1. Summary
Vulnerability management is a mature component of the cybersecurity ecosystem. It has become a commodity function, an expected part of every organization’s cybersecurity program. It aids in the discovery of both hardware and software assets, identifying weaknesses in the assets that attackers might leverage to overcome elaborate security controls and countermeasures.
For all of the value vulnerability management creates through risk reduction, legacy versions of it have two primary limitations. The first is a focus on physical infrastructure—network devices, servers, and desktops—and the applications that run on top of that infrastructure. This is still a vital part of a complete vulnerability management program but has limited value in identifying vulnerabilities in other common and emerging technologies.
The second limitation is the fact that it’s a point-in-time reference of an organization’s vulnerabilities. A scan is run, data from the scan is gathered and analyzed, and plans are then made to remediate vulnerabilities. In a modern development operations (DevOps) environment, this snapshot of the vulnerabilities will age poorly. It’s very likely that what exists today will not exist tomorrow, or worse, could be transient and come and go. Because of these challenges as well as others, legacy vulnerability management will have difficulties supporting DevOps practices.
The evolutionary next step in this space is continuous vulnerability management. It starts with the network-based infrastructure and application scanning of legacy vulnerability management, then extends this with a continuous approach that now includes scanning container images, infrastructure as code (IaC) manifests, cloud configurations, cloud identities, and other cloud-native technologies. We believe that continuous vulnerability management has now superseded legacy vulnerability management techniques and methodologies due to the widespread adoption of public cloud resources and DevOps practices.
How to Read this Report
This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:
Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.
GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.
Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.
2. Market Categories and Deployment Types
To better understand the market and vendor positioning (Table 1), we assess how well solutions for continuous vulnerability management are positioned to serve specific market segments.
- Small-to-medium business (SMB): In this category we assess solutions on their ability to meet the needs of organizations ranging from small businesses to medium-sized companies. Also assessed are departmental use cases in large enterprises, where ease of use and deployment are more important than extensive management functionality, data mobility, and feature set.
- Large enterprise: Here offerings are assessed on their ability to support large and business-critical projects. Optimal solutions in this category will have a strong focus on flexibility, performance, data services, and features to improve security and data protection. Scalability is another big differentiator, as is the ability to deploy the same service in different environments.
- Managed service provider (MSP): Optimal solutions will be designed to operate across multiple independent organizations. Features might support multitenancy, data separation architectures, and client access.
In addition, we recognize three deployment models for solutions in this report: application programming interface (API), agent, and network scanner.
- API: Solutions that leverage API data collection methods will provide rapid deployment and simplified integration capabilities but will be limited by the type and quantity of out-of-the-box API integrations made available by the vendor.
- Agent: Solutions that leverage a small piece of software to collect telemetry from hosts will provide rich and accurate data but will introduce management overhead related to the deployment and maintenance of software.
- Network scanner: Solutions that leverage network-based scanning will be able to discover client IP space, including previously unknown devices and services. This feature has inherent limitations, such as the accuracy of the telemetry, and requires deploying the scanning software or appliance.
Table 1. Vendor Positioning (ratings were rendered as icons in the original and are not captured in this text)

| Vendor | Market Segment: SMB | Market Segment: Large Enterprise | Market Segment: MSP | Deployment Model: API | Deployment Model: Agent | Deployment Model: Network Scanner |
|---|---|---|---|---|---|---|
| Aqua Security | | | | | | |
| BreachLock | | | | | | |
| Debricked | | | | | | |
| Nucleus Security | | | | | | |
| Qualys | | | | | | |
| Rapid7 | | | | | | |
| Tenable | | | | | | |
| Vulcan | | | | | | |

Rating legend:
- Exceptional: Outstanding focus and execution
- Capable: Good but with room for improvement
- Limited: Lacking in execution and use cases
- Not applicable or absent
3. Key Criteria Comparison
Building on the findings from the GigaOm report, “Key Criteria for Evaluating Continuous Vulnerability Management Solutions,” Table 2 summarizes how each vendor included in this research performs in the areas that we consider differentiating and critical in this sector. Table 3 follows with insight into each product’s evaluation metrics—the top-line characteristics that define the impact each will have on the organization.
The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the market landscape, and gauge the potential impact on the business.
Table 2. Key Criteria Comparison (ratings were rendered as icons in the original and are not captured in this text)

| Vendor | Static Application Security Testing | Infrastructure Vulnerability Scanning | Dynamic Application Security Testing | Software Composition Analysis | Infrastructure as Code Review | Machine Learning |
|---|---|---|---|---|---|---|
| Aqua Security | | | | | | |
| BreachLock | | | | | | |
| Debricked | | | | | | |
| Nucleus Security | | | | | | |
| Qualys | | | | | | |
| Rapid7 | | | | | | |
| Tenable | | | | | | |
| Vulcan | | | | | | |

Rating legend:
- Exceptional: Outstanding focus and execution
- Capable: Good but with room for improvement
- Limited: Lacking in execution and use cases
- Not applicable or absent
Table 3. Evaluation Metrics Comparison (ratings were rendered as icons in the original and are not captured in this text)

| Vendor | Adaptability & Speed | Coverage | Solution Ecosystem | Licensing & Support | ROI & TCO |
|---|---|---|---|---|---|
| Aqua Security | | | | | |
| BreachLock | | | | | |
| Debricked | | | | | |
| Nucleus Security | | | | | |
| Qualys | | | | | |
| Rapid7 | | | | | |
| Tenable | | | | | |
| Vulcan | | | | | |

Rating legend:
- Exceptional: Outstanding focus and execution
- Capable: Good but with room for improvement
- Limited: Lacking in execution and use cases
- Not applicable or absent
By combining the information provided in the tables above, the reader can develop a clear understanding of the technical solutions available in the market.
4. GigaOm Radar
This report synthesizes the analysis of key criteria and their impact on evaluation metrics to inform the GigaOm Radar graphic in Figure 1. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and feature sets.
The GigaOm Radar plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation, and Feature Play versus Platform Play—while providing an arrow that projects each solution’s evolution over the coming 12 to 18 months.
Figure 1. GigaOm Radar for Continuous Vulnerability Management
As you can see in the Radar chart in Figure 1, the Mature Platform Players are Qualys, Rapid7, and Tenable; each offers a similar solution package. BreachLock, a relative newcomer, also sits solidly in the space. Qualys leads the pack with the recent introduction of VMDR 2.0, which boasts enhanced risk management capabilities. Rapid7’s integration of its proven Metasploit open-source project and accurate scanning capabilities place it inside the Leader’s circle, though its overall development speed appears to be slower than the competition’s. Tenable’s newest offering, Tenable.ep, combines several Tenable products to deliver a comprehensive vulnerability management solution. BreachLock’s vulnerability management solution provides evidence-backed findings and a reduced false-positive rate through its use of machine learning (ML). However, the solution does not offer IaC scanning capabilities, static application security testing (SAST), or software composition analysis (SCA).
Aqua Security is delivering cloud-focused vulnerability management solutions that provide tremendous insight into cloud-native vulnerabilities as well as vulnerabilities within cloud workloads like containers and functions. Aqua Security’s record of innovation in both the private and public space demonstrates an intention to provide novel and creative solutions.
Nucleus and Vulcan both take a different approach to solving the vulnerability management challenge. Nucleus asserts that the legacy approach to vulnerability management is insufficient and proposes a unified approach that consumes data from various tools and platforms to create a single source of truth with deep insights into a vulnerability’s full lifecycle. Vulcan appears to be taking a similar path, but while Nucleus is designed with large enterprise in mind, Vulcan could be suitable for both the SMB and larger enterprise markets.
Debricked, although recently acquired by Micro Focus, was reviewed as if it were a stand-alone organization because the integration will not be complete for some time. For organizations that only need a deeper understanding of the risks posed by their software supply chains, Debricked offers a solution that’s simple, intuitive, and capable.
Inside the GigaOm Radar
The GigaOm Radar weighs each vendor’s execution, roadmap, and ability to innovate to plot solutions along two axes, each set as opposing pairs. On the Y axis, Maturity recognizes solution stability, strength of ecosystem, and a conservative stance, while Innovation highlights technical innovation and a more aggressive approach. On the X axis, Feature Play connotes a narrow focus on niche or cutting-edge functionality, while Platform Play displays a broader platform focus and commitment to a comprehensive feature set.
The closer to center a solution sits, the better its execution and value, with top performers occupying the inner Leaders circle. The centermost circle is almost always empty, reserved for highly mature and consolidated markets that lack space for further innovation.
The GigaOm Radar offers a forward-looking assessment, plotting the current and projected position of each solution over a 12- to 18-month window. Arrows indicate travel based on strategy and pace of innovation, with vendors designated as Forward Movers, Fast Movers, or Outperformers based on their rate of progression.
Note that the Radar excludes vendor market share as a metric. The focus is on forward-looking analysis that emphasizes the value of innovation and differentiation over incumbent market position.
5. Vendor Insights
Aqua Security
Founded in 2015, Aqua Security is well known for its Trivy open-source container scanning solution. The company delivers a suite of cloud security products that includes container and Kubernetes security, virtual machine (VM) security, supply chain security, and integrations with DevOps platforms.
It’s important to note that because Aqua is a cloud-native security platform, its discovery capabilities are aimed at cloud environments, including public clouds, Kubernetes, and OpenShift. None of these capabilities are available for on-premises environments.
Aqua specializes in the analysis of software supply chains, open-source software, and cloud-native applications. Along with this specialty comes an ability to scan for vulnerabilities in Git repositories, open-source packages, continuous integration and continuous deployment (CI/CD) pipelines, container images, Kubernetes configuration files, VMs, and serverless functions. Of particular interest is the way the Aqua platform is able to integrate context from the environment to enable better risk decision-making as a part of the whole vulnerability management process. It provides the ability to filter and prioritize vulnerabilities not just by severity and score but also by whether they’re remotely exploitable, have exploits in the wild, and affect running workloads.
As indicated above, though, an organization will need to cover on-premises technology with a different solution. Moreover, API testing is not available in the solution today, though it may be in the future.
The Aqua Security platform doesn’t perform SAST; instead, it focuses on a type of dynamic application security testing (DAST), accomplished via a feature called Aqua Dynamic Threat Analysis (DTA). Aqua DTA is essentially a sandbox, but for containers. Once a container image is run in DTA, additional context is supplied so that the container appears to be running inside of a normal enterprise environment. This additional context is supplied because modern malware will often contain environmental checks that attempt to detect a sandbox environment and evade eventual detection. The end result of DTA is a malware detection mechanism that isn’t rule-based but instead relies on the observation of behaviors and thereby is able to catch unknown threats.
Aqua’s cloud infrastructure vulnerability scanning capabilities can leverage either an agent (for Kubernetes cluster hosts, for example) or agentless methods to discover, gather, and analyze cloud infrastructure for misconfigurations and vulnerabilities. This capability set is available for Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
Cloud environments are frequently created and managed using an IaC tool called Terraform that lets you build and change cloud infrastructure while versioning the architecture. However, the use of Terraform creates a security challenge that typically centers on managing secrets (passwords or cryptographic material) or failing to select secure options (for example, encrypted versus unencrypted storage). To meet this challenge, Aqua Security integrates its open-source Terraform security tool, tfsec, into the security solution to provide robust Terraform code inspection that identifies vulnerabilities. It also scans AWS’s IaC tool, CloudFormation, in a similar fashion.
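To make the two Terraform failure modes above concrete, here is an added example (not Aqua's or tfsec's code) that runs a lightweight IaC check over a constructed weak fragment and its hardened counterpart; the resource names and the `Sup3rSecret!` value are hypothetical, and the parser handles only top-level resource attributes.

```python
import re
from dataclasses import dataclass

# Constructed sample: a deliberately weak Terraform fragment of the kind an
# IaC review is meant to catch (hypothetical resource names and secret value).
WEAK_TF = '''
resource "aws_db_instance" "app" {
  engine            = "postgres"
  instance_class    = "db.t3.micro"
  username          = "app"
  password          = "Sup3rSecret!"
  storage_encrypted = false
}

resource "aws_ebs_volume" "data" {
  availability_zone = "us-east-1a"
  size              = 100
}
'''

# The same fragment with the secret moved to a sensitive variable (supplied at
# apply time rather than committed to the repository) and encryption enabled.
HARDENED_TF = '''
variable "db_password" {
  type      = string
  sensitive = true
}

resource "aws_db_instance" "app" {
  engine            = "postgres"
  instance_class    = "db.t3.micro"
  username          = "app"
  password          = var.db_password
  storage_encrypted = true
}

resource "aws_ebs_volume" "data" {
  availability_zone = "us-east-1a"
  size              = 100
  encrypted         = true
}
'''

# Resource types whose at-rest encryption flag must be explicitly true.
ENCRYPTION_FLAGS = {
    "aws_db_instance": "storage_encrypted",
    "aws_ebs_volume": "encrypted",
}
# Attribute names that should never carry a quoted literal in source control.
SECRET_ATTRS = {"password", "secret", "token", "secret_key", "private_key"}

BLOCK_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$')


@dataclass(frozen=True)
class Finding:
    resource: str
    attribute: str
    issue: str


def parse_resources(hcl: str):
    """Yield (type, name, {attr: raw_value}) for each top-level resource block.
    Uses brace counting to find the block end; nested blocks are skipped."""
    for m in BLOCK_RE.finditer(hcl):
        depth, i = 1, m.end()
        while depth and i < len(hcl):
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        body = hcl[m.end():i - 1]
        attrs, inner = {}, 0
        for line in body.splitlines():
            if inner == 0:
                am = ATTR_RE.match(line)
                if am and not line.rstrip().endswith("{"):
                    attrs[am.group(1)] = am.group(2)
            inner += line.count("{") - line.count("}")
        yield m.group(1), m.group(2), attrs


def check_terraform(hcl: str) -> list[Finding]:
    """Flag hardcoded secret literals and storage left unencrypted."""
    findings = []
    for rtype, rname, attrs in parse_resources(hcl):
        rid = f"{rtype}.{rname}"
        for attr, value in attrs.items():
            # A quoted literal in a secret-bearing attribute is a committed
            # secret; a var./data. reference is the acceptable form.
            if attr in SECRET_ATTRS and value.startswith('"'):
                findings.append(Finding(rid, attr, "hardcoded secret literal"))
        flag = ENCRYPTION_FLAGS.get(rtype)
        # A missing flag defaults to unencrypted, so absence is also a finding.
        if flag and attrs.get(flag, "false") != "true":
            findings.append(Finding(rid, flag, "storage not encrypted at rest"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_TF), ("hardened", HARDENED_TF)):
        found = check_terraform(text)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print(f"  {f.resource} {f.attribute}: {f.issue}")
```

The weak fragment yields three findings (a committed password, an unencrypted database, and a volume with no encryption flag at all); the hardened fragment yields none.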
While not directly evaluated here, Aqua Security also offers a Kubernetes-focused security monitoring solution called Kubernetes Security Posture Management (KSPM) that can find Kubernetes-specific vulnerabilities (and other risk data) when it’s used by the larger Aqua Security platform.
Strengths: Aqua Security is a comprehensive cloud infrastructure and application vulnerability management solution that offers deep insight into container workloads with Aqua DTA as well as novel approaches to IaC security and software supply chain security.
Challenges: There’s no coverage for on-premises infrastructure, and the solution relies on dynamic testing rather than SAST, and as of this writing, there’s no API testing.
BreachLock
BreachLock is a SaaS-delivered platform that integrates AI and human-in-the-loop expertise for vulnerability assessment of web applications and network, API, cloud, and on-premises infrastructure.
While the focus here is on BreachLock’s vulnerability management solution, a brief introduction to its other services helps to explain its unique approach to vulnerability management.
Among other services, BreachLock offers penetration testing as a service, through which BreachLock compiles and then disseminates its own threat intelligence. This yields a source of threat intelligence that is integrated into its vulnerability assessment service and is then used to identify false positives more easily, while delivering what the company refers to as “evidence-backed” true-positive vulnerabilities.
It’s important to understand this approach, which is a departure from the reliance on common vulnerabilities and exposures (CVE) data. BreachLock doesn’t only rely on CVE numbers and data to illuminate vulnerability data; instead it uses its own bespoke threat intelligence source and documents contextual information about the vulnerability under an object called a “plugin.” Each plugin tracks all phases of the discovered vulnerability, reducing the overall quantity of vulnerabilities and, at the same time, simplifying the remediation plan for a vulnerability.
This approach is powered by internally developed ML algorithms coupled with threat intelligence feeds from US-CERT, Exploit-DB, and other public threat-intelligence sources. BreachLock has claimed that this approach results in a 100% reduction in false positives.
BreachLock provides a method to discover both on-premises and cloud infrastructure as a part of its vulnerability assessment solution. On-premises or in private clouds, scanning is performed using a virtual appliance, which can also be deployed on AWS, Azure, and GCP. The virtual appliance performs network-based scanning. Cloud-based scanning can be performed through API integration with the cloud provider.
An interesting architecture and deployment option not often found in other vulnerability management solutions is the ability to instantiate this solution in a private cloud. Although this option comes at a higher cost than the SaaS architecture, it does grant the client organization near-complete control over all aspects of the data collected and created during this process.
In an effort to identify vulnerabilities earlier when they are easier to remediate, some vulnerability assessment solutions are broadening the scope of infrastructure to include the code used to manage cloud infrastructure. This is one of two areas that BreachLock’s solution is unable to address. The other area is SAST, although BreachLock does offer a partner integration that can address some of these needs at an additional cost.
Finally, when considering any security solution, a point should be made to evaluate its impact on operational resources. Solutions that add a considerable burden to operational loads should be avoided. Looking at this solution’s adaptability and speed, it can be observed that through its deployment of ML, it learns customer environments and prunes back the type of testing performed to then speed up the testing and deliver results in a shorter time span.
Strengths: The solution provides strong evidence-backed vulnerability data that shortens the vulnerability lifecycle, as well as broad coverage of on-premises and cloud infrastructure and a unique approach to vulnerability tracking that simplifies remediation plans. The solution leverages ML to speed up tests and reduce false positives significantly.
Challenges: SAST and SCA are offered only through integration with third-party products. There are no IaC review capabilities.
Debricked
Debricked is a developer-centric security solution aimed at securing organizations’ software supply chain. Debricked was recently acquired by CyberRes, a Micro Focus line of business. The Debricked solution is being integrated into the CyberRes portfolio.
Through integrations with Git repositories, Debricked analyzes an organization’s code. Because Debricked is laser-focused on securing code, it does not provide the legacy vulnerability management capabilities found in some other solutions, such as network or agent-based scanning. Debricked is a SaaS solution, and does not offer an on-premises or private-cloud solution.
A unique quality found in Debricked is the way data is collected; the entire process is conducted through ML algorithms, making results both speedy and accurate. This allows Debricked to find vulnerabilities more quickly than most, and to minimize false positives to almost none.
End-to-end coverage, or the extent of the vulnerability lifecycle that is observed or managed by the solution, is an important metric used to measure the potential efficacy of a solution. Debricked integrates with several CI/CD systems like GitHub, CircleCI, and GitLab, while it also offers a command-line interface (CLI) tool that streamlines use of the Debricked solution via a system command line.
Automations are used to enforce organizational policies. For example, an automation workflow can be created to block the deployment of code containing blocked open-source packages. This automation is achieved through a no-code configuration set within the Debricked GUI. Automations can be configured on a per-repository basis.
Data is gathered through Git repositories and in combination with features like debAI, so the Debricked solution provides rapid ROI for organizations that need deeper insights into their software supply chain. Organizations that need network or agent-based scanning capabilities, SAST, DAST, or IaC code-review capabilities will want to consider another solution.
Strengths: Strong AI features simplify vulnerability identification, and Debricked enables simple automation creation using no-code methods. The solution offers rapid ROI and broad integration support.
Challenges: Debricked is hyper-focused on software supply chain analysis. It lacks network and agent-based scanning capabilities, and there’s no SAST, DAST, or IaC review.
Nucleus Security
Launched in 2018 after successfully solving a massive vulnerability management challenge for the US government, Nucleus Security offers a unique approach to vulnerability management. Nucleus’s thesis is that vulnerability “scanning” is a commodity technology, and it therefore doesn’t offer a scanning component in its solution. Instead, the company asserts, the real challenge comes into play post-scan as organizations attempt to create remediation plans based on incomplete data sets typically delivered from legacy vulnerability scanning solutions.
Instead of scanning, the Nucleus solution ingests data from other technologies, including network vulnerability scanners, configuration management databases (CMDBs), application security tools, and Git repositories. Once this data is brought into the Nucleus solution, it’s enriched and correlated. In this way, Nucleus provides a management layer that is often missing in other vulnerability management solutions. Also worth noting, Nucleus has chosen to rely less on CVE and common vulnerability scoring system (CVSS) data in its risk calculations and instead integrates context from the organization’s environment for more accurate risk scores. Although other CVM solutions are doing this too, it’s always worth pointing out.
Nucleus’ best fit is for larger enterprises and MSPs. The solution is able to sequester data from designated business units (or independent businesses) into “pools,” which can then be managed at a higher level, enabling large enterprises to effectively manage vulnerabilities across multiple continents or business units, independently of the management structure within those organizations.
Once the vulnerability data is in Nucleus, remediation is available. It’s important to consider what “remediation” means, as this term can encompass different things. Remediation should be thought of as any action taken during the course of correcting an issue, which may include evidence gathering, attribution to owners, false positive management, configuration change requirements, or software patching.
Nucleus is able to offer a wide variety of remediation steps that can be configured through a no-code, menu-driven approach that populates available options for automation workflows to the operators of the platform, with no prior knowledge of the available options needed. This approach allows for simple workflow automations and significantly eases the learning curve.
Nucleus is delivered as a SaaS solution. Because it doesn’t provide scanning, its integration capabilities are diverse and mature, enabling it to collect data across multiple technologies. However, if an organization has requirements to either host in its own private cloud or on-premises, Nucleus supports these deployment models.
The approach that Nucleus takes to solving modern vulnerability management problems is unique; no other vendor surveyed in this report approaches the problem in this same way. This unique approach is Nucleus’ strength; the solution acts as the management plane through which all vulnerability data is consumed and acted upon. However, this strength is also a challenge, because Nucleus does not perform scanning itself. Although this is easily solved, it could present additional challenges that may not exist with other solutions and may add to the cost.
Strengths: Nucleus provides deep visibility into the vulnerabilities lifecycle. It offers numerous mature integrations, simple and intuitive no-code workflow management, and accurate vulnerability data.
Challenges: No scanning functionality exists within the solution. Scanning must be provided by a third-party technology.
Qualys
Qualys is a long-time player in the vulnerability management space. Qualys VMDR is a risk-based vulnerability management solution that helps organizations manage vulnerabilities and misconfigurations throughout the entire lifecycle. The VMDR platform has recently undergone a major upgrade, and with the VMDR 2.0 launch occurring in Q2 of this year, many features are now available. VMDR is composed of several SaaS-delivered features.
VMDR is deployable in numerous architectures, making it easily adaptable to many use cases and organizational requirements. The solution offers physical and virtual appliances, public deployments in 11 global regions, private cloud deployments, and hybrid capabilities. The VMDR platform provides the broadest deployment and architecture options of all the solutions surveyed.
A key feature of the VMDR 2.0 platform is its TruRisk feature, which leverages commodity vulnerability data, external threat intelligence sources (for the vulnerability and maturity level of a published exploit, for example), and telemetry found within an organization, such as SSL certificate data, data from a CMDB, cloud configurations, and identity information. This diversity of data inputs results in accurate, timely identification of previously difficult to understand or hard-to-find vulnerabilities. The identified vulnerabilities are assessed using the Qualys Detection Score (QDS), which can be used as a custom criticality measure for each organization.
The VMDR platform’s infrastructure scanning capabilities are robust. Data is collected on-premises and in the cloud via virtual agents, network scanning, and API integrations with cloud technologies and other solutions. This broad collection practice enables low false-positive vulnerability identification with a comprehensive view of risks across most technology stacks. Documentation doesn’t define how ML or other AI technologies are deployed but indicates that they’re integrated into this solution.
SAST and SCA are not features available within the Qualys solution. However, DAST is available via Qualys’ web application scanning (WAS) feature. WAS, in coordination with the Qualys in-house threat-intelligence feed, is able to rapidly identify vulnerabilities in applications, and this integration with WAS enables VMDR to provide API security testing. Authentication can be tricky when testing APIs, and VMDR offers solutions that can integrate with OAuth 2.0-compliant providers, as well as form-based authentication and other complex authentication mechanisms.
WAS supports integrations with technologies like Azure DevOps, Jenkins, TeamCity, and Bamboo. Additionally, through the Qualys API, users of VMDR with WAS can create solutions for custom use cases.
A distinctive quality of the VMDR platform is its automation capability, specifically as related to patching. Patching is a time-consuming process and is usually a direct result of the vulnerability management program. The VMDR solution is able to deploy patches to vulnerable endpoints automatically, significantly reducing the labor required during remediation activities for most organizations.
VMDR licensing is based on the number of assets across all environments, including on-premises as well as private and public cloud.
Strengths: Qualys is a comprehensive CVM solution with broad deployment and architecture options. Its TruRisk scoring simplifies understanding of vulnerabilities, and the solution offers powerful patching capabilities.
Challenges: Qualys has no support for SAST or SCA at this time; it demonstrates ambiguous use of ML.
Rapid7
Rapid7 has become a household name in the security space because of its diverse portfolio of solutions that range from application security to endpoint security. The broad solution set offered is enhanced with a vulnerability management solution, InsightVM.
InsightVM is composed of two major components: the scan engine and the security console. The scan engine is an agent that’s installed on an endpoint, on-premises, or in a cloud. The security console is either a SaaS or an appliance-delivered operator portal for the InsightVM solution. A third option exists—remote scanning performed by Rapid7. This option moves the onus of scanning maintenance to Rapid7 but leaves the decision of where to deploy the security center in the hands of the customer.
InsightVM’s asset discovery capabilities are on par with other network and agent-based discovery solutions in the market, and asset tracking also remains competitive with an integrated CMDB-like asset management feature. A core feature of many Rapid7 solutions is the integration of Metasploit, Rapid7’s open-source vulnerability and exploit testing framework. InsightVM includes Metasploit integration capabilities that provide another method for validating vulnerability data and reducing false positives.
Because of Rapid7’s platform approach, the security application testing features (SAST and DAST), SCA, and IaC analysis are all available but not found within the InsightVM solution. InsightVM is able to consume and act on the telemetry provided by the other modules in the Rapid7 security platform, but this feature comes at an additional cost.
Assessing the end-to-end coverage of the InsightVM solution, it fills the demand created by legacy vulnerability scanning practices that require network and agent-based infrastructure scanning, the correlation of data from this process, and the enrichment of vulnerability events to enable risk-prioritized remediation work, like patching and configuration changes. However, with this approach, Rapid7 encourages customers to add other modules in the security platform to create a more comprehensive vulnerability management solution.
Strengths: InsightVM’s mature integration with Metasploit offers instant validation of vulnerability data. The solution also provides capable network and agent-based scanning technology and a streamlined deployment process through either an appliance or the cloud.
Challenges: SAST, DAST, SCA, and IaC review capabilities are offered in other Rapid7 solutions with which InsightVM integrates; however, none of these are found within InsightVM.
Tenable
Tenable is one of the top names in the vulnerability management space, and for good reason. Starting in the early 2000s with the creation of Nessus, a fork of the open-source security scanner OpenVAS, Tenable established itself as an innovator in the space. More recently, Tenable created what it calls the Tenable Exposure Platform, or Tenable.ep.
Tenable.ep is composed of Tenable.io, which provides on-premises and cloud infrastructure scanning, container security, WAS, and Lumin, a visualization engine that assists with the presentation of vulnerability data. This is a unique approach to the market because while some vendors offer these capabilities, they don’t combine them in a solution set in the same way that Tenable does.
The Tenable.io components are offered as a SaaS scanner or as an agent connected to a SaaS-delivered console, and they can scan on-premises and cloud infrastructure. Tenable.io’s Container Security feature set is accessed through a number of methods—a CLI push using Docker commands; a connector configuration with AWS, Docker, or JFrog Artifactory; or the configuration of a Tenable.io Container Scanner appliance within an on-premises environment. It’s worth noting that Tenable.io Container Scanner is not included in the license for Tenable.ep.
Tenable.io’s infrastructure scanning capabilities are robust. Despite the broad variety of technologies found both on-premises and in public or private clouds, Tenable’s network scanning capabilities enumerate them very well. Agent-based scans are also available to reduce the false positive rate, a known drawback of network-based scanners.
Tenable.io’s container capabilities are on par with other container scanning solutions. This feature is able to identify individual components of a container image, and identify known vulnerabilities and associated CVE and CVSS data, as well as provide a method to track discovery and remediation information to enable governance practices for vulnerabilities.
Through Tenable’s WAS capability, organizations are able to perform DAST; however, no SAST capabilities are available. The WAS performs numerous assessments on running web applications and then sends the gathered information to Tenable.ep for enrichment and correlation.
Absent from the Tenable.ep solution set is the ability to perform SCA, often used to track open-source package usage. ML and other AI capabilities are also missing. While the absence of AI is notable, it’s not alarming because the application of AI for cyberdefenses is still a burgeoning field.
The Tenable.ep solution is sold with a single license based on the quantity of assets in the scope of the solution. Historically, support for identified software bugs has been poor, but support for functioning portions of the application is prompt and accurate.
Strengths: Tenable offers strong infrastructure scanning capabilities, and container scanning (DAST) is included. There are flexible deployment options for numerous use cases.
Challenges: This solution is not as comprehensive as others in that it lacks SAST, IaC, and SCA scanning. Bugs have historically been an issue.
Vulcan
Vulcan, an Israeli firm that launched in 2019, aims to merge and correlate data and telemetry from across an enterprise’s infrastructure. This occurs within the Vulcan Cyber Risk Management (VCRM) solution, where it can also be used as a trigger for automations to reduce risk.
The VCRM solution collects data from across existing security tools, like security information and event management (SIEM) or endpoint detection and response (EDR) solutions, as well as from DevOps and IT service management (ITSM) tools like ServiceNow. Because of its broad collection capabilities, VCRM is able to identify risks that typically fall outside the scope of legacy vulnerability scanner solutions.
Vulcan Cyber is a SaaS-delivered solution that leverages API integrations for data collection. The SaaS model provides the most rapid onboarding and simplified management of the solution, and Vulcan doesn’t offer on-premises or self-hosted options.
Note that Vulcan addresses the challenges of vulnerability management through a new and somewhat different method: Vulcan Cyber itself doesn’t perform on-premises or cloud infrastructure scanning. Instead, it integrates with solutions that perform this type of scanning, like Tenable, Rapid7, or Qualys.
Similarly, Vulcan Cyber doesn’t have its own built-in CMDB and instead leverages existing CMDB solutions, such as ServiceNow or Microsoft Intune, to pull in asset data. The same can be said for SAST, DAST, SCA, and IaC review. While some solutions in this space can perform these various tests or reviews, Vulcan opts instead to provide a management solution for the telemetry and data gathered by these disparate solutions.
This approach may appear counterintuitive because organizations are typically in the market to replace solutions, not to pair old and new ones. However, it creates a unified view of an organization’s risk that is otherwise very difficult to produce. This unified approach results in a more comprehensive understanding of risks, allowing for simplified prioritization of risk reduction efforts.
Because the Vulcan Cyber platform offers a broad selection of integrations for a variety of technologies—such as asset data repositories, vulnerability scanners, collaboration tools, and automation solutions—it’s easily adapted to individual organizations. This feature set also allows VCRM to provide greater end-to-end solution coverage than a point solution can.
Vulcan Cyber pricing is easily found on the Vulcan.io site, so we’ll just highlight the basics. There are three pricing tiers: a free tier for a trial of the solution; a Pro tier that supports up to 10 users, 10,000 assets, and API access; and the enterprise package that includes access for 20 users, unlimited assets, unlimited automations, and robust support for enterprise-grade access solutions like multifactor authentication (MFA), single sign-on (SSO), and role-based access control (RBAC).
Strengths: VCRM offers broad unification of organizational risks, rapid solution deployment, and simplified licensing.
Challenges: The solution requires an existing scanning solution to be in place. No on-premises or self-hosted architecture is available.
6. Analyst’s Take
Vulnerability management solutions once consisted simply of a network-based scanning technology probing an organization’s IP space. Those solutions have become commoditized, but scanning alone is unable to address the variety of vulnerability management issues organizations face today. This space, which was so well-defined for many years, is going through a transformation, one that in many ways is both spurred on by and resembles the transformation that organizations are going through with cloud adoption, microservices architectures, and a mobile workforce. All of this means modern security issues must be addressed in ways that are different from legacy solutions.
The stalwarts of the space—Qualys, Rapid7, and Tenable—are continuing to improve their solutions iteration after iteration, building on past successes while integrating new features as demanded by their customers. Determining which of these solutions offers the best service and support to fit your needs is not easy. Paying careful attention to service level capabilities and service level agreements (SLAs) will ensure the least amount of friction when operating the solution.
BreachLock provides both on-premises and cloud-based vulnerability scanning capabilities with evidence-backed findings, novel ML uses, and the opportunity to have a fully managed solution. Aqua Security is the lone innovator in the platform quadrant, bringing comprehensive cloud security solutions to the market.
Relative newcomers to the space, Nucleus and Vulcan offer a fresh perspective. Nucleus expects that organizations will already have some type of vulnerability scanner deployed, and their idea is to provide a scaffold from which enterprises can easily manage vulnerabilities. Vulcan takes a similar approach and is a fit for SMBs as well as large enterprises.
Debricked provides powerful software supply chain analysis that may be paired with other features soon because of its recent acquisition by Micro Focus.
As organizations acquire tooling to assist them on their quest to reduce risk through broad-reaching vulnerability management, they need to first consider the basics, then look to build a program suitable for their organization. The basics constitute network, agent, or API-based vulnerability scanning solutions that ensure all infrastructure, both on-premises and cloud, can be scanned. If you have DevOps tools in place, seek out API-based scanners that offer integrations to support shift-left practices in your security operations. The vulnerability solutions selected should provide a simple way to view assets discovered, associated vulnerabilities, projected risk, and should provide remediation plans.
Once the scanning infrastructure is in place, a comprehensive program should be established to address the common elements of a vulnerability’s lifecycle. At a minimum, items such as discovery date, quantifiable risk rating, associated assets, asset owner, and business criticality need to be tracked. Once this data is tracked, action should be taken at regular intervals through meetings and planned changes to methodically eliminate vulnerabilities.
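The lifecycle tracking described above can be made concrete with a small record model. The following is an added illustration, not code from the report or from any vendor it reviews: it tracks the minimum fields named in the text (discovery date, a quantifiable risk rating, associated asset, asset owner, business criticality), derives a remediation due date from an assumed SLA policy, and produces a risk-prioritized work queue with overdue items first. The SLA day counts, the criticality scale, and the sample findings are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed remediation SLA policy: days allowed per risk band.
# These numbers are an illustration, not a recommendation from the report.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    """One tracked vulnerability occurrence on one asset."""
    finding_id: str
    asset: str
    asset_owner: str
    business_criticality: int      # assumed scale: 1 (low) .. 5 (mission critical)
    cvss: float                    # CVSS base score, 0.0 .. 10.0
    discovered: date
    remediated: Optional[date] = None

    @property
    def is_open(self) -> bool:
        return self.remediated is None


def risk_band(cvss: float) -> str:
    """Map a CVSS base score to a qualitative band (CVSS v3 severity cut-offs)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def risk_score(f: Finding) -> float:
    """Quantifiable risk rating: CVSS weighted by business criticality.

    Criticality 1 leaves the score unchanged; criticality 5 doubles it,
    so the same CVE on a mission-critical asset sorts ahead of a lab box.
    """
    weight = 1.0 + 0.25 * (f.business_criticality - 1)
    return f.cvss * weight


def due_date(f: Finding) -> date:
    """Remediation deadline derived from discovery date and the SLA policy."""
    return f.discovered + timedelta(days=SLA_DAYS[risk_band(f.cvss)])


def overdue_ids(findings: List[Finding], today: date) -> List[str]:
    """IDs of open findings whose SLA deadline has already passed."""
    return [f.finding_id for f in findings if f.is_open and due_date(f) < today]


def prioritized_queue(findings: List[Finding], today: date) -> List[str]:
    """Open findings ordered for the remediation meeting: overdue first,
    then by descending risk score."""
    open_findings = [f for f in findings if f.is_open]
    ordered = sorted(
        open_findings,
        key=lambda f: (due_date(f) >= today, -risk_score(f)),
    )
    return [f.finding_id for f in ordered]


# Constructed sample data (not real assets or findings).
SAMPLE_FINDINGS = [
    Finding("F-001", "web-prod-01", "app-team", 5, 9.8, date(2022, 1, 1)),
    Finding("F-002", "build-agent-07", "platform", 2, 7.5, date(2022, 1, 10)),
    Finding("F-003", "dev-laptop-12", "it-support", 1, 5.3, date(2022, 1, 15)),
    Finding("F-004", "db-prod-02", "dba-team", 5, 6.5, date(2021, 12, 1),
            remediated=date(2021, 12, 20)),
]

if __name__ == "__main__":
    today = date(2022, 1, 20)
    print("overdue:", overdue_ids(SAMPLE_FINDINGS, today))
    for fid in prioritized_queue(SAMPLE_FINDINGS, today):
        f = next(x for x in SAMPLE_FINDINGS if x.finding_id == fid)
        print(fid, f.asset, f.asset_owner, risk_band(f.cvss),
              f"score={risk_score(f):.2f}", "due", due_date(f))
```

The queue is what a regular remediation review would walk through: the critical finding on the mission-critical web host is overdue and sorts first, the high finding on a low-criticality build agent follows, and the closed database finding is excluded because its lifecycle already ended.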
Modern vulnerabilities are more extensive and more critical than ever. They need to be tracked and remediated using modern solutions such as the ones highlighted in this report.
7. About Chris Ray
Chris Ray is a veteran of the cyber security domain. He has a collection of experiences ranging from small teams to large financial institutions. Additionally, Chris has worked in healthcare, manufacturing, and tech. More recently, he has acquired an extensive amount of experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cyber security services.
8. About GigaOm
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.
GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.
GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.
9. Copyright
© Knowingly, Inc. 2022. "GigaOm Radar for Continuous Vulnerability Management" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.