Licensed for Distribution

Market Guide for Vulnerability Assessment

7 August 2023 - ID G00755176 - 23 min read

By Mitchell Schneider, Craig Lawson, and 1 more

Vulnerability management remains a critical security operations activity that helps organizations identify assets,
mitigate threats and meet compliance mandates. Security and risk management leaders can use this guide to
understand VA technologies as part of a broader exposure management program.

Overview
Key Findings
Vulnerability assessment (VA) technology buyers have evolved from tools that only identified vulnerabilities to those that also proactively
assess, manage and report the risks posed by those weaknesses.

The majority of leading VA vendors have added external attack surface management (EASM) capabilities either organically or through
acquisition.

The dominance of point solutions for vulnerability prioritization still persists, and in many cases can provide better functionality than what is
built-in to existing VA solutions.
 VA vendors face increasing competitions from cybersecurity validation products, such as breach and attack simulation and automated
penetration testing. Enterprise VA vendors are also integrating VA with these validation approaches.

Recommendations
Security and risk management leaders responsible for security operations who are selecting and operating VA solutions must:

Evaluate VA solutions’ capabilities for assessment coverage and depth, and support of stand-alone product integrations to fill in the gaps
across the vulnerability life cycle, and to assist in remediation automation.

Leverage vulnerability prioritization technology (VPT) solutions to aid in implementing a risk-based vulnerability management (RBVM)
approach. A tool’s ability to bring the results on a consolidated platform for prioritization and treatment (e.g., patching and other
compensating measures) is also important to enhance operational efficiency.

Combine active network scanning with agent-based scanning as the primary deployment method and leverage passive and API-based
scanning to augment the existing capabilities, and to have real-time visibility with improved asset coverage. This is the main deployment
model many organizations are moving toward with the exception of OT use cases.

Identify vendors offering a combined solution if your organization is resource-constrained or wants to consolidate vendors. More VA vendors
are adding prioritization, attack surface management and attack path mapping capabilities to their products — either complementary or
through an add-on module.

Market Definition
VA solutions identify, categorize and prioritize vulnerabilities as well as orchestrate their remediation or mitigation. Their primary focus is
vulnerability and security configuration assessments for enterprise risk identification and reduction, and reporting against various compliance
standards (see Note 1). VA can be delivered via on-premises, hosted and cloud-based solutions, and it may use appliances and agents.

Core capabilities include:

Discovery, identification and reporting on device, OS, software vulnerabilities and configuration against security-related criteria
 Establishing a baseline for systems, applications and databases to identify and track changes in state

Reporting options for compliance, control frameworks and multiple roles

Standard capabilities include:

Pragmatic remediation prioritization with the ability to correlate vulnerability severity, asset context and threat context that then presents a
better picture of true risk for your specific environment

Guidance for remediating and configuring compensating controls

Management of scanner instances, agents and gateways

Direct integration with, or API access to, asset management tools, workflow management tools and patch management tools

Market Description
VA technology typically supports security operations; network asset and system visibility; and compliance use cases. Security use cases include
vulnerability and security configuration assessments for enterprise risk identification, reduction and reporting against various compliance
standards. Compliance use cases are still a strong driver and include meeting scanning requirements for regulatory or other compliance
regimes, such as the Payment Card Industry Data Security Standard (PCI DSS) or the National Institute of Standards and Technology (NIST).
These requirements can also include application assessment of the infrastructure in scope of the compliance standard.

VA can be delivered via an on-premises solution based on software, appliances, agents, the cloud, hosted solutions and/or a hybrid of these
options. Moreover, it is widely available from managed security service providers (MSSPs), some managed detection and response (MDR)
providers, consultants and outsourcers. VA is also offered by some endpoint protection platform (EPP)/endpoint detection and response (EDR)
vendors.

Adjacent to VA, VPT uses the utility of VA telemetry, asset criticality context, environment context and multiple, preintegrated threat intelligence
sources to augment vulnerability data via advanced analytics. This combination enables organizations to have fundamentally different views of
their specific cyber risks. VPT saves significant time over trying to do this analysis manually. It also provides better insight and context because
acting on these prioritized results will substantially reduce an organization’s attack surface, with the least amount of time and the most efficient
use of staff resources.

