The future of Vulnerability Management
Current market update and where it's headed tomorrow | Reading time: 2 minutes
What is the Vulnerability Management market?
First, it’s important to define, at a high level, what the Vulnerability Management (VM) market is and is not.
The VM market is a mature slice of the overall cybersecurity industry where the tools identify, discover, and report on device, OS, and software vulnerabilities against security-related criteria.
A common misconception is that any security tool that produces or consumes vulnerability data is, or should be, included in the VM market. That is not the case. For example, security tools that consume, aggregate and normalize vulnerability data to ease remediation are classified into their own separate market categories called Risk-Based Vulnerability Management (RBVM) or Application Vulnerability Correlation (AVC) depending on the type of vulnerability data that is consumed. Similarly, security tools designed for identifying vulnerabilities in application source code and binaries are categorized in the Application Security market which includes subcategories for Static Application Security Testing (SAST) tools, Software Composition Analysis (SCA) tools, etc…
Market landscape
As of June 2023, there are 15 vendors/tools in the VM market:
(3) largest global VM vendors: Tenable, Qualys & Rapid7
(5) European Union-focused vendors: Outpost24, Holm Security, With Secure, EdgeScan & Greenbone
(2) open source VM projects: OpenVAS & Vuls
(5) Endpoint Protection Platform (EPP) vendors added VM capabilities: Microsoft, CrowdStrike, Tanium, ManageEngine & Secpod
Note: Security services vendors who offer managed vulnerability management as a service such as Optiv, Secureworks, AT&T Cybersecurity, etc… are intentionally excluded from the above list.
VM vendors are continuing to evolve
Over the past few years, VM vendors have added additional capabilities beyond core vulnerability management primarily driven by:
Need for more revenue and increased growth (e.g., increasing their TAM)
Support for modern environments such as cloud, containers & Infrastructure as Code (IaC)
Support for additional attack surfaces, which has brought in Entitlement Security & Attack Surface Management capabilities
Overload of discovered vulnerabilities, which has driven the addition of Risk-Based Vulnerability Management (RBVM) capabilities
Large VM vendors are leveraging M&A to boost growth
VM vendors have been acquiring new technologies since 2009 in an effort to broaden their product offerings, expand their TAM and increase their growth beyond core vulnerability management. And this trend of acquiring complementary technologies has only increased in the last few years. The chart above represents acquisitions by the largest VM vendors (Tenable, Qualys, Rapid7) since 2018.
VM market predictions
Some of the predictions below may seem obvious based on current market trends, while others may be uncertain possibilities.
I’m curious what you think. Are there any points about the VM market that I may have missed? If so, leave a comment down below with your thoughts or predictions.
Great article. You missed including SecOps Solution https://secopsolution.com which has its own vulnerability scanner. Would be great to include that too.
Nice article - though you omitted specialised solutions like ours (StorageGuard by Continuity Software) in the storage and backup (security misconfiguration and vulnerability) space - a gap in existing OS & Network focussed tools (not running authenticated scans on the above systems).