Cyber Risk Ratings Fade Out; Actionable Intelligence Takes The Spotlight
In musical notation, “al niente” means fading until sound is barely perceptible, usually to end a significant piece of music, such as the ending of Tchaikovsky’s reflective and somber 6th Symphony. And that is how the Cybersecurity Risk Ratings market is likely to proceed over the coming months. Ratings will not fade away to nothing overnight, but their influence will diminish as the intelligence that drives risk reduction becomes the primary source of value for vendors and users alike.
In 2021, when I last authored a Cyber Risk Ratings Wave™, I said this market wasn’t ready for enterprise primetime. While these platforms provided plenty of data and some insight, they lacked the ability to translate those signals into action.
With the publication of The Forrester Wave™: Cybersecurity Risk Ratings Platforms, Q2 2026 this week, that limitation became indisputably clear. Reference customers I spoke to, along with vendors themselves, are now looking beyond ratings-as-an-outcome. Instead, they are focused on how the data they’ve been using can drive actual risk reduction.
As this evolution continues to refocus the cybersecurity risk ratings market, the 2026 evaluation revealed that:
- Third-party cybersecurity risk management is the dominant future use case. Vendors have visions dominated by their role in providing insight and orchestrating action for third-party risk management programs. Platforms are being redesigned to be fully fledged third-party risk management solutions for cybersecurity audiences. Relative to prior iterations of this evaluation, many reference customers already use cybersecurity risk ratings for this use case, and far less for monitoring their own enterprise footprint.
- AI’s potential has yet to be fully exploited. Most firms in the market were able to show the types of AI-enabled document analysis, issue summarization and resolution suggestions that have become standard in the broader Third-Party Risk Management market. However, the prospect of chaining AI agents together to execute entire processes, a key requirement to enable agentic workflow, remains a roadmap aspiration for now. Only a few vendors demonstrated the use of AI agents to take these critical execution actions within their third-party risk programs. Using AI agents to perform actions such as testing findings resolution, executing commands to delve further into data and driving issue creation in workflow tools remains a rarity. While a lot of practitioners’ work is being automated, the automation has not yet delivered on the actionable intelligence aspirations.
- Threat intelligence depth is the key differentiator for future success. As we say in our proactive security research, being able to use the data to drive prioritization is fundamental to using these solutions successfully. Scanning external infrastructure can only tell you so much. Significant threat intelligence depth is required in addition to this data to help you pinpoint the issues you need to prioritize. This is especially the case when you have limited resources. Vendors who demonstrate depth in threat intelligence will be uniquely positioned to bridge the gap between the generally siloed SOC teams, vulnerability management teams and GRC and third-party risk professionals, helping them communicate effectively about the risks that really matter.
I will be writing about this market evolution over the coming months. For now, Forrester clients can read the Wave here. Customers wishing to discuss the implications of the evolution of this market category and how it impacts the current design of their third-party risk programs can schedule a guidance session or inquiry with me.