Total Economic Impact
Cost Savings And Business Benefits Enabled By ReliaQuest GreyMatter
A FORRESTER TOTAL ECONOMIC IMPACT STUDY COMMISSIONED BY RELIAQUEST, June 2025
Total Economic Impact
A FORRESTER TOTAL ECONOMIC IMPACT STUDY COMMISSIONED BY RELIAQUEST, June 2025
As cybersecurity tech stacks become more mature, organizations often struggle to effectively manage the resulting security ecosystem. Previously, firms struggled to identify threats; today, they are often inundated with so many alerts from disconnected systems that critical signals are lost in the noise. Furthermore, the escalating costs associated with maintaining these sprawling environments, coupled with ever-increasing data storage costs, create a pressing need for solutions that can provide unified visibility, intelligent automation, and tangible security cost savings.
ReliaQuest GreyMatter is an AI-powered security operations system designed to integrate with existing security tools to provide unified visibility across environments. GreyMatter centralizes data from various sources, enabling the rapid detection of, investigation of, and response to security threats. The platform also incorporates automated response playbooks and AI capabilities to streamline the alert management process.
ReliaQuest commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by deploying ReliaQuest GreyMatter.1 The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of GreyMatter on their organizations.
To better understand the benefits, costs, and risks associated with this investment, Forrester interviewed four decision-makers with experience using GreyMatter. For the purposes of this study, Forrester aggregated the experiences of the interviewees and combined the results into a single composite organization, which is a global organization with $5 billion in annual revenue.
Interviewees said that prior to using ReliaQuest GreyMatter, their organizations had several security solutions in place, including endpoint detection and response tools, legacy security orchestration, automation, and response (SOAR) tools, and threat intelligence platforms. However, these tools often operated in silos, leading to fragmented visibility and coordination across security tools and processes. The interviewees’ organizations often struggled with manual tasks, slow incident response times, and high alert volumes, resulting in alert fatigue and potentially missed threats.
Interviewees reported that GreyMatter gave them a centralized platform, enhancing visibility and coordination across security tools. The automation and AI-driven insights provided by GreyMatter helped their organizations rapidly detect and mitigate threats, reducing both the mean time to contain (MTTC) and the mean time to resolve (MTTR) alerts. Interviewees shared that the improvement in visibility, coupled with GreyMatter’s proactive approach to alert management, reduced their likelihood of a breach and saved employee time on manually responding to alerts.
Quantified benefits. Three-year, risk-adjusted present value (PV) quantified benefits for the composite organization include:
An improved security posture from increased visibility and faster responses to alerts. With the ReliaQuest GreyMatter platform, the composite organization gains unified visibility across its security tools, enabling faster and more accurate detection of threats. GreyMatter’s data correlations and intelligent analytics enable the composite’s security team to prioritize and respond to threats more effectively, closing security gaps and reducing the chances of a breach. GreyMatter also accelerates the composite organization’s mean time to contain an alert, preventing threat actors from executing lateral movement and spreading across the network. Over three years, the composite organization avoids a risk-adjusted $1.4 million in expected breach costs.
Average mean time to contain threats with GreyMatter
Time savings of almost 90% on investigating security alerts. The composite organization uses GreyMatter’s AI capabilities to automatically triage and investigate alerts, while GreyMatter’s automated response playbooks execute immediate actions across existing security tools to quickly contain threats. As a result, 85% of the composite’s alert investigations are resolved without human involvement. Beyond automation, GreyMatter provides the composite organization with visibility into alert data and detailed threat descriptions, allowing staff to more efficiently prioritize and resolve manual threats. Overall, these time savings are worth a risk-adjusted $1.6 million over the course of the three-year analysis.
Reduction in mean time to resolve with GreyMatter
Cost savings of 33% from optimizing data ingest spend and eliminating redundant tools. After implementing GreyMatter, the composite organization retires overlapping or redundant security tools, lowering licensing and maintenance expenses. Furthermore, GreyMatter’s data management capabilities streamline the collection and analysis of security information, ensuring that only necessary data is ingested and stored, which significantly reduces data ingest and storage costs. In total, the composite organization is able to avoid $1.9 million in legacy tool and data ingest costs over the three-year analysis.
Additional time savings from an 80% reduction in false positives. With GreyMatter, the composite organization is able to filter out alert noise and identify genuine threats by discerning patterns across its security landscape, leading to fewer inaccurate alerts and allowing security teams to focus on legitimate risks. By reducing the amount of employee time dedicated to investigating false positives, the composite saves $293,000 in employee labor costs over three years.
Unquantified benefits. Benefits that provide value for the composite organization but are not quantified for this study include:
An improved ability to meet compliance and cybersecurity insurance requirements. GreyMatter provides the composite with centralized visibility and reporting capabilities that streamline the organization’s adherence to regulatory frameworks. Additionally, the composite organization’s usage of GreyMatter simplifies the process of applying for cybersecurity insurance and could potentially help it avoid premium hikes.
