IT, Telecom & Cyber · Australia (Perth)

Rebalance Sourcing Toward Incident Retainers and Identity Integrations

Published May 22, 2026, 6:06 AM AWSTAPACFull category signal
Ask AI
Group-IB named Gartner vendor in incident response guide

In 60 seconds

Top move

Gartner's inclusion of Group-IB strengthens the commercial case for incident-response retainers as a predictable procurement vehicle for preparedness plus short-notice response

Key takeaways

  • Gartner's inclusion of Group-IB strengthens the commercial case for incident-response retainers as a predictable procurement vehicle for preparedness plus short-notice response.[3]
  • SonicWall's report shows persistent gaps in fundamentals (long attacker dwell, slow enterprise patching), so buyers should treat telemetry access and remediation SLAs as procurement levers to reduce operational exposure.[1]
  • 1Kosmos' Epic Toolbox designation lowers integration work for health‑system identity proofing, shifting procurement focus to pre-certified artefacts and NIST IAL2 evidence rather than heavy custom integration bids.[2]
  • Valkey 9.1 claims lower memory use and improved tooling that could reduce cloud run-costs for read-heavy services, but the release is community-driven and requires vendor-support checks before any cost assumptions.[4]
  • Tool sprawl and detection gaps reported by SonicWall increase demand for consolidated managed services and retainers that combine readiness exercises with fix capacity, not just emergency call-outs.[1]

What changed since last run

  • Added a vendor-level signal: Group-IB was named in Gartner's Market Guide for incident-response retainers; this is a new shortlist candidate not present in the previous brief.
  • New integration pathway: 1Kosmos gained Epic Toolbox designation for MyChart identity verification, introducing a lower-effort route into healthcare portals absent from the prior run.
  • Introduced an infrastructure open-source signal: Valkey 9.1's community release suggests a potential infra cost lever that was not covered in the prior remediation- and crypto-focused brief.

Key facts

  • Attackers dwell in environments an average of 181 days (report finding)
  • 77% of organisations need more than a week to patch enterprise-wide (report finding)
  • Identity, cloud and credential compromise account for the majority of actionable alerts
  • Designated for Epic MyChart identity verification
  • Claims conformance with NIST Identity Assurance Level 2 (IAL2)
  • Supports enrolment and account recovery flows inside MyChart

Why it matters

Gartner's inclusion of Group-IB strengthens the commercial case for incident-response retainers as a predictable procurement vehicle for preparedness plus short-notice response. SonicWall's report shows persistent gaps in fundamentals (long attacker dwell, slow enterprise patching), so buyers should treat telemetry access and remediation SLAs as procurement levers to reduce operational exposure. 1Kosmos' Epic Toolbox designation lowers integration work for health‑system identity proofing, shifting procurement focus to pre-certified artefacts and NIST IAL2 evidence rather than heavy custom integration bids. Valkey 9.1 claims lower memory use and improved tooling that could reduce cloud run-costs for read-heavy services, but the release is community-driven and requires vendor-support checks before any cost assumptions

Cost / money

  • Moving from emergency ad-hoc response to retainer contracts converts unpredictable incident fees into budgeted operating expense and lets buyers allocate prepaid hours to preparedness work.[3]
  • If Valkey's memory-efficiency claims hold in practice, buyers running read-heavy distributed services can reduce instance sizing and recurring cloud costs after a validated proof of concept.[4]

Supplier / commercial

  • Inclusion in Gartner's guide increases Group-IB's visibility and shifts shortlist leverage toward vendors that can demonstrate local operational centres, SLAs and prepaid preparedness offerings.[3]
  • Epic Toolbox designation gives 1Kosmos a clearer route into health-system procurement, pressuring other identity vendors to supply platform artefacts and pre-certification to stay competitive.[2]

Safety / operations

  • Long attacker dwell times and slow patching mean buyers face higher containment risk; contractual telemetry access and remediation SLAs materially improve incident detection-to-containment outcomes.[1]
  • Retainer models that include preparedness exercises, prepaid hours and local response personnel improve runbook execution and reduce coordination friction during a live incident.[3]

What to watch

  • Valkey's performance and tooling claims are community-driven; don't assume enterprise-grade support or SLAs exist—validate commercial support options before relying on claimed efficiencies.[4]
  • Vendors' 'readiness' or rapid-detection marketing claims should be validated with evidence (test artefacts, telemetry samples and SLAs) because SonicWall shows detection gaps persist despite vendor claims.[1]

