Manzill Surolia

Analysis · 14 Jul 2026

The Cybersecurity Tooling Landscape, Mapped

About 150 products fill 17 acronym-named categories. Strip the branding and the market does just six jobs — and a handful of vendors now do most of them.

~150products catalogued
17named categories
6jobs they actually do
9categories the top platform spans
10+open-source substitutes

The security market looks like an unmanageable wall of acronyms — SIEM, SOAR, EDR, XDR, NDR, CSPM, CNAPP, ZTNA, PAM, DLP, ASM, TIP. Catalogue the roughly 150 named products and the sprawl collapses. The 17 categories answer only six underlying jobs; the same seven or eight vendors reappear category after category; and almost every category has a mature open-source substitute. What reads as 17 buying decisions is closer to six — and increasingly one platform decision.

Where the 17 categories sit — share by job
Detect & RespondSIEM, SOAR, EDR, NDR, XDR, TIP, deception7
Manage ExposureASM, vuln/patch, CSPM/CNAPP3
Control IdentityIAM, PAM, ZTNA3
Protect DataDLP, email / anti-phishing2
Govern RiskGRC1
Test Defencespen-test / red-team1

1 · Seventeen Categories, Six Jobs

Every acronym in the landscape is a tool built to do one of six things: find and stop attacks, shrink what’s exposed, decide who gets in, keep data from leaving, prove you’re governed, or check your own defences. Grouping the categories by job — not by vendor marketing — is what makes the market legible.

JobCategories it coversThe question it answers
Detect & RespondSIEM, SOAR, EDR, NDR, XDR, Threat Intelligence, Deception“Is something happening, and can we stop it fast?”
Manage ExposureAttack Surface Mgmt, Vulnerability/Patch Mgmt, CSPM/CNAPP“What can an attacker even reach?”
Control IdentityIAM, Privileged Access Mgmt, Zero-Trust Network Access“Who is this, and what should they touch?”
Protect DataData Loss Prevention, Email Security / Anti-Phishing“Is sensitive data staying where it belongs?”
Govern RiskGRC platforms“Can we prove we’re managing all of the above?”
Test DefencesPenetration testing / red-team / adversary simulation“Does any of this actually work?”

▸ Buy for the job, not the acronym. Two “different” products in the same job column are usually competing for the same budget line — the overlap is the point, not a feature.

2 · The Platform Players: Few Vendors, Many Boxes

The clearest signal in the landscape is repetition. Map each vendor to the categories it appears in and a short list of platform players emerges — suites that already span a third to half of the entire market. This is why “best-of-breed vs platform” is the defining procurement question of the decade.

VendorCategories spanned (of 17)Where it shows up
Microsoft9Sentinel (SIEM), Defender EDR/XDR, O365 email, Entra (IAM), Purview (DLP), Defender for Cloud, Defender Vuln Mgmt, Zero Trust
Palo Alto Networks8Cortex XSOAR/XDR, Xpanse (ASM), Prisma Cloud (CNAPP), Prisma Access (ZTNA), AutoFocus (TIP), NDR
Fortinet5FortiSOAR, FortiEDR, FortiXDR, FortiMail, Fortinet ZTNA
IBM5QRadar (SIEM), Resilient (SOAR), Randori (ASM), OpenPages (GRC), X-Force (TIP)
Trellix4EDR, NDR, XDR, DLP
Cisco4Stealthwatch (NDR), Secure Email, Duo (IAM/ZTNA), Kenna (vuln)
Trend Micro4Vision One (EDR/XDR), email security, Cloud One (CSPM)
SentinelOne3Singularity EDR/XDR, Attivo (deception)

Category spans are counted across the 17 functional categories in this landscape, based on the products each vendor fields in it — a directional read of reach, not market share.

3 · The Convergence: Everything Is Becoming XDR

The category list is a snapshot of a market mid-merge. Four originally separate boxes — endpoint (EDR), network (NDR), log analytics (SIEM) and automation (SOAR) — are collapsing into a single detection-and-response plane branded XDR. On the exposure side, standalone vulnerability scanning, cloud posture (CSPM) and workload protection are fusing into CNAPP. Identity is pulling IAM, PAM and network access (ZTNA) toward one control point.

Converging intoAbsorbsDriver
XDREDR + NDR + SIEM + SOAR + threat intelCorrelation across signals beats siloed alerts; less swivel-chair
CNAPPCSPM + vulnerability mgmt + workload & IaC scanningCloud risk is one continuum from code to runtime
Identity fabricIAM + PAM + ZTNA + ITDRIdentity is the perimeter; access decisions want one brain

▸ The 17-box map is already dating. Buy a point tool today and you may be buying a feature of tomorrow’s platform — so weight integration and data portability as heavily as the feature checklist.

4 · The Shadow Stack: Open Source Covers Most of It

Almost every commercial category has a battle-tested open-source counterpart. A capable team can assemble a credible detection-and-response stack for the cost of the people running it — which reframes many “buy” decisions as “buy the time, not the tool.”

Commercial categoryOpen-source substituteDoes the job of
SIEM / log analyticsWazuh · ElasticCollection, correlation, alerting
NDR / IDSZeek · Suricata · SnortNetwork detection & traffic analysis
SOAR / case mgmtTheHiveIncident response orchestration
Threat IntelligenceMISP · OTXIndicator sharing & enrichment
Vulnerability scanningOpenVAS (Greenbone)Network & host vuln assessment
Digital forensics / DFIRVelociraptorEndpoint hunting & evidence collection
Detection engineeringSigma · YARAPortable detection & malware rules
Adversary simulationCaldera (MITRE ATT&CK)Automated red-team / emulation

The trade is real: open source shifts spend from licences to skilled engineering time and integration effort. It is cheapest where you already have the talent.

Bottom line

  • Seventeen categories, six jobs — organise your stack by job and the map stops being intimidating.
  • The platforms already won the middle — Microsoft and Palo Alto each span roughly half the categories; consolidation is the default, not the exception.
  • XDR and CNAPP are absorbing point tools — buy for integration and data portability, because today’s product is tomorrow’s feature.
  • Open source covers most categories — the question is whether you’re buying the tool or the team-time to run it.
  • Coverage > count — ten well-integrated tools mapped to the six jobs beat thirty overlapping ones and their alert fatigue.

Sources & method. The category list and product names are drawn from published security technology-stack maps and vendor documentation; products were grouped into 17 functional categories, then into six jobs, and each vendor’s category span was counted across that landscape. Vendor spans are a directional measure of breadth in this map, not market share. Open-source substitutes are widely used projects for each category. This is original analysis; no third-party graphics or text are reproduced.