A Forrester Total Economic Impact™ Study Commissioned By Carbon Black, December 2023
Successful cyberattacks, such as ransomware, can have a crippling impact on an organization and its customers. Extended detection and response is the evolution of endpoint detection and response, optimizing threat detection and expediting response times for security incidents. Carbon Black empowers security professionals to conduct faster investigation and remediation of incidents, avoid downtime from debilitating breaches, streamline security operations, and drive compliance and audit efficiencies.
Cyberattackers (e.g., criminal syndicates, nation-state actors, or solo hackers) deploy a variety of techniques to breach the technology ecosystems of organizations, ranging from malware to phishing to watering holes, with ransomware being one of the more debilitating breaches.
Right now, statistics pertaining to organizational security resilience are not encouraging. Data from a 2023 Forrester security survey identified two relevant trends. First, 77% of surveyed security decision-makers reported that their firm suffered at least one breach in the prior 12 months (compared to 74% in the 2022 survey and 48% to 58% who said the same in prior years). Second, survey respondents reported that the most common type of breach in the prior 12 months was an external attack specifically targeting their organization.1
The complexity of today’s IT environments coupled with the rapidly changing nature of cyberthreats require security teams to evolve their security strategy. Because of this, security professionals want proactive, adaptive monitoring that enables them to employ more targeted and efficient threat response.2
Extended detection and response (XDR) is a comprehensive, effective approach to address today’s expanding cybersecurity breach challenges. Forrester defines XDR as the evolution of endpoint detection and response (EDR), which optimizes threat detection, investigation, response, and hunting in real time. XDR unifies security-relevant endpoint detections with telemetry from security and business tools, such as network analysis and visibility (NAV), email security, identity and access management (IAM), cloud security, and more on a cloud-native platform.3
Carbon Black is a cloud-native endpoint protection platform that empowers security teams to close the risk gap they face today with deeper visibility and the ability to tailor response to their unique environments. Carbon Black XDR builds on enterprise detection and response (EDR) capabilities to provide extended visibility, depth of telemetry, automated root cause analysis, and cross-tool threat hunting.
Carbon Black also delivers core endpoint and workload protection with next-generation antivirus (NGAV), host-based firewall, device control, vulnerability management, and remote audit and risk remediation for IT, compliance, and security.
Carbon Black commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by deploying Carbon Black.4 The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of Carbon Black on their organizations.
To better understand the benefits, costs, and risks associated with this investment, Forrester interviewed six representatives with experience in deploying and using Carbon Black for four organizations. In addition, Forrester surveyed 52 decision-makers with experience using Carbon Black products at their organizations (28 of whom use Carbon Black XDR with Managed Detection and Response [MDR]). For the purposes of this study, Forrester aggregated the experiences of the interviewees and survey respondents and combined the results into a single composite organization that is a US-based, global organization that generates $1.2 billion in annual revenue, serves customers globally, and employs 6,000 full-time workers.
Prior to using Carbon Black, interviewees noted their organizations struggled with the growth and complexity of cybersecurity attacks, insufficient visibility for endpoint security vulnerabilities, and a general sense of insufficient threat protection. Most interviewees also noted that investigating and remediating threats required significant effort with several of them experiencing a high number of false-positive alerts from their legacy tools.
After the investment in Carbon Black, interviewees noted their interviewees’ organizations orchestrated real-time responses to cyberattacks and executed on intelligent threat hunting. Leveraging behavior-based analytics, the interviewees’ organizations were able to conduct high-quality threat detection with speed and accuracy, while reducing the complexity of security operations.
Quantified benefits. Three-year, risk-adjusted present value (PV) quantified benefits for the composite organization include:
For , faster investigation and remediation of cybersecurity incidents by a 75% reduction in mean time to resolution (MTTR) might total over three years.
For , reduced downtime from a large-scale breach might total over three years.
For , streamlined security operations might total in cost savings over three years.
For , savings per audit by building in consistency into operational reporting and auditing processes might total over three years.
For , remote remediation reduced by reimaging might total over three years.
Unquantified benefits. Benefits that provide value for the interviewees’ organizations but are not quantified for this study include:
Costs. Three-year, risk-adjusted PV costs for the composite organization include:
For , Carbon Black licensing costs might total over three years.
For , deployment and ongoing support expenses might total over three years.
The financial analysis which is based on the interviews and survey found that a composite organization experiences benefits of $5.49 million over three years versus costs of $1.04 million, adding up to a net present value (NPV) of $4.45 million and an ROI of 427%.
might experience benefits of over three years versus costs of , adding up to an NPV of and an ROI of 0%.
