KPMG Climbs, ThreatConnect Falls in Latest Cyber Risk Quantification Forrester Wave

Safe Security and Axio remained atop Forrester’s cyber risk quantification rankings, with KPMG climbing onto the leaderboard and ThreatConnect falling off the leaderboard.
Cyber risk quantification tools have moved past basic risk modeling to automate recommendations, analyze trends and orchestrate insights across systems, said Forrester Senior Analyst Cody Scott. Rather than relying on analysts to manually enter data and derive insights, modern CRQ platforms now automatically generate remediation strategies, trend analyses and cross-functional orchestration, Scott said.
“These tools have leaned extensively into automation, which in 2023 was more of a highly desired but nice-to-have feature, and now it's the standard,” Scott told Information Security Media Group.
Scott said CRQ tools have begun to replace traditional GRC platforms in many companies since outputs from the latter are often compliance-driven and rarely evolve into strategic decision-making tools. CRQ tools, on the other hand, offer real-time control analytics, automated risk monitoring and decision-making support grounded in measurable financial impact, which Scott said enables smarter investments.
“These CRQ tools are coming in with continuous monitoring capability, continuous risk evaluation and the financially quantified view that are completely upsetting what GRC has done for organizations, because it's becoming actual risk management, not the notion of risk being managed,” Scott said.
Legacy approaches to third-party risk management rely on vague, subjective scores to evaluate vendors. CRQ tools are replacing these with quantifiable financial models that assess potential losses more objectively, he said, and cyber insurers are starting to use CRQ tools to underwrite policies more precisely, shifting away from broad risk categories to scenario-based, financially quantified evaluation (see: RiskLens, Axio Lead Cyber Risk Quantification Forrester Wave).
“CRQ has stepped in to say, ‘Look, we’re not going to sit here and debate on the credibility of different scores that different vendors are going to put out there publicly about your company,'” Scott said. “‘Let’s actually focus on what you stand to lose, and let’s just root this in dollars and cents so we can give you a more objective view based on the same insights that doesn't boil down to a very subjective score.'”
How Do CRQ Leaders Stand Apart From the Pack?
Leading CRQ platforms integrate generative AI and AI agents to help analysts perform assessments and interpret complex risk scenarios more intuitively, Scott said. They designed interfaces and workflows that guide users through assessments and simplify communication with stakeholders, especially non-technical ones. And they address a broad range of use cases from cyber insurance to AI governance.
“‘Do I feel confident presenting financially quantified cyber risk results to non-technical folks in a way that even I understand and feel confident explaining?'” Scott asked. “That's super hard to do, but Axio and KPMG are examples of companies who’ve done this to such an extreme degree that’s so helpful that actually eliminates that hurdle, because it is one of the biggest barriers to CRQ implementation.”
As CRQ capabilities become embedded across cybersecurity, standalone vendors will face consolidation. By 2027, the core function of CRQ – modeling and quantifying cyber risk – will be fully automated. Users will no longer need to manually estimate losses or threat probabilities. Instead, AI agents will deliver risk assessments on demand, drawing from real-time data, historical losses, and organization-specific inputs.
“The whole idea of going in and having to model risk – that's going to completely go away,” Scott said. “It will just be, ‘What’s my risk?’ And the tool is going to be set up in such a way to be able to answer those questions rapidly. That capability is already starting to come to play, but it will become the norm by 2027 for sure.”
From a strategy perspective, Forrester once again gave Safe Security the gold, with KPMG climbing from sixth in 2023 to second this year, Balbix improving from fourth to third, and Axio falling from second to fourth. As far as the offering is concerned, Safe improved from second to first, Axio jumped from third in 2023 to second in 2025, KPMG climbed from fourth to third, and ThreatConnect plummeted from first to fourth.
Outside of the leaders, here is how Forrester sees the cyber risk quantification market:
- Strong Performers: Balbix, ThreatConnect, CYE;
- Contenders: X-Analytics, Zscaler, Kovrr, Mastercard.
