Cybersecurity threat scores platforms (CRRPs) is a market with a fame that precedes it. Of all of the markets I’ve lined in my varied roles at Forrester, nothing will get CISOs’ blood strain up as a lot as this one does. Procurement leaders and cyber insurers haven’t helped, and used cyber scores as a due diligence stick to permit beatings to proceed till scores enhance. Regardless of all of this, the CRRP market is really at an inflection level, with the conclusion that there’s worth within the information collected to provide scores, not simply the scores themselves. Nonetheless, this may solely occur if the market can transfer from static scorecards to driving remediation actions that demonstrably cut back threat. This week, I launched our newest analysis on the Cybersecurity Danger Scores Platforms Panorama, This fall 2025 (Forrester shoppers solely) with the next observations:
- The CRRP market is at a fork within the street. Seventy-eight p.c of enterprise threat professionals have applied cybersecurity threat scores platforms inside their enterprise. Excessive adoption indicators market saturation, and most suppliers are responding by advertising and marketing themselves as something however a cyber scores platform. In flip, this saturation indicators that the market goes to evolve in a dramatic approach over the following 3-5 years. The suppliers have alternative: keep on the yellow brick street, or break from the trail that bought them to the place they’re as we speak. Most are evolving to ship actionable insights, automate workflows, and coordinate remediation; steps that more and more place them to compete in adjoining markets like third-party threat and exterior assault floor administration.
- S&R leaders will expertise a seismic shift in how they devour CRR. CRR platforms are shifting to embed cyber threat intelligence into broader cyber threat administration workflows. As cyber threat scores develop into commoditized, safety and threat leaders might want to rethink their shopping for patterns over the following few years, and can:
- Devour scores information through third social gathering threat administration (TPRM) and exterior assault floor administration (EASM) platforms, as they’re the 2 use circumstances most enterprises use CRR platforms for;
- Have extra reasonably priced and prepared entry to steady monitoring, pushed by buyer demand and technological development; and
- Work with bigger gamers, as smaller companies wrestle to be heard, and the continued acquisitions and exits to adjoining markets (primarily TPRM and EASM).
Forrester shoppers can learn the full report right here to get additional insights into how this market will develop upfront of the upcoming Forrester Wave which follows this report in Q2 2026. I’m additionally joyful to speak to shoppers in a steerage session or inquiry to debate extra.
