Vulnerability Risk Management - Forrester


WAVE REPORT

The Forrester Wave™: Vulnerability Risk Management, Q3 2023
The 11 Providers That Matter Most And How They Stack Up
September 19, 2023

Erik Nost
with Merritt Maxim, Angela Lozada, Christine Turley


Summary

In our 28-criterion evaluation of vulnerability risk management (VRM) providers, we identified the most significant ones and researched, analyzed, and scored them. This report shows how each provider measures up and helps security and risk (S&R) professionals select the right one for their needs.

About Forrester Reprints https://go.forrester.com/research/reprints
Vulnerability Risk Management Bolsters Your Proactive Security Program

Vulnerability management is growing up. Less than a decade ago, the norm was for enterprises to slap a vulnerability scanner in their environment, find a bunch of problems, then point fingers when nothing got fixed and/or a common vulnerabilities and exposures (CVE) entry led to a breach. In 2018, Forrester urged a risk-based approach for vulnerability “risk” management so that the unrealistic volume of remediations could be properly prioritized and organizations could stop leaning on common vulnerability scoring system (CVSS) scores, which were meant to determine technical vulnerability severity. Since then, organizations have observed the havoc critical unpatched vulnerabilities like Log4Shell and MOVEit can create. They’ve also expanded their technological footprint (from employees’ homes to the cloud) while new types of threats and vulnerabilities continue to emerge. The definition of vulnerability now includes weaknesses beyond just CVE-defined vulnerabilities, such as identity issues and misconfigurations. To respond to these trends, VRM vendors are detailing how assets relate to one another in an environment and how to prioritize and operationalize remediation efforts.

As a result of these trends, VRM customers should look for providers that:

Provide strong visibility of assets in their environment. Ingesting asset data from other security solutions, such as endpoint detection and response (EDR) or cloud security posture management (CSPM), into your VRM solution is now the norm. Organizations have multiple solutions that contain insights on assets and their security weaknesses. Vulnerability assessments are now commonly provided as part of other security solutions, particularly for endpoint and agent-related tools such as EDR. Organizations have an increasing IoT footprint, and operational technology (OT) environments are converging within IT, leading to a greater need to aggregate info from specialized security tools for a complete picture. Without this holistic view, teams lose confidence that they’re focused on the most important assets and on remediating the riskiest vulnerabilities.

Prioritize remediation efforts. To achieve an accurate reflection of remediation prioritization, customers need to understand the relative business impact of a compromised asset, the threat likelihood of an asset being exploited, and the strength and effectiveness of compensating controls protecting the asset. To gain these insights, many VRM providers recommend asset values, offer threat intelligence, and ingest data from configuration management databases (CMDBs) for asset importance. Fewer vendors integrate with network security solutions such as intrusion prevention systems (IPSes) for compensating control information. Attack path modeling is also now available in some VRM solutions and on the roadmap for several others to provide context on how attackers could exploit various exposures and bypass controls, which can result in a breach.

Complement remediation response. Once organizations know what they have and what should be fixed first, VRM solutions should assist in the response effort. This commonly takes the form of integrating with IT service management (ITSM), with differentiation in the customizability of workflows based on factors important to the organization or remediation automation. Considerations for emergency vulnerability response should be provided upfront with little to no query language to understand impact and provide urgent answers. Some vendors extend vulnerability response into the security operations center (SOC), providing more integrations into SOC workflows and processes.
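The three expectations above describe what a VRM tool does with raw scanner output: combine technical severity with threat likelihood, asset value and compensating-control strength to build a remediation queue, hand each item to an ITSM workflow with an SLA, and answer emergency-response questions without a query language. The Python script below is an added example and is not code from the Forrester report or from any vendor it evaluates; it runs that logic over four constructed findings. The scoring formula, the SLA bands, the ticket fields, the 1-5 asset-value tiers and the CVE-EXAMPLE-* identifiers are all assumptions made for illustration.

```python
"""Risk-based remediation prioritization versus CVSS-only ranking (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one asset (constructed sample data)."""
    finding_id: str
    asset: str
    cve: str                      # placeholder identifiers, not real CVEs
    cvss: float                   # technical severity: CVSS base score, 0-10
    exploit_likelihood: float     # 0-1, from threat intel (e.g. an EPSS-style probability)
    asset_value: int              # 1 (low) .. 5 (crown jewel), e.g. from the CMDB (assumed scale)
    control_effectiveness: float  # 0 (unprotected) .. 1 (fully mitigated by IPS/segmentation)


def risk_score(f: Finding) -> float:
    """Relative risk = severity x threat likelihood x asset importance x residual exposure.

    The residual-exposure term is what compensating controls buy: an effective
    IPS signature or network segmentation shrinks the score even though the
    CVSS base score never changes. Formula is an assumption for illustration.
    """
    residual_exposure = 1.0 - f.control_effectiveness
    return f.cvss * f.exploit_likelihood * f.asset_value * residual_exposure


def cvss_order(findings) -> list:
    """Naive queue: highest CVSS base score first."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def risk_order(findings) -> list:
    """Risk-based queue: highest contextual risk first."""
    return [f.finding_id for f in sorted(findings, key=risk_score, reverse=True)]


def remediation_sla_days(score: float) -> int:
    """Hypothetical SLA bands an ITSM workflow would attach to a ticket."""
    if score >= 20:
        return 7
    if score >= 5:
        return 30
    return 90


def build_ticket(f: Finding) -> dict:
    """Record a VRM tool would push to an ITSM queue (hypothetical schema)."""
    score = risk_score(f)
    return {
        "finding": f.finding_id,
        "asset": f.asset,
        "cve": f.cve,
        "risk_score": round(score, 2),
        "sla_days": remediation_sla_days(score),
    }


def emergency_impact(findings, cve: str) -> list:
    """Zero-query answer to 'where are we exposed to this CVE?', most valuable asset first."""
    hits = [f for f in findings if f.cve == cve]
    return [f.asset for f in sorted(hits, key=lambda f: f.asset_value, reverse=True)]


# Constructed sample: F1 is the scariest CVSS score but sits on a throwaway test VM
# behind an effective control; F2 is a lower CVSS on an unprotected crown-jewel database.
SAMPLE_FINDINGS = [
    Finding("F1", "test-vm-07", "CVE-EXAMPLE-1", 9.8, 0.02, 1, 0.9),
    Finding("F2", "payments-db-01", "CVE-EXAMPLE-2", 7.5, 0.80, 5, 0.0),
    Finding("F3", "vpn-gw-02", "CVE-EXAMPLE-2", 8.1, 0.60, 4, 0.3),
    Finding("F4", "intranet-wiki", "CVE-EXAMPLE-3", 6.5, 0.05, 2, 0.0),
]

if __name__ == "__main__":
    print("CVSS-only queue :", cvss_order(SAMPLE_FINDINGS))
    print("Risk-based queue:", risk_order(SAMPLE_FINDINGS))
    for f in sorted(SAMPLE_FINDINGS, key=risk_score, reverse=True):
        print(build_ticket(f))
    print("Exposed to CVE-EXAMPLE-2:", emergency_impact(SAMPLE_FINDINGS, "CVE-EXAMPLE-2"))
```

Run as-is, the CVSS-only queue starts with F1 and the risk-based queue ends with it: a 9.8 on a low-value test VM with an effective compensating control and negligible exploit likelihood scores under 0.02, while the 7.5 on the unprotected payments database scores 30 and lands a 7-day SLA. That inversion is the practical content of the report's point about leaning on CVSS alone, and the `emergency_impact` lookup is the kind of no-query answer the third expectation asks for.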

Evaluation Summary

The Forrester Wave™ evaluation highlights Leaders, Strong Performers, Contenders, and Challengers. It’s an assessment of the top vendors in the market; it doesn’t represent the entire vendor landscape. You’ll find more information about this market in our reports on The Vulnerability Risk Management Landscape, Q2 2023.

We intend this evaluation to be a starting point only and encourage clients to view product evaluations and adapt criteria weightings using the Excel-based vendor comparison tool (see Figures 1 and 2). Click the link at the beginning of this report on Forrester.com to download the tool.

Figure 1

Forrester Wave™: Vulnerability Risk Management, Q3 2023


Figure 2

Forrester Wave™: Vulnerability Risk Management Scorecard, Q3 2023


Vendor Offerings

Forrester evaluated the offerings listed below (see Figure 3).

Figure 3

Evaluated Vendors And Product Information


Vendor Profiles

Our analysis uncovered the following strengths and weaknesses of individual vendors.

Leaders

Tenable sets the tone for proactive security. Tenable has focused on preventing successful attacks since its Nessus days in the early 2000s. Today’s goal remains the same with a vision of proactively securing growing and dynamic attack surfaces with its Tenable One platform, one of the first to embrace the exposure management categorization. With roadmap items focusing on setting up connectors to ingest third-party sources, its platform aims to further consolidate all cyber risks, asset types, and exposures across the enterprise. Its focus on delivering AI capabilities will further help analysts of all skill levels explore and understand capabilities in their attack path modeling and cyber risk insights. Tenable’s name recognition and early-to-market platform approach of consolidating preventative events supports its superior, persistent vision, which aligns well with the current direction of the market.

Tenable is betting on asset and exposure mapping as the next foundational element of VRM. Combining modeling with exploitability factors, available in its external attack surface management (EASM) and asset context metadata, helps confirm accessibility of assets. The Tenable platform covers a wide array of asset and exposure types, which, when coupled with its in-house threat research team and breadth of exploit threat intel, allows it to predict a range of attack types so teams can be most efficient and effective with proactive security measures. Though Tenable’s scoring lacks intuitive transparency and customization, reference customers cited it and reporting as game changers for how security was viewed and handled within their organization. Tenable is a great fit for firms that want a single book of record for all vulnerability and exposure remediation prioritizations that drive their proactive security program.

Vulcan Cyber’s innovative culture sets it apart from now-common VRM approaches. Founded in 2018, Vulcan Cyber’s approach is similar to many others in the evaluation: consolidate, de-duplicate, and correlate findings to further contextualize risk. Vulcan Cyber’s differentiator is considering a vulnerability’s ripple effects across modern organizations: today, information security team headcount remains static, but more business stakeholders own technology decisions and maintenance. Vulcan Cyber’s differentiated and detailed vision is to democratize risk through self-service, no-code data ingestion and AI data mapping. It’s in the position to deliver on its vision with a strong culture of innovation, evident in vulnerability research such as a recent publication on AI hallucinations, gamified innovation weeks with R&D teams, and freemium versions of its products.

Vulcan Cyber supports a clear and dynamic approach to risk scoring where users can influence the factors of technical severity, threat intel, or asset groups and create custom scripts for their own risk formulas. Asset ownership fields are robust and map to applications as precisely as the organizational reporting structure of who owns what down the chain. It makes remediation recommendations by leveraging attack path graphs, rolling up to critical infrastructure and enterprisewide risk. The solution can ingest homegrown tools and spreadsheets and push updates to CMDBs, although it doesn’t natively support the depth of asset types others in the evaluation do. Reference customers raved about Vulcan Cyber’s customer support as some of the best they’ve ever experienced. Vulcan Cyber is a great fit for organizations that foresee technology ownership expanding throughout their business stakeholders.

Strong Performers

Microsoft’s proactive solution complements the SOC, if you do it the Microsoft way. Microsoft announced Defender Vulnerability Management (MDVM) last year and has since tied it to E5 licensing, yet standalone options are available. Microsoft seeks VRM differentiation via integration with its XDR solution as it anticipates proactive and reactive teams becoming more aligned. Microsoft sees VRM evolving into exposure management, and its roadmap focuses on building out pre-breach capabilities with an experience similar to the SOC. This includes strategic investments to natively inventory assets with a cyber asset attack surface management (CAASM) solution and enhancing recommendations, prioritizations, and automated remediations with AI models. Microsoft is well positioned to pioneer how AI can change VRM teams’ day-to-day responsibilities.

MDVM excels at breaking down details on CVEs, timelines, and news updates and makes remediation recommendations. Defender customers’ remediation prioritization further benefits by factoring in active threats within the environment. VRM teams can block applications when risk boundaries are met and kick off remediations directly into Intune. But users must log into MDVM to manage risk, with few capabilities for tracking outside of Microsoft’s ecosystem, and risk scores are not customizable. Reference customers were mature organizations with novel approaches to reducing attack surface and appreciated Microsoft’s forward-thinking product, but they wished it were more flexible with non-Microsoft integrations. MDVM’s current iteration is a good addition to complement your VRM program, especially if you are already an E5 customer and don’t require custom remediation workflows.

Brinqa is customizable and extensible, but deriving its full value takes time. Brinqa has provided cybersecurity risk posture solutions since 2009. It envisions VRM teams evolving into risk operations centers (ROCs) that operationalize proactive activities to respond to events around decreases in posture the same way a SOC may, which is outlined in detail through its vision. To support its strong vision, Brinqa has increased its focus on cloud and application security as decentralized business units increasingly deploy their own cloud and containerized application environments. While competitors are just beginning to build out connectors, Brinqa offers a large variety. But its roadmap did not detail enhancements to connectors, relying on enterprises to fine-tune, configure, and manage integrations; this provides customization but costs valuable time.

Brinqa’s risk graph ingests an array of customizable risk factors that create risk scores. Customers can create new risk factors and apply them toward defined assets or risk context. Business-ownership mapping is available through identity solutions or ingesting homegrown tools. Exploitability factors are based on what’s provided, so users can provide their own context for risk prioritization like threat intel and controls from IDS/IPS. Reference customers highlighted Brinqa’s flexible and extensible platform but complained about lengthy and complex implementations, which the vendor has acknowledged and worked to address with a recent release. Brinqa is a solid choice for modern enterprises that need to customize unique factors about their environment — especially application development — and incorporate them when operationalizing their VRM program.

Balbix leverages CAASM to calculate risk but needs better remediation orchestration. Balbix launched in 2015 as an AI-driven cybersecurity platform to help organizations make better decisions on dispersed data. It has evolved its vision to improve data visibility with CAASM, speed up vulnerability risk mitigations with VRM, and speak business stakeholders’ language with cyber risk quantification (CRQ). Balbix developed its own CRQ model based on breach impacts and notably avoided factor analysis of information risk (FAIR) models. Balbix is building upon its innovation strategy by leveraging proprietary data such as its own asset fingerprinting. It demonstrates a commitment to R&D, with product/engineering roles accounting for over 60% of staff, 35% of which focus on data science and AI/ML. But it lacked formal adoption methodologies and documentation for DIY implementations.

Balbix has a broad connector strategy in addition to its own scanning capabilities from agents, which can infer SBOM data, and a network analyzer. It has a clean interface that educates various personas across the organization on risk and technical problems arising from vulnerabilities, leveraging breach impact scores senior officials understand. But to remediate vulnerabilities, it lacks automation capabilities through patch and configuration management systems integrations. Reference customers loved the partnership and influence on the roadmap they have with Balbix product teams. Balbix is a good fit for organizations that want to ditch common vulnerability scanners and input data from other security solutions to gain a picture of assets and quantify risk without FAIR models.

NopSec is ideal for teams beginning their VRM transformation. NopSec was founded in 2013 as an offensive security company and evolved into a VRM vendor with plans for an exposure management platform. It originally used predictive intel on vulnerability exploitation as the primary input for proactive measures and now incorporates asset criticality and business context to gain a more complete risk picture. A recent round of funding can support an innovation strategy that includes enhancements from penetration-testing-as-a-service (PTaaS) and breach-and-attack simulation (BAS) vendors and the building of its own attack path mapping and adversarial emulation capabilities. It has a dedicated data science team working on AI models to contextualize remediation recommendations. But NopSec has yet to establish wide brand recognition even though its solution has historically been and continues to be on par with other VRM players.

NopSec’s connector strategy includes a self-described dedication to quality that includes bidirectional functionality. Quality connector integrations provide rapid time-to-value (TTV) for simple implementations, but organizations experienced in vulnerability management that need to bring their own data may find implementations can take longer. For remediation orchestration, NopSec displays provider recommendations that are accessible with some click-throughs, which is below par based on others in the evaluation. Reference customers liked the transparency and indisputable information NopSec displays to remediation teams and business stakeholders. NopSec is a good choice for VRM teams that need to change the status quo for VRM and already have common security tools.

Rapid7 doubles down on a platform approach instead of best-of-breed connectors. Rapid7 has long been known for vulnerability management capabilities with a reputation of supporting the cybersecurity community through open source tools and community research. This translates well to its vision to be a practitioner-first platform. While all others in this evaluation have detailed plans for building out connectors to ingest more data in their solution, Rapid7 primarily focuses on discovery and inventory within its ecosystem. Its detailed roadmap counts on its technology being able to scale and keep up with rapidly evolving customer requirements and the point solutions that address emerging risks and technologies. To further support this vision, Rapid7 introduced a friendly Cloud Risk Complete licensing model, which gives customers easy access to all products within their proactive security suite.

The Rapid7 platform has customizable SOAR integrations that can initiate all sorts of changes, such as killing non-gold images and searching for vulnerable applications and containing them. It provides dashboards and information around how to query celebrity vulnerabilities enriched by robust contributions from its community vulnerability threat research. But asset risk scores in InsightVM are subjective aggregate sums of vulnerability risk scores, which adds confusion to what’s most important and avoids a true risk approach. The company did not demonstrate extensibility and intuitiveness of asset criticality scores during the evaluation. Reference customers did appreciate Rapid7’s no-nonsense licensing and billing. Rapid7 is suitable for organizations that want to consolidate their security suite under one vendor instead of a multivendor best-of-breed strategy.

Qualys goes all-in on vulnerability remediation orchestration. While other VRM vendors intentionally leave remediation processes segregated from VRM solutions, Qualys believes they should be tightly integrated. Its vision recognizes that remediations will only take teams so far; teams also need single-source ecosystems providing unified views of risk. Its prior focus on remediation leaves its product roadmap largely focused on proactive activities already available in other solutions, like EASM, attack path analysis, and cyber risk quantification. But reference customers cited a strong history of delivering on planned enhancements. Qualys’s product suite also allows use case extensibility with add-ons like cybersecurity asset management (CSAM) to support business contextualization and EDR to support VRM and SOC integrations.

Qualys provides lots of remediation customizations like customizing assignment rules into ServiceNow and integrating service-level agreement (SLA) recommendations between ITSMs and Qualys. It can autoresolve tickets when scans validate a remediation and the ticket is still open, meaning users don’t need to wait for the ticket status to change. Qualys is the only solution in this evaluation with native patch management capabilities, albeit as an add-on. Its analyst experience is also top notch, offering seamless, modern UX across the platform. But factors required for enhanced remediation prioritization, such as expanded details on asset criticality, need to be purchased as an add-on like CSAM. Reference customers appreciated the name recognition that comes with Qualys and its ability to deliver on roadmap items. Qualys is a superb fit for organizations that are primarily concerned with automating the vulnerability remediation process.

Contenders

Cisco excels at predicting threat likelihood but lacks a complete risk picture. Kenna’s emphasis on data science was instrumental in transforming the way teams managed vulnerabilities before Cisco acquired it in the summer of 2021. In the spring of 2023, Kenna was rebranded as Cisco Vulnerability Management, after releases focused on Cisco integrations and Kenna’s legacy vision. Cisco’s vision is to expand Kenna’s data science heritage within its existing customer base and suite of security products, especially from Talos threat research. But it initially plans to focus only on vulnerabilities that have CVEs assigned and doesn’t plan to consider the entire attack chain as part of cyber posture. Its roadmap includes improving data ingestion within its ecosystem, optimizing existing and new connectors, and expanding remediation prioritization with asset priorities and compensating controls.

Cisco shines with proactive vulnerability threat intelligence, using proven machine learning to predict the next exploitation of known CVEs. This is particularly helpful when responding to emergency vulnerabilities, as Cisco monitors pre-NVD CVEs ahead of publication and can notify users of exploits before signatures are written. Cisco gives teams easy insight into celebrity vulnerabilities and can show why efforts should be placed elsewhere if necessary. Although Cisco displays superior vulnerability threat intelligence, it lags in other risk indicators like asset relationship mapping and compensating control strength and effectiveness, the latter of which is on its roadmap to improve. Reference customers cited Cisco’s vulnerability intelligence as their primary use case. Cisco is a good fit for organizations that rely primarily on vulnerability threat intelligence for remediation prioritization.

Nucleus Security automates decision trees, but its vision lacks differentiation. Initially funded by the National Security Agency (NSA), Nucleus was born out of US federal government use cases to better prioritize vulnerabilities, eventually launching to the private sector in 2018. It aggregates, contextualizes, and correlates asset and exposure data to provide remediation prioritization. Its strengths lie in providing VRM teams with business context and workflow automation that support an organization’s stakeholder-specific vulnerability categorization (SSVC) strategy. Its management team comes from S&R practitioner backgrounds and is well aware of the problems facing VRM, but even with plans for a threat intelligence product, it has a reactive approach to the market. Its roadmap is focused on enhancing integrations for third parties and threat intelligence as well as reporting.

Nucleus supports business context fields out of the box, which can then be used to build qualitative and quantitative decision trees for risk tolerance guardrails that automatically assign remediations on assets as they’re discovered. Customers can build decision tree-based logic with SSVC using a breadth of inputs including business criticality, data sensitivity, exposure, and compliance risk, which provides strong risk scoring transparency. But factors like exploitability relied heavily on a single threat intel source and lagged on asset location context and attack paths. Reference customers liked the ease of customization, implementation, and extensibility of the current offering. Nucleus is a good choice for organizations that care about business context as part of their remediation prioritization formula and require customized remediation workflows for certain conditions.

Skybox Security provides good insights on prioritization but needs modernizing. Skybox was born in 2002 as an attack emulation vendor but has since evolved that capability to incorporate CAASM and VRM. Its vision recognizes common challenges VRM teams face, like lack of visibility and keeping up with volume. But its solution is to provide a security model that layers network security and policy management with VRM, which differs from typical Forrester client use cases. Details around its roadmap are ambiguous and scattered, broaching exposure management, EASM, and remediation workflow automation. Its roadmap also focuses on the need to modernize its UX and enhance implementation options beyond its usual on-prem deployments.

Skybox’s network-based approach gives it stellar abilities for evaluating the strength and effectiveness of network controls as part of the remediation prioritization strategy in addition to providing inputs for business context. Along with its CAASM, business context insights, simple and explainable risk calculation views, and exploitability context, Skybox provides a suitable solution for organizations that need a better remediation prioritization engine. But it lacks a modern UX and workflows for remediation teams, and implementations are still largely on-prem deployments. Reference customers appreciated how Skybox provides a simplified way of viewing vulnerability risk as well as insights into PCI compliance. Skybox is a good fit for organizations that require an on-premises VRM solution or a VRM solution that provides network security posture insights.

Evaluation Overview

We grouped our evaluation criteria into three high-level categories:

Current offering. Each vendor’s position on the vertical axis of the Forrester Wave graphic indicates the strength of its current offering. Key criteria for these solutions include breadth of offering, remediation orchestration, reporting, and remediation prioritization.

Strategy. Placement on the horizontal axis indicates the strength of the vendors’ strategies. We evaluated vision, roadmap, innovation, partner ecosystem, community, and adoption.

Market presence. Represented by the size of the markers on the graphic, our market presence scores reflect each vendor’s revenue and number of customers.

Vendor Inclusion Criteria

Each of the vendors we included in this assessment has:

Enterprise-class VRM offering and strategy. We included vendors that provide a comprehensive, enterprise-class, standalone VRM solution.

Breadth of offering. The vendors support remediation prioritization and remediation orchestration for multiple asset types, including cloud, endpoint, and on-premises technologies.

Forrester mindshare. The vendors have VRM mindshare with Forrester end-user organizations and vendors. The vendors we evaluated are frequently mentioned in Forrester end-user client inquiries, vendor selection RFPs, shortlists, consulting projects, and case studies. The vendors we evaluated are also frequently mentioned by other vendors during Forrester briefings as viable and formidable competitors.

At least $10 million in annual category revenue. Vendors have an annualized revenue for a standalone VRM product exceeding $10M.

Supplemental Material

Online Resource

We publish all our Forrester Wave scores and weightings in an Excel file that provides detailed product evaluations and customizable rankings; download this tool by clicking the link at the beginning of this report on Forrester.com. We intend these scores and default weightings to serve only as a starting point and encourage readers to adapt the weightings to fit their individual needs.

The Forrester Wave Methodology

A Forrester Wave is a guide for buyers considering their purchasing options in a technology marketplace. To offer an equitable process for all participants, Forrester follows The Forrester Wave™ Methodology to evaluate participating vendors.

In our review, we conduct primary research to develop a list of vendors to consider for the evaluation. From that initial pool of vendors, we narrow our final list based on the inclusion criteria. We then gather details of product and strategy through a detailed questionnaire, demos/briefings, and customer reference surveys/interviews. We use those inputs, along with the analyst’s experience and expertise in the marketplace, to score vendors, using a relative rating system that compares each vendor against the others in the evaluation.

We include the Forrester Wave publishing date (quarter and year) clearly in the title of each Forrester Wave report. We evaluated the vendors participating in this Forrester Wave using materials they provided to us by June 29, 2023, and did not allow additional information after that point. We encourage readers to evaluate how the market and vendor offerings change over time.

In accordance with our vendor review policy, Forrester asks vendors to review our findings prior to publishing to check for accuracy. Vendors marked as nonparticipating vendors in the Forrester Wave graphic met our defined inclusion criteria but declined to participate in or contributed only partially to the evaluation. We score these vendors in accordance with our vendor participation policy and publish their positioning along with those of the participating vendors.

Integrity Policy

We conduct all our research, including Forrester Wave evaluations, in accordance with the integrity policy posted on our website.

© 2024, Forrester Research, Inc. and/or its subsidiaries. All rights reserved.
