Cloud Defense Listings

The Cloud Defense Authority listings index organizes professional service providers, vendors, and specialist firms operating within the cloud security and cyber defense sector across the United States. This page defines what qualifies for inclusion, how verification status is assigned, where known gaps exist in coverage, and how the listing taxonomy is structured. Accurate navigation of this directory depends on understanding those boundaries before interpreting any individual entry.

What listings include and exclude

Listings in this directory represent organizations providing cloud security services as a primary or substantial secondary business function. Qualifying categories include managed detection and response (MDR) providers, cloud forensics firms, incident response retainer services, penetration testing firms with documented cloud-environment competencies, compliance advisory practices, and cloud security architecture consultancies.

Excluded from inclusion are general-purpose IT staffing agencies without a defined cloud security practice, solo practitioners operating outside a registered business entity, and product-only vendors whose offerings carry no associated professional services component. Software-as-a-Service (SaaS) security tools that are not bundled with a human service delivery model do not qualify as service listings under this framework.

The service boundary distinction follows the shared-responsibility model described by the National Institute of Standards and Technology in NIST SP 800-145, which separates infrastructure obligations from service-layer obligations across IaaS, PaaS, and SaaS deployment contexts. Listings are classified against that model to distinguish firms operating at the infrastructure layer from those focused on application-layer or governance-layer services.

Federal contractor eligibility is noted where a listed provider holds a FedRAMP-authorized product or an active authorization to operate (ATO) under NIST SP 800-53 Rev 5 controls. This distinction matters for public-sector procurement decisions, where FedRAMP authorization is a threshold requirement for cloud service providers supplying federal agencies.

Verification status

Listings carry one of 3 verification tiers that indicate the depth of source-checking applied to a given entry.

1. Claimed — The organization submitted its own information. No third-party or documentary confirmation has been applied. Claimed listings reflect the provider's self-reported service scope, certifications, and geographic reach.
2. Cross-referenced — The listing has been matched against at least one named public registry, such as the Cloud Security Alliance (CSA) STAR Registry, the GSA FedRAMP Marketplace, or a state business registration database. Cross-referenced status does not constitute an endorsement.
3. Documented — The listing is supported by verifiable public documentation, including published third-party audit reports, active regulatory certifications (such as ISO/IEC 27001 or SOC 2 Type II), or confirmed federal contract vehicles.

Verification status is displayed at the listing level. Readers conducting due diligence for procurement or compliance purposes should treat even Documented listings as a starting point, not a substitute for direct organizational vetting. The Cloud Defense Directory Purpose and Scope page defines the policy framework governing how status designations are assigned and revised.

Coverage gaps

No directory of this scope achieves uniform coverage across all geographies, firm sizes, and specializations simultaneously. Known structural gaps in these listings include:

• Small and mid-market regional firms — Providers operating below approximately 25 full-time employees in secondary markets are underrepresented relative to their actual market share. Firms in states outside California, Texas, Virginia, and New York are disproportionately concentrated at the Claimed tier due to reduced public registry footprints.
• Emerging specializations — Service categories that crystallized after 2022, including cloud-native application protection platform (CNAPP) advisory services and AI/ML pipeline security consulting, have thinner listing density than legacy disciplines such as perimeter security or compliance auditing.
• Public sector-exclusive providers — Firms whose contracts are predominantly classified or governed by Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 may have limited publicly verifiable information, producing gaps at the Documented tier.
• Incident response retainers — IR retainer providers frequently operate under non-disclosure terms that restrict public disclosure of client engagements, limiting cross-referencing against public case records.

Users identifying unlisted providers that meet the qualification criteria described above can reference the How to Use This Cloud Defense Resource page for the submission and review process.

Listing categories

The directory taxonomy uses 6 primary service categories. Each category maps to a distinct functional role within the cloud security service sector and carries separate qualification criteria.

1. Managed Detection and Response (MDR) — Continuous monitoring, threat detection, and response services delivered against cloud-hosted environments. Providers in this category are expected to demonstrate SIEM integration capability and documented mean time to respond (MTTR) metrics.
2. Incident Response (IR) and Forensics — Firms specializing in post-breach investigation, evidence preservation, and remediation. Alignment with NIST SP 800-61 Rev 2 incident handling phases is the primary qualification standard.
3. Compliance and Audit Advisory — Practices supporting organizations through FedRAMP authorization, HIPAA cloud assessment under HHS guidance, PCI DSS v4.0 scoping, and SOC 2 readiness.
4. Penetration Testing and Red Team Services — Firms conducting adversarial simulation against cloud environments. Relevant practitioner certifications include OSCP (Offensive Security) and GPEN (GIAC).
5. Cloud Security Architecture and Consulting — Advisory firms scoping security reference architectures across IaaS and PaaS environments, including zero-trust network design.
6. Identity and Access Management (IAM) Services — Providers specializing in privileged access management, federated identity, and cloud entitlement review aligned with the NIST NIST SP 800-207 zero-trust architecture guidance.

Providers offering services across 2 or more of these categories are listed under a primary classification with secondary categories noted. Cross-category listings appear in relevant filtered views within the Cloud Defense Listings index.