Return on investment (ROI):
Benefits PV:
Net present value (NPV):
Payback (months):
Net MTTR reduction for investigating security incidents by Y3:
Reduction in risk of large-scale security breach:
Reduction in FTE hours for security incidents by Y3:
Time savings per audit for cybersecurity compliance:
From the information provided in the interviews, Forrester constructed a Total Economic Impact™ framework for those organizations considering an investment Carbon Black.
The objective of the framework is to identify the cost, benefit, flexibility, and risk factors that affect the investment decision. Forrester took a multistep approach to evaluate the impact that Carbon Black can have on an organization.
Forrester Consulting conducted an online survey of 351 cybersecurity leaders at global enterprises in the US, the UK, Canada, Germany, and Australia. Survey participants included managers, directors, VPs, and C-level executives who are responsible for cybersecurity decision-making, operations, and reporting. Questions provided to the participants sought to evaluate leaders’ cybersecurity strategies and any breaches that have occurred within their organizations. Respondents opted into the survey via a third-party research panel, which fielded the survey on behalf of Forrester in November 2020.
Interviewed Carbon Black stakeholders and Forrester analysts to gather data relative to Carbon Black.
Interviewed six representatives and surveyed 52 respondents at organizations using Carbon Black to obtain data about costs, benefits, and risks.
Designed a composite organization based on characteristics of the interviewees and survey respondents.
Constructed a financial model representative of the interviews and survey using the TEI methodology and risk-adjusted the financial model based on issues and concerns of the interviewees and survey respondents.
Employed four fundamental elements of TEI in modeling the investment impact: benefits, costs, flexibility, and risks. Given the increasing sophistication of ROI analyses related to IT investments, Forrester’s TEI methodology provides a complete picture of the total economic impact of purchase decisions. Please see Appendix A for additional information on the TEI methodology.
Readers should be aware of the following:
This study is commissioned by Carbon Black and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.
Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in Carbon Black.
Carbon Black reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.
Carbon Black provided the customer names for the interviews but did not participate in the interviews.
Consulting Team:
Erach Desai
Forrester interviewed six decision-makers who oversee the monitoring and incident management of cybersecurity and network services for four organizations. All of the interviewees were experienced with deploying and overseeing the usage of Carbon Black across their organizations. In addition, Forrester surveyed 52 decision-makers with experience using Carbon Black products at their organizations (28 of whom use Carbon Black XDR with MDR). For more details on the survey respondents, see Appendix B.
Prior to the deployment of Carbon Black, interviewees’ organizations struggled with the growth and complexity of cybersecurity attacks, insufficient visibility for endpoint security vulnerabilities, and a general sense of insufficient threat protection. Most interviewees also noted that investigating and remediating threats required significant effort with several of them experiencing a high number of false-positive alerts from their legacy tools.
Most of the interviewees also noted that their organizations experienced a significant cyberattack (primarily a ransomware attack) that prompted them to seek out and evaluate a cloud-based detection and response solution. Both interviewees and survey respondents noted how their organizations struggled with common challenges, including:
The interviewees and survey respondents searched for a solution that could:
Based on the interviews and survey, Forrester constructed a TEI framework, a composite company, and an ROI analysis that illustrates the areas financially affected. The composite organization is representative of the six interviewees from four organizations and the 52 survey respondents, and it is used to present the aggregate financial analysis in the next section. The composite organization has the following characteristics:
Description of composite. The composite is a US-based, global organization that heavily relies on its network to meet customer and internal user needs. It generates $1.2 billion in annual revenue, serves customers globally, and employs 6,000 full-time workers. Employees work under a hybrid work policy; most are affiliated with headquarters or regional offices, though there is also a healthy mix of remote workers.
Deployment characteristics. Prior to deploying Carbon Black, the composite organization relied on a combination of on-premises AV and antimalware tools with some SIEM capabilities to protect its 6,000 endpoints. The firm implements Carbon Black to protect against threats, detect and respond to them, and audit its extended network landscape. Forrester opted to model endpoints only for this composite, though most organizations will also install Carbon Black agents on servers and virtual machines. The composite configures its Carbon Black deployment with MDR to supplement its internal security team.
In terms of the effective impact of the Carbon Black solution, the composite derives 80% of the effective value in Year 1, 90% in Year 2, and 100% in Year 3. This is due to ongoing learnings from the usage of a newer technological situation. After implementing Carbon Black, the composite organization retires its legacy software.
For , $0 in revenue.
For , $0 full-time employees with 0 endpoints deployed.
