Application Security Listings
The Application Security Authority directory indexes service providers, practitioners, tools, and organizations operating within the application security sector across the United States. This page describes the structural organization of those listings, the verification standards applied before publication, where gaps remain in current coverage, and the mechanisms used to keep indexed information accurate over time. Readers navigating the Application Security Directory Purpose and Scope will find the classification logic here aligned with the broader directory framework.
Verification status
Listings published in this directory are evaluated against a defined set of qualification signals before inclusion. Verification does not constitute endorsement; it establishes that a listed entity meets minimum documentary thresholds for inclusion in a reference-grade index.
Verification tiers applied across listings:
- Confirmed active — Organization or practitioner has a verifiable public presence, active service offering, and at least one named credential, published audit, or regulatory authorization traceable to a named body (such as a FedRAMP authorization, PCI DSS Qualified Security Assessor status under the PCI Security Standards Council, or CREST accreditation).
- Pending review — Entity has submitted information or been identified through secondary sources but has not completed documentary confirmation. Listings at this tier are labeled accordingly and excluded from ranked or featured positions.
- Unverified/legacy — Entries carried forward from earlier index states where original sourcing is incomplete. These remain visible for research continuity but are flagged for reinvestigation on a rolling basis.
Practitioner-level listings are cross-referenced against publicly verifiable credentials. The GIAC Security Expert (GSE), Offensive Security Certified Expert (OSCE3), and Certified Application Security Engineer (CASE) designations from EC-Council are examples of credentials that appear in listing profiles when publicly documented by the issuing body. Listings referencing NIST SP 800-53 Control SA-11 compliance applicability are noted as such when the provider serves federal or FedRAMP-scoped clients (NIST SP 800-53 Rev. 5).
Coverage gaps
No directory covering a sector as fragmented as application security achieves complete coverage at launch or at any static point in time. Documented gaps in the current index include:
- Regional penetration testing boutiques — Firms with fewer than 10 employees operating at the state or metropolitan level are underrepresented. Identification relies on public registration data, conference speaker records, and CVE acknowledgment appearances, all of which have uneven density across geographies.
- Open-source tool maintainers — Maintainers of significant open-source application security tooling (SAST engines, fuzzing frameworks, dependency scanners) are indexed only where the maintainer operates a commercial service or has a publicly listed organizational affiliation. Pure open-source contributors without a commercial presence fall outside the directory's service-provider scope.
- Managed application security service providers (MSSPs) with limited public disclosure — MSSPs operating under non-disclosure frameworks for government clients frequently omit service detail from public-facing materials, making classification and verification against named standards difficult.
- Academic and research entities — University research groups conducting application security research (vulnerability disclosure, protocol analysis, fuzzing studies) are outside the primary listing scope, which is oriented toward the commercial and professional services market.
Gaps are documented rather than concealed. Researchers requiring broader coverage of the academic or open-source sectors should supplement directory use with direct queries to the OWASP Foundation project registry and the NIST National Vulnerability Database contributor records.
Listing categories
Listings are organized into 6 primary categories, each with defined classification boundaries:
- Application security assessment firms — Organizations delivering penetration testing, code review, and threat modeling as client-facing professional services. Subcategories distinguish web application specialists, mobile application specialists, and API security specialists. A firm is not cross-listed in multiple subcategories unless its public service documentation explicitly covers each domain.
- Application security tooling vendors — Commercial vendors of SAST, DAST, IAST, SCA (software composition analysis), and RASP (runtime application self-protection) products. Tool category assignments follow the OWASP Application Security Verification Standard (ASVS) control domain taxonomy rather than vendor-supplied marketing categories.
- Training and certification providers — Organizations delivering credentialed application security training. Inclusion requires that the certification or curriculum be publicly documented and that the issuing body maintain a verifiable credential registry. The How to Use This Application Security Resource page describes how to filter listings by credential type.
- Managed AppSec service providers — Firms offering continuous application security monitoring, vulnerability management programs, or bug bounty program management as ongoing retainer or subscription services, distinct from project-based assessment engagements.
- Compliance and regulatory advisory firms — Providers whose primary application security service is compliance mapping (PCI DSS Requirement 6 assessments, HIPAA §164.312 technical safeguard reviews, or FedRAMP boundary analysis) rather than offensive security or tooling.
- Independent practitioners — Credentialed individual consultants operating outside a firm structure. Listings in this category require at least 1 publicly verifiable credential from a recognized body and evidence of active professional activity within the prior 24-month window.
How currency is maintained
Directory currency depends on structured review cycles rather than passive accumulation. The following mechanisms govern how listings are updated, flagged, or removed:
- Scheduled reinvestigation — All confirmed-active listings are reinvestigated on an 18-month cycle. Reinvestigation checks for organizational continuity, credential status, and any material change in service scope.
- Regulatory trigger updates — When a named regulatory body (PCI Security Standards Council, NIST, CISA) publishes a standard revision or a new authorization list, listings referencing that standard are prioritized for review in the subsequent update cycle.
- Public record monitoring — Enforcement actions, license revocations, or formal delistings from accreditation bodies (such as CREST or the PCI SSC's QSA company list) trigger immediate review of affected listings.
- Submission-based corrections — Factual corrections to existing listings submitted through the contact pathway are reviewed against documentary evidence before any change is published. Submissions without supporting documentation are logged but do not trigger immediate changes.
Listings that cannot be reverified within 24 months of their last confirmed-active status are reclassified to the unverified/legacy tier and annotated with the date of last verified contact. They are not removed by default, as archived entries retain reference value for historical research into the application security listings landscape over time.