What you're looking at
The radar has 18 axes, one for each category of security capability. Three things sit on top of those axes:
- Per-vendor dots. Each tool you add shows up as colored dots, one per axis, at that tool's score in each category. Following one color around the chart gives you a single vendor's profile.
- Your combined polygon. The filled shape blends every tool you've added into a single stack. The math behind that blend is the next section.
- A dashed outer ring. This is the market ceiling: what a stack of every vendor in our dataset would reach. The gap between your shape and that ring is where your coverage stops.
Below the chart, picking a category opens a ranked list of every vendor that scores in it. You can add or remove vendors from that list directly, and the radar updates as you do.
How a number gets to an axis
Inside each of the 18 categories sits a list of specific capabilities. Risk Quantification has nine: a security questionnaire, a risk register, a scoring methodology, FAIR-based loss modeling, scenario modeling, risk appetite handling, a posture dashboard, continuous control monitoring, and vendor risk assessment. Other categories are larger or smaller, with 4 to 13 entries each. There are 172 in total. Internally we call each one a cell. The chart never uses that word.
Every vendor gets rated on every cell using a 0 to 5 strength scale:
| Score | Label | What it means |
|---|---|---|
| 0 | None | Vendor does not cover this cell at all. |
| 1 | Light | Exists but basic. Often an add-on or afterthought. |
| 2 | Partial | Limited capability. Some users will hit its edges quickly. |
| 3 | Moderate | Decent capability but not the vendor's strength. |
| 4 | Strong | Solid. Competitive with category specialists. |
| 5 | Core | This is what the vendor is known for. Deep and mature. |
The number you see for a vendor on a given axis is the mean of that vendor's cell scores in that category, with zero-coverage cells counted in. So a vendor doing nine of nine cells at an average of 4.0 outscores a vendor doing three cells at a perfect 5.0. Customers feel the gaps; the math reflects that.
Worked example. SignumCyber on Risk Quantification, all nine cells: [5, 3, 5, 5, 5, 5, 4, 1, 4]. Sum 37, divided by 9, lands at 4.11. That's the number on the axis.
When more than one tool is on the chart, each cell goes to whichever vendor scores highest on it. Those per-cell maxes are then averaged into a category score. A specialist with one weak cell gets backfilled by a generalist, and both contributions count. The dashed market-ceiling ring uses the same merge against every vendor in the dataset.
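The scoring and merge rules above, as an added example (not SignumCyber's own code). It assumes the worked example's score vector follows the order in which the nine Risk Quantification cells are listed; `VendorB`, its scores, and the `threshold` cutoff in `weak_cells` are constructed for illustration.

```python
from statistics import mean

# Risk Quantification cells, in the order the page lists them (assumed order).
CELLS = ["security questionnaire", "risk register", "scoring methodology",
         "FAIR-based loss modeling", "scenario modeling", "risk appetite handling",
         "posture dashboard", "continuous control monitoring",
         "vendor risk assessment"]

STACK = {
    "SignumCyber": [5, 3, 5, 5, 5, 5, 4, 1, 4],  # from the page's worked example
    "VendorB":     [0, 0, 0, 0, 0, 0, 3, 5, 2],  # constructed, hypothetical vendor
}

def validate(scores, n_cells):
    """Reject vectors that would silently skew a mean: wrong length or off-scale."""
    if len(scores) != n_cells:
        raise ValueError(f"expected {n_cells} cell scores, got {len(scores)}")
    if any(not isinstance(s, int) or not 0 <= s <= 5 for s in scores):
        raise ValueError("cell scores must be integers from 0 to 5")
    return scores

def axis_score(scores):
    """Mean over every cell in the category; zero-coverage cells count."""
    return round(mean(scores), 2)

def merge_stack(stack, cells=CELLS):
    """Per-cell max across vendors, keeping which vendor supplied each cell."""
    for scores in stack.values():
        validate(scores, len(cells))
    merged = {}
    for i, cell in enumerate(cells):
        winner = max(stack, key=lambda v: stack[v][i])  # ties: first vendor added
        merged[cell] = (stack[winner][i], winner)
    return merged

def combined_score(stack, cells=CELLS):
    """Category score for the whole stack: average of the per-cell maxes."""
    return axis_score([s for s, _ in merge_stack(stack, cells).values()])

def weak_cells(stack, threshold=3, cells=CELLS):
    """Cells where even the best tool in the stack is below an assumed cutoff."""
    return [c for c, (s, _) in merge_stack(stack, cells).items() if s < threshold]

if __name__ == "__main__":
    print(axis_score(STACK["SignumCyber"]), combined_score(STACK))
    print(weak_cells({"SignumCyber": STACK["SignumCyber"]}))
```

The combined score is the mean of per-cell maxes, not the higher of the two vendors' means, which is why adding a low-scoring specialist can still raise the polygon.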
Where the scores come from
Cell scores are SignumCyber's editorial assessment, calibrated against five sources. Most of the work is desk research:
- Vendor product documentation. Datasheets, architecture pages, solution briefs, official product pages. The largest single input.
- Analyst category definitions. Gartner Magic Quadrants and Critical Capabilities reports, Forrester Waves, KuppingerCole Leadership Compasses. We read these for what counts as a separable capability, not for vendor rankings.
- Frameworks. NIST CSF 2.0 sub-categories and CIS Controls v8 Safeguards anchor the taxonomy in something customers already map to.
- Public pricing and packaging. A capability sold as a separate add-on scores lower than the same capability included in the base SKU.
- Hands-on review where it was possible. Demos, trials, and detailed public documentation gave us direct exposure to some products. Not all of them. This input is opportunistic, not systematic.
The cell taxonomy itself is inherited from earlier landscape research the team built before this tool existed, then extended for the categories above. Per-cell citations are not published on the live chart. The framework structure is transparent; individual scores are aggregated judgment.
What this is good at
- The math is mechanical. Once cells are scored, every downstream number on the chart is arithmetic. No weighting, no boosts, nothing tucked behind a curtain.
- Breadth and depth count equally. A specialist doing three cells perfectly sits near a generalist doing six cells well. That matches how customers feel coverage in practice.
- Stack merging models reality. A specialist's weak cell gets covered by a generalist; both contributions count toward your combined polygon. Real stacks work that way.
- The scoring scale is published. The same 0 to 5 with the same labels (None, Light, Partial, Moderate, Strong, Core) applies to every cell of every vendor, including SignumCyber's own.
What it deliberately doesn't do
It will not tell you what's essential for your business.
Priorities depend on your data, your regulators, your threat exposure, and your business continuity needs. None of those are visible to a free tool. A tool that flagged categories as "essential" without seeing your business would be lying to you.
It will not pick a best vendor.
Scores live per category. A specialist can be a 5 in one category and a 0 in another. Crushing that into a single overall ranking erases the part of the story you actually need.
It will not give credit for features outside the taxonomy.
If a vendor ships something we don't have a cell for, it doesn't show up. Cells get added when a capability becomes market-established.
It is not a replacement for a risk assessment.
This shows what you have. It does not show what you need.
Where it falls short
- Editorial judgment is unavoidable. Drawing the line between a 4 and a 5 on a specific capability is a call. Two assessors could reasonably land one step apart on any given cell.
- Coverage is uneven. 54 vendors are in the dataset today. Major absences include Netskope and Cato (SSE / SASE), Orca (CNAPP), BeyondTrust and Delinea (PAM), SailPoint and Saviynt (IGA), Rubrik and Cohesity (backup), and Darktrace and Vectra (NDR). Adding them is in the queue.
- Newer categories move more than older ones. AI Security, ITDR, and SASE are still settling. Email Security and Endpoint Protection are mature. Expect more drift on the new stuff.
- Scores age. Acquisitions close, products ship, features get cut. The review cadence is quarterly for the most-used vendors, annual for the full set, and ad-hoc on major events. There is still lag between a vendor change and its reflection here.
- No vendor relationship disclosure yet. SignumCyber does not currently flag whether a scored vendor is a customer, partner, or competitor. A future version of this page should.
A note on self-scoring
SignumCyber sits in the dataset. We score ourselves. You should know that, and you should be able to push back.
The cells we score ourselves on map to specific, countable features:
- Risk Quantification. 688 assessment questions across 73 security domains and 11 role-based paths. 3,110 vulnerabilities with severity ratings. 601 recommendations, each scored across 9 dimensions. Full FAIR-based ALE / SLE / ARO with industry benchmarks.
- Compliance. 88% of questions mapped to ISO 27001 controls. 94% to NIST CSF 2.0. 88% to SOC 2 criteria. CIS v8.1 integration covers 18 controls and 103 safeguards.
- Program management. IRP, BCP, and cybersecurity plan generators with versioning, approval workflows, and multi-state assignment tracking.
- Where we score low, we say so. Continuous Control Monitoring is a 1: we don't auto-integrate with cloud APIs yet. Phishing simulation, on-call escalation, and live forensics are 0: we don't ship those.
If a SignumCyber cell looks inflated against that evidence, tell us and we'll defend or correct it.
Corrections welcome
If a vendor you know well looks wrong on the chart, tell us. Suggestions are not auto-applied; they're reviewed against the sources above. We do read them.
This is a starting point, not an answer
Stack Analysis is a self-serve diagnostic. It can show you what you have. It cannot show you what you need.
A real coverage review weighs your actual contracts, the features you've licensed versus the ones you've enabled, the threats your business actually faces, and the regulators you actually answer to. That is a risk assessment, and it is the foundation of SignumEssentials and SignumVantage.