Analysis
Trend Description
Preemptive cyber defense (PCD) relies on proactive defensive mechanisms, predictive intelligence and attack anticipation instead of focusing on detection and response. PCD may apply periodic or randomized changes, polymorphism or encryption to a target asset, make preemptive changes to the defensive posture, maintain block lists and take other intelligence-led proactive measures. Automated moving target defense (AMTD) may be used, offering techniques that continually change system configurations, modify network architectures such as network paths and IP addresses, or morph application behavior. These automated changes make it harder for attackers to identify and exploit vulnerabilities, map a static target architecture, or establish persistence in the environment.
Sample vendors: Anjuna, Cloudbrink, Darktrace, Hypersphere, Jscrambler, Morphisec, PacketViper, Quarkslab, R6 Security, Silent Push and Veriti
Note: The sample vendors shown above do not comprise or imply an exhaustive list.
Adoption Insight: Banking, Technology and Government Lead in Deriving Business Value in Preemptive Cyber Defense
The heat map in Table 1 reveals that different industries prioritize different aspects of cybersecurity and operational efficiency according to their risk profiles and regulatory requirements. The banking and securities and healthcare industries exhibit a comprehensive security posture, while government organizations focus heavily on exposure management. Technology sector adopters take a forward-looking approach, addressing emerging threats such as AI and quantum computing.
Table 1. Adopter business value achieved, by adopter industry (heat map; cell shading not reproduced)
Columns (adopter business value achieved): Detect and respond; Exposure management; SecOps efficiency; Cost savings; Human capability efficiency; Data protection; Go-to-market activities; Brand protection and regulatory protection; Regulatory compliance; Attack frustration (more takedowns/no ransomware attack); OT security; AI-provided recommendations; Control validation; Threat detection engineering/operations
Rows (adopter industry): Banking and securities; Technology; Healthcare; Government; Manufacturing; Transportation; Communications, media and services; Insurance; Retail; Education; Natural resources; Agriculture; Other (food/beverages/charity/nonprofit/utilities)
Legend: High ◼◼◼◼◻ Low
Source: Gartner (November 2024)
Detect and Respond
The detect and respond metric emerges as a critical focus area, particularly for the banking and securities and healthcare sectors, which lead in this category. This high prioritization underscores the need for rapid identification and mitigation of cyberthreats to protect sensitive financial and health data. Financial institutions are high-value targets for cyberattacks and face stringent regulatory requirements; consequently, they invest heavily in advanced detection and response mechanisms.
For similar reasons, the healthcare sector emphasizes swift threat detection to prevent breaches that could jeopardize patient safety and privacy. The government and technology sectors also place significant focus on enhancing their threat detection capabilities, but less so than banking and healthcare, indicating room for improvement in these areas to match the leading sectors.
Exposure Management
Exposure management stands out as a paramount concern for the government sector, with a rating that is twice that of the next closest sectors. This suggests that a comprehensive approach to identifying, assessing and mitigating vulnerabilities within government systems is crucial, given the sensitive nature of government data and the increasing number of threats targeting public sector entities.
The banking and securities, healthcare, and communications, media, and services industries also put a notable focus on exposure management, reflecting the high stakes of data breaches in these sectors. Effective exposure management in these industries helps in maintaining trust, ensuring compliance with regulations and safeguarding critical infrastructures against potential exploits.
SecOps Efficiency
The SecOps efficiency rating is highest for the banking and securities sector, indicating that financial institutions are not only investing in advanced security technologies, but also optimizing their operational processes to enhance the efficiency and effectiveness of their security teams. The technology, insurance, and retail sectors also show a commitment to improving their SecOps capabilities, though they lag behind the financial sector.
Enhancing SecOps efficiency is crucial for these industries’ ability to quickly adapt to evolving threats, streamline incident response processes, and reduce the mean time to detect (MTTD) and respond to security incidents.
This focus on operational efficiency is essential for maintaining robust security postures and ensuring rapid, coordinated responses to potential threats. Even the utilities sector, which has minimal engagement scores across most cybersecurity and operational metrics in the survey, has a relatively high score in SecOps efficiency.
While enterprises in highly regulated sectors such as banking, government and healthcare have been most likely to adopt cybersecurity solutions that incorporate PCD, Gartner anticipates that the technology will become ubiquitous across nearly all industries. Current projections indicate a substantial increase in the adoption rate of PCD solutions, from 5% to 35% by 2028.
This forecast is underpinned by the escalating frequency and sophistication of cyberthreats. In addition, regulatory compliance requirements are becoming more stringent across various sectors. As these regulations evolve, organizations across all industries will be forced to implement increasingly advanced security technologies to ensure compliance.
Near-Term Implications for Product Leaders
The capabilities of detect and respond, exposure management and SecOps efficiency are highly valued by organizations in most industry verticals, making these essential components of most PCD offerings. However, beyond these three capabilities, participants’ understanding of different forms of business value rapidly fragments across industries, indicating that many of the benefits of preemptive security are still being discovered and understood. Ensure your platform provides comprehensive visibility into potential exposures and offers actionable recommendations to address them.
