My short review of “IDC Worldwide Security and Vulnerability Management Market Shares 2016”. On February 12 IDC published a new report about the Security and Vulnerability Management market. You can buy it on the official website for $4500. Or you can simply download a free extract on the Qualys website (Thanks, Qualys!). I’ve read it and now I want to share my impressions.
I think it’s better to start reading this report from the end, from the “MARKET DEFINITION” section. First of all, IDC believes that there is a “Security and Vulnerability Management” (SVM) market. It consists of two separate “symbiotic markets”: security management and vulnerability assessment (VA).
The structure of these markets:
- Security management products
  - Security intelligence and event management (SIEM) solutions
  - Forensics and incident investigation solutions
  - Policy and compliance solutions
- Vulnerability assessment products
  - Device vulnerability assessment products
  - Application scanners
As you can see, in this report IDC talks about vendors of very different solutions: SIEM, SAST/DAST/IAST, WAS, VM, etc.
In fact, I think it makes sense, because the boundaries between these solutions are often blurred:
- SIEMization of VM: Qualys, SecurityCenter
- It is not always clear where the boundary between DAST, WAS and VM lies (Nessus has WAS plug-ins)
- Policy and compliance modes are available in most commercial VM solutions, for example .audit-based Compliance Management in Nessus
- Some VM solutions also have a Forensics mode
For all these different SVM vendors IDC gives common recommendations:
- Focus on prescription, not just alerting
- Expand deployment options
- Create more streamlined and managed services offerings
- Support the forensics and incident investigation (FII) process
I will not write here about deployment options and managed services, because I do not consider them significant. But the first and fourth points are great. They are actually about the fact that SVM solutions often show uncritical, useless nonsense in their output, which can’t be used in any way (including for forensics).
But this report, of course, is mainly about revenue. And this revenue can be counted in different ways. Half of the extract describes how IDC counts it; as I understand it, something like a disclaimer.
And according to this revenue it turns out that Qualys is comparable with such big SVM vendors as IBM, HPE, Dell and Splunk. It is no accident that Qualys is actively spreading this report. 😉 The situation on the Device Vulnerability Assessment (or VM) market has not really changed in recent years.
Big4:
- Qualys
- Tenable
- Rapid7
- Tripwire
But it should be noted that revenue is an assessment of the company, not an indicator of product quality. Usually it correlates, but not always. IDC does not test the products, and all their recommendations are based on surveys of vendors and customers.
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
And I invite all Russian speakers to one more Telegram channel, @avleonovrus; that is now the first place I post.