Announcing the Cyber Risk Ratings Platform Landscape, Q4 2025



Cybersecurity risk ratings platforms (CRRPs) make up a market with a reputation that precedes it. Of all the markets I’ve covered in my various roles at Forrester, nothing gets CISOs’ blood pressure up as much as this one does. Procurement leaders and cyber insurers haven’t helped, having used cyber ratings as a due diligence stick to allow beatings to continue until ratings improve. Despite all of this, the CRRP market is truly at an inflection point, with the realization that there is value in the data collected to produce ratings, not just the ratings themselves. However, this will only happen if the market can move from static scorecards to driving remediation actions that demonstrably reduce risk. This week, I released our latest research on the Cybersecurity Risk Ratings Platforms Landscape, Q4 2025 (Forrester clients only) with the following observations:

  1. The CRRP market is at a fork in the road. Seventy-eight percent of enterprise risk professionals have implemented cybersecurity risk ratings platforms within their enterprise. High adoption signals market saturation, and most providers are responding by marketing themselves as anything but a cyber ratings platform. In turn, this saturation signals that the market is going to evolve in a dramatic way over the next 3-5 years. The providers have a choice: stay on the yellow brick road, or break from the path that got them to where they are today. Most are evolving to deliver actionable insights, automate workflows, and coordinate remediation, steps that increasingly position them to compete in adjacent markets like third-party risk and external attack surface management.
  2. S&R leaders will experience a seismic shift in how they consume CRR. CRR platforms are shifting to embed cyber risk intelligence into broader cyber risk management workflows. As cyber risk ratings become commoditized, security and risk leaders will need to rethink their buying patterns over the next few years, and will:
     1. Consume ratings data via third-party risk management (TPRM) and external attack surface management (EASM) platforms, as they are the two use cases most enterprises use CRR platforms for;
     2. Have more affordable and ready access to continuous monitoring, driven by customer demand and technological advancement; and
     3. Work with larger players, as smaller firms struggle to be heard and acquisitions and exits to adjacent markets (primarily TPRM and EASM) continue.

Forrester clients can read the full report here to get further insights into how this market will develop in advance of the upcoming Forrester Wave, which follows this report in Q2 2026. I’m also happy to talk to clients in a guidance session or inquiry to discuss more.