
Too Many Cybersecurity Tools: How To Declutter Through Platformization

For enterprises eager to consolidate their tools, success will take the form of "platformization" of enterprise security stacks.


The New Year is a time for untangling and decluttering, especially for security teams buried beneath the tangle of myriad cybersecurity tools.

The challenge of decluttering has become endemic to security teams everywhere. Consider a study released in January 2025 by IBM's Institute for Business Value, in collaboration with Palo Alto Networks, which found that organizations juggle an average of 83 security solutions from 29 vendors. A Vanson Bourne study commissioned by Barracuda Networks, meanwhile, shows that 65% of organizations believe they have too many security tools, and 53% say their tools can't be integrated. 

This tool sprawl, the unchecked accumulation of overlapping, poorly integrated security products, poses a substantial barrier to security operations efficiency.

Focusing on what works

David Elfering, director of cybersecurity at transportation company Carrix, Inc., says going forward, security leaders should focus more on where they can cut security tools and be prepared to make tough decisions about which tools they can live without. "That's a decision you should always be ready to make," he says.

"I do think we are seeing rationalization," adds John Grady, principal analyst at research firm Omdia. "We've asked in a lot of studies, 'What are your challenges? What are your drivers?' A lot of the answers come back to too much tool sprawl, too many vendors," Grady says. "However, solving tool sprawl isn't the top driver; it's usually a secondary driver. It's about better efficiency, making fewer mistakes, fewer false positives," says Grady.

Enterprises do plan to consolidate their tools, and much of that consolidation will take place through the "platformization" of enterprise security stacks. These platforms include extended detection and response (XDR) and managed extended detection and response (MXDR), as well as secure access service edge (SASE) and security data pipelines.

Gartner predicts that by 2027, 70% of organizations will optimize cloud-native application vendors to a maximum of three. By 2028, it predicts, 50% of MDR findings will include threat exposures, up from approximately 20% in 2025. That reflects an essential shift in how MDR services are expected to operate: toward identifying the conditions that make threats possible rather than only detecting threats in progress.

The great platformization

The most significant consolidation in enterprise security currently centers on three distinct but complementary platforms and services. Many secure access service edge (SASE) providers have been consolidating network security functions, such as SD-WAN, secure web gateway, cloud access security broker, zero trust network access, and firewalls, into unified, cloud-delivered architectures. The market research firm Grand View Research estimates that the SASE market will grow from about $4 billion in 2024 to $17 billion in 2030, representing a 27% compound annual growth rate over the six-year period.

Enterprises are also outsourcing threat detection and response to managed extended detection and response (MXDR) service providers for 24/7/365 coverage across their endpoints, networks, cloud workloads, and identities. The aim is to further consolidate tooling that previously had to be run in-house.

Enterprises are also consolidating their fragmented security telemetry from dozens of on-premises and cloud security tools into unified security data pipelines. These pipelines intelligently route telemetry from sources to appropriate destinations, such as the SIEM for compliance, data lakes for analytics, and detection engines for threat identification. This consolidation strategy—SASE for network control, MXDR for managed detection and response, and data pipeline orchestration for unified intelligence—reduces complexity, can cut costs by 16%, and improves threat response times. "All those tools generate data, standardizing, aligning all that data is probably the highest cost of having those tools, having them all in one platform," says Wim Remes, principal consultant at cybersecurity consultancy Toreon.

Remes also points to the importance of standardization, data alignment, and integration, which can be both benefits and sources of risk when using a single platform.
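
The routing and standardization described above, sketched as an added example (not from the article or any vendor): two constructed sources with different field names and time formats are normalized to one schema and fanned out to the destinations the article names. The source names, field maps, and routing thresholds are assumptions.

```python
from datetime import datetime, timezone

# Per-source field mappings onto one common schema (source names are hypothetical).
FIELD_MAPS = {
    "edr_tool": {"ts": "event_time", "host": "device_name", "kind": "category", "sev": "severity"},
    "cloud_audit": {"ts": "timestamp", "host": "resource", "kind": "eventType", "sev": "level"},
}
SEVERITY = {"info": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}
COMPLIANCE_KINDS = {"authentication", "privilege_change", "config_change"}  # assumed policy

def normalize(source, raw):
    """Map a vendor-specific record onto the common schema."""
    fmap = FIELD_MAPS[source]          # KeyError: no mapping for this source
    ts = raw[fmap["ts"]]
    # Sources disagree on time format: epoch seconds vs. ISO 8601 strings.
    if isinstance(ts, (int, float)):
        when = datetime.fromtimestamp(ts, tz=timezone.utc)
    else:
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    sev = raw[fmap["sev"]]
    return {
        "source": source,
        "time": when.isoformat(),
        "host": str(raw[fmap["host"]]).lower(),
        "kind": str(raw[fmap["kind"]]).lower(),
        "severity": sev if isinstance(sev, int) else SEVERITY[str(sev).lower()],
    }

def route(event):
    """Return the destinations for one normalized event."""
    dests = ["data_lake"]                      # everything is kept for analytics
    if event["kind"] in COMPLIANCE_KINDS:
        dests.append("siem")                   # compliance-relevant records
    if event["severity"] >= SEVERITY["medium"]:
        dests.append("detection_engine")       # worth real-time analysis
    return dests

def run_pipeline(batch):
    """Normalize and route a batch; records that fail go to a dead-letter queue."""
    out = {"data_lake": [], "siem": [], "detection_engine": [], "dead_letter": []}
    for source, raw in batch:
        try:
            event = normalize(source, raw)
        except (KeyError, ValueError, TypeError):
            out["dead_letter"].append((source, raw))  # never drop telemetry silently
            continue
        for dest in route(event):
            out[dest].append(event)
    return out

SAMPLE = [  # constructed records
    ("edr_tool", {"event_time": 1735689600, "device_name": "WS-014", "category": "Process_Start", "severity": 4}),
    ("cloud_audit", {"timestamp": "2025-01-01T00:05:00Z", "resource": "iam/role-a", "eventType": "privilege_change", "level": "low"}),
    ("legacy_fw", {"msg": "deny tcp"}),  # source with no mapping defined
]
```

The dead-letter queue is the part to watch during consolidation: a source that silently fails normalization is a visibility gap that the unified platform will not report on its own.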

Cloud native's role in streamlining cybersecurity tool sprawl

Finally, the continued shift by enterprises toward cloud-native application protection platforms (CNAPP) is also aiding consolidation efforts among security vendors. Gartner predicts that by 2029, 40% of enterprises implementing zero trust in cloud environments will turn to CNAPPs. CNAPPs consolidate cloud security posture management (CSPM), cloud workload protection platforms (CWPP), cloud infrastructure entitlement management (CIEM), container scanning, and Infrastructure-as-Code (IaC) security into a single platform. This addresses tool sprawl, in which organizations previously deployed separate point products for each discrete cloud security function.

The economic pressures driving security vendor consolidation will only intensify. This year, the fastest-growing budget category will likely not be "more tools."

Instead, it will be in vendor consolidation through platforms. Organizations will focus on consolidating security tools and leveraging automation to streamline processes, saving money and improving efficiency and effectiveness through continuous, correlated, and contextualized visibility.

Whether this improves security outcomes remains to be determined.