Top stories

Story 1SecurityBrief Australia

A long time ago in a galaxy far, far away…Cybersecurity was already hard

Signal strongSource-grounded
Source notes [1]Read source

What happened

SonicWall's 2026 Cyber Protect report documents persistent control failures: long attacker dwell, slow enterprise patching and widespread tool sprawl. The report provides concrete operational signals—attackers dwell for long periods and organisations often take more than a week to patch—making telemetry, remediation throughput and contractual playbooks procurement priorities. Watch whether vendors supply measurable detection-to-containment evidence and patching throughput data when engaged

Buyer takeaway

Treat the report as a strong operational demand signal for managed remediation, telemetry access and evidence-backed detection claims

Cost / money

Expect steady Opex demand for managed patching and remediation retainers because internal teams struggle to close backlogs quickly

Supplier / commercial

Vendors that can produce telemetry samples, playbooks and sustained remediation throughput will command preferred commercial positions

Safety / operations

Long dwell times and slow patching increase incident impact; contractual remedies and playbook access reduce containment time and cross-team friction

What to watch

Validate vendor detection and patching claims with test artefacts and telemetry examples rather than marketing statements

Key facts

  • Attackers dwell in environments an average of 181 days (report finding)
  • 77% of organisations need more than a week to patch enterprise-wide (report finding)
  • Identity, cloud and credential compromise account for the majority of actionable alerts

Source excerpts

Their response?
Overexposed Access is the third deadly sin
The Empire fell because of seven compounding failures
Story 2SecurityBrief Australia

1Kosmos wins Epic Toolbox identity verification spot

Signal strongSource-grounded
Source notes [2]Read source

What happened

1Kosmos has been designated for Epic Toolbox identity verification inside MyChart, allowing its proofing service to run within a widely used patient portal. That reduces custom integration work for health systems because the integration conforms to Epic's channels and claims NIST IAL2 alignment, making operational rollout simpler. Watch whether hospitals prefer pre-certified vendors to cut implementation time and professional-services costs

Buyer takeaway

Prioritise vendors with platform designations to reduce implementation effort and lower project risk

Cost / money

Pre-certified integrations can reduce professional-services and integration labour costs versus building custom connectors

Supplier / commercial

Vendors with platform badges gain easier access to health-system shortlists and can command pricing advantages on integration scope

Safety / operations

Correctly implemented identity proofing reduces account takeover and impersonation risks in patient portals

What to watch

Confirm NIST IAL2 conformance with artefacts and operational test evidence; designation does not replace technical validation

Key facts

  • Designated for Epic MyChart identity verification
  • Claims conformance with NIST Identity Assurance Level 2 (IAL2)
  • Supports enrolment and account recovery flows inside MyChart

Source excerpts

The integration is intended to let health organisations add identity proofing within MyChart rather than build separate verification connections around the portal. This can reduce integration work while aligning with Epic's recommended identity practices, according to 1Kosmos
JOSEPH GABRIEL LAGONSIN News Editor 1Kosmos has received Epic Toolbox designation for Identity Verification for MyChart, making its identity proofing service available within Epic's patient portal environment
This can reduce integration work while aligning with Epic's recommended identity practices, according to 1Kosmos
Story 3SecurityBrief Australia

Group-IB named Gartner vendor in incident response guide

Signal strongSource-grounded
Source notes [3]Read source

What happened

Group-IB was named a Representative Vendor in Gartner's guide for incident-response retainers, highlighting its retainer model that bundles preparedness work (exercises, red teaming) with short-notice response. The article stresses local Digital Crime Resistance Centres and prepaid hours as differentiators that align services with client jurisdictions. Procurement should treat retainer scope, local presence and prepaid hours mix as evaluation criteria rather than buying on price alone

Buyer takeaway

Treat retainer contracts as a combined preparedness and rapid-response procurement mechanism to reduce incident execution risk

Cost / money

Retainers let buyers spread incident response costs into predictable Opex and use prepaid hours for readiness work

Supplier / commercial

Vendors with local operational centres and documented casework can justify premium pricing and preferred slots during incidents

Safety / operations

Pre-incident exercises and local response teams reduce time-to-containment and improve cross-jurisdictional coordination

What to watch

Validate SLAs, local staffing levels and the convertibility of prepaid hours to live support under contract terms

Key facts

  • Named Representative Vendor in Gartner's Market Guide for IR retainers
  • Retainer model covers investigation, containment, eradication and recovery
  • Offers prepaid hours usable for preparedness work and local response support