Improved visibility from gaining a single, easy-to-use platform. GreyMatter’s user-friendly interface provides the composite organization with a centralized view of its security data and alerts. The design allows analysts to efficiently monitor their environment, investigate threats, and execute response actions without navigating complex and disparate systems, minimizing the learning curve for new users.
Faster time to value from a quick implementation process. The composite organization leverages ReliaQuest’s team of experts to quickly deploy and integrate GreyMatter with the composite’s existing security stack. This quick implementation process ensures a fast time to value, enabling the composite to see tangible security improvements in a relatively short time frame.
Proactive support from ReliaQuest’s experts. ReliaQuest’s team proactively engages with the composite organization to help it continuously improve its security posture, offering guidance and expertise based on the team’s experience with the platform.
Costs. Three-year, risk-adjusted PV costs for the composite organization include:
ReliaQuest GreyMatter subscription costs. The composite organization incurs a risk-adjusted $1.6 million in GreyMatter subscription costs over three years.
Implementation and training costs. Some internal labor is required to implement GreyMatter and to train new users. Over three years, the implementation and training costs amount to $25,000 in employee labor.
Ongoing management effort. The composite organization dedicates some internal labor to meeting with ReliaQuest, adjusting configurations, and assisting with training new employees. Over the course of the three-year analysis, these ongoing management costs amount to $28,000.
The financial analysis that is based on the interviews found that a composite organization experiences benefits of $5.2 million over three years versus costs of $1.6 million, adding up to a net present value (NPV) of $3.6 million and an ROI of 224%.
Return on investment (ROI)
Benefits PV
Net present value (NPV)
Payback
| Role | Industry | Employees | Annual revenue |
|---|---|---|---|
| Director of security operations | Aerospace | 9,000 | $4 billion |
| Technical security manager | Facilities services | 40,000 | $10 billion |
| Deputy CISO | Manufacturing | 20,000 | $7 billion |
| CISO | Lighting solutions | 30,000 | $6 billion |
Before adopting ReliaQuest GreyMatter, the interviewees’ organizations operated with a collection of disparate security tools, each addressing specific security domains but often functioning in silos. This fragmented landscape led to challenges in correlating information, understanding their security posture, and efficiently responding to threats, resulting in overburdened security staff and an increased risk of breaches.
Interviewees noted how their organizations struggled with common challenges, including:
A lack of automation capabilities. The interviewees’ organizations struggled with manual and repetitive security tasks, such as alert triage, initial investigations, and basic response actions. This reliance on manual processes consumed significant analyst time, slowed down response times, and led to alert fatigue. The director of security operations at an aerospace organization reported that their legacy provider had minimal automation features: “[Our legacy tool]’s security operations center (SOC) was doing an OK job, never a good job. And really, even if they did a good job, what can you do with 20 detection rules? There was not even a conversation about any [automated] response playbooks.”
Insufficient visibility across the security infrastructure. With multiple security tools generating their own alerts and data, the interviewed organizations often lacked a single view of their entire landscape. For example, their endpoint tool would give them alerts on suspicious endpoint events, but these alerts would exist in isolation from network firewall logs or cloud security events. The interviewees shared that their legacy security providers sometimes wouldn’t alert them of threats for hours, or even days. The technical security manager at a facilities services organization noted: “With one of our providers, it could be a day later before they let you know [of an active threat]. You may see it in your console, and then a day later they let you know it happened.”
Escalating costs associated with legacy security tools and data ingest costs. Interviewees reported that maintaining their legacy security tools involved significant licensing, maintenance, and operational expenses. Furthermore, the exponential growth of security data and the associated data ingest and storage costs for solutions like security incident and event management (SIEM) tools can become prohibitively expensive. The director of security operations at an aerospace organization described the challenges of their expensive, legacy vendor: “[Our previous provider] was not set up to handle our environment at all. The contract was expensive, and they were providing very little value for it.”
A lack of predictable pricing from comparable tools. The interviewees shared that many of the traditional security platforms and services came with complex or unpredictable pricing models, making it difficult for them to forecast their costs. The CISO at a lighting solutions organization stated that: “[Other vendors] could not tell us how much it would cost to build on top of what we already have. With ReliaQuest, we can know exactly what it’s going to cost two years from now, so that gives us more clarity.”
The interviewees searched for a solution that could:
Unify telemetry and leverage AI capabilities to accelerate threat detection, investigation, and containment.
Provide unified visibility across the security infrastructure.
Lower overall security operations costs, including legacy tooling and data ingest costs.
Develop automated response playbooks to automate common alert responses.
Reduce the number of false positives.
Enhance compliance and meet insurance requirements.
Establish a collaborative security partnership.
Based on the interviews, Forrester constructed a TEI framework, a composite company, and an ROI analysis that illustrates the areas financially affected. The composite organization is representative of the interviewees’ organizations, and it is used to present the aggregate financial analysis in the next section.