Ref. | Benefit | Year 1 | Year 2 | Year 3 | Total | Present Value |
---|---|---|---|---|---|---|
Atr | Faster investigation and remediation of cybersecurity incidents | $859,248 $859,248 | $921,902 $921,902 | $984,555 $984,555 | $2,765,705 $2,765,705 | $2,282,747 $2,282,747 |
Btr | Avoided downtime due to data breach | $588,461 $588,461 | $588,461 $588,461 | $588,461 $588,461 | $1,765,383 $1,765,383 | $1,463,415 $1,463,415 |
Ctr | Cost savings from streamlined security operations | $502,416 $502,416 | $459,780 $459,780 | $430,981 $430,981 | $1,393,177 $1,393,177 | $1,160,528 $1,160,528 |
Dtr | Audit and compliance efficiencies | $186,480 $186,480 | $186,480 $186,480 | $186,480 $186,480 | $559,440 $559,440 | $463,748 $463,748 |
Etr | Savings from reduced reimaging of devices | $46,628 $46,628 | $46,628 $46,628 | $46,628 $46,628 | $139,884 $139,884 | $115,957 $115,957 |
Total benefits (risk-adjusted) | $2,183,233 $2,183,233 | $2,203,251 $2,203,251 | $2,237,104 $2,237,104 | $6,623,588 $6,623,588 | $5,486,395 $5,486,395 |
Evidence and data. Interviewees noted that prior to having Carbon Black, their organizations went through painstaking processes to prioritize and investigate alerts — assuming that their legacy on-premises NGAV and antimalware tools even alerted them or that their security teams weren’t overwhelmed with the number of false-positive alerts with a SIEM tool. Without the ability to efficiently detect, investigate, and remediate security incidents that required further scrutiny, the interviewees’ organizations’ only option was to resort to reimaging devices out of an overabundance of caution.
Interviewees noted that Carbon Black capabilities like prioritized alerts, deep visibility and tracking capabilities, and the ability to remotely triage endpoints were critical in reducing investigation and remediation times. With Carbon Black, the interviewees’ organizations stopped threats before they could become issues and security teams received the information they needed to quickly decide how to respond to threats. Additionally, extended detection and response capabilities enabled interviewees’ organizations to skip some of the tedious, common, or repetitive detection engineering work, allowing them to focus SecOps resources on more targeted and specific incidents. Survey respondents, in general, echoed and reinforced these overall strengths.
Modeling and assumptions. This benefit is focused on how the composite improves SecOps and IT Ops productivity due to reduced security incidents and a reduction in MTTR for incidents that require investigation to avoid breaches. For the composite organization, Forrester assumes the following:
has 0 security incidents per year.
For , the fully burdened annual salary of an experienced SecOps FTE or IT Ops FTE who is focused on security is $0, which equals an hourly salary of $0. The fully burdened annual salary of the average knowledge worker for the composite is assumed to be $0, which translates to $0 per hour.
Risks. Forrester recognizes that these results may not be representative of all experiences and that the benefit will vary between organizations depending on the following:
Results. To account for these risks, Forrester adjusted this benefit downward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of over $2.2 million.
For , this benefit might have a three-year, risk-adjusted PV of .
Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
---|---|---|---|---|---|---|
A1 | Number of security incidents before Carbon Black | CompositeComposite | 1,8001,800 | 1,8001,800 | 1,8001,800 | |
A2 | Number of security incidents after Carbon Black deployment | A1-(A1*30%)A1-(A1*30%) | 1,2601,260 | 1,2601,260 | 1,2601,260 | |
A3 | Time to investigate and remediate each security incident before Carbon Black (hours) | CompositeComposite | 1212 | 1212 | 1212 | |
A4 | Subtotal: Reduction in time due to fewer security incidents requiring remediation (hours) | (A1-A2)*A3(A1-A2)*A3 | 6,4806,480 | 6,4806,480 | 6,4806,480 | |
A5 | Net reduction in MTTR with Carbon Black (adjusted for deployment ramp) | InterviewsInterviews | 60.0%60.0% | 67.5%67.5% | 75.0%75.0% | |
A6 | Time to investigate and remediate after Carbon Black deployment (hours) | A3*(1-A5)A3*(1-A5) | 4.84.8 | 3.93.9 | 3.03.0 | |
A7 | Subtotal: Reduction in time due to faster remediation of current security incidents (hours) | A2*(A3-A6)A2*(A3-A6) | 9,0729,072 | 10,20610,206 | 11,34011,340 | |
A8 | Total time savings for impacted employee and SecOps/IT Ops FTE (hours) | A4+A7A4+A7 | 15,55215,552 | 16,68616,686 | 17,82017,820 | |
A9 | Fully burdened hourly salary of SecOps/IT Ops specialist | TEI standardTEI standard | $78 $78 | $78 $78 | $78 $78 | |
A10 | Fully burdened hourly salary of average knowledge worker | TEI standardTEI standard | $52 $52 | $52 $52 | $52 $52 | |
A11 | Productivity adjustment factor | TEI standardTEI standard | 50%50% | 50%50% | 50%50% | |
At | Faster investigation and remediation of cybersecurity incidents | A8*(A9+A10)*A11A8*(A9+A10)*A11 | $1,010,880 $1,010,880 | $1,084,590 $1,084,590 | $1,158,300 $1,158,300 | |
Risk adjustment | ↓15% | |||||
Atr | Faster investigation and remediation of cybersecurity incidents (risk-adjusted) | $859,248 $859,248 | $921,902 $921,902 | $984,555 $984,555 | ||
Three-year total: $2,765,705 $2,765,705 | Three-year present value: $2,282,747 $2,282,747 |
Evidence and data. Prior to the deployment of Carbon Black, interviewees’ organizations did not have the tools or capabilities to confidently withstand a range of cybersecurity attacks. Most interviewees noted their organizations experienced a significant cyberattack — specifically ransomware attacks — that prompted them to seek out and evaluate a next-generation cybersecurity solution. More than 55% of survey respondents indicated that Carbon Black either enabled them to stop more attacks or have better visibility into attacks.
