Cybersecurity Listings
This directory catalogs cybersecurity service providers, tooling vendors, professional practitioners, and organizational resources operating within the application security sector across the United States. Entries span commercial firms, independent consultants, open-source project maintainers, and standards-aligned service organizations. The cybersecurity-directory-purpose-and-scope page establishes the full mandate governing what this directory covers and the criteria used to categorize entries.
How to read an entry
Each listing record follows a standardized structure designed for rapid professional assessment rather than general browsing. Fields are presented in a fixed sequence so that practitioners comparing vendors or consultants can evaluate equivalent data points without reformatting.
A standard entry contains the following components in this order:
- Organization or practitioner name — The legal entity name or sole-proprietor trade name as registered with the relevant state authority or professional body.
- Service category — Drawn from the controlled taxonomy described below. One primary category is required; secondary categories are permitted where the provider's scope genuinely spans multiple disciplines.
- Primary service lines — A factual enumeration of distinct deliverables (e.g., penetration testing engagements, static application security testing tooling, secure code review retainers).
- Geographic footprint — Whether the provider operates nationally, regionally, or remotely only, per self-reported data verified against public licensing records where applicable.
- Standards alignment — Named frameworks or certifications the provider claims conformance with, such as NIST SP 800-218 (Secure Software Development Framework), PCI DSS v4.0, or ISO/IEC 27001. Claims are listed as declared, not independently audited.
- Verification tier — A status indicator (see the Verification Status section below) indicating the level of source cross-referencing applied to this record.
- Last confirmed active — The most recent date at which the listing was confirmed as a live, operating entity.
Entries do not include pricing, client testimonials, or comparative rankings. The directory is structured as a neutral enumeration, not a recommendation engine.
What listings include and exclude
Included categories:
- Application security consulting firms offering application penetration testing, threat modeling for applications, or secure code review as primary services
- Commercial tooling vendors whose products map to recognized disciplines including dynamic application security testing, software composition analysis, or runtime application self-protection
- Managed security service providers (MSSPs) with a documented application security practice, distinct from general IT managed services
- Training and certification providers operating programs aligned with recognized credentialing bodies such as (ISC)², SANS Institute, or EC-Council
- Bug bounty platform operators and vulnerability disclosure intermediaries
Excluded categories:
- General IT support firms without a demonstrable application security specialization
- Marketing or PR agencies operating in the cybersecurity sector without technical service delivery
- Providers whose primary focus is network security, endpoint protection, or physical security — unless they maintain a distinct, separately staffed application security division
- Academic institutions listed purely for research output, rather than as service providers
The distinction between a qualifying MSSP and a general IT firm is substantive: a qualifying entry must demonstrate at minimum 1 named practitioner holding a recognized application security credential, or documented delivery of at least 1 application-layer security engagement type (e.g., OWASP ASVS-aligned assessment, DAST-integrated CI/CD pipeline audit).
Verification status
Listings carry one of three verification statuses reflecting the depth of cross-referencing performed against public records:
- Confirmed — The entity's legal registration, at least 1 named credential, and active web presence have been cross-referenced against a named public source (state business registry, (ISC)² member directory, CISA vendor resources, or equivalent).
- Declared — Information is drawn from the provider's own public-facing materials (website, LinkedIn company page, SEC filing, or equivalent). No independent third-party corroboration has been completed.
- Pending — The entry has been submitted or identified but has not yet passed minimum cross-referencing checks.
No listing in this directory should be interpreted as an endorsement. Verification status confirms data provenance, not service quality or regulatory compliance. Practitioners seeking compliance-grade vendor due diligence should consult the provider's SOC 2 Type II reports, NIST Cybersecurity Framework self-assessments, or audit results under applicable frameworks such as PCI DSS application security requirements or HIPAA application security compliance.
Coverage gaps
The directory does not yet achieve uniform density across all application security disciplines. The following gaps reflect known limitations of the current dataset:
Geographic imbalance — Providers headquartered in California, New York, and Virginia account for a disproportionate share of confirmed entries. Providers operating exclusively in states such as Wyoming, Montana, and South Dakota are underrepresented even where active service delivery occurs remotely.
Emerging discipline coverage — Service providers specializing in serverless application security, GraphQL security, and software bill of materials (SBOM) management represent a smaller segment of indexed entries relative to their growing operational relevance under frameworks like Executive Order 14028 (Improving the Nation's Cybersecurity, May 2021).
Independent practitioner gap — Solo practitioners and boutique firms with fewer than 5 staff members are structurally underrepresented. Larger commercial entities with active marketing presences are more easily identified through public records than independent consultants operating through personal LLC structures.
Open-source project maintainers — Organizations maintaining open-source application security tools are cataloged where a legal entity or recognized project governance structure exists (e.g., OWASP Foundation projects), but informal maintainer collectives without organizational registration are excluded by policy.
Gaps are addressed on a rolling basis as submissions are reviewed and public-record cross-referencing is completed. The how-to-use-this-cybersecurity-resource page describes the process for submitting or correcting a listing record.