Along with improving the efficiency of SecOps and human capabilities, adopters leverage preemptive security to enhance security performance, not reduce costs.
The highly regulated industries have been keen preemptive security adopters, with one exception. Utilities experience many of the same cybersecurity challenges as transportation, manufacturing and healthcare but have been slow to adopt these technologies. Common challenges facing utilities include outdated systems, lack of segmentation between IT and operational technology (OT), and complex interconnected critical infrastructure.
Adoption Insight: Preemptive Cyber Defense Enhances Visibility, Operational Efficiency and Threat Management for Adopters
Overall, Table 2 underscores the multifaceted nature of cybersecurity challenges and the need for a comprehensive, adaptable approach to effectively mitigate risks. The heat map provides an overview of the interplay between business challenges and the value achieved across various security domains.
Table 2. Business value achieved, by adopter business challenge (heat map; cell shading not reproduced)
Columns (business value achieved): Detect and respond; Exposure management; SecOps efficiency; Cost savings; Brand protection and regulatory compliance; Human capability efficiency; Go-to-market activities; Data protection; Attack frustration (more takedowns/no ransomware attack); OT security; AI-provided recommendations; Control validation; Protection over AI and quantum threats; Threat detection engineering/operations
Rows (adopter business challenge): Operational efficiency and SOC noise; Lack of visibility and ease of use; Threat engineering and operations; Breaches; Technical environment; Data protection; Lack of tooling; Detect and respond; Moving target defense; Cost; Account takeover attempts and bot attacks; Ransomware prevention; Regulatory compliance; Security posture; Exposure management; Reduced downtime; Validations; Preempt attackers; Anonymous data sharing; Inverse/low alert volume understanding; Protect against reverse engineering
Legend: High ◼◼◼◼◻ Low
Source: Gartner (November 2024)
Operational Efficiency and Security Operations Center (SOC) Noise
Operational efficiency is a critical factor that significantly impacts SecOps efficiency, detect and respond, and exposure management. SecOps efficiency is the most affected, and adopters highlighted the importance of streamlined operations in maintaining an effective security posture. Efficient operations ensure that security teams can focus on high-priority tasks, reducing the time and effort spent on routine or redundant activities. This can lead to faster incident response times and more effective threat mitigation.
Detect and respond capabilities also benefit from improved operational efficiency. Efficient processes and workflows enable adopter security teams to quickly identify and respond to threats, minimizing the potential damage caused by cyberattacks. Automation and orchestration tools can play a significant role in enhancing operational efficiency by automating repetitive tasks and enabling seamless coordination between different security functions.
Exposure management is another area that is linked to operational efficiency among a number of adopters. Efficient processes for vulnerability assessment and patch management can help organizations quickly identify and remediate vulnerabilities, reducing the attack surface and minimizing the risk of exploitation. Streamlined adopter workflows and automated tools can enhance the speed and accuracy of these processes, ensuring that vulnerabilities are addressed promptly.
Lack of Visibility
Lack of visibility is another critical challenge facing case-based field research (CBR) participants who cite several key cybersecurity business values, particularly exposure management, detect and respond, and SecOps efficiency. Exposure management is the value most often linked to lack of visibility, indicating that adopters struggle to identify and manage vulnerabilities across their digital assets. Without adequate visibility, it becomes challenging to monitor network traffic, detect anomalies and understand the full extent of the attack surface. This lack of insight can lead to delayed responses to threats, increasing the risk and duration of successful cyberattacks.
Effective threat detection relies heavily on the ability to monitor and analyze data from various sources in real time. When visibility is compromised, it hampers the ability to detect malicious activities promptly and respond effectively. This can lead to prolonged dwell times for attackers within the network, increasing the potential for data breaches and other security incidents.
Adopters highlighted that preemptive cybersecurity products significantly enhanced their visibility into potential threats and vulnerabilities.
SecOps efficiency is another business value named by adopters facing visibility challenges. Security operations centers (SOCs) rely on comprehensive visibility to manage and coordinate security efforts effectively. The lack of visibility can lead to inefficient use of resources, as security teams may spend more time investigating false positives or chasing down incomplete data.
Threat Engineering and Operations
Lack of effective threat engineering and operations is a challenge facing adopters who value SecOps efficiency, exposure management, and detect and respond capabilities. Among these, SecOps efficiency is most strongly linked, highlighting the critical relationship between robust threat engineering practices and maintenance of an effective security posture. Adopters recognize that threat engineering and operations address a broad range of cybersecurity business challenges, particularly when combined with efforts to improve visibility. This comprehensive approach ensures that organizations can effectively identify, assess and mitigate threats, thereby strengthening their overall security framework.
Among the remaining adopter business challenges, the importance of OT as part of cyber-physical systems (CPS) security will escalate over the next three years. This will be driven by the convergence of IT and OT environments, the expanding attack surface of CPS, regulatory imperatives and the financial ramifications of cybersecurity incidents.
Additional Business Challenges
Beyond the top three observations discussed in this section, Table 2 highlights several other critical areas, including breaches, the technical environment, and data protection. Breaches significantly impact detection and response as well as exposure management, underscoring the need for advanced threat detection and incident response capabilities.
