Forrester has just completed a comprehensive assessment of vulnerability management products. The Forrester Vulnerability Management Wave report is now live. If you are a subscriber, please see here for the full report.

In Forrester’s 53-criteria evaluation of vulnerability management vendors, we found that the market is rife with mature products. In particular, Qualys leads, with Rapid7, McAfee, nCircle, and Lumension following as Leaders.

Qualys showed itself to be the leader of the pack in this evaluation. Qualys pioneered the SaaS hybrid delivery model of vulnerability management, combining fully managed scanner appliances with a security console hosted in the Qualys cloud. Once considered radical, this service model is now used by some of the largest organizations in the world. Qualys delivers vulnerability assessment, application-level scanning, and configuration compliance auditing. It’s worth noting that its offering provides concrete mappings from a wide list of regulations to actual IT controls.

We found several other vendors offering competitive solutions. Rapid7 is the up-and-comer, with an impressive 50%-plus year-over-year growth over the last two years. In addition to its solid technology, it is the only vendor in this evaluation whose application-scanning capabilities can handle Ajax and Web 2.0 technologies. Rapid7 recently signed OEM deals with two of the largest security and service vendors in the industry, which should give it a boost in the market.

nCircle was another strong vendor. While its technology struggles with integration and complexity issues, nCircle’s configuration compliance product is among the most sophisticated on the market today. nCircle would be a good choice for enterprises that have advanced compliance and risk analytics needs.

Established vulnerability management vendor McAfee delivers strong risk management capabilities, including one of the most thoughtfully designed user interfaces in the evaluation and solid support for translating vulnerability knowledge into meaningful risk metrics. McAfee’s application-scanning capability was relatively weak at the time of the evaluation, but upcoming releases may remedy this.

Finally, Lumension distinguished itself with its unique product portfolio, being the only vendor in this evaluation that has its own endpoint patch management functionality, PatchLink, and its own GRC product. Lumension’s strategy is to deliver a consolidated platform to manage the life cycle of vulnerabilities — from discovery to analytics to remediation. Because of the breadth of its product portfolio, Lumension has the potential to challenge the top players in the vulnerability management market.

These leaders were followed by several vendors at the “Strong Performers” level. Tenable Network Security, while lacking enterprise support features such as executive reporting, advanced risk analytics, and integration with related products, nevertheless offers strong vulnerability assessment capabilities for the technology-minded buyer. eEye’s vulnerability assessment product, Retina, has many desirable features, such as wireless scanning, diverse scan templates, and an extremely flexible reporting portal, and is attractively priced. Although eEye is going through some growing pains as new management overhauls its products, government clients and value-conscious organizations will find Retina a compelling option. Critical Watch, a relative newcomer to the market, offers several distinct and innovative features, including a CEM structure that provides a flexible yet powerful organizational framework for managing scans, reports, and analysis.

This market is evolving to meet the maturing needs of clients. Once concerned only with pure network vulnerability assessment functionality, the market is shifting to include adjacent technology areas such as risk management and remediation. Today, both vulnerability assessment and endpoint configuration compliance are considered core functionality. Application-level scanning, targeting Web applications and databases, is quickly becoming a must-have item. And as buyers shift from assessment-only capabilities to advanced risk-based analytics and remediation management, those functionalities are fast becoming the newest differentiators.

An IT security organization should follow three strategies with respect to vulnerability management: (a) consider vulnerability management an essential IT function, (b) combine vulnerability assessment with remediation and active protection, and (c) treat vulnerability management as part of the greater IT GRC strategy.