SAN FRANCISCO — Over the past three years, a quiet but unmistakable pattern has taken shape inside the application security market: the vendors that built their businesses on scanning code are now buying the companies that can watch code run. Static analysis, software composition analysis, and CI/CD pipeline scanning built the first generation of AppSec platforms. But a wave of acquisitions — spanning CrowdStrike, Cisco, Palo Alto Networks, Tenable, SentinelOne, Veracode, Wiz, and GitLab — shows where the category is heading next: runtime visibility.
The logic behind the deals is consistent across nearly every one of them. Code-centric tools are exceptionally good at finding things — vulnerable dependencies, insecure code patterns, exposed secrets, misconfigured pipelines. What they are not good at, on their own, is telling a security team which of those thousands of findings actually matter in production. That gap — between "detected" and "exploitable" — is exactly what runtime visibility closes, and it is exactly what AppSec vendors have spent the last several years acquiring their way toward.
The deals that define the trend
The pattern is easiest to see by lining up the transactions in order.
Palo Alto Networks acquired Cider Security in October 2022, folding the CI/CD and software-supply-chain security startup into what would become Prisma Cloud's application security posture management (ASPM) capability — an early signal that pipeline and runtime context, not just code scanning, would anchor the next phase of cloud security platforms.
CrowdStrike acquired Bionic in September 2023. Bionic's agentless technology maps application architecture and dependencies in production, letting security teams see which services, APIs, and data flows a piece of code actually touches at runtime — not just what it looks like in a repository. CrowdStrike folded that capability into Falcon Cloud Security, pairing it with the runtime sensor telemetry the company already collects across endpoints and workloads, explicitly to connect "code to cloud" risk.
Cisco acquired Isovalent in December 2023, closing the deal in 2024. Isovalent is the primary commercial steward of Cilium, the eBPF-based networking and observability project used widely in Kubernetes environments. eBPF gives security tools a kernel-level vantage point on what workloads are actually doing — network connections, process execution, system calls — in real time. Cisco later built its Hypershield architecture on top of that eBPF foundation, explicitly framing runtime enforcement as a core part of its security strategy.
SentinelOne acquired PingSafe in March 2024, adding cloud-native application protection (CNAPP) and cloud detection and response capabilities to its Singularity platform, extending endpoint-style runtime detection logic into cloud workloads and containers.
Tenable acquired Eureka Security and Vulcan Cyber in 2024, integrating cloud data security posture management and exposure-based vulnerability prioritization into the Tenable One platform. Both acquisitions push Tenable's traditional vulnerability-scanning business toward correlating findings with real-world exposure and business context rather than raw CVSS scores.
GitLab acquired Oxeye in 2024. Oxeye's technology performs runtime-informed reachability analysis for cloud-native applications — determining whether a vulnerable code path is actually reachable and exploitable in a running service — and GitLab has been integrating that capability into its DevSecOps platform to cut down on noisy, unprioritized findings from traditional SAST and SCA scans.
Veracode acquired Longbow Security in 2024, aimed squarely at connecting static and software-composition-analysis findings to runtime and cloud context so that application security teams can prioritize the small subset of vulnerabilities that pose genuine risk in deployed environments.
Wiz acquired Gem Security in 2024, adding cloud detection and response — a runtime-focused discipline — to a CNAPP platform that already correlates configuration, identity, and code risk across the cloud estate.
Eight deals, eight different acquirers, one recurring thesis: static findings without runtime context don't tell security teams what to fix first.
Why now
None of this is happening in a vacuum. Three forces are pushing AppSec vendors toward runtime data at the same time.