The technical environment also plays a crucial role in supporting security measures, emphasizing the importance of regular updates and scalable security solutions. The data protection challenge remains paramount and is linked to the data protection and detect and respond business values, necessitating strict policies and compliance with regulations. Interestingly, some types of business value, such as AI-provided recommendations and brand protection, are not associated with these challenges by any participants, suggesting that these functions may not be as heavily affected by the broader security landscape.
Near-Term Implications for Product Leaders
Visibility is a critical challenge for adopters who value key cybersecurity benefits such as exposure management, detect and respond, and SecOps efficiency. However, while there are significant organizational concerns about protection from ransomware attacks, most adopters who cite ransomware as a challenge do not currently value these preemptive tools as major risk mitigators. Product leaders offering preemptive solutions should integrate further with security orchestration and automation platforms, and SOC services. Focus on automating repetitive tasks to streamline operations and enhance coordination between different security functions.
The finding that AI-provided recommendations and brand protection are rarely or never associated with most business challenges shows that while certain security measures are viewed by adopters as universally critical, others are considered more context-dependent. Adopters are seeking further evidence of contextually aware, tailored solutions to address specific organizational needs in areas such as operational efficiency and detect and respond. Product leaders should ensure that the AI-driven insights are fed into security information and event management (SIEM) platforms to enrich the quality of data and automate response mechanisms.
Adoption Insight: Preemptive Cyber Defense Adopters Highly Value Detect and Respond and Exposure Management Capabilities
The business differentiation heat map in Table 3 shows how adopters value common features and offers a consolidated view of product differentiation based on adopter feedback.
Table 3. Adopter view of product differentiation, by adopter business value (heat map; cell shading not reproduced)
Columns (product differentiation): Prevention and deception/early detection of cyberthreats; Threat detection engineering/operations and technical; Detect and respond/takedown; Automation and process improvement; Ability to overcome compliance requirements around data retention and data protection; Flexibility and adaptability; Integrations with different systems; Ability to prioritize risks; Enterprisewide coverage and deployment efficiency; Key management and dynamic encryption
Rows (adopter business value): Detect and respond; Exposure management; SecOps efficiency; Human capability efficiency; Cost savings; Data protection; Go-to-market activities; Brand protection and regulatory compliance; Attack frustration (more takedowns/no ransomware attack); AI-provided recommendations; Protection over AI and quantum threats; OT security; Threat detection engineering/operations; Control validation; Code processing time
Legend: High ◼◼◼◼◻ Low
Source: Gartner (November 2024)
Strengths in Deception and Early Detection of Cyberthreats
Adopters whose cybersecurity business values include detect and respond, SecOps efficiency and exposure management consistently gave positive feedback in expected areas like “prevention and deception/early detection of cyberthreats” and “threat detection engineering/operations and technical.” However, they also gave high ratings in “detect and respond/takedown” and “automation and process improvement.” This indicates that adopters value products that streamline security operations and ensure robust control mechanisms. The high regard for these differentiating categories reflects adopter satisfaction with automation capabilities and the ability to validate security controls effectively.
Adopters appreciate the system integration capabilities of preemptive security products; those who cite the “detect and respond” business value are particularly likely to give positive feedback regarding “integrations with different systems” and “enterprisewide coverage and deployment efficiency.” These capabilities can serve as competitive advantages in offering comprehensive security solutions that are easily integrated with existing systems.
Adopters who cite “human capability efficiency” as a business value also give positive feedback to differentiators that involve early detection of cyberthreats and support to engineering activities, particularly in “automation and process improvement.”
Data Integrity and Local Control
Adopters acknowledge the role of preemptive security products’ differentiating features in aiding compliance requirements, particularly in the area of data protection; they also highlight a lack of association between such features and other critical areas such as OT security. Data protection encompasses a wide range of activities, including encryption, access controls, data masking and secure data storage, which are not always fully addressed by preemptive security products. As a result, organizations may find it necessary to maintain existing advanced encryption tools, data loss prevention (DLP) systems and robust access management frameworks.
Preemptive security solutions excel in identifying and mitigating threats before they can cause harm, thereby ensuring that organizations can meet regulatory standards and maintain a strong security posture. These tools are particularly effective in providing real-time threat detection and comprehensive exposure management, which are essential for compliance with stringent regulatory frameworks like the EU’s General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA) in the U.S. and the Payment Card Industry Data Security Standard (PCI-DSS).
Near-Term Implications for Product Leaders
Adopters of preemptive security products expressed a desire for enterprisewide coverage and deployment efficiency. However, those who value categories such as SecOps efficiency and exposure management rarely give positive feedback in these areas, suggesting that products emphasizing these values may not be comprehensive enough to cover all aspects of an organization’s security needs.
Product leaders should ensure that their security solutions are scalable and capable of protecting all facets of an organization by enhancing the adaptability of security measures to different environments and integrating them with various enterprise systems. Develop APIs and connectors that facilitate seamless integration with a wide range of enterprise systems and third-party security tools. Conduct thorough testing to ensure compatibility and performance across different IT environments, including cloud, on-premises and hybrid setups.