Source excerpts

Group-IB said its retainer offering covers the full incident response cycle, from investigation and containment to eradication and recovery. Clients can also use prepaid hours for preparation work such as red teaming, staff training and readiness exercises, as well as live incident support
Market visibility Inclusion in a Gartner market guide can raise visibility among corporate and public sector buyers evaluating suppliers in a specific segment
Group-IB has been named a Representative Vendor in the 2026 Gartner Market Guide for Cybersecurity Incident Response Retainer Services, placing it among providers tracked in the market for round-the-clock incident response support. The guide describes cybersecurity incident response retainer services as a mix of proactive and reactive work sold on a retainer basis, including investigation, containment and eradication, with some providers also covering recovery
Story 4SecurityBrief Australia

Valkey 9.1 cuts memory use & boosts security tools

Signal moderateDirectional
Source notes [4]Read source

What happened

Valkey released version 9.1 claiming per-key memory reductions and updated ecosystem tooling for search and client libraries. The release is community-driven and lists major contributors, so the technical change is real but enterprise support and commercial SLAs are not guaranteed. Procurement should run a POC and confirm commercial support options before changing cloud sizing or support contracts

Buyer takeaway

Consider a targeted POC to verify claimed efficiency gains and confirm vendor support before procurement changes

Cost / money

If validated, memory reductions may lower instance sizing and recurring cloud costs for specific workloads

Supplier / commercial

Open-source shifts commercial negotiation toward support vendors or cloud partners rather than a single licensor

Safety / operations

Core storage changes require careful testing; tooling updates can reduce inspection overhead if stable

What to watch

Adoption depends on ecosystem maturity and commercial support; don't assume immediate enterprise SLAs

Key facts

  • Claims reduced per-key memory use for common workloads
  • Ecosystem updates include Valkey Search and Valkey GLIDE client improvements
  • Project contributors include major cloud and infrastructure firms

Source excerpts

4. The release adds support for client-side caching and transparent caching, while extending language support to C# and PHP
1 of its open source key-value database, adding updates to security, memory efficiency and operational tooling
Search module Alongside the core database release, the Valkey community has updated Valkey Search to version 1

VP Snapshot

Executive Risk & Action View

Gartner's inclusion of Group-IB strengthens the commercial case for incident-response retainers as a predictable procurement vehicle for preparedness plus short-notice response.

Overall
69
Cost
61
Supply
43
Schedule
20
Compliance
15

Top signals

30-180dcost

Signal 1: Cost / money

Moving from emergency ad-hoc response to retainer contracts converts unpredictable incident fees into budgeted operating expense and lets buyers allocate prepaid hours to preparedness work.

Signal 2: Cost / money

If Valkey's memory-efficiency claims hold in practice, buyers running read-heavy distributed services can reduce instance sizing and recurring cloud costs after a validated proof of concept.

30-180dcommercial

Signal 3: Supplier / commercial

Inclusion in Gartner's guide increases Group-IB's visibility and shifts shortlist leverage toward vendors that can demonstrate local operational centres, SLAs and prepaid preparedness offerings.

30-180dsupply

Signal 4: Supplier / commercial

Epic Toolbox designation gives 1Kosmos a clearer route into health-system procurement, pressuring other identity vendors to supply platform artefacts and pre-certification to stay competitive.

30-180dsupplier

Signal 5: Safety / operations

Long attacker dwell times and slow patching mean buyers face higher containment risk; contractual telemetry access and remediation SLAs materially improve incident detection-to-containment outcomes.

Signal 6: Safety / operations

Retainer models that include preparedness exercises, prepaid hours and local response personnel improve runbook execution and reduce coordination friction during a live incident.

Recommended actions

CategoryDue 3d

Inventory incident-response coverage and tag business units lacking a retainer or guaranteed short-notice access.

Annotated map of teams and assets without retainer coverage to inform immediate sourcing or emergency bridging decisions.

ContractsDue 21d

Issue an RFP addendum for healthcare identity suppliers requiring proof of Epic integration artefacts and NIST IAL2 evidence.

RFP responses that include integration artefacts and conformance evidence to shorten evaluation and implementation timelines.

OpsDue 21d

Run a focused POC of Valkey 9.1 against a representative read-heavy workload to measure actual memory and tooling impacts.

POC report showing measured memory usage, operational constraints, and recommended next-step procurement stance (adopt, support contract, or skip).

ContractsDue 21d

Request sample telemetry, playbooks and remediation throughput evidence from shortlisted security suppliers as part of commercial qualification.

Qualification packs from suppliers containing telemetry examples, playbook excerpts and remediation throughput metrics to support shortlist decisions.

LegalDue 60d

Negotiate contract clauses for critical security suppliers requiring telemetry access, remediation SLAs, prepaid preparedness hours and local response commitments.

