Market Guide for Network Traffic Analysis

Published 28 February 2019 – ID G00381265 – 23 min read

Network traffic analysis is a new market, with many vendors entering since 2016. Here, we analyze the key NTA vendors to be considered by security and risk management leaders.


Key Findings

  • Applying behavioral analysis to network traffic is helping enterprises detect suspicious traffic that other security tools are missing.
  • The barrier to entry in this market is low, and the market is crowded; many vendors can monitor traffic from a SPAN port and apply well-known behavioral techniques to detect suspicious traffic.

Recommendations

To improve the detection of suspicious network traffic, security and risk management leaders should:
  • Implement behavioral-based network traffic analysis tools to complement signature-based detection solutions.
  • Include NTA-as-a-feature solutions in their evaluations, if they are available from security information and event management (SIEM), firewall, or other security products.
  • Focus on scalability (can the solution analyze the volume of traffic in the network?); efficacy of detection (perform a proof-of-concept trial in the environment); and price (at this early stage, market pricing varies widely).

Market Definition

Network traffic analysis (NTA) uses a combination of machine learning, advanced analytics and rule-based detection to detect suspicious activities on enterprise networks. NTA tools continuously analyze raw traffic and/or flow records (for example, NetFlow) to build models that reflect normal network behavior. When the NTA tools detect abnormal traffic patterns, they raise alerts. In addition to monitoring north/south traffic that crosses the enterprise perimeter, NTA solutions can also monitor east/west communications by analyzing network traffic or flow records that it receives from strategically placed network sensors.
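As an added illustration of the baseline-and-deviate approach the definition describes (this is example code, not from the Market Guide or any vendor it covers), the Python below builds a per-host model from constructed NetFlow-style records and alerts when a host's east/west fan-out or north/south egress volume breaks from its own baseline. The RFC 1918 ranges used to define "internal", the daily windows, and the z-score and ratio thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: RFC 1918 space is "the enterprise network"; anything else is external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Absolute floors so a host with a near-zero baseline cannot alert on trivial values.
FLOOR = {"ew_peers": 5, "ns_bytes": 1_000_000}
EMPTY = {"ew_peers": 0, "ns_bytes": 0}


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record reduced to the fields the detector uses."""
    day: int        # daily window the record falls in
    src: str
    dst: str
    dport: int
    bytes_out: int  # bytes sent from src to dst


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def host_features(flows):
    """Aggregate flows into per-(day, src) features for internal sources only.

    ew_peers: distinct internal hosts contacted (east/west fan-out)
    ns_bytes: bytes sent to external hosts (north/south egress volume)
    """
    acc = defaultdict(lambda: {"ew_peers": set(), "ns_bytes": 0})
    for f in flows:
        if not is_internal(f.src):
            continue
        entry = acc[(f.day, f.src)]
        if is_internal(f.dst):
            entry["ew_peers"].add(f.dst)
        else:
            entry["ns_bytes"] += f.bytes_out
    return {k: {"ew_peers": len(v["ew_peers"]), "ns_bytes": v["ns_bytes"]} for k, v in acc.items()}


def detect(flows, baseline_days, eval_day, z_threshold=3.0, min_ratio=3.0):
    """Flag hosts whose eval_day feature deviates from their own baseline.

    A feature is anomalous when it sits z_threshold standard deviations above the
    host's baseline mean AND is at least min_ratio times the larger of the baseline
    maximum and the metric floor. The ratio guard keeps a zero-variance baseline
    (a host that behaved identically every day) from alerting on a tiny change.
    """
    feats = host_features(flows)
    alerts = []
    for src in sorted({src for (_, src) in feats}):
        for metric in ("ew_peers", "ns_bytes"):
            history = [feats.get((d, src), EMPTY)[metric] for d in baseline_days]
            today = feats.get((eval_day, src), EMPTY)[metric]
            mu, sigma = mean(history), pstdev(history)
            if sigma > 0:
                z = (today - mu) / sigma
            else:
                z = float("inf") if today > mu else 0.0
            if z >= z_threshold and today >= min_ratio * max(max(history), FLOOR[metric]):
                alerts.append({"host": src, "metric": metric, "baseline_mean": mu, "observed": today})
    return alerts


def build_sample_flows():
    """Constructed sample data, not captured traffic: five quiet days, then day 6."""
    flows = []
    for day in range(1, 6):
        flows += [
            # 10.0.1.5: workstation talking to a file server, DNS and one SaaS site
            Flow(day, "10.0.1.5", "10.0.0.10", 445, 2_000_000),
            Flow(day, "10.0.1.5", "10.0.0.53", 53, 20_000),
            Flow(day, "10.0.1.5", "203.0.113.10", 443, 900_000 + 10_000 * day),
            # 10.0.1.6: a second workstation with a similar profile
            Flow(day, "10.0.1.6", "10.0.0.10", 445, 1_500_000),
            Flow(day, "10.0.1.6", "10.0.0.53", 53, 15_000),
            Flow(day, "10.0.1.6", "203.0.113.10", 443, 700_000 + 5_000 * day),
        ]
    # Day 6: 10.0.1.5 reaches 40 internal hosts on SMB (lateral-movement-like fan-out)
    flows += [Flow(6, "10.0.1.5", f"10.0.2.{i}", 445, 5_000) for i in range(1, 41)]
    flows.append(Flow(6, "10.0.1.5", "203.0.113.10", 443, 950_000))
    # Day 6: 10.0.1.6 looks normal except for a 60 MB transfer to an unfamiliar external host
    flows += [
        Flow(6, "10.0.1.6", "10.0.0.10", 445, 1_500_000),
        Flow(6, "10.0.1.6", "10.0.0.53", 53, 15_000),
        Flow(6, "10.0.1.6", "198.51.100.7", 443, 60_000_000),
    ]
    return flows


if __name__ == "__main__":
    for alert in detect(build_sample_flows(), baseline_days=range(1, 6), eval_day=6):
        print(alert)
```

Only the two planted deviations alert; 10.0.1.5's slightly higher SaaS egress on day 6 stays within its baseline spread and is not flagged.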

Market Description

Dozens of vendors claim to analyze network traffic (or flow records) and to detect suspicious activity on the network. To scope the set of vendors covered here, we applied the following criteria.

Inclusion Criteria

Vendor must:
  • Analyze raw network packet traffic or traffic flows (for example, NetFlow records) in real time or near real time
  • Have the ability to monitor and analyze north/south traffic (as it crosses the perimeter), as well as east/west traffic (as it moves laterally throughout the network)
  • Be able to model normal network traffic and highlight anomalous traffic
  • Offer behavioral techniques (non-signature-based detection), such as machine learning or advanced analytics, that detect network anomalies
  • Be able to emphasize the threat detection phase of an attack, rather than the forensics phase — for example, packet capture (PCAP) analysis

Exclusion Criteria

We exclude solutions that:
  • Require a prerequisite component — for example, a security information and event management (SIEM) or firewall platform
  • Work primarily on log analysis
  • Primarily use rules, signatures or reputation for detection capabilities
  • Are based primarily on analytics of user session activity — for example, user and entity behavior analytics (UEBA) technology
  • Focus primarily on analyzing traffic in Internet of Things (IoT) or operational technology (OT) environments

Market Direction

Throughout 2019, NTA vendors will need to develop their solutions in two primary categories:
  • Detection
  • Response
In the detection category, we expect vendors to continue investing in the machine learning (supervised and unsupervised) techniques that many providers are offering today. Much of the innovation in these areas will not be noticeable to customers; however, vendors must continually invest in detection techniques to have a high degree of efficacy in detecting suspicious network traffic.
Improvements in the response category will be more noticeable. Although the primary use of NTA tools is detection, organizations expect more help from the tools when it comes to investigating and mitigating an incident. There are two broad categories under response:
  • Automated response
  • Manual response
Some types of alerts are good candidates for automated response. For example, if the detection tool has a high degree of confidence that an endpoint has been compromised, that endpoint can be automatically isolated from the network. For incidents that cannot be automatically blocked or handled, the NTA tool and/or third-party tools can provide incident response capabilities.
Responding to more-complex and targeted attacks is primarily about attack investigation and threat hunting, and NTA solutions should develop their capabilities in these areas. Already, many solutions generate metadata and provide the ability to search it, so that incident responders can more quickly respond to attacks and investigate threats. Solutions also capture and store some packets, so that incident responders can perform basic forensics functions, such as going back in time to understand host activity around the time of detection. We expect more vendors to deliver improved threat-hunting features, as they upgrade user interfaces (UIs) and deliver more contextual information to the incident responders.

Market Analysis

Here, we analyze the segments of the NTA market.
Pure-Play NTA Companies: The vendors in this category are mostly smaller specialty companies. Their primary focus is on the detection use case; however, many are working on enhancing their response capabilities.
Network-Centric Companies: Several companies that have historically targeted network use cases, such as network performance monitoring and diagnostics (NPMD; see “Magic Quadrant for Network Performance Monitoring and Diagnostics”), have developed solutions to address security use cases. These network-centric solutions were already monitoring network traffic, and these vendors have applied analytical techniques, such as machine learning, to detect anomalous traffic. We expect more network-centric vendors to develop solutions that target the security market.
Others: A few vendors do not fit cleanly in the two categories defined above. For example, large, diversified network security providers, such as Cisco and Hillstone Networks, also offer NTA solutions. Cisco has Stealthwatch, and Hillstone has the Server Breach Detection System. Two vendors that originally began as network sandboxing companies, FireEye and Lastline, have diversified their product portfolios by adding NTA solutions. FireEye now sells SmartVision and Lastline offers Breach Defender. We expect other network security vendors to follow the path of the vendors listed here and enter the NTA market.

Representative Vendors

The vendors listed in this Market Guide are not an exhaustive list. This section is intended to provide more understanding of the market and its offerings.

Market Introduction

Table 1 highlights the NTA vendors that met our inclusion criteria and were not eliminated by our exclusion criteria (see Note 1).

Table 1: Representative Vendors in NTA

Vendor                 | Product, Service or Solution Name
Awake Security         | Awake Security Platform
Bricata                |
Cisco                  | Stealthwatch
Corelight              | Corelight Sensor
Corvil                 | Corvil Security Analytics
Darktrace              | Enterprise Immune System
ExtraHop               | Reveal(x)
Fidelis Cybersecurity  | Fidelis Elevate
FireEye                | SmartVision
GREYCORTEX             | MENDEL
Hillstone Networks     | Server Breach Detection System
HPE Aruba Networks     | IntroSpect
IronNet Cybersecurity  |
Lastline               | Lastline Defender
Plixer                 | Scrutinizer
HighBar SS8            |
Vectra                 | Cognito Detect
Source: Gartner (March 2019)

Vendor Profiles

Awake Security

Based in Sunnyvale, California, Awake Security’s solution uses a combination of supervised and unsupervised machine learning and other analytical techniques to detect suspicious traffic. The product can be deployed all-in-one (sensor and analytics) in a single unit or in a distributed fashion, where the sensor and the analytics hub are separated. The sensor can be deployed as a physical or virtual appliance across IT, OT and IoT networks, as well as in the cloud to protect Amazon Web Services (AWS), Azure and Google Cloud Platform (GCP) workloads. Awake uses machine-learning-based encrypted traffic analysis to find threats in encrypted traffic without needing to decrypt it. Awake does not provide a decryption engine for Secure Sockets Layer/Transport Layer Security (SSL/TLS) traffic.
Awake does not block attacks natively. Awake’s approach is to integrate with orchestration solutions (e.g., Splunk Adaptive Response or Demisto) or endpoint solutions (Carbon Black) to perform quarantine or trigger remediation playbooks. For example, customers use these mechanisms to block domains and IPs at the firewall or proxy and to take devices offline. Awake sells the solution as an annual subscription, based on aggregate throughput. Virtual appliances are available at no charge, and physical devices are available for a fee.

Bricata

Based in Columbia, Maryland, Bricata’s detection capabilities include signature and behavioral techniques (including supervised, but not unsupervised, machine learning). It uses two IDS/IPS engines, Suricata and Zeek (Bro), simultaneously. Suricata provides signature-based threat detection. Zeek enables stateful, behavior-anomaly-based threat detection. Bricata also licenses Cylance’s INFINITY technology for threat detection. Zeek generates network metadata that populates Bricata’s repository. The repository comes with a threat-hunting environment for manual threat detection.
Bricata’s architecture is composed of two main elements. Sensors (physical or virtual) are deployed on the network and perform PCAP, metadata generation and intrusion prevention system/intrusion detection system (IDS/IPS) functions, including dropping packets. A Central Management Console (CMC) repository is typically deployed in a data center. The CMC processes and analyzes the data collected from the sensors, and it provides an interface for threat hunting. Bricata does not decrypt SSL/TLS traffic, although it provides a built-in mechanism for JA3 fingerprinting of SSL sessions.
Bricata offers subscription licensing based on the aggregate throughput of the traffic being monitored. Customers purchase physical sensors and CMCs; however, virtual instances are free of charge. Hardware warranty, software maintenance and Bricata support are included in the subscription price. Higher levels of support are available at an additional charge.

Cisco

Headquartered in San Jose, California, Cisco competes in the NTA market with Cisco Stealthwatch. Stealthwatch’s primary data source is NetFlow records, and it is deployed as a physical appliance, a virtual appliance or a SaaS solution. Through its Flow Sensors, Stealthwatch provides Layer 7 application visibility by gathering application information, along with on-demand PCAP; full PCAP is not natively supported. Stealthwatch can also ingest data from cloud platforms, such as AWS, Azure and GCP, as well as from Kubernetes environments. Stealthwatch leverages various techniques for analytics, including signature-based detection, statistical analysis, and both supervised and unsupervised machine learning. Cisco integrates with Cisco Talos Intelligence Group for threat intelligence feeds.
Stealthwatch is sold as a term-based subscription based on the necessary flows per second, network device count or total monthly flows, depending on the product and deployment infrastructure. The subscription includes virtual flow collectors and the management console; however, additional fees are required for the appliance-based version of the product. The cloud version of Stealthwatch uses a combination of sensors for customer premises and API connectivity to flow sources in public clouds. Stealthwatch is integrated with the Cisco Identity Services Engine, which allows it to quarantine hosts. Stealthwatch does not decrypt traffic, but uses Encrypted Traffic Analytics (ETA) to detect malware and ensure cryptographic compliance. The product’s core market is midsize-to-large enterprises.

Corelight

Headquartered in San Francisco, California, Corelight’s solution is based on open-source Zeek (formerly known as Bro). Corelight has added enhancements that focus on scale, manageability and data enrichment. The solution consists of a range of physical and virtual sensors. These sensors analyze network traffic across multiple protocols, execute in-line detection analysis, and forward the events and parsed data logs to a customer’s SIEM or data lake. The Bro/Zeek scripting framework provides an optional feature that allows customers to write their own detection content. This is a popular approach for advanced customers that can optimize detection capabilities for their own environment.
Corelight’s detection capabilities include heuristic and statistical analysis, but no machine learning. However, some Bro/Zeek customers have used Python machine learning libraries to do both supervised and unsupervised machine learning. Corelight also performs some simple pattern-matching (signature-like) detection. Corelight does not collect and analyze NetFlow or IPFIX records; however, the Corelight sensors generate metadata, which can be stored and analyzed for forensic analysis using third-party tools. Corelight does not decrypt SSL/TLS traffic, although it provides a built-in mechanism for JA3 fingerprinting of SSL sessions.
The solution is licensed on a subscription basis, which includes service and support, as well as hardware, software and a technical account manager. Enterprise support (e.g., hardware replacement) is available separately.

Corvil

Based in Dublin, Ireland, Corvil is an NPMD vendor that has adapted its IT operations solutions for NTA with a solution called Corvil Security Analytics. It operates on metadata derived from raw network packets, applying signature-based detection using Snort rules, proprietary rules, protocol analysis and reputation-feed-based traffic matching. The reputation-feed-based traffic matching leverages the Emerging Threats ETPro IP and domain reputation feeds, as well as the SSL Blacklist. Corvil offers basic, unsupervised machine learning, but it does not provide supervised machine learning. Corvil Security Analytics is sold as a hardware appliance, and can be complemented by host-based software sensors.
Corvil Security Analytics is priced on a perpetual-license basis, with customers choosing the appropriate appliance type based on network traffic rates. Hardware appliances support up to 80 Gbps line-rate capture and up to 300TB of storage. The use of the Corvil virtual sensor is free. Corvil appliances can decrypt SSL and TLS traffic, and they support JA3 fingerprinting of SSL sessions. The product’s core market is the large enterprise.

Darktrace

Based in Cambridge, U.K., and San Francisco, California, Darktrace’s Enterprise Immune System is built on unsupervised machine learning technology. The company states that it relies on more than 50 unsupervised learning approaches. Darktrace can be deployed to secure physical (IT and OT), virtualized, infrastructure as a service (IaaS) and SaaS environments. Deployment options include Darktrace appliances, software sensors and connectors that are installed passively in the customer’s network or cloud. A master appliance correlates behavior across the organization’s infrastructure. Darktrace Antigena, an optional product that provides autonomous response capabilities, uses multiple techniques (e.g., TCP Reset, applying Active Lists via firewall integrations) to automatically mitigate threats to the customer’s environment.
The pricing model for Darktrace software is a subscription service based on the size of the company and the distribution of the deployment. A popular service option is the Threat Intelligence Reports, which analyze the most significant threats detected by Darktrace’s technology. Pricing for Antigena Network is 50% of the license value for the Enterprise Immune System.

ExtraHop

Based in Seattle, Washington, ExtraHop started as an IT-operations-focused NPMD vendor. The company has expanded its focus to security buyers, by adapting its packet analysis technology for the NTA market. The product, Reveal(x), performs real-time stream processing of raw network packets and applies its unsupervised machine learning algorithms to detect behavioral anomalies. The metadata extracted from the packets is tracked, allowing Reveal(x) to identify behavior indicative of an attack by comparing against a number of proprietary unsupervised models. Reveal(x) is sold as a hardware appliance or a virtual appliance.
Licensing for Reveal(x) is on a subscription basis, priced by the number of critical assets that are being monitored. The physical appliances are sold as a separate one-time cost, while virtual and cloud appliances are free. Hardware appliances support up to 100 Gbps line rate capture and up to 2PB of storage. Reveal(x) can ingest third-party threat intelligence feeds, based on the standard Structured Threat Information eXpression (STIX) format. The solution supports SSL/TLS and perfect forward secrecy (PFS) traffic decryption at line rate.

Fidelis Cybersecurity

Based in Washington, D.C., Fidelis offers a security platform (Fidelis Elevate) that combines IDS, NTA, network sandboxing, web and email data loss prevention (DLP), endpoint detection and response (EDR), asset classification, and deception. The Fidelis Elevate platform collects Layer 7 metadata for many protocols. Fidelis primarily uses supervised learning for north/south network traffic analysis. It leverages unsupervised machine learning to build a risk score (Alert Threat Score) for each alert, helping with event triage. The solution includes a threat intelligence feed to catch identified attacks and supports open-source and third-party threat intelligence sources. Fidelis supports event-triggered, full PCAP and can store up to one year of metadata for retrospective analysis.
Metadata can be aggregated from multiple sensors in an appliance (Fidelis Collector) and stored for one year or longer. The solution can send TCP resets, or block if deployed in-line, and can integrate with Fidelis’ endpoint and response solution for additional response capabilities. The vendor offers multiple physical and virtual sensors, including a generic one for all protocols, and specialized versions for mail, web, cloud and data center traffic. Fidelis does not decrypt SSL/TLS traffic.
Fidelis Cybersecurity uses a traditional, perpetual-sale model for its physical appliances, with an annual support fee. The solution can be complemented with managed detection and response (MDR) and threat-hunting services. The vendor offers its cloud management solution as a subscription.

FireEye

Based in Milpitas, California, FireEye’s SmartVision solution can be implemented as part of FireEye Network Security, as well as in non-FireEye environments. SmartVision uses a combination of signatures, machine learning and heuristics, as well as FireEye’s MVX engine (primarily sandboxing technology) to detonate suspicious objects moving over the Server Message Block (SMB) protocol. SmartVision includes FireEye’s IPS engine. FireEye leverages an indicator correlation engine, along with a custom signature database with rules generated from cyberattacks. Customers can deploy SmartVision on FireEye NX appliances or on virtual appliances. SmartVision does not decrypt SSL/TLS traffic.
When enabled on an NX appliance, SmartVision is capable of monitoring network traffic in north/south and east/west directions, and all detections occur on the NX sensor directly. The pricing model for the SmartVision Edition is a subscription based on aggregate throughput. As many as 20 virtual sensors are provided for free. Service and support are included in the price of the subscription.

GREYCORTEX

Based in the Czech Republic, GREYCORTEX’s MENDEL solution uses behavioral techniques (supervised and unsupervised machine learning) and signature-based detection. The Emerging Threats ETPro rule set, which GREYCORTEX licenses, is one aspect of its signature-based capability. Sensors (physical and virtual) are deployed in the customer’s network, and they forward flow records, application metadata and signature-based events to collectors that analyze the information. Sensors and collectors can be combined in a single appliance. MENDEL is capable of decrypting SSL/TLS traffic.
GREYCORTEX has also developed a solution for monitoring OT networks. It provides visibility into several protocols that are common in SCADA environments, and it also uses machine learning and signature-based detection mechanisms. GREYCORTEX mainly targets Europe, the Middle East and the Asia/Pacific (APAC) region. Two pricing models are available. Customers can purchase the sensors and collector appliances and purchase a perpetual software license. Alternatively, they can purchase a subscription, which includes monthly fees for the appliances and service and support.

Hillstone Networks

Based in Beijing, China, Hillstone Networks is a network security vendor, with a regional headquarters in Santa Clara, CA. The vendor introduced its NTA product, named Server Breach Detection System (sBDS), with two appliances in 2017. Hillstone’s NTA product extracts Layer 7 metadata and applies clustering, an unsupervised learning algorithm, to identify deviation from normal activity. sBDS also includes an IPS and an antivirus engine. It also implements some limited deception features (for example, emulating the answer of a web server). Each appliance embeds a management and monitoring interface, and centralized cloud monitoring is also available (Hillstone CloudView). sBDS integrates with Hillstone firewalls to add blocking capabilities. Hillstone sBDS does not decrypt SSL/TLS traffic.
Hillstone NTA primarily targets the data center, with many dashboards focused on this use case. The vendor prices its NTA solution using the traditional appliance model, with upfront cost for the hardware, and subscription and support as yearly fees. It also offers NTA as a service, where the cost of the devices is included in the yearly subscription.

HPE Aruba Networks

Based in Santa Clara, California, HPE-Aruba acquired Niara, which had been targeting UEBA opportunities, in 2017. Since 2018, HPE/Aruba has been repositioning the Niara technology, now known as IntroSpect, to compete in the NTA market. The solution is available in two packages: IntroSpect Standard (the NTA product) and IntroSpect Advanced (which adds UEBA and log source features). IntroSpect collects and analyzes packet-level information, as well as logs, and it provides user attribution and investigative support. The product is integrated with Aruba’s ClearPass NAC offering to provide automated response; however, HPE-Aruba also sells it as a stand-alone solution. Detection relies heavily on behavioral techniques (supervised and unsupervised machine learning, heuristics, and statistical analysis), and it includes a rule engine that can be programmed to look for specific conditions. IntroSpect does not decrypt SSL/TLS traffic.
Key components of IntroSpect’s NTA solution include Real Time Packet Processing (RTPP) and a centralized Analyzer. The RTPPs can be physical or virtual appliances. Customers purchase RTPP (virtual appliances are free) and the Analyzer appliance, along with a software license subscription for the Analyzer (based on the number of users, systems and devices in the customer’s network).

IronNet Cybersecurity

Based in Fulton, Maryland, IronNet’s solution uses sensors that are implemented in the customer’s network and an analytical back end that can be hosted on-premises, in the IronNet cloud or in AWS. Historically, the sensors have been physical appliances, although IronNet plans a virtual sensor for 2019. The solution supports full PCAP and stores approximately three days of PCAPs and approximately 90 days of session metadata. IronNet’s detection capabilities are based on signatures, machine learning and other analytical techniques. The solution has an add-on capability that enables enterprises to share behavioral intelligence with peer enterprises and, optionally, with government to enhance the detection of industry-sector-wide campaigns. IronNet’s sensors do not decrypt SSL/TLS traffic. However, they can analyze the SSL/TLS traffic and identify malicious activity during a session.
IronNet targets large enterprises that are concerned about attacks from nation states. Customers must purchase the hardware sensors and the associated software. They pay a flat monthly fee for the analytical back-end component.

Lastline

Based in Redwood City, California, Lastline’s Lastline Defender solution uses a combination of techniques, including supervised and unsupervised machine learning, deep learning, deep packet inspection, NetFlow record analysis, and other analytics to detect malicious network behaviors and suspicious traffic. Lastline’s sandbox technology is embedded in its Defender solution to analyze files and determine whether they contain malware. The sandbox analysis is also used to feed training data to Defender’s detection capabilities. The solution has a flexible deployment model. Customers can install Lastline sensors on their networks and use the Lastline cloud to support the detection capabilities. Alternatively, customers can install all Lastline components on-premises, and they can protect workloads in public clouds. Lastline can inspect SSL/TLS traffic when deployed in-line as an explicit proxy.
Lastline can automatically respond to (for example, block) incidents that it detects. It also has several technology partnerships that enable customers to automatically respond to incidents detected by Defender. The solution has integrations with endpoint vendors, including Carbon Black and Tanium; network vendors (Check Point, Palo Alto Networks and Fortinet); SIEMs; security orchestration, automation and response (SOAR) solutions; and email and web gateways. The pricing model is a per-user/per-year subscription. Software sensors are provided free of charge. These sensors include the Suricata IDS and are enhanced with Lastline’s custom protocol analysis, as well as components that perform email inspection and static file analysis. Lastline sensors can be deployed in-line to block malicious traffic, out of band on a SPAN port or TAP, or as mail transfer agents (MTAs).

Plixer

Headquartered in Kennebunk, Maine, Plixer offers the Scrutinizer product for NTA. Scrutinizer is deployed on-premises with hardware or virtual appliances, but can also be deployed in a private cloud, a hybrid cloud and as SaaS. The solution’s primary data source for analytics is flow data, in addition to collecting data from VMware ESXi, Cisco ACI and AWS flow logs. Plixer does not natively support full or on-demand PCAP, nor the decryption of packets. Scrutinizer leverages signature-based detection, heuristic detection and statistical analytics, but does not support supervised or unsupervised machine learning. Heuristic detection involves analyzing traffic behavior, with persistent flow risk assessments as an example. Scrutinizer supports threat intelligence feeds for host and domain reputation, as well as offering historical forensics for incident response.
For on-premises virtual and hardware deployments, the product is sold as either a three- or five-year subscription and is based on the number of devices exporting flows and metadata. For SaaS deployments, a three- or five-year subscription plan is also available and is based on the volume of collected data. Scrutinizer’s flow support has been extended with vendor-specific templates for a number of hardware vendors, including Cisco, Juniper and Palo Alto Networks, giving Scrutinizer access to a broad set of metadata. Plixer Scrutinizer is also sold to IT operations for performance monitoring and is a fit for midsize and large enterprises.

HighBar SS8

Based in Milpitas, California, SS8 is a security company that was recently acquired by private equity firm HighBar. SS8’s NTA solution is available in the form of virtual appliances, both for the sensors and for its centralized management and monitoring platform (Security Analytics Platform). SS8 sensors sit out of band, and extract Layer 7 metadata from raw network packets. The technology uses unsupervised machine learning to highlight outlier devices on the network. It also leverages more-traditional signatures to detect known attacks. SS8 does not decrypt SSL/TLS traffic.
SS8 licenses its solution in the form of a subscription, based on the total average traffic throughput and the duration of data retention. Its largest target markets include industrial, financial and governmental agencies in North America.

Vectra

Headquartered in San Jose, California, Vectra’s NTA product (Cognito Detect) uses hardware and virtual sensors to forward a proprietary set of traffic metadata to the analytic engine (Cognito Brain), where it is stored. The vendor’s detection engine combines supervised and unsupervised machine learning algorithms to detect attacker behaviors. It uses several deep-learning models (e.g., recurrent neural networks and long short-term memory) when necessary. The vendor also implements heuristics for known bad behaviors (such as port scan detection) and enables customers to import specific indicators of compromise (IOCs) to quickly identify a recent, prominent attack. Vectra aggregates individual alerts into security incidents for an individual host, with on-demand, full PCAP for forensics investigation. The vendor also offers a dedicated view called Attack Campaigns to track attacks across the enterprise network. Vectra partners with other security vendors (endpoint protection, firewalls, SIEM and SOAR) to provide response capabilities. Vectra does not decrypt SSL/TLS traffic.
Vectra offers specialized detection for data center and cloud use cases. It sells sensor hardware (virtual sensors are provided free of charge), then licenses its technology per concurrent active device, with different prices for clients and servers. Support is included in the per-device subscription. The vendor also offers additional subscriptions, such as regular reviews performed by the vendor’s security analysts, or a recently launched, cloud-based metadata search engine, Cognito Recall.

Solutions in Adjacent Markets

Below is a list of vendors we are tracking that did not qualify for inclusion in this Market Guide.

IoT and OT Specialization

  • Armis
  • Cyberbit

NTA as a Feature

  • IBM QRadar (Network Insights)
  • LogRhythm (NetMon)
  • Palo Alto Networks (Cortex XDR)


  • AizoOn
  • Gigamon (ICEBRG acquisition)
  • ProtectWise
  • SecBI
  • Vehere

Market Recommendations

Enterprises should strongly consider NTA to complement signature-based and sandboxing detection methods. Many Gartner clients have reported that NTA tools have detected suspicious network traffic that other perimeter security tools had missed.
When evaluating vendors (see Note 2), assess the following factors:
  • Scalability — Does the solution have the capacity to analyze the amount of traffic in your environment?
  • Workflow — Does the vendor provide tools natively and workflow guidance to assist in responding to its alerts? Does the vendor integrate with SOAR tools?
  • Pure-Play Versus NTA as a Feature — Is it more sensible to implement NTA as a feature from another technology vendor (for example, SIEM), or do you require a more full-featured, pure-play NTA solution from one of the vendors analyzed in this Market Guide?

Note 1: Representative Vendor Selection

These 17 vendors were selected because they met Gartner’s inclusion criteria, and were not eliminated by our exclusion criteria noted above.

Note 2: Gartner’s Initial Market Coverage

This Market Guide provides Gartner’s initial coverage of the market, and focuses on the market definition, rationale for the market and market dynamics.

Magic Quadrant for Endpoint Protection Platforms

Published 20 August 2019 – ID G00352135 – 63 min read

The endpoint protection market is transforming as new approaches challenge the status quo. We evaluated solutions with an emphasis on hardening, detection of advanced and fileless attacks, and response capabilities, favoring cloud-delivered solutions that provide a fusion of products and services.

Strategic Planning Assumption

By 2025, cloud-delivered EPP solutions will grow from 20% of new deals to 95%.

Market Definition/Description

This document was revised on 23 August 2019. The document you are viewing is the corrected version.
An endpoint protection platform (EPP) is a solution deployed on endpoint devices to harden endpoints, to prevent malware and malicious attacks, and to provide the investigation and remediation capabilities needed to dynamically respond to security incidents when they evade protection controls. Traditional EPP solutions have been delivered via a client agent managed by an on-premises management server. More modern solutions utilize a cloud-native architecture that shifts the management, and some of the analysis and detection workload, to the cloud.
Security and risk management leaders responsible for endpoint protection are placing a premium on detection capabilities for advanced fileless threats and investigation and remediation capabilities. Data protection solutions such as data loss prevention (DLP) and encryption are also frequently part of EPP solutions, but are considered by buyers in a different buying cycle.
Protection for Linux and Mac is increasingly common, while protection for mobile devices and Chromebooks is increasing but is not typically considered a must-have capability.
While protection for virtual, Windows and Linux servers is common, the evolutionary shift from hardware servers to virtual machines (VMs), containers and private/public cloud infrastructure means that server workloads now have different security requirements compared to end-user-focused, interactive endpoints. (See “Endpoint and Server Security: Common Goals, Divergent Solutions.”) As a result, specialized tools to address the modern hybrid data center that utilizes both the cloud and on-premises deployments are diverging into a new market Gartner calls cloud workload protection platforms (CWPP; see “Market Guide for Cloud Workload Protection Platforms”). Gartner recommends that organizations separate the purchasing decisions for server workloads from any product or strategy decisions involving endpoint protection due to the largely divergent nature of their features and management.
This is a transformative period for the EPP market, and as the market has changed, so has the analysis profile used for this research. In the 2019 Magic Quadrant for Endpoint Protection Platforms, capabilities traditionally found in the endpoint detection and response (EDR) market are now considered core components of an EPP that can address and respond to modern threats (see “Market Guide for Endpoint Detection and Response Solutions”).

Magic Quadrant

Figure 1. Magic Quadrant for Endpoint Protection Platforms

Source: Gartner (August 2019)

Vendor Strengths and Cautions

Bitdefender

Bitdefender is a private software company that offers an EPP and EDR in one platform, GravityZone Ultra, with one agent across endpoints and physical, virtual or cloud servers, delivered via cloud or on-premises management.
Bitdefender has been consistently growing its enterprise segment presence and licenses its core engine to an extensive range of security products. It launched a managed detection and response (MDR) service providing proactive alerting, assistance with alert investigation and periodic health checks. It also added a confidence score.
Bitdefender is a good choice for organizations that value malware detection accuracy and agent performance, as well as full support for data center and cloud workloads from a single solution.

Strengths

  • Bitdefender has a large R&D team that focuses on threat research and that is a consistent top performer in malware protection tests.
  • Bitdefender offers a single modular agent for physical, virtual and cloud platforms, and a single SaaS console for all endpoint/server security administration.
  • Low-overhead EDR, supported by several detection layers and automated response actions, enables enterprises and midmarket organizations to benefit from EDR.
  • Gartner clients praise Bitdefender for its ease of use, deployment and customer support.
  • Bitdefender provides a series of features that can decrease the attack surface of the endpoint, including application whitelisting. GravityZone provides integrated vulnerability and configuration monitoring and can provide patch management with an add-on license. It also provides full-disk encryption, web content filtering and device control.

Cautions

  • The Bitdefender EDR capability lacks numerous common features for advanced security operations center (SOC) users such as analyst workflow, automatic indicator of compromise (IOC) or threat feed integration, custom query and blocking rules, contextual information, and guided investigation.
  • Bitdefender’s Patch Management module, firewall module and sandbox analysis feature are not yet available for the Linux platform, nor do they interoperate with other client management tools for remediation purposes.
  • Anomaly detection and Bitdefender’s MDR offering are new and unproven in the market.
  • EDR capabilities are only available in the cloud platform. The app whitelisting capability is only available with the on-premises platform.
  • While Bitdefender has taken steps to grow its enterprise presence and sales operations, mind share among Gartner clients remains low.

BlackBerry Cylance

Cylance was acquired by BlackBerry, effective 21 February 2019, and now operates as a division of BlackBerry. BlackBerry has publicly communicated its vision to secure the Internet of Things (IoT) by leveraging Cylance AI technologies as an essential component. Initial plans include cross-selling of Cylance into BlackBerry enterprise accounts and integration of Cylance AI into BlackBerry’s unified endpoint management solution and QNX platform for automotive OEMs.
Cylance is best known in the market for its signatureless malware prevention using machine learning (ML). Cylance has also applied machine learning to its EDR product, CylanceOPTICS. Cylance has a strong OEM business and technology integrations into nontraditional endpoint solutions, such as security gateways, industrial control systems and medical devices.
Cylance now also offers on-premises and hybrid deployments along with SaaS delivery. On-premises and hybrid deployments are targeted to air-gapped environments. The newly introduced CylanceGUARD, its managed detection and response solution, provides proactive threat hunting; however, this capability was not publicly announced until after the analysis deadline for generally available features, and it was not included in the analysis.

Strengths

  • Cylance’s primary strength is the use of agent-side machine-learning-trained algorithms to detect file-based malware instead of signature databases. This approach avoids the maintenance and network burden of daily updates, is more effective at detecting known and unknown malware, and doesn’t require a connection to the internet to protect. CylancePROTECT also provides memory protection and script controls for fileless malware.
  • CylanceOPTICS provides EDR capabilities to provide endpoint visibility and incident response capabilities. Cylance is well positioned to use its machine learning expertise to provide user and entity behavioral detection capabilities.
  • Response orchestrated with automated package playbooks was introduced in 2018. Playbooks allow for automatic preventive or remediation actions (e.g., terminate processes, suspend processes, delete files, delete registry keys, log off users, etc.) via Python scripts when a detection event is triggered.
  • CylancePROTECT supports Windows, macOS, AWS Linux and Linux operating systems. It can be used in virtual environments owing to its minimal system overhead.
  • Gartner clients report a good experience, effective customer support, quality of technical support, and effective malware and ransomware protection.

Cautions

  • The acquisition by BlackBerry adds some uncertainty to Cylance’s execution. BlackBerry’s goals may not align with Cylance customers’ aspirations for the product.
  • The ML capabilities in CylancePROTECT have yielded good results at detecting new malware; however, CylancePROTECT is overly reliant on machine learning technology, which makes it easier for malware authors to bypass. Moreover, Gartner clients have reported false-positive rates in CylancePROTECT with custom or rare applications, requiring organizations to establish a whitelisting process. CylanceOPTICS is necessary to add behavioral detection.
  • CylancePROTECT and CylanceOPTICS require two separate agents with two separate installations, although an integrated agent is due in 3Q19.
  • CylanceOPTICS stores historic data on the endpoint, which makes it subject to loss if the endpoint is inaccessible. InstaQuery provides information only from devices that are online. Out-of-the-box automated remediation options are limited. CylanceOPTICS does not support Linux. CylanceOPTICS advanced threat hunting and custom behavioral rules are scripted in Python and do not leverage an easy-to-use UI.
  • Cylance does not yet offer security operations capabilities such as vulnerability and configuration assessment; however, these features are on Cylance’s short-term roadmap.
  • Cylance has not participated in tests of its antivirus effectiveness except for the NSS Labs test and VirusTotal, making it difficult for prospective customers to compare its efficacy to other solutions without a proof of concept. It is participating in the next round of MITRE evaluations.

Carbon Black

Carbon Black has recently transitioned its focus to selling and migrating customers to its cloud-based security platform, the CB Predictive Security Cloud (PSC). The company’s overall offerings consist of CB Defense (EPP), CB ThreatHunter, CB LiveOps, and CB ThreatSight on PSC, and CB Response (threat hunting and incident response) and CB Protection (application whitelisting and device lockdown) on-premises offerings.
Carbon Black maintains a strong reputation as offering one of the leading EDR solutions in the marketplace. CB Response (threat hunting) is typically found in more complex environments with very mature security operations teams. The CB Defense agent collects and sends all the unfiltered endpoint data to the cloud using a proprietary data streaming mechanism that eliminates bursting and peaks on networks.

Strengths

  • Carbon Black’s single cloud console, single-agent approach to integrated EPP and EDR provides ease of use and seamless integration between core product offerings and enhanced offerings such as threat hunting (CB ThreatHunter), and endpoint query and remediation (CB LiveOps).
  • Carbon Black provides an advanced toolset (CB ThreatHunter) that has broad appeal to organizations that have mature security operations teams consisting of high-caliber and very experienced personnel.
  • Carbon Black’s CB Defense solution incorporates a blended approach consisting of both online and offline detection signatures, machine learning, software behavior monitoring, process isolation and memory protection, along with exploit prevention.
  • Carbon Black’s cloud-native console offers administrators simplified views of threats via visual alerts, triage and live remote Secure Shell access.
  • Carbon Black’s APIs and broad third-party partner ecosystem provide opportunities for SOCs to integrate Carbon Black findings into a diverse set of analytics, IT operations workflows, security operations and case management solutions.

Cautions

  • The Predictive Security Cloud is the flagship platform; however, a substantial portion of Carbon Black’s installed base is still on the CB Response and CB Protection product lines, which do not include an EPP capability. PSC will be the primary platform for new features and functions.
  • Carbon Black continues to be at the premium end of cost per endpoint in terms of cost to acquire and cost to operate, especially if organizations require the EPP and the separate application whitelisting capabilities provided by CB Protection.
  • Carbon Black PSC is still missing common features such as rogue device detection. Some customers report lengthy issue resolution times and quality issues with Carbon Black’s customer support services.
  • A limited number of Carbon Black customers report endpoint device performance issues related to their CB Defense deployments, and that performance troubleshooting could be made easier in the CB Defense solution.

Check Point Software Technologies

Check Point Software Technologies is a global security vendor well known for its network firewall products. It has been a vendor in the endpoint protection market since the 2003 acquisition of Zone Labs’ personal firewall. In 2016, Check Point introduced SandBlast Agent, which provides both advanced EPP and EDR capabilities. SandBlast shares prevention technologies with ZoneAlarm but is targeted at the enterprise, while ZoneAlarm is now marketed to consumers. In addition, Check Point SandBlast also offers endpoint VPN, encryption, URL filtering and anti-ransomware products.
SandBlast is integrated with Check Point gateways via the Infinity management console for alert consolidation and data sharing.

Strengths

  • All endpoint protection capabilities are managed in a single management console delivered via a cloud service or an on-premises management server.
  • Protection capabilities include memory exploit protection, behavioral protection and browser extensions for Chrome, Internet Explorer and Mozilla Firefox. These extensions provide downloaded file sandbox inspection, phishing URL protection and corporate password reuse monitoring. There is also a cloud sandbox for suspicious file detonation.
  • The EDR incident response management experience is enhanced by contextual information on process and automatic correlation of suspect events. Remediation capabilities include encrypted file restoration, full attack chain sterilization and machine isolation.
  • SandBlast Mobile for Android and iOS provides jailbreak detection, device configuration and profile monitoring, malware and man-in-the-middle attack prevention.

Cautions

  • Despite its long history in the market, Check Point has struggled to gain market and mind share.
  • Only incident-related data and event forensics reports are stored in the central management system. Raw data is stored locally on the endpoint. Other enterprise-class features such as workflow, advanced threat hunting and custom rule creation are lacking.
  • Rogue client detection is limited to data stored in Active Directory. The vendor does not offer any vulnerability or configuration management capabilities.
  • Management experience is inconsistent. Investigations traverse several different interfaces, tabs and windows. Some of the user interfaces are Win32-application-style, while other components have more modern UI designs. Policy configuration involves myriad pop-up windows. Mac and Linux searching can only be done via the command line.
  • Check Point does not participate in regular testing of its effectiveness, appearing in only four tests in the past 12 months. Check Point cloud management for the SandBlast agent is new and has limited adoption at the time of publication.

Cisco

Cisco offers Advanced Malware Protection (AMP) for Endpoints, which consists of prevent, detect and respond endpoint security capabilities deployed with a cloud or on-premises management console.
Cisco’s AMP for Endpoints makes use of AMP capabilities that are also available in other Cisco security offerings including threat intelligence data from Threat Grid and Talos security research. AMP for Endpoints integrates with other Cisco security products, such as secure email and web gateways and network security appliances in the Cisco Threat Response incident response console.
Cisco’s AMP will appeal to existing Cisco clients, especially those that leverage other Cisco security solutions and that aspire to establish security operations around Cisco products.

Strengths

  • Cisco AMP is highly reputed for its threat intelligence from its well-known Talos security research team and for its exploit prevention capabilities, both used as a means of reducing the endpoint attack surface. Cisco recently licensed Morphisec to add exploit prevention.
  • Cisco AMP can perform discovery of unprotected and unmanaged endpoints that present malicious behavior based on network security information.
  • Cisco offers a broad range of managed services, including SOCs, active threat hunting, and incident support.
  • Cisco Threat Response integrates AMP and other Cisco security offerings, such as firewall, intrusion prevention system (IPS), secure email and web gateways. This allows for centralized alert consolidation and incident response, as well as intelligence sharing and policy synchronization in the Cisco Threat Response console.

Cautions

  • The Exploit Prevention engine, Malicious Activity Protection engine and System Process Protection (SPP) engine are only available for Windows. Mac and Linux rely on the open-source ClamAV for signatures.
  • EDR navigation between screens is neither fluid nor intuitive, making it hard to get a full understanding of the state of an endpoint or incident and to pivot to related items.
  • Although the threat hunting functionality has expanded, Cisco AMP still lacks certain advanced threat hunting capabilities, such as the creation of customized behavioral protections and the integration of threat feeds. Also, it lacks a community portal for collaboration with industry peers.
  • Most Cisco AMP deployments run alongside another EPP solution, augmenting existing protection and interoperating with other Cisco security solutions via Threat Response.
  • Cisco still needs to consolidate its various endpoint agents for Duo, Umbrella, AnyConnect, Tetration and AMP.
  • Cisco is new to public comparative testing, appearing in the NSS Labs test and one AV-Comparatives test. Its underlying antivirus engine (Bitdefender) is an active participant in tests.

CrowdStrike

CrowdStrike’s cloud-native architecture provides an extensible platform that enables additional security services like IT hygiene, vulnerability assessment and threat intelligence. Its app store, the CrowdStrike Store, allows customers to acquire additional security functions, such as user and entity behavior analytics (UEBA) and file integrity monitoring, through partners that use the same client and cloud management console.
CrowdStrike has been a leader in the fusion of products and services, with very high adoption of the Falcon OverWatch service, which provides managed threat hunting, alerting, response and investigation assistance. CrowdStrike also offers the Falcon Complete service, which provides full managed detection and response, engagement consulting for incident response and a $1 million breach prevention warranty.
In 2018, Dell and Secureworks announced a strategic go-to-market alliance with CrowdStrike and the company launched a very successful IPO, improving its overall viability.
Organizations looking for a modern, cloud-native EDR-focused EPP solution with a range of managed services will find CrowdStrike very compelling.

Strengths

  • CrowdStrike continues to be one of the fastest growing and most innovative vendors in this research. It is rapidly taking market share in 176 countries, including numerous very large organizations with more than 100,000 seats.
  • Gartner clients report simple and easy Falcon deployments, in part due to the cloud architecture. CrowdStrike Falcon’s lightweight, single agent supports all environments (physical, virtual and cloud), and functions with the same agent and management console for Falcon Prevent protection and Falcon Insight EDR. CrowdStrike records most endpoint events and sends all recorded data to its cloud for analysis and detection. Some prevention is done locally on the agent via a machine learning antivirus engine.
  • Recent improvements include vulnerability detection; discovery for Amazon Web Services (AWS) and for asset inventory; and security configuration for cloud assets. They also include Real Time Response and Real Time Query to enable remote commands on suspect machines; custom indicators of attack (IOAs) for detection and prevention; and blocking of driver-level ransomware attacks. CrowdStrike has also introduced Falcon for Mobile to isolate corporate apps from unmanaged devices.
  • CrowdStrike is the first EPP vendor in this research to provide firmware visibility and vulnerability detection to reduce the risk of hardware-based attacks.
  • CrowdStrike offers a FedRAMP-certified cloud in the U.S., and recently added a Germany cloud location for EU customer data.
  • It offers agents for a broad range of endpoints and supports new Linux kernels in less than a week. It also added support for Oracle Linux and Amazon Linux.

Cautions

  • CrowdStrike does not have an integrated deployment solution, but it does work well with third-party tools.
  • The full product is more expensive than other EPP solutions, but includes the OverWatch service and covers the costs of cloud data storage for EDR. Default cloud storage for full hunting and investigation data is very short (i.e., seven days).
  • The MITRE ATT&CK evaluation showed that CrowdStrike reported more detections with OverWatch than without, and some of those are delayed.
  • The CrowdStrike/Splunk management interface is very capable, but it can be complicated; for example, searching requires the creation of scripts.
  • The vendor does not offer a personal firewall, application control capabilities, configuration guidance or patch management to improve hardening of endpoints, but it has plans to add them via the CrowdStrike Store. Also, it does not have companion network security products.
  • CrowdStrike does not offer an on-premises management console. Although it has enhanced client-based machine learning detection and pushed more indicators of attack to the client to provide protection while offline, it still is not ideal for bandwidth-constrained or completely disconnected machines.

ESET

ESET provides ESET Endpoint Security, which is an EPP solution managed by its Security Management Center. It also provides an EDR solution called ESET Enterprise Inspector. ESET Dynamic Threat Defense — a cloud-based sandboxing solution for detection of zero-day threats — and Threat Monitoring and Threat Hunting services (managed services for its EDR) complete ESET’s offering in the endpoint security space. ESET provides these solutions in a bundle called ESET Targeted Attack Protection, with the ESET Threat Intelligence platform as an optional add-on.
ESET will appeal to globally distributed organizations looking for a comprehensive solution, and especially organizations that require an EPP solution with a particularly lightweight agent.

Strengths

  • ESET is a long-standing EPP vendor with the sixth-largest market share by seat count. It has a large presence in the small and midsize business (SMB) segment, and in the European, Latin American and Asia/Pacific regions. The vendor also has a large presence in the consumer space. ESET is a notable source of published security research, available through its WeLiveSecurity website.
  • ESET is widely known for combining a lightweight client with the consistent performance of a solid anti-malware engine.
  • ESET has a comprehensive set of capabilities, including a host-based intrusion prevention system (HIPS), ML-based detection, exploit prevention, detection of in-memory attacks and ransomware behavior detection.
  • ESET provides its console in 21 languages and localized support in 38 languages, making the solution a good fit for globally distributed enterprises and enterprises requiring support in a local language.
  • ESET customers praise the vendor’s quality of customer care and service. In some countries, ESET offers complimentary implementation services.

Cautions

  • ESET Cloud Administrator is only for the SMB client base. Enterprise customers looking for full functionality can use only hosted management servers. An enterprise cloud-based management console, ESET Security Management Center Cloud, is due in 2H20.
  • Although ESET’s endpoint agent implements exploit prevention and in-memory scanning for attacks, there is no vulnerability discovery or reporting capability. These capabilities are supplied through ESET’s partner ecosystem.
  • ESET does not include application whitelisting or system lockdown capabilities in its endpoint agent; instead, applications and executables are blacklisted by file hash or through HIPS control policies.
  • The ESET macOS agent currently does not support real-time IOC search and does not integrate with EDR yet, leaving a visibility gap for many organizations. ESET macOS agent integration with EDR is due in 1H20.
  • The role-based administration within ESET Enterprise Inspector allows only two user modes and lacks case and incident management workflows.
  • Remediation options are limited. Certain remediation actions require moving from the separate Enterprise Inspector console back to the Security Management Center.

FireEye

FireEye is a platform vendor that provides endpoint, email, web, network and cloud security and threat intelligence, which are managed in the FireEye Endpoint Security console. Mandiant, the service arm of FireEye, provides a full range of security services and enjoys a high attach rate with the product.
The FireEye Endpoint Security management capability is deployed as a cloud-hosted solution or as an on-premises virtual machine or hardware-based appliance. FireEye’s Helix is a security information and event management (SIEM)/security orchestration, automation and response (SOAR) solution that is included with the sale of the endpoint software.
FireEye’s appeal to Gartner clients continues to be more as a holistic security platform provider with deep cyberthreat intelligence capabilities and less so as a product-specific security vendor.

Strengths

  • FireEye Endpoint Security 4.5, shipped in late July 2018, introduced its MalwareGuard machine-learning-based engine for detection of malware threats alongside its existing Exploit Guard (exploit mitigation), signature-based malware protection and intelligence-based IOC detection capabilities.
  • As a portfolio provider, FireEye has a broad set of security capabilities that allow it to integrate threat intelligence findings from across its full set of solutions and services to address multiple security use cases beyond endpoint security.
  • FireEye Endpoint Security can pull forensic and threat artifacts, and it supports the acquisition of deleted or system-protected files without interrupting the operation of the system.
  • FireEye Endpoint Security benefits from the threat intelligence from Mandiant’s breach investigation team, as well as from FireEye products’ shared threat indicators.
  • FireEye offers global managed detection and response through two services: FireEye Managed Defense is a full security services offering, and its newly launched Expertise On Demand offering enables clients to tailor engagement to their specific needs on an a la carte basis. FireEye provides a complement of consulting, advisory and training services through its Mandiant brand that helps organizations at all stages of their security maturity.

Cautions

  • FireEye has yet to offer a cloud-native multitenant SaaS offering, lagging some key competitors in the EPP market.
  • FireEye Endpoint Security management console can be used for alert triage, policy management and threat investigations; however, more advanced use cases of incident handling, workflow and collaboration require the use of FireEye’s Helix Security Platform.
  • Some customers report the overall amount of time it takes to gather metadata, details and host information about a threat during an investigation is lengthy. Verbose historic data is not sent to Helix by default. Full stream-of-event data can be optionally sent to a Helix data lake or the customers’ own data storage. Otherwise, EDR data is stored on the endpoint, which makes it subject to loss if the endpoint is inaccessible. Triage packages with more info are sent to the management console only when suspicious events trigger alerts and only stored for short periods of time.
  • Manual remediation actions are very limited compared to other vendors. Support for automated configuration rollbacks or file restoration is included in the Helix Security Platform.
  • FireEye’s Threat Intelligence portal is not fully integrated into the Endpoint Security user interface, requiring responders to manually investigate indicators in the FireEye Threat Intelligence portal.

Fortinet

Fortinet is a network security suite vendor that sells enterprise firewalls, email security, sandbox, web application firewalls and a few other products, including its FortiClient endpoint security software. Security Fabric enables existing Fortinet customers who are using multiple Fortinet products to have unified monitoring and control across different Fortinet devices in their network or across multiple networks.

Strengths

  • Fortinet offers unified control and management across its multiple product lines through Security Fabric, and continues to focus on enhancements across the Security Fabric features. The Security Fabric-supported components are FortiClient, FortiGate firewalls, SIEM, access points, secure email and web application firewalls.
  • FortiClient is easy to deploy and easy to manage.
  • Patch management is part of the FortiClient application, which also benefits from FortiGuard Labs global threat intelligence and native integration with its sandbox.
  • FortiClient quarantines objects and kills processes in real time using client-side analysis and, if present, based on the FortiSandbox verdict.

Cautions

  • FortiClient is not well known to most Gartner clients inquiring about endpoint security, and we see little adoption of it outside of Fortinet’s client base. In 2018, FortiClient generated less than 1% of the vendor’s revenue.
  • The FortiClient Cloud go-to-market strategy is to target midmarket enterprises with up to 500 users. FortiClient is becoming more focused on the enterprise space, but more than 50% of its current installed base is in the midsize enterprise space, with fewer than 1,000 seats installed. Large enterprises will likely want more granular policy options.
  • FortiClient, together with FortiSandbox, provides only partial EDR coverage. Full EDR recording is not provided and detection is based on the logs collected from the endpoints rather than on the event recording. Full detection, investigation and response can only be performed by combining FortiClient with FortiAnalyzer, FortiInsight and FortiSIEM.
  • FortiClient is not widely tested; it only appeared in the NSS Labs test.

F-Secure

F-Secure is a publicly listed security company based in Helsinki, Finland. F-Secure is known for its long track record of excellent test scores and lightweight, low-impact anti-malware detection with its cloud-based F-Secure Protection Service for Business (PSB) offering and its on-premises solution, F-Secure Business Suite. In May 2018, the company launched its EDR solution, which provides visual investigation capabilities and visibility into application usage. In July 2018, F-Secure acquired MWR InfoSecurity. The acquisition gives additional threat hunting and advanced response functionality to F-Secure’s existing MDR solution.

  • The company’s PSB offering includes an array of features such as device control, web protection, vulnerability management and patch management. DataGuard, a ransomware protection capability, provides advanced protection of sensitive local and network folders by preventing modification, tampering or encryption by unauthorized applications and users.
  • F-Secure Radar provides vulnerability management capabilities that are integrated in the endpoint client (on-premises and cloud), and automation capabilities are provided via the management console.
  • Clients report that F-Secure’s Rapid Detection & Response Service provides strong security specialist review, analysis and response capabilities. Its Elevate to F-Secure service enables customers to get detailed analysis and investigation help from F-Secure specialists.
  • Clients report that the F-Secure EPP solution is easy to deploy and maintain on Windows, Mac and Linux.

  • F-Secure is late with an EDR capability. Threat hunting and query features in the solution were in beta deployment at the time of this analysis, and are thus immature compared to rivals.
  • F-Secure’s ransomware defense does not include the ability to roll back encrypted or infected files.
  • On-premises deployment is targeted to customers that require more controls and more deployment options. Specifically, it offers more granularity in some of the settings and more flexible configuration of the data flows to optimize virus definition traffic.
  • F-Secure’s advanced internal threat hunting tools, in beta, are currently still in a separate console.


Kaspersky

Kaspersky is a private EPP provider headquartered in Moscow, Russia; founded and run by Eugene Kaspersky; and operated by a holding company in the United Kingdom.
Kaspersky launched its Global Transparency Initiative (GTI) framework, which offers actionable steps for organizations to ensure and verify that Kaspersky solutions meet corporate trust and compliance policies. It has also moved a large portion of its data processing operations to Switzerland to address customer concerns.
Kaspersky’s researchers also publish primary research on active risks and trends, and provide community services to enhance its own products as well as providing an annual security analysts summit.

  • Kaspersky has one of the largest geographical footprints of the vendors in this research. The vendor’s regional presence in Middle Eastern and African regions is unique in the industry.
  • Kaspersky has a large R&D team, which allows for fast and frequent incremental product updates. Kaspersky develops its own products in-house and has not used the merger/acquisition route to extend its portfolio of products and services, which now provides EPP/EDR and managed services.
  • Kaspersky’s products consistently score high in external testing and have acquired a reputation among Gartner customers for strong prevention and detection capabilities. Kaspersky offers solutions for a broad range of server and endpoint types including monitoring of Docker containers.
  • Kaspersky’s EDR approach is to focus on automated detection and response to reduce the administrator burden. Detection and response can be extended to include visibility into network traffic utilizing the Kaspersky Anti Targeted Attack Platform (KATA) network component. The Kaspersky Private Security Network (KPSN) can be used in air-gapped networks.
  • Kaspersky offers Incident Response and Managed Detection and Response (MDR) services that provide automated response as well as proactive threat hunting.

  • Kaspersky Endpoint Security Cloud (KES Cloud) was launched in September 2016, but still does not have significant traction with the Kaspersky user base; it is a simpler tool for less mature security organizations with fewer integration requirements. Kaspersky does not have an enterprise-class cloud offering; it is planned for launch in 3Q19.
  • Although Kaspersky has integrated MITRE ATT&CK classification into its Kaspersky Endpoint Detection and Response (KEDR) tool and sandbox analysis capabilities for simpler threat identification, MITRE evaluations have yet to be conducted for Kaspersky’s EDR tools.
  • The automated detection and prevention approach in Kaspersky Endpoint Security for Business (KESB) means that advanced EDR functions are lacking for mature SOCs. For example, threat hunting is weak; it is not possible to create a custom detection and block rule; remediation is limited to basic actions, and there is no summary of remediation actions to take; workflow is limited; and injecting IOCs is a batch process. Also, there is no community portal to share content. Mature organizations with an SOC need to use KEDR and/or KATA for these advanced EDR functions.
  • Use of Kaspersky products and services may be subject to restrictions currently in force in the U.S. and other regions for federal-regulated and government agencies. (In September 2017, the U.S. government ordered all federal agencies to remove Kaspersky’s software from their systems. Several media reports, citing unnamed intelligence sources, made additional claims. Gartner is unaware of any evidence brought forward in this matter. At the same time, Kaspersky’s initial complaints have been dismissed by a U.S. District of Columbia court. Kaspersky has launched a transparency center in Zurich where trusted stakeholders can inspect and evaluate product internals. Kaspersky has also committed to store and process customer data in Zurich, Switzerland. Gartner clients, especially those who work closely with U.S. federal agencies, should consider this information in their risk analysis and continue to monitor this situation for updates.)


Malwarebytes

Malwarebytes is best known for its malware removal capabilities, but it has a growing presence in endpoint protection and an emerging Endpoint Protection and Response solution. Both EPP and EDR modules are delivered via a single agent and are managed through a single, cloud-based management dashboard. Malwarebytes Breach Remediation (MBBR) provides an agentless remediation capability. Malwarebytes also offers an on-premises, managed EPP product.
Malwarebytes will appeal to organizations of all sizes that have limited cybersecurity resources and high remediation expenses.

  • Gartner clients praise Malwarebytes for its simplicity to use and its intuitive dashboard, as well as for its detection rates on long-tail malware and its malware remediation capabilities.
  • Malwarebytes provides advanced remediation capabilities such as the ability to interact with processes, view and modify the registry, send and receive files, and run commands and scripts remotely.
  • Malwarebytes’ Endpoint Protection and Response product can roll back the changes made by ransomware, including restoring files that were encrypted in the attack. This action can be performed remotely from the cloud management console up to 72 hours after the attack, without the need for any local access to an endpoint.
  • Malwarebytes enterprise products integrate with operations suites such as IBM BigFix, Tanium, Phantom, ForeScout and Microsoft’s System Center Configuration Manager (SCCM) through Malwarebytes Cloud Platform’s available APIs.
  • Its EPP capabilities do not require an internet connection to provide threat protection, allowing for protection for organizations with untethered endpoints that do not have network connectivity.

  • Malwarebytes is one of the smaller vendors in this analysis, and it lacks the scale of global operations of larger peers. Malwarebytes does not provide any managed services directly.
  • Malwarebytes does not participate in regular tests of its anti-malware effectiveness. It only appeared in the NSS Labs test.
  • Some large enterprise features, such as extensive role-based administration and support for non-Windows endpoints, are missing. Malwarebytes does not support application control or offer any vulnerability or configuration management capability.
  • While Malwarebytes has gained recognition among Gartner clients for its malware prevention and remediation capabilities, it does not offer enterprise-grade EDR capabilities beyond attack visualization. It does not retain historic data, nor does it support hunting queries, searches for specific processes, alert automation or customized rules for event blocking.
  • Although Malwarebytes has made some improvements to its cloud-based management dashboard, it is still lacking in visual reporting and quick-view dashboards.


McAfee

McAfee is a privately held security company. In 2018, McAfee launched MVISION, which delivers new products and functionality, branding and packaging, and simplified license options to better suit different markets. Uniquely, McAfee’s standard endpoint offering provides flexibility to combine McAfee’s advanced detection capabilities, such as machine learning, credential theft monitoring, attack behavior blocking, and rollback remediation controls with native OS capabilities including Microsoft Windows Defender. McAfee’s premium endpoint offer includes McAfee MVISION EDR capability. Notably, MVISION ePO uses a brand new cloud-native back end, while maintaining a consistent administrative experience with the on-premises version of ePO.
McAfee also offers additional security capabilities including network intrusion prevention, CASB, secure web gateway, DLP and endpoint encryption, which are managed by ePO and can exchange threat information via its Data Exchange Layer (DXL).
These changes are both welcome and timely, and will enable McAfee to offer more attractive SaaS hosted options.

  • MVISION EDR capabilities are comprehensive and flexible enough to work alongside (not instead of) Microsoft Windows Security. MVISION EDR can also be deployed stand-alone alongside other vendors’ EPP products.
  • McAfee’s ePO management and reporting console can be consumed via a multitenant SaaS offering, hosted in a customer’s AWS tenant or on-premises data center to suit a variety of preferences.
  • MVISION EDR maps threats against the MITRE ATT&CK Framework; additionally, the automated AI-guided investigation capabilities use the MITRE ATT&CK Framework to drive faster, easier alert triage.
  • Flexible cloud storage and retention options are provided along with real-time and historic threat hunting tools.

  • McAfee has been struggling to grow its EPP installed base.
  • McAfee does not include any out-of-the-box vulnerability or configuration management capabilities.
  • MVISION EDR does not yet include an extensive remediation capability or large, advanced SOC workflow features. The user interface has numerous capabilities, but does require extra steps to switch between different SOC tasks.
  • The upgrade from older versions of McAfee ePO and McAfee VirusScan Enterprise to McAfee Endpoint Security (ENS) is not trivial and is still ongoing for some McAfee customers. Better migration tools have made this a less complex task and existing customers should upgrade ASAP.
  • Cloud data storage in the standard SKU allows for examination of only seven days of historic data. This can be extended to 90 days at extra cost, but it is still less than competing EDR products.
  • MVISION ePO SaaS has different capabilities than self-hosted ePO instances and vice versa. For example, multifactor authentication (MFA) and options to integrate with third-party SIEM, SOAR and other services are not yet available for self-hosted ePO instances. Some older McAfee ePO on-premises integrations are not yet available in the new MVISION ePO — such as granular role-based access control (RBAC) and workflow capabilities.


Microsoft

Microsoft is unique in the EPP space, as it is the only vendor that can provide built-in endpoint protection capabilities tightly integrated with the OS. Windows Defender Antivirus (known as System Center Endpoint Protection in Windows 7 and 8) is now a core component of all versions of the Windows 10 OS, and provides cloud-assisted attack protection. Microsoft Defender Advanced Threat Protection (ATP) provides an EDR capability, monitoring and reporting on Windows Defender Antivirus and Windows Defender Exploit Guard (“Exploit Guard”), vulnerability and configuration management, as well as advanced hardening tools. The Microsoft Defender ATP incident response console consolidates alerts and incident response activities across Microsoft Defender ATP, Office 365 ATP, Azure ATP and Active Directory, and incorporates data sensitivity from Azure Information Protection.
Microsoft is much more open to supporting heterogeneous environments and has released EPP capabilities for Mac. Linux is supported through partners, while native agents are on the roadmap.
Microsoft has been placed in the Leaders quadrant this year due to the rapid market share gains of Windows Defender Antivirus (Defender), which is now the market share leader in business endpoints. In addition, excellent execution on its roadmap makes it a credible replacement for competitive solutions, particularly for organizations looking to reduce complexity.

  • Defender provides malware protection using a range of techniques including behavioral, emulation, script analysis, memory scanning, network monitoring signatures and heuristics on the client, along with cloud protection engines to detect newer malware. Microsoft Defender ATP can work alongside some other vendors’ EPP or EDR agents or will step up to protect clients automatically if a third-party EPP engine fails, is out of date or is disabled.
  • Microsoft Defender ATP combines advanced EDR functionality with management and monitoring of Exploit Guard, Defender and other Microsoft products, critically Active Directory, to enable a common alert and incident response console. ATP leverages Azure infrastructure to store six months of data at no extra charge.
  • Microsoft has one of the better out-of-the-box SOAR capabilities to integrate with Microsoft and partner products and to automate repetitive tasks. Conditional access rules enable a continuous adaptive risk and trust assessment (CARTA) architecture.
  • ATP adds threat and vulnerability management, attack surface reduction (such as hardware-based isolation, application control, network protection and attack surface reduction rules) and threat analytics’ contextual threat intelligence reports. Microsoft Secure Score and vulnerability and configuration information provide weighted recommendations and actions to improve endpoint hardening, and compare the current posture with the industry and global peers for benchmarking. This score gives admins and chief information security officers (CISOs) an excellent understanding of the overall security posture relative to peers and shows improvements over time.
  • Microsoft recently launched a service called Microsoft Threat Experts to support customers’ incident response and alert analysis.

  • Defender Antivirus and Exploit Guard are included with all versions of Windows 10. However, most enterprise buyers will want ATP to provide a competitive experience in EDR functions, such as attack visibility, reporting and threat hunting, as well as vulnerability management. ATP requires an E5 license. Microsoft licensing is difficult to navigate and some customers report that E5 is more expensive than competitive EPP and EDR offerings.
  • Although ATP is available for Windows 7 and 8, Microsoft’s solution doesn’t provide full feature parity with the security capabilities of Windows 10. ATP is not available for legacy XP and older. This will result in varying levels of protection in the organizations that have yet to fully migrate to Windows 10. EDR capabilities for macOS have not been released but are on the roadmap.
  • Managing Microsoft security configuration settings in Group Policy Objects can be complex, especially for security teams that do not use System Center. Microsoft’s roadmap includes consolidating all security policy objects into the security center by year end. In the meantime, customers can leverage Microsoft security baselines and prebuilt GPOs.

Palo Alto Networks

Palo Alto Networks is still best known to Gartner clients for its network and cloud security product lines, and this continues to be the main line of introduction for most of its customers to its EPP product, Traps.
Palo Alto completely rebuilt its EPP and created a new EDR offering with Traps 6.0 and Cortex XDR in February 2019 as a result of its Secdo and LightCyber acquisitions and internal development. This provides EDR, network traffic analysis (NTA) and UEBA capabilities that are integrated with Palo Alto’s Next-Generation Firewalls, Traps, and cloud offerings for alert triage, incident response, and hunting. Cortex XDR uses Palo Alto Networks products (such as Traps, Firewalls, etc.) as sensors to collect logs and telemetry data, or as a sensor performing collection and remediation functions only.

  • Traps provides solid exploit prevention to protect memory-based attacks that is not dependent on prior knowledge of threats.
  • Traps does not rely on daily endpoint signature updates. Traps also offers local analysis, anti-ransomware and advanced malicious behavior protection covering scripts for offline protection. It utilizes the cloud-based WildFire sandbox to analyze all unknown executable files as they are loaded, acting as a secondary validation.
  • Cortex XDR collects and connects telemetry data from all Palo Alto products to correlate alerts and enable incident response actions from a single console. Cortex XDR converts related alerts into a single incident to reduce the number of alerts to be reviewed. Additionally, the inclusion of network data in Cortex extends coverage into unmanaged and IoT-type endpoints.
  • Palo Alto acquired Demisto, which provides a SOAR capability to improve orchestration and automation. It also has integrations with vendors such as Splunk, ServiceNow and Phantom.

  • Palo Alto has grown its presence in the EPP and EDR market primarily through acquisition of component parts it has integrated together.
  • Traps is missing common enterprise EPP features, such as rogue device discovery, application control, USB device controls, resource utilization tuning, and extensive role-based administration. Palo Alto’s EDR capability has limited workflow and no ability to create custom block rules.
  • Palo Alto currently doesn’t offer MDR/managed EDR (MEDR) services as part of its native offering and relies on its partner ecosystem to deliver these services.
  • Palo Alto does not have vulnerability or configuration management information.
  • While Traps is licensed on a per-agent basis, Cortex XDR is sold based on storage size and retention period rather than per agent, and it can only be purchased in discrete increments of 1TB of storage. Each TB license comes with 200 agent licenses included.
  • Traps and Cortex XDR have two different management consoles; however, they are integrated to share data among each other and benefit from single sign-on for authentication, allowing analysts to switch between the two interfaces without reauthenticating.

Panda Security

Panda Security was one of the first vendors to deliver cloud-only products fused with services. The Adaptive Defense 360 solution combines an EPP and EDR product with managed services. Additional modules include system management, patch management, data control for regulatory compliance, BitLocker encryption management and a SIEM feeder service.
The first included service, 100% attestation, provides automatic whitelisting, where only trusted and approved applications and processes are able to execute. These are identified using predominantly automated processes, with additional manual inspection of the remainder by the vendor’s experts.
The second service, Threat Hunting and Investigation, is led by Panda’s own threat hunters and data scientists, with the option to add expertise via MSSP services where in-house capability is scant.
Panda recently launched a new brand, Cytomic, for more mature large enterprises. Cytomic delivers a product and service fusion that combines MDR services with an EDR functionality, called Orion, which delivers a management console for large enterprises to perform their own threat hunting reporting and investigations.

  • The 100% attestation service speeds and improves the classification and handling of all discovered executable files, whether malicious or benign, leading to fewer false positives.
  • Comprehensive telemetry from endpoints is sent directly to a cloud database with a full 12-month retention capability and threat hunting across all endpoints in real time or using historic data.
  • The new Orion and Jupyter Notebook capability, combined with an MDR service, adds further appeal for organizations with SOC/threat hunting teams that want a fusion of product and services.
  • Panda Security’s Adaptive Defense 360 package represents good value and a full set of capabilities; plus, the two managed services are included as part of the product.

  • Cytomic and Orion products were only recently launched at the time of writing and are being offered only to select customers.
  • Multifactor authentication for the console is limited to Google’s authenticator service.
  • Integration with other tools and services is limited, though support is provided for export to SIEM.
  • Global presence is a goal for Panda Security; however, its current installed base is limited outside the EMEA region and tends to comprise small and midsize businesses.
  • The Panda EDR capability without Cytomic has a very raw UI compared to competitive tools that are not linked to the MDR service. Services exposed to the administrator, such as remediation, are limited. The dependence on Jupyter Notebooks is a unique feature that can enhance the flexibility and usability of the Orion product, but will require training for the uninitiated.


SentinelOne

SentinelOne is a part of the new wave of private EPP solution providers that has rapidly grown over the past few years. Its solution is designed around an EDR agent that provides behavioral protection, and is offered both on-premises and cloud-managed. SentinelOne provides MDR services via its Vigilance offering.
SentinelOne protection and detection logic resides on the endpoint agent, and the focus of the solution is on providing actionable insight without requiring manual analysis. SentinelOne was one of the first vendors to offer a ransomware protection warranty based on its behavioral detection and file journaling features.
SentinelOne is a match for organizations looking to augment existing EPP solutions with detection capabilities or to replace a legacy EPP with a newer approach to endpoint security.

  • SentinelOne’s single-agent design provides fully integrated file and behavioral anti-malware, and EDR functionality. Recommended remediation actions are very clear and concise and can be executed from the management console.
  • Agent performance is very good, particularly since the agents do the majority of the correlation on the endpoint.
  • Vulnerability scanning is provided with the status of endpoints in the main dashboard. SentinelOne supports discovery of unmanaged endpoints, including IoT-type devices, through endpoint-based network scanning. Discovered devices are also cross-correlated with common vulnerabilities and exposures (CVE) info for vulnerability analysis.
  • SentinelOne’s “true context” offers real-time endpoint visibility for investigation. It also supports automated threat intelligence ingestion.
  • SentinelOne supports endpoint rollback functionality by leveraging shadow copy to return a file to a previously known-good state.

  • SentinelOne’s market presence is mostly in North America and EMEA.
  • The vendor does not participate in regular malware prevention testing, although it does participate in the MITRE ATT&CK test and the NSS Labs test.
  • SentinelOne does not offer application whitelisting, nor does it offer sandboxing for suspicious file analysis (local, network or cloud).
  • While SentinelOne offers broad platform support, it does not support rollback on Linux and Mac due to operating system limitations.
  • Workflow capabilities for large teams are limited. The EDR tool provides few guides or global contextual info. Watchlist alerts are limited to a minimum of three hours between runs, and thus are not real time.


Sophos

Sophos offers a large integrated suite of security solutions spanning endpoint, mobile, network, email, public cloud, web, and managed detection and response. The company’s flagship offering in the EPP space, Intercept X, has propelled Sophos beyond its SMB roots and increased its brand awareness in enterprise organizations.
In November 2018, Sophos entered the EDR market with Intercept X Advanced. Intercept X utilizes machine learning from its Invincea and SurfRight acquisitions and organically developed features. In January 2019, the company acquired DarkBytes, a startup specializing in endpoint forensics, to provide enhanced EDR capabilities. DarkBytes is now a foundational element of Sophos’ managed detection and response services.

  • Intercept X clients report strong confidence in not only protecting against most ransomware, but also in the ability to roll back the changes made by a ransomware process that escapes protection.
  • The analysis output of Intercept X deep learning algorithms is readily available, visually appealing to users and provides customers a demonstrable way to validate their use of deep learning.
  • The exploit prevention capabilities focus on the tools, techniques and procedures that are common in many modern attacks.
  • The Sophos Central cloud-based administration console manages other aspects of the vendor’s security platform from a single console, including disk encryption, server protection, firewall and email gateways.
  • Intercept X provides a simple workflow for case management and investigation for suspicious or malicious events.

  • Intercept X Threat Cause Analysis is not available for clients that use the on-premises version of Sophos Endpoint Protection. Indeed, Sophos is intentionally focused on Sophos Central as the primary offering, and Sophos customers should expect it to receive the majority of development efforts.
  • Customers should examine Intercept X EDR features in the Sophos Linux edition and determine if they fit their needs from a feature parity perspective.
  • The Intercept X EDR workflow provides basic collaboration; however, customers must investigate whether their current offering provides advanced collaboration across incident response teams.
  • Intercept X EDR’s full-journal forensic snapshot is stored on the endpoint, making it susceptible to tampering and difficult to query. Advanced hunting and custom detection rules require the Forensic Console. The forensic console capability from the DarkBytes acquisition is not yet integrated into the Sophos Central management console or its on-premises console, and must be deployed separately with a separate agent. (An integrated agent is now in early access and is expected to be generally available in September.)
  • Some customers report that agent installs and software updates in low-bandwidth locations can be problematic.


Symantec

Symantec is an industry veteran and continues to be the leading competitive threat mentioned by other vendors in this research. Broadcom, a global semiconductor provider, announced an agreement to acquire the enterprise security business of Symantec on 8 August 2019.
Symantec launched Complete Endpoint Defense, which includes Symantec Endpoint Protection 15 (SEP 15), cloud-managed EDR and attack surface reduction capabilities, all delivered through a single agent. Symantec EDR has the largest EDR market share of the traditional vendors. In 2018, Symantec made a number of acquisitions including Javelin Networks to protect Active Directory, Appthority to provide mobile application testing and a catalog of known-good mobile applications, and Luminate Security, which provides secure remote access to data center applications.
Symantec’s strategic direction is to provide an Integrated Cyber Defense (ICD) Platform to unite the broader portfolio of security products (including DLP, Web Security Service [WSS] and CASB) with a consolidated agent, data and reporting platform for monitoring and incident response (ICD Manager).
Symantec remains a solid competitor and a good choice for most organizations.

  • Symantec has embraced a cloud-first strategy with the introduction of its latest product updates, including SEP 15 and EDR, which provide a cloud-based console with feature parity to the on-premises management console and the ability to run hybrid scenarios.
  • Complete Endpoint Defense introduces new features such as deception breadcrumbs to improve detection of active attackers, application whitelisting capabilities, vulnerability detection and remediation, and a VPN. SEP 15 also introduced automated posture assessment including vulnerability management and remediation technology.
  • Symantec EDR is a capable EDR tool with extensive APIs for integration and automation with other security and system management tools.
  • Symantec provides a very comprehensive endpoint security solution, Symantec Complete Endpoint Defense (CED), which covers multiple areas to include anti-malware, EDR, app isolation, app control, Active Directory defense and cloud connect defense on PC, Mac, Linux and mobile devices. Symantec also offers vulnerability remediation and endpoint management, mobile security (SEP Mobile), and a managed EDR service.
  • Symantec’s very large installed base of both consumer and business endpoints provides it with a very wide view into the threat landscape across many verticals.

  • The acquisition by Broadcom was not factored into this analysis as the acquisition has not closed. The acquisition by Broadcom adds some uncertainty to Symantec’s execution. Broadcom’s goals may not align with Symantec’s customers’ aspirations for the products.
  • Symantec has undergone numerous management changes over the past several years, including the recent departure of its CEO and replacement of several key managers. Symantec has been gradually losing market share as the market becomes more competitive, and it has lost its first place in market share by seat licenses to Microsoft.
  • Although Symantec has made significant investments in integrating its various products into a more cohesive middleware platform called Symantec Integrated Cyber Defense Exchange (ICDx), it is still lacking a universal incident response environment. However, Symantec does offer a rich set of APIs to integrate with other security tools.
  • Symantec EDR is missing advanced functions for large enterprise customers, such as case management workflow, remote shell response function (due 1Q20) and rapid pivot capabilities from one query to another. EDR does not provide blocking rules although automated actions can be scripted for specific detections. The user interface lacks guided investigation tips or contextual information, which makes it difficult to use for mainstream buyers. EDR and SEP are different management consoles.
  • The SEP 15 Cloud console is relatively new and, although Symantec reports 55% of customers are using cloud, the vast majority are not using the SEP 15 Cloud console. SEP Cloud is not FedRAMP-certified.

Trend Micro

Trend Micro has recently revised its suite of endpoint protection products, introducing a combined EPP/EDR solution for endpoints, Apex One, as an upgrade to OfficeScan. Apex One enhances fileless malware detection and EDR functionality. Concurrently, Trend has also expanded its cloud management capability, reaching feature parity across SaaS and on-premises. This now includes a fully cloud-hosted sandbox solution.
Trend Micro also offers two tiers of managed MDR services and has extended its MSP network.
Trend Micro was one of the first vendors to recognize the divergence in server protection strategies and to create a specific product line called Deep Security to address server protection.

  • Apex One retains the vulnerability assessment and virtual patching technology and adds detection classifications based on the MITRE ATT&CK matrices, automated response options, and new threat hunting options for organizations with proactive hunting teams.
  • Deep Security for servers is tailored specifically for server workloads, including virtualized workloads and containers. Trend is the only vendor in this analysis that offers IaaS marketplace consumption models for burstable workloads.
  • Vulnerability management includes prioritization guidance linked to virtual patching, which mitigates late-breaking threats before traditional patches become available, with low impact or risk to the endpoint.
  • Geographical presence in all global regions is a strength, and Trend also has an extensive partner and managed service capability in most regions. Regional hosting meets local/regulatory needs. It also provides more localization support and double-byte character set support than other vendors.
  • Comprehensive OS support is provided in both the latest server and endpoint products, with an unusual capability to protect legacy and out-of-support OSs for customers with older systems.

  • EDR capabilities are more limited than some of the class-leading products. Notable omissions are extensive remediation options, advanced threat hunting, customizable behavioral rules and alerts, and workflow. The investigation capability is complicated for a solution aimed at the midmarket.
  • Trend has not fully leveraged the OS-provided Antimalware Scan Interface (AMSI) detection engines and other Windows 10-specific security enhancements; this is planned for 2H19.
  • Servers and endpoints use different management consoles, although they both report into Apex Central.
  • Trend customers wishing to migrate to Apex One must upgrade their local management server or migrate to the cloud management service. Customers with older perpetual licenses must pay to upgrade to cloud management.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.


Check Point Software Technologies was added back this year due to changes in the inclusion criteria.


Endgame and Comodo did not meet the minimum business licenses inclusion criteria.

Inclusion and Exclusion Criteria

Gartner methodologies restrict the number of vendors in a Magic Quadrant to 20 vendors. In most markets, this is a reasonable restriction; however, the EPP market has more than 30 credible vendors. We changed the inclusion criteria this year to exclude smaller vendors.
Inclusion in this Magic Quadrant was limited to vendors that met these minimum criteria:
  • The vendor’s nonconsumer EPP must have participated in independent, well-known, public tests for accuracy and effectiveness within the 12 months prior to 30 June 2019, or be a current participant in the VirusTotal public interface. Examples include MITRE ATT&CK Evaluations, Virus Bulletin, AV-TEST, AV-Comparatives, NSS Labs and SE Labs.
  • The vendor must have a minimum of 4.5 million deployed licenses, protecting nonconsumer endpoints.

Honorable Mentions

Gartner surveyed 24 vendors for this analysis, and it was difficult to pare down the list to 20 vendors. The following vendors offer competitive products in this market with unique qualities and capabilities that clients may find valuable, but failed to meet all the inclusion criteria.
Cybereason is one of the new crop of vendors in the EDR market that have added EPP functionality. Its core differentiator is its cross-machine correlation engine, which automatically combines alerts from all impacted endpoints into a single alert for automated threat detection and allows threat hunters to envisage attacks across multiple devices. It simplifies hunting for threats with a syntax-free UI. Cybereason provides a comprehensive EPP solution with both definition-based and machine learning detection. The same single agent also provides EDR capabilities with script control, behavioral analysis and deception techniques. Cybereason has made significant enhancements to both visibility and detection capabilities with a strong focus on the MITRE ATT&CK Framework. The company provides on-premises, cloud and managed service offerings. Unfortunately, it did not meet the market presence inclusion criterion, which required a minimum threshold of 4.5 million centrally managed license instances.
Comodo’s cloud-managed EPP product differentiators include a 100% file attestation capability, which resolves all unknown files, and a capability to run unknown or risky applications in a software-based isolated container. Comodo also offers a maturing EDR product. Recent improvements include: strengthened security policy for file-less attacks; improved HIPS; rule optimization to reduce false positives; detection of credential theft; and improved agent performance. Comodo also provides vulnerability and patch management and a network of cloud-delivered sandboxes for file analysis. Unfortunately, it did not meet the market presence inclusion criterion, which required a minimum threshold of 4.5 million centrally managed (excludes consumer) license instances.
Endgame is one of the new crop of vendors from the EDR market that have added EPP functionality. Its core differentiator is ease of use and good efficacy test results with multiple major labs. Endgame provides a single-agent architecture and has feature parity across Windows, macOS and Linux. As well as providing full event fidelity, Endgame’s EDR features remediation of exploits via guided response actions to revert damage to the system. Recent enhancements include: Reflex, an autonomous behavior detection engine, and Artemis 3.0, a chatbot that provides security admins with a natural language interface for hunting and guided investigation and remediation. Endgame also provides instrumentation for detailed examination of PowerShell and other scripts. Unfortunately, it did not meet the market presence inclusion criterion, which required a minimum threshold of 4.5 million centrally managed license instances.
The enSilo Endpoint Security Platform provides both EPP and EDR in a single, lightweight agent. enSilo features automated EDR response and vulnerability patching capabilities, including virtual patching for the latest threats. Stand-out features of enSilo’s solution include patented technologies around code-tracing exfiltration detection and ransomware prevention. The vendor has automated incident response playbooks with actions that function across multiple types of endpoints and operating systems. enSilo provides full support for Windows, Linux and OS X and has comprehensive support for down-level and legacy OS versions. enSilo is developing solutions for containers and serverless workloads. The platform can be deployed either in the cloud or on-premises. Protection and detection operate on the endpoint, not in the cloud, which makes it a good choice for disconnected endpoints. Unfortunately, it did not meet the market presence inclusion criterion, which required a minimum threshold of 4.5 million centrally managed (excludes consumer) license instances.

Evaluation Criteria

Ability to Execute

The key Ability to Execute criteria used to evaluate vendors were Product or Service, Overall Viability, and Market Responsiveness/Record. The following criteria were evaluated for their contributions to the vertical dimension of the Magic Quadrant:
  • Product or Service: We evaluated the convergence of EPP and EDR products, cloud delivery and the fusion of managed services with the product. We also evaluated the ability of the vendor to provide timely improvements to its customers and licensing models such as perpetual license versus subscription.
  • Overall Viability: This includes an assessment of the financial resources of the company as a whole, moderated by how strategic the EPP business is to the overall company.
  • Sales Execution: We evaluated the vendor’s growth rate in licensed seats relative to the size of the organization and the installed base.
  • Market Responsiveness/Record: We evaluated vendors by their market share in total customer seats under license.
  • Marketing Execution: We evaluated vendors’ execution of marketing initiatives such as social media interactions, fresh marketing messages, tradeshow representation, product testing participation, and press, which resulted in driving a differentiated brand awareness.
  • Customer Experience: We evaluated vendors based on reference customers’ satisfaction scores as reported to us in an online survey, and through data collected over the course of over 2,100 endpoint-security-related Gartner client interactions, and through Gartner Peer Insights.
  • Operations: We evaluated vendors’ resources dedicated to malware research and product R&D, as well as the experience and focus of the executive team.

Table 1: Ability to Execute Evaluation Criteria

Evaluation Criteria:
  • Product or Service
  • Overall Viability
  • Sales Execution/Pricing
  • Market Responsiveness/Record
  • Marketing Execution
  • Customer Experience
Source: Gartner (August 2019)

Completeness of Vision

The key Completeness of Vision criteria in this analysis were Market Understanding and Offering (Product) Strategy scores:
  • Market Understanding: This describes the degree to which vendors understand current and future customer requirements, and have a timely roadmap to provide this functionality.
  • Marketing Strategy: This refers to a clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
  • Offering (Product) Strategy: When evaluating vendors’ product offerings, we looked for an approach to product development and delivery that emphasizes market differentiation, functionality, methodology and features as they map to current and future requirements. These include:
    • Management capabilities: This is the provision of a centralized, role-centric console or dashboard that enhances the real-time visibility of an organization’s endpoint security state. It provides clearly prioritized alerts and warnings, and provides intuitive administration workflows. Vendors that have delivered a cloud-first model with feature parity to an on-premises management platform are given extra credit.
    • Hardening: This refers to the ability to detect rogue network agents that do not have the EPP agent installed via a network scan; vulnerability and configuration guidance to reduce the attack surface; as well as the ability to provide application control and ease of configuration of the EPP product.
    • Incident prevention capabilities: We evaluated the test results of vendors to detect common file-based attacks, and gave extra credit for enthusiastic and consistent test participation.
    • Detection and remediation: We look for vendors that provide educated guidance for customers to investigate incidents, remediate malware infections and provide clear root cause analysis. Vendors that focus on lowering the knowledge and skills barrier through guided response tools and easy-to-understand-and-use user interfaces are given extra credit here.
    • Supported platforms: Several vendors focus solely on Windows endpoints, but the advanced solutions can also support macOS with near parity of the features delivered in both clients, notably in the activity and event monitoring areas of EDR.
    • Product and services fusion: We evaluated the range of vendor direct services to support EDR deployments and incident response, from light monitoring to full managed detection and response and on-the-ground incident responders.
  • Innovation: We evaluated vendor responses to the changing nature of customer demands. We accounted for how vendors reacted to new threats, invested in R&D and/or pursued a targeted acquisition strategy.
  • Geographic Strategy: We evaluated each vendor’s ability to support global customers, including localization, as well as the number of languages supported.

Table 2: Completeness of Vision Evaluation Criteria

Evaluation Criteria (weighting shown where given):
  • Market Understanding
  • Marketing Strategy
  • Sales Strategy: Not Rated
  • Offering (Product) Strategy
  • Business Model: Not Rated
  • Vertical/Industry Strategy: Not Rated
  • Geographic Strategy
Source: Gartner (August 2019)

Quadrant Descriptions

Leaders

Leaders demonstrate balanced and consistent progress and effort in all execution and vision categories. They have broad capabilities in advanced malware protection, and proven management capabilities for large-enterprise accounts. However, a leading vendor isn’t a default choice for every buyer, and clients should not assume that they must buy only from vendors in the Leaders quadrant. Some clients believe that Leaders are spreading their efforts too thinly and aren’t pursuing clients’ special needs. Leaders tend to be more cautious and only gradually react to the market when Visionaries challenge the status quo.

Challengers

Challengers have solid anti-malware products, and solid detection and response capabilities that can address the security needs of the mass market. They also have stronger sales and visibility, which add up to a higher execution than Niche Players offer. Challengers are often late with new capabilities, lack some advanced capabilities, or lack a fully converged strategy, which affects their Completeness of Vision when compared to the Leaders. They are solid, efficient and expedient choices.

Visionaries

Visionaries deliver in the leading-edge features — such as cloud management, managed features and services, enhanced detection or protection capabilities, and strong incident response workflows — that will be significant in the next generation of products, and will give buyers early access to improved security and management. Visionaries can affect the course of technological developments in the market, but they haven’t yet demonstrated consistent execution and have yet to accumulate significant market share. Clients pick Visionaries for best-of-breed features.

Niche Players

Niche Players offer solid anti-malware solutions, and basic EDR capabilities, but rarely lead the market in features or function. Some are niche because they service a very specific geographic region or customer size, while some focus on delivering excellence in a specific method or combination of protection capabilities. Niche Players can be a good choice for conservative organizations in supported regions, or for organizations looking to deploy an augmentation to an existing EPP for a “defense in depth” approach.


The endpoint protection market is undergoing its biggest transformation in the past 20 years. Three disruptive trends are at play in this transformation:
  • There has been a shift from client/server architecture to more agile cloud-native solutions and services (see “Innovation Insight for Cloud Endpoint Protection Platforms”).
  • The failure of traditional approaches to address the volume of portable executable file-based attacks, and the shift to fileless attacks, has opened up the market to new approaches, including machine learning and behavioral detection.
  • The security mindset has shifted to acknowledge that prevention alone is not enough; security and risk management leaders must be able to more easily harden endpoints and perform more detailed incident response to resolve alerts.
As a result, security and risk management leaders responsible for endpoint protection must reevaluate their endpoint protection solutions and make plans to address the changing market landscape.
Specifically, security and risk management leaders responsible for the security of networks and endpoints should:
  • Evaluate cloud-delivered solutions, seeking a truly elastic and agile cloud-native architecture.
  • Favor solutions that are supported by a range of vendor-delivered service options, such as incident response assistance and managed detection and response services.
  • Seek fully integrated EPP solutions with EDR capabilities that use the same detection funnel, data repository, management console and agent.
  • Ensure that EPP detection capabilities include more-modern behavioral approaches that are immediately adaptive to detect or block new attack techniques.
  • Favor vendors that can help harden the endpoint against attacks that target vulnerabilities and common misconfigurations.

Market Overview

The rapid growth of frequent disruptive attacks such as ransomware and the migration of more persistent attackers to fileless techniques, combined with the growing security skills shortage, has ushered in a new age for endpoint security solutions.
The most disruptive change is the shift from LAN-managed endpoint security solutions to cloud-delivered solutions. Cloud-delivered products reduce the maintenance burden of EPP solutions, specifically the crucial task of staying on the latest releases. Too many customers are suffering breaches because they simply do not have the time to update to the latest EPP version. However, not all cloud-delivered solutions take full advantage of modern cloud architectures to deliver adaptive and extensible solutions to address the continuously changing threat landscape. (See “Innovation Insight for Cloud Endpoint Protection Platforms.”)
The integration of an endpoint detection and response (EDR) capability is the second most significant trend in the EPP market; in many cases, solutions have feature parity across the board under a single agent and console. EDR brings critical incident response visibility, search, a threat hunting capability, and, most importantly, a better detection capability that is based on behavior modeling rather than IOCs. Known-attacker behavior is a much smaller and more stable detector of malicious intent than traditional IOCs (see “Market Guide for Endpoint Detection and Response Solutions”).
The skills requirement of EDR solutions compounded by the skills gap in most organizations is an impediment to the adoption of EDR in the mainstream market. As a result, product vendors are increasingly offering a fusion of products and services ranging from light incident response and monitoring through full managed detection and response and consultative incident response services.
Finally, there has been a great deal of investment made into endpoint hardening. Solutions are increasingly providing application and device control, vulnerability and configuration management, patching, and community portals where administrators and incident responders can share insights and proactive detection and reactive hunting rules.


The Magic Quadrant team relied on data from the following sources to complete this iteration:
  • Gartner responded to more than 1,500 client inquiries since 24 January 2018.
  • Gartner conducted an online survey of 157 EPP reference customers in 3Q18.
  • Data from more than 5,000 Peer Insights reviews on
  • Data from a 200-question survey and one-hour demonstrations provided by each vendor conducted in 2Q19.

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
Overall Viability: Viability includes an assessment of the overall organization’s financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization’s portfolio of products.
Sales Execution/Pricing: The vendor’s capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.
Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor’s history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This “mind share” can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers’ wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers’ wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor’s approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.
Business Model: The soundness and logic of the vendor’s underlying business proposition.
Vertical/Industry Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

Magic Quadrant for Managed Security Services, Worldwide

Published 2 May 2019 – ID G00354867 – 73 min read

Managed security services is a market that is diversifying to meet the demands of a wide range of buyers. Security and risk management leaders should identify providers best aligned to their requirements, security maturity, and organization’s vertical, size, and geographic footprint.

Market Definition/Description

Gartner defines managed security services (MSSs) as:
  • The remote 24/7 monitoring of security events and security-related data sources
  • The administration and management of IT security technologies
  • The delivery of security operation capabilities via shared services from remote security operations centers (SOCs), not through on-site personnel nor remote services delivered on a one-to-one basis to a single customer
The core service of most MSS providers (MSSPs) is 24/7 security event monitoring and response for threat detection use cases, and reporting for compliance use cases across a technology-agnostic range of log event and data sources.
In addition to security event monitoring and response services, MSSPs’ portfolios usually include one or more of the following managed services, as well as other services that may be specific to the MSSP’s core market (e.g., IT outsourcing or telecommunications):
  • Security technology administration and management of firewalls, unified threat management (UTM), intrusion detection and prevention system (IDPS), endpoint protection platform (EPP), endpoint detection and response (EDR), secure web gateway (SWG) and secure email gateway (SEG)
  • Incident response services (both remote and on-site)
  • Vulnerability assessment and managed vulnerability management services (e.g., scanning, analysis and recommendations/remediation)
  • Threat intelligence services (e.g., machine-readable threat intelligence feeds, customer-specific dark web and social media monitoring)
  • Managed detection and response (MDR) services
MSSPs increasingly offer a wider and more varied set of services; however, Gartner clients are primarily interested in contracting MSSPs for 24/7 remote security event monitoring and response services. They are seeking to address threat detection use cases and to add additional capabilities to fill gaps in their security controls and capabilities as needed (e.g., incident response or vulnerability management). Remote technology administration and management, while offered by many MSSPs, is highly commoditized now and increasingly less important to Gartner clients interested in MSSs. Meeting compliance requirements is also rarely mentioned outside of some specific verticals and regions. As Gartner clients pursue cloud-oriented and cloud-first approaches, the scope of security monitoring service requirements is also expanding. It includes monitoring of cloud-delivered services, both SaaS and IaaS, as well as operational technology (e.g., ICS/SCADA) environments and Internet of Things (IoT) devices. This reflects the expansion of security event monitoring beyond the confines of an MSS buyer’s on-premises perimeter.

Magic Quadrant

Figure 1. Magic Quadrant for Managed Security Services, Worldwide

Source: Gartner (May 2019)
Vendor Strengths and Cautions

Alert Logic

Alert Logic, based in Houston, Texas, with primary offices in Austin, Texas, London and Cardiff, U.K., Cali, Colombia, and Tokyo, provides a range of services delivered from 24/7 SOCs in Houston and Cardiff. Alert Logic’s footprint and marketing is primarily focused on North America and Europe, but it has a primary partner in Japan and a variety of channel partners for Asia/Pacific and Latin America.
Alert Logic’s services are focused around 24/7 security event monitoring, threat detection and response, and vulnerability management of public and private cloud services (i.e., IaaS), as well as on-premises and hybrid environments. They market this approach as “SIEMless Threat Management.” Three tiers of services are available — Essentials, Professional and Enterprise — that are aimed at a range of buyers, from midsize enterprises to large, global enterprises. Additional services include ActiveWatch Enterprise and a managed web application firewall (WAF). Alert Logic has a threat research and intelligence team for feeding proprietary threat intelligence to its monitoring platform. Threat hunting as a service is an option, and professional services are available as needed to assist with security assessments, service implementation and onboarding.
MDR-type services are provided by Alert Logic using its proprietary technologies for threat prevention, detection and response, e.g., network intrusion detection, log monitoring and web application firewall. Alert Logic’s delivery platform uses Amazon Web Services (AWS), leveraging specific AWS Regions to support data residency requirements.
Alert Logic is a good shortlist candidate for buyers who are underinvested and under-resourced in key security operations capabilities like 24/7 security event monitoring and response, and vulnerability management. It is also a good candidate for companies that are mature but need to augment their existing capabilities with specific threat detection and response services. Buyers who need to support multiple cloud or hybrid environments sourced with a single provider should also consider Alert Logic.

  • Alert Logic’s services focus on the core security services, e.g., asset and vulnerability management and 24/7 security monitoring and response, delivered through an easy-to-use and easy-to-navigate portal.
  • Buyers heavily invested in, or planning to migrate to, AWS and Microsoft Azure, especially those who leverage containers within IaaS, will benefit from Alert Logic’s asset and vulnerability assessment technology. It can scan traditional assets, but also support container scanning, which is a differentiator in the MSS market. In addition, AWS buyers will benefit from Alert Logic’s ability to identify configuration-based exposures.
  • Alert Logic has extensive support for providing security services for AWS and Azure customers, including asset management, vulnerability management including container vulnerability assessment, and 24/7 threat monitoring, detection and response. Alert Logic was a launch partner for AWS’ Security Hub service.
  • The tiered pricing model is easy to understand and offers an upgrade path for buyers who want to start with basic security hygiene services and grow into the security monitoring and response services. Pricing is primarily based on nodes monitored across the customer’s environment, with separate monthly recurring pricing for ActiveWatch Enterprise and managed web application firewall. Customers can purchase Alert Logic services directly from a network of reseller partners and via the AWS Marketplace.
  • Alert Logic receives higher-than-average customer reference scores for overall experience, integration and onboarding, ongoing service and support, and product capabilities. Customers’ willingness to recommend Alert Logic to others and to renew their services is also rated positively.

  • Alert Logic’s incident response capability currently supports a limited set of response actions, like threat investigation and blocking response actions via Alert Logic’s proprietary technology stack at the network and web app layers. Support for endpoint protection (and associated response actions) was announced as beta in early March 2019 (and not assessed as part of this research), with general availability in 2Q19. Buyers looking for a service provider to also provide major incident response services via an optional retainer will need to leverage a third party via Alert Logic’s partner network.
  • Executives looking for a real-time view of the service can leverage the risk-oriented executive dashboard and reports available via the portal. However, buyers who require heavier service management, such as access to real-time SLAs or monthly reports, will need to plan for more involvement with Alert Logic as many of these deliverables are not self-service and are only produced on demand when requested.
  • Security monitoring for SaaS is currently limited to Microsoft Office 365 and Salesforce.
  • Out-of-the-box compliance reporting options are currently limited to Payment Card Industry Data Security Standard (PCI DSS) and Center for Internet Security (CIS) config benchmarks. Reporting against specific compliance regimes is available by using its log search function along with guided support documents provided by Alert Logic. Additional out-of-the-box compliance reports are on the roadmap to be added.

AT&T

AT&T is a global telecommunications and IT services provider that offers a range of security device management, and security monitoring and response services for large enterprises, midsize businesses and governments. AT&T is headquartered in the U.S. (Dallas), with regional offices in the U.K. (London) and Hong Kong. It delivers managed security services from three 24/7 SOCs (one Europe-based, one Asia/Pacific-based and one U.S.-based), and four SOCs operating in a “follow the sun” model to provide 24/7 support during local business hours (two in the Asia/Pacific region, two in North America). SOCs are English-speaking, and there is a translation service available for other languages.
On 22 August 2018, AT&T completed the acquisition of AlienVault, a vendor with security information and event management (SIEM), threat intelligence, vulnerability assessment, EDR and network intrusion prevention system (IPS) capabilities. On 26 February 2019, a business unit called AT&T Cybersecurity was created that merges AlienVault’s technology and services, AT&T Cybersecurity Consulting and AT&T Managed Security Services. At the time of Gartner’s research for this Magic Quadrant, AT&T has been actively integrating the AlienVault acquisition into its MSS business and moving customers from the legacy AT&T Threat Manager platform to AlienVault Unified Security Management (USM) Anywhere. Threat Manager customers are now provided a managed threat detection service via the AlienVault USM web interface supported by AT&T security experts in its SOCs.
AT&T’s Threat Manager service is priced by events per day (EPD), with other network-based services priced based on bandwidth. AT&T offers device management through discrete managed security offerings for network security, data and application security, and mobile and endpoint security. Device management and workflow are handled through the AT&T Business Center portal. Threat intelligence is now offered through AT&T Alien Labs, an in-house threat intelligence center that combines AlienVault’s Open Threat Exchange (OTX) and AT&T’s visibility into its network. Threat Manager provides data retention in nine locations around the world to meet data localization requirements (in the U.S., Ireland, Germany, Japan, Australia, the U.K., Canada, India and Brazil). Other AT&T MSS offerings provide additional flexibility, including on-premises storage. In 2018, in addition to the acquisition of AlienVault, AT&T introduced monitoring for AWS and Azure environments, self-service capabilities for customers of firewall management, and faster deployment of sensors for MSS delivery.
AT&T should be considered by organizations with a preference for telecommunications and security services sourced from a single provider, and those that require extensive correlation rules and customization that can be supported by the AlienVault USM platform.

  • AT&T, in addition to the assets and capabilities acquired with AlienVault, also has a sizable portfolio of managed security services organized according to buyer need — assessing and planning, detection and protection, and response and recovery.
  • AT&T has expanded its threat intelligence beyond the insight captured via its visibility from its IP connections with the addition of AlienVault (now AT&T Alien Labs OTX) and the large threat-intelligence-sharing community around OTX.
  • As might be expected from a SIEM console experience, the reporting and event handling are strong elements of the Threat Manager portal if customers have the resources and skills to take advantage of them.
  • AT&T has good visibility with Gartner clients considering discrete MSSs. AlienVault has good visibility as a SIEM product with midsize and smaller enterprises.

  • At the time of this research, there is a lack of clarity around aspects of the AlienVault acquisition. AT&T has moved rapidly to create a unified business unit and migrate customers to AlienVault USM, but it is too early to tell how customers will react to the new platform (based on a SIEM solution interface). Additionally, AlienVault USM features a large ecosystem of MSSPs leveraging USM Anywhere and USM Appliance. It is not clear how AT&T will rationalize its own Threat Manager business alongside this existing ecosystem of now potentially competitive MSSPs.
  • AlienVault is a full-featured SIEM that requires a level of training and expertise to navigate and use, and may not appeal to MSS customers that are looking for a less complicated portal experience. Additionally, customers who have been transitioned to the AlienVault USM Anywhere portal must use a separate portal to address device management functions. AT&T has indicated unifying the portals is on its roadmap.
  • AT&T’s MSS business is heavily skewed to the North American market, with far fewer customers in the European and Asia/Pacific markets. Buyers requiring a strong presence in these regions should closely evaluate AT&T’s coverage.
  • Customers offered mixed marks for satisfaction with AT&T MSSs, with many below the average compared to its competition. Overall experience and integration marks were lower than the competition, while evaluation and contracting, and service and support were above average.

Atos

Atos is an IT services-focused organization delivering digital services globally with 14 24/7 SOCs across Asia/Pacific, Europe and North America. Atos is headquartered near Paris, with regional offices in the U.S. (Purchase, New York) and Singapore. Atos provides a wide range of consulting, system integration, managed services and other offerings alongside its managed security service portfolio.
In addition to security event monitoring and response services, Atos also offers incident response (both remote, leveraging CrowdStrike among other EDR vendors, and on-premises, as required), and vulnerability assessment and vulnerability management services. An internal function provides threat intelligence capabilities for use across its services. Advanced threat detection is available as part of Atos’ Prescriptive Security SOC offering using Atos’ proprietary Codex solution as well as Interset user and entity behavior analytics (UEBA). In addition, IT/OT/IoT SOC services are also available. Atos has a strong sales and implementation function, deployed globally and without the use of channel partners. Customized requirements from customers drive implementation time scales of up to six months, a process that involves chargeable consultancy and a specialized team. Atos offers SLAs that are in line with market norms. The tiered service model, which is incremental, offers a low-cost Basic tier, as well as the Standard and Premium service tiers with service options and “bolt on” advanced packages to suit specific customer requirements.
Atos is a good shortlist candidate for large European and U.S.-based multinational corporations that have complex or custom requirements across a wide sphere of security technology where threat detection and response, and vulnerability management services are key.

  • Atos has a range of experience in transformational digital business projects within large enterprises, driven by its wider range of IT services engagements.
  • Atos has a well-established model for managing security in IoT-/OT-based environments with existing partnerships with large manufacturers in the space.
  • Atos’ security analysts maintain a wide range of operations-focused security qualifications.
  • Atos supports a wide range of commercial security technologies with complementary services to manage its outputs and configuration and to promote prevention of threats.
  • Atos has introduced a degree of flexibility in its pricing structures enabling the delivery of SaaS-aligned pay-per-use operational models.

  • Atos focuses on large multinational organizations and does not target its services to midsize enterprises; service pricing caters best for the higher levels of consumption associated with larger organizations.
  • Atos’ MSS portal is focused on audit and service management functions, with customer-facing operational requirements directly met by the commercial SIEM product’s own interface.
  • Atos has limited support for SaaS applications, developing and supporting functions for widely used applications on a case-by-case basis. Buyers that plan to migrate services to the cloud should consult with Atos to ensure their security monitoring requirements can be met.
  • Atos customers report satisfaction with implementation stages, but a lack of ongoing maintenance of functions, through-life evolution and innovation in service delivery.
  • Atos is rarely mentioned by Gartner clients interested in MSSs.

BAE Systems

BAE Systems offers a range of managed security services and cybersecurity services, including security event monitoring, managed detection and response, threat intelligence, incident response and vulnerability management, in addition to advisory and other security solutions. BAE Systems’ headquarters are located in Farnborough, U.K., with regional offices in Guildford, U.K.; Boston, Massachusetts; Singapore; Sydney; and Dubai. Services are delivered via four 24/7 SOCs located in the U.S., U.K. and the Philippines.
The BAE Systems offerings focused on security event monitoring and response are Complete Security Monitoring (CSM) and Managed Detection and Response (MDR). Additional services include Vulnerability Management (positioned for enterprise customers) and Vulnerability Scanning Service (positioned to small and midsize business [SMB] customers), Incident Response, and Threat Intelligence. BAE Systems Security Management Console is its portal that provides customers with a single location for visibility and interaction to BAE Systems’ various services.
In the past 12 months, the portal has seen improvements focused on role-based access control (RBAC) and self-service features, log search, device health and management, and firewall policy management (for managed UTM customers). Data residency is addressed through a combination of in-country data centers and Azure regions depending on where the customer’s data needs to be stored.
MSS buyers that are looking for a single provider that can offer MSS combined with MDR should consider BAE Systems, particularly less mature buyers that also require services for other core security operations capabilities. More mature buyers, especially those in the banking, financial and insurance sectors, as well as the government sector, who are looking to augment their internal capabilities with advanced threat detection and response should also consider BAE Systems.

  • BAE Systems’ investments in its platform for advanced analytics, its threat intelligence capabilities and its use of orchestration and automation technologies will appeal to buyers looking for a provider that can address advanced threat detection use cases tailored to their requirements and processes.
  • BAE Systems can support a range of response activities, particularly when the MDR service is combined with its incident response retainer.
  • Threat hunting is now embedded as part of BAE Systems’ CSM and MDR service offerings.
  • Customers generally give BAE Systems slightly higher-than-average marks across general satisfaction, product satisfaction, and value for services; however, marks for evaluation and contracting were more mixed.

  • Vulnerability assessment and management services are not yet standardized. Vulnerability management services are offered through Outpost24, whereas vulnerability scanning is offered through Rapid7.
  • Most BAE Systems customers are in North America and Europe. BAE Systems has little footprint in other markets except where its incident response and threat intelligence services are consumed.
  • BAE Systems struggles to market itself effectively considering the investment it has made in its MSS infrastructure (e.g., delivery platform and proprietary threat detection technologies).
  • The Security Management Console offers more-limited capabilities for investigating and responding to incidents and for compliance reporting than leading competitor portals.

Capgemini

Capgemini is headquartered in Paris and has large regional offices in Mumbai, London and New York, as well as locations in 40 other countries. Capgemini provides a range of managed security services as part of its Cybersecurity Services business operating under the Capgemini and Sogeti brands. It has 10 SOCs internationally across Asia, North America and Europe that are leveraged to deliver services, with an eleventh due to open this year in Melbourne, Australia.
Capgemini offers a range of MSSs, with security event monitoring and response powered by IBM QRadar and IBM Resilient, and vulnerability management that ranges from assessment only through to remediation for IT outsourcing (ITO) customers. Incident response is available via remote or dedicated, on-site resources. Threat intelligence is provided via an internal team that mines customer data for threats, supplemented with third-party threat intelligence. Capgemini has a global sales force with smaller teams of dedicated security sales professionals in all major regions providing support to the security-led areas of wider contracts. The onboarding process can be augmented with consulting services depending on service and technology requirements. Capgemini offers basic SLAs and operates service tiers of Bronze, Silver and Gold, which provide incremental levels of threat detection capabilities, with an option to define tailored requirements outside of those tiers.
In the past 12 months, Capgemini has evolved its MSS business, coordinating the Capgemini and Sogeti businesses and creating a more unified go-to-market approach. On 21 February 2019, Capgemini announced the closing of the acquisition of Leidos Cyber, which extended its global footprint and services (e.g., OT and IoT security).
Capgemini is a good shortlist candidate for large global organizations that require flexibility and customization at scale in the deployment, integration and management of security technologies. Those that have localized and complex security requirements with driving factors such as data residency should also consider Capgemini.

  • Capgemini’s portal has been improved to offer a better user experience with a specific focus on customer interaction, reporting and SLA-aligned metrics.
  • Capgemini introduced the concept of the “golden hour” as a framework for providing MDR-like capabilities previously agreed with the customer. This construct allows SOC analysts to take predefined actions to contain or disrupt a threat — such as blocking threats on firewalls, SWG, SEG and user account suspension — within an hour of the threat being detected.
  • Capgemini offers an established set of IoT/OT offerings predominantly in the manufacturing, automotive and energy sectors.
  • Capgemini is able to support a wide range of commercial security solutions.

  • The roadmap for Capgemini lags many competitors, but it is evolving as Capgemini works to add offerings and capabilities in line with the market. This includes expanding capabilities to cover cloud services (IaaS, SaaS and PaaS), as well as deploying security orchestration, automation and response (SOAR) technologies in its SOCs. The integration of Leidos Cyber and how it fits into the roadmap is unclear at this time.
  • Capgemini has a standard, but basic, set of SLAs for response and remediation in comparison with the market. These are considered a starting point for negotiating custom SLAs tailored to individual customers and their environments. Buyers will need to determine whether they need custom SLAs, and that these are aligned against their requirements and budgets.
  • Capgemini has limited visibility with Gartner clients for MSS-specific deals. Capgemini’s MSS deals are often included as part of end-to-end cybersecurity outsourcing or digital transformation initiatives.
  • Capgemini customers are generally satisfied with the service, delivery and product, but its overall ratings were below average compared to the competition.

CenturyLink

CenturyLink is a telecommunications and public and private cloud service provider based in Monroe, Louisiana. It has regional offices in Singapore, London and Buenos Aires, Argentina. CenturyLink has eight SOCs including four in the U.S., and one each in London, Singapore, Buenos Aires, and India (Bangalore). The SOCs operate in a blended 24/7 and follow-the-sun model. There are dedicated North American and U.K. SOCs to support national government contracts. CenturyLink provides a range of services, with security event monitoring and response, as well as technology management services across a broad range of network and host-based security solutions. Additional services include Vulnerability & Risk Monitoring that leverages RiskSense and Qualys to provide vulnerability assessment and management, and threat intelligence services supported by the recently branded Black Lotus Labs team. Incident response services, including on-premises support, are available via a retainer.
CenturyLink uses a combination of proprietary implementations of big data platforms, commercial products and other tools. Several service tiers are available, from basic endpoint security management to advanced threat-oriented capabilities. Some data residency and staff citizenship requirements can be met with in-region SOCs and data storage. The pricing model for MSSs depends on the services contracted and includes set monthly recurring or usage-based fees; for example, threat monitoring is based on GB-per-day data.
In 2018, CenturyLink completed the integration with Level 3, including the MSS business. In January 2019, CenturyLink’s expansion into Singapore was completed with the opening of its eighth SOC. Additionally, the vendor introduced a mobile app to supplement its MSS portal, added coverage for public cloud monitoring, and improved its log monitoring services, which allowed it to deliver cost reductions to customers. It also introduced several service and pricing options for small and midsize customers.
Existing CenturyLink network services customers, from midsize to very large enterprises, IaaS and cloud service customers, as well as organizations with global service requirements, should consider CenturyLink for MSSs.

  • CenturyLink has introduced several options that should appeal to smaller organizations, with service tiers that include basic monitoring for small organizations and no-retainer-needed incident response services to managed firewall customers.
  • CenturyLink now also offers free log ingestion of 10 Gb per day and has reduced the price of log ingestion across all levels.
  • The MSS portal provides strong role-based controls, including fine-grained role mapping and access for users. Customization of dashboards is also better than typically available from other vendors.
  • CenturyLink provides extensive monitoring coverage for SaaS applications with the Cloud Security Monitoring service.
  • Reference customers give CenturyLink generally positive marks.

  • Support for advanced threat detection technologies is not uniform across network, sandbox and endpoint. Network traffic analytics via the CenturyLink network backbone is available globally, but payload analysis is not. Endpoint forensics is available in the U.S.; packet data forensics is still in the planning stage.
  • MDR-style services are not as mature as those available from competitors. For example, managed EDR services are available only in the U.S. Other services are available as customer-specific engagements.
  • Potential customers who require access to raw log data via the MSS portal should validate that the very basic capabilities of the CenturyLink portal will meet their needs. The portal still has limited features for capturing and using assets and their business value, and does not support integrations to enable managing vulnerability scans or viewing scan results.
  • CenturyLink has low visibility with Gartner clients for stand-alone MSS deals.

Fujitsu

Fujitsu, headquartered in Japan, has 24/7 SOCs in Japan, the U.S., Singapore and the U.K., in addition to a few non-24/7 SOCs in other countries (Finland, Germany and the U.S.). Fujitsu’s marketing and footprint for MSSs are primarily in Japan and Europe, with some focus on the North American and Australian markets.
Fujitsu’s services are focused on a standard set of managed security services, with security event monitoring and response services available either through its multitenant LogRhythm platform or deployed on customer premises as required. Fujitsu offers a number of discrete MSS offerings centered on management of various security technologies, like network and web application firewall, intrusion detection system (IDS), cloud access security broker (CASB), EDR, data loss prevention (DLP), and identity and access management (IAM). Vulnerability assessment and management services are available using a variety of popular vulnerability assessment solutions. Fujitsu’s in-house Cyber Threat Intelligence (CTI) service leverages a range of feeds — open source, commercial and third party — that are used as part of its security event monitoring service. It is available as a stand-alone offering. Incident response services are offered to complement the MSS offering, and are offered in blocks of 10 days or via a daily rate.
Fujitsu’s delivery platform is hosted in Fujitsu data centers. Fujitsu has introduced a new portal that provides a more traditional MSS experience compared to the previous portal, which was a direct interface into the LogRhythm management console for security event monitoring services. Fujitsu offers 365-day raw log and event retention. Raw logs are archived after 10 days, but are retrievable via request to Fujitsu’s SOC.
Buyers that are looking for flexible service delivery and high-touch technology management services should consider Fujitsu. Organizations purchasing other IT or security services from Fujitsu should consider including it in their MSS procurement shortlists.

  • Fujitsu has strong partnerships with security technology vendors that allow it to wrap a number of additional services around its security event monitoring and response service.
  • The vendor has a strong market presence and reputation in Japan, with good traction among large enterprises. Its presence in Europe is also strong.
  • Fujitsu’s flexible service delivery options appeal to large organizations that are heavy on outsourcing most of their security capabilities.
  • Fujitsu’s customers give average marks for value and above average for sales professionalism, contract negotiations, and integration and deployment.

  • Fujitsu’s offerings in emerging areas such as managed detection and response, and security monitoring of public cloud environments, are weaker than most of the competition. For example, Fujitsu collects telemetry from AWS and Azure through log collectors that leverage native APIs, rather than through direct API integration between Fujitsu’s platform and the cloud service providers.
  • The Fujitsu MSS portal, while improved over the past 12 months, is basic and offers capabilities for creating and responding to service requests and viewing incidents. Key capabilities such as scheduling of vulnerability scans, allowing users to customize reporting and dashboards, and viewing of threat intelligence feeds are, however, not available.
  • Real-time access to raw logs for 10 days is standard, but custom requirements for longer periods can be agreed on a per-customer basis. Fujitsu indicates access to retained logs older than 10 days may take up to five days to complete depending on the size and complexity of the retrieval request.
  • Fujitsu is rarely seen in Gartner client inquiries for discrete MSS procurement due to its low brand recognition as an MSSP.

IBM

IBM, headquartered in Armonk, New York, is both a security technology and service provider with a range of managed security and other complementary services via a global network of 24/7 SOCs. IBM has regional MSS offices in the U.S. (Cambridge, Massachusetts and Atlanta, Georgia), and in every major region around the world. IBM has five global, 24/7 SOCs, branded as X-Force Command Centers, and four non-24/7 SOCs.
IBM’s MSS offerings are focused on security event monitoring leveraging its QRadar SIEM platform, which provides unified monitoring across the customer base. QRadar form factors available to customers include shared multitenant (the default), on-premises, SaaS SIEM, or a hybrid. Other SIEM platforms (e.g., Splunk or ArcSight) can also be supported as required. Complementary MSSs from IBM include vulnerability assessment and vulnerability management through the IBM X-Force Red team, and incident response retainers, incident preparation, and threat intelligence services provided as part of the unified IBM X-Force Incident Response and Intelligence Services (IRIS). A range of advisory and professional services are also available. IBM recently introduced its X-Force Threat Management (XFTM) service that provides an integrated threat monitoring, detection and response service that leverages SIEM (primarily QRadar, but others are supported as needed), SOAR (via IBM Resilient) and third-party EDR tools. Support for data residency requirements can be addressed using the form factors described previously.
In the past 12 months, IBM introduced a mobile app to complement its web-based portal. It also improved the analytic and operational capabilities in its delivery platform and operations through the use of proprietary analytics, QRadar User Behavior Analytics (UBA) and QRadar Advisor with Watson (formerly Watson for Cyber Security), and IBM Resilient.
IBM should be a shortlist candidate for larger enterprises that are looking for a full-featured MSS with a global footprint of SOCs that can support a variety of local languages as required. Existing IBM service customers should also consider IBM MSS for any shortlists.

  • IBM offers a strong set of security event monitoring services and related offerings underpinned by the IBM Security technology portfolio. The flexibility afforded by IBM QRadar will appeal to enterprise buyers who are adopting or moving to the cloud.
  • IBM has better aligned its complementary services for threat intelligence, incident response and threat hunting among other services by combining them into the IRIS team.
  • The introduction of SOAR and advanced features within the QRadar platform for use by the IBM X-Force Security Centers should yield improved threat detection, as well as faster detection and response times.
  • IBM’s visibility with Gartner customers and MSSP buyers is oriented toward large enterprises. IBM has good visibility in the MSS market.

  • IBM’s introduction of a packaged MDR-like service in X-Force Threat Management is a good first step toward creating bundled offerings, but visibility in the marketplace and with Gartner clients has been minimal. Some partnerships, such as integration with Fortinet and Carbon Black have been announced, but additional partnerships have been limited.
  • IBM’s Virtual Security Operations Center Portal, while full featured, is starting to lag the competition from a user experience perspective. Customer feedback about the portal is mixed. IBM is promoting use of its mobile app as an alternative means of using the portal.
  • Buyers should carefully analyze the technology approach recommended to deliver MSSs (e.g., shared or dedicated QRadar, whether on-premises or hosted) to ensure that the approach is compatible with their IT environments, architectures and requirements.
  • IBM’s customer feedback across the board was below average compared to the competition.

NTT Security

NTT Security is the specialized managed security service company of the NTT Group. NTT is headquartered in Tokyo, with regional headquarters for North America, Europe and the Asia/Pacific regions. NTT operates 10 SOCs globally across the Asia/Pacific, European and North American regions. In August 2018, NTT Corporation announced a new holding company structure that will integrate NTT Communications, Dimension Data, and NTT Security into a new global business later in 2019. NTT DATA will continue as a stand-alone, listed company that collaborates with NTT.
NTT’s operating model utilizes the group companies to sell and manage client relationships, with managed security services delivered centrally by NTT Security. NTT MSSs provide delivery of all threat detection services (Threat Detection Enhanced and Enterprise Security Monitoring), as well as services for technology management and vulnerability assessment in all major regions. NTT offers a single service management interface to customers that provides security incident communications and case management. NTT offers incident response services that include enhanced response to threats where firewall management is performed by NTT Security and/or managed EDR is consumed by the customer. An incident response retainer, along with incident response planning and forensic services, is also available. NTT has an in-house Global Threat Intelligence Center providing internally consumed threat intelligence for MSSs, as well as stand-alone offerings like its Reputational Threat Services.
NTT’s security offerings focus on different levels of service interaction defined by the criticality of incidents as opposed to providing defined service tiers. Customers will receive high levels of analyst interaction on critical events and electronic notification for all others.
In the past 12 months, NTT has implemented its unified portal leveraging ServiceNow, integrated with the main service desk functions across NTT, and announced strategic partnerships with Symantec to provide new services like Web Security as a Service (WSaaS).
NTT appeals to larger enterprises that have purchased separate IT and networking services from other NTT Group companies, and those that are completing wider digital transformation projects or have specific, complex requirements that will be served across the portfolio of NTT Group companies.

  • NTT can serve a wide range of industries/verticals across geographies due to the global presence of NTT Group companies.
  • NTT’s strategy involves investing in security technology, as evidenced by its acquisition of WhiteHat Security, as well as an industry-aligned commitment to continue research and development of its services portfolio and capabilities, like advanced analytics.
  • NTT has moderate visibility with Gartner clients looking for discrete MSSs.
  • NTT’s customers provide above-average marks for several ratings like overall experience, evaluation and contract negotiations, integration and deployment, and overall service and product capabilities.

  • NTT Security is an operational unit that utilizes the NTT Group companies to sell and market its delivered services. This approach has created confusion for some Gartner clients when renewing existing MSS agreements that were originally purchased from entities prior to the formation of NTT Security (e.g., Solutionary or NTT Com Security). Post-restructuring, this concern may abate as NTT becomes more unified without individual operating companies. Clients should monitor the situation as it progresses.
  • The NTT portal is now primarily powered by ServiceNow, which provides a basic ServiceNow-style experience for many functions, like case management and ticketing; however, other legacy portals are used to provide an interface into features like log management and portal user management. APIs are available to integrate into customer environments, like case management solutions, as required.
  • NTT Security’s managed EDR offering is a work in progress. NTT Security currently supports FireEye, and plans to expand support to Carbon Black and CounterTack (the latter partnership was announced in November 2017).

Secureworks

Secureworks is headquartered in Atlanta, Georgia, with offices in London, Sydney, Tokyo and Edinburgh, Scotland. It provides a range of security event monitoring and response services, in addition to technology management, vulnerability assessment and management, threat intelligence, managed detection and response, incident response (via retainer), and consulting services. MSSs are delivered from three 24/7 SOCs in the U.S. (Atlanta; Chicago; and Providence, Rhode Island); one 24/7 SOC in Kawasaki, Japan; one SOC in Edinburgh, Scotland; and one in Hyderabad, India. The SOCs are supported by a center of excellence in Romania.
MSS delivery is through Secureworks’ proprietary Counter Threat Platform (CTP) that provides data collection and management, analysis, and the portal. Secureworks also has premises-based physical and virtual appliances to support log aggregation/transmission and network security monitoring. The Secureworks Client Portal provides access to services for customers. Secureworks offers customers seeking EDR services the option of fully managed services using the Red Cloak agent, or monitored EDR for Carbon Black and CrowdStrike. An additional service for proactive threat hunting is available at an hourly rate or for customers using the Red Cloak agent via Advanced Endpoint Threat Detection Elite with Active Threat Hunting. There is an add-on service for malware detection delivered in partnership with Lastline. The Secureworks Counter Threat Unit (CTU) threat research and development team provides threat intelligence to support a variety of MSS offerings, as well as stand-alone threat intelligence services. MSS pricing is based on the number and type of event sources in scope for monitoring or management. Secureworks recently introduced additional pricing models for service bundles, such as its MDR service bundle that is priced by number of employees in the buyer’s organization.
In 2018, Secureworks introduced the ability for customers to easily link their ServiceNow with the Secureworks portal, and additional APIs enable customers to integrate MSSs with the customers’ security operations infrastructure. Self-service provisioning gives customers control over which devices to bring into the scope of MSS monitoring. Secureworks also introduced its Security Maturity Model to help customers by measuring and monitoring improvements in customers’ security operations capabilities.
Secureworks should be considered by midsize through to global enterprise organizations seeking an established MSS with a consistent, shared delivery approach that offers additional complementary security operations capabilities delivered as a service.
Strengths

  • Secureworks offers an incident response retainer that is popular with buyers, which provides proactive as well as remote and on-site reactive response services.
  • Secureworks’ bundling of existing services to form its MDR offering, with a simpler pricing structure based on employees and assets, has gained initial traction with Gartner clients.
  • Security orchestration and automation has been integrated into the Counter Threat Platform for SOC analysts and operations, with continued expansion of capabilities, both internal and customer facing planned over the next year.
  • Secureworks has very high visibility with Gartner clients, and is frequently included in competitive MSS deals by North America-based midsize and enterprise buyers. It also has good visibility with U.K. buyers.
  • Gartner customers largely give strong positive feedback for Secureworks’ MSS offerings across service and product quality, sales, implementation and support compared to the competition.
Cautions

  • Secureworks has lower visibility compared with competitors for buyers in continental Europe and the Asia/Pacific region for MSSs.
  • Support for customer access to raw logs via the Secureworks portal for investigation and reporting is limited. Customers that require greater access to logs, and long-term retention for compliance requirements, must store those on-premises or in their cloud in third-party log management appliances supported by Secureworks.
  • Monitoring of SaaS solutions is still limited, and support for CASB solutions is not available. Office 365 and Salesforce are supported. SaaS solutions such as Box, Dropbox, Workday and G Suite are not supported, although support for identity solutions like Okta and OneLogin is available.
  • Some Gartner small and midsize customers report frustration with Secureworks’ service delivery and account management, which they sometimes characterize as “we are too small to get attention.” Midsize and smaller enterprises should confirm how the service relationship and management process will operate and support their requirements.

Symantec

Symantec, headquartered in Mountain View, California, is a security technology company that also offers a variety of security event monitoring services and complementary services as part of its Cyber Security Services business. Symantec has regional and country-level offices across the globe. It operates a global network of SOCs to provide 24/7 global coverage. Symantec offers a globally standardized approach to how its SOCs are operated, including their processes and procedures. Symantec’s Cyber Security Services core offerings address security event monitoring and response services. They also provide threat intelligence, and incident response and retainer services. All MSS agreements since July 2017 include the base terms and conditions providing MSS customers access to Symantec’s incident response retainer with zero upfront cost. Customers pay for use of the retainer on an as-needed basis. Symantec also offers Managed EDR, Managed Network Forensics, and Managed Cloud Defense using Symantec’s own technologies. A managed intrusion detection and prevention (IDP) service and a service providing security monitoring for OT and IoT devices are also available via technology partnerships and Symantec’s own technologies. Symantec’s delivery platform has been migrated from an on-premises data center to AWS, and includes its log collection and management, analytics, and customer portal.
Over the past 12 months, in addition to the delivery platform move to AWS, Symantec introduced several services that take advantage of the Symantec technology portfolio; for example, its Managed EDR service. It also implemented internal operational improvements to enhance the context around detected threats; for example, better mapping IP to host and speeding malware analysis and investigation.
Symantec MSSs should be on the shortlist for enterprise-size buyers who require regional support in North America, EMEA and Asia/Pacific, as well as existing Symantec technology customers who want managed security services for their existing technology investments.
Strengths

  • Symantec has recently migrated its delivery platform to AWS. Beyond allowing it to take advantage of the benefits of using IaaS and AWS services, it will also enable Symantec to use AWS Regions to address data residency requirements, which was previously handled through contractual agreements.
  • Symantec’s technology portfolio for endpoint, network and cloud security is now being leveraged through standardized offerings in the MSS catalog. Existing Symantec customers using these technologies and looking for a service option will be well-supported, as will MSS buyers looking for a single provider for solutions and 24/7 monitoring and response.
  • Symantec is a visible competitor for MSS buyers in North America, EMEA and Asia/Pacific, and has good visibility as a shortlist candidate with Gartner clients.
  • Customers rate Symantec above average compared to competition for overall experience, evaluation and negotiations, integration and deployment, and service and support.
Cautions

  • Buyers looking for a vulnerability management service to complement monitoring and response services will need to leverage a third-party service. Support for providing vulnerability assessment data for use in the security monitoring and response services is mixed. Qualys is presently supported through direct API integration; however, other vulnerability assessment vendors require manual upload of data.
  • Buyers that require their MSSP to hold an SOC certification should confirm its status. Symantec’s certifications are a work in progress as it transitions from SOC 1 Type II to SOC 2. Certifications like ISO 27001 and PCI service provider are current as of the date of this research.
  • Symantec’s marketing of its Cyber Security Services is lagging competitors. Symantec is primarily known as a technology company and marketing of its MSS offering is not visible when compared to the software side of the business, e.g., there is visibility of technology partnerships with competing MSS firms, but no visibility of the same services being offered by Symantec MSS.

Trustwave

Trustwave, headquartered in Chicago, also has key offices in London, Singapore, Sydney and Tokyo among others. It delivers MSSs from 24/7 SOCs in Singapore; Manila, Philippines; Warsaw, Poland; Chicago; and Denver, Colorado; with a few other non-24/7 SOCs across the world. As part of the Singtel Group, Trustwave has a strong reach across EMEA and Asia/Pacific in addition to North America.
Trustwave offers conventional managed security services such as 24/7 security event monitoring and vulnerability management. In addition, the Trustwave Managed Detection and Response (MDR) for Endpoints service offers managed Carbon Black and Cybereason EDR, as well as Darktrace for network detection and response. Managed threat hunting is also an option under the MDR set of services. Trustwave has made efforts to integrate the MDR service with its more established service areas, both in terms of workflow and in offering pricing benefits to customers that choose both. The MDR service can address response actions via EDR that can be handled remotely in less than four hours by a certified digital forensics and incident response handler. For on-site incident response services via retainer, Trustwave offers consulting services through its SpiderLabs Digital Forensics and Incident Response Team. The SpiderLabs team within Trustwave also has an in-house threat intelligence capability that the company leverages for threat detection, but it does not sell this as a stand-alone feed to customers. Trustwave has several proprietary products that it can manage for customers (such as WAF, UTM and IDS), and it also supports several third-party technologies for monitoring and management.
Over the past 12 months, Trustwave has been integrating the stand-alone Singtel and other MSS businesses under the Trustwave brand, including a rebranding launch in December 2018. Trustwave introduced updates to its TrustKeeper portal in 2018, which is the primary delivery platform for the MSS. The logs and events from monitored/managed infrastructure elements are forwarded on to Trustwave’s multitenant platform that stores data in a number of its global SOC locations. Trustwave can enable local data residency by maintaining local instances of its portal within AWS Regions.
Trustwave is a good shortlist candidate for buyers, ranging from midsize enterprises to large, global enterprises, who are looking for standard managed security services with some additional advanced capabilities like threat hunting and MDR, and other complementary services.
Strengths

  • The updated TrustKeeper portal offers good role-based access, language localization, custom report/dashboard creation capabilities and visibility into ticket workflow. Integration of the service workflow with customers’ Slack and ServiceNow environments is a positive feature, particularly for large organizations with dispersed teams.
  • Trustwave has a strong threat intelligence capability through its SpiderLabs team, and good professional services offerings that complement its MSS and MDR offerings.
  • The vendor’s threat detection capability is focused on analytics that deliver use cases based on a combination of Trustwave proprietary technology and TensorFlow libraries.
  • Trustwave places an emphasis on global consistency in service delivery and leveraging a point of delivery (POD) concept to provide more customer-specific attention and a vertical focus.
Cautions

  • Though Trustwave supports CASBs and collects data through native APIs in Microsoft Azure and AWS, it still lags some competitors in offering cloud-specific MSSs like vulnerability and asset management, container security and cloud security posture management.
  • Though Trustwave has a global presence, its go-to-market approach in Singapore and Australia still needs better alignment with the global Trustwave platform strategy. The organizational realignment that happened in 2018 is yet to be fully realized in the field.
  • Trustwave’s MDR service is most visible via its managed EDR offering. The managed network detection and response with Darktrace and other vendors is not as visible in the market. Customers desiring a full MDR service that spans endpoints and network security need to confirm with Trustwave how it can support that requirement from both a supported vendor and integration-of-service perspective.
  • Trustwave customers reported general satisfaction, but below-average marks compared to the competition across overall experience, evaluation and contracting, integration and deployment, and service support and product capabilities.

Verizon

Verizon is a telecommunications company headquartered in Basking Ridge, New Jersey, with regional offices in Reading, U.K., and Sydney. Verizon offers a range of MSSs and security consulting services using a global network of SOCs. Local business hours (i.e., “follow the sun”) SOCs are located in Ashburn, Virginia; Dortmund, Germany; and Canberra, Australia. It also has an SOC in Luxembourg that is dedicated to customers with specific data sovereignty requirements. The vendor’s 24/7 MSS SOCs are located in Chennai and Hyderabad, India. Customer data is stored in operations centers located in the U.S., Europe and Australia.
Verizon’s Unified Security Portal (USP) provides single-portal access across all services and capabilities for customers. Verizon’s MSS platform includes log management capabilities allowing clients to search 90 days of stored logs. Verizon’s MSS delivery platform includes open-source, proprietary, and commercial technologies including Splunk security data analytics, Elasticsearch for log search, and Verizon’s proprietary correlation engine and Local Event Collector (LEC). MSS pricing is based on the volume of log data ingested per day, with distinct pricing for advanced detection services. For services based on endpoint detection and response products, the pricing is per endpoint; and for network analytics, it’s per the number of flows ingested. Verizon also offers additional services like an incident response retainer, Autonomous Threat Hunting (via the Niddel acquisition), and the Verizon Risk Report (VRR).
In 2018, Verizon introduced the Verizon Risk Report, a new service to augment its MSS offerings. VRR provides daily quantitative assessments of a customer’s security posture based on Verizon threat intelligence, and oriented toward security portfolio decision makers. Verizon also acquired ProtectWise in March 2019, which provides network traffic analytics and forensics capabilities.
Enterprises and public-sector organizations, including existing Verizon network customers, should consider Verizon if they require well-established global or region-specific MSSs.
Strengths

  • Verizon offers a broad range of additional security services including VRR, distributed denial of service (DDoS) protection and incident response services, among others like the Autonomous Threat Hunting service.
  • The portal offers excellent capabilities for searching incidents and logs to support investigations, extensive roles and access controls for portal users, as well as strong visualization and dashboard customization. The portal provides flexible and comprehensive log searching capabilities to end users, and there is extensive and granular support for defining and managing portal roles.
  • Verizon offers several services that support advanced threat detection and response, with an emphasis on network-based capabilities.
  • Verizon has good visibility with Gartner clients for MSSs.
Cautions

  • Some MSS portal functions lag those of competitors or require additional service levels to access. Users must request reports for predefined compliance schemes from the Verizon SOC, and the portal offers MSS customers limited threat intelligence. Greater access to these capabilities requires the Verizon Risk Report services.
  • Verizon supports data residency requirements with its own resources in Asia/Pacific, Europe and North America. Customers with these requirements in Africa and the Middle East and in Latin America and South America must engage with Verizon partners in the region to support them, or leverage Verizon’s Managed SIEM offering.
  • Verizon relies primarily on Netskope CASB to monitor SaaS environments, although Cisco Cloudlock CASB is also supported. Only Office 365 is supported natively (via APIs). If other SaaS applications are able to generate and forward their own logs and events, they can be monitored.
  • Customer feedback for Verizon is satisfactory, but below average compared to its competition in areas at the beginning of the buying and onboarding stages, such as preselection activities, negotiations, and integration and deployment.

Wipro

Wipro is headquartered in Bangalore, India, and has 24/7 SOCs in India (8), Europe (2), North America (4) and the Middle East (1). As a global IT services provider, Wipro has a significant incumbent customer base to which it can position its MSS offering.
Wipro’s standardized security monitoring service is based on IBM QRadar (delivered in a federated, on-premises model) and Demisto SOAR (powering automation in its SOCs). In addition, Wipro offers vulnerability assessment management services through a partnership with Qualys. Data from vulnerability assessment scans is made available to customers through Wipro’s MSS portal. Wipro also offers advanced MSS offerings for IDS/IPS, network traffic analytics, network forensics, EDR, deception, breach and attack simulation, and SaaS monitoring via a robust set of technology partnerships. The company also offers several types of professional services to complement its MSS offering, such as incident response, threat hunting, forensics and malware analysis.
Over the past 12 months, Wipro has focused on internal operational improvements, and service measurement and reporting.
Wipro is a good fit for customers that are looking to consume a range of services (spanning consulting, implementation and outsourcing) from the same provider. Incumbent Wipro customers and organizations looking for more flexibility in their service approaches should consider Wipro as a shortlist candidate.
Strengths

  • Wipro offers a good combination of standard and advanced managed security service offerings, leveraging its strong partnerships with established and emerging security technology vendors.
  • Wipro can cater to regional data residency requirements due to its focus on local log collection and analytics, as well as a strong global network of SOCs.
  • Wipro has strong incident detection and response SLAs that are above average in the industry.
Cautions

  • Wipro’s MSS portal is still not as user-friendly as the competition: customer self-service options to manage the state and status of an event are limited.
  • Despite the use of on-premises QRadar to store customer logs and perform detections, the Wipro portal offers customers limited access to logs. The search capability is limited; alternatively, users can request log reports from the SOC. Users with sufficient expertise can be given access to the QRadar console for direct searching.
  • Wipro has low visibility with Gartner clients and MSS buyers.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

Added

Alert Logic

Dropped

BT, DXC Technology, HCL Technology and Orange Business Services.

Inclusion and Exclusion Criteria

To qualify for inclusion in this Magic Quadrant, managed security services providers must:
  • Offer remotely delivered 24/7 security event monitoring and response services, delivered via a common, shared delivery platform that is owned, hosted and maintained by the provider, which is consumed by at least 70% of their customers; however:
    • Customers that consume services that are not delivered remotely, e.g., on the customer premises, or that are delivered remotely on a one-to-one basis per customer, are not applicable.
    • Customers that do not consume security event monitoring services, e.g., technology-only and device-management-only customers, are not applicable.
    • The delivery platform must include the following capabilities at a minimum: log/data collection and management; analytics for threat detection use cases; reporting for compliance use cases and service management; case management and ticketing; and a web-based portal to consume and interface with services. However:
      • Providers’ platforms that lack multitenancy characteristics (e.g., leverage common compute, storage, software and management) will not be included.
      • Providers that deliver their services in a one-to-one model (e.g., leveraging a customer’s own SIEM solution), on a per-customer basis, even if the technology to deliver the service is hosted for the customer by the provider, e.g., managed and hosted SIEM solution, will not be included.
      • Delivery platforms can be proprietary, leverage third-party technology (e.g., commercial off-the-shelf [COTS]), or a combination of the two. Providers that leverage a delivery platform that is owned, hosted, operated and maintained by a third party to deliver MSSs will not be included.
      • Customer interface options beyond a web-based portal, such as real-time chat, war rooms and mobile applications are not required, but may be considered if they enhance the value proposition.
  • Offer at least two of the following services that highly complement security event monitoring and response offerings:
    • Incident response services (e.g., via a retainer with the buyer)
    • Threat intelligence services (not just machine-readable threat intelligence [MRTI] or reselling third-party MRTI)
    • Vulnerability assessment and management services
    • Managed detection and response (e.g., managed endpoint detection and response)
  • Have an SOC in two or more regions where security event monitoring and response services are fully supported and delivered. However:
    • SOCs specifically designated for delivering services other than security event monitoring and response, such as providing only technology administration and management, will not be included.
    • SOCs that deliver security event monitoring but are dedicated to a specific customer base (e.g., government-only customers), while not specifically included for regional scope requirements, may be considered if they enhance the value proposition.
  • Provide evidence via region-specific marketing materials of sales, either directly or via a channel, being performed in three or more regions (North America, Latin and South America, Europe, Middle East and Africa, and Asia/Pacific).
  • Have at least 500 customers globally consuming remotely delivered security event monitoring and response services as defined previously, with a minimum of 100 customers in each of two or more regions (North America, Europe, Asia/Pacific, Middle East and Africa, and Latin and South America).
  • Have minimum annual revenue of $50 million that is generated from shared, remote security event monitoring and response services. Revenue generated by services such as technology administration and management, consulting, professional services, and technology reselling are not to be included in the above threshold.
  • In-scope service offerings and technology (e.g., a delivery platform) features and functionality must be generally available (and being sold, if a service) to MSS buyers as of 1 November 2018.
  • Be service providers that Gartner determines to be significant vendors in the market because of their market presence or service innovation.

Evaluation Criteria

Ability to Execute

Product/Service refers to the services offered, and their capabilities, for security event monitoring and response, such as the delivery platform that includes log collection and management, analysis, and customer interface methods. It also includes highly complementary services, such as vulnerability management, threat intelligence, incident response, and managed detection and response services.
Overall Viability (Business Unit, Financial, Strategy, Organization) includes an assessment of the organization’s overall financial health, as well as the financial and practical success of the business unit. It views the likelihood of the organization to continue to offer and invest in the product as well as the product position in the current portfolio.
Sales Execution/Pricing addresses the service provider’s success in the market and its capabilities in presales activities. This also includes MSS revenue, pricing and the overall effectiveness of the sales channel. The level of interest from Gartner clients is also considered.
Market Responsiveness and Track Record evaluates the match of the MSS offerings to the functional requirements stated by buyers at the time of acquisition. It also evaluates the MSSP’s track record in delivering new functions when the market needs them.
Marketing Execution evaluates the service provider’s ability to effectively communicate the value and competitive differentiation of its MSS offering to its target buyer.
Customer Experience evaluates the service delivery to customers. The evaluation includes ease of onboarding, the quality and effectiveness of monitoring and response activities, and reporting and problem resolution. This criterion is assessed by surveys of vendor-provided reference customers, Gartner’s Peer Insights, as well as by feedback from Gartner clients that are using the MSSP’s services, or that have completed competitive evaluations of the MSSP’s offerings.
Operations addresses the MSSP’s service delivery resources, such as infrastructure, staffing and SOC operations. It also includes evaluation of external operations reviews, and relevant certifications and attestations.

Table 1: Ability to Execute Evaluation Criteria

Evaluation Criteria:
  • Product or Service
  • Overall Viability
  • Sales Execution/Pricing
  • Market Responsiveness/Record
  • Marketing Execution
  • Customer Experience
Source: Gartner (May 2019)

Completeness of Vision

Market Understanding involves the MSSP’s ability to understand buyers’ needs and to translate them into services and capabilities. MSSPs that show the highest degree of market understanding are adapting to customer requirements. MSSPs with market-leading vision are investing in expertise and technology to monitor and analyze a customer’s diverse range of environments (i.e., on-premises, IaaS and SaaS), as well as the external threat environment to better understand the sources, motives, targets and methods of attackers. They are also developing and introducing services that support large-scale data collection; advanced analytics, including statistical and behavioral functions; and monitoring of new data sources. The goal of these capabilities is to more effectively reduce the mean time to detect a threat, and also to drive the mean time to respond to a threat for customers. MSSPs are also keeping pace with regulatory requirements customers may face across different geographies.
Marketing Strategy evaluates the clear, differentiated messaging consistently communicated internally and externalized through social media, advertising, customer programs, and positioning statements; and is tailored to the specific client drivers and market conditions in the MSS market.
Sales Strategy addresses selling that uses the appropriate networks including: direct and indirect sales, marketing, service, and communication. It includes partners that extend the scope and depth of market reach, expertise, technologies, services and their customer base.
Offering (Product) Strategy evaluates the vendor’s approach to product development and delivery that emphasizes functionality and delivery options as they map to current and emerging requirements for MSSs. Development plans are also evaluated.
Business Model covers the design, logic and execution of the organization’s business proposition to achieve continued success.
Vertical/Industry Strategy evaluates the strategy to direct resources (sales, product and development), skills, and products to meet the specific needs of individual market segments, including verticals.
Innovation refers to the service provider’s strategy and ability to develop new MSS capabilities and delivery models to uniquely meet critical customer requirements.
Geographic Strategy evaluates the vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, either directly or through partners, channels and subsidiaries, as appropriate for that geography and market.

Table 2: Completeness of Vision Evaluation Criteria

Evaluation Criteria:
  • Market Understanding
  • Marketing Strategy
  • Sales Strategy
  • Offering (Product) Strategy
  • Business Model (Not Rated)
  • Vertical/Industry Strategy
  • Geographic Strategy
Source: Gartner (May 2019)

Quadrant Descriptions

Leaders

Each of the service providers in the Leaders quadrant has significant mind share among organizations looking to buy MSSs as a discrete offering. These providers typically receive positive reports on service and performance from Gartner clients. MSSPs in the Leaders quadrant are typically appropriate options for enterprises requiring comprehensive portal-based access for interfacing with the service (e.g., responding to alerts, incident management, workflow, reporting, asset and access management, and managing other procured services, like incident response and vulnerability management) along with interaction with the MSSP for analyst expertise and advice.

Challengers

In the Challengers quadrant, Gartner customers are more likely to encounter MSSs that are offered as components of an IT or network service provider’s (NSP’s) other telecommunications, outsourcing or consulting services. Although an MSS is not a leading service offering for this type of vendor, MSSs in these markets have a stronger Ability to Execute.

Visionaries

Companies in the Visionaries quadrant have demonstrated the ability to turn a strong focus on managed security into high-quality service offerings for the MSS market. These service providers are often strong contenders for enterprises that require access to and support for “cutting edge” technology, flexible service delivery options and strong customer service. MSSPs in the Visionaries quadrant have less market coverage compared with vendors in the Leaders quadrant.

Niche Players

Niche Players are characterized by service offerings that are available primarily in specific market segments, or primarily as part of other service offerings. These service providers often tailor MSS offerings to specific requirements of the markets they serve. This quadrant is also characterized by providers that are newer, or that have expanded beyond local and regional markets to the global MSS market, and are maturing their delivery capabilities and offerings.


Context

Organizations should not use this Magic Quadrant in isolation as a tool for selecting providers. Gartner provides a range of toolkits and geographically contextual research to assist buyers in correctly scoping and administering an MSS selection process. MSS buyers are increasingly challenged to identify and select the best provider for their needs. Before starting the process of outsourcing security operations to a service provider, it is critical that buyers understand their desired outcomes, use cases and requirements. (See “Foundational Elements to Get Right When Selecting a Managed Security Service Provider” and “How to Work With an MSSP to Improve Security.”)
When goals, use cases and requirements are not settled before engaging with an MSSP, an all too common result is dissatisfaction with the provider and the MSS experience. Based on feedback from Gartner clients and MSS buyers over the past 12 months, the most common sources of dissatisfaction are misaligned expectations and disagreement over the scope of the services provided.
It is important that prospective MSS buyers focus on the outcomes they require to ensure they purchase the right services from the right type of provider. Buyers that require 24/7 threat detection and response use cases should weight an MSSP’s capabilities in those areas heavily, in addition to its in-house threat research and intelligence capabilities. Complementary services like incident response retainers may be important too. MSS buyers who have requirements related to specific technologies and capabilities should focus on providers that are better at providing customization, where appropriate, in addition to standardized services.
As a result of the requirements of Gartner clients and the direction of the MSS market, Gartner has made changes to the inclusion criteria in this year’s Magic Quadrant. Comparisons to previous years are not advised (nor is a year-over-year comparison of vendor position in the Magic Quadrant generally advised). Additionally, vendors that no longer meet the inclusion criteria should still be considered when there is a need for a partner in specific regions, as well as for highly customized and specific offerings focusing on technology deployment and integration.

Market Overview

The MSS market is mature, with an estimated market size of $10.7 billion in 2018. The market continues to adapt to the challenges facing organizations around:
  • An increasingly complex IT environment that includes SaaS and IaaS, and the expansion into nontraditional IT domains
  • The growing hostile external landscape
  • The ongoing issues of a lack of talent and expertise in security
  • The needs of less mature organizations that are likely to have only ever implemented preventative security controls
These challenges are driving organizations to focus on and improve their threat detection and response capabilities. For many organizations, the use of an MSSP is what makes achieving that goal possible.
The MSS market has a set of providers whose core business is often not security-focused, such as IT outsourcers, system integrators and telecommunications providers. For such providers, there is an increasing focus on maturing and expanding their offerings to meet changing market demands. Alongside the pure-play security service providers, there are now hundreds of smaller, geographically focused MSSPs and MDR service providers around the world offering detection-led and highly competitive services. Every week a new provider is visible in the market; either a net new provider or a provider in an adjacent market that has added managed security services. These services vary according to:
  • The core business they operate under (e.g., managed IT services or IT outsourcing, system integration, telecommunications, security technology or pure-play security services)
  • Geographic and vertical markets being targeted
  • The targeted buyer by size and maturity
This Magic Quadrant reflects the requirements of Gartner clients as well as the evolution of the global MSS market. Market trends, which are discussed in more detail below, include:
  • The adoption of core security capabilities where historic investment has been weak, for example vulnerability management, threat intelligence and incident response.
  • Moving beyond monitoring of only on-premises technologies as more organizations adopt SaaS and IaaS, as well as the move by many organizations to include security event monitoring and response services for OT and IoT under the remit of security operations.
  • Increasing segmentation of MSSPs focused on delivering a broad portfolio of managed security services to address the wide range of needs by larger enterprises versus those who are focused on core security operations activities.
  • Portals as the primary interface with MSSPs, but delivery models being expanded to include other channels, like mobile devices.
  • The inclusion of direct response to security events and issues, and MSS providers’ adoption of emerging technologies, like SOAR, which have the potential to transform how MSSPs deliver services in the future.
There are other adjacent markets providing security services to address the core use case for 24/7 threat detection and response. Increasingly MSSPs are pivoting to compete with these markets to address buyer demands by offering the following services:
  • Managed detection and response services: Organizations are looking to address a lack of 24/7 threat detection and response — especially where there is lower maturity, and little to no investment in detection technologies and the experts needed to use those tools and perform incident response activities. Thus, MDR services are filling the demand (see “Market Guide for Managed Detection and Response Services”). Midsize enterprises are gravitating to MDR when looking for a turnkey service that fits their needs. More mature organizations with defined security operations teams look to MDR to fill gaps in their coverage, e.g., through services like managed EDR or threat hunting. MSSPs have reacted to these needs by offering services primarily focused on managed EDR and threat hunting, as well as expanded incident response services. Many of these services are customized; few are standard offerings integrated into the core MSS business.
  • Remote SIEM solution management and co-management: Larger enterprises that have invested in a SIEM solution with plans to build their own 24/7 operations, or organizations that are concerned about data residency requirements, are increasingly turning to MSSPs to take over management, operation and use of their SIEM solution. For some MSSPs, this is becoming their preferred approach, as they may also be a technology reseller and integrator. Thus, they end up selling the SIEM solution to the customer, and then provide managed security services using the customer’s newly deployed SIEM solution. However, many organizations will look to an MSSP to help them after a failed SIEM deployment, a change in business direction, changed plans about building out their own SOC, and so on. Rather than lose a large deal, some MSSPs are increasingly accommodating these buyers even though it does not align with their preferred delivery model (i.e., use of the MSSP’s standard delivery platform).
  • Customer-owned SOC: In some geographies, like the Middle East and India, regulatory requirements drive buyers toward an on-premises SOC. In other geographies, on-premises SOCs are driven less by regulations and more by the risk tolerance of the organization, its scale and nuances of its business that make it avoid outsourcing services to an MSSP. However, building an SOC is not a small endeavor; it requires expertise to build, and then to operate and run, the SOC. Many MSSPs are also offering a service where the SOC is fully managed on-premises by the MSSP, or a hybrid model where some remote services are provided from a shared customer SOC alongside some on-premises staff.

Core Services for Detection and Response, Against a Broadening MSS Market

An MSS looks significantly different now compared to what it was just five years ago. At the core of most MSSP service portfolios is 24/7 security event monitoring and response, of varying degrees of maturity and sophistication. This will not change. Organizations have awoken to the need for detection and response capabilities, underpinned by continuous monitoring and visibility, to complement their investment in prevention and blocking technologies. (See Figure 2. Adaptive Attack Protection in “Seven Imperatives to Adopt a CARTA Strategic Approach”).
In addition to security event monitoring and response capabilities, the need for good security hygiene or “the security basics” is also being recognized by many organizations. Capabilities like vulnerability management and the use of threat intelligence are still challenging for many organizations. Vulnerability management is evolving toward a risk-based approach, but few MSSPs are adapting to this shift. Most still support basic vulnerability scanning. (See “Implement a Risk-Based Approach to Vulnerability Management.”)
Once, the focus of a security monitoring service was to ensure a threat was simply detected and alerted to. Now, being alerted to a threat is no longer sufficient for many organizations. Once a threat is identified, organizations are looking to service providers to take on a more active role. For some organizations that have an existing security team and internal incident response and handling expertise, only an alert may still be acceptable. Even so, the expectation now is that the alert will be context-rich relative to both the threat (e.g., broad-based malware or targeted attack, or part of a known malware campaign or threat actor) and the customer’s vertical and organization. (For example, was the targeted asset critical to the buyer? Were there unpatched vulnerabilities on the targeted asset? What’s the “blast radius” of the attack inside the organization?)
For other organizations that have little to no security team and a lower security operations maturity, the expectation is that the MSSP will do more than just issue an alert and leave the customer to fend for itself. They need the MSSP to take an active role in analyzing, triaging, and then disrupting or containing the threat, i.e., they need the MSS to act as a first-level incident responder for them. The feedback from customers surveyed as part of this Magic Quadrant indicates that 49% of them still only get alerts as the primary form of response from their MSSP. However, 43% indicated the MSSP is taking a more active role in the response to a detected threat, either helping with containment (e.g., a more MDR-style service) or getting involved end to end, from detection through to containment and remediation (usually when the buyer has a broader ITO agreement with the MSSP).
If an attack was not detected and contained quickly enough, then it is important to have an incident response retainer that can provide targeted incident response services as well as support in the event of a potentially large incident. (See “Market Guide for Digital Forensics and Incident Response Services.”) Buyers are increasingly looking to their MSS to offer these capabilities as part of a more end-to-end service delivery model.
Response services beyond those described previously are being adopted by organizations on an as-needed basis to address gaps in their capabilities or to align to organizational strategy to leverage outsourcing providers where feasible. For some buyers, technology management is still an important element of managed security services. But that need is being filled by a wider variety of services providers depending on the type of technology and the delivery of the technology. We see the commoditization of technology management reaching its peak. Firewalls are increasingly being managed by telecommunications service providers as a network device. Endpoint protection is being managed by managed services providers (MSPs). And, the adoption of cloud-delivered security solutions (aka security as a service), like SWGs and SEGs, firewalls and DNS security, further erodes the value of managed technology services for buyers. (For example, when using security as a service from the cloud, the need for a provider to perform health, performance and availability monitoring, as well as software upgrades goes away as it’s now the technology provider’s responsibility.) Depending on their core verticals, MSSPs are being left to perform policy management or to expand into technology management for technologies that are not commonly delivered “as a service.” Gartner clients indicate it is challenging to find, afford and retain the expertise to operate and use technologies like SIEM, EDR and network traffic analytics [NTA] solutions.
Increasingly, the portfolios of many MSSPs are quite extensive as they look for opportunities to expand and stay “sticky” with buyers. This has both positive and negative implications for MSS buyers. For those organizations looking to outsource a wide variety of security operations, extensive MSSP portfolios are beneficial. However, this choice also must be tempered by concerns about whether an MSSP will become more of a generalist considering the broad range of technologies that it may need to manage and monitor. (It is estimated that an MSSP has to potentially support hundreds of different vendors and solutions.)

Threats No Longer Target Only On-Premises IT

As organizations move to the cloud, IT environments become more complex because of SaaS and IaaS. These cloud environments also increase the attack surface for organizations due to their complexity. Even capabilities like vulnerability management and log management in these environments require new skills and expertise that are not readily available in the market. MSSPs are being pushed to address the threats against these environments, but the variability across providers is still quite large. The monitoring of public cloud services — specifically AWS and Azure — is maturing, with basic security event monitoring available from many MSSPs. But monitoring other cloud providers, as well as offering services oriented specifically at other aspects of cloud environments (like monitoring for threats against containerization and microservices) are in their infancy.
Over the last couple of years, many MSSPs have improved their capabilities around integrating with, and consuming log and data outputs from, SaaS vendors, especially the common solutions like Office 365, Salesforce and Workday. However, many MSSPs are just applying basic use cases to SaaS (for example, looking for brute force attacks on accounts). Some MSSPs are addressing specific risks, like business email compromise (BEC), and looking for anomalous administrative activities; but this is not yet consistent. Outside of these SaaS applications, MSS buyers will be forced to leverage solutions like CASB and an MSS that can support the preferred CASB vendor. This will be needed at least until more API access from the SaaS vendors is available and MSSPs are able to support those vendors. (See “Market Guide for Cloud Access Security Brokers.”)
Operational technologies, like industrial control systems (ICSs) and supervisory control and data acquisition (SCADA), are increasingly being targeted.1 This is driving organizations to apply more scrutiny to their OT environments, and security operations teams are being pressed to expand their coverage into the OT environments, including asset and vulnerability visibility, and threat detection and response. (See “2018 Strategic Roadmap for Integrated IT and OT Security.”) IT is very different from OT, and the skills available in the market are nascent. Additional risks like safety, privacy and resiliency are also concerns (see “OT Security Best Practices”). MSSPs, similar to cloud service providers, are being pushed by buyers and existing customers to help address these risks. However, it is still very early days. There are a number of OT- and IoT-specific security technologies available on the market (see “Market Guide for Operational Technology Security”), and some MSSPs have established partnerships. Yet many of the services being introduced are highly customized and have not hit peak demand to warrant transferring them into formally established service offerings in MSS portfolios. Buyer due diligence is warranted to validate the claims being made by MSSPs about their available OT and IoT security services.

The Segmentation of the MSS Market Is Increasing

The MSS market is increasingly segmenting between those MSSPs that are primarily interested in buyers that need customization around technology and services, and those that just want a traditional shared delivery approach. Many MSSPs are aligning to one of these types of buyers, and less commonly are targeting both.
MSS buyers can generally be grouped as:
  • First timers and low-security operations maturity organizations — These are organizations that have never leveraged MSSs, or may be lower on the maturity curve. They tend to focus on 24/7 threat detection and response, and complementary services only, leaving the provider to use their preferred delivery approach (i.e., a delivery model and platform shared across the customer-base). This is where much of the MSS buyer market currently exists.
  • Digital transformers — These are organizations, usually large or very large global organizations, with varying degrees of security operations maturity, who need to improve their current security operations capabilities as part of larger, IT digital transformation projects, e.g., moving IT toward the use of cloud services. (See “Driving Digital Business Transformation for Industry Leadership: An Executive Perspective”).
  • SOC builders — These are organizations that want their own SOC, but lack the skills, expertise and time to build it themselves. These buyers may already own a SIEM solution. They want a provider that can build and support the SOC, either in a short-term model until the buyer can run it themselves (usually up to 12 months) or continually in an ongoing support capacity (fully outsourced or in a hybrid model).
  • High-maturity augmenters — These organizations have made significant investments in people, processes and technology in their security operations, but are looking for opportunities to hybridize the operations by leveraging services providers.
  • Compliance-focused buyers — These organizations simply want to meet the requirements of a common compliance standard to satisfy auditors, customers or trading regulations.
System integrators and IT outsourcers are increasingly targeting the digital transformers and SOC builders. These target organizations have specific technology-based approaches in mind and are looking for a partner that can provide assessments via consulting activities; recommend, architect, sell, and implement buyer-preferred technologies; and then operate and run those technologies for the buyers. These projects tend to be large-scale, cross-IT, multiyear efforts where the scale of activities (including MSSs) aligns to the provider. The first timers and high-maturity augmenters who make up the majority of Gartner clients want an outcome that provides monitoring, detection and response as a service. This is usually achieved through the use of shared services that have been optimized for delivery efficiency and are at lower price points compared to one-off and customized services.

Mobile Apps Are Emerging, but Portals Are Still Important

The number of MSSPs also offering a mobile application has increased over the past twelve months (e.g., Atos, CenturyLink, IBM and Secureworks). This is expected given the always-connected nature of organizations and the needs of multiple personas. For example, a CISO or CIO who travels frequently and is not tethered to a laptop will benefit from any-time access to the status of the services from the MSSP. Security operations analysts who participate in an on-call rotation as part of the incident response capability will benefit from the expediency when something is alerted after hours. They can pick up their phone, open an app and start to review the incident details, rather than having to find their laptop, connect and log into the MSSP portal, and locate the case or ticket. Both use cases allow for more frequent access to, if not interaction with, the MSSP. Mobile apps are not yet ubiquitous and the experience varies widely, so validating the provider’s mobile app experience, if it is important, should factor into the requirements for selecting an MSSP.
Portals for interfacing with an MSSP have not disappeared, nor has their usage. MSS buyers surveyed for this Magic Quadrant indicated that 40% still use the MSSP portal daily and 26% use it at least weekly. Despite this level of usage, the portal experience still varies widely across MSSPs. Magic Quadrant reference buyers in this research were generally neutral or merely satisfied with their MSSP’s portal as a day-to-day interface to the MSSP’s services. MSSPs that have been in this market for many years still offer the most mature portal experiences. Providers in markets like IT outsourcing tend to put less emphasis on the portal, favoring its use for service management over offering the SIEM-like features that security teams require. (See “Critical Capabilities for Security Information and Event Management.”)

MSS Is Starting to Be SOAR-Powered

It’s still early days for SOAR, but the promise of improving the efficiencies and consistencies of SOC activities, as well as being able to offer more customized processes to MSS customers is compelling. (See “Innovation Insight for Security Orchestration, Automation and Response” and “Preparing Your Security Operations for Orchestration and Automation Tools.”) Some MSSPs have adopted SOAR technologies in earnest and have embedded them at the core of their delivery platforms. Based on conversations with SOAR technology vendors and MSSPs, we expect most MSSPs to adopt and embed SOAR capabilities over the next three years.
So what does this mean for MSS buyers? SOAR is not a panacea for MSS buyers. At this stage, SOAR technologies will be used by MSSPs to make their analysts more efficient and more productive (and happier) by removing mundane activities. If properly leveraged, customer experiences with their MSSs should improve when it comes to consistency and repeatability of agreed processes. In principle, the detection of threats should improve if MSSP SOC analysts are given more time to investigate and triage suspect events (e.g., reducing the number of false positive alerts sent to customers). In the future, automated response actions initiated by the MSS against the customer’s own technologies to reduce the mean time to respond might become a reality (but that is in its infancy right now).


Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
Overall Viability: Viability includes an assessment of the overall organization’s financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization’s portfolio of products.
Sales Execution/Pricing: The vendor’s capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.
Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor’s history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This “mind share” can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers’ wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers’ wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor’s approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.
Business Model: The soundness and logic of the vendor’s underlying business proposition.
Vertical/Industry Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

Magic Quadrant for Managed Security Services, Worldwide 2018

Magic Quadrant for Managed Security Services, Worldwide

Published 27 February 2018 – ID G00325535 – 79 min read

Security and risk management leaders interested in managed security services for threat detection, security technology management and compliance concerns should use this Magic Quadrant to help identify and evaluate providers with the ability to deliver services globally.

Market Definition/Description

Gartner defines managed security services (MSSs) as “the remote monitoring of security events and security-related data sources, or the management of IT security technology along with security event monitoring, delivered via shared services from remote security operations centers (SOCs), not through personnel on-site nor remote services delivered on a one-to-one basis to a single customer.”
Managed security service providers’ (MSSPs’) portfolios typically include the following services:
  • Security event monitoring only, or security event monitoring along with device/agent monitoring and management, primarily in the following categories:
    • Firewalls
    • Network-based threat detection technologies, such as network intrusion detection/prevention systems (IDPS)
    • Multifunction firewalls, or unified threat management (UTM) technology
    • Security gateways for messaging or web traffic
    • Web application firewalls
    • Endpoint protection platforms (EPPs), host intrusion detection/prevention systems (HIDS/HIPS) and endpoint detection and response (EDR)
  • Security analysis and reporting of events collected from IT infrastructure and application logs
  • Reporting for service management, regulatory compliance requirements and threat detection purposes
  • Management and monitoring, or monitoring only of advanced threat defense technologies, or the provision of those capabilities as a service
  • Vulnerability scanning delivered as a service
  • Management and monitoring of customer-deployed security information and event management (SIEM) technologies
  • Incident response services (both remote and on-site)
Services, such as the ones listed below, may also be part of MSS offerings, but are not common across all providers:
  • Distributed denial of service (DDoS) protection
  • Advanced threat intelligence services (e.g., dark web monitoring)
  • Secure messaging gateways, secure web gateways and web application firewalls delivered “as a service”
  • Managed vulnerability management (e.g., end-to-end management that includes scanning, prioritization and patching on behalf of the customer)
  • Identity and access management
This Magic Quadrant evaluation primarily focuses on the services for monitored, and managed and monitored, network security devices, host-based agents, and log event analysis and reporting services for other sources required by the buyer. These functions make up the core of MSS procurements.
There are no vendors appearing in the Visionaries quadrant of this Magic Quadrant. MSS is a mature market with a core set of services that appear in most MSS engagements.

Magic Quadrant

Figure 1. Magic Quadrant for Managed Security Services, Worldwide

Source: Gartner (February 2018)

Vendor Strengths and Cautions


AT&T

AT&T is a global telecommunications and IT services provider that offers a range of security device management and monitoring services for large enterprises, midsize businesses and governments. Headquartered in the U.S. (Dallas), and with regional offices in the U.K. (London) and Hong Kong, AT&T delivers services from five 24/7 SOCs (one Europe-based, one Asia/Pacific-based and three U.S.-based) and three SOCs operating local business hours (one in the Asia/Pacific region, one in Brazil and another in Europe). Customers served by an SOC operating local business hours and seeking after-hours support are routed to a 24/7 location with local language support. AT&T Threat Manager is its security event monitoring and management service, which is priced by events per day (EPD). Threat correlation and analysis is performed via the AT&T Threat Intellect platform, which leverages both commercial SIEM technologies and big data technologies and analytics, and is delivered to customers as part of AT&T’s Threat Management and Intelligence solutions. Device management is available through discrete managed security offerings for network security, data and application security, and mobile and endpoint security. Device management and workflow is handled through the AT&T Business Center portal, which also provides access to the Threat Manager view. The vendor offers threat intelligence via the AT&T Internet Protect service. AT&T supports in-country/customer premises data management in all regions, and can use local partners for device management to meet data residency requirements.
AT&T should be considered by organizations with a preference for services to be sourced from a single supplier, particularly managed network services and IT infrastructure security controls that need to be deployed, managed and monitored across the customer’s environment (both on-premises and cloud services) and the provider’s environment.

  • AT&T provides a wide scope of security-focused managed and monitoring services, with a strength in network-based security solutions. The security portfolio complements its managed network infrastructure and service offerings.
  • AT&T provides an integrated business portal where customers can access a variety of services, including accessing the Threat Manager portal along with portals for device management and vulnerability management services. The Threat Manager portal provides a strong user experience for both analysts and management personas, including customized dashboards, a risk trend feature and case management.
  • AT&T has moderate visibility with Gartner clients considering discrete MSSs.

  • AT&T provides support for Amazon Web Services (AWS) environment monitoring, but lacks support for Microsoft Azure and supports only a limited set of SaaS providers (e.g., Office 365, Box and Salesforce). Cloud access security broker (CASB) support is limited to SkyHigh Networks. Buyers should confirm support for their preferred SaaS vendors and other CASB vendors.
  • Customers wanting to leverage advanced threat detection technologies should confirm AT&T’s ability to monitor, and manage, preferred solutions as required, through either standard or custom delivery. AT&T has introduced a network-based forensic service that is only available to U.S. customers at this time due to data privacy restrictions. Customers outside the U.S. that are interested in this service should confirm future availability.
  • AT&T’s MSS business is most visible in the North American market, with lower visibility in Europe and little in the Asia/Pacific market. Buyers requiring a strong presence in the Asia/Pacific region should closely evaluate AT&T’s coverage there.

Atos

Atos is a global IT, digital service and software company with headquarters near Paris and regional offices in the U.S. (Purchase, New York) and Singapore. In addition to the vendor’s MSSs under the Cyber Security Services business, Atos provides a wide range of consulting, system integration, managed IT services and other offerings. Atos’ MSSs are delivered through a network of 14 24/7 SOCs (three in the U.K., six in continental Europe, two in the U.S., two in India and one in Malaysia). Atos recently acquired Anthelio Healthcare Solutions, providing capabilities in the Internet of Things (IoT)/OT space for managing privacy and compliance risks in the North American market. Atos provides threat intelligence and vulnerability notifications to customers using tools and services from partners like McAfee and Tripwire. Atos offers incident response and remediation activities as part of its core services in the form of forensic analysis and custom malware analysis, as well as offering optional threat hunting services and EDR leveraging CrowdStrike, for example. Advanced threat detection and monitoring services are available as part of Atos’ Prescriptive Security SOC offering, which leverages Atos’ proprietary big data analytics solution (Atos Codex) as well as technologies like user and entity behavior analytics (UEBA). In addition, IT/OT/IoT SOC services are developed and delivered together with Siemens.
Atos’ existing IT services customers and European-headquartered organizations with global coverage requirements that want a provider that can deliver end-to-end security management and monitoring services should consider the vendor for MSSs.

  • Customers requiring advanced analytics capabilities can opt for Atos’ flexible options leveraging Atos Codex, leading UEBA technologies or both.
  • Atos has a range of experience in securing transformational digital business projects within large enterprises, driven by its wider range of IT services engagements.
  • Atos supports customers that require end-to-end security management, monitoring and response, and offers standardized and customized solutions.
  • Atos partners with leading security technology vendors in areas such as network traffic analytics, endpoint protection, EDR, DDoS mitigation and encryption.

  • Atos Codex is currently only available to customers that opt for a dedicated McAfee SIEM platform. Atos indicates that adding Codex to the shared platform is on its roadmap. Customers that plan to leverage their shared SIEM platform and want advanced analytics capabilities should confirm availability.
  • Atos’ MSS portal is oriented toward reporting and dashboards to communicate information to customers, and provides limited support for bidirectional customer interaction.
  • Atos can monitor SaaS vendors supported within the McAfee Enterprise Security Manager (ESM) solution. Buyers should confirm support for monitoring of their preferred SaaS vendors and CASB solutions.
  • Atos is rarely mentioned by Gartner clients interested in stand-alone MSS engagements.

BAE Systems

BAE Systems, headquartered in Farnborough, U.K., offers a range of products and services in areas such as national defense, financial services and cybersecurity to industry and governments. The MSS group is headquartered in Guildford, U.K., with key offices in New York City, Dubai, Singapore and Sydney. Its offerings include Security Event Monitoring (SEM), Complete Security Monitoring (CSM), Managed Detection and Response (MDR), and Security Device Management (SDM). Services are delivered using five 24/7 SOCs — one in the U.K., three in the U.S. and one in the Philippines. Data residency requirements are typically met by retaining data locally and in geospecific cloud infrastructure. In the Asia/Pacific region, a local partner delivers services and cloud storage is not yet available. The BAE analytics platform uses a combination of commercial SIEM technologies and a big data and analytics, Hadoop-based platform. BAE supports common IaaS and security-as-a-service vendors such as Amazon CloudFront, AWS CloudTrail, Cisco ScanSafe and Proofpoint. On-site and remote incident and breach response services are available via retainer.
BAE Systems has a customer base in EMEA of large enterprise businesses, primarily leveraging its CSM and MDR services, and a large customer base of small or midsize businesses (SMBs) in North America, primarily leveraging its NSM and SDM services. The vendor delivers its MSS offering using a combination of proprietary and commercial solutions, depending on the customer’s region and based on data privacy or residency requirements.
Companies in the financial services, legal, healthcare, media, critical infrastructure and defense markets that need a range of security monitoring, device management and advanced threat defense solutions should consider BAE Systems.

  • Advanced detection capabilities are supported by proprietary BAE Systems technology with its passive Network Probe Sensor and EDR agent. Customers that have not deployed commercial technologies for these functions can have these capabilities provided as a service.
  • BAE Systems’ MSS is augmented by a range of incident response services, including response and threat containment capabilities that are built into the MSS relationship, retainer-based response contracts, and incident response program development services.
  • Customer marks on BAE Systems’ threat detection capabilities are above average.

  • Most BAE Systems customers are in North America, with a small number in the Europe and Asia/Pacific regions. In the Asia/Pacific region, a partner delivers services for customers that require local data storage. Prospective customers with data residency or service delivery requirements specific to the Asia/Pacific region should validate the availability of services from BAE Systems.
  • The MSS portal offers limited reporting capabilities and management of vulnerability scans compared to those of leading competitors. Threat intelligence is provided through a separate portal.
  • SaaS monitoring is limited to Office 365. There are no MSS integrations with CASB solutions. BAE Systems indicates that support for CASB vendors is on its roadmap.

BT

BT is headquartered in London with key offices globally, including London, Hong Kong and Dallas. BT has six European SOCs and four Asia/Pacific region SOCs providing 24/7 service, with an additional four non-24/7 SOCs worldwide. BT provides a range of telecommunications, cloud-enabled hosting, cloud brokering and integration, and collaboration services, in addition to managed security services. BT’s MSS offerings have been under the BT Security brand name since 1Q17. BT Security’s MSS portfolio includes a range of offerings primarily within the Managed Security Services and Security Intelligence portfolios. Security Intelligence includes services such as Security Log Management (SLM), Security Threat Monitoring (STM), Cyber Security and Security Threat Intelligence. Technology management is under Managed Security Services and includes managed firewalls, DDoS, web, email, PKI and cloud security. Additional offerings include Security Vulnerability Scanning (SVS) for managed vulnerability scanning and Managed SIEM for McAfee ESM, LogRhythm and IBM QRadar customers. BT’s strategy for managed security services is evolving to emphasize its Managed SIEM and Cyber Security Platform offerings for existing BT customers and global enterprise buyers that require more one-to-one-oriented services, as opposed to delivery using a shared analytics platform that this research primarily assesses. BT has two separate portals for security technology management (Security Hub) and monitoring services (Security Threat Monitoring), which BT has been revamping over the last 12 months. Consulting services are available to meet a variety of customer demands. Incident response support, available as a retainer, is delivered in partnership with FireEye-Mandiant and other firms. BT can meet requirements for data residency with in-region/in-country service provision and citizenship requirements for SOC staff.
Global enterprises seeking global MSS capabilities to satisfy complex security requirements should consider BT.

  • BT can support customers that require integrated cloud services (hosting and/or brokering) and MSSs, especially security threat monitoring.
  • BT has many partnerships with security technology and service vendors that are leveraged to provide broad support for device management, as well as threat monitoring services. Customers requiring custom solutions will also benefit from these partnerships.
  • Customers give BT above-average marks for overall service satisfaction.

  • BT’s efforts to upgrade its portal have resulted in incremental improvements, with further enhancements planned. Customer self-service options in these portals for basic functions, like account management, ticket ownership and management, and interacting with SOC staff, are very limited compared to competitors.
  • BT’s own big data technology and advanced analytics capabilities are currently limited to buyers purchasing its Cyber Security Platform (CSP), which can be delivered as a stand-alone on-premises or hosted solution. BT indicates elements of CSP are on the roadmap to be extended to other BT Security services, such as STM.
  • BT has low visibility with Gartner clients for stand-alone MSS deals. MSSs are commonly bundled with larger networking, cloud services and cybersecurity (e.g., on-premises SOC build-outs) initiatives with BT.


Capgemini

Capgemini, with headquarters in Paris and regional offices located in North America, Europe and the Asia/Pacific region, provides MSS as part of its Cybersecurity Services business. Capgemini delivers services from seven 24/7 SOCs located in India (Mumbai and Bangalore), and regional SOCs in Luxembourg; Toulouse, France; Madrid; and Inverness, Scotland, for customers with data residency and sovereignty requirements. There is one non-24/7 SOC in India. Capgemini provides a variety of MSSs. Log management and security event monitoring are supported via its shared QRadar SIEM solution, with flexible options for dedicated QRadar instances. Five further SIEM solutions (Huntsman Enterprise SIEM, Micro Focus ArcSight, McAfee ESM, RSA NetWitness and Splunk) are supported based on customer preference, or for customers wanting management of their existing SIEM tool. Customer access to services is via the MSS Portal, which provides a basic dashboard, case management and reporting-oriented interface to the services provided to customers. Capgemini provides a tiered service approach (Bronze, Silver and Gold) to MSS buyers based on the level of services and support required. Additional services include management and monitoring for vulnerability scanners, firewalls, endpoint protection, NIDS/NIPS, web application firewalls (WAFs), CASB, and data loss prevention. Further services are available that cover consulting and advisory, identity and access management, and DDoS, among others.
MSS buyers looking for flexible options for SIEM tools and a wide portfolio of device management and security monitoring services, as well as existing Capgemini customers, should consider Capgemini for MSS.

  • Capgemini offers support for a wide variety of SIEM solutions, as well as other security technologies.
  • Capgemini leverages its own threat intelligence network for gathering intelligence to complement third-party commercial sources, which is utilized by its SOC and visible to customers.
  • There is local and regional data residency and sovereignty support for European customers via dedicated local SOCs and data centers.
  • Capgemini offers specific consulting and security monitoring services tailored to customers with ICS/SCADA and IoT environments.

  • Capgemini’s portal lags competitors as its focus is on service visibility, management and reporting. Features like log searching and compliance reporting are not yet supported. Capgemini is actively adding enhancements to the portal, and has recently introduced support for multifactor authentication, a chat function with SOC staff and the ability to import vulnerability scanner data.
  • North American and Australian customers requiring that services be delivered domestically should confirm plans for future expansion of SOCs in those regions.
  • Capgemini has limited visibility with Gartner clients for MSS-specific deals. Capgemini’s MSS deals are often included as part of end-to-end cybersecurity outsourcing or digital transformation initiatives.

CenturyLink

CenturyLink is based in Monroe, Louisiana, and has regional offices in Singapore and London. On 1 November 2017, CenturyLink completed the acquisition of Level 3 Communications, expanding its global presence and security service portfolio. CenturyLink provides telecommunications and public and private cloud services, in addition to MSSs. MSS can be acquired as a stand-alone service or as an add-on to other CenturyLink services. With the acquisition of Level 3, CenturyLink now has more than five 24/7 SOCs operating on four continents, including North America, Europe (London), Asia/Pacific (Singapore) and Latin America (Buenos Aires, Argentina, and Sao Paulo, Brazil). There are dedicated North American and U.K. SOCs to support national government contracts. CenturyLink provides a full scope of monitoring and management activities across a broad spectrum of security platforms, including next-gen firewalls, UTM systems, network and host IPS, WAF, VPN, EPP, email and web security, vulnerability scanning, threat intelligence services (from both legacy CenturyLink and Level 3), and advanced threat-oriented capabilities (e.g., network customer traffic analyzed against threat intelligence and advanced analytics for behavioral anomalies). CenturyLink uses a combination of proprietary implementations of big data platforms and other tools (such as from its previous acquisition of Cognilytics) and commercial products to collect, store and analyze customer log data and manage workflow. There are several service tiers available, from basic endpoint security management to advanced threat-oriented capabilities. Incident response, including on-site breach response services, is available with a retainer fee. Some data residency and staff citizenship requirements can be met with in-region SOCs and data storage. The pricing model for MSS depends on the services taken and includes set monthly recurring or usage-based fees; for example, threat monitoring is based on GB-per-day data.
Existing network services, infrastructure as a service (IaaS) and cloud service customers, as well as organizations with global service requirements, should consider CenturyLink for MSSs.

  • The MSS portal, which continues to see ongoing enhancements, provides fine-grained role mapping and access for users, and provides easy-to-use report creation and customization features.
  • CenturyLink offers several options for storing customer log data ranging from customer premises to regional CenturyLink data centers to commercial or CenturyLink cloud infrastructure.
  • CenturyLink’s expansion of its global SOC presence, which also increased with the acquisition of Level 3, now offers customers a local presence in four continents.
  • Customers give CenturyLink good marks for the ability to detect threats, and would generally recommend the service to other buyers.

  • All managed services are available across the globe, except for services leveraging EDR and endpoint forensic tools, which may be limited to specific tools depending on the customer’s geography. Advanced threat detection and forensics capability based on packet capture and analysis is not yet available, but is planned for 2018. Organizations seeking support for these tools, particularly use of EDR tools outside of the U.S., should validate timing and support availability with CenturyLink.
  • CenturyLink has made enhancements to its portal over the last 12 months, but the portal still has limited features for capturing and using assets and their business value, and does not currently support integrations to enable managing vulnerability scans or viewing scan results.
  • CenturyLink has low visibility with Gartner clients for stand-alone MSS deals. CenturyLink’s current focus is selling MSSs to existing enterprise customers, although it does sell discrete MSSs to non-CenturyLink customers.

DXC Technology

DXC Technology, a newly formed entity as the result of the merger of CSC and Hewlett Packard Enterprise’s (HPE’s) Enterprise Services business, is headquartered in Tysons, Virginia. The merger formally concluded in March 2017. The vendor has 16 SOCs across the Americas, EMEA and the Asia/Pacific region. DXC offers a range of security implementation and consulting services other than MSSs for enterprise and government customers. In addition to security monitoring and device management, DXC does offer additional standard managed services like managed SIEM, managed EDR, vulnerability assessment and DDoS protection, among others. The vendor differs from many other MSSPs in that it offers a range of managed services around identity and access management, such as Identity Management as a Service and Privileged Account Management. As an MSS provider, DXC is currently in a state of consolidation and change, in terms of both the technology platforms used for MSS delivery and new services that the provider is planning to introduce.
Customers requiring globally delivered MSS, especially those looking for a partner that also offers additional IT and security services, should consider DXC for MSSs.

  • DXC has a large revenue and incumbent base of security service customers, and has the ability to support large enterprise engagements across geographies.
  • DXC has a large partner network for security technologies and a strong portfolio of supported technologies, in addition to an extensive set of security-related service offerings.
  • DXC can support customers with hybrid cloud environments that require security monitoring and management services.

  • Following the merger of HPE’s Enterprise Services business and CSC, DXC still supports two separate portals for its MSS customers. Several key portal elements (asset management, multilanguage support, reporting, etc.) are at a basic stage or still being introduced to the customer portals. Log storage and search capabilities using big data technologies are currently being deployed globally.
  • Due to the merger, DXC has 16 SOCs across the world today, with a stated intention to consolidate SOCs located in the same local areas. Customers and prospects should carefully investigate the impact of this planned consolidation on the delivery of their service.
  • DXC, particularly as a new brand, rarely shows up on Gartner client shortlists for pure-play MSS deals.


Fujitsu

Fujitsu is headquartered in Tokyo, with key offices in London; Munich; Lisbon; Richardson, Texas; and Sunnyvale, California. Fujitsu has a large operational presence in Europe and Japan, with 24/7 SOCs in Japan (nine total), Australia, Singapore, India, Germany, the U.K., Finland and the U.S. Fujitsu’s security portal is primarily an interface to its underlying delivery platform, which is built on LogRhythm’s SIEM solution. Fujitsu has an in-house Cyber Threat Intelligence (CTI) capability, which leverages a range of commercial and open-source feeds and partnerships with third parties, that underpins the threat analytics and detection capabilities within its MSSs. The CTI capability is also delivered as a stand-alone offering. Incident response support and consultancy is available as a retainer. Advanced threat detection capabilities for endpoints and networks, as well as sandboxing, leverage technology from partners such as FireEye, Check Point Software Technologies, McAfee, Symantec and others. Malware analysis is available on a range of commercial and open-source toolsets, and forensic analysis is delivered via Fujitsu consulting and partners as needed.
Buyers, including existing Fujitsu IT services customers, should consider Fujitsu for MSSs if they are looking for a provider that offers flexibility for service delivery, or if they already have IT services that can be easily integrated and would benefit from security enhancements.

  • Fujitsu provides managed services across a wide portfolio of technologies, including firewalls, UTM, endpoint protection and encryption, IDS/IPS, WAFs, VPN and remote access services, email security, data loss prevention, and identity and access management, in addition to its CTI, threat analytics and advanced threat detection offerings.
  • Fujitsu’s reach in the Asia/Pacific region and Europe is strong.
  • Fujitsu leverages leading SIEM technologies to deliver its security event monitoring and threat analytics and detection capabilities.

  • Fujitsu’s technology integrations, partnerships and service delivery methodology for MSS are less mature compared to competing vendors.
  • Fujitsu’s security portal is based purely on access to its LogRhythm platform. Service management functionality, including ticket management, customer communications and management dashboards, lags behind competitors.
  • Fujitsu has very low visibility with Gartner clients looking for discrete MSSs.

HCL Technologies

HCL Technologies is a global IT services provider that offers a range of IT and security services aimed at buyers, primarily through broad-scope IT outsourcing engagements. HCL is headquartered in Noida, India (with regional headquarters in London and Sunnyvale, California). MSS is a part of HCL’s Cybersecurity and GRC services provided via six 24/7 MSS SOCs worldwide (four in India, and one each in Europe and the U.S.). MSS is delivered using commercially available SIEM technologies (IBM QRadar, Micro Focus ArcSight, RSA NetWitness and Splunk), chosen in consultation with the customer. SIEM solutions are leveraged for log collection and management, and real-time security event monitoring and analysis. HCL also offers dedicated managed SIEM options. The vendor provides managed EDR, with multiple technology options available to customers, in addition to threat hunting services. SecIntAl is HCL’s branding for its big-data-based security analytics and threat intelligence capability that underpins the analytics for its threat monitoring services.
HCL’s portal provides a single dashboard-oriented interface across all supported SIEM tools, vulnerability management, endpoint management and CMDB services. Dedicated views in the portal support both analysts and leader personas. HCL supports a variety of third-party security technologies. In addition to firewalls, IDPSs and secure web gateways (SWGs), it also supports a variety of solutions like EDR, CASB, network traffic analysis (NTA) and vulnerability management. Related services, like incident and breach response, are provided by select partners.
Organizations engaged in IT outsourcing and technology transformation projects, buyers looking for providers to use their preferred SIEM tool and broad-based support for security technologies, and existing HCL Technologies customers should consider HCL for MSSs.

  • MSS customers can leverage HCL’s support for security technologies across a wide range of markets for product procurement, implementation and management. HCL’s MSS delivery approach is customizable to customers’ requirements and existing security technology solutions.
  • HCL offers a lot of flexibility for buyers with broad and complex security monitoring and management requirements across on-premises, SaaS, IaaS and PaaS environments.
  • Customers generally give HCL above-average marks across acquisition, implementation and overall services.

  • HCL Technologies’ portal is focused mainly on service visibility through predefined dashboards and reports. Search functionality has been enhanced in the last 12 months, but is limited to 30 days of online data by default.
  • Customers looking for a turnkey security event monitoring service leveraging a shared delivery platform (e.g., no preference for an SIEM solution or bringing their own SIEM tool) should confirm with the vendor which SIEM solution will be used for the service and whether it meets buyers’ requirements and supports existing technologies (security and IT log event sources).
  • HCL Technologies is rarely mentioned in Gartner client inquiries for discrete MSSs as most HCL customers procure MSSs in conjunction with other outsourcing initiatives.


IBM

IBM is headquartered in Armonk, New York, with MSS offices in the U.S. (Atlanta and Cambridge, Massachusetts); London; Brussels; and Hortolandia, Brazil. IBM offers a broad range of MSSs, security consulting and incident response, either as stand-alone offerings or as part of larger IT services and outsourcing engagements. MSSs are delivered from five 24/7 SOCs, called X-Force Command Centers: one in the U.S.; one in San Jose, Costa Rica; one in Hortolandia, Brazil; one in Tokyo and one in Wroclaw, Poland. IBM has three additional non-24/7 SOCs in India, Belgium and the U.S. IBM uses its QRadar SIEM solution to deliver unified monitoring across MSS, regardless of the location of the QRadar platform — shared multitenant, on-premises or as a service. There are four MSS tiers available, ranging from basic endpoint security to highly customized services. IBM’s advanced analytics and targeted attack detection capabilities for the network and hosts include support for customer-deployed products, IBM products (e.g., QRadar modules) and strategic partner solutions (e.g., Carbon Black for IBM Security’s Managed Detection and Response service). Threat intelligence and incident response services, as well as security consulting services, are available. Support for data residency requirements is available through European Commission Model Clauses contract language, local data centers in the customer’s region supported by EU staff out of the Poland SOC, and use of either on-premises QRadar SIEM or SIEM as a service hosted within IBM Cloud in region.
Large enterprises with global service delivery requirements looking for flexible security event monitoring technology options, and those with strategic relationships with IBM, should consider IBM for MSSs.

  • IBM’s “QRadar Anywhere” approach provides flexible options for IBM QRadar SIEM customers that require managed SIEM options. Customers can migrate from the shared MSS platform to co-managed on-premises or QRadar on Cloud, or vice versa, as strategies evolve.
  • IBM MSS delivery is supported by a range of strong threat intelligence partners, including IBM’s X-Force Security Research, third-party commercial sources and data collected via the vendor’s in-house incident response services.
  • IBM has moderate visibility with Gartner clients considering MSSs. IBM’s visibility for co-managed SIEM opportunities, however, is growing relative to its visibility for discrete MSSs.

  • Customers report that the IBM sales process is uneven in its ability to engage with them effectively, citing, for example, a lack of responses to RFPs. Customers also report mixed satisfaction with IBM’s delivery of MSS services. Marks are lower than those of competitors in areas like overall service capabilities and overall experience.
  • Buyers should carefully analyze the technology approach recommended to deliver MSSs (e.g., shared or dedicated QRadar, whether on-premises or hosted) to ensure that the approach is compatible with their IT environments, architectures and requirements.
  • IBM offers a managed EDR service that is used for real-time threat detection and threat hunting purposes, but it has little visibility with buyers.

NTT

NTT brings together the MSS-specific resources and delivery platforms of NTT Com Security, Solutionary, Dimension Data, NTT Communications, NTT DATA and technology from the NTT Innovation Institute. NTT Security has been established as the specialized security company of the NTT Group. NTT is headquartered in Tokyo, with regional headquarters for North America, Europe and the Asia/Pacific region. NTT offers a broad range of security professional services and integration and incident response services. NTT Security has 17 24/7 MSS SOCs globally: six in the Asia/Pacific region, five in Europe and six in North America. In 2017, NTT progressed toward integrating its three separate platforms used for delivering MSS. Its new operating model is similar in nature to a channel-based approach in that NTT Security doesn’t directly sell services, instead relying on its group companies, which have varying levels of coverage and support in the different geographies. NTT is actively migrating North American and Japan customers to its new Global Managed Security Services Platform (GMSSP), while EMEA and remaining Asia/Pacific region customers continue to use the existing WideAngle and ArcSight ESM-based platforms. NTT Security MSSs are sold via the NTT Group companies of Dimension Data, NTT Communications and NTT DATA.
Customers of NTT operating companies, and enterprises seeking a large global provider, should consider NTT for MSSs.

  • NTT can bundle MSS with a wide range of security service offerings and delivery options, including broader telecommunications and IT infrastructure service offerings.
  • NTT has the ability to serve a wide range of industries/verticals across geographies due to the NTT Group companies’ global presence.
  • The new NTT Security portal (GMSSP) has a good range of roles available, with some customization and self-service capabilities available to customers. Integrations with NTT Group companies and customers to the GMSSP are supported via a RESTful API.
  • NTT has moderate visibility with Gartner clients looking for discrete MSSs.

  • NTT Security has moved its security sales team to the NTT Group companies while the delivery of the service happens through NTT Security, which is a separate group. This may create misalignment between the sales/marketing and product management/engineering functions, and may create confusion for customers that wish to purchase MSS from NTT Security.
  • Many of NTT’s EMEA and Asia/Pacific region customers are still on their older portals and delivery platforms. MSS customers should get clarity from their NTT Group company provider regarding plans to migrate to the new portal without affecting service continuity and while maintaining service features.
  • While there is a managed EDR offering with Carbon Black, FireEye and CounterTack, NTT is behind some of its competitors in introducing advanced threat-detection-oriented services relative to threat hunting and network monitoring.

Orange Business Services

Orange Business Services (Orange), headquartered in Paris and with regional offices in a wide variety of locations across the Asia/Pacific region, North America and Europe, offers a broad range of telecommunications and cloud-based IT infrastructure services, security consulting services, and MSSs. Orange’s MSSs are delivered using commercial and proprietary technologies for log management, event correlation and advanced threat detection, as well as some wider integrations with open-source big data technologies. Security Event Intelligence is the service offering for 24/7 threat detection and response. Threat intelligence is centered around malicious IP/URL/domain names curated by Orange and collected from a large number of public and private feeds and sources, discoveries made on the Orange Internet backbone, and intelligence from Orange’s in-house CERT team. Services are delivered from seven SOCs (three located in Europe, one in India, one in Malaysia, and one each in Mauritius and Egypt). All SOCs are 24/7 except for the European and Malaysia SOCs, which use a “follow the sun” model. Data residency requirements are addressed on a case-by-case basis, with a majority of non-European clients being serviced from the India and Egypt SOCs.
Orange’s network and infrastructure service customers and multinational organizations, especially those with a European and Asia/Pacific business focus, seeking network-security-focused MSSs should consider Orange Business Services.

  • Orange is experienced in integrating and operating global networking and IT services with MSS.
  • Security device management services are a strong focus for the vendor.
  • Orange has a good understanding of regulatory frameworks around data privacy and residency, and caters to many different standards, especially in the European region, with a focus on France.
  • Orange customers give above-average marks for vendor and service capability satisfaction.

  • The Orange MSS portal has less self-service functionality and usability than many of its competitors, and lags behind in granular user access and control, and reporting abilities. Orange has added enhanced portal functionality over the past 12 months, focusing on search and visualization capabilities.
  • Orange has less mature capabilities in providing advanced attack analytics as part of its MSS, with a focus on sandboxing and malware analysis rather than network or endpoint-based detection approaches.
  • Orange has limited market visibility with Gartner clients for discrete MSSs.

Secureworks

Secureworks offers a range of MSSs and other security-specific services to customers globally. Corporate headquarters are located in Atlanta, with offices in London, Edinburgh, Sydney and Tokyo. Services are delivered from three 24/7 SOCs in the U.S. (Atlanta; Chicago; and Providence, Rhode Island); one 24/7 SOC in Edinburgh, Scotland; and one 24/7 SOC in Kawasaki, Japan. The SOCs are supported by a center of excellence in Romania that is focused on customer device management and new service innovation. MSS delivery is through Secureworks’ proprietary Counter Threat Appliance (CTA) and Counter Threat Platform (CTP), which leverages a shared big data platform and advanced analytics capabilities. Customer access to services is via the Secureworks Client Portal. A range of commercial log sources from customer-deployed technologies are supported, in addition to leveraging commercial and proprietary tools for managed network and host-based threat monitoring. Host and network-based advanced threat detection are provided through Secureworks’ Advanced Endpoint Threat Detection (AETD) service (via its proprietary Red Cloak agent or Carbon Black) and its Advanced Malware Protection and Detection (AMPD; in partnership with Lastline) service. The Secureworks Counter Threat Unit research team provides threat research and threat intelligence, malware analysis, and analytics support to the provider’s SOCs. Additional services, such as vulnerability scanning (both customer- or Secureworks-managed) and advanced threat intelligence services are also available to buyers.
Midsize, enterprise and government organizations seeking an established MSS that leverages a consistent, shared delivery approach with a global presence, and a security-focused set of offerings, should consider Secureworks.

  • Advanced threat detection services are available for endpoints, whether leveraging the proprietary Red Cloak agent or Carbon Black, via the AETD service, which includes the ability to isolate hosts (either by the customer or by Secureworks’ SOC). Customers leveraging Secureworks iSensor in IPS mode, or via Secureworks managed firewalls, can self-initiate blocking for threats detected by the SOC.
  • Native support for IaaS monitoring in AWS and Azure is available, and includes capabilities for network and web app vulnerability management, which supports buyers requiring visibility and security monitoring in public cloud environments.
  • Secureworks offers an incident response retainer that is popular with buyers, which provides proactive as well as remote and on-site reactive response services.
  • Secureworks is highly visible with Gartner clients, and is frequently included in competitive MSS deals by North America-based midsize and enterprise buyers. It also has good visibility with U.K. buyers.
  • Gartner customers give positive feedback for Secureworks’ MSS offerings.

  • Secureworks lacks visibility with buyers in continental Europe and the Asia/Pacific region for MSSs.
  • Customers requiring raw event log retention (e.g., for compliance reporting and incident investigation purposes beyond 90 days) can opt for Secureworks’ on-premises log management offering (LogVault).
  • Monitoring for Office 365 and Salesforce is supported, but support for other popular SaaS solutions like Box, Dropbox and Workday are not yet available. There is no CASB option available.
  • Basic response services are available to AETD and device management customers, but other response services like forensics support, including malware analysis and threat hunting, require adding premium services.

Symantec

Symantec is headquartered in Mountain View, California, and has six SOCs: one each in the U.S., the U.K. and Japan, and three in the Asia/Pacific region (India, Australia and Singapore). The SOCs operate on a follow-the-sun model to provide 24/7 support. Customers are assigned to a primary SOC in their region along with a global team of analysts aligned to their specific industry vertical. Symantec’s Cyber Security Services offerings include security monitoring and management, including hosted log retention, security intelligence, incident response services and security skills development services. Symantec has a broad portfolio of security technology solutions. Recent acquisitions include Outlier Security (EDR), Skycure (mobile device protection), and Fireglass (isolation technology). Symantec’s MSS SOC technology platform is based on self-developed technology. Customer event and log data are analyzed by Symantec’s global SOCs and retained in the North American data center. Symantec meets data residency requirements through contractual arrangements and the EU Standard Model Clause. Symantec MSS supports advanced threat detection via integrations with its own solutions as well as third-party products for network monitoring and forensics capabilities, and for payload analysis. MSS monitoring of EDR and forensics tools is offered for Symantec and third-party products. Incident and breach response services are available on retainer or on an ad hoc basis to buyers looking for a single provider for MSSs and response services. Monitoring capabilities are available for popular SaaS, IaaS and public cloud services. Pricing for MSS is offered in two models: based on a per-device/event source cost or on an enterprisewide license that provides unlimited monitoring up to a set limit of event sources (aka nodes).
Enterprises seeking an established MSSP with a global presence should consider Symantec.

  • Symantec has a well-established threat intelligence capability via its DeepSight services.
  • Symantec’s MSS portal offers granular role definitions and strong support for tracking and managing incident workflow.
  • The enterprisewide pricing model offers larger customers flexibility in bringing security event sources into scope for monitoring, and avoids change orders to add event sources beneath the agreed-on total for monitoring.
  • MSS customers indicate that Symantec is effective in detecting and helping to respond to advanced threats and targeted attacks.
  • Symantec has good visibility for MSS among Gartner customers.

  • Symantec primarily focuses on security monitoring now and directly offers limited device management services, primarily for IDPS, and not for other security controls. Prospective customers seeking device management services in addition to monitoring must anticipate working with Symantec partners.
  • Current integrations with vulnerability scanning products do not enable MSS customers to schedule or run scans via Symantec’s MSS portal. Customers can view scan results in the portal.
  • Symantec’s MDR-type advanced threat detection offerings, one network-based and the other host-based, are in the limited pilot/early adopter phase. Buyers interested in using one of these services will need to validate when they are available in their geography.

Trustwave

Trustwave, a stand-alone business within Singtel Group Enterprise, is based in Chicago, with regional headquarters in London, Sao Paulo and Sydney. Trustwave has several partnerships with regional telecommunications and service providers (e.g., Rogers Communications in Canada, Optus in Australia, Globe Telecom in the Philippines and TIS in Japan) around the globe to provide MSSs to those partners’ customer bases. Trustwave has nine 24/7 SOCs around the globe — three in North America, two in Europe (Warsaw and London), and four in the Asia/Pacific region (Manila, Philippines; Singapore; Sydney; and Tokyo). In the case of its telecom partners, the 24/7 SOCs are operated by Trustwave, some of which are in colocated facilities with the partners. Trustwave has a large portfolio of security technologies — including SIEM, UTM, network access control, application security, WAF and anti-malware — and builds MSSs around those, as well as support for a variety of third-party security products. Threat intelligence and incident response services are provided in-house from the Trustwave SpiderLabs team. Trustwave offers a managed EDR service leveraging Carbon Black and CounterTack as partners. Midmarket and small enterprise organizations, especially those with PCI DSS compliance requirements, make up the majority of Trustwave customers; however, the vendor has increased its focus on large enterprise buyers.
Telecommunications customers that have formed strategic partnerships with Trustwave, as well as companies in the retail, hospitality, healthcare and banking vertical industries, should consider Trustwave for MSSs. Trustwave is a good option for customers that need both products and services from a single provider, as the vendor has several competitive security software- and hardware-based platforms.

  • Trustwave supports a large client base that spans small and midsize enterprises, as well as larger global organizations.
  • Trustwave has expanded its global footprint through strategic partnerships with communications service providers across the Asia/Pacific region and North America, implementing a customer- and vertical-centric delivery model across the newly established SOCs.
  • The vendor’s SpiderLabs security research, penetration testing and incident response teams provide threat intelligence that enhances the value of the MSSs, both through integration of the threat intelligence data directly into the monitoring workflow and through SpiderLabs analysts serving as a higher tier of skills for advanced triage.
  • Trustwave has moderate visibility with Gartner clients looking to purchase MSSs.

  • Trustwave is planning to release an update to its MSS portal. Customers coming on board should ensure that they are getting the new portal, and that they review the rollout plan and features for that portal to ensure that it does not affect their service continuity.
  • As Trustwave continues to add support for third-party security technologies, customers should validate when and to what extent the security products they have deployed will be fully supported by Trustwave MSSs.
  • Office 365 and Salesforce are supported directly via APIs; however, support for other popular SaaS vendors requires the use of a CASB solution. Trustwave claims that support for other SaaS vendors is available via API integrations, but it requires sufficient lead time (up to 45 days) for development and implementation.

Verizon

Verizon is a telecommunications company headquartered in Basking Ridge, New Jersey, with regional offices in Reading, U.K., and Singapore, which offers MSSs and security consulting services. Verizon uses a global network of SOCs, with three SOCs in the U.S., four in the Asia/Pacific region (India and Australia), and two in Europe (Luxembourg and Germany). Verizon’s Unified Security Portal (USP) provides single portal access across all services and capabilities for customers. Verizon’s MSS platform includes log management capabilities allowing clients to search, index and store logs using technology based on Elasticsearch. A mix of proprietary and commercial technology including Splunk is used to analyze security data, which is ingested via Verizon’s proprietary Log Event Collector (LEC). Verizon uses regional SOCs and data retention to meet requirements for local data storage and analysis. Network Threat Advanced Analytics, which was added as a service in 2017, is available to both customers on the Verizon backbone network and also through NetFlow analysis capabilities deployed on a customer’s site. Malware analysis and network and endpoint forensics are available to buyers. Remote and on-site support for incident and breach response is provided via the Threat Intel and Response Service.
Enterprises, including existing Verizon network customers, should consider Verizon if they require well-established global or region-specific MSSs.

  • Verizon’s investment in reporting, communications features and data visualization enables clients to fully manage, interpret and investigate their security incidents within Verizon’s Unified Security Portal.
  • Netskope and Cisco Cloudlock, two leading CASB solutions, are currently supported by Verizon. Buyers with SaaS monitoring requirements should confirm support for their preferred CASB vendor.
  • Verizon has moderate visibility with Gartner clients for MSSs.

  • Verizon’s pricing model, specifically for the MSS Analytics service, is based on the data volume of log event and other data sources sent per day, measured in GB per day (management of security devices is still priced on a per-device basis). Buyers considering Verizon services should carefully analyze how much event and data volume they currently generate, and may generate, over time, to properly scope the service costs.
  • Vulnerability management in Verizon’s Unified Security Portal lags behind many competing MSSPs. Buyers should validate how Verizon integrates and leverages the data from their preferred vulnerability management solution.
  • Verizon lags behind competitors in its managed EDR service offerings. Leading EPP vendors are supported, but EDR-specific technologies are not yet supported.

Wipro

Wipro provides a variety of MSSs, including security threat monitoring, infrastructure security operations and technology management, vulnerability management, incident response, identity and access management, and security consulting services. Wipro is headquartered in Bangalore, India, with offices in London, New York, New Jersey and elsewhere around the globe. MSSs are delivered from 14 24/7 SOCs, with eight in India (Bangalore, Pune, Chennai, Mysore, Bhubaneswar, Kochi, Noida and Gurgaon), two in Europe (Amsterdam and Meerbusch, Germany), and four in North America (Houston, Dallas, Phoenix and Edmonton, Canada). Wipro offers security event monitoring via its multitenant ServiceNXT platform, or Wipro can support customers that bring their own SIEM solution or require a specific, dedicated SIEM tool. Wipro currently supports six SIEM platforms. Customers access the Wipro MSSs through the Cyber Defense Center (CDC) portal, which provides a single landing page for accessing services used by customers. Wipro has a broad portfolio of technology partnerships available to buyers. Flexible options are also available to meet local or regional data residency requirements and regulations.
Buyers across Europe, the Americas and the Asia/Pacific region considering MSS as part of broader IT outsourcing activities, and enterprises seeking flexible options for managing a range of security controls, including SIEM tools, across a variety of IT environments, should consider Wipro.

  • Wipro makes newer technologies such as EDR, NTA and SOAR available to buyers and customers (as well as for use internally for service delivery where applicable). Wipro made additional strategic investments in 2017 (Demisto) to complement existing investments (Vectra and IntSights). Wipro plans to introduce services leveraging breach and attack simulation, as well as deception solutions, in the future.
  • Wipro has extensive partnerships across a range of security technologies that it can implement and manage, and it can use those tools on behalf of buyers to meet their specific or customized requirements.
  • Wipro’s MSS delivery approach is highly customizable to customers’ requirements and existing technology solutions.
  • Wipro customers report positive feedback for the vendor’s overall services and experience, but the feedback for the onboarding process is less positive.

  • Wipro is in the process of moving its primary delivery model to a shared, multitenant platform, instead of leveraging customer-specific SIEM tools as its default delivery model. That transition to the shared model is still a work in progress and delivery models still lean toward per-customer-specified SIEM solutions. Buyers preferring to leverage a shared delivery platform should evaluate the architecture and implementation to ensure that it is fit for their purposes and requirements.
  • Wipro has made many improvements to its CDC portal over the past 12 months toward usability and centralization of access to services, but it still lacks the features available in many competing MSS portals.
  • Wipro has low visibility with Gartner clients’ shortlists for stand-alone MSS deals.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

Added

Capgemini, DXC Technology and Fujitsu were added.

Dropped

CSC and HPE Enterprise Services were dropped, as they merged under DXC Technology.

Inclusion and Exclusion Criteria

As a remote service, MSS can be delivered to and from any location with sufficient connectivity. MSSPs that have operations in one geographic region can support customers in other regions. Gartner sees a distinct preference among customers seeking MSSs to first consider MSSPs with a presence in their country or region (e.g., North America, Europe and the Asia/Pacific region). For global enterprises, that includes a presence in multiple regions where the enterprises operate, in order to provide more local support. Local presence enables the MSSP to keep some data in specific regions, as well as to provide local business hours and access to advanced support, to meet staffing requirements (such as specific citizenship) and to offer local language support, among other capabilities. In addition, compliance with data residency and privacy regulations can be addressed in many cases with local operations centers.
This Magic Quadrant includes MSSPs that have met thresholds for scale (expressed as devices supported and customers) and presence (SOCs) in multiple regions, as well as a threshold for MSS revenue.
The criteria include a threshold for the number of firewalls or network-based IDPS devices under monitoring or management, and a threshold for the number of MSS customers — both distributed across multiple regions. We note that many providers, in addition to MSSs, offer other service delivery options (such as local staff augmentation) and related services, like building SOCs at a customer’s premises, which may be supported remotely by the MSSP’s SOC. However, these are not evaluated within this research. Also excluded from this analysis are service providers that offer MSSs only as a component of another service offering (such as bandwidth or hosting), and vendors that provide MSSs only for their own technologies, not for third-party technologies.

Inclusion Criteria

Vendors must:
  • Have services to remotely monitor and/or manage firewalls and UTM systems, IDPS devices from multiple vendors via discrete service offerings, and shared-service delivery resources.
  • Have firewalls/IDPS devices under remote management or monitoring for external customers that meet a minimum threshold described below.
  • Have customers, as well as monitored firewalls and IDPS devices, across multiple geographies that meet a minimum threshold described below. The thresholds for customers and devices have increased from the prior Magic Quadrant to reflect market growth.
  • Have MSS revenue of $50 million or more in 2016. The threshold for revenue has increased from the prior Magic Quadrant.
  • Have a SOC presence in multiple geographic regions.
  • Have reference accounts that are relevant to Gartner clients in the appropriate geographic regions.
  • Be service providers that Gartner determines to be significant vendors in the market because of their market presence or service innovation.
Inclusion thresholds for firewalls/IDPS devices under MSSs are 389 in the Asia/Pacific region, 2,473 in Europe, 3,709 in North America and 45 in the rest of the world (ROW). MSSPs must meet the thresholds in one of the following combinations:
  • Asia/Pacific and Europe
  • North America and the ROW
  • Asia/Pacific and North America
  • Europe and North America
Inclusion thresholds for MSS clients are 75 in the Asia/Pacific region, 118 in Europe, 355 in North America and 19 in the ROW. MSSPs must meet the thresholds in one of the following combinations:
  • Asia/Pacific and Europe
  • North America and the ROW
  • Asia/Pacific and North America
  • Europe and North America

Exclusion Criteria

Vendors that have:
  • Service offerings that are available only to end users that buy other non-MSSs
  • Services that monitor or manage only the service provider’s own technology
  • Services delivered by service provider resources dedicated to a single customer
  • Services that fail to meet the inclusion criteria

Evaluation Criteria

Ability to Execute

Product/Service refers to the service capabilities in areas such as information and log management; security event management; threat detection, monitoring and alerting; incident management and response; workflow; reporting; and service levels.
Overall Viability (Business Unit, Financial, Strategy, Organization) includes an assessment of the organization’s overall financial health, as well as the financial and practical success of the business unit. This includes the likelihood that the organization will continue to offer and invest in the product, as well as the product’s position in the current portfolio.
Sales Execution/Pricing evaluates the service provider’s success in the MSSP market and its capabilities in presales activities. This also includes MSS revenue, pricing and the overall effectiveness of the sales channel. The level of interest from Gartner clients is also considered.
Market Responsiveness/Record evaluates the match of the MSS offering to the functional requirements stated by buyers at time of acquisition. It also evaluates the MSSP’s track record in delivering new functions when the market needs them.
Marketing Execution is an evaluation of the service provider’s ability to effectively communicate the value and competitive differentiation of its MSS offering to its target buyer.
Customer Experience evaluates the service delivery to customers. The evaluation includes ease of deployment, the quality and effectiveness of monitoring and alerting, and reporting and problem resolution. This criterion is assessed by surveys of vendor-provided reference customers, Gartner’s Peer Insights solution as well as by feedback from Gartner clients that are using an MSSP’s services, or have completed competitive evaluations of the MSSP’s offerings.
Operations covers the MSSP’s service delivery resources, such as infrastructure, staffing and operations reviews, or certifications.

Table 1: Ability to Execute Evaluation Criteria

  • Product or Service
  • Overall Viability
  • Sales Execution/Pricing
  • Market Responsiveness/Record
  • Marketing Execution
  • Customer Experience
Source: Gartner (February 2018)

Completeness of Vision

Market Understanding involves the MSSP’s ability to understand buyers’ needs and to translate them into services. MSSPs that show the highest degree of market understanding are adapting to customer requirements for specific functional areas and service delivery options. MSSPs with market-leading vision are investing in expertise and technology to monitor and analyze the external threat environment to better understand the sources, motives, targets and methods of attackers.
They are using that insight to improve the effectiveness of their MSS. They are also developing and introducing services that support large-scale data collection; advanced analytics, including statistical and behavioral functions; and monitoring of new data sources, such as endpoint, network and user data, to include in analysis. The goal of these capabilities is to more effectively find and respond to attacks, both broad-based and advanced targeted-type attacks.
Marketing Strategy evaluates clear, differentiated messaging consistently communicated internally, and externalized through social media, advertising, customer programs and positioning statements, and is tailored to the specific client drivers and market conditions in the MSS market.
Sales Strategy evaluates the strategy for selling that uses the appropriate networks, including direct and indirect sales, marketing, service, and communication, as well as partners that extend the scope and depth of market reach, expertise, technologies, services and their customer base.
Offering (Product) Strategy evaluates the provider’s approach to product development and delivery that emphasizes functionality and delivery options as they map to current and emerging requirements for MSSs. Development plans are also evaluated.
Vertical/Industry Strategy evaluates the strategy to direct resources (sales, product and development), skills and products to meet the specific needs of individual market segments, including verticals.
Innovation refers to the service provider’s strategy and ability to develop new MSS capabilities and delivery models to uniquely meet critical customer requirements. Examples include the capabilities described in Market Understanding.
Geographic Strategy addresses the vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, either directly or through partners, channels and subsidiaries, as appropriate for that geography and market.

Table 2: Completeness of Vision Evaluation Criteria

  • Market Understanding
  • Marketing Strategy
  • Sales Strategy
  • Offering (Product) Strategy
  • Business Model (Not Rated)
  • Vertical/Industry Strategy
  • Geographic Strategy
Source: Gartner (February 2018)

Quadrant Descriptions

Leaders

Each of the service providers in the Leaders quadrant has significant mind share among organizations looking to buy MSSs as a discrete offering. These providers typically receive positive reports on service and performance from Gartner clients. MSSPs in the Leaders quadrant are typically appropriate options for enterprises requiring comprehensive portal-based access for interfacing with the service (e.g., responding to alerts, incident management, workflow, reporting, asset and access management, and managing other procured services, like vulnerability management) along with interaction with the MSSP for analyst expertise and advice.

Challengers

In the Challengers quadrant, Gartner customers are more likely to encounter MSSs that are offered as components of an IT or network service provider’s (NSP’s) other telecommunications, outsourcing or consulting services. Although an MSS is not a leading service offering for this type of vendor, MSSs in these markets tend to have a strong Ability to Execute and offer buyers capabilities when procuring services from a single provider aligns with the organizations’ IT strategy.

Visionaries

Companies in the Visionaries quadrant have demonstrated the ability to turn a strong focus on managed security into high-quality service offerings for the MSS market. These service providers are often strong contenders for enterprises that require access to and support for “cutting edge” technology, flexible service delivery options and strong customer service. MSSPs in the Visionaries quadrant have less market coverage and fewer resources or service options compared with vendors in the Leaders quadrant.

Niche Players

Niche Players are characterized by service offerings that are available primarily in specific market segments, or primarily as part of other service offerings. These service providers often tailor MSS offerings to specific requirements of the markets they serve. This quadrant is also characterized by providers that are newer, or have expanded beyond local and regional markets, to the global MSS market, and are maturing their delivery capabilities and offerings.


  • Prospective MSS buyers with threat management use cases should highly weight MSSPs’ threat research, security intelligence and threat detection capabilities.
  • Prospective MSS users should require a proof of concept (POC), or a demonstration of MSS offerings, to validate ease of use, effectiveness and value. Current MSS customers should leverage POCs for new offerings from their existing MSSP before purchasing.
  • Current and prospective MSS users should validate MSSPs’ services to address advanced attacks via network behavior, network forensics, payload analysis, endpoint behavior and endpoint forensics, or consider MDR providers that specialize in such attack detection capabilities.
  • Global coverage matters to global enterprises. The MSS market includes a wide range of providers available only in a single region or country. If your organization is not global and wants good local support and presence, then carefully evaluate a global MSSP’s ability to “look local.”

Market Overview

The MSS market is a mature one, offering buyers a variety of options from a diverse set of providers that generally align to a core focus. MSS is provided by pure-play security providers, IT system integrators and outsourcers, and network services providers. Buyers leverage MSSPs to address requirements that include 24/7 monitoring and threat detection, security technology management, and meeting a variety of compliance requirements. The preferred approach is to leverage a shared-service model where resources and support are remotely delivered by the provider. These may be complemented by related drivers, such as access to deeper or broader security expertise than is available in-house given the industry concern about the lack of available security resources and expertise, and the ability to retain those resources, or the need to redirect existing internal resources to other higher-value security functions inside the organization. Gartner clients interested in MSSs are increasingly looking for providers with effective threat detection capabilities that can detect both broad-based as well as advanced threats, and offer incident response services that may extend all the way through to the containment and remediation of a threat, either remotely or through physical on-site support.
This Magic Quadrant reflects the requirements of customers with service needs in multiple geographic regions. MSSPs included in the evaluation meet the minimum thresholds for MSS delivery in two or more regions via in-region SOCs. MSSPs with a multiregional presence typically have a sufficient understanding of region-specific customer requirements, as well as sufficient service delivery capabilities that can scale to support global service delivery. Customers with a mix of global delivery requirements and local regulatory requirements related to, for example, data privacy, may require customized services.
MSSPs that do not meet the criteria for inclusion in this Magic Quadrant may still deliver high-quality services within a continental or geographic region or regions. When considering MSSs, Gartner customers should develop evaluation criteria that meet their specific requirements, and take geography (language, local resources, etc.) into account, where applicable.
Market trends, which are discussed in more detail below, include:
  • Moving beyond monitoring of only network-based security technologies, particularly the network perimeter, with increasing focus on the endpoint (e.g., managed EDR services)
  • Increasing movement toward more customized outcomes for buyers
  • Buyer demand for capabilities to monitor popular SaaS applications and public cloud service providers (IaaS)
The MSS market is growing at a healthy double-digit rate — in 2016, the market grew 10% to reach $9.4 billion in revenue (see “Market Share Analysis: Managed Security Services, Worldwide, 2016”), and Gartner expects this growth rate to be in the 15% to 17% range for 2017. The MSS market constitutes approximately 60% of the overall security outsourcing market that will generate $18.7 billion revenue in 2017, growing at a CAGR of 11% through 2021. It is important to view MSS in the context of broader security outsourcing, because large enterprises are increasingly looking for hybrid engagements that include a mix of shared and dedicated service delivery components.
Demand for MSSs, from enterprises and midsize organizations, is driven primarily by a variety of factors:
  • Security staffing challenges and budget shortages: Gartner sees organizations of all sizes and geographies continuing to be challenged to attract and afford the appropriate security and risk management staff (see “Adapt Your Traditional Staffing Practices for Cybersecurity”). Also, in an increasingly hostile external threat environment (see “How to Respond to the 2018 Threat Landscape”), Gartner security and risk management leaders continue to report a lack of sufficient funding and increasing budget pressures that affect their security monitoring and operations capabilities.
  • Midsize enterprise adoption of detection and response capabilities: Midsize organizations are embracing detection and response capabilities to complement their investments in preventive security controls. These organizations are also impacted by the increasing scarcity (and cost) of security operations talent. They are looking for MSSPs to act as extensions of their security staff, instead of adding security head count. MSSPs can provide these services on a 24/7 basis, allowing customers to devote their often scarce internal security resources to higher-value activities.
  • Customized requirements: The MSS market is increasingly segmented between providers that focus on a shared-service approach, where offerings are homogeneously applied across customers with minimal, if any, room for customization, and providers that build customized solutions. The former are generally the purview of the pure-play MSSPs. The IT outsourcers (ITOs) and NSPs that have MSS offerings are increasingly focused on providing customized solutions to larger enterprises in order to meet very specific requirements. These typically revolve around support for a wide range of security technologies, especially more “lean-forward” technologies that the organization has already deployed, or plans to deploy, but lacks the expertise and skills to run and use. The increasing demand for SOC build-outs in specific regions (e.g., Middle East and India) is also fueling the demand for customized services where MSS capabilities may be leveraged, such as providing remote, out-of-business-hours support to complement the on-site provider staff running the provider-run, customer-specific SOC.
  • First-time/early-cycle MSS customers: The MSS market is still attracting buyers. In both mature and emerging regions, there are organizations that are in their first cycle of building out threat detection and response capabilities. MSS forms a critical part of this because these organizations typically have low organizational competency in security and operate using lean security teams, and are therefore looking for opportunities to outsource security event monitoring, alerting and response. These “first cycle” MSS adopters are driving significant growth for the market.
  • Evolving compliance reporting requirements: Requirements such as GDPR (see “GDPR Clarity: 19 Frequently Asked Questions Answered”) as well as corporate governance policies, are directly driving stronger requirements for threat monitoring, identification and incident response capabilities. As formal compliance regimes become more stringent or more pervasive, organizations are turning to external service providers to address the need to meet compliance requirements.
  • Expansion of security event monitoring into new domains: As organizations adopt cloud services (e.g., SaaS and IaaS predominantly), concerns about the lack of visibility into these environments from a security and risk management perspective are increasing. Customers considering MSS for security services are asking about MSSP capabilities for monitoring these environments.
MSS customers and buyers continue to express dissatisfaction with MSS providers, although such customers are the minority. Some of the common reasons for customers switching MSSPs or opting for another delivery model include a lack of perceived value versus the costs for MSSs, providers that fail to detect threats or generate a high level of false positives, and poor quality of service delivery and support during critical incidents. In particular, security and risk management leaders have increasing expectations that their MSSP will act as an extension of their security capabilities or teams to provide incident investigation and response support. These organizations are not resourced to consume just Tier 1 security operations capabilities, where they only receive notifications of an incident and are expected to perform their own incident triage and investigation. That may be appropriate for large enterprises with adequately resourced security teams that want to, and can, maintain responsibility for incident triage, investigation and response.
Alternatives to using an MSSP include:
  • Managed detection and response services: Organizations have been increasingly looking for threat-detection-oriented service providers that offer more turnkey monitoring services coupled with higher-touch services. MDR service providers (see “Market Guide for Managed Detection and Response Services”) are gaining increasing attention with buyers, particularly in the midsize and smaller enterprises. However, adoption by larger enterprises to augment existing capabilities, especially for advanced threat detection, is also occurring. Many MSSPs have introduced MDR-like services that are turnkey offerings using dedicated technology providers as premium services, but these are primarily focused on advanced threat detection use cases, usually via managed EDR or threat hunting. The use of network technologies for MDR-type services is starting to emerge. Gartner anticipates this trend to continue as MSSPs race to compete with the MDR providers.
  • Remote co-management of a customer’s SIEM solution: Increasingly, buyers across midsize and larger enterprises are purchasing SIEM solutions, but looking for specific service providers to assist. Services available to the buyer range from engineering, tuning and performance monitoring of the customer’s SIEM tool, whether it’s on-premises, hosted by a provider or SaaS SIEM (see “Selecting and Deploying SaaS SIEM for Security Monitoring”), all the way to complete management and 24/7 monitoring and alerting (in effect being an MSS to the customer, just using the customer’s technology). Buyers purchase their own SIEM tools for a variety of reasons (see “How and When to Use Co-managed Security Information and Event Management”). In response to this trend, MSSPs are increasingly adding co-managed SIEM support for two to three SIEM solutions.
  • Organizations building their own, dedicated SOCs: Organizations decide to build and operate their own SOCs because they:
    • Desire more control over their detection and response technologies (either driven internally or due to regulatory requirements)
    • Require better access to their own data (for threat investigations or compliance purposes)
    • Have unique or specialized use cases or environments where more customized correlation/analytics is required (e.g., OT security monitoring requirements).
    • May be unaware of the concept of shared MSS, particularly because providers do not offer it to them. This is particularly true in emerging markets.
    To adapt to these requirements, MSSPs are adding or expanding customized services to customers for SOC build-outs (see “How to Plan, Design, Operate and Evolve a SOC”).
Challenges to using an MSSP include:
  • Ability to deliver “integrated” incident response: MSS buyers should be aware, when considering these services, that most MSSPs still have limitations and barriers between the basic triage and customer notification of a potential incident, and specific incident response activities, such as collecting suspect binaries and performing analysis, which is then used to ascertain the type of threat, sophistication, attribution and scope of distribution inside an organization. Many MSSPs require customers to purchase an incident response retainer in order to have access to these types of technical incident response functions and experts.
  • Data residency and other privacy requirements: Regulatory requirements regarding movement of and access to specific types of data may limit the scope of monitoring that enterprises can entrust to MSSPs. For example, GDPR may drive more stringent requirements for MSSPs depending on the geography in which the MSS buyer operates.
  • Change in strategy to reduce outsourcing: At the enterprise level or within the security organization, a change in strategy (sometimes driven by changes in leadership) regarding the use of external services can mean that MSSs are not considered effective options.
  • Lack of customization: By definition, MSSs are meant to be standardized in terms of device management, analytics/correlation rules, and reporting and notifications. Customers that want more customization of their security operations may find that some MSSPs may be less than ideal for them if they focus on delivering shared services with little to no customization.

MSSP Landscape

The basic makeup of the MSSP vendor space has not changed fundamentally, as the market is mature. There are three major types of MSSPs. Overlap between these types occurs in the market, but MSSPs tend to fall into one of the categories.
  • Pure plays: These are generally smaller, privately held MSSPs that are completely focused on security services. Most of these MSSPs tend to serve a local market or region, but not all regions around the world. New pure-play security service providers often focus on specific vertical markets (e.g., legal, healthcare providers, energy and utilities) or regulatory requirements, or advanced threat detection technologies (e.g., managed EDR services). Gartner expects existing MSSPs and other IT services firms to acquire pure-play service providers that offer threat-detection-oriented services and advanced threat detection capabilities, especially those in the MDR space.
  • NSPs: These are network bandwidth and connectivity providers that manage and monitor network security products. They often provide remote monitoring, premises-based technologies and cloud-based services through their internet connections. Buyers that consume managed telecommunications services tend to include MSS when available as firewalls and other network-based security technologies can be a core component of the outsourcing deals.
  • ITOs/system integrators/business process outsourcers: These are IT services providers that typically manage security devices as part of large outsourcing or system integration initiatives, where it makes sense for buyers to consume MSS as part of broad infrastructure management and monitoring deals.
In addition to the above common types of MSSPs, security consulting providers and some product vendors are emerging entrants offering MSSs. Security consulting firms have realized that MSS and ongoing security operations contracts are a more profitable, predictable and faster-growing revenue stream than one-off consulting projects. Many of these consultancies are more active in dedicated SOC staffing services than MSS, but this is still a category of providers to watch. Also worth noting is that many IT outsourcers with security consulting businesses are becoming more active as MSSPs, through either acquisitions or the organic build-out of capabilities.
Some product vendors such as Cisco, CrowdStrike, F-Secure, FireEye and Rapid7 (among others) also offer MSS and/or MDR services. The primary motivation for these technology vendors in entering this market has been to increase their recurring revenue by attaching more annuity-based services to one-time product sales. Also, for new product areas in security (like EDR), offering managed services allows customers to better utilize the underlying technology product (because it can be more complex and time-consuming than anticipated once fully deployed) and helps them overcome skills shortages associated with newer security technology areas. However, product vendors are still very much a niche play in the broader MSS market.

MSS Portfolio

The services that are core to MSS offerings involve vendor-agnostic monitoring and management of core security technologies, with a focus on:
  • Firewalls and next-generation firewalls (NGFs)
  • Network IDPSs and next-generation IDPS
  • Multifunction firewalls/UTMs
  • SWGs and URL filters
  • EPPs
MSSPs also tend to support a broad scope of security and non-security-type data sources for security event monitoring. The event sources may include network devices (e.g., VPN devices, routers and switches), logs from user directory services (e.g., Active Directory), and host OS logs and application-specific logs. In the past couple of years, MSSPs have introduced services to manage and monitor both proprietary and commercial technologies designed to detect and protect against advanced threats. These services analyze payloads to detect malicious software and monitor activity and behavior of network traffic (e.g., network traffic analysis [NTA] tools) and endpoints (e.g., EDR agents). In addition to monitoring, many MSSPs have management services for those technologies (usually under their “MDR services”).
MSSPs may also provide cloud or SaaS-based services, including:
  • Vulnerability scanning
  • Network-based firewall/IDP
  • Web filtering/SWG
  • CASB
  • Email security
  • DDoS mitigation
Among organizations that have deployed a SIEM solution, Gartner sees increasing interest in services to monitor or run the SIEM. MSSPs continue to add offerings to support customer-deployed SIEM to accommodate these customers, either in a more customized model or until the customer can be transitioned off their SIEM tool and onto the MSSP’s delivery platform.

Incident Response Services

Most MSSPs offer incident response capabilities to assist customers with investigation and remediation activities. Gartner clients, in light of significant breaches in the news over the last 12 months, are interested in adding retainers for digital forensics and incident response (DFIR) services, and MSS customers generally look to their provider for these services. These activities are available as proactive- and reactive-oriented services, delivered primarily remotely, but on-site as needed. They are typically available on a consulting basis, and can be purchased as needed, or via a retainer for a set number of hours, with service-level commitments for response time for both remote and on-site support. Prospective customers should confirm with MSSP candidates how much response support is available within the context of the standard monitoring services, and when engaging the incident response retainer is required (for example, does the customer have to authorize use of the hours, or is it preagreed how the MSSP can use those hours?). SLAs are also commonly provided for both remote and on-site support. Customers should confirm the SLAs provided and the penalties if SLAs are missed. If the MSSP offers packaged or prepaid retainer hours for incident response activities, then customers should confirm whether those hours are available for other security services (e.g., proactive services) if they are not needed for incident response.

Threat Intelligence Capabilities and Services

Requirements for how MSSs leverage threat intelligence, and what premium threat intelligence services are available, appear on Gartner clients’ RFPs with increasing frequency. Buyers are specifically interested in how MSSPs are leveraging threat intelligence (e.g., to improve the prioritization and context around detected incidents). Additionally, rather than procuring advanced or customer-specific threat intelligence services from a third party, MSS buyers are looking first at the capabilities of the MSSP, through subscription-based services. Several MSSPs have dedicated security and threat-oriented research teams to improve their visibility of the threat landscape — that is, the identities, motives, targets, and tactics, techniques, and procedures of external attackers. These services feed their MSS capabilities, but also tend to be resold as advanced threat intelligence offerings, such as customer-specific dark web monitoring services. Those that do not have their own threat research groups often use a mix of one or more third-party threat intelligence providers along with open-source threat intelligence. MSSPs are increasing their support for common threat intelligence description and sharing formats, such as Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII). In the last 12 months, a few MSSPs have also introduced threat intelligence platforms as part of their overall delivery platforms (see “Market Guide for Security Threat Intelligence Products and Services”). As the use and maturity of these tools increase, Gartner expects to see improved capabilities for customers to securely share their own threat intelligence and for the MSSP to consume it. Buyers with requirements for this level of sharing should confirm with prospective MSSPs whether they already have this capability, and if not, where it is in their roadmap.
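As an added illustration of the two points above, prioritizing detections by correlating them with threat intelligence and consuming STIX-formatted indicators, the following script loads indicators from a STIX 2.1 bundle, parses the simple equality comparisons in their patterns, and matches them against log events, ordering hits by the indicator's confidence. This is example code written for this page, not any MSSP's platform: the bundle, the events, the field mapping (`FIELD_MAP`) and the helper names are constructed, the IP addresses use documentation ranges, the domains use the reserved `.example` TLD, and the hash is a placeholder rather than a real sample.

```python
"""Correlate constructed log events with indicators from a STIX 2.1 bundle.

Added example: the bundle, the events, the field mapping and all helper
names are constructed for illustration and are not from any MSSP platform.
"""
import re
from typing import Dict, List, Tuple

# Constructed STIX 2.1 bundle: three indicators with different confidences.
STIX_BUNDLE: Dict = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-00000000000a",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000001",
         "created": "2019-01-15T10:00:00.000Z", "modified": "2019-01-15T10:00:00.000Z",
         "name": "Constructed C2 address", "indicator_types": ["malicious-activity"],
         "pattern": "[ipv4-addr:value = '203.0.113.45']", "pattern_type": "stix",
         "valid_from": "2019-01-15T10:00:00Z", "confidence": 85},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2019-01-20T10:00:00.000Z", "modified": "2019-01-20T10:00:00.000Z",
         "name": "Constructed phishing domains", "indicator_types": ["malicious-activity"],
         "pattern": "[domain-name:value = 'badhost.example' OR "
                    "domain-name:value = 'cdn.badhost.example']",
         "pattern_type": "stix", "valid_from": "2019-01-20T10:00:00Z", "confidence": 60},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2019-02-01T10:00:00.000Z", "modified": "2019-02-01T10:00:00.000Z",
         "name": "Constructed malware hash", "indicator_types": ["malicious-activity"],
         "pattern": "[file:hashes.'SHA-256' = '" + "aa" * 32 + "']",
         "pattern_type": "stix", "valid_from": "2019-02-01T10:00:00Z", "confidence": 95},
    ],
}

# Constructed log events as an MSSP might normalise them from a proxy/EDR feed.
EVENTS: List[Dict] = [
    {"ts": "2019-02-20T08:01:12Z", "src_ip": "10.0.0.21", "dst_ip": "203.0.113.45", "domain": "", "sha256": ""},
    {"ts": "2019-02-20T08:02:40Z", "src_ip": "10.0.0.22", "dst_ip": "198.51.100.7", "domain": "CDN.badhost.example", "sha256": ""},
    {"ts": "2019-02-20T08:03:05Z", "src_ip": "10.0.0.23", "dst_ip": "192.0.2.10", "domain": "update.example", "sha256": ""},
    {"ts": "2019-02-20T08:05:51Z", "src_ip": "10.0.0.21", "dst_ip": "192.0.2.55", "domain": "", "sha256": "aa" * 32},
]

# Maps a STIX object type/property to the field name in our event records.
# Assumed mapping; a provider would maintain one per log source.
FIELD_MAP = {
    ("ipv4-addr", "value"): "dst_ip",
    ("domain-name", "value"): "domain",
    ("file", "hashes.SHA-256"): "sha256",
}

# One equality comparison inside a STIX pattern: type:property = 'value'.
COMPARISON_RE = re.compile(r"([a-z0-9-]+):([^\s=]+)\s*=\s*'([^']*)'")


def parse_pattern(pattern: str) -> List[Tuple[str, str, str]]:
    """Extract (type, property, lowercased value) comparisons from a pattern.

    Deliberate simplification: only equality comparisons joined by OR inside
    one observation expression are handled; AND and FOLLOWEDBY are rejected
    rather than silently mis-evaluated.
    """
    if " AND " in pattern or "FOLLOWEDBY" in pattern:
        raise ValueError("only OR-joined equality comparisons are supported")
    return [(t, p.replace("'", ""), v.lower()) for t, p, v in COMPARISON_RE.findall(pattern)]


def load_indicators(bundle: Dict) -> List[Dict]:
    """Pull STIX-pattern indicators out of a bundle and pre-parse them."""
    out = []
    for obj in bundle["objects"]:
        if obj.get("type") == "indicator" and obj.get("pattern_type") == "stix":
            out.append({"id": obj["id"], "name": obj["name"],
                        "confidence": obj.get("confidence", 0),
                        "comparisons": parse_pattern(obj["pattern"])})
    return out


def match_events(events: List[Dict], indicators: List[Dict]) -> List[Dict]:
    """Return one hit per (event, indicator) pair, highest confidence first.

    The confidence ordering is the prioritisation signal the text refers to:
    a match on a high-confidence indicator is surfaced before a weaker one.
    Values are compared case-insensitively so 'CDN.badhost.example' still hits.
    """
    hits = []
    for event in events:
        for ind in indicators:
            for obj_type, prop, value in ind["comparisons"]:
                field = FIELD_MAP.get((obj_type, prop))
                if field and event.get(field, "").lower() == value:
                    hits.append({"ts": event["ts"], "src_ip": event["src_ip"],
                                 "indicator_id": ind["id"], "name": ind["name"],
                                 "confidence": ind["confidence"],
                                 "matched_field": field, "matched_value": value})
                    break  # one hit per indicator per event is enough
    return sorted(hits, key=lambda h: -h["confidence"])


if __name__ == "__main__":
    for hit in match_events(EVENTS, load_indicators(STIX_BUNDLE)):
        print(f"{hit['ts']} {hit['src_ip']} -> {hit['name']} "
              f"(confidence {hit['confidence']}, {hit['matched_field']}={hit['matched_value']})")
```

The event for `10.0.0.23` produces no hit, the hash match (confidence 95) is listed first, and the domain match is found despite the mixed-case hostname in the event. A production matcher would also honour `valid_from`/`valid_until` and the full STIX pattern grammar; this one fails closed on operators it does not implement.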

MSS Delivery

Managed Service Portal Functionality

Buyers should apply significant focus to methods of communication with their provider, as this enables measurable recognition of value received. A key way to orchestrate efficient two-way recorded dialogue between outsourced security professionals and internal teams is through a fully featured portal. Any portal should provide multirole and granular access control, and dashboards with information preconfigured and adaptable to fit many different roles and functions within your organization, including those within senior risk management. Fully interactive incident ticketing with features for handover and resolution tracking provides buyers with a method not only to improve the service that the provider is operating through enrichment and semantic learning, but also to track and manage ROI in an area visible to both parties. Important features of provider portals also include the ability to search through security data and carry out threat hunting through fast and intuitive interfaces, as well as seamless cross-service and function integrations with other security services and information, such as vulnerability scanning outputs and threat intelligence indicators.
Buyers should consider the quality and functionality of the provider portal to be a high-priority element in their decision to procure any MSS, as this becomes the outlet and store for all content that the service produces and is measured by.

Security Operations Centers

All MSSPs leverage SOCs as the physical locations to deliver 24/7 services. MSSPs use different patterns for service delivery: usually either a single SOC operating round the clock; a follow-the-sun approach in which each SOC operates during its local business hours seven days per week, with other SOCs providing resiliency as needed; or a hybrid of these two models. Each has its strengths and weaknesses. For example, technically a SOC in one region can support a customer in another; however, there are potentially significant roadblocks in the form of language, time zones and regulations that need to be considered. On the other hand, better service may be achieved when the MSSP uses a follow-the-sun model, which can alleviate the SOC analyst quality issues that arise when analysts have to work nights and weekends (see “How to Plan, Design, Operate and Evolve a SOC”). MSS buyers need to carefully evaluate the SOC locations and operating models used by MSSPs to ensure they will meet their requirements.

Threat Detection and Advanced Analytics Capabilities

Many MSSPs claim capabilities to assist their customers in addressing advanced attacks, in addition to their abilities to detect common, broad-based threats. These capabilities may be visible as discrete service offerings or options, or as features embedded in existing offerings. They may include, for example:
  • Correlation of events with threat intelligence that can provide attribution (e.g., to a broad-based malware family versus a known hacking group)
  • Analysis of activity patterns (across an MSS customer base as well as within the customer environment) to identify outliers, exceptions or deviations from baselines in security events, network traffic, or the activity of users or entities on the network
  • Analysis of user behavior to identify anomalies from normal behavior across environments (on-premises, cloud) — this is an emerging area that is currently supported by very few MSSPs
The adoption of big data technologies like Hadoop, Elasticsearch and NoSQL is permeating MSS. This makes sense, as MSSPs have historically had to deal with “big data problems” — a large volume, velocity and variety of log event and other data. These technologies are being used to help MSSPs better manage and analyze the large amounts and various types of data acquired from their customers, and to make it more accessible (e.g., via real-time search as opposed to scheduled search jobs) and for longer periods of time than previously available. However, the time horizon over which those logs can be searched continues to stay relatively stable, with 90 days of online data being the norm and data older than that being relegated to warm or offline storage. The adoption of big data technologies is also fueling a drive to improve threat detection capabilities through advanced analytics; however, it’s still early days.
As big data technologies are adopted, advanced analytics are being used in back-end systems to complement traditional real-time security event correlation and monitoring capabilities. Batch-oriented analytics that can be run over much larger datasets covering weeks or months of data, commonly using machine-learning-based approaches, are being employed. Gartner recommends that customers ask for specific information and evidence where advanced analytics is being used, as a means of differentiating and comparing service offerings across providers. Most MSSPs claim that the customer won’t be able to determine, based on the alerts they receive, whether the event was detected using standard methods, such as correlation or threat intelligence matches, or via a more advanced method (e.g., anomalous activity detected using a supervised machine learning approach). Buyers should also ask how a provider leverages advanced analytics methods. For example, is the capability delivered through a commercially available technology that is managed by the provider, or has the provider actually invested in R&D to customize and tune a commercial (or proprietary) analytics technology?
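To make the "deviations from baselines" bullet above and the batch-analytics paragraph concrete, here is an added example (not any MSSP's analytics) that runs two of the baselines the text mentions over constructed daily per-host outbound volumes: a within-entity baseline (today versus the host's own history) and a peer-group baseline (today versus hosts of the same role, standing in for the "across a customer base" comparison). It uses the median and the median absolute deviation (MAD) rather than mean and standard deviation so that a handful of extreme days does not drag the baseline up with them. The hostnames, numbers, the `peer_group` rule derived from the hostname prefix, and the threshold of five robust standard deviations are all constructed assumptions.

```python
"""Baseline-deviation detection over constructed daily per-host counts.

Added example, not any MSSP's analytics. Implements a per-entity history
baseline and a peer-group baseline using median/MAD so that a few extreme
days do not skew the baseline itself. All data and names are constructed.
"""
from statistics import median
from typing import Dict, List

# Constructed: outbound megabytes per host for 14 past days (history) and for
# the day under review (today). ws-002 is the planted anomaly; srv-db is a
# busy server whose volume is normal for its role.
HISTORY: Dict[str, List[float]] = {
    "ws-001": [120, 135, 110, 128, 140, 95, 100, 130, 125, 118, 122, 138, 115, 127],
    "ws-002": [80, 85, 78, 90, 82, 60, 65, 88, 84, 79, 81, 87, 83, 86],
    "ws-003": [200, 210, 190, 205, 198, 150, 160, 215, 208, 196, 202, 211, 199, 204],
    "ws-004": [150, 155, 148, 160, 152, 120, 125, 158, 151, 149, 156, 153, 147, 154],
    "srv-db": [1500, 1480, 1520, 1510, 1490, 1475, 1505, 1495, 1515, 1500, 1485, 1510, 1498, 1502],
}
TODAY: Dict[str, float] = {"ws-001": 125, "ws-002": 950, "ws-003": 207, "ws-004": 160, "srv-db": 1508}

MAD_TO_SIGMA = 1.4826  # scales MAD to a standard deviation for normally distributed data


def robust_score(value: float, reference: List[float]) -> float:
    """How many robust standard deviations `value` sits from the median of
    `reference`. The scale is floored at 1% of the median so a constant
    reference (MAD of zero) does not turn a trivial change into an alert."""
    med = median(reference)
    mad = median(abs(v - med) for v in reference)
    scale = max(MAD_TO_SIGMA * mad, 0.01 * abs(med), 1e-9)
    return (value - med) / scale


def peer_group(entity: str) -> str:
    """Peer group from the hostname prefix (assumed convention: 'ws-', 'srv-');
    a real deployment would use asset inventory or role data instead."""
    return entity.split("-", 1)[0]


def detect(history: Dict[str, List[float]], today: Dict[str, float],
           threshold: float = 5.0, min_peers: int = 3) -> List[Dict]:
    """Return alerts for entities that deviate from either baseline."""
    alerts: List[Dict] = []
    # 1. Within-entity baseline: today versus the host's own history.
    for entity, value in today.items():
        score = robust_score(value, history[entity])
        if abs(score) >= threshold:
            alerts.append({"entity": entity, "baseline": "history", "score": round(score, 1)})
    # 2. Peer baseline: today versus the other hosts of the same role.
    groups: Dict[str, List[str]] = {}
    for entity in today:
        groups.setdefault(peer_group(entity), []).append(entity)
    for members in groups.values():
        if len(members) <= min_peers:
            continue  # too few peers for a meaningful baseline (e.g. a lone server)
        for entity in members:
            peers = [today[m] for m in members if m != entity]
            score = robust_score(today[entity], peers)
            if abs(score) >= threshold:
                alerts.append({"entity": entity, "baseline": "peer", "score": round(score, 1)})
    return alerts


if __name__ == "__main__":
    for alert in detect(HISTORY, TODAY):
        print(f"{alert['entity']}: {alert['score']} robust sigma from {alert['baseline']} baseline")
```

Only `ws-002` is flagged, by both baselines. `srv-db` moves far more data than any workstation but is not flagged: its own history is stable, and it has no peer group large enough to compare against, which is the point of grouping by role before comparing across entities. Feeding a provider a dataset like this, with a planted anomaly, is one practical way to obtain the "specific information and evidence" about advanced analytics that the text recommends asking for.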

Monitoring Beyond On-Premises Customer Environments

SaaS visibility is top of mind with Gartner clients interested in MSS, with IaaS second. Use of popular SaaS such as Office 365, Salesforce, Box and Workday is driving the demand. MSSPs are slowly adding support, via partnerships, for CASBs to provide SaaS security monitoring, but few Gartner clients report interest in this approach. Most clients are expecting native API-based approaches to be used as part of the core security event monitoring capabilities. The approach is mixed across MSSPs: some claim support for APIs, others rely on the use of a CASB solution, and a few offer both, depending on the level of event monitoring required by the buyer.
Most MSSPs have focused on the monitoring of assets located in public cloud services, such as AWS and Azure, by leveraging a mix of external security controls deployed in the public cloud and native API-based security integrations (e.g., AWS CloudTrail). Support for Azure has increased over the past 12 months, but AWS is still the most supported environment. Few MSSPs have support for IaaS security products like cloud workload protection platforms (see “Market Guide for Cloud Workload Protection Platforms”).
There is another dimension to cloud security, and that is security services delivered from the cloud (e.g., security as a service). Some MSSPs support established security-as-a-service technologies (e.g., SWGs and secure email gateways [SEGs]). For example, many of the pure-play providers with their own technology portfolios, and NSPs through partnerships with cloud-based SWG providers, offer management and monitoring services for those deployment modes.

Pricing Models

There are several pricing models used by MSSPs, leading to confusion among buyers as to which approach is most appropriate and making it difficult to compare pricing across competing providers. A majority of MSSPs offer a pricing model based on the type and size of the security technology to be monitored and/or managed for customer-owned security technologies, devices and other log sources. Log collection is typically priced by the number and types of sources, or by the number of events per time period (device count pricing includes implicit expectations of event volumes). There is often a clear distinction between technology that is monitored in real time and subject to alerting SLAs, and technology that is not — that is, where logs are collected and subject to reporting or querying, but not to real-time correlation and analyst review.
Alternative models are also being seen in the market. Gartner expects to see new pricing models introduced as a competitive differentiator, and to reduce the complexity and friction of selling MSSs:
  • Data volume or velocity: Providers, especially those using a commercial SIEM solution as part of their delivery platform, are pricing MSSs based on the average volume of data collected over a time period (such as gigabytes per day) or the velocity of data sent to the MSS for analysis (usually measured as log events sent per second or daily). This model allows customers to pay based on the actual amount of data provided to the service provider for analysis, rather than the number or type of data sources. This is not a dominant model in the market. Issues with this model include a lack of control over the amount of data being generated (e.g., during a DDoS attack) and that not all data provides equal benefits, but customers pay the same rate for data collected and analyzed (e.g., web proxy versus DNS events).
  • Per log event source pricing: This pricing model is based on the total number of sources sending data to the MSSP. In this model, all data sources, regardless of how much log and event data they generate, are treated equally. This is sometimes provided as an enterprisewide license model too.
  • Per incident: In this approach, customers are charged based on the number of incidents that are detected and the number of alerts sent.
  • Per user or asset: This approach is based on the number of users or assets inside an organization, or on analytics activities (such as running specific algorithms against a volume of data).
Device management pricing is typically based on the number of configuration changes to be performed within a period of time. This model offers a fairly straightforward means for potential customers to determine the cost of a service and allows comparison across potential providers. A potential issue with this model is that, where customers have high-capacity event sources that are underutilized, they pay for the potential capacity, rather than actual usage of those devices.

Service-Level Agreements

Gartner clients need to be aware of the SLAs offered by MSSPs, as they are a continuing source of misunderstanding among buyers, and they differ across providers. SLAs are commonly offered for monitoring and managed services. Usually, a vendor segregates the SLAs into three to five response levels measured against a specific severity (e.g., urgent, high, medium, low). In many cases, the monitoring and response severities are aligned to managed device SLAs too.
MSS buyers need to confirm the tiers and associated SLAs for the services they plan to buy. Many MSSPs offer various tiers of service at different price points with varying SLAs (e.g., more expensive service will have shorter response times). MSS buyers should confirm the options available with the providers and evaluate which tier they are being quoted, and whether fewer tiers of service might be acceptable given the trade-offs between risks and costs. SLA rightsizing is a critical part of getting the most value from an MSSP. It is also important to confirm how the SLA is measured and calculated. For example, does the clock on an SLA start when the incident is detected by an automated system, when the incident is picked up from a queue of unassigned events by an analyst, or from the time an analyst has established that there is an incident worth notifying the customer about?
Most MSSPs offer standard SLAs; however, some negotiate SLAs on a customer-by-customer basis, while a few others still negotiate custom SLAs for each customer. MSS buyers consuming these services as part of broader IT outsourcing contracts need to be doubly cautious about defining the right SLAs. Gartner has observed several risk areas in such engagements — from providers carrying forward generic SLAs to weak service definitions to poor reimbursements and remediation. Finally, MSS buyers need to confirm whether a provider offers any reimbursements for missed SLAs. Some MSSPs offer credits against future payments for missed SLAs, but this is not common practice across the industry. These credits can escalate for repeated occurrences of SLA noncompliance. However, there is usually a limit on how many credits can be provided, such as not exceeding a certain percentage of the total monthly or annual charges. Also, sometimes there are earn-back provisions that forgive remedies based on improved performance by the MSSP. It is important to note that, in most cases, it is the customer’s responsibility to notify the service provider of any proposed SLA violation within a set time period of the date on which the proposed violation occurred. At a minimum, the provider should have capabilities for performing a root cause analysis and offering root cause elimination as part of its SLA conformance.

MSSP Market Activity in 2017

The global MSSP market in 2017 was stable. CSC and HPE Enterprise Services formally merged as DXC Technology in April 2017.

MSSPs Not Evaluated in the Magic Quadrant

Not included in this Magic Quadrant analysis are smaller, region-, country-level and local-area MSS providers, which can include small pure plays and larger providers that do not have enough MSS business in multiple regions to meet the inclusion criteria (although they may be a good choice for buyers that don’t require a global footprint and would prefer a more “local” provider). Also excluded from this analysis are service providers that provide MSSs only for their own technologies, and that do not deliver services for third-party commercial technology (for example, MDR service providers). Providers with security services that are sold and delivered primarily with infrastructure outsourcing, staff augmentation or account-dedicated resources are also not included in this Magic Quadrant.


  • Gartner customer inquiries and information sharing related to MSSPs
  • Analyst interactions with Gartner customers via inquiries and meetings
  • Survey of MSSPs
  • Survey of MSS reference customers
  • Gartner Peer Insights

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
Overall Viability: Viability includes an assessment of the overall organization’s financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization’s portfolio of products.
Sales Execution/Pricing: The vendor’s capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.
Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor’s history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This “mind share” can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers’ wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers’ wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor’s approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.
Business Model: The soundness and logic of the vendor’s underlying business proposition.
Vertical/Industry Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

Magic Quadrant for Integrated Risk Management

Published 16 July 2018 – ID G00323128 – 42 min read

Integrated risk management enables simplification, automation and integration of strategic, operational and IT risk management processes and data. Security and risk management leaders should use Gartner’s Magic Quadrant to identify solutions that support an integrated approach to risk management.


Market Definition/Description

Integrated risk management (IRM) solutions combine technology, processes and data that fulfill the objective of enabling the simplification, automation and integration of strategic, operational and IT risk management across an organization (see “Definition: Integrated Risk Management Solutions”).
To understand the full scope of risk, organizations require a comprehensive view across all business units and risk and compliance functions, as well as key business partners, suppliers and outsourced entities. As a result, new technology solutions are emerging to increase the collaborative nature of risk management, both within and external to an organization.

IRM Use Cases

There are a growing number of IRM vendors that automate various workflows in support of cross-organization collaboration for risk management. Through common functions, such as an asset repository, regulatory mapping, survey capabilities, workflow functions and data import, IRM vendors provide capabilities across the following six use cases:
  • Digital Risk Management (DRM)
  • DRM technology integrates the management of risks of digital business components, such as cloud, mobile, social and big data, and third-party technologies like artificial intelligence and machine learning, operational technology (OT), and the Internet of Things (IoT).
  • Vendor Risk Management (VRM)
  • Vendor risk management programs help organizations manage the risks of third parties with adequate controls for business continuity management, performance, viability, security and data protection. Failure to comply with these mandates can have significant customer- and service-related, audit-related, and, for some industries, regulatory repercussions that can undermine shareholder value and corporate viability. The VRM use case addresses risks to regulatory compliance, information security and vendor performance arising from enterprises’ increased use of, and reliance on, service providers and IT vendors. Solutions geared toward this use case have capabilities such as risk assessment, risk monitoring and/or risk rating.
  • Business Continuity Management (BCM)
  • Business continuity management is the practice of coordinating, facilitating and executing activities to identify risks of business disruptions, implement disaster recovery solutions and recovery plans, respond to disruptive events and recover mission-critical business operations. BCM software automates processes such as risk assessment, business impact analysis (BIA), and recovery plan development, exercising and invocation. Critical and enhanced capabilities that address BCM help organizations to initiate BCM programs and improve overall continuity capability.
  • Audit Management (AM)
  • Auditors independently and objectively evaluate, analyze and assess the effectiveness of an organization’s system of internal control, governance processes and risk management capability. The auditors provide assurance, insight and recommendations on operational improvements to the board of directors, senior management and business process owners. Auditors do this through both auditing and consulting activities. The audit management solution market automates internal audit operations, such as audit planning, scheduling, work paper management, time and expense management, reporting, and issue management.
  • Corporate Compliance and Oversight (CCO)
  • As the compliance management program scope increases, regulatory compliance and change management become more complicated. An increase in focus on commercial compliance (increasingly required by business partners) and organizational compliance requirements (such as ethics and corporate social responsibility) makes compliance managers’ roles challenging. Corporate compliance and oversight software supports the goals and activities of compliance leaders. CCO provides automated policy development and management, compliance risk assessment, control rationalization, assessment and attestation, regulatory change management and investigative case management.
  • Enterprise Legal Management (ELM)
  • Enterprise legal management software applications are focused on supporting legal and compliance departments, corporate secretaries, boards of directors and senior management. ELM provides better documentation, spend management, information availability and collaboration via an integrated set of applications. These applications include matter management, e-billing, financial/spend management, legal document management and business process management.

IRM Critical Capabilities

In support of these six use cases, the IRM critical capabilities provide business leaders with effective means of assessing risk and control effectiveness, identifying risk events, managing remediation efforts, and quantifying the associated risk exposure across the organization. What follows is an overview of the five critical capabilities evaluated in this report, as well as a description of their primary functions/features.
  • Risk and Control Documentation/Assessment
  • Risk statements and the related controls required to mitigate them to an acceptable level must be documented sufficiently to satisfy a number of key internal and external stakeholders — including regulators, external auditors, business partners/associates, suppliers, senior executives and board members. Statements and controls must also provide the basis for performing a comprehensive risk assessment at a strategic, operational and technological level. Features within this capability include:
    • Risk-related content, including a risk framework, taxonomy/library, key risk indicator (KRI) catalog, and legal, regulatory and organizational compliance requirements
    • Risk assessment methodology and calculation capabilities (for example, bow tie risk assessment)
    • Policy documentation and control mapping
    • Documentation workflow including authoring, versioning and approval
    • Business impact analysis/recovery plan documentation
    • Audit work paper and testing management
    • Third-party control evaluation
    • Contract management
  • Incident Management
  • Proactive management of risk incidents can lead to a reduction in business impact and inform future risk mitigation efforts. A record of incidents can be used to inform the risk assessment process and facilitate the identification of event causes. In addition, IRM solutions can integrate with external systems to identify potential risk events related to third-party risk profiles and known incidents. Features within this capability include:
    • Incident data capture
    • Incident management workflow and reporting
    • Root cause analysis
    • Crisis management
    • Emergency mass notification
    • Investigative case management
    • Legal matter management
  • Risk Mitigation Action Planning
  • When risks are assessed to be beyond defined risk tolerance levels, action plans must be developed to ensure that the appropriate mitigation steps are taken to meet the risk appetite set by the board of directors or other governance body. IRM solutions can provide support to risk professionals and business leaders in managing and testing the associated risk mitigation efforts. Features within this capability include:
    • Project management capabilities to track progress on risk-related initiatives, audits or investigations
    • Risk control testing capabilities, such as continuous control monitoring
    • Control mapping to risks, business processes and technology assets
    • Control mapping to legal requirements and compliance mandates
  • KRI Monitoring/Reporting
  • To effectively monitor risks across the organization, companies can utilize IRM solutions to aggregate and report a wide array of risk levels using key risk indicators (KRIs). Features within this capability include:
    • Risk scorecard/dashboard capabilities
    • External data integration (for example, information security vulnerability assessment data)
    • The ability to link KRIs to performance metrics
  • Risk Quantification and Analytics
  • Beyond the exercise of assessing risk from a qualitative perspective, companies in many industries (including banking, insurance and securities) seek to measure risk on a quantitative basis. Some of the quantitative analysis is used to support capital calculation requirements driven by regulatory mandates, such as Basel III and Solvency II. Other quantitative analysis methods are used to develop more precise predictive models to determine the potential for certain operational risk events, such as fraud or theft. As such, the features within this capability include:
    • “What if” risk scenario analysis capabilities
    • Statistical modeling capabilities (for example, Monte Carlo simulation, value at risk, and Bayesian statistical inference)
    • Predictive analytics
    • Capital allocation/calculation
    • Fraud detection capabilities

Magic Quadrant

Figure 1. Magic Quadrant for Integrated Risk Management

Source: Gartner (July 2018)


Vendor Strengths and Cautions

ACL

ACL is headquartered in Vancouver, British Columbia, and is privately held with a minority interest held by Norwest Venture Partners. ACL’s legacy software solutions are focused on internal audit and data analytics. As such, the target buyer historically has been chief audit executive, but now has broadened to compliance, IT and risk management leaders. Its IRM solution set demonstrated for evaluation includes ACL GRC cloud platform — SaaS continuous delivery, ACL Analytics AX v.13 and ACL AN v.13. The solution set is deployed exclusively via SaaS. ACL supports clients in North America, EMEA, Latin America and the Caribbean, and Asia. Clients are primarily within the general commercial, public sector, manufacturing, professional services, financial services, insurance and healthcare industries. Technical support is provided in each region with Latin America and the Caribbean supported out of North America.

Strengths

  • Geographic Strategy: ACL has invested in a wide range of geographical support and is highly rated by its references on global support coverage.
  • Sales Execution: The attention ACL’s sales teams pay to customer demand has resulted in a smoother customer experience, as indicated by its references.
  • Offering Strategy: ACL’s rich out-of-box regulatory content combined with configurable workflows can deliver a wide range of risk data integration and reporting capabilities.

Cautions

  • Product Roadmap: ACL presently has no planned focus on its roadmap to target digital business risk management and enterprise legal management capabilities.
  • Market Segmentation: ACL stated a limited focus in segmenting its marketing strategy for each distinct market segment within IRM. This is reflected in its ability to support all IRM use cases.
  • Industry Strategy: ACL started its industry-specific support effort in 2017, but it has teams only for government and financial services sectors.

CURA Software

CURA Software is the group name of the CURA governance, risk and compliance (GRC) product and related companies. CURA Singapore is the holding company for the group (CURA USA, CURA SA and CURA Australia), and CURA Technologies was the publicly traded company. In 2017, a structural change was made to go private by selling the Singapore holding to White Orchids. Software development for its CURA Platform remains based within India. CURA’s main target buyers are chief risk officers (CROs) and chief compliance officers. The demonstrated solution, CURA Platform version 4.0, can be deployed through on-premises, private hosted and SaaS models. CURA’s top revenue-generating verticals are government, manufacturing, banking, financial services and insurance. Primary support is provided out of respective local teams, and critical issues/development is handled by the India team. The majority (about 80%) of its customer base is in South Africa and Australia. CURA Software also has clients in the U.S., Malaysia, South America, U.K., Singapore and the Middle East.

Strengths

  • Marketing Strategy: Within the critical capabilities that CURA Software supports today, the vendor presented a clearly stated view of the current market demand, as well as its evolution, and articulated a plan for how it would support such market development.
  • Sales Satisfaction: Customer references’ ratings on sales engagement and support are on the higher side of the score range.

Cautions

  • Overall Viability: CURA Software’s recent business ownership change is a risk factor for its business stability. However, CURA provided clarification that the structural change is not material for its execution; the holding company and stepdown entities continue to work independently of the structural change.
  • Financial Viability: CURA’s revenue has not grown in the last few years. CURA provided the explanation that with the current restructuring, the company is poised for growth.
  • Geographic Distribution: Although CURA Software has begun building out a global sales and support force in recent years, its customer base is concentrated in only two countries.

Dell Technologies (RSA)

RSA, a Dell Technologies business headquartered in Bedford, Massachusetts, offers its RSA Archer Suite to a broad set of roles, and supports a spectrum of IRM use cases. RSA Archer release 6.3, demonstrated for this research, has a set of use-case-based solutions that can be purchased independently. RSA’s software can be deployed either on-premises or in a multitenant, private hosted environment. Implementation services are available through RSA professional services and its partners. RSA’s clients are found in North America, EMEA, Asia/Pacific, Japan and Latin America across industries such as financial services, healthcare, public sector/government, professional services, transportation, telecommunications, retail, energy and technology. Four support centers are located in the U.S., the U.K., India and Australia.

Strengths

  • Vertical Strategy: RSA sells to and supports a wide client base across industry sectors.
  • Sales Strategy: RSA uses a maturity-based approach to segment targeted buyers. This approach can help customers to identify IRM implementation steps and RSA to align its sales and support experts with customer requirements.
  • Geographic Strategy: RSA offers fuller coverage for global users and continues to invest in supporting new IRM users outside North America. This makes the RSA Archer product a well-suited candidate for large and globally distributed business operations.

Cautions

  • Time to Value: Some of RSA’s references rated it less favorably in terms of deployment length, especially when implementing the RSA Archer Platform on-premises at a global scale.
  • Product/Service: The RSA Archer Platform currently does not offer native capabilities to support enterprise legal management.
  • Product/Service: The RSA Archer Platform scope of capabilities and features can be too complex for some small and medium clients.

IBM

IBM, publicly traded and headquartered in Armonk, New York, targets a broad set of buyers across the enterprise, including governance, risk management and internal audit professionals. IBM’s OpenPages Version 7.3, reviewed for this research, is offered as an on-premises, privately hosted or SaaS solution. Target buyers for OpenPages include risk and security leaders at global organizations whose short- or long-term goal is enterprisewide integrated risk management. OpenPages’ clients are located in all global regions. Approximately 50% of OpenPages’ clients are in the financial services sector with the remaining spread across energy, utilities, healthcare, telecommunications and government. IBM provides OpenPages support via nine help center facilities, with locations in the U.S. and Canada, as well as in six other countries around the world.

Strengths

  • Marketing Strategy: IBM has designed its marketing to appeal to all types of buyers both in user size and industry focus.
  • Assessment and Documentation: OpenPages demonstrates effective risk assessment methodology and calculation capabilities, policy documentation and control mapping.
  • Geographic Distribution: IBM’s geographic support rating ranks as one of the highest in customer references.

Cautions

  • Sales Satisfaction: Some references reported low satisfaction with IBM’s lengthy sales cycles and sales execution, resulting in longer implementation times and frequent customization changes.
  • Industry Focus: IBM supports all industries, but as its main customer base involves financial services, implementation and support expertise are directed by and at the financial services sector.
  • Time to Value: IBM falls at the low end of customer references’ ratings for this category in this study, including pricing.

Ideagen

Headquartered in Nottingham, U.K., Ideagen is a publicly traded company quoted on the Alternative Investment Market (AIM) of the London Stock Exchange and is a leading supplier of information management software to highly regulated industries. Ideagen’s legacy solutions are focused on quality and safety management, but its newer solutions have been extended to address use cases across the IRM spectrum. Its primary solutions demonstrated for evaluation include Coruson for enterprise cloud safety and operational risk management and Pentana for audit and performance management. Ideagen solutions can be deployed in on-premises, privately hosted or SaaS environments. Ideagen’s clients are located in EMEA, North America and Asia/Pacific. Its solutions are delivered across a range of industries including healthcare, transport, aerospace and defense, life sciences, manufacturing and financial services. Support is offered primarily out of the U.K. with additional offices in Dubai and Kuala Lumpur.

Strengths

  • Financial Viability: According to public financial data, Ideagen reported positive revenue growth, healthy customer base expansion, and several acquisitions.
  • Product/Service: Ideagen’s stated focus and R&D investment are primarily on the Coruson product, which has a product roadmap to support an array of project scales.
  • Vertical Industry Strategy: Among the vendors evaluated in this study, Ideagen has heritage and expertise in supporting safety in aviation and rail transportation and quality management in manufacturing.

Cautions

  • Sales Strategy: Ideagen relies solely on direct sales and currently has limited support for North America, which hinders its market reach.
  • Offering Strategy: Ideagen’s IRM capabilities today include basic analytics, and advanced risk data analyses require implementations via Ideagen’s APIs.
  • Marketing Strategy: Ideagen has a broad statement on future market requirements without specifics on business continuity management or full support for digital risk management.

Lockpath

Lockpath, privately held and headquartered in Overland Park, Kansas, offers the Keylight platform as its IRM solution. It targets the following buyers: chief information security officers (CISOs), compliance teams and CROs. Keylight 4.8, demonstrated for this research, can be deployed via SaaS, as well as in an on-premises model. The majority of Lockpath’s customers (over 70%) are on the SaaS model. Customers in healthcare, financial services and technology make up over 50% of its current installed base. Most of Lockpath’s customers are located in North America with a few spread across South America, Europe and Asia. Lockpath offers support out of its headquarters in Overland Park, Kansas. Implementation services are delivered by Lockpath’s professional services team and a network of global partners.

Strengths

  • Marketing Strategy: Lockpath has wide market presence in company size and industry sector.
  • Time to Value: References have consistently reported positive results on time to value with their Lockpath IRM implementation projects, attributed primarily to Lockpath’s QuickStart program.
  • Product Capabilities: Lockpath’s Keylight platform has a full range of functions across all desired IRM critical capabilities.

Cautions

  • Vertical/Industry Strategy: Lockpath does not currently provide a path to support all features for legal-risk use cases.
  • Sales Strategy: Despite Lockpath’s use of joint-sale and upsell opportunities, its sales force and channel are limited to one region, North America.

LogicManager

LogicManager is headquartered in Boston, Massachusetts, and privately held. LogicManager’s legacy software solutions have been focused on enterprise risk management for midsize enterprises. Its target buyers are chief risk, compliance, information security and audit officers, as well as their direct reports. LogicManager’s IRM solution set demonstrated for evaluation is offered exclusively as a SaaS platform with continuous delivery of release updates. LogicManager supports clients in North America, Asia, the U.K. and Western Europe. Banking, credit unions and other financial services combine to make up about half of LogicManager’s client base. Healthcare, insurance, manufacturing, education, energy, and civic and social organizations each encompass between 5% and 20% of the client base. Technical support is provided from the Boston, Massachusetts, headquarters and from European satellite offices.

Strengths

  • Time to Value: References frequently reported rapid deployment as a characteristic of their LogicManager projects, with many reporting project lengths of three months or less.
  • Offering Strategy: LogicManager has a stated product roadmap emphasizing simplicity and usability. It advocates designing functionalities to attract higher end-user engagement or self-service.
  • Market Understanding: Among the evaluated vendors in this study and ranked by customer references, LogicManager received the highest rating for this measure.

Cautions

  • Industry Coverage: Due to its customer concentration in financial services, some customers had negative feedback on LogicManager’s expertise outside its main customer base.
  • Product/Service: Though LogicManager has large-enterprise customers, the company’s service structure is currently optimized to support midsize enterprises.
  • Geographic Distribution: LogicManager’s primary support is based in Boston, Massachusetts, a risk factor for globally distributed risk teams.

MetricStream

MetricStream, privately held and headquartered in Palo Alto, California, targets a wide range of buyers, including all primary C-suite executives, plus buyers such as CISOs, VRM executives and quality management executives. MetricStream’s M7 platform, demonstrated for this research, can be deployed via SaaS or a privately hosted, hybrid or on-premises model. Over 45% of its revenue comes from the financial services sector. About 45% of its customer base is outside the U.S. Support is provided from centers in Palo Alto, California; New York; London; Milan; Dubai; and Bangalore, India.

Strengths

  • Financial Viability: MetricStream has dozens of investors, including Goldman Sachs and other venture capital firms. The company’s risk is rated low, with a healthy financial performance, by D&B Hoovers.
  • Marketing Strategy: MetricStream has a stated marketing strategy that appeals to new IRM buyers and projects designed to modernize risk management practices.
  • Market Responsiveness and Track Record: References reported higher satisfaction in their experience with MetricStream’s sales and support.

Cautions

  • Product/Service: Some early MetricStream M7 platform adopters reported performance issues and lack of customization support for advanced reporting features.
  • Sales Execution/Pricing: For globally distributed risk teams or large-scale projects, MetricStream’s contracting and pricing can be complex.
  • Offering Strategy: MetricStream’s M7 platform, released in April 2017, aims to serve pent-up demand for a faster and simpler IRM solution, but early reports from upgrade customers are mixed.


Mitratech

Mitratech is a privately owned company headquartered in Austin, Texas. Its portfolio of enterprise legal and risk management solutions serves the needs of corporations throughout their legal departments, compliance and risk functions, and executive leadership teams. The IRM solution set demonstrated for evaluation includes TeamConnect 5.1, Compliance Manager 15.02 and PolicyHub 5.0.1. Mitratech’s solution set can be deployed in both SaaS and privately hosted environments or on-premises. Clients are located in the Americas, EMEA and Asia/Pacific. Industries represented across Mitratech’s client base include financial services, manufacturing, energy/utilities and professional services. Primary support is based in Mitratech’s headquarters in Austin, Texas, with additional support teams in Houston, Texas; Blue Bell, Pennsylvania; Slough, U.K.; Swansea, U.K.; and Melbourne, Australia.

  • Market Responsiveness and Track Record: Mitratech gained the highest rating from customer references for this category among all the evaluated vendors in this study.
  • Marketing Strategy: Mitratech has a stated strategy that appeals to a wide range of enterprise buyers involved in risk management, including enterprise legal management, compliance management, and environmental, health and safety.
  • Geographic Strategy: Due to its established expertise in supporting a wide range of legal and compliance teams that typically span multiple jurisdictions and complex legal operation requirements, Mitratech offers fuller support across all regions.

  • Offering Strategy: While the evaluated products have shared IRM elements to connect them, customers need to buy multiple products from Mitratech to support their IRM capabilities.
  • Product/Service: Mitratech currently has no support for vendor risk, digital risk and business continuity management.
  • Operations: Mitratech went through a phase of high merger and acquisition activity for technology assets, especially in 2015. Product integration, support and innovation focus across multiple products are risk factors.


Nasdaq

Nasdaq, headquartered in New York City, New York, offers BWise as its primary IRM platform, targeting all C-suite-level executives, including corporate controllers and chief audit executives. BWise is part of a broader offering of board and governance software solutions and services. Version 5.0.1, demonstrated for this research, can be deployed in a single-tenant, privately hosted environment or on-premises. BWise has customer distribution in all regions, with primary focus in North America, Europe, Asia/Pacific and Australia/New Zealand. Approximately 40% of its revenue is from the financial services sector. Support is provided across the globe but centralized in New York, the Netherlands and Portugal.

  • Geographic Strategy: Thirty percent of Nasdaq’s client base is in the U.S., 40% is in Europe, and the remainder is spread across the globe. The strategy reflects the parent company’s reach.
  • Sales Execution: A simple subscription-based or perpetual-license model (hosted/SaaS or stand-alone) along with enterprise and midtier options provides flexible spending choices for customers.
  • Overall Viability: As part of a global enterprise with extensive international experience in financial and corporate services, and with service partners that provide strategic information, Nasdaq is well-positioned to serve IRM clients.

  • Overall Viability: While gradually diversifying across IRM use cases, over 70% of deployments are focused on IT (digital) risk management, corporate compliance and audit.
  • User Experience: Reference customers noted some concerns in postdeployment customer support.
  • Product/Service: The business continuity management workflow process is limited primarily to documentation steps.


Resolver

Resolver is headquartered in Toronto, Ontario, and is privately held. Almost half of Resolver customers are in financial services and manufacturing, with the remainder in education, healthcare and other businesses. Resolver Core was demonstrated for this research. Core is a “cloud first” application deployed on Amazon Web Services (AWS). Resolver targets clients located predominantly in North America (70%) and the U.K., although more international expansion is planned. The company has 24/7 emergency support coverage and scheduled support from offices in London, U.K.; Toronto, Ontario; Charleston, West Virginia; Edmonton, Alberta; Sunnyvale, California; Christchurch, New Zealand; and Hyderabad, India.

  • Overall Viability: Though initially backed with venture funding for acquisitions, Resolver does not require investment to operate.
  • Product/Service: Data visualization capabilities in incident management and risk mapping help nontechnical audiences understand complex relationships.
  • Sales Execution and Pricing: As a cloud-based service, Core’s pricing model is simple, based on a fixed annual fee for integrated use cases plus a platform fee for a “full user” — one with access across use cases.

  • Overall Viability: Resolver is one of the later entrants to the IRM market and possesses a limited number of IRM customers at this stage. The principal geographic focus remains North America, although some international expansion is beginning.
  • Vertical Industry: Resolver does not yet have a vertical-industry market focus, with half of client revenue from financial services or manufacturing.


Riskonnect

Riskonnect is a privately held company headquartered in Kennesaw, Georgia, with offices in Atlanta, Chicago and London, and software development teams based in Mangalore and Ahmedabad, India. In June 2017, Riskonnect was purchased by Thoma Bravo, a U.S.-based private equity investment firm. Riskonnect acquired GRC provider Aruvio in late 2017.
Target buyers include executives who want a consolidated view of risk (for example, the CIO, CISO, CFO and other C-level buyers). Riskonnect is a pure SaaS provider and demonstrated its IRM product version 2017 release 2 for this research. Riskonnect offers its product in North America, EMEA and Asia/Pacific with particular focus in manufacturing, retail and consumer goods, healthcare, construction and engineering, energy and utility, mining and natural resources, telecom and IT, transportation and logistics, financial services, and insurance.

  • Product/Service: Riskonnect is built on the Salesforce Lightning platform and delivered purely as SaaS, which supports rapid deployment scenarios.
  • Vertical Industry: Riskonnect has a relatively even distribution across at least four verticals (retail, manufacturing, transportation and insurance) with growth in others and provides approximately 600 APIs to support those verticals.
  • Innovation: Almost one-third of Riskonnect’s research and development is devoted to mobile capability enhancements and portal growth for simpler customer experience.

  • Deployment/Integration: While flexible, Riskonnect’s use of Salesforce Lightning as a delivery platform may influence consideration by non-Salesforce clients.
  • Innovation: Research and development spending as a percentage of annual revenue is slightly lower than many of Riskonnect’s competitors.
  • Product/Service: Riskonnect does not provide significant legal management functionality or statistical modeling capabilities.


Rsam

Rsam is headquartered in Secaucus, New Jersey, and is privately held. Target buyers include boards and executives who want a consolidated view of risk and CIOs who prefer to work with a handful of vendors/partners rather than siloed applications. Rsam version 9.2 Update 3, demonstrated for this research, can be deployed in on-premises, privately hosted or SaaS environments. Rsam targets clients located in North America, Europe, the Middle East and Asia/Pacific, as well as clients in healthcare, financial services, government, retail, education and energy. Rsam has a global 24/7 support team with support offices in New Jersey, U.S., and Bangalore, India.

  • Innovation: Rsam possesses an innovative approach to building relationships between any defined “object” (person, process, technology or data) as a foundation for its IRM management, analysis and reporting approach.
  • Product/Service: Rsam’s architecture permits scaling the databases used and the external sources linked, to manage large and complex IRM deployments. Content templates for its target verticals, along with vertical information service partners, also provide options for clients in many verticals.
  • Vertical Industry Strategy: Rsam has balanced distribution of customers across multiple verticals, including healthcare, financial services, government, retail and others.

  • Customer Experience: Although innovative in architecture and design, Rsam’s object-oriented approach is not immediately intuitive to nontechnical users and requires training for many customers.
  • Product/Service: Rsam does not possess functionality for legal risk management or emergency mass notifications, although some external integration to partner offerings is possible.

SAI Global

SAI Global, headquartered in Chicago, offers its Digital Manager 360 and Compliance 360 platform to the following buyers: compliance teams, risk managers and CROs, CIOs and CISOs. Digital Manager 360 version 2017.2 and Compliance 360, demonstrated for this research, are delivered primarily via privately hosted or SaaS environments. This solution focuses on sectors such as healthcare, life sciences, retail, financial services, manufacturing, energy and utilities. The client base is distributed across Europe, U.K./Ireland, Middle East/Africa, North America and Asia/Pacific. Customer support is offered in the U.K., Germany, Middle East, Asia, Australia and the U.S.

  • Customer Effectiveness: Clients continue to report high levels of satisfaction with presales and postsales support, including pricing, implementation, customization and ease of use.
  • Geographic Strategy: Changes in resource commitments have improved SAI Global’s international coverage.
  • Product/Service: SAI Global possesses robust incident management capability, support for privacy compliance and General Data Protection Regulation and effective third-party connectivity for monitoring and reporting functions.

  • Product/Service: SAI Global capabilities do not include significant legal matter management, scenario analysis or statistical modeling capabilities for calculating risks.
  • Overall Viability: While SAI Global has significant deployments, growth in new clients has slowed slightly as competition stiffens and the market shifts to IRM.


ServiceNow

ServiceNow, a public company based in Santa Clara, California, built ServiceNow Governance, Risk and Compliance (GRC) on its own platform as a service. The IRM solution targets buyers such as IT security teams, risk management directors and internal audit teams. ServiceNow GRC, version Jakarta, was demonstrated for this research. It is almost exclusively deployed via a SaaS model, although on-premises deployment is available upon customer request. ServiceNow primarily targets North America, Europe, Asia/Pacific and Australia/New Zealand, but also has a limited presence in the Middle East and Latin/South America. ServiceNow has solution consultants and industry marketing teams dedicated to financial services, healthcare, education, life sciences and government. Support centers are located in Santa Clara, California; San Diego, California; Amsterdam, Netherlands; Staines, U.K.; and Sydney, Australia.

  • Product/Service: ServiceNow possesses strong IT risk capabilities, particularly in risk and control documentation and in incident management.
  • Customer Experience: Technical support is 24/7, and ServiceNow has service centers globally and well-attended conferences and forums.
  • Geographic Strategy: ServiceNow possesses a significant global footprint and matching partner model, particularly in consulting and system integration partnerships.

  • Sales Execution/Pricing: Pricing can be challenging for clients because of bundling and subscription complexity, and customers have noted that some implementations take longer than expected.
  • Product/Service: ServiceNow does not yet possess significant scenario planning and statistical modeling functionality for risk calculation.

Thomson Reuters

Thomson Reuters, headquartered in New York City, New York, offers a spectrum of risk-and-compliance-related technologies and services. Its IRM software and services target the following buyers: CROs and managers of enterprise compliance and risk teams. Thomson Reuters’ Connected Risk v.17.2, demonstrated for this research, can be deployed via on-premises, hosted and SaaS models. However, the majority of its customers are deployed on-premises. Thomson Reuters’ customer base is widely distributed across financial industry sectors and major geographical regions. Primary product support is delivered by service centers in the U.S., U.K., and Philippines.

  • Product/Service: The Connected Risk platform provides a toolkit-style approach for developing customer portal screens and effective integration with third-party sources of information required for monitoring, analysis and reporting.
  • Sales/Geographic Strategy: Thomson Reuters is a global company with a matching support organization. Connected Risk is also one of the lowest-cost offerings in IRM for capabilities offered.
  • Product/Service: Complementary Thomson Reuters products, such as World-Check for third-party risk information and its legal management portfolio, provide an extended set of IRM inputs as required.

  • Vertical Industry Strategy: Connected Risk remains predominantly a significant banking and financial services IRM offering, although aggressive growth plans target manufacturing, technology and communications, and others.
  • Product Strategy: Relative product satisfaction and perceived value among Connected Risk customers score slightly lower than competitor offerings.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.


Added

Not applicable because this is a new Magic Quadrant.

Dropped

Not applicable because this is a new Magic Quadrant.

Inclusion and Exclusion Criteria

The inclusion criteria represent the specific attributes that analysts believe are necessary for inclusion in this research. To qualify for inclusion, a vendor must demonstrate the following:
  • The vendor must have the ability to significantly address (on an enterprisewide basis) at least 65% of the key functions/features across the five critical capabilities listed in the report.
  • The vendor must have 200 or more customers currently using its IRM solution.
  • The vendor must derive revenue from the sale of IRM solutions and related services (for example, implementation/training, software product customization and so on) in three or more of the following global regions — North America, Latin America, EMEA, Japan and Asia/Pacific.
  • The vendor must also demonstrate full support of at least three use cases, as defined above, in its generally available product(s).

Innovation Insight for Security Orchestration, Automation and Response

Recent studies show that before automation can reduce the burden on understaffed cybersecurity teams, they need to bring in enough automation skills to run the tools.

Published 30 November 2017 – ID G00338719 – 24 min read

Enterprises are striving to keep up with the current threat landscape with too many manual processes, while struggling with a lack of resources, skills and budgets. Security and risk management leaders should determine which SOAR tools improve security operations efficiency, quality and efficacy.


Key Findings

  • Security operations teams struggle to keep up with the deluge of security alerts from an increasing arsenal of threat detection technologies.
  • Security operations still primarily rely on manually created and maintained, document-based procedures for operations, which leads to issues such as longer analyst onboarding times, stale procedures, tribal knowledge and inconsistencies in executing operational functions.
  • The challenges from an increasingly hostile threat landscape, combined with a lack of people, expertise and budget are driving organizations toward security orchestration, automation and response (SOAR) technologies.
  • Threat intelligence management capabilities are starting to merge with orchestration, automation and response tools to provide a single operational tool for security operation teams.


IT security and risk management leaders responsible for security monitoring and operations should:
  • Assess how SOAR tools can improve the efficacy, efficiency and consistency of their security operations by using orchestration and automation of threat intelligence management, security event monitoring and incident response processes.
  • Focus on automating tasks and orchestrating incident response, starting with procedures that are easy to implement and where machine-based automation will reduce incident investigation cycle times.
  • Use external threat intelligence as a key way to improve the efficacy of security technologies and processes within the security operations program.

Strategic Planning Assumption

By year-end 2020, 15% of organizations with a security team larger than five people will leverage SOAR tools for orchestration and automation reasons, up from less than 1% today.


Security and risk management leaders responsible for security monitoring and operations face an increasingly challenging world. Attackers are improving their ability to bypass traditional blocking and prevention security technologies, and end users continue to fall victim to social engineering while still failing to carry out basic security practices well. While mean time to detect threats may be trending down across industries,1 it still takes far too long. Once a threat is detected, responding to and remediating it is still a challenge for most organizations. Additionally, many security teams have overinvested in a plethora of tools. As a result, they suffer from alert fatigue and the complexity of multiple consoles, and they struggle to recruit and retain security operations analysts with the skills and expertise needed to use all those tools effectively. This is all playing out against the backdrop of a growing attack surface that is no longer restricted to on-premises IT environments.
The attack surface today encompasses multiple forms of cloud (SaaS, IaaS and PaaS) and mobile environments, and even extends to the third-party organizations that supply the enterprise. Finally, effective security monitoring requires not only tools and well-documented incident response processes and procedures, but also the ability to execute them with consistency and precision, and the capability to refine and update responses as best practices emerge. Many organizations have few, if any, of these procedures documented; where they exist, they are often monolithic and inflexible, and teams continue to rely on ad hoc responses again and again.
Since Gartner’s first analysis of the SOAR space (which was initially defined by Gartner as “security operations, analytics and reporting”), the vendor and technology landscape has evolved. In 2017, many technologies claim the ability to orchestrate incident response, but present some limitations in capabilities that could deliver real overall benefits for the efficacy of an operations team. Examples of these shortcomings include a limited ability to show the big picture of an organization’s state of security, or a lack of connectivity to the organization’s ecosystem of tools. Security orchestration and automation have become closely aligned with security incident response (SIR) and general operations processes. Security information and event management (SIEM) technology vendors have incorporated automated response capabilities to varying degrees. Automated response is also appearing as a feature in other security technologies. The lack of centralized capabilities in these solutions leaves security teams responsible for manually collecting and stitching together all this information, and for working from manual playbooks for the tasks associated with each type of incident.
Figure 1 shows a continuous set of activities that can be performed by a SOC team using SOAR technology. The figure reflects the use of the CARTA strategy for continuous monitoring and visibility.

Figure 1. SOAR Overview

Source: Gartner (November 2017)


Gartner defines security orchestration, automation and response, or SOAR, as technologies that enable organizations to collect security threat data and alerts from different sources, where incident analysis and triage can be performed leveraging a combination of human and machine power to help define, prioritize and drive standardized incident response activities according to a standard workflow. SOAR tools allow an organization to define incident analysis and response procedures (aka plays in a security operations playbook) in a digital workflow format, such that a range of machine-driven activities can be automated.

The Evolution of SOAR From 2015 to 2017

In 2015, Gartner described SOAR (then expanded as “security operations, analytics and reporting”) as tools that utilized machine-readable and stateful security data to provide reporting, analysis and management capabilities to support operational security teams. Such tools would supplement decision-making logic and context to provide formalized workflows and enable informed remediation prioritization.
As this market matures, Gartner is witnessing a clear convergence among three previously relatively distinct, but small, technology markets (see Figure 2). These three are security orchestration and automation, security incident response platforms (SIRP), and threat intelligence platforms (TIP).

Figure 2. Convergence of SOAR Tools
SOA: security operations automation; TVM: threat and vulnerability management

Source: Gartner (November 2017)

Most of the solutions that Gartner tracks address core security operations functions, such as responding to incidents, that are only partially served by existing tooling (for example, a SIEM). SOAR integrates dispersed security data and provides security teams with the broad functionality to respond to all types of threats. SOAR also enables processes that are more efficient and accurate, and allows automation of common subtasks or of an entire workflow. The primary target for a SOAR solution is the security operations center (SOC) manager and the analysts responsible for incident response.
Gartner is also tracking an increasing role for SOAR functionality among TIP vendors. Indeed, SOAR’s central role in the SOC makes it ideally suited to validate the quality of the threat intelligence used in an organization. By confirming alerts as true positives or false positives, SOAR tools can confirm or refute the threat intelligence that led to that conclusion. Likewise, the SOAR tool can push validated threat intelligence to every tool and security control in the organization that can use indicators of compromise for local enforcement.

Description and Functional Components

SOAR can be described by the different functions and activities associated with its role within the SOC, and by its role in managing the life cycle of incidents and security operations:
  • Orchestration — How different technologies (both security-specific and non-security-specific) are integrated to work together
  • Automation — How to make machines do task-oriented “human work”
  • Incident management and collaboration — End-to-end management of an incident by people
  • Dashboards and reporting — Visualizations and capabilities for collecting and reporting on metrics and other information
In the following sections, we will review each of these functions in more detail.
What SOAR is not:
  • Governance, risk and compliance (GRC), where the focus is on managing adherence to compliance frameworks, often based on controls. Gartner now refers to GRC as integrated risk management (IRM), which encompasses both IT risk management and audit and risk management.
  • SIEM, which provides reliable log ingestion and storage at scale, as well as normalization and correlation of events for real-time monitoring and the automated detection of security incidents.
  • User and entity behavior analytics (UEBA) or advanced threat detection, which are focused on behavioral and network analysis or the detection of indicators of compromise.
  • Threat and vulnerability management, which provides awareness for the types of threats facing an organization. TVM is focused on identifying, prioritizing and remediating security weaknesses based on potential risk and impact of vulnerabilities.
Drivers for SOAR include:
  • Staff shortage: Due to staff shortages in security operations (see “Adapt Your Traditional Staffing Practices for Cybersecurity”), there is a growing need to automate, streamline workflows and orchestrate security tasks. Also, the need to demonstrate to management that the organization can reduce the impact of inevitable incidents is ever-present.
  • The explosion of unattended alerts from other security solutions: The process of determining whether a specific alert deserves attention requires querying many data sources to triage.
  • Threats becoming more destructive: Threats destroying data, the disclosure of intellectual property and monetary extortion require a rapid, continuous response with fewer mistakes and fewer manual steps.
  • The need to better understand the intersection of your environment with the prevailing threat landscape: A large number of security controls on the market today benefit from threat intelligence. SOAR tools allow for the central collection, aggregation, deduplication, enrichment of existing data with threat intelligence, and, importantly, converting intelligence into action.


Gartner sees orchestration as the ability to coordinate informed decision making, and to formalize and automate responsive actions based on measurement of the risk posture and the state of an environment. SOAR orchestrates the collection of alerts, assesses their criticality, coordinates incident response and remediation, and measures the whole process.

One example is the response to a reported email that may be suspicious. An end user reports a suspicious email to the SOC, which requires an investigation: confirm whether the sender has a bad reputation (through threat intelligence); use DNS tools to confirm the origin of the email; extract any hyperlinks from the email and validate them through URL reputation, or detonate them in a secure environment; and run any attachments in a sandbox. This process would be repeated for every reported suspicious email before it becomes an incident. Orchestration automates the data collection into a single place, giving the analyst enough information to review and decide whether the situation is suspicious. If the investigation confirms an incident, it initiates the workflow (playbook) to respond to it. Integration with the email system, sandbox and ticketing system provides an automated process to search the email system for all messages carrying the suspicious link or attachment. The system then quarantines the copies that were sent to other users, while waiting for the decision to delete the quarantined email or restore access to it.

Think of the process as conducting an orchestra: a conductor controls multiple musical instruments to produce not just noise, but music. Today, security teams have to pick up and play each instrument themselves, but they cannot play many instruments at the same time, and it takes time to pick up and put down each one. In the world of security operations, this is called “context switching,” and it costs teams time (dead time) to orchestrate and perform each step in a process.
Table 1 outlines the main requirements for orchestration in SOAR tools.

Table 1: Summary of Orchestration Capabilities

Minimum Requirements
  • Basic integration: A wide range of out-of-the-box integration connectors to other security solutions. Today, the list of supported vendors might not cover all the technologies you have in your environment.
  • Bidirectional integration: Multiple action types can be described at a high level as “push” or “pull.” “Push” means telling a tool/device to do something. “Pull” means connecting to a tool/device and requesting information it might have. Gartner recommends that end users press their tool vendors to support a full range of both push and pull capabilities via a well-documented and supported API, simple scripts or a programming language.
  • Feature-rich integration: Flexible API customization to facilitate the use of all features supported by that security vendor’s product. Security tools offer many functions, but just because a tool is supported does not mean that all of its functions are exposed through its API. Conversely, even when a security tool presents many functions via API, the SOAR tool may not handle them all. For example, the firewall connector might only support adding an Internet Protocol (IP) address for blocking, and not a URL, or might not support asking the firewall whether it has seen a particular IP address, URL or file hash.
  • Abstraction layer: Key to the value of SOAR tools is an abstraction layer, so that the analyst does not need to be an expert in the specific APIs, scripts or programming languages of individual tools. Rather, analysts work with logic and abstractions while the SOAR tool translates them into tool-specific API calls.
Source: Gartner (November 2017)


Some vendors use the terms “automation” and “orchestration” interchangeably, although they are not the same concept.
Automation is a subset of orchestration. It allows sequences of tasks (commonly called “playbooks”) to execute either partial or complete elements of a security process without a human driving each step. Security operations teams can build relatively sophisticated processes with automation to improve accuracy and time to action. For example, a playbook could query a SIEM to check whether an IP address has been seen before, block an IP address on a firewall or intrusion detection and prevention system (IDPS), or block a URL on a secure web gateway. It could then create a ticket in the ticketing system, or connect to Windows Active Directory to lock a user’s account or reset its password.
Table 2 outlines the main requirements for automation in SOAR tools.

Table 2: Summary of Automation Capabilities

Minimum Requirements
  • Process guidance: The ability to guide analysts through standardized steps, instructions and decision-making workflows.
  • Workflow with multilevel automation: Flexible workflow formalization along with a set of predefined actions, as well as enforcement, status tracking and auditing capabilities; the ability to automate workflows, with the flexibility to inject human responses into the workflow; and the ability to code playbooks, either in a standard language such as Python or through a UI that helps define them.
Source: Gartner (November 2017)

Incident Management and Collaboration

Another SOC function that SOAR tools make more efficient is the management of incidents and the collaboration between team members working on them.
This function is complex. It covers the life cycle of an incident from the moment an alert is generated, through initial triage, validation as a true or false positive and hunting, to remediation. To carry out this life cycle, the SOC team needs to collaborate through an efficient framework, and threat intelligence becomes an integral data source for the process.
Incident management and collaboration comprises several activities, described in the following sections.

Alert Processing and Triage
Two key metrics for information security are the mean time to detect (MTTD) and mean time to respond (MTTR). To respond efficiently, SOC analysts need a better way to gather supporting information from a wide range of sources in order to determine which alerts are real incidents. SOAR technologies gather and analyze security data from many sources and make it available to different stakeholders, including for use cases beyond the original purpose. Triage then prioritizes incidents by criticality and level of impact, using the information collected from those sources.
Event collection is commonly achieved through integration with a SIEM platform. Some solutions can automatically generate incidents for investigation. This removes the need to have a human first notice an incident and then invoke a manual step to create the instance of that incident. A key advantage of deploying SOAR technology is the first pass on alerts to reduce the noise or reduce the subsequent workload of analysts.

Journaling and Evidentiary Support
Some SOAR solutions can record information about actions taken, including details of the action itself, the person taking the action and when it occurred. Such journaling can be extremely useful in complex incidents where the following characteristics may apply:
  • There are questions as to whether apparently separate activity may or may not be linked to a broader operation by the adversary.
  • The incident takes place over an extended period, and so records of activity become a reliable corporate memory.
  • There are multiple people working on an incident or action.
  • Regulations and other mandates require reports to be produced.
Table 3 outlines the main requirements for journaling and evidentiary support in SOAR tools.

Table 3: Journaling and Evidentiary Support

Minimum Requirements
User interface for investigation
Provide investigation timeline/screen to collect and store artifacts of the investigation for current and future analysis.
Help SOC analysts to continue the investigation/response during work shifts among analysts by keeping historical information of the incidents and notes.
Coordination of actions and decisions, particularly when easy communication is not possible (for example, due to time zone differences, work shifts or geographic dislocation).
Coordination of communication with other staff working in the same or related incidents for providing incident updates.
Source: Gartner (November 2017)

Case Management and Workflow
Two forms of security operations automation are often encountered: one focusing on automating the workflow and policy execution around security operations; the other automating the configuration of compensating controls and threat countermeasure implementation. To fully automate or semiautomate these tasks, solutions frequently provide libraries of common and best-practice playbooks, scripts and connectors covering remediation and response actions and processes. These should support the formalization, enforcement and gathering of key performance indicators of security policies. Custom workflow implementation must also be supported.
One of the biggest challenges in IT security operations is capturing and retaining the “group knowledge” that exists within environments. Security operations staff often have an overabundance of notes, scripts and documents that describe in extreme detail how to perform a specific task; just as often, that knowledge lives only in an analyst’s head and is not documented at all. One of the hidden benefits of SOAR is the ability to codify this tribal knowledge into the tool, so it can be captured and used by others. Gartner inquiries show that workers tend to leave companies after about two to three years, on average. Turnover hurts security operations when key people leave and institutional memory goes with them.
Table 4 outlines the main requirements for case management in SOAR tools.

Table 4: Case Management

Minimum Requirements
Case management
Reconstructed timelines of actions taken and decisions made to provide up-to-date progress reports and to support post-incident reviews.
Collaboration and granular role-based access control and management
Exchange of information between teams, organization units and tiers.
Capturing knowledge base from security analysts
Build an internal knowledge base for incident resolution.
Leading products also provide a library of playbooks and processes for popular use cases, as well as access to a community of contributors.
Source: Gartner (November 2017)

Analytics and Incident Investigation Support
Proper investigation requires a centralized tool that helps SOC analysts quickly identify threats and incidents. During an investigation, the ability to store artifacts supports the identification and classification of threats, and the same artifacts can later support audits by showing, in chronological order, the actions taken and the data collected that led to the final response. Analytics applied to historical data help reduce false positives and assign a risk level to each incident, which drives prioritization across many concurrent incidents.
Table 5 outlines the main requirements for analytics support in SOAR tools.

Table 5: Analytics Support

Minimum Requirements
Incident investigation
Correlate incidents, including artifacts, to cross-match activity, and either view or link related incidents. The information should then be surfaced proactively to analysts.
Use forensics to perform a detailed analysis of activity that occurred before and after a security breach.
Source: Gartner (November 2017)

Management of Threat Intelligence
Threat intelligence is becoming a significant resource for detecting, diagnosing and treating imminent or active threats (see “Market Guide for Security Threat Intelligence Products and Services”). Most SOAR tools, like many others in the security market today, include various forms of threat intelligence integration for this purpose. Some are built in, and others are able to be augmented by tools like a TIP. SOAR tools, however, allow not just themselves, but other deployed technology, to make use of third-party sources of intelligence. This can come in various forms: open source; industry leaders; coordinated response organizations, such as Computer Emergency Response Teams (CERTs); and a large number of commercial threat intelligence providers.
TIPs specialize in enabling intelligence-led initiatives in a security program as their base feature set. Today, they offer a sophisticated method for collecting and aggregating threat intelligence for use in security operations. They also have connections to existing tools, such as SIEM, firewall, secure web gateway (SWG), IDPS and endpoint detection and response (EDR).

Dashboards and Reporting

SOAR tools are expected to generate reports and dashboards for at least three classes of persona: analyst, SOC director and chief information security officer (CISO).
Because SOAR tools orchestrate incident response, have bidirectional communication with many other tools in the organization, and empower analysts, they are generating and accessing a lot of very valuable metrics that can be used for several types of reporting.
Table 6 outlines the main requirements for dashboards and reporting in SOAR tools.

Table 6: Dashboard and Reporting Capabilities

Minimum Requirements
Analyst-level reporting
Report on activity for each analyst on metrics such as:
  • Number and types of incidents touched, closed and open
  • Mean and median time for each phase of incident response; for example, triage and containment.
SOC director-level reporting
Report on the efficiency and behavior of the SOC on metrics such as:
  • Number of analysts; number of incidents per analyst.
  • Mean and median time for each phase of incident response; for example, triage and containment.
CISO-level reporting
Report on priorities determined by business context metrics, such as:
  • Risk management: Demonstrate how security risks and IT metrics map to business impact, such as the consequences of missing controls, the impact of incidents and regulatory exposure.
  • Efficiency: Demonstrate some level of cost reduction by minimizing incident impact. Key metrics would be MTTD, MTTR and reduction of labor time through automation.
Source: Gartner (November 2017)
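The MTTD and MTTR definitions above and the analyst-level and SOC-director-level metrics in Table 6, computed from incident records. This is an added example written for this page, not code from the report or from any SOAR product; the incident records, their field names and the phase boundaries are constructed, and a real SOAR export would carry the same kind of timestamps under its own schema.

```python
"""Added example (not from the original report): MTTD, MTTR and per-phase,
per-analyst metrics computed from incident records.  Records, field names
and phase boundaries are constructed for illustration."""
from datetime import datetime
from statistics import mean, median
from typing import Dict, List, Optional

# Constructed records: when the malicious activity began, when an alert fired,
# and when each response phase completed.  None means the phase is not done yet.
INCIDENTS: List[Dict] = [
    {"id": "INC-1", "analyst": "ana", "occurred": "2024-01-01T00:00",
     "alerted": "2024-01-01T01:00", "triaged": "2024-01-01T01:30",
     "contained": "2024-01-01T03:00", "closed": "2024-01-01T05:00"},
    {"id": "INC-2", "analyst": "ana", "occurred": "2024-01-02T00:00",
     "alerted": "2024-01-02T03:00", "triaged": "2024-01-02T03:30",
     "contained": "2024-01-02T04:30", "closed": None},
    {"id": "INC-3", "analyst": "bob", "occurred": "2024-01-03T00:00",
     "alerted": "2024-01-03T00:30", "triaged": "2024-01-03T02:30",
     "contained": "2024-01-03T04:30", "closed": "2024-01-03T06:30"},
]

# Phases in order; each runs from the previous timestamp to its own.
PHASES = [("detect", "occurred", "alerted"), ("triage", "alerted", "triaged"),
          ("contain", "triaged", "contained"), ("close", "contained", "closed")]


def _hours(start: Optional[str], end: Optional[str]) -> Optional[float]:
    """Elapsed hours between two ISO timestamps, or None if either is missing."""
    if start is None or end is None:
        return None
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def phase_durations(incident: Dict) -> Dict[str, Optional[float]]:
    """Hours spent in each phase; None where the phase has not finished."""
    return {name: _hours(incident.get(a), incident.get(b)) for name, a, b in PHASES}


def mttd(incidents: List[Dict]) -> float:
    """Mean time to detect: activity start to alert, over all incidents."""
    return mean(_hours(i["occurred"], i["alerted"]) for i in incidents)


def mttr(incidents: List[Dict]) -> Optional[float]:
    """Mean time to respond: alert to closure, over closed incidents only."""
    closed = [_hours(i["alerted"], i["closed"]) for i in incidents if i["closed"]]
    return mean(closed) if closed else None


def per_analyst(incidents: List[Dict]) -> Dict[str, Dict]:
    """Analyst-level view: incident counts plus mean and median hours per phase."""
    report: Dict[str, Dict] = {}
    for inc in incidents:
        row = report.setdefault(inc["analyst"], {"touched": 0, "open": 0,
                                                  "closed": 0, "phases": {}})
        row["touched"] += 1
        row["closed" if inc["closed"] else "open"] += 1
        for phase, hours in phase_durations(inc).items():
            if hours is not None:          # skip phases still in progress
                row["phases"].setdefault(phase, []).append(hours)
    for row in report.values():
        row["phases"] = {p: {"mean": mean(v), "median": median(v)}
                         for p, v in row["phases"].items()}
    return report


def soc_summary(incidents: List[Dict]) -> Dict:
    """SOC-director view: headcount, load per analyst, MTTD and MTTR."""
    analysts = {i["analyst"] for i in incidents}
    return {"analysts": len(analysts),
            "incidents_per_analyst": len(incidents) / len(analysts),
            "mttd_hours": mttd(incidents), "mttr_hours": mttr(incidents)}
```

Two details matter when building these reports: MTTR is computed over closed incidents only, so an open incident does not drag the average down to a misleadingly low value, and per-phase figures skip phases still in progress rather than counting them as zero. Reporting both mean and median also exposes the long-tail incidents that a mean alone hides.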

Benefits and Uses

SOAR supports multiple activities for security operations decision making, such as:
  • Prioritizing security operations activities: Prioritized and managed remediation based on business context is the main target of security operations.
  • Formalizing triage and incident response: Security operations teams must be consistent in their response to incident and threats. They must also follow best practices, provide an audit trail and be measurable against business objectives.
  • Automating containment workflows: SOC teams can automate most of the steps needed to isolate or contain a security incident, leaving the final decisions and closing steps of the response to a human analyst.

Adoption Rate

Gartner estimates that today less than 1% of large enterprises currently use SOAR technologies. Higher adoption will be driven by pressing staff shortages, a relentless threat landscape, increasing internal and externally mandated compliance rules (such as mandatory breach disclosure), and a steady growth of APIs in security products. Also, the potential market for SOAR today is large organizations, with managed security service providers (MSSPs) as the primary target. Over time, smaller teams facing the same security threat problems will also begin to adopt SOAR tools. The ongoing skills and expertise shortage and the increasing escalation in threat activity will hasten the move to orchestration and automation of SOC activities.


Key risks for implementing SOAR include:
  • Market direction: In the longer term, adjacent technologies that are much larger and also focus on security operations (such as SIEM or other threat-focused vendors/segments) are likely to add SOAR-like capabilities. This will be sped up by acquisitions of SOAR tool vendors (for example, IBM acquiring Resilient Systems; Microsoft acquiring Hexadite; FireEye acquiring Invotas; ServiceNOW acquiring BrightPoint Security).
  • Limited integration value: Clients will not get value from a SOAR tool if they lack a minimum set of security solutions that can supply enough information to make decisions and enough API-driven controls to automate security tasks. For example, SIEM is often a key piece of technology for the use of SOAR tools because of its complementary nature. Today, SOAR is most viable for Type A and Type B organizations.2
  • Budget: Clients that are budget-constrained need to juggle conflicting needs of stretched budgets for all of IT, let alone security. They will likely not be early consumers of these technologies and instead will look to invest in more foundational security measures.


IT security leaders should consider SOAR tools in their security operations to meet the following goals.

Improve Security Operations Efficiency and Efficacy

SOAR tools offer a way to move through a task, from steps A to Z. For example, if a process takes an hour or two to perform, having a way to reduce that to 15 minutes offers a significant improvement in productivity. This is beneficial because:
  • Performing the task faster equals better time to resolution. The longer an issue is left unaddressed, the worse it can become, leaving the organization in a potentially risky situation for longer periods of time. Ransomware, for example, is a threat that can get exponentially worse with time.
  • Staff shortages are a critical issue for many organizations. Handling processes more efficiently means that security analysts spend less time on each incident and can therefore handle more incidents with the same, or fewer, resources.
  • Automation and orchestration allow your tools to work together to solve issues, versus operating in isolation with no context, which requires a lot of manual work to perform required tasks.

Product Selection

Security and risk management leaders should favor SOAR solutions that:
  • Allow orchestration of a rich set of different security (and nonsecurity) technologies, with a focus on the specific solutions that are already deployed or about to be deployed in an organization.
  • Promote an easy integration of tools not included in the out-of-the-box integration list.
  • Offer the capability to easily code an organization’s existing playbooks that the tool can then automate, either via an intuitive UI and/or via a simple script.
  • Optimize the collaboration of analysts in the SOC; for example, with a chat or IM framework that makes analysts’ communication more efficient, or with the ability to work together on complex cases.
  • Have a pricing cost that is aligned with the needs of the organization and that is predictable. Avoid pricing structures based on the volume of data managed by the tool, or based on the number of playbooks that are run per month, as these metrics carry an automatic penalty for more frequent use of the solution.
  • Offer flexibility in the deployment and hosting of the solution, either in the cloud, on-premises or a hybrid of these, to accommodate organizations’ security policies and privacy considerations, or organizations’ cloud-first initiatives.

Better Prioritize the Focus of Security Operations

Prioritization is perennially a key problem. Favor SOAR tools that can help select the top 10 things to be doing today if you have 100 you can potentially do. Efficiency will not fix poor prioritization. SOAR tools can help with this by using external context, like threat intelligence, to help drive processes that have more context so that better decisions can be made in security operations. The goal is working smarter, not harder.

Don’t “Boil the Ocean” — Focus on Critical Security Processes and Use Tools Such as SOAR to Evolve From There

Security teams are regularly tasked with fixing all things, all the time, 24/7, everywhere — but with the same budget and staffing as last year. This is clearly untenable, yet is a persistent observation we have with security operations teams in client inquiries. For security operations, we recommend focusing on executing well on key incident response processes, such as malware outbreak, data exfiltration and phishing. Focus on processes to address these types of situations very well, and then use this well-executed base to expand into other areas.

Representative Vendors

IBM (Resilient Systems)
Microsoft (Hexadite)
Resolve Systems
ServiceNow Security Operations


1 M-Trends showed MTTD reduced from 146 to 99 days between 2016 and 2017. See FireEye, M-Trends Reports,  “M-Trends 2017.”

EDR — Benefits, Concerns and Issues

Published 17 July 2018 – ID G00319345 – 23 min read

Security and risk management leaders increasingly look for detailed visibility, actionable insight and tailored remediation endpoint capabilities. But misunderstanding and overestimating the capabilities of EDR offerings and the effort needed to leverage them can cause more issues than they solve.


Key Findings

  • Endpoint detection and response (EDR) solutions remain very complex to operate.
  • For all the vendor and industry talk of AI and machine learning, EDR solutions continue to rely primarily on the oversight of highly skilled humans to identify and resolve issues.
  • Typical organizations that face normal budget and staffing challenges are ill prepared to leverage and maximize the benefits of EDR solutions by themselves.
  • Organizations with low maturity endpoint maintenance and management programs experience higher EDR workloads.
  • Detecting and responding to incidents or events caused by vulnerable applications or operating systems reduces the value of an EDR solution relative to a vulnerability-scanning platform.
  • Managed EDR solution provider capabilities vary dramatically among vendors and regions.


SRM leaders who are weighing the deployment of an EDR solution must:
  • Establish well-defined security operations and incident response programs with mature vulnerability and patch management processes already in place.
  • Focus on post-event analysis and response capabilities rather than active hunting, detection and response; this is especially true for Type B and Type C organizations.
  • Deploy EDR as an active detection and response platform and plan to incorporate a managed EDR solution to complement their internal capabilities.
  • Shortlist providers that offer technical assistance in incident response to supplement staffing.


Organizations have long had the ability to look at detailed log and forensics data from their network and perimeter solutions. Operational data from firewalls, gateways, proxies, networks and other sources have been part of the routine post-event forensics analysis process for many years, with organizations often leveraging security information and event management (SIEM) solutions as their central repository and analysis platform.
Until the advent of EDR, the traditional approach of collecting forensic data from endpoints has been on a reactive basis, where a forensics tool would be deployed to target post-event endpoints and the data collected would depend on what the operating system logged. EDR provides organizations deep granular endpoint data that they have been accustomed to getting from network and perimeter solutions.

Table 1: EDR — An Overview of Principal Benefits, Concerns and Issues

Benefits
  • Recording of context-rich endpoint event and state information.
  • Option to store collected data on endpoints themselves, centralized servers, the cloud or as a hybrid of these.
  • Data retention periods can support the operational needs of different organizations.
  • Ability to search collected data to identify issues on one or many endpoints at a time.
  • Currently available solutions now appeal to a broad segment of organizations with differing technical abilities.
Concerns
  • Pricing of EDR solutions remains at a premium.
  • Requires the installation, management and updating of yet another agent.
  • Support of EDR capabilities varies by platform and version of operating system.
  • Requires staff with strong knowledge of endpoint operations to obtain benefits.
  • AI and machine learning remain mostly marketing terms rather than actual product capabilities.
Issues
  • Incident data collection and analysis occur post-event, with limited automated incident response capabilities.
  • EDR provides very limited to no contextual insight outside of the endpoint data it collects, requiring manual intervention to correlate data with such external sources as firewalls, CASB, etc.
  • Knowledgeable staff with EDR experience are extremely difficult to find and come at a premium.
  • Vendors and managed service providers offer staff augmentation, but capabilities and costs vary dramatically.
  • Contrary to many clients’ understanding of the products, EDR does not resolve fundamental security and operational issues within organizations, nor does it eliminate the need for basic hygiene and patching.
Source: Gartner (July 2018)

EDR Benefits

EDR agents are akin, in their most basic form, to flight data recorders, or “black boxes,” on airplanes. Black boxes record all of the technical and operational data of aircraft including heading, speed, altitude; positioning of the landing gear, ailerons, flaps; weight, center of gravity; plus much other technical data including pilot conversations. Black boxes do not record passenger conversations.

EDR Solutions

EDR solutions record the technical and operational data of endpoints, including IP and MAC addresses, DNS data, connected USB device information, network connections and ports, running processes, device drivers, threads and their related metadata, Windows services, loaded DLLs, CMD and PowerShell command history, memory contents and much more. EDR solutions do not record application content such as what is typed in a Word document or email, although they may scan files for malicious macros. Depending on the vendor, EDR solutions can store all of this data, or only the most critical elements, on on-premises servers, on the endpoints themselves, in the cloud or in a hybrid of these.
This data is typically stored for a period ranging from a few days to several months. EDR solutions provide organizations with the ability to analyze and search such detailed endpoint data by using filters and Indicators of Compromise (IOC) along with other data sources and search parameters.
Organizations can use EDR solutions to search for traces of malicious software and activity, patching data and other endpoint-related activity. They can even answer day-to-day operational questions, such as how often a particular application has been used in the past month on a single endpoint, on all the endpoints in a department or across the organization. The questions an EDR solution can answer are almost boundless, but most organizations use EDR specifically for security-related questions, because that is where EDR provides its unique visibility and insight, and ultimately its value.
Most, but not all, EDR solutions can remediate alert conditions on endpoints, or trigger remediation processes, either manually or automatically, and either from within the product or through integration with third-party tools such as system patching and updating solutions. Levels of capability vary dramatically between vendor offerings. One example of automated remediation: on detection of ransomware activity on an endpoint, the network drivers for that endpoint are disabled to prevent the ransomware from spreading.
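Two of the operations described above, IOC search across the recorded telemetry of many endpoints and an automated ransomware response, as an added example written for this page. It is not code from the report or from any EDR vendor; the event schema, host names, hashes, paths and the rename-burst detection rule are all constructed. The rule (one process renaming many files to the same new extension in a short window) is a simple, widely used heuristic chosen to show how a finding becomes the isolation action the text mentions; a product's own detection logic is more elaborate.

```python
"""Added example (not from the report or any EDR vendor): IOC search over
recorded endpoint telemetry and a rename-burst ransomware heuristic that
produces the 'disable the network' containment action.  Event schema, hosts,
hashes and paths are constructed."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set

# Constructed telemetry: one dict per recorded event, as an agent might ship it.
EVENTS: List[Dict] = [
    {"ts": "2024-05-01T09:00:00", "host": "ws-17", "pid": 4120, "type": "process",
     "image": r"C:\Users\a\Downloads\invoice.exe", "sha256": "11" * 32, "dst_ip": None},
    {"ts": "2024-05-01T09:00:05", "host": "ws-17", "pid": 4120, "type": "netconn",
     "image": None, "sha256": None, "dst_ip": "203.0.113.50"},
] + [
    {"ts": f"2024-05-01T09:01:{s:02d}", "host": "ws-17", "pid": 4120, "type": "file_rename",
     "old": f"C:\\Users\\a\\Docs\\f{s}.docx", "new": f"C:\\Users\\a\\Docs\\f{s}.docx.locked"}
    for s in range(0, 60, 2)          # 30 renames inside one minute
] + [
    {"ts": "2024-05-01T09:02:00", "host": "ws-22", "pid": 880, "type": "process",
     "image": r"C:\Windows\System32\svchost.exe", "sha256": "22" * 32, "dst_ip": None},
    {"ts": "2024-05-01T09:03:00", "host": "ws-22", "pid": 900, "type": "file_rename",
     "old": r"C:\tmp\a.txt", "new": r"C:\tmp\a.bak"},   # benign single rename
]


def search_iocs(events: List[Dict], hashes: Set[str], ips: Set[str]) -> Dict[str, List[str]]:
    """Hunt a set of file hashes and destination IPs across every recorded host."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        if e.get("sha256") in hashes:
            hits[e["host"]].append(f"sha256:{e['sha256']}")
        if e.get("dst_ip") in ips:
            hits[e["host"]].append(f"ip:{e['dst_ip']}")
    return dict(hits)


def detect_ransomware_like(events: List[Dict], threshold: int = 20,
                           window_seconds: int = 120) -> List[Dict]:
    """Flag (host, pid) pairs that rename >= threshold files to one new extension
    inside the window.  Constructed heuristic, not a vendor's detection logic."""
    by_proc: Dict[tuple, List[tuple]] = defaultdict(list)
    for e in events:
        if e["type"] != "file_rename":
            continue
        ext = e["new"].rsplit(".", 1)[-1].lower()
        by_proc[(e["host"], e["pid"])].append((datetime.fromisoformat(e["ts"]), ext))
    findings = []
    for (host, pid), renames in by_proc.items():
        renames.sort()
        for i in range(len(renames)):            # sliding window from each rename
            t0, ext = renames[i]
            run = [r for r in renames[i:]
                   if r[1] == ext and (r[0] - t0).total_seconds() <= window_seconds]
            if len(run) >= threshold:
                findings.append({"host": host, "pid": pid, "extension": ext,
                                 "renames": len(run), "first_seen": t0.isoformat()})
                break
    return findings


def respond(findings: List[Dict]) -> List[Dict]:
    """Map findings to the containment actions the text describes.  The agent
    call that actually disables the adapters is assumed, not shown."""
    return [{"host": f["host"],
             "actions": [f"terminate pid {f['pid']}", "disable network adapters"]}
            for f in findings]
```

Note the trade-off the threshold encodes: set it low and a bulk rename by a backup or archiving tool will isolate a workstation; set it high and an encryptor gets more files before containment. That tuning, and the decision to let the action run unattended, is exactly the expert judgement the rest of this report says EDR does not supply on its own.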

EDR Appeal Crossing Organizational Types

EDR solutions have become more broadly available from both next-generation vendors and traditional endpoint protection platform (EPP) providers. As a result, EDR solutions have transitioned their appeal from being the sole purview of Type A or lean forward or leading-edge organizations to Type B and even Type C organizations.
Type A organizations represent the smallest group of organizations. They adopt new technologies very early in the adoption cycle and have the budgeting and staffing resources to configure and implement new technologies and solutions rapidly within their environment. These organizations tend to focus on best-of-breed solutions that best address their business, technology and security needs and have the capacity to integrate, develop and build custom-made components as required. They see the use of technology as a competitive differentiator. Their tolerance for operational risk is high and their approach to technology change is to run projects in parallel by tasking multiple teams to work on technology and business changes simultaneously.
Type B organizations represent the largest group of organizations. They typically experience budgeting and staffing resource constraints and, as a result, focus on overall value by weighing the risks of the early use of new technology against the benefits. Their goal is to stay relatively current on technology without getting too far ahead of or behind their competition and focus on technology deployments that improve their organization’s productivity, product quality, customer service and security. Type B organizations typically wait for a technology to become mainstream before considering implementation. They tend to be moderate in their approach, frequently using benchmarks within their industry to justify their investments in technology. Type B organizations balance innovation with reasonable caution when selecting new solutions. This is the highest growth market for EDR at this time.
Type C organizations represent the second-largest group. They typically view technology as an expense or operational necessity and use it as a means to reduce costs. These organizations experience severe budgeting and staffing resource constraints and, as a result, prefer simple-to-deploy and -use integrated solutions with managed service add-ons that can best complement their minimal staff. These organizations wait for technologies to become absolutely stable and for costs to acquire and operate to reach the lowest quartile before committing to purchase. They focus on prevention rather than on detection and response capabilities and on solutions that are integrated and offer a complement of managed services. EDR is typically deployed in Type C organizations when available in conjunction with an EPP solution. This market is one that demonstrates very slow growth for EDR.

EDR Concerns

EDR solutions provide enhanced capabilities over traditional endpoint security solutions and can create a force multiplier of staff, but these capabilities have their drawbacks.

EDR Capabilities Come at a Significant Cost

While product costs have on average dropped by roughly 35% per year over the past four years, products remain priced at a premium versus other endpoint solutions even today. They typically range from one to three times the cost of a traditional full EPP suite.
Many of the renewal quotes that Gartner has reviewed over the past 18 months do not always show pricing reductions that are in step with the market. This means that organizations that are renewing an EDR solution originally acquired three years earlier often have to put in significant effort to push pricing down to today’s market price averages (typically seen in new deployment quotes). The initial quote offered for a renewal is often only slightly reduced or perhaps offered at exactly the same or even slightly higher pricing than what was negotiated in the initial purchase several years earlier.

EDR Agent

An additional cost to consider is the distribution of yet another endpoint agent. While most EDR agents are relatively small and have minimal impact on system memory and CPU resources, they are another component that must be distributed and managed on the endpoint. Reports of agent problems caused by updates to other endpoint software components or to the operating system itself are rare, but from time to time clients have reported issues that temporarily locked systems until they were refreshed.
Significant capability differences also exist between the EDR agents vendors offer for Windows 10, 8, 7 and XP (if available); Windows Server versions; macOS; and Linux. Mobile device agents are currently not available or offer very elementary capabilities. Some EDR agents can record only some endpoint activities on some operating systems and not on others. Other agents have limited or no prevention or remediation capabilities on some platforms. The result can be a patchwork of security coverage that is inconsistent across organizational assets.
Finally, EDR solutions can only monitor systems that have the EDR agent installed. That can limit visibility in an environment containing populations of BYOD where the EDR agent has not been deployed. Plus EDRs for cloud workloads like containers and Internet of Things (IoT) devices are currently not available, which limits visibility into critical operational components.

Perceived Versus Actual Implementation

A simple way to explain the perceived versus the actual implementation of an EDR solution is by way of an analogy. I enjoy fishing. My young son also enjoys fishing. Our idea of father-and-son fishing is quite simple: My son gets his movie-character-themed fishing rod, we buy a small container of worms and we visit my friend at his lakefront cottage. We fish right off the dock. Within 10 minutes, my son usually has caught nearly a dozen fish — admittedly very small fish — but the excitement and energy are at a high peak. After that burst of activity, he is pretty much done fishing for the day. As far as fishing is concerned, we accomplished our goal with minimal effort and maximized our fun in the process. Success!
Most organizations expect their EDR solutions to operate in a very similar way to my son’s experience of fishing. Open up the console, have just about anyone enter “ransomware” or some other generic search term and all of the key events will be triaged and organized from severe to benign with a pull-down list of automated and contextualized remediation conveniently available right beneath their fingertips. All that is left to do is to click away and all the organization’s security problems will be solved. Unfortunately, the reality is quite different.
While it is true that many EDR solutions now provide simple guided search operations, most organizations still do not know what they really need to search for. Moreover, the work of reviewing an event, forming even a basic understanding of what it means, triaging it, assigning a severity and then determining the best course of action remains the responsibility of the console operator.
Continuing with the fishing analogy, operating an EDR solution is in fact much more like my experience of fishing with my friend. He is by all accounts a truly expert fisherman. He could easily have his own TV show if only he had better jokes. When I go fishing with him, it is a lot of work for me. It turns out that fishing is serious business after all — and it requires a lot of planning.
The first question he always asks me is, “Which fish do you want to catch today?” My answering “the one that lives in the water” is never a good reply and puts a serious damper on the start of our day. So I have learned over the years to turn the tables around and use his expert knowledge to start things off in a better way to help me determine what fish we should be fishing for that day. I start by asking him questions like: “Which fish can we find in this lake?” “Which of these fish would be most active based on the time of the day we will be going out?” “Which fish would be most active based on the temperature, position of the sun, the wind, etc.?”
In fact, I am using my friend to guide me down the assessment process to identify our target fish. Once we have determined the fish we are looking to catch, I then use my friend to guide me down the next set of decisions, such as where we will go to catch this fish, which rod, line, lure, etc. we will use, at what depth we will cast our lines and so on. He is my expert coach and without his help I would never have any hope of actually catching the fish we had decided was our target for that day.
While EDR solutions are being sold and deployed in more typical Type B and some Type C organizations, the unfortunate truth is that, even with all the marketing emphasis and industry talk of AI and machine learning being applied within EDR solutions, AI and ML are still at a very early stage of maturity, and EDR vendors still expect your organization to have talented experts operating the console.

AI and ML Gone Missing

Today, EDR solutions do not come with an EDR version of my friend bundled in like an “analyst in the box.” They do not come with a coach to guide you through various analysis or decision trees within their products directly unless they are directly bundled with a managed detection and response offering, which is a fancy way of saying that they will provide talented staff to help you with your EDR deployment.
AI and ML are overhyped and overused marketing terms that unfortunately do not have any standardized connotations regarding actual capabilities within EDR solutions. As a result, each vendor claim must be thoroughly vetted to ensure that the organization’s understanding of the capabilities provided by the solution is in fact realized in the product.
The unfortunate reality is that operating EDR for most organizations is more like my going fishing without my friend and expecting to catch the target fish with zero experience, knowledge or the proper tools: essentially relying on just plain luck. EDR provides very rich and very complex data that requires advanced knowledge, understanding and experience to analyze and understand.
This is why most Type B and Type C organizations — often after several months of frustration — tend to eventually reconsider their EDR deployment as an incident-response-focused solution rather than as a platform by which they are guided in their efforts to conduct active threat hunting, detection and response, because they lack those capabilities.
Using an EDR solution as a post-event endpoint data analysis tool is the way the majority of organizations end up using their EDR deployment. However, this is not usually what organizations had in mind when they originally purchased their EDR solutions.

Cloud or On-Premises

As noted previously, EDR solutions can store all, or only the most critical, of the data elements they collect on an on-premises server, on the endpoint itself, in the cloud, or in a hybrid of these, depending on the vendor solution. The typical concern over storing data in the cloud relates to the disclosure of sensitive data about the day-to-day operations of endpoint software to a third party outside the organization. While most organizations have embraced cloud-based solutions for many of their IT and security workload needs, some types of clients in specific verticals still prefer to keep their data on-premises or within specific geographies when using the cloud.
Most vendors cannot accommodate such specific geographic requirements as hosting both data collection and analysis outside the U.S. This can affect data compliance requirements within regions. The main benefits of cloud storage include lower complexity in deploying solutions, elimination of on-premises server hardware/software and maintenance, ease of scaling to larger or smaller workloads, and access to data even when an endpoint is off or is compromised. This comes at a cost.
Cloud storage requires that organizations decide on their retention periods upfront. Retention periods can be from a few days all the way up to six months. The longer the retention period, the more visibility into past events and also typically the higher the cost for storing data. The upload of the endpoint data to the cloud can have an impact on outbound data throughput. While some solutions offer compressed data streams or a form of load balancing of data upload over longer periods of time, large environments with restricted networks or chokepoints can experience bursting issues.
Cloud-based solutions can also pose challenges in integrating security and operational data from other existing solutions, such as directory and inventory services, network devices, perimeter solutions and SIEMs, as well as in creating workflows with ticketing, update and patching services. They may require opening additional connections and ports on the perimeter to support uni- or bidirectional communications.

EDR Issues

EDR solutions provide visibility into how an event occurred and, as a result, can tell an endpoint’s overall story. These findings can be used to help determine the overall condition of the endpoint, the potential root cause, and whether other endpoints within the environment exhibit similar symptoms. A remediation can then be put into action using EDR and other solutions. This is the strong side of EDR.

Getting to the Root of Problems

In a typical incident-response-focused deployment, this analysis, or creating the narrative of the story line, is conducted some time after a situation has taken place and may have already spread. The trigger of the investigation is often a user reporting an issue with the system, or perhaps the operations team noticing a degradation of service. In this manner, EDR is used to review the events leading up to the issue and to assist in determining the root cause.
EDR does speed up this investigative process, but there is still a high level of skill involved in performing the investigation. Given enough time, even a poorly staffed EDR solution can successfully search the collected endpoint data and resolve some issues because it is limited to the investigation of a clearly identified target. While this approach resolves issues and does provide value, it rarely elevates an organization’s overall security posture, as it is a very reactive and inconsistent approach to security. It also does not provide for the proactive detection and containment of threats in real time, which means an organization will remain vulnerable to evolving threats.
Most EDR solutions provide very limited note taking within events, workflow tracking, ticketing (internal or external) or even basic role-based access control (RBAC) to assign specific administrative and oversight entitlements to EDR operations staff or a managed service provider. This lack of capabilities results in a poor experience when investigating events that require multiple analysts to resolve, such as after-hours investigations, leveraging a managed service or third-party incident response provider or when there is a need to create an action that is outside the EDR solution itself, such as when an update or patch is required on an endpoint.
Third-party integration, when available, is conducted through APIs and typically requires knowledgeable staff to code the integration or a consulting engagement with a third party to build the component. Report generation is usually focused on the technical aspects of incidents that are difficult to communicate to other stakeholders within the organization, such as line of business leaders and senior management.
EDR solutions rarely incorporate asset criticality data such as “this system belongs to the CEO or has PCI data,” or activity data sourced from other solutions in the organization, such as Active Directory information, network and firewall logs and other data sources, to help prioritize events. EDR operators often have to connect to multiple consoles to pull this asset and any operational and risk-related data, and have to use external systems to keep track of their investigations. And although user and entity behavior analytics (UEBA) have become integrated with many security solutions, EDR has yet to leverage this innovative and potentially valuable source of data analysis.

Do You Patch?

Type B and Type C organizations often struggle with system management, patching and updating. This results in environments that have limited protections even against well-known vulnerabilities and threats.
Organizations deploying EDR solutions in such environments can expect significantly increased strain on the operations staff and systems responsible for endpoint management, because many of the resolutions to issues identified by EDR are to remove malicious software, patch or update an application or service, or even reimage an entire system where no other option is possible, which can result in data loss if the system was not backed up.
Using EDR to catch basic threats that should be blocked by baseline security hygiene measures is the wrong use of EDR. Doing so will ultimately not result in a better security posture for the organization.

Can You Staff?

Many Type B organizations struggle with finding operational budgets to adequately staff an EDR deployment and have difficulty in finding qualified individuals with the depth of knowledge and experience required to operate an EDR solution even on a basic level. While organizations are typically capable of finding perimeter security or network security staff at reasonable market rates, the skills required to do perimeter or network analysis tasks are not easily transferable to endpoints.
Perimeter and network event data differ greatly from endpoint software operations collected by an EDR solution and, as a result, perimeter or network staff require significant training to become proficient in understanding, analyzing and remediating endpoint issues. Endpoint experts with experience with EDR deployments remain rare commodities.

Augmenting Your Staff

Managed security services (MSS) have been part of the security outsourcing landscape for many years, taking care of the day-to-day operations of IT and IT security solutions within their client organizations. A new breed of MSS that offer managed EDR has evolved over the past few years to address skills and staffing shortages in this market. These solution providers often offer one or more tiers of services with different SLAs and capabilities.
One example is that of a very high-level and low-touch model, where the role of the service provider is to act more like a backup or supplement to an already-staffed EDR operations team. In this capacity, they do not perform day-to-day activities but rather offer additional oversight and reporting and can complement the existing client’s team during incidents. This form of managed EDR is typically inexpensive and includes retainer fees when additional assistance is required by the client, such as during the response to an incident.
Another example, at the other extreme, is that of a low-level very high-touch model where the solution provider, from a remote office, actively investigates security threats using data collected by the EDR and other security solutions and programmatically contains or mitigates threats using the elements that make up the security technology stack in the client’s environment. In this capacity, the solution provider is an integrated extension of a client organization’s existing capabilities. This form of managed EDR is typically significantly more costly and can run many times the cost of the EDR solution itself, depending on the capabilities required.
Managed EDR solutions have become more widely available over the past 18 months, with some EDR vendors providing their own capabilities themselves or via their reseller or system integrator network. However, the quality and availability of the detective, investigative and remediative services vary dramatically between vendors and regions.

Vendor Lock-In and Vendor Risk

Over time, EDR solutions become intertwined with security and operations teams, and it becomes difficult to switch to another vendor, especially when many customized response scripts and workflows have been created, because of the amount of work required to re-create them. While this isn’t necessarily bad, there are currently too many vendors in this market and many will not survive long term. Also, there are limited exit paths for small vendors, because all of the existing incumbent EPP vendors have created their own EDR solutions, whereas acquisition by an incumbent is traditionally the exit path for small vendors.
This means that vendors who have traction currently either have IPO ambitions or are opting to go for additional series of venture-capital-backed funding to fuel growth. Vendors who have not secured market share or a niche of client deployments are at risk. Clients using these vendors should consider establishing plans in the event that their vendor disappears.

EDR Does Not Mean Protection Is Improved

Organizations need to consider all of the factors highlighted in this research when contemplating an EDR solution to ensure that their EDR deployments meet their operational and security ambitions. Deploying an EDR solution in and of itself does not eliminate the need to deploy other security solutions, nor does it imply that security will improve without significant effort or cost.


  • Over 700 inquiry calls on the topic of EDR.
  • Analysis as part of the EPP Magic Quadrant and EPP Critical Capabilities.

Gartner – Magic Quadrant for Web Application Firewalls


The WAF market is growing, driven by the adoption of cloud WAF services. Enterprise security teams should use this research as part of their evaluations of how WAFs can provide improved security that’s easy to consume and manage, while respecting data privacy requirements.

Strategic Planning Assumptions

By 2020, stand-alone web application firewall (WAF) hardware appliances will represent fewer than 20% of new WAF deployments, which is a decrease from today’s 35%.
By 2023, more than 30% of public-facing web applications will be protected by cloud web application and API protection (WAAP) services that combine distributed denial of service (DDoS) protection, bot mitigation, API protection and WAFs. This is an increase from fewer than 10% today.

Market Definition/Description

This document was revised on 3 September 2018. For more information, see the Corrections page.
The web application firewall (WAF) market is being driven by customers’ needs to protect public and internal web applications. WAFs protect web applications and APIs against a variety of attacks, including automated attacks (bots), injection attacks and application-layer denial of service (DoS). They should provide signature-based protection, and should also support positive security models (automated whitelisting) and/or anomaly detection.
WAFs are deployed in front of web servers to protect web applications against external and internal attacks, to monitor and control access to web applications, and to collect access logs for compliance/auditing and analytics. WAFs exist in the form of physical or virtual appliances, and, increasingly, are delivered from the cloud, as a service (cloud WAF service). WAFs are most often deployed in-line, as a reverse proxy, because, historically, that was the only way to perform some in-depth inspections. There are other deployment options. The rise of cloud WAF services, performing as reverse proxies by design, and the adoption of more-recent transport layer security (TLS) suites that require in-line traffic interception (man in the middle) to decrypt, have reinforced the use of reverse proxy.
Cloud WAF service combines a cloud-delivered as-a-service deployment with a subscription model. Cloud WAF service providers may offer a managed service, and, for some, it is a mandatory component of using the WAF. Some vendors have chosen to leverage their existing WAF solutions, repackaging them as SaaS. This enables vendors to have a cloud WAF service available to their clients more quickly, and they can leverage the existing features to differentiate from cloud-native WAF service offerings with a more limited feature set. One of the difficulties with this approach is simplifying the management and monitoring console, inherited from the comprehensive WAF appliance feature set to meet clients’ expectations for ease of use, without shrinking security coverage. Gartner defines cloud web application and API protection (cloud WAAP) services as the evolution of existing cloud WAF services (see “Defining Cloud Web Application and API Protection Services”). In the long term, cloud WAF services, which were built from the beginning to be multitenant and cloud-centric, avoid costly maintenance of legacy code. They also provide a competitive advantage, with faster release cycles and rapid implementation of innovative features. Some organizations consuming cloud WAF services built from WAF appliances do it to acquire a unified management and reporting console.
This Magic Quadrant includes WAFs that are deployed external to web applications and not integrated directly on web servers:
  • Purpose-built physical, virtual or software appliances
  • WAF modules embedded in application delivery controllers (ADCs; see “Magic Quadrant for Application Delivery Controllers”)
  • Cloud WAF service, including WAF modules embedded in larger cloud platforms, such as content delivery networks (CDNs), and cloud WAF services delivered directly from infrastructure as a service (IaaS) platform providers
  • Virtual appliances available on IaaS platforms, as well as WAF solutions from IaaS providers
API gateways and runtime application self-protection (RASP) are adjacent to the WAF market, and might compete for the same application security budgets. This motivates WAF vendors to add relevant features from these markets, when appropriate. For example, cloud WAF services often bundle web application security with DDoS protection and CDN. The ability of WAFs to integrate with other enterprise security technologies — such as application security testing (AST), web access management (WAM), or security information and event management (SIEM) — is a capability that supports their strong presence in the enterprise market. Consolidation of WAFs with other technologies, such as ADCs, CDNs or DDoS mitigation cloud services, brings its own benefits and challenges. However, this market evaluation focuses more heavily on the buyer’s security needs when it comes to web application security. This includes how WAF technology:
  • Maximizes the detection and catch rate for known and unknown threats
  • Minimizes false alerts (false positives) and adapts to continually evolving web applications
  • Differentiates automated traffic from human users, and applies appropriate controls for both categories of traffic
  • Ensures broader adoption through ease of use and minimal performance impact
  • Automates incident response workflow to assist web application security analysts
  • Protects public-facing, as well as internally used, web applications and APIs
Gartner scrutinizes these features and innovations for their ability to improve web application security beyond what a network firewall, intrusion prevention system (IPS) and open-source/free WAF (e.g., ModSecurity) would do, by leveraging a rule set of generic signatures.
Gartner has strengthened this year’s inclusion criteria for the web application firewall Magic Quadrant, to reflect enterprises’ changing expectations when selecting WAF providers (see Inclusion Criteria). Updated criteria include a requirement for a minimum level of revenue from outside a vendor’s home region, which led to the exclusion of some of the more local vendors.

Magic Quadrant

Figure 1. Magic Quadrant for Web Application Firewalls

Source: Gartner (August 2018)

Vendor Strengths and Cautions

Akamai

Akamai is in the Leaders quadrant. Clients looking for a cloud WAF service that can support web-scale applications and combine multiple web application security features often add Akamai to their shortlists when price sensitivity is low, especially when they already use Akamai as a CDN.
Akamai is a global CDN provider with headquarters in Cambridge, Massachusetts. It has more than 7,500 employees, with a growing team dedicated to web application security. In addition to its WAF (Kona Site Defender), Akamai offers additional security services, including application access control (Enterprise Application Access), managed DDoS scrubbing service (Prolexic), API gateway (Akamai API Gateway), and DNS services (Fast DNS). The WAF can be augmented with optional add-ons, including IP reputation, volumetric DDoS protection options, and two bot mitigation subscriptions (Bot Manager and Bot Manager Premier). Akamai also offers a trimmed-down, and lower-cost, version of Kona Site Defender, called Web Application Protector (WAP).
Recent news includes the release of Bot Manager Premier as a separate option, providing mouse and keyboard activity analysis, along with a mobile software development kit (SDK). Kona Site Defender has improved its management options for multiple applications, and has updated reporting and real-time analytic dashboards.
Kona Site Defender is a good shortlist candidate for all use cases in which WAF delivered from the cloud is acceptable, and low price is not the highest priority, especially for existing Akamai CDN customers.

Strengths

  • Product Strategy: Akamai demonstrates a sustained commitment to develop and improve its web application security solutions. The vendor also grows its threat research and security operations center (SOC) team at a good pace.
  • Product Offering: The broad portfolio of Akamai’s cloud services appeals to organizations looking for an easy way to deploy controls in front of a diverse set of applications. Many customers using Kona Site Defender are using other services, especially the CDN.
  • Geographic Strategy: Akamai is a global infrastructure provider with especially strong presence in North America, and good visibility in European shortlists too.
  • Managed Services: Akamai offers professional services to help harden the security configuration of Kona Site Defender. It also provides a managed SOC, which can monitor incidents.
  • Capabilities: Akamai applies automated analytics and triage on the entire traffic it processes for clients to tune their signatures and gather threat intelligence to create new protections. It has released a first version of API security features that customers find promising.
  • Customer Experience: Customers using Akamai managed security services and customers using the WAP product cite a lower-than-expected rate of false alerts.

Cautions

  • Market Segmentation: Akamai’s WAF is available as a cloud service only. For organizations that are simply not comfortable with cloud security solutions, or where prospective clients’ assessments determine that compliance and regulatory restrictions limit its use, Akamai does not appear on client shortlists.
  • Pricing and Contracting: Akamai Kona is an expensive product, especially when bundling multiple options, such as Bot Manager subscriptions. Clients continue to cite pricing as a barrier. Gartner analysts have observed an increase in complaints from prospects, and from existing clients. Organizations frequently consider using a second WAF brand, because it would be too expensive for them to deploy Akamai’s solution. The less-expensive WAP solution has not yet fixed this issue.
  • Customer Experience: The most-vocal complaints from clients target the poor policy management system, which is leaving clients frustrated by a dated policy and no useful way to test the updated rules. They also would like to see more improvements in the monitoring and reporting, as well as improved notification options.
  • Technical Architecture: Akamai has historically lagged behind some of its competitors in security automation. It has published a first version of an API to manage Kona’s security configuration, which is still in beta.
  • Capabilities: Akamai lacks a positive security model, with the exception of its API protection module. Customers using WAP cannot use Bot Manager.

Amazon Web Services

Amazon Web Services (AWS) is in the Niche Players quadrant. It serves almost exclusively AWS clients, and invests significantly in continuous improvements to its WAF solution.
AWS is a subsidiary of Amazon, based in Seattle, Washington. It is a cloud-focused service provider. It offers a large portfolio of cloud workloads (EC2), online storage (S3, EBS and EFS), database, and artificial intelligence (AI) frameworks. Its security portfolio is not as well-known, but includes identity and access management (IAM; Cognito), managed threat detection (GuardDuty) and HSM (AWS CloudHSM). AWS Shield provides managed DDoS protection, and its WAF product is simply called AWS WAF.
AWS WAF can be delivered through AWS Application Load Balancer or through Amazon CloudFront as part of the CDN solution. AWS WAF is not limited to protecting origin servers hosted on Amazon infrastructure. AWS also partners with WAF vendors and offers their solutions in the AWS marketplace.
In recent months, AWS has released managed rules, a feature that allows clients to deploy sets of rules managed by third-party WAF vendors. The vendor has also recently released AWS Firewall Manager, which centralizes the deployment of WAF policies and managed rule sets. Also, AWS Config, the vendor’s configuration monitoring service, can monitor AWS WAF rule sets (RuleGroup).
AWS customers looking for an easy way to add runtime protection in front of their applications hosted on AWS should consider deploying AWS WAF, especially when combined with AWS Shield, and with one, or multiple, set of managed rules.

Strengths

  • Capabilities: With managed rulesets, AWS customers have access to more than a dozen sets of rules from established WAF or managed security service (MSS) vendors that are automatically updated. Because they can deploy multiple rulesets simultaneously, it is easy, even if it comes at a cost, to provide multiple layers of defense, or to test multiple providers.
  • Customer Experience: Existing AWS customers appreciate being able to quickly deploy and enable AWS WAF. Customers give good scores to the autoscaling and built-in integration with CloudFront.
  • Capabilities: AWS WAF helps organizations in a DevOps mode of operation with the full-featured APIs and CloudFormation automation. AWS customers can provision a set of WAF rules for each stack, or provision a set of WAF rules, and automate the association of those rules with a new stack.
  • Roadmap Execution: AWS continues to regularly improve its WAF, releasing relevant features to close existing gaps, such as the recent firewall manager, at the time they are announced.
  • Sales Execution: AWS WAF is integrated in AWS Shield Advanced. For customers not using AWS Shield Advanced, AWS charges for AWS WAF per use, based on how many rules customers deploy and how many web requests are inspected.

Cautions

  • Marketing Strategy: AWS WAF’s reach is mainly limited to AWS workload protection, where it competes with cloud WAF services and virtual appliances. As more clients consider a multicloud strategy, AWS WAF is less likely to be on WAF shortlists.
  • Capabilities: AWS WAF lacks bot detection techniques, relying on reputation-based controls. Customers need to deploy AWS API Gateway to get dedicated API security features, because AWS does not parse JavaScript Object Notation (JSON) or XML. The vendor does not offer managed SOC for AWS WAF as part of its SiteShield managed services offering. Its DDoS Response Team (DRT) focuses on DDoS response only.
  • Product Strategy: Despite numerous corporate security initiatives, the WAF product remains mostly a siloed product. The vendor does not yet have a dedicated threat research team to add new protections to the WAF. AWS WAF does not leverage AWS AI capabilities; the use of machine learning for web app security is built in only for DDoS protection.
  • Customer Experience: Customers would like to be able to whitelist a specific rule from the managed ruleset. Currently, they can only disable the entire ruleset, and have trouble identifying why a rule was triggered.
  • Customer Experience: Clients cite logging and reporting as a weakness. They cannot get detailed logging or aggregated events, and mention occasional delays in getting the logs. Some clients also request integration with SIEM.

Barracuda Networks

Barracuda Networks is in the Challengers quadrant. Barracuda has good visibility for its WAF deployment over IaaS, and for existing Barracuda customers, but focuses on catching up with market leaders.
Barracuda Networks (CUDA) is based in Campbell, California. Barracuda is a known brand in the security and backup markets, especially for midsize enterprises. In addition to network firewalls, its product portfolio includes email security and a user awareness training tool (acquired from PhishLine in January 2018). The vendor also offers DDoS protection. The vendor delivers its WAF line as physical or virtual appliances. It is also available on the Microsoft Azure, AWS and Google Cloud Platform (GCP) platforms.
In November 2017, Barracuda agreed to be acquired by private equity firm Thoma Bravo. The acquisition was completed in February 2018. Barracuda has recently released Barracuda WAF-as-a-Service, its self-service cloud WAF. This release follows its DDoS protection service (Barracuda Active DDoS Prevention Service). The vendor has improved its integration on Microsoft Azure for better scalability, and made its virtual appliances available on Google Cloud Platform. It has also worked on its ability to work with continuous integration tools, and has made significant updates to its management API, improving the ability to deploy Barracuda WAF programmatically.
Barracuda is a good shortlist contender for midsize enterprises and existing Barracuda customers. It offers interesting solutions for organizations in North America and Europe, developing a multicloud strategy.

Strengths

  • Offering Strategy: Barracuda remains one of the most visible WAFs on Microsoft Azure. Customers are then more likely to select Barracuda in a multicloud strategy for unified management.
  • Pricing Strategy: Barracuda Cloud WAF as a Service includes DDoS protection at no additional charge.
  • Product Offering: With the release of the WAF appliance 1060, Barracuda now supports throughput as high as 10 Gbps.
  • Technical Support: Gartner clients across multiple regions give excellent scores to Barracuda’s customer support. Barracuda partners cite the vendor’s focus on customer satisfaction as the reason they choose to sell Barracuda WAF.
  • Capabilities: Barracuda’s offer of the free WAF add-on Vulnerability Remediation Service is attractive to Barracuda’s targeted small or midsize business (SMB) customers, which often lack the time, money and expertise to support an in-house application scanning program.

Cautions

  • Sales and Marketing Execution: Barracuda struggles to adapt to the multiplication of meaningful competitors. Its visibility in shortlists is shrinking, and the vendor has lost market share during the past 12 months.
  • Customer Experience: Many customers have complained about Barracuda’s WAF appliance user interface (UI). They cite a long learning curve, difficulties locating features buried in submenus and longer-than-necessary amounts of time spent updating the configuration.
  • Market Responsiveness: Barracuda has been late to the market in providing cloud WAF as a service. Prospects should scrutinize the vendor’s infrastructure and point-of-presence availability across regions, as well as investigate the vendor’s ability to meet enterprise-class SLAs for availability, because the solution remains a recent addition.
  • Capabilities: Despite recent improvements, Barracuda WAF lags behind the leaders in bot mitigation and advanced analytics for anomaly detection. Its predefined list of good bots is limited to a few search engines.
  • Capabilities: Barracuda WAF lacks access management features and support for OAuth.
  • Capabilities: Barracuda WAF lags behind the leaders in security monitoring. It lacks automated alert aggregation in the real-time log view, and users report that they would like to see more improvements.

Citrix

Citrix is in the Challengers quadrant. Most of Citrix sales for WAF are an add-on to an existing ADC deployment, but Citrix’s attach rate for the WAF option is lower than 50%. Gartner rarely sees Citrix participating in a pure-WAF competition with other vendors.
With more than 9,600 employees, Citrix (CTXS) is a global provider with a broad portfolio of virtualization, cloud infrastructure and ADC solutions. The vendor is co-headquartered in Santa Clara, California, and Fort Lauderdale, Florida. The NetScaler ADC portfolio includes hardware (MPX), software (VPX), containerized (CPX) and multi-instance (SDX). All of those ADC options offer WAF (NetScaler AppFirewall) and Secure Sockets Layer (SSL) virtual private network (VPN) as modules. WAF is also available as a stand-alone product.
In 2017, Citrix introduced the Web App Firewall (initially called NetScaler Web App Security service) as its cloud WAF service, and refreshed its hardware product line.
NetScaler AppFirewall is a good choice for Citrix clients that value high-performance WAF appliances.

  • Sales Execution: Citrix licenses its products and services through multiple channels globally, which makes Citrix the No. 2 ranked ADC vendor (by revenue). This creates opportunities for selling a WAF module on top of its ADC appliances. Existing ADC and Citrix-based application customers like the tight integration of the AppFirewall module.
  • Capabilities: NetScaler’s ability to scale appeals to large organizations. NetScaler’s TLS decryption capabilities and integration with Thales and SafeNet hardware security modules (HSMs) are often key differentiators in prospects’ comparative testing.
  • Customer Experience: Customers give high scores to the support they receive from system integrators and service providers. They also praise improvements in API-driven manageability.
  • Customer Experience: Surveyed customers welcomed NetScaler management and analytics service (MAS), and give good scores to the Security Insight dashboards.

  • Product Strategy: Citrix faces intense competition from many large and small vendors on its leading products. Acquisitions have been a significant part of its growth strategy. However, most of the recent acquisitions (CedexisInx, Norskale, Contrade and Unidesk) have little to do with security and will take attention away from innovating on the WAF technology.
  • Sales Execution: Citrix rarely competes in dedicated WAF deals, and its overall visibility has continued to decrease. The vendor mostly sells AppFirewall as an add-on to customers primarily interested in its ADC features, or in high-performance environments.
  • Technical Architecture: Most Citrix clients use NetScaler AppFirewall as a software option on top of an ADC physical appliance. Gartner rarely sees Citrix being deployed on IaaS, such as Amazon and Microsoft. Google Cloud is not supported.
  • Capabilities: AppFirewall does not include advanced bot mitigation and anomaly detection options.
  • Market Responsiveness: The pace of WAF feature releases on NetScaler has been slow for a few years now, except for TLS decryption-related capabilities. Although Citrix is only now catching up to its competitors in cloud WAF delivery, it has not gained visibility in shortlists against other cloud WAF vendors. Citrix cannot match competitors’ offerings, because it does not bundle a CDN with its cloud WAF.
  • Customer Experience: Many customers would like better ways to handle false alerts (false positive rate). Citrix’s ability to block bots gets a low score. Clients would also like to see better documentation for the WAF’s advanced features.

Cloudflare

Cloudflare is in the Challengers quadrant. As more applications move to the cloud, and a growing number of organizations consider multicloud options, the appeal of Cloudflare’s bundled service continues to grow.
Headquartered in San Francisco, California, Cloudflare is growing quickly, with more than 700 employees. The vendor’s primary offering is a combination of DDoS protection and a CDN offering. Other products offered as a service include DNSSEC, Bot Mitigation, SSL, Rate Limiting and Orbit for securing Internet of Things (IoT) devices. Cloudflare stands out for its service delivery, which usually uses the self-service model, allowing its clients to make quick and easy configurations through wizards. Although Cloudflare’s brand is associated with its inexpensive service plans for consumers, the vendor has a sizable enterprise customer base, through a higher-priced custom Enterprise plan.
In recent months, Cloudflare announced changes promoting unlimited and unmetered DDoS protection for all of its customers. This can benefit clients by not punishing the customer for the amount, time and size of the DDoS attack. It also released a tunnel mode (Argo Tunnel), multiprotocol support (Spectrum) and some authentication brokering features, integrating with a number of identity providers (Cloudflare Access).
Cloudflare is a good shortlist candidate for internet-exposed applications in global organizations with customers in multiple regions that are concerned with the risk of DDoS attacks.

  • Technical Architecture: Cloudflare is a provider with 15 Tbps capacity and 152 data centers worldwide. This infrastructure not only supports the high performance of the applications, it promotes a close-to-the-edge security protection capability.
  • Customer Experience: Customers typically score the ease of use and implementation of the WAF and DDoS solution highly. Customers also praise the vendor’s DDoS mitigation capabilities. Cloudflare has a large base of technically savvy individuals who use its solution for personal web applications, and then become internal sponsors when their organizations consider a cloud WAF.
  • Market Responsiveness: Cloudflare continually develops new capabilities related to better user experience in ease of use and implementation. Cloudflare has announced Spectrum, which is expanding DDoS protection beyond web servers to include other TCP-based services. The vendor also occasionally acquires technologies to more quickly serve new features, as they did when they acquired Neumob’s mobile SDK.
  • Capabilities: The recent addition of Cloudflare Workers enables customers to host web applications on Cloudflare’s infrastructure, which should appeal to smaller organizations. The vendor also provides an easy-to-reach “I’m under attack” button. This automatically enables a set of protections, and is convenient for emergency reaction.
  • Capabilities: Cloudflare has recently released the ability to assign rules per uniform resource identifier (URI), improving its ability to provide more-granular control without damaging the security posture for the entire application. Its keyless SSL technology offers interesting support for customers that want to store their private keys on their preferred HSM solutions.
  • Geographic Strategy: Cloudflare is one of the few global providers with local points of presence in China.

  • Market Segmentation: Cloudflare offers WAF as a cloud service only. For organizations with restrictions on cloud services, or in locations where the appetite for cloud services isn’t high (e.g., the Middle East and Asia regions), Cloudflare can’t address use cases that require on-premises physical or virtual appliances. The lack of WAF appliance might penalize them for the nascent hybrid web application deployment use cases (partly on-premises and partly cloud-hosted), where more-conservative organizations highly rank the ability to get unified management and reporting for the WAF solution.
  • Customer Experience: Many customers, especially the larger organizations, rated Cloudflare’s alerting and reporting low. The vendor lacks automated aggregation of alerts for faster incident triage. Some customers complain of occasional API instability, as well as a higher-than-expected frequency of local performance degradation.
  • Capabilities: Cloudflare’s management console presents restrictions on offering more-granular configuration capabilities, such as building custom-made rules. In addition, the management console’s role-based access shows its limits when users want to define the per-app role, or when auditing management actions.
  • Capabilities: Cloudflare still lags behind some of its competitors for bot management. It lacks an easy way to manage good bots. Despite a recent initiative to learn from the large amount of data the vendor processes, Captcha remains the most frequent technique Cloudflare uses to block bots. This hurts the user experience. The WAF also lacks an automated positive security model, which could prove useful, especially for high-risk pages or API-driven applications.
  • Product Strategy: Gartner observes that Cloudflare’s security roadmap appears to aim at good-enough security, with a focus on pervasive, commercial off-the-shelf (COTS) web applications (e.g., WordPress and Magento). Its web application security threat research team’s efforts are targeted at quick reaction in case of a new attack campaign. However, when it comes to using new protection techniques based on in-house threat research, the vendor is less proactive than its leading competitors.

Ergon Informatik

Ergon Informatik is a Niche Player. The vendor is mostly visible in Switzerland and Germany, with slow international developments in financial institutions from other countries. Ergon provides WAF appliance only. Its roadmap execution is primarily driven by incremental improvements.
Ergon Informatik is a software engineering and consulting company, headquartered in Zurich, Switzerland, and it has 280 employees. The vendor has developed a full suite of products to serve existing clients. The product portfolio is centered around the Airlock Suite, which includes the Airlock WAF, a WAM solution (Airlock Login) and a more-comprehensive IAM solution (Airlock IAM).
Recent news includes the release of Airlock WAF 7.0, at the end of 2017, with the addition of Geo-IP and automatic whitelist learning. It has integrated Kibana for reporting and real-time dashboards, and added support for more log formats, including JSON and Common Event Format (CEF).
Ergon Informatik is a contender worth considering for large banking and financial enterprises in need of a WAF appliance.

  • Customer Experience: The vendor continues to get good feedback from faithful customers and resellers, who trust the company and praise its ability to be close to its clients. They almost always use the vendor’s IAM features and mention them as a differentiator.
  • Vertical Strategy: Ergon Informatik’s strongest presence is with banking and other financial institutions, where it can provide a large number of satisfied references.
  • Market Execution: Despite its smaller size, Ergon is a profitable company that enjoys growth at a rate that exceeds the WAF appliance market as a whole.
  • Customer Experience: Customers give good scores to Airlock WAF for its API security capabilities, and to the combination of access management features and content inspection on JSON and REST payloads.
  • Capabilities: The recent addition of geo-IP goes beyond blocking, and allows traffic to be redirected, based on the source’s region or country. Clients liked the real-time monitoring and logging upgrade, which provides the flexibility to build their own dashboards and advanced searches in log. Support for the CEF format improves the ability to integrate with SIEM vendors.
  • Capabilities: With the addition of automatic whitelist learning, Ergon Informatik now offers a comprehensive set of controls for positive security models, in addition to the already-available URL and cookie encryption features. It also provides predefined templates for known commercial applications, such as Microsoft Exchange.

  • Product Strategy: Ergon is not a good choice for hybrid or cloud-native web applications. It does not offer cloud WAF or DDoS protection services, and has not shown any intention to pursue a cloud WAF service strategy. The vendor lacks centralized management for its WAF appliances, and its WAF virtual appliances are unavailable in the IaaS marketplace.
  • Market Segmentation: Ergon is not the best fit for smaller organizations. It offers only two hardware appliances (Medium and Large). Most customers mention that the deployment is not the easiest possible, and the management interface can be complex, especially for novice users.
  • Geographic Strategy: Ergon is predominantly visible in Swiss and German shortlists, with the exception of some rare appearances in Asian financial institution shortlists. The vendor has limited direct presence outside Western Europe. Prospects from other regions should first assess the ability of the vendor to provide support in their time zones and, if necessary, in local languages.
  • Capabilities: Airlock offers limited role-based management, with four predefined roles and an experimental command line interface (CLI) option to add custom roles. Its management API feature is not yet complete.
  • Capabilities: Airlock still lacks third-party or in-house threat intelligence feeds. Its generic rule set is updated only during firmware updates. This limits the ability of customers to benefit from ad hoc, emergency-released protections in case of a new attack campaign. The vendor also relies on integration with IBM Trusteer to provide bot mitigation.
  • Market Responsiveness: Ergon Informatik’s roadmap delivery contains a higher proportion of incremental improvements to existing features than of new capabilities.

F5

F5 has moved from the Leaders quadrant to the Challengers quadrant. It continues to participate frequently in client shortlists for WAF appliances beyond its ADC customer base. The company is in the middle of reinventing itself for a cloud-first world, but has yet to reproduce the success it built in past years as a strong WAF appliance provider in the cloud WAF segment.
Based in Seattle, Washington, F5 is known for its ADC product lines (Big-IP and Viprion). The vendor employs more than 4,300 employees, which includes a small business unit dedicated to security products.
F5’s WAF is primarily consumed as a software option, Application Security Manager (ASM), which is integrated in the F5 Big-IP platform. The F5 hardware Big-IP appliance product line can also run a license-restricted (yet upgradable) version of the full software to act as a stand-alone security solution (such as a stand-alone WAF). F5’s security portfolio includes a WAM solution, Access Policy Manager (APM), web fraud protection (WebSafe), and a DDoS mitigation solution, DDoS Hybrid Defender (DHD).
Under the Silverline brand, F5 delivers cloud WAF and DDoS protection. Two flavors of the service are available: Silverline Managed WAF and the self-service WAF Express, with a threat intelligence add-on (Silverline Threat Intelligence). All Silverline services rely on Big-IP technology under the hood.
In recent news, F5 launched a dedicated solution to handle TLS traffic decryption for inbound and outbound traffic (the F5 SSL Orchestrator). The vendor has launched a WAF product called “Advanced WAF.” It includes, in addition to what is also available in ASM, a mobile SDK, specialized features for fraud prevention through form field obfuscation, bot mitigation, application-layer DoS protection and API security features.
F5 is a good shortlist contender for large-scale WAF appliances, and for scenarios requiring unified management.

  • Marketing Strategy: As its legacy ADC appliance market declines, F5 has identified security as one of the core markets for its new messaging. The vendor has publicly committed to reinforce its investment in security.
  • Technical Architecture: F5 supports AWS, Azure, Google Cloud, OpenStack and VMware Cloud. The support for multicloud with unified management appeals to the organizations building a hybrid architecture.
  • Capabilities: Clients continue to mention iRules as a reason to select, and to stay with, ASM WAF. They also mention the depth and breadth of features available on the platform.
  • Customer Experience: Customers of the managed WAF services give good scores to their interactions with the professional services and managed SOC teams. Surveyed customers like the multiple managed rulesets from F5, which can be deployed quickly on top of AWS WAF.
  • Customer Experience: Several customers mention the user community and vendor support as strong assets.

  • Product Strategy: With the existing Silverline product segmentation, F5 links its self-managed Silverline Express with the lower tier of the market, but positions it at a price point that’s much higher than its direct competitors. Gartner analysts see that as a missed opportunity for F5’s product strategy and its current portfolio gap. Larger enterprises are more likely to have in-house SOCs than midsize organizations, and most enterprises prefer self-service WAF options. F5 does not yet provide a fully featured, easy-to-manage self-service WAF.
  • Sales Execution: Gartner analysts observe limited adoption of Silverline products, and low visibility in cloud WAF shortlists.
  • Product Strategy: With Advanced WAF, F5 risks frustrating its core customer base, which has used WAF as a module of their ADC for years. They now fail to get the best security features, even when purchasing the “best” bundle, and need to get an additional security license upgrade.
  • Cloud WAF Service: Silverline’s infrastructure significantly lags behind its direct competitors. It lacks a presence in South America, the Middle East, Africa and China. It serves the entire Asia/Pacific (APAC) region from a single data center, hosted in Singapore.
  • Customer Experience: Many customers mention the need for a UI refresh, because it can be complex. They noted some improvement with the recently released hierarchy of policies.
  • Operations: F5 continues to experience big changes in its leadership, including a new lead for the security business unit. Prospective clients should monitor early signs of a strategic shift that could affect investment in the appliance product line.

Fortinet

Fortinet is in the Challengers quadrant. The vendor continues to grow its market share in the WAF appliance segment, with improved security capabilities. It is slowly catching up on the cloud WAF segment, with an initial release in 2017.
Based in Sunnyvale, California, Fortinet is a large firewall vendor that offers a broad portfolio of security and network solutions. The vendor’s almost 5,000 employees include approximately 1,000 in R&D. Fortinet’s portfolio includes a firewall (FortiGate) that constitutes most of the vendor’s revenue, a WAF (FortiWeb), a threat intelligence service (Fortinet TIS), a SIEM (FortiSIEM), and a sandbox (FortiSandbox). FortiWeb is available as a physical or virtual (FortiWeb-VM) appliance, and on AWS and Azure IaaS platforms. FortiWeb subscriptions include IP reputation, antivirus, security updates (signatures and machine learning models), credential stuffing defense and cloud sandboxing (FortiSandbox).
Fortinet’s recent corporate strategy shift articulates the concept it named “Security Fabric.” It consists of integrating many solutions from Fortinet’s portfolio, with, for example, unified visibility gained by collecting telemetry from every deployed product.
In late 2017, Fortinet launched a first version of a cloud WAF service (FortiWeb Cloud). FortiWeb 6.0, released in May 2018, integrates closely with FortiGate FortiOS 6.0. This release adds machine learning algorithms to improve anomaly detection, which deprecates the automatic application learning. FortiWeb now supports Google Cloud and the VirtualBox hypervisor.
FortiWeb is a good shortlist candidate for organizations looking for a WAF appliance, especially when deployed in hybrid scenarios, and for Fortinet’s existing customers.

  • Sales Execution: FortiWeb’s visibility in shortlists has improved, especially in Fortinet’s customer base.
  • Capabilities: Fortinet delivers strong threat intelligence, supported by the large team of its FortiGuard Labs, a shared resource for all of Fortinet’s products. The vendor has a strong ability to quickly deliver, and automatically deploy, new targeted signatures, even before the attacks have gained enough scale to be visible globally. With FortiWeb 6.0, security analysts can search for attacks using common vulnerabilities and exposures (CVE) IDs.
  • Marketing Strategy: Fortinet applies the same strategy to FortiWeb that drove FortiGate’s success. It offers a comprehensive portfolio of hardware appliances (eight models, ranging from 25 Mbps to 20 Gbps), and it wins on a good price/performance ratio. The vendor also improves its WAF by leveraging global R&D efforts, to quickly mature its WAF solution, despite being a relatively recent entrant on the market. The recent release of FortiWeb Cloud now offers a solution to Fortinet’s large customer base of midmarket enterprises.
  • Capabilities: FortiWeb’s recent use of machine learning algorithms to complement ad hoc signatures and detect attacks from their behavior is promising. The syntax analysis pass on the request helps catch false alerts that could result from the new technique.
  • Capabilities: FortiWeb is a good choice to protect file-sharing services, because it offers comprehensive options and integration for malware detection. The WAF can inspect for malware, as well as integrate with Fortinet’s sandboxing solutions.

  • Cloud WAF Service: Fortinet has been late releasing a first version of a cloud WAF service, which is still unproven, especially in its ability to avoid and mitigate false alerts. FortiWeb Cloud has more limited capabilities than its appliance counterpart, and it lacks available peer references.
  • Organization: The vendor made a modest increase in its WAF R&D department this year. Its investment in WAF remains smaller than for other products in Fortinet’s portfolio, and is relatively small, compared with some of its direct competitors.
  • Market Segmentation: Fortinet is not yet visible in shortlists for web-scale organizations trying to protect their core business-critical applications, and for cloud-native web applications that heavily leverage continuous integration.
  • Customer Experience: Some customers would like Fortinet to go one step further and unify the centralized management for WAF and firewall. Today, you need two separate management platforms for FortiWeb and FortiGate. They also would like better documentation in the form of how-to guides, especially on recent features, and better change control.
  • Capabilities: FortiWeb lags behind leaders in bot mitigation. The vendor does not offer, nor integrate with, a DDoS protection service.
  • Capabilities: FortiWeb’s machine learning does not work in high-availability deployments. In the initial version, the UI exposes a lot of the internal mechanics behind the machine learning engine. Although this compares favorably with other vendors’ “black box” approaches and helps the credibility of the engine, it can be intimidating and lengthen the learning curve.

Imperva

Imperva is in the Leaders quadrant. The vendor is one of the most visible in both the appliance and cloud WAF service segments. Imperva frequently wins on the basis of security features and innovation. Imperva can provide strong WAF functionality as a traditional appliance and cloud WAF service, but faces stronger competition for its cloud offering.
Imperva is an application, database and file security vendor, with headquarters in Redwood Shores, California. Its portfolio includes database security products (SecureSphere Data Protection and Database Audit and CounterBreach), a WAF appliance (SecureSphere WAF), and a cloud WAF service (Incapsula). Imperva also offers managed security services and managed SOC.
SecureSphere can be delivered as physical and virtual appliances. It is also available on AWS and Microsoft Azure marketplaces. The vendor also offers managed rule sets for AWS WAF.
In recent months, Imperva saw changes in its executive team, including a new CEO and CFO, followed by an internal reorganization to refocus on a cloud-first strategy. The company recently announced the acquisition of Prevoty, a RASP vendor. The vendor continued its investment in Incapsula infrastructure with new points of presence, refreshed some SecureSphere hardware appliances, and released Attack Analytics, a new real-time event management solution for Imperva SecureSphere and Incapsula.
Imperva is a good shortlist candidate for all kinds of organizations, especially large enterprises looking for high-security WAF appliances, or organizations planning to transition their applications from on-premises to the cloud.

  • Marketing Strategy: Imperva offers flexible licensing for organizations with a mix of on-premises and cloud-hosted applications. It allows the vendor to target a wider range of use cases and organizations, and to better manage the transition from WAF appliance to cloud WAF service.
  • Sales Execution: Imperva is one of the few vendors providing both WAF appliances and a cloud WAF service to achieve strong visibility in shortlists and large customer bases for both segments.
  • Customer Experience: Gartner clients using SecureSphere continue to praise customer support. They’ve noted some improvements in Incapsula’s bot mitigation.
  • Capabilities: Incapsula and SecureSphere benefit from the shared threat intelligence from ThreatRadar.
  • Capabilities: Imperva has recently released Attack Analytics to provide unified and improved monitoring for SecureSphere and Incapsula. The vendor has also made available a first version of role-based administration for Incapsula.
  • Geographic Strategy: Imperva has strong WAF presence in most geographies, and offers effective support across most regions. Recent presence has been especially strong in the APAC region.

  • Market Responsiveness: Imperva is experiencing a lot of organizational changes, which could be the source of a slower pace of release, especially for the SecureSphere product line.
  • Cloud WAF Service: Customers wish that Incapsula supported single sign-on (SSO) features, such as SAML 2.0. They also would like better and more-flexible canned reports.
  • Capabilities: Customers considering Incapsula to replace SecureSphere often notice the lack of feature parity. The cloud WAF service cannot yet match the depth and breadth of security function covered by the appliance product line.
  • Pricing: Several Gartner clients cited higher-than-competitive prices for Imperva SecureSphere WAF, and to a lesser extent for Incapsula.
  • Cloud WAF Service: Incapsula’s infrastructure does not include any point of presence in China, and its infrastructure lags behind other cloud-native WAF services in South America and Africa.
  • Customer Experience (WAF Appliance): SecureSphere customers report that the management console remains complex when using the more advanced capabilities. Customers frequently mentioned that deployment often requires professional services to effectively implement the offerings at scale. They also would like to see closer integration between Attack Analytics and the WAF management consoles, and more-unified management capabilities between SecureSphere and Incapsula.
  • Customer Experience (Cloud WAF Service): Some customers complain about Incapsula’s limited cross-site and multidomain management and reporting, especially when multiple applications share the same IP address. Surveyed customers and resellers indicated that they did not get the same quality of support for Incapsula, compared with what they are accustomed to with SecureSphere. They cite too many canned and not necessarily helpful answers as a first response when contacting support.

Instart

Instart has moved from the Visionaries quadrant to the Niche Players quadrant. The vendor’s security roadmap has seemed to stagnate. WAF is positioned as an add-on to the CDN and performance optimization platform, and its visibility in shortlists remains limited.
Headquartered in Palo Alto, California, Instart (until recently named Instart Logic) has 200 employees, and came out of stealth mode in 2010. Instart offers a bundle of cloud services, including CDN, WAF and DDoS protection. The vendor’s core marketing message for its WAF (Instart Web App Firewall) is about being “endpoint aware,” facilitated through a lightweight JavaScript agent (Nanovisor), which is injected into HTTP traffic and analyzes aspects of client-side web browser behavior. Instart offers rule tuning and a 24/7 SOC as an option. Instart’s team continually analyzes logs for its clients with a tool called Helios, which the vendor uses to update its client policies.
In recent months, Instart has completed a new round of $30 million funding. Product-related news includes the launch of a self-service rule feature, enabling clients to create their own traffic processing and WAF rules. Instart has continued to grow its infrastructure, adding more than 15 points of presence across all regions.
Instart is a valid shortlist contender for the vendor’s existing clients, and for organizations that need to quickly combine performance optimization and security features in front of their cloud-native web applications.

  • Organization: Instart is part of a new wave of web app security vendors developing easy-to-deploy, cloud-native solutions. The lack of technical debt from legacy solutions allows the vendor to try new approaches, such as the Nanovisor, more easily.
  • Viability: Instart continues to grow quickly, demonstrating its ability to attract new customers. It is well-funded to further enhance its solutions in the future.
  • Vertical Strategy: Instart continues to be visible in shortlists for small and large e-commerce companies. Customers from these organizations report that they selected Instart for its ability to combine security features with the performance optimization and anti-advertisement blocking features for which they were primarily looking.
  • Customer Experience: New customers continue to be satisfied with the ease of deployment when collaborating with the vendor. They also mention high-quality vendor support.
  • Capabilities: Instart has released a bot mitigation feature, priced separately from the WAF. It is too early to judge the quality of the feature. However, customers from Instart’s top verticals, e-commerce and online media, are heavily targeted by bots, and welcomed the new feature.
  • Capabilities: Instart management provides a fully featured API, which facilitates its integration in dynamic application ecosystems. When adding a new feature, such as the custom rule creation, a related API is also available.

  • Product Strategy: Instart positions its WAF as an add-on, and sells it mostly to its existing customer base for its other products, who don’t conduct in-depth evaluation of the security modules. The vendor has yet to demonstrate that it is interested in more than selling security as a commodity to its IT customer base.
  • Organization: Instart is a growing company, but has experienced organizational hiccups recently, with a change of CEO and internal reorganizations intended to overcome slower-than-investor-expected growth and market awareness. As the vendor prepares for its IPO, it might be distracted from innovating in the security space. Its WAF development team is one of the smallest among the vendors evaluated in this research.
  • Capabilities: Instart does not offer API security features. It does not parse JSON or XML payloads, does not offer authentication features, and does not integrate with identity providers to enable SSO using the SAML protocol.
  • Geographic Strategy: The vendor still has a low visibility in shortlists, especially outside the U.S. Prospective customers should first verify the availability of local skills, assess their need for support in their native language and ask for local peer references. The vendor has not yet deployed points of presence in China.
  • Capabilities: Instart does not provide a fully featured, self-service option. Although customers can now create their own rules, they still need the vendor for onboarding. The role-based access control (RBAC) feature is reputed to be quite limited. Configuration tuning quickly requires a request to Instart’s team. Many clients point out the poor documentation and scarcity of available technical resources.
  • Customer Experience: Customers would like to see more improvements in the reports, as well as more customizable dashboards. Because the WAF lacks integration with ticketing systems, AST and most SIEM technologies, organizations face difficulty integrating it into their enterprise incident workflows.

Microsoft

Microsoft is in the Niche Players quadrant. The vendor has released a first version of WAF, which offers baseline protection to web applications, and is visible mostly in its customer test initiatives. The vendor needs to demonstrate a continued commitment to improving the solution and building a more-feature-rich WAF.
Based in Redmond, Washington, Microsoft is one of the most well-known IT brands, with a diversified and broad portfolio. Microsoft Azure, its IaaS solution, includes virtual machines (VMs), storage and database services. Its WAF (Azure WAF) is built on top of its application delivery solution (Azure Application Gateway) and integrates with other Azure products, such as Azure Traffic Manager (ATM) and Azure Load Balancer (ALB). Azure WAF is priced per gateway and per hour, as part of the Application Gateway consumption-based model.
Azure Portal and Security Center are the management solutions for Azure Application Gateway and for Azure WAF.
In 2017, Microsoft made its WAF available globally.
Microsoft Azure WAF is a good choice for organizations looking for an ad hoc WAF available immediately while deploying workloads on Microsoft Azure.

Strengths

  • Sales Strategy: Azure WAF is bundled with the Application Gateway, making it easy for clients to enable it, while deploying the underlying application delivery infrastructure, and providing protection to their applications right away.
  • Capabilities: Azure WAF includes a fully featured REST API for managing the WAF configuration.
  • Capabilities: The vendor can parse JSON and XML payloads, and apply security rules to this content.
  • Geographic Strategy: Now that Azure WAF is available globally, it benefits from Microsoft’s global infrastructure of data centers, with multiple points of presence in all regions, except Africa and the Middle East.

Cautions

  • Organization: Microsoft is still building its WAF team, which is relatively small, when compared with the challengers and leaders in this research. Prospective buyers should get references to validate expected capabilities.
  • Product Strategy: At this point in time, Azure WAF consists mainly of a repackaged ModSecurity engine using the OWASP ModSecurity Core Rule Set (CRS). Although many WAF offerings have started with a similar approach, the vendor must continue to demonstrate its commitment to developing the WAF beyond this baseline.
  • Capabilities: As with any recently introduced product, customers should expect Azure WAF to lack some of its competitors' features. It lacks an integrated CDN, bot management and user credential abuse detection. It cannot block based on geolocation or perform malware inspection.
  • Customer Experience: Rule propagation can take several minutes. WAF onboarding, which is based on deploying an Application Gateway virtual appliance, is more complicated than that of its cloud-native WAF competitors.
  • Customer Experience: Because of the limited number of deployments protecting applications in production, feedback on Azure WAF is scarce. Early adopters mention initial scalability issues, because Microsoft's WAF is built on VMs in the back end and lacks the ease of autoscaling that other cloud-native WAFs offer.
  • Technical Architecture: Azure WAF is built on top of Azure Application Gateway. It lacks autoscaling features, requiring the use of Azure Traffic Manager to route traffic dynamically between Azure WAF instances in multiple data centers.

Oracle

Oracle is in the Visionaries quadrant. Although the product is relatively recent, and feedback is scarce, Zenedge, its recently acquired WAF solution, uses machine learning to risk score events as a differentiator in this market.
Oracle is a large provider of applications, databases and cloud services, headquartered in Redwood Shores, California. Originally known for its database products, Oracle now offers a broad portfolio of solutions, including IaaS (Oracle Cloud Infrastructure [OCI]). Oracle offers multiple security products, notably identity and access management (IAM), cloud access security brokers (CASBs), security information and event management (SIEM), compliance, data security and managed security services. Oracle acquired Dyn, a managed domain name system (DNS) service provider, in 2016, and then acquired Zenedge, a cloud-native WAF provider, in February 2018. Zenedge is now a relatively small team within OCI, and the WAF product has been rebranded as Oracle WAF. Oracle continues to offer Oracle WAF as a managed service.
Zenedge was under evaluation for this market research before the acquisition. Recent product news includes the release of a bot mitigation solution, combining JavaScript challenges, CAPTCHA and rate limiting, and an improved management API.
Oracle WAF is a good shortlist candidate for organizations looking at a managed cloud WAF service, especially those looking for new ways to detect anomalies.

Strengths

  • Market Responsiveness: Surveyed customers liked the vendor’s responsiveness to feature requests, and the regular product improvements.
  • Market Execution: Through OEM agreements, the vendor has quickly acquired a sizable customer base.
  • Customer Experience: Although the solution is still recent, early feedback on the new bot management features is promising. The vendor's team in charge of managing the WAF also gets good scores from surveyed customers and resellers.
  • Capabilities: Oracle WAF uses statistical analysis to assign a risk score to suspicious requests, and triggers alerting or blocking actions based on that score. Customer feedback indicates that this feature helps them tune the WAF configuration and focus on important events.
  • Capabilities: Now that Zenedge is part of Oracle, it gains visibility into a large volume of traffic, which could be used to further improve the learning algorithms and, therefore, the quality of Oracle WAF's detection.
  • Support: Contacted customers confirmed to Gartner analysts that the acquisition had no impact on the quality of their interactions with Zenedge team.

Cautions

  • Product Strategy: Zenedge, a relatively small startup, has been acquired by Oracle, which is a cloud provider and a large enterprise. In other network and application security acquisitions, Gartner analysts have observed that a cultural chasm, and potential conflicts in roadmap priorities could slow down feature delivery. Prospects, especially those protecting applications not hosted on Oracle cloud, should request commitment on the vendor’s roadmap delivery, in case required capabilities are missing at the time of purchase.
  • Technical Architecture: Oracle WAF infrastructure lacks points of presence in China, the Middle East and Africa. It has a limited number of points of presence in South America and Asia. Oracle infrastructure is global, so the vendor might quickly increase the number of available points of presence for Oracle WAF.
  • Capabilities: Although many features are available through a self-service portal, Oracle recommends that its customers engage the Oracle Dyn managed services team to onboard new applications. Oracle WAF does not yet integrate with SIEM products. Logs can be exported as a comma-separated flat file (.csv) or pulled through an API, but are not available in CEF format or over syslog.
  • Customer Experience: Customers would like to see improvements in Oracle WAF's reporting. The event view, which is separate from the active-learning view where the risk score appears, does not aggregate individual alerts into attacks or attack campaigns, resulting in a large number of alerts.
  • Product: Some early clients highlighted that Zenedge WAF, prior to the acquisition, was still a work in progress, lacking some expected features. Oracle Dyn has a smaller team for WAF-related threat research, compared with many of its leading competitors.
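
The SIEM gap noted above (CSV or API export only, no CEF or syslog) is the kind of thing a security team ends up bridging itself. The following is an added example, not Oracle's or Zenedge's code: it turns a constructed CSV event export into CEF messages wrapped in RFC 5424 syslog frames. The CSV column names, the CEF vendor/product/version identifiers, the syslog facility and the application name are all assumptions for illustration; the real export schema must be checked against the vendor's documentation before this is used.

```python
"""Convert a WAF event export in CSV form into CEF messages wrapped in RFC 5424
syslog frames, so that a SIEM can ingest it.

Added example, not Oracle's or Zenedge's code. The CSV column names, the CEF
vendor/product/version identifiers, the syslog facility and the app name are
assumptions for illustration; check them against the real export schema.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample export with assumed column names (not the real schema).
SAMPLE_CSV = (
    "timestamp,client_ip,host,method,path,rule_id,rule_name,risk_score,action\n"
    "2018-06-01T12:00:03Z,198.51.100.23,shop.example.com,GET,"
    "/search?q=1' OR '1'='1,941100,SQL Injection,87,block\n"
    "2018-06-01T12:00:05Z,203.0.113.9,shop.example.com,POST,"
    "/login,900200,Request rate | burst,35,alert\n"
)

CEF_VENDOR, CEF_PRODUCT, CEF_VERSION = "Oracle", "WAF", "1.0"  # assumed identifiers
SYSLOG_FACILITY = 20                                           # local4 (assumed)
SYSLOG_SEVERITY = {"block": 4, "alert": 5}                     # warning / notice
SYSLOG_APPNAME = "oraclewaf-export"                            # assumed app name


def cef_header_escape(value: str) -> str:
    """CEF header fields: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_ext_escape(value: str) -> str:
    """CEF extension values: backslash, equals sign and line breaks must be escaped."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def risk_to_cef_severity(score: int) -> int:
    """Map the export's 0-100 risk score onto CEF's 0-10 severity scale."""
    return max(0, min(10, score // 10))


def row_to_cef(row: dict) -> str:
    """Build one CEF:0 message from a parsed CSV row."""
    ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    header = "|".join([
        "CEF:0",
        cef_header_escape(CEF_VENDOR),
        cef_header_escape(CEF_PRODUCT),
        cef_header_escape(CEF_VERSION),
        cef_header_escape(row["rule_id"]),
        cef_header_escape(row["rule_name"]),
        str(risk_to_cef_severity(int(row["risk_score"]))),
    ])
    # Standard CEF extension keys; the risk score goes into a labelled custom number.
    ext = [
        ("rt", str(int(ts.timestamp()) * 1000)),   # receipt time, epoch milliseconds
        ("src", row["client_ip"]),
        ("dhost", row["host"]),
        ("requestMethod", row["method"]),
        ("request", row["path"]),
        ("act", row["action"]),
        ("cn1", row["risk_score"]),
        ("cn1Label", "riskScore"),
    ]
    return header + "|" + " ".join(f"{k}={cef_ext_escape(v)}" for k, v in ext)


def to_syslog(row: dict, cef: str, hostname: str = "waf-export") -> str:
    """Wrap a CEF message in an RFC 5424 header; PRI = facility * 8 + severity."""
    pri = SYSLOG_FACILITY * 8 + SYSLOG_SEVERITY.get(row["action"], 6)
    return f"<{pri}>1 {row['timestamp']} {hostname} {SYSLOG_APPNAME} - - - {cef}"


def convert_csv_to_syslog(csv_text: str) -> list:
    """Parse the CSV export and return one syslog line per event."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [to_syslog(row, row_to_cef(row)) for row in reader]


if __name__ == "__main__":
    for line in convert_csv_to_syslog(SAMPLE_CSV):
        print(line)
```

The two escaping rules are where home-grown converters usually go wrong: the `=` inside the injected query string must become `\=` in the extension, and the `|` inside the rule name must become `\|` in the header, otherwise the SIEM parser splits the message in the wrong place. Alerts and blocks are given different syslog severities so that the receiving SIEM can route on PRI before it has parsed the CEF body.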

Radware

Radware is in the Visionaries quadrant. The vendor has robust technical capabilities, delivers most of its technology consistently in both on-premises and cloud-based form, and has a good understanding of DevOps environments. However, the vendor lags behind the leaders in visibility in WAF shortlists.
Based in Tel Aviv, Israel, and Mahwah, New Jersey, Radware is a DDoS protection, application delivery and application security provider, employing nearly 1,000 people. Alteon, its ADC platform, continues to contribute significantly to its revenue. However, Radware's security portfolio drives the vendor's growth, with a DDoS mitigation appliance (DefensePro) and a cloud DDoS mitigation service (Cloud DDoS Protection). Radware also offers a specialized security solution for carriers and service providers (DefenseFlow). Its WAF, AppWall, may be deployed as a physical or virtual appliance, as a module on top of Radware's ADC appliance (Alteon) or, using the same technology, as part of Radware's Cloud WAF Service. Radware Cloud Security Services is a fully managed service that delivers three categories of protection: cloud DDoS protection, application protection (cloud WAF service and cloud web acceleration service) and cloud CDN.
Recent Radware product announcements include support for AppWall on Microsoft Azure. Radware has also introduced customizable security policy templates to accelerate WAF deployment, and has improved its bot mitigation feature.
Radware is a good shortlist candidate for most organizations, especially those that want strong positive security and want to deploy the same security levels across hybrid environments. Organizations with high-security use cases, or applications that are unlikely to be compatible with a whitelisting approach should engage in security testing, as part of the evaluation of the technology.

Strengths

  • Capabilities: Radware’s Emergency Response Team (ERT) leverages in-house threat research and provides 24/7 managed SOC, in addition to ad hoc support, when Radware’s customers are under attack.
  • Product Strategy: At the heart of the AppWall WAF technology is Radware’s automatic policy learning. Radware’s engine tracks changes and updates to the application and updates the policy, also leveraging integration with AST solutions to implement virtual patches in case of new vulnerabilities. This also works for APIs.
  • Customer Experience: Radware customers praise the combination of high-efficacy DDoS protection and WAF. Users of the AppWall appliances are satisfied with the level of effort required to tune the positive security model.
  • Market Execution: Many customers of Radware’s WAF were initially DDoS protection customers, or purchase the WAF and DDoS protection offers all together. Radware’s good reputation in the DDoS protection space reflects positively on its WAF prospects.
  • Cloud WAF Service: Radware customers, relying on the vendor to manage the WAF, express satisfaction with the vendor’s professional service and incident response (ERT) teams.
  • Vertical Strategy: Radware has good visibility in media and retail organizations, two vertical segments combining large-scale web applications, budget constraints and relatively small security teams.
  • Marketing Strategy: The vendor regularly publishes threat reports to raise awareness of current attack trends; incidentally, these reports also demonstrate the efficacy of its approach.

Cautions

  • Customer Experience: Although comments on support are generally positive, customers in the APAC region are less satisfied with the timeliness of Radware's support response for issues that require more than a canned answer.
  • Cloud WAF Service: Managed WAF is not the preferred option for many customers; however, it is the main option for Radware cloud WAF service. Radware cloud WAF service clients express interest in further improvements of the self-service management capabilities.
  • Customer Experience: Radware's customers cite a need to improve the AppWall UI. It scores low in surveys, and the most frequently cited issue is a lack of intuitiveness when searching for a configuration option. Customers also comment on the lack of out-of-the-box compliance reports in the appliance; these reports are available in APSolute Vision Reporter, Radware's dedicated reporting solution.
  • Capabilities: Some prospects encountered challenges successfully implementing Radware’s positive security approach.
  • Market Execution: Radware is not as visible in U.S. shortlists as many of its competitors. Organizations evaluating AppWall should focus on their evaluation of the vendor’s capabilities, relative to their requirements, rather than on the overly aggressive communications from the vendor and its channel partners, who frequently exaggerate capabilities relative to leading competitors.
  • Customer Experience: Radware customers continue to be dissatisfied with the training and documentation on AppWall, mentioning that it lengthens the learning curve when trying to deploy the technology, implement new features or understand whether there’s a configuration issue.
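
The positive security model is the thread running through the shortlist advice, the automatic policy learning strength and the implementation caution above: a whitelist learned from clean traffic blocks attacks without signatures, but every parameter the application adds later is a violation until the policy is relearned. To make that trade-off concrete, here is an added example, not Radware's code and not AppWall's learning algorithm: it learns per-endpoint parameter profiles (allowed parameters, a value class, a maximum length) from a constructed sample of clean traffic, then evaluates new requests against them. The learning traffic, the value classes and the length slack factor are assumptions.

```python
"""Toy positive security (allow-list) model for HTTP query parameters.

Added example illustrating the approach discussed above; not Radware's or
AppWall's code. Learning traffic, value classes and slack factor are assumptions.
"""
import math
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed learning-phase traffic, assumed to be clean: (method, URL) pairs.
LEARNING_TRAFFIC = [
    ("GET", "/search?q=shoes&page=1"),
    ("GET", "/search?q=red%20boots&page=2"),
    ("GET", "/search?q=hat"),
    ("POST", "/login?user=alice"),
    ("POST", "/login?user=bob_99"),
]

# Value classes from most to least restrictive; a parameter gets the first class
# that matches every value seen for it during learning.
VALUE_CLASSES = [
    ("digits", re.compile(r"^[0-9]+$")),
    ("word", re.compile(r"^[A-Za-z0-9_]+$")),
    ("text", re.compile(r"^[A-Za-z0-9_ .,-]+$")),
]


def classify(values):
    """Return the most restrictive class name matching all values, or None."""
    for name, pattern in VALUE_CLASSES:
        if all(pattern.match(v) for v in values):
            return name
    return None


def learn(traffic):
    """Build {(method, path): {param: {"class": ..., "max_len": ...}}} from clean traffic."""
    observed = {}
    for method, url in traffic:
        parts = urlsplit(url)
        params = observed.setdefault((method, parts.path), {})
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            params.setdefault(name, []).append(value)
    return {
        key: {
            name: {"class": classify(values), "max_len": max(len(v) for v in values)}
            for name, values in params.items()
        }
        for key, params in observed.items()
    }


def evaluate(profile, method, url, length_slack=1.5):
    """Return a list of policy violations for one request; an empty list means allowed."""
    parts = urlsplit(url)
    key = (method, parts.path)
    if key not in profile:
        return [f"{method} {parts.path}: endpoint not in learned profile"]
    allowed = profile[key]
    patterns = dict(VALUE_CLASSES)
    violations = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in allowed:
            violations.append(f"{name}: parameter not in learned profile")
            continue
        spec = allowed[name]
        # A parameter whose learned values fit no class gets a length check only.
        if spec["class"] is not None and not patterns[spec["class"]].match(value):
            violations.append(f"{name}: value does not match learned class {spec['class']!r}")
        if len(value) > math.ceil(spec["max_len"] * length_slack):
            violations.append(f"{name}: length {len(value)} exceeds learned maximum {spec['max_len']}")
    return violations


if __name__ == "__main__":
    policy = learn(LEARNING_TRAFFIC)
    for method, url in [
        ("GET", "/search?q=boots&page=3"),              # clean: allowed
        ("GET", "/search?q=shoes' OR 1=1--&page=1"),    # injection: blocked, no signature needed
        ("GET", "/search?q=hat&sort=price"),            # new parameter: false positive
        ("GET", "/admin"),                              # unlearned endpoint
    ]:
        print(method, url, "->", evaluate(policy, method, url) or "allowed")
```

The third case is the compatibility caveat in practice: `sort=price` is a perfectly legitimate parameter that simply did not appear during learning, so a whitelisting WAF flags it until the policy is updated. An application that generates parameter names dynamically produces this on every release, which is why the text recommends security testing before committing to the positive model for such applications.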

Rohde & Schwarz Cybersecurity

Rohde & Schwarz Cybersecurity is in the Niche Players quadrant. Its WAF appliance product line bundles several advanced security features, with the result that most deployments run in blocking mode. The vendor struggles with market reach beyond its home markets, and its cloud WAF offering has made little progress.
Headquartered in Munich, Germany, Rohde & Schwarz is a large electronics group. It has acquired several vendors to build Rohde & Schwarz Cybersecurity, which has almost 500 employees. Its WAF business unit, DenyAll, was acquired in 2017 and employs nearly 90 people. In addition to the R&S Web Application Firewall, Rohde & Schwarz Cybersecurity's products include R&S Unified Firewalls (acquired from the German company gateprotect), a network firewall targeting midsize enterprises, and endpoint security solutions.
A key concept in the DenyAll WAF is the use of a graphical workflow to configure traffic processing and inspection. The workflow view is a diagram in which administrators can drag and drop controls, response modifications and other actions. The DenyAll WAF is available on AWS and Microsoft Azure. R&S Cloud Protector is the cloud WAF service offering.
In addition to the rebranding, recent news includes a refresh of the WAF appliance product line, active-active high availability and improved processing of JSON payloads.
Rohde & Schwarz Cybersecurity is a good shortlist contender for organizations looking for a WAF appliance, combining ease of use and in-depth security features, especially those located in Europe.

Strengths

  • Customer Experience: Rohde & Schwarz customers like the graphical workflow, backed up by a more traditional view. Former DenyAll rWeb users noted that the addition of a web security engine in the new WAF product improved their results.
  • Product Strategy: Following the acquisition, the DenyAll team maintained an open security culture, participating in events where penetration testers are invited to try to hack or bypass the WAF. R&S WAF is also one of the few products evaluated in this research with an official bug bounty program.
  • Capabilities: DenyAll WAF includes multiple analysis engines and leverages user session risk scoring to ensure accurate detection and low false-positive rates.
  • Capabilities: Building on previous enhancements to its reporting solution, Rohde & Schwarz has improved its investigative capabilities by enabling attack replay and dedicated investigation dashboards.
  • Capabilities: Like most cloud WAF services built on the foundation of a WAF appliance, R&S Cloud Protector offers only predefined configurations through its management console. However, customers can fully manage the WAF through the API.
  • Customer Experience: Customers continue to give positive feedback about presale and postsale local support.

Cautions

  • Market Responsiveness: The number of new features released on R&S WAF and R&S Cloud Protector has been severely limited for a few years now. Smaller vendors evaluated for this research have achieved significantly more during the same period, especially when it comes to the development of a cloud WAF service.
  • Marketing and Sales Execution: Even though the acquisition gave DenyAll access to Rohde & Schwarz’s sales force, the vendor is losing market share.
  • Capabilities: The acquisition by Rohde & Schwarz did not lead to significant investment in DenyAll's small threat research team. The DenyAll WAF does not automatically deploy ad hoc signatures following an attack; it relies on its generic engine, leaving customers to work out from the detailed log information whether a triggered alert relates to a recent attack campaign.
  • Capabilities: Rohde & Schwarz does not offer unified centralized management for its WAF appliance and R&S Cloud Protector. The vendor offers limited bot mitigation, compared with many of the vendors evaluated in this research.
  • Geographic Strategy: R&S WAF is not visible in shortlists outside its original home market, France, and Germany. Prospective customers outside these two countries should verify the availability of peer references.
  • Customer Experience: Many customers have complaints about the Java-based UI, and would like to see faster transition to the web-based management promised for years. They also note that bot mitigation could be better.

Vendors Added and Dropped

We've updated the inclusion criteria to reflect enterprises' more demanding requirements. Part of the change is a new requirement for vendors to have a customer base outside their home region.
We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

Added

  • Microsoft (Azure)
  • Oracle (acquired Zenedge)

Dropped

  • NSFOCUS, Penta Security, Positive Technologies and Venustech were dropped, due to updated and more-demanding inclusion criteria.

Inclusion and Exclusion Criteria

WAF vendors that meet Gartner’s market definition/description are considered for this Magic Quadrant under the following conditions:
  • Their offerings can protect applications running on different types of web servers.
  • Their WAF technology is known to be approved by qualified security assessors as a solution for PCI DSS Requirement 6.6, which covers Open Web Application Security Project (OWASP) Top 10 threats, in addition to others.
  • They provide physical, virtual or software appliances, or cloud WAF service.
  • Their WAFs were generally available as of 1 January 2017.
  • Their WAFs demonstrate global presence, and features/scale relevant to enterprise-class organizations:
    • $12 million in WAF revenue during 2017; able to demonstrate that at least 200 enterprise customers use its WAF products under support as of 31 December 2017.
    • And, the vendor must have sold at least 40 net-new customers in 2017.
    • Or, $7 million in WAF revenue during 2017, and two years of compound annual revenue growth of at least 30%.
  • The vendor must provide at least three WAF customer references for WAF appliances, or three customer references for cloud WAF service, or both, if the vendor offers both solutions.
  • The vendor must demonstrate minimum signs of global presence:
    • Gartner received strong evidence that more than 5% of its customer base is outside its home region. Vendors appearing in Gartner client inquiries, competitive visibility, client references and the vendor's local brand visibility are considered.
    • The vendor can provide at least two references outside its home region.
  • The provider offers 24/7 support, including phone support (in some cases, this is an add-on, rather than being included in the base service).
  • Gartner has determined that they are significant players in the market, due to market presence, competitive visibility or technology innovation.
  • Gartner analysts assess that the vendor’s WAF technology provides more than a repackaged ModSecurity engine and signatures.
  • The vendor must provide evidence to support meeting the above inclusion requirements.
WAF companies that were not included in this research may have been excluded for one or more of the following reasons:
  • The vendor primarily has a network firewall or IPS with a non-enterprise-class WAF.
  • The vendor is primarily a managed security service provider (MSSP), and WAF sales mostly come as part of broader MSSP contract.
  • The vendor is not actively providing WAF products to enterprise customers, or has minimal continued investments in the enterprise WAF market.
  • The vendor has minimal or negligible apparent market share among Gartner clients, or is not actively shipping products.
  • The vendor is not the original manufacturer of the firewall product. This includes hardware OEMs, resellers that repackage products that would qualify from their original manufacturers, and carriers and internet service providers (ISPs) that provide managed services. We assess the breadth of OEM partners as part of the WAF evaluation, and do not rate platform providers separately.
  • The vendor has a host-based WAF, WAM, RASP or API gateway (these are considered distinct markets).
In addition to the vendors included in this Magic Quadrant, Gartner tracks other vendors that did not meet our inclusion criteria because of a specific vertical market focus and/or WAF revenue and/or competitive visibility levels in WAF projects, including A10 Networks, Alibaba, Alert Logic, Array Networks, Avi Networks, Beijing Chaitin Technology, Brocade, DBAppSecurity, DB Networks, ditno., Indusface, Kemp Technologies, Limelight, ModSecurity, NGINX, NSFOCUS, Penta Security, PIOLONK, Positive Technologies, Qualys, Sangfor, SiteLock, Sucuri, Threat X, Trustwave, Venustech, Verizon and Wallarm.
The adjacent markets focusing on web application security continue to be innovative. This includes the RASP market and other specialized vendor initiatives. Those vendors take part in web application security, but often focus on specific market needs, such as bot mitigation (Distil Networks, PerimeterX, Shape Security and Stealth Security), or take an alternative approach to web application security (e.g., Signal Sciences and tCell).

Magic Quadrant for Disaster Recovery as a Service

Published 12 July 2018 – ID G00336410 – 45 min read

The disaster-recovery-as-a-service market consists of hundreds of providers, all with different approaches and capabilities. This creates immense complexity around vendor selection. Infrastructure and operations leaders should use this Magic Quadrant to help evaluate providers of DRaaS.

Market Definition/Description

This document was revised on 20 July 2018. The document you are viewing is the corrected version. For more information, see the Corrections page on
Gartner defines the disaster recovery as a service (DRaaS) market as a productized service offering in which the provider manages server image and production data replication to the cloud, disaster recovery run book creation, automated server recovery within the cloud, automated server failback from the cloud, and network element and functionality configuration, as needed. Source servers supported must include a combination of both virtual and physical. To be considered DRaaS versus other options that enable do-it-yourself recovery, all elements of the service must be included in the service offering contract between the provider and customer, and offer a standardized SLA for recovery.
Services may be delivered by the provider as a fully managed offering, as an assisted recovery offering or as self-service:
  • Fully managed services are those where the provider is solely responsible for all aspects of the service offering.
  • Assisted recovery is where the provider is responsible for the recovery infrastructure and manages data replication. The customer is responsible for run book creation and operating the recovery solution in the event of a recovery exercise or following an actual disaster declaration. Solutions where the provider is able to take control via a support process, but does not assume full management responsibility for all services for exercising or event declaration, fall into this category.
  • Self-service offerings are those where customers take on increased responsibility for actions such as recovery configuration activation and shutdown, managing virtual machine (VM) replication, and recovery plan creation and updates. This model gives end users greater control over server image replication, failover and failback procedures. Service providers must make tools available to accomplish these tasks, but they are not responsible for operating the tools.
The fiscal responsibility for all infrastructure utilized must be on the provider, versus using customer-owned assets, independently procured cloud infrastructure as a service (IaaS) or other separate hosting contracts. This last factor is what separates self-service offerings from true “do it yourself” (DIY) cloud-based solutions, where, although you may purchase the tools from a single provider, you are responsible for all of the cloud-based infrastructure for recovery.

Current Market

As stated in the 2017 iteration of this Magic Quadrant, DRaaS is now a mainstream offering. In fact, Gartner estimates it to currently be a $2.40 billion worldwide business, and it is expected to reach $3.73 billion by 2021. Yet its mainstream status does not make it less complex for potential customers to choose which offering is best for them.

Key Differences in This Year’s Magic Quadrant

Some minor changes in the 2018 Magic Quadrant are associated with the DRaaS definition itself. Examples include the requirement for automated failback, and a delineation between DRaaS and products or solutions that enable cloud-based disaster recovery through a variety of means. There is now a further focus on those vendors that serve clients who wish to procure DRaaS separately, instead of as part of a larger data center outsourcing solution.
Larger changes were made to sharpen the DRaaS Magic Quadrant's purpose as a tool to assist Gartner end-user clients in evaluating DRaaS providers. The biggest changes for 2018 took the form of evolved inclusion and exclusion criteria, and an even greater emphasis on value for money when it comes to support for heterogeneous platforms.

Inclusion and Exclusion Criteria

Several providers who were in the 2017 DRaaS Magic Quadrant were excluded in 2018. Their exclusion should not be interpreted as their offerings being inferior — in fact, in many cases, the opposite is true. Rather, the new inclusion and exclusion criteria served two purposes:
  • Bring additional focus in terms of Gartner client buyer persona.
  • Help answer the simple question, “If I want DRaaS and only DRaaS, which providers are the most relevant?” by differentiating further tangential service offerings related to traditional disaster recovery, workplace recovery, data center outsourcing (DCO), cloud-enabled managed hosting or managed services on public cloud — many of which have Magic Quadrants of their own.
Specific examples of the 2018 changes include a requirement that direct sales, rather than channel partners such as managed service providers (MSPs), value-added resellers (VARs) and system integrators (SIs), be the vendor's primary route to market. We made a further distinction between industrialized, repeatable DRaaS offerings and customized disaster recovery, and added a requirement that most existing customers of the DRaaS provider have more than $50 million in revenue.
As a result of these changes, the number of service providers decreased significantly from last year. Note also that, because fewer types of providers are included, the degree of differentiation for certain attributes can be affected. Consequently, we do not recommend comparing last year's placement with 2018's. More details and information on the excluded organizations are in the Dropped Vendors section.

Value of Heterogeneous Platform Support

Mainframe, UNIX and other proprietary, heterogeneous platforms have seen a rapid decline in demand, per Gartner end-user inquiry trends: client interest in these topics during the trailing 12 months was less than half that of the prior period. In the past, the ability to support platforms like mainframe and UNIX was considered a differentiator because there were few providers in the marketplace selling DRaaS-only offerings for those platforms. The DRaaS market continues to evolve, and this is becoming less of a buying factor because of end-user plans to replatform or migrate the associated applications to SaaS. When plans to replatform or migrate from those legacy platforms are not in place, the client may find that using colocation for those one-offs is better from a total cost of ownership (TCO) perspective. Or, when the client is very large, the initiative evolves from DRaaS into a larger DCO opportunity. Consequently, less credit was given to providers by virtue of having non-x86 DRaaS support, and greater emphasis was placed on the comparative value associated with competing options.

Magic Quadrant

Figure 1. Magic Quadrant for Disaster Recovery as a Service

Source: Gartner (July 2018)

Vendor Strengths and Cautions

Bluelock

Bluelock was founded in 2006 as a managed hosting and IaaS provider. In the past four years, the company has primarily invested in and focused on its DRaaS offerings for U.S.-based midsize and large companies. Bluelock is not large in terms of scale. However, where it continues to stand out is its very hands-on and consultative, business-focused sales approach and in its customer onboarding process. Through this “Bluelock Experience,” the organization helps clients gain constituent alignment, recovery assurance and colocation recovery integration. On 15 March 2018, Bluelock was acquired by InterVision as a complement to its existing managed services offerings.
Primary Support Approaches: Fully managed via Bluelock, or assisted after initial onboarding by Bluelock.
Primary Workloads Supported: Virtual x86 with integrated colocation capabilities for non-x86 workloads.
Regional Recovery Presence: Two locations in the U.S. — Indianapolis, Indiana, and Las Vegas, Nevada.
Customer Complexity: Experienced with supporting up to 75 server images in combined physical and virtual environments, and over 300 server images in virtual-only environments.
Recommended Use: U.S. companies that desire a business-related, high-touch approach toward DRaaS and have heterogeneous workloads that require not only colocation, but also integration into a recovery plan.

Strengths

  • Bluelock supports a “roll back” option (only available for DRaaS Ready) that will allow the client to bring the DR site online to act as the production site. The production site then acts as the DR site with reverse replication between the two maintained.
  • Customer satisfaction is often a strong point with Bluelock, which may be related to the zero turnover in customer-facing support staff throughout 2017.
  • Recovery Assurance — the process of fully managing onboarding, DR Playbook creation and maintenance, and recovery response, and providing attestation of successful recovery testing — is a core offering and a focus for most of Bluelock’s customers.
Cautions
  • Although its portal interface, known as Portfolio, is very good, its lack of overarching orchestration across physical and virtual platforms shows that Bluelock’s focus is still on fully managed offerings, where its internal teams can overcome the lack of a centralized automation capability.
  • Bluelock clients are responsible for all security monitoring and management of the virtual machines within their Virtual Datacenter while running during a failover event.
  • While Bluelock takes a very consultative approach to selling its solutions, it leverages partners for advanced services such as performing application dependency mapping and business impact analysis for customers.
  • The two included tests are only sandbox tests that are conducted during business hours. Those tests do include project management, playbook validation, debriefs and test certificates. However, full-scale failover tests or advanced tests will require either more advanced testing options negotiated upfront or additional time and materials (T&M) engagements.

C&W Business

C&W Business operates in over 20 countries in the Caribbean, Latin American and North American regions. Its customer support centers offer both Spanish and English interactions. Technical support services are also provided in both languages. The company operates as a subsidiary of Liberty Latin America. The foundation for much of C&W’s differentiation with respect to DRaaS is rooted in its multicountry network connectivity capabilities, as well as its commitment to full service for IBM-based platforms and x86 environments.
Primary Support Approaches: Fully managed, although self-service is an option.
Primary Workloads Supported: Physical and virtual x86, UNIX (AIX, Solaris), and IBM i.
Regional Recovery Presence: Seven regional data centers — Miami, Florida; the Cayman Islands; Panama (two); Curaçao; and Bogota, Colombia (two).
Customer Complexity: Experienced with support of up to 200+ server images, with multiple database and application cluster environments.
Recommended Use: When regional needs, especially network connectivity and hybrid recovery, are priorities for low- to medium-complexity environments, or when organizations have a desire for complete data center outsourcing.
Strengths
  • C&W Business has a focus on “medium-complex” clients, which often includes applications and platform variations such as Oracle DB, IBM i and fully managed services.
  • With an onboarding timeline that completes in as little as 14 days, C&W Business can quickly initialize new client environments.
  • It is one of the few service providers that offers IaaS-based DRaaS solutions for AIX/iSeries.
Cautions
  • C&W Business only offers credits for SLA penalties after monthly availability falls below 99.6% or its response time exceeds three hours.
  • For fully managed services, implementation and additional test fees listed by C&W Business are charged on a per-VM basis and were the highest of any vendor in the Magic Quadrant. However, all contracts do include three tests per year as a way to offset the need for additional tests.
  • Clients are free to change their choice of recovery data centers utilized from any of the six locations. However, they will still need to relocate data, unless they have utilized the additional-cost option to proactively have data resident in multiple locations.

CloudHPT
CloudHPT is the cloud solution division of BIOS Middle East Group. It is headquartered in the United Arab Emirates and principally serves the Gulf Cooperation Council (GCC) region. It was founded in 2002, and its business is focused on cloud services for IaaS, DRaaS and backup as a service (BaaS) for both customer environments and major SaaS providers.
Primary Support Approaches: Fully managed.
Primary Workloads Supported: Physical and virtual x86.
Regional Recovery Presence: Four data center locations: two in the U.A.E. (Dubai and Abu Dhabi) and two in Saudi Arabia (Jeddah and Riyadh).
Customer Complexity: Historically fewer than 140 servers for DRaaS itself, but adept with handling regional networking limitations and political aspects.
Recommended Use: Organizations with data residency requirements in the Middle East.
Strengths
  • CloudHPT deploys workload discovery tools during the sales engagement, which are used to help enable onboarding and to capture changes to the environment during the contract period. The service offering also includes a monthly noninvasive virtual test and a full annual disaster recovery (DR) test at no additional charge.
  • CloudHPT is one of the few MSPs that can meet the needs of clients with in-country requirements within Dubai and Saudi Arabia. It also has some existing clients configured for recovery to Amazon Web Services (AWS) and Microsoft Azure — both within and outside of the Middle East.
  • The vendor has a strong focus on disaster avoidance through proactive security information and event management (SIEM) capabilities, as evidenced by its SIEM as a Service, which is included in its DRaaS offering for the first 100 days.
Cautions
  • CloudHPT will begin to see more competition as larger players gain greater in-country presence in the region. While some of this risk has been partially mitigated through automation and partnerships, potential customers must factor that into the sourcing decision.
  • Geopolitical risk in the region can alter — and has altered — plans for expanded service locations.
  • CloudHPT is thinner in its leadership ranks than most in the Magic Quadrant. Prospective clients are encouraged to inquire about succession planning in order to reduce potential risk.

Expedient
Expedient is a colocation, cloud and data center IaaS provider headquartered in Pittsburgh, Pennsylvania. It was founded in 2001. Expedient provides DRaaS to clients hosted within its data centers and separately as a service for customers hosting their production workloads on-premises or in other locations using On-Site Private Cloud appliances.
Primary Support Approaches: Fully managed.
Primary Workloads Supported: Physical and virtual x86.
Regional Recovery Presence: Midwest, mid-Atlantic and Northeastern portions of the U.S.
Customer Complexity: Experienced with support of up to 600+ server images, with dedicated infrastructure in up to three locations.
Recommended Use: Organizations that prefer Expedient’s regional locations and local staff along with compute resources that can be utilized for more than just DR.
Strengths
  • Expedient’s Push Button DR can rapidly fail over entire sites with minimal interruption to external service availability by leveraging Border Gateway Protocol (BGP) during failover instead of making DNS modifications.
  • Although a regional player, Expedient mitigates the risk that resources will be unavailable to clients in the event of a regional outage by not oversubscribing clients across its resource pools.
  • Customer references repeatedly stated that the buying process featured quick turnaround for proposals, and that sales engagements weren’t “pushy.” References most often reported functional capabilities as the key factor in choosing Expedient over other providers.
Cautions
  • Expedient’s pricing is on the higher end of the spectrum. Proposals contain cost protections for Expedient’s data center costs and software costs that are similar to those found in colocation provider contracts.
  • Gartner believes Expedient’s sales proposal collateral and commercial service description structures can be confusing in areas and could potentially lead to unintentional misinterpretation. Examples include the degree to which compute resources are “committed” and the extent to which RTO/RPO-specific SLAs are included.
  • While localized resources for sales and support are available in the areas that Expedient supports, outside of those areas of focus it provides remote staff, just as many other providers do.

IBM

The IBM Resiliency Services portfolio consists of over 13 services that fall into categories including advisory services, business continuity, backup and data protection, facilities and data center services, and disaster recovery. The latter includes long-standing options such as traditional disaster recovery and work area recovery, as well as newer offerings such as Cyber-Resilience Services, Resiliency Orchestration (which has evolved from its 2016 Sanovi Technologies acquisition) and Disaster Recovery as a Service.
Primary Support Approaches: Fully managed.
Primary Workloads Supported: Physical and virtual x86, UNIX (AIX, Solaris, HP-UX), IBM i, IBM Z, storage area network (SAN) replication, and database appliances.
Regional Recovery Presence: Over 100 IBM Resiliency Data Centers spanning North America, Latin America, Europe, the Middle East, Africa and Asia/Pacific, and a global presence for Orchestrated DRaaS for IBM Cloud in 19 countries.
Customer Complexity: Experienced in supporting clients with complex heterogeneous environments, over 1,000 server images, involving two recovery locations, four recovery tiers, 200+ database instances and 300+ application recovery runbooks.
Recommended Use: Organizations that desire fully managed DRaaS and global support for IBM hardware offerings, and organizations that need additional related services in addition to DRaaS.
Strengths
  • IBM is one of three vendors in this Magic Quadrant with significant non-x86 workload and mainframe recovery experience. Moreover, IBM has supported more than 1,000 recoveries since 1989.
  • IBM is the strongest in the field of MQ providers in terms of depth and breadth across its overall Resiliency Services portfolio. This can well serve clients who wish to evolve recovery options over a longer period of time as business needs change.
  • IBM is well-positioned over the longer horizon in terms of supporting clients with fragmented, distributed environments across several platforms. This is due to IBM’s long-term strategic vision and skilled engineers and project managers.
Cautions

  • Gartner clients and customer reference sentiment consistently point to issues with IBM DRaaS prices being too high in relation to value. This is also true for UNIX and mainframe DRaaS.
  • For several years, IBM has marketed cognitive-related disaster resiliency widely, bolstered by strategic assets such as Watson and The Weather Company. This can be confusing for clients, because DRaaS-specific contracts themselves do not map demonstrably to those capabilities in terms of unique service levels. Similarly, the newer Recovery Orchestration service offerings can confuse potential customers because of their multiple usage scenarios: they are sometimes positioned as a DIY solution that can use IBM Cloud (a separate business unit), at other times as a component for self-service DRaaS, and sometimes simply as the “how” behind IBM’s fully managed service delivery.
  • IBM’s customer reference satisfaction scores were low. Areas for improvement cited were linked to service and support issues and limitations regarding on-demand options for scheduling and billing.

iland
Founded in 1994 as a website development company, and headquartered in Houston, Texas, and London, iland created its colocation and managed hosting offerings around 2000. It first delivered its VMware-based IaaS offering in 2008, with coinciding cloud-based recovery offerings. Today, the portfolio is global in nature and primarily consists of iland Secure Cloud (IaaS), iland Secure Disaster Recovery as a Service (DRaaS) and iland Secure Cloud Backup. In the past 12 months, it has expanded its geographic presence, added new fully managed support offerings and expanded the platforms it can support through the use of additional service delivery partners.
Primary Support Approaches: Self-service, assisted self-service.
Primary Workloads Supported: Primarily physical and virtual x86.
Regional Recovery Presence: Three recovery centers in the U.S., two in the U.K., one in Amsterdam, Netherlands, one in Australia and one in Singapore.
Customer Complexity: Experienced supporting up to 500+ servers across up to two locations under management.
Recommended Use: Organizations with compliance and/or network complexities that desire VMware-based IaaS as well as DRaaS in a self-service manner.
Strengths
  • Pricing of its DRaaS services is among the lowest within this year’s Magic Quadrant.
  • The iland Customer Success Center, its online community for sharing best practices and ideas, enables self-supported customers to learn from each other’s experiences.
  • Compliance with financial, legal, healthcare, security and sovereign requirements is often necessary for DRaaS, and is enabled by iland’s compliance team and certification programs.
  • Contract lengths are flexible, varying from only month-to-month commitments up to 60 months if desired by customers.
Cautions

  • Although iland has once again started offering fully managed DRaaS support, its offering is still very much oriented toward self-supported or assisted-support configurations.
  • Application-integrated protection for disaster recovery is entirely up to customers to configure and support.
  • Customer references point to financial reporting within the iland console as an opportunity to improve the service capabilities.

Microsoft
Microsoft provides infrastructure, platform and software services as well as DRaaS through its Azure Cloud Services. Azure Site Recovery (ASR) is part of the Operations Management Suite. Microsoft built ASR internally, and then integrated the InMage technology it acquired in 2014 to now provide DR for VMware, Hyper-V and physical workloads. In the past year, Microsoft has improved its ASR cloud-to-cloud protection roadmap and improved its install experience by offering a new virtual-based appliance approach.
Primary Support Approaches: Self-service.
Primary Workloads Supported: Physical and virtual x86.
Regional Recovery Presence: Global, with more than 35 locations across the Americas, Europe and Asia.
Customer Complexity: Experienced with support of up to 300+ server images, with integrations to support application-specific replication and recovery via additional scripting.
Recommended Use: When low costs and unlimited, pay-as-you-go testing are priorities for low-complexity, x86-only environments.
Strengths
  • Pricing is competitive. No long-term contracts are required to try ASR. All testing and data storage are based on actual utilization. Microsoft has significant global reach and service consistency, which is scalable for the future.
  • Microsoft has addressed some areas of customer onboarding friction by now providing a virtual ASR appliance that automates some of the previous steps required. This has resulted in improved ease of use and made the service less prone to configuration issues.
  • Gartner believes Microsoft will continue to invest heavily in ASR because the same service underpinnings are also being leveraged for its migration services. Similar investment levels are expected with ancillary add-on services like Traffic Manager, which helps clients minimize downtime for public-facing endpoints by redirecting traffic from on-premises to ASR upon failover.
Cautions
  • Limitations and initial sizing considerations require upfront analysis to determine fit for purpose and TCO. Examples include the need for customers to provide on-premises configuration servers, constraints related to higher change rate workloads, compute resource usage by guest agent on the protected servers and limited failback options for physical workloads following a DR event.
  • Microsoft has made significant improvement over the last year in terms of documentation and support. However, due to the complexity of setup and operations for ASR, many customers utilize partners for initial onboarding or long-term operations. Moreover, Gartner frequently gets feedback from its clients who were unable to use ASR due to missing features, and who opted to buy a different product to replicate and recover workloads to Azure without the ASR portion.
  • Functionality to replicate from on-premises to more than one ASR region and the ability to use ASR between regions for Azure IaaS are not currently supported or generally available. Furthermore, Azure Backup and ASR services are bundled, but are not integrated.

Recovery Point

Recovery Point began in business under the auspices of its now wholly owned subsidiary, First Federal, in 1982. Its client base consists of commercial, civilian and secure federal agencies, and state and local governments. Its primary focus is helping customers deal with complex heterogeneous environments that include physical systems and servers, such as IBM Z, IBM i, IBM Power Systems and Oracle SPARC.
Primary Support Approaches: Most are fully managed or assisted; 20% of customers are self-service after initial onboarding.
Primary Workloads Supported: Physical and virtual x86, UNIX (AIX, HP-UX, Solaris), IBM i, and mainframes.
Regional Recovery Presence: Three data centers in the U.S.
Customer Complexity: Organizations based in the U.S. with complex heterogeneous environments and typically up to 750 servers under management.
Recommended Use: U.S.-based organizations with complex recovery needs for x86 or other platforms, organizations with U.S. Federal Information Security Management Act (FISMA) needs and those that wish to leverage tape as a secondary recovery option to DRaaS.
Strengths
  • Recovery Point is one of three vendors in this Magic Quadrant that has significant experience providing recovery for non-x86 workloads and mainframes. Of the three, Recovery Point proposals have been the most competitive by a significant margin when Gartner has performed side-by-side comparison contract reviews on behalf of Gartner clients.
  • Recovery Point has invested in its own dark-fiber-based national network infrastructure, which helps lower customer costs and provides FISMA-level protection to all customers by default.
  • Recovery Point contractually commits to limit subscriptions in a radius around a customer’s location to mitigate risk associated with dilution of resources due to a regional event. Meanwhile, existing customers tout Recovery Point’s staff in terms of technical expertise, responsiveness, degree of involvement during exercises, and general willingness in terms of flexibility and collaboration.
Cautions
  • Service availability is currently limited to the U.S.
  • The limited automation and high degree of personalized service, coupled with the number of platforms supported by Recovery Point, could strain its capacity over the long haul as its customer base grows. In addition, although Recovery Point has programs in place for employee retention, its dependence on higher-skilled and higher-salaried employees outside major metropolitan locations is a risk.
  • Its portal is a landing page for access to native tools versus being completely integrated. However, Gartner believes this is less relevant in the immediate term for more complex environments where multiple replication tools are required — particularly when recovery is fully managed by the provider.

Sungard Availability Services

Sungard Availability Services (AS) has offered disaster recovery services for more than 40 years, and as a core competency, DR represents about half of its overall service portfolio revenue. Specific to DRaaS, customers use either Sungard AS facilities or AWS as a recovery target. In addition to server-level recovery, application recovery support is separately offered via its Managed Recovery Program (MRP). Combined with network capabilities, Sungard AS can provide fully managed, multitiered, application-level recovery for hybrid environments across Sungard AS data centers, customer premises and public cloud environments.
Primary Support Approaches: Fully and partially managed services.
Primary Workloads Supported: Physical and virtual x86, UNIX (AIX, Solaris, HP-UX), IBM i, and IBM Z.
Regional Recovery Presence: Eleven DRaaS recovery locations (not including AWS), including four in the U.S., two in Canada, two in the U.K., and one each in Ireland, France and Sweden.
Customer Complexity: Experienced in supporting clients with complex heterogeneous environments, over 1,000 server images, involving two recovery locations, four recovery tiers, and multiple databases and application clusters.
Recommended Use: Organizations that prefer fully managed DRaaS for complex environments, require global support for both x86 and non-x86 platforms, could benefit from SLA-backed recovery for the applications themselves, or desire complementary services in the portfolio such as workplace recovery.
Strengths
  • Sungard AS is one of three vendors in this Magic Quadrant with significant experience providing recovery for non-x86 workloads and mainframes. In fact, it has supported well over 3,000 recoveries since 1990.
  • Sungard AS optionally provides application recovery support through its Managed Recovery Program — a differentiator among those in the Magic Quadrant. It has added capabilities to provide recovery for Amazon Web Services workloads as well as recovery from customer premises to AWS.
  • Sungard AS’s Recovery Execution System (RES) platform enables automated reservation of resources and recovery of hybrid recovery scenarios in conjunction with multiple third-party orchestration technologies. It also provides customers a real-time view of the recovery at both the task level and the application/server level.
Cautions
  • Gartner clients and customer reference sentiment consistently point to issues with Sungard AS prices being relatively high.
  • Gartner clients and customer references also point to concerns related to limited self-service portal functionality, lack of transparency of pricing with bundled services and some operational support challenges as Sungard AS transitioned support to a more globalized delivery model.
  • In late 2017, Sungard AS launched updated services for cloud recovery to both its data centers and AWS that are positioned as more automated, price-competitive, faster-time-to-value service offerings. However, these services were not available in the market long enough to be evaluated through client feedback and customer references.
  • Gartner requested references that had recently been onboarded to Sungard AS’s DRaaS offerings, but most of the Sungard AS references that participated in this year’s study were not such clients.

TierPoint
TierPoint was formed in 2010 when Cequel Data Centers began an acquisition campaign, purchasing smaller regional companies (Colo4 and Perimeter Technology in 2011, TierPoint in 2012, Windstream Hosted Solutions in 2015 and Cosentry in 2016). As a result, it now has over 40 facilities dispersed across 20 locations in the U.S. It provides a full set of disaster recovery services, including workspace recovery in some of its locations, in addition to offering cloud and colocation solutions to enable hybrid IT and hybrid resiliency.
Primary Support Approaches: Fully managed and self-service.
Primary Workloads Supported: Physical and virtual x86, UNIX (AIX, Solaris, HP-UX), and SAN and database replication.
Regional Recovery Presence: Twenty locations in the U.S., spread from the Northwest to the East Coast.
Customer Complexity: Experienced with support of up to 200+ server images, with multiple database and application cluster environments.
Recommended Use: When flexibility in technology choices and multiple tiers of services are priorities for medium-complexity environments.
Strengths
  • Customer references scored TierPoint the highest for satisfaction among the providers in this year’s Magic Quadrant.
  • As an example of its flexibility, TierPoint will customize responsible, accountable, consulted and informed (RACI) matrices for customers (although this can require additional fees).
  • Managed customers have both an initial failover test and one yearly test included in the pricing, with the option to purchase additional tests if desired. There are no fees for disaster declarations, although usage above the reservation level is subject to usage-based billing, and there is a one-time fee per failback if that is needed.
Cautions
  • The new orchestration portal interface is now developed in-house, but TierPoint is still adding features and validating the reliability of those features.
  • While TierPoint has a wide variety of capabilities, they are not uniformly available in all locations — for example, eight of 20 locations have cloud pods to support multitenant DRaaS services.
  • Customer references recommended that prospective customers understand how and when handoffs occur during implementation and exercising, as they have experienced issues with coordination during those phases.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

Added
No vendors were added in this year’s edition of the Magic Quadrant.

Dropped
As indicated in the Key Differences in this Year’s Magic Quadrant section, several vendors were dropped from this year’s edition of the Magic Quadrant due to changes in the inclusion criteria. The individual reasons were either one of or a combination of the following:
  • Direct sales were less than the inclusion criteria.
  • The majority of existing customers had an annual revenue of less than $50 million.
  • The vendor did not have a large-enough or focused-enough DRaaS offering.
  • Existing capabilities were not repeatable and industrialized, as defined in the DRaaS market definition.
Vendors dropped are:
  • Acronis — Acronis, founded in 2003, has provided cloud-related recovery services for more than seven years and data recovery products for more than 14 years. Headquartered in Singapore, it operates 14 data centers globally and is primarily a partner-driven business with a focus on manufacturing, automotive, public sector and education markets. In November 2017, it launched the Disaster Recovery Cloud service to enable partners and managed service providers to resell its cloud-based DR solutions.
  • Axcient — Originally founded in 2006, Axcient provides a single solution that includes data protection, disaster recovery, archiving and test/development. It eliminates the need for multiple solutions, data centers or silos of infrastructure by extending the value of copy data management to the cloud. Axcient was purchased by eFolder on 27 July 2017, and has focused on the MSP and channel market for its DRaaS offerings.
  • Carbonite — Founded in 2005 and headquartered in Boston, Massachusetts, Carbonite has a new self-service DRaaS offering known as Carbonite Recover, which supports recovery of Windows, Linux, VMware and Hyper-V systems. Legacy environments are supported through its Carbonite Disaster Recovery offering, where recovery testing and recovery operations are largely provider-managed. It also sells Carbonite Availability (formerly known as DoubleTake), which is utilized by other DRaaS providers for physical and virtual server replication.
  • Daisy — Daisy Group is one of the largest business communications and IT service providers in the U.K. It was founded in 2001, and offers network services, nine data centers and 18 worksite recovery locations consisting of over 30 office locations in the U.K.
  • Databarracks — Databarracks was founded in the U.K. in 2002 as a full-service MSP, but in 2016, it retired some non-continuity-related services completely. It now focuses on only three areas: disaster recovery as a service, backup and resilient cloud-based infrastructure design. Its business is entirely focused on U.K. clients, with a concentration of clients related to legal, government and nonprofit organizations. In 2017, it launched a Business Continuity as a Service (BCaaS) offering to handle business continuity management and planning for customers.
  • Datto — Datto, headquartered in Norwalk, Connecticut, is a provider of backup and disaster recovery appliances, SaaS data protection and managed networking products. It was founded in 2007 and has more than 5,000 managed service provider partners that market its products worldwide.
  • Evolve IP — Evolve IP was founded in 2006 and is headquartered in Wayne, Pennsylvania. It leads with its OneCloud solution, which allows organizations to migrate multiple cloud computing and cloud communications services onto a single, unified platform. This includes virtual data centers/servers, disaster recovery, virtual desktops, IP phone systems/unified communications and contact centers.
  • Flexential (formerly Peak 10) — Flexential, formed by the merger of Peak 10 and ViaWest in 2017, is based in Charlotte, North Carolina, with 41 data centers located across 21 cities in 16 states in the U.S. It also has data centers in Alberta, Canada and Amsterdam, Netherlands. In addition to DRaaS, it offers data center and network services, managed services, and cloud-based infrastructure and object storage services.
  • Infrascale — Founded in 2011, Infrascale is primarily focused on DRaaS and leads with its mission statement, “eradicate downtime.” Using its own technology and supporting recovery on a variety of hyperscale or partner clouds, it allows for recovery of heterogeneous workloads via self-service or a combination of partner and Infrascale support. Infrascale was named “Best in Show” at the ConnectWise IT Nation 2017 conference, which focuses on MSPs.
  • NTT Communications — NTT Communications, an NTT Group company, is a separate operation from NTT DATA and Dimension Data. Its primary focus is on network and data center operations, and it offers services for cloud, data center, network, security and governance, and professional and managed services. DRaaS is one of its many managed service offerings.
  • Quorum — Headquartered in San Jose, California, Quorum offers HA Anywhere via its Quorum onQ software, a high-performance, one-click instant recovery instance that can be run in the Quorum cloud, locally via an onQ appliance or from a remote location. DRaaS services are provided via its three recovery centers in the U.S. and the U.K.
  • StorageCraft — StorageCraft is a storage and services company headquartered in Draper, Utah. It was founded in 2003, and its business is entirely focused on data protection and restoration services that are offered through value-added and channel partners. It also offers cloud services that can be utilized for disaster recovery by its managed partners.
  • Unitrends — Headquartered out of Burlington, Massachusetts, Unitrends offers its products and offerings only through authorized resellers. In 2017, it merged the individual backup and disaster recovery tools into an “all-in-one enterprise backup and continuity” product, which offers ransomware protection and cloud integration. It also still maintains a low-cost cloud recovery product, Boomerang, which allows customers to replicate workloads to hyperscale public cloud providers in a self-service manner. In May 2018, Unitrends merged with Kaseya, a supplier of IT infrastructure management products for MSPs.

Inclusion and Exclusion Criteria

The following considerations were made in selecting providers for this research. The vendor must have:
  • Services delivered in-line with the Gartner market definition of DRaaS.
  • A specialized offering in DRaaS, with at least 10% of its overall customer base being DRaaS or related DR services subscribers and/or more than 2,500 DRaaS customers.
  • Fully managed, assisted recovery, or self-service DRaaS that provides automated failover and failback capabilities from customer locations to cloud.
  • At least 50% of its customers in the revenue segment of $50 million or greater.
  • Available and defined SLAs for customer RTO/RPOs.
  • Included DRaaS capabilities that do not require clients to sign up for separate services from other providers.
  • Publicly offered DRaaS service(s) for at least three years and the current DRaaS services for at least 12 months, as of 1 January 2018.
  • DRaaS services sold and contracted directly to end consumers, either via click-buy, direct sales teams or through partners.
Service providers that focus their efforts on the MSP or partner market instead of directly at end users, and/or have greater than 50% of their annual sales coming from indirect (channel partners, MSP, SI) segments, will be excluded from the Magic Quadrant.

Notable Vendors

Other notable vendors in DRaaS include:
  • OVH — OVH purchased and continues to operate and evolve the DRaaS offering that is now known as vCloud Air powered by OVH. In addition to the existing capabilities (see the 2017 “Critical Capabilities for Disaster Recovery as a Service” for more details), OVH has expanded its offerings to include a Disaster Recovery Plan service that is powered by Zerto.
  • VMware — Although VMware sold its vCloud Air and associated DRaaS related offerings to OVH in 2017, it has introduced new DRaaS capabilities with the VMware Site Recovery service, which utilizes VMware Cloud on AWS as the recovery target. This was released in November 2017, making it too new to include in this year’s Magic Quadrant.
  • Webair — Webair remains a solid choice for prospective companies that need not only x86 recovery capabilities, but IBM i as well. Although it has historically focused on the Long Island, New York and New York City metro areas, it also has recovery locations in Los Angeles, California; Montreal, Canada and Amsterdam, Netherlands. Commercially, it provides excellent value for the money, has experience with many different replication approaches and has several healthcare-related customers with signed business associate agreements (BAAs).

Magic Quadrant for Intrusion Detection and Prevention Systems
Published 10 January 2018 – ID G00324914 – 63 min read

IDPS continues to be absorbed by firewall placements at the perimeter, yet still offers the best detection efficacy and a central prevention, detection, and response solution on a network. Security and risk management leaders should seek innovation in advanced analytics and public cloud support.

Strategic Planning Assumptions

By year-end 2020, 70% of new stand-alone intrusion detection and prevention system (IDPS) placements will be cloud-based (public or private) or deployed for internal use cases, rather than the traditional placement behind a firewall.
By year-end 2020, 60% of IDPS deployments will be augmented with the use of analytics methods, like machine learning and user and entity behavior analytics, up from less than 10% today.

Market Definition/Description

This document was revised on 17 January 2018. The document you are viewing is the corrected version. For more information, see the Corrections page on
The network IDPS market is composed of stand-alone physical and/or virtual appliances that inspect network traffic, either on-premises or in virtualized/public cloud environments. They are often located in the network to inspect traffic that has passed through perimeter security devices, such as firewalls, secure web gateways and secure email gateways. While detection-only deployment (i.e., as an intrusion detection system [IDS]) is still common, a large number of appliances are deployed in line to allow for blocking. They provide detection via several methods — for example, signatures, protocol anomaly detection, various methods of analytics, behavioral monitoring and heuristics, advanced threat defense (ATD) integration, and threat intelligence (TI) — to uncover unwanted and/or malicious traffic and report or take action on it.
All of the aforementioned methods augment IDPS capabilities with more context to reduce both the number of alerts and the number of false positives. False positives are still a concern for clients when IDPSs are in blocking mode. For detection mode, clients have justifiable concerns that this technology is just another “event cannon” generating alerts in which events of interest, even when present, are drowned out by noise. When deployed in line, IDPSs can also use various techniques to detect and block attacks that are identified with high confidence; this is one of the primary benefits of this technology. The capabilities of leading IDPS products have adapted to changing threats, and next-generation IDPSs have evolved incrementally in response to advanced targeted threats that can evade first-generation IDPSs (see “Defining Next-Generation Network Intrusion Prevention”).
This Magic Quadrant focuses on the market for stand-alone IDPS appliances; however, IDPS capabilities are also delivered as functionality in other network security products. Network IDPSs are provided within a next-generation firewall (NGFW), which is the evolution of enterprise-class network firewalls, and include application awareness and policy control, as well as the integration of network IDPSs (see “Magic Quadrant for Enterprise Network Firewalls”). IDPS capability is available in unified threat management (UTM) “all in one” products that are used by small or midmarket businesses (see “Magic Quadrant for Unified Threat Management”).
So, while the stand-alone IDPS market is forecast to start shrinking from 2017 (see “Forecast: Information Security, Worldwide, 2015-2021, 3Q17 Update”), the technology itself is more widely deployed than ever before on various platforms and in multiple form factors. The technology is increasingly ubiquitous in technology like NGFW and UTM.
In addition, some vendors such as Alert Logic and McAfee offer functionality in the public cloud in order to provide controls closer to the workloads that reside there. Gartner is tracking the growth of these deployments carefully, and will monitor their efficacy.
Stand-alone IDPSs are most often deployed for the following reasons:
  • When separation of duties means that networking functions (firewalls) are managed by one team and the security team needs a control it manages itself (i.e., IDPS)
  • Behind the firewall as an additional layer of defense to inspect north-south traffic
  • Behind an application delivery controller (load balancer) to inspect the traffic it allows through
  • When best-of-breed detection efficacy is required
  • As an IDPS on the internal network, in line, to provide protection/detection for internal assets
  • As an IDS monitoring the internal network for lateral movement of threats and to satisfy compliance mandates
  • When high IDPS throughput and low-latency performance are required
  • To provide network security separation (segmentation) on parts of the internal network where it’s easier to deploy IDPS than technology like firewalls
  • To provide additional visibility and detection capabilities in the public or private cloud
  • For network-based intrusion and threat detection using additional methods like advanced analytics (such as user and entity behavior analytics [UEBA]) to detect threats that have bypassed other controls

Magic Quadrant

Figure 1. Magic Quadrant for Intrusion Detection and Prevention Systems

Source: Gartner (January 2018)

Vendor Strengths and Cautions

Alert Logic

Alert Logic is a privately held security-as-a-service provider based in Houston, Texas. Services it offers include managed IDS, web application firewall (WAF), log management and vulnerability management. Alert Logic’s IDS is built on a Snort foundation with additional anomaly-based signatures, heuristics and supervised machine learning. It is offered in two packages: Alert Logic Threat Manager, an IDS-only offering that includes vulnerability management capabilities; and Alert Logic Cloud Defender, which adds out-of-band WAF, log management and log-based detection. Alert Logic’s IDS is offered as a physical on-premises appliance, with new deployments more often in the form of virtual machines deployed in hosting or cloud environments. The vendor has also invested in applying machine learning to the IDS event stream to reduce the number of “net events” that human analysts need to review.
Since Alert Logic’s IDS is deployed out of band in detection mode with managed components, it does not offer a wide range of high-performance appliances. Alert Logic adds and removes sensors as the customer’s network changes, meeting high-throughput detection needs by scaling horizontally rather than with larger appliances.
  • Alert Logic is especially strong in public cloud and virtualized environments where the solution can be deployed quickly and enabled by prebuilt integrations via Chef/Puppet/Ansible.
  • Customers value Alert Logic’s ease of use.
  • Alert Logic’s capability to deploy, and to rapidly shift an existing deployment, is ideally suited for agile and DevSecOps environments.
  • Alert Logic is one of the first vendors to use analytics and machine learning to postprocess IDS event streams. This improves its ability to detect, faster and with more efficacy, threats and incidents that take days or weeks to evolve.
  • The solution is “IDS only” and blocking requires additional solutions, using Alert Logic’s WAF or via the capability to send blocking requests to firewalls.
  • There is no “user” context in the product today, which reflects its main use case for internet-facing and cloud deployments.
  • Alert Logic doesn’t have advanced threat or sandbox integrations in the product today, limiting its ability to detect threats in network objects/files that traverse a network.

Cisco

Cisco, headquartered in San Jose, California, has a broad security product portfolio and has had IDPS offerings for many years. The Sourcefire acquisition has continued to be a positive and strong influence on Cisco’s network security portfolio, giving the company traction in the firewall market that it would not have garnered otherwise. The Firepower IDPS line also shares a management console with the Cisco firewall offerings, called the Firepower Management Center.
Cisco has 22 models of IDPS available in the 4100, 7000, 8000 and 9300 Series Appliances, and virtual appliances for VMware deployments. They range from 50 Mbps through to 60 Gbps of inspected IDPS throughput, giving Cisco a very versatile appliance range — from remote branch up to demanding data center use cases. The same IDPS is available in the Cisco Adaptive Security Appliance (ASA), labeled as “with FirePOWER Services.” Additionally, the software-based IDPS is available as an option within the enterprise firewall and on Cisco Internetwork Operating System (IOS)-based routers and Integrated Services Routers (ISR). The Meraki MX platform also runs the Snort engine plus Advanced Malware Protection (AMP) for Networks, making Cisco’s IDPS technology ubiquitous throughout its network security portfolio. It is also the most widely deployed IDPS on the market today. The continued evolution of OpenAppID and the addition of DNS security features like inspection and sinkholing are also net improvements for detection and prevention use cases.
New capabilities introduced include URL-based security intelligence and AMP Threat Grid integration. Cisco will benefit from IBM’s exit of the IDPS market as IBM is now co-selling Cisco IDPS and directing renewals.
  • Gartner clients with advanced security programs and larger budgets value Firepower’s usefulness as an IDS analysis/investigation tool, in addition to its utility as an in-line, blocking IDPS. Those that deploy the product in IDS mode particularly like Cisco’s open Snort rules capabilities.
  • Cisco has wide international support, an extremely strong channel and the broadest geographic coverage. Certain Smart Net-supported customers can get two-hour return merchandise authorization (RMA) response when a unit fails. In addition, thousands of partner engineers are certified on Cisco Firepower.
  • The AMP products that work closely with, and provide intelligence to, the IDPS supplies coordinated malware detection at the network, sandbox and endpoint layers. This coordination differentiates it from many competing solutions.
  • Talos, Cisco’s security research organization, has a large team researching malware and vulnerabilities and developing security content for all Cisco security products, including writing signatures and determining default blocking policies. During the evaluation period, Talos discovered 171 vulnerabilities. It is a key differentiator for this technology as it demonstrates Cisco’s continued ability to understand specific threats and the threat landscape in general as it relates to IDPS.
  • Support for Cisco’s own Application Centric Infrastructure (ACI) architecture with its IDPS is well-implemented for heavily virtualized environments that use it, although ACI is not widely deployed yet.
  • Some Type A clients have expressed concern that IDPS innovation has slowed as Cisco works on integration with acquired capabilities and focuses on its enterprise firewall product line. Customers with these concerns should insist upon roadmap clarity that makes planned IDPS enhancements explicit. For example, the ability to take the rich telemetry and then do advanced analytics is still not in the product, despite smaller startups having this capability.
  • There is a plethora of support options available, which sometimes complicates choices; and the support maintenance percentage (often based on recommended retail price [RRP] rather than sale price) is on the higher end of solutions in the market today.
  • Cisco initially lagged behind other competition in introducing support for Amazon Web Services (AWS), and has yet to offer support for Microsoft Azure. It also doesn’t yet have support for a “virtual overlay” to enable coverage of agile workloads like some of its competitors.
  • Cisco does not support the full range of vulnerability assessment and management tools to allow for policy to be derived from, and priorities based on, the vulnerabilities that exist in an environment; but it does have an API that would allow for other tools to do so. Firepower Management Center, however, remains an effective way to model the types of systems on a network within the Cisco IDPS solution itself.

FireEye

FireEye is a U.S.-based cybersecurity company headquartered in Milpitas, California. It is a well-known security vendor specializing in advanced threat protection, security analytics, threat intelligence and incident response. In recent years, it has expanded its product and service portfolio extensively with a mix of organic growth and acquisitions. These additions include managed services, cloud security analytics, threat intelligence, network forensics and security orchestration, as well as IPS capability added to its most well-known solution, FireEye Network Security (NX Series), which is available as a physical or virtual appliance. The virtual appliances support a range of hypervisors, including Amazon AWS, but not Microsoft Azure.
In the past year, FireEye has improved its architecture by decoupling the IDPS (the NX Series) from the Multi-Vector Virtual Execution (MVX; for ATD/sandboxing) engine, introducing with version 7.9 the concept of a “smart node” (the IDPS appliance) and the “smart grid” (MVX/sandbox). Additionally, the “smart grid” MVX now supports bursting from the local instance(s) to the cloud, allowing for better scalability without the need for additional on-premises appliances. These evolutions let the solution scale horizontally for performance, better support lateral-movement detection use cases (versus just north-south) and better serve distributed environments.
FireEye is now competing more directly with independent IDPS technology on more use cases this year, but, primarily, its focus is on advanced threats and network elements of malware on the inside of the network.
  • FireEye NX is designed for detecting and preventing known and unknown exploits to servers and endpoints, and its focus on exploitation and malware is well-regarded.
  • The ability to automatically correlate alerts from the IDPS and MVX is a differentiator for day-to-day security operations, as it can significantly reduce the number of alerts security staff must handle to operate the solution.
  • FireEye has consistently proved its ability to detect advanced threats, including zero days, via its large research and threat intelligence team. All of its products benefit from this capability, including the IDPS.
  • Threat intelligence integration from existing teams, as well as subscriptions from iSIGHT Threat Intelligence (from the iSIGHT Partners acquisition in 2016), make it a very capable threat detection/prevention solution.
  • The ability to deep dive in the IDPS policy by severity, Common Vulnerabilities and Exposures (CVE), name, etc. is limited in the console compared to other IDPS solutions.
  • It does not support application- or user-based policies; these are delivered by FireEye’s endpoint security (HX Series) solution instead.
  • FireEye NX does not have the ability to tune the IDPS policy by using vulnerability scan data.
  • The IDPS engine is still based on Snort; it would be improved significantly by moving to the Suricata engine, which supports higher throughput.
  • Throughput has now improved with the “smart node” architecture, but is still limited to 10 Gbps — less than a majority of its competitors.

Hillstone Networks

Headquartered in Beijing and Santa Clara, California, Hillstone Networks is a network security provider that offers NGFWs along with IDPSs. Hillstone has been shipping IDPS devices since 4Q13. At present, its IDPS customer base is predominantly located in China.
The vendor offers a total of 23 IDPS models; however, only five are available to the global market — the S-series appliances. These appliances range in performance from 1 Gbps to 50 Gbps, an increase in number and, in particular, in throughput over the past year. Hillstone does not offer a virtual IDPS model, but it does support on-box virtual instances, including the ability to apply performance constraints to each virtual instance. IDPS signatures are developed internally and obtained from partners.
During the evaluation period, Hillstone introduced several new models. New enhancements introduced in that period include improved antivirus efficacy, HTTPS flood request protection and better IDPS reporting. Additionally, it has three new features: an Abnormal Behavior Detection (ABD) engine, Advanced Threat Detection (ATD) and a cloud sandbox. ABD is Hillstone’s analytics approach, which baselines network behavior and looks for deviations from it. The sandbox is also interesting for the IDPS market because it allows “fuzzy” malware behavior signatures to be used to convict new iterations of existing malware families.
  • Hillstone continues to be a good option for clients that are already consuming other Hillstone solutions, midmarket buyers and those located in Southeast Asia.
  • The introduction of its cloud-based “read only” console for basic monitoring and checking alerts will be well-received by midmarket clients.
  • Hillstone continues to be very competitive on price/performance metrics for IDPS across a wide scope of throughput ranges.
  • Hillstone supports a wide range of detection and prevention options with signatures, behavioral analytics, anti-malware and cloud-based sandboxing available as options.
  • There is no Active Directory integration for user-based controls and only on-box user accounts are supported.
  • General analyst work for alert processing is functional, but basic; for example, users can’t create search templates that can be reused to speed up investigations and aid in better reporting.
  • Reporting is basic and only supports PDF exporting.
  • Hillstone is active, but not visible, in non-Asia markets. Clients in these markets should ensure that relevant and capable support is available for their deployments.

McAfee

McAfee, based in Santa Clara, California, has now completed its move out of Intel, creating a stand-alone company. The new McAfee has a significant product portfolio across network, server, cloud, web, security information and event management (SIEM), network analytics, data loss prevention (DLP), and endpoint security. In November 2017, it was also announced that McAfee would acquire SkyHigh Networks, a leading cloud access security broker (CASB) provider. Intel will retain a 49% equity interest in McAfee. This move to being an independent entity has been a net positive for the company. It has led to better roadmap execution and will allow McAfee to better focus and compete in the security market. Its IDPS, called the Network Security Platform (NSP), is a main element of its network security product offerings. McAfee has focused heavily on roadmap execution and on integrating this range with its other products.
The NSP is the stand-alone IDPS model line, with 18 physical appliance models that range from 100 Mbps to 40 Gbps of throughput, and three virtual models, including one specially tailored for VMware NSX deployments. In addition, McAfee has significantly enhanced the ability to operate natively in public cloud with integrations that support both detection and in-line prevention modes of operation, in the same scalable way that clients operate their cloud environments with a complementary host agent to forward traffic. Gartner sees clients deploying NSP mostly in blocking mode (for IPS), but observes a number of detection mode use cases as well. McAfee’s Advanced Threat Defense (ATD sandbox) is a natively integrated component and it supports deployments both on-premises and from the cloud. The Network Threat Behavior Analysis (NTBA) product, like ATD, can be natively integrated into an IDPS deployment, offering improved network visibility, including being able to detect threats and provide enhanced metadata to security teams. This is a leading architectural approach today.
  • Clients appreciate NSP’s sophisticated policy options, ease of deployment and performance under load; and the IDPS console continues to score well in competitive selections and independent tests.
  • Customers cite McAfee’s thorough integration with other McAfee products, including ATD, endpoint context, NTBA and Threat Intelligence Exchange, as strong positives.
  • In organizations concerned with false positive rates coming from heavy use of signatures, McAfee’s multiple signatureless inspection techniques give it an advantage over more signature-based IDPS technologies.
  • Today, McAfee’s support for public cloud deployments is leading the market for this capability, as it provides the ability to support the dynamic nature of infrastructure as a service (IaaS), which makes heavy use of immutable infrastructure.
  • McAfee is an IDPS provider that lacks a firewall line. The IDPS range is vulnerable to combined firewall plus IDPS replacements from vendors such as Cisco, Palo Alto Networks and Check Point.
  • Some clients find the user interface complicated, and it needs to evolve to adopt modern UX standards and to provide better workflow that allows people to understand the implications of policy configuration changes.
  • McAfee does not have the ability to natively tune its IDPS based on the vulnerability landscape of the client environment.
  • Some clients have reported issues when troubleshooting the product when in IPS mode to determine specifically which configuration element(s) is blocking the specific session.

NSFOCUS

NSFOCUS is headquartered in Beijing and California. It is a large regional security vendor for Asia and is expanding to other geographies. NSFOCUS offers distributed denial of service (DDoS; via its Anti-DDoS System [ADS] offering), web application scanning (via Web Vulnerability Scanning System [WVSS]), and WAF and vulnerability management (via Remote Security Assessment System [RSAS]). The vendor also offers managed security services (MSSs) on a number of its products.
The NSFOCUS IDPS has a large range of appliances, with models ranging from 300 Mbps to 120 Gbps of throughput, plus four virtual appliances. This is an improvement over the previous Magic Quadrant, with higher-throughput chassis now available. The virtual appliances are certified on VMware, Kernel-Based Virtual Machine (KVM) and OpenStack, but not Xen. Its IDPS includes sandboxing capabilities called Threat Analysis Center (TAC), as well as application control and anti-malware, and it can also utilize reputation-based controls. Additionally, most models support a flexible licensing scheme, allowing clients to buy a chassis from a “range” and then increase the inspected throughput with a licensing update, without having to replace the device.
  • NSFOCUS has a large client base in China with good support for region-specific applications (like instant messaging).
  • NSFOCUS has a functional threat intelligence portal for clients that includes the ability to search and visualize all the data in its threat intelligence database (for the purpose of investigations) and general information that is not found in the base logs.
  • NSFOCUS has its own ATD technology for detecting malware, with inspection policy defined by location and file type. If the cloud option is used, results feed its entire intelligence network, which is used by all of its clients.
  • NSFOCUS has a functional threat intelligence portal that can also be helpful for using IDPS as it has data on IP addresses, vulnerabilities and malware with the ability to configure notifications on them.
  • The core IDPS engine is signature-based and might be prone to evasion by heavily obfuscated threats.
  • There is limited ability to enforce policies based on users, but rudimentary correlation to match traffic to an internal user is possible.
  • Today, there is no support for public clouds like AWS or Azure for the product, although NSFOCUS does support a range of other hypervisors like VMware.
  • NSFOCUS only supports its own vulnerability scanner to tune the policy based on the vulnerability landscape of the client environment.

Trend Micro

Headquartered in Japan, Trend Micro is a large, global IT security vendor. It completed its acquisition of TippingPoint from Hewlett Packard Enterprise (HPE) in March 2016. The acquisition of TippingPoint has been a net positive for Trend Micro’s IDPS product, sales and marketing operations. TippingPoint is well-placed within Trend Micro, in the same division as the Deep Discovery products. The top IDPS model now supports stacking with no other external hardware and can run up to 120 Gbps of inspected throughput. The new TX Series range can run up to 40 Gbps of inspected throughput in a 1U chassis, one of the leading throughput/chassis combinations in this market. Alongside Intel CPUs, field-programmable gate arrays (FPGAs) and a switch fabric are used in the larger models to support higher throughput, lower latency and availability — all key features for sensitive and more demanding data center applications. IDPS content updates are provided through Digital Vaccine Labs (DVLabs). The DVLabs team also operates the Zero Day Initiative (ZDI) program, which continues to be an excellent source of vulnerability information for Trend Micro, while also supporting independent security researchers.
The IDPS is also benefiting from synergies between TippingPoint’s and Trend Micro’s research teams on malware, which is enhancing the ability of the IDPS to specifically address the network-based elements of malware threats. Additionally, Trend Micro’s advanced threat (sandbox) technology, Deep Discovery, now integrates with the IDPS so that the IDPS receives telemetry in real time for prevention and detection use cases. The Security Management System (SMS) has moved from a SQL back end to Vertica for most data storage tasks, which significantly improves performance and enables new use cases. For example, the IDPS can natively export NetFlow to the SMS manager (rather than to a separate NTA/NBA tool), where it is used for real-time and historical investigations of network traffic passing through deployed IDPSs.
Trend Micro’s IDPS platforms have gained native integrated advanced threat capabilities, a significantly larger channel with more expertise in selling security, and access to Trend Micro’s significant research resources.
  • Trend Micro continues to be one of the easiest to deploy and manage IDPSs on the market, including at very high throughput.
  • Structured Threat Information Expression (STIX)/Trusted Automated Exchange of Indicator Information (TAXII) support is now included in the SMS Manager, making it easier to operationalize machine-readable threat intelligence (MRTI).
  • While also available for end users, the DVToolkit can be used by TippingPoint support to create custom filters for end users, providing “time to coverage” value.
  • TippingPoint has always excelled at very-high-throughput and low-latency hardware, and the new 8200TX supports 40 Gbps of inspected throughput in 1U, a market-leading rate from a throughput-per-rack-unit point of view. This supports the most demanding use cases for data center and high-performance network perimeters.
  • During the evaluation period, the ZDI vulnerability disclosure program discovered roughly 700 vulnerabilities, which directly benefits all of Trend Micro’s clients with early coverage of threats.
  • SSL decryption in hardware is supported natively inside the new TX range.
  • Coverage of public/private cloud is via a separate solution with the complementary Deep Security product range, which is a host-based intrusion prevention system (HIPS)-based solution. End users should be aware that there is a difference between the two in terms of the IDPS technology used.
  • End-user context is available in SMS, but customers cannot create policy for enforcement by user at this point in time.
  • Today, the IDPS can only offload some objects (like URLs) to the ATD (Deep Discovery) for inspection. Deep Discovery has to be deployed separately, and it can stream threat telemetry directly into the IDPS via its SMS management server.

Vectra Networks

Vectra Networks is based in San Jose, California. It has been shipping its Cognito product since 2014 and is a leading example of using advanced analytics (like UEBA) for network IDS use cases. It focuses on detection of threats that have bypassed traditional controls and on detecting lateral movement of threats on the inside of an organization’s network.
The solution is available in a physical or virtual appliance form factor. The hardware sensors, called the S-series and X-series, are distributed on the network, and the management server provides the collection, deduplication, and analytics functions. Due to its behavioral nature, content updates are infrequent (often monthly) and primarily in the form of new algorithms or enhancements to existing mathematical models used to detect threats.
Vectra’s approach is innovative as it directly addresses some key issues in security operations today. First, alert fatigue: a traditional IDS generates alerts that describe malicious activity, but it also generates a large volume of them. Determining what is merely an alert and what is an incident — the two are not the same — consumes too much time. This solution excels at rolling up large numbers of alerts into a single incident to investigate, one that describes a chain of related activities rather than isolated alerts that an analyst then has to piece together. Second, adversary dwell time today is far too long for organizations, and having different means to detect malicious or unwanted activity is a key value proposition for Vectra. This is especially true for detecting the lateral movement of threats on a network that have already evaded other security controls.
While an IDS in terms of deployment, Vectra does have a number of other integrations with existing tools for further response actions. Example categories are firewalls, network access control (NAC), endpoint, ticketing systems and SIEM.
  • The evolution of IDS to using advanced analytics like machine learning is well-suited to the types of telemetry these technologies generate, and proves to add a different way of detecting malicious or unwanted behavior within an environment.
  • Use of virtual test access point (TAP) architecture from Gigamon/Ixia, as well as other integrations with hypervisors like VMware, allows the product to be deployed into heavily virtualized environments like public, private and hybrid cloud.
  • Management overhead of this product is minimal in comparison to many other solutions on the market.
  • Clients appreciate the lack of onerous policy work and continuous policy updates. Vectra’s algorithms require infrequent updates and little to no tuning by end users in day-to-day operations because they are based on advanced analytics.
  • This solution is “detection-centric” and has no typical prevention capabilities. It relies on integrations with other solutions like endpoint detection and response (EDR) and security orchestration, automation and response (SOAR) tools.
  • Because the product is focused on threat detection only, it cannot be used for “virtual patching” of known vulnerabilities, which is a use case that is popular with Gartner clients.
  • Vectra Networks is a startup and has yet to establish a channel with global reach. Clients outside of North America and parts of the EMEA geographies may receive different levels of support and may not have access to the same level of support from channel partners.

Venustech

Venustech is a security vendor headquartered in Beijing. It was founded in 1996 and has been shipping IDPSs since 2003 and dedicated IPSs since 2007. In addition to its IDPS, Venustech has a range of security product offerings covering SIEM, firewall, UTM, WAF, database compliance and audit (DCAP), vulnerability assessment, application delivery controller, and an endpoint security solution. Venustech has a virtual IPS edition available that supports VMware and OpenStack. It also supports the Alibaba, Tencent and Huawei clouds as deployment options.
Venustech is a good option for its existing clients that consume its other products, and for large and midmarket organizations in South East Asia that need to augment existing controls with an IDPS that covers a range of threats.
  • The policy configuration interface is laid out in an easy-to-understand and -navigate manner.
  • Venustech also has a traditional anti-malware plus advanced threat detection capability in the appliance, which enables the blocking of malicious-content-based attacks, as well as other more advanced methods to detect threats, like SQL injection.
  • Support for the Chinese cloud providers gives Venustech a strong advantage for cloud deployments in that geography.
  • Venustech is seen as a follower in the IDPS market and does not have features causing disruption to its competitors in the market.
  • Venustech is almost exclusively active in the China region today, constraining its growth.
  • Venustech is not yet making use of advanced analytics to help postprocess the events that are generated by the solution.
  • Venustech is not able to use vulnerability scanning output to help derive a more effective IDPS policy.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

Added

  • Vectra Networks

Dropped

  • IBM exited the IDPS market in 2017, and thus was not included in this research.
  • Huawei failed to meet revenue requirements.
  • AhnLab failed to meet revenue requirements.

Inclusion and Exclusion Criteria

Only products that meet the following criteria will be included:
  • Operate as a network appliance (physical or virtual) that supports both in-line intrusion prevention and/or intrusion detection of threats and network usage.
  • Apply policy based on several detection methodologies to network traffic, including methods like protocol and content analysis, signatures, security analytics, behavior analysis, historical metadata analysis and threat intelligence.
  • Perform packet normalization, assembly and inspection to support these detection and prevention use cases.
  • Provide the ability to identify and respond to malicious and/or unwanted sessions with multiple methods, such as allow, multiple alert types, drop packet, end session, etc.
  • Adapt the policy based on correlation with vulnerability assessment tools to dynamically apply protections to protect internal and external assets found to be vulnerable.
  • Have achieved network IDPS product sales and maintenance revenue globally in the year between June 2016 and June 2017 of over $10 million in U.S. dollars.
  • Sell the product as primarily meeting stand-alone network intrusion detection and prevention use cases or materially compete with intrusion detection and prevention technology.
  • Be visible to Gartner clients and have an active presence or an office or official partner in at least two of the major regional markets — that is, North America, South America, Asia/Pacific and EMEA — and compete in those markets.
  • Have active customers buying the IDPS product(s) in the past 12 months in at least two of the major regions (that is, North America, South America, Asia/Pacific and EMEA).
Products and vendors will be excluded if:
  • They are sold only as features of an NGFW or UTM platform.
  • They are in other product classes or markets we already identify as different, such as network behavior assessment (NBA) products or NAC products, are not IDPS and are covered in other Gartner Research.
  • They are only host IPS, such as software on servers and workstations rather than a device on the network.
This Magic Quadrant is not evaluating pure open-source technology like Snort, Suricata, Bro IDS, etc. If a vendor is using this, they must demonstrate that they are providing over and above the functionality delivered by these projects by improved packaging (hardware or software), analytics and especially additional research and security content that would take this beyond “just running Snort/Suricata/Bro IDS.”

Vendors to Watch

There are eight vendors in particular that provide capabilities that are relevant to the IDPS market, but that have not fully met IDPS Magic Quadrant inclusion criteria. Organizations that need to implement IDPS functions for supported use cases should also consider and evaluate these vendors.

AhnLab

AhnLab, founded in 1995 and headquartered in South Korea, is a network and endpoint security vendor. TrusGuard IPX was released in 2012. The AhnLab product portfolio includes firewalls, ATD, DDoS attack mitigation and endpoint security solutions. It is shipping three IPX appliances with throughput ranging from 5 Gbps to 40 Gbps. TrusGuard IPX currently does not come in the form of a virtual appliance. Secure Sockets Layer (SSL) decryption is available for traffic visibility, and TI can be used for command and control (C&C) threat detection. Malicious URL detection/blocking is also supported.
AhnLab has the majority of its presence in South Korea today, followed by a number of other East Asian countries (such as Indonesia, Thailand and Vietnam), mostly within midmarket organizations. It is trying to expand into Latin America as well.

BluVector

BluVector is a recent startup, based out of Fairfax, Virginia, and has been shipping product since January 2017. It is one of a small number of new entrants that are also making use of advanced analytics techniques (like supervised machine learning) to deliver innovation to the intrusion detection market space. The solution also supports sandboxing and other methods of object inspection for detection of fileless and other malware threats. It has invested its efforts in the core value proposition of “detecting threats” by using robust open-source solutions like Suricata/Bro IDS for general detection capabilities, malware detection and third-party threat intelligence support. The solution runs on industry-standard x86 architecture, coupled with its own custom-developed analytics capabilities — some of which are patented and were under development for many years at Northrop Grumman before being commercialized. The solution can run on a physical appliance or in a virtual form factor, allowing for use in virtualized environments including public cloud. BluVector did not meet the revenue requirements for this research.

Bricata

Bricata, headquartered in Columbia, Maryland, is a startup that leverages open-source IDPS and other detection frameworks, adding software and hardware expertise to maximize performance and scalability. Its IDPS solution is based on open source that combines the Bro IDS and Suricata engines with commercial technologies, delivering signature-based and anomaly detection with network and behavior analysis. The combination achieves better detection via Suricata’s packet inspection, while Bro’s anomaly-based engine provides context around alerts and provides correlation across multiple sessions identifying interrelated events. The Central Management Console (CMC) supports a “manager of managers” deployment architecture. Bricata’s appliances ship with a large (in comparison to other solutions) amount of on-chassis storage, allowing for the collection of large amounts of network metadata and packet capture for future analysis that supports use cases like threat hunting, incident response and forensics. Bricata did not meet inclusion revenue thresholds for this research.

Corelight

Corelight is a relatively new startup based on Bro IDS, or, as it’s often simply called, Bro. Many of the company’s founders also founded the Bro IDS project and have been heavily involved in its ongoing maintenance to this day. The Bro IDS open-source project, along with Snort/Suricata, powers a number of vendors’ engines in network security today. Additionally, Bro IDS is in use by an extensive number of security practitioners and companies around the world. Corelight provides a way to get value out of this powerful and very popular solution with its dedicated appliances. It still needs to work on its ability to provide a centralized management platform, its event storage and analytics capabilities, and its enterprise policy management capabilities. Corelight did not meet the revenue inclusion criteria for this research.

Darktrace

Darktrace is a late-stage startup security vendor with headquarters in both San Francisco and Cambridge, U.K. It is focusing on using advanced analytics, like unsupervised machine learning, to detect threats on an organization’s network. Darktrace does not position its technology as a replacement for all IDS use cases today. Darktrace deploys like all existing IDS technology, but then uses a number of existing and custom-developed algorithms and analytics to build a mathematical model of users and entities on a network, looking for outliers that are turned into alerts for analysts to then investigate. The solution is primarily subscription-based.
This approach is innovative because it helps deal with a number of pressing issues in the network security market: the technology addresses alert fatigue by generating significantly fewer alerts for analysts to triage, and it can also detect active threats on the inside of a network. However, because there is no “known threat” capability, it does not rapidly detect existing known threats.
Darktrace does not deploy in line, allowing primarily for intrusion detection use cases only, but it does support response options found in IDS such as TCP resets. This feature is called Antigena and is an optional extra. It is in use by a smaller, but growing, portion of its client base. Darktrace also supports integrations with other technologies, like firewalls and EDR, for further response options. Antigena can operate in three modes: recommendation, active or human confirmation. The analytics do take a period of time to begin to surface information, often measured in days and weeks, because the mathematical model is built from activity on an organization’s network. Some clients do report difficulty in getting more details on threats from the user interface, and day-to-day usage by security analysts has produced feedback for improvements in this area.

Fidelis Cybersecurity

Fidelis Cybersecurity, headquartered in Washington, D.C., has been in the network security market since the mid-2000s, originally with a network DLP solution with a content and session focus. As the threat landscape over the past decade has increasingly moved to content-based threats, Fidelis has further aligned its network security offerings to also protect against an increasing range of threats, including those that can be difficult to detect using traditional packet-based technologies. Its product also now has native advanced threat integration, as well as a very credible incident response endpoint technology that was acquired from Resolution1 in 2015. There are strong synergies between IDPS and EDR technologies in general, and clients value having credible options for these capabilities from one provider.
Fidelis also has the ability to have its appliances generate detailed metadata of network sessions that is stored to allow for analysis. This then enables effective near-real-time, as well as historical, incident investigation capabilities. Metadata storage is advantageous for historical threat hunting as well as for opportunities for correlation and detailed investigations of incidents. This is a leading capability in this market currently. This integrated metadata storage and analysis capability is seen as innovative in the IPS industry.
Fidelis does not have an extensive channel serving global markets outside of North America and Europe, so finding both resellers and contestable professional services can be difficult.

Huawei

Headquartered in Shenzhen, China, Huawei, with a core strength in networking, offers a range of network security controls, including IDS/IPS, firewall, log management, advanced threat detection (sandbox) and DDoS mitigation appliances. Huawei introduced its IDS/IPS product line, called Network Intelligent Protection (NIP) System, in 2004. NIP includes six physical appliances, ranging from 600 Mbps to 200 Gbps. They have the ability to offload objects to anti-malware and sandbox engines for additional threat detection capabilities. The vendor’s IDPS currently does not come in the form of a virtual appliance, although this is expected to change. SSL decryption for visibility and TI (reputation)-based blocking is supported. Huawei did not meet revenue requirements for this research.

IronNet Cybersecurity

IronNet is a relatively new startup based out of Fulton, Maryland. It was formed by a number of industry luminaries in the area of cybersecurity with the goal of improving organizations’ abilities to detect threats that have bypassed other controls. Its technology deploys by collecting network traffic from multiple locations, including OT networks, and then applies multiple techniques to surface events of interest to security operations teams.
IronNet also uses various analytics measures to reduce “alert fatigue.” Examples of the types of threats detected include suspicious beaconing, DNS tunneling, behavior changes of users/devices on the network, VPN misuse, data exfiltration and lateral movement of threat actors. As a point of visibility for a network, it also provides full packet capture to support proactive/reactive threat hunting and incident investigation and response use cases. IronNet did not meet the revenue requirements for this research.

Evaluation Criteria

Ability to Execute

Product or Service: Core goods and services that compete in and/or serve the defined market. This includes current product and service capabilities, quality, feature sets, skills, etc. This can be offered natively or as defined in the market definition and detailed in the subcriteria.
  • Product service and customer satisfaction in deployments.
  • Performance in competitive assessments and having best-in-class detection and security content quality are highly rated.
  • Competing effectively to succeed in a variety of customer placements.
Overall Viability: Viability includes an assessment of the organization’s overall financial health as well as the financial and practical success of the business unit. This criterion views the likelihood of the organization continuing to offer and invest in the product, as well as the product’s position in the current portfolio.
Sales Execution/Pricing: The organization’s capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support and the overall effectiveness of the sales channel.
Also included is pricing including dollars per Gbps, revenue, average deal size, installed base and use by managed security service providers (MSSPs), managed detection and response (MDR) and service providers.
Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve, and market dynamics change. This criterion also considers the vendor’s history of responsiveness to changing market demands.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message in order to influence the market, promote the brand, increase awareness of products and establish a positive identification in the minds of customers. This “mind share” can be driven by a combination of publicity, promotional, thought leadership, social media, referrals and sales activities.
Customer Experience: Products and services and/or programs that enable customers to achieve anticipated results with the products evaluated. Specifically, this includes the quality of supplier/buyer interactions, technical support, or account support. This may also include ancillary tools, customer support programs, availability of user groups, service-level agreements, etc.
Winning in highly competitive shortlists versus other competitors is highly weighted.
Operations: The ability of the organization to meet goals and commitments. Factors include: quality of the organizational structure, skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently.

Table 1: Ability to Execute Evaluation Criteria

Evaluation Criteria:
  • Product or Service
  • Overall Viability
  • Sales Execution/Pricing
  • Market Responsiveness/Record
  • Marketing Execution
  • Customer Experience
Source: Gartner (January 2018)

Completeness of Vision

Market Understanding: This includes providing the correct blend of detection and blocking technologies that meet or are ahead of the requirements for network intrusion detection and prevention. Innovation, forecasting customer requirements, having a vulnerability-based (rather than exploit-based) product focus, being ahead of competitors on new features, and integration with other security solutions are highly rated. Additionally, handling placement on the inside of clients’ networks, deployments in public cloud, and support for using advanced threat detection and advanced analytics are considered.
Also included is an understanding of and commitment to the security market, addressing the prevailing threat landscape and, more specifically, the network security market. Vendors that rely on third-party sources for signatures or have weak or “shortcut” detection technologies score lower.
This criterion also refers to the ability to understand customer needs and translate them into products and services; that is, vendors that show a clear vision of their market — listen, understand customer demands, and can shape or enhance market changes with their added vision.
Marketing Strategy: Clear, differentiated messaging consistently communicated internally, externalized through social media, advertising, customer programs and positioning statements.
Sales Strategy: This criterion refers to a sound strategy for selling that uses the appropriate networks including: direct and indirect sales, marketing, service, and communication. It also includes partners that extend the scope and depth of market reach, expertise, technologies, services and their customer base.
Sales strategy includes pre- and postproduct sales support, value for pricing, and providing clear explanations and commendations for detection events. Also included is the ability to handle newer licensing methods that are purely subscription-based, and how this works for direct and indirect sales and channel partners.
Offering (Product) Strategy: This refers to an approach to product development and delivery that emphasizes market differentiation, functionality, methodology, and features as they map to current and future requirements. Emphasis is on product roadmap and threat detection efficacy. Successfully completing third-party testing, such as the NSS Group IPS tests and Common Criteria evaluations, is important. Vendors that reissue signatures, are overreliant on potentially evadable detection methods, or are slow to issue quality signatures do not score well.
Business Model: This includes the design, logic and execution of the organization’s business proposition to achieve continued success. Additionally, the process and success rate for developing new features and innovation through investments in research and development are considered.
Innovation: This criterion includes:
  • Direct, related, complementary, and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
  • Innovation, including R&D, and quality differentiators, such as performance, management capabilities, and interface and clarity of reporting.
  • Features that are aligned with the operational realities of security analysts, such as those that reduce event fatigue and “gray lists” (e.g., reputation and correlation), as well as enterprise management capabilities.
  • The ability to monitor/instrument the IDPS with a supported API that allows for additional integration, workflow and automation options. Examples include integrations with SOAR or threat and vulnerability management (TVM) tools.
  • Support for open standards like STIX/TAXII for threat intelligence.
  • The ability to reduce the number of alerts that require security analyst interaction while maintaining security efficacy. For those that need investigation, having high levels of threat and other environment context allows for better decision support, enables efficiency of operational process and supports workflow.
  • A roadmap that includes moving IDPS into new placement points (for example, on the internal network or public cloud) and better-performing devices that support the reality of data centers with 10 Gbps/40 Gbps connectivity.
  • Ability to assist clients with mitigating the core issue of vulnerabilities being exploited and how this work is prioritized by understanding context from tools like vulnerability assessment tools.
  • Use of additional methods like endpoint context, ATD/sandbox integrations, metadata capture and analysis, and advanced analytics.
Geographic Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, either directly or through partners, channels and subsidiaries, as appropriate for that geography and market.

Table 2: Completeness of Vision Evaluation Criteria

Evaluation Criteria:
  • Market Understanding
  • Marketing Strategy
  • Sales Strategy
  • Offering (Product) Strategy
  • Business Model
  • Vertical/Industry Strategy (Not Rated)
  • Geographic Strategy
Source: Gartner (January 2018)

Quadrant Descriptions

Leaders

Leaders demonstrate balanced progress and effort in all execution and vision categories. Their actions raise the competitive bar for all products in the market, and they can change the course of the industry. To remain leaders, vendors must demonstrate a track record of delivering successfully in enterprise IDPS deployments, and in winning competitive assessments. Leaders produce products that embody next-generation IDPS capabilities, provide high signature quality and low latency, innovate with or ahead of customer challenges (such as providing associated ATD technologies to make enriched IDPS intelligence), and have a wide range of models, including high-throughput models. Leaders continually win selections and are consistently visible on enterprise shortlists. However, a leading vendor is not a default choice for every buyer, and clients should not assume that they must buy only from vendors in the Leaders quadrant.

Challengers

Challengers have products that address the typical needs of the market, with strong sales, large market share, visibility and clout that add up to higher execution than Niche Players. Challengers often succeed in established customer bases; however, they do not often fare well in competitive selections, and they generally lag in new feature introductions.

Visionaries

Visionaries invest in leading-edge/“bleeding-edge” features that will be significant in next-generation products, and that give buyers early access to improved security and management. Visionaries can affect the course of technological developments in the market, especially new next-generation IDPSs or novel anti-threat capabilities, but they lack the execution skills to outmaneuver Challengers and Leaders.

Niche Players

Niche Players offer viable solutions that meet the needs of some buyers, such as those in a particular geography or vertical market. Niche Players are less likely to appear on shortlists, but they fare well when given the right opportunities. Although they generally lack the clout to change the course of the market, they should not be regarded as merely following the Leaders. Niche Players may address subsets of the overall market (for example, the small or midsize business segment, or a vertical market), and they often do so more efficiently than Leaders. Niche Players frequently are smaller vendors, and do not yet have the resources to meet all enterprise requirements.


  • Current users of network IDPSs highly prioritize next-generation network IDPS capabilities at refresh time.
  • Current users of NGFWs look at a next-generation network IDPS as an additional defense layer, and expect best-of-breed signature quality.
  • Organizations with traditional network IDPS and firewall offerings should build and plan to execute migration strategies to products that can identify and mitigate advanced threats.
  • Organizations with flat internal networks should consider deploying IPS for “virtual patching” to help prevent the exploitation of vulnerabilities, the leading cause of breaches today.
  • Organizations should continue to improve their ability to detect and respond to threats as “prevention-centric only” approaches will fail eventually.

Market Overview

According to Gartner market research, the worldwide IDPS market in 2016 for stand-alone appliances was approximately $1.3 billion and is forecast to shrink in coming years. Data collected from vendors in this Magic Quadrant validates this range. Factors driving those estimates include:
  • The threat landscape continues to be aggressive, with the advantage on the side of threat actors. Major IDPS vendors were initially slow to address advanced targeted threats and other classes of threat. Some spending that could have gone to IDPS products instead has gone to advanced threat detection and network forensics products. With leading IDPS products now containing these capabilities, IDPS is no longer losing out due to this capability being missing.
  • NGFWs are taking a significant portion of the stand-alone perimeter IDPS market as next-generation IDPSs are absorbed into firewall refreshes and are enabled in existing IDS-/IPS-capable firewalls.
  • IDS/IPS continues to be a significant network security market, but is forecast to flatten. A large percentage of organizations have moved to collapse their IDPS for north-south use cases into their firewall and UTMs, especially in the midmarket. This has concurrently increased the amount of IDPS on networks, but has led to constraints for traditional IDPS deployments.
  • Organizations need to better address the internal use case that covers protection of internal assets, and helps detect and prevent lateral movement of threats. The “flat internal network” problem is one that Gartner sees still existing in a majority of our clients’ networks, and it is a systemic issue. If IDPS vendors can address this significant issue in organizations with better messaging and use case support, it will provide more relevance for organizations’ security operations programs.
  • Further to the point above, most breaches today occur because of the exploitation of known vulnerabilities, not zero days. Organizations are clearly not using compensating technology like IDPS to address the issues. Below are some reasons why they are leveraged by threat actors:
    • Not being able to patch systems to the same schedule of threat actors exploiting vulnerabilities
    • The absence of a patch from the vendor
    • Systems that can’t be patched due to regulatory issues and compliance mandates
    • Business-level SLAs and other functional requirements that require uptime and application functionality as the top priority
  • The term “virtual patching” has been in use for some time. With the plethora of security incidents originating from the exploitation of vulnerabilities in the past two years as a direct result of this issue, IDPS vendors need to improve how they integrate telemetry from vulnerability assessment and management tools to help users derive a more effective security policy. This one principle alone would considerably lower the attack surface of every single client that implements it (see “It’s Time to Align Your Vulnerability Management Priorities With the Biggest Threats”).
  • Organizations are adopting public cloud IaaS for their compute. Traditional firewall vendors are not showing signs of traction due to software-defined networking (SDN) and microsegmentation; but, primarily, IaaS providers are delivering basic routing, network address translation (NAT) and segmentation as part of their offerings for free or little cost. IDPS still has relevance here, as there is no sign of these providers delivering more advanced deep packet inspection (DPI) security capabilities. Concurrently, IDPS vendors are now able to deploy more effectively in these more agile compute architectures, either natively or with integration with packet brokers like Gigamon and Zentera.
  • As market penetration for these integrated and cloud-resident IDPS form factors has advanced, the IDPS appliance market is predicted to start declining in 2017, but from a large base.
  • TI integration is now pervasive in the IDPS market with vendors providing add-on integrations either for free or as an optional extra. This has added significant context and visibility for both traditional and advanced threats. It has also added to the ability for third-party integrations, extending the life of next-generation IDPSs by allowing them to perform the “block and tackle” role of outbound data exfiltration detection and prevention. Support for STIX/TAXII, however, is not uniform across the vendor landscape and IT security leaders are advised to demand from their vendors that they support open standards in their IDPS solution.
  • IDS is still a widely deployed use case. With the adaptive security architecture and now continuous adaptive risk and trust assessment (CARTA; see “Use a CARTA Strategic Approach to Embrace Digital Business Opportunities in an Era of Advanced Threats”), Gartner has, since 2014, advocated for improving the ability to detect and respond, as well as to prevent.
  • There are also credible ways to run IDS and IPS that don’t involve buying an appliance per se, but rather renting one that is fully managed and monitored. This suits a range of organizations, especially in the midmarket.
  • Leading vendors in 2017 have architectures that have adapted to being effective in public cloud environments, leaving them additional opportunities to expand coverage (and therefore revenue) into this large and rapidly growing market of security in IaaS environments.
  • Startups in recent years have taken advantage of a historical problem with IDPS: event fatigue. New startups are using IDS engine technology, like Snort/Suricata/Bro IDS, and are feeding this telemetry into advanced analytics and machine learning engines, which has proven effective in reducing event fatigue. This is a disruptor in this market, and Gartner expects this trend to continue.

IDPS Has Evolved

IDPSs have had two primary performance drivers: the handling of network traffic at wire speeds (either in line or in detection mode), and the deep inspection of that traffic based on more than just signatures, rules and policies to detect, prevent and respond to threats. The first generation of IDPSs was effectively a binary operation of “threat or no threat,” based on signatures of known vulnerabilities. Rate shaping and quality of service were some of the first aspects that brought context to otherwise single-event views. As inspection depth has increased, digging deeper into the same silo of the traffic yields fewer benefits. This next generation of IDPSs applies:
  • Signatures — These are often developed and deployed rapidly in response to new threats, and are often exploit-specific, rather than vulnerability-generic.
  • Protocol analysis — This enables the IDPS engine to inspect traffic for threats, regardless of the port that the traffic is traversing.
  • Application and user awareness — It should identify applications and users specifically.
  • Context awareness — It should be able to bring multiple sources together to provide more context around decisions to block sessions. Examples include user directory integration that applies IDPS rules by the user, and application and geolocation information where you can permit, deny or monitor access, based on its origin.
  • TI reputation services — These include action-oriented intelligence on spam, phishing, botnets, malicious websites, web exploit toolkits and malware activity.
  • Content awareness — It should be able to inspect and classify inbound executables and other similar file types, such as PDF and Microsoft Office files (that have already passed through antivirus screening), as well as outbound communications.
  • User extensibility — The solution should support user-generated IDPS signature content.
  • Advanced threat detection — The solution should be able to use various methods to identify suspicious payloads and send them to another device or cloud service for execution, in order to positively identify potentially malicious files.
  • Historical analysis — The solution should support short- to medium-term traffic storage, either in full or via other means, like metadata extraction and NetFlow. This can identify applications, files, users, communications, URLs, domain names, etc. It is then used for analytics and incident investigation use cases.
  • Advanced analytics — This feature leverages what has come to be called user and entity behavior analytics (UEBA) in the security industry. For this market, vendors are using analytics to advance the use of IDS to detect threats that have bypassed other security controls.
  • Support of entry-level routing and network address translation — The solution will optionally be able to process traffic and act as a Layer 3 control and enforcement point. This means basic routing and network address translation can occur. This supports use cases in which security and performance features are paramount, and only coarse-grain firewall rules are required, using a small rule base.
These advances are discussed in detail in “Defining Intrusion Detection and Prevention Systems.” Best-of-breed next-generation IDPSs are still found in stand-alone appliances, but have recently been incorporated into some NGFW platforms.

Advanced Threat Detection Is Now Available From Next-Generation IDPSs

Along with SSL decryption, Gartner IDPS Magic Quadrant customer references mention advanced threat detection as a feature in IDPS selections. To compete effectively, next-generation IDPS vendors must more deeply integrate ATD capabilities to step up their ability to handle targeted attack detection — for malware detection, anomaly detection, and also for outgoing communication with command-and-control servers from infected endpoints.
Gartner notes that some specialized advanced threat detection vendors have evolved their products’ capabilities to deliver basic network IDPS capabilities to complement their advanced threat solutions. If other advanced threat vendors bring “good enough” IDPS capabilities from adjacent network security areas to market, clients will have more options and new IDPS approaches to choose from. This could, in some way, cause this market to instead flatten out in revenue versus the predicted decline.

IDS Is Still Widely Deployed and Effective

Client reference surveys for this Magic Quadrant align with conclusions from our general client inquiry, where we see 20% of IDPSs deployed as IDS only (and another approximately 30% using IPS but running the solution mostly in detection mode). It is clear that organizations are still deploying IDS technology purely for monitoring and visibility use cases, and not necessarily for blocking. This is especially true in the network core, or wherever any kind of blocking technology often cannot meet performance needs or will not be considered for deployment by the IT operations team. Multiple factors drive this, but the need to detect intrusions and respond more efficiently to incidents is still a key investment (see “Use a CARTA Strategic Approach to Embrace Digital Business Opportunities in an Era of Advanced Threats”).
While going “in-line” with this technology is preferred for some use cases, as it at least offers the capability to block should the need arise, IDS is still a staple in a large number of environments. As CARTA highlights, detection is a critical capability. The number of breaches in recent history highlights clearly that organizations large and small are failing in their ability to perform detection and response once threats are active inside the network. IDS is still very effective at delivering threat detection capabilities in ways familiar to organizations’ security teams. If an IPS is in the mix, IDPSs concurrently have powerful uses in responding to a range of threats.
Some organizations are getting additional life out of older IDPS investments (or by making new investments in IDS) by enabling basic IDPS in the NGFW and moving their existing dedicated IDPS and IDS elsewhere in the environment, where they are tuned for those use cases. So rather than decommission stand-alone IDPSs, they instead deploy in “IDS mode,” internally or on other parts of the network for monitoring of what is generally called east-west traffic, versus the traditional north/south traffic at the internet perimeter. Detecting vulnerability exploitation, service brute forcing, botnet command and control channel activity, application identification, and so on, are all standard features of modern IDPSs and IDSs, and still have utility.

Web Application Vulnerabilities Are Still a Major Problem

Gartner recommends considering a WAF over an IDPS for protecting web applications to reduce the exposure to security threats (see “Magic Quadrant for Web Application Firewalls”). Making use of application security measures to significantly reduce the vulnerabilities during the development life cycle is even more effective (see “Magic Quadrant for Application Security Testing”).
For a long time, IDPSs have had content that can address some of the web application security issues that organizations have continued to find, often in large numbers, in their web-based applications. Coverage for the more straightforward web application issues, like SQL injection and cross-site scripting, exists in the majority of products evaluated for this Magic Quadrant. Without an application security program or a WAF deployed, IDPS can offer some coverage of web-application-focused threats. IDPS also has access to SSL decryption options for multiple types of deployments, including inspecting inbound web traffic. Some leading vendors, like McAfee, are investing significantly in improving their coverage of web application threats in order to be able to deploy in public cloud. Alert Logic does this differently by using its WAF for blocking, but leveraging its IDS for detection use cases. Generally though, web application content can be “noisy” when enabled on IDPS, and can be more prone to false positives than what leading WAFs deliver today.

IDPS Has Potential in the Cloud

Traditional firewall vendors are not making an impact in terms of usage in public cloud environments like Amazon AWS, Microsoft Azure and Google Cloud. This is primarily because the built-in firewall controls provide native integration, agility, lower pricing and, in general, “good enough” capabilities for the types of workloads that run in public clouds. Generally speaking, you don’t need advanced enterprise firewall features to protect server workloads in the cloud, and the ruleset is often very basic. WAF and IDPS are more relevant security add-ons for workloads running in these environments. Cloud-delivered WAF is now prevalent and still far exceeds the WAF functionality delivered by cloud service providers (CSPs). No CSP today is investing in the type of advanced DPI solutions delivered by cloud-ready IDPS solutions.
Gartner expects this deployment form factor for IDPS to become a leading use case for the technology in the coming years. As the shift of workloads to IaaS continues, so too will the relevance of advanced detection, prevention and response capabilities to security teams with workloads running in private, hybrid and public clouds. The client reference survey this year reported that approximately 30% of respondents have IDPS deployed in public and/or hybrid cloud environments.

More IDPSs Get Absorbed by NGFWs, but the Stand-Alone IDPS Market Will Persist

With the improvement in availability and quality of the IDPS within NGFWs, NGFW adoption reduces the need for a dedicated network IDPS in enterprises (especially smaller ones) at the network perimeter. The perimeter placement traditionally is the most popular deployment location for IDPS. However, the stand-alone IDPS market will persist to serve several scenarios:
  • The incumbent firewall does not offer a viable next-generation IDPS option for reasons of security efficacy.
  • Clients continue to report significant performance impact of enabling IDPS in their NGFWs. This impact, in real-world feedback from Gartner clients, is frequently in the 40% to 80% range (depending on the IDPS policy in place) regardless of traffic profile. For environments that require sustained throughput of 10 Gbps to 20 Gbps and higher, a separate NGFW and next-generation IDPS is a sensible architecture to pursue for security efficacy and cost reasons.
  • Separation of the firewall and IDPS is desired for organizational or operational reasons, such as where firewalls are a network team function and IDPSs and IDSs are run by the security team.
  • A best-of-breed IDPS is desired, meaning a stand-alone next-generation IDPS is required.
  • Niche designs exist (as in certain internal deployment scenarios) where IDPS capabilities are desired, but don’t require a firewall. This can also apply to SDN and public cloud scenarios where routing/NAT functions are covered in the base platform and only advanced network inspection is required.
  • For internal network segmentation projects, IDPS deployments are advantageous as they happen at Layer 2 (transparently, with no significant routing/switching requirements), with better reliability/resiliency, lower latency, and generally equal or higher-quality security content than a transparent NGFW; they are therefore considerably easier to deploy while providing the best protection available.
While the trend is toward IDPS consolidation on NGFWs, Gartner sees anecdotal examples of organizations switching back from an NGFW to a stand-alone IDPS, where improved blocking quality and performance are required.

Endpoint Context Is Increasingly Important and Available in Leading IDPS

An interesting development over the past few years is how IDPS vendors are increasingly bringing in various levels of detail from endpoints. This complements IDPSs on the network significantly. As a simple example, being able to dig into traffic by mapping it to the specific application on the host that is generating it is a very important use case, which previously was only possible from multiple consoles or via event processing in a SIEM. This is increasingly becoming available from IDPS vendors, like Cisco and McAfee, as built-in options. Other vendors in this Magic Quadrant, like Trend Micro and Fidelis, have the opportunity to add significant further value for organizations by making the network IDPS and IDS more effective with host context; and also the reverse, with host agents being more effective by having a complementary network option.

Developments in Threat Intelligence Have Implications for IDPSs

TI or reputation feeds have provided much-needed additional visibility, threat context and blocking opportunities for IDPS deployments. In the past few years, all IDPS vendors have added these “feeds” to their existing product lines. TI feeds have the following strengths and challenges:
  • Time to coverage — for example, a piece of malware can be inspected and TI feeds updated with detection/blocking metadata like IP address, DNS hostname or URL, which is considerably faster than the deep-soak signature testing cycle that IDPS vendors require to ship IDPS security content.
  • Improved context and visibility on the threat landscape for fast-moving threats, particularly malware and botnets.
  • Most feeds include not only the threat (for example, “botnet”), but also a score (often from 0 to 100, for example), allowing users to define the threshold of when alerting versus blocking occurs.
  • Allow for the use of relatively accurate geographic IP details for context and blocking opportunities.
  • Allow for third-party integration via IDPS vendors’ APIs of other feeds. This normally requires additional work.
  • TI feeds are proprietary in nature, and users cannot use open standards such as STIX/TAXII without additional software.
  • Like all security content, TI feeds are prone to various levels of false positives, meaning clients may often have to tune policies to avoid blocking nonmalicious traffic.
  • Unless third parties create their own integrations, or additional products are used, most vendors generally use only their own TI feeds. These are limited in scope, and their coverage of the threat landscape reflects that vendor’s view only.
  • The volume of TI that is available today is staggering. There are well over 100 free (open-source) feeds and dozens of commercial and industry-led initiatives that organizations can consume. The challenge is how to target the type, volume and variety of TI so that it doesn’t:
    • Overload security operations with yet more events
    • Bring false positives from low- or semitrusted sources
    • Overload the IDPS with too much TI, which can significantly affect performance
STIX/TAXII standards are now at a point where they have gained adoption momentum among a sizable number of groups generating and consuming threat intelligence, including computer emergency response teams (CERTs), global information sharing and analysis centers (ISACs), vendors, and end users. While nascent, in the coming two to three years we expect to see an acceleration of block-and-tackle vendors — such as firewall, intrusion prevention, secure web gateway, endpoint threat detection and response (ETDR), and SIEM tools — all supporting full implementations of these open standards. These two standards in particular will accelerate the ability to consume threat information and then act on it at time scales not previously possible, and will do so in an end user’s environment that has a mixed ecosystem of vendors.
Finally, while not meeting the definition of a next-generation IDPS, and therefore not included in this research, in-line TI appliances have appeared on the market. While niche, they serve an important purpose for some clients by aggregating larger numbers of indicators of compromise (IOCs) than can be run on other network appliances like IDPSs and firewalls. These are not fully featured IDPSs per se; they only offer blocking on source and destination IP address, DNS name and sometimes URL, meaning they are based purely on TI feeds. However, they often support much larger TI databases than are available from leading IDPS vendors. Example vendors are Centripetal Networks, LookingGlass and Ixia (see “Emerging Technology Analysis: Threat Intelligence Gateways”).
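The feed-handling concerns raised above (scored indicators with separate alert and block thresholds, discounting low-trust sources, not overloading the sensor with more TI than it can hold, and consuming STIX-formatted indicators) can be illustrated with a small consolidator. This is an added example, not code from the report or from any vendor named in it; the feed names, trust weights and sensor capacity are constructed assumptions, and the STIX handling covers only single-observable comparison patterns using the STIX 2.1 `pattern` and `confidence` properties.

```python
"""Consolidate TI feeds into an IDPS block list and an alert list.

Added example (not from the report): dedupes indicators across feeds, weights
scores by a per-source trust factor, applies alert/block thresholds and caps
the block list at the sensor's assumed capacity, demoting overflow to alerts.
"""
import re

# STIX 2.1 comparison patterns with one observable, e.g.
# "[ipv4-addr:value = '198.51.100.7']"; other pattern forms are skipped.
_STIX_RE = re.compile(r"\[(ipv4-addr|domain-name|url):value\s*=\s*'([^']+)'\]")


def indicator_from_stix(obj):
    """Return (ioc_type, value, confidence) for a simple STIX indicator, else None.
    A missing 'confidence' is treated as 50 (a local policy assumption)."""
    if obj.get("type") != "indicator":
        return None
    m = _STIX_RE.fullmatch(obj.get("pattern", "").strip())
    if not m:
        return None
    return m.group(1), m.group(2), obj.get("confidence", 50)


def stix_to_entries(objects, source):
    """Convert STIX objects into the flat feed-entry dicts used below."""
    entries = []
    for obj in objects:
        parsed = indicator_from_stix(obj)
        if parsed:
            t, v, conf = parsed
            entries.append({"source": source, "ioc_type": t, "value": v, "score": conf})
    return entries


def consolidate(entries, source_trust, alert_at=40, block_at=80, capacity=3):
    """entries: dicts with source, ioc_type, value, score (0-100).
    Effective score = score * trust(source); unknown sources (trust 0) are dropped.
    Returns (block_list, alert_list) of (ioc_type, value), best score first."""
    best = {}  # (ioc_type, value) -> (effective score, source)
    for e in entries:
        eff = e["score"] * source_trust.get(e["source"], 0.0)
        key = (e["ioc_type"], e["value"])
        if eff > best.get(key, (0, None))[0]:
            best[key] = (eff, e["source"])
    ranked = sorted(best.items(), key=lambda kv: -kv[1][0])
    block, alert = [], []
    for key, (eff, _src) in ranked:
        if eff >= block_at and len(block) < capacity:
            block.append(key)          # high confidence and room on the sensor
        elif eff >= alert_at:
            alert.append(key)          # alert-only, or block overflow demoted
    return block, alert


# Constructed sample data: an ISAC feed in STIX 2.1, a vendor feed and a
# low-trust open list. RFC 5737 addresses and .example names, not real IOCs.
STIX_OBJECTS = [
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
     "id": "indicator--00000000-0000-4000-8000-000000000001",
     "pattern": "[ipv4-addr:value = '198.51.100.7']", "confidence": 90},
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
     "id": "indicator--00000000-0000-4000-8000-000000000002",
     "pattern": "[domain-name:value = 'c2.example']", "confidence": 60},
    {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000003"},
]
VENDOR_FEED = [
    {"source": "vendor", "ioc_type": "ipv4-addr", "value": "198.51.100.7", "score": 95},
    {"source": "vendor", "ioc_type": "url", "value": "http://drop.example/x", "score": 85},
    {"source": "open-list", "ioc_type": "ipv4-addr", "value": "203.0.113.9", "score": 100},
    {"source": "open-list", "ioc_type": "domain-name", "value": "c2.example", "score": 30},
]
SOURCE_TRUST = {"isac": 1.0, "vendor": 1.0, "open-list": 0.5}  # assumed weights


def build_lists(capacity=2):
    entries = stix_to_entries(STIX_OBJECTS, "isac") + VENDOR_FEED
    return consolidate(entries, SOURCE_TRUST, capacity=capacity)
```

With the sample data the open list's perfect score on 203.0.113.9 is halved by its trust weight and lands in the alert list, while the duplicate 198.51.100.7 keeps only its highest-scoring source.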


Gartner used the following input to develop this Magic Quadrant:
  • Results, observations and selections of IDPSs, as reported via multiple analyst inquiries with Gartner clients
  • A formal survey of IDPS vendors
  • Formal surveys of end-user references
  • Gartner IDPS market research data
Details on STIX and TAXII.

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
Overall Viability: Viability includes an assessment of the overall organization’s financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization’s portfolio of products.
Sales Execution/Pricing: The vendor’s capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.
Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor’s history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This “mind share” can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers’ wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers’ wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor’s approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.
Business Model: The soundness and logic of the vendor’s underlying business proposition.
Vertical/Industry Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.