Cyber Risk Ratings Fade Out; Actionable Intelligence Takes The Spotlight
In musical notation, “al niente” means fading until sound is barely perceptible, usually to end a significant piece of music such as the ending of Tchaikovsky’s reflective and somber sixth symphony. And that is how the cybersecurity risk ratings market is likely to proceed over the coming months. Ratings will not fade away to nothing overnight, but their influence will diminish as the intelligence that drives risk reduction becomes the primary source of value for vendors and users alike.
In 2021, when I last authored a Forrester Wave™ covering cyber risk ratings, I said that this market wasn’t ready for enterprise prime time. While these platforms provided plenty of data and some insight, they lacked the ability to translate those signals into action.
With the publication of The Forrester Wave™: Cybersecurity Risk Ratings Platforms, Q2 2026 this week, that limitation became indisputably clear. Reference customers I spoke to, along with vendors themselves, are now looking beyond ratings as an outcome. Instead, they are focused on how the data they’ve been using can drive actual risk reduction.
As this evolution continues to refocus the cybersecurity risk ratings market, the 2026 evaluation reveals that:
- Third-party cybersecurity risk management is the dominant future use case. Vendors have visions dominated by their role in providing insight and orchestrating action for third-party risk management programs. Platforms are being redesigned to be fully fledged third-party risk management solutions for cybersecurity audiences. Relative to prior iterations of this evaluation, many reference customers already use cybersecurity risk ratings for this use case and far less for monitoring their own enterprise footprint.
- AI’s potential has yet to be fully exploited. Most firms in the market were able to show the types of AI-enabled document analysis, issue summarization, and resolution suggestions that have become standard in the broader third-party risk management market. But the prospect of chaining AI agents together to execute entire processes, a key requirement for agentic workflows, remains a roadmap aspiration for now. Only a few vendors demonstrated the use of AI agents to take these critical execution actions within their third-party risk programs. Using AI agents to perform actions such as testing findings resolution, executing commands to delve further into data, and driving issue creation in workflow tools remains a rarity. While a lot of practitioners’ work is being automated, the automation has not yet delivered on actionable intelligence aspirations.
- Threat intelligence depth is the key differentiator for future success. As we say in our proactive security research, being able to use the data to drive prioritization is fundamental to using these solutions successfully. Scanning external infrastructure can only tell you so much. Significant threat intelligence depth is required in addition to this data to help you pinpoint the issues you need to prioritize. This is especially the case when you have limited resources. Vendors that demonstrate depth in threat intelligence will be uniquely positioned to bridge the gap between generally siloed security operations center teams, vulnerability management teams, and governance, risk, and compliance and third-party risk professionals, helping them communicate effectively about the risks that really matter.
I will be writing about this market evolution over the coming months. For now, Forrester clients can read the Wave here. Customers wishing to discuss the implications of the evolution of this market category and how it impacts the current design of their third-party risk programs can schedule a guidance session or inquiry with me.