Contract templates that include telemetry access terms, defined remediation SLAs, and prepaid-hours scope to support operational readiness and supplier accountability.

Risk register

RiskTriggerMitigation
Valkey's performance and tooling claims are community-driven; don't assume enterprise-grade support or SLAs exist—validate commercial support options before relying on claimed efficiencies.Valkey's performance and tooling claims are community-driven; don't assume enterprise-grade support or SLAs exist—validate commercial support options before relying on claimed efficiencies.Confirm exposure with category, contracts, and operations before the next supplier commitment.
Vendors' 'readiness' or rapid-detection marketing claims should be validated with evidence (test artefacts, telemetry samples and SLAs) because SonicWall shows detection gaps persist despite vendor claims.Vendors' 'readiness' or rapid-detection marketing claims should be validated with evidence (test artefacts, telemetry samples and SLAs) because SonicWall shows detection gaps persist despite vendor claims.Confirm exposure with category, contracts, and operations before the next supplier commitment.

CM Snapshot

Category Manager Decision Detail

Today's priorities

Inventory incident-response coverage and tag business units lacking a retainer or guaranteed short-notice access.

because Group-IB's Gartner inclusion highlights retainers as an operationally real procurement mechanism that closes preparedness and response gaps.

Due 3d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Issue an RFP addendum for healthcare identity suppliers requiring proof of Epic integration artefacts and NIST IAL2 evidence.

because 1Kosmos' Epic Toolbox designation lowers integration work and buyers should demand the same pre-certified artefacts to reduce implementation effort and vendor profession...

Due 21d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Run a focused POC of Valkey 9.1 against a representative read-heavy workload to measure actual memory and tooling impacts.

because claimed per-key memory savings and tooling changes could translate to ongoing infra cost reductions but require validation in your environment before procurement decisions.

Due 21d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Request sample telemetry, playbooks and remediation throughput evidence from shortlisted security suppliers as part of commercial qualification.

because SonicWall and incident-response guidance show detection and remediation claims vary in reality, so evidence-based qualification reduces supplier execution risk.

Due 21d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Supplier radar

SecurityBrief Australia

high

Observed supplier signal

Inclusion in Gartner's guide increases Group-IB's visibility and shifts shortlist leverage toward vendors that can demonstrate local operational centres, SLAs and prepaid preparedness offerings.

Commercial implication

Inclusion in Gartner's guide increases Group-IB's visibility and shifts shortlist leverage toward vendors that can demonstrate local operational centres, SLAs and prepaid preparedness offerings.

Next step: Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.

SecurityBrief Australia

high

Observed supplier signal

Epic Toolbox designation gives 1Kosmos a clearer route into health-system procurement, pressuring other identity vendors to supply platform artefacts and pre-certification to stay competitive.

Commercial implication

Epic Toolbox designation gives 1Kosmos a clearer route into health-system procurement, pressuring other identity vendors to supply platform artefacts and pre-certification to stay competitive.

Next step: Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.

Negotiation levers

Inventory incident-response coverage and tag business units lacking a retainer or guaranteed short-notice access.

When to use: because Group-IB's Gartner inclusion highlights retainers as an operationally real procurement mechanism that closes preparedness and response gaps.

Expected outcome: Annotated map of teams and assets without retainer coverage to inform immediate sourcing or emergency bridging decisions.

Commercial mechanism to carry into the next supplier conversation

Issue an RFP addendum for healthcare identity suppliers requiring proof of Epic integration artefacts and NIST IAL2 evidence.

When to use: because 1Kosmos' Epic Toolbox designation lowers integration work and buyers should demand the same pre-certified artefacts to reduce implementation effort and vendor profession...

Expected outcome: RFP responses that include integration artefacts and conformance evidence to shorten evaluation and implementation timelines.

Commercial mechanism to carry into the next supplier conversation

Run a focused POC of Valkey 9.1 against a representative read-heavy workload to measure actual memory and tooling impacts.

When to use: because claimed per-key memory savings and tooling changes could translate to ongoing infra cost reductions but require validation in your environment before procurement decisions.

Expected outcome: POC report showing measured memory usage, operational constraints, and recommended next-step procurement stance (adopt, support contract, or skip).

Commercial mechanism to carry into the next supplier conversation

Request sample telemetry, playbooks and remediation throughput evidence from shortlisted security suppliers as part of commercial qualification.

When to use: because SonicWall and incident-response guidance show detection and remediation claims vary in reality, so evidence-based qualification reduces supplier execution risk.

Expected outcome: Qualification packs from suppliers containing telemetry examples, playbook excerpts and remediation throughput metrics to support shortlist decisions.

Commercial mechanism to carry into the next supplier conversation

Talking points

Gartner's inclusion of Group-IB strengthens the commercial case for incident-response retainers as a predictable procurement vehicle for preparedness plus short-notice response.
SonicWall's report shows persistent gaps in fundamentals (long attacker dwell, slow enterprise patching), so buyers should treat telemetry access and remediation SLAs as procurement levers to reduce operational exposure.
1Kosmos' Epic Toolbox designation lowers integration work for health‑system identity proofing, shifting procurement focus to pre-certified artefacts and NIST IAL2 evidence rather than heavy custom integration bids.
Valkey 9.1 claims lower memory use and improved tooling that could reduce cloud run-costs for read-heavy services, but the release is community-driven and requires vendor-support checks before any cost assumptions.

Supplier radar

SupplierSignalImplicationNext stepConfidence
SecurityBrief AustraliaInclusion in Gartner's guide increases Group-IB's visibility and shifts shortlist leverage toward vendors that can demonstrate local operational centres, SLAs and prepaid preparedness offerings.Inclusion in Gartner's guide increases Group-IB's visibility and shifts shortlist leverage toward vendors that can demonstrate local operational centres, SLAs and prepaid preparedness offerings.Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.high
SecurityBrief AustraliaEpic Toolbox designation gives 1Kosmos a clearer route into health-system procurement, pressuring other identity vendors to supply platform artefacts and pre-certification to stay competitive.Epic Toolbox designation gives 1Kosmos a clearer route into health-system procurement, pressuring other identity vendors to supply platform artefacts and pre-certification to stay competitive.Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.high

Negotiation levers

  • Inventory incident-response coverage and tag business units lacking a retainer or guaranteed short-notice access.because Group-IB's Gartner inclusion highlights retainers as an operationally real procurement mechanism that closes preparedness and response gaps.Annotated map of teams and assets without retainer coverage to inform immediate sourcing or emergency bridging decisions.

    high confidence

  • Issue an RFP addendum for healthcare identity suppliers requiring proof of Epic integration artefacts and NIST IAL2 evidence.because 1Kosmos' Epic Toolbox designation lowers integration work and buyers should demand the same pre-certified artefacts to reduce implementation effort and vendor profession...RFP responses that include integration artefacts and conformance evidence to shorten evaluation and implementation timelines.

    high confidence

  • Run a focused POC of Valkey 9.1 against a representative read-heavy workload to measure actual memory and tooling impacts.because claimed per-key memory savings and tooling changes could translate to ongoing infra cost reductions but require validation in your environment before procurement decisions.POC report showing measured memory usage, operational constraints, and recommended next-step procurement stance (adopt, support contract, or skip).

    high confidence

  • Request sample telemetry, playbooks and remediation throughput evidence from shortlisted security suppliers as part of commercial qualification.because SonicWall and incident-response guidance show detection and remediation claims vary in reality, so evidence-based qualification reduces supplier execution risk.Qualification packs from suppliers containing telemetry examples, playbook excerpts and remediation throughput metrics to support shortlist decisions.

    high confidence

What to do / What to watch

What to do now

  • Inventory incident-response coverage and tag business units lacking a retainer or guaranteed short-notice access.

    Why: because Group-IB's Gartner inclusion highlights retainers as an operationally real procurement mechanism that closes preparedness and response gaps.

    Owner: Category

    Expected outcome: Annotated map of teams and assets without retainer coverage to inform immediate sourcing or emergency bridging decisions.

    [3]

Next few weeks

  • Issue an RFP addendum for healthcare identity suppliers requiring proof of Epic integration artefacts and NIST IAL2 evidence.

    Why: because 1Kosmos' Epic Toolbox designation lowers integration work and buyers should demand the same pre-certified artefacts to reduce implementation effort and vendor profession...

    Owner: Contracts

    Expected outcome: RFP responses that include integration artefacts and conformance evidence to shorten evaluation and implementation timelines.

    [2]
  • Run a focused POC of Valkey 9.1 against a representative read-heavy workload to measure actual memory and tooling impacts.

    Why: because claimed per-key memory savings and tooling changes could translate to ongoing infra cost reductions but require validation in your environment before procurement decisions.

    Owner: Ops

    Expected outcome: POC report showing measured memory usage, operational constraints, and recommended next-step procurement stance (adopt, support contract, or skip).

    [4]
  • Request sample telemetry, playbooks and remediation throughput evidence from shortlisted security suppliers as part of commercial qualification.

    Why: because SonicWall and incident-response guidance show detection and remediation claims vary in reality, so evidence-based qualification reduces supplier execution risk.

    Owner: Contracts

    Expected outcome: Qualification packs from suppliers containing telemetry examples, playbook excerpts and remediation throughput metrics to support shortlist decisions.

    [1][3]

Longer view

  • Negotiate contract clauses for critical security suppliers requiring telemetry access, remediation SLAs, prepaid preparedness hours and local response commitments.

    Why: because combining contractual telemetry access with prepaid preparedness and SLAs transfers operational risk to suppliers and improves time-to-containment during incidents.

    Owner: Legal

    Expected outcome: Contract templates that include telemetry access terms, defined remediation SLAs, and prepaid-hours scope to support operational readiness and supplier accountability.

    [1][3]

What to watch

  • Valkey's performance and tooling claims are community-driven; don't assume enterprise-grade support or SLAs exist—validate commercial support options before relying on claimed efficiencies
  • Vendors' 'readiness' or rapid-detection marketing claims should be validated with evidence (test artefacts, telemetry samples and SLAs) because SonicWall shows detection gaps persist despite vendor claims
  • Valkey's performance and tooling claims are community-driven; don't assume enterprise-grade support or SLAs exist—validate commercial support options before relying on claimed efficiencies.: Valkey's performance and tooling claims are community-driven; don't assume enterprise-grade support or SLAs exist—validate commercial support options before relying on claimed efficiencies
  • Vendors' 'readiness' or rapid-detection marketing claims should be validated with evidence (test artefacts, telemetry samples and SLAs) because SonicWall shows detection gaps persist despite vendor claims.: Vendors' 'readiness' or rapid-detection marketing claims should be validated with evidence (test artefacts, telemetry samples and SLAs) because SonicWall shows detection gaps persist despite vendor claims
  • Gartner's inclusion of Group-IB strengthens the commercial case for incident-response retainers as a predictable procurement vehicle for preparedness plus short-notice response
  • SonicWall's report shows persistent gaps in fundamentals (long attacker dwell, slow enterprise patching), so buyers should treat telemetry access and remediation SLAs as procurement levers to reduce operational exposure
  • 1Kosmos' Epic Toolbox designation lowers integration work for health‑system identity proofing, shifting procurement focus to pre-certified artefacts and NIST IAL2 evidence rather than heavy custom integration bids
  • Valkey 9.1 claims lower memory use and improved tooling that could reduce cloud run-costs for read-heavy services, but the release is community-driven and requires vendor-support checks before any cost assumptions

Market pulse

IndexLatestChangeAs of
Palo Alto (PANW)320 +0.00 (+0.00%)May 21, 2026, 10:10 PM
CrowdStrike (CRWD)285 +0.00 (+0.00%)May 21, 2026, 10:10 PM
Zscaler (ZS)195 +0.00 (+0.00%)May 21, 2026, 10:10 PM
Fortinet (FTNT)72 +0.00 (+0.00%)May 21, 2026, 10:10 PM
  • Palo Alto: Palo Alto's performance signals enterprise demand trends for managed detection and retainer pricing in the sector
  • CrowdStrike: CrowdStrike sentiment reflects demand for endpoint telemetry and managed detection, tying to retainer and remediation sourcing strategies

Sources

Inline citations jump here. Expand a source to read the excerpt, the AI interpretation, and the original link.

[1] A long time ago in a galaxy far, far away…Cybersecurity was already hard

securitybrief.com.au · n.d.

Expand

AI reading

SonicWall's 2026 Cyber Protect report documents persistent control failures: long attacker dwell, slow enterprise patching and widespread tool sprawl. The report provides concrete operational signals—attackers dwell for long periods and organisations often take more than a week to patch—making telemetry, remediation throughput and contractual playbooks procurement priorities. Watch whether vendors supply measurable detection-to-containment evidence and patching throughput data when engaged

Buyer takeaway

Treat the report as a strong operational demand signal for managed remediation, telemetry access and evidence-backed detection claims

Cost / money

Expect steady Opex demand for managed patching and remediation retainers because internal teams struggle to close backlogs quickly

Supplier / commercial

Vendors that can produce telemetry samples, playbooks and sustained remediation throughput will command preferred commercial positions

Safety / operations

Long dwell times and slow patching increase incident impact; contractual remedies and playbook access reduce containment time and cross-team friction

What to watch

Validate vendor detection and patching claims with test artefacts and telemetry examples rather than marketing statements

Key facts

  • Attackers dwell in environments an average of 181 days (report finding)
  • 77% of organisations need more than a week to patch enterprise-wide (report finding)
  • Identity, cloud and credential compromise account for the majority of actionable alerts

Source excerpts

Their response?
Overexposed Access is the third deadly sin
The Empire fell because of seven compounding failures

Used in this brief

  • Next 2-4 weeks — Request sample telemetry, playbooks and remediation throughput evidence from shortlisted security suppliers as part of commercial qualification.. Rationale: because SonicWall and incident-response guidance show detection and remediation claims vary in reality, so evidence-based qualification reduces supplier execution risk.. Owner: Contracts. KPI: Qualification packs from suppliers containing telemetry examples, playbook excerpts and remediation throughput metrics to support shortlist decisions
  • Next quarter — Negotiate contract clauses for critical security suppliers requiring telemetry access, remediation SLAs, prepaid preparedness hours and local response commitments.. Rationale: because combining contractual telemetry access with prepaid preparedness and SLAs transfers operational risk to suppliers and improves time-to-containment during incidents.. Owner: Legal. KPI: Contract templates that include telemetry access terms, defined remediation SLAs, and prepaid-hours scope to support operational readiness and supplier accountability
  • Vendors' 'readiness' or rapid-detection marketing claims should be validated with evidence (test artefacts, telemetry samples and SLAs) because SonicWall shows detection gaps persist despite vendor claims
Open original source

[2] 1Kosmos wins Epic Toolbox identity verification spot

securitybrief.com.au · n.d.

Expand

AI reading

1Kosmos has been designated for Epic Toolbox identity verification inside MyChart, allowing its proofing service to run within a widely used patient portal. That reduces custom integration work for health systems because the integration conforms to Epic's channels and claims NIST IAL2 alignment, making operational rollout simpler. Watch whether hospitals prefer pre-certified vendors to cut implementation time and professional-services costs

Buyer takeaway

Prioritise vendors with platform designations to reduce implementation effort and lower project risk

Cost / money

Pre-certified integrations can reduce professional-services and integration labour costs versus building custom connectors

Supplier / commercial

Vendors with platform badges gain easier access to health-system shortlists and can command pricing advantages on integration scope

Safety / operations

Correctly implemented identity proofing reduces account takeover and impersonation risks in patient portals

What to watch

Confirm NIST IAL2 conformance with artefacts and operational test evidence; designation does not replace technical validation

Key facts

  • Designated for Epic MyChart identity verification
  • Claims conformance with NIST Identity Assurance Level 2 (IAL2)
  • Supports enrolment and account recovery flows inside MyChart

Source excerpts

The integration is intended to let health organisations add identity proofing within MyChart rather than build separate verification connections around the portal. This can reduce integration work while aligning with Epic's recommended identity practices, according to 1Kosmos
JOSEPH GABRIEL LAGONSIN News Editor 1Kosmos has received Epic Toolbox designation for Identity Verification for MyChart, making its identity proofing service available within Epic's patient portal environment
This can reduce integration work while aligning with Epic's recommended identity practices, according to 1Kosmos

Used in this brief

  • Gartner's inclusion of Group-IB strengthens the commercial case for incident-response retainers as a predictable procurement vehicle for preparedness plus short-notice response. SonicWall's report shows persistent gaps in fundamentals (long attacker dwell, slow enterprise patching), so buyers should treat telemetry access and remediation SLAs as procurement levers to reduce operational exposure. 1Kosmos' Epic Toolbox designation lowers integration work for health‑system identity proofing, shifting procurement focus to pre-certified artefacts and NIST IAL2 evidence rather than heavy custom integration bids. Valkey 9.1 claims lower memory use and improved tooling that could reduce cloud run-costs for read-heavy services, but the release is community-driven and requires vendor-support checks before any cost assumptions
  • Supplier / commercial: Epic Toolbox designation gives 1Kosmos a clearer route into health-system procurement, pressuring other identity vendors to supply platform artefacts and pre-certification to stay competitive
  • Next 2-4 weeks — Issue an RFP addendum for healthcare identity suppliers requiring proof of Epic integration artefacts and NIST IAL2 evidence.. Rationale: because 1Kosmos' Epic Toolbox designation lowers integration work and buyers should demand the same pre-certified artefacts to reduce implementation effort and vendor profession.... Owner: Contracts. KPI: RFP responses that include integration artefacts and conformance evidence to shorten evaluation and implementation timelines
Open original source

[3] Group-IB named Gartner vendor in incident response guide

securitybrief.com.au · n.d.

Expand

AI reading

Group-IB was named a Representative Vendor in Gartner's guide for incident-response retainers, highlighting its retainer model that bundles preparedness work (exercises, red teaming) with short-notice response. The article stresses local Digital Crime Resistance Centres and prepaid hours as differentiators that align services with client jurisdictions. Procurement should treat retainer scope, local presence and prepaid hours mix as evaluation criteria rather than buying on price alone

Buyer takeaway

Treat retainer contracts as a combined preparedness and rapid-response procurement mechanism to reduce incident execution risk

Cost / money

Retainers let buyers spread incident response costs into predictable Opex and use prepaid hours for readiness work

Supplier / commercial

Vendors with local operational centres and documented casework can justify premium pricing and preferred slots during incidents

Safety / operations

Pre-incident exercises and local response teams reduce time-to-containment and improve cross-jurisdictional coordination

What to watch

Validate SLAs, local staffing levels and the convertibility of prepaid hours to live support under contract terms

Key facts

  • Named Representative Vendor in Gartner's Market Guide for IR retainers
  • Retainer model covers investigation, containment, eradication and recovery
  • Offers prepaid hours usable for preparedness work and local response support

Source excerpts

Group-IB said its retainer offering covers the full incident response cycle, from investigation and containment to eradication and recovery. Clients can also use prepaid hours for preparation work such as red teaming, staff training and readiness exercises, as well as live incident support
Market visibility Inclusion in a Gartner market guide can raise visibility among corporate and public sector buyers evaluating suppliers in a specific segment
Group-IB has been named a Representative Vendor in the 2026 Gartner Market Guide for Cybersecurity Incident Response Retainer Services, placing it among providers tracked in the market for round-the-clock incident response support. The guide describes cybersecurity incident response retainer services as a mix of proactive and reactive work sold on a retainer basis, including investigation, containment and eradication, with some providers also covering recovery

Used in this brief

  • Cost / money: Moving from emergency ad-hoc response to retainer contracts converts unpredictable incident fees into budgeted operating expense and lets buyers allocate prepaid hours to preparedness work
  • Supplier / commercial: Inclusion in Gartner's guide increases Group-IB's visibility and shifts shortlist leverage toward vendors that can demonstrate local operational centres, SLAs and prepaid preparedness offerings
  • Safety / operations: Retainer models that include preparedness exercises, prepaid hours and local response personnel improve runbook execution and reduce coordination friction during a live incident
Open original source

[4] Valkey 9.1 cuts memory use & boosts security tools

securitybrief.com.au · n.d.

Expand

AI reading

Valkey released version 9.1 claiming per-key memory reductions and updated ecosystem tooling for search and client libraries. The release is community-driven and lists major contributors, so the technical change is real but enterprise support and commercial SLAs are not guaranteed. Procurement should run a POC and confirm commercial support options before changing cloud sizing or support contracts

Buyer takeaway

Consider a targeted POC to verify claimed efficiency gains and confirm vendor support before procurement changes

Cost / money

If validated, memory reductions may lower instance sizing and recurring cloud costs for specific workloads

Supplier / commercial

Open-source shifts commercial negotiation toward support vendors or cloud partners rather than a single licensor

Safety / operations

Core storage changes require careful testing; tooling updates can reduce inspection overhead if stable

What to watch

Adoption depends on ecosystem maturity and commercial support; don't assume immediate enterprise SLAs

Key facts

  • Claims reduced per-key memory use for common workloads
  • Ecosystem updates include Valkey Search and Valkey GLIDE client improvements
  • Project contributors include major cloud and infrastructure firms

Source excerpts

4. The release adds support for client-side caching and transparent caching, while extending language support to C# and PHP
1 of its open source key-value database, adding updates to security, memory efficiency and operational tooling
Search module Alongside the core database release, the Valkey community has updated Valkey Search to version 1

Used in this brief

  • What to watch: Valkey's performance and tooling claims are community-driven; don't assume enterprise-grade support or SLAs exist—validate commercial support options before relying on claimed efficiencies
  • Next 2-4 weeks — Run a focused POC of Valkey 9.1 against a representative read-heavy workload to measure actual memory and tooling impacts.. Rationale: because claimed per-key memory savings and tooling changes could translate to ongoing infra cost reductions but require validation in your environment before procurement decisions.. Owner: Ops. KPI: POC report showing measured memory usage, operational constraints, and recommended next-step procurement stance (adopt, support contract, or skip)
  • Valkey's performance and tooling claims are community-driven; don't assume enterprise-grade support or SLAs exist—validate commercial support options before relying on claimed efficiencies
Open original source

[5] Palo Alto

finance.yahoo.com · n.d.

Expand
Open original source

[6] CrowdStrike

finance.yahoo.com · n.d.

Expand
Open original source
More from IT, Telecom & CyberBack to Executive View