Vulnerability Risk Management - Forrester
Erik Nost
About Forrester Reprints https://go.forrester.com/research/reprints
Vulnerability Risk Management Bolsters Your Proactive Security Program
Vulnerability management is growing up. Less than a decade ago, the norm was for enterprises to slap a vulnerability scanner in their environment, find a bunch of problems, then point fingers when nothing got fixed and/or a common vulnerabilities and exposures (CVE) entry led to a breach. In 2018, Forrester urged a risk-based approach for vulnerability “risk” management so that the unrealistic volume of remediations could be properly prioritized and organizations could stop leaning on common vulnerability scoring system (CVSS) scores, which were meant to determine technical vulnerability severity. Since then, organizations have observed the havoc critical unpatched vulnerabilities like Log4Shell and MOVEit can create. They’ve also expanded their technological footprint (from employees’ homes to the cloud) while new types of threats and vulnerabilities continue to emerge. The definition of vulnerability now includes weaknesses beyond just CVE-defined vulnerabilities, such as identity issues and misconfigurations. To respond to these trends, VRM vendors are detailing how assets relate to one another in an environment and how to prioritize and operationalize remediation efforts.
As a result of these trends, VRM customers should look for providers that:
Provide strong visibility of assets in their environment. Ingesting asset data from other security solutions,
such as endpoint detection and response (EDR) or cloud security posture management (CSPM), into your
VRM solution is now the norm. Organizations have multiple solutions that contain insights on assets and
their security weaknesses. Vulnerability assessments are now commonly provided as part of other security
solutions, particularly for endpoint and agent-related tools such as EDR. Organizations have an increasing
IoT footprint, and operational technology (OT) environments are converging within IT, leading to a greater
need to aggregate info from specialized security tools for a complete picture. Without this holistic view,
teams lose confidence that they’re focused on the most important assets and on remediating the riskiest
vulnerabilities.
need to understand the relative business impact of a compromised asset, the threat likelihood of an asset
being exploited, and the strength and effectiveness of compensating controls protecting the asset. To gain
these insights, many VRM providers recommend asset values, offer threat intelligence, and ingest data
from configuration management databases (CMDBs) for asset importance. Fewer vendors integrate with
network security solutions such as intrusion prevention systems (IPSes) for compensating control
information. Attack path modeling is also now available in some VRM solutions and on the roadmap for
several others to provide context on how attackers could exploit various exposures and bypass controls,
Complement remediation response. Once organizations know what they have and what should be fixed
first, VRM solutions should assist in the response effort. This commonly takes the form of integrating with IT
service management (ITSM), with differentiation in the customizability of workflows based on factors
response should be provided upfront with little to no query language to understand impact and provide
urgent answers. Some vendors extend vulnerability response into the security operations center (SOC),
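The prioritization factors the report lists (technical severity, threat likelihood of exploitation, business impact of the asset, and the strength of compensating controls) can be combined into one ranking. The script below is an added illustration, not code from Forrester or from any vendor in the evaluation; the weights, the 1-to-5 asset criticality scale, the halving of risk for a covering IPS signature, and the four findings are all constructed assumptions. It shows why the report discourages ranking on CVSS alone: the finding with the highest CVSS lands last once likelihood, impact and controls are factored in.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding on one asset (constructed sample data, not vendor output)."""
    finding_id: str
    asset: str
    cvss: float               # technical severity from the scanner, 0.0-10.0
    exploited_in_wild: bool   # threat intel: exploitation observed
    exploit_available: bool   # threat intel: public exploit code exists
    asset_criticality: int    # business importance from the CMDB, 1 (low) to 5 (crown jewel)
    internet_exposed: bool    # reachability, e.g. from EASM or network data
    ips_signature: bool       # compensating control: an IPS signature covers this CVE


def threat_likelihood(f: Finding) -> float:
    """Likelihood weight for exploitation; the values are assumptions for illustration."""
    if f.exploited_in_wild:
        base = 1.0
    elif f.exploit_available:
        base = 0.6
    else:
        base = 0.2
    # An asset that is not reachable from the internet is less likely to be hit.
    return base if f.internet_exposed else base * 0.5


def business_impact(f: Finding) -> float:
    """Normalize CMDB criticality (1-5) to 0.2-1.0."""
    return f.asset_criticality / 5.0


def control_factor(f: Finding) -> float:
    """A covering IPS signature halves the residual risk (assumed effectiveness)."""
    return 0.5 if f.ips_signature else 1.0


def risk_score(f: Finding) -> float:
    """0-100 risk score: severity x likelihood x impact x residual after controls."""
    score = 100.0 * (f.cvss / 10.0) * threat_likelihood(f) * business_impact(f) * control_factor(f)
    return round(score, 2)


def prioritize(findings: List[Finding]) -> List[str]:
    """Finding IDs ordered by risk score, highest first."""
    return [f.finding_id for f in sorted(findings, key=risk_score, reverse=True)]


def prioritize_by_cvss(findings: List[Finding]) -> List[str]:
    """The naive ordering the report argues against: CVSS alone, highest first."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed findings: A is a critical CVSS on an unexposed, low-value build box;
# B and C are the same actively exploited flaw on two crown-jewel hosts, C behind an IPS;
# D is a medium CVSS with a public exploit on an exposed partner-facing asset.
SAMPLE = [
    Finding("A", "dev-build-01", 9.8, False, False, 1, False, False),
    Finding("B", "payments-api", 7.5, True, False, 5, True, False),
    Finding("C", "payments-api-dr", 7.5, True, False, 5, True, True),
    Finding("D", "partner-portal", 5.3, False, True, 4, True, False),
]

if __name__ == "__main__":
    print("by CVSS:", prioritize_by_cvss(SAMPLE))
    print("by risk:", prioritize(SAMPLE))
    for f in sorted(SAMPLE, key=risk_score, reverse=True):
        print(f.finding_id, f.asset, risk_score(f))
```

Each factor is a separate function so that a team can swap in its own data source (a CMDB feed for criticality, a threat-intel flag for likelihood, an IPS coverage export for controls) without touching the formula, which is the transparency the report says reference customers value in scoring.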
Evaluation Summary
The Forrester Wave™ evaluation highlights Leaders, Strong Performers, Contenders, and Challengers. It’s an
assessment of the top vendors in the market; it doesn’t represent the entire vendor landscape. You’ll find more
information about this market in our reports on The Vulnerability Risk Management Landscape, Q2 2023.
We intend this evaluation to be a starting point only and encourage clients to view product evaluations and
adapt criteria weightings using the Excel-based vendor comparison tool (see Figures 1 and 2). Click the link at
Figure 1
Figure 3
Our analysis uncovered the following strengths and weaknesses of individual vendors.
Leaders
Tenable sets the tone for proactive security. Tenable has focused on preventing successful attacks since its
Nessus days in the early 2000s. Today’s goal remains the same with a vision of proactively securing
growing and dynamic attack surfaces with its Tenable One platform, one of the first to embrace the
exposure management categorization. With roadmap items focusing on setting up connectors to ingest
third-party sources, its platform aims to further consolidate all cyber risks, asset types, and exposures
across the enterprise. Its focus on delivering AI capabilities will further help analysts of all skill levels
explore and understand capabilities in their attack path modeling and cyber risk insights. Tenable’s name
recognition and early-to-market platform approach of consolidating preventative events support its
superior, persistent vision, which aligns well with the current direction of the market.
Tenable is betting on asset and exposure mapping as the next foundational element of VRM. Combining
modeling with exploitability factors, available in its external attack surface management (EASM) and asset
context metadata, helps confirm accessibility of assets. The Tenable platform covers a wide array of asset
and exposure types, which, when coupled with its in-house threat research team and breadth of exploit
threat intel, allows it to predict a range of attack types so teams can be most efficient and effective with
proactive security measures. Though Tenable’s scoring lacks intuitive transparency and customization,
reference customers cited its scoring and reporting as game changers for how security was viewed and handled
within their organization. Tenable is a great fit for firms that want a single book of record for all vulnerability
and exposure remediation prioritizations that drive their proactive security program.
Vulcan Cyber’s innovative culture sets it apart from now-common VRM approaches. Founded in 2018,
Vulcan Cyber’s approach is similar to many others in the evaluation: consolidate, de-duplicate, and
correlate findings to further contextualize risk. Vulcan Cyber’s differentiator is considering a vulnerability’s
ripple effects across modern organizations: today, information security team headcount remains static, but
more business stakeholders own technology decisions and maintenance. Vulcan Cyber’s differentiated
and detailed vision is to democratize risk through self-service, no-code data ingestion and AI data
mapping. It’s in the position to deliver on its vision with a strong culture of innovation, evident in
vulnerability research such as a recent publication on AI hallucinations, gamified innovation weeks with
Vulcan Cyber supports a clear and dynamic approach to risk scoring where users can influence the factors
of technical severity, threat intel, or asset groups and create custom scripts for their own risk formulas.
Asset ownership fields are robust and map to applications as precise as organizational reporting structure
of who owns what down the chain. It makes remediation recommendations by leveraging attack path
graphs, rolling up to critical infrastructure and enterprisewide risk. The solution can ingest homegrown
tools and spreadsheets and push updates to CMDBs, although it doesn’t natively support the depth of
asset types others in the evaluation do. Reference customers raved about Vulcan Cyber’s customer
support as some of the best they’ve ever experienced. Vulcan Cyber is a great fit for organizations that
Strong Performers
Microsoft’s proactive solution complements the SOC, if you do it the Microsoft way. Microsoft announced
Defender Vulnerability Management (MDVM) last year and has since tied it to E5 licensing, yet standalone
options are available. Microsoft seeks VRM differentiation via integration with its XDR solution as it
anticipates proactive and reactive teams becoming more aligned. Microsoft sees VRM evolving into
exposure management and its roadmap focuses on building out pre-breach capabilities with an experience
similar to the SOC. This includes strategic investments to natively inventory assets with a cyber asset
attack surface management (CAASM) solution and enhancing recommendations, prioritizations, and
automated remediations with AI models. Microsoft is well positioned to pioneer how AI can change VRM
MDVM excels at breaking down details on CVEs, timelines, and news updates and makes remediation
threats within the environment. VRM teams can block applications when risk boundaries are met and kick
off remediations directly into Intune. But users must log into MDVM to manage risk, with few capabilities for
tracking outside of Microsoft’s ecosystem, and risk scores are not customizable. Reference customers were
mature organizations with novel approaches to reducing attack surface and appreciated Microsoft’s
forward-thinking product, but they wished it was more flexible with non-Microsoft integrations. MDVM’s
current iteration is a good addition to complement your VRM program, especially if you are already an E5
Brinqa is customizable and extensible, but deriving its full value takes time. Brinqa has provided
cybersecurity risk posture solutions since 2009. It envisions VRM teams evolving into risk operations
centers (ROCs) that operationalize proactive activities to respond to events around decreases in posture
the same way an SOC may, which is outlined in detail through its vision. To support its strong vision, Brinqa
has increased its focus on cloud and application security as decentralized business units increasingly
deploy their own cloud and containerized application environments. While competitors are just beginning
to build out connectors, Brinqa offers a large variety. But its roadmap did not detail enhancements to
connectors, relying on enterprises to fine-tune, configure, and manage integrations; this provides
Brinqa’s risk graph ingests an array of customizable risk factors that create risk scores. Customers can
create new risk factors and apply them toward defined assets or risk context. Business-ownership mapping
is available through identity solutions or ingesting homegrown tools. Exploitability factors are based on
what’s provided, so users can provide their own context for risk prioritization like threat intel and controls
from IDS/IPS. Reference customers highlighted Brinqa’s flexible and extensible platform but complained
about lengthy and complex implementations, which the vendor has acknowledged and worked to address
with a recent release. Brinqa is a solid choice for modern enterprises that need to customize unique factors
about their environment — especially application development — and incorporate them when
Balbix leverages CAASM to calculate risk but needs better remediation orchestration. Balbix launched in
2015 as an AI-driven cybersecurity platform to help organizations make better decisions on dispersed data.
It has evolved its vision to improve data visibility with CAASM, speed up vulnerability risk mitigations with
VRM, and speak business stakeholders’ language with cyber risk quantification (CRQ). Balbix developed its
own CRQ model based on breach impacts and notably avoided factor analysis of information risk (FAIR)
models. Balbix is building upon its innovation strategy by leveraging proprietary data such as its own asset
fingerprinting. It demonstrates a commitment to R&D, with product/engineering roles accounting for over
60% of staff, 35% of which focus on data science and AI/ML. But it lacked formal adoption methodologies
infer SBOM data, and a network analyzer. It has a clean interface that educates various personas across
the organization on risk and technical problems arising from vulnerabilities, leveraging breach impact
scores senior officials understand. But to remediate vulnerabilities, it lacks automation capabilities through
patch and configuration management systems integrations. Reference customers loved the partnership
and influence on the roadmap they have with Balbix product teams. Balbix is a good fit for organizations
that want to ditch common vulnerability scanners and input data from other security solutions to gain a
NopSec is ideal for teams beginning their VRM transformation. NopSec was founded in 2013 as an
offensive security company and evolved into a VRM vendor with plans for an exposure management
platform. It originally used predictive intelligence on which vulnerabilities would be exploited as the primary input for proactive measures
and now incorporates asset criticality and business context to gain a more complete risk picture. A recent
round of funding can support an innovation strategy that includes enhancements from penetration-testing-as-a-service (PTaaS) and breach-and-attack simulation (BAS) vendors and the building of its own attack path mapping
and adversarial emulation capabilities. It has a dedicated data science team working on AI models to
contextualize remediation recommendations. But NopSec has yet to establish wide brand recognition even
though its solution has historically been and continues to be on par with other VRM players.
NopSec’s connector strategy includes a self-described dedication to quality that includes bidirectional
functionality. Quality connector integrations provide rapid time-to-value (TTV) for simple implementations,
but organizations experienced in vulnerability management that need to bring their own data may find
implementations can take longer. For remediation orchestration, NopSec displays provider
recommendations that are accessible with some click-throughs, which is below par based on others in the
evaluation. Reference customers liked the transparency and indisputable information NopSec displays to
remediation teams and business stakeholders. NopSec is a good choice for VRM teams that need to
change the status quo for VRM and already have common security tools.
Rapid7 doubles down on a platform approach instead of best-of-breed connectors. Rapid7 has long been
known for vulnerability management capabilities with a reputation of supporting the cybersecurity
community through open source tools and community research. This translates well to its vision to be a
practitioner-first platform. While all others in this evaluation have detailed plans for building out connectors
to ingest more data in their solution, Rapid7 primarily focuses on discovery and inventory within its
ecosystem. Its detailed roadmap counts on its technology being able to scale and keep up with rapidly
evolving customer requirements and the point solutions that address emerging risks and technologies. To
further support this vision, Rapid7 introduced a friendly Cloud Risk Complete licensing model, which gives
customers easy access to all products within their proactive security suite.
The Rapid7 platform has customizable SOAR integrations that can initiate all sorts of changes, such as
killing non-gold images and searching for vulnerable applications and containing them. It provides
dashboards and information around how to query celebrity vulnerabilities enriched by robust contributions
from its community vulnerability threat research. But asset risk scores in InsightVM are subjective
aggregate sums of vulnerability risk scores, which adds confusion to what’s most important and avoids a
true risk approach. The company did not demonstrate extensibility and intuitiveness of asset criticality
scores during the evaluation. Reference customers did appreciate Rapid7’s no-nonsense licensing and
billing. Rapid7 is suitable for organizations that want to consolidate their security suite under one vendor
Qualys goes all-in on vulnerability remediation orchestration. While other VRM vendors intentionally leave
remediation processes segregated from VRM solutions, Qualys believes they should be tightly integrated.
Its vision recognizes that remediations will only take teams so far; teams also need single-source
ecosystems providing unified views of risk. Its prior focus on remediation leaves its product roadmap
largely focused on proactive activities already available in other solutions, like EASM, attack path analysis,
and cyber risk quantification. But reference customers cited a strong history of delivering on planned
enhancements. Qualys’s product suite also allows use case extensibility with add-ons like cybersecurity
asset management (CSAM) to support business contextualization and EDR to support VRM and SOC
integrations.
Qualys provides many remediation customizations, such as custom assignment rules into ServiceNow and
integrating service-level agreement (SLA) recommendations between ITSMs and Qualys. It can auto-resolve
tickets when scans validate a remediation and the ticket is still open, meaning users don’t need to wait for
the ticket status to change. Qualys is the only solution in this evaluation with native patch management
capabilities, albeit as an add-on. Its analyst experience is also top notch, offering seamless, modern UX
across the platform. But factors required for enhanced remediation prioritization, such as expanded details
on asset criticality, need to be purchased as an add-on like CSAM. Reference customers appreciated the
name recognition that comes with Qualys and its ability to deliver on roadmap items. Qualys is a superb fit
for organizations that are primarily concerned with automating the vulnerability remediation process.
Contenders
Cisco excels at predicting threat likelihood but lacks a complete risk picture. Kenna’s emphasis on data
science was instrumental in transforming the way teams managed vulnerabilities before Cisco acquired it
in the summer of 2021. In the spring of 2023, Kenna was rebranded as Cisco Vulnerability Management,
after releases focused on Cisco integrations and Kenna’s legacy vision. Cisco’s vision is to expand Kenna’s
data science heritage within its existing customer base and suite of security products, especially from Talos
threat research. But it initially plans to focus only on vulnerabilities that have CVEs assigned and doesn’t
plan to consider the entire attack chain as part of cyber posture. Its roadmap includes improving data
ingestion within its ecosystem, optimizing existing and new connectors, and expanding remediation
Cisco shines with proactive vulnerability threat intelligence, using proven machine learning to predict the
next exploitation of known CVEs. This is particularly helpful when responding to emergency vulnerabilities,
as Cisco monitors pre-NVD CVEs ahead of publication and can notify users of exploits before signatures
are written. Cisco gives teams easy insight into celebrity vulnerabilities and can show why efforts should be
placed elsewhere if necessary. Although Cisco displays superior vulnerability threat intelligence, it lags in
other risk indicators like asset relationship mapping and compensating control strength and effectiveness,
the latter of which is on its roadmap to improve. Reference customers cited Cisco’s vulnerability
intelligence as their primary use case. Cisco is a good fit for organizations that rely primarily on
Nucleus Security automates decision trees, but its vision lacks differentiation. Initially funded by the
National Security Agency (NSA), Nucleus was born out of US federal government use cases to better
prioritize vulnerabilities, eventually launching to the private sector in 2018. It aggregates, contextualizes,
and correlates asset and exposure data to provide remediation prioritization. Its strengths lie in providing
VRM teams with business context and workflow automation that support an organization’s stakeholder-
specific vulnerability categorization (SSVC) strategy. Its management team comes from security and risk (S&R) practitioner
backgrounds and is well aware of the problems facing VRM, but even with plans for a threat intelligence
product, it has a reactive approach to the market. Its roadmap is focused on enhancing integrations for
Nucleus supports business context fields out of the box, which can then be used to build qualitative and
quantitative decision trees for risk tolerance guardrails that automatically assign remediations on assets as
they’re discovered. Customers can build decision tree-based logic with SSVC using a breadth of inputs
including business criticality, data sensitivity, exposure, and compliance risk, which provides strong risk
scoring transparency. But factors like exploitability relied heavily on a single threat intel source and lagged
on asset location context and attack paths. Reference customers liked the ease of customization,
implementation, and extensibility of the current offering. Nucleus is a good choice for organizations that
care about business context as part of their remediation prioritization formula and require customized
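The decision-tree approach described for Nucleus (SSVC-style branching on business criticality, data sensitivity, exposure and compliance risk, with the outcome automatically routed to the asset owner) is worth seeing as code, because the point is that every outcome is explainable by the path taken. The following is an added example written for this page, not Nucleus software and not the CERT/CC SSVC reference trees; the branch structure, the four outcomes, the SLA days, the owner queues and the two sample assets are all constructed assumptions. It differs from a weighted score in that no numbers are multiplied: the result is a named action plus a trace of the branches that produced it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    """Business context fields as a CMDB or ownership feed might supply them (constructed)."""
    name: str
    owner_queue: str            # ticket queue of the team that owns the asset
    business_criticality: str   # "low" | "high"
    data_sensitivity: str       # "low" | "high"
    exposure: str               # "internal" | "external"
    compliance_scope: bool      # e.g. in scope for PCI


# Hypothetical remediation SLAs per outcome, in days (None = next maintenance window).
SLA_DAYS: Dict[str, Optional[int]] = {
    "immediate": 3,
    "out-of-cycle": 14,
    "scheduled": 30,
    "defer": None,
}


def mission_impact(asset: Asset) -> str:
    """Collapse three business-context fields into one 'high'/'low' branch value."""
    if (asset.business_criticality == "high"
            or asset.data_sensitivity == "high"
            or asset.compliance_scope):
        return "high"
    return "low"


def decide(exploitation: str, asset: Asset) -> Tuple[str, List[str]]:
    """Walk the decision tree and return (outcome, trace).

    exploitation is the threat-intel state: "none", "poc" (public proof of concept)
    or "active" (exploitation observed). The trace records each branch value so the
    outcome can be explained to the asset owner.
    """
    if exploitation not in ("none", "poc", "active"):
        raise ValueError(f"unknown exploitation state: {exploitation!r}")
    impact = mission_impact(asset)
    trace = [f"exploitation={exploitation}", f"exposure={asset.exposure}", f"impact={impact}"]

    if exploitation == "active":
        if asset.exposure == "external":
            return "immediate", trace
        return ("out-of-cycle" if impact == "high" else "scheduled"), trace
    if exploitation == "poc":
        if asset.exposure == "external" and impact == "high":
            return "out-of-cycle", trace
        return "scheduled", trace
    # exploitation == "none": only an exposed, high-impact asset earns a scheduled fix
    if asset.exposure == "external" and impact == "high":
        return "scheduled", trace
    return "defer", trace


def assign(cve_id: str, exploitation: str, asset: Asset) -> Dict[str, object]:
    """Turn a decision into the ticket a VRM tool would push to the owner's queue."""
    outcome, trace = decide(exploitation, asset)
    return {
        "cve": cve_id,
        "asset": asset.name,
        "queue": asset.owner_queue,
        "action": outcome,
        "sla_days": SLA_DAYS[outcome],
        "why": " -> ".join(trace),
    }


# Constructed sample assets; CVE IDs below are placeholders, not real entries.
CARDHOLDER_API = Asset("cardholder-api", "payments-platform", "high", "high", "external", True)
INTRANET_WIKI = Asset("intranet-wiki", "corp-it", "low", "low", "internal", False)

if __name__ == "__main__":
    for cve, state, asset in [("CVE-PLACEHOLDER-1", "active", CARDHOLDER_API),
                              ("CVE-PLACEHOLDER-2", "none", INTRANET_WIKI)]:
        print(assign(cve, state, asset))
```

The `why` field is what gives a tree like this its scoring transparency: a remediation owner who disputes a ticket can see exactly which business-context value pushed the finding into an out-of-cycle or immediate bucket, and the tree can be re-run with corrected context if a CMDB field was wrong.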
Skybox Security provides good insights on prioritization but needs modernizing. Skybox was born in 2002
as an attack emulation vendor but has since evolved that capability to incorporate CAASM and VRM. Its
vision recognizes common challenges VRM teams face, like lack of visibility and keeping up with volume.
But its solution is to provide a security model that layers network security and policy management with
VRM, which differs from typical Forrester client use cases. Details around its roadmap are ambiguous and
scattered, broaching exposure management, EASM, and remediation workflow automation. Its roadmap
also focuses on the need to modernize its UX and enhance implementation options beyond its usual on-
prem deployments.
Skybox’s network-based approach gives it stellar abilities for evaluating the strength and effectiveness of
network controls as part of the remediation prioritization strategy in addition to providing inputs for
business context. Along with its CAASM, business context insights, simple and explainable risk calculation
views, and exploitability context, Skybox provides a suitable solution for organizations that need a better
remediation prioritization engine. But it lacks a modern UX and workflows for remediation teams, and
implementations are still largely on-prem deployments. Reference customers appreciated how Skybox
provides a simplified way of viewing vulnerability risk as well as insights into PCI compliance. Skybox is a
good fit for organizations that require an on-premises VRM solution or a VRM solution that provides
Evaluation Overview
Current offering. Each vendor’s position on the vertical axis of the Forrester Wave graphic indicates the
strength of its current offering. Key criteria for these solutions include breadth of offering, remediation
Strategy. Placement on the horizontal axis indicates the strength of the vendors’ strategies. We evaluated
Enterprise-class VRM offering and strategy. We included vendors that provide a comprehensive,
Breadth of offering. The vendors support remediation prioritization and remediation orchestration for
Forrester mindshare. The vendors have VRM mindshare with Forrester end-user organizations and
vendors. The vendors we evaluated are frequently mentioned in Forrester end-user client inquiries, vendor
selection RFPs, shortlists, consulting projects, and case studies. The vendors we evaluated are also
frequently mentioned by other vendors during Forrester briefings as viable and formidable competitors.
At least $10 million in annual category revenue. Vendors have an annualized revenue for a standalone
Supplemental Material
Online Resource
We publish all our Forrester Wave scores and weightings in an Excel file that provides detailed product
evaluations and customizable rankings; download this tool by clicking the link at the beginning of this report on
Forrester.com. We intend these scores and default weightings to serve only as a starting point and encourage
A Forrester Wave is a guide for buyers considering their purchasing options in a technology marketplace. To
offer an equitable process for all participants, Forrester follows The Forrester Wave™ Methodology to evaluate
participating vendors.
In our review, we conduct primary research to develop a list of vendors to consider for the evaluation. From
that initial pool of vendors, we narrow our final list based on the inclusion criteria. We then gather details of
product and strategy through a detailed questionnaire, demos/briefings, and customer reference
surveys/interviews. We use those inputs, along with the analyst’s experience and expertise in the marketplace,
to score vendors, using a relative rating system that compares each vendor against the others in the
evaluation.
We include the Forrester Wave publishing date (quarter and year) clearly in the title of each Forrester Wave
report. We evaluated the vendors participating in this Forrester Wave using materials they provided to us by
June 29, 2023, and did not allow additional information after that point. We encourage readers to evaluate how
In accordance with our vendor review policy, Forrester asks vendors to review our findings prior to publishing
to check for accuracy. Vendors marked as nonparticipating vendors in the Forrester Wave graphic met our
defined inclusion criteria but declined to participate in or contributed only partially to the evaluation. We score
these vendors in accordance with our vendor participation policy and publish their positioning along with those
Integrity Policy
We conduct all our research, including Forrester Wave evaluations, in accordance with the integrity policy
© 2024, Forrester Research, Inc. and/or its subsidiaries. All rights reserved.