Gartner defines an email security solution as a product that secures email infrastructure. Its primary purpose is to protect against malicious messages (phishing, social engineering, malware) or unsolicited messages (spam, marketing). Other functions include email data protection; domain-based message authentication, reporting and conformance (DMARC); investigation; and remediation through a dedicated console. Email security solutions may also support nonemail collaboration tools, such as those for document management and instant messaging. Email security tools protect an organization’s email from spam, phishing, malware attacks, account takeover and data loss. They may provide capabilities for data loss prevention, encryption, domain authentication and security education, as well as advanced protections against business email compromise. Email security platforms give cybersecurity teams visibility into email-related security incidents, support investigation and automated remediation, and enable management of both inbound and outbound email delivery. Email security solutions often integrate with other network, identity and endpoint security controls, and may also support collaboration tools and email relay capabilities.
Gartner defines an endpoint protection platform (EPP) as security software designed to protect managed endpoints — including desktop PCs, laptop PCs, virtual desktops, mobile devices and, in some cases, servers — against known and unknown malicious attacks. EPPs provide capabilities for security teams to investigate and remediate incidents that evade prevention controls. EPP products are delivered as software agents, deployed to endpoints, and connected to centralized security analytics and management consoles. EPPs provide a defensive security control to protect end-user endpoints against known and unknown malware infections and file-less attacks using a combination of security techniques (such as static and behavioral analysis) and attack surface reduction capabilities (such as device control, host firewall management and application control). EPP prevention and protection capabilities are deployed as a part of a defense-in-depth strategy to help reduce the endpoint attack surface and minimize the risk of compromise. EPP detection and response capabilities are used to uncover, investigate and respond to endpoint threats that evade security protection, often as a part of broader threat detection, investigation and response (TDIR) capable products.
Exposure assessment platforms (EAPs) continuously identify and prioritize exposures, such as vulnerabilities and misconfigurations, across a broad range of asset classes. They natively deliver or integrate with discovery capabilities, such as assessment tools, that enumerate exposures, like vulnerabilities and configuration issues, to increase visibility. EAPs use techniques like threat intelligence (TI) to analyze an organization’s attack surfaces and weaknesses, and prioritize treatment efforts for high-risk exposures by incorporating threat landscape, business and existing security control context. Through prioritized visualizations and treatment recommendations, EAPs help provide direction for mobilization, identifying the various teams involved in mitigation and remediation. EAPs are primarily delivered as self-hosted software or as a cloud service, and may use agents for exposure information collection.
Extended detection and response (XDR) delivers security incident detection and automated response capabilities for security infrastructure. XDR integrates threat intelligence and telemetry data from multiple sources with security analytics to provide contextualization and correlation of security alerts. XDR must include native sensors, and can be delivered on-premises or as a SaaS offering. Typically, it is deployed by organizations with smaller security teams.
External Attack Surface Management (EASM) market refers to solutions that continuously discover, inventory, and monitor an organization’s internet‑facing digital assets from an attacker’s perspective. These platforms identify unknown or unmanaged assets, exposed services, misconfigurations, and vulnerabilities across cloud, SaaS, on‑premises, and third‑party environments. EASM solutions contextualize external exposures with risk scoring, threat intelligence, and business relevance to help organizations prioritize remediation efforts. The market exists to help cybersecurity teams proactively reduce exposure by maintaining visibility of their internet-facing assets. Who are the target users of External Attack Surface Management (EASM) Software? Typical users include cybersecurity teams, vulnerability management professionals, risk managers, and IT security leaders in organizations of all sizes. EASM solutions are especially valuable for enterprises with complex, distributed environments, frequent cloud adoption, or multiple subsidiaries and third-party relationships. Executives responsible for organizational risk and compliance also benefit from the enhanced visibility and reporting capabilities these platforms provide. What are the core capabilities of External Attack Surface Management (EASM) Software? Asset Discovery and Inventory: Identification of internet‑facing infrastructure (e.g., domains, subdomains, IPs, cloud assets, SaaS, APIs, certificates, shadow IT) Asset Attribution & Ownership Mapping Technology Fingerprinting (e.g., frameworks, CMS, web servers, open‑source components) Third‑Party and Subsidiary Mapping Continuous Monitoring & Change Detection: Change Detection (new services, DNS changes, IP reassignments, open ports) Asset Lifecycle Tracking (new, modified, decommissioned assets) Certificate Monitoring (expiration, weak cryptography, unauthorized issuance) Exposure & Vulnerability Identification: Open Port and Service Enumeration Configuration and Security Misconfiguration Detection Known Vulnerability Mapping (CVE/CWE) Insecure Protocol and Cipher Detection Unprotected Cloud Storage & APIs Expired or Weak Certificates Exposed Secrets (tokens, API keys) Risk Prioritization & Contextual Analysis Risk Scoring (asset‑level and organization‑level) Business Context Mapping (e.g., production vs dev, internet‑facing criticality) Exploitability Context Attack Path Visualization Integration with Threat Intelligence Feeds Attacker‑View Asset Mapping Known Attacker Techniques mapping (MITRE ATT&CK alignment) Remediation & Workflow Enablement Remediation Guidance (e.g., automated attack surface reduction suggestions) Integration with Ticketing Systems (e.g., ServiceNow, Jira) Security Tool Integrations (e.g., SIEM, SOAR, vulnerability scanners) Ownership Assignment & SLA Tracking Evidence and Verification of Fixes Reporting & Visualization Executive Dashboards Technical Analyst Views Asset and Risk Heatmaps Exposure Trends Over Time Custom Report Builder What are the benefits of External Attack Surface Management (EASM) Software? EASM software helps organizations proactively reduce their cyber risk by maintaining comprehensive visibility of all internet-facing assets and exposures. Security teams benefit from automated discovery, prioritized remediation, and streamlined workflows, enabling faster and more effective risk reduction. Executives and risk leaders gain confidence through real-time dashboards, trend analysis, and clear evidence of remediation, supporting stronger governance, compliance, and organizational resilience against external threats.
