Cybersecurity Listings
The listings assembled on this reference cover the full operational landscape of cybersecurity services, practitioners, vendors, and frameworks active in the United States. Each entry is organized by service category, professional qualification type, and applicable regulatory context — providing a structured reference point for procurement professionals, compliance officers, security researchers, and organizational decision-makers. The scope spans both private-sector service providers and the regulatory bodies that govern them, from federal agencies to industry standards organizations.
How to use listings alongside other resources
Listings function as a directory layer — a structured index of categorized entries — not as standalone explanatory content. To understand the regulatory and technical framework that governs a given service category, the information security frameworks reference and the cybersecurity compliance requirements pages provide the normative background against which listed entities operate.
Listings are most effectively used in conjunction with topic-level reference pages. A procurement officer evaluating penetration testing vendors, for example, would cross-reference the listing entries with the qualification standards described in the corresponding topic page — including credentials recognized by bodies such as GIAC, Offensive Security, and (ISC)². Similarly, organizations assessing security operations center providers benefit from understanding how NIST SP 800-61 frames incident handling before evaluating whether a listed SOC provider aligns with that standard.
For organizations operating under sector-specific mandates — HIPAA under HHS, NERC CIP under FERC, or CMMC under the Department of Defense — the us-cybersecurity-regulations page establishes the statutory baseline that informs which listed service categories carry compliance relevance.
How listings are organized
Listings are structured across 4 primary classification dimensions:
- Service category — the functional type of cybersecurity service delivered (e.g., threat intelligence, endpoint protection, managed detection and response, digital forensics)
- Provider type — whether the listed entity is a managed security service provider (MSSP), independent consultant, software vendor, professional association, training organization, or regulatory body
- Applicable framework alignment — which published standards or regulatory frameworks the service category maps to, including NIST CSF, ISO/IEC 27001, CIS Controls, SOC 2, or FedRAMP
- Geographic and sector scope — whether the provider operates nationally, within specific regulated industries (healthcare, finance, defense industrial base), or both
Within each service category, listings are further differentiated by whether the provider operates in offensive security (e.g., red team engagements, threat modeling), defensive security (e.g., identity and access management, firewall and perimeter security), or governance, risk, and compliance (GRC) functions such as cyber risk management and cybersecurity maturity models.
Offensive and defensive categories are treated as distinct classification boundaries. A firm listed under vulnerability management is not automatically cross-listed under incident response unless its documented service scope covers both functions.
What each listing covers
Each individual listing entry includes the following structured elements:
- Entity name and primary service type — the canonical name of the firm, organization, or body and its primary functional category
- Qualification and certification indicators — relevant industry credentials held or required, such as CISSP, CISM, CEH, or vendor-specific certifications from Palo Alto Networks, CrowdStrike, or Microsoft
- Regulatory alignment — which federal or state compliance frameworks the entity's services address, with reference to specific statutes or standards (e.g., 45 CFR Part 164 for HIPAA-covered entities, NIST SP 800-171 for CUI handlers under DFARS clause 252.204-7012)
- Service delivery model — on-site, remote, or hybrid; project-based or ongoing managed service
- Sector specialization — where applicable, the vertical industries served, including financial services (subject to GLBA and FFIEC guidance), healthcare, critical infrastructure sectors defined under Presidential Policy Directive 21 (PPD-21), and federal contractors
Listings covering cloud security providers, for example, include notation of whether the provider holds FedRAMP authorization — a standard administered by the General Services Administration (GSA) that, as of its most recent public dashboard, lists over 300 authorized cloud service offerings. Listings for cybersecurity insurance intermediaries distinguish between carriers underwriting standalone cyber policies and those offering cyber as an endorsement to existing commercial lines.
Geographic distribution
The listing set covers providers operating at national scale within the United States, concentrated in the 5 metropolitan regions with the highest cybersecurity industry employment: the Washington D.C./Northern Virginia corridor, the San Francisco Bay Area, New York City, the Chicago metropolitan area, and the Dallas–Fort Worth region. The Cybersecurity and Infrastructure Security Agency (CISA), headquartered in Arlington, Virginia, identifies critical infrastructure protection as a national function, meaning that providers supporting CISA's 16 critical infrastructure sectors are distributed across all 50 states.
State-level regulatory variation shapes provider specialization in significant ways. California's CPRA (California Privacy Rights Act) and the state's IoT security law (SB-327) create distinct compliance service demand that concentrates certain data loss prevention and mobile device security providers in that market. New York's DFS Cybersecurity Regulation (23 NYCRR Part 500) imposes specific CISO appointment and penetration testing requirements on covered financial entities, driving a measurable concentration of financial-sector cybersecurity providers in the New York City area.
Federal contractor concentration in the D.C. corridor reflects the density of DoD and civilian agency procurement. Providers listed under supply chain security and third-party risk management in that region are disproportionately oriented toward CMMC compliance and the requirements of FAR 52.204-21. Listings for providers serving the energy sector — particularly those addressing OT/ICS security under NERC CIP standards — reflect geographic alignment with utility operations in the Southeast and Midwest rather than major tech hubs.