Prioritization, though a stage in RBVM, is of prime importance for effective risk and threat reduction. In essence, it is directly aiding in the
reduction of your organization’s attack surface (see Innovation Insight for Attack Surface Management). The leading disruptors in the
prioritization capability remain the pure-play VPT vendors. That said, prioritization concurrently exists as a feature in all the major VA vendor
offerings, either natively or as an add-on capability.

Cybersecurity validation technologies, such as breach and attack simulation (BAS) tools, account for another product class that assists with
prioritization via the use of attack path mapping. BAS tools give organizations a way to take the “attacker’s view” and the means to test their
exposure to attacks, leveraging existing vulnerabilities and the efficacy of the already deployed security controls.

The VA market consists of small to midsize vendors that offer VA services, and large vendors that offer VA as one component of a broader
unified security management portfolio. VPT is mostly offered by stand-alone vendors that, with their prioritization focus, are gaining market
adoption in large enterprises due to more sophisticated methods for prioritization.

Vulnerability-driven technologies are commonly seen as part of a wider ecosystem of capabilities, helping organizations understand their
exposure to threats more broadly. VA focuses on technology that is owned and operated by the organization, providing assessments into the
accessibility and exploitability of issues that exist within the software and the configuration of these platforms. Consider the risks discovered by
vulnerability tools and services in the context of broader enterprise IT, nonowned assets such as SaaS applications, other subscriptions and
social media. Awareness of business-critical functions expands beyond what an organization may own and control. It may be essential to
understand what is visible to an attacker, through attack surface assessments, and to validate the severity and accessibility of an attack to fully
appreciate the impact of and effectively prioritize discovered vulnerabilities.

Market Direction
VA is a mature market and is a mandatory component of information security management and regulatory frameworks. Outsourcers, MSSPs and
MDRs continue to execute VA for large numbers of end-user organizations and remain very popular vehicles for the consumption of VA
technology, delivered as a service.
Revenue in the VA market is concentrated among three vendors: Qualys, Rapid7 and Tenable. Based on Gartner client calls, these three also
dominate vendor visibility on enterprise shortlists. But they face credible competition from VPT vendors, which lead on prioritization features and
have also started to add more pieces of the VA process such as ticketing, configuration management database (CMDB), orchestration and
patching integrations.

VA vendors are now improving only incrementally and using acquisitions in some cases for feature expansion in recent years. For example, they
are expanding their portfolios into adjacent domains with products covering EDR, MDR, security information and event management (SIEM),
dynamic application security testing (DAST), container security, patch management, cloud security posture management (CSPM), EASM and
cyber asset attack surface management (CAASM) to name a few (see Figure 1). These have largely all happened in just the last few years. As a
result, Gartner clients have stated that some vendors have reduced investment and focus on their core VA products, with fewer updates and new
features. Concurrently for other clients, these vendors with more utility are providing ways to reduce the complexity in relation to the numbers of
vendors they are using.

Figure 1: Vulnerability Assessment Overview

In-depth assessments of databases and applications, such as ERP systems (e.g., SAP or Oracle), are not widely supported in traditional VA
solutions. Most VA vendors today provide some OT security capabilities, including from recent acquisitions to better address this use case. But
for specific mature use cases, dedicated OT VA vendors should be evaluated to determine if there is a difference between what a mainstream VA
is doing versus specialist feature sets.

VA against common platforms/major operating systems, network devices and popular third-party applications is universally covered in the
market, with only minute differences between solutions in terms of scope and coverage from the leading vendors. Differentiating solutions
based on these criteria are seldom possible. Vendors can be difficult to differentiate based on scanning accuracy and performance alone.
Gartner sees competition most often based on pricing, rather than features, along with the addition of scanning other asset types such as the
cloud, containers, mobile, OT and IoT.

These new methods of delivering IT work in fundamentally different ways to traditional IT such as the cloud, DevOps and serverless computing.
One example would be the support for covering containers and cloud security posture management. These are overlapping markets where
providers have more mature and visible solutions than VA vendors do at this point in time. To support the discovery and management of a broad
range of threats to these new methods of working, it may be necessary to reevaluate the process for dealing with discovered vulnerabilities, a
continuous process to manage threat exposures more broadly should be a consideration for organizations looking to modernize their VM
programs (see Implement a Continuous Threat Exposure Management (CTEM) Program).