The composite organization operates globally and has $5 billion in annual revenue. Prior to adopting ReliaQuest GreyMatter, the composite organization has 400 security alerts per month that require a human response.
$5 billion annual revenue
Global operations
400 alerts per month
| Ref. | Benefit | Year 1 | Year 2 | Year 3 | Total | Present Value |
|---|---|---|---|---|---|---|
| Atr | Improved security from using ReliaQuest GreyMatter | $552,960 | $552,960 | $552,960 | $1,658,880 | $1,375,129 |
| Btr | Alert management time savings with ReliaQuest GreyMatter | $658,834 | $658,834 | $658,834 | $1,976,503 | $1,638,423 |
| Ctr | Reduced cost to investigate false positives | $117,780 | $117,780 | $117,780 | $353,341 | $292,902 |
| Dtr | Legacy cost savings | $729,000 | $810,000 | $810,000 | $2,349,000 | $1,940,714 |
| Total benefits (risk-adjusted) | $2,058,574 | $2,139,574 | $2,139,574 | $6,337,723 | $5,247,168 |
Evidence and data. Interviewees reported that ReliaQuest’s GreyMatter platform integrates and analyzes data from their various security tools to provide comprehensive visibility, enabling faster detection and response to threats before they escalate into breaches.
Interviewees reported that prior to adopting GreyMatter, they had several security gaps that sometimes led to breaches. The director of security operations at an aerospace organization reported that prior to GreyMatter, they would sometimes have multiple breaches in a year, each one costing their organization hundreds of thousands — if not millions — of dollars. The interviewee noted the improvement in their visibility with GreyMatter: “[ReliaQuest’s] alerts are hydrated with really relevant data. … We use threat hunting, detect and response, and their mobile app, which is one of their greatest features. The GreyMatter interface and platform is really good. … Since we’ve been with them, we haven’t had anything major come across.”
Interviewees also shared that the GreyMatter platform included features such as threat hunting and attack simulations to identify and remediate vulnerabilities, further minimizing the likelihood of successful attacks. The technical security manager at a facilities services organization shared: “With the help of GreyMatter, their threat hunting capabilities, and their help testing our security controls, we’re going to shift left the quell process.”
The interviewees reported that GreyMatter accelerated their mean time to resolve security vulnerabilities, reducing the likelihood of a security breach. The deputy CISO at a manufacturing firm described the improvement: “We talk a lot about our reduction in mean time to resolve tickets. When we were using [our previous tool], it took about 17 days. Now it’s 1.5 days to resolve a ticket. That’s huge. … From an advanced threat perspective, dwell time went from days to 6 minutes.”
Outside of faster response times and a reduction in breaches, interviewees shared a wide range of metrics highlighting how their security posture has improved with ReliaQuest GreyMatter. The deputy CISO at the manufacturing firm went on to say: “We’ve gained MITRE coverage, which is really important for detection and monitoring. From a threat adversary perspective, we were at 29%. Now, we’re at 78%.”
Interviewees reported that their organizations rely on ReliaQuest’s Digital Risk Protection capability to provide continuous external threat monitoring and intelligence, enabling the proactive detection of risks like data leakage and exposed credentials before they can be exploited. The CISO at a lighting solutions organization stated that: “We have the Digital Risk Protection module. So, for example, if things are leaked on the dark web from an insider on our part, we know it through ReliaQuest.”
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
Using GreyMatter helps the composite organization improve a wide range of its security metrics. Significantly, the composite’s MTTR decreases by 75%.
The mean cumulative cost of a breach for the composite organization is $3.85 million.2
Prior to implementing GreyMatter, the composite organization has a 67% chance of being breached per year.3
Fifty-six percent of breaches originate from either external attacks targeting the organization or internal incidents within an organization.4
With GreyMatter, the composite organization reduces its risk of these types of breaches by 45%.
Risks. The improved security benefit can vary depending on:
Threat detection and remediation capabilities in the legacy environment.
The specific security tools that an organization uses alongside GreyMatter.
The types of attacks and breaches in the previous environment.
Expected breach costs, which depend on an organization’s size and industry.
Results. To account for these risks, Forrester adjusted this benefit downward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.4 million.
Reduced likelihood of a breach
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|
| A1 | Cumulative cost of breaches for the composite organization | Forrester research | $3,853,000 | $3,853,000 | $3,853,000 | |
| A2 | Estimated likelihood of at least one breach | Forrester research | 67% | 67% | 67% | |
| A3 | Percentage of attacks addressable with ReliaQuest GreyMatter | Forrester research | 56% | 56% | 56% | |
| A4 | Subtotal: Annual risk exposure addressable with ReliaQuest GreyMatter | A1*A2*A3 | $1,445,646 | $1,445,646 | $1,445,646 | |
| A5 | Reduced risk of exposure to breach costs from using ReliaQuest GreyMatter | Interviews | 45% | 45% | 45% | |
| At | Improved security from using ReliaQuest GreyMatter | A4*A5 | $650,541 | $650,541 | $650,541 | |
| Risk adjustment | ↓15% | |||||
| Atr | Improved security from using ReliaQuest GreyMatter (risk-adjusted) | $552,960 | $552,960 | $552,960 | ||
| Three-year total: $1,658,880 | Three-year present value: $1,375,129 | |||||
Evidence and data. Interviewees shared that GreyMatter’s agentic AI capabilities significantly reduce manual alert response hours by autonomously triaging and investigating security alerts. Instead of simply generating summaries of alerts, GreyMatter analyzes security data from a variety of tools, correlates events, and frees up human analysts from repetitive and time-consuming initial investigation tasks. Interviewees also said that GreyMatter’s automated response playbooks further reduce staff response time by executing preconfigured actions across an organization’s security tools, such as isolating compromised accounts or blocking suspicious IP addresses.
