Cybersecurity risk ratings platforms (CRRPs) represent a market with a reputation that precedes it. Of all the markets I’ve covered in my various roles at Forrester, none raises CISOs’ blood pressure quite like this one. Procurement leaders and cyber insurers haven’t helped, with cyber ratings often used as a due diligence stick — allowing beatings to continue until ratings improve. Despite all of this, the CRRP market is truly at an inflection point, with the realization that there’s value in the data collected to produce ratings, not just the ratings themselves. But this will only happen if the market can move from static scorecards to driving remediation actions that demonstrably reduce risk. This week, I released our latest research — The Cybersecurity Risk Ratings Platforms Landscape, Q4 2025 (Forrester clients only) — with the following observations:

  • The CRRP market is at a fork in the road. Seventy-eight percent of enterprise risk professionals have implemented CRRPs. High adoption signals market saturation, and most providers are responding by marketing themselves as anything but a CRRP. In turn, this saturation signals that the market is going to evolve in a dramatic way over the next 3–5 years. Providers have a choice: Stay on the yellow brick road, or break from the path that got them to where they are today. Most are evolving to deliver actionable insights, automate workflows, and coordinate remediation — steps that increasingly position them to compete in adjacent markets such as third-party risk management (TPRM) and external attack surface management (EASM).
  • Security and risk leaders will experience a seismic shift in how they consume cyber risk ratings. CRRPs are shifting to embed cyber risk intelligence into broader cyber risk management workflows. As cyber risk ratings become commoditized, security and risk leaders will need to rethink their buying patterns over the next few years. In addition, they’ll:
    1. Consume ratings data via TPRM and EASM platforms — the two primary enterprise use cases for CRRPs.
    2. Gain more affordable access to continuous monitoring, driven by customer demand and technological advancement.
    3. Work with larger players as smaller firms struggle to be heard amid ongoing acquisitions and exits to adjacent markets (primarily TPRM and EASM).

Forrester clients can read the full report here to get further insights into how this market will develop in advance of an upcoming Forrester Wave™ that will follow this report in Q2 2026. I’m also happy to discuss this further with clients in a guidance session or inquiry.