Interviewees who were present at the time of their organizations’ ransomware attacks recalled how the incident essentially brought their organizations to their knees. They recalled how external specialist firms were brought on to navigate the incident. These firms introduced them to Carbon Black. The comprehensive protection afforded by Carbon Black helped the interviewees’ organizations prevent known and emerging threats. All of the interviewees said their organizations had not experienced a successful cyberattack since deploying Carbon Black.
Modeling and assumptions. This benefit is focused on the revenue the composite retains by reducing the downtime when being targeted by debilitating cybersecurity events. For the composite organization, Forrester assumes the following:
Based on revenues of 0 and 0 employees, might generate $0 in revenues per hour.
might retain $0 of its revenues annually by avoiding downtime due to a large-scale data breach.
Risks. Forrester recognizes that these results may not be representative of all experiences and that the benefit will vary between organizations depending on the following:
Results. To account for these risks, Forrester adjusted this benefit downward by 15%, yielding a three-year, risk-adjusted total PV of just under $1.5 million.
For , this benefit might have a three-year, risk-adjusted PV of .
Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
---|---|---|---|---|---|---|
B1 | Number of large-scale data breaches per year | Forrester researchForrester research | 11 | 11 | 11 | |
B2 | Average length of a large-scale data breach (hours) | 2 weeks*5 days/week*12 hours/day2 weeks*5 days/week*12 hours/day | 120120 | 120120 | 120120 | |
B3 | Risk of a data breach before Carbon Black | Interviews and surveyInterviews and survey | 30%30% | 30%30% | 30%30% | |
B4 | Reduction in risk of a breach with Carbon Black deployed | Interviews and surveyInterviews and survey | 40%40% | 40%40% | 40%40% | |
B5 | Revenue per hour | CompositeComposite | $384,615 $384,615 | $384,615 $384,615 | $384,615 $384,615 | |
B6 | Avoided revenue loss with Carbon Black | B1*B2*B3*B4*B5B1*B2*B3*B4*B5 | $5,538,456 $5,538,456 | $5,538,456 $5,538,456 | $5,538,456 $5,538,456 | |
B7 | Operating margin | CompositeComposite | 12.5%12.5% | 12.5%12.5% | 12.5%12.5% | |
Bt | Avoided downtime due to data breach | B6*B7B6*B7 | $692,307 $692,307 | $692,307 $692,307 | $692,307 $692,307 | |
Risk adjustment | ↓15% | |||||
Btr | Avoided downtime due to data breach (risk-adjusted) | $588,461 $588,461 | $588,461 $588,461 | $588,461 $588,461 | ||
Three-year total: $1,765,383 $1,765,383 | Three-year present value: $1,463,415 $1,463,415 |
Evidence and data. Prior to having Carbon Black, interviewees noted their organizations utilized multiple solutions for detection and remediation, most of which were on-premises or installed on endpoint devices. Supporting multiple toolsets, which included the inefficiency of working with on-premises only solutions, required a larger staff of SecOps and IT Ops professionals in addition to annual training, etc. This approach to cybersecurity increased capital expenses, degraded endpoint performance, and created a complex layer of vendor management that distracted from mission-critical security tasks.
With the deployment of Carbon Black, interviewees benefited from using a single cloud-native agent, dashboard, and data set. With Carbon Black, the interviewees’ organizations were able to streamline security operations, allowing SecOps and IT Ops professionals to focus on higher-value-added work.