Interviewees described how implementing ReliaQuest GreyMatter has created a culture of innovation and automation on their security team, with more and more manual processes handled by GreyMatter’s automation and AI features. The deputy CISO at a manufacturing firm stated: “We have gone all in on automated response playbooks. … [We have] 500 alerts per month, and [GreyMatter] is handling around 99% of them.”
The same interviewee went on to say that GreyMatter’s AI capabilities and automated response playbooks are also reducing their MTTR: “What we get through GreyMatter is the ability to leverage their detections and their automations, which greatly reduces the administrative burden on our team. … It actually shrinks the time to action immensely.”
The director of security operations at an aerospace organization confirmed that GreyMatter improves the efficiency of their security team, while also reducing their MTTC alerts: “We have alerts that are automated, manual, and combined. … We have a goal of MTTC within minutes, which we comfortably accomplish consistently. … Our MTTC is phenomenal, and a lot of that has to do with automation.”
The CISO at a lighting solutions organization shared that using GreyMatter has allowed them to reallocate members of their security team to other tasks: “Previously, I had a team that was doing everything themselves. Tier one and tier two alerts are now fully outsourced to ReliaQuest. Tier three alerts are handled by internal specialists. … With ReliaQuest, I can do the work of 20 people with the work of a nine-person internal team. I can also monitor three times as much, all without having to hire additional people.”
The technical security manager at a facilities services firm agreed that using GreyMatter improved both staff productivity and their organization’s overall security posture: “We saved time from an employee perspective. We’re working things faster than we ever have before. … We’re seeing more than we’ve ever seen before from a visibility perspective.”
In addition to the time savings, interviewees shared that GreyMatter helped their teams respond to manual alerts more efficiently than they were able to in the past. The CISO at the lighting solutions organization described how ReliaQuest GreyMatter offered guided response workflows for their analysts to follow: “There are also time savings on alerts [that are not automated] because it’s already laid out in GreyMatter. ReliaQuest provides detailed descriptions when an incident happens and background on what they have done already. Most of the research is already done so they provide actionable items that we need to do. It’s probably 50% time savings on each [nonautomated] alert.”
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
The composite organization has 400 security alerts per month.
Each alert requires both a tier one and a tier two security employee to investigate and resolve it. On average, each employee dedicates 1.5 hours to each alert.
With GreyMatter’s agentic AI capabilities and automated response playbooks, 85% of the composite’s alert investigations are handled without any human intervention. For more manual alert investigations, GreyMatter’s correlation capabilities and guided response workflows enable security analysts to respond to each alert more quickly. Overall, the composite is able to reduce the amount of time spent on true-positive alert investigations by 89.5%.
The average fully burdened hourly rate for a security FTE is $71.
Forrester applies an 80% productivity recapture to account for the fact that not all employee time savings are redeployed productively.
The faster alert management allows the composite organization to reduce MTTR by 75% and to reduce MTTC to 6 minutes.
Risks. The alert management time savings will vary depending on:
The number of security alerts per month.
The number of security FTEs dedicated to responding to each alert.
The specific automated response playbooks that an organization deploys.
The alert automation capabilities in an organization’s legacy environment.
The fully burdened hourly rate of security FTEs.
Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.6 million.
Reduction in MTTR with ReliaQuest GreyMatter
Average mean time to contain threats with GreyMatter
Time savings on true-positive alert investigations with GreyMatter
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|
| B1 | Security alerts that required a response prior to using GreyMatter (per month) | Composite | 400 | 400 | 400 | |
| B2 | Security FTEs dedicated to investigating each alert | Composite | 2 | 2 | 2 | |
| B3 | Hours dedicated to investigating each alert for each FTE | Composite | 1.5 | 1.5 | 1.5 | |
| B4 | Time savings on investigating true positives with GreyMatter | Interviews | 89.50% | 89.50% | 89.50% | |
| B5 | Subtotal: Annual time savings on investigating true positives with GreyMatter (hours) | B1*B2*B3*B4*12 months | 12,888 | 12,888 | 12,888 | |
| B6 | Fully burdened hourly rate for a security FTE | Composite | $71 | $71 | $71 | |
| B7 | Productivity recapture | TEI methodology | 80% | 80% | 80% | |
| Bt | Alert management time savings with ReliaQuest GreyMatter | B5*B6*B7 | $732,038 | $732,038 | $732,038 | |
| Risk adjustment | ↓10% | |||||
| Btr | Alert management time savings with ReliaQuest GreyMatter (risk-adjusted) | $658,834 | $658,834 | $658,834 | ||
| Three-year total: $1,976,503 | Three-year present value: $1,638,423 | |||||
Evidence and data. Interviewees shared that ReliaQuest’s GreyMatter platform helps reduce false positives by centralizing and correlating security data from various tools, providing a more holistic view of potential threats. They also said that ReliaQuest’s team of service experts collaborates with their organizations to fine-tune the platform’s detections and distinguish between genuine threats and benign anomalies. The CISO at a lighting solutions organization estimated that, “False positives have declined by 80% to 90% with ReliaQuest.”
