Announcing The Forrester Wave™: Cyber Risk Quantification Solutions, Q2 2025
Cyber risk quantification (CRQ) solutions are on a mission to transform security and risk operations. The goal: a future where risk is measurable, actionable, and tightly integrated into business strategy. Some solutions emphasize picking up where legacy governance, risk, and compliance (GRC) implementations fall short and provide data-driven risk reporting, continuous monitoring, and third-party risk assessment. Others emphasize improving tactical cyber risk operations such as exposure management, threat modeling, and risk-informed remediation. Increasingly, CRQ solutions are extending across both dimensions — marking a new era of cyber risk management technologies.
What’s Changed Since Our Earlier CRQ Evaluation?
Overall, CRQ solutions today look very different from those of two years ago, and they cover entirely new territory compared with when they were first introduced. Not only do they address more use cases than before, but more vendors have also entered the market. Key highlights include:
- CRQ is about managing risk, not just quantifying it. While the category title emphasizes “quantification,” this is expressly done to differentiate CRQ’s analytical approach from traditional, qualitative methods that unfortunately dominate GRC and security disciplines. Quantification becomes the engine to normalize risk data, prioritize actions, and enable trade-off decisions. Several vendors have expanded into adjacent markets and now offer CRQ-powered capability for vulnerability and exposure management, threat intelligence, third-party risk, cyber insurance, application security, control monitoring, and compliance assessments.
- Intelligence and integrations lower CRQ’s level of effort. CRQ critics point to the methodology and proclaim that risk is either too complex to model (it’s not) or requires too much data to trust the outputs (it doesn’t). Vendors have invested in commercial and public risk data, augmenting these insights with tailored benchmarks to provide defensible outputs out of the box to get practitioners started. Integrations across common security tools add precision by better enumerating the attack surface and continuously monitoring changes.
- Third-party risk management (TPRM) is one of CRQ’s fastest-growing use cases. Despite being a top cause of breach, third-party risk often gets the short end of the stick due to competing risk priorities. CRQ vendors are increasingly providing dedicated TPRM offerings to counter this problem by quantifying exposure to and from third parties. Differentiated vendors also provide the ability to streamline third-party questionnaire assessments, either natively or through integrations.
- Buyers favor CRQ approaches aligned to industry standards. Differentiated vendors evade the “black box” perception by demonstrating transparent CRQ methodologies and detail-rich user experiences. Most vendors (seven out of 10) in our assessment base their CRQ models on recognized standards — most commonly FAIR — while three use proprietary models. Buyers will occasionally see vendors criticize FAIR, but keep in mind that this is usually a marketing move against other vendors that use FAIR rather than true faults in the FAIR methodology itself.
Modern CRQ Solutions Stand On Three Pillars
CRQ solutions differentiate themselves in three key capabilities: analytics, insights, and automation.
- Analytics power proactive defense. CRQ leverages advanced analytics for risk forecasting, predictive modeling, and scenario analysis, making it possible to anticipate threats before they materialize.
- Insights connect risk to business value. By translating technical risk into real-time contextualized business impact, CRQ platforms empower leaders to understand loss scenarios and make informed decisions that matter to the bottom line.
- Automation drives efficiency and scale. Seamless API integrations, automated data ingestion, and continuous control monitoring mean that organizations can keep pace with operational changes and regulatory demands without manual overhead.
The Forrester Wave™: Cyber Risk Quantification Solutions, Q2 2025, is now live! Clients can use this report for more insights on the market and the 10 vendors that matter most. Tailor the evaluation to your own needs by using the “Compare vendors” button on the web page. And schedule an inquiry or guidance session with me for additional insights.