A Year-on-Year Comparison of the SPARK Matrix 2024 vs 2025
The world of IT Risk Management (ITRM) is changing in a seismic way. At the beginning of 2024, the market was characterized by vendors with strong foundational capabilities, i.e., asset discovery, policy governance, and risk registers. Roll forward to 2025, and the goalposts have shifted. Now it’s not only about compliance, but also about continuous, contextual, and automated risk visibility.
The 2024 SPARK Matrix™ depicted a market that was still evolving, with integration and automation starting to take center stage. The 2025 report shows a market that has evolved considerably, with real-time analytics taking top priority along with AI-enabled decision support and cloud-native architecture. Here’s how things have changed.
The Core Evolution: From Static Assessments to Living Risk Frameworks
In 2024, most ITRM platforms prioritized control testing, audit readiness, and incident management. Ongoing monitoring, real-time alerting, and intelligent prioritization were nice-to-haves.
By 2025, these have become non-negotiables.
Key differentiators that shaped vendor leadership in 2025:
- AI-powered analytics and risk scoring engines
- Integration with ITSM, SIEM, and threat intelligence platforms
- Cyber risk quantification (CRQ) with FAIR and monetary impact simulation
- Continuous control monitoring (CCM) for automated evidence gathering
- Modular, no-/low-code configurations for faster deployment
“In 2025, IT risk management has moved beyond foundational risk assessments to embrace more proactive and predictive models,” notes Sahil Dhamgaye, Analyst at QKS Group. He further says that “Compared to last year, there is a stronger emphasis on integrating AI-driven analytics, continuous controls monitoring, and automated compliance workflows.”
Leaders Then and Now: Stability Meets Innovation
- 2024: Leaders driven by integrated GRC + ITSM capabilities, dynamic dashboards, and strong customer footprint.
- 2025: Doubled down on automation, AI risk scoring, and vulnerability response. Now tightly embedded with threat detection workflows, security orchestration, and policy lifecycles.
MetricStream, Diligent, Kroll (Resolver)
- 2024: Positioned as mature platforms with strength in audit workflows, compliance mapping, and flexible reporting.
- 2025: Elevated through cyber risk quantification (FAIR model), real-time dashboards, integrated remediation playbooks, and continuous policy alignment.
New Entrants to the Leadership Zone in 2025:
- SureCloud: Graduated from a strong performer to a leader by expanding its predictive analytics roadmap and strengthening low-code deployment architecture.
- SAI360: Moved from niche to mainstream with ESG-driven controls, continuous monitoring, and proactive vulnerability tracking.
- SwissGRC: Emerged as a new Leader, leveraging structured ISMS offerings tailored to European compliance standards and multi-industry needs.
“As cloud ecosystems, IoT networks, and digital supply chains grow more intricate, organizations are prioritizing real-time risk intelligence,” adds Dhamgaye. “Platforms like ServiceNow, IBM, and MetricStream are no longer just about managing IT risk; they’re about predicting and preventing it.”
The Contenders: Stagnant, Focused, or Caught in Transition
2024 Contenders That Remain So in 2025:
Common storylines across both years:
- Strong compliance modules and asset management workflows
- Limited AI adoption or sandbox environments for risk testing
- Interface and usability gaps limiting enterprise deployment at scale
Notable developments:
- LogicGate introduced advanced penetration testing and FAIR-aligned CRQ, but still lacks out-of-the-box playbooks and intuitive reporting.
- LogicManager continues to offer deep domain coverage (ITGC, SOX, Privacy Risk), but its reporting UX and customer service challenges persist.
Vendors Losing Ground (2025 Lower-Contenders):
- TruOps, Acuity Risk Management, Brinqa
- TruOps: Multi-tenant capabilities are still relevant, but the Clark AI module and native automation need maturity.
- Acuity: Good visibility and dashboarding, but lacks scalability and multilingual support.
- Brinqa: Excellent risk visualization, but complexity, lack of mobile support, and poor update communication held it back.
Brinqa in particular was mid-tier in 2024 with a rising trajectory due to its graph-based analytics. But by 2025, it fell to the lower tier as newer platforms embraced full-stack automation.
The Aspirants: Still Foundational in a High-Expectations Market
2024 vs 2025:
- Onspring and Allgress held onto their Aspirant positioning.
- Onspring: No-code builder with useful ITSM overlays but lacks enterprise-grade analytics or cyber quantification.
- Allgress: User-friendly platform, but outdated mobile support, AI gaps, and limited third-party integrations.
These platforms remain viable for SMBs or internal IT teams with basic risk needs, but lack the automation, CRQ, or integrations needed for true enterprise adoption.
Market-Level Shifts from 2024 to 2025
| Dimension | 2024 Emphasis | 2025 Emphasis |
|---|---|---|
| Core Capabilities | Asset discovery, incident tracking, compliance | AI-driven scoring, CRQ, automation, continuous monitoring |
| Architecture | Monolithic or hybrid GRC stacks | Modular, cloud-native, low-code configurable platforms |
| Intelligence | Manual testing, limited analytics | Predictive insights, FAIR model, real-time dashboards |
| Integration | Partial with ITSM and IAM | Full integration with SIEM, CMDB, threat intel systems |
| Use Case Maturity | GRC-centric deployments | Full ITRM lifecycle coverage + enterprise security |
| Leadership Differentiators | Documentation, audit workflows, policy mapping | CRQ, vulnerability automation, AI-powered decisioning |
Closing Thoughts: Risk as a Real-Time Discipline
If 2024 was the year ITRM platforms consolidated and scaled their policy and compliance engines, 2025 is the year they evolved into real-time decision support systems.
The best vendors are those that have embraced:
- Automation not just for risk assessments but for remediation.
- AI not just for reporting but for decision support.
- Compliance frameworks not as checklists but as integrated controls tied to operational telemetry.
As cyber threats grow more dynamic and risk becomes everyone’s business, not just the CISO’s, the winners will be platforms that don’t just manage risk… but interpret it, quantify it, and act on it instantly.
“This evolution clearly highlights the growing market demand for solutions that not only identify and mitigate risks,” concludes Dhamgaye, “but also build long-term cyber resilience in an increasingly volatile threat landscape.”