The deputy CISO at a manufacturing firm added that the reduction in false positives led to additional time savings for their security team: “Our SOC manager doesn’t have to spend a lot of time responding to false positives. It’s all on [ReliaQuest’s] behalf.”
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
Prior to adopting GreyMatter, the composite organization experiences 80 false positives per month.
With GreyMatter, the composite organization reduces the number of false positives by 80%.
Each alert requires both a tier one and tier two security employee to investigate and resolve it. On average, each employee dedicates 1.5 hours to each alert.
The average fully burdened hourly rate for a security FTE is $71.
Forrester applies an 80% productivity recapture to account for the fact that not all employee time savings are redeployed productively.
Risks. The time savings on responding to false positives will vary depending on:
The agreed-upon percentage of false positives. Some organizations may work with their security vendors to allow some false positives. Organizations with a higher tolerance for false positives may see a smaller reduction in false positives and therefore smaller time savings.
The amount of employee time dedicated to responding to each false positive.
The fully burdened hourly rate of security FTEs.
Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $293,000.
Reduction in false positives
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|
| C1 | Number of false positives investigated prior to ReliaQuest GreyMatter (per month) | Composite | 80 | 80 | 80 | |
| C2 | Reduction in the number of false positives with ReliaQuest GreyMatter | Interviews | 80% | 80% | 80% | |
| C3 | Subtotal: False positives reduced with ReliaQuest GreyMatter (per month) | C1*C2 | 64 | 64 | 64 | |
| C4 | Number of FTEs involved in the alert investigation process | Composite | 2 | 2 | 2 | |
| C5 | Hours dedicated to investigating each false positive for each FTE | Composite | 1.5 | 1.5 | 1.5 | |
| C6 | Fully burdened hourly rate for a security FTE | B6 | $71 | $71 | $71 | |
| C7 | Productivity recapture | TEI methodology | 80% | 80% | 80% | |
| Ct | Reduced cost to investigate false positives | C3*C4*C5*C6*12 months*C7 | $130,867 | $130,867 | $130,867 | |
| Risk adjustment | ↓10% | |||||
| Ctr | Reduced cost to investigate false positives (risk-adjusted) | $117,780 | $117,780 | $117,780 | ||
| Three-year total: $353,341 | Three-year present value: $292,902 | |||||
Evidence and data. Interviewees reported two types of cost savings from implementing the GreyMatter platform. First, some said their organizations were able to retire legacy tools, such as standalone SIEM tools, legacy SOAR tools, point solutions for specific tasks like threat intelligence, or underutilized security tools. Second, some interviewees reported that GreyMatter’s universal query language and data stitching capabilities enabled them to correlate data from various sources without needing to store and centralize all the raw data, leading to a significant decrease in data ingest costs. The interviewees reported that, collectively, these cost savings can more than cover the annual cost of GreyMatter.
The director of security operations at an aerospace organization described how GreyMatter performed better than their legacy tool: “We are saving $100,000 to $150,000 a year, which comes out to savings of 25%. ReliaQuest is doing a much better job [than our legacy vendor]. There is no comparison for about 25% cheaper.”
In addition to the tool savings, the same interviewee reported that they no longer have to ingest certain data types, leading to additional cost savings: “Some things do not need to go into the SIEM [tool]. [Our whole Defender suite] goes directly to GreyMatter. So that cuts ingest, and we don’t need to worry about it.”
The CISO at a lighting solutions organization described the cost savings from GreyMatter’s multi-SIEM approach: “Because they do direct API calls on everything, I don’t have to put everything in a SIEM [tool]. … From the calculations we’ve done, we are saving $3.5 million on a yearly basis.”
Modeling and assumptions. After adopting GreyMatter, the composite organization is able to retire a legacy point solution and also reduce its data ingest costs. In Year 1, the composite organization is able to save $810,000. As the deployment becomes more mature, the annual cost savings grow to $900,000 in Years 2 and 3.
Risks. The legacy cost savings will vary depending on:
The type of security tools deployed in the legacy environment.
The speed at which organizations are able to retire their legacy tools.
