Endor Labs Recognized by Gartner® in the 2026 Hype Cycle™ for Platform Engineering

Endor Labs has been recognized as a Representative Vendor in the 2026 Gartner® Hype Cycle™ for Platform Engineering under Software Supply Chain Security

Written by
Andrew Stiefel
Published on
May 21, 2026
Updated on
May 21, 2026

We're excited to share that Endor Labs has been named a Representative Vendor in the Gartner® Hype Cycle™ for Platform Engineering, 2026, inside the Software Supply Chain Security category. We see this as validation of a core thesis we've held since day one: securing the modern software development lifecycle (SDLC) is a foundational platform engineering capability, not a bolt-on security tool.

We founded Endor Labs to solve a structural math problem in software engineering. Our premise was simple: developers would inevitably consume exponentially more third-party code than they could ever write or manually audit. As a result, the vulnerability backlog would scale exponentially, outpacing the capacity of enterprise AppSec teams to fix them.

Today, the rise of AI coding assistants and autonomous agents has turned that prediction into a daily operational reality.

The Shift: Supply Chain Security in the Agentic Era

Internal Developer Platforms (IDPs) have become the connective tissue between engineering velocity and organizational guardrails. In an engineering-first organization, security cannot exist as a disruptive gating mechanism at the end of the CI/CD pipeline; it has to be natively baked into the platform architecture.

This is especially critical now that AI has compressed the time-to-exploit window. Attackers are using generative models to automate malware creation and discover zero-days faster than ever, while developers are rapidly importing unvetted code suggestions, autonomous dependencies, and Model Context Protocol (MCP) servers into internal toolchains.

When the threat model shifts from deterministic human workflows to non-deterministic agentic ones, traditional AppSec paradigms completely break down. Securing the modern SDLC is no longer about running a static SAST checkbox or parsing a flat, contextless SBOM. It requires continuous, graph-based governance across source code, dependencies, CI/CD infrastructure, secrets, and the AI agents acting on behalf of your team.

Built for Context: Function-Level Reachability and Upgrade Impact Analysis

The architecture of Endor Labs is built on a simple premise: engineering and security teams need evidence to act decisively. Instead of inundating teams with isolated, context-blind alerts, our code context graph maps code, call paths across direct and transitive dependencies, container layers, pipeline configurations, and infrastructure across multiple repos and services.

This deep semantic understanding allows us to solve the exact problems we set out to tackle at our founding:

  • Function-level reachability: Traditional Software Composition Analysis (SCA) flags a vulnerability if a package exists in your package.json or pom.xml. Endor Labs goes deeper, analyzing the abstract syntax tree (AST) and call graph across both direct and transitive dependencies to determine whether your application actually invokes the specific vulnerable function. If the code path isn't reachable, it's not exploitable in your environment, which allows platform teams to instantly deprioritize on average 92% of vulnerability noise.
  • Upgrade impact analysis: When a vulnerability is reachable from your code, the fix shouldn't break the build. Endor Labs performs impact analysis across your dependency graph before an upgrade is initiated. We show engineers exactly which downstream APIs or breaking changes will be triggered by a patch, turning a blind upgrade into a predictable engineering task.

And when you can't upgrade safely, we offer tested and validated patches that backport community-vetted security fixes and apply them to your current version without introducing breaking changes.
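The reachability idea above can be made concrete with a breadth-first search over a call graph. The following is an added illustration, not Endor Labs' code or data model: it assumes a constructed call graph whose edges run from caller to callee, with symbols written as "package.function", and a constructed list of advisories with placeholder IDs. Starting from the application's entry points, it finds which advisories' vulnerable functions are actually on a call path and reports that path as evidence; everything else is the "noise" the text describes.

```python
from collections import deque

# Constructed call graph (assumption, not real project data). Keys are callers,
# values are the functions they call, including calls into dependencies.
CALL_GRAPH = {
    "app.main": ["app.handle_request", "yamlkit.safe_load"],
    "app.handle_request": ["httpkit.parse_headers", "app.render"],
    "app.render": ["templ.escape"],
    "httpkit.parse_headers": ["httpkit.split_lines"],
    "yamlkit.safe_load": ["yamlkit.parse_scalar"],
    # Shipped in the dependencies but never called from application code:
    "yamlkit.load": ["yamlkit.construct_object"],
    "httpkit.parse_cookies": ["httpkit.split_lines"],
}

# Constructed advisories: (placeholder advisory id, vulnerable function).
ADVISORIES = [
    ("ADV-EXAMPLE-1", "yamlkit.construct_object"),  # only under yamlkit.load
    ("ADV-EXAMPLE-2", "httpkit.split_lines"),       # reached via parse_headers
    ("ADV-EXAMPLE-3", "httpkit.parse_cookies"),     # never called by the app
]

# Application entry points (assumption: the roots of the search).
ROOTS = ["app.main"]


def call_path(graph, roots, target):
    """Return the shortest caller chain from any root to target, or None."""
    parents = {root: None for root in roots}
    queue = deque(roots)
    while queue:
        fn = queue.popleft()
        if fn == target:
            path = []
            while fn is not None:          # walk back to the root
                path.append(fn)
                fn = parents[fn]
            return list(reversed(path))
        for callee in graph.get(fn, ()):
            if callee not in parents:      # first visit wins (BFS = shortest)
                parents[callee] = fn
                queue.append(callee)
    return None


def triage(graph, roots, advisories):
    """Split advisories into reachable (with evidence path) and unreachable."""
    reachable, unreachable = [], []
    for adv_id, vuln_fn in advisories:
        path = call_path(graph, roots, vuln_fn)
        if path:
            reachable.append((adv_id, path))
        else:
            unreachable.append(adv_id)
    return reachable, unreachable


if __name__ == "__main__":
    hits, noise = triage(CALL_GRAPH, ROOTS, ADVISORIES)
    for adv_id, path in hits:
        print(f"{adv_id}: reachable via {' -> '.join(path)}")
    print("deprioritized:", noise)
```

The path returned for a reachable finding is what makes the result actionable: an engineer can see exactly which application function leads into the vulnerable dependency code, rather than only being told that a package version is present.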

Engineering-First Security at Platform Scale

This graph-based model drives the broader capabilities modern platform teams are deploying today across both human and AI-generated code surfaces:

  • Agent Governance (MCPs & Models): As teams integrate Cursor, Copilot, and custom autonomous agents, Endor Labs maps and governs the AI attack surface. We provide visibility into agent behavior and which MCP servers, tools, and LLM models are active, allowing platform teams to enforce policy gates before unvetted components access internal codebases.
  • Package Firewall: We scan every newly uploaded package to npm, PyPI, and other ecosystems and flag emerging malware campaigns in under 10 minutes, and block agents and developers from downloading malicious packages before they hit a local machine or a CI runner.
  • GitHub Actions Hardening: CI/CD pipelines are high-value targets for software supply chain attacks. Endor Labs continuously analyzes pipeline configurations for structural risks, third-party marketplace action vulnerabilities, and overly permissive OIDC or repository tokens.

What's Next on the Roadmap

Platform engineering is moving into its strategic phase, just as the underlying supply chain is only growing more complex. Over the next year, our engineering focus is directed at the frontiers of platform engineering: securing semi-autonomous cloud agent pipelines, extending remediation deeper into the container artifact, and expanding our security tool sets for agents.

The core mission remains unchanged: give engineering and security teams the context to know exactly what is running in their environment, the policy engines to govern it, and the automation to fix issues quickly while staying out of the developer's way.

Want to see how Endor Labs maps and secures the modern software supply chain? Request a technical demo.

Disclaimer

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and HYPE CYCLE is a registered trademark of Gartner, Inc. and/or its affiliates and are used herein with permission. All rights reserved.