Cybersecurity Directory: Purpose and Scope

The Application Security Authority directory maps the professional service landscape for application security across the United States, covering vendors, practitioners, testing methodologies, compliance frameworks, and tooling categories. This reference organizes the sector for service seekers, procurement professionals, and researchers who require structured access to a field that spans dozens of specializations and a regulatory environment shaped by government agencies and standards bodies including NIST, the FTC, HHS, and the PCI Security Standards Council (PCI SSC). The directory does not rank or endorse listed entities; it classifies them against established sector definitions and public qualification standards.


How entries are determined

Entries in this directory are evaluated against the structural definitions that govern the application security field. The primary classification reference is NIST Special Publication 800-53, Revision 5, whose application-relevant controls sit mainly in the System and Communications Protection (SC) and System and Information Integrity (SI) control families, with developer-side testing and evaluation controls (for example SA-11) in the System and Services Acquisition (SA) family. Entries are further assessed against NIST's Secure Software Development Framework (SSDF), SP 800-218, which establishes four practice groups, Prepare the Organization (PO), Protect the Software (PS), Produce Well-Secured Software (PW), and Respond to Vulnerabilities (RV), providing a discrete four-group taxonomy for classifying vendor and practitioner service scope.

Entries are assigned to one or more of the following service categories, each with defined scope boundaries:

  1. Security testing services — firms delivering static application security testing (SAST), dynamic application security testing (DAST), interactive testing (IAST), or application penetration testing.
  2. Program and governance services — entities supporting appsec program building, risk quantification, policy architecture, and appsec metrics and KPIs.
  3. Tooling vendors — commercial and open-source tool providers classified by primary function (SAST, DAST, SCA, WAF, RASP, secrets management).
  4. Compliance and framework specialists — consultancies and service providers operating under PCI DSS application security requirements, HIPAA application security compliance, or NIST-aligned controls.
  5. Training and certification bodies — organizations delivering application security certifications or structured appsec training and resources.

An entry must operate within one of these five categories and must demonstrate a publicly verifiable service scope — through licensing documentation, published methodology references, or publicly indexed professional credentials — to qualify for inclusion. Entries referencing credentials are validated against the issuing body's published registry where one exists.


Geographic coverage

This directory covers application security service providers operating within the United States at national scale. National scope means the provider delivers services across state lines, remotely, or through a distributed delivery model — not that physical offices exist in all 50 states. The majority of application security services (penetration testing, code review, tool deployment, compliance consulting) are delivered remotely by default, which renders strict geographic segmentation less operationally meaningful than in sectors tied to physical presence.

State-specific regulatory requirements remain relevant to classification. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act and enforced by the California Privacy Protection Agency and the California Attorney General, imposes data-handling and reasonable-security obligations on software that processes personal information of California residents, regardless of where the vendor is headquartered. Similarly, healthcare-sector entries are assessed against the HIPAA Security Rule published by HHS at 45 CFR Part 164, Subpart C, which applies to covered entities and business associates regardless of state.

Entries headquartered outside the United States but operating materially within US markets — including under US federal contracting vehicles or serving US-regulated industries — are eligible for inclusion and are flagged accordingly.


How to use this resource

The directory is structured to support three primary research patterns: vendor discovery, regulatory landscape research, and service category benchmarking.

Vendor discovery is best approached through the cybersecurity listings index, which allows filtering by service category, delivery model, and regulatory specialization. Researchers seeking context on what a category entails before reviewing vendors should consult the corresponding topic reference — for example, software composition analysis before evaluating SCA vendors, or web application firewall before comparing WAF providers.

Regulatory landscape research is supported through the compliance and framework reference pages, including application security standards and frameworks and the NIST Secure Software Development Framework reference. These pages do not constitute legal or regulatory guidance — they describe the published frameworks as structured by their originating bodies.

Service category benchmarking is supported by the application security tools comparison and appsec vendor directory sections, which present entries within defined category boundaries rather than as undifferentiated lists. A key distinction maintained throughout: penetration testing services (human-led, scope-bound engagements) are classified separately from automated scanning tooling. This contrast matters materially when procurement teams evaluate coverage against PCI DSS v4.0 Requirement 6.4 (protection of public-facing web applications, which accepts either manual or automated application vulnerability assessment or an automated technical solution such as a WAF) and Requirement 11.4 (penetration testing), since a scanner alone does not satisfy the penetration testing requirement.

The how to use this cybersecurity resource reference page provides additional navigation guidance for researchers approaching the directory for the first time.


Standards for inclusion

Inclusion in this directory requires that an entry meets a minimum threshold across three dimensions:

Verifiable scope definition. The entity must operate in a publicly documentable application security service category. Services must be bounded — an entry cannot qualify on the basis of a general "cybersecurity" offering without a demonstrable application-layer specialization aligned to one of the five classification categories above.

Qualification transparency. Entries claiming practitioner expertise must reference a publicly verifiable qualification standard. Accepted standards include certifications issued by bodies such as GIAC (Global Information Assurance Certification), Offensive Security (OffSec), ISC², or EC-Council, as well as documented methodology adherence to OWASP testing standards (the Web Security Testing Guide or the Application Security Verification Standard) or the PTES (Penetration Testing Execution Standard). Entries asserting NIST or ISO alignment must identify the specific publication or control set, for example SP 800-53 Rev. 5, SP 800-218, or ISO/IEC 27034.

Absence of disqualifying factors. Entries are excluded or removed when an entity has an active FTC enforcement action related to deceptive security claims, when a certification listed has been publicly revoked by the issuing body, or when a vendor's product is the named subject of an active CISA Known Exploited Vulnerability (KEV) catalog entry that remains unpatched and unmitigated per the vendor's own published advisory timeline.

These standards apply uniformly across service categories. A boutique secure code review firm and a large enterprise application security posture management platform vendor are evaluated against the same three-dimensional threshold — scope definition, qualification transparency, and absence of disqualifying factors — with no preferential weighting by company size or revenue.
