How Cyber Risk Ratings Platforms Have Evolved - And Why Bitsight is a Leader

Forrester blog banner

Bitsight was named a Leader in The Forrester Wave: Cybersecurity Risk Ratings Platforms, Q2 2024 for a third consecutive time.

Click here to download The Forrester Wave: Cybersecurity Risk Ratings Platforms, Q2 2024.

We are incredibly proud to be highlighted as a Leader, and our placement in this report is validation of our ongoing effort to help risk and security leaders identify exposure, prioritize investment, communicate with stakeholders, and mitigate risk.

In this article, we explain how security leaders can benefit from Cybersecurity Risk Ratings platforms, the underlying data that powers them, and why Forrester named Bitsight a Leader in the market.

What is a Cybersecurity Risk Ratings Platform? Why Can it be Useful?

Security leaders need solutions that help them identify and mitigate risks in their own organizations and broader third party supply chain, including vendors, suppliers, and business associates. Attackers continue to exploit known vulnerabilities and target critical third party suppliers to gain access to sensitive data or inflict operational harm. Companies are losing money and their reputations. Cyber risk is truly business risk.

A Cybersecurity Risk Rating (CRR) solution is a critical capability to enable any organization’s cybersecurity risk management strategy. Forrester defines a CRR platform as:

A platform that collects, aggregates, attributes, and synthesizes various cybersecurity indicators from an entity’s externally observable digital footprint into a single, observable metric or score. These platforms use a consistent scoring methodology to create an overall, point-in-time rating of the entity’s current external cyber risk exposure and posture.

According to Forrester, the majority of CRR customers now use these platforms to enhance their third-party cyber risk assessment and monitoring capabilities. They also note that more CRR providers are “leaning into Attack Surface Management Methods (ASM)” to support customer needs. This use case expansion reflects the growing reality that Forrester points out: Cybersecurity Ratings have assumed a "very real position" among regulators, insurance providers, governments, contracts, and all kinds of business relationships today. In other words, the organizations that are evaluating and regulating the enterprise are leveraging the CRR, driving more use from the enterprises themselves. In fact, 77% of organizations have or are in the process of adopting CRR.

As the quality, transparency, and consumption models for the insights underlying the CRR have matured, security leaders are leveraging both the rating and the data behind it to improve their own security performance. As such, the platform is evolving from a governance and reporting tool to an operational one helping solve threat exposure challenges for security and risk leaders. It helps these leaders create real business value for the organization through a straightforward equation: reduce the likelihood of experiencing a cybersecurity incident, communicate that performance through a broadly adopted and well-understood metric, and enhance the reputation of their organization across the global marketplace.

Forrester Report Cover 2024

Why was Bitsight named a Leader in Cybersecurity Risk Rating Platforms?

There are a number of CRR platforms available today. But not all solutions are created equal.

For the third consecutive assessment, Forrester named Bitsight a Leader in Cybersecurity Risk Rating Platforms. Bitsight received the highest overall score and the highest possible score in 18 criteria. Of particular note was Bitsight’s strategy, receiving differentiated scores in Vision, Innovation, Roadmap, Adoption, and Partner Ecosystem among other criteria.

Why did Forrester name Bitsight a Leader? There are 5 main reasons why we think we stood out.

1. Our Ratings are Built on Historic, Meaningful, Unique Data Sets

Founded in 2011, Bitsight’s cybersecurity ratings platform is based on innovative approaches to collecting cybersecurity performance data and mapping organizational assets.

Bitsight discovers assets and collects unique and differentiated cybersecurity performance data, including exposure, vulnerability, and threat data. We combine active data collection tools like our proprietary internet scanner, Bitsight Groma, with passive data collection techniques like honeypots, malware emulators, and one of the world’s largest sinkhole infrastructures to continuously observe change across digital infrastructures.

More importantly for risk and security leaders, we are relentless in our pursuit of attributing those findings – assets, vendors, infrastructure, security observables – to entities. Over 100 technical researchers, combined with our AI attribution engine, Bitsight Graph of Internet Assets (GIA), to provide actionable visibility into real-time vulnerabilities: Shadow IT, malware, endpoint security, 4th party relationships, file sharing, hardware/software lifecycle management, IoT, exposed credentials, mobile application security, vulnerabilities, and IPv6 infrastructure. This provides security leaders with critical, meaningful insights they simply can’t get anywhere else.

As Forrester notes, “how a vendor discovers, attributes, and validates assets and findings sets the good apart from the great.” Bitsight received the highest possible scores in criteria related to Asset Discovery and Attribution and Data Sources.