Modeling and assumptions. This benefit captures the combined cost savings from support and training efficiencies by consolidating vendors into one cloud-based Carbon Black solution. For the composite organization, Forrester assumes the following with the savings reduced by 5% in Year 2 and Year 3:
has 0 endpoints (devices).
might save 0 hours in Year 1 from ongoing support of legacy security solutions.
might save 0 hours of training in Year 1 by consolidating on Carbon Black.
might redeploy 0 SecOps or IT Ops FTEs in Year 1 by moving to a cloud-based solution.
might redeploy 0 SecOps or IT Ops FTEs in Year 1 by moving to Carbon Black with MDR.
For , the fully burdened annual salary of an experienced SecOps FTE or IT Ops FTE who is focused on security is $0.
might save $0 per year in subscription costs by decommissioning legacy tools on an adjusted basis.
might save 0 FTE hours in Year 1, 0 FTE hours in Year 2, and 0 FTE hours in Year 3 by mostly redeploying FTEs to higher-value-added work.
Risks. Forrester recognizes that these results may not be representative of all experiences and that the benefit will vary between organizations depending on the following:
Results. To account for these risks, Forrester adjusted this benefit downward by 15%, yielding a three-year, risk-adjusted total PV of just under $1.2 million.
For , this benefit might have a three-year, risk-adjusted PV of .
Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
---|---|---|---|---|---|---|
C1 | Time saved from supporting legacy security solutions (hours) | SurveySurvey | 4141 | 3939 | 3737 | |
C2 | Training time savings by consolidating on Carbon Black (hours) | SurveySurvey | 360360 | 342342 | 325325 | |
C3 | Fully burdened hourly salary of SecOps/IT Ops specialist | TEI standardTEI standard | $78 $78 | $78 $78 | $78 $78 | |
C4 | Subtotal: Cost savings from support and training of legacy solutions | (C1+C2)*C3(C1+C2)*C3 | $31,278 $31,278 | $29,718 $29,718 | $28,236 $28,236 | |
C5 | Number of SecOps/IT Ops FTEs not required due to Carbon Black being on the cloud | SurveySurvey | 1.61.6 | 1.41.4 | 1.31.3 | |
C6 | Number of SecOps/IT Ops FTEs not required due to MDR with Carbon Black | SurveySurvey | 1.31.3 | 1.21.2 | 1.11.1 | |
C7 | Fully burdened annual salary of SecOps/IT Ops specialist | TEI standardTEI standard | $162,000 $162,000 | $162,000 $162,000 | $162,000 $162,000 | |
C8 | Subtotal: Cost savings enabled by Carbon Black and MDR | (C5+C6)*C7(C5+C6)*C7 | $469,800 $469,800 | $421,200 $421,200 | $388,800 $388,800 | |
C9 | Retired subscription costs | SurveySurvey | $90,000 $90,000 | $90,000 $90,000 | $90,000 $90,000 | |
Ct | Cost savings from streamlined security operations | C4+C8+C9C4+C8+C9 | $591,078 $591,078 | $540,918 $540,918 | $507,036 $507,036 | |
Risk adjustment | ↓15% | |||||
Ctr | Cost savings from streamlined security operations (risk-adjusted) | $502,416 $502,416 | $459,780 $459,780 | $430,981 $430,981 | ||
Three-year total: $1,393,177 $1,393,177 | Three-year present value: $1,160,528 $1,160,528 |
Evidence and data. The interviewees noted that cost of maintaining compliance was far easier to bear than the expense of dealing with noncompliance issues. Additionally, organizations with a highly complex security infrastructure faced an average breach cost that was $2.15 million higher than those with lower complexity environments.6
With the audit and remediation capabilities included with Carbon Black, interviewees noted their organizations could take advantage of a number of prebuilt queries or design their own to establish proactive IT hygiene and establish consistent reporting and auditing processes. This allowed the interviewees’ organizations to enforce endpoint configuration and compliance policies, as well as provided visibility into software license inventory and any unwanted browser plug-ins. These capabilities were important, as the interviewees’ organizations faced stiff penalties from vendors if they either were underlicensed or violated government regulations, such as the EU’s General Data Protection Regulation (GDPR) or the U S’s Health Insurance Portability and Accountability Act (HIPAA).
Modeling and assumptions. This benefit combines the efficiencies achieved for audit and compliance processes relative to an organization’s cybersecurity infrastructure by using Carbon Black audit and remediation capabilities. All of the key modeling assumptions for this benefit were derived from the survey. For the composite organization, Forrester assumes the following (Note: Given the nature of these metrics, they are not linearly scaled by organization size):
has 0 audits per year.