VA capabilities are offered in the stand-alone VA market, as well as adjacent markets in which VA capabilities are being used to supplement
other threat detection and response capabilities. For example, EPP/EDR vendors have added some levels of VA as part of their broader offerings
to assist with threat detection, investigation and response use cases, and to offer another level of visibility into the systems under the scope (see
Decoding Vulnerability Management: A Stand-Alone Tool vs. a Technique in Endpoint Protection). Although the VA feature may appear to be the
same as the capability offered by VA vendors, the extent of vulnerability coverage and ability to assess assets included are often not as broad as
with a VA tool. Gartner does not see these vendors as competitive in the general VA market.
Market Analysis
Vulnerability Assessment
The core, and critical, focus of most users is still around traditional VA. This technology has existed commercially for more than 20 years and, as
such, has had a long time to develop and mature. In recent years, VA vendors have added more coverage in areas of network, mobile, OT, cloud,
and attack surface management. An ongoing evolution of VA is that several providers are offering various levels of sophistication of vulnerability
prioritization. Prioritization by a VA vendor can be a good starting point for small and midsize clients using a homogeneous environment of a VA
vendor for security testing. Also, buying an add-on product from the same vendor helps vendor consolidation, and sometimes cost, with less
effort placed on new training and tool deployment. This is a key area of innovation that end users are strongly advised to seek out in their
procurement cycles and prioritize in the future.

VA vendors have evolved from just scanning to providing support throughout the RBVM process, by offering tighter integrations with other tools
or native modules to bring in efficiencies across the RBVM process. Some VA tools offer asset management or CMDB enhancement features,
and most tools offer remediation automation through either built-in modules, a portfolio product or direct integration with patch management,
security orchestration, automation and response (SOAR), SIEM tools, etc.

Prioritization does decrease the number of vulnerabilities that need remediation right now, but for large enterprises, this goal is strengthened by
orchestration. This is especially so for organizations that are working toward maturing their VM programs by moving from periodic scans to
continuous scans. For large organizations, automation plays an important role in achieving timely remediation.

VPT
VPT tools have significantly changed the VA market. Today, these solutions mainly address critical gaps in VA solutions in how they can better
postprocess the often sheer volume of telemetry produced by VA solutions. Most VPT tools started with a focus on prioritization but are now
evolving into vulnerability intelligence tools to fuel various aspects of VM as described in How To Implement a Risk-Based Vulnerability
Management Methodology.

Today’s VPT tools generally do not run assessment activity themselves; instead, they agnostically leverage the often multiple existing sources of
telemetry that end users already have in place. Tools that create vulnerability telemetry — for example, traditional VA tools, dynamic web
application testing (DAST) and penetration testing data — are supported by these VPT solutions.

They use primarily two other forms of data: threat context via threat intelligence and your organization’s asset criticality context. Threat
intelligence on attacker activity, vulnerability use in malware and internal asset exposure provide a fundamentally better view of operational cyber
risk for an organization to understand their cyber risk and take key proactive actions to prevent breaches.

A third form of prioritization is attack path mapping. Attack path mapping is understanding if and how the attacker targets your organization,
what path they could potentially take to get in, if and how they are moving laterally and what systems the attackers are bypassing due to invalid
security controls/configuration. However, attack path mapping does not necessarily have to validate the security flaws to build attack paths.
Essentially, ingesting vulnerabilities, assets and active directory information to a cloud instance, then calculating the paths based on potential
migration paths, doesn’t mean it is executing binary on the asset or actually taking over an account or elevating privileges.

Collaborating data from any and every security testing tool positions that vendor as an “intelligence” aggregation and dissemination source for
the organization. This helps to significantly reduce the noise and identifies and prioritizes which vulnerabilities need to be aggressively treated
via remediation or mitigation.

Many organizations make good use of web application firewall (WAF), intrusion prevention system (IPS), multifactor authentication (MFA) and
network segmentation controls to reduce the risk severity of vulnerabilities when patches are not available or are taking more time. VPT solution
output can provide excellent insight and inputs into how to tune these types of compensating controls to function more effectively. Some VPT
vendors also collect data from various network and endpoint security controls. However, utilizing this data for vulnerability severity reduction is
an evolving area for most vendors today.

