Forgepoint Forward Q1 2025: What’s Ahead in Application Security Posture Management (ASPM)
Preisha Agarwal, Rey Kirton
February 17, 2025
- Blog Post

Forgepoint Capital is excited to announce the second edition of Forgepoint Forward for Q1 2025: What’s Ahead in Application Security Posture Management (ASPM).
About Forgepoint Forward
Forgepoint Forward is a quarterly series capturing critical categories for innovation and investment while spotlighting the startup landscape. Created for entrepreneurs, information security leaders, and the broader information technology community, each report combines extensive primary and secondary market research along with expert opinions and insights from our community of CISOs, CEOs, executives, and Global Advisory Council members.
Key Insights
Our latest report explores the state of Application Security (AppSec) and Application Security Posture Management (ASPM), drawing on market analysis and insights across the Forgepoint portfolio and beyond.
AppSec growing pains
While shift left and DevSecOps have matured as disciplines and made software development significantly more secure in recent years, AppSec still faces notable obstacles. Three persistent challenges stood out from our research and analysis:
- Security-Development Misalignment: There is tension between many security and development teams due to the often oppositional nature of rapid agile development and legacy Application Security Testing (AST) practices like manual testing. This creates a counterproductive dynamic between the two teams: friction instead of synergy.
- Alert Fatigue: Organizations from enterprise to SMB are utilizing more software than ever to implement, manage, automate, and scale internal and customer-facing business functions. Security teams face expanding attack surfaces and alert fatigue as tool sprawl creates an overwhelming number of vulnerability alerts with rampant false positives that often require manual validation.
- A Lack of Unified Visibility: The combination of misaligned security-development dynamics and the deluge of AppSec alerts creates a need for unified ASPM tools. Organizations require centralized visibility to promote trust between teams, mitigate tool sprawl and false positives, and alleviate alert fatigue.
Here’s what Forgepoint’s community of CISOs, CEOs, and AppSec experts had to say about the challenges they see from the front lines:
“At the core of the AppSec problem is the mindset of the engineer. The business drives them to produce at a certain pace, so they do not make security matters a focal point within the development journey.”
Andres Andreu, Deputy CISO, Hearst

“Software developers have long been the first line of defense against threat actors, but they are sent to battle with little knowledge, inadequate tools, and KPIs that are at odds with AppSec goals and outcomes. The contemporary CISO needs to focus on the strategic elimination of core categories of vulnerabilities rather than a continuous loop of putting out spot fires.”
Pieter Danhieux, CEO, SecureCodeWarrior

“There has to be trust between security and developer teams…nobody wants to waste time.”
Jerry Kowalski, CISO, Jefferies
Mapping the ASPM Market
ASPM vendors have entered the market to provide solutions that fill observability gaps and streamline alert management. In our research, we identified four key market categories along with two adjacent categories:

- Aggregators offer real-time application observability and AppSec risk visibility, often integrating with developer workspaces. Companies like Tromzo and Armorcode integrate with legacy and open-source code scanning and testing tools while vendors like Arnica and Cycode replace them with native security tooling.
- Remediation-centric tools accelerate AppSec risk remediation. Many vendors, like Seemplicity, provide guidance and possible fixes in a unified interface, while vendors like Mobb.ai offer AI-powered remediation automations.
- Prioritization and Triage vendors prioritize vulnerabilities and inform remediation strategies with agentless tools, AI-based capabilities, and reachability analysis. Vendors like Avalor (Zscaler) generate custom risk scores based on the impact of vulnerabilities.
- Unified Vulnerability Management platforms centralize correlated findings, threat intelligence, and contextual analysis, generating reports for compliance and risk management. Companies like Vulcan Cyber identify code owners and assign remediation tickets through integrations with tools including Jira and ServiceNow.
Adjacent Categories
- Workflow Automation tools deliver secure consolidated workflows, integrating security tools throughout the SDLC to promote speed, transparency, and efficiency.
- Runtime tools prioritize vulnerabilities that are exploitable in runtime, analyzing how data flows through code blocks, functions, methods, and symbols.
“What ASPM tools are doing is starting to bridge the gap between security and software engineering in a way that facilitates safer coding...They are providing a more seamless experience for a software engineer to introduce safer mechanisms in their code. This is about creating a safe set of business practices as opposed to just a set of business practices.”
Andres Andreu, Deputy CISO, Hearst
Shifting Market Dynamics
We additionally identified four key market trends shaping ASPM:
- Converging Solutions: Many ASPM solutions are converging within, between, and around these core categories as vendors expand their platforms to address adjacent markets and offer new capabilities. This shift is driven by customer demand: customers are asking their ASPM providers to solve pain points with capabilities such as custom risk score assessments, Software Bill of Materials (SBOM) generation, and Software Composition Analysis (SCA).
- Market Crowding: ASPM is becoming a crowded space as new entrants rapidly create point solutions under the broad ASPM umbrella. Product differentiation has become more difficult for vendors, buyers, and investors alike.
- Slow but Steady Adoption: Zooming out, there is now a large ASPM market with a wide array of capabilities attempting to solve core AppSec challenges. Despite vendors’ best efforts to solve pressing AppSec issues, ASPM market adoption has been notably slow with only 5-10% adoption as of 2023. However, Gartner projects adoption to grow to 40% by 2025.
“Adoption is not there – developers choose not to use it. The tools that you have, if adoption is just 10%, it does not matter.”
Jerry Kowalski, CISO, Jefferies
- Frequent M&A and an Investment Cooldown: Many legacy vendors already offer a wide array of AppSec products. Static Application Security Testing (SAST) and Software Composition Analysis (SCA) are particularly mature market segments with high enterprise adoption. As large vendors enter the crowded ASPM space, those with AST and SCA capabilities, like Synopsys (Coverity and Black Duck) and Snyk (Enso Security), have acquired ASPM startups to fill gaps in their product portfolios.