Whether organizations are subject to regulations that require them to store more of their log data. These organizations may see smaller data ingest cost savings.
Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.9 million.
Annual cost savings from using ReliaQuest GreyMatter
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|
| D1 | Legacy system costs and data ingest costs optimized with ReliaQuest GreyMatter | Composite | $810,000 | $900,000 | $900,000 | |
| Dt | Legacy cost savings | D1 | $810,000 | $900,000 | $900,000 | |
| Risk adjustment | ↓10% | |||||
| Dtr | Legacy cost savings (risk-adjusted) | $729,000 | $810,000 | $810,000 | ||
| Three-year total: $2,349,000 | Three-year present value: $1,940,714 | |||||
Interviewees mentioned the following additional benefits that their organizations experienced but were not able to quantify:
An improved ability to meet compliance and cybersecurity insurance requirements. Interviewees shared that, prior to implementing GreyMatter, it was increasingly cumbersome to meet regulatory requirements related to data security, incident management, and operational resilience. Additionally, cybersecurity insurance premiums were rising, particularly for organizations with gaps in their security coverage. Because GreyMatter centralizes alert management and threat reporting into a single platform, interviewees noted that GreyMatter helped them more easily meet the requirements set by auditors or cybersecurity insurance providers, allowing them to reduce manual time spent on compliance reporting and potentially helping them avoid premium hikes. The CISO at a lighting solutions organization described the benefit: “It’s becoming more and more clear that we need ReliaQuest for more [regulations], and they are expanding with European standards coming up like NIST 2 and CRA. With these legislations coming up, we have to know what we’re doing, how fast we act, and how fast things are resolved if there’s an incident. I’m already reporting on that now [with ReliaQuest GreyMatter] for certain legislations and certifications.”
Improved visibility from gaining a single, easy-to-use platform. Interviewees shared that GreyMatter has a simple, user-friendly interface that allows analysts to efficiently monitor their security data, alerts, and potential threats in their environment. Because GreyMatter centralizes data from different security platforms, analysts did not have to switch between different security tools to assess threats or execute response actions, making their entire security environment more navigable. The deputy CISO at a manufacturing firm praised the platform: “The big thing about GreyMatter is that everything is consolidated into one single platform: not just detection but also response and reporting. Everything is in there. … From a measurement and metrics perspective, you can measure so many different things, from detection to response to resolution, because it is all in one centralized platform.”
Interviewees also lauded GreyMatter’s mobile application, which made it easier for analysts to respond to alerts during off-hours from their phones. The technical security manager at a facilities services firm reported: “They have a feature offering that nobody else had [when we decided to implement GreyMatter], which is to be able to work alerts from their mobile app. That is key for us because people are on call in our department every six or seven weeks.”
Faster time to value from a quick implementation process. Interviewees reported that ReliaQuest’s team of experts helped them quickly integrate GreyMatter with their organizations’ existing security tools and set up common automation rules. While the deployment of security solutions can take months, interviewees shared that GreyMatter was implemented over the course of weeks, allowing their organizations to quickly see improvements in their security posture and operational efficiency. The director of security operations at an aerospace firm stated: “The GreyMatter architecture allows immediate deployment of hundreds of detection rules right off the bat. You get the added visibility and coverage once the initial deployment is completed, which usually takes three to four weeks.”
Proactive support from ReliaQuest’s experts. Interviewees reported that ReliaQuest’s team of experts were extremely proactive and helpful in setting up automated response playbooks and recommending improvements to their GreyMatter deployment. Moreover, interviewees stated that ReliaQuest actively solicits and incorporates customer feedback into their platform’s development, ensuring ongoing innovation that directly addresses real-world security challenges. The technical security manager at a facilities services organization described their relationship with ReliaQuest: “Very rarely have I seen a vendor of any kind proactively come to me and say, ‘Let’s do this, let’s do that. We’re looking at your environment, and we can tweak this to make it better.’ … They’re constantly bringing stuff to the table and asking, ‘How do we enhance this experience?’”
| Ref. | Cost | Initial | Year 1 | Year 2 | Year 3 | Total | Present Value |
|---|---|---|---|---|---|---|---|
| Etr | ReliaQuest GreyMatter subscription costs | $0 | $630,000 | $630,000 | $630,000 | $1,890,000 | $1,566,717 |
| Ftr | Implementation and training costs | $20,306 | $1,874 | $1,874 | $1,874 | $25,929 | $24,967 |
| Gtr | Ongoing management effort | $0 | $11,246 | $11,246 | $11,246 | $33,739 | $27,968 |
| Total costs (risk-adjusted) | $20,306 | $643,121 | $643,121 | $643,121 | $1,949,668 | $1,619,652 |
Evidence and data. Interviewees shared that ReliaQuest charged their organizations fees for the usage of GreyMatter. Pricing may vary. Contact ReliaQuest for additional details.
Modeling and assumptions. Based on the interviews, Forrester assumes that the composite organization, a global enterprise with $5 billion in annual revenue, incurs annual costs of $600,000 for the usage of GreyMatter.