Risks. Forrester recognizes that these results may not be representative of all experiences and that the benefit will vary between organizations depending on the following:
Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV of nearly $464,000.
For , this benefit might have a three-year, risk-adjusted PV of .
Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
---|---|---|---|---|---|---|
D1 | Number of audits | CompositeComposite | 66 | 66 | 66 | |
D2 | Time per audit (hours) before Carbon Black | SurveySurvey | 55 | 55 | 55 | |
D3 | Audit time savings with Carbon Black | SurveySurvey | 20%20% | 20%20% | 20%20% | |
D4 | Fully loaded hourly cost of an audit | AssumptionAssumption | $1,200 $1,200 | $1,200 $1,200 | $1,200 $1,200 | |
D5 | Avoided noncompliance fines | Forrester researchForrester research | $200,000 $200,000 | $200,000 $200,000 | $200,000 $200,000 | |
Dt | Audit and compliance efficiencies | (D1*D2*D3*D4)+D5(D1*D2*D3*D4)+D5 | $207,200 $207,200 | $207,200 $207,200 | $207,200 $207,200 | |
Risk adjustment | ↓10% | |||||
Dtr | Audit and compliance efficiencies (risk-adjusted) | $186,480 $186,480 | $186,480 $186,480 | $186,480 $186,480 | ||
Three-year total: $559,440 $559,440 | Three-year present value: $463,748 $463,748 |
Evidence and data. Prior to having Carbon Black, interviewees noted their organizations’ IT professionals had the limited ability to remotely access devices to diagnose and remediate incidents. With rudimentary tools for detection and remediation, the only option of the interviewees’ organizations was to resort to reimaging devices out of an overabundance of caution. While this was an effective way to resolve these incidents, it was highly inefficient and organizations with hybrid workers incurred the costs of downtime, plus shipment expenses.
Interviewees noted that Carbon Black enabled their organizations to remotely diagnose and resolve most threats with confidence without requiring wasteful and inefficient reimaging.
Modeling and assumptions. This benefit quantifies the savings derived from reduced reimaging of devices due to the Carbon Black solution. For the composite organization, Forrester assumes the following:
requires 0 devices to be reimaged each year.
For , the fully burdened annual salary of an experienced IT technician is $0, which equals an hourly salary of $0. The fully burdened annual salary of the average knowledge worker for the composite is assumed to be $0, which translates to $0 per hour.
Risks. Forrester recognizes that these results may not be representative of all experiences and that the benefit will vary between organizations depending on the following:
Results. To account for these risks, Forrester adjusted this benefit downward by 5%, yielding a three-year, risk-adjusted total PV of nearly $116,000.
For , this benefit might have a three-year, risk-adjusted PV of .
Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | ||
---|---|---|---|---|---|---|---|
E1 | Number of devices requiring reimaging with legacy solutions | CompositeComposite | 230230 | 230230 | 230230 | ||
E2 | Reduction in reimaging with Carbon Black | SurveySurvey | 55%55% | 55%55% | 55%55% | ||
E3 | Time required for IT technician to reimage each device (hours) | SurveySurvey | 88 | 88 | 88 | ||
E4 | Fully burdened hourly salary of service desk IT technician | TEI standardTEI standard | $45 $45 | $45 $45 | $45 $45 | ||
E5 | Fully burdened hourly salary of average knowledge worker | TEI standardTEI standard | $52 $52 | $52 $52 | $52 $52 | ||
E6 | Productivity adjustment factor | TEI standardTEI standard | 50%50% | 50%50% | 50%50% | ||
Et | Savings from reduced reimaging of devices | E1*E2*E3*(E4+E5)*E6E1*E2*E3*(E4+E5)*E6 | $49,082 $49,082 | $49,082 $49,082 | $49,082 $49,082 | ||
Risk adjustment | ↓5% | ||||||
Etr | Savings from reduced reimaging of devices (risk-adjusted) | $46,628 $46,628 | $46,628 $46,628 | $46,628 $46,628 | |||
Three-year total: $139,884 $139,884 | Three-year present value: $115,957 $115,957 |
Interviewees and survey respondents mentioned the following additional benefits that their organizations experienced but were not able to quantify:
The value of flexibility is unique to each customer. There are multiple scenarios in which a customer might implement Carbon Black and later realize additional uses and business opportunities, including:
Flexibility would also be quantified when evaluated as part of a specific project (described in more detail in Appendix A).
