Last year, we released our inaugural Forrester Wave™ on Attack Surface Management (ASM) Solutions. The ASM Wave primarily focused on visibility – the first of the three principles of proactive security. ASM’s visibility is achieved through external asset discovery and ingestion of third-party information regarding asset attributes, and both features are becoming increasingly commoditized. Yet the ubiquity of visibility options cannot alone solve proactive security. Once organizations have a comprehensive asset inventory – what are they supposed to do about it?  

Its Time To Stop Fragmenting Proactive Security   

Based on the three principles of proactive security, organizations need visibility to assess and then prioritize the breadth of their exposures (e.g. threat informed weaknesses across various asset types). This exposure prioritization is typically found in exposure management, or exposure assessment, platforms.  

But relying solely on assessments alone creates the same problem as relying solely on visibility. Organizations still need to remediate weaknesses. Just as stand-alone ASM solutions did not adequately address the other proactive principles, many exposure management solutions did not adequately address remediation. Currently, the best remediation capabilities exist in Unified Vulnerability Management (UVM) solutions.  

ASM is A Feature, No longer a Market  

The market has responded. Since our 2024 Attack Surface Management Solutions Wave, many vendors have rebranded their proactive security offerings into Exposure Management Including CyCognito and Trend Micro. Axonius has gone so far as to declare ASM dead 

ASM is still an important feature, but. it is dead as a standalone market because ASM doesn’t address all 3 proactive security principles. ASM’s value is as part of a proactive security strategy since asset discovery and hardening are prerequisites to exposure management and residual risk calculation. Organizations need to use visibility sources as their source of exposure prioritization.   

Announcing Proactive Security Platform Research 

Today, security leaders s need solutions that provide fulfillment of all three proactive security principles. ASM remains a feature in proactive security platforms, but has also spread into other solutions, like cloud security and threat intelligence.. Exposure management offers novel prioritization strategies. UVM augments remediation processes. To complete proactive security Forrester will now cover the ASM, Exposure Management, and UVM markets as Proactive Security Platforms. Forrester defines Proactive Security Platforms as:

A platform that consolidates assets and exposures with an organizational perspective, prioritizes optimal remediations, and augments and orchestrates remediation processes. 

This change in taxonomy is future proof. You will always need proactive security. This allows us to evaluate these solutions as they evolve from Solution centric to Platform centric, being offered from a variety of different types of platform providers. Even with future marketing and buzz word shifts, there will always be a need to evaluate proactive use cases and our taxonomy is future proofed against future market shifts, while providing strategic advice around your platform strategies. 

We will be kicking off our evaluative Proactive Security Platform research next month with the Proactive Security Platform Landscape. . We will cover all phases of proactive security in this research, from Visibility (provided through ASM features), Prioritization (including exposure management, but also other methods of prioritization), and Remediation.  

I look forward to sharing our landscape report Proactive Security Platforms next year. In the meantime, please set up an inquiry or guidance session to discuss how proactive security platform can supercharge your existing security programs.