VPT tools perform analytics and prioritize vulnerabilities by using threat intelligence, organizational asset context and risk modeling approaches
such as attack path analysis. This is also an area where advanced analytics methods are being used, such as machine learning (ML). This
permits more granular and intelligent remediation strategies than the more simplistic severity approaches, especially at scale and when
remediating with constrained resources. ML is also being used by some providers to help predict the likelihood that a vulnerability will be
exploited “in the wild” (see Exploit Prediction Scoring System (EPSS), FIRST). This allows organizations to prioritize and focus on higher risk
scenarios as early in the cycle as possible.
Another point of differentiation among VPT vendors lies in their reporting and dashboarding capabilities. With all the ingested data from
disparate sources, there’s a great opportunity to slice and dice the vulnerability data to provide more threat-focused and outcome-driven metrics
as well as benchmarking capabilities. Further progress would be to provide more performance indicators, the ability to add actual business data
(monetary values) and to offer dashboards that provide risk ranking based on an organization’s functional risk, value and cost (see Tracking the
Right Vulnerability Management Metrics). An interesting use case applicable to this capability is customers who end up using multiple VA tools,
or different vendors for agent and network scanning or different vendors for infrastructure and web applications. VPT products can be helpful in
consolidating and prioritizing the results from multiple vendors into one single location to improve visibility and operational efficiency.

Some VPT vendors provide patching and SOAR integrations, which in some cases overlap with existing VA tools’ native or add-on capabilities.
Organizations should evaluate and leverage remediation automation from more tightly integrated products.

Finally, not only the largest, more visible VA vendors, but many other smaller emerging vendors all have various levels of VPT functionality built
into these tools now. While efficacy varies, Gartner recommends first to review the VPT functionality in your existing products to see if this meets
your needs in lieu of deploying another solution.

Adjacent Markets
EASM
EASM has been an emerging product set that supports organizations identifying risks originating from your internet-facing assets and systems
that organizations may be unaware of. VA tools have always had the capability to assess external assets. However, this is rarely used and when
it is, it is focused predominantly on known assets and hasn’t had a remit to assess all assets, including all sanctioned and unsanctioned assets.
Gartner’s Innovation Insight for Attack Surface Management describes our evolved thinking toward organizations needing to move to a more
holistic view of the attack surface and how EASM needs to be considered in that context.

However, during this research cycle, many of the most visible VA vendors have now added EASM to their existing platforms, with some at no
cost to users, making it an excellent additional capability centered around better visibility of an organization’s environment. Over the years,
Gartner has observed the EASM market being absorbed into multiple markets, including some that are emerging, such as digital risk protection
services (DRPS) and breach and attack simulation (BAS), as well as the VA market — the latter particularly due to the size and scale of the
existing VA vendors’ market presence.
Security and risk management leaders with a stand-alone EASM tool should now reevaluate the use of stand-alone products as having EASM
natively integrated from existing solutions, such as VA because it may help deliver better productivity gains and potentially increase volume-
based discounting on a procurement cycle the organization is already committed to.

CAASM
CAASM is an emerging technology area focused on enabling security teams to overcome asset visibility and exposure challenges. It enables
organizations to see all assets (internal and external), primarily through API integrations with existing tools, query consolidated data, identify the
scope of vulnerabilities and gaps in security controls and remediate issues. Core use cases for CAASM include: asset profile consolidation,
visibility gap analysis, security control reporting, audit/compliance reporting, security asset management and issue prioritization.

CAASM can be used to help increase the accuracy of asset inventories. In addition, they ingest vulnerabilities from various source systems and
overlay them with asset information and asset dependencies to provide a better, prioritized approach to patching. CAASM tools focus on asset
use cases for security teams, rather than ITSM use cases, and can bidirectionally integrate with a CMDB, such as a data source and can be used
to augment or remediate issues within a CMDB dataset. CAASM is a technology that when combined with other established technologies (e.g.,
VA, CMDB, firewalls and endpoint management) and emerging technologies (e.g., EASM and DRPS), forms the basis for a more automated
attack surface management process by security teams.

Breach and Attack Simulation

BAS vendors have been evolving in recent years. These vendors have technology that is deployed at various parts of the environment and use
agents and/or virtual machines to actively test the environment for exposures, simulating common methods used by attackers (see Quick
Answer: What Are the Top Use Cases for Breach and Attack Simulation Technology?). These tools are being positioned more as security control
validation tools and not as VA solutions. However, there is overlap with VA in some functionality, as BAS tools assess the environment by
enumerating a range of vulnerabilities without needing to use a VA tool or import telemetry from one to perform exploitation testing.