Ref. | Cost | Initial | Year 1 | Year 2 | Year 3 | Total | Present Value |
---|---|---|---|---|---|---|---|
Ftr | External: Carbon Black configuration fees | $0 $0 | $273,000 $273,000 | $273,000 $273,000 | $273,000 $273,000 | $819,000 $819,000 | $678,911 $678,911 |
Gtr | Internal: Deployment and ongoing support expenses | $4,118 $4,118 | $146,678 $146,678 | $142,560 $142,560 | $142,560 $142,560 | $435,917 $435,917 | $362,388 $362,388 |
Total costs (risk-adjusted) | $4,118 $4,118 | $419,678 $419,678 | $415,560 $415,560 | $415,560 $415,560 | $1,254,917 $1,254,917 | $1,041,299 $1,041,299 |
Evidence and data. Interviewees stated that their companies paid annual subscription fees based on the products or product packages utilized.
Modeling and assumptions. For the composite organization, Forrester assumes the following:
deploys Carbon Black to 0 devices.
might incur Carbon Black configuration fees of 0.
Risks. Forrester recognizes that these results may not be representative of all experiences, and that the costs will vary between organizations depending on the following factors:
Results. To account for these risks, Forrester adjusted this cost upward by 5%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of just about $679,000.
For , this cost might have a three-year, risk-adjusted PV of .
Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 | |
---|---|---|---|---|---|---|---|
F1 | Carbon Black with MDR subscription fees | CompositeComposite | $0 | $260,000 $260,000 | $260,000 $260,000 | $260,000 $260,000 | |
Ft | External: Carbon Black configuration fees | F1F1 | $0 $0 | $260,000 $260,000 | $260,000 $260,000 | $260,000 $260,000 | |
Risk adjustment | ↑5% | ||||||
Ftr | External: Carbon Black configuration fees (risk-adjusted) | $0 $0 | $273,000 $273,000 | $273,000 $273,000 | $273,000 $273,000 | ||
Three-year total: $819,000 $819,000 | Three-year present value: $678,911 $678,911 |
Evidence and data. Interviewees stated that using Carbon Black in a production mode was quite straightforward. Initial deployment involved installing agents, testing, deploying to machines, and monitoring and adjusting rules.
Modeling and assumptions. For the composite organization, Forrester assumes the following, with all key survey metrics adjusted for the size of the composite:
utilizes $0 full-time SecOps and/or IT Ops professional for $0 hours initially and in Year 1.
utilizes the equivalent of 0 FTEs who spend 30% of their time dedicated to maintaining and upgrading the Carbon Black platform.
For , the fully burdened annual salary of an experienced SecOps FTE or IT Ops FTE who is focused on security is $0, which equals an hourly salary of $0.
Risks. Forrester recognizes that these results may not be representative of all experiences and that the benefit will vary between organizations depending on:
Results. To account for these risks, Forrester adjusted this cost upward by 10%, yielding a three-year, risk-adjusted total PV of just over $362,000.
For , this cost might have a three-year, risk-adjusted PV of .
Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 | |
---|---|---|---|---|---|---|---|
G1 | Carbon Black deployment and training time (hours per FTE) | SurveySurvey | 1616 | 1616 | 0 | 0 | |
G2 | Effective number of FTEs for deployment and training | SurveySurvey | 33 | 33 | 0 | 0 | |
G3 | Fully burdened hourly salary of SecOps/IT Ops specialist | TEI standardTEI standard | $78 $78 | $78 $78 | $78 $78 | $78 $78 | |
G4 | FTE hours required for ongoing maintenance of Carbon Black platform | Interviews and surveyInterviews and survey | 0 | 0.80.8 | 0.80.8 | 0.80.8 | |
G5 | Fully burdened annual salary of SecOps/ITOps specialist | TEI standardTEI standard | $162,000 $162,000 | $162,000 $162,000 | $162,000 $162,000 | $162,000 $162,000 | |
Gt | Internal: Deployment and ongoing support expenses | (G1*G2*G3)+(G4*G5)(G1*G2*G3)+(G4*G5) | $3,744 $3,744 | $133,344 $133,344 | $129,600 $129,600 | $129,600 $129,600 | |
Risk adjustment | ↑10% | ||||||
Gtr | Internal: Deployment and ongoing support expenses (risk-adjusted) | $4,118 $4,118 | $146,678 $146,678 | $142,560 $142,560 | $142,560 $142,560 | ||
Three-year total: $435,917 $435,917 | Three-year present value: $362,388 $362,388 |
The financial results calculated in the Benefits and Costs sections can be used to determine the ROI, NPV, and payback period for the composite organization’s investment. Forrester assumes a yearly discount rate of 10% for this analysis.
These risk-adjusted ROI, NPV, and payback period values are determined by applying risk-adjustment factors to the unadjusted results in each Benefit and Cost section.
