Qualys, Rapid7 Depart Forrester’s Leaderboard as Data Ingestion Takes Center Stage

Tenable held steady atop Forrester’s vulnerability risk management rankings while Vulcan Cyber broke into the leaders category and Rapid7 and Qualys tumbled from the leaderboard.
The way vendors deliver vulnerability management has lately shifted away from ingesting vulnerability assessment results and performing risk assessments to determine remediation priorities, said Forrester Senior Analyst Erik Nost. Providers instead want to ingest as much data as they possibly can to provide a detailed picture around asset risk and contextualize that with threat intel and compensating controls (see: Inside Look: FDA’s Cyber Review Process for Medical Devices).
“The way that we think about how we conduct vulnerability management has certainly changed quite a bit,” Nost said. “These vendors are really looking for as much data as they can to then provide a prioritization risk picture with a lot of asset centricity around it.”
The vulnerability risk management Forrester Wave replaced the version from fall 2019. Tenable once again received the highest strategy ranking. Vulcan Cyber edged out Microsoft for the second-highest score, and NopSec and Rapid7 tied for the fourth-highest rank. That’s in contrast to 2019, when Tenable narrowly beat Qualys for the highest score and Rapid7 narrowly beat Kenna Security for third.
Vulcan Cyber has brought a strong culture of innovation to the vulnerability risk management market by gamifying the work of R&D teams and offering a freemium version of their product to increase traction with small to midmarket customers, Nost said. Qualys, Rapid7 and Tenable are still catching up when it comes to ingesting third-party data, which Nost said created openings for Vulcan and Nucleus Security.
Tenable also received the highest score from Forrester for its current vulnerability risk management platform, and Balbix, Vulcan Cyber and Brinqa got the second-, third- and fourth-highest rankings, respectively. In 2019, Tenable edged out Rapid7 for the highest current offering ranking, and Digital Defense, NopSec and Qualys received the third-, fourth- and fifth-highest scores, respectively.
Although it lacks the breadth of inputs and third-party integrations that companies such as Vulcan, Nucleus and Brinqa can provide, Tenable has created a holistic offering by taking advantage of strategic M&A to move into markets such as OT and cloud security, Nost said. Tenable’s shift from vulnerability to exposure management has been accompanied by broader coverage within homegrown solutions.
Outside of the leaders, here’s how Forrester sees the vulnerability risk management market:
- Strong Performers: Microsoft, Brinqa, Balbix, NopSec, Rapid7, Qualys
- Contenders: Cisco, Nucleus Security, Skybox Security
In the future, the definition of vulnerabilities will grow to include policy violations or unacceptable libraries that aren’t allowed in the environment through SBOM analysis. Nost also said vulnerability management providers will allow for more customization around risk scores and create an aggregated platform that provides a single pane of glass view similar to what attack surface management vendors offer.
“The classic vulnerability risk management solutions were detecting software vulnerabilities,” Nost said. “OT and IoT have very different use cases and different kinds of risks that are associated with them, which I think you’ll see emerge more and more on this platform.”
How the Vulnerability Management Leaders Climbed to the Top
| Company Name | Acquisition | Amount | Date | 
|---|---|---|---|
| Tenable | Bit Discovery | $43.8 Million | June 2022 | 
| Tenable | Cymptom | $23 Million | February 2022 | 
| Tenable | Alsid | $98.5 Million | April 2021 | 
| Vulcan Cyber | None | N/A | N/A | 
Tenable Looks at Identity, Access to Prioritize Better
Tenable looks at multiple variables that are unique to each organization to provide the context needed beyond the CVE score to effectively prioritize vulnerabilities, said Chief Technology Officer Glen Pendley. The CVE score doesn’t differentiate between system administrators and entry-level workers, and it does not consider that some machines are riskier than others based on which employee is using them, Pendley said.
The Columbia, Maryland-based company has focused on auditing the identity and access control plane to tie who’s using a machine back to the vulnerabilities found on the device, which Pendley said fundamentally changes how people look at prioritization. Tenable has focused both on getting more visibility into internet-facing assets as well as getting needed context via attack surface management to programmatically say what’s going on (see: Tenable to Buy Startup Ermetic for $265M to Safeguard Clouds).
“If there are new and novel use cases that we want to try to solve and account for, we have all the ability in the world to change how we are interacting with the system,” Pendley told ISMG. “There’s nothing stopping us from continuing to innovate because we control both sides of the equation … It’s widely known that we have the best vulnerability management data out there.”
Forrester criticized Tenable for lacking intuitive transparency and customization around its scoring. Pendley said Tenable wants to be more transparent in what criteria the company is using to generate its score, explain qualitatively why a specific vulnerability should be addressed first, and allow customers to apply their own scoring system for benchmarking or grading purposes.
“Today, a lot of it is just, ‘Here’s a number. We came up with the score. Trust us, here’s where it is,’” Pendley said. “This is where generative AI can actually help a lot by being able to dynamically generate an explanation based on the criteria and the things that we report programmatically doing from an ML perspective.”
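To make the idea of context-aware prioritization concrete, here is an added illustration (not Tenable’s or any vendor’s code) of how the same CVSS score can rank differently once who uses the machine, exposure, threat intel and compensating controls are folded in, and how a qualitative explanation can accompany the number. The multipliers, asset names and CVE placeholders are all constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    cve: str                    # placeholder ids below, not real CVEs
    cvss: float                 # CVSS base score as reported by the scanner
    internet_facing: bool       # exposure context from asset inventory / ASM
    user_role: str              # who normally uses the machine: "admin" or "standard"
    exploited_in_wild: bool     # threat-intel context
    compensating_control: bool  # e.g. host isolated or exploit path blocked

# Hypothetical multipliers chosen for this illustration only.
ROLE_WEIGHT = {"admin": 1.5, "standard": 1.0}
EXPOSURE_WEIGHT, INTEL_WEIGHT, CONTROL_WEIGHT = 1.3, 1.4, 0.6

def contextual_score(f: Finding) -> float:  # CVSS adjusted by asset/identity context
    score = f.cvss * ROLE_WEIGHT.get(f.user_role, 1.0)
    if f.internet_facing:
        score *= EXPOSURE_WEIGHT
    if f.exploited_in_wild:
        score *= INTEL_WEIGHT
    if f.compensating_control:
        score *= CONTROL_WEIGHT
    return round(score, 2)

def explain(f: Finding) -> list[str]:  # reasons behind the score, so it is not a black box
    reasons = [f"CVSS base {f.cvss}"]
    if f.user_role == "admin":
        reasons.append("used by a privileged (admin) account")
    if f.internet_facing:
        reasons.append("internet-facing asset")
    if f.exploited_in_wild:
        reasons.append("exploitation reported in the wild")
    if f.compensating_control:
        reasons.append("compensating control in place lowers priority")
    return reasons

def prioritize(findings: list[Finding]) -> list[Finding]:
    return sorted(findings, key=contextual_score, reverse=True)

# Constructed sample: three hosts share the same CVSS 7.5 finding; one isolated host has a 9.8.
SAMPLE = [
    Finding("srv-web-01", "CVE-PLACEHOLDER-A", 7.5, True, "standard", True, False),
    Finding("ws-admin-07", "CVE-PLACEHOLDER-A", 7.5, False, "admin", True, False),
    Finding("ws-hr-22", "CVE-PLACEHOLDER-A", 7.5, False, "standard", True, True),
    Finding("lab-iso-03", "CVE-PLACEHOLDER-B", 9.8, False, "standard", False, True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{contextual_score(f):6.2f}  {f.asset:12} {f.cve}  ({'; '.join(explain(f))})")
```

Run as-is, the admin workstation with the 7.5 finding lands first and the isolated host with the 9.8 finding lands last, which is the ordering a CVSS-only view would invert.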
Vulcan Cyber Brings Attacker Perspective to Risk Scoring
Vulcan Cyber has emphasized risk prioritization as well as tracking and reporting to ensure organizations focus their resources on problems that will make the biggest impact from a risk reduction perspective, said co-founder and Chief Technology Officer Roy Horev. The attack path graph tells the story from an attacker’s view of how they would take a siloed vulnerability and use it to traverse inside the organization, he said.
The company wants to go beyond giving risk scores to vulnerabilities and instead put together a coherent story that ensures attackers aren’t able to get to an organization’s crown jewels, Horev said. Vulcan has double-clicked on the ownership problem, since tickets can be automated only if it’s clear which people are responsible for remediating which vulnerabilities, which requires correlation with assets in the system (see: Tackling Vulnerabilities Qualitatively, Not Quantitatively).
“You do see organizations that choose different tools for different subsets of their organization or different domains. And we do see them even doing that for the same types of assets,” Horev said. “We believe that would prevent them from getting always 100% coverage of the vulnerability domain. I think that would be our biggest differentiator against Tenable.”
Forrester criticized Vulcan Cyber for failing to natively support the depth of asset types that its rivals do. Horev said that in early 2024, Vulcan will roll out capabilities that will allow the company to quickly tap into new cyber domains as they arise without having to focus on or chase new domains themselves.
“We aim to have the platform flexible enough to address any type of assets that would be thrown at us right now or in the future because we know that the cyber domain keeps on evolving,” Horev said. “We aim to support 100% of the vulnerabilities and findings that the security team manages.”