Their focus is validation against control techniques against attack frameworks, like MITRE that covers a range of vulnerabilities and on a smaller
subset of vulnerabilities that can be exploited in a breach. Importantly, BAS tools do not focus on finding all vulnerabilities. Instead, they
concentrate on those that can be reliably exploited and then report in detail how security controls can adequately address the common
vulnerabilities and exposures (CVEs) discovered. This can be yet another critical aspect of vulnerability prioritization as this level of testing,
unlike with VPT, is active versus passive.
In the context of this research, BAS helps end users by providing an “attackers’ eye view” of their environment, including how an end user’s
existing suite of compensating controls can be bypassed in their environment. Security and risk management leaders can also use simulation
breaches as input into follow-up prioritization activities involving “what actions to take next.” These actions range from configuring/updating
compensating controls, such as Intrusion Detection and Prevention Systems (IDPSs) and WAFs, to network segmentation and, of course,
patching. They can also highlight the configuration issues of these controls.

BAS tools are an effective way to get internal security control context as a key use case. As part of a CTEM framework, they are a way to
“validate” the impact of high-risk vulnerabilities to your environment (see Implement a Continuous Threat Exposure Management (CTEM)
Program). BAS tools can identify gaps and identify/improve the right compensatory controls to better prevent, detect and respond to threats.
VPT vendors also integrate with various network and endpoint security controls to get internal context.

An interesting use case would be to automate and orchestrate across VA, VPT and BAS to provide consistent and rapid proactive threat
protection. An example of this as an outcome here would be in translating vulnerabilities (CVE’s) into the Mitre ATT&CK framework (TTPs). This
would provide a fundamentally better view of operational cyber risk for any organization.

Technology Mapping
Vulnerability management (VM) is a foundational element for security operations teams that want to reduce their threat exposure. How critical
VA is to the VM vulnerability management process often varies considerably based on the size, infrastructure makeup and maturity of the
organization.

Some organizations deploy VA in a stand-alone capacity, providing audit or assessment capabilities to assess risks or to measure compliance.
Others use it in a more operational capacity to assist IT operations in prioritizing and verifying that things such as patches have been
successfully applied. Others integrate VA into their DevSecOps processes, so that VA is applied to applications continuously as they are
developed and deployed. Many organizations do both. However, the buying center is often the security organization/audit organization. IT
operations participate in the configuration assessment.

Actual risk reduction is the ultimate success of any VM program, and there are multiple solutions that assist in achieving the goal. Any tool that
helps provide better visibility and reduce exposure in the least amount of time is the one to invest in right now. Sadly, this cannot be achieved by
only using VA tools, since VM brings a lot of dynamic parts together in terms of people, process and tools. There needs to be the right mix of
integrated and enabling toolsets that work through the entire vulnerability life cycle. Figure 2 aims to capture the moving parts of an RBVM
program and capability provided by each of the technologies in that vulnerability life cycle phase.

Figure 2: Gartner’s Risk-Based Vulnerability Management Methodology

Representative Vendors
The vendors listed in this Market Guide do not imply an exhaustive list. This section is intended to provide more understanding of the market and its
offerings.

Vendor Selection
The 40 vendors listed in Table 1 of this Market Guide provide mature capabilities covering VA and VPT (see Note 2). The list contains technology
companies, not service providers. Gartner lists the vendors who have received the most client interest (judged by searches on gartner.com and
client inquiries).

Table 1: Representative Vendors (Vulnerability Assessment and Vulnerability Prioritization Technology)

Vendor Product or Solution Name

Alfa Group RHD VM

Armis Security Armis Asset Vulnerability Management

Autobahn Security Autobhan Security

Balbix Balbix Security Cloud

Brinqa Brinqa Attack Surface Intelligence Platform

Vendor Product or Solution Name

Continuity StorageGuard

CrowdStrike CrowdStrike Falcon Spotlight

Fortra (Digital Defense) Frontline Vulnerability Manager (Frontline VM)

Epiphany Systems Epiphany Intelligence Platform

Flashpoint Vulnerability Management (VulnDB)

Flexera Software Vulnerability Manager

Greenbone Networks Greenbone Enterprise Appliances/Cloud Service

Hive Pro HivePro Uni5

Holm Security Holm Security VMP

Vendor Product or Solution Name

Intruder Continuous Vulnerability Management

Ivanti Ivanti Neurons for RBVM

Cisco (Kenna Security) Cisco Vulnerability Management (formerly Kenna.VM)

