The In-App Protection market, once a niche security function confined to banking and finance, is now surging ahead as a frontline defense against a new wave of cyber threats targeting mobile and cloud-native applications. With the ubiquity of remote work, cloud deployments, and app-driven commerce, the role of in-app security has expanded well beyond simple code obfuscation, it now defines an enterprise’s posture against real-time, zero-day exploitation.
In this blog, we explore the SPARK Matrix evaluations for Q1 2023 and Q1 2024, published by Quadrant Knowledge Solutions, with a deep dive into vendor movement across the axes of Technology Excellence and Customer Impact. The following is the analysis of the recent changes, vendor moves, and what the changing landscape implies about application security’s future.
The Cornerstones of Leadership
The 2023 SPARK Matrix report identified Zimperium, Verimatrix, OneSpa, Guardsquare and Lookout as key leaders. However, Built38 and Approov are placed in the lower quadrant of the matrix as the leaders. All provided a comprehensive, multi-level defense strategy with RASP (Runtime Application Self-Protection), code obfuscation, and real-time telemetry, providing well-rounded protection for high-value applications.
Flash forward to 2024, and not only do the same names come back, but some of them have significantly moved their weight around in the quadrant. Promon leapt into the Leader quadrant in 2024, a testament to its stronger enterprise traction and enhanced runtime threat response. Build38 took its advanced RASP and lifecycle control features and made them a market-leading differentiator. Appdome made aggressive gains by emphasizing effortless CI/CD pipeline integration and mobile-first authentication smarts. Meanwhile, Zimperium maintained its dominant position, topping both axes for the second year in a row.
Build38’s rise is no accident. Their investment in Mobile XDR, zero-trust posturing, and granular lifecycle control pushed them from “tech-strong” to “impact-dominant.” It’s not just about how secure the app is. it’s about how fast and intelligently it reacts. Meanwhile, Zimperium’s stability speaks volumes about their grip on mobile-first enterprises, but if they don’t double down on multi-platform adaptability, others will inch closer.
The Rise of Code-Native Champions
Although in 2023 Appdome was recognized for their innovative architectures, 2024 formally declared them mobility-native innovators. Their no-code injection, ThreatScope™, and real-time shutdowns of attacks were game-changers, particularly for high-growth fintechs. Approov, however, saw a reversal of fortune. Once holding a Leader spot in 2023, it dropped into the Strong Contender zone in 2024, showing signs of slowed momentum in innovation or customer traction.
This is not market momentum, it’s a reckoning for established vendors. Platforms that once boasted agent-based security are now playing catch-up with agile, DevSecOps-native upstart. Appdome’s journey is a masterclass in matching the pace of agile application lifecycles, taking security where the code lives, breathes, and breaks.
The Middle-Lane Masters
Digital.ai and Verimatrix held steady in both years, though Verimatrix showed marginal improvement in customer engagement due to its XTD threat platform and flexible SaaS deployments. Digital.ai continues to serve as a comprehensive security layer embedded during app development but hasn’t dramatically shifted either quadrant direction.
They’re not declining. But they’re not surging either. And in a market defined by rapid iteration and real-time telemetry, standing still is nearly the same as moving backward. These vendors need to either infuse AI/ML into detection or bring multi-platform orchestration to the forefront if they want to retain relevance among innovation-hungry buyers.
Guarded Progress: F5, Guardsquare, and Preemptive
While F5 and Guardsquare have technological credibility, particularly for enterprise customers who appreciate integration with existing perimeter defense stacks, their mobility-focused innovation lags behind. uardsquare nudged rightward in 2024, thanks to enhanced SDK support and broader telemetry coverage, but remained within its prior zone. PreEmptive, on the other hand, has a clean, developer-friendly experience but falls short of the aggressive market penetration and advanced threat analytics that define the leaders
Let’s be honest: you can’t treat mobile in-app protection as an afterthought anymore. Security teams want it baked in, not bolted on. Unless these players commit to real-time behavioral analysis and expand their SDK-based defenses, their current quadrant position could easily erode further.
Overlooked Contenders
Promon made a significant leap from Strong Contender in 2023 to Leader in 2024. However, OneSpan slipped out of the Leader quadrant into Strong Contender territory. Jscrambler showed marginal improvement but continued to hover in the lower Strong Contender zone. However, none have cracked the code on scale or standout innovation.
Every SPARK Matrix has its quiet middle. But this group needs a wake-up call. Simply being reliable isn’t enough. They need to bring innovation to market faster, be it through AI detection, hybrid deployment models, or real-time attestation. Status quo is their biggest threat.
A Market on the Brink of Specialization
With AI-driven injection detection, mobile bot protection, and API anomaly detection as baseline requirements, the 2024 SPARK Matrix points to a greater reality: the In-App Protection market is not about providing “some security” anymore, it’s about providing the right security, at the right moment, with precision.
The 2023 vs. 2024 comparison reveals a telling trend: the vendors who have made investments in AI, ML, and automation are up and to the right. Those vendors who didn’t make the leap past old school app hardening are flat-lining or dropping quietly behind.
Why This Analysis Matters
For buyers, this comparison isn’t just about vendor ranking. it’s a strategic lens into who’s innovating, who’s adapting, and who’s still stuck in 2020. For vendors, this is a wake-up call: in a zero-trust, API-first world, your runtime response time is as important as your encryption strength.
If you’re a buyer evaluating in-app protection, this analysis should shape your shortlist. If you’re a vendor and your name hasn’t moved north-east since 2023, it’s time to ask why.
Final Thoughts
The 2024 SPARK Matrix signals a maturing, rapidly stratifying market where real-time response, CI/CD-native integrations, and behavioral protection aren’t “nice-to-haves,” they’re non-negotiable. Leaders like Jscrambler showed marginal improvement but continued to hover in the lower Strong Contender zone. Vetrimatrix, Appdome, Promon, and Zimperium have embraced this truth and accelerated. The rest? It’s time to play catch-up or risk becoming irrelevant.