Risks. GreyMatter subscription costs will vary depending on:
The number of endpoints monitored.
An organization’s headcount.
The specific GreyMatter modules and services used by an organization.
Results. To account for these risks, Forrester adjusted this cost upward by 5%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.6 million.
| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|---|
| E1 | ReliaQuest GreyMatter subscription costs | Composite | $600,000 | $600,000 | $600,000 | |
| Et | ReliaQuest GreyMatter subscription costs | E1 | $0 | $600,000 | $600,000 | $600,000 |
| Risk adjustment | ↑5% | |||||
| Etr | ReliaQuest GreyMatter subscription costs (risk-adjusted) | $0 | $630,000 | $630,000 | $630,000 | |
| Three-year total: $1,890,000 | Three-year present value: $1,566,717 | |||||
Evidence and data. Interviewees reported that implementing GreyMatter involved integrating the platform with their organizations’ existing security tools, defining use cases, and collaborating with ReliaQuest to tailor detections and workflows to their environments. Interviewees shared that the deployment process took between two and four weeks in total. During the implementation process, the organizations’ internal security teams were also trained on using the platform.
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
The composite organization implements GreyMatter over the course of four weeks.
During the deployment period, a security engineer dedicates 50% of their time to the implementation process.
The average fully burdened hourly rate for a security engineer is $71.
A team of 15 security engineers are trained on using GreyMatter during the implementation period. Each employee requires 12 hours of self-paced GreyMatter training.
Over the next three years, two new security engineers are trained each year.
Risks. Implementation and training costs will vary depending on:
The number of integrated technologies in the security infrastructure.
The number of automations set up during the implementation period.
The size of the security team trained on GreyMatter.
The fully burdened hourly rate for a security engineer.
Results. To account for these risks, Forrester adjusted this cost upward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $25,000.
| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|---|
| F1 | Employees involved in the implementation process | Composite | 1 | |||
| F2 | Weeks spent implementing ReliaQuest GreyMatter | Composite | 4 | |||
| F3 | Percentage of time dedicated to the ReliaQuest GreyMatter implementation | Composite | 50% | |||
| F4 | Fully burdened hourly rate for a security engineer | B6 | $71 | $71 | $71 | $71 |
| F5 | Subtotal: ReliaQuest GreyMatter implementation costs | F1*F2*40 hours a week*F3*F4 | $5,680 | |||
| F6 | Employees trained on GreyMatter | Composite | 15 | 2 | 2 | 2 |
| F7 | Hours spent training on GreyMatter | Composite | 12 | 12 | 12 | 12 |
| F8 | Subtotal: GreyMatter training costs | F6*F7*F4 | $12,780 | $1,704 | $1,704 | $1,704 |
| Ft | Implementation and training costs | F5+F8 | $18,460 | $1,704 | $1,704 | $1,704 |
| Risk adjustment | ↑10% | |||||
| Ftr | Implementation and training costs (risk-adjusted) | $20,306 | $1,874 | $1,874 | $1,874 | |
| Three-year total: $25,929 | Three-year present value: $24,967 | |||||
Evidence and data. Interviewees reported that a small amount of internal labor was required to manage GreyMatter on an ongoing basis. Management tasks consisted of meeting with the ReliaQuest services team, adjusting configurations and integrations, and assisting with training new employees.
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
Collectively, the composite organization dedicates 12 hours per month to managing GreyMatter.
The average fully burdened hourly rate for a security FTE who manages GreyMatter is $71.
Risks. Ongoing management costs will vary depending on:
The fully burdened hourly rate for security FTEs.
The frequency that an organization would like to meet with ReliaQuest’s services team.
Results. To account for these risks, Forrester adjusted this cost upward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $28,000.
| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|---|
| G1 | Internal hours dedicated to managing GreyMatter deployment (per month) | Composite | 12 | 12 | 12 | |
| G2 | Fully burdened hourly rate for a security FTE | B6 | $71 | $71 | $71 | |
| Gt | Ongoing management effort | G1*G2*12 months | $0 | $10,224 | $10,224 | $10,224 |
| Risk adjustment | ↑10% | |||||
| Gtr | Ongoing management effort (risk-adjusted) | $0 | $11,246 | $11,246 | $11,246 | |
| Three-year total: $33,739 | Three-year present value: $27,968 | |||||
| Initial | Year 1 | Year 2 | Year 3 | Total | Present Value | |
|---|---|---|---|---|---|---|
| Total costs | ($20,306) | ($643,121) | ($643,121) | ($643,121) | ($1,949,668) | ($1,619,652) |
| Total benefits | $0 | $2,058,574 | $2,139,574 | $2,139,574 | $6,337,723 | $5,247,168 |
| Net benefits | ($20,306) | $1,415,454 | $1,496,454 | $1,496,454 | $4,388,055 | $3,627,516 |
| ROI | 224% | |||||
| Payback | <6 months |
The financial results calculated in the Benefits and Costs sections can be used to determine the ROI, NPV, and payback period for the composite organization’s investment. Forrester assumes a yearly discount rate of 10% for this analysis.
