Vulnerability Remediation

Forrester just confirmed what we've been building toward

May 28, 2026
Forrester's Q1 2026 Proactive Security Platforms Landscape names Vicarius among 40+ vendors. Sagy Kratu on why closed-loop remediation wins.

The Forrester Proactive Security Platforms Landscape, Q1 2026 dropped this week. Vicarius is in it. Forty-plus vendors made the cut, from the scanner incumbents you'd expect (Qualys, Rapid7, Tenable) to the platform giants (Microsoft, Palo Alto, CrowdStrike) and a handful of startups doing genuinely new work.

I want to talk about why being on this list matters, and more importantly, why the report itself is the bigger story.

The category finally caught up

For years, the industry split proactive security into neat little boxes. ASM over here. VRM over there. CAASM, EASM, CTEM, BAS, every acronym has its own slide in some analyst's deck. Buyers were told to assemble a stack: one tool to find assets, another to score them, a third to push tickets to IT, a fourth to validate exploitability, and good luck stitching it all together.

We never bought that story. When we built vRx, the entire thesis was that detection without remediation is a report, not a security outcome. A scanner that hands you 47,000 CVEs and walks away has done roughly half the job, and arguably the easier half.

Forrester's new definition lands on the same point. They define proactive security platforms as a single layer that "consolidates assets and exposures with an organizational perspective, prioritizes optimal remediations, and augments and orchestrates remediation processes." Read that again. Consolidate, prioritize, remediate. One platform. Not three.

That's the shift. The category is no longer about finding more things to worry about. It's about closing the loop.

What the report actually says about remediation

This is the part I keep re-reading. Forrester is explicit: "opening a ticket doesn't necessarily improve security posture." They go further and call out that the differentiation now comes from a platform's ability to "directly influence the remediation or mitigation," including patch management and a control plane for security engineering.

This is a meaningful change in how analysts frame the market. For years, "integrates with ServiceNow" was treated as a feature. Forrester is now saying that ticket creation is table stakes; the real value is in platforms that can act.

vRx was built to act. vPatch handles patching across 20,000+ applications and operating systems. vShield delivers patchless protection when patching isn't possible, sitting between the OS and the application code to neutralize exploitation. vScript automates the remediation workflows that don't fit a CVE-to-patch model. vRadar finds what you didn't know was there. vIntelligence validates whether the exposure is actually reachable before your team spends a sprint fixing it.

If you've been following our roadmap, none of this is news. What's new is that a major analyst firm in our space is now describing the market the way we've been describing it since 2019.

The "shake-ups from startups" line

Buried in the market dynamics section, Forrester writes: "A crowded proactive security platform market is further congested as startups offer new approaches. Continuous security testing validates the reachability and exploitability of exposures and provides better prioritization. Correlating data on remediation owners and optimal remediation actions enhances remediation processes."

Forty vendors are in this report. Three are listed as having geographic focus across NA, EMEA, and LATAM. We're one of them. The other two are Fortinet and Microsoft.

I'm not going to pretend that's the headline finding of the report. But it tells you something about how a Series B company with roughly 100 people has been deploying. Customers in 60+ countries, on three continents, are building remediation workflows on a platform that didn't exist in this category five years ago. That happens because the product solves a problem the incumbents structurally can't.

Where the agentic story is going

Forrester names agentic AI as the "top disruptor" on the horizon. Their framing: AI in proactive security today supports existing use cases. The real disruption comes when "AI agents make remediation changes without humans in the loop." They put that two or more years out.

I'd push back gently on the timeline. We're already shipping toward that future. The hard part of agentic remediation isn't the AI; it's the substrate underneath it. You need a platform that can actually execute, with patch management, scripting, control-plane integration, and rollback. An AI agent on top of a scanner is a chatbot. An AI agent on top of a remediation engine is a coworker.

This is why the convergence Forrester describes matters so much. The vendors who built only the detection half of the loop will spend the next two years trying to bolt on remediation. We spent the last seven years building it.

What to do with this report if you're evaluating tools

A few honest pieces of advice, regardless of whether you end up looking at vRx.

Read Figure 5 carefully. The functionality-by-use-case matrix is the most useful page in the report. It separates what's primary versus secondary for each of the four core use cases (asset inventory, prioritization, remediation, unified reporting). If a vendor pitches you on remediation but only has filled circles in the prioritization column, that's a tell.

Ask vendors whether they can actually fix things. Not whether they can route a ticket, not whether they can recommend an owner, but whether the platform can apply a patch, deploy a script, or activate a compensating control. Half the names on this list cannot.

Be skeptical of "AI-powered" claims that don't translate to action. Forrester is right that most AI in this space today is an interaction layer dressed up as intelligence. Ask what the AI does that changes an outcome.

The closing loop

Being recognized by Forrester is a milestone. But the milestone we actually care about is the one where a CISO can point at a platform, say "fix this," and watch it happen. That's the loop. That's where the category is going. That's what we've been building.

If you want to see what closed-loop remediation looks like in practice, book a vRx demo. Bring your worst remediation backlog. We'll walk through it.

Sagy Kratu

Sr. Product Marketing Manager