We predict additional consolidation as more legacy players acquire early-stage startups. CrowdStrike’s acquisition of Bionic, Armis’s acquisition of Silk Security, Zscaler’s acquisition of Avalor, and Wiz’s acquisition of Dazz are some of the most notable recent deals. It’s likely that vulnerability management vendors such as Qualys and Tenable and cloud security providers like Palo Alto Networks will also enter the ASPM space via acquisitions.

Investors have taken note of ASPM market activity. 2022 was a record year of VC funding with $383 million in deals. However, funding has dwindled in subsequent years as more legacy players have entered the market via M&A, exerting pressure on startups and making it more difficult for emerging players to capture market share.

Developing the Next Generation of ASPM solutions
The ASPM market will continue to evolve as startups innovate new solutions, larger players acquire promising entrants, and customers seek help solving persistent AppSec pain points. The question remains: what will drive the next great solutions and stronger ASPM adoption?
It comes down to innovators designing solutions that solve real pain points and meet customer needs. As development teams share more of the AppSec burden, CISOs and other decision-makers seek engineer-oriented solutions to address developer-security tensions and challenges around securing the SDLC. The recipe for success calls for efficiency and ease of use. For instance, a greater number of product and workflow integrations can reduce friction and improve adoption, while AI-assisted code remediation presents opportunities when used effectively.
Our community of CISOs and AppSec leaders shared what they believe will set successful ASPM solutions apart in the coming years:
“The point of AppSec is to make secure code. Who makes that secure code? Developers. The tools have to be for developers, not security teams.”
Jerry Kowalski, CISO, Jefferies

“Instead of having to go research a library that will give me input validation capabilities, I, as a software engineer, just have to make a function call to a library that is now readily at my fingertips. That's how you start to introduce security mechanisms into software engineering, because now you’re not adding a burden to that person’s day to day.”
Andres Andreu, Deputy CISO, Hearst

“It won’t be ‘wow, we invented this new technique called machine learning, or deep learning, or even neural networks.’ Everyone's doing that. It'll be, ‘We found a way to use deep learning that works efficiently, and sustainably.’ The differentiator probably won't be that they're doing something different than others. It's that they're doing it right.”
Edward Amoroso, CEO, TAG Cyber
Are we bullish or bearish on ASPM? Read the full report to find out
As we look ahead at the ASPM market as VC investors, are we bullish or bearish? Read the full report for our comprehensive analysis, insights on creating compelling ASPM solutions, and who we believe has the edge as incumbents take on newcomers and startups compete with enterprises.
Acknowledgments
Special thanks to the following experts for their insights and contributions:
- Dr. Edward Amoroso, CEO and Founder, TAG InfoSphere
- Andres Andreu, Deputy CISO, Hearst
- Pieter Danhieux, CEO and Co-Founder, SecureCodeWarrior
- Jerry Kowalski, CISO, Jefferies
- Elizabeth Lawler, CEO and Co-Founder, AppMap
- Alan Snyder, CEO, NowSecure
- Mario Vuksan, CEO and Co-Founder, ReversingLabs
For Forgepoint Capital:
Preisha Agarwal, Michael Cortez, Rey Kirton, Dr. Shane Shook, Conor Higgins, and Tanya Loh