InfoSec Listings

The InfoSec Listings section of this directory catalogs cybersecurity service providers, practitioners, firms, and specialized resources operating within the United States information security sector. This page describes how the listing architecture is structured, what categories are represented, the standards applied to maintain accuracy, and how listings function as one component within a broader professional research process. For background on the scope and purpose of this directory, see InfoSec Directory Purpose and Scope.


Coverage gaps

No directory operating at national scale captures the full population of active infosec service providers at any given point. The cybersecurity workforce gap in the United States was estimated at approximately 500,000 unfilled positions as of 2023 (ISC2 Cybersecurity Workforce Study 2023), reflecting a sector that expands faster than credentialing and firm registration records can track. Independent practitioners, boutique consultancies operating under general LLC registrations, and government contractors operating under federal classification constraints all represent structurally undercountable segments.

Three specific coverage gaps are documented here:

  1. Federal and defense-sector contractors — Firms whose primary work falls under DFARS 252.204-7012 or operates within classified environments may not appear in commercial directory listings regardless of their active status.
  2. Solo practitioners without public-facing business registrations — Independent consultants holding certifications such as CISSP, CEH, or OSCP but operating without distinct firm identity are inconsistently indexed.
  3. Emerging subspecialties — Service categories tied to recent NIST frameworks, such as those structured around the NIST Cybersecurity Framework 2.0 Govern function added in 2024, may not yet have a dedicated listing category with sufficient population density to be meaningful.

Researchers relying solely on any single directory — including this one — for vendor or practitioner population estimates should treat the results as a sampled subset, not a census.


Listing categories

Listings are organized across five primary classification boundaries that reflect distinct service delivery models and professional scopes within the infosec sector:

  1. Managed Security Service Providers (MSSPs) — Organizations delivering continuous monitoring, threat detection, and incident response under contracted SLAs. MSSPs operate under FTC data security expectations and, where healthcare clients are involved, under HHS HIPAA Security Rule requirements (45 CFR Part 164).
  2. Penetration Testing and Red Team Firms — Firms conducting authorized offensive security assessments. Relevant credentialing frameworks include PTES (Penetration Testing Execution Standard) and certifications mapped to NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment).
  3. Compliance and Audit Consultancies — Practitioners and firms specializing in control assessments against frameworks including SOC 2, ISO/IEC 27001, and FISMA. FISMA compliance obligations are defined under 44 U.S.C. § 3551 et seq. and administered through OMB and CISA guidance.
  4. Identity and Access Management (IAM) Specialists — Providers focused on authentication infrastructure, privileged access management, and directory services security. The NSA's advisory on detecting and preventing Active Directory compromises (NSA CSI Advisory) frames the threat environment this subspecialty addresses.
  5. Security Awareness and Training Providers — Organizations delivering workforce training programs, phishing simulations, and compliance education. The FFIEC IT Examination Handbook — Information Security (FFIEC) references employee training as a required control element for financial institutions.

The distinction between categories 1 and 3 is operationally significant: MSSPs maintain ongoing operational relationships with client environments, while compliance consultancies perform bounded point-in-time assessments. Conflating the two leads to misaligned vendor selection.


How currency is maintained

Listing accuracy depends on a combination of structured intake criteria and periodic review cycles. Providers listed in this directory are expected to meet baseline verifiability standards at time of submission, including:

Regulatory changes affecting listing status include shifts in CISA's Known Exploited Vulnerabilities (KEV) catalog posture, updates to NIST SP 800-series publications, and periodic revisions to sector-specific mandates from agencies including HHS, FFIEC, and the SEC (which adopted cybersecurity disclosure rules under 17 CFR Parts 229 and 249 in 2023).

Listings flagged for stale data — including firms that have undergone acquisition, rebranding, or ceased operations — are marked pending review rather than removed immediately, to preserve research continuity for users tracking market consolidation patterns.


How to use listings alongside other resources

Listings function as a navigational layer, not a qualification layer. A listing entry establishes that a provider exists, operates in a defined category, and met intake criteria at a specific review point. It does not constitute an endorsement, a compliance certification, or a security assessment of the listed firm itself.

Professional researchers and procurement teams using this directory will typically cross-reference listings against:

For guidance on integrating this directory with other infosec research tools and evaluating provider credentials, see How to Use This InfoSec Resource. For a complete explanation of what this directory does and does not cover at the sector level, the InfoSec Directory Purpose and Scope page provides the authoritative scope definition for this property.