Safe Brings Automation, Agentic AI, Real-Time Telemetry
Safe Security prioritized automating the data intake process by integrating telemetry from a wide variety of cybersecurity tools, which co-founder and CEO Saket Modi said helps the company ingest and analyze real-time security data from client environments. Safe also developed agentic generative AI systems designed not just to detect risk, but also to recommend and even execute remedial actions.
Unlike traditional cybersecurity vendors that only have access to their own product data, Modi said Safe aggregates and harmonizes data across a client’s security stack, which is processed through frameworks including FAIR and MITRE ATT&CK to deliver accurate, scenario-based risk modeling. Instead of periodic or static assessments, Safe offers continuous, real-time updates to its risk models as new data flows in (see: Safe Security Buys Cyber Risk Quantification Vendor RiskLens).
“We have all of that data coming in, and then we massage that data using open standards like FAIR and MITRE ATT&CK to do scenario mapping and then produce what the chance of the scenarios is,” Modi told ISMG. “So, there’s the complexity of bringing all of that data together and that in a continuous way, in a real-time way, and then changing your risk scenario based on that.”
Forrester said Safe customers want improvements in asset and exposure tagging at scale and a better way to export and format data after performing custom queries. Modi explained that Safe has adopted a modern, generative AI-driven approach to reporting, which might be unfamiliar to some users. Instead of traditional static dashboards, users generate customized reports by interacting with AI agents.
“We use GenAI agents where you go and say, ‘Hey, I am looking for this, this, this, this,’ then you have to tweak that query that you’re talking and based on that, you get a particular PDF report,” Modi said.
Axio Pursues Ease of Implementation, Customizable Insights
Axio reengineered the CRQ onboarding process into a lightweight experience so that users can engage with the platform in just 5 minutes and begin deriving valuable insights, said CEO Scott Kannry. The company addressed the “signal-to-noise” problem by processing huge datasets to recommend the most impactful next steps, helping organizations move from passive insight to proactive improvement.
Rather than providing one-size-fits-all data, Kannry said Axio’s platform adjusts models based on the unique attributes of the client organization. This ensures the loss estimates and threat scenarios provided are directly applicable, increasing their credibility and usefulness. For clients, this personalization translates into more accurate risk forecasting and better-informed decision-making, he said (see: Re-Defining Banking’s Distinctive Cyber Risk).
“Historically speaking, the process to implement has been arduous, grueling, months-long,” Kannry told ISMG. “And as a result of that, most people have said, ‘Despite the benefits, I just do not have the effort and time to commit to it, so sorry.’ We have really, really changed that in terms of very lightweight, wizardized implementation scheme where a company and a user can get started in 5 minutes.”
Forrester criticized Axio for limited threat and vulnerability intelligence capabilities and for taking too long to build and roll out new features. Kannry said Axio has launched 38 new features in the past year and continues to invest heavily in its product road map. Kannry said Axio’s platform is technically capable of incorporating threat intelligence data and plans to include those capabilities in the future.
“We have prioritized the things that I’ve talked about, instead of either building up or wiring in some sort of a threat and vulnerability capability,” Kannry said. “So, that’ll be coming. We have just taken a different approach to innovation. It isn’t that we can't do it. We just have done it a different way so far.”
KPMG Excels with Intuitive Interface, Taking up Risk Management
Forrester said KPMG’s vision of making CRQ more accurate, accessible and actionable at scale reflects its deep understanding of modern risk management challenges, and it excels at providing sophisticated onboarding and guided support. KPMG’s highly intuitive interface and in-depth in-product guidance help technical and nontechnical users conduct risk analyses from start to finish, according to Forrester.
But KPMG needs to broaden its support for integrations and automations, and its cyber insurance evaluation offering, to meet customers’ needs, according to Forrester. Improving KPMG’s supporting services will help customers with more targeted security evaluation needs, and Forrester pointed out that generated files aren’t as polished as the on-screen view when extracting a report.
A spokesperson told ISMG that KPMG executives weren’t available for additional comment.