These risk-adjusted ROI, NPV, and payback period values are determined by applying risk-adjustment factors to the unadjusted results in each Benefit and Cost section.
The initial investment column contains costs incurred at “time 0” or at the beginning of Year 1 that are not discounted. All other cash flows are discounted using the discount rate at the end of the year. PV calculations are calculated for each total cost and benefit estimate. NPV calculations in the summary tables are the sum of the initial investment and the discounted cash flows in each year. Sums and present value calculations of the Total Benefits, Total Costs, and Cash Flow tables may not exactly add up, as some rounding may occur.
From the information provided in the interviews, Forrester constructed a Total Economic Impact™ framework for those organizations considering an investment in ReliaQuest GreyMatter.
The objective of the framework is to identify the cost, benefit, flexibility, and risk factors that affect the investment decision. Forrester took a multistep approach to evaluate the impact that ReliaQuest GreyMatter can have on an organization.
Interviewed ReliaQuest stakeholders and Forrester analysts to gather data relative to GreyMatter.
Interviewed four decision-makers at organizations using GreyMatter to obtain data about costs, benefits, and risks.
Designed a composite organization based on characteristics of the interviewees’ organizations.
Constructed a financial model representative of the interviews using the TEI methodology and risk-adjusted the financial model based on issues and concerns of the interviewees.
Employed four fundamental elements of TEI in modeling the investment impact: benefits, costs, flexibility, and risks. Given the increasing sophistication of ROI analyses related to IT investments, Forrester’s TEI methodology provides a complete picture of the total economic impact of purchase decisions. Please see Appendix A for additional information on the TEI methodology.
Benefits represent the value the solution delivers to the business. The TEI methodology places equal weight on the measure of benefits and costs, allowing for a full examination of the solution’s effect on the entire organization.
Costs comprise all expenses necessary to deliver the proposed value, or benefits, of the solution. The methodology captures implementation and ongoing costs associated with the solution.
Flexibility represents the strategic value that can be obtained for some future additional investment building on top of the initial investment already made. The ability to capture that benefit has a PV that can be estimated.
Risks measure the uncertainty of benefit and cost estimates given: 1) the likelihood that estimates will meet original projections and 2) the likelihood that estimates will be tracked over time. TEI risk factors are based on “triangular distribution.”
The present or current value of (discounted) cost and benefit estimates given at an interest rate (the discount rate). The PV of costs and benefits feed into the total NPV of cash flows.
The present or current value of (discounted) future net cash flows given an interest rate (the discount rate). A positive project NPV normally indicates that the investment should be made unless other projects have higher NPVs.
A project’s expected return in percentage terms. ROI is calculated by dividing net benefits (benefits less costs) by costs.
The interest rate used in cash flow analysis to take into account the time value of money. Organizations typically use discount rates between 8% and 16%.
The breakeven point for an investment. This is the point in time at which net benefits (benefits minus costs) equal initial investment or cost.
Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.
1 Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.
2 Source: A regression analysis of the reported total cumulative costs of all breaches experienced by security decision-makers’ organizations in the past 12 months. The composite organization’s revenue is used as the input to the regression formula. We asked 1,660 global security decision-makers who have experienced a breach in the past 12 months, “Using your best estimate, what was the total cumulative cost of all breaches experienced by your organization in the past 12 months?” Source: Forrester’s Security Survey, 2024.
3 Source: A regression analysis of the likelihood of experiencing one or more breaches, using the frequency that organizations experienced breaches in the past 12 months as reported by security decision-makers. The composite organization’s revenue is used as the input to the regression formula. We asked 2,769 global security decision-makers, “How many times do you estimate that your organization’s sensitive data was potentially compromised or breached in the past 12 months?” Source: Forrester’s Security Survey, 2024.
4 Source: The percentage of breaches by primary attack vector, as reported by security decision-makers whose organizations experienced at least one breach in the past 12 months. We asked 1,542 global security decision-makers who have experienced a breach in the past 12 months, “Of the times that your organization’s sensitive data was potentially compromised or breached in the past 12 months, please indicate how many of each fall into the categories below.” Source: Forrester’s Security Survey, 2024.
Readers should be aware of the following:
This study is commissioned by ReliaQuest and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.
Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in ReliaQuest GreyMatter.
ReliaQuest reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.
ReliaQuest provided the customer names for the interviews but did not participate in the interviews.
Matt Dunham
June 2025
ABOUT FORRESTER CONSULTING
Forrester provides independent and objective research-based consulting to help leaders deliver key transformation outcomes. Fueled by our customer-obsessed research, Forrester’s seasoned consultants partner with leaders to execute on their priorities using a unique engagement model that tailors to diverse needs and ensures lasting impact. For more information, visit forrester.com/consulting.
© Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies.
https://mainstayadvisor.com/go/mainstay/gdpr/policy.html
PDF