Hype Cycle for Security Operations, 2025

ARCHIVED
23 June 2025 - ID G00830791 - 114 min read
By Jonathan Nunez, Darren Livingstone
Security operations technology and services defend IT/operational technology systems, cloud workloads, applications and other digital assets from attack by identifying threats and exposures. This Hype Cycle helps security and risk management leaders strategize and implement SecOps capabilities and functions.

Analysis


What You Need to Know

Organizations are investing in new cybersecurity capabilities to strengthen their defences. At the same time, they are demanding greater performance and value from their existing tools and services to address an increasingly complex and expansive threat landscape. Cybersecurity leaders must prioritize the development of adaptive security programs that can rapidly detect and mitigate threats. These programs should also enable precise response capabilities to protect increasingly complex and distributed infrastructure. Both new solutions and existing solutions are being enhanced with AI, to deliver improved performance and increased throughput.

The Hype Cycle

The importance of taking a proactive approach to security operations continues to be a key strategic change for organizations that have highly complex environments, especially those that have chosen to implement a cloud-first strategy. This year’s Hype Cycle highlights the maturation of several traditional security operations technologies, alongside the emergence of new entrants aiming to redefine the security operations landscape. The evolving paradigm prioritizes proactivity and scalability as some of its core advantages.
Notable themes in this year’s Hype Cycle include:
  • Technologies supporting threat exposure management programs are advancing across several critical areas, including expanding asset visibility, enhanced prioritization capabilities and innovative approaches to accelerating risk reduction initiatives.
  • Threat detection, investigation and response (TDIR) providers are now promoting AI-powered event triage automation, offering improved detection accuracy and more efficient incident response processes.
  • Technologies like exposure assessment platforms and threat intelligence products and services have evolved. They now offer a unified platform that consolidates previously disparate products and services, simplifying adoption and delivering greater value to organizations.
  • End users are accelerating the deployment of both custom-built and commercial off-the-shelf AI solutions, with a primary focus on optimizing resources to enhance security operations centers.
As enterprise infrastructure expands, security operations leaders are increasingly seeking enhanced asset visibility and innovative strategies to boost organizational resilience against rapidly evolving threats designed to bypass existing security controls. While this transformation affects multiple facets of security programs, organizations this year are shifting their focus from traditional vulnerability management to a more comprehensive exposure management approach (see How to Grow Vulnerability Management Into Exposure Management). When implemented effectively, exposure management serves as a valuable foundational data source for improving all security operations (SecOps) activities. At the same time, it facilitates a shift toward an adaptive security framework, enabling cybersecurity decision making to be driven by risk rather than theoretical models (see Transform SecOps via Proactive Exposure Management and Threat Defense).

Threat Exposure Management

This year’s Hype Cycle highlights notable achievements in technology markets closely aligned to threat exposure management (TEM). Key areas of progress include, but are not limited to:
  • Cyber asset attack surface management (CAASM) and external attack surface management (EASM) aim to provide greater internal and external visibility of digital assets across an enterprise. CAASM has the added advantage of unifying assets sourced from a variety of security and IT tools into a single point of access, simplifying asset management. EASM adopts an external perspective to continuously discover and inventory internet-facing assets, thereby establishing and evaluating externally exposed risks. In unison, these solutions hope to solve the asset visibility problem internally and externally. However, both markets are considered “obsolete before plateau” on this year’s Hype Cycle. Their promised functionalities are now being incorporated into other, adjacent markets, such as exposure assessment platform (EAP) and adversarial exposure validation (AEV).
  • Traditionally, enterprises have relied on penetration testing to meet compliance requirements. However, they are increasingly seeking services like penetration testing as a service (PTaaS) to enable continuous security testing, benefit from rapid scheduling, facilitate real-time communication and integrate seamlessly with DevOps workflows. Alternatively, automated penetration testing, red teaming and breach attack simulation tools have evolved into AEV tools. These tools provide easy deployment, automation and realistic scenarios for reliable assessments. Regardless of the deployment model chosen, security operations leaders must govern the use of these tools and services within a formalized offensive security program. For maximum effectiveness, offensive security program goals must be closely aligned to the broader TEM goals for continued maturation.
  • Exposure assessment platforms (EAPs) have emerged from the convergence of several technologies. Vulnerability assessment tools have incorporated attack surface management (ASM) capabilities, while ASM tools are now aggregating data from a broader range of sources. Additionally, attack simulation tools are expanding their functionality to include ASM features. They are designed to enhance visibility by enumerating and prioritizing exposures such as vulnerabilities and misconfigurations across multiple asset classes and attack surfaces. While EAPs can be used in conjunction with vulnerability assessment solutions, they can also replace the numerous vulnerability scanners organizations may have, limiting technology sprawl. Today, many EAP solutions already include some variation of CAASM, EASM and automated security control assessment (ASCA) functionality.
  • ASCA solutions are designed to enhance visibility and governance over enterprise security controls across diverse attack surfaces. These solutions are often optimized to account for today’s volatile threat landscape, enabling enterprises to implement effective mitigations as near-term or compensatory alternatives to full remediation.

Threat Detection, Investigation and Response

In today’s rapidly evolving cyberthreat landscape, organizations face the dual challenge of defending against increasingly sophisticated attacks while managing the operational costs associated with comprehensive security measures. Threat detection and response mechanisms now form a comprehensive arsenal of tools to identify and mitigate complex threats like ransomware and identity-based attacks. Key components include:
  • Endpoint detection and response (EDR)
  • Network detection and response (NDR)
  • Extended detection and response (XDR)
  • Digital forensics and incident response (DFIR)
  • Cybersecurity incident response management (CIRM)
  • Threat intelligence (TI)
  • Digital risk protection services (DRPS)
These solutions provide proactive threat detection, facilitate automated incident response and deliver comprehensive visibility across networks and endpoints, thereby fortifying an organization’s overall security posture.
  • Managing the financial aspects of cybersecurity is crucial, as data management, security tools and services can prove costly. Solutions like managed detection and response (MDR), co-managed security monitoring services and telemetry pipelines offer cost-effective and scalable technologies. These security services reduce the need for extensive in-house expertise and lower data management costs. As a result, organizations can maintain robust protection while optimizing both their security budgets and operational effectiveness.
  • XDR solutions offer the promise of turnkey protective monitoring technologies, allowing organizations to accelerate time to value when establishing a TDIR capability. Many XDR providers now include the point data collection and enforcement technologies like EDR, NDR, security orchestration and automated response (SOAR), TI and security information and event management (SIEM) systems. In addition, they offer out-of-the-box threat detection logic to enhance security operations. However, larger teams that have implemented XDR are acknowledging some limitations in flexibility and customizability. As a result, there is renewed interest in SIEM solutions to address these gaps. Similarly, the growing popularity of the Open Cybersecurity Schema Framework (OCSF) has the potential to undermine the value proposition of XDR. By providing a standardized framework for managing security data, OCSF benefits the entire security operations center (SOC) from data engineers to SOC investigators.
  • TI has long been a mature market; however, recent developments in adoption and innovation have significantly increased its perceived value. Organizations have expanded their requirements and use cases for TI, resulting in more stakeholders benefiting from threat-informed decision making. Digital risk protection services (DRPS) are considered “obsolete before plateau,” as their core capabilities have become standard features within the TI market. This integration provides buyers with a unified console for consuming, investigating and reporting on a broad spectrum of threats.
  • Cybersecurity incident response management (CIRM) technologies have been newly introduced in this year’s Hype Cycle. Their primary goal is to help organizations manage the increasing volume and complexity of security incidents. These solutions also aim to reduce response times and enhance communication and collaboration across teams. Larger organizations tend to realize greater benefits from these technologies, primarily due to the scale of their infrastructure and the corresponding incident workload. In contrast, smaller enterprises may encounter obstacles in adoption as successfully operationalizing these technologies often requires a higher level of organizational maturity. Enterprises not yet prepared to implement CIRM tools should focus on building and maturing their incident response processes by leveraging existing ticketing functionalities within native tools such as ITSM, SIEM, SOAR or XDR.
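The OCSF point above (one schema for security data, shared by data engineers and investigators) is easiest to see with a worked example. The following Python is an added illustration, not code from Gartner or from the OCSF project: it normalises two constructed vendor log shapes (here called "vendor A" and "vendor B", both invented) into one OCSF-style Authentication event and then runs a single failed-logon-burst detection over the merged stream. The OCSF field names used (class_uid 3002 for Authentication, activity_id, status_id, time in epoch milliseconds, actor.user.name, src_endpoint.ip) follow the public schema, but the mapping is deliberately simplified; the sample events and the threshold are constructed.

```python
"""Added example: normalise two vendor log formats into OCSF-style events
and apply one detection rule to the unified stream."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# OCSF Authentication class and the enum values this example relies on
# (simplified; see the public OCSF schema for the full definitions).
AUTH_CLASS_UID = 3002
ACTIVITY_LOGON = 1
STATUS_SUCCESS, STATUS_FAILURE = 1, 2

# Constructed sample input. Vendor A (invented) uses epoch seconds and
# a free-text event name; vendor B (invented) uses ISO 8601 and an outcome flag.
VENDOR_A_EVENTS = [
    {"ts": 1718000000, "evt": "login_failed", "user": "alice", "src": "203.0.113.5"},
    {"ts": 1718000030, "evt": "login_failed", "user": "alice", "src": "203.0.113.5"},
    {"ts": 1718000060, "evt": "login_failed", "user": "alice", "src": "203.0.113.5"},
    {"ts": 1718000010, "evt": "login_failed", "user": "bob", "src": "198.51.100.7"},
    {"ts": 1718000500, "evt": "login_ok", "user": "alice", "src": "203.0.113.5"},
]
VENDOR_B_EVENTS = [
    {"EventTime": "2024-06-10T06:14:00+00:00", "Outcome": "FAIL", "Account": "alice", "ClientIP": "203.0.113.5"},
    {"EventTime": "2024-06-10T06:15:00+00:00", "Outcome": "FAIL", "Account": "alice", "ClientIP": "203.0.113.5"},
    {"EventTime": "2024-06-10T06:16:00+00:00", "Outcome": "FAIL", "Account": "alice", "ClientIP": "203.0.113.5"},
    {"EventTime": "2024-06-10T06:20:00+00:00", "Outcome": "SUCCESS", "Account": "carol", "ClientIP": "192.0.2.9"},
]


def _ocsf_auth(time_ms: int, user: str, ip: str, status_id: int, source: str) -> Dict:
    """Build the common OCSF-style Authentication (logon) event."""
    return {
        "class_uid": AUTH_CLASS_UID,
        "activity_id": ACTIVITY_LOGON,
        "status_id": status_id,
        "time": time_ms,                      # OCSF timestamps are epoch milliseconds
        "actor": {"user": {"name": user}},
        "src_endpoint": {"ip": ip},
        "metadata": {"product": {"name": source}},
    }


def from_vendor_a(e: Dict) -> Dict:
    status = STATUS_FAILURE if e["evt"] == "login_failed" else STATUS_SUCCESS
    return _ocsf_auth(e["ts"] * 1000, e["user"], e["src"], status, "vendor-a")


def from_vendor_b(e: Dict) -> Dict:
    ts = int(datetime.fromisoformat(e["EventTime"]).timestamp() * 1000)
    status = STATUS_FAILURE if e["Outcome"] == "FAIL" else STATUS_SUCCESS
    return _ocsf_auth(ts, e["Account"], e["ClientIP"], status, "vendor-b")


def normalise(a_events: List[Dict], b_events: List[Dict]) -> List[Dict]:
    """Merge both sources into one schema so detection logic is written once."""
    return [from_vendor_a(e) for e in a_events] + [from_vendor_b(e) for e in b_events]


def failed_logon_burst(events: List[Dict], threshold: int = 5,
                       window_ms: int = 300_000) -> List[Tuple[str, str, int]]:
    """Flag (user, ip) pairs with >= threshold failed logons inside a sliding window.
    Works on OCSF-style events only, regardless of which vendor produced them."""
    by_key = defaultdict(list)
    for ev in events:
        if (ev["class_uid"] == AUTH_CLASS_UID and ev["activity_id"] == ACTIVITY_LOGON
                and ev["status_id"] == STATUS_FAILURE):
            by_key[(ev["actor"]["user"]["name"], ev["src_endpoint"]["ip"])].append(ev["time"])
    hits = []
    for (user, ip), times in by_key.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):            # two-pointer sliding window
            while times[end] - times[start] > window_ms:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append((user, ip, best))
    return sorted(hits)


if __name__ == "__main__":
    unified = normalise(VENDOR_A_EVENTS, VENDOR_B_EVENTS)
    print(failed_logon_burst(unified))       # alice seen 6 times across both sources
```

Run over either vendor alone, alice's three failures stay under the threshold; only the normalised, merged stream exposes the six-attempt burst, which is the operational value of a shared schema rather than per-product detection logic.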

Expanding Artificial Intelligence Use Cases for Security Operations

Security operation technologies leverage multiple AI techniques and continue to expand new use cases for existing techniques such as predictive modeling. AI SOC agents capture a new wave of technologies leveraging generative AI foundational models, promising transformative results. Additionally, cybersecurity AI assistants are seeing increased adoption as enterprise security programs pilot new use cases to evaluate the effectiveness of their outcomes.
Cybersecurity AI assistants entered the Hype Cycle last year. This category of technology aims to transform security operations by automating routine tasks, allowing security professionals to focus on activities that require advanced expertise. AI assistants automate resource-intensive tasks, synthesize threat intelligence and generate remediation suggestions, enabling teams to focus on strategic initiatives. The primary focus of these tools is to assist the human operator in their operational tasks. According to the 2025 Gartner Cybersecurity Innovations in AI Risk Management and Use Survey, 42% of cybersecurity leaders reported that their organizations are piloting or currently using AI assistants for threat detection and response, while another 46% plan to enable it next year.
AI SOC agents have been recently introduced to the market with the primary aim of alleviating cybersecurity resource constraints and workforce challenges. These agents automate the completion of routine tasks, such as security event triage, enabling teams to scale more efficiently. As a result, security professionals can redirect their focus to critical activities that require human expertise, including incident response, threat hunting and advanced analysis. The recommendation is to leverage these technologies to augment the operator, so they can refocus on other tasks that require critical thinking.
Predictive modeling in cybersecurity marks a shift toward proactive strategies that leverage predictive models and data science. This approach is designed to anticipate and detect threats before they can impact the organization, helping to prevent the costs associated with data breaches while maintaining a robust security posture. The primary focus of this technology is to deliver early warning signals of imminent threats, enabling organizations to proactively mobilize resources and intervene before any impact occurs.

Evaluating the Hype Cycle

Some key recommendations for evaluating this year’s Hype Cycle:
  • Organizations must transition from traditional vulnerability management to continuous threat exposure management (CTEM). SecOps leaders should utilize exposure-management-oriented technologies, data and processes as a strategic pathway toward CTEM maturation. Prioritize EAP solutions as the central technology for orchestrating exposure data. However, be cautious of vendor marketing claims, as capabilities can vary significantly between vendors. Ensure that selected solutions closely align with your organization’s specific requirements to maximize effectiveness.
  • Conduct rigorous testing of AI capabilities, even when they are integrated into established technologies. Since these new features may not be thoroughly validated, it is essential to independently assess their effectiveness before relying on vendor claims.
  • Evaluate TDIR-capable technologies and services for their flexibility and modularity to ensure they can support the evolving needs of your security program as it matures. Ensure these providers also include threat intelligence and DRPS services to curate better threat detection and enable faster and more accurate incident response.
  • Benchmark best-of-breed approaches for emerging technologies and new AI use cases. Assess the value of specialized tools against the advantages of consolidated offerings from larger providers, particularly in areas where the technology has reached maturity.

Innovation Trigger

Cybersecurity vendors continue to innovate as this year’s Innovation Trigger sees two new entries — AI SOC agents and CIRM. Security operations leaders can expect to see more solutions focused on augmenting and assisting security operations teams, aiming for improved resource and performance optimization. The challenge becomes assessing what is truly necessary in the context of helping meet your organization’s goals — rather than just gravitating to vendors with the best marketing.
Simultaneously, the adoption of exposure-management-related technologies, such as adversarial exposure validation (AEV) and automated security control assessment (ASCA), has increased, moving these innovations further along the curve. This underscores the increasing need to enhance the visibility, testing and governance of security controls in order to better prioritize exposure findings and strengthen overall organizational resilience.

Peak of Inflated Expectations

This year’s Peak of Inflated Expectations features several technologies supporting a CTEM program — exposure assessment platforms (EAPs), cyber-physical systems (CPS) security and penetration testing as a service (PTaaS). While these offerings promise to elevate exposure assessment and validation capabilities, they are not sufficient on their own. Effective results also require well-defined processes and skilled personnel. The complexity of implementing CTEM in the face of rapidly expanding attack surfaces may place heightened demand for new or more advanced skill sets. However, many organizations lack the expertise necessary to navigate these challenges effectively.

Trough of Disillusionment

Feature consolidation is a key theme in the Trough of Disillusionment this year, with several siloed products being marked as obsolete — CAASM and DRPS in particular. This is not to say these offerings aren’t necessary — their core functionality is still being offered by larger platform providers (such as EAP and TI solutions), which allows customers to consolidate purchasing and accelerate time to value.
While one-third of the Hype Cycle entries in this section are now considered obsolete, the majority of the remaining offerings are TDIR-focused solutions, including DFIR, ITDR and XDR. Despite each solution’s moderate to high benefit rating, organizations continue to encounter obstacles that hinder the full realization of their promised advantages. Common challenges include integration and customization difficulties, dependency on effective cross-team collaboration and the complexity of operationalizing products and services. Successful implementation of these technologies is contingent on well-defined requirements, processes, strategic coordination across teams, as well as close alignment with security program goals.
This year’s developments underscore the rapid evolution of the cybersecurity industry, as many offerings once considered “core” are now struggling to gain expected traction and are increasingly being integrated as features within broader solutions.

Slope of Enlightenment

Products and services in the Slope of Enlightenment are experiencing increased adoption, driven by improved consumer understanding of their functionality and ongoing vendor enhancements, based on end-user feedback. These factors are contributing to greater satisfaction during regular use.
This year, several Hype Cycle entries have shown significant improvements in capabilities offered, market maturity and customer adoption:
  • Co-managed security monitoring services
  • Managed detection and response services
  • Network detection and response
  • Threat intelligence products and services
  • Offensive security programs
  • Security orchestration and automated response
  • External attack surface management
Evaluate these capabilities to address maturity gaps within your security program, whether the goal is to improve threat detection or operationalize threat intelligence.

Plateau of Productivity

Endpoint detection and response (EDR) along with security information and event management (SIEM) systems remain the only markets to reach the Plateau of Productivity this year. These solutions are widely trusted by many security operations teams to support and achieve their core objectives. The fast-paced nature of the cybersecurity industry sees technologies struggle to assert their dominance to the extent of becoming mainstream, like EDR and SIEM.
While EDR remains a cornerstone of modern security operations, it is also subject to the broader trend of platformization observed in this year’s Hype Cycle. As a result, EDR may increasingly be integrated into comprehensive TDIR solutions such as XDR. This shift allows customers the opportunity to obtain EDR capabilities as part of a consolidated technology purchase.
Meanwhile, SOC investigators can anticipate increased productivity from the integration of AI capabilities, such as AI SOC agents, into SIEM platforms. These will act as SIEM add-ons that help organizations simplify complex automations and combat alert fatigue by automating security event triage and incident response.
Figure 1: Hype Cycle for Security Operations, 2025
Hype Cycle for Security Operations, 2025, plots 26 innovations from the Innovation Trigger through the Plateau of Productivity. Innovations range from Cybersecurity Mesh Architecture to Cybersecurity AI Assistants to Endpoint Detection and Response.

The Priority Matrix

Organizations that evaluate business risks prior to investing in security operations services and capabilities are better positioned to determine appropriate solutions and allocate resources effectively. This approach enables organizations to maximize risk reduction and respond effectively to incidents that may negatively impact productivity, brand reputation — or both.
Technologies and services that align to security operations rarely provide immediate benefits. Such capabilities should be considered consumable. In other words, these solutions must be integrated into a well-defined process to achieve their full effectiveness. Security risk should be managed in line with organizational priorities but firmly anchored in addressing the specific organization’s threat landscape.
When developing the technology and capability roadmap for security operations, prioritize the remediation of identified issues to ensure alignment with the organization’s unique and dynamic attack surface. Concurrently, this all needs to align with modern IT architectures.
Adding complexity is neither of high priority nor of high benefit. Long-term initiatives in areas such as CSMA adoption and threat exposure management provide opportunities to optimize processes and use existing technologies, rather than relying solely on the implementation of entirely new tools. The Priority Matrix helps identify strategic initiatives with the greatest potential to deliver effective, measurable improvements to the organization’s risk profile.

Priority Matrix for Security Operations, 2025

Benefit          | Years to Mainstream Adoption
                 | Less Than 2 Years | 2 to 5 Years | 5 to 10 Years | More Than 10 Years
Transformational |                   |              |               |
High             |                   |              |               |
Moderate         |                   |              |               |
Low              |                   |              |               |
Source: Gartner (June 2025)

On the Rise

Cybersecurity Mesh Architecture

Analysis By: Patrick Hevesi
Benefit Rating: Transformational
Market Penetration: Less than 1% of target audience
Maturity: Embryonic
Definition:
Cybersecurity mesh architecture (CSMA) is an approach for architecting composable, distributed security controls with the objective of sharing data and security insights. It enables secure, centralized security operations and oversight that emphasizes composable and independent security monitoring, predictive analytics and proactive enforcement, centralized intelligence and governance, and a common identity fabric.
Why This Is Important
CSMA offers a potential solution to problems currently suffered by defense-in-depth security architectures that most organizations employ. These often consist of multiple point solutions that are poorly interconnected. CSMA addresses many challenges, including centralized exposure and security posture management, threat awareness, coordinated detection methodology and use cases, harmonized threat reporting and proactive response, efficiency of cross-tool collaboration, and the predictability and prevention of upcoming attacks.
Business Impact
CSMA aims to address the growing complexity of managing security tools, intelligence and identity solutions. Many organizations have started evolving toward a radically more flexible security architecture to prevent the impact of fast-emerging and evolving attack types, and reduce overhead caused by the proliferation and churn in security tool categories. Investing in composable, interoperable and extensible security toolsets is essential to reduce cost and increase consistency.
Drivers
  • Organizations continue to be breached and increasingly require a broader and faster perspective on the likelihood and impact of a threat, or of an exposure to a threat. This level of detail is crucial for making better pro-business security decisions while turning operations into a more real-time cyber response team.
  • IT security organizations can be overwhelmed when trying to stay ahead of new and more complex attacks, and when deploying the latest security tools to ever-expanding infrastructure. Teams are not able to implement the analytical capabilities and AI features required to be proactive and dynamic in their security enforcement and response decisions. Furthermore, these decisions are rarely fast enough to meet business needs.
  • Organizations are looking for approaches such as CSMA to better integrate and interpret in more real time the outputs of siloed security technologies that operate with insufficient knowledge of other tools. Effective security and identity management requires a layered and integrated approach.
  • Organizations are frustrated by the lack of integration and consistent visibility within their current security workbenches. Security and risk management leaders require an architecture that not only reacts to the current security issues (those that are visible in the organization) but also provides a coordinated and holistic approach to complex security problems.
  • Creating a collaborative ecosystem of security tools will address inconsistency and help clarify and minimize the exposure that is consistent with business expectations.
Obstacles
  • As vendors continue to support CSMA architecture principles for their products, vendor lock-in will likely be a concern. If a proprietary approach is employed, it may serve to block, rather than facilitate, cross-tool integration; then, gaps in coverage will likely appear, and this inflexibility will drive up costs.
  • Organizations that choose to create their own CSMA construct will likely need significant engineering effort to integrate disparate products before standards mature. Additionally, they might suffer if the security industry moves toward a set of interoperability standards after significant custom integration work has been completed.
  • CSMA continues to evolve in response to consumer IT advancement and security technology consolidation. Planning for the relevant flexibility required to manage this change is difficult.
  • Organizations understand and acknowledge the skills gaps and challenges in the volume of work but do not have clear solutions to deal with these issues.
User Recommendations
  • Add purchasing requirements that focus on integration and interoperability of multivendor tools.
  • Find your main security analytics and intelligence layer platform, and connect the rest of the layers into it.
  • Mature your security infrastructure by selecting product vendors who follow CSMA reference architecture, using standards such as Open Cybersecurity Schema Framework (OCSF). Ensure the vendor has fully developed advanced APIs, complete adherence to modern security standards and integrations into security partner networks.
  • Evolve your identity infrastructure into an identity fabric by removing silos to achieve dynamic real-time identity capabilities that incorporate a more complete set of context and risk signals (such as device proximity, posture, biometrics and location).
  • Improve your responsiveness by centralizing your policy, posture and playbook management along with building an integrated “single starting pane of glass” view for security teams.

Cybersecurity Incident Response Management

Analysis By: Eric Ahlm, Carlos De Sola Caraballo
Benefit Rating: Moderate
Market Penetration: 1% to 5% of target audience
Maturity: Emerging
Definition:
Cybersecurity incident response management (CIRM) solutions provide cyber incident response teams (CIRTs) with the capabilities required to manage the workflow, activities, forensic preservation, communication and collaboration required for handling incidents in large-scale organizations. CIRM solutions help address modern incident response (IR) challenges using integrations and automation.
Why This Is Important
CIRM allows cyber incident responders to have their own case management and workflow capabilities that allow for better overall cyber incident management, higher performance and tracking of incident resolution, and a more forensically secure system of record. This leads to greater continuity in handling, faster execution in response and the ability to collaborate with a wider range of cross-team members.
Business Impact
CIRM solutions can help CIRTs:
  • Achieve better cyber incident response management capabilities than offered by basic ticketing or ITSM systems.
  • Meet the demands of stakeholders and executives to be more involved in incident response management.
  • Better track, report and optimize the overall incident response performance metrics and regulatory reporting for cyber incident handling.
  • Reallocate supportive IR tasks (e.g., incident notifications, status updates, evidence documentation), allowing IR teams to concentrate on critical incident response actions and to reduce the response time.
Drivers
  • Cyber incidents are increasing in both volume and complexity for large-scale organizations. The financial losses due to incidents are often related to incident handling from secondary teams, such as legal.
  • Regulatory standards are requiring more non-cyber team members to be involved in incident handling, which drives the need for increased workflow management.
  • Meeting shareholder concerns about top KPIs such as mean time to respond (MTTR) requires centralized tracking and trending data about workflow execution for incident response.
  • Incidents are spanning multiple organizations in supply chain attacks, which requires close cooperation across company boundaries.
Obstacles
  • CIRM solutions require a degree of client maturity in security operations, and are best-suited to support an established CIRT team.
  • Many ITSM systems offer basic incident handling capabilities or cyber incident-specific modules for increased functionality. However, these often come at a premium cost point.
  • Shareholder interest in improving the overall incident response performance may limit some clients from seeking CIRM solutions.
  • Security operations leaders may continue to use ITSM systems, native TDIR (SIEM/SOAR, XDR) ticketing capabilities or manual methods before considering CIRM solutions.
User Recommendations
  • Consider using CIRM solutions for the entire case management solution for handling cyber incidents, or only for uplifting specialized functions such as communication and collaboration from existing ticketing systems.
  • Investigate CIRM solutions if your organization faces regulations that require it to notify regulators, markets or shareholders quickly about an incident.
  • Use CIRM solutions in very large organizations with numerous cross-team members that find the cyber incident management difficult to execute. CIRM solutions will streamline the process and add efficiency by using automation capabilities.
Sample Vendors
BreachRX; Cydarm; CYGNVS; Cytactic; incident.io; Motorola Solutions; PagerDuty; ServiceNow; StrangeBee

Automated Security Control Assessment

Analysis By: Evgeny Mirolyubov, Jeremy D'Hoinne
Benefit Rating: Moderate
Market Penetration: 1% to 5% of target audience
Maturity: Emerging
Definition:
Automated security control assessment (ASCA) is a security technology that continuously analyzes, prioritizes and optimizes technical security controls to reduce an organization’s threat exposure. ASCA identifies configuration drift, policy and control deficiencies, detection logic gaps, poor defaults, and other misconfigurations in security controls. It then uses identified weaknesses to recommend and prioritize remediation steps to improve security against organization-specific threats.
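The definition above describes the core ASCA loop: compare the observed configuration of technical controls against an expected baseline, classify what is wrong (drift, a weak default, a missing log source that creates a detection gap) and then rank remediation against the organization's own threat profile rather than against generic best practice. The following Python is an added illustration of that loop and is not code from Gartner or from any ASCA vendor. The baseline, the observed settings, the control names, the threat categories and the weighting formula are all constructed assumptions; a real product would pull observed state from the controls' own APIs.

```python
"""Added example: a minimal ASCA-style assessment of technical security
controls, prioritised against an organisation-specific threat profile."""
from typing import Dict, List

# Constructed baseline: expected setting per control, an intrinsic severity
# (1-5) if the control is wrong, and the threat categories it mitigates.
BASELINE: Dict[str, Dict] = {
    "edr.tamper_protection":  {"expected": True,      "severity": 5, "mitigates": ["defense-evasion"]},
    "edr.script_logging":     {"expected": True,      "severity": 3, "mitigates": ["execution", "initial-access"]},
    "fw.default_outbound":    {"expected": "deny",    "severity": 4, "mitigates": ["command-and-control", "exfiltration"]},
    "siem.auth_log_source":   {"expected": "enabled", "severity": 4, "mitigates": ["credential-access"]},
    "mfa.enforced_for_admins": {"expected": True,     "severity": 5, "mitigates": ["initial-access", "credential-access"]},
}

# Constructed observed state, as an ASCA tool would collect it from each control.
# Note siem.auth_log_source is absent entirely: nothing is forwarding auth logs.
OBSERVED: Dict[str, object] = {
    "edr.tamper_protection": False,      # drift: was enabled in the baseline
    "edr.script_logging": True,
    "fw.default_outbound": "allow",      # weak default never tightened
    "mfa.enforced_for_admins": True,
}

# Constructed threat profile: how relevant each category is to this organisation
# (e.g. derived from threat intelligence). Higher weight = more relevant.
ORG_THREAT_PROFILE: Dict[str, int] = {
    "initial-access": 3,
    "credential-access": 3,
    "command-and-control": 2,
    "exfiltration": 2,
    "defense-evasion": 1,
}


def assess(baseline: Dict[str, Dict], observed: Dict[str, object],
           threat_profile: Dict[str, int]) -> List[Dict]:
    """Return findings sorted by priority score (highest first).

    kind is 'missing' when the control reports no value at all (a logging or
    detection gap) and 'drift' when it reports a value other than the baseline.
    score = severity * (1 + sum of threat weights the control mitigates), so a
    control relevant to the organisation's likely threats outranks one that is
    intrinsically severe but mitigates an unlikely threat.
    """
    findings = []
    for control, spec in baseline.items():
        if control not in observed:
            kind = "missing"
            current = None
        elif observed[control] != spec["expected"]:
            kind = "drift"
            current = observed[control]
        else:
            continue                                   # control matches baseline
        relevance = sum(threat_profile.get(t, 0) for t in spec["mitigates"])
        score = spec["severity"] * (1 + relevance)
        findings.append({
            "control": control,
            "kind": kind,
            "current": current,
            "expected": spec["expected"],
            "score": score,
            "recommendation": f"set {control} to {spec['expected']!r}",
        })
    return sorted(findings, key=lambda f: (-f["score"], f["control"]))


if __name__ == "__main__":
    for f in assess(BASELINE, OBSERVED, ORG_THREAT_PROFILE):
        print(f"{f['score']:>3}  {f['kind']:<8} {f['control']:<26} {f['recommendation']}")
```

With these inputs the permissive outbound firewall default ranks first (severity 4, but it mitigates two threat categories the organization rates as likely), the missing authentication log source second, and the disabled EDR tamper protection last despite its higher intrinsic severity. That ordering is the point the definition makes about prioritizing against organization-specific threats; it also illustrates the obstacle noted later in the entry, since the tool only hypothesizes that the setting matters and a human still has to validate the recommendation before acting on it.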
Why This Is Important
Without optimal configuration, security tools are likely to fail to log, detect and block security threats, leading to poor return on security investments. The growing size and complexity of security stacks, paired with the security skills gap, have compounded the problem of maintaining an optimal configuration of security controls without automation. These issues are intensified by rapidly changing attack techniques, which turn the required set of controls and configurations into a moving target and necessitate continuous improvements.
Business Impact
ASCA reduces the organization’s risk of business disruption and financial loss by optimizing technical security controls and reducing exposure to threats. Organizations implementing ASCA technologies enhance staff efficiency, minimize the impact of human errors, realize the potential of their security investments and improve resilience in the face of organizational churn.
Drivers
  • Misconfigurations in technical security controls and overreliance on default settings are among the leading reasons why attacks continue to succeed.
  • Organizations lack the resources and expertise needed to fully understand and interpret thousands of configuration settings across security stacks without automation, let alone understand the resulting level of protection.
  • Uncertain threats, such as the use of generative AI by threat actors, may intensify the need for optimizing existing security controls more frequently to keep up with the pace of change in attacks.
  • Continuously assessing and optimizing security controls against specific threats, rather than best practices, is an effective risk mitigation strategy that ultimately reduces the organization’s exposure.
  • Manual configuration reviews against best practice settings and occasional penetration tests are insufficient due to the likely impact on user experience, limited scope and low frequency.
  • Meaningfully improving security posture requires going beyond compliance-driven assessments and evaluations focused on assessing the sole presence of security controls.
Obstacles
  • ASCA technology delivers an automated assessment of technical security controls and their configurations, with no active validation of the hypothesis. Thus, end users must validate findings and recommendations about an effective course of resolution.
  • Fully automating the process of implementing improvements based on ASCA findings is unlikely to become a reality in the near future. The heightened risk of business disruption makes most organizations hesitant about the idea of complete automation.
  • The slow pace of implementing recommendations, paired with continuous assessments performed by ASCA technologies, may cause recommendations to pile up. Security leaders may already be overwhelmed, and adding yet another source of findings may be more of a hindrance than a help.
  • Implementing improvements based on ASCA findings requires additional investment in people, processes and technologies, and a corresponding increase in budget. Yet, ASCA technologies rarely align with a dedicated budget and are usually an additional spend on top of existing security tools.
User Recommendations
  • Do not buy a third-party ASCA tool if your incumbent cybersecurity provider offers similar capabilities included in their offering. Similarly, refrain from buying if your existing managed detection and response or cyber insurance provider offers a similar capability that meets your requirements.
  • Choose a third-party ASCA provider based on its abilities to integrate with existing security controls on a sufficient level, granularity and alignment of optimization guidance with organization-specific threats, and security reporting capabilities.
  • Use ASCA to shift focus beyond evaluating the presence of controls, implementing best practice configurations or adhering to compliance frameworks.
  • Integrate ASCA with adjacent exposure assessment platforms and adversarial exposure validation technologies to better understand relationships between organization-specific assets, vulnerabilities, attack techniques, business context and controls.
  • Align security control optimization efforts with a continuous threat exposure management program to support a repeatable process for prioritizing and implementing improvements.
  • Highlight the potential for improvements in reduced cybersecurity incidents and less manual work for security control assessments to gain buy-in from teams required to respond to ASCA findings. These teams may include infrastructure security, identity, security operations, digital workspace and asset owners.
Sample Vendors
CardinalOps; Nagomi Security; Reach Security; Tidal Cyber; UST (CyberProof); Veriti; Zafran

Adversarial Exposure Validation

Analysis By: Eric Ahlm, Jonathan Nunez, Dhivya Poole, Jeremy D'Hoinne
Benefit Rating: Moderate
Market Penetration: 5% to 20% of target audience
Maturity: Early mainstream
Definition:
Adversarial exposure validation (AEV) delivers consistent, continuous and automated evidence of the feasibility of an attack. These technologies confirm how potential attack techniques would successfully exploit an organization and circumvent prevention and detection security controls. They achieve this by performing attack scenarios and modeling or measuring the outcome to prove the existence and exploitability of exposures. AEV offers extensible deployment options.
Why This Is Important
Automated penetration-testing tools and breach and attack simulation vendors have largely converged to become AEV providers. They offer easy-to-deploy products, seamless automation and growing flexibility by combining attack simulation with heavily customized and realistic scenarios. This leads to more frequent and reliable assessments and the ability to reach more diverse outcomes such as defense optimization, exposure management and scaling red-team operations.
Business Impact
AEV confirms a potential exposure to a specific threat by taking the attackers’ view. It evaluates the efficacy of attacks through deployed security controls and can highlight vulnerable paths leading to the organization’s most critical assets. This helps security teams prioritize remediation or mitigation efforts and evaluate the value of their invested technologies. It complements exposure assessments and provides a way to continuously execute attack scenarios.
Drivers
  • Filter for relevant remediation actions: AEV drives urgency by filtering theoretical risks (e.g., long lists of high-priority issues) down to only those attacks that are demonstrated to work, which the organization should then address.
  • Red-team augmentation: Human-led red-teaming programs are difficult to initiate because they require a specific set of expertise, processes and tools that can be expensive to develop or procure. The progress in automation and the expanding number of providers help kick off red-teaming programs by starting small and demonstrating benefits early.
  • Attack surface reduction: Organizations with established exposure validation programs use AEV technology primarily to ensure consistent, yet improved, security posture over time and across multiple locations.
  • Exceeding compliance requirements: AEV solutions continuously validate the organization’s security posture. Organizations value more automated assessments to prepare for mandatory compliance penetration testing or augment and/or refocus human-led red team activity on more advanced scenarios. AEV solutions go deeper than assessment tools as they positively verify an exposure by simulating or running actual attacks.
  • Defense optimization: AEV tools can integrate with security control technologies to determine how they are configured and how they withstand attack scenarios. They do so through the security tools’ management APIs or by reading alert logs, enabling security configuration management and improving the visibility of defense gaps.
  • Support continuous threat exposure management (CTEM) program: AEV enables deeper automation of the “validation” step. Adding automation to the red team’s toolkit can also help initiate such a program.
Obstacles
  • Many AEV providers don’t meet all use cases equally, often causing buyers to choose what outcomes are most desired before vendor selection.
  • Although AEV vendors provide simplification of testing with predeveloped attack scenarios, buyers must commit operational resources and often new team structures to successfully reach outcomes.
  • The results from AEV solutions are not often accepted by auditors as a replacement for a third-party penetration test. This forces buyers to increase their testing budget to acquire AEV solutions.
User Recommendations
  • Prioritize the most impactful exposure scenarios. Assess the vendors’ capabilities to deliver simulated attacks as an easier way to convey the benefits of supporting an exposure management and resilience program.
  • Integrate existing attack simulation and penetration-testing scenarios in an AEV roadmap as part of a shift from vulnerability management to a CTEM program.
  • Onboard existing red teams by demonstrating that the automation helps support more interesting human-led red-teaming activities, and that enabling a collaborative “purple-teaming” approach helps improve threat detection, investigation and response.
  • Understand the benefits and challenges resulting from the various deployment options. There are many options for testing, such as agent or agentless, that can impact results.
Sample Vendors
AttackIQ; Cymulate; Horizon3.ai; Pentera; Picus Security; Ridge Security; SafeBreach; SCYTHE

At the Peak

AI SOC Agents

Analysis By: Eric Ahlm
Benefit Rating: Moderate
Market Penetration: 1% to 5% of target audience
Maturity: Embryonic
Definition:
AI SOC agent solutions use AI to help augment many of the common activities found within security operations. AI SOC agents can be used to augment investigation through natural language query, false positive reduction, alert enrichment, attack path contextualization, reporting summarization and next step advisory.
Why This Is Important
Although still an emerging and mostly unproven technology, AI SOC agent tools promise security operations leaders an opportunity to augment their workforce across a wide range of activities performed by various roles. Effective augmentation can lead to reduction in time required to perform certain tasks, such as managing false positives. It can also lead to other program benefits such as reducing skill sets required to perform activities, reducing errors and increasing the overall performance of SOC operations.
Business Impact
AI SOC agent solutions may help security operations teams:
  • Better manage false positives, enrich alerts, provide natural language query, generate attack timelines, summarize reports and perform other common activities known for consuming valuable operational cycles.
  • Improve overall augmentation of security operations team members performing common activities, which allows capacity for extra workloads without additional headcount.
  • Reduce the skill sets required to perform some activities, which can reduce the learning curve normally required for junior team members to perform some SOC tasks.
Drivers
  • Lack of resources to perform valuable security operations activities is a universal problem. Although still unproven, AI SOC agents are at the forefront for security operations leaders seeking to augment their workforce.
  • Recruiting, hiring and retaining security operation team members is a challenge. AI SOC agents allow junior members to focus on more critical tasks, which can lead to better job satisfaction and retention.
  • Users are often forced to make concessions on what alerts are investigated due to resource constraints. AI SOC agents promise to autoinvestigate and close out lesser alerts, leaving more time for humans to investigate alerts of greater interest.
Obstacles
  • AI SOC agent tools are still emerging, and claimed benefits are mostly unproven. Diligence is required to ensure outcomes such as measurable team workflow augmentation improvements are obtainable and any AI washing is debunked.
  • Vendors in this space license agents aligned to specific activities performed in the SOC. Cost models may limit the widespread use of AI SOC agents across entire team functions.
  • Cost justification for AI SOC agents may be difficult for smaller teams, as the real value of the solution is providing measurable gains in the operational cycle over the current team baseline.
User Recommendations
  • Before evaluating an AI SOC agent solution, baseline your current state of operations to identify larger or more common activities needing improvement. This helps develop evaluation criteria for vendor selection, as well as cost justification data.
  • Initiate AI SOC agent pilots to determine use-case fit and estimate potential augmentation improvements to your team. Start with common SOC functions such as event triage or false-positive reduction.
  • Consult with your larger incumbent security platform vendors such as SIEM and XDR first before considering an AI SOC agent solution, as many vendors have workflow augmentation agent capabilities on their product roadmap.
Sample Vendors
7AI; Arcanna.ai; Conifers.ai; Crogl; Dropzone AI; Exaforce; Intezer; Qevlar AI; Prophet Security; Simbian

CPS Security

Analysis By: Katell Thielemann
Benefit Rating: High
Market Penetration: More than 50% of target audience
Maturity: Early mainstream
Definition:
Cyber-physical systems (CPS) security is the overall discipline to ensure that CPS remain safe, reliable and resilient in the face of growing threats. CPS are engineered systems that orchestrate sensing, computation, control, networking and analytics to interact with the physical world (including humans). They are created as physical assets become connected to each other or to enterprise IT systems, and as automation and production robots are deployed. They may be called OT, IoT, ICS or SCADA.
Why This Is Important
CPS include everything from critical infrastructure equipment in energy, water systems, communications or smart cities, to autonomous vehicles and smart manufacturing. They connect digital technology with physical processes and outcomes, and therefore mandate a unique security approach because human safety, production reliability and resilience are paramount. CPS are increasingly targeted by attackers seeking to steal data, demand ransom, derail production or sow geopolitical unrest.
Business Impact
Unlike IT systems that create, store, transact or transform data, consequences of a successful cyber attack in CPS environments go beyond data-centric effects. They include operational shutdowns, environmental impacts, damage and destruction of property and equipment, and even personal and public safety risks. CPS security efforts therefore need to focus on human safety and operational resilience, and consider all cybersecurity best practices, the laws of physics and industry-specific engineering decisions.
Drivers
  • The last few years have seen a marked increase in attacks from nation-states and extortionists alike that have led to loss of visibility or loss of control in manufacturing and critical infrastructure production environments. Because these areas are usually where value is created or essential public services are performed, CPS will continue to be targeted.
  • Rapidly increasing initiatives from governments and companies alike are bringing CPS security into sharper focus. These initiatives span various domains, such as manufacturing, smart cities, utilities, healthcare, food, agriculture, public safety and transportation.
  • Risks that extend to the physical world require measures above and beyond “regular” cybersecurity. Such risks include remote access, physical perimeter breaches, USB insertion, controller area network (CAN) bus injections, GPS jamming, hacking, spoofing, tampering, command intrusion and malware implantation in physical assets.
  • While the domains of “regular” cybersecurity (the “whats”) largely apply, the “hows,” “whos” and “whens” differ to account for the nature of production mission-critical environments.
  • The generic OT security market has evolved into specific CPS security categories. These include:
    • CPS protection platforms
    • Unidirectional data flow solutions
    • CPS secure remote access solutions
    • Content disarm and reconstruction solutions
    • Security services
    • Network-centric solutions (e.g., cloaking, microsegmentation)
    • Onboard diagnostics solutions
    • Embedded systems security
    • Supply chain security solutions
  • Because of the prevalence of CPS in critical infrastructure sectors and the tight relationship between critical infrastructure and national security, governments worldwide are turning to security regulations and directives to mandate minimum security controls.
Obstacles
  • Lack of awareness that CPS can be — and are — deployed in organizations outside the usual asset-intensive industries: devices like CCTV cameras, smart displays and BIMs are deployed in all organizations.
  • CPS are often deployed by business units without consultation from the security team.
  • Most organizations still focus mainly on cybersecurity-centric risk management.
  • The lack of collaboration across the siloed teams running such systems across the enterprise hampers CPS security efforts, which require cross-functional collaboration.
  • Many organizations do not have structured security programs or skills that sufficiently cover the scope of CPS, especially the high-value/mission-critical assets.
  • Because CPS product standards that guide security design and usage are still evolving, many manufacturers value “speed to market” over “secure to market.”
  • Many devices lack storage and compute power to facilitate security mechanisms.
  • The omnipresence of CPS devices in buildings, cities, homes and vehicles tests the scalability of traditional security methods, which may not be able to address the risks in devices, areas or the entire value chain.
User Recommendations
  • Prioritize security controls and “secure by design” practices in new procurements.
  • Discover all connected assets using tools designed specifically for CPS environments, realizing that CPS may be present in office environments as well, in the form of access controls, elevators, air conditioning, etc.
  • Evaluate which CPS assets are high-value or mission-critical, identify specific CPS security controls already in place, and determine whether any gaps need to be prioritized based on potential organizational impact.
  • Create an investment plan to update security and risk management strategies and programs in relation to CPS, starting with the high-value and mission-critical assets.
  • Engage functional business leaders to establish clear risk ownership, define domain-specific controls for CPS, and balance trade-offs between growing the business and improving security.
  • Evaluate the growing list of CPS security solutions, as there are more options than ever before.
Sample Vendors
Armis; Claroty; Dragos; Microsoft; Nozomi Networks

Exposure Assessment Platforms

Analysis By: Mitchell Schneider, Dhivya Poole, Jonathan Nunez
Benefit Rating: High
Market Penetration: 20% to 50% of target audience
Maturity: Early mainstream
Definition:
Exposure assessment platforms (EAPs) continuously identify and prioritize exposures, such as vulnerabilities and misconfigurations. Exposures are mapped to attack paths within a business risk context. EAPs facilitate remediation actions across a broad range of asset classes through integrations with ticketing and patching systems. They natively deliver or integrate with discovery capabilities, such as assessment tools that enumerate and centralize exposures, to increase visibility.
Why This Is Important
EAPs support continuous threat exposure management (CTEM) programs by providing a centralized view of prioritized exposures, which enables organizations to take key actions to prevent breaches. EAPs prioritize findings for remediation based on exposure severity, asset criticality, business impact, likelihood of exploitation and compensating control context.
Business Impact
Organizations adopt EAP as part of their CTEM program to address the growing number of vulnerabilities and other exposures. EAPs improve operational efficiency through consolidation of the results of exposure assessments into a central location by:
  • Pinpointing critical exposures
  • Prioritizing remediation efforts
  • Ensuring accountability
  • Streamlining management processes
EAPs offer multiple views, surfacing trends and supporting workflows to track the life cycle of exposures.
Drivers
  • Organizations need a more mature approach beyond prioritizing vulnerabilities solely on Common Vulnerability Scoring System (CVSS) scores or basic prioritization techniques. EAPs contextualize these findings with cyberthreat intelligence and relevant context (e.g., asset and business context), resulting in increased actionability.
  • EAPs identify the most material exposures to the organization, deduplicate findings and help prioritize treatment recommendations — whether via remediation (e.g., patching) and/or compensating controls — to avoid a potential compromise.
  • EAP solutions reduce operational overhead associated with mundane or misprioritized findings through a consolidated view, making it beneficial for organizations looking to retain talent by focusing their skills on more value-added activities.
  • EAP reporting into the security operation center can bolster operational efforts, such as threat detection, investigation and response (TDIR). The contextual asset enrichments and various views (e.g., attack path) aid in accelerating investigations.
  • Organizations are expanding the scope of their findings to include both traditional vulnerabilities and exposures that may not be associated with CVEs.
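The prioritization the profile describes (severity, asset criticality, business impact, likelihood of exploitation and compensating controls) and the deduplication of findings across scanners, shown as an added illustration that is not any vendor's algorithm. The weights, the asset context table, the control-to-exposure-class mapping and the CVE-style identifiers are all constructed for the example.

```python
"""Exposure prioritization in the style of an EAP: merge scanner findings, then rank them by
severity, asset criticality, business impact, exploit likelihood and compensating controls.
Added illustration with constructed data and illustrative weights; not any product's scoring."""
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    exposure_id: str              # CVE id or a misconfiguration identifier
    cvss: float                   # 0-10 base score as reported by the scanner
    scanner: str
    exploit_probability: float = 0.0   # 0-1, e.g. from threat intelligence (constructed here)
    known_exploited: bool = False


# Constructed asset and business context, the kind an EAP pulls from a CMDB or asset inventory.
ASSET_CONTEXT = {
    "pay-api-01": {"criticality": 1.0, "internet_facing": True, "controls": {"waf", "edr"}},
    "dev-box-07": {"criticality": 0.2, "internet_facing": False, "controls": set()},
    "hr-db-02": {"criticality": 0.8, "internet_facing": False, "controls": {"edr", "network_segmentation"}},
}

# Illustrative mapping of which deployed controls compensate for which class of exposure.
MITIGATING_CONTROLS = {"web": {"waf"}, "host": {"edr"}, "lateral": {"network_segmentation"}}

# Constructed findings from two scanners. Identifiers are placeholders, not real CVEs.
FINDINGS = [
    Finding("dev-box-07", "CVE-0000-0001", 9.8, "scannerA", 0.9, known_exploited=True),
    Finding("pay-api-01", "CVE-0000-0002", 7.5, "scannerA", 0.4),
    Finding("pay-api-01", "CVE-0000-0002", 7.2, "scannerB", 0.3),   # same exposure, second scanner
    Finding("hr-db-02", "MISCONFIG-0001", 6.5, "scannerB", 0.1),
]
EXPOSURE_CLASS = {"CVE-0000-0001": "host", "CVE-0000-0002": "web", "MISCONFIG-0001": "lateral"}


def dedupe(findings):
    """Merge the same exposure on the same asset reported by several scanners, keeping the
    highest severity and likelihood seen and recording every scanner that reported it."""
    merged = {}
    for f in findings:
        key = (f.asset, f.exposure_id)
        if key not in merged:
            merged[key] = Finding(f.asset, f.exposure_id, f.cvss, f.scanner,
                                  f.exploit_probability, f.known_exploited)
            continue
        m = merged[key]
        m.cvss = max(m.cvss, f.cvss)
        m.exploit_probability = max(m.exploit_probability, f.exploit_probability)
        m.known_exploited = m.known_exploited or f.known_exploited
        m.scanner += "," + f.scanner
    return list(merged.values())


def priority_score(f, exposure_class):
    """Score 0-100 combining severity, business impact (asset criticality), likelihood and
    compensating controls. Weights are illustrative, not a standard."""
    ctx = ASSET_CONTEXT[f.asset]
    severity = f.cvss / 10.0
    likelihood = 1.0 if f.known_exploited else f.exploit_probability
    if ctx["internet_facing"]:
        likelihood = min(1.0, likelihood + 0.2)     # reachability raises likelihood
    impact = ctx["criticality"]
    score = 100 * severity * impact * (0.4 + 0.6 * likelihood)
    # A compensating control halves the score but never removes the finding from the list.
    if ctx["controls"] & MITIGATING_CONTROLS.get(exposure_class, set()):
        score *= 0.5
    return round(score, 1)


def rank(findings, classes):
    """Return (score, finding) pairs, highest priority first."""
    ranked = [(priority_score(f, classes.get(f.exposure_id, "host")), f) for f in dedupe(findings)]
    ranked.sort(key=lambda t: t[0], reverse=True)
    return ranked


if __name__ == "__main__":
    for score, f in rank(FINDINGS, EXPOSURE_CLASS):
        print(f"{score:5.1f}  {f.asset:12s} {f.exposure_id:15s} cvss={f.cvss} via {f.scanner}")
```

Note that the CVSS 9.8 finding on the low-criticality, non-internet-facing dev box ranks below the CVSS 7.5 finding on the internet-facing payment API, which is the "beyond CVSS" ordering the profile argues for.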
Obstacles
  • EAP solutions offer limited value when your vulnerability/exposure management processes or CTEM program are broken, undefined or immature rather than well established.
  • Organizations limiting EAP activities to compliance-driven mandates on CVSS severity as the defining characteristic of how serious exposures are will not realize the full value from EAPs.
  • Attack path analysis can be an output of EAPs but can be achieved by leveraging other technologies, such as adversarial exposure validation (AEV). Organizations with existing investments in AEV may not perceive EAP’s attack path analysis to be of additional value.
  • The EAP market comprises various segments, often overlapping with adjacent capabilities, like cyber asset attack surface management (CAASM). Even with an EAP and a stand-alone CAASM tool, or other products that provide a single source of truth for the organization’s assets, you may find yourself no better off than when you had to manage these tasks manually. Multiple prioritization engines can diminish value and add complexity.
User Recommendations
  • Implement an outcome-driven approach that:
    • Scopes the aspects of the business important for its success.
    • Identifies what context (e.g., stakeholder needs and compliance requirements) is available to incorporate into EAP’s prioritization and evaluates if the data fidelity is high enough to be used without negative impact.
    • Correlates asset context, TI, security configurations, and proprietary algorithms to calculate a more dynamic and evidence-based risk rating.
    • Automates through an EAP where assessment and prioritization capabilities were in separate consoles previously.
  • Shift from siloed VA tools to EAPs to unify vulnerability and attack surface management through AI-powered automation and enhanced prioritization.
  • Select EAP vendors that have strong integrations with existing and planned tools to help broaden attack surface visibility, refine prioritization and streamline cross-team collaboration.
  • Deploy EAPs that evaluate a range of exposure telemetry starting with endpoint and network security control configurations to create an actionable understanding of your exposure landscape.
Sample Vendors
Armis; CrowdStrike; Hive Pro; Microsoft; Qualys; Rapid7; Tenable; XM Cyber; WithSecure; Zscaler

Telemetry Pipelines

Analysis By: Gregg Siegfried
Benefit Rating: Moderate
Market Penetration: 5% to 20% of target audience
Maturity: Early mainstream
Definition:
Telemetry pipelines, sometimes called observability pipelines, are solutions that provide a uniform and holistic mechanism to manage the collection, ingestion, enrichment, transformation and routing of machine data (telemetry) from source(s) to destination(s). These solutions can be consumed on a self-managed, SaaS-managed or hybrid basis. Telemetry pipelines may be stand-alone products or part of a vendor’s broader portfolio of monitoring solutions.
Why This Is Important
When applications and services are distributed widely and involve multiple service providers, their context becomes distributed as well. Telemetry pipelines enable organizations to efficiently collect, transform, enrich and route health, performance and security telemetry from sources (workloads, monitoring agents and platforms) to destinations (observability platforms, analysis and investigation tools, event management solutions and long-term storage).
Business Impact
Telemetry pipelines improve efficiency by:
  • Ensuring telemetry is of sufficient quality before routing for analysis.
  • Managing analysis cost by storing telemetry according to its purpose.
  • Reducing the number of agents collecting telemetry at the source.
  • Simplifying processing and storage by normalizing taxonomy, granularity and cardinality before ingestion into analysis tools.
  • Optimizing bandwidth utilization through compression and deduplication.
  • Automatically identifying and classifying telemetry as it passes through the pipeline.
  • Consolidating portions of the IT and security operations toolchains.
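The stages listed above (quality gating, normalizing taxonomy, deduplication, classification and routing by purpose) in a minimal pipeline, added here as an illustration that is not any vendor's product. The raw log lines, the asset table used for enrichment and the destination names are constructed for the example.

```python
"""Minimal telemetry pipeline: collect -> normalize -> enrich -> dedupe -> classify -> route.
Added illustration, not any vendor's product. All inputs and the asset table are constructed."""
import hashlib
import json
import re
from collections import defaultdict

# Constructed raw events from two sources with different formats (syslog text and JSON).
RAW_EVENTS = [
    "Jun 23 10:01:02 web01 sshd[2211]: Failed password for root from 198.51.100.7 port 5022 ssh2",
    '{"ts":"2025-06-23T10:01:03Z","host":"web01","service":"nginx","level":"info","msg":"GET /health 200 3ms"}',
    "Jun 23 10:01:02 web01 sshd[2211]: Failed password for root from 198.51.100.7 port 5022 ssh2",
    '{"ts":"2025-06-23T10:01:05Z","host":"db01","service":"postgres","level":"error","msg":"connection reset by peer"}',
    "this line is not parseable",
]

# Constructed asset inventory used for enrichment.
ASSETS = {"web01": {"env": "prod", "owner": "web-team"}, "db01": {"env": "prod", "owner": "dba"}}

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<proc>[\w-]+)\[\d+\]: (?P<msg>.*)$")

# Message fragments that mark an event as security-relevant (illustrative list).
SECURITY_PATTERNS = ("Failed password", "Accepted publickey", "sudo:")


def normalize(raw):
    """Map each source format onto one schema (ts, host, source, severity, message).
    Returns None for lines that fail the quality gate, so they never reach a destination."""
    if raw.startswith("{"):
        try:
            d = json.loads(raw)
            return {"ts": d["ts"], "host": d["host"], "source": d["service"],
                    "severity": d.get("level", "info"), "message": d["msg"]}
        except (ValueError, KeyError):
            return None
    m = SYSLOG_RE.match(raw)
    if not m:
        return None
    return {"ts": m["ts"], "host": m["host"], "source": m["proc"],
            "severity": "info", "message": m["msg"]}


def enrich(event):
    """Attach environment and owner from the asset inventory; unknown hosts are flagged, not dropped."""
    event.update(ASSETS.get(event["host"], {"env": "unknown", "owner": "unknown"}))
    return event


def classify(event):
    """Tag the event so routing can send security telemetry to the SIEM and the rest elsewhere."""
    if event["source"] == "sshd" or any(p in event["message"] for p in SECURITY_PATTERNS):
        return "security"
    return "operational"


def run_pipeline(raw_events):
    """Return (routes, stats): events per destination and counters for what was dropped."""
    routes = defaultdict(list)
    stats = {"dropped_unparseable": 0, "dropped_duplicate": 0}
    seen = set()
    for raw in raw_events:
        ev = normalize(raw)
        if ev is None:
            stats["dropped_unparseable"] += 1
            continue
        # Deduplicate on the normalized content, before enrichment adds fields.
        key = hashlib.sha256(json.dumps(ev, sort_keys=True).encode()).hexdigest()
        if key in seen:
            stats["dropped_duplicate"] += 1
            continue
        seen.add(key)
        ev = enrich(ev)
        ev["class"] = classify(ev)
        routes["archive"].append(ev)            # everything goes to cheap long-term storage
        if ev["class"] == "security":
            routes["siem"].append(ev)           # security telemetry to the detection back end
        elif ev["severity"] in ("error", "critical"):
            routes["observability"].append(ev)  # only noteworthy operational events are ingested
    return routes, stats


if __name__ == "__main__":
    routes, stats = run_pipeline(RAW_EVENTS)
    for dest, events in routes.items():
        print(dest, len(events))
    print(stats)
```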
Drivers
  • Increasing volume of telemetry: Modern workloads generate significant amounts of telemetry, which can take many forms and may originate in many locations. Telemetry pipelines provide a mechanism to unify them.
  • Ephemeral cloud services: Telemetry from cloud resources often must be collected immediately or it is gone forever.
  • Cost: Moving and storing data can be expensive. Many telemetry insight platforms charge based on ingest volume. Applying governance to telemetry and only moving, ingesting and storing what you need can help manage costs.
  • Bulk long-term storage: Cloud-based object storage has become a ubiquitous, secure and reasonably priced way to store bulk data. Some log-monitoring products have built seamless support for object storage while maintaining rapid reporting access. This reduces the need for each individual analysis solution to maintain a “cold” or “frozen” tier.
  • OpenTelemetry Collector implementation: The open-source OpenTelemetry Collector software itself relies on the telemetry pipeline pattern and supports transformation, enrichment and routing to multiple destinations out of the box.
  • Vendor neutrality: Telemetry pipelines allow telemetry data to be easily shared between different observability platforms, reducing reliance on particular vendors.
Obstacles
  • Administrative cognitive load: Telemetry pipeline products have their own learning curve, particularly when configuring them to transform and enrich data as it passes through.
  • Potential incompatibility: Given the variety of telemetry sources and analysis back ends available, choosing a telemetry pipeline product that meets current and future needs may pose a challenge.
  • ROI concerns: Although the ROI is very clear when telemetry pipelines are used to reduce ingestion into a volume-based analysis tool, other benefits have a less obvious payback.
  • Divided market: A groundswell of telemetry pipeline vendors focused specifically on cybersecurity use cases has broadened options for some. Bifurcating into special-purpose telemetry pipeline products for I&O and security would add complexity to an already uncertain market.
User Recommendations
  • Consolidate or bridge silos of telemetry by deploying telemetry pipelines. Understanding the data that you have will support use-case adjacencies such as a telemetry data lake.
  • Unify operational and security-related telemetry collection by deploying telemetry pipeline products. The analysis back ends may be different, but a reduction in agents can be a win.
  • Emphasize consistency by limiting the output formats. Although telemetry pipelines are inherently many-to-many solutions, make “many to fewer” the objective.
  • Use telemetry pipelines to optimize and standardize the data enrichment and transformation needs without overloading the data source.
Sample Vendors
Bindplane; CeTu; Chronosphere; Cribl; Edge Delta; Mezmo; Onum

Cybersecurity AI Assistants

Analysis By: Jeremy D'Hoinne
Benefit Rating: Moderate
Market Penetration: 5% to 20% of target audience
Maturity: Emerging
Definition:
Cybersecurity AI assistants leverage generative AI techniques to discover existing knowledge available from cybersecurity tools, generate content or code, and assist security teams in their daily tasks. Cybersecurity AI assistants are mostly available as companion features in existing products, but can also take the form of a dedicated front end and can integrate software agents to take action.
Why This Is Important
Most cybersecurity technology providers are now embedding a generative AI (GenAI) assistant into their existing products. These cybersecurity AI assistants deliver knowledge discovery and content creation (often as summarization or generated code/script). Their promise of improved productivity appeals to cybersecurity executives. These assistants are slowly evolving to be multimodal and agentic, which means they can be used to assemble automations to complete repetitive tasks across multiple cybersecurity tools.
Business Impact
  • Organizations use cybersecurity AI assistants as part of their existing tools and conduct pilots with standalone AI assistants.
  • Cybersecurity AI assistants can improve operator accuracy, resulting in lower business downtime and potentially less data loss due to security incidents.
  • Organizations with high cybersecurity administrative turnover benefit from shorter training periods due to the advantages of these assistants.
  • Cybersecurity AI assistants can help implement more secure code, fix cloud misconfigurations, generate scripts and code, and identify key security events in logging systems.
  • Other use cases for cybersecurity AI assistants include tuning security configuration adjustments, and conducting risk and compliance identification and analysis.
Drivers
  • The biggest driver of adoption is the vast availability of generative AI tools and frameworks, leading to a fast adoption by providers.
  • Cybersecurity AI assistants help teams to quickly create general best-practice guidance, synthesize and analyze threat intelligence, automate the first steps in incident response, and generate remediation suggestions for application security.
  • Organizations continue to experience skill shortages and look for opportunities to automate resource-intensive cybersecurity tasks.
  • Cyber risk analysts need to speed up cyber risk assessments, and be more agile and adaptable through increased automation and prepopulation of risk data in context.
  • More broadly, GenAI might augment existing continuous threat exposure management programs by better aggregating, analyzing and prioritizing inputs. It can also generate realistic scenarios for validation.
Obstacles
  • Uncertainty about the pricing of these assistants will be a big factor in the pace of adoption. Today, only a few providers have communicated their pricing, while many offer early previews for free.
  • The cybersecurity industry is already plagued with false positives. One bad “hallucination” or an inaccurate response by GenAI will cause organizations to be cautious about adoption or limit the scope of their usage.
  • Best practices and tooling to implement responsible AI, privacy, trust, security and safety for GenAI applications do not fully exist yet. Security teams might be reluctant to enable GenAI features without guarantees regarding the security and privacy of their data.
  • The scope of cybersecurity AI assistants is often limited to the product they are part of, creating fragmentation of insights and limiting their value.
  • Organizations still require the core skill sets they are supposed to augment using GenAI. Currently, adopting GenAI will likely increase workloads before it successfully decreases them.
  • As GenAI is still developing, establishing the trust required for its wider adoption will take time. This is especially true for the skill augmentation use cases, as you would need the skills you are supposed to augment in order to ensure that the recommendations are good.
User Recommendations
  • Build AI literacy and develop metrics to measure the success of the pilot program.
  • Be sure to have a control group to validate improvements against.
  • Pick initial use cases carefully and advertise them as pilots taking the form of an integrated feature of existing tools or stand-alone products that do not replace existing tools.
  • Monitor the addition of GenAI assistants from your existing providers and beware of GenAI washing. Don’t pay a premium before obtaining measurable results.
  • Evaluate privacy features and the model architecture to ensure the security of data shared with the GenAI assistant.
  • Implement a documented approval workflow for allowing new generative cybersecurity AI experiments to avoid the unmanaged sharing of sensitive data.
  • Implement a policy requiring that any content (that is, configuration or code) generated by an AI is fully documented, peer-reviewed by humans and tested before it is implemented. Otherwise, consider any AI-generated content as “draft only” when used for critical use cases.
Gartner Recommended Reading

Penetration Testing as a Service

Analysis By: Mitchell Schneider, William Dupre, Carlos De Sola Caraballo
Benefit Rating: Moderate
Market Penetration: 20% to 50% of target audience
Maturity: Adolescent
Definition:
Penetration testing as a service (PTaaS) provides technology-led, point-in-time and continuous application and infrastructure testing aligned with penetration testing (pentesting) standards, which have traditionally relied heavily on human pentesters using commercial/proprietary tools. The service is delivered via a SaaS platform, leveraging a hybrid approach of automation and human pentesters (crowdsourced or vendors’ in-house team) to increase the efficiency and effectiveness of the results.
Why This Is Important
Pentesting is foundational in a security program and mandated by various compliance standards and regulations. PTaaS delivers continuous security testing via a platform that enables faster scheduling and execution of pentests, and real-time communications with testers and visibility of test results. It provides API access to enable integration with existing DevOps and ticketing solutions for workflow automation. It also provides the ability to document and track pentesting results to demonstrate progress over time to leadership/auditors.
Business Impact
PTaaS complements exposure assessments and traditional application security testing. It also provides cost optimization and quality improvement of pentesting output along with validation of exposure status. PTaaS enables organizations to elevate their security posture with continuous assessments that integrate validation earlier in the software development life cycle as compared with traditional pentesting efforts. It gives access to real-time findings delivered through a platform, which accelerates remediation and improves collaboration efforts.
Drivers
  • Organizations are turning to PTaaS to deal with the increase in attack surfaces due to the accelerating use of public cloud and expansion of public-facing digital assets. PTaaS allows developers to talk to and receive guidance from pentesters instead of relying completely on scanners, such as dynamic application security testing/static application security testing (DAST/SAST) scanners.
  • Organizations with limited in-house security expertise must meet their compliance and risk management objectives, in addition to improving their security posture, and therefore look to PTaaS offerings to meet these initiatives.
  • In order to meet fast production deadlines, security-aware organizations must integrate a more agile way of conducting pentesting into their continuous integration/continuous delivery (CI/CD) pipelines for their DevSecOps practices.
  • Gartner clients express an appetite to test on a more frequent basis to support their continuous threat exposure management (CTEM) initiatives. However, manual pentesting is cost-prohibitive in modern infrastructure (for example, infrastructure as a service [IaaS], SaaS and third-party subscriptions).
  • Most organizations have a pentesting budget and often seek better ways to use their annual budget. Highly automated, technology-led pentesting has the potential to offer higher-quality deliverables for the price, or at least more frequent deliverables for the price.
  • Engaging external security researchers for penetration testing can present legal challenges, such as ensuring proper authorization and compliance with computer crime laws. Additionally, manually managing payments for discovered vulnerabilities can be complex and time-consuming,
Obstacles
  • Selecting a suitable PTaaS vendor in the market may be difficult, as their capabilities vary. Vendors use one or a combination of automation and human testers, which are in-house or community-led — typically vetted freelancers — to perform penetration testing for the client organization.
  • Most PTaaS vendors in the market focus on internet-facing digital assets, like web and mobile applications, and APIs that may only partially fulfill client requirements.
  • PTaaS vendors may not be able to support very complex environments where extensive domain expertise is needed.
  • The depth and extensibility of a PTaaS is not as flexible as a statement of work (SOW)-led engagement. Therefore, if you have some special requests, and/or are seeking extensive testing, you are not going to get it with PTaaS.
  • PTaaS overlaps with adversarial exposure validation (AEV), which is an adjacent market, yet they are different in terms of adoption and operation. AEV focuses on continuous, real-world attack simulations, while PTaaS emphasizes human expertise and integration with development processes for on-demand or continuous testing.
User Recommendations
  • Determine which option/mix of penetration testing programs is best for your organization: compliance-driven service engagement; PTaaS; in-house red team leveraging an automated pentesting tool; or bug bounty.
  • Identify and evaluate the pentesting scope and requirements that PTaaS vendors will be able to fulfill before engaging with vendors. PTaaS is well-aligned to both application testing and external infrastructure testing. Not all vendors will be able to replace internal infrastructure pentests, wireless, social engineering and physical assessments.
  • Favor hybrid scanning models that combine human analysis and automation to increase both effectiveness and efficiency.
  • Select a PTaaS vendor that aligns with relevant compliance requirements and is not focused only on internet-facing infrastructure and applications.
  • Seek PTaaS vendors that provide customized and tailored guidance throughout the life cycle of their service to alleviate the security skills gap.
Sample Vendors
Bishop Fox; BreachLock; Bugcrowd; Cobalt; HackerOne; NetSPI; Praetorian; Siemba; Synack; TrollEye Security
Gartner Recommended Reading

Threat Exposure Management

Analysis By: Pete Shoard, Jeremy D'Hoinne, Mitchell Schneider
Benefit Rating: Transformational
Market Penetration: 20% to 50% of target audience
Maturity: Adolescent
Definition:
Threat exposure management encompasses processes and technologies that allow enterprises to continually and consistently assess the visibility and validate the accessibility and exploitability of their digital assets. It must be governed by an effective continuous threat exposure management (CTEM) program.
Why This Is Important
The diversity of modern infrastructure and reevaluation of what threat exposure is affect organizations’ ability to accurately assess cyber risks. Security teams often struggle to identify modern exposures, leaving security gaps in systems such as SaaS and cyber-physical systems (CPS) security. Threat exposure management addresses these challenges by enabling identification, prioritization and validation of issues across diverse attack surfaces and ensuring comprehensive visibility and mitigation.
Business Impact
Threat exposure management governs and prioritizes risk reduction for the modern enterprise. It requires assessment of all business-related systems, applications and subscriptions, broadening risk understanding for today’s digital landscape. CTEM programs factor in business importance, likelihood of attack, visibility of vulnerability and validation of the existence of an attack path, enabling businesses to mobilize responses to genuine, impactful risks.
Drivers
  • Organizations’ vulnerability management programs often lack alignment with business criticality. Organizations focus on volume rather than scoping a target set based on their priorities, leaving them with too much to do regarding their exposure and little guidance on which action to prioritize. Threat exposure management provides business alignment through the scoping process and helps reduce volumes of irrelevant or non-business-critical issues.
  • A programmatic and repeatable approach to answer the question “How exposed are we?” is necessary for organizations. Threat exposure management aims to allow reprioritization of treatments as environments shift in a rapidly changing and expanding IT landscape.
  • Organizations commonly silo exposure activities such as penetration testing, threat intelligence management and vulnerability scanning. Siloed views provide little or no awareness of the complete picture of cyber risk.
  • Modern IT infrastructure, including subscriptions, SaaS applications and cloud environments, has introduced a much wider, more varied set of potential exposures, making organizations susceptible. Current approaches focus too much on traditional IT and vulnerability, when a large percentage of the exposure problem is focused elsewhere.
  • Vendor offerings to identify threat exposures are evolving and consolidating into exposure assessment platforms (EAP), which offer greater visibility. This means that end users will have access to new information about potential threats without having to purchase new subscriptions.
Obstacles
  • The increased scope of CTEM programs over traditional vulnerability management (VM) introduces many new complexities often not previously considered or budgeted for.
  • While evaluating new exposures is necessary, effective response and the ability to mobilize a gradient of countermeasures, such as threat monitoring and control configuration, is lacking. Patching is the de facto response to vulnerability discovery.
  • Processes to manage end-to-end awareness (from visibility of attack vectors to response to breaches) are virtually nonexistent in most organizations, which often simply scan their networks for compliance reasons. Regulations rarely factor in the exploitability of exposures.
  • Assessing the complexity of attacks requires new skill sets. Market areas, such as adversarial exposure validation (AEV), make it simple to test the out-of-the-box scenarios using simulation tools. But users need new skills to be effective at using these capabilities and customizing scenarios.
User Recommendations
  • Create agreements on tackling exposure with various organizational stakeholders, as success depends on it. Automated remediation from tools is unlikely to have a significant impact.
  • Communicate the risks to the board. Senior executives must be aware of existing risks, and allocate resources to prepare against potential threats.
  • Implement wider, more multiplatform programs, such as CTEM, to manage exposure. Include scoping and directional exposure awareness that deals with business-critical issues, not just “fire and forget” approaches.
  • Prepare response and reaction plans. Monitoring for threat exposure issues is critical to limiting the potential impact of attacks. Validating that those exposures genuinely exist and security controls are functioning as expected is useful. However, it is essential that organizations also prepare reaction plans for the issues they may find to ensure resolution paths are effective.
  • Include, in your CTEM program, assets that your organization doesn’t directly own, such as social media accounts, SaaS and data held by supply chain partners.
Gartner Recommended Reading

Sliding into the Trough

CAASM

Analysis By: John Watts, Mitchell Schneider, Neil MacDonald
Benefit Rating: Low
Market Penetration: 5% to 20% of target audience
Maturity: Adolescent
Definition:
Cyber asset attack surface management (CAASM) focuses on enabling security teams to overcome asset visibility and exposure challenges. It enables organizations to obtain a near-complete view of their assets (internal and external), primarily through API integrations with existing tools, query consolidated data, identify the scope of exposures and gaps in security controls, and mitigate issues.
Why This Is Important
CAASM aggregates asset visibility from other products that collect a subset of assets, such as endpoints, servers and devices. By consolidating internal and external cyber assets, users can query to find coverage gaps and misconfigurations for security tools such as vulnerability assessment and endpoint detection and response tools. CAASM provides mostly passive data collection via API integrations, replacing time-consuming manual processes to collect and reconcile asset information.
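As an added illustration of the consolidate-then-query pattern described above (this is example code, not from any CAASM product or from the report), the block below merges three constructed inventory exports, the kind of data a CAASM tool pulls over each product's API, into one normalized asset record per host and then queries the result for control-coverage gaps. All hostnames, IPs and dates are constructed sample data; the field names of the three exports are assumptions standing in for whatever each real tool returns.

```python
"""Consolidate asset exports from several tools and query for coverage gaps (added example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed sample exports (not real product output), one per source tool.
CLOUD_INVENTORY = [  # cloud provider instance list
    {"InstanceId": "i-0a1", "Hostname": "web-01.corp.example", "PrivateIp": "10.0.1.10"},
    {"InstanceId": "i-0a2", "Hostname": "WEB-02.corp.example", "PrivateIp": "10.0.1.11"},
    {"InstanceId": "i-0a3", "Hostname": "db-01.corp.example", "PrivateIp": "10.0.2.20"},
]
EDR_AGENTS = [  # endpoint detection and response console
    {"host": "web-01", "ip": "10.0.1.10", "last_seen": "2025-06-20"},
    {"host": "db-01", "ip": "10.0.2.20", "last_seen": "2025-05-01"},
    {"host": "laptop-77", "ip": "192.168.4.7", "last_seen": "2025-06-22"},
]
VA_SCANS = [  # vulnerability assessment scanner
    {"fqdn": "web-01.corp.example", "ip": "10.0.1.10", "scanned": "2025-06-18"},
    {"fqdn": "web-02.corp.example", "ip": "10.0.1.11", "scanned": "2025-06-18"},
]


@dataclass
class Asset:
    """One normalized record per host, with every tool that reported it."""
    key: str
    sources: Set[str] = field(default_factory=set)
    ips: Set[str] = field(default_factory=set)
    edr_last_seen: Optional[date] = None
    va_last_scanned: Optional[date] = None


def normalize_host(name: str) -> str:
    # Tools disagree on letter case and on whether the domain suffix is present,
    # so reconcile on the lower-cased short hostname.
    return name.split(".")[0].lower()


def consolidate() -> Dict[str, Asset]:
    """Merge all exports into a single asset map keyed by normalized hostname."""
    assets: Dict[str, Asset] = {}

    def record(name: str, source: str, ip: str) -> Asset:
        key = normalize_host(name)
        asset = assets.setdefault(key, Asset(key))
        asset.sources.add(source)
        asset.ips.add(ip)
        return asset

    for r in CLOUD_INVENTORY:
        record(r["Hostname"], "cloud", r["PrivateIp"])
    for r in EDR_AGENTS:
        record(r["host"], "edr", r["ip"]).edr_last_seen = date.fromisoformat(r["last_seen"])
    for r in VA_SCANS:
        record(r["fqdn"], "va", r["ip"]).va_last_scanned = date.fromisoformat(r["scanned"])
    return assets


def coverage_gaps(assets: Dict[str, Asset], today: date = date(2025, 6, 23),
                  stale_days: int = 14) -> Dict[str, List[str]]:
    """Query the consolidated view for the gaps a CAASM user typically asks about."""
    gaps: Dict[str, List[str]] = {"no_edr": [], "stale_edr": [], "no_va": [], "single_source": []}
    for a in assets.values():
        if "edr" not in a.sources:
            gaps["no_edr"].append(a.key)           # known asset with no EDR agent at all
        elif a.edr_last_seen is not None and (today - a.edr_last_seen).days > stale_days:
            gaps["stale_edr"].append(a.key)        # agent installed but not checking in
        if "va" not in a.sources:
            gaps["no_va"].append(a.key)            # never covered by the vulnerability scanner
        if len(a.sources) == 1:
            gaps["single_source"].append(a.key)    # seen by one tool only: CMDB reconciliation candidate
    return {k: sorted(v) for k, v in gaps.items()}


if __name__ == "__main__":
    for gap, hosts in coverage_gaps(consolidate()).items():
        print(f"{gap:14s} {hosts}")
```

Real CAASM products reconcile on several keys (IP, MAC, cloud instance ID, serial number) rather than hostname alone, and the read-only API credentials used to pull each export are exactly the low-privilege integration accounts the User Recommendations below ask you to prepare.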
Business Impact
CAASM enables security teams to improve basic security hygiene by finding security controls posture gaps and asset exposures across all digital assets. Organizations that deploy CAASM reduce dependencies on homegrown systems and manual collection processes to improve staff efficiency. Organizations find significant overlap with exposure assessment platforms (EAPs) and want to rationalize their tool choices to focus on continuously identifying and prioritizing exposures.
Drivers
  • More comprehensive visibility into any asset owned by the organization collected through existing tools to improve the understanding of an organization’s potential attack surface and existing security control gaps.
  • Quicker audit compliance reporting through more accurate, current, and comprehensive asset and security control reports.
  • Consolidation of existing products that collect asset and exposure information into a single normalized view in order to reduce operational overhead of manual processes and dependencies on homegrown applications or spreadsheets.
  • Access to consolidated asset views for multiple individuals and teams across an organization and integrations with other systems of record for current state visibility.
  • Lower resistance to data collection from and better security visibility into potential blind spots, such as “shadow IT” organizations, installed third-party systems and line-of-business applications over which the IT department lacks governance and control. Security teams need visibility in these places, whereas the IT department may not.
  • Helps IT teams improve the accuracy of their existing configuration management database (CMDB) through periodic updates of assets and attributes missed by CMDB reconciliation processes.
Obstacles
  • Resistance to “yet another” tool — there are increasing overlaps with CAASM vendors and adjacent tools that provide some asset inventory and reporting, such as EAPs.
  • Not all vendors have capabilities to identify and integrate with every required system for visibility and vulnerability information, nor do they ingest all asset types or normalize security events across environments into a common data model.
  • Vendor response actions to prioritized issues may be limited to opening tickets or invoking a script.
  • Extremely large environments are limited by some vendors’ licensing and scalability.
  • Tools that could be integrated with a CAASM product may not exist within an organization, may lack an API, or may be prevented from integrating by the teams that own them.
  • Reconciliation processes that conflict with source systems may not be resolved easily within the CAASM vendor tooling.
User Recommendations
  • Evaluate CAASM as part of EAPs rather than as a stand-alone offering.
  • Take advantage of proof-of-concept opportunities and free versions of products and subscriptions to “try before you buy,” as CAASM products are nondisruptive and easy to deploy.
  • Sign contracts with smaller pure-play providers for no more than one year, considering the evolution of the market beyond stand-alone capabilities.
  • Inventory all available APIs that can be integrated with the CAASM product you are considering while also ensuring that you have read-only or low-privilege user accounts available to integrate.
Sample Vendors
Armis; Axonius; Balbix; CrowdStrike; Cyclops Security; JupiterOne; Qualys; Rapid7; Sevco Security; Tenable
Gartner Recommended Reading

Digital Forensics and Incident Response

Analysis By: Carlos De Sola Caraballo
Benefit Rating: Moderate
Market Penetration: 20% to 50% of target audience
Maturity: Mature mainstream
Definition:
Digital forensics and incident response (DFIR) retainer services help organizations assess and manage the impact of a security incident. DF services assist with forensic response, aid in forensic information gathering and advise on proactive best practices for avoiding a breach. IR services assist with breach investigation, triage and impact classification. These capabilities are delivered as professional services, supported by technology services from the same provider.
Why This Is Important
DFIR services are a strategic investment to strengthen organizations’ ability to resolve cybersecurity incidents, both proactively and reactively. Advanced attacks, such as ransomware, require specialized skills in investigation, negotiation, forensics and response. For most organizations, having highly specialized experts on payroll for limited usage doesn’t make sense. DFIR providers can help augment response capabilities through contracted services.
Business Impact
DFIR services are increasingly critical to an organization’s strategic incident response planning. Improper handling of response postbreach can lead to extended impacts and losses. Regulatory fines, legal fees, lawsuits, brand devaluation and customer attrition can all be affected by how a breach is handled. Having a robust DFIR capability in place will elevate the response capabilities of the organization, allowing for proportional responses that avoid real impacts.
Drivers
  • The increased risk of cyberattacks against organizations has highlighted the need to invest in a DFIR provider to react, remediate and recover the business infrastructure.
  • Businesses require rapid response to incidents with a highly detailed investigation and accuracy to be able to minimize the impact of a breach — reducing any downtime and meeting any regulatory or insurance-driven needs.
  • DFIR providers offer the expertise required to help organizations recover from security incidents quickly. They provide guidance on security control reconfiguration and granular details regarding the true impact of a breach, without the overhead of directly attracting, compensating and retaining specialist staff.
  • Certain clients need assistance in the chain of custody. This is a process that proves that evidence used to prosecute a cybercriminal is legitimate and not edited fraudulently. Most DFIR suppliers can help deliver this if requested, while some even provide litigation support.
  • Compliance drivers such as DORA and NIS2 often compel clients to engage with a DFIR provider.
  • Cyberinsurance carriers often require clients to engage with a DFIR provider to reduce the risk, and thus the cost, to the insurance company. Insurance companies may offer reduced premiums if their preferred DFIR provider is used.
Obstacles
  • DFIR is a postbreach activity and does not prevent attacks. It requires higher than average maturity in the cybersecurity program to invest in services aimed at minimizing the time to recover, and not preventing incidents, making it hard to justify if the organization doesn’t experience an incident.
  • DFIR vendors have different approaches to providing response and forensics capabilities, which can create confusion for clients. Vendors should use a combination of human and technology approaches and identify which approach best suits the needs of the buyer.
  • Understanding DFIR roles and responsibilities when responding to incidents is critical to the success of the program. Organizations must understand what constitutes a call-out and what does not.
  • It can be challenging to understand the engagement strategy with the DFIR supplier since some use a retainer, a zero-hour retainer or a pay-for-retention contract.
  • A DFIR contract won’t solve the problem of the internal cross-team collaboration required for response. Business decisions about an incident, and internal coordination of the response, can be an obstacle since DFIR won’t fix the source of the problem but instead propose changes and solutions.
User Recommendations
  • Evaluate purchasing a prepaid IR retainer if the budget allows this. DFIR buying options can be confusing. Prepurchasing retainers can maximize investment and increase priority and access to services to support your DFIR requirements in case of an incident.
  • Evaluate the DFIR services for breach planning and avoidance services in addition to postbreach response services.
  • Involve your DFIR provider in your cybersecurity maturity. This can enhance an organization’s other security investments. DFIR providers’ business is dealing with breaches. The lessons learned from breaches can enhance your cybersecurity defense with more-sophisticated use cases, threat detection and even playbooks.
  • Keep in mind that an agreement with a DFIR provider is not a replacement for the buying organization having its own IR process in place.
Sample Vendors
Accenture; BlueVoyant; Booz Allen Hamilton; CrowdStrike; Google (Mandiant); IBM; Kroll; NCC Group; Verizon
Gartner Recommended Reading

Identity Threat Detection and Response

Analysis By: Mary Ruddy
Benefit Rating: High
Market Penetration: More than 50% of target audience
Maturity: Adolescent
Definition:
Identity threat detection and response (ITDR) is a discipline that leverages tools and best practices that secure the identity and access management (IAM) infrastructure itself from attacks. Various ITDR tools can enforce administrative user hygiene, detect threats, respond to different types of attacks or restore normal operation as needed.
Why This Is Important
Identity is foundational for security operations (identity-first security). Therefore, IAM infrastructure must be operated with a security mindset as threat actors are targeting the identity infrastructure itself. Credential abuse is a top attack vector, according to the 2025 Data Breach Investigations Report by Verizon Business. Organizations must increase the maturity of their process for protecting their IAM infrastructure. ITDR can add additional layers of security to IAM and cybersecurity deployments.
Business Impact
Securing your IAM infrastructure is mission-critical for identity and security operations. If your accounts or IAM infrastructure itself are compromised, attackers can take control of your systems and disrupt operations. Protecting your IAM infrastructure is a top priority. “Business-as-usual” processes that seemed adequate before attackers targeted identity tools directly are no longer sufficient. This can require multiple ITDR-enabling tools, which may include tools already within the organization’s portfolio.
Drivers
  • More sophisticated attackers are actively targeting the IAM infrastructure itself. For instance:
    • Administrator credential misuse is now a primary vector for attacks against the IAM infrastructure.
    • Attackers can use administrative permissions to gain access to the organization’s global administrator account or trusted SAML token-signing certificate to forge SAML tokens for lateral movement.
  • Modern attacks show that conventional identity hygiene is only part of the solution. There is no such thing as perfect prevention. Multifactor authentication and entitlement management processes can be circumvented, and the supporting/enabling tools generally lack mechanisms for detection and response if something goes wrong.
  • ITDR is needed as an additional layer beyond immutable data vaults, access management (AM), identity governance and administration, privileged access management, security information and event management, and a security operations center or outsourced managed detection service.
  • IAM and infrastructure security controls have major detection gaps. IAM is traditionally used as a preventive control, whereas infrastructure security is used broadly but has limited depth when detecting identity-specific threats. ITDR demands more specific capabilities that operate with lower latency than general-purpose configuration management, detection and response tools.
  • Ensuring the integrity of IAM infrastructure requires organizations to deploy a more granular govern, identify, protect, detect, respond and recover loop. This includes combining foundational practices with ITDR:
    • Govern, a new element of the NIST CSF 2.0 framework, to ensure that ITDR activities are effective and evolve with your organization.
    • Identify threats in your environment, to ensure your ITDR program meets current requirements.
    • Protect your IAM infrastructure with hygiene. At minimum, this includes IAM infrastructure administrative accounts. Broader end-user entitlement management is a key part of an overall IAM program.
    • Detect indications of abnormal identity activity quickly and accurately before material damage is done.
    • Respond to incidents with appropriate levels of automation, both to block the activity and to make needed changes to policies and configuration posture to avoid recurrences.
    • Recover quickly, in the rare circumstances when this is necessary.
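To make the "detect" step of the loop above concrete (this is an added example and not part of the report or of any vendor's ITDR product), the block below runs three detection rules over a constructed identity-provider audit log: privileged role grants, changes to federation or token-signing configuration, and administrator sign-ins that break the account's baseline (no MFA, or a country the admin has never signed in from). It also correlates the second rule with the third, escalating a configuration change that follows an anomalous sign-in by the same actor. The event schema, action names, account names and baseline are all assumptions constructed for the example.

```python
"""Detection rules for identity-infrastructure threats over a constructed IdP audit log (added example)."""
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample audit log in JSON-lines form; the schema and action names are assumptions.
AUDIT_LOG = """
{"ts":"2025-06-20T08:02:11Z","actor":"alice.admin","action":"SignIn","target":"alice.admin","src_country":"US","mfa":true}
{"ts":"2025-06-20T08:05:40Z","actor":"alice.admin","action":"AddMemberToRole","target":"bob","detail":"Global Administrator"}
{"ts":"2025-06-20T23:41:02Z","actor":"svc-sync","action":"SignIn","target":"svc-sync","src_country":"RO","mfa":false}
{"ts":"2025-06-20T23:42:19Z","actor":"svc-sync","action":"UpdateFederationSettings","target":"corp.example","detail":"token signing certificate replaced"}
{"ts":"2025-06-21T09:10:00Z","actor":"carol","action":"SignIn","target":"carol","src_country":"US","mfa":true}
"""

# Roles whose assignment should always be reviewed (constructed list).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
# Actions that change the trust fabric of the IAM infrastructure itself (hypothetical action names).
IAM_CONFIG_ACTIONS = {"UpdateFederationSettings", "AddTrustedDomain", "SetCertificateForApp"}
# Per-admin baseline of countries seen in prior sign-ins (constructed; in practice learned from history).
ADMIN_BASELINE: Dict[str, set] = {"alice.admin": {"US"}, "svc-sync": {"US"}}


def parse_events(raw: str) -> List[dict]:
    """Parse JSON lines into event dicts with a real timestamp, sorted by time."""
    events = []
    for line in raw.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: List[dict], window: timedelta = timedelta(minutes=60)) -> List[dict]:
    """Apply the three rules and correlate config changes with prior anomalous admin sign-ins."""
    findings: List[dict] = []
    last_anomalous_signin: Dict[str, datetime] = {}

    for e in events:
        actor, action = e["actor"], e["action"]

        # Rule 1: admin sign-in that deviates from the account's baseline.
        if action == "SignIn" and actor in ADMIN_BASELINE:
            reasons = []
            if not e.get("mfa"):
                reasons.append("no MFA")
            if e.get("src_country") not in ADMIN_BASELINE[actor]:
                reasons.append(f"new country {e.get('src_country')}")
            if reasons:
                last_anomalous_signin[actor] = e["ts"]
                findings.append({"rule": "anomalous_admin_signin", "actor": actor, "ts": e["ts"],
                                 "detail": ", ".join(reasons), "severity": "high"})

        # Rule 2: someone was granted a privileged directory role.
        elif action == "AddMemberToRole" and e.get("detail") in PRIVILEGED_ROLES:
            findings.append({"rule": "privileged_role_grant", "actor": actor, "ts": e["ts"],
                             "detail": f"{e['target']} -> {e['detail']}", "severity": "high"})

        # Rule 3: federation / token-signing configuration changed; escalate if the same
        # actor had an anomalous sign-in inside the correlation window.
        elif action in IAM_CONFIG_ACTIONS:
            finding = {"rule": "iam_config_change", "actor": actor, "ts": e["ts"],
                       "detail": f"{action}: {e.get('detail', '')}", "severity": "critical",
                       "escalated": False}
            prior = last_anomalous_signin.get(actor)
            if prior is not None and e["ts"] - prior <= window:
                finding["escalated"] = True
                finding["detail"] += " (follows anomalous sign-in by same actor)"
            findings.append(finding)

    return findings


if __name__ == "__main__":
    for f in detect(parse_events(AUDIT_LOG)):
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['severity']:8s} {f['rule']:24s} {f['actor']:12s} {f['detail']}")
```

The point of the correlation in rule 3 is the one the text makes about latency: a token-signing certificate change is the kind of event that needs to page someone within minutes, not surface in a weekly configuration report, and tying it to the preceding sign-in anomaly is what turns two medium-confidence alerts into one actionable incident routed to the SOC.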
Obstacles
  • ITDR requires coordination between IAM and security functions, which can be difficult for some identity teams without a security orientation.
  • Awareness of IAM administrator hygiene, detection and response best practices is low. Organizations tend to operate identity tools in silos, which prevents them from sharing risk signals and prioritizing overall hygiene activities.
  • Multiple capabilities are required to fully protect the IAM infrastructure. These include closely monitoring configuration changes to root IAM administrator accounts, detecting when IAM tools are compromised, enabling rapid investigations and efficient remediation, and the ability to quickly revert to a known good state. This requires multiple vendors.
  • There are many different tools with ITDR capabilities that vary widely in their strengths. Therefore, organizations will need to choose multiple tools to achieve full coverage.
User Recommendations
  • Include an ITDR strategy in your formal IAM program. Prioritize securing the IAM infrastructure with tools to discover and monitor identity attack techniques, protect identity and access controls, detect when attacks are occurring, and enable fast remediation.
  • Look for capabilities in existing and new specialized tools that will provide visibility across your IAM ecosystem, prioritize remediation efforts, and demonstrate (over time) a reduction in the attack surface. Leverage multiple tools to provide all needed ITDR capabilities.
  • Leverage current and emerging IAM standards to orchestrate your IAM infrastructure to operate more as an identity fabric that shares risk signals so that it is easier to detect identity threats. Direct the alerts generated by ITDR capabilities to your centralized security operations center.
  • Mature organizations can use the MITRE ATT&CK framework to correlate ITDR techniques with attack scenarios to ensure that at least well-known attack vectors are addressed. Above all, prevent administrator accounts from being compromised.
  • Combine foundational identity hygiene, such as reducing standing privileges, with ITDR. Manage security posture and configuration of user directories and token generators.
Sample Vendors
Cisco; CrowdStrike; Delinea (Authomize); Gurucul; Microsoft; Netwrix; Proofpoint; Semperis; SentinelOne; Silverfort
Gartner Recommended Reading

Predictive Modeling for Cybersecurity

Analysis By: Yogesh Bhatt, Akif Khan, Jonathan Nunez
Benefit Rating: Moderate
Market Penetration: 20% to 50% of target audience
Maturity: Adolescent
Definition:
Predictive modeling is a forward-thinking approach that utilizes data analysis and supervised machine learning to forecast events or outcomes before they materialize. By analyzing extensive cybersecurity data, predictive modeling empowers cybersecurity teams with the likelihood of adversarial actions targeting an organization. In cybersecurity, it has traditionally been applied in fraud detection or vulnerability assessment and recently expanded to threat intelligence and risk management.
Why This Is Important
Predictive modeling helps organizations to prioritize security efforts based on which vulnerabilities are more likely to be exploited, and to act on early suspicious patterns before data is exfiltrated. With threat intelligence, it enables more automated security decisions, such as blocking malicious activity based on patterns of anomaly. When done well, it also aggregates and analyzes data from local business context, improving its accuracy. Aggregating and analyzing data from various sources, including threat intelligence feeds, social media and the dark web, allows organizations to identify patterns, which helps detect potential threats early.
Business Impact
In today’s digital ecosystem, cyberthreats are becoming more advanced, persistent and disruptive. Traditional cybersecurity methods rely more on reactive measures — taking action after incidents occur. By analyzing data from various sources, predictive modeling helps identify patterns and anomalies, allowing cybersecurity teams to proactively identify, score and address potential risks, and protect the organization and reduce its exposure to threats.
Drivers
  • Predicting cyberattacks and removing exposures most likely to be exploited can reduce the costs associated with data breaches, such as financial losses, reputational damage and regulatory penalties. The average cost of a breach for an enterprise is in the multimillion dollar range.
  • Traditional cybersecurity measures have been more reactive in nature, responding to threats after they have occurred.
  • Cybersecurity leaders seek a proactive, data-driven approach that leverages predictive modeling to gain foresight. This enables them to not only defend against existing threats, but also anticipate and remediate potential vulnerabilities before they are likely to be exploited, thus maintaining a proactive security posture.
  • Predictive modeling enables forward-looking organizations to stay ahead of emerging threats by continuously learning from new data, their own context and signals to adapt their security program.
Obstacles
  • Data quality and availability: Effective predictive modeling requires high-quality, comprehensive data, which can be challenging to obtain due to data silos, incomplete datasets or lack of access to necessary information.
  • Complexity of implementation: Developing and integrating predictive models into existing cybersecurity frameworks can be complex and resource-intensive, requiring specialized skills and expertise.
  • Limitations: Predictive models may generate false positives or negatives, leading to unnecessary alerts or missed threats. This can undermine trust in the system, especially given the lack of frameworks to properly test and measure the efficacy of predictive modeling.
  • Threat landscape complexity: Organizations and cybersecurity providers only see a subset of threat actors’ activity, based on past detections, which limits the scope of what predictive models can do, especially for newer attack vectors.
  • Privacy and ethical concerns: The use of extensive data for predictive modeling raises privacy and ethical concerns, particularly regarding the collection and analysis of sensitive information and providers having access to data.
  • Cost of implementation: The financial investment required for developing, deploying and maintaining predictive models can be a barrier, especially for smaller organizations with limited budgets.
  • Integration with existing systems: Ensuring that predictive models work seamlessly with existing cybersecurity tools and infrastructure can be challenging, requiring significant effort and coordination.
User Recommendations
  • Invest in quality data: Access high-quality, diverse data to improve predictive models’ accuracy.
  • Establish an AI literacy program: Develop or hire specialized skills and expertise in data science and cybersecurity to effectively implement, fine-tune and manage predictive modeling solutions.
  • Prioritize a buy approach: Set your sights on buying a predictive modeling solution instead of building one, especially if you do not have AI skills and resources.
  • Start small and scale: Begin with pilot projects to test predictive modeling approaches, benchmark their efficacy on improving cybersecurity metrics, then gradually scale up based on results and organizational needs.
  • Focus on integration: Ensure predictive models are compatible with existing cybersecurity tools and infrastructure to maximize their effectiveness and ease of use.
  • Continuously update models: Regularly update and fine-tune models to adapt to evolving threats and incorporate new data.
  • Manage alerts: Implement strategies to handle false positives and negatives effectively, such as refining model parameters and using supplementary analysis tools.
  • Evaluate cost-benefit: Assess the financial implications and benefits of predictive modeling to ensure it aligns with organizational goals and resources.
  • Monitor and measure impact: Continuously monitor the performance and impact of predictive modeling on cybersecurity outcomes to ensure it meets your objectives.

Digital Risk Protection Services

Analysis By: Mitchell Schneider, Jonathan Nunez
Benefit Rating: Moderate
Market Penetration: More than 50% of target audience
Maturity: Early mainstream
Definition:
Digital risk protection services (DRPS) are technology-led services that enable brand protection, third-party risk assessment, external-facing threat discovery and VIP monitoring. They offer technical responses to identified risks. They provide visibility into surface web, social media, and deep and dark web sources to identify potential threats to critical assets, and provide contextual information on threat actors and the tactics, techniques and procedures they use for conducting malicious activities.
Why This Is Important
Modern attacks, from commodity exploits to highly curated and sophisticated fraud schemes, are prevalent and effective because threat actor delivery modalities have been commensurately commoditized (across the clear, deep and dark web). DRPS leverage these same modalities to discover and mitigate the risks that may directly impact business operations or reputation. These services typically require specialized skill sets to operate and are most often consumed as an outsourced function.
Business Impact
DRPS proactively identify external-facing risks from social-media-related artifacts, provide open and dark web findings, and support third-party risk initiatives. They aim to associate all relevant malign activity on the public internet, enrich those findings with threat and business context, and perform technical responses to evict certain threats when possible (takedowns). DRPS and threat intelligence significantly overlap and, according to Gartner, are not currently viewed as distinct markets. Instead, DRPS is considered a component of a broader threat intelligence offering.
Drivers
  • DRPS have been driven by their ability to support a range of use cases and user roles. Example use cases include digital footprinting (e.g., mapping internal/external assets and identifying shadow IT), brand protection (e.g., impersonations, doxing and misinformation), account takeover (e.g., credential theft, lookalike domains and phishing sites), data leakage detection (e.g., detection of intellectual property, personally identifiable information, credit card data, credentials) and high-value target monitoring (e.g., VIP/executive monitoring).
  • Complexities in managing digital risks are key reasons why organizations can benefit from DRPS. These complexities include an expanding attack surface, a more hybrid workforce, higher reliance on e-commerce, regulatory compliance, cloud assets, digital business transformation, a volatile threat landscape and the magnitude of information derived from monitored risk and security activities (e.g., preextortion related to ransomware).
  • Demand for DRPS is also driven by the accessibility of such offerings for small or midsize enterprises that originally couldn’t benefit from threat intelligence (TI), due to the lack of specialized skills and resources for security, including the time needed to perform follow-up actions. This is because of the less technical and more accessible nature of the intelligence made available by many DRPS providers, as well as the availability of a managed service type of offering.
Obstacles
  • Vendors in the DRPS market continue to struggle to differentiate themselves, due to the continued increase in new market offerings. Furthermore, vendor capabilities vary and may be limited in their ability to provide a comprehensive solution for common market use cases. Some vendors take a best-of-breed approach, focusing heavily on a single DRPS use case (e.g., VIP/executive monitoring), whereas most other vendors have expanded to support more than one use case. Moreover, there are variations in the types and scope of takedowns and related investigations that DRPS vendors support.
  • DRPS is now a predominant feature of almost all the large TI vendors, and overlaps with other complementary markets, such as managed security service providers and managed detection and response (MDR) providers. These markets are experiencing increased competition, and buyers want to spend less; therefore, consolidating services into an existing procurement vehicle seems plausible for many organizations.
User Recommendations
  • Evaluate the capabilities and features of DRPS offerings and match them to the needs of your organization’s security programs and business risks. Ask vendors what threats they cover and whether they focus on a specific use case or many (e.g., phishing, dark/deep web monitoring, data leakage and/or social media protection).
  • Prioritize DRPS offerings that are consolidated with other external threat services and products, such as security threat intelligence solutions. The net value of correlated and enriched DRPS and threat intelligence data affords greater curation on delivery across security operations.
  • Assess vendors based on takedown success rates, the ability to work with internet service providers and registrars, and integrations with your existing technologies for automated validation of findings.
  • Prioritize solutions that include managed services in their offerings (especially if there are resource constraints), that can predict and prevent issues from occurring in the first place, and have SLAs that ensure the fastest remediation time.
Sample Vendors
Axur; BforeAI; BitSight; Bolster AI; Check Point; CybelAngel; Cyble; QuoIntelligence; SOCRadar; ZeroFox
Gartner Recommended Reading

XDR

Analysis By: Eric Ahlm, Franz Hinner, Thomas Lintemuth
Benefit Rating: Moderate
Market Penetration: 20% to 50% of target audience
Maturity: Early mainstream
Definition:
Extended detection and response (XDR) delivers unified security incident detection and response capabilities. XDRs integrate threat intelligence, security events and telemetry data from multiple sources, with security analytics to provide contextualization and correlation of security alerts. XDR must include native sensors. XDR can be delivered on-premises or as a SaaS offering, and is typically deployed by organizations with smaller security teams.
Why This Is Important
XDR offers a platform approach for threat detection, investigation and response (TDIR) by using an ecosystem, rather than a best-of-breed approach. XDR vendors, for the most part, manage the complex dependencies normally associated with building a detection stack through their use of native APIs, automation and detection content. Several XDR vendors now offer basic SIEM-like functionality as part of their ecosystem solutions.
Business Impact
The relative ease of use of XDR to discover and triage common threats reduces the need for internal skill sets and could reduce staffing levels needed to operate a more complex solution, such as SIEM. XDR can also help reduce the time and complexity associated with security operations tasks through a single centralized investigation and response system.
Drivers
  • XDRs appeal to organizations with modest maturity needs, due to the detection logic, mostly vendor-provided, that generally requires less customization and maintenance.
  • XDRs appeal to organizations looking for improved collaboration across the security stack components, as well as those looking to lower the administration requirements of more complex TDIR solutions.
  • Overall operations reduction drives buyers to XDR solutions, since the vendor takes on many responsibilities involving managing stack dependencies, scaling workflows and providing detection content.
  • Purchasing a platform product like XDR simplifies the vendor acquisition and integration challenges associated with best-of-breed strategies.
Obstacles
  • XDR’s limited extensibility creates obstacles for clients who wish to build highly customized detection and monitoring use cases using solutions outside of the XDR vendor’s preferred open ecosystem.
  • Expanding an XDR detection stack’s capabilities through the addition or replacement of security controls will be limited by the vendor.
  • An XDR’s SIEM component may lack functionality found in best-of-breed solutions, such as long-term storage, system of record, reporting and audit or log connector support.
  • XDR may be a poor choice for high maturity security operations centers (SOCs) that require role-based dashboards, advanced workflows and large-scale enterprise architectural capabilities.
User Recommendations
  • Evaluate the actual operational complexity reduction of an XDR solution by comparing how current workloads are reduced by the vendor’s use of automation, AI, alert enrichment or other time-saving capabilities.
  • Evaluate using scaling functions included in the XDR product, such as automation and knowledge augmentation, to drive efficiencies in common operation functions associated with threat detection and response.
  • Evaluate XDR with SIEM capabilities as a possible migration candidate for organizations with limited SIEM use cases, considering it as a replacement for their existing primary SIEM.
  • Include the knowledge services provided by the vendor for common detection upkeep as part of the solution cost justification.
  • Favor security products that provide APIs for information sharing and that allow automated actions to be sent from an XDR solution.
  • Buy a managed detection and response service on top of an XDR product when your organization needs more than vendor-provided integrations and playbooks, including daily operational support for threat detection and response.
Sample Vendors
Cisco; CrowdStrike; Fortinet; Microsoft; Palo Alto Networks; SentinelOne; Sophos; Stellar Cyber; Trellix; Trend Micro
Gartner Recommended Reading

Climbing the Slope

Offensive Security Programs

Analysis By: Dhivya Poole, Mitchell Schneider, Jonathan Nunez
Benefit Rating: Moderate
Market Penetration: 20% to 50% of target audience
Maturity: Mature mainstream
Definition:
Offensive security programs are a proactive cybersecurity practice that develops repeatable and consistent processes to simulate cyberattack techniques in order to identify security weaknesses. This approach employs tools and techniques similar to those used by cybercriminals to boost security resilience by identifying threat exposure and stress-testing systems and processes. Key methods include penetration testing, red teaming and bug bounties, all designed to reveal potential security gaps comprehensively.
Why This Is Important
In today’s evolving threat landscape, cybersecurity professionals must adopt an attacker’s view to stay ahead. Offensive security is crucial for simulating cyberattacks, revealing weaknesses and proactively evaluating an organization’s defenses. Offensive security programs provide the “how” by detailing actionable steps to assess the exploitability of your exposures before threat actors cause financial loss or reputational damage. This enables organizations to proactively fix weaknesses, enhance security, build trust and refine incident response plans.
Business Impact
Running an offensive security program can significantly benefit businesses by improving their overall cybersecurity posture, reducing risk severity and enhancing their ability to respond to cyberthreats. Offensive security raises awareness across the organization, fostering a robust security culture, and provides actionable reports with recommendations for remediation, thus ensuring effective safeguarding of the enterprise.
Drivers
The demand for offensive security is driven by several key factors:
  • Proactive identification and validation of threat exposures, preventing costly breaches and minimizing financial, reputational and operational losses.
  • Strategic investment to provide clear insights into high-risk and impactful threat exposures to improve operational efficiency, demonstrating the ROI of proactive measures.
  • Illumination of the impact of cyber risk on business operations, aiding informed decision making, prioritizing initiatives that effectively reduce impactful threats.
  • Routine security testing to ensure compliance with regulations (such as HIPAA, PCI DSS), thus avoiding penalties and enhancing consumer trust and brand reputation.
  • Demonstrated commitment to resilience, support for strategic decision making, and contribution to building cyber resilience by helping leadership prioritize resources and align efforts with regulatory expectations (such as DORA, NIS2).
  • Support for growth and operational excellence, embedding resilience into organizational culture and enabling secure business objectives.
Obstacles
  • Testers face an expanding attack surface, such as cloud computing and IoT, and new attack surfaces, such as the use of AI, making it harder to identify and secure all potential entry points.
  • Offensive security teams must be proficient in a diversity of assessments, each requiring specific skills, techniques and knowledge. Maintaining expertise across all domains is a challenge.
  • Communication and reporting technical findings in an actionable manner can be challenging, especially with a knowledge gap between testers and their audience.
  • Testers must adhere to a growing number of strict security standards, regulations and ethical guidelines, which can be resource-intensive and time-consuming.
  • Assessments often occur in dynamic environments where target systems, security controls and configurations change rapidly, requiring testers to remain agile and adapt in real time.
  • Rapidly advancing adversarial tactics make it difficult for offensive security practitioners to keep pace.
User Recommendations
  • Define the scope of an offensive security program by prioritizing finite resources on critical testing or attack surfaces.
  • Balance internal teams for routine activities like penetration testing and employing external experts for specialized tasks, such as red teaming, to manage costs, ensure unbiased perspectives and satisfy compliance requirements.
  • Implement use-case-based testing for the program. Penetration tests offer broad coverage, bug bounties provide in-depth exploration to uncover hidden vulnerabilities, and red teaming simulates advanced threat scenarios and threat actors to improve incident response readiness and resilience.
  • Develop well-tested and governed processes for reporting, where technical findings are converted into actionable insights, thereby increasing its value to the organization while also facilitating risk-reduction approvals.
  • Use frameworks (e.g., Cyber Kill Chain, MITRE ATT&CK, TIBER-EU) and tools (e.g., AEV) to ease adherence to security standards and regulations. Regular updates and audits maintain compliance without excessive resource use.
  • Invest in and integrate threat intelligence to anticipate advanced adversary techniques.
Gartner Recommended Reading

Co-Managed Security Monitoring Services

Analysis By: Pete Shoard
Benefit Rating: Moderate
Market Penetration: 20% to 50% of target audience
Maturity: Mature mainstream
Definition:
Co-managed security monitoring offers services that are delivered remotely. These services can manage an individual or an ecosystem of client-owned SIEM, extended detection and response (XDR), endpoint detection and response (EDR), identity threat detection and response (ITDR) or other TDIR-capable products. These products generally provide an operational platform for the delivery of threat detection and alerting, incident investigations, and managing mitigating response to security incidents.
Why This Is Important
Co-management offers buyers the opportunity to increase their internal security skill sets while still having the support of an experienced service provider. Such an approach increases the speed at which they can achieve greater security maturity and gives them the flexibility to build capabilities and mature internal staff in ways not available via a more “fully managed” approach. This approach helps to create a distinction between outcome-driven services and technology-driven detection and response services.
Business Impact
Organizations make purchases of threat detection, investigation and response (TDIR)-capable products such as security information and event management (SIEM), but often struggle to operate them effectively. Detection and response is critical to the success of any security strategy. Midsecurity and midmaturity buyers recognize continuous monitoring needs and are adopting more accessible tools, such as EDR and XDR. Co-managed services provide security operations center (SOC) maturity in areas like creation/tuning of detection content, platform maintenance and lightweight investigation.
Drivers
  • Buyers require the ability to continuously build and update detection content and reporting within their TDIR-capable technologies because they have non-security-related use cases that require them to own the infrastructure. These use cases include being able to access reports, create custom rules or dashboards, and conduct HR or legal investigations. Using these technologies requires expert knowledge of the threat landscape and other data manipulation skills, which are hard to acquire and retain.
  • Specifically, the complexity of TDIR-capable technologies and their configuration requirements means that many buyers do not have the in-house expertise to build, configure and maintain them.
  • Compared to turnkey services, such as managed detection and response (MDR), co-managed security monitoring provides buyers greater flexibility and customization in configuring a dedicated detection and response capability. As an organization’s security maturity increases and internal skill sets grow, co-managed security monitoring often becomes the preferred follow-up pathway or additional service add-on to MDR. Co-managed security monitoring provides resources to triage the large volume of alerts and threats discovered by TDIR-capable technologies in a cost-effective manner.
  • Buyers may already have a service provider or systems integrator; co-managed security services often coexist with service providers operationally supporting TDIR capabilities.
  • Many buyers have adopted, or plan to adopt, SaaS security monitoring offerings as part of a bundle of capabilities with broader infrastructure investments, and will be migrating from legacy on-premises technologies or alternative SaaS providers because of this. The associated security monitoring requirements of these migrations can be complex and may benefit from the support of experienced managed providers.
Obstacles
  • Aligning long-term SOC team development goals with a co-managed service is difficult. While co-management provides easy acquisition of SOC skills, long-term planning for internal development of staff requires forethought and a defined roadmap.
  • Co-managed monitoring services typically offer only a first line of triage and investigation and not the full process of managing security incidents. No matter how much incident management support a provider offers, there is always some level of response that is the responsibility of the customer.
  • Owning your TDIR-capable solution may be a preference, but can take a significant amount of time to deploy and get operational. Co-managed services rarely provide a fast turnaround related to deployment and value realization.
  • The complexity of adopting an already deployed solution can increase cost. Planning for the process of changing providers or asking providers to adopt existing technology is essential to avoid wasting time and budget.
User Recommendations
  • Identify details of use cases early to establish requirements for log data, TDIR and any compliance reporting needs to ensure the project costs are well-controlled.
  • Check whether a service overlay is required since SaaS platforms often offer lower overheads for technology maintenance.
  • Consider the impact on, and plan to sustain, long-term SOC skills and training requirements when using co-managed services.
  • Differentiate the requirements aligned to the management and maintenance of the technology from those regarding the maintenance and design of detection and reporting content. Decide which components are best aligned with the support you seek from a service.
  • Build a RACI when using infrastructure and co-managed service providers, specifying clear and appropriate escalation paths and responsibility definitions. Include details to resolve potential conflicts in incident resolution responsibilities.
Sample Vendors
AT&T; BlueVoyant; Capgemini; IBM; NCC Group; ReliaQuest; Talion; Vodafone; Wipro
Gartner Recommended Reading

MDR Services

Analysis By: Andrew Davies
Benefit Rating: High
Market Penetration: More than 50% of target audience
Maturity: Mature mainstream
Definition:
Managed detection and response (MDR) services provide customers with remotely delivered, human-led, modern security operations center (SOC) functions. These allow organizations to rapidly detect, analyze, investigate and actively respond through threat disruption and containment. MDR providers offer a turnkey experience using a technology stack that covers endpoint, network, logs and cloud. This telemetry is analyzed by the provider’s experts, skilled in threat hunting and incident management.
Why This Is Important
The cyberthreat landscape is in constant movement, and the complexity of attacks against organizations is escalating. Most organizations lack the resources, budget or appetite to build and run their own 24/7 SOC function, required to help them protect and defend against attacks that increasingly impact and cause more damage to operations. MDR services enable organizations to mature their threat detection and response coverage.
Business Impact
MDR services combine people, process and technology, translating security issues into business-focused risks, impacts and outcomes, reducing complexity and allowing increased security maturity through turnkey adoption. Organizations that have not invested in threat detection and response capabilities are at greater risk from the impact of cyber incidents. The challenge of finding, acquiring and retaining the necessary expertise and threat detection, investigation and response products makes building an adequate internal capability onerous.
Drivers
  • Buyers increasingly require fast adoption of mature capabilities that would have taken a long time to build or buy and have been prohibitively expensive to operate. MDR delivers a turnkey solution for those who have no desire to build and maintain internal capability or require capability quickly.
  • MDR services enable organizations to focus on outcome-driven response as they provide the expertise to interpret and deliver against a set of requirements in a turnkey format. Ultimately, this delivers relevant and actionable business outcomes.
  • The expansion of an organization’s IT infrastructure and digital footprint, moving into a broader set of providers and technologies, puts pressure on organizations to maintain visibility across an ever-broader set of attack surfaces. MDR providers offer high-fidelity threat detection and coverage of a wide range of data sources, technologies and SaaS platforms.
  • MDR providers allow for remotely delivered mitigative response actions, enabling buyers to respond and mitigate issues faster and with less impact to their business, although the level of autonomy granted to vendors varies according to the trust level. With the improved access to MDR service providers’ portals, clients can validate the response for some scenarios, and possibly execute it.
  • With the variety of business-driven risks that organizations are paying attention to, MDR providers are expanding their capabilities to include threat exposure management. The combination of this, with a traditional detection and response capability, is enabling visibility for clients across on-premises, cloud and SaaS environments.
Obstacles
  • The vastly different approaches by providers to offer MDR services often cause buyers to question how strategically to engage a provider.
  • Technology vendors with threat detection, investigation and response-capable solutions offer closely named but often more light-touch overlay services, such as managed endpoint detection and response (EDR), and co-managed security information and event management (SIEM). This increases buyers’ confusion.
  • Misaligned expectations and a lack of effective internal processes to consume MDR outputs lead to performance issues with MDR service providers and failed engagements.
  • Not assigning staff as the point of contact to the service can cause challenges. Segmentation of operational responsibilities and building effective response processes, if not defined effectively, usually leads to dissatisfaction with services.
  • New competition from AI agents and assistants promising to replace an MDR service poses a hurdle.
User Recommendations
  • Focus on outcomes, not technologies. Organizations underinvested in technologies capable of threat detection and incident response (TDIR), such as EDR, should favor contracting vendors that provide the tools and deliver the desired outcomes.
  • Ensure that your MDR provider supports additional security services as your security maturity improves and business-driven risks change, so you don’t need to add additional vendors at a later time. These services include exposure management, penetration testing as a service (PTaaS) and cyber asset attack surface management (CAASM).
  • Assess if the MDR service deliverables focus on completeness, actionability and options for service provider follow-up incident response and threat-hunting activity.
  • Buy MDR for scalable, repeatable use cases, and co-managed services to allow internal security teams to address custom requirements.
  • Examine co-managed security monitoring service offerings when adjacent capabilities are required to support the management and expansion of your own TDIR investments, such as EDR and SIEM.
  • Buy MDR services that offer a migration path to more self-service in the future. Looking for vendors that have open communication channels with analysts and delivery teams can support that goal.
Sample Vendors
Accenture; Arctic Wolf Networks; Critical Start; eSentire; Expel; Fortra; Optiv; Rapid7; Red Canary; Sophos
Gartner Recommended Reading

SOAR

Analysis By: Eric Ahlm, Craig Lawson
Benefit Rating: Moderate
Market Penetration: 20% to 50% of target audience
Maturity: Early mainstream
Definition:
Security orchestration, automation and response (SOAR) solutions combine incident response, orchestration and automation, and threat intelligence (TI) management capabilities in a single solution. SOAR tools can be used for many security operations tasks, such as documenting and implementing processes, supporting security incident management, applying machine-based assistance to human security analysts and operators, and better operationalizing the use of TI.
Why This Is Important
SOAR tools are extensible development platforms for organizations that wish to craft their own automation playbooks for scaling a wide variety of use cases within security operations. Current buyers tend to be more mature organizations with the resources to invest in their own development teams to support SOAR requirements. For other organizations, consuming automation onboard existing technologies has become more common than acquiring dedicated SOAR technologies.
Business Impact
SOAR solutions can help clients:
  • Reduce errors in handling incidents by codifying activities
  • Scale security operations by adding efficiency in handling various repetitive tasks and activities
  • Reduce errors in workflow execution by codifying processes and actions
Drivers
  • SOAR can improve the process and execution speed of repetitive tasks that often torment SOCs, especially tasks that consume time and require little human expertise. This frees teams to spend more time on critical tasks and activities.
  • SOAR can increase alert fidelity and actionability by adding more context and data enrichment. This helps reduce the noise from the high volume of alerts that need to be handled by the SOC team.
  • Security orchestration and automation (SOA) as a capability is increasingly needed by security operations. SOAR solutions offer flexible SOA in the platform. However, SOA is also becoming more available as canned, baked-in functionality in other security technologies, such as email security solutions, to help improve both analysis and triage and automate responses to attacks.
Obstacles
  • SOAR requires both development and ongoing operational cycles to maintain, similar to other coding development practices. As such, not all activities will warrant the investment in SOAR development and maintenance.
  • There are fewer vendor options for SOAR platforms in the market due to acquisitions and the featurization of automation into other larger platforms.
  • SOAR solutions often lack the ability to help scale highly dynamic or nondeterministic activities, which resist being expressed as fixed playbook logic.
User Recommendations
  • Consider consuming automation features onboard larger security platforms first. Stand-alone SOAR platforms should be the exception, reserved for clients with broad, custom automation requirements that embedded features cannot meet.
  • Assess whether the development skills needed to build and maintain SOAR playbooks exist internally. Security leaders should also review the time and cost this adds to the total cost of owning a SOAR toolset.
  • Involve the entire security organization when scoping requirements for SOAR. Organizations must look beyond simply plugging a new technology into SIEM and engage with wider security.
  • Select an appropriate product based on buyer understanding and its applicable use cases, such as SOC optimization, threat monitoring and response, threat investigation and hunting, and TI management.
  • Implement well-defined processes and playbooks before acquiring SOAR. Although SOAR promises many benefits, not every security organization is ready for SOAR tools, and a considerable amount of time is required to develop playbooks.
Sample Vendors
BlinkOps; Cisco (Splunk); Cyware; D3 Security; Google; Palo Alto Networks; ServiceNow; Swimlane; Tines; Torq

NDR

Analysis By: Thomas Lintemuth, Charanpal Bhogal, Jeremy D'Hoinne
Benefit Rating: Moderate
Market Penetration: 20% to 50% of target audience
Maturity: Early mainstream
Definition:
Network detection and response (NDR) products continuously monitor network traffic to detect anomalies and threats using behavioral analytics. NDR products include automated responses via integration with third-party cybersecurity products and less commonly directly. NDR is offered with hardware and software sensors. Management and orchestration consoles can be software or SaaS.
Why This Is Important
NDR identifies the devices communicating across its sensors, the network activity to and from those devices, baselines of typical activity, and deviations from those baselines, all without relying on signature-based controls. NDR detects lateral movement of attackers, command and control activity, and data exfiltration. Its placement on the network means NDR catches activity that endpoint and perimeter controls miss; because it is out of band, it will not cause downtime, and it can be tuned to prevent false positives from impacting operations.
Business Impact
NDR assists with risk mitigation by exposing the network attack surface. Machine learning (ML) algorithms detect incidents that are missed by signature-based detection techniques. Automated response capabilities enhance the effectiveness of incident responders. NDR facilitates faster and more thorough incident investigations, combining threat hunting and contextualization of alerts with drill-down capabilities.
Drivers
  • Detect breach activity: NDR complements traditional preventive controls by detecting incidents based on deviations from baseline. This enables security teams to investigate breaches without relying on signatures for threats that have not been seen before.
  • Contextualize alerts: SOC analysts are inundated with high volumes of events in the security information and event management (SIEM). NDR is well suited to providing contextual detail about the devices involved once an event is considered an incident.
  • Low risk, high reward: Deploying NDR products is a low-risk project, because the sensors are deployed out of band. They don’t inject a point of failure or a “speed bump” for network traffic. Enterprises that implement NDR products as a proof of concept (POC) often report high degrees of satisfaction, because the tools provide much-needed visibility into network traffic and enable even small teams to spot anomalies.
  • Monitor hybrid and cloud traffic: A key functionality for NDR is the ability to monitor IaaS traffic and some site-specific events in SaaS traffic (Microsoft 365). Organizations expanding their cloud presence use NDR to avoid creating gaps in their ability to monitor interactions among all their systems, whether hybrid or singularly IaaS.
  • Eliminate visibility gaps: NDR observes every packet that crosses its sensors, recording connection metadata and, in some products, full packets. Properly deployed and scoped NDR generates a list of all assets that are communicating on the monitored network segments.
  • Passive detection: NDR is deployed out of band, so attackers have little ability to know they are being observed. Unlike an endpoint detection and response (EDR) agent, which an attacker with host privileges can attempt to tamper with or disable, a passive sensor is not reachable from the compromised host; attackers can only reduce its visibility, for example by blending into encrypted or otherwise normal-looking traffic.
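The baseline-and-deviation approach described in the drivers, as an added illustration in Python that is not any NDR vendor's detection logic. The records are constructed in the shape of Zeek `conn.log` fields (`ts`, `id.orig_h`, `id.resp_h`, `id.resp_p`, `orig_bytes`); the z-score, beacon-count and jitter thresholds are assumptions a real deployment would tune, which is exactly where vulnerability scanners and scheduled jobs would otherwise generate the false positives the recommendations below warn about. Three behaviours are flagged: a host never seen during baselining, an outbound volume far outside a host's baseline (exfiltration), and connections to one destination at near-constant intervals (beaconing).

```python
"""Behavioural NDR-style detections over flow records.

Added illustration, not vendor code. Records mimic Zeek conn.log fields;
the thresholds are assumptions to be tuned per environment.
"""
import statistics
from collections import defaultdict

# Constructed baseline period: 10.0.0.5 normally sends ~1-2 KB per flow.
BASELINE = [
    {"ts": 1_700_000_000 + i * 600, "id.orig_h": "10.0.0.5",
     "id.resp_h": "93.184.216.34", "id.resp_p": 443, "orig_bytes": 1200 + (i % 3) * 300}
    for i in range(24)
]

# Constructed observation window containing three things worth flagging.
OBSERVED = (
    # beaconing: every 60 s (+/- 1 s) to one external host
    [{"ts": 1_700_100_000 + i * 60 + (i % 2), "id.orig_h": "10.0.0.5",
      "id.resp_h": "203.0.113.9", "id.resp_p": 8443, "orig_bytes": 300} for i in range(10)]
    # exfiltration: one upload far outside the baseline
    + [{"ts": 1_700_100_700, "id.orig_h": "10.0.0.5",
        "id.resp_h": "198.51.100.7", "id.resp_p": 443, "orig_bytes": 250_000_000}]
    # a device never seen while baselining
    + [{"ts": 1_700_100_800, "id.orig_h": "10.0.0.77",
        "id.resp_h": "10.0.0.1", "id.resp_p": 445, "orig_bytes": 5000}]
)


def build_baseline(records):
    """Per-source mean and population stdev of bytes sent per flow."""
    per_host = defaultdict(list)
    for r in records:
        per_host[r["id.orig_h"]].append(r["orig_bytes"])
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in per_host.items()}


def detect(records, baseline, z=6.0, min_beacons=6, max_jitter=0.1):
    """Return sorted (kind, src, dst) findings for the observation window."""
    findings = set()
    by_pair = defaultdict(list)
    for r in records:
        src, dst = r["id.orig_h"], r["id.resp_h"]
        if src not in baseline:
            findings.add(("new_device", src, dst))
            continue
        mean, sd = baseline[src]
        if sd > 0 and (r["orig_bytes"] - mean) / sd > z:
            findings.add(("volume_anomaly", src, dst))
        by_pair[(src, dst)].append(r["ts"])
    # Beaconing: many connections to one destination with very regular spacing
    # (coefficient of variation of the inter-arrival gaps below max_jitter).
    for (src, dst), ts in by_pair.items():
        if len(ts) < min_beacons:
            continue
        ts = sorted(ts)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap > 0 and statistics.pstdev(gaps) / mean_gap < max_jitter:
            findings.add(("beaconing", src, dst))
    return sorted(findings)
```

Real sensors work on far richer features (JA3/JA4 fingerprints, DNS, TLS SNI, protocol anomalies), but the shape is the same: learn what normal looks like per entity, then alert on statistically unusual deviations rather than on a signature.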
Obstacles
  • As most attacks happen at the endpoint, NDR identifies fewer incidents than EDR. Enterprises with a lower-maturity security operation program might struggle to justify the expense, compared with more-prolific detection products.
  • NDR has not developed a solid reputation for automated response. Response capabilities are usually actioned manually, if at all, after review from the security team as opposed to an automated response from the NDR system.
  • NDR products require tuning to the environment in which they are deployed. This necessitates ongoing human resources to achieve maximum benefit.
  • NDR is expanding beyond just network analysis, developing competition for budget with consolidated platforms such as SIEM and extended detection and response (XDR).
User Recommendations
  • Develop a strong understanding of the overall traffic patterns to support proper implementation and gain maximum value from NDR.
  • Plan sensor types and deployment locations so that the most relevant network traffic can be analyzed. Proper positioning of the NDR sensors is critically important to achieve complete visibility and control the cost of the deployment.
  • Tune out false positives in the implementation phase — false positives may be triggered by vulnerability scanners, shadow IT applications and other factors that may be specific to your environment.
  • Plan for ongoing tuning, as new detection models are deployed from the vendor.
  • Select network sensors with appropriate throughput capacity to avoid overloaded ports or dropped packets, either of which silently creates the visibility gaps NDR is meant to close.
Sample Vendors
Corelight; Darktrace; ExtraHop; Gatewatcher; NetWitness; Stamus Networks; Trellix; Trend Micro; Vectra AI

External Attack Surface Management

Analysis By: Ruggero Contu, Elizabeth Kim, Franz Hinner, Mitchell Schneider
Benefit Rating: Moderate
Market Penetration: 20% to 50% of target audience
Maturity: Early mainstream
Definition:
External attack surface management (EASM) refers to the processes, technology and managed services deployed to discover internet-facing enterprise assets and systems and associated exposures. Examples include exposed servers, public cloud service misconfigurations and third-party partner software code vulnerabilities that adversaries could exploit.
Why This Is Important
Digital transformation initiatives have accelerated the expansion of enterprises’ external attack surfaces. Cloud adoption, supply chain risks, remote/hybrid working and IT/operational technology/Internet of Things (IoT) convergence are some key changes increasing exposure to external threats. EASM helps identify internet-facing assets that threat actors may target to support more prioritized exposure/vulnerability and threats management. It aims to provide risk information relevant to digital assets in the public domain that are exposed to threat actors, enabling organizations to address the most critical exposures first.
Business Impact
EASM provides valuable risk context and actionable information to security and risk management leaders. EASM delivers visibility through four primary capabilities:
  • Asset discovery/inventory for external-facing assets and systems
  • Monitoring for internet-facing enterprise exposures (cloud services, Internet Protocol addresses, domains, certificates and IoT devices)
  • Analysis to assess and prioritize vulnerabilities and other exposures discovered
  • Mitigation and incident response through prebuilt integrations with ticketing systems and security orchestration automation and response tools
Drivers
  • Requirement to understand what organizations are exposed to from an attacker’s point of view.
  • Need for a more comprehensive inventory of internet-facing digital assets, particularly in response to regulations such as the EU’s General Data Protection Regulation and Digital Operational Resilience Act (DORA), and standards set by the National Institute of Standards and Technology in the U.S.
  • Digital business initiatives, such as cloud adoption, application development, hybrid working and convergence of IT with cyber-physical systems, present new enterprise risks.
  • Demand to quantify third-party risks arising from activities such as mergers and acquisitions and integration of supply chain infrastructure.
  • EASM’s adoption as part of different security platforms, such as threat intelligence (TI), adversarial exposure validation (AEV) and exposure assessment platforms (EAP), supporting more precise scoping and actionability.
Obstacles
  • Low perceived value, with EASM leveraged for single use cases rather than multiple areas
  • A fast-evolving market due to significant consolidation — a challenge for buyers investing in startups that eventually get acquired, creating potential instability/risks
  • Already overburdened vulnerability management (VM) capabilities and teams concerned about adding to workloads
Analyst Notes: While EASM capabilities are a consistent part of an overall threat and exposure management program, EASM functionalities are nowadays mainly offered as part of broader security solution sets, such as EAP, AEV and cyberthreat intelligence (CTI). As a result, we are positioning EASM’s time to plateau as obsolete (before reaching the plateau in this Hype Cycle).
User Recommendations
  • Review available EASM capabilities arising from converging markets, in areas such as TI, AEV and EAP. Alternatively, maximize the business value (or ROI) of EASM capabilities embedded within XDR solutions or a workspace platform provider with whom you may already have an existing commercial relationship, as those functionalities may suffice.
  • Focus on provider capabilities such as breadth of coverage (discovery), accuracy, prioritization efficacy and level of automation in supporting remediation activities, as they vary considerably from vendor to vendor.
  • Select an EASM technology or service provider based on the recognized use-case priority, but also integration strategy to support TI, threat hunting, VM and/or security testing/validation activities.
  • Ensure your EASM investment fits into broader capabilities, such as EAP, where external and internal exposure management are combined.
  • Consider EASM a key capability if primary business revenue is driven by externally facing web services.
Sample Vendors
BitSight; BreachLock; Censys; CyCognito; Hadrian; Palo Alto Networks; Pentera; SOCRadar; watchTowr; ZeroFox

Threat Intelligence Products and Services

Analysis By: Jonathan Nunez
Benefit Rating: High
Market Penetration: More than 50% of target audience
Maturity: Mature mainstream
Definition:
Threat intelligence (TI) services provide organizations with relevant context and insight about the cyberthreat landscape by documenting tactics, techniques and procedures; and by profiling attack campaigns, threats and threat actors. TI products deliver tools to assist organizations in aggregating, collecting, curating and operationalizing their own TI and potentially sharing it with outside entities.
Why This Is Important
Security leaders have an obligation to understand the organization’s threat landscape. They must ensure their security solutions are updated with the latest threat content and provide contextual information to their teams as it helps inform overall risk. TI provides the means for an organization to maintain visibility of its threat landscape and build timely, accurate and actionable insights that can be applied before, during and after threats present themselves to the organization.
Business Impact
  • TI products and services are applicable in every industry, across security functions and controls, because every organization has unique risks, making them susceptible to cyberthreats.
  • TI informs the business about current and potential future threats that could result in business disruption, unexpected monetary loss, reputational damage, or impact to human health and safety.
  • TI solutions can be consumed in machine- or human-readable formats to enhance security technologies and an understanding of adversarial intentions, behaviors, capabilities and motivations.
Drivers
  • Large security vendors are investing in TI products and services either through organic development or acquisitions. These vendors are delivering an increasing amount of threat intelligence platform (TIP) functionality to aggregate TI and manage it within a single platform offering, accelerating the adoption and utilization of TI in the market.
  • TI service providers expanded their core use cases and features to include digital risk protection services (DRPS), offering organizations a single-vendor way to deliver highly curated external threat and risk information.
  • Curation is in heightened demand for organizations as they grapple with increased volumes of data. Customers will continue to demand a deep understanding of the threat landscape as they work to synthesize TI into actionable insights.
Obstacles
  • Many organizations have no formal TI program or dedicated analysts to use TI solutions, like a TIP, or interpret the value from custom-made TI reports. Rather, they focus on tactical indicators like IP addresses, domains and hash values, and allocate too few resources to human-readable or advanced TI solutions.
  • Organizations struggle to measure and justify the value of TI solutions. Lack of TI performance reporting increases the likelihood of TI budget cuts or stalls the program’s maturation.
  • Many organizations lack well-defined priority intelligence requirements (PIRs), which can lead to overinvestment in or underutilization of TI solutions.
  • A saturated and seemingly undifferentiated TI marketplace creates buyer confusion and fatigue, especially in light of not having well-defined PIRs, which can hinder the vendor-selection process.
User Recommendations
  • Incorporate TI solutions and services into your overall security program. Define detailed requirements and expectations for TI service providers to deliver outcomes aligned to organizational threat concerns.
  • Leverage PIRs to drive TI solution needs before TI vendor engagement. This is foundational as it informs what to focus on, what to collect, who to track, and what it means to the business in terms of risk and exposure.
  • Develop operational delivery metrics (ODMs) for the defensible maturation of your TI program. These ODMs should focus on metrics and outcomes that drive faster detection and response, increased efficacy in security tools, and improved efficiency in incident response.
  • Consider leveraging TI services through your existing managed security services or managed detection and response providers. These providers can decrease time to value while simultaneously scaling your TI program by providing technical collection, curation, analysis and reporting.
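The tactical side of operationalizing TI (the IP, domain and hash indicators the Obstacles section says most organizations stop at), with the two controls that separate a useful feed from a noisy one, as an added illustration in Python. This is not a TIP's code: the indicators, the events and the sources are constructed, and the confidence floor and time-to-live policy are assumptions. `coverage_report` produces the kind of simple operational delivery metric the recommendations ask for: how much of the purchased intelligence is actually usable, and how much of it fired.

```python
"""Operationalizing tactical TI: match indicators against events, applying
confidence and expiry policy, and count sightings for reporting.

Added illustration, not a TIP's code. Indicators, events and sources are
constructed; min_conf and ttl_days are assumed policy values.
"""
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

NOW = datetime(2025, 6, 23, tzinfo=timezone.utc)

# Constructed indicators: type, value, confidence, last_seen, source.
INDICATORS = [
    {"type": "domain", "value": "update-check.example", "confidence": 90,
     "last_seen": NOW - timedelta(days=2), "source": "vendorA"},
    {"type": "ipv4-net", "value": "203.0.113.0/24", "confidence": 70,
     "last_seen": NOW - timedelta(days=10), "source": "isac"},
    {"type": "sha256", "value": "a" * 64, "confidence": 99,
     "last_seen": NOW - timedelta(days=120), "source": "vendorA"},  # stale
    {"type": "domain", "value": "cdn.example", "confidence": 20,
     "last_seen": NOW - timedelta(days=1), "source": "osint"},       # low confidence
]

# Constructed events in the shape a SIEM might normalize them into.
EVENTS = [
    {"host": "ws01", "dns.query": "update-check.example"},
    {"host": "ws02", "dst.ip": "203.0.113.55"},
    {"host": "ws03", "file.sha256": "a" * 64},
    {"host": "ws04", "dns.query": "cdn.example"},
    {"host": "ws05", "dst.ip": "198.51.100.1"},
]

FIELD_FOR_TYPE = {"domain": "dns.query", "ipv4-net": "dst.ip", "sha256": "file.sha256"}


def active(ind, now=NOW, min_conf=50, ttl_days=90):
    """Policy gate: only confident, recently seen indicators are used."""
    return ind["confidence"] >= min_conf and now - ind["last_seen"] <= timedelta(days=ttl_days)


def matches(ind, value):
    """Exact match for domains/hashes, containment for network ranges."""
    if ind["type"] == "ipv4-net":
        return ip_address(value) in ip_network(ind["value"])
    return value.lower() == ind["value"].lower()


def sightings(events, indicators, now=NOW):
    """Return (host, indicator value, source) for each active-indicator match."""
    live = [i for i in indicators if active(i, now)]
    out = []
    for ev in events:
        for ind in live:
            v = ev.get(FIELD_FOR_TYPE[ind["type"]])
            if v is not None and matches(ind, v):
                out.append((ev["host"], ind["value"], ind["source"]))
    return out


def coverage_report(events, indicators, now=NOW):
    """ODM-style numbers: usable indicators, sightings, and which sources earn their keep."""
    live = [i for i in indicators if active(i, now)]
    hits = sightings(events, indicators, now)
    return {"indicators_total": len(indicators), "indicators_active": len(live),
            "sightings": len(hits), "sources_firing": sorted({s for _, _, s in hits})}
```

Without the `active` gate, the stale hash would have fired on `ws03` and the low-confidence domain on `ws04`; with it, only two of the four indicators are in play, and the report shows which feeds contributed, which is the evidence needed when a feed's renewal is questioned.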
Sample Vendors
Axur; CrowdStrike; Cyble; DuskRise; Google; KELA; Orpheus Cyber; ReversingLabs; Silent Push; Silobreaker

Entering the Plateau

SIEM

Analysis By: Eric Ahlm, Andrew Davies
Benefit Rating: Moderate
Market Penetration: 20% to 50% of target audience
Maturity: Mature mainstream
Definition:
Security information and event management (SIEM) is a configurable security system of record that aggregates and analyzes security event data from on-premises and cloud environments. SIEM assists with response actions to mitigate issues that cause harm to the organization, and helps satisfy compliance and reporting requirements.
Why This Is Important
Aggregating and normalizing data from various environments to centralize visibility is a core element of effective security programs. SIEM acts as a workbench by supporting an organization’s ability to identify, prioritize and investigate security events of interest, execute response actions, and report on current and historical security events.
Business Impact
SIEM solutions can impact the business by:
  • Allowing organizations to identify and respond to critical security events earlier in their life cycle to reduce risk.
  • Creating overall situational awareness for security issues and events, providing an efficient and trusted system of record, which can be used for operational security and compliance reporting.
  • Aligning disparate technology investments and reducing the operational staffing overhead of managing security issues and incidents.
  • Supporting advanced and highly extensible threat-monitoring objectives, including those tied directly to business risks.
Drivers
  • Central monitoring of threats, as reported by multiple sources, is a primary driver for SIEM. SIEM offers a central place to monitor and investigate security alerts, as well as to support contextual information required to make an alert actionable.
  • A SIEM solution can turn raw alert data into actionable intelligence through whatever analysis method works best for a given monitoring objective.
  • The need to expand detection workflow to include response activities with capabilities such as security orchestration, automation and response.
  • SaaS SIEM (cloud-based/native) solutions transfer the platform and infrastructure maintenance to the vendor and allow for more predictable linear budgeting for growth.
  • As more assets move to cloud-centric environments, such as Microsoft Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), Oracle and many others, a SIEM solution must have awareness of the underlying environment to perform well.
  • Although considered table stakes, many organizations must comply with regulatory standards and frameworks, such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA) and SOC 2, which call for continuous monitoring and reporting of security events.
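The two steps that make the central-monitoring driver work, aggregation with normalization and then correlation across sources, as an added illustration in Python. This is not any SIEM's rule language or parser: the sshd syslog lines and the cloud console-login audit record are constructed, the common field names (`time`, `src_ip`, `user`, `action`, `outcome`, `source`) are a generic schema chosen here rather than a vendor's, and the failure count and time window are assumptions. The rule fires once the failures seen by one source are followed by a success reported by a different one, which is the cross-source view that neither log gives on its own.

```python
"""SIEM-style normalization and correlation.

Added illustration, not vendor code. Raw inputs are constructed; the
common schema and the rule thresholds are assumptions made here.
"""
import json
import re
from collections import defaultdict

SSHD_RE = re.compile(
    r"^(?P<ts>\d+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed raw inputs: epoch-prefixed sshd lines and one cloud audit record.
RAW_SYSLOG = [
    f"{1700000000 + i * 5} sshd[4242]: Failed password for invalid user admin "
    f"from 198.51.100.23 port {5100 + i}"
    for i in range(6)
] + [
    "1700000040 sshd[4242]: Accepted password for deploy from 198.51.100.23 port 5110",
    "1700000050 sshd[4242]: Failed password for root from 203.0.113.4 port 6000",
]

RAW_CLOUD = [json.dumps({
    "eventTime": 1700000060, "eventName": "ConsoleLogin",
    "sourceIPAddress": "198.51.100.23",
    "userIdentity": {"userName": "deploy"},
    "responseElements": {"ConsoleLogin": "Success"},
})]


def normalize_syslog(line):
    """sshd auth line -> common schema, or None if it is not an auth event."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"time": int(m["ts"]), "src_ip": m["ip"], "user": m["user"],
            "action": "auth", "outcome": "success" if m["result"] == "Accepted" else "failure",
            "source": "sshd"}


def normalize_cloud(record):
    """Cloud console-login audit record -> common schema."""
    ev = json.loads(record)
    if ev.get("eventName") != "ConsoleLogin":
        return None
    ok = ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
    return {"time": ev["eventTime"], "src_ip": ev["sourceIPAddress"],
            "user": ev["userIdentity"]["userName"], "action": "auth",
            "outcome": "success" if ok else "failure", "source": "cloud_audit"}


def normalize_all(syslog_lines, cloud_records):
    """Aggregate both feeds into one time-ordered stream of normalized events."""
    events = [normalize_syslog(l) for l in syslog_lines] + [normalize_cloud(r) for r in cloud_records]
    return sorted((e for e in events if e), key=lambda e: e["time"])


def brute_force_then_success(events, min_failures=5, window=300):
    """Correlation rule: >= min_failures from one IP, then a success from that
    IP within `window` seconds, regardless of which source reported which."""
    failures = defaultdict(list)
    alerts = []
    for e in events:
        if e["action"] != "auth":
            continue
        if e["outcome"] == "failure":
            failures[e["src_ip"]].append(e["time"])
            continue
        recent = [t for t in failures[e["src_ip"]] if e["time"] - t <= window]
        if len(recent) >= min_failures:
            alerts.append({"src_ip": e["src_ip"], "user": e["user"], "failures": len(recent),
                           "success_source": e["source"], "time": e["time"]})
    return alerts
```

The second alert is the interesting one: the password spraying was only visible to sshd, the successful console login only to the cloud audit trail, and the SIEM is the one place both are normalized onto `src_ip` and `outcome` so the rule can join them.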
Obstacles
  • Getting a SIEM solution to perform well against detecting attacks requires dedication and sufficient staffing. Undermanaged SIEM solutions continue to plague many organizations.
  • SIEM budgets and resources are constrained, while the set of threats worth monitoring is effectively endless. Deciding what to monitor with the SIEM resources you have therefore comes down to deliberate trade-offs.
  • The complexity of operating a SIEM solution and all the dependencies required for TDIR performance is an obstacle for smaller organizations, which may choose to consider XDR solutions as an alternative.
  • SIEM architecture at large scale may require supplemental technologies that can add to the complexity and cost of the solution. This can cause increased buyer confusion or make justifying complete SIEM more challenging.
User Recommendations
  • Preplan what monitoring objectives best meet your organization’s security needs. Use those as design requirements to correctly identify important selection criteria such as analysis methods, performance, sizing and retention.
  • Incorporate a learning period of alerting to determine how best to operationalize detection and response, as planning operational support for alert pipeline management without knowing how many alerts and how much work is required can be difficult.
  • Ensure your cloud-based/native SIEM solution is aware of the underlying infrastructure which it monitors. A SIEM solution must understand the nuances of its native environment, such as AWS, GCP or Microsoft Azure.
Sample Vendors
Cisco (Splunk); Elastic; Exabeam (LogRhythm); Google; Gurucul; Microsoft; Rapid7; Securonix; Sumo Logic

Endpoint Detection and Response

Analysis By: Franz Hinner, Eric Grenier, Satarupa Patnaik
Benefit Rating: High
Market Penetration: More than 50% of target audience
Maturity: Mature mainstream
Definition:
Endpoint detection and response (EDR) tools monitor endpoints for unusual behavior and malicious activity to detect attacks that bypass preventive measures. EDR monitors system, process and user behavior using advanced analytics, machine learning and threat intelligence. It automates cleanup, detects suspicious events and streamlines incident response. In a defense-in-depth strategy, EDR uses AI, threat feeds and automation to limit damage and streamline operations against emerging attacks.
Why This Is Important
  • EDR delivers continuous visibility and deep post-incident analysis, crucial when advanced threats bypass traditional defenses.
  • AI-driven analytics and integrated threat intelligence reduce analyst workload and enable faster, more confident threat detection and response.
  • Modern EDR delivers greater business resilience by minimizing disruption and accelerating recovery from attacks.
  • Broad integration with SIEM, XDR and zero-trust frameworks ensures comprehensive protection across cloud, mobile and IoT environments, extending security coverage and supporting managed detection and response services.
Business Impact
  • AI-driven, proactive detection and automated response minimize damage and data loss from advanced threats, including ransomware and zero-days.
  • Automation, real-time analytics and integrated threat intelligence accelerate response, reducing downtime, costs and disruption.
  • EDR supports compliance with regulations like GDPR, CCPA, HIPAA and cyber insurance mandates via continuous monitoring and reporting.
  • EDR reduces mean time to detect and respond to threats, secures remote and hybrid workforces and is essential for protecting sensitive data and ensuring compliance in finance, healthcare and manufacturing.
Drivers
  • Evolving threats: Sophisticated attacks like zero-day exploits, ransomware and advanced persistent threats (APTs) increasingly bypass traditional prevention, driving demand for modern EDR with AI-driven analytics, threat intelligence and automated response.
  • Hybrid work: The shift to hybrid work creates a diverse and complex threat landscape, requiring EDR solutions with cloud-native architectures, centralized management and real-time monitoring across distributed endpoints and networks.
  • Identity-based attacks: The rise in credential theft and identity-focused threats makes integration with identity threat detection and response (ITDR) essential for unified detection, risk scoring and automated remediation of endpoint and identity attacks.
  • Rapid incident response: Organizations need EDR to automate containment, remediation and forensic analysis, enabling real-time isolation of compromised endpoints and minimizing operational disruption.
  • Composable security: EDR’s ability to integrate with SIEM, SOAR, IAM and firewalls enables unified visibility, orchestrated response and alignment with zero-trust and XDR strategies for adaptive, coordinated defense.
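Process-behaviour monitoring and the automated containment decision from the drivers above, as an added illustration in Python that is not any EDR vendor's logic. The process-creation events are constructed, and the parent/child pairs and encoded-command pattern form a small assumed rule set. The detail worth noting is that Office ancestry is checked over the whole process lineage rather than the direct parent, so an intermediate `cmd.exe` does not hide a macro-launched PowerShell.

```python
"""EDR-style behavioural detection on process-creation telemetry.

Added illustration, not vendor code. Events are constructed; the rule
set (suspicious parents, interpreters, encoded-command pattern) is assumed.
"""
import re

OFFICE = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# -e / -enc / -EncodedCommand followed by a base64 blob of meaningful length.
ENCODED = re.compile(r"(?i)(?:^|\s)-(?:e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")

# Constructed process-creation events (pid, ppid, image, cmdline).
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "winword.exe",    "cmdline": "winword.exe invoice.docm"},
    {"pid": 300, "ppid": 200, "image": "cmd.exe",        "cmdline": "cmd.exe /c start powershell"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + "A" * 40},
    {"pid": 500, "ppid": 100, "image": "powershell.exe", "cmdline": "powershell.exe Get-Date"},
]


def lineage(events, pid):
    """Walk ppid links to the root; returns image names from `pid` upward."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain


def evaluate(events):
    """Return (pid, rule) findings for interpreter processes."""
    findings = []
    for e in events:
        if e["image"].lower() not in INTERPRETERS:
            continue
        ancestors = {a.lower() for a in lineage(events, e["ppid"])}
        if ancestors & OFFICE:
            findings.append((e["pid"], "office_spawned_interpreter"))
        if ENCODED.search(e["cmdline"]):
            findings.append((e["pid"], "encoded_command"))
    return findings


def response(findings, isolate_on=("office_spawned_interpreter",)):
    """Automated containment decision: isolate the host when a rule deemed
    high-confidence fired; otherwise raise an alert for analyst triage."""
    rules = {r for _, r in findings}
    if rules & set(isolate_on):
        return "isolate_host"
    return "alert_only" if findings else "none"
```

The interactive `powershell.exe Get-Date` launched from Explorer produces nothing, which is the false-positive control that makes automated isolation defensible: the rule keys on lineage and command-line shape, not on the interpreter's mere presence.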
Obstacles
  • Security skills gap: Leveraging EDR requires practical, hands-on expertise in threat hunting and incident response. Organizations increasingly prioritize skill-based hiring and upskilling existing IT staff through certifications and hands-on labs, as the global cybersecurity skills gap widens and AI proficiency becomes essential for combating evolving threats.
  • Cloud workload integration: Cloud-native and containerized environments present unique attack vectors and operational models that traditional EDR agents struggle to address. Modern EDR solutions must offer both agent-based and agentless options, integrate with APIs and support dynamic workloads to ensure effective protection and visibility across IaaS, PaaS and SaaS environments.
  • Multiplatform support: Achieving consistent EDR protection and feature parity across diverse platforms — including Linux, macOS, Windows, mobile OSs and virtualized environments — remains a challenge. Leading vendors now offer platform-specific solutions, lightweight agents and managed detection and response (MDR) to improve coverage, but gaps persist, especially for Linux and containerized workloads.
User Recommendations
  • Prioritize EDR solutions with lightweight, unified agents and a centralized management console for rapid deployment and minimal performance impact across endpoints, servers, ephemeral workloads and cloud environments.
  • Select EDR with prebuilt and customizable automation playbooks for detection, triage and response, leveraging SOAR integration to streamline operations and reduce analyst workload.
  • Upskill teams with EDR training, certifications and hands-on labs, or use managed detection and response (MDR) services to bridge talent gaps and maximize EDR value.
  • Integrate EDR with unified threat detection and incident response platforms — such as SIEM, SOAR and TDIR/XDR — to enhance visibility, automate workflows and strengthen your organization’s overall security posture.
Sample Vendors
CrowdStrike; Microsoft; Palo Alto Networks; SentinelOne; Sophos; Trend Micro

Appendixes


See the previous Hype Cycle: Hype Cycle for Security Operations, 2024.

Hype Cycle Phases, Benefit Ratings and Maturity Levels

Hype Cycle Phases

Innovation Trigger: A breakthrough, public demonstration, product launch or other event generates significant media and industry interest.
Peak of Inflated Expectations: During this phase of overenthusiasm and unrealistic projections, a flurry of well-publicized activity by technology leaders results in some successes, but more failures, as the innovation is pushed to its limits. The only enterprises making money are conference organizers and content publishers.
Trough of Disillusionment: Because the innovation does not live up to its overinflated expectations, it rapidly becomes unfashionable. Media interest wanes, except for a few cautionary tales.
Slope of Enlightenment: Focused experimentation and solid hard work by an increasingly diverse range of organizations lead to a true understanding of the innovation’s applicability, risks and benefits. Commercial off-the-shelf methodologies and tools ease the development process.
Plateau of Productivity: The real-world benefits of the innovation are demonstrated and accepted. Tools and methodologies are increasingly stable as they enter their second and third generations. Growing numbers of organizations feel comfortable with the reduced level of risk; the rapid growth phase of adoption begins. Approximately 20% of the technology’s target audience has adopted or is adopting the technology as it enters this phase.
Years to Mainstream Adoption: The time required for the innovation to reach the Plateau of Productivity.
Source: Gartner (June 2025)

Benefit Ratings

Transformational: Enables new ways of doing business across industries that will result in major shifts in industry dynamics.
High: Enables new ways of performing horizontal or vertical processes that will result in significantly increased revenue or cost savings for an enterprise.
Moderate: Provides incremental improvements to established processes that will result in increased revenue or cost savings for an enterprise.
Low: Slightly improves processes (for example, improved user experience) that will be difficult to translate into increased revenue or cost savings.
Source: Gartner (June 2025)

Maturity Levels

Each maturity level is described by its status and by the state of its products and vendors.

Embryonic. Status: in labs. Products/vendors: none.
Emerging. Status: commercialization by vendors; pilots and deployments by industry leaders. Products/vendors: first generation; high price; much customization.
Adolescent. Status: maturing technology capabilities and process understanding; uptake beyond early adopters. Products/vendors: second generation; less customization.
Early mainstream. Status: proven technology; vendors, technology and adoption rapidly evolving. Products/vendors: third generation; more out-of-box methodologies.
Mature mainstream. Status: robust technology; not much evolution in vendors or technology. Products/vendors: several dominant vendors.
Legacy. Status: not appropriate for new developments; cost of migration constrains replacement. Products/vendors: maintenance revenue focus.
Obsolete. Status: rarely used. Products/vendors: used/resale market only.
Source: Gartner (June 2025)

Acronym Key and Glossary Terms


AEV: adversarial exposure validation
AI: artificial intelligence
ASCA: automated security control assessment
CAASM: cyber asset attack surface management
CIRM: cybersecurity incident response management
CPS: cyber-physical systems
CTEM: continuous threat exposure management
DFIR: digital forensics and incident response
DRPS: digital risk protection services
EAP: exposure assessment platform
EASM: external attack surface management
EDR: endpoint detection and response
EMEA: Europe, the Middle East and Africa
GenAI: generative artificial intelligence
MDR: managed detection and response
NDR: network detection and response
OCSF: Open Cybersecurity Schema Framework
OT: operational technology
PTaaS: penetration testing as a service
SecOps: security operations
SIEM: security information and event management
SOAR: security orchestration, automation and response
SOC: security operations center
TDIR: threat detection, investigation and response
TEM: threat exposure management
TI: threat intelligence
XDR: extended detection and response

Evidence


2025 Gartner Cybersecurity Innovations in AI Risk Management and Use Survey. This survey was conducted to understand how organizations are managing the cybersecurity risks of generative AI (GenAI) and the AI techniques that support it. The research was conducted online from 21 March 2025 through 9 May 2025 among 302 cybersecurity leaders in the North America (n = 181), EMEA (n = 71) and Asia/Pacific (n = 50) regions. Qualifying organizations reported enterprisewide revenue of at least $250 million (or equivalent) for fiscal year 2024, and respondents were senior cybersecurity management involved in activities related to AI cybersecurity risk management within their organization.
Disclaimer: The results of this survey do not represent global findings or the market as a whole, but reflect the sentiments of the respondents and companies surveyed.