ManageEngine Vulnerability Manager Plus

Microsoft Microsoft Defender Vulnerability Management

Nanitor Nanitor Platform

NopSec Unified VRM

NorthStar NorthStar Navigator

Nucleus Security Enterprise Vulnerability Management

Vendor Product or Solution Name

Outpost24 Farsight

Qualys Qualys VMDR

Rapid7 Nexpose Vulnerability Scanner/InsightVM

RedSeal RedSeal Network/Cloud

Rezilion Software Supply Chain Security

Runecast Runecast Analyzer

Seconize Technologies Seconize DeRisk Center

Secureworks Secureworks Taegis VDR

ServiceNow ServiceNow Vulnerability Response

 Vendor Product or Solution Name

Skybox Security Vulnerability and Threat Management

Tanium Tanium Comply

Tenable Tenable Security Center/Tenable Vulnerability Management/Tenable Lumin

Tufin Vulnerability Prioritization and Management

Veriti Unified Security Posture Management

Intrinsic (Vicarius) TOPIA

Vulcan Cyber Cyber Risk Management Platform

WithSecure WithSecure Elements Vulnerability Management

Source: Gartner (August 2023)

Market Recommendations
Every vulnerability has a life cycle, and each of the phases of this life cycle are important to achieve risk reduction:

Select a VA tool with comprehensive coverage. Most VA tools are strong in identifying and scanning vulnerabilities and system configurations.
Select a vendor that can align with your organization’s computing architecture to provide wide support for your IT assets (in terms of numbers
of classes of assets, such as endpoints, servers, storage, networking, mobile and security).

Implement a risk-based vulnerability management approach by leveraging either inbuilt or a dedicated VPT tool to perform critical
prioritization functions. Exploitability; prevalence in malware and exploit kits; presence and configuration of existing security/compensating
controls; asset context; and active exploitation by threat actors are critical qualifiers in assessing cyber risk. Prioritization has become a
feature of the major VA vendors’ solutions. Sometimes, the vulnerability prioritization capabilities offered by the VA vendors may not be as
comprehensive as a stand-alone, pure-play vendor.

Customers should evaluate workflows and integrations provided by VA tools for remediation. If these capabilities are missing, then VPT tool
vendors can also be evaluated for orchestration in addition to prioritization. Evaluation of this capability is also important, but more so for
organizations with VA tools that lack remediation automation.

BAS today does not offer better breadth when compared to VPT, but rather depth. It methodically evaluates how a vulnerability can be
exploited and provides accurate insight where a threat actor could move next in your environment, and what else they can do with that
vulnerability should it be exploited. They also provide output using open frameworks like MITRE ATT&CK, allowing for security operations
teams to prioritize the configuration of their existing compensating controls to pressing threats known to exist from the BAS assessment.

Organizations that are planning to have a substantial remote workforce should evaluate the scanning and patching ability of VA vendors’
agent-based solutions. The VA features present in endpoint products can also be evaluated for such use cases, since EPP/EDR agents can
focus on providing immediate mitigation or remediation using compensatory controls to reduce the attack surface. Some of these EPP/EDR
vendors offer acceptable assessment functions but remain limited to only assessing where their agents are deployed.

Note 1: Gartner’s Initial Market Coverage

This Market Guide provides Gartner’s initial coverage of the market and focuses on the market definition, rationale for the market and market
dynamics.
Note 2: Vendors
Vendors included in this Market Guide represent a broad section of the technology providers that provide all, or a portion of the major
components described in the research. Some vendors have a longer track record in the marketplace, while others have emerged using new
technologies. Vendors were identified by analyst interactions in the market, as well as through external research of publications and other public
sources.

© 2024 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be
reproduced or distributed in any form without Gartner's prior written permission. It consists of the opinions of Gartner's research organization, which should not be
construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all
warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not
provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s
Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without
input or influence from any third party. For further information, see "Guiding Principles on Independence and Objectivity." Gartner research may not be used as input
into or for the training or development of generative artificial intelligence, machine learning, algorithms, software, or related technologies.

About Careers Newsroom Policies Site Index IT Glossary Gartner Blog Network Contact Send Feedback

© 2024 Gartner, Inc. and/or its Affiliates. All Rights Reserved.