Applications

Software, SaaS, APIs, and code. The row where shadow IT lives and where detection coverage degrades fastest.

Applications is the second original Cyber Defense Matrix row, covering internally developed software, commercial apps, SaaS platforms, APIs, and the code that produces them. In modern stacks it is the row where shadow deployments accumulate fastest and where detection coverage historically lags — application logs are notoriously under-ingested relative to endpoint and network telemetry.

Scope of the Applications row

Applications includes every software artifact the business runs on: SaaS apps (Salesforce, Workday, ServiceNow, Slack, M365, Google Workspace), internally developed web and mobile applications, commercial on-prem software, APIs (internal and external), and the CI/CD pipelines and source code that produce the above. In CDM 2.0 the AI/ML asset row is separate — custom ML models sit there, not on Applications, because their security profile is genuinely different.

The row does not include the compute that hosts the applications (Devices or Cloud depending on architecture), the network paths between them (Networks), or the data they process (Data). A single incident usually touches multiple rows simultaneously — an application-layer attack that exposes customer data is an Applications incident with Data impact.

Tooling per function column

GOVERN × Applications covers application ownership, software asset management, SaaS lifecycle governance, and secure-development policies. Tools: Zylo, Productiv, Torii for SaaS governance; PolicyIQ, Apptega, or GRC modules for SDLC policy.

ANTICIPATE × Applications is light — app-layer threat intel tends to be embedded in other feeds rather than standalone.

IDENTIFY × Applications is big: application inventory, SaaS discovery, API discovery (Salt, Akamai API Security (formerly Noname), Traceable, Wallarm), and SBOM management (Anchore, Chainguard, Snyk).

PROTECT × Applications covers WAF (Cloudflare, Fastly, F5, Akamai, Imperva), RASP, API security gateways, DAST/SAST in the pipeline, and SaaS-native security configuration (SSPM: AppOmni, Obsidian, Valence).

DETECT × Applications is the weakest cell. Application logs exist but are rarely ingested at useful granularity, and app-layer anomaly detection is immature.

RESPOND × Applications is mostly ticket-driven — there is no dominant tool category.

RECOVER × Applications is handled by deployment tooling (Kubernetes rollback, feature flags, CI/CD rollback procedures) and data-side backup.

SaaS as a first-class application problem

For most organizations, SaaS now accounts for more of the Applications attack surface than internally developed software. The SaaS security posture management (SSPM) category emerged in the last five years to address the gap — platforms like AppOmni, Obsidian, Valence, and Adaptive Shield assess configuration drift, over-permissive sharing, and third-party app OAuth grants across the SaaS estate. A program with strong internal-app security and no SSPM has an Applications row that is green in cells that do not reflect the modern risk surface.

The 'You Already Own the Fix' pattern on SaaS: organizations buying a full Okta or Entra tenant rarely enable the SaaS-governance features (access certifications, lifecycle automation, app-specific policies) they are paying for. These features require configuration investment but not new tool spend.

API security as its own concern

APIs have become their own security discipline. The traditional WAF + perimeter model does not cover the volume, variety, and authentication complexity of modern API estates. Dedicated API-security platforms (Salt, Traceable, Akamai API Security, Wallarm) discover undocumented APIs, detect business-logic abuse, and enforce authentication policies at the API layer. For organizations with externally exposed APIs, this is the single biggest under-investment cell on the Applications row.
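The discovery idea described above, in its simplest form, as an added example that is not code from this page or from any of the vendors named: it compares routes seen in gateway logs against a documented inventory and flags undocumented ones, noting which answered successfully without an authenticated principal. The log format, the inventory, and all names are constructed assumptions.

```python
import re

# Constructed inventory: (method, path template) pairs as an API spec would list them.
DOCUMENTED = {
    ("GET", "/v1/orders/{id}"),
    ("POST", "/v1/orders"),
    ("GET", "/v1/customers/{id}"),
}

# Constructed gateway log lines: client, principal ("-" = unauthenticated), request, status.
SAMPLE_LOG = """\
203.0.113.7 svc-web "GET /v1/orders/1842 HTTP/1.1" 200
203.0.113.7 svc-web "POST /v1/orders HTTP/1.1" 201
198.51.100.9 - "GET /v1/customers/77 HTTP/1.1" 401
198.51.100.9 - "GET /internal/export/customers?format=csv HTTP/1.1" 200
198.51.100.9 - "GET /internal/export/customers?format=json HTTP/1.1" 200
203.0.113.7 svc-web "DELETE /v2/orders/9f1c2b7e-3d4a-4e5f-8a6b-0c1d2e3f4a5b HTTP/1.1" 204
not a log line
"""

LINE = re.compile(r'^(\S+) (\S+) "([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})$')
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$")

def template(path):
    """Drop the query string and replace numeric or UUID segments with {id}."""
    parts = path.split("?", 1)[0].split("/")
    return "/".join("{id}" if ID_SEGMENT.match(p) else p for p in parts)

def undocumented_endpoints(log_text, documented):
    """Map each (method, template) missing from the inventory to its hit counts."""
    findings = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        _client, principal, method, path, status = m.groups()
        key = (method, template(path))
        if key in documented:
            continue
        entry = findings.setdefault(key, {"hits": 0, "unauth_success": 0})
        entry["hits"] += 1
        if principal == "-" and status.startswith("2"):
            entry["unauth_success"] += 1  # served without an authenticated caller
    return findings

if __name__ == "__main__":
    for (method, route), stats in sorted(undocumented_endpoints(SAMPLE_LOG, DOCUMENTED).items()):
        print(method, route, stats)
```

Findings with a non-zero `unauth_success` are the ones to triage first, since they are both outside the inventory and reachable without credentials.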

Frequently asked

Is SaaS on the Applications row or the Cloud row?

SaaS sits on Applications. The Cloud row is for cloud workloads you operate (IaaS, PaaS, containers, serverless). SaaS is application software you consume. Salesforce, Workday, and M365 are Applications; the AWS account running your custom microservices is Cloud.

Where does source code security fit?

On Applications. Source-code scanning (SAST), dependency scanning (SCA), secret detection, and pipeline security (Snyk, GitHub Advanced Security, GitLab Ultimate, Semgrep, Chainguard, Sonatype) all secure the software that ends up as Applications. CI/CD pipeline compromise is an Applications incident.

Is a WAF a PROTECT × Applications tool?

Yes. Cloudflare, Fastly, F5 ASM, Akamai Kona, Imperva — all primarily PROTECT × Applications, with secondary coverage on DETECT × Applications through attack telemetry. Modern edge platforms also contribute to PROTECT × Networks, but the canonical home is Applications.

Is an AI-powered chatbot (e.g., a Copilot) on Applications or AI/ML?

The consumer-grade integration sits on Applications (the product you use). The model behind it sits on AI/ML. If you are securing prompt flows, model outputs, and training data, you are working the AI/ML row. If you are securing authentication, access, and audit logs for the chatbot product, you are working Applications.