Initial | Year 1 | Year 2 | Year 3 | Total | Present Value | |
---|---|---|---|---|---|---|
Total costs | ($4,118)($4,118) | ($419,678)($419,678) | ($415,560)($415,560) | ($415,560)($415,560) | ($1,254,917)($1,254,917) | ($1,041,299)($1,041,299) |
Total benefits | $0 $0 | $2,183,233 $2,183,233 | $2,203,251 $2,203,251 | $2,237,104 $2,237,104 | $6,623,588 $6,623,588 | $5,486,395 $5,486,395 |
Net benefits | ($4,118)($4,118) | $1,763,555 $1,763,555 | $1,787,691 $1,787,691 | $1,821,544 $1,821,544 | $5,368,671 $5,368,671 | $4,445,096 $4,445,096 |
ROI | 427%427% | |||||
Payback period (months) | <6<6 |
Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists vendors in communicating the value proposition of their products and services to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of IT initiatives to both senior management and other key business stakeholders.
Benefits represent the value delivered to the business by the product. The TEI methodology places equal weight on the measure of benefits and the measure of costs, allowing for a full examination of the effect of the technology on the entire organization.
Costs consider all expenses necessary to deliver the proposed value, or benefits, of the product. The cost category within TEI captures incremental costs over the existing environment for ongoing costs associated with the solution.
Flexibility represents the strategic value that can be obtained for some future additional investment building on top of the initial investment already made. Having the ability to capture that benefit has a PV that can be estimated.
Risks measure the uncertainty of benefit and cost estimates given: 1) the likelihood that estimates will meet original projections and 2) the likelihood that estimates will be tracked over time. TEI risk factors are based on “triangular distribution.”
The initial investment column contains costs incurred at “time 0” or at the beginning of Year 1 that are not discounted. All other cash flows are discounted using the discount rate at the end of the year. PV calculations are calculated for each total cost and benefit estimate. NPV calculations in the summary tables are the sum of the initial investment and the discounted cash flows in each year. Sums and present value calculations of the Total Benefits, Total Costs, and Cash Flow tables may not exactly add up, as some rounding may occur.
Role | Industry | Region | Revenue And Employees | Carbon Black Solution Configuration |
---|---|---|---|---|
Head of information security Network support services manager |
Educational system | US metropolitan district | No revenue 130,000 employees and students |
Carbon Black NGAV, Audit & Remediation, and Vulnerability Management for endpoints and workloads 200 sites 50,000 to 100,000 devices deployed |
Director of cyberdefense Cyberdefense team leader |
Financial services | Global | $800 million 2,000 employees |
Carbon Black Endpoint Enterprise 20 sites; laptops, servers, VMs 50,000 to 100,000 devices deployed |
Information security administrator | Call center services | North American regional | $65 million 500 employees (not including contractors) |
Carbon Black Endpoint Enterprise with MDR 2 data centers 3,000 devices deployed |
Cybersecurity specialist | Healthcare services | Urban US | $160 million 1,200 employees |
Carbon Black Endpoint Standard and MDR 1,200 endpoints (350 servers) |
Related Forrester Research
“New Tech: Extended Detection And Response (XDR) Providers, Q3 2021,” Forrester Research, Inc., August 2, 2021.
1 Source: Forrester Analytics Business Technographics® Security Survey, 2023.
2 Source: “Evolving Security Operations Capabilities – Insights Into The XDR Paradigm Shift” a commissioned study conducted by Forrester Consulting on behalf of VMware, December 2022.
3 Source: “Adapt Or Die: XDR Is On A Collision Course With SIEM And SOAR,” Forrester Research, Inc., April 28, 2021.
4 Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists vendors in communicating the value proposition of their products and services to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of IT initiatives to both senior management and other key business stakeholders.
5 Source: Forrester Consulting Cost Of A Cybersecurity Breach Survey, Q1 2021.
6 Source: Jeff Purrington, “The True Cost of Non-Compliance,” Saviynt, May 10, 2022.
7 Ibid.
Cookie Preferences
Accept Cookies
A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions (data inputs, website navigation), so you don’t have to re-enter data when you come back to the site or browse from one page to another.
Behavioral information collected by our web analytics vendor is used to analyze data pertaining to visitor trends, plan website enhancements, and measure overall website effectiveness. We may also use cookies or web beacons to help us offer you products, programs, or services that may be of interest to you and to deliver relevant advertising. We may use third-party advertising companies to help tailor website content to users or to serve ads on our behalf. These companies may also employ cookies and web beacons to measure advertising effectiveness.
Please accept cookies and the collection of behavioral information to receive full functionality and enhance your experience. If you decline cookies, some features of the website may not function normally.
Please see our
Privacy Policy for more information.