The Security Market Is 5 Platforms Wearing 50 Acronyms
The industry sells itself as fifty categories. It decomposes to about five. The organizing principle isn't what you protect, it's where a tool can see.
Open a cybersecurity vendor directory and you drown three letters at a time. EDR, XDR, NDR, CNAPP, CSPM, CIEM, CASB, DSPM, SIEM, SOAR, SSE, ZTNA, CTEM, ASM, SAST, DAST. Look one up, and two more land in your feed wearing a fresh logo and a spot on someone’s quadrant.
It reads like fifty separate problems, each with its own product and its own pitch. It isn’t. Under the soup sits a small, stable structure, and once you can see it the market stops being a wall of jargon and starts being a map you can actually read.
TL;DR: This is the first piece in a series mapping how cybersecurity actually works, for builders and practitioners who want the shape of the industry without the marketing. Start here: why roughly fifty acronyms collapse into about five platforms, the single rule that decides which categories survive on their own, and the gap that structure leaves wide open.
Start with what’s being protected
Forget the products for a second. Strip the industry down and you’re left with a short list of things worth protecting:
Identity: who and what can act
Compute: where code runs
Code: what executes
Data: what’s worth taking
Execution context: the environment code runs in
Control plane: governs all of it
Those are the nouns.
Then there are the verbs, the relationships between them. This service talks to that one. This user authenticates to that system. This process runs inside that container. This app depends on that library.
Most security products, most of those fifty acronyms, are a claim to sit at one vantage point and watch or control some slice of those nouns and verbs. A vantage point is just the place a tool plants itself to see: on the endpoint, in the network path, at the identity provider, in the build pipeline. Hold onto that word. Vantage is most of the game.
Fifty acronyms, about five platforms
Group the categories by the vantage they occupy, and the fifty collapse fast. Five clusters do most of the work:
Cloud: posture and workload protection across your cloud footprint (the CNAPP family, plus the data-posture tools pulled in alongside it).
SASE / edge: the network path and the access layer (SSE and what it contains).
Identity fabric: who and what is allowed to authenticate, human and machine alike (IAM through to non-human identity).
Endpoint & SecOps: the host where code runs and the correlation layer stitched over everything (EDR and the endpoint pole, feeding SIEM, SOAR, and the XDR architecture). The endpoint vendors became the SecOps vendors, so these are one pole now, not two.
Exposure: the asset-and-weakness graph, what you have and where it’s soft (ASM, CAASM, CTEM).
That’s not a tidy coincidence. The market is consolidating toward those five, and you can watch it happen in the acquisitions: a cloud platform buys a standalone posture tool, an identity vendor folds in a non-human-identity startup, a SecOps suite swallows a threat-intel feed. Each one owns a coherent vantage, and a platform that owns a vantage can absorb every smaller category that was only ever watching the same ground from a slightly different angle.
The rule that decides what survives
Which raises the obvious question. If platforms keep swallowing categories, why do some refuse to be swallowed? AppSec, email security, and backup have stayed stubbornly standalone through years of consolidation. The reason is the rule underneath the whole map:
A category survives on its own only if its vantage is unique.
AppSec sits in the build pipeline, watching code before it ever runs. Email security sits on the mail channel. Backup sits on the storage copies. None of those vantage points is already covered by a cloud platform or an identity suite, so there’s nothing for a bigger player’s existing sensor to fold in. The categories whose vantage was shared got eaten instead, because a platform already standing in that spot could absorb them for free. CASB is the tell: it survived by straddling two vantages at once, data and the network edge, which made it useful to more than one platform rather than redundant to any.
The same rule explains a whole world that sits off this map entirely. Operational-technology security, the stuff that guards factory floors and power grids, watches a vantage no IT platform stands on: the plant network, where you monitor passively and speak industrial protocols. Unique vantage, so it stays its own pole. The IT-security map just doesn’t reach it.
The market is drawn by where you can see, not by what you protect
Here’s the reframe that makes the rest of the series click. The industry isn’t organized around what you’re protecting. It’s organized around where a tool can plant itself to watch.
That sounds like a small distinction. It isn’t. It explains why identity, the single densest and most contested thing in the whole picture, has five different categories fighting over it: lots of vantage points can catch some angle of identity, so lots of products grew there. And it explains the opposite case too. Some of the highest-value things an attacker goes after don’t sit cleanly at any one vantage, so no category grew up to own them.
This isn’t a law, it’s a tendency, and the exceptions prove the point. A few categories organize around what they protect rather than where they watch: data-loss tools chase your sensitive data across the endpoint, the network, email, and the cloud all at once, because data lives everywhere and no single vantage owns it. A few others sit above the map entirely and sense nothing, the governance and risk tools that just keep score. But the dominant logic is vantage, and the tools that follow the data are really just covering for the seams the vantage map can’t.
The gap the structure leaves
That last point is where this series is headed. The richest targets in security are often not the nouns but the bindings between them. A credential is an identity joined to a secret. A live session is an identity joined to a moment in time. An AI agent’s action in flight is code exercising real authority. These are where a lot of actual damage happens, and they fall in the seams between vantage points. The endpoint sees the process but loses the flow. The network sees the flow but can’t name the principal. The identity provider knows you at the login and goes quiet after.
No single category sits exactly on those seams. That isn’t an oversight someone forgot to fix. It’s a structural consequence of a market that organizes by vantage: if no sensor naturally stands in a spot, no category forms there, even when that spot is exactly where the risk concentrates. The gaps aren’t random. They’re where the map’s own logic runs out.
Where this leaves you
Once you read the market as vantage points instead of products, the acronym wall turns into something you can actually reason about. You stop asking which tool you’re missing and start asking a better pair of questions: what can actually see the thing I care about, and what can nothing see at all.
The rest of the series walks the map one region at a time: what we’re really protecting, how attacks move across it, where the tools reach, and where the seams swallow them. The acronyms will keep multiplying. The structure underneath them won’t.
Acronym reference
Cloud: CNAPP (cloud-native app protection) · CSPM (cloud posture) · CWPP (workload protection) · CIEM (cloud entitlements) · KSPM (Kubernetes posture) · DSPM (data posture)
SASE / Edge: SSE (security service edge) · SWG (secure web gateway) · ZTNA (zero-trust network access) · FWaaS (firewall-as-a-service) · DLP (data loss prevention)
Identity Fabric: IAM (identity and access management) · IGA (identity governance) · PAM (privileged access) · ITDR (identity threat detection) · NHI (non-human identity)
Endpoint & SecOps: EDR (endpoint detection and response) · EPP (endpoint protection) · NDR (network detection and response) · XDR (cross-layer detection) · SIEM (log correlation) · SOAR (response automation) · TIP (threat intel)
Exposure: ASM (attack-surface management) · CAASM (asset inventory) · VM (vulnerability management) · CTEM (continuous threat-exposure management) · BAS (breach-and-attack simulation)
AppSec: SAST (static analysis) · DAST (dynamic analysis) · SCA (software composition analysis)