My short review of “IDC Worldwide Security and Vulnerability Management Market Shares 2016”

On February 12 IDC published a new report about the Security and Vulnerability Management market. You can buy it on the official website for $4500. Or you can simply download a free extract from the Qualys website (Thanks, Qualys!). I’ve read it and now I want to share my impressions.


I think it’s better to start reading this report from the end, from the “MARKET DEFINITION” section. First of all, IDC believes that there is a “Security and Vulnerability Management” (SVM) market. It consists of two separate “symbiotic markets”: security management and vulnerability assessment (VA).

The structure of these markets:

  • Security management products
    • Security intelligence and event management (SIEM) solutions
    • Forensics and incident investigation solutions
    • Policy and compliance solutions
  • Vulnerability assessment products
    • Device vulnerability assessment products
    • Application scanners

As you can see, in this report IDC talks about vendors of very different solutions: SIEM, SAST/DAST/IAST, WAS, VM, etc.

In fact, I think it makes sense, because the boundaries between these solutions are often blurred.

For all these different SVM vendors IDC gives common recommendations:

  1. Focus on prescription, not just alerting
  2. Expand deployment options
  3. Create more streamlined and managed services offerings
  4. Support the forensics and incident investigation (FII) process

I will not write here about deployment options and managed services, because I do not consider them significant. But the first and fourth points are great. They are actually about the fact that SVM solutions often show uncritical, useless nonsense in their output, which can’t be used in any way (including for forensics).

But this report of course is mainly about revenue. And this revenue can be counted in different ways. Half of the extract describes how IDC counts it; as I understand it, this is something like a disclaimer.

And according to this revenue it turns out that Qualys is comparable with such big SVM vendors as IBM, HPE, Dell, Splunk. It is no accident that Qualys is actively spreading this report. 😉 The situation in the Device Vulnerability Assessment (or VM) market has not really changed in recent years.


  1. Qualys
  2. Tenable
  3. Rapid7
  4. Tripwire

But it should be noted that revenue is an assessment of the company, not an indicator of product quality. Usually it correlates, but not always. IDC does not test the products, and all their recommendations are based on the survey of vendors and customers.
