Hello everyone
In the last few weeks, I have been able to close some of my numerous glaring educational gaps (there are still enough left), among other things by participating in the general meeting of the Federal Association of IT Security (Teletrust) for the first time. We have been a member of it since it was founded, but so far only because of the “IT Security Made in Germany / Made in EU” seal, which will hopefully somehow be perceived positively by customers. Presumably, this is secretly the case for many of the ~400 members.
And therefore at this point the confession of a repentant absentee: Great event, I can only recommend it. There were about 50 participants on site – and yet there was no puffing up and no sales talk, because members are among themselves in the industry association. Instead, exchange on an equal footing, open discussions with a department head of the BSI (Luise Kranich), and phenomenal catering. Our membership fees are well invested.
By the way, one finding from the discussion was that the BSI does not (yet) have a concrete target image regarding digital sovereignty. As a subordinate body, it is still in coordination with the interior and digital ministries. It’s a pity – for me and probably many others, a “what does good look like” from a recognized institution would help as orientation. Without a target state, there is no PDCA cycle.
At the event, I also noticed that I hadn’t even read the Teletrust handout on the state of the art 2025 yet (of course, I noticed it just at the moment when one of the authors asked me for my opinion on it…). I’ve made up for that now to save myself further embarrassment. What was striking?
- Basically, the compendium (~140 pages net) is a very complete catalog of possible technical and organizational measures, and a good argumentation aid to justify budget for security measures with reference to the state of the art. The term “state of the art” is often used in information security, but in my opinion it has not been described anywhere else so far.
- The classification of each measure according to “recognition by experts” and “proof in practice” is also unique. This can probably also be used in discussions about the necessity of investments.
- In some cases, the measures described go far beyond the common requirements of cyber insurance and also the ISO 27002 controls: e.g. PKI, encryption on layer 1, a PAM solution, dark web monitoring, SIEM/SOC and all conceivable cloud security tools are recommended.
- Example: “In summary, the recommended actions of a cloud security platform are at least:
  - Testing of infrastructure-as-code before provisioning resources (compliance, misconfigurations) (IaC / Code Security)
  - Compliance audit and detection of misconfigurations in Cloud (CSPM) and Kubernetes (KSPM) resources against relevant compliance and recommended best practices frameworks
  - Prioritized vulnerability analysis from development to runtime (vulnerability management)
  - Visualization of possible attack paths, chaining of vulnerabilities, authorization keys and misconfigurations (CASM)
  - Inventory of cloud infrastructure components
  - Authorization verification (CIEM)
  - Behavioral analysis and early detection of malicious activity within cloud accounts (UEBA)
  - Immediate detection of malicious activity by sensors within active workloads, including malware detection and file integrity monitoring (CWPP)”
- However, it is also clearly stated at the beginning that the assessment of the proportionality of measures and risks is the responsibility of the respective operator and should not be classified in a blanket manner.
- Of course, this then raises the question of in which situation the document actually offers a concrete decision-making aid => In each individual case, the protection needs of the assets must be weighed against the costs and benefits of the measures.
- When it comes to pen tests, the industry still seems to be divided; as with SOC/MDR, the topic is described in only one sentence. Of course, it is also a very extensive and heterogeneous topic. Additions to this have been announced.
- In the section “Sensitization of users” I stumbled across the step “Safety hygiene”, where it is written: “First of all, your own regulations must be checked for actual and practical feasibility. No one may be expected to follow rules that cannot be implemented in the context of their own work, or can only be implemented with considerable difficulty.” Is this what is required in NIS-2 as cyber hygiene? I had interpreted it differently so far. Maybe someone can teach me about hygiene standards.
- The comparison of the ISO 27000 series of standards (~100 pages, approx. 100 abstract requirements) and the BSI IT baseline protection catalogue (~4000 pages, approx. 1100 concrete measures) is also interesting.
By the way, the federal association is probably also struggling with a decline in membership due to the economic crisis… Let’s hope that this will get better again.
The new MITRE ATT&CK EDR evaluation has been published. We have also finished our evaluation, but we are still waiting for answers from the MITRE team, as we have a few questions about details. That also gives me a topic for January and makes my life easier. If you urgently want to make a decision between Crowdstrike, Cynet, Trend Micro, Sophos and Co. before Christmas, you can of course sign up for a sneak preview. Unfortunately, Microsoft, SentinelOne and Palo Alto did not participate this time.
In this respect, only a few unconnected news items that jumped out at me:
- Fortinet raises the bar again when it comes to transparency about OT NIDS/IPS: For each readable OT protocol, it specifies exactly which function codes can be recognized via DPI (e.g. with Siemens S7 47 different commands can be recognized, with BACnet 130 and with GOOSE only that the protocol was used).
- There are rumblings not only in the German automotive industry, but also at Aqua Security (~350 employees, ~1 billion valuation): The two founders have given up their CEO+CTO roles, and the new management is continuing the restructuring and job cuts.
- If all this AI stuff in the specialist departments is too much for you, you can now at least put a stop to the use of AI browsers (e.g. OpenAI Atlas, Perplexity Comet) with a reference to Gartner: Cybersecurity Must Block AI Browsers for Now. Or the other way around, in an emergency, you may have to put up with the question of why the use was allowed despite known and overlapping vulnerabilities in your own company. Do not leave children and AI agents unsupervised on the playground.
