★ | ★★★★★ | ★★★★
Xygeni Security (3.3): ★★★★ | ★★★★ | ★★★★ | ★★★★★ | ★★★ | ★★★★★ | ★★ | ★★★

Source: GigaOm 2026

Emerging Features

  • Software exposure analysis: Software exposure analysis is a comprehensive set of measures that assist organizations in identifying the greatest risks to their organization. Effective analysis covers a wide range of potential threat vectors combined into a single view.

  • AI-driven security and remediation: Automated remediation streamlines the process of fixing identified security vulnerabilities and compliance issues in software supply chains. It leverages intelligent algorithms and predefined policies to automatically apply patches, update dependencies, or implement fixes, reducing manual intervention and accelerating the mitigation of potential threats.

  • Supply chain posture and visibility: Posture and pipeline visibility in an SSCS platform refers to how well the solution maps, monitors, and contextualizes risk across artifacts, pipelines, and configurations. It’s essential for understanding where vulnerabilities exist, how they propagate, and which components or teams represent a higher risk and which can enable a targeted response from organizations, addressing root causes instead of tackling singular vulnerabilities.

  • Artifact integrity: Artifact integrity ensures that every software component, whether code, container, or binary, is cryptographically verifiable, traceable, and securely sourced throughout the development lifecycle. It plays a critical role in preventing tampering, supply chain attacks, and unauthorized code injection by validating the origin and trustworthiness of each artifact.

  • Runtime threat protection: This encompasses security features that safeguard deployed applications and infrastructure by detecting and responding to threats that emerge during execution, such as zero-day exploits or unauthorized behaviors. This capability is important for preventing real-time attacks that bypass earlier security checks and for detecting exploits in real time.

  • Binary composition analysis: Binary composition analysis identifies and evaluates the contents of compiled software artifacts to uncover open source components, third-party code, potential vulnerabilities, and signs of tampering. This feature helps organizations analyze products they deliver, third-party software they consume, and legacy binaries where the source code is unavailable.

Table 3. Emerging Features Comparison

Legend (5 stars to 1 star): Exceptional, Superior, Capable, Limited, Poor; no rating = Not Applicable.
Columns, in order: Software Exposure Analysis | AI-Driven Security and Remediation | Supply Chain Posture & Visibility | Artifact Integrity | Runtime Threat Protection | Binary Composition Analysis
Each row gives the vendor, its average score, and its ratings in column order. Where a vendor has fewer than six ratings, the remaining features were Not Applicable; their column positions are not preserved in this text version.

Aikido Security (3.0): ★★★★ | ★★★★ | ★★★★ | ★★★★★
Anchore (1.3): ★★★ | ★★ | ★★
Aqua Security (2.8): ★★ | ★★★★ | ★★★ | ★★★ | ★★★★★
Black Duck (2.0): ★★ | ★★★ | ★★★ | ★★★★
Bitfront AB (1.2): ★★★ | ★★★
Checkmarx (2.2): ★★ | ★★★★ | ★★★ | ★★ | ★★
Cloudsmith (1.5): ★★ | ★★ | ★★★★
Contrast Security (2.3): ★★★★ | ★★ | ★★★ | ★★★★★
Cycode (3.2): ★★★★ | ★★★★★ | ★★★ | ★★★ | ★★★★
Endor Labs (2.7): ★★★★ | ★★★★★ | ★★★ | ★★★★
Fortinet (3.3): ★★★★ | ★★★★ | ★★★★★ | ★★★ | ★★★★
FOSSA (1.7): ★★★ | ★★★ | ★★★
GitHub (1.8): ★★ | ★★★ | ★★★ | ★★★
GitLab (2.5): ★★ | ★★★★★ | ★★ | ★★★★ | ★★
JFrog (2.7): ★★ | ★★★ | ★★★★★ | ★★★ | ★★★
Legit Security (3.0): ★★★★ | ★★★★ | ★★★★ | ★★★★ | ★★
Lineaje (3.5): ★★★ | ★★★★★ | ★★★ | ★★★★★ | ★★ | ★★★
Mend.io (2.0): ★★★★ | ★★★★ | ★★★
OX Security (2.3): ★★★★ | ★★ | ★★★★★ | ★★
Palo Alto Networks (3.8): ★★★★ | ★★★★ | ★★★★★ | ★★★★ | ★★★★★
ReversingLabs (3.2): ★★★ | ★★★ | ★★★ | ★★★★★ | ★★★★★
Scribe Security (2.5): ★★★★ | ★★★ | ★★★ | ★★★★★
Snyk (1.8): ★★★ | ★★★★ | ★★★
Veracode (1.7): ★★★ | ★★★★ | ★★
Xygeni Security (3.2): ★★★ | ★★★ | ★★★★★ | ★★★★ | ★★★★

Source: GigaOm 2026

Business Criteria

  • Scalability: This metric reflects the ability of the solution to grow along with a company’s needs, from dealing with multiple projects simultaneously to supporting complex organizational structures in large enterprise environments.

  • Flexibility: Software development platforms continually undergo rapidly evolving changes throughout the SDLC, so a flexible software supply chain security platform should be able to operate in diverse environments and onboard new ones quickly, even as it responds to evolving threats.

  • Cost transparency: In ideal circumstances, any significant investment in an SSCS solution will be offset by the value of the risk mitigation it facilitates. Initially, decision-makers should consider the pricing model to determine whether a per-user or consumption-based plan meets organizational needs and can scale sufficiently.

  • Compliance: Compliance in software supply chain security ensures adherence to regulatory requirements and industry standards and is increasingly important due to the growing risks associated with software supply chain breaches.

  • Ecosystem: This metric indicates how well the solution integrates with other software in the SDLC and whether it interfaces with the cloud components of an organization's existing IT environment. Ecosystems are crucial because they ensure seamless interaction, enhance defensive coverage, and increase the overall effectiveness of the security remediations.

  • Ease of use: Ease of use in an SSCS platform refers to how quickly and effectively users can navigate, configure, and derive insights from the system. This is critical because intuitive workflows reduce ramp-up time, improve adoption across teams, and accelerate response to software supply chain risks.

Table 4. Business Criteria Comparison

Legend (5 stars to 1 star): Exceptional, Superior, Capable, Limited, Poor; no rating = Not Applicable.
Columns, in order: Scalability | Flexibility | Cost Transparency | Compliance | Ecosystem | Ease of Use
Each row gives the vendor, its average score, and its ratings in column order.

Aikido Security (4.5): ★★★★ | ★★★★★ | ★★★★ | ★★★★ | ★★★★★ | ★★★★★
Anchore (3.8): ★★★★ | ★★★ | ★★★★ | ★★★★★ | ★★★★ | ★★★
Aqua Security (4.0): ★★★★★ | ★★★★★ | ★★★ | ★★★★ | ★★★★ | ★★★
Black Duck (4.2): ★★★★ | ★★★★★ | ★★★ | ★★★★★ | ★★★★★ | ★★★
Bitfront AB (3.5): ★★★ | ★★★★ | ★★★★ | ★★★ | ★★★ | ★★★★
Checkmarx (4.2): ★★★★★ | ★★★★★ | ★★★ | ★★★★ | ★★★★★ | ★★★
Cloudsmith (3.8): ★★★★ | ★★★★ | ★★★★ | ★★★ | ★★★ | ★★★★★
Contrast Security (3.5): ★★★ | ★★★★ | ★★★ | ★★★ | ★★★★ | ★★★★
Cycode (4.7): ★★★★★ | ★★★★★ | ★★★★★ | ★★★★ | ★★★★★ | ★★★★
Endor Labs (4.0): ★★★★★ | ★★★★ | ★★★★ | ★★★★ | ★★★ | ★★★★
Fortinet (3.3): ★★★★ | ★★★★ | ★★★ | ★★★ | ★★★ | ★★★
FOSSA (3.8): ★★★ | ★★★★ | ★★★★ | ★★★★★ | ★★★ | ★★★★
GitHub (3.5): ★★★★★ | ★★ | ★★★★ | ★★ | ★★★ | ★★★★★
GitLab (4.2): ★★★★ | ★★★★ | ★★★★ | ★★★★★ | ★★★★ | ★★★★
JFrog (3.8): ★★★★ | ★★★★★ | ★★★ | ★★★★ | ★★★★ | ★★★
Legit Security (4.2): ★★★★ | ★★★★★ | ★★★ | ★★★★★ | ★★★★★ | ★★★
Lineaje (4.3): ★★★★★ | ★★★★★ | ★★★ | ★★★★★ | ★★★★ | ★★★★
Mend.io (4.2): ★★★★ | ★★★★ | ★★★★★ | ★★★ | ★★★★ | ★★★★★
OX Security (3.3): ★★★★ | ★★★ | ★★★ | ★★★★ | ★★★ | ★★★
Palo Alto Networks (3.8): ★★★★★ | ★★★★ | ★★★ | ★★★★★ | ★★★ | ★★★
ReversingLabs (3.7): ★★★★★ | ★★★ | ★★★ | ★★★★ | ★★ | ★★★★★
Scribe Security (4.2): ★★★★ | ★★★★ | ★★★★ | ★★★★★ | ★★★★★ | ★★★
Snyk (3.5): ★★★★ | ★★★ | ★★★ | ★★★★★ | ★★★ | ★★★
Veracode (3.8): ★★★★★ | ★★★★ | ★★★ | ★★★★★ | ★★★ | ★★★
Xygeni Security (3.5): ★★★ | ★★★ | ★★★★★ | ★★★ | ★★★★ | ★★★

Source: GigaOm 2026

4. GigaOm Radar

The GigaOm Radar plots vendor solutions across a series of concentric rings with those set closer to the center judged as having the most complete solution. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrowhead that projects each solution’s expected evolution over the coming 12 to 18 months.

[Figure 1 image: the GigaOm Radar chart for Software Supply Chain Security, with axes Maturity versus Innovation and Feature Play versus Platform Play. Vendors are plotted as Leader, Challenger, or Entrant and marked as Outperformer, Fast Mover, or Forward Mover.]

Maturity emphasizes stability and continuity but may be slower to innovate. Innovation is flexible and responsive to the market but may invite disruption. Feature Play offers specific functionality and use case support but may lack broad capability. Platform Play offers broad functionality and use case support but may heighten complexity.

Figure 1. GigaOm Radar for SSCS

As you can see in the Radar chart in Figure 1, a significant concentration of 13 vendors is positioned in the Maturity/Platform Play quadrant. This large cluster represents vendors that focus on incremental improvement of their solutions, with an emphasis on stability and continuity. These platforms are looking to be a complete solution for organizations. In contrast, only seven vendors appear in the Innovation/Feature Play quadrant. These are companies seeking to add emerging features to improve the capabilities of their solutions as they work toward appealing to a broader set of use cases and organizations.

While consolidated platforms remain strong in the software supply chain security market, competition is intensifying on both the feature depth and platform breadth fronts. Vendors are racing to differentiate through emerging technologies and different protection strategies. As a result, the landscape is splitting between established platforms that are expanding through integrations and acquisitions and newcomers offering specialized, often AI-powered capabilities that deliver faster time to value. This dual dynamic is reshaping buyer expectations and accelerating innovation across the ecosystem.

The Feature Play versus Platform Play axis reveals a dichotomy in vendor strategies. While some players concentrate on specialized capabilities like SBOM management, code security testing tools, or binary analysis, the majority are striving to offer solutions that address a wide range of security needs throughout the SDLC. This split reflects the increasing need for comprehensive DevSecOps platforms that integrate security measures throughout the software supply chain, from development to deployment.

There are a small number of Outperformers, categorized primarily by their strong performance on the emerging feature metrics and by their compelling roadmaps embracing AI features. These vendors will continue to set new standards that customers will expect all vendors to meet in the future.

Over the past year, some vendors have moved into the Maturity hemisphere, as they’ve created more cohesive platforms. This movement reflects buyer demand for end-to-end visibility and governance within a single solution. At the same time, the Feature Play side saw the most dynamic activity, with several new entrants introducing new capabilities. These vendors are challenging incumbents by focusing on speed, developer experience, and automation, highlighting a growing appetite for a broader range of security approaches and solutions alongside larger platforms.

Overall, the SSCS market continues to experience rapid growth and development, with established players challenged by innovative newcomers. Comprehensive platforms will remain the core for most large organizations, while the importance of DevSecOps will shape the market's direction. However, companies will also look towards new solutions to address emerging threats and find gains in efficiency.

In reviewing solutions, it’s important to keep in mind that there are no universal “best” or “worst” offerings; every solution has aspects that might make it a better or worse fit for specific customer requirements. Prospective customers should consider their current and future needs when comparing solutions and vendor roadmaps.

INSIDE THE GIGAOM RADAR

To create the GigaOm Radar graphic, key features, emerging features, and business criteria are scored and weighted. Key features and business criteria receive the highest weighting and have the most impact on vendor positioning on the Radar graphic. Emerging features receive a lower weighting and have a lower impact on vendor positioning on the Radar graphic. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and roadmaps.

Note that the Radar is technology-focused, and business considerations such as vendor market share, customer share, spend, recency or longevity in the market, and so on are not considered in our evaluations. As such, these factors do not impact scoring and positioning on the Radar graphic.

For more information, please visit our Methodology.

5. Solution Insights

Aikido Security

Solution Overview
Aikido Security is a software company that specializes in a developer-centric software security platform that provides advanced code scanning and cloud vulnerability assessments. The platform helps to prioritize real threats, reduces false positives, and makes vulnerabilities easily understandable for developers. In 2025, the company completed three acquisitions: Trag, an AI code quality and review platform, and Allseek and Haicker, two AI pentesting companies.

Aikido Security’s approach combines multiple open source security scanners into a unified platform enhanced with proprietary tools to fill functional gaps and expand capabilities. The platform features Aikido Intel, a proprietary threat intelligence feed blending AI-driven analysis with in-house research, along with AI AutoFix for automated code remediation and AutoTriage to filter false positives and prioritize true vulnerabilities. The solution provides static application security testing (SAST) for code security, dynamic application security testing (DAST) for dynamic testing, IaC and cloud security posture management (CSPM) for infrastructure risks, container scanning, secrets detection, and software composition analysis (SCA) with SBOM generation and reachability analysis. It also handles open source license compliance, malware detection to prevent supply chain attacks, and runtime protection using Aikido Zen, an in-app firewall.

The company is working to improve its offering at a fast pace, with an aggressive roadmap that shows Aikido enhancing existing features and adding new capabilities.

Aikido Security is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the SSCS Radar chart.

Strengths
Aikido Security scored well on a number of decision criteria, including:

  • IaC security scanning: The solution can scan a wide range of platforms to detect misconfigurations and compliance issues. It can scan repos on demand or automatically on code pushes while checking against CIS benchmarks and best practices. Teams can also add custom policies, such as enforcing private registries or required tags. By integrating into the early development workflows, these capabilities help teams catch issues before they reach production.

  • Code risk scoring and analysis: The risk scoring model is applied using a multifactor scoring framework across code repos, containers, and cloud assets. Each potential issue is scored using CVSS as a baseline, then adjusted for exploitability, asset sensitivity, reachability, and blast radius. This creates prioritized issue lists and aggregate risk scores, helping teams focus on what matters most. Scores evolve with feedback from the team and track posture over time, enabling benchmarking against industry standards and compliance thresholds.

  • Runtime threat protection: The platform provides runtime threat protection using an in-app firewall deployed as a lightweight agent for Node.js, Python, Java, .NET, and PHP. The firewall monitors traffic and system calls, detecting known exploits, anomalies, and CVE signatures. It can alert or block in real time, with features like IP blocking, geo-fencing, bot detection, and outbound monitoring. Events integrate back into Aikido’s platform, linking runtime threats to code issues, enabling proactive defense and continuous security improvement.
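The code risk scoring bullet above describes the general shape of a multifactor model: a CVSS baseline adjusted for exploitability, asset sensitivity, reachability, and blast radius, producing both a prioritized list and an aggregate posture number. The block below is an added illustration of that shape and is not Aikido Security's scoring model or any vendor's code; the factor names follow the text, while the multipliers, the finding identifiers (not real CVE numbers), and the sample findings are constructed assumptions.

```python
"""Illustrative multifactor risk score: CVSS baseline adjusted for
exploitability, asset sensitivity, reachability and blast radius.

Added example for this report; it is not Aikido Security's scoring model and
does not reproduce any vendor's weights. The factor names follow the report
text; the multipliers, the finding identifiers and the sample findings are
constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnFinding:
    finding_id: str          # placeholder id, not a real CVE number
    asset: str
    cvss_base: float         # 0.0 to 10.0 baseline from the advisory
    exploited_in_wild: bool  # evidence of active exploitation
    asset_sensitivity: str   # "low", "medium" or "high"
    reachable: bool          # vulnerable code path reachable from the application
    blast_radius: int        # dependent services or assets affected


# Assumed multipliers; a production model would calibrate these from feedback.
SENSITIVITY_WEIGHT = {"low": 0.7, "medium": 1.0, "high": 1.3}
EXPLOITED_WEIGHT = 1.25
UNREACHABLE_WEIGHT = 0.5
BLAST_RADIUS_STEP = 0.03     # +3% per affected asset, capped at 10 assets


def risk_score(f: VulnFinding) -> float:
    """Adjust the CVSS baseline by each factor and clamp to the 0-10 scale."""
    score = f.cvss_base
    score *= EXPLOITED_WEIGHT if f.exploited_in_wild else 1.0
    score *= SENSITIVITY_WEIGHT[f.asset_sensitivity]
    score *= 1.0 if f.reachable else UNREACHABLE_WEIGHT
    score *= 1.0 + min(f.blast_radius, 10) * BLAST_RADIUS_STEP
    return round(min(score, 10.0), 2)


def prioritize(findings):
    """Highest adjusted risk first; ties broken by id for a stable queue."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.finding_id))


def aggregate_risk(findings) -> float:
    """Posture-level number: the worst finding dominates, the mean adds context."""
    if not findings:
        return 0.0
    scores = [risk_score(f) for f in findings]
    return round(0.7 * max(scores) + 0.3 * sum(scores) / len(scores), 2)


# Constructed sample findings.
SAMPLE_FINDINGS = [
    # Critical CVSS, but in code the application never calls, on a low-value asset.
    VulnFinding("F-2", "internal-docs", 9.8, False, "low", False, 1),
    # Critical, actively exploited, reachable, on a sensitive asset with fan-out.
    VulnFinding("F-1", "payments-api", 9.8, True, "high", True, 4),
    # Medium CVSS but exploited and reachable: outranks the unreachable critical.
    VulnFinding("F-3", "auth-service", 6.4, True, "medium", True, 0),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.finding_id}  {f.asset:14} cvss={f.cvss_base:4}  risk={risk_score(f)}")
    print("aggregate posture risk:", aggregate_risk(SAMPLE_FINDINGS))
```

The point the sample makes is the one the report attributes to multifactor scoring: two findings with the same 9.8 CVSS baseline end up at opposite ends of the queue once reachability and asset context are applied, and a 6.4 that is exploited and reachable ranks above the unreachable critical. The reachability discount is the factor to treat most carefully in a real deployment, because an analysis that wrongly marks a path unreachable silences a true positive.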

Opportunities
Aikido Security has room for improvement in a few decision criteria, including:

  • Supply chain mapping and visualization: The platform has a simple view of individual security issues, but there are no visualizations to show a complete dependency tree or to provide a data flow view across the SDLC.

  • Customization of security policies: The solution provides flexibility in security rule customization, allowing teams to tailor detections and controls to their environment. Users can define SLAs for remediation timelines, choose to ignore certain findings, and manage access with role-based controls. However, the platform does not support policy as code, meaning policies cannot be versioned, and complex governance requirements might not be met.

  • ML-based detection and response: Aikido leverages ML primarily to cut through noise and speed up vulnerability management, and organizations can use an LLM to generate recommended code changes or dependency updates. To advance further, the vendor would need to enhance self-learning capabilities, which could include deploying models that not only react to known patterns but also predict emerging risks and dynamically adapt detection and response to evolving threat landscapes.

Purchase Considerations
Aikido Security licensing is sold as a SaaS subscription tiered by the number of developer seats and the features required, broken out into three tiers: Basic, Pro, and Enterprise, the last aimed at larger organizations and typically requiring custom pricing. The vendor has modular pricing for mid-market and enterprise organizations, which usually have teams larger than 100 developers. There's also a free tier for small teams getting started or for trial use. All core features are included in every paid plan, and customers are not charged separately for each scanner or feature toggle. This allows the cost to scale with organization size rather than with usage, which can be hard to predict. 

There are some limits on how many repositories, images, and other items may be scanned. Aikido Zen is structured with the same tiers, but they are usage-based according to requests, number of apps, and log retention. 

By taking advantage of the free tier, customers can evaluate Aikido Security without needing to commit financial resources. However, organizations that require strong security should either consider the Pro tier or evaluate custom pricing.

Use Cases
Aikido Security is a single solution that contains all major features, and the vendor is focusing on creating a robust platform that covers all use cases involved in securing the supply chain. 

Its comprehensive security services and robust data protection features make the platform an ideal choice for highly regulated industries, such as finance and healthcare, for which data integrity and compliance are paramount. Large enterprises can benefit from its scalability and automation capabilities, which are particularly valuable for organizations managing multiple applications and development teams. Additionally, Aikido Security has tailored its offering to accommodate development agencies, providing them with the flexibility to use its features across multiple Git workspaces, thus enhancing their workflow and security measures.

Anchore: Anchore Enterprise

Solution Overview
Anchore specializes in container security, software supply chain security, and federal government compliance. The company’s main product, Anchore Enterprise, is a fully managed SBOM-powered SCA platform for cloud-native security and compliance. It provides deep visibility into software components, identifies vulnerabilities and risks, and enforces security policies throughout the development lifecycle.

Anchore Enterprise generates and tracks SBOMs across the SDLC, from source code to production deployments, providing a detailed inventory of all software components, including direct and transitive dependencies. Employing a multilayered security approach, the platform continuously scans these SBOMs to identify misconfigurations, malware, secrets, license risks, and known vulnerabilities using a broad set of vulnerability feed sources. It applies a precision matching algorithm to identify vulnerabilities accurately while minimizing false positives.

Anchore is incrementally improving features in the platform by providing additional interoperability and compliance capabilities. It has added the ability to ingest SBOMs, additional license management, and a new deployment option for a cloud image hosted in the public cloud. The solution leans heavily into its SBOM capabilities and container scanning, emphasizing help for security teams to improve workflows and the security posture of their organizations. 

Anchore is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the SSCS Radar chart.

Strengths
Anchore scored well on a number of decision criteria, including:

  • Customization of security policies: The solution offers out-of-the-box policy packs for regulated organizations and includes policy as code capabilities, which can be applied to data or metadata. These capabilities allow the solution to meet strict regulatory requirements for enterprises and public sector organizations.

  • Container image security scanning: The platform supports container vulnerability scanning for all major formats and for many of the lesser-known ones that other vendors do not support. It can also scan a wide range of container registries to enforce policies and govern the SDLC.   

  • Dependencies management: The Anchore Policy Engine controls which dependencies are allowed in applications, and all metadata about dependencies is included in the platform’s SBOM management features. 

Opportunities
Anchore has room for improvement in a few decision criteria, including:

  • IaC security scanning: The solution is primarily a container-focused product and doesn’t have support for IaC template scanning. It could improve by integrating with vendors or open source tools to enrich platform security capabilities.

  • Supply chain mapping and visualization: This feature is not included because the platform is focused on vulnerabilities rather than posture management.

  • ML-based detection and response: As a compliance tool, this solution does not have detection and response capabilities, as it focuses on broader SBOM and vulnerability management for regulated industries.

Purchase Considerations
Anchore offers on-premises deployment and a public cloud image offered in AWS, so organizations must have the technical resources to manage these container-based and cloud-based deployment models. This solution is primarily suited for large enterprise customers and those with compliance requirements looking for SBOM management and software composition analysis. 

The company offers two different licensing options targeted at two markets: enterprise and the public sector. Each target market has a set of pricing tiers allowing organizations to find a model that will meet requirements. Tiers are primarily organized around the number of SBOMs analyzed each month and additional security controls. Additional features, such as policy packs and policy templates for FedRAMP and DoD customers, can be added at additional cost.

Anchore also offers three support tiers, with basic assistance including setup and configuration, weekday support, and office hours. Essential and complete tiers expand by offering 24/7 support and access to more vendor support staff.   

Use Cases
Anchore strategically targets two primary industry verticals: regulated industries and enterprises. For regulated industries, particularly organizations dealing with DoD and FedRAMP, Anchore leverages its SBOM management features and robust reporting capabilities to assist with compliance across an expanding range of frameworks. In the enterprise sector, Anchore's scalability and automation capabilities make it an ideal solution for large organizations managing multiple applications and development teams. In addition to SBOM management, Anchore also specializes in two other key use cases: software composition analysis and container security scanning.

Aqua Security: Aqua Cloud Native Security Platform

Solution Overview
Aqua Security provides robust security solutions for containerized applications, serverless functions, and other cloud-native technologies. Its products span the SDLC, focusing on detection, prevention, and remediation of vulnerabilities, compliance violations, and runtime threats.

The Aqua Cloud Native Security Platform is a comprehensive solution designed to secure cloud-native applications from development to production, and the Aqua SSCS platform is a module within the broader offering. Aqua SSCS combines static code scanning, SCA, IaC scanning, OSS health assessment, SBOM creation and analysis, pipeline integrity controls, toolchain governance controls, and the ability to create guardrails and gates at multiple points to ensure only trusted artifacts are allowed to progress and make it into production.

Supporting both agent-based and agentless security controls, the platform's architecture is modular and extensible, allowing customers to select and deploy specific components, such as container security, based on their requirements.

Aqua Security is focused on incrementally improving the features in the platform, adding more language support and more risk analysis tools, and enhancing the user experience to ensure that organizations can secure their code more efficiently. 

Aqua Security is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the SSCS Radar chart.

Strengths
Aqua Security scored well on a number of decision criteria, including:

  • Container image security scanning: Aqua Security’s scanning capabilities are built on Aqua Trivy, an open source security scanner that is widely used by organizations and by some competitors to scan container images. The commercial offering enhances Trivy with proprietary vulnerability feeds as it scans for vulnerabilities, malware, secrets, licensing, and configuration issues, and can show vulnerability exploitability, reachability, and use in runtime. 

  • IaC security scanning: The solution has the capability to scan IaC templates for configuration weaknesses and compliance issues. It goes beyond simple detection by offering contextual remediation guidance that developers can apply early in the pipeline. In addition, policy enforcement ensures that high-risk or noncompliant changes are automatically flagged or blocked before deployment, reducing the likelihood of insecure infrastructure being pushed into production.

  • Supply chain mapping and visualization: The SSCS module creates a code-to-cloud infrastructure security graph that visualizes issues across both the supply chain and the cloud production environment, showing software inventory down to individual pipelines, repositories, and build artifacts. It will also display detailed threat mapping down to individual packages and versions.

Opportunities
Aqua Security has room for improvement in a few decision criteria, including:

  • Software exposure analysis: The platform adds prioritization to vulnerabilities that are reachable, and integrates with AI to offer remediation options, but could extend its capabilities to include automated remediation of discovered issues based on prioritization.

  • ML-based detection and response: The company primarily uses a human security team with AI tools to enrich its research for indicators of compromise, and it also uses AI to assist with vulnerability remediation, enhancing both threat detection and mitigation processes. It could provide additional value if it improved the automated response capabilities in the AI models being used. 

  • Open source governance: The platform evaluates OSS project health by analyzing factors such as project age, pull request frequency, number of maintainers, and license type. While this offers a risk analysis, there could be additional capabilities around auditing and tracking compliance over time.

Purchase Considerations
Aqua Security offers a comprehensive suite of software supply chain security solutions, which may provide cost efficiencies for organizations looking to consolidate their security stack. While the platform is user-friendly, organizations with complex environments may benefit from professional services for optimal configuration.

The cloud-based deployment model eliminates on-premises infrastructure requirements, but potential buyers should review their data residency needs. Highly regulated organizations with on-premises infrastructure requirements should determine whether the AWS GovCloud deployment option meets their compliance requirements. 

Licensing is determined by the number of code repositories connected to source code management platforms. This model provides transparency and predictability, making it easier for larger organizations with extensive development teams or complex integration needs to align costs with their budgets.

Aqua SSCS should be licensed as a complete solution, and organizations should consider displacing incumbent solutions in order to take full advantage of the synergy across the platform. The full Aqua Security cloud native application protection platform (CNAPP) solution should be evaluated for additional use cases across the application lifecycle. 

Use Cases
Aqua Security supports a wide range of use cases, including code security, runtime protection, and posture management. These features enable the solution to effectively support the complex needs of both compliance-driven sectors and large-scale business operations. It caters to a diverse range of verticals, with a particular focus on two key areas. First, it serves highly regulated industries such as finance, healthcare, and US federal agencies, leveraging its comprehensive security services and robust data protection features to meet strict compliance mandates. Second, Aqua Security offers scalability and automation capabilities that are ideal for large organizations managing numerous applications and development teams.

Black Duck: Polaris Platform

Solution Overview
Black Duck is a provider of application security solutions, specializing in SCA to help organizations manage open source security, license compliance, and software supply chain risks. Originally acquired by Synopsys in 2017, Black Duck operated within that company until October 2024, when it was spun out as an independent firm following an acquisition.

Black Duck’s solutions operate by scanning codebases to identify software components and their associated risks. The risk insights are powered by the Black Duck KnowledgeBase, and the platform evaluates components for known vulnerabilities and license compliance issues, while an embedded policy management feature enables organizations to define and enforce policies that govern the use of open source software, ensuring compliance and consistency. 

The primary offering is the Black Duck SCA tool. While this tool can operate independently, it is also part of a broader suite of application security tools that includes the Polaris Platform, which offers a variety of testing capabilities, as well as other specialized solutions such as Coverity Static Analysis for source code defect detection, Seeker Interactive Analysis for uncovering vulnerabilities at runtime, and Defensics Protocol Fuzzing for assessing the robustness of software protocols. Additional Black Duck product SKUs include Software Risk Manager (an ASPM solution) and Code Sight IDE Plug-in. Black Duck Supply Chain Edition and Black Duck Security Edition are two different configurations of the Black Duck SCA product. These products and configurations are designed to work together, providing comprehensive application security coverage throughout the software development lifecycle.

Black Duck is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the SSCS Radar chart.

Strengths
Black Duck scored well on a number of decision criteria, including:

  • Automated security testing (SAST, DAST, IAST): The solution includes SAST, DAST, and IAST capabilities, enabling organizations to perform comprehensive application security testing across the development lifecycle.

  • Open source governance: The platform supports governance across license compliance, vulnerability detection, and customizable policy enforcement. These policies can be configured to break builds when violations are detected, effectively ensuring that open source software is being properly deployed.

  • Customization of security policies: By offering strong policy customization options with efficient alerting, prebuilt policy templates, and support for build failure enforcement for policy violations to simplify governance and security, this solution can help teams secure code at scale.

Opportunities
Black Duck has room for improvement in a few decision criteria, including:

  • Container image security scanning: The solution effectively scans for vulnerabilities and license compliance across open source components in container environments. However, its ability to secure code could be improved by adding capabilities to detect hardening gaps and provide recommendations in container settings and runtime environments.

  • ML-based detection and response: The platform relies primarily on static rules and focuses on generating risk scores within the codebase. It does not include AI-driven behavior detection capabilities for pipeline changes or uncommon commit behavior, limiting its ability to detect potential malicious activities or anomalous behavior in the CI/CD process.

  • Supply chain mapping and visualization: The solution presents dependencies and vulnerabilities in a tree view format, allowing users to drill down into details like version history, security findings, license obligations, and dependency relationships. However, it would benefit from a more holistic, graphical visualization that shows all connections across entire projects for a clearer supply chain context, allowing teams to pinpoint risks more effectively.

Purchase Considerations
Black Duck is primarily an enterprise-grade solution, with pricing listed for the Security Edition, while the Supply Chain Edition requires direct engagement for a custom quote. Some advanced features, such as binary analysis, may require separate licenses or add-ons, potentially impacting total cost. For smaller organizations, there is the Security Edition, which is primarily focused on open source policy concerns and is priced per team member with a minimum of 20 seats and a maximum of 150. For existing customers, Black Duck SCA can't be integrated into the Polaris Platform, but Polaris does have an SCA component that its customers can select. For SSCS use cases, organizations should focus on the Black Duck SCA solution, which addresses a wide range of use cases.

Black Duck can support both SMBs and large enterprises, with a comprehensive set of integrated tools that address a wide range of SSCS use cases, and should be considered as a single solution for organizations looking to consolidate disparate tools and vendors. The platform is supported by robust professional services, including training through Black Duck Academy and expert consulting, which can help organizations accelerate adoption and impact. Deployment complexity depends on the product, with the SaaS platform suited for fast onboarding, while on-premises implementations will require more time and internal resources to implement.

Use Cases
Black Duck supports a broad range of use cases across industries such as automotive, finance, and medical devices, for which compliance, security, and audit readiness are critical. The platform can help both Dev and DevOps teams identify and manage open source vulnerabilities, licenses, and outdated components early in the SDLC. Security teams use it to enforce policies, monitor for newly disclosed CVEs, and reduce software supply chain risk. Legal teams rely on Black Duck for accurate license attribution, compliance auditing, and M&A due diligence. Its flexible deployment and deep integration make it valuable across the enterprise for securing modern applications.

Bitfront AB: Bytesafe and SBOM Observer

Solution Overview
Bitfront AB’s Bytesafe is a software security platform that protects organizations by securely managing software packages and dependencies in all parts of the software supply chain. In 2024, Bytesafe integrated its SBOM Observer into its core offering to help customers manage SBOMs and provide insights into their software supply chains.

The Bytesafe platform, composed of Dependency Firewall and SBOM Observer, offers a comprehensive suite of features designed to enhance software security and management, and it provides package management for both private and public software components. Its Dependency Firewall provides a number of functions to protect third-party packages, versions, and licenses, effectively blocking potential threats. SBOM Observer not only manages SBOMs but also integrates with the open source Observer CLI tool, which uploads to SBOM Observer for analysis and maintains a complete software inventory. 

The platform continuously tracks license compliance to ensure adherence to legal requirements. Its issue-tracking system automatically creates issues when problems are detected by the Dependency Firewall, which is integrated into various CI/CD platforms. The Dependency Firewall acts as a gatekeeper for the entire development ecosystem, intercepting and scanning all incoming software dependencies from public and private registries, enforcing security and license compliance policies, and blocking vulnerable or unapproved packages before they enter the build pipelines.
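The gatekeeper behaviour described above (intercept each incoming dependency, evaluate it against security and license policy, block what fails, report every violation so an issue can be raised) is the core of any dependency firewall. The block below is an added example written for this section, not Bytesafe's code: the policy fields, the quarantine rule for brand-new releases, the sample package metadata (including publication dates) and the advisory identifier are all constructed assumptions.

```python
"""Illustrative dependency-firewall gate: decide whether a package may enter the build.

Constructed example for this report section; it is not Bytesafe's code. The policy
fields, the sample packages and the advisory identifier are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple


@dataclass(frozen=True)
class Package:
    ecosystem: str
    name: str
    version: str
    license: str
    registry: str                       # where the package would be fetched from
    published: datetime                 # release timestamp of this exact version
    advisories: Tuple[str, ...] = ()    # known advisories for this exact version


@dataclass(frozen=True)
class Policy:
    allowed_registries: frozenset
    denied_licenses: frozenset
    min_age_days: int            # quarantine brand-new releases (hijacked/typosquat window)
    blocked_versions: frozenset  # explicit denylist as "ecosystem:name@version"


def evaluate(pkg: Package, policy: Policy, now: datetime) -> Tuple[str, List[str]]:
    """Return ("allow" | "block", reasons). Every violated rule is reported, not only the first."""
    reasons = []
    if pkg.registry not in policy.allowed_registries:
        reasons.append(f"registry {pkg.registry} is not an approved source")
    if pkg.license in policy.denied_licenses:
        reasons.append(f"license {pkg.license} is denied by policy")
    if pkg.advisories:
        reasons.append("known advisories: " + ", ".join(pkg.advisories))
    age = now - pkg.published
    if age < timedelta(days=policy.min_age_days):
        reasons.append(f"released {age.days} day(s) ago; quarantine is {policy.min_age_days} days")
    key = f"{pkg.ecosystem}:{pkg.name}@{pkg.version}"
    if key in policy.blocked_versions:
        reasons.append(f"{key} is explicitly blocked")
    return ("block" if reasons else "allow"), reasons


# Constructed policy and a fixed "now" so the example is deterministic.
NOW = datetime(2025, 10, 1, tzinfo=timezone.utc)
POLICY = Policy(
    allowed_registries=frozenset({"registry.npmjs.org", "pypi.org"}),
    denied_licenses=frozenset({"AGPL-3.0-only"}),
    min_age_days=7,
    blocked_versions=frozenset({"npm:pad-helper@0.0.1"}),
)

# Constructed package metadata; names, dates and the advisory id are placeholders.
SAMPLE_PACKAGES = [
    Package("npm", "lodash", "4.17.21", "MIT", "registry.npmjs.org",
            NOW - timedelta(days=400)),                             # clean
    Package("pypi", "requests", "2.32.0", "Apache-2.0", "pypi.org",
            NOW - timedelta(days=1)),                               # too new
    Package("npm", "acme-utils", "1.0.0", "AGPL-3.0-only", "registry.npmjs.org",
            NOW - timedelta(days=90)),                              # denied license
    Package("pypi", "legacy-parser", "0.9.0", "MIT", "pypi.org",
            NOW - timedelta(days=800), advisories=("EXAMPLE-ADVISORY-001",)),
    Package("npm", "pad-helper", "0.0.1", "MIT", "mirror.example.internal",
            NOW - timedelta(days=3000)),                            # bad registry + denylist
]


def gate_all(packages=SAMPLE_PACKAGES, policy=POLICY, now=NOW):
    """Map 'name@version' to its decision; each blocked entry carries the issue text."""
    return {f"{p.name}@{p.version}": evaluate(p, policy, now) for p in packages}


if __name__ == "__main__":
    for key, (decision, reasons) in gate_all().items():
        print(f"{decision:5} {key}" + "".join(f"\n        - {r}" for r in reasons))
```

Reporting all violations at once, rather than stopping at the first, is what lets a downstream issue tracker create one complete ticket per blocked package; the fixed clock and constructed metadata are only there to keep the sample reproducible.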

Bytesafe is a feature-focused solution, and the company is currently working to develop new integrations and capabilities to fix feature gaps and is actively improving SBOM Observer’s features and integration capabilities. 

Bitfront AB is positioned as a Challenger and Fast Mover in the Innovation/Feature Play quadrant of the SSCS Radar chart.

Strengths
Bitfront AB scored well on a number of decision criteria, including:

  • Code risk scoring and analysis: The solution helps organizations prioritize the vulnerability remediation process, using a combination of risk scoring and impact analysis to determine the practical effect of each risk. 

  • Customization of security policies: The platform offers two options for configuring security policies: a visual policy builder for the most common policies and the ability to write custom policies using code, which allows access to the entire domain of options and conditions to meet an organization's compliance objectives. 

  • Supply chain mapping and visualization: The platform offers multiple levels of visualization across the SDLC, from endpoint to coding environment to servers and components to vulnerabilities. Teams can use the graphic to perform impact analysis during remediation efforts.  

Opportunities
Bitfront AB has room for improvement in a few decision criteria, including:

  • IaC security scanning: The platform does not natively have this feature. In order to improve, it would need to include native capabilities or develop integrations with other vendors to ingest the threat signals.

  • ML-based detection and response: These capabilities have not been incorporated into the solution, as its primary focus has been on SBOM management and package delivery. Some detection and response capabilities are on the development roadmap; their release would yield an improved product.

  • Automated security testing (SAST, DAST, IAST): These capabilities are not included in the platform, and it would benefit the solution to include integrations with other vendors or open source tools that could incorporate vulnerability information into the vendor’s policy engine.

Purchase Considerations
Bytesafe is offered in four tiers to suit different organizational needs. The Community Edition is free with feature and scale limitations, ideal for small teams or initial evaluations. The Professional plan is licensed per user and bundled with SBOM Observer, providing advanced SBOM lifecycle management, policy enforcement, and vulnerability intelligence suited for development and security teams. The Business plan offers a fixed price including 100 users, making it well suited for mid-to-large organizations that need centralized compliance controls and collaborative workflows. For large-scale or specialized requirements, the Enterprise plan provides custom pricing, features, and integrations tailored to unique security, compliance, or operational needs. SBOM Observer has a different pricing model and is priced per user. Custom pricing is determined by deployment type, SLA, support, and customizations.

SBOM Observer supports multiple deployment models. Organizations can opt for SaaS, which is fully managed by the vendor, or deploy in a public cloud environment. Hybrid deployments allow teams to bring their own on-premises data backend, shipped as Docker containers, while on-premises deployments are also delivered as Docker containers. For hybrid and on-premises scenarios, organizations should plan for dedicated DevOps and IT resources to handle installation, configuration, security hardening, and ongoing maintenance.

The platform's combination of package management and the additional features included with SBOM Observer, along with its competitive pricing for up to 100 users, makes it a viable option for SMBs. Organizations requiring automated security testing or IaC scanning will need to consider supplemental solutions.

Use Cases
Organizations in regulated industries can rely on Bytesafe for critical security and compliance needs. Healthcare providers can maintain FDA-compliant software documentation, while financial institutions can use the solution to meet SEC cybersecurity requirements through comprehensive SBOM tracking. Government contractors can use the platform to demonstrate compliance across federal procurement processes, streamlining formerly manual documentation tasks. Beyond regulatory requirements, security teams can leverage Bytesafe to monitor vulnerable components across their enterprise software portfolio, while DevSecOps teams track third-party dependencies in real time for potential risks. 

Checkmarx: Checkmarx One

Solution Overview
Checkmarx is an application security testing vendor that offers a range of solutions for identifying and addressing security vulnerabilities. Checkmarx One is a comprehensive application security platform focused on both identifying risks and remediating them across the entire application footprint and software supply chain, within one seamless platform that serves all relevant stakeholders.

Checkmarx One integrates multiple security testing methodologies. At its core, it offers SAST for source code vulnerability detection, DAST for testing running applications, and API security. The platform also includes SCA to identify vulnerabilities and malicious code in open source components, AI security capabilities to enable secure use of AI code generation tools while defending against AI-related threats, repository health scoring to assess repository-level application risk, and secrets detection to identify sensitive credentials that may have been unintentionally exposed. Checkmarx One further extends its security coverage for cloud-native applications with IaC security and a dedicated container security solution to protect containerized applications throughout their development lifecycle. This modular approach allows organizations to address a wide range of application security concerns within a single, integrated platform.

Checkmarx prioritizes stability and continuity, favoring a structured approach to innovation that values incremental improvements, a consistent user experience, and assured compatibility. Recent enhancements, such as secret detection and repository health scoring, reflect a maturing offering built upon robust vulnerability and malicious code detection with few false positives.

Checkmarx is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the SSCS Radar chart.

Strengths
Checkmarx scored well on a number of decision criteria, including:

  • Dependency management: The solution provides dependency management by analyzing direct, transitive, open source, and third-party dependencies with no depth limits. It also detects private packages via pattern recognition, ensuring full inventory visibility. Integrated with the vendor’s malicious packages database, the platform identifies known threats across all sources, providing comprehensive results that cover open source, private, and potentially harmful components.

  • Code risk scoring and analysis: The solution aggregates risk and vulnerability data across Checkmarx solutions and other third-party integrated security solutions. It combines security posture, vulnerability, malware, and licensing risks to generate a risk score and provides prioritization of remediation efforts. This feature includes access to a database of third-party package risks that can be evaluated before incorporating them into software. 

  • Automated security testing (SAST, DAST, IAST): The platform includes all three automated security testing tools: SAST, DAST, and API security, with a broad range of languages and frameworks supported. 

Opportunities
Checkmarx has room for improvement in a few decision criteria, including:

  • Supply chain mapping and visualization: The solution does not include these capabilities but has the ability to measure repository health. It would benefit from a graphical representation of the pipeline.  

  • Software exposure analysis: The tool integrates with Sysdig and Wiz to enhance exposure-aware risk analysis across the software development lifecycle. These integrations allow Checkmarx to ingest runtime and cloud exposure data such as workload context, exploitability, and configuration risks. To improve, the solution would need to support deeper exploitable-path detection, reachability analysis, and blast radius analysis.

  • Artifact integrity: The platform integrates with JFrog Artifactory to extend capabilities, and security policies can be configured to apply risk thresholds, enabling organizations to block the upload of risky artifacts to Artifactory or prevent developers from downloading vulnerable components. It would benefit the platform to natively support artifact signing. 

Purchase Considerations
Checkmarx One is offered in several packages: Start with SAST, Start with SSCS, and Essentials, Professional, and Enterprise. All packages are priced based on the number of contributing developers and vary by the features included. Organizations should consider their requirements to determine which product meets their specific needs, keeping in mind that some advanced features can be added onto the Start with SAST and Essentials packages. Organizations looking to begin operationalizing their code security should consider the Start with SSCS offering, which includes SCA, Malicious Package Protection, Container Security, and Repository Health.

The platform allows organizations to deploy into the Checkmarx managed SaaS infrastructure or into a single tenant configuration in the organization’s account, which can impact the way regulated companies consume the product. For organizations in highly regulated environments, additional deployment options are available.

Checkmarx also offers managed services, with prices and scope based on customer needs, whether scoped to a single software project, a group of applications, or the entire application security program.

Checkmarx should be licensed as a complete solution at the Professional and Enterprise tiers, which will provide the broadest range of features to secure the entire SDLC. Organizations should consider displacing incumbent solutions in order to take full advantage of the synergy across the platform. 

Use Cases
Checkmarx caters to a wide range of use cases across diverse industries. Key use cases include highly regulated industries like finance and healthcare because of the comprehensive security services and data security features it offers. Enterprises benefit from its scalability and automation, making it well suited for large organizations with numerous applications and development teams. DevOps and DevSecOps teams can leverage the automation capabilities and integrations for seamless adoption into existing development workflows, integrating security testing into CI/CD pipelines for early and continuous vulnerability detection.

Cloudsmith

Solution Overview
Cloudsmith is a cloud-native solution for managing and securing the software supply chain by serving as a universal artifact repository and control center for all of the software assets within an organization. The platform scans and caches essential packages, ensuring a secure and controlled environment for software development and deployment. It provides a single source of truth for an organization's software components, including public, private, and open source packages. Along with artifact management, Cloudsmith provides a dependency firewall, which prevents critical issues from making it into production; a globally distributed infrastructure for the deployment of packages; and Cloudsmith Navigator, which combines data from various sources to provide novel insights into the quality of open source packages. 

Cloudsmith’s approach to software supply chain security is notable, and the company will continue to build new features into the platform and develop deeper integrations to secure the development process. 

Cloudsmith is positioned as a Challenger and Fast Mover in the Innovation/Feature Play quadrant of the SSCS Radar chart.

Strengths
Cloudsmith scored well on a number of decision criteria, including:

  • Customization of security policies: Cloudsmith’s policy management engine, built on Open Policy Agent and Rego, enables organizations to define customized policies as code that incorporate all available package data to enforce security and compliance requirements across the SDLC. These policies are evaluated to control the ingestion, access, and delivery of all binary components, providing robust customization and enforcement.

  • Dependencies management: The solution can proxy or cache open source packages from upstream sources, storing all dependencies in a single platform where they are scanned for vulnerabilities, checked for license compliance, and validated against organizational policies before developers use them. This ensures developers reference only code that has been vetted for vulnerabilities and malware.

  • Artifact integrity: The solution supports artifact integrity by storing immutable package and container versions, verifying checksums on upload, and preserving provenance metadata such as upstream sources and publisher details. All artifacts are signed within the platform, with upstream signatures passed through to support client-side verification. Cloudsmith also supports storing and distributing signed artifacts while integrating with CI/CD workflows to enforce trusted publishing practices. 

Opportunities
Cloudsmith has room for improvement in a few decision criteria, including:

  • IaC security scanning: The platform does not natively have this feature. In order to improve, it should include native capabilities or develop integrations with other vendors to ingest these threat signals.

  • Container image security scanning: Container image scanning primarily focuses on vulnerabilities, but for more comprehensive security, it should offer capabilities such as continuous scanning, hardening suggestions, and runtime analysis.

  • Automated security testing (SAST, DAST, IAST): The solution does not perform automated security testing directly but integrates with Trivy and OSV.dev, which are managed by the vendor. It can also control other integrated platforms and assets to ensure external findings are governed and enforced under Cloudsmith’s policies. In order to improve, it would need to offer these toolsets natively.

Purchase Considerations
Cloudsmith licensing consists of four tiers: Core, Pro, Ultra, and Enterprise. There are no limits on users or the number of packages; instead, pricing is determined based on artifact data and package delivery in GB. Organizations that require a higher level of security should consider the Enterprise or Ultra tiers because advanced security features, including enterprise policy management and continuous security, are available as add-ons for these plans. With the lowest tier having zero cost, both SMB and enterprise customers can evaluate Cloudsmith without needing to commit financial resources.

Organizations intending to move their artifact management to a fully managed cloud-native solution with robust security controls, and those that need to distribute software globally, should take a look at this vendor. 

Cloudsmith does not compete with security tools that include automatic security testing and scanners but ingests their scan data to support policy management and compliance requirements. Organizations requiring such capabilities will need to ensure the solutions they choose can integrate with Cloudsmith. 

Use Cases
Cloudsmith is well suited for organizations across various verticals, particularly highly regulated industries such as finance, healthcare, and government, due to its comprehensive security services, data security features, and artifact management capabilities. Its scalability and automation also make it an excellent choice for large enterprises with numerous applications and development teams. Key use cases for Cloudsmith include artifact management, global distribution of software packages, and ensuring the quality of open source software. These features and use cases make Cloudsmith a versatile and powerful solution for organizations seeking robust software management and distribution tools.

Contrast Security

Solution Overview
Contrast Security is a runtime security platform designed to integrate across the SDLC into applications and hosts. It uses sensors at runtime to provide real-time vulnerability detection, contextual guidance for developers, and active attack protection in production.

Contrast Security offers three core products. Contrast ADR delivers real-time attack detection and blocking through application-layer runtime protection. Contrast AST is the company’s application security testing platform, combining SAST, IAST, and SCA to identify and prioritize vulnerabilities across the SDLC. Contrast AST operates continuously, assessing vulnerabilities as the application runs. This real-time analysis is both highly accurate and context-aware. By analyzing the full logic of an application, including how inputs flow through the code and interact with internal components, Contrast can accurately detect and prioritize genuine vulnerabilities, significantly minimizing false positives and reducing alert fatigue for security teams. Contrast One is a managed service offering that provides expert-driven deployment, monitoring, and operational support for organizations seeking to offload the management of Contrast’s security platform while maintaining full protection and visibility.

Contrast Security is an innovative platform that embeds security instrumentation directly into applications, enabling real-time detection and protection from within the code. It is also highly flexible and responsive to market needs, delivering rapid advancements and frequent updates that help organizations stay ahead of emerging threats.

Contrast Security is positioned as a Challenger and Fast Mover in the Innovation/Feature Play quadrant of the SSCS Radar chart.

Strengths
Contrast Security scored well on a number of decision criteria, including:

  • Customization of security policies: Organizations can configure a wide range of controls and policies to ensure applications are protected and regulatory controls are met. The platform also offers a full policy as code framework, allowing security teams to define, manage, and enforce policies programmatically.

  • Code risk scoring and analysis: The solution includes robust prioritization and risk scoring capabilities that aggregate findings across its integrated toolsets to create a digital twin of the entire application, the Contrast Graph, a unified, contextual view. It evaluates factors like severity, exploitability, runtime reachability, and component usage to elevate the most critical issues and incorporates technical, architectural, threat, and business contexts from the Contrast Graph. Additionally, it allows organizations to define customized business impact criteria, enabling teams to align security prioritization with application criticality, data sensitivity, and operational risk.

  • Runtime threat protection: The platform delivers real-time monitoring, detection, and blocking of exploit attempts directly within running applications, providing fine-grained, application-layer defense that functions independently of infrastructure or network-level controls. Its application detection and response (ADR) capability enhances this protection by identifying malicious actors, suspicious IPs, and attack techniques while correlating exploit attempts with known and unknown vulnerabilities to enable rapid, targeted response.

Opportunities
Contrast Security has room for improvement in a few decision criteria, including:

  • Supply chain mapping and visualization: Contrast AST provides a visualization of applications, servers, APIs, and related databases to give context for the potential of an attack, allowing teams to understand the way software components and custom code interact within applications. This helps prioritize vulnerabilities based on usage and reachability. However, it does not offer full visualization of all components across an organization's entire code deployment pipeline, such as linking code to build pipelines, or infrastructure as code configurations, thereby limiting its visibility beyond the application layer.

  • Container image security scanning: The solution integrates with other security solutions to provide full image layer analysis of containers. Including native capabilities would increase its appeal.

  • IaC security scanning: The platform does not natively have this feature. However, it integrates with other platforms to extend IaC visibility and incorporate infrastructure-layer risk into broader security and compliance workflows. In order to improve, it would need to include native capabilities.

Purchase Considerations
Contrast uses a subscription-based pricing model, billed per application, with volume discounts and optional add-ons available. A support package, which includes onboarding, is required, while additional training and service hours are optional. Contrast also offers AST as an add-on to ADR through the Contrast ADR Pro + Application Vulnerability Monitoring (AVM) bundle, which is priced per concurrent host. Organizations can also opt to purchase both the AST and ADR products combined with managed services from this vendor, which include dedicated experts and tailored remediation guidance that can help enhance the effectiveness of smaller teams.

Contrast Security supports flexible deployment models (SaaS, on-premises, or hybrid) with a strong agent-based architecture designed for deep application-layer insight. Its model is well suited to both cloud-native and legacy environments, as long as organizations are comfortable embedding agents in their applications.

Contrast Security is focused on application-layer security, not infrastructure, pipeline posture, or traditional static testing options. It’s best suited for organizations looking to secure custom applications through embedded runtime analysis and exploit prevention.

Use Cases
Contrast Security supports use cases centered around securing custom applications across diverse industries, including finance, healthcare, retail, and insurance. Its runtime security platform enables development and security teams to detect, prioritize, and remediate vulnerabilities throughout the software development lifecycle, helping organizations meet compliance and risk management goals. ADR provides real-time runtime protection, detecting and blocking live exploit attempts with application-layer context. These capabilities are particularly valuable for companies with dynamic development environments, microservices architectures, or regulatory requirements, enabling proactive application security without slowing down software delivery.

Cycode: Cycode AI-Native Application Security Platform

Solution Overview
Cycode’s solution is an application security platform that converges application security testing, SSCS, and application security posture management, providing visibility, prioritization, risk analysis, and remediation of vulnerabilities across the entire SDLC. In 2024, Cycode acquired Bearer, which combines sensitive data context with static code analysis to assist organizations in making security and privacy decisions. 

Cycode AI-Native Application Security Platform is a modular platform that works with Cycode’s Risk Intelligence Graph for prioritization and code-to-cloud traceability across the software supply chain. The platform comprises three essential modules designed to enhance security throughout the application lifecycle. Application Security Testing encompasses SCA, application security testing, and scanning for IaC and containers. Pipeline Security focuses on safeguarding CI/CD processes by detecting secrets, ensuring CI/CD security, preventing source code leakage, and hardening builds with artifact integrity. Finally, Posture Management serves as an integration platform that facilitates the connection of third-party security tools, further strengthening the overall security framework.

Cycode is positioned as a Leader and Outperformer in the Maturity/Platform Play quadrant of the SSCS Radar chart.

Strengths
Cycode scored well on a number of decision criteria, including:

  • Code risk scoring and analysis: Cycode delivers dynamic risk scoring that continuously updates risk scores in real time, providing organizations with an accurate assessment of their security posture. By incorporating business impact analysis into its risk calculations, it also ensures security findings are contextualized within the organization's specific operational framework. This real-time approach ensures security efforts are always aligned with current threats and business priorities, maximizing the effectiveness of security initiatives. 

  • Container image security scanning: The platform helps identify and prevent vulnerabilities before they reach production by detecting risky dependencies, vulnerabilities, security threats, and nonpermissive licenses in the cloud. Its traceability features link vulnerabilities from containers back to the source code, enabling teams to remediate defects at their origin.

  • AI-driven security and remediation: The solution provides developer-facing tools for AI-assisted code fixes to accelerate secure resolution. Its agentic AI supports remediation by analyzing change impact, assessing exploitability, and enriching threat context with risk intelligence.

Cycode was classified as an Outperformer because of its strong investment in AI technologies that significantly enhance its ASPM and AST capabilities.

Opportunities
Cycode has room for improvement in a few decision criteria, including:

  • ML-based detection and response: The platform uses ML-based detection to identify and validate secrets and flag anomalous behavior through user pattern analysis. It applies risk scoring to violations and offers limited automated responses, such as toggling repository visibility to “private” or enforcing branch protection rules. However, it lacks self-learning models to adapt detection dynamically.

  • Open source governance: The solution helps identify and prevent vulnerabilities before they reach production by detecting security issues, potential threats, and nonpermissive licenses in the cloud. It provides full visibility into dependencies along with their licenses and known vulnerabilities. This feature could be improved by including policy suggestions and metrics or dashboards for compliance teams to track adherence to regulatory frameworks.

  • Dependencies management: The solution delivers full visibility into all software dependencies, both direct and indirect. To strengthen its capabilities, it would need to enhance governance and auditing capabilities so compliance teams can more effectively evaluate and manage associated risks.

Purchase Considerations
Cycode’s pricing structure is easy to understand, as it is priced per developer, with access to all tools included in the platform. 

The platform's extensive features and scalability make it a valuable investment for any organization, but smaller organizations may need to prioritize implementation of specific components based on their needs. Organizations can deploy in the Cycode SaaS infrastructure or use a hybrid or on-premises model, which provides options for the ways regulated companies consume the product.

While Cycode can be licensed as a complete solution, organizations should maximize the platform’s synergy through its deep integrations and marketplace. Other tools and vendors can be added to the platform's application risk engine for visibility, prioritization, and remediation efforts.

Use Cases
Cycode's AI-Native Application Security Platform is an ideal solution for organizations across diverse industries and use cases. Its scalability and automation cater to enterprise organizations with extensive applications and multiple development teams. SMBs can also benefit because the suite of tools helps to protect their software development processes while allowing for growth and the addition of features as needed. Additionally, organizations with existing toolsets can seamlessly integrate Cycode through the ConnectorX marketplace, enabling them to continue using their current tools while enhancing their security measures or replacing them as necessary.

Endor Labs

Solution Overview
Endor Labs is an application and software supply chain security platform designed to secure modern software, improving both developer experience and security posture. The platform combines code reviews, code scanning, risk-based prioritization, and streamlined remediation in one complete graph of the software development infrastructure, giving teams visibility into security risks spanning open source, first-party AI, and human-generated code.

The platform combines reachability-based SCA, SAST, container security, CI/CD pipeline security, artifact integrity verification, and AI-driven code security into a single solution. It operates as a single platform with modular packages tailored to different organizational requirements. Companies can purchase the solution through tiered packages (Endor Core and Endor Pro), with optional add-ons such as Endor Patches, SBOM Hub for supplier SBOM analysis, and Endor Code for enhanced code security capabilities. It offers a holistic approach to securing modern software development by governing open source code and CI/CD pipelines, integrating advanced capabilities across code, pipeline security, and compliance, all driven by flexible policies and APIs that seamlessly scale with specific company requirements.

Endor Labs is positioned as a Challenger and Outperformer in the Innovation/Feature Play quadrant of the SSCS Radar chart.

Strengths
Endor Labs scored well on a number of decision criteria, including:

  • Dependencies management: The platform provides reachability analysis across direct, transitive, and phantom dependencies, ensuring teams can focus on vulnerabilities that are actually exploitable. Patching can be automated through its remediation capabilities, which include upgrade impact analysis to assess potential breakages before changes are applied.

  • Customization of security policies: The solution supports highly customizable configuration options, including policy-as-code for tailored governance. Policies can be exported via API or directly imported into other tools, enabling seamless integration into existing security, governance, and risk workflows.

  • AI-driven security and remediation: Endor Labs uses AI to enhance contextual detection in its SCA and SAST capabilities, delivering more accurate vulnerability identification and prioritization. The platform provides developer-facing tools that integrate directly into other AI coding tools, allowing platform data to feed LLMs with recommendations of fixes in real time. Its AI technology combines intelligent agents, specialized tools, learning and memory functions, multiple AI models, and access to proprietary data to deliver highly targeted, context-aware security guidance.

Endor Labs was classified as an Outperformer due to its rapid pace of innovation, adding capabilities such as container scanning, secret detection, and AI model discovery. The vendor is quickly expanding its platform to address emerging security challenges, demonstrating a strong commitment to evolving with customer needs and strengthening software supply chain protection.

Opportunities
Endor Labs has room for improvement in a few decision criteria, including:

  • IaC security scanning: The solution currently lacks this capability and is limited to SAST and AI-driven code review. Adding IaC scanning features, either static or in real time, would be necessary to improve its performance.

  • Supply chain mapping and visualization: The solution includes a tabular view of security issues, with dependency path analysis integrated into remediation workflows but limited to specific code repositories. The solution also maps all the SDLC integrations attached to each project in an organization's codebase. To improve, it would need to add enhanced visualization capabilities that map the entire SDLC in a graph data visualizer.

  • ML-based detection and response: The solution uses ML models to identify suspicious behaviors in code, such as malware and typosquatting, and uses machine learning to assess and score vulnerabilities, estimating the likelihood of exploitation. It applies ML algorithms to reduce false positives and integrates with SIEM and SOAR platforms for downstream incident response, leveraging platform signals for policy enforcement. However, the solution lacks self-learning capabilities and would need real-time ML models trained on rich telemetry across the entire SDLC and production systems to achieve advanced detection and adaptive remediation.

Purchase Considerations
Endor Labs is sold on a per-contributing-developer model, with two primary packages: Endor Core, which starts with SCA and open source software security tools, and Endor Pro, which includes more advanced capabilities covering container scanning, artifact integrity, and other advanced use cases. Customers can also purchase three add-ons: Endor Patches, which is sold based on patch volume with discounts for quantity and support for fixing new CVEs; SBOM Hub, which enables importing and assessing third-party SBOMs from suppliers for vulnerabilities; and Endor Code, which consolidates SAST and secret scanning for organizations looking to consolidate capabilities in the platform. This flexible model allows customers to expand services as requirements evolve, enabling intentional and scalable usage of the platform.

Endor Labs offers a fully hosted SaaS service with integrations for cloud applications while also supporting organizations with additional compliance requirements by enabling them to deploy scanning capabilities locally on their own infrastructure and use the SaaS platform solely for dashboards and reporting. Potential customers will need to carefully assess whether their compliance requirements align with the deployment options.

Use Cases
Endor Labs is focused on code-centric use cases, excelling at vulnerability prioritization through function-level reachability analysis that reduces noise by highlighting only exploitable issues. The platform supports developer productivity with automated patching, upgrade impact analysis, and copilot integration for real-time remediation. Designed to fit a wide range of organization sizes, Endor Labs is effective for enterprises and growing teams alike, enabling them to secure modern software development workflows at scale while maintaining efficiency and strong security governance.

Fortinet: Lacework FortiCNAPP*

Solution Overview
Fortinet is a cybersecurity company that provides a broad portfolio of security products and solutions to protect networks, users, and data from evolving threats. To bolster its cloud and container security capabilities, Fortinet acquired Lacework, an AI-powered CNAPP provider, on August 1, 2024, with the aim of creating a comprehensive software security solution spanning both CNAPP and code security.

Lacework FortiCNAPP offers comprehensive software supply chain security through multiple integrated capabilities. It includes IaC scanning to detect misconfigurations before deployment, vulnerability management for containers and hosts, and anomaly detection using machine learning. The platform provides CSPM to assess cloud configurations and cloud infrastructure entitlement management (CIEM) to optimize access permissions. It enforces security policies and compliance automatically, integrates security into CI/CD pipelines and repositories, and performs code security analysis, including SBOM generation, software composition analysis, and SAST capabilities. Fortinet delivers these features as a SaaS offering, with options for on-premises deployment of certain components, like code scanners and agents.

Fortinet is focused on incrementally improving platform features by adding more language support, offering more format support in other tools, and integrating the Lacework platform with Fortinet products to ensure organizations can leverage the tools included with the SSCS platform. With the two companies integrated, additional features should be added over the next year, improving coverage across emerging features.

Fortinet is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the SSCS Radar chart.

Strengths
Fortinet scored well on a number of decision criteria, including:

  • IaC security scanning: This feature analyzes infrastructure code templates before deployment to detect potential misconfigurations and vulnerabilities and provides automated remediation and suggested changes to reduce risk and meet security policies. Fortinet also provides hardened IaC deployment templates and out-of-the-box policies, shortening development timelines. 

  • Code risk scoring and analysis: The solution uses a comprehensive, contextual approach to code risk scoring and analysis. It delivers continuous assessments that incorporate threat intelligence feeds, exploitability, business impact, and attack path analysis. It also evaluates asset coverage, exposure levels, and exploit data, and determines whether a package is active in running workloads to help security teams prioritize risks effectively.

  • Customization of security policies: Fortinet offers deep capabilities for customizing security policies and frameworks, combining templates with customization. It also includes the ability to turn policy into code using custom queries. 

Opportunities
Fortinet has room for improvement in a few decision criteria, including:

  • Dependencies management: Though the platform is able to track dependencies in real time and assess license compliance, it does not have automated updates and patching for open source packages. It offers remediation suggestions in the IDE and includes SmartFix, which reviews all dependencies, making recommendations for versions that do not include common vulnerabilities and exposures (CVEs).

  • Open source governance: While the solution provides sufficient information about vulnerabilities and license compliance, Fortinet could improve it by adding automated governance for new open source usage, deeper policy enforcement capabilities, and additional auditing to support GRC teams. 

  • Artifact integrity: The platform ensures artifact integrity by validating the provenance, signatures, and build metadata of containers and packages using integrations with artifact repositories, and it integrates with signing tools. It enforces policy controls in CI/CD pipelines by blocking unverified or unsigned artifacts. It could further improve these capabilities by incorporating these features natively and improving tamper detection capabilities.

Purchase Considerations
This solution is offered only as SaaS, although some of the agents and scanners can run within a customer’s network. The cloud-based deployment model eliminates on-premises infrastructure requirements, but potential buyers should review their data residency needs. Highly regulated organizations with on-premises infrastructure requirements need to carefully determine whether the SaaS option meets their compliance requirements.

The CNAPP platform is available in three main subscription tiers (Standard, Professional, and Enterprise), with Code Security as an available add-on. The top two tiers include advanced code risk scoring capabilities and cloud entitlement management, and Enterprise also includes file integrity monitoring. The CNAPP pricing is based on vCPU utilized, while code security has a minimum requirement of 20 contributing developers. This solution is primarily targeted toward midsize and enterprise customers, but some highly regulated SMB organizations might find value in a single consolidated platform. 

Lacework FortiCNAPP should be licensed as a complete solution, and organizations should consider the displacement of incumbent solutions in order to take full advantage of the synergy across the platform. If an organization is already a customer and looking to add SSCS capabilities, native integration with other products in the platform can extend existing security procedures into code security. 

Use Cases
This product caters to a wide range of use cases across diverse industries. Its comprehensive security services and data protection features make it a suitable choice for highly regulated sectors like finance and healthcare. DevOps and DevSecOps teams benefit from its automation capabilities and integrations, enabling seamless integration into existing development workflows and incorporating security testing into CI/CD pipelines for early and continuous vulnerability detection. Additionally, Fortinet's scalability and automation make it ideal for large enterprises with numerous applications and development teams.

FOSSA*

Solution Overview
FOSSA provides a platform that helps organizations manage and maximize open source software while remaining secure and compliant, enabling them to track the open source portions of their code with automated license scanning, vulnerability management, and SBOM management. In August 2024, FOSSA acquired StackShare, a company that helps developers discuss, track, and share the tools they use to build applications.

The FOSSA platform comprises four major components that work together to ensure comprehensive project oversight. FOSSA Compliance scans all projects for licensing issues and assesses them against established policies. FOSSA Security focuses on identifying vulnerabilities within the code. FOSSA Quality evaluates the overall quality of the code and examines project dependencies. Lastly, FOSSA SBOM Management handles SBOMs, whether imported or generated, and facilitates hosting or publishing them for distribution beyond the organization. The platform also includes a binary scanning add-on that performs full binary scanning of compiled artifacts and containers.

FOSSA is focused on meeting regulatory and customer requirements regarding a complete inventory of software products developed both internally and for customers.

FOSSA is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the SSCS Radar chart.

Strengths
FOSSA scored well on a number of decision criteria, including:

  • Dependencies management: FOSSA offers real-time monitoring of direct and indirect dependencies that connects with its SBOM management capabilities, creating a holistic inventory of software that allows integration with DevOps patching and pull requests.

  • Open source governance: With customizable filters and policies, users can manage vulnerabilities and licenses in their open source software. The solution also integrates with IDEs and offers alerts that can be routed to an organization’s messaging channels.

  • Binary composition analysis: The platform capabilities include binary scanning to identify vulnerabilities and embedded open source components within compiled artifacts and containers. It generates SBOMs that include binary components, helping organizations reduce security blind spots, ensure license compliance, improve supply chain visibility, and meet regulatory requirements.

Opportunities
FOSSA has room for improvement in a few decision criteria, including:

  • IaC security scanning: The platform does not natively have this feature. In order to improve, it would need to include native capabilities or develop integrations with other vendors to ingest these threat signals.

  • ML-based detection and response: With the primary focus of the platform on open source compliance and SBOM management, detection and response is not included. In order to improve, the vendor would need to develop alerting for suspicious changes to code by analyzing SBOMs in real time.  

  • Automated security testing (SAST, DAST, IAST): The solution does not perform automated security testing for applications. To improve, it would need to offer these toolsets or integrate with other vendors or open source tools.

Purchase Considerations
FOSSA has an easy-to-understand pricing structure that includes a free tier, allowing businesses to get started without a financial commitment. There are two other tiers: Business, with more customization and workflow integrations, and Enterprise, with advanced security and compliance automation. The pricing scales with the number of projects and developers an organization has. The enterprise tier offers unlimited entitlements. There is an add-on for binary scanning, which requires custom pricing.

Organizations that need to meet regulatory compliance and pass audits should consider the features of this platform. However, they may need to consider other platforms if they are looking for security testing that extends beyond vulnerability assessments. This platform is highly focused on open source software compliance, and to perform a benefit analysis, organizations will need to consider how much of their code is open source versus internally developed. With SBOM management capabilities included in the Business tier, the total cost should be weighed against the incumbent tools it may be able to replace. The tool represents significant time savings for developers and DevSecOps teams required to maintain SBOMs for all software used within an enterprise.

Use Cases
FOSSA targets several key industry verticals, including regulated industries and government, is appropriate for organizations of all sizes, and is accessible to smaller teams and startups through its free tier, which includes vulnerability management, license compliance, and container scanning for up to five projects. For regulated industries and the government sector, FOSSA provides SBOM management features and robust reporting capabilities to help organizations comply with a growing list of regulatory frameworks. The platform focuses on specific use cases, such as SBOM management, vulnerability and license management, and compliance and auditing. It specifically supports both automotive manufacturers and medical device manufacturing companies.  

GitHub: GitHub Advanced Security

Solution Overview
GitHub is a leading software developer platform that provides tools for code hosting, project management, and team collaboration and hosts millions of repositories and projects. It was acquired by Microsoft in 2018 and continues to operate as a standalone business, but the acquisition accelerated its growth and the rate of release of new features.

GitHub Advanced Security comprises a set of tools to help developers build more secure software. It includes scanning capabilities for finding vulnerabilities in code and for preventing the leakage of sensitive information, as well as SBOM generation and dependency management, with the ability to define rules for automated remediation. GitHub Advanced Security is available as an add-on for GitHub Team and GitHub Enterprise and as Advanced Security for Azure DevOps. Its Code Security component delivers built-in static analysis, AI-powered remediation with Copilot Autofix, advanced dependency scanning, and proactive vulnerability management. Its Secret Protection component provides enterprise controls for secret hygiene, including secret scanning, push protection, validity checks, and Copilot secret scanning.

GitHub provides options for all organizations, from free public code repositories to advanced enterprise features, and will continue incrementally improving current features. 

GitHub is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the SSCS Radar chart.

Strengths
GitHub scored well on a number of decision criteria, including:

  • Dependencies management: The solution includes a dependency graph to trace direct and transitive dependencies in code, alerting against policy violations and including automatic version updates. 

  • Customization of security policies: GitHub does an excellent job of enabling organizations to customize policies related to secure access, code inclusion, secrets usage, and code branching. The platform also allows organizations to create policies from code, enabling replication across instances. 

  • AI-driven security and remediation: The platform can automatically patch known vulnerabilities and apply updates to code repositories. In addition, Copilot Autofix can offer code suggestions, apply fixes, and create pull requests for remediating security vulnerabilities.
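The dependency graph described for GitHub above (and the direct/indirect dependency monitoring described for FOSSA earlier) is easiest to appreciate with a worked example. The following is an added illustration, not code from GitHub, FOSSA or any vendor in this report: it walks a constructed dependency graph with fictional package names, finds every path from the application to each package flagged by a (constructed) advisory feed, distinguishes direct from transitive exposure, and reports which manifest entries to bump or override to remove it.

```python
"""Added example: tracing direct and transitive dependencies to flagged packages.

Constructed illustration, not code from GitHub, FOSSA or any vendor on this page.
"""

# Constructed sample dependency graph (package -> packages it depends on).
# The names are fictional; "time-fmt" depends back on "log-util" to exercise cycle handling.
SAMPLE_GRAPH = {
    "my-app": ["web-framework", "util-lib", "token-lib"],
    "web-framework": ["body-parse", "query-parse", "log-util"],
    "body-parse": ["query-parse", "log-util"],
    "query-parse": [],
    "log-util": ["time-fmt"],
    "time-fmt": ["log-util"],
    "util-lib": [],
    "token-lib": ["sig-lib", "util-lib"],
    "sig-lib": [],
}

# Constructed stand-in for an advisory feed: packages with a known issue.
# "unused-pkg" is flagged but absent from the graph, so it must not appear in the report.
FLAGGED = {"query-parse", "time-fmt", "util-lib", "unused-pkg"}


def direct_dependencies(graph, root):
    """Packages the root declares itself (what the manifest lists)."""
    return list(graph.get(root, []))


def transitive_dependencies(graph, root):
    """Every package reachable from root, excluding root itself; cycle-safe."""
    seen, stack = set(), [root]
    while stack:
        pkg = stack.pop()
        for dep in graph.get(pkg, []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    seen.discard(root)
    return seen


def dependency_paths(graph, root, target):
    """All acyclic paths from root to target, each as a list of package names."""
    paths = []

    def walk(pkg, path):
        if pkg == target:
            paths.append(path)
            return
        for dep in graph.get(pkg, []):
            if dep in path:  # skip cycles such as log-util -> time-fmt -> log-util
                continue
            walk(dep, path + [dep])

    walk(root, [root])
    return paths


def exposure_report(graph, root, flagged):
    """For each flagged package that is actually reachable, report how it gets in.

    'pin_to_fix' lists the direct dependencies that pull the package in; those are
    the manifest entries to bump or override to remove the exposure.
    """
    report = {}
    for pkg in sorted(flagged & transitive_dependencies(graph, root)):
        paths = dependency_paths(graph, root, pkg)
        report[pkg] = {
            "direct": pkg in direct_dependencies(graph, root),
            "min_depth": min(len(p) - 1 for p in paths),
            "paths": [" -> ".join(p) for p in paths],
            "pin_to_fix": sorted({p[1] for p in paths}),
        }
    return report


if __name__ == "__main__":
    for pkg, info in exposure_report(SAMPLE_GRAPH, "my-app", FLAGGED).items():
        kind = "direct" if info["direct"] else f"transitive (depth {info['min_depth']})"
        print(f"{pkg}: {kind}; fix via {', '.join(info['pin_to_fix'])}")
        for p in info["paths"]:
            print("   ", p)
```

A real scanner reads the graph from a lockfile and the flagged set from an advisory database; the point this example makes is that a transitive finding is only actionable once you know every path by which it enters, since updating one direct dependency does nothing if a second one still pulls the same package in.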

Opportunities
GitHub has room for improvement in a few decision criteria, including:

  • IaC security scanning: The vendor relies on integrating other tools and using GitHub Actions outputs, enriching them with vulnerability information. This allows security insights from external sources to be surfaced directly within CI/CD workflows. In order to improve this score, the platform would need to natively support these features.

  • Container image security scanning: The solution integrates external security tools or self-hosted scanners triggered by GitHub Actions. These integrations also enable the direct display of vulnerability information from those tools. These capabilities could be improved by adding native container scanning tools.

  • Code risk scoring and analysis: While the platform includes risk scoring capabilities and integrations allowing organizations to prioritize code in production, they are limited because it lacks comprehensive visibility across the entire coding infrastructure. This constraint can hinder its ability to deliver fully contextualized risk assessments that account for dependencies, configurations, and runtime environments beyond the code contained within GitHub.

Purchase Considerations
Organizations considering GitHub Advanced Security should evaluate their specific software supply chain security needs and the extent to which they rely on the GitHub platform. If they already use GitHub for collaboration and code management, the integrated security features can be a valuable addition.

Licensing is straightforward, as each product is licensed per developer, but organizations will need to be on either the Team or Enterprise tier to take advantage of the advanced security and Copilot options.

If organizations require the missing scanning capabilities, they will need to integrate other vendors' tools. Because GitHub is one of the largest code-hosting platforms, most other vendors are capable of integrating with it.

Use Cases
GitHub caters to a wide range of use cases across diverse industries, including highly regulated sectors like finance and healthcare, where its security services and data protection features support compliance and safeguard sensitive information. It is also well suited to DevOps teams, offering automation capabilities and integration into existing development workflows. Additionally, GitHub’s scalability and automation tools make it suitable for organizations of all sizes, allowing businesses to grow, adapt, and add features as needed.

GitLab: GitLab Ultimate*

Solution Overview
GitLab provides a leading web-based DevOps platform that offers a complete solution for software development, collaboration, and deployment. The company's focus on a single application for the entire DevSecOps lifecycle has resonated with development teams seeking an integrated and efficient workflow. In March 2024, GitLab acquired Oxeye, with the initial focus on accelerating GitLab's SAST roadmap.

GitLab offers three pricing tiers: Free provides basic features for individuals and small teams, while Premium adds advanced CI/CD and security capabilities, and Ultimate supplies enterprise-grade features. There are also self-managed and dedicated solutions that allow on-premises and public or private cloud deployments with similar tier options. GitLab Duo, available with the Premium and Ultimate plans, adds AI-powered features to assist developers.

GitLab continues to expand its platform through organic development, adding new features and capabilities to address various aspects of SDLC security with a heavy focus on AI-enabled security features.

GitLab is positioned as a Challenger and Outperformer in the Maturity/Platform Play quadrant of the SSCS Radar chart.

Strengths
GitLab scored well on a number of decision criteria, including:

  • Dependencies management: The platform scans projects for dependencies, detects vulnerabilities, and suggests recommended updates. It supports multiple languages, integrates with CI/CD pipelines, and provides detailed reports. Users can automate dependency updates, view dependency graphs, and receive alerts for security issues in third-party components.

  • ML-based detection and response: Within the Ultimate pricing tier, AI models are used to evaluate risk and enrich reporting capabilities for the highest risks. The GitLab Duo AI suggestions also have vulnerability explanations, root cause analysis, and code generation features. 

  • AI-driven security and remediation: The platform includes a comprehensive set of AI features that enhance the entire development lifecycle. It offers code suggestions, code explanation, and test generation within the IDE; automates code reviews and merge request summaries; and supports root cause analysis and vulnerability resolution to accelerate secure coding and remediation workflows.

GitLab was classified as an Outperformer because of its continued integration of AI capabilities directly into the DevSecOps workflow. Its AI features include code suggestions, summaries, vulnerability explanations, and root cause analysis, enabling teams to address threats and risks quickly.  

Opportunities
GitLab has room for improvement in a few decision criteria, including:

  • Supply chain mapping and visualization: GitLab does not include a graphical representation of the supply chain, though its reports show dependencies in a table format. The product should be able to show dependencies across the supply chain and indicate which of them are actually reachable from the application's code.

  • Container image security scanning: Though the solution scans for vulnerabilities and can provide auto-generated suggestions for remediation efforts, a more advanced feature would add hardening suggestions, prebuilt images, or policy templates.

  • IaC security scanning: The solution uses KICS, an open source scanner that checks IaC for misconfigurations and vulnerabilities and generates merge requests integrated with approval workflows. A more robust solution would add deeper misconfiguration detection and proprietary enhancements on top of KICS.

Purchase Considerations
GitLab offers a tiered pricing model priced per user, with a free entry point and two commercial plans: Premium and Ultimate. The Premium tier includes SAST, secret detection, and some basic policy control. Organizations with extensive security requirements should consider GitLab Ultimate, which includes the highest level of customization and features. Customers can choose among SaaS, self-managed, or a dedicated single-tenant instance in the public cloud, offering flexibility. AI features are included starting at the Premium tier, with additional add-ons for deeper AI capabilities extended beyond the IDE.

GitLab Dedicated, hosted on a dedicated cloud instance, includes all features of Ultimate but also meets the needs of organizations that require data isolation, residency, and additional security features to comply with regulations. This option requires a 1,000-seat minimum commitment and should be considered only by large enterprises. 

Organizations that are already customers of GitLab or those evaluating, implementing, or migrating to a new DevOps solution should consider using the Ultimate tier to consolidate costs and reduce complexity in their companies. 

Use Cases
GitLab caters to a wide range of use cases across diverse industries. For highly regulated sectors like finance and healthcare, its comprehensive security services and data protection features make it an ideal choice. DevOps and DevSecOps teams benefit from its automation capabilities and integrations, enabling seamless integration into existing development workflows while incorporating security testing into CI/CD pipelines for early and continuous vulnerability detection. Additionally, its scalability and automation features make GitLab a perfect fit for large enterprises, as it supports organizations with numerous applications and development teams.

JFrog: JFrog Software Supply Chain Platform

Solution Overview
JFrog provides an integrated platform that serves as a single system of record for securing and managing software supply chains. It supports organizations in maintaining security across the entire software delivery lifecycle, allowing companies to build, manage, and distribute software quickly and securely.

The JFrog Software Supply Chain Platform takes an integrated approach to software supply chain security, embedding it within the tools and workflows developers use throughout the software development lifecycle. JFrog’s modular architecture allows for seamless integration and scalability, ensuring the platform can handle the demands of large-scale enterprise environments.

The platform’s components include JFrog Artifactory, JFrog Xray, JFrog Connect, JFrog Curation, JFrog Advanced Security, JFrog Distribution, JFrog Runtime, and JFrog ML. JFrog Artifactory is the core repository manager, providing a secure, single source of truth for all artifacts and dependencies. JFrog Xray is a universal SCA and security tool that performs deep security scans, vulnerability detection, and license compliance checks. JFrog Connect delivers full Dev-to-device automation using the API; it can push software updates to all IoT devices right from existing pipelines, while JFrog Distribution enables secure and efficient distribution of software updates. Additionally, JFrog Advanced Security includes SAST code scanning, secret detection, IaC template scanning, and contextual analysis capabilities that use automated scanners to reduce false positives, cutting noise by flagging only the vulnerabilities that are applicable in a specific customer’s environment.

JFrog is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the SSCS Radar chart.

Strengths
JFrog scored well on a number of decision criteria, including:

  • Container image security scanning: JFrog Xray provides a comprehensive security analysis of container images by examining all layers for vulnerabilities, license compliance issues, and security risks. The product provides continuous monitoring, runtime scanning, alerting, and detailed reports with remediation suggestions. It can also scan container binaries without access to source code.

  • Code risk scoring and analysis: The solution has context-aware scoring models applied to binaries and artifacts. Risk scoring factors include vulnerability severity, known exploitability, package health, artifact integrity, license risk, and pipeline context. This makes risk analysis more actionable for teams by highlighting what is exploitable, where it resides in the pipeline, and how it impacts compliance and business risk.

  • Artifact integrity: The platform ensures that every artifact, package, and release is enriched with signed attestation metadata. This metadata provides a verifiable chain of custody, allowing organizations to track, validate, and prove the authenticity of builds throughout the software supply chain. It strengthens governance and compliance by making artifacts tamper-evident and audit-ready, ensuring only trusted, signed components move through pipelines and into production. 
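The artifact integrity strength above rests on two properties: each stage's attestation is bound to the exact artifact bytes, and each attestation links to the one before it, so removing, reordering or editing a record is detectable. The following is an added illustration of those properties, not JFrog's code or attestation format. It builds a three-stage chain of custody over a constructed artifact and verifies it; HMAC with a per-stage secret stands in (as a stated simplification) for the digital signature a real system would use, and the stage names, keys and artifact bytes are all constructed.

```python
"""Added example: a tamper-evident chain of custody for a build artifact.

Constructed illustration, not JFrog's code or format. HMAC with a per-stage
secret stands in for the digital signature a real system would use; swapping
in an asymmetric signature changes only attest() and the MAC check.
"""
import hashlib
import hmac
import json

# Constructed inputs: a fake artifact and one secret per pipeline stage.
ARTIFACT = b"example-service-1.4.2.tar.gz (constructed bytes, not a real build)"
STAGES = ("build", "test", "release")
STAGE_KEYS = {
    "build": b"build-stage-key",
    "test": b"test-stage-key",
    "release": b"release-stage-key",
}


def artifact_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    """Stable encoding so the same body always hashes to the same id."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def attest(stage, subject, predecessor, key: bytes) -> dict:
    """Record that `stage` handled artifact `subject`, linked to the prior attestation."""
    body = {"stage": stage, "subject": subject, "predecessor": predecessor}
    att_id = hashlib.sha256(_canonical(body)).hexdigest()
    mac = hmac.new(key, att_id.encode(), "sha256").hexdigest()
    return {**body, "id": att_id, "mac": mac}


def build_chain(artifact: bytes, stages, keys) -> list:
    """Each stage attests the same artifact digest and links to the previous record."""
    digest, chain, prev = artifact_digest(artifact), [], None
    for stage in stages:
        att = attest(stage, digest, prev, keys[stage])
        chain.append(att)
        prev = att["id"]
    return chain


def verify_chain(artifact: bytes, chain: list, keys, required_stages):
    """Return (ok, reason). Fails on a skipped stage, altered body, bad MAC,
    wrong artifact bytes, or a broken predecessor link."""
    digest = artifact_digest(artifact)
    if [a["stage"] for a in chain] != list(required_stages):
        return False, "stage sequence does not match policy"
    prev = None
    for att in chain:
        body = {k: att[k] for k in ("stage", "subject", "predecessor")}
        if hashlib.sha256(_canonical(body)).hexdigest() != att["id"]:
            return False, f"{att['stage']}: attestation body altered"
        key = keys.get(att["stage"])
        expected = hmac.new(key, att["id"].encode(), "sha256").hexdigest() if key else ""
        if not key or not hmac.compare_digest(att["mac"], expected):
            return False, f"{att['stage']}: MAC invalid"
        if att["subject"] != digest:
            return False, f"{att['stage']}: subject digest does not match artifact"
        if att["predecessor"] != prev:
            return False, f"{att['stage']}: chain of custody broken"
        prev = att["id"]
    return True, "ok"


CHAIN = build_chain(ARTIFACT, STAGES, STAGE_KEYS)

if __name__ == "__main__":
    print(verify_chain(ARTIFACT, CHAIN, STAGE_KEYS, STAGES))
    print(verify_chain(ARTIFACT + b"\x00", CHAIN, STAGE_KEYS, STAGES))
```

The check order matters: the body hash and MAC are verified before the subject and predecessor fields are trusted, so an attacker who can rewrite a stored attestation cannot make a modified artifact or a skipped test stage look legitimate without the stage's key. Promotion gates that only check "is there a release attestation" without walking the chain back to build miss exactly those cases.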

Opportunities
JFrog has room for improvement in a few decision criteria, including:

  • Supply chain mapping and visualization: The solution provides a simple table for displaying dependencies, vulnerabilities, and tools. However, it could be improved by adding a detailed graphical representation that shows how everything is related along the entire development pipeline to assist teams with assessing risk.

  • ML-based detection and response: JFrog incorporates some machine learning capabilities for security scanning and vulnerability detection, but these features do not match the level of automation other vendors apply to generating remediation suggestions.

  • Dependencies management: Open source and third-party components are continuously scanned, tracked, and governed as part of the artifact lifecycle. The solution could be improved by adding automated updates, patching, and remediation to reduce work for development teams.  

Purchase Considerations
The JFrog Platform offers flexible deployment options to cater to different organizational needs. It can be deployed as a self-hosted solution, allowing organizations to maintain control over their infrastructure, or as a fully managed SaaS offering hosted on major cloud service providers. The platform supports multicloud environments, enabling organizations to distribute their container repositories and security scanning across different cloud providers or hybrid setups. This flexibility extends to the platform's integration capabilities, allowing it to fit into existing CI/CD pipelines and DevOps workflows, enabling security checks at multiple stages of the container lifecycle.

Use Cases
JFrog caters to a wide range of use cases across diverse industries. Its comprehensive security services, artifact and binary management, and secure software distribution capabilities make it an ideal solution for highly regulated sectors such as finance and healthcare. DevOps teams benefit from its automation capabilities and integrations, enabling seamless adoption into existing development workflows. Additionally, JFrog's scalability and automation features make it well suited for large enterprises, supporting organizations with numerous applications and distributed development teams.

Legit Security: Legit ASPM Platform

Solution Overview
The Legit ASPM Platform protects the software supply chain from attack by automatically discovering and securing the pipelines, infrastructure, code, and people. It combines automated discovery and analysis capabilities with security policy enforcement to reduce risk and protect software projects. Legit maps security controls to regulations, security frameworks, and customized requirements, continuously monitors for noncompliance, and produces the evidence needed for audits.

The Legit ASPM Platform offers a comprehensive suite of capabilities through its integrated products: Legit SCA, Legit SAST (which includes AI-SAST), Legit IaC scanning, Legit Container Scanning, Legit Pipeline for security and posture management and misconfiguration detection, and Legit Material Change Detector. The Legit Secret scanner provides robust secrets security features, encompassing detection, remediation, and prevention. Additionally, the platform supports compliance frameworks with reporting and attestation functionality. It generates an SBOM and incorporates AI discovery and governance features that identify risky AI models, GenAI-developed code, and the use of code assistants, so that governance is applied from the outset of the SDLC.

Legit Security continues to improve its core platform capabilities with additional integrations and extended compliance and AI discovery features.

Legit Security is positioned as a Leader and Fast Mover in the Innovation/Feature Play quadrant of the SSCS Radar chart.

Strengths
Legit Security scored well on a number of decision criteria, including:

  • Code risk scoring and analysis: The solution provides a risk score associated with vulnerabilities and risks uncovered across the SDLC, which also considers scores assigned by integrated application security tools. The score is further enriched with business impact data to provide a representation of business risk.

  • Supply chain mapping and visualization: The platform continuously maps the software supply chain by analyzing source code repositories, CI/CD pipelines, dependencies, IaC, container images, secrets, and runtime configurations. It generates a live, visual representation of the software factory, tracing the way code moves from development to deployment, which highlights the areas where security controls exist or are missing, and exposes gaps, misconfigurations, and risk propagation paths across the SDLC.

  • Supply chain posture and visibility: The solution uses the inventory of SDLC assets to assess risks, allowing teams to identify high-risk components across projects and environments and detect common misconfigurations such as hardcoded secrets, overly permissive access, and insecure IaC templates. The data is fully queryable and enriched with metadata, allowing teams to triage issues with ease.

Opportunities
Legit Security has room for improvement in a few decision criteria, including:

  • Container image security scanning: Legit Security does not natively offer this feature, but the platform has prebuilt integrations with other application security tools, allowing organizations to rely on their previous investments. 

  • Dependencies management: The solution offers dependency discovery and mapping, along with continuous risk analysis and real-time monitoring of dependencies across the software development lifecycle. However, to enhance its capabilities, the platform would benefit from adding automated upgrading and patching features that source updates from reputable repositories.

  • Runtime threat protection: The platform does not provide native runtime protections but integrates with other security tools to ingest runtime threat signals. It uses these inputs to perform exposure analysis, assess blast radius, and help prioritize vulnerabilities based on whether affected components are active in production or exposed to external traffic.

Purchase Considerations
The Legit ASPM Platform is priced per developer per year, with all capabilities included in the offering. While the secrets scanning module can be purchased separately, it is included in the complete solution.

Legit Security can be deployed in a SaaS, hybrid, or on-premises model. Each option can be tailored to meet business needs, and regulated companies should consider the hybrid or on-premises options, depending on regulatory requirements.

Organizations seeking a comprehensive security platform that integrates with their existing toolset will find Legit Security to be a compelling solution. This use case is particularly relevant for companies looking to streamline their security operations without replacing their current tools, although the platform can also replace incumbent vendors. Customization of security policies is a core strength of the platform, and organizations seeking depth of customization should consider this solution, particularly in regulated and large-scale environments.

Legit ASPM Platform acts as a unified interface, consolidating risk signals into a single stream, reducing noise and duplicative results from other integrated scanning solutions. This approach not only maximizes the value of existing investments but also improves overall security posture by ensuring consistent policy enforcement and providing comprehensive visibility across the entire software development lifecycle.

Use Cases
Legit Security caters to a wide range of use cases across diverse industries. Its comprehensive security services and data protection features make it well suited for highly regulated industries like finance and healthcare. DevOps and DevSecOps teams benefit from its automation capabilities and integrations, allowing for seamless adoption into existing development workflows while integrating security testing into CI/CD pipelines for early and continuous vulnerability detection. Additionally, Legit Security's scalability and automation make it ideal for large enterprises with numerous applications and development teams.

Lineaje: Lineaje Full-Lifecycle Software Supply Chain Security

Solution Overview
Lineaje provides a comprehensive governance platform for SSCS management to organizations that source, build, buy, or use software applications. Lineaje can discover the full lineage of software developed in-house, open source, and purchased. Its platform enables organizations to assess and verify software provenance, security posture, and artifact integrity across CI/CD pipelines and production environments.

The Lineaje platform offers a comprehensive governance solution through a suite of integrated products designed to enhance software supply chain security. SBOM360 identifies software components, verifies their integrity, and evaluates associated risks while supporting remediation planning to optimize software operations and reduce vulnerabilities. SBOM360 Hub functions as a centralized repository for creating, managing, publishing, and sharing SBOMs, evidence artifacts, and vulnerability data across the distribution chain, streamlining sales processes and enabling effective risk mitigation. 

Lineaje AI can find and autonomously fix software supply chain security risks. Open Source Manager delivers governance capabilities to manage and reduce risks inherent in open source software development. Third-Party Risk Manager (TPRM) enables organizations to identify and eliminate risks present in commercial or externally acquired software. Gold Open Source (GOS) is a solution that replaces vulnerable open source components with vetted, secure alternatives. It maintains a trusted registry of safe packages and images, integrates into build environments to automate replacements, and verifies provenance, support, and compatibility.

Lineaje is positioned as a Leader and Outperformer in the Innovation/Feature Play quadrant of the SSCS Radar chart.

Strengths
Lineaje scored well on a number of decision criteria, including:

  • Dependencies management: The solution offers dependency tracking, including package versioning, and a robust policy enforcement feature set. It also includes automated remediation of vulnerabilities, detection of the geographic provenance of code in open source packages, identification of out-of-date packages, and selection of alternative dependencies.

  • Code risk scoring and analysis: Lineaje assesses risk across six scores divided into two categories: inherent risk level and lineage component attestation level. These metrics offer organizations a detailed framework for quantifying risk levels and identifying tamperability risks, allowing organizations to prioritize remediation and achieve alignment with compliance frameworks.

  • Open source governance: The solution offers deep governance capabilities for developed software, emphasizing risk management, policy gating, and automation throughout the SDLC. Its SBOM-centric approach enables fine-grained control over software components, while integrated third-party risk management addresses risks in vendor-supplied code. Gold Open Source is a curated registry that ensures only safe, secure open source packages and images are used in development. 

Lineaje was classified as an Outperformer because of its release of Gold Open Source, a trusted registry of open source software and AI tools that autonomously find and fix risks in code.

Opportunities
Lineaje has room for improvement in a few decision criteria, including:

  • Automated security testing (SAST, DAST, IAST): The solution does not include any SAST, DAST, or IAST scanners, though it can integrate with vendors that do provide this testing and can ingest data from those tools for analysis.

  • IaC security scanning: The Lineaje platform lacks IaC scanning capabilities, as it focuses primarily on code rather than underlying infrastructure. In order to improve the score, it would need to integrate with other vendors, adding risks to the Lineaje scoring model. 

  • Runtime threat protection: The platform only integrates with runtime security tools to detect known exploit patterns, suspicious processes, tampering, and security threats. Real-time alerts are generated and linked back to specific components in the SBOM, providing clear traceability between runtime events and vulnerable open source packages, but in order to improve on this emerging feature, there would need to be native capabilities.

Purchase Considerations
Lineaje employs a tiered subscription model, priced according to which products (SBOM360 Hub, SBOM360, or TPRM) are purchased and the volume of projects an organization has. Gold Open Source is a yearly subscription, with GOS Premium pricing based on the number of custom fixes. SCA360 pricing is likewise consumption-based, in terms of the number of assets scanned. The platform's extensive features and scalability make it a valuable investment for larger enterprises, but smaller organizations may want to prioritize specific components based on their needs and risks.

Lineaje should be licensed as a complete solution, and organizations should consider replacing incumbent solutions to fully leverage the platform's synergy. Lineaje offers three deployment models: in the vendor's cloud infrastructure, as a hybrid, or on-premises, enabling regulated companies to consume the product as needed. 

Organizations managing large volumes of SBOMs should consider this solution to consolidate search, comparisons, and management activities into a single platform. 

Use Cases
Lineaje caters to a wide range of use cases across industries, making it especially valuable for enterprises and highly regulated sectors such as finance, healthcare, and the public sector. For software publishers, it provides SBOM storage and sharing capabilities, enabling external partners to review and verify builds easily. Its scalability and automation support organizations with complex development pipelines and large application portfolios. Lineaje helps manage risk and compliance by securing builds automatically, contextualizing risks across internally developed and third-party software, and delivering robust reporting to meet strict regulatory requirements.

Mend.io: The Mend AppSec Platform

Solution Overview
Mend.io provides security coverage across the software development lifecycle, protecting both open source and internally developed code. The company helps organizations mitigate risks by automating vulnerability detection and extending security capabilities across SAST, SCA, container security, and AI components. Mend.io acquired Atom Security in 2023, gaining a risk-based approach to container image vulnerability prioritization, and has consistently invested in enhancing its platform with new features and integrations.

The Mend AppSec Platform offers continuous monitoring of code dependencies, providing real-time alerts and remediation guidance to mitigate risks associated with known vulnerabilities and license compliance issues. Mend.io's platform integrates into existing development workflows and empowers organizations to proactively address security risks in their open source software supply chain.

The Mend AppSec Platform is a comprehensive solution that enhances software security by integrating multiple key components. Mend SCA scans codebases to identify open source components and associated vulnerabilities. Mend Renovate streamlines the process of updating dependencies to the latest secure versions, helping maintain application security and currency. Mend AI automates the discovery of AI components in code, prioritizing remediation and enforcing policy compliance.  

Mend.io is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the SSCS Radar chart.

Strengths
Mend.io scored well on a number of decision criteria, including:

  • Dependencies management: The Mend Renovate solution includes automated dependency updates, continuous checking for new versions, and a merge confidence calculation to enhance development speed. It provides automated checks, pull requests, and confidence scores, which are used by Merge Confidence Workflows to automatically merge only the safest updates.

  • Container image security scanning: The solution provides image vulnerability scanning, reachability analysis, secrets detection, Kubernetes integration, and security for AI components used to build containers, performing scans both early in development and at runtime.

  • Automated security testing (SAST, DAST, IAST): Mend.io’s solution offers SAST testing with fast scanning, prioritization, and a single unified stream of results to help address alert fatigue and improve visibility by project. Mend.io partners with Invicti for DAST and API security functionality, providing a complete set of tools for testing.

Opportunities
Mend.io has room for improvement in a few decision criteria, including:

  • Supply chain mapping and visualization: While none of the Mend.io solutions include a graphical representation of the supply chain, there are reports that show dependencies in a table format. The product should expand its functionality to show dependencies and reachability across the supply chain in a graphical representation.

  • ML-based detection and response: Mend.io has some machine learning models for code matching and risk analysis, but it could expand those capabilities to include anomaly detection and automated responses.

  • Code risk scoring and analysis: The solution calculates risks using a methodology that combines threat intelligence, exploitability data, and insights from across its entire product suite. While effective, this feature could be improved by allowing organizations to customize risk scoring based on their own business context and risk tolerance.

Purchase Considerations
Mend.io’s easy-to-understand pricing structure is arranged per developer for all four primary modules. This structure can simplify budget forecasting for managers, but potential customers should carefully evaluate their use cases to ensure the costs associated with this solution align with organizational needs and they are not incurring additional costs for features that will not be used.

Mend.io offers both a fully managed and a hybrid SaaS solution. In the fully managed option, Mend.io handles the backend, while the local agent runs inside the CI/CD, scanning the code, so no code leaves the customer’s environment. Mend.io does not offer dedicated instances or on-premises deployment options, which organizations with extensive compliance requirements, such as US federal agencies, should consider. 

The solution offers numerous capabilities, but its complexity can hinder full utilization. Customers will need to understand the skills required in their teams to fully leverage this solution.

Use Cases
Mend.io supports a wide range of use cases across diverse industries, including highly regulated sectors like finance and healthcare, due to its comprehensive security and code threat analysis features. The platform focuses on preproduction security, offering SAST, SCA, DAST (via integration with Invicti), and container scanning to identify risks early in the development lifecycle. Its strong automation capabilities and integrations make it particularly well suited for DevOps and DevSecOps teams, enabling seamless adoption into existing development workflows and embedding security testing continuously within CI/CD pipelines. Additionally, Mend.io's scalability and automation make it an ideal choice for large enterprises managing numerous applications and development teams.

OX Security*

Solution Overview
OX Security helps organizations manage and remediate risks throughout the SDLC, including build, CI/CD pipelines, and deployment processes. The platform provides supply chain security, code integrity, and vulnerability management, aiming to give security and DevOps teams visibility and control over their entire software supply chain.

OX Security’s platform scans every step of the software development process to detect and prioritize risks. It leverages visibility across code, open source dependencies, build systems, and CI/CD pipelines to create an end-to-end SBOM. It maps out all potential risks in the SDLC and provides recommendations for remediation. The platform also integrates with existing development and security tools, enabling frictionless workflows and continuous monitoring of code and pipeline security.

OX Security is positioned as a Challenger and Fast Mover in the Innovation/Feature Play quadrant of the SSCS Radar chart.

Strengths
OX Security scored well on a number of decision criteria, including:

  • Open source governance: The solution provides open source governance by combining SCA, license compliance, and pipeline enforcement into a unified platform. It continuously scans source code, dependencies, and containerized artifacts to detect known vulnerabilities and identify high-risk packages across the development lifecycle. OX Security automatically detects open source licenses and flags any that conflict with organizational policies or compliance obligations. These insights are integrated into its SBOM and project bill of materials (PBOM) views, offering traceability and auditability across builds and releases.

  • Supply chain mapping and visualization: The platform has a detailed visual representation of all pipeline assets and platforms and includes an attack path across the entire SDLC, incorporating reachability, exploitability, and business priority to help teams focus on the most critical risks. 

  • Code risk scoring and analysis: The scoring rubric includes business risk modeling that prioritizes issues based on their potential impact on the organization. Unlike tools that focus solely on code-level risks, OX Security evaluates the entire software delivery pipeline, including code, build systems, CI/CD workflows, and deployed artifacts, to assess and assign risk. This end-to-end context helps security and DevOps teams focus remediation efforts.

Opportunities
OX Security has room for improvement in a few decision criteria, including:

  • ML-based detection and response: The platform is built around a posture-based security model that relies on static rules and predefined policies. It leverages an internal threat research team to continuously update and refine these rules, enabling the platform to block emerging risks and enforce new security policies across the SDLC. However, it does not incorporate machine learning or behavioral analytics to detect novel threats within customer environments. 

  • Automated security testing (SAST, DAST, IAST): The solution offers SCA capabilities that work similarly to SAST by scanning code for vulnerable dependencies, but it goes further by incorporating SBOM analysis to provide deeper context and traceability. To improve this feature, the platform would need to integrate additional testing tools such as DAST or API security testing.

  • Artifact integrity: The solution supports artifact signing for GitHub and GitHub Actions pipelines, allowing organizations to enforce policies that ensure only signed and verified artifacts are used. However, to provide broader coverage, the platform would need to expand support for additional repositories and CI/CD systems, as well as enhance attestation capabilities and threat detection for malware and tampering.

Purchase Considerations
OX Security’s pricing includes unlimited workflows, CI/CD pipeline integrations, connectors, and scanning, and is licensed on a per-monitored-developer basis, billed annually, typically with a one-year commitment. Organizations will need to engage this vendor for a customized price estimate.

If an organization needs traditional SAST/DAST/IAST capabilities like static code rules scanning or dynamic runtime probing, it will need to identify additional tools and should ensure those platforms integrate with this solution. OX Security complements those by providing deep supply chain visibility, vulnerability context, remediation, and policy enforcement.

OX Security is primarily a SaaS platform, but it also supports on-premises deployment, enabling organizations to maintain control over their data and infrastructure while leveraging the same ASPM capabilities as in the cloud deployment model.  Organizations will need to work with the vendor to determine which deployment model meets infrastructure requirements and regulatory needs.  

Use Cases
OX Security focuses on software supply chain and ASPM use cases tailored to the needs of DevOps and DevSecOps teams. The platform can be used by organizations of all sizes looking to consolidate visibility and control across the software development lifecycle. The platform delivers a holistic view into code, CI/CD pipelines, API usage, SaaS dependencies, cloud infrastructure, and application runtime security, which enables organizations to proactively manage supply chain security posture and ensure compliance. 

Palo Alto Networks: Cortex Cloud

Solution Overview
Palo Alto Networks provides advanced cybersecurity solutions, including next-generation firewalls, automated SecOps, and cloud-based security offerings. The company's platform approach delivers integrated solutions to secure networks, clouds, and devices against sophisticated cyberthreats. Over the past three years, Palo Alto Networks has been evolving its Prisma Cloud platform via multiple acquisitions, including Cider Security in 2022, to add code security improvements. In February 2025, Palo Alto Networks introduced Cortex Cloud, the next iteration of Prisma Cloud to secure applications from code to cloud to SOC.

Cortex Cloud offers a comprehensive SSCS solution spanning many different products, protecting organizations from code to cloud. It provides visibility into vulnerabilities across the development lifecycle, scanning code repositories, container images, and infrastructure as code. The platform automates security checks, enforces policies, and integrates with CI/CD pipelines. Cortex Cloud helps prevent supply chain attacks by securing development environments, verifying software integrity, scanning secrets, detecting malicious dependencies, and ensuring compliance with security best practices throughout the software delivery process. 

Cortex Cloud covers three functions (application security, cloud posture management, and runtime security), with features that include data security posture management, AI security posture management, cloud infrastructure entitlement management, and runtime protection with host, container, serverless, and web application security tools. In addition, risk protection is further enhanced with SCA and IaC, secrets, and CI/CD security. Palo Alto Networks also has Cortex Cloud ASPM, providing posture review for the entire development ecosystem.

Palo Alto Networks is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the SSCS Radar chart.

Strengths
Palo Alto Networks scored well on a number of decision criteria, including:

  • Container image security scanning: Cortex Cloud provides continuous container image scanning across major public cloud vendors, ensuring real-time visibility into vulnerabilities and compliance issues. It offers prebuilt templates for various compliance standards, simplifying adherence to regulatory requirements. The solution integrates smoothly into existing development toolchains, supporting DevSecOps practices.

  • ML-based detection and response: Cortex Cloud employs sophisticated machine learning for comprehensive security that features anomaly detection, threat identification, and automated response across development environments. The AI model conducts continuous behavior analysis to predict potential attacks.

  • Customization of security policies: Cortex Cloud includes out-of-the-box policies and deep customization capabilities that use policy as code in both Python and YARA, along with UI-based low-code options for organizations that require nuanced security policy configurations.

Opportunities
Palo Alto Networks has room for improvement in a few decision criteria, including:

  • AI-driven security and remediation: Cortex Cloud automatically generates code fixes and patches to address vulnerabilities. It offers integrated pull request comments, fixes, and smart fixes that automate the security code review process and streamline remediation efforts. This feature could be improved by using LLM models to generate complex code fixes, assisting developers with creating secure code.

  • Code risk scoring and analysis: The solution offers a scoring model that incorporates vulnerability information along with attack path, blast radius, and code exposure data points. It can identify threats, and teams can trace them back to container images, associated vulnerabilities, or misconfigurations. This feature scored very well and could be further improved by providing the ability for organizations to enrich the scoring model with their specific business risk profiles outside of compliance frameworks.

  • Binary composition analysis: The vendor does not offer composition analysis capabilities for binaries. It can scan container images but lacks support for analyzing compiled software artifacts outside of containerized environments. While it can perform some malicious behavior detection at runtime through Cortex Cloud, this functionality is limited to the detection of immediate risks, not a full breakdown of binary compiled code. 

Purchase Considerations
Cortex Cloud is available via a SaaS offering. The Palo Alto Networks-hosted option is divided into two cloud security plans, Cloud Posture Security and Cortex Cloud Runtime Security, in which capabilities are combined into packages addressing common organizational requirements, based around agentless and agent-bound deployments.

Cortex Cloud should be licensed as a complete solution, and organizations should consider the displacement of incumbent solutions in order to take full advantage of the synergy across the platform. If an organization is already a customer and looking to add SSCS capabilities, native integration with other products in the platform can extend existing security procedures to cover the software development lifecycle as well. 

Use Cases
Palo Alto Networks caters to a wide range of use cases across diverse industries. Its comprehensive security services and data protection features make it a suitable choice for highly regulated sectors such as finance and healthcare. DevOps and DevSecOps teams benefit from its automation capabilities and integrations, enabling seamless adoption into existing development workflows while integrating security testing into CI/CD pipelines for early and continuous vulnerability detection. Additionally, Palo Alto Networks' scalability and automation make it well suited for large enterprises with numerous applications and development teams.

ReversingLabs: Spectra Assure

Solution Overview
ReversingLabs is a trusted vendor in file and software security, providing an on-premises, hybrid, and cloud-based cybersecurity platform to verify and deliver safe binaries. ReversingLabs provides the critical build exam to determine whether a single file or a full software binary presents a risk to the organization or its customers.

ReversingLabs Spectra Assure identifies and stops software supply chain attacks through binary analysis, detecting malware, tampering, suspicious behaviors, exposed secrets, vulnerabilities, and gaps in application hardening. The company provides a comprehensive SBOM and risk assessment of software, which includes a full analysis of the entire software package, including proprietary, commercial, and open source components, plus all artifacts added as part of the build process. The solution also includes an extended bill of materials (xBOM) providing visibility into cryptographic elements, AI/ML models, and third-party services included within a software package, supporting a number of additional use cases required by new compliance frameworks. It is capable of handling large and complex software packages that are gigabytes in size, deconstructing them and reporting on issues in minutes or hours without the need for source code.

ReversingLabs has a unique approach to software supply chain security and will continue to build on the new features introduced into its product this year while developing and expanding the functionality into new areas.

ReversingLabs is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the SSCS Radar chart.

Strengths
ReversingLabs scored well on a number of decision criteria, including:

  • Binary composition analysis: The solution performs deep static analysis of compiled artifacts, detecting embedded components and package versions, identifying malware, tampering, exposed secrets, vulnerabilities, and improper hardening techniques without needing access to the source code. The scan includes the entire software binary, including proprietary, open source, and commercial software, and any artifacts added during the build process. The binary analysis scanning can be utilized at several points in the SDLC and provides a comprehensive build exam of the final package before release to customers.

  • Code risk scoring and analysis: Using proprietary analysis engines enhanced with AI models and further enriched with proprietary threat hunting policies, Spectra Assure provides findings in five levels. Customers can either use predefined policies or create their own to customize risk levels specific to business requirements. Organizations can also require that packages meet a certain level before they are considered acceptable to release or deploy, and Spectra Assure also identifies and tracks software behaviors across software versions to flag high-risk changes.

  • Customization of security policies: Spectra Assure provides extensive policy customization to align with varying organizational risk tolerances. Users can set software assurance foundational evaluation (SAFE) levels per project, modify how policies impact pass/fail outcomes, and define or suppress vulnerabilities using VEX-compliant justifications. Organizations can enforce or block specific software behaviors, create exceptions for internal secrets, and even write custom YARA rules for tailored detections.

Opportunities
ReversingLabs has room for improvement in a few decision criteria, including:

  • Automated security testing (SAST, DAST, IAST): Spectra Assure is not a traditional automated code security testing tool. Rather than analyze code during composition (SAST) or while the application is running (DAST), the tool employs binary analysis to identify threats and risks in software. Companies can integrate the analysis results with a wide range of other platforms assisting with wider remediation efforts. While one benefit of this approach is that it does not require source code for analysis, the platform lacks capabilities for dynamic testing or API security. 

  • Supply chain mapping and visualization: While Spectra Assure does provide a hierarchical view of software components in a project that identifies risks and vulnerabilities, it does not include a graphical representation of risks throughout the SDLC, as the solution is targeted to secure organizations after coding is finished and before it is introduced into applications and runtimes. 

  • IaC security scanning: The product supports scanning of IaC templates for malware, tampering, hard-coded secrets, and software vulnerabilities, but it does not perform real-time scanning or continuous monitoring. In order to improve, the platform would need to integrate with cloud providers to schedule scans of these templates and policy controls, thereby limiting misconfigurations.

Purchase Considerations
ReversingLabs offers a usage-based pricing model charging according to the number of gigabytes of data per binary or file scanned. Organizations can therefore scale up as they implement the solution into their SDLC processes. The platform's extensive features and scalability make it a valuable investment for larger enterprises, but smaller organizations may need to prioritize other toolsets addressing risks earlier in the SDLC while their offerings mature. 

Spectra Assure can be deployed in a SaaS, hybrid, or on-premises model. Each option can be tailored to meet business needs, but regulated companies should consider the hybrid or on-premises options, depending on regulatory requirements. 

The binary analysis and risk visibility offered by Spectra Assure provide invaluable insights, but organizations need to consider whether additional security tools shifted left or right of Spectra Assure may be required to properly secure the coding or software deployment processes. Combining it with other threat detection or vulnerability management platforms would provide a more comprehensive cybersecurity posture, enhancing an organization's ability to identify and mitigate potential threats across the entire corporate attack surface.

Use Cases
ReversingLabs addresses specific cybersecurity challenges across a diverse set of industries. Its security services and file security features make it particularly suitable for highly regulated sectors such as finance, healthcare, and government. ReversingLabs focuses on several specific use cases, including binary analysis, to evaluate entire software binaries and identify malware before they are released, acquired, or deployed. The platform’s capabilities are useful for organizations looking to safeguard the software they consume and deploy, and for software producers looking to curate, secure, and validate their products. It provides SBOMs for all software, including proprietary, commercial, open source, and build artifacts. Furthermore, ReversingLabs specializes in identifying novel threats, such as malware, tampering, exposed secrets, and suspicious behavior changes, enhancing overall security posture.

Scribe Security: Scribe Hub

Solution Overview
Scribe Hub is a platform that enables organizations to secure the SDLC, facilitating governance of all development processes and code produced within the organization while also verifying the integrity, provenance, authenticity, and reputation of code components, protecting against vulnerabilities, tampering, and open source risks. Scribe Security provides organizations with visibility into and assurance of the entire software development lifecycle, from early design stages to final deployment.

The Scribe Hub platform comprises several key components designed to enhance software security throughout the development lifecycle. It features a centralized SBOM management platform that generates SBOMs at every stage, using Scribe Security’s SCA or ingesting third-party SBOMs. The platform includes application security posture management, which gathers output from integrated application security testing (AST) scanners, development tools, configuration files, identities, and actions. Its vulnerability management component provides intelligence on software vulnerabilities, exploitations, reputation, and licenses to facilitate risk analysis, triage, and incident response. 

Additionally, Scribe Security implements automated guardrails to verify and gate the software development and deployment process. The solution offers code signing, integrity, and provenance checks to ensure authenticity and detect unlawful interventions. It also provides organizations with blueprints for compliance with various secure development frameworks, such as SLSA and SSDF, or the flexibility for organizations to customize their own policies.

Scribe Security is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the SSCS Radar chart.

Strengths
Scribe Security scored well on a number of decision criteria, including:

  • Code risk scoring and analysis: The platform assigns code-level risk scores by analyzing vulnerability severity, exploitability, production exposure, and contextual factors such as dependency criticality and usage patterns, allowing teams to address the highest risks during development and remediation efforts.

  • Customization of security policies: The Scribe platform offers robust policy customization that leverages policy-as-code capabilities, allowing organizations maximum flexibility in the way policies are defined and enforced. These policies are connected with the platform’s attestation and integrity capabilities, allowing organizations to enforce chain of custody controls. 

  • Supply chain mapping and visualization: The solution continuously scans integrated development tools via APIs, collecting evidence from every SDLC component to build a centralized inventory of assets, SBOMs, pipelines, and configurations. It then creates an interactive visualization of the SDLC, which can map relationships from source repositories through builds to production deployments, supporting ad hoc queries, compliance tracking, and deep investigative DevSecOps analysis.

Opportunities
Scribe Security has room for improvement in a few decision criteria, including:

  • ML-based detection and response: Scribe Hub does not include ML-based detection and response. However, its AI agent capabilities can be leveraged for manual investigations, providing recommendations on vulnerability prioritization using agents to generate fix pull requests, root-cause analysis, remediation actions, and policy-tuning guidance.

  • Automated security testing (SAST, DAST, IAST): The Scribe platform does not include any native SAST, DAST, or IAST capabilities; however, it integrates with other vendors, bringing those findings into the platform and allowing customers to apply Scribe security policies to deployments, ensuring that developed software maintains security standards.

  • IaC security scanning: The Scribe platform does not provide native IaC scanning capabilities but can integrate with other vendors and use those security findings.

Purchase Considerations
Scribe Security’s pricing structure includes a free trial, which allows organizations to pursue proof of concept projects. The two paid licensing tiers are Business, for small and medium businesses, and Enterprise, for custom solutions that cater to larger or highly regulated organizations. The paid plan pricing is tiered by the number of developers, with a minimum commitment of 50 seats.  

Organizations looking to secure their entire pipeline, achieve regulatory compliance, and pass audits should consider the features of this platform. It is designed to be scanner-agnostic, relying on integrations with other vendors. Organizations will need to review whether their current scanners integrate or whether they need to purchase other platforms for code security testing. This platform is a good fit for medium to large enterprises whose lack of visibility into the software factory creates significant business risk. Scribe Security’s discovery capabilities can help close this transparency gap, which can impact security, compliance, and operational efficiency.

The solution provides a lot of detail and can be complex. Customers will need to understand the skills required in their teams to use the solution. This could drive higher adoption and training costs. Scribe Security offers three deployment models, allowing organizations to deploy in the vendor's cloud infrastructure, in public clouds, and on-premises, which can impact the way regulated companies consume the product. 

Use Cases
Scribe Security caters to a specific range of use cases across various industries that make it particularly suitable for highly regulated sectors such as finance, healthcare, and government. Additionally, its scalability and automation make it ideal for large enterprises with numerous applications and development teams. Scribe Security focuses on compliance governance use cases, including discovery and guardrails, integrity and tamper detection, and centralized SBOM management, allowing security and compliance teams to validate control effectiveness, track deviations over time, and generate audit-ready reports. This ensures both proactive risk management and defensible proof of compliance for internal governance, customer requirements, and regulatory audits.

Snyk*

Solution Overview
Snyk is a cloud-native software security company with a core focus on empowering developers to build secure software by providing them with the tools and insights needed to address vulnerabilities early in the development process. Snyk has actively expanded its offerings through acquisitions such as DeepCode, an AI-powered code analysis platform, underscoring its commitment to developer-centric security solutions. In January 2024, Snyk acquired Helios, a solution that specializes in capturing runtime data, allowing the Snyk platform to gain visibility into runtime risks.

Snyk is a developer-first security platform that focuses on identifying and remediating vulnerabilities in open source dependencies, container images, and IaC. It provides a comprehensive solution for addressing security risks throughout the software development lifecycle (SDLC), seamlessly integrating into existing development workflows and tools. 

The platform comprises several integrated products designed to enhance software security comprehensively: Snyk Open Source identifies and fixes vulnerabilities in open source dependencies across various programming languages and package managers; Snyk Container scans and monitors container images for vulnerabilities and misconfigurations while providing actionable base image fix advice; Snyk IaC analyzes IaC templates for security issues before deployment; Snyk Code offers SAST capabilities to identify vulnerabilities in proprietary code; and Snyk AppRisk focuses on reducing application risk at scale through complete application discovery, tailored security controls, identification of gaps in scanning, and risk-based prioritization to ensure a robust security posture throughout the software development lifecycle.

Snyk is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the SSCS Radar chart.

Strengths
Snyk scored well on a number of decision criteria, including:

  • Dependencies management: Snyk identifies dependencies and provides features for automated updates, patching, and other code fixes, enabling developers to prioritize top risks and fix exposures quickly. 

  • IaC security scanning: In addition to scanning for vulnerabilities and misconfigurations of IaC files, the IaC tool integrates directly with public cloud providers, monitoring IaC code in real time and making code and remediation suggestions during the build process.

  • Container image security scanning: The core platform continuously monitors containers for vulnerabilities and misconfigurations and prioritizes remediation based on context and exploitability. Snyk also provides base image recommendations, allowing teams to start from a more secure base image, with support for both public base images and curated image models, thus avoiding additional image maintenance.

Opportunities
Snyk has room for improvement in a few decision criteria, including:

  • Supply chain mapping and visualization: The solution provides some application or code-level visualization capabilities, but these are generally focused on showing the specific resources affected by a given vulnerability rather than offering a full pipeline view of the entire software supply chain. The graphic highlights impacted repositories, packages, or container images, making them useful for targeted remediation but less holistic for understanding the broader pipeline posture, configuration relationships, or dependency flow across environments.

  • Customization of security policies: While Snyk offers deep customization of policies, along with policy templates to help organizations get started, it would need to offer a more robust policy-as-code option to serve highly regulated organizations with deep auditing requirements.

  • Artifact integrity: Snyk lacks support for this emerging feature but integrates with other vendors that specialize in it, and the platform can utilize information from the integrations to inform security policies.

Purchase Considerations
Snyk’s easy-to-understand pricing structure includes a free tier and two paid plans based on usage, developers, and features. Individual products are also available for purchase, which offers maximum flexibility for organizations of varying sizes and needs, but potential customers should carefully evaluate the costs associated with scaling their usage and accessing advanced features, as many of the advanced features are available only via the enterprise plan or a customized package.

Snyk is offered primarily as a fully managed SaaS platform, but it also supports hybrid and self-managed options for organizations with specific compliance needs. Scanning engines can run locally on developer machines, in CI/CD pipelines, or in on-premises build servers, and only the results are sent to the cloud for analysis and reporting. For highly regulated organizations, the platform supports brokered connections and limited offline scanning, enabling integration with private source control, artifact repositories, and registries without direct internet exposure. Organizations with high levels of regulatory compliance will need to evaluate these options to ensure all objectives can be achieved.

The solution provides a lot of detail and can be complex. Customers will need to understand the skills their teams require to use this solution effectively, which could drive higher adoption and training costs.

Use Cases
Snyk caters to a wide range of use cases across diverse industries, making it especially valuable for highly regulated sectors such as finance and healthcare, for which comprehensive security services and data protection features are essential. For DevOps and DevSecOps teams, Snyk offers automation capabilities and integrations that facilitate seamless adoption into existing development workflows, enabling the integration of security testing into CI/CD pipelines for early and continuous vulnerability detection. Additionally, its scalability and automation make Snyk an excellent fit for large enterprises, supporting their complex application environments and development teams effectively.

Veracode: Application Risk Management Platform

Solution Overview
Veracode offers a comprehensive suite of cloud-based SSCS tools and services designed to address security risks throughout the SDLC. It combines these into a unified platform, providing holistic visibility and control and enabling organizations to identify and fix vulnerabilities early in the development process. In January 2025, Veracode acquired Phylum, which enhances its ability to identify and block malicious code in open source libraries, greatly reducing the window during which that code can be leveraged in an attack.

The Veracode Application Risk Management Platform is a comprehensive solution that includes several key components: Veracode Static Analysis for early identification of security vulnerabilities in source code and binary code, Veracode Dynamic Analysis for real-time vulnerability detection in running applications, and Veracode Software Composition Analysis for assessment of open source component vulnerabilities, license compliance, and generation of SBOMs. Additionally, Veracode Package Firewall proactively blocks insecure or vulnerable packages before they are introduced into development pipelines. Veracode’s Software Supply Chain Intelligence provides real-time, actionable insights directly from its proprietary threat feed, proactively detecting emerging and stealthy attacks.

The platform also incorporates Veracode Risk Manager, which provides application security posture management to efficiently reduce risk, and Veracode Fix, which offers AI-generated code fixes based on curated data and expert solutions. Additionally, it includes Veracode Container Security for container and IaC scanning with SBOM generation capabilities, and Veracode Security Labs and eLearning that educates developers on secure coding practices through hands-on modules and recorded lessons in their preferred programming language.

Veracode is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the SSCS Radar chart.

Strengths
Veracode scored well on a number of decision criteria, including:

  • Automated security testing (SAST, DAST, IAST): The platform includes a full range of automated security testing tools (SAST, DAST, and IAST), giving developers and security teams a broad range of testing capabilities and allowing them to fix flaws early. These tools also help teach developers to code more securely.

  • Container image security scanning: Veracode combines three open source scanners for a complete solution that it enriches with secrets detection, misconfiguration identification, and prioritization.

  • Code risk scoring and analysis: Veracode includes cross-risk analytics, vulnerability and legal risk results, peer benchmarking, and auditable mitigation workflows, which allow organizations to evaluate where the largest risks exist and prioritize resolving the issues that will have the largest impact.

Opportunities
Veracode has room for improvement in a few decision criteria, including:

  • Supply chain mapping and visualization: Veracode’s dependency view focuses on visualizing open source and third-party components within an application to help identify vulnerabilities, license risks, and update paths, but it lacks a visualization of the entire pipeline components to help assess risk.

  • Supply chain posture and visibility: The solution can help teams identify which applications contribute the most risk to deployments and trace vulnerabilities or issues back to their origin and the responsible owner. However, it lacks a broader posture view across every component of the software delivery pipeline and does not provide configuration hardening recommendations to reduce the overall attack surface.

  • Runtime threat protection: The platform includes DAST to identify vulnerabilities in running applications during the testing phase, but it offers no runtime visibility or protection once the scan is complete. Threat detection ends after the CI/CD or image scan stage, and there is no ongoing monitoring or defense for applications in production.

Purchase Considerations
Veracode employs a subscription-based model, and depending on the product, there is either a per-contributing-developer cost or a per-product cost, tiered into different usage amounts (per application or project). The core options (SAST, SCA, Container Security, Package Firewall, and Risk Manager) are all priced per contributing developer. Other tools are priced differently: DAST is priced per URL, and Security Labs and eLearning are priced either per user or per contributing developer, based on preference. The platform's extensive features and scalability make it a valuable investment for larger enterprises, but smaller organizations may need to prioritize specific components based on their needs.

Veracode’s offering extends beyond the core application security platform, with additional services available, including penetration testing as a service (PTaaS), application security assessments, and consultations to guide organizations in secure development best practices, compliance alignment, and remediation strategies.

The solution is delivered only through a SaaS deployment model, and organizations with strict on-premises compliance requirements should carefully assess whether Veracode’s cloud-based approach meets their regulatory obligations before adoption. Veracode has support for customer-managed encryption keys to protect customer-uploaded code, which might help some organizations meet compliance goals.

Veracode should be licensed as a complete solution, and organizations should consider the displacement of incumbent solutions in order to take full advantage of the synergy across the platform.

Use Cases
Veracode caters to a wide range of use cases across diverse industries, making it especially valuable for highly regulated sectors such as finance and healthcare, for which comprehensive security services and data protection features are essential. For DevOps and DevSecOps teams, Veracode provides automation capabilities and integrations that facilitate seamless adoption into existing development workflows, allowing the integration of security testing into CI/CD pipelines to ensure early and continuous vulnerability detection. Furthermore, its scalability and automation make Veracode an ideal solution for large enterprises with numerous applications and development teams, helping to maintain robust software security across their operations.

Xygeni Security

Solution Overview
Xygeni Security is a software supply chain security vendor providing an integrated solution designed to secure applications throughout the entire software development lifecycle. The platform offers complete control over application risks and a unified security view from code to cloud, eliminating noise so that teams can prioritize risks, and reducing the likelihood of software supply chain attacks.

Xygeni Security’s platform provides an all-in-one solution for application security by combining several key capabilities that enhance visibility and protection throughout the software development lifecycle. It offers Automated Asset Discovery and Inventory Management, which automatically identifies all software assets, including code repositories, dependencies, and pipelines. The risk prioritization module ensures vulnerabilities are ranked based on severity, exploitability, and business impact, enabling teams to focus on critical threats and reducing alert noise. Real-time threat detection identifies malicious code as soon as it is published or updated, notifying customers immediately and quarantining affected components to prevent potential breaches. Anomaly detection capabilities monitor for unusual patterns that could signal emerging threats. Secrets management ensures sensitive information, such as passwords and tokens, is not exposed within code, builds, or deployment pipelines. IaC Security strengthens the integrity of IaC templates to avoid replicating vulnerabilities at scale. Build security promotes continuous integrity and artifact verification, preventing tampering without slowing down the development process. Lastly, compliance assessment helps organizations adhere to software supply chain standards and guidelines, ensuring the security posture is aligned with industry best practices.

Xygeni Security is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the SSCS Radar chart.

Strengths
Xygeni Security scored well on a number of decision criteria, including:

  • Code risk scoring and analysis: Xygeni Security incorporates vulnerability information and abnormal behavior indicators to deliver a detailed risk scoring analysis weighted across multiple potential attack vectors. In addition, organizations can enrich the scoring according to the sensitivity of the data to clearly identify where the largest risks exist.

  • IaC security scanning: The proprietary IaC tool integrates into CI/CD pipelines, continuously scans all major vendor frameworks, and provides guidelines for remediating security issues according to best practices.

  • Supply chain posture and visibility: The platform automatically discovers software assets, including code repositories, dependencies, and CI/CD pipelines, giving organizations visibility. It also helps find and fix misconfigurations in build scripts and CI/CD pipelines while also enabling the implementation of branch protection rules, multifactor authentication, and other hardened security settings, thereby securing the pipeline tools.

Opportunities
Xygeni Security has room for improvement in a few decision criteria, including:

  • ML-based detection and response: The platform lacks these capabilities and could improve by integrating AI and self-learning models across the SDLC to enable intelligent, automated responses to emerging threats.

  • Automated security testing (SAST, DAST, IAST): The solution primarily focuses on detecting vulnerabilities in code using SAST capabilities but could improve by adding DAST and API security functionality.

  • Open source governance: The solution discovers and catalogs all open source components, enforces license compliance, and monitors vulnerabilities and malware in real time but lacks automated AI-assisted governance policy implementation.

Purchase Considerations
Xygeni Security offers flexible subscription-based pricing with options for on-premises, hybrid, or cloud deployments. Pricing is based on the features purchased and the number of contributing developers who use each product, allowing organizations to scale their investment as their needs grow. The platform's extensive features and scalability make it a valuable asset for larger enterprises, but smaller organizations may need to weigh the cost against their specific needs. Smaller organizations can leverage both the standard and premium pricing to determine which products might be the most effective on limited budgets. The pricing model is tiered so that the cost per license and product becomes discounted as licenses and collaborators increase. If organizations require on-premises installation and/or malicious code detection or are looking for ASPM capabilities, they need to get customized pricing.

Organizations will get the most value from licensing the entire platform. This will give them deeper visibility and insights into the development lifecycle, which reduces noise from false positives. Xygeni Security also provides additional anomaly detection and malicious code and behavior detection that can be adopted into cybersecurity team workflows.

Use Cases
Xygeni Security caters to a wide range of use cases across diverse industries, including those with heightened compliance requirements. Its comprehensive security services and data protection features make it particularly suitable for highly regulated sectors such as finance and healthcare. For DevOps and DevSecOps teams, Xygeni Security provides automation capabilities and integrations that enable seamless adoption into existing development workflows, facilitating the integration of security testing into CI/CD pipelines for early and continuous vulnerability detection. Xygeni Security enables organizations to achieve full visibility into their pipeline and their security posture, allowing them to identify risks, enforce best practices, and maintain robust protection across the entire software delivery process.

Additionally, its scalability and automation make Xygeni Security an excellent fit for large enterprises with numerous applications and development teams, ensuring robust security across complex environments.

6. Analyst’s Outlook

The SSCS market is entering a period of accelerated transformation, driven by increasing regulatory pressure, expanding attack surfaces, and the explosive adoption of AI in development workflows and by threat actors. For prospective buyers entering this space, the best starting point is to understand that SSCS is no longer limited to scanning code for vulnerabilities; it's about securing every stage of the software lifecycle, from artifact creation to scanning third-party applications to runtime protection, and enforcing policy-driven controls that can adapt to risks.

The market is being pushed by the rapid evolution of AI-enhanced capabilities for blue teams, red teams, and threat actors. On the defensive side, we’re seeing platforms integrate more advanced AI models for vulnerability detection, contextual code analysis, and behavior-based threat response. Tools now assist developers directly in the IDE through code reviewers, automated pull request suggestions, and even security copilots that can explain, triage, and remediate findings in real time. On the flip side, AI is also expanding the threat landscape, with attackers leveraging the same models to create malware, automate exploit chains, and manipulate supply chain dependencies. The need to secure AI-generated code and interactions is fast becoming a critical new requirement.

Due to the need to secure more links along the SDLC, more vendors will add artifact integrity and posture management capabilities of their own or integrate with vendors that provide them. Buyers are now considering platforms that offer signed, verifiable artifacts, real-time exposure modeling, and alignment with frameworks like the SSDF. Automated remediation is also becoming a key enabler of productivity. Solutions that can enforce policies and remediate misconfigurations or vulnerabilities autonomously offer a clear productivity and security advantage.

Looking forward across the next year, organizations should begin by identifying which part of their software lifecycle represents the highest concentration of risk, then choose solutions that integrate into existing developer workflows and provide measurable value early, such as risk scoring, policy enforcement, and posture analysis. While the maturity of such features can be challenging to ascertain, organizations should look to vendors that are prioritizing AI-driven features that improve the efficiency of security analysts and developers.

The SSCS market will continue to be disrupted by AI, both as a threat vector and a force multiplier for defenders. Expect the emergence of AI-native security tooling, more dynamic compliance automation, and a stronger emphasis on posture-driven defenses. To stay competitive and secure, organizations must remain agile, prioritize visibility and automation, and be ready to adapt to a landscape defined as much by opportunity as by risk.

7. Methodology

*Vendors marked with an asterisk did not participate in our research process for the Radar report, and their capsules and scoring were compiled via desk research.

For more information about our research process for Radar reports, please visit our Methodology.

8. About Seth Byrnes

Seth Byrnes has extensive experience in developing strategic roadmaps, implementing robust technology solutions, and leading cross-functional teams to drive operational excellence.

9. About GigaOm

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.