First, alert volume has outpaced remediation capacity. Modern SCA and SAST tools routinely surface thousands of findings per application as dependency trees grow deeper and scanning coverage improves. Security researchers, including work published by the Cyentia Institute in its long-running "Prioritization to Prediction" series with Kenna Security, have repeatedly found that only a small fraction of publicly disclosed vulnerabilities are ever observed being exploited in the wild. That gap between "disclosed" and "exploited" is precisely why the industry built the Exploit Prediction Scoring System (EPSS), maintained by FIRST.org, as a way to estimate real-world exploitation likelihood — and it is why acquirers now want runtime signals that go a step further than even EPSS, showing not just whether a vulnerability is likely to be exploited somewhere, but whether the vulnerable code path is actually reachable in a specific customer's running environment.
Second, cloud-native architectures made static analysis alone insufficient. Microservices, ephemeral containers, and serverless functions mean that the code in a repository and the code actually executing in production can diverge in meaningful ways — feature flags, environment-specific configuration, dead code paths, and dynamic dependency resolution all affect what is truly exposed. Gartner has tracked this shift through its coverage of Application Security Posture Management (ASPM) as an emerging category in its Hype Cycle research, describing it as a layer that aggregates and correlates findings from multiple AppSec tools — including runtime data — to prioritize risk. That analyst framing gave vendors a category name to build roadmaps and, in several of the cases above, acquisitions around.
Third, platform consolidation is a broader buyer preference, not just an AppSec phenomenon. Security teams have said for years, through analyst surveys and RFP behavior, that they want fewer point tools and more integrated platforms. For vendors, the fastest way to add a runtime capability they don't have in-house — and to do it before a competitor locks up the same target — is to acquire a startup that already built it, rather than building it from scratch and losing a year or more of market timing.
What it means for buyers
For security and engineering leaders, the consolidation wave has practical implications beyond vendor-landscape trivia.
Procurement leverage is shifting. As standalone runtime-visibility and ASPM startups get absorbed into larger platforms, the number of independent point solutions in this space shrinks, which can reduce the negotiating options available to teams that prefer best-of-breed tooling over a single vendor's suite.
Integration risk moves in-house. Every acquisition on the list above still has to prove the acquired technology works cleanly inside the parent platform — data models, agent architectures, and deployment footprints from a startup rarely map one-to-one onto an established platform's existing sensors and consoles. Buyers evaluating these platforms should ask pointed questions about how deeply an acquired capability is actually integrated versus sold as a bolted-on module.
The core problem — noisy, unprioritized findings — doesn't disappear just because a vendor bought a runtime company. Correlating static and runtime data well is a genuinely hard engineering problem, and a logo change on an acquisition announcement isn't evidence that the correlation logic is mature. Teams should evaluate acquired runtime capabilities on the same criteria they'd apply to a standalone product: accuracy, coverage, and how much manual triage it actually removes.
How Safeguard Helps
This consolidation wave validates a thesis Safeguard has built around from the start: software supply chain security only works when you can connect what's in your code to what's actually running in your environment. Buying a runtime-visibility startup and bolting it onto a scanner is a strategy; building that correlation as a first-class part of the platform is a different, harder commitment — and it's the one that determines whether security teams get fewer, more trustworthy findings instead of a second dashboard to triage.
Safeguard approaches this by treating your software bill of materials, dependency graph, and provenance data as living inputs that get continuously reconciled against real deployment and usage signals — not a point-in-time scan result that goes stale the moment a new artifact ships. That means when a new CVE lands in a widely used package, Safeguard can help you answer the question that actually matters: is this dependency present in something we run, is the vulnerable function reachable, and does it sit on a path an attacker could realistically use — rather than adding another unprioritized line item to an already overloaded backlog.
For teams watching the market consolidate around runtime-aware AppSec, the takeaway isn't that you need to wait for your existing vendor's next acquisition to catch up. It's that the underlying capability — reliable code-to-runtime correlation grounded in accurate software supply chain data — is worth demanding now, from whichever platform you trust to deliver it. That's the standard Safeguard holds itself to, and it's why supply chain visibility and runtime context are treated as one problem, not two products stitched together after a deal closes.