Security Posture as a Service (SPaaS): What It Is, What It Isn't, and Who's Actually Selling It
Jeff Sowell · 2026-04-20 · Security Strategy
Security Posture as a Service (SPaaS) defined: the six components every real offering must deliver, who's selling it today, and why the platform decides the economics.
What Security Posture as a Service actually means
Security Posture as a Service — SPaaS — is an emerging managed-service category where a provider continuously assesses, reports on, and improves a client's security posture across frameworks, controls, risks, vulnerabilities, and policies. It's delivered on an ongoing subscription rather than as a one-time audit engagement or a tool license.
The buyer is usually a 50-to-500-person company with a real compliance obligation but no in-house CISO. They want someone to own security posture as a monthly line item — the same way they already outsource MDR, IT support, or payroll. In return they get continuous framework status, a live risk register, evidence collected automatically from their stack, policies kept current, and a report their board can actually read.
The short version: SPaaS turns security posture from an annual project into a monthly service.
Where the SPaaS term came from
"Security Posture as a Service" didn't emerge from a Gartner quadrant or a NIST publication. It arrived from two directions at once.
From the left — posture and ASM vendors. Attack Surface Management tools (Cyble, CYE, Cycognito) started framing their offerings as posture services when customers pushed for ongoing delivery rather than scan reports. The "aaS" suffix was natural marketing gravity.
From the right — MSSPs extending beyond MDR. Providers like Arctic Wolf, Expel, eSentire, and hundreds of regional MSSPs spent the last five years scaling MDR revenue. Clients loved the monthly detection outcome, and increasingly asked: *can you also tell me whether we're secure, not just whether we're under attack?* That's posture. MSSPs extended their service lines accordingly.
Both groups arrived at roughly the same offering through different doors. The category name hasn't settled. Most providers label their version "Managed Compliance," "Continuous Compliance Monitoring," "vCISO-as-a-Service," or "Managed Security Program" — all neighbors to SPaaS, and in practice often identical.
What Security Posture as a Service is NOT
Before defining what SPaaS includes, it's worth being sharp about what it excludes. A lot of vendors stretch the label.
SPaaS is not CSPM. Cloud Security Posture Management tools scan cloud configurations. They don't deliver framework compliance, policy authorship, or risk decisions.
SPaaS is not GRC software. A GRC platform is a tool. SPaaS is a service. Drata and Vanta are GRC platforms; a consultancy that delivers SOC 2 readiness on top of Drata is arguably selling SPaaS.
SPaaS is not a dashboard service. A portal with a posture score and a monthly PDF isn't SPaaS unless there's a practitioner behind it with accountability for the outcome.
SPaaS is not MDR with compliance reports bolted on. An analyst watching for alerts isn't the same as a program owner accountable for your Security Risk Analysis or your Statement of Applicability.
SPaaS is not vCISO by another name — but it's the closest