BMC Helix Cloud Security Other Solutions Considered

VL
Managing Director at VVL Systems

I don't know if there are other solutions similar to what BMC Helix Cloud Security does today. We are not evaluating others because we haven't found a gap for not using BMC Helix. 

We do some consulting engagements for clients who are evaluating other third parties that come from the vulnerability management space, but they are not cloud security or cloud construct security native. We sometimes do feature-by-feature bake-offs, but they are not really equivalent.

The remediation of vulnerabilities can be a tedious process because you have identification. A lot of companies use standards to identify vulnerabilities, i.e., Nessus, Qualys, and Rapid7, who are great at identifying, but not great at helping operations to fix vulnerabilities. This is because it takes a three-legged stool:

  1. You have to know what is the asset that is actually impacted by the vulnerability. Sometimes, you only have an IP address and don't even have the name of the asset. So, you have to track down where does it reside. Especially in a large enterprise that has multiple sites or data centers that might be in the cloud, where does it reside? 
  2. You have to identify how to remediate the vulnerability. Some vulnerabilities are maybe a patch bought from a vendor, a combination of patches from a vendor (e.g., Microsoft or Red Hat plus an application patch), or a configuration change. You might have to toggle a registry key in addition to applying a patch. Can I actually apply that remediation to the system? Do I have a mechanism to apply at scale? This is where BMC Helix helps. It is able to integrate with a detection system, such as a vulnerability scanner, then understand and get the vulnerability identifiers (the metadata) from those scanners. It is able to associate it with known patches from multiple vendors. They might be Microsoft, Red Hat, IBM, or HPE. BMC can identify and relate the vulnerability to specific actions that vendors have identified from the patches. 
  3. The ability to apply at scale with thousands of endpoints. That remediation to affect the actual vulnerability. In the old days, InfoSec would detect the vulnerability and send a spreadsheet to operations. Now, there is no manual process in-between. It's all automated to the extent that they feel comfortable either fully automated or having a human in the loop for approvals and change management.
JD
VP Cloud Operations at VVL systems

BMC was the first one that we started evaluating. We liked it so much that we stuck with it.

They provided a 14-day free trial for us. We had 14 days to connect to our information, scan it, and get familiar with the tool. It was a nice little treat to take it for a test drive around the block for 14 days.

PK
Governance Test and Compliance Officer at Thales

Yes, we did evaluate other options, and we're still in the process of doing it more. Because everything that I'm reporting to right now is based on our POC that was done with this product.