I’m still collecting predictions for 2026 – if you have any ideas, feel free to contact me. For my hypotheses in 2025, I would currently still grade myself with a 4-, but I’m hoping for the last few days of the year.
M&A:
- ServiceNow buys Veza (authorization management, similar to e.g. Cyberdesk as I understand it, and of course IdM suites like Sailpoint, Ping, CyberArk etc.)
- Exciting: Identity is the new perimeter, as it is summed up by the marketing trumpets. AI agents exacerbate the problem of NHI management (e.g. attacks on delegated OAuth tokens => Golden Agent)
- Together with the GRC module, which has been available for some time, ServiceNow is developing into an Operations+Security provider
- Huntress (US Managed SOC on Microsoft Tech Stack, especially for SMEs) buys Inside Agent (Identity TDR)
- Allurity (PE from Sweden, focus on Cybersec) acquires Monti Stampa Furrer & Partners (Swiss OT Sec Advisor)
- Checkpoint raises almost USD 2 billion in new capital on the bond market => Since Checkpoint is extremely profitable, this probably heralds another acquisition
- Saviynt (IAM) raises ~$700 million in a new funding round at a valuation of approximately $3 billion
- Proofpoint is going one step further to get the deal with Hornet over the finish line: The purchase price is now USD 1.8 billion (instead of the original ~1 billion), about 9 times the turnover. Hornet’s success story shows once again that the SME segment enables more attractive margins than the enterprise business through strong channel sales. Quote from the CEO of another provider in the industry: “The decision for small customers is not about price or features. They buy the solution that the system house brings with it and says it works.”
Vendor Briefings:
Onekey (Update):
- Small German jewel for software and services around IoT/Product Security, esp. to comply with CRA, IEC 62443, UNECE WP.29 (Automotive Security) or similar.
- Approx. 100 corporate customers, including Resideo, Nestlé (coffee machines), Deutsche Bahn, Swisscom, Phoenix Contact, Zyxel, Piaggio
- Almost all TÜV organizations and Bureau Veritas use the OneKey SW
- SCA for binaries (firmware images) and SBOMs. Core features include the assignment of text fragments to software components and the recording of dependencies (again crucial for updates)
- The extraction of the components is not done with Binwalk, but using an in-house developed engine. This makes it possible to clearly highlight blind spots (e.g. encrypted partitions)
- Optional reverse engineering of compiled code
- Can be installed on prem and integrated into the existing development toolchains via API => advantage that your own source code does not leave the perimeter. SaaS is also available
- Automatic assessment of firmware based on compliance frameworks
- Can prioritize vulnerabilities based on customer-specific risk profiles (from TARAs)
- They are still looking for sales partners – but these should be specialists in IoT product development / DevSecOps
Orca (Update):
- CNAPP is a competitor to Wiz, Palo Alto, CS etc.
- >1000 corporate customers, including SAP, Raiffeisen Bank, MAN Energy, 7Eleven, Carlsberg and Hunters (the SIEM manufacturer)
- “Agentless first”: Security contexts such as access rights, security groups, segmentation, events & logs, container registries, etc. are queried via the Control Plane APIs (A/C/D/KSPM, CIEM). What is still missing as of today: SSPM for common applications, so far focus on IaaS/PaaS
- In addition, snapshots of workloads (containers, VMs) and source code including libraries can be scanned for vulnerabilities (SAST, SCA)
- All of this is used to assess the risks of assets and derive measures
- There is also a sensor for Cloud/Application Detection + Response (or those from SentinelOne, CS, PAN etc. can be integrated)
- Backend can be hosted by customers in their own AWS account
- Charming: From Orca you can also patch directly or, for example, change the Terraform codebase without having to switch GUIs
- Other features: Attack path display, compliance reporting for common frameworks
- They are still looking for MSSP partners in the DACH region; feel free to contact me if you are interested (but it is also challenging: partners should have experience with SW development and the usual toolchains)
Secfix:
- Simple GRC solution from Germany (financing by Commerzbank, among others), focus on ISO27001 / NIS2 / GDPR etc. for startups + smaller companies
- Essentially, of course, checklists of the frameworks + the link to evidence with status display
- Integrations with cloud hyperscalers, M365, Jira, etc.
- Approx. 5 years on the market, in the meantime already 350 SMEs as customers
Tenfold:
- IGA from Austria, huge success story + also very likeable: Only about 35 FTE, but almost 2000 existing customers across all continents
- Ideal for SMEs: No scripting knowledge required for integrations, comparatively easy onboarding using the wizard
- Rights management for M365 groups (e.g. AAD DC admins) possible
- Audit-proof rights granting or revocation in self-service, multi-control principle + without ITSM tool
- Periodic recertification (rights check) of applications, file servers, external staff => Here I still miss assistant functions for managers that offer decision-making support (is the combination still plausible, what does the SAP authorization mean, what was the original reason for the rights request, possibilities for queries…)
- Overview of all access rights for each user or for a specific asset such as directories possible
- They also offer perpetual licenses with maintenance contracts (but this is probably only in demand in the DACH region)
As always, questions, suggestions, comments, experience reports, topic requests and also opposing opinions or corrections are welcome by email. Ditto for unsubscribing from the mailing list.
For the people who have received the market commentary for the first time: Here you can register if you are interested or send a Christmas greeting to the archivist.
Thank you very much for the loyal attention + the numerous feedbacks, many greetings, relaxing holidays to all and then a good start into the new year!
Jannis Stemmann