Identity Threat Detection and Response (ITDR) encompasses a suite of security practices and technologies dedicated to detecting, investigating, and responding to threats that target digital identities within an organization. As identity-related attacks such as compromised credentials, privilege escalation, and unauthorized access become increasingly common, ITDR solutions play a pivotal role in safeguarding sensitive systems and data. These solutions work by continuously monitoring identity activities, analyzing behavioral patterns, and identifying anomalies that may signal malicious intent. When a threat is detected, ITDR tools empower security teams to respond rapidly through measures like isolating affected accounts, enforcing multi-factor authentication, or triggering automated remediation workflows. In an era where digital identities are a primary attack vector, ITDR is essential for strengthening an organization’s overall security posture. Who are the target users of Identity Threat Detection and Response (ITDR) solutions? Primary users of ITDR solutions include security operations teams, IT administrators, and identity and access management (IAM) professionals within organizations of all sizes. Chief Information Security Officers (CISOs), compliance managers, and risk management teams also rely on ITDR to ensure regulatory compliance and reduce the risk of data breaches. These solutions are especially critical for, remote workforces, or heightened regulatory requirements. What are the core capabilities of Identity Threat Detection and Response (ITDR) solutions? Anomaly-Based Threat Detection: Tracks identity behavior to detect unusual patterns like odd login times or access spikes that may signal compromised accounts or insider threats. Real-Time Alerting: Delivers instant notifications when identity-related risks are detected, helping security teams act before damage occurs. Automated Threat Response: Takes immediate action such as locking accounts or triggering MFA to contain threats without waiting for manual intervention. What are the benefits of Identity Threat Detection and Response (ITDR) solutions? ITDR solutions help organizations proactively defend against identity-based attacks, reducing the risk of data breaches and operational disruptions. Security teams benefit from faster threat detection and response, improved visibility into identity-related risks, and reduced manual workloads through automation. Executives and compliance leaders gain confidence in their organization’s ability to meet regulatory requirements and protect sensitive information, ultimately enhancing the organization’s reputation and resilience against evolving cyber threats.
Gartner defines managed detection and response (MDR) services as those that provide customers with remotely delivered security operations center (SOC) functions. These functions allow organizations to perform rapid detection, analysis, investigation and response through threat disruption and containment. They offer a turnkey experience, using a predefined technology stack that commonly covers endpoints, networks, logs and cloud. Telemetry is analyzed within a provider’s platform using a range of techniques. The MDR provider’s analyst team then performs threat hunting and incident management to deliver recommended actions to their clients. MDR offers outcome-driven security incident management that is predicated on the detection, analysis and investigation of potentially impactful security events and the delivery of active threat disruption and containment actions to respond to and mitigate the impact of cyber breaches.
Security consulting firms are advisory and consulting services (see 'Definition: Cybersecurity' ) related to information and IT security design, evaluation and recommendations. These services are procured by various stakeholders in an organization, including boards of directors, CEOs, chief risk officers (CROs), chief information security officers (CISOs), chief information officers (CIOs), and other business and IT leaders for the purpose of obtaining and ensuring acceptable risk levels for a specific client organization.
The security threat intelligence products and services market refers to the combination of products and services that deliver knowledge (context, mechanisms, indicators, implications and action-oriented advice), information and data about cybersecurity threats, threat actors and other cybersecurity-related issues. The output of these products and services aims to provide or assist in the curation of information about the identities, motivations, characteristics and methods of threats, commonly referred to as tactics, techniques and procedures (TTPs). The intent is to enable better decision making and improve security technology capabilities to reduce the likelihood and impact of a potential compromise. Threat intelligence (TI) products and services support the different stages of a TI process life cycle. In particular, this involves defining the aims and objectives, collecting and processing intelligence originating from various sources, analyzing and disseminating it to different stakeholders within the organization, and regularly providing feedback on the entire process. These products and services support ongoing security investigations and assist in preventing future breaches by prioritizing infrastructure hardening. TI tools and services are most commonly cloud-based products and services, but can also be delivered “as a service.”
VA solutions identify, categorize and prioritize vulnerabilities as well as orchestrate their remediation or mitigation. Their primary focus is vulnerability and security configuration assessments for enterprise risk identification and reduction, and reporting against various compliance standards. VA can be delivered via on-premises, hosted and cloud-based solutions, and it may use appliances and agents. Core capabilities include: - Discovery, identification and reporting on device, OS, software vulnerabilities and configuration against security-related criteria - Establishing a baseline for systems, applications and databases to identify and track changes in state - Reporting options for compliance, control frameworks and multiple roles Standard capabilities include: - Pragmatic remediation prioritization with the ability to correlate vulnerability severity, asset context and threat context that then presents a better picture of true risk for your specific environment - Guidance for remediating and configuring compensating controls - Management of scanner instances, agents and gateways - Direct integration with, or API access to, asset management tools, workflow management tools and patch management tools