
Perimeter defenses aren’t enough — Why in-app security and ADR are the future

Contrast Security launched Application Detection and Response (ADR) in August of 2024, and ADR is now a topic in a new Gartner research note. The 2025 Gartner® Implement Effective Application and API Security Controls (accessible to Gartner clients only)*, by William Dupre, discusses today’s complex problem:

As stated by Gartner in their research, “Web applications, mobile applications and APIs are subject to increasing volumes of complex attacks. Security architects responsible for application security must use an appropriate mix of mitigating technologies to secure applications and APIs.”

At Contrast, we agree. Application-layer attacks are happening more than ever, and traditional defenses cannot solve today’s issues alone.

As the Gartner research says, “No single security platform or solution implements the highest level of protection for all of the attack categories. Some organizations will be able to start with a single solution, but will require greater security capabilities over time due to changes in threats and the application landscape.”


In fact, Contrast research shows that Web Application Firewall (WAF) and Endpoint Detection and Response (EDR) solutions miss a significant number of application-layer attacks. Point-in-time scanning technologies like Static Application Security Testing (SAST) and Software Composition Analysis (SCA) create an overwhelming number of false positives, cause slowdowns and lead to exploitable vulnerabilities in production code.

The advice from Gartner is, “Security architects must work with developers, business owners and other architects to determine which security components will be most appropriate for reducing risk. A clear understanding, among all parties, of protection levels and solution options is key. Threat modeling exercises with a diversity of roles will help identify relevant, risk-based controls.”

At Contrast, we agree that the goal is to reduce risk, and we believe the best way to do that is with layered security that includes runtime protection, stopping attacks as they happen. We believe organizations should not expose their applications to the internet without the ability to see how they are attacked in real time. The mix of Application Security (AppSec) testing and ADR creates the best observations, the best workflows and the best security. At Contrast, we put that trove of data into the Contrast Graph to streamline security for developers and operations.

Gartner calls out several technologies, including ADR, stating that “This is a type of web application or API protection solution that monitors and analyzes the runtime behavior of an application to identify and respond to potential attacks. Such solutions have evolved from runtime application self-protection (RASP) products and typically instrument the running application or monitor the underlying kernel to understand system activity.”

After decades of practice, Contrast can say with certainty that instrumenting the running application is the key to a modern AppSec posture. The ADR technology allows organizations to quickly evolve their security: detecting application-layer attacks, responding to them and then remediating the underlying vulnerability with AI assistance.

We believe a WAF alone can be easily bypassed — something that’s also in the Gartner research: “[Consider] ADR or RASP solutions to augment a WAF for exploit protection.”

The full Gartner document can be found here (for Gartner subscribers only). 

Why it matters

In our opinion, the 2025 Gartner report supports our strong case: Application and API security cannot rely solely on perimeter defenses or scanners. Protection must be contextual, responsive, and architecturally aligned with the way modern software is built and deployed.

Contrast ADR delivers on that vision — bridging the gap between detection and response, and arming security teams with the tools they need to stop real attacks in real time.

 * Gartner, Implement Effective Application and API Security Controls, William Dupre, Apr 10, 2025.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Contrast
