Safeguard
Industry Analysis

How Analyst Firms Are Redrawing Category Lines Around ASPM

Gartner, Forrester, and other analyst firms are redrawing the boundaries around ASPM, CNAPP, and traditional AppSec testing — reshaping how security teams buy and organize tools.

Safeguard Research Team
Research
7 min read

JULY 7, 2026 — For the past two years, a five-letter acronym has been quietly rearranging the org charts, RFPs, and analyst briefings of the application security industry: ASPM. What began as a niche label in a Gartner research note has hardened into a full-blown market category — one that is now pulling budget, vendor positioning, and product roadmaps away from the tool-by-tool model that has defined AppSec since the introduction of static analysis two decades ago. The question security leaders are asking heading into their next budget cycle is no longer "do we need ASPM," but "whose definition of ASPM are we buying."

That question matters more than it sounds. Analyst firms don't just describe markets — they create them. A Gartner category name shapes which vendors get evaluated together, which budget line a purchase comes from, and which capabilities buyers assume are table stakes. Right now, the lines Gartner, Forrester, and other research firms are drawing around Application Security Posture Management are actively being redrawn, and the outcome will determine how tens of thousands of security teams organize their AppSec stacks for the next several years.

How Gartner Built the Category

Application Security Posture Management did not emerge from a vendor's marketing department — it emerged from Gartner's long-running pattern of naming "posture management" categories after a market fragments into too many overlapping point tools. Gartner set the template in 2019 with its "Innovation Insight for Cloud Security Posture Management," which took a scattered set of cloud configuration scanners and gave them a shared identity: CSPM. The same naming logic produced SSPM for SaaS configuration and DSPM for data security. ASPM is the application-layer entry in that lineage.

Gartner's own definition, published in its IT glossary and reiterated across its application security research, describes ASPM as tooling that aggregates and correlates findings from the existing alphabet soup of AppSec tools — SAST, DAST, SCA, container and IaC scanning, secrets detection — into a single, prioritized view of risk across the software development lifecycle, rather than asking security teams to triage each tool's output separately. The emphasis is deliberately on correlation and prioritization, not new detection technology. Gartner has been explicit that ASPM is not meant to replace scanners; it is meant to sit above them.

Gartner lead analyst Dale Gardner, who has published extensively on the category — including the widely referenced research note "Emerging Tech: Security — The Future of AppSec Is Application Security Posture Management" — has framed ASPM as the natural next step once organizations accumulate enough scanning tools that the scanners themselves become a visibility problem. Gartner has also put a number on how fast it expects that shift to happen: in its published cybersecurity trend research, the firm has stated that by 2026, 40% of organizations developing proprietary applications will adopt ASPM to more rapidly and accurately identify and remediate vulnerabilities, up from less than 5% in 2021. That projection, cited repeatedly across vendor and analyst commentary since it was published, is a big part of why so much of the AppSec vendor landscape has spent the last three years repositioning around the term.

ASPM has also made repeat appearances in Gartner's Hype Cycle for Application Security, tracked as an emerging profile alongside more established categories like SAST and SCA — a placement that itself signals to enterprise buyers that the category is still forming rather than settled.

Why the Lines Keep Moving

The complication is that Gartner is not the only firm drawing boundaries, and even Gartner's own adjacent categories are colliding with the one it created. Cloud-Native Application Protection Platform, or CNAPP — another Gartner-coined term, this one merging CSPM and Cloud Workload Protection Platform (CWPP) — has expanded over the past two product cycles to absorb application security signal as well: IaC scanning, container image analysis, and in some vendor portfolios, source-to-cloud vulnerability correlation that looks functionally identical to what ASPM vendors sell. Vendors that started as cloud posture players have added application-layer correlation; vendors that started as ASPM-native have added cloud runtime context. The result is that "ASPM" and "CNAPP" now describe genuinely overlapping capability sets depending on which vendor's website you read, even though the two terms originated from the same analyst firm with, originally, distinct scopes.

The traditional AppSec testing vendors have complicated the picture further. Companies built around SAST, DAST, or SCA — the very tools ASPM was defined to sit on top of — have spent the last few product cycles adding their own aggregation, prioritization, and cross-tool correlation layers, marketing those additions as ASPM capability rather than positioning ASPM as a separate purchase. A category that Gartner defined in opposition to the standalone scanner model is now, in practice, being sold by many of the same standalone scanner vendors as a feature bolted onto their existing platforms.

A distinct wave of vendors built ASPM as their core product from day one — names like Apiiro, Cycode, OX Security, Legit Security, ArmorCode, Endor Labs, and Phoenix Security have all shipped products marketed explicitly as ASPM platforms, generally emphasizing code-to-cloud traceability and risk-based prioritization across the SDLC. Their existence is itself evidence the category has real market pull; their differing feature sets are evidence the category's edges are still soft. Forrester, for its part, has approached the same underlying problem — tool sprawl and alert fatigue across fragmented AppSec point products — through its own research on application security testing consolidation and platform strategy, without adopting "ASPM" as consistently as Gartner has, which means buyers comparing Gartner-oriented and Forrester-oriented vendor shortlists can end up with meaningfully different candidate lists for what is nominally the same buying decision.

What It Means for Security Teams

For CISOs and AppSec leads, the practical consequence of this analyst-driven boundary-shifting is that RFPs written against a category name alone are increasingly unreliable. Two vendors both claiming ASPM fit can differ substantially in whether they include cloud runtime context, whether they replace or merely sit atop existing scanners, and whether their prioritization logic accounts for reachability and exploitability or relies on raw severity scores. Buying decisions are safer when they are anchored to the specific outcomes Gartner's own definition emphasizes — aggregation across existing tools, correlation of findings to the same underlying artifact, and risk-based prioritization that reduces noise — rather than to the acronym on a vendor's homepage.

The category churn also reflects a real and durable underlying problem, independent of what any analyst firm ultimately calls it: application security findings are generated by too many disconnected tools, arrive without shared context, and overwhelm the engineering teams who are supposed to act on them. That is the problem ASPM was defined to solve, and it is the problem that will persist regardless of how the category boundaries are eventually settled.

How Safeguard Helps

Safeguard was built around that underlying problem rather than around any single analyst-defined category label. Instead of asking security teams to bet on where Gartner, Forrester, or the next research firm draws the line between ASPM, CNAPP, and traditional AppSec testing, Safeguard focuses on the outcomes those categories are all reaching for: pulling findings from the scanners and source control systems already in use, correlating them against the actual software components and dependencies they affect, and surfacing a prioritized, actionable view of software supply chain risk rather than a pile of disconnected alerts.

Because Safeguard sits across source control integrations, dependency and vulnerability data, and organization-level reporting, security teams get the aggregation and correlation benefits that analyst definitions of ASPM describe — without having to re-architect their AppSec stack around whichever vendor's interpretation of the category happens to be in favor this budget cycle. As the analyst community continues to redraw these lines, Safeguard's approach is to keep security teams anchored to what actually reduces risk: consolidated visibility, accurate prioritization, and a clear line of sight from a vulnerability to the code and pipeline that introduced it.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.