The security market looks like an unmanageable wall of acronyms — SIEM, SOAR, EDR, XDR, NDR, CSPM, CNAPP, ZTNA, PAM, DLP, ASM, TIP. Catalogue the roughly 150 named products and the sprawl collapses. The 17 categories answer only six underlying jobs; the same seven or eight vendors reappear category after category; and almost every category has a mature open-source substitute. What reads as 17 buying decisions is closer to six — and increasingly one platform decision.
1 · Seventeen Categories, Six Jobs
Every acronym in the landscape is a tool built to do one of six things: find and stop attacks, shrink what’s exposed, decide who gets in, keep data from leaving, prove you’re governed, or check your own defences. Grouping the categories by job — not by vendor marketing — is what makes the market legible.
| Job | Categories it covers | The question it answers |
|---|---|---|
| Detect & Respond | SIEM, SOAR, EDR, NDR, XDR, Threat Intelligence, Deception | “Is something happening, and can we stop it fast?” |
| Manage Exposure | Attack Surface Mgmt, Vulnerability/Patch Mgmt, CSPM/CNAPP | “What can an attacker even reach?” |
| Control Identity | IAM, Privileged Access Mgmt, Zero-Trust Network Access | “Who is this, and what should they touch?” |
| Protect Data | Data Loss Prevention, Email Security / Anti-Phishing | “Is sensitive data staying where it belongs?” |
| Govern Risk | GRC platforms | “Can we prove we’re managing all of the above?” |
| Test Defences | Penetration testing / red-team / adversary simulation | “Does any of this actually work?” |
▸ Buy for the job, not the acronym. Two “different” products in the same job column are usually competing for the same budget line — the overlap is the point, not a feature.
2 · The Platform Players: Few Vendors, Many Boxes
The clearest signal in the landscape is repetition. Map each vendor to the categories it appears in and a short list of platform players emerges — suites that already span a third to half of the entire market. This is why “best-of-breed vs platform” is the defining procurement question of the decade.
| Vendor | Categories spanned (of 17) | Where it shows up |
|---|---|---|
| Microsoft | 9 | Sentinel (SIEM), Defender EDR/XDR, O365 email, Entra (IAM), Purview (DLP), Defender for Cloud, Defender Vuln Mgmt, Zero Trust |
| Palo Alto Networks | 8 | Cortex XSOAR/XDR, Xpanse (ASM), Prisma Cloud (CNAPP), Prisma Access (ZTNA), AutoFocus (TIP), NDR |
| Fortinet | 5 | FortiSOAR, FortiEDR, FortiXDR, FortiMail, Fortinet ZTNA |
| IBM | 5 | QRadar (SIEM), Resilient (SOAR), Randori (ASM), OpenPages (GRC), X-Force (TIP) |
| Trellix | 4 | EDR, NDR, XDR, DLP |
| Cisco | 4 | Stealthwatch (NDR), Secure Email, Duo (IAM/ZTNA), Kenna (vuln) |
| Trend Micro | 4 | Vision One (EDR/XDR), email security, Cloud One (CSPM) |
| SentinelOne | 3 | Singularity EDR/XDR, Attivo (deception) |
Category spans are counted across the 17 functional categories in this landscape, based on the products each vendor fields in it — a directional read of reach, not market share.
3 · The Convergence: Everything Is Becoming XDR
The category list is a snapshot of a market mid-merge. Four originally separate boxes — endpoint (EDR), network (NDR), log analytics (SIEM) and automation (SOAR) — are collapsing into a single detection-and-response plane branded XDR. On the exposure side, standalone vulnerability scanning, cloud posture (CSPM) and workload protection are fusing into CNAPP. Identity is pulling IAM, PAM and network access (ZTNA) toward one control point.
| Converging into | Absorbs | Driver |
|---|---|---|
| XDR | EDR + NDR + SIEM + SOAR + threat intel | Correlation across signals beats siloed alerts; less swivel-chair |
| CNAPP | CSPM + vulnerability mgmt + workload & IaC scanning | Cloud risk is one continuum from code to runtime |
| Identity fabric | IAM + PAM + ZTNA + ITDR | Identity is the perimeter; access decisions want one brain |
▸ The 17-box map is already dating. Buy a point tool today and you may be buying a feature of tomorrow’s platform — so weight integration and data portability as heavily as the feature checklist.
4 · The Shadow Stack: Open Source Covers Most of It
Almost every commercial category has a battle-tested open-source counterpart. A capable team can assemble a credible detection-and-response stack for the cost of the people running it — which reframes many “buy” decisions as “buy the time, not the tool.”
| Commercial category | Open-source substitute | Does the job of |
|---|---|---|
| SIEM / log analytics | Wazuh · Elastic | Collection, correlation, alerting |
| NDR / IDS | Zeek · Suricata · Snort | Network detection & traffic analysis |
| SOAR / case mgmt | TheHive | Incident response orchestration |
| Threat Intelligence | MISP · OTX | Indicator sharing & enrichment |
| Vulnerability scanning | OpenVAS (Greenbone) | Network & host vuln assessment |
| Digital forensics / DFIR | Velociraptor | Endpoint hunting & evidence collection |
| Detection engineering | Sigma · YARA | Portable detection & malware rules |
| Adversary simulation | Caldera (MITRE ATT&CK) | Automated red-team / emulation |
The trade is real: open source shifts spend from licences to skilled engineering time and integration effort. It is cheapest where you already have the talent.
Bottom line
- Seventeen categories, six jobs — organise your stack by job and the map stops being intimidating.
- The platforms already won the middle — Microsoft and Palo Alto each span roughly half the categories; consolidation is the default, not the exception.
- XDR and CNAPP are absorbing point tools — buy for integration and data portability, because today’s product is tomorrow’s feature.
- Open source covers most categories — the question is whether you’re buying the tool or the team-time to run it.
- Coverage > count — ten well-integrated tools mapped to the six jobs beat thirty overlapping ones and their alert fatigue.
Sources & method. The category list and product names are drawn from published security technology-stack maps and vendor documentation; products were grouped into 17 functional categories, then into six jobs, and each vendor’s category span was counted across that landscape. Vendor spans are a directional measure of breadth in this map, not market share. Open-source substitutes are widely used projects for each category. This is original analysis; no third-party graphics or text are reproduced.