The Three Types of Remediation Platforms
Disclaimer: Gartner has decided to call these vulnerability management platforms ASPM, which you can read my opinion on over here. I call them what they are - remediation platforms, or with even less marketing pizazz, vulnerability management platforms. Why? Because they help manage vulnerabilities and get them fixed. Let’s not make this more confusing than it has to be.
Remediation platforms are the hottest new tool on the block. From Dazz to Opus, and dozens more, the problem has been made crystal clear: there are too many vulns and not enough time.
In this article we’ll do a little bit of an overview of the state of the space, and then cover a critical differentiator emerging in the market.
Overview
The critical problem with the remediation space is that every pitch sounds exactly the same: we take all of your vulnerabilities, identify the best people to get the tickets, and create workflows to manage it. The problem? That doesn’t actually fix a single finding.
These tools ought to be measured entirely on their ability to make fixing vulnerabilities take less time; instead, many of them have fallen into the trap of building the prettiest workflow management software they possibly can. At a high level, there are three major buckets of tools:
Remediation Helpers
Data first platforms
Workflow builders
First, remediation platforms.
These are the hottest tools in the market, and the ones that stand out the most to me are Dazz, DevOcean, Silk, and Opus. This bucket of tools is focused on tying together the code-to-cloud picture for companies. The need is driven by appsec providers being too slow to move into cloud, and vice versa. None of the legacy code scanners tie the picture together with the elegance of newer ASPMs like Ox or Cycode.
The benefit of these tools is that they give developers almost the amount of context they need to fix something by showing exactly where the vulnerability is getting introduced. They help security teams:
Speak developer-ese by showing the application context
Point to the right solution at the right place - such as fixing a Dockerfile or a package.json
Add unique value beyond the individual point scanners by showing how dependencies relate to one another
The drawbacks of these tools and what to look for during an assessment are:
Test on your specific environment. This stuff is easy to demo, but difficult to execute with accuracy in a customer environment
The right context sometimes doesn’t actually make fixing things any faster
Because they focus on surfacing the automation, they can sometimes be missing critical data fields from their integrations
Second, data platforms.
This second class of tooling is a great fit for enterprises, because they’re less opinionated about your data and workflows. I put Avalor, Phoenix, and Armorcode in this category. I think of it this way: remediation platforms were created with developers first in mind, while data platforms were created with enterprise security teams first in mind.
I love the elegance of the remediation platform demos; however, FedRAMP has made me painfully aware of the data-driven nuance required by many compliance frameworks at enterprise scale. I absolutely had more fun prioritizing based on asset criticality and dependency trees, but that doesn’t fly in these bigger environments where more complexity is needed.
The benefit of these tools is that they just work. You know it’s going to do the thing you need. The drawback is that you know it’s not going to work auto-magically, and fill you with that new product smell we love so much. It’s going to be a platform for managing work, not a platform to make it go away.
Third, workflow builders.
This class of remediation tools is built first and foremost around the immediate problem: “AHHHH THERE’S SO MANY TICKETS PLEASE HELP ME GET THESE TO THE RIGHT PEOPLE!” To be clear, most platforms sort of do this, but Seemplicity has been the most focused on it. The pros and cons of this category seem pretty obvious: the pro is that workflows are critical to the process; the con is that there’s a lot of data stitching that’s just as important as the workflows.
Emerging Market
As cool as all this stuff is, there’s a new kid on the block, Powered by AI™ (but interestingly enough, not as much as you’d think). I’m launching this on Latio under the Emerging Tools category as “Code Fixers.” These approach the same problem as remediation platforms: there are too many vulnerabilities and fixing them is too hard, but their approach is driven by creating the code fixes as merge requests for you. The examples in this category are Mobb, Pixee, and Corgea.
At the moment, these platforms are pretty early and limited because they only help with SAST findings, such as: “hey, you didn’t parameterize this query, here’s a PR where we did that for you.” That limitation really hurts their market potential compared to the other providers; however, it’s easy to see how this becomes the future of the industry: providing the exact fixes instead of just helping manage tickets around them.
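To make the “you didn’t parameterize this query” fix concrete, here is an added example (not code from the article or from any of the vendors named) showing the kind of before/after a code fixer would put in its pull request. The database, table and sample rows are constructed for the demo; the point is that the hardened version passes user input to the driver as a bound parameter, so the same input that changes the meaning of the concatenated query is treated as plain data.

```python
import sqlite3


def make_db():
    """Constructed sample database (not from the article): three users in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_user_vulnerable(conn, name):
    """The 'before' state a SAST scanner flags: input concatenated into the SQL text."""
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_user_fixed(conn, name):
    """The 'after' state a code fixer proposes: the value is bound as a parameter,
    so the database never parses it as SQL."""
    query = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(query, (name,)))


def compare(conn, name):
    """Return both results side by side so the effect of the fix is visible."""
    return {
        "vulnerable": lookup_user_vulnerable(conn, name),
        "fixed": lookup_user_fixed(conn, name),
    }


if __name__ == "__main__":
    db = make_db()
    # A normal lookup behaves identically before and after the fix.
    print(compare(db, "alice"))
    # A value containing SQL syntax only changes the result of the unfixed query.
    print(compare(db, "' OR '1'='1"))
```

Running it shows the two functions agreeing on ordinary input and diverging on input that contains quote characters, which is exactly the difference a reviewer wants to see in the auto-generated PR before merging it.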
Other examples I’d put in this general category of novel approaches to vulnerability management are Seal Security, Rapidfort, and Chainguard. These providers all similarly focus on remediating vulnerabilities for you instead of just kicking and screaming about how many of them there are, but they’ve done so outside of SAST. If Seal, Chainguard, and Mobb all teamed up, theoretically you’d have auto-remediation for SCA, container, and SAST findings, which is getting close to the promised land.
I think remediation platforms (or ASPM providers more broadly) would benefit from acquiring some of these GenAI-fueled startups, but not before some more years of duking it out first. In sum, this is definitely the market where the rocket fuel is strapped on at the moment, but vendors are painfully in need of differentiators to stand out from the noise. And, as I wrote in the ASPM post, I think the real long-term winner is the all-in-one scanning tool; why buy a workflow for your scanner instead of a scanner with a workflow?