Last week, March 14, Forrester presented a new report about the Vulnerability Risk Management (VRM) market. You can purchase it on the official site for $2495 USD or get a free reprint on the Rapid7 site. Thanks, Rapid7! I've read it and want to share my impressions.
I was most surprised by the leaders of the "wave". OK, Rapid7 and Qualys, but BeyondTrust and NopSec? That's unusual, as is seeing Tenable out of the leaders.
The second thing is the set of products. We can see there traditional Vulnerability Management/Scanner vendors, vendors that do offline analysis of configuration files, and vendors who analyse imported raw vulnerability scan data. In other words, these are barely comparable products and vendors.
The main point of the report is that modern VRM solutions should not only detect vulnerabilities, but also have capabilities in
Well, for me it's awesome if a product has all these advanced features. But still, the most important thing for me is how the product detects vulnerabilities, because without detected vulnerabilities the other functionality is just useless. And if you set the existence of such features as evaluation criteria, the solution with the best knowledge base and the most effective vulnerability checks, but without additional functionality, will be an outsider. I also didn't like that the "Vulnerability Enumeration" criterion has such a low weight.
So, Forrester used 22 criteria to evaluate 12 vendors:
Why only these vendors? Vendors needed to have more than 300 enterprise customers, to be well-known among Forrester clients, and to have integrations with different Threat Intelligence sources (well, the last one is, imho, controversial). Forrester used vendor surveys, product demos and customer reference calls as information sources.
You can see the result in the picture above. Vendors with the strongest current offering and strategy are located in the upper left corner. A vendor with bigger market presence has a bigger circle marker.
To my taste, the product descriptions are high-level and chaotic. They sometimes look like the vendor's marketing material, sometimes like a personal opinion. I prefer Gartner's style with detailed pros and cons.
It's great that Forrester makes reports on this topic. But the set of products, criteria, weights, marks and product descriptions are pretty controversial. This report can be used as a list of relevant products, but I would not recommend making final decisions based on this comparison.