Cyber risk quantification (CRQ) vendor SAFE announced that it acquired unified vulnerability management vendor Balbix. The acquisition helps SAFE grow its proactive security platform.

Proactive security platforms support all three principles of proactive security: visibility, prioritization, and remediation. Balbix ingests data from other vulnerability sources for visibility, prioritizes high-risk vulnerability and misconfigurations, and helps orchestrate response processes.

SAFE debuted its exposure management offering in August 2025, with intentions to expand its CRQ offering toward a proactive security platform. CRQ solutions primarily help teams with prioritization. Teams can financially measure their risk exposure based on breach scenarios from exploited vulnerabilities and then prioritize remediations based on how much they reduce that exposure. This acquisition helps SAFE improve remediation via Balbix’s asset intelligence and prioritization engine and brings in more vulnerability data sources.

Expect More Consolidation Of CRQ And Proactive Security Platforms

Some vendors have already experimented with combining CRQ and proactive security. Vendors such as CYE have layered CRQ with exposure management and proactive security platforms. Vulnerability management incumbents like Qualys continue to double down on risk, highlighting the need for teams to establish a risk operations center. We expect more CRQ and proactive security platform convergence in these two markets, which have already seen significant movement in the past year with other acquisitions such as Tenable/Vulcan Cyber, Check Point/Veriti, and Dataminr/ThreatConnect.

Remediation Statuses Will Be Tracked By Risk Management Teams

Whether remediations are done, risk-accepted, incomplete, waived, or transferred is a risk management function; risk teams will take more ownership of vulnerability status reporting. CRQ will help them also assess the cost of remediating versus the cost of exposures being exploited. Meanwhile, we expect the other proactive security functions of visibility and prioritization to become increasing responsibilities for the security operations center, with CRQ as an input.