The proactive security market is consolidating further as exposure management vendor Tenable announced its intent to acquire Vulcan Cyber, a unified vulnerability management (UVM) vendor that specializes in third-party vulnerability collection, vulnerability response, and application security posture management. This acquisition demonstrates how vendors are reacting to CISOs’ continued need to unify and consolidate their fragmented arsenal of security tools.

Tenable plans to complete the acquisition by the end of March 2025 for $147 million in cash and $3 million in restricted stock units. Forrester estimates Vulcan Cyber’s annual recurring revenue at around $25 million with about 100 enterprise customers. This acquisition underscores Tenable’s commitment to enhancing vulnerability response, complementing its recent announcement of adding support for integrated patch management capabilities.

As attack surfaces expand across cloud, devices, and applications, security teams face the challenge of managing diverse security posture assessment tools that identify various assets and assess vulnerabilities. This fragmentation makes vulnerability prioritization and remediation tracking challenging. UVM companies such as Vulcan Cyber consolidate and unify vulnerability sources from cloud security, vulnerability scanners, endpoint security, and more to aid in the prioritization process. This unification allows teams to apply prioritization methods and orchestrate and track remediations effectively. This acquisition further aligns with Forrester’s research on proactive security, which is made up of three core principles: visibility, prioritization, and remediation.

Vulcan Cyber’s model of unified vulnerability management, which ingests third-party vulnerabilities and improves response, addresses areas where Tenable has traditionally not been as strong. Forrester expects Tenable to prioritize integrating Vulcan’s third-party connector ecosystem into its Tenable One platform and leveraging Vulcan’s application security posture management (ASPM) capabilities. This integration will enable Tenable One customers to pull in more diverse vulnerability sources, from static application security testing/dynamic application security testing to cloud security providers, ultimately improving remediation response workflows and insights.

UVM solutions have recognized the advantage for security leaders of being able to ingest, aggregate, deduplicate, and triage findings from various vendors and types of application security testing tools. ASPM solutions such as Vulcan Cyber advance this approach by correlating issues discovered during development and testing with application deployment and runtime information. The contextualized prioritization focuses development and DevOps teams on addressing only the most important business-impacting issues, thereby enhancing development productivity and minimizing risk. Moreover, Vulcan Cyber’s ASPM offering further allows Tenable to capture a larger share of the application security budget.

With this acquisition, Tenable has expanded its vulnerability management to enhance remediation. Vulcan’s workflow engine allows security and IT teams to build and deploy custom playbooks that automate prioritization and remediation process, reducing manual overhead. Tenable One can leverage Vulcan’s ability to seamlessly bridge vulnerability data with DevOps toolchains.

This acquisition marks Tenable’s fifth in three years, following purchases in data security (Eureka Security), cloud security (Ermetic), attack surface management (Bit Discovery), and exposure management (Cymptom). The proactive security market is expected to continue consolidating through acquisitions and the unification of vulnerabilities and assets from disparate tools.