2. We Maintain a Rigorous & Validated Approach to Creating Security Ratings & Analytics

Bitsight takes great pride in our rigorous, transparent approach to creating meaningful cybersecurity ratings and analytics. Our rating measures “performance” over time – an organization’s effectiveness in preventing cybersecurity incidents. Our ratings algorithm is reviewed on an ongoing basis in a formal process overseen by our Rating and Methodology Governance Board. In addition, feedback from customers and market is reviewed by our Policy Review Board with the results of that feedback published on our website. Bitsight is the only provider with a Policy Review Board to govern and oversee the entire ratings process, including our dispute resolution process.

Our data and governance approach produces the best results in the marketplace. The Bitsight Security Rating is the only security rating with multiple independent studies showing significant, clear correlation to critical outcomes, including cybersecurity incidents, data breaches, ransomware attacks, and company stock performance. Thirteen Bitsight risk vectors (e.g. “patching cadence”) have been clearly, independently correlated with cyber incidents, which is double any other provider. We have also published our own research describing correlation to data breaches and ransomware incidents, including botnet infections, file sharing activity, work from home risks, and others.


As Forrester notes, “Bitsight leans heavily into ratings model validation and correlation studies to continuously test its ratings’ alignment with real-world incidents. It leverages a policy review board to manage finding disputes and publish case summaries publicly.” Bitsight received the highest possible scores in criteria related to Ratings Correlation Testing and Results and Ratings Dispute Resolution.

3. We are Trusted by the Global Marketplace

The world’s most risk-focused governments, regulators, investors, insurers, and enterprises rely on Bitsight data and insights to make critical decisions. The Bitsight community comprises more than 13,000 organizations across internal security performance, third party, insurance, government, and investors. Customers include 40% of Fortune 500 companies; over 20% of global governments; 180+ government agencies including global financial regulators; and insurers writing more than 50% of the world’s cyber insurance premiums.

Bitsight data and research is featured prominently in trusted publications (including numerous reports from critical market leaders like Moody’s and the Harvard Law School Corporate Governance Forum). We strictly adhere to Responsible Disclosure practices and do not share or publish individual ratings.

Forrester notes that Bitsight’s “partner ecosystem, adoption, and community strategies are centered on building and promoting trust for ratings… and supporting industry-wide research and information-sharing initiatives.” Bitsight received the highest ranking of all vendors in the Strategy category, including the highest possible scores in criteria related to Adoption, Community, and Partner Ecosystem.

4. Bitsight Delivers a Great Customer Experience with Products and Services that are Purpose-Built to Solve Exposure and Third-Party Risk Challenges

Bitsight’s products are purpose-built to serve the unique jobs of security leaders, whether they are trying to better understand their own attack surface, manage third party risk effectively, or financially quantify cyber risk. Our products are designed to help security leaders connect within their organizations or integrate with other products to reduce risk. We also support our customers in a variety of ways, with dedicated Customer Success teams, technical resources and training, and Professional Services for customers who need to fill resource gaps. We aim to provide our customers with an outstanding user experience so they can focus on identifying and remediating cyber risk.

As Forrester notes, “Bitsight best fits customers looking to centralize their ASM, TPRM, and cyber insurance use cases.” The Bitsight platform “features a collaboration dashboard to streamline interactions and planning with third parties. Its leading security performance analytics module provides deep insights into control performance. It also features a native cyber risk quantification tool that measures financial exposure based on cyber loss data.” Forrester also notes that Bitsight “enables customer success through training and support.”

Bitsight received the highest possible scores in product criteria related to Security Performance Analytics, Exposure Prioritization and Remediation, Reporting and Visualization, In-Platform Collaboration, Third Party Cyber Risk Quantification and Support, and User Experience.

5. We Have a Long-Term, Sustainable Business with a History of Leadership and Innovation and a Compelling Roadmap for the Future

Security leaders want to partner with a strong, reliable business that is investing in the future. Since founding the industry in 2011, Bitsight has grown to become the largest CRR provider by revenue. This allows us to strategically invest the most resources into our robust innovation engine. Since 2011, Bitsight has been awarded 58 patents (16 since 2022), many for our innovative approaches to organizational mapping. We continue investing in exciting capabilities (accelerated by AI) to help customers reduce exposure and increase resilience across their entire digital footprint, manage trust across supply chain and customers and help companies address new regulatory requirements like SEC, DORA, and NIS2.

As Forrester notes, “Bitsight boasts an unmatched commitment to innovation” including “the largest R&D investment compared with other vendors.” Bitsight received the highest possible scores in Vision, Innovation, Roadmap, and Market Presence.

Next Steps

We are proud of our Leader position in The Forrester Wave: Cybersecurity Risk Ratings Platforms, Q2 2024. If you think that Bitsight might be able to help you and your organization, please contact us at anytime.