The Total Economic Impact™ Of Carbon Black

Cost Savings And Business Benefits Enabled By Carbon Black

A Forrester Total Economic Impact Study Commissioned By Carbon Black, December 2023

Successful cyberattacks, such as ransomware, can have a crippling impact on an organization and its customers. Extended detection and response is the evolution of endpoint detection and response, optimizing threat detection and expediting response times for security incidents. Carbon Black empowers security professionals to conduct faster investigation and remediation of incidents, avoid downtime from debilitating breaches, streamline security operations, and drive compliance and audit efficiencies.

Cyberattackers (e.g., criminal syndicates, nation-state actors, or solo hackers) deploy a variety of techniques to breach the technology ecosystems of organizations, ranging from malware to phishing to watering holes, with ransomware being one of the more debilitating breaches.

Right now, statistics pertaining to organizational security resilience are not encouraging. Data from a 2023 Forrester security survey identified two relevant trends. First, 77% of surveyed security decision-makers reported that their firm suffered at least one breach in the prior 12 months (compared to 74% in the 2022 survey and 48% to 58% who said the same in prior years). Second, survey respondents reported that the most common type of breach in the prior 12 months was an external attack specifically targeting their organization.1

icon icon

Return on investment (ROI)


icon icon

Net present value (NPV)


Reduction in risk of a large-scale data breach with Carbon Black


The complexity of today’s IT environments coupled with the rapidly changing nature of cyberthreats require security teams to evolve their security strategy. Because of this, security professionals want proactive, adaptive monitoring that enables them to employ more targeted and efficient threat response.2

Extended detection and response (XDR) is a comprehensive, effective approach to address today’s expanding cybersecurity breach challenges. Forrester defines XDR as the evolution of endpoint detection and response (EDR), which optimizes threat detection, investigation, response, and hunting in real time. XDR unifies security-relevant endpoint detections with telemetry from security and business tools, such as network analysis and visibility (NAV), email security, identity and access management (IAM), cloud security, and more on a cloud-native platform.3

Carbon Black is a cloud-native endpoint protection platform that empowers security teams to close the risk gap they face today with deeper visibility and the ability to tailor response to their unique environments. Carbon Black XDR builds on enterprise detection and response (EDR) capabilities to provide extended visibility, depth of telemetry, automated root cause analysis, and cross-tool threat hunting.

Carbon Black also delivers core endpoint and workload protection with next-generation antivirus (NGAV), host-based firewall, device control, vulnerability management, and remote audit and risk remediation for IT, compliance, and security.

Carbon Black commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by deploying Carbon Black.4 The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of Carbon Black on their organizations.

To better understand the benefits, costs, and risks associated with this investment, Forrester interviewed six representatives with experience in deploying and using Carbon Black for four organizations. In addition, Forrester surveyed 52 decision-makers with experience using Carbon Black products at their organizations (28 of whom use Carbon Black XDR with Managed Detection and Response [MDR]). For the purposes of this study, Forrester aggregated the experiences of the interviewees and survey respondents and combined the results into a single composite organization that is a US-based, global organization that generates $1.2 billion in annual revenue, serves customers globally, and employs 6,000 full-time workers.

Gross: 75% Net: 75%

MTTR reduction for investigation of security incidents by Year 3

Prior to using Carbon Black, interviewees noted their organizations struggled with the growth and complexity of cybersecurity attacks, insufficient visibility for endpoint security vulnerabilities, and a general sense of insufficient threat protection. Most interviewees also noted that investigating and remediating threats required significant effort with several of them experiencing a high number of false-positive alerts from their legacy tools.

After the investment in Carbon Black, interviewees noted their interviewees’ organizations orchestrated real-time responses to cyberattacks and executed on intelligent threat hunting. Leveraging behavior-based analytics, the interviewees’ organizations were able to conduct high-quality threat detection with speed and accuracy, while reducing the complexity of security operations.

what types of threats.svg

Key Findings

Quantified benefits. Three-year, risk-adjusted present value (PV) quantified benefits for the composite organization include:

  • Faster investigation and remediation of cybersecurity incidents enabled by a 75% reduction in mean time to resolution (MTTR). With Carbon Black, the composite organization stops threats before they become an issue. The composite’s security teams also have the information they need to quickly decide how to respond. The composite reduces its MTTR for security incidents that require further investigation by 75% at gross and net levels by Year 3 (adjusted for the effectiveness ramp of the solution). The composite organization’s productivity for incident management improves by 72.0% in Year 1, 77.3% in Year 2, and 82.5% in Year 3. Based on more efficient incident management, this benefit is valued at more than $2.2 million for the composite over three years.

For , faster investigation and remediation of cybersecurity incidents by a 75% reduction in mean time to resolution (MTTR) might total over three years.

  • Reduced downtime from a large-scale data breach driven by a 40% reduction in risk. Carbon Black detects and prevents threats by collecting deep context on the data that matters in a singular view and dynamically applying behavioral analytics to this data, uncovering patterns and indicators of potential threats. This gives the composite organization granular control and flexibility to customize policies, watch lists, remediations and other actions to close their organization’s risk gap. Due to a 40% reduction in risk of a large-scale breach, the composite organization retains $5.5 million of its revenues each year. On an operating basis, the composite organization benefits by just under $1.5 million over three years.

For , reduced downtime from a large-scale breach might total over three years.

“I believe it [Carbon Black] is an awesome product and very worth it. It gives us very good insights into what’s happening. I’m a big advocate of it at our organization.”

Cybersecurity specialist, healthcare services

  • Streamlined security operations driving nearly $1.2 million in cost savings. Carbon Black enables the composite organization to streamline security operations by consolidating multiple, overlapping toolsets to a single, cloud-based platform and reducing the requisite support and training. The composite saves 6,433 FTE hours in Year 1, 5,789 FTE hours in Year 2, and 5,354 FTE hours in Year 3 by mostly redeploying FTEs to higher-value-added work. Over three years, this benefit is valued at nearly $1.2 million.

For , streamlined security operations might total in cost savings over three years.

“The very fact that we’re not in the news can give you an idea of how well it’s [Carbon Black] working. The investment in this product has definitely borne out in keeping us out of the news, first, and also making sure that we are constantly at the forefront of cutting-edge security at all times.”

Director of cyberdefense, financial services

  • Twenty percent time savings per audit by building in consistency into operational reporting and auditing processes. With Carbon Black Audit and Remediation, the composite organization quickly queries its endpoints to provide information required for audits. Being able to provide a realistic picture of organizational compliance reduces the likelihood that the composite incurs regulatory penalties. This benefit results in cost savings of nearly $464,000 over three years.

For , savings per audit by building in consistency into operational reporting and auditing processes might total over three years.

Which of the following benefits.svg

  • Remote remediation reduced reimaging by 55%. Carbon Black enables the composite organization to remotely diagnose and resolve threats via its Live Response capabilities. Live Response provides administrators with a secure remote shell in any protected endpoint, allowing them to instantly remediate issues with confidence without requiring wasteful and inefficient reimaging. Not only does this eliminate unnecessary IT work, but it also allows end users to remain productive. The composite organization saves nearly $116,000 over three years from reduced reimaging of devices.

For , remote remediation reduced by reimaging might total over three years.

“The question should be, how much is the business worth to you? We have been able to stay on top of everything with what Carbon Black gives us. So, it’s absolutely worth it.”

Information security administrator, call center services

Unquantified benefits. Benefits that provide value for the interviewees’ organizations but are not quantified for this study include:

  • Peace of mind from improved security posture. Interviewees noted that the goal for their security operations (SecOps) teams was to ensure that their organizations were not impacted by a crippling cyberattack — ever. Interviewees emphasized how Carbon Black has helped their organizations avoid cyberattacks, thus allowing the security teams to sleep well at night.
  • Proactive capabilities. Most interviewees emphasized how the proactive features of Carbon Black — especially the behavioral analytics capabilities — enabled their organizations to potentially thwart newer and more dangerous attacks.
  • Solid postsales support. Several interviewees noted the high level of postsales support provided for the Carbon Black solution that goes above and beyond that expected for day-to-day operations.

Costs. Three-year, risk-adjusted PV costs for the composite organization include:

  • Carbon Black licensing costs. The composite organization deploys Carbon Black XDR, Core Endpoint Protection, and Managed Detection and Response (MDR). Annual subscription pricing for the composite’s 6,000 devices is $260,000, which translates into a three-year present value cost of just about $679,000.

For , Carbon Black licensing costs might total over three years.

  • Deployment and ongoing support expenses. The composite incurs two internal costs. The first is related to deploying and training for Carbon Black into Year 1. The second is for ongoing in-production usage of the platform. Based on 2.5 FTEs spending 30% of their time maintaining and upgrading the platform, the composite spends just under $130,000 annually. The combined three-year cost is just over $362,000.

For , deployment and ongoing support expenses might total over three years.

The financial analysis which is based on the interviews and survey found that a composite organization experiences benefits of $5.49 million over three years versus costs of $1.04 million, adding up to a net present value (NPV) of $4.45 million and an ROI of 427%.

might experience benefits of over three years versus costs of , adding up to an NPV of and an ROI of 0%.

“Carbon Black, with the counterpart of having the 24/7 SOC [security operation center], allows us to feel very confident that things that are coming into our environment are carefully identified and that we’ve always got a safety blanket on our network. It allows us to sleep at night and has been worth every dollar that we have spent. I don’t think you can put a price on something like that.”

Network support services manager, educational system

Key Statistics

  • icon icon

    Return on investment (ROI):

  • icon icon

    Benefits PV:

  • icon icon

    Net present value (NPV):

  • icon icon

    Payback (months):

    <6 months<6 months
  • icon icon

    Net MTTR reduction for investigating security incidents by Y3:

  • icon icon

    Reduction in risk of large-scale security breach:

  • icon icon

    Reduction in FTE hours for security incidents by Y3:

  • icon icon

    Time savings per audit for cybersecurity compliance:


Benefits (Three-Year)

Faster investigation and remediation of cybersecurity incidents Avoided downtime due to data breach Cost savings from streamlined security operations Audit compliance efficiencies Savings from reduced reimaging of devices

TEI Framework And Methodology

From the information provided in the interviews, Forrester constructed a Total Economic Impact™ framework for those organizations considering an investment Carbon Black.

The objective of the framework is to identify the cost, benefit, flexibility, and risk factors that affect the investment decision. Forrester took a multistep approach to evaluate the impact that Carbon Black can have on an organization.

Forrester Consulting conducted an online survey of 351 cybersecurity leaders at global enterprises in the US, the UK, Canada, Germany, and Australia. Survey participants included managers, directors, VPs, and C-level executives who are responsible for cybersecurity decision-making, operations, and reporting. Questions provided to the participants sought to evaluate leaders’ cybersