

We have already seen the comparison of SPARK Matrix 2023-2024. The comparison will help you when choosing an insider risk management product that fulfills your security needs. It will allow you to compare product performance over three years (2023-2025), providing you with greater clarity into the product capabilities and real-life performance. So, without further ado, let us begin the comparison.
The toppers retaining/improving their spots are: Cisco, Exabeam, Gurucul, DTEX, Mimecast, Proofpoint, SailPoint, Rapid7, and Bottomline. Some of them have broken into the leader quadrant the year they were launched. Some have moved up from strong contenders, and some companies have remained “as is”: they have neither progressed nor regressed. Let us start with the newcomers.
Cisco (Splunk): The Cisco (Splunk) product offers various capabilities that have propelled it to the leader of the pack. These include automatic classification and prioritization of potential threats; extensive user and device monitoring; and the ability to easily integrate with users’ existing technology stack.
Venkatesh Kopparthi, analyst, QKS Group, elaborates on how Cisco achieved this. “The company offers a robust integration of Splunk’s advanced UEBA and SIEM capabilities with Cisco’s XDR and threat intelligence ecosystem. This blend delivers high-precision insider threat detection through unsupervised ML, contextual analysis, and automated response workflows—key factors recognized in the 2025 SPARK evaluation.”
Mimecast: Mimecast’s product focuses on the human risk factors. The company’s 2024 acquisition of Elevate Security allows it to leverage the risk capabilities offered by the latter’s security platform to provide more targeted interventions and training. The product can also integrate with users’ existing technology stack. This ability allows users to implement security without additional expenditure.
Gurucul: Gurucul was a “strong contender” in 2024 and is a leader in 2025. This rise is owing to its ability to provide contextual awareness and activity. It achieves this by differentiating anomalous from usual user behavior. It is also equipped with 10,000 pre-built content libraries and pipelines that work out of the box, and with a dynamic risk engine that uses 240 attributes to draw up customizable risk scores that can be adjusted in real time.
Those that stayed on as leaders
Bottomline: Bottomline’s solution combines behavioral profiles, business rules, and ML models to enable precise detection of known and unknown threats. Its patented record and replay technology tracks every interaction to create an audit trail that enables improved analytics and investigation efficiency.
DTEX: The DTEX InTERCEPT Platform offers the AI3 assistant, which uses NLP to guide investigations, allowing analysts to quickly answer complex questions and reduce investigation time. It also offers 200 use cases and dashboards, all fully customizable, and it can seamlessly integrate with various important security tools like Microsoft Defender, CrowdStrike, and other SIEM platforms.
Proofpoint: Proofpoint’s IRM solution is equipped with a centralized console that enables efficient incident management and threat hunting. It also offers an analytical engine that flags anomalies by establishing baselines for user behavior patterns. The solution can easily integrate with a wide variety of security tools, including SIEM solutions and DLP systems.
SailPoint: SailPoint’s IRM solution offers proactive risk simulations and what-if scenarios to enable users to proactively detect and mitigate threats. It also offers integrated alert systems and response workflows to enable users to quickly address potential threats.
Rapid7: Rapid7’s platform collects data from a variety of sources, including endpoints and cloud applications, to provide granular visibility into user and device behaviors. This visibility allows organizations to detect anomalous behavior indicating threats. It also offers a structured and automated incident response workflow to deliver contextual alerts that allow quick threat prioritization and mitigation.
DoControl: DoControl’s product provides a unified platform for managing data access and insider threats. It achieves this owing to its extensive monitoring and control capabilities across various SaaS applications. The platform also offers deep contextual analysis of user actions from various sources. This analysis helps differentiate anomalous behavior from “normal” behavior. This differentiation is crucial for more accurate threat detection while reducing false positives.
The missing ones
These companies are LogRhythm, HUMAN, IBM, Ekran, Vectra, Crisp, and Secure Passage. All of them had participated in the 2024 study but are rather conspicuously absent from the 2025 study.
The stay puts
The most prominent names that are still classified as “strong contenders” are Microsoft, Fortinet, and OpenText.
Microsoft: Microsoft was a strong contender in 2024 and remains a strong contender in 2025. A likely reason is that, while it offers strong capabilities like a configurable insider risk management framework with a wide array of pre-built policy templates and a privacy-by-design architecture that ensures user anonymization to balance risk management and compliance requirements, it is also dependent on Microsoft 365 audit logs for data ingestion. This reliance can delay real-time alert generation. In addition, the solution’s effectiveness relies on the precise configuration of detailed policies and integrations. Organizations lacking dedicated IT or insider risk expertise may face gaps in advanced threat detection and user/device monitoring.
As per Venkatesh, “The solution offers a deeply integrated, privacy-respecting approach to insider risk within Microsoft 365 environments, but its relatively limited applicability to heterogeneous IT landscapes and dependence on E5 licensing are the likely reasons behind the company missing out in the Leaders quadrant.”
Fortinet: The likely reason for Fortinet is the product’s comprehensive nature, which may be complex for organizations without dedicated cybersecurity teams and/or resources. In addition, customizing the software to the user’s needs may require help from additional resources like in-house developer teams. Also, while the software offers strong integration capabilities, users with legacy stacks may face challenges in leveraging the product’s features.
So how can the company progress? Venkatesh says, “To progress into the Leaders quadrant, Fortinet may need to enhance behavioral analytics depth, broaden UEBA capabilities, and reduce deployment complexity to appeal to diverse IT environments beyond its core strengths in network and DLP.”
OpenText: OpenText’s main capabilities may be its biggest challenge. While it offers extensive features and capabilities, the same may lead to increased complexity for organizations with limited IT resources.
The IRM market is also witnessing rapid changes due to emerging technologies like AI. This, coupled with previous challenges like hybrid workforces, means vendors and users have to keep up to date with the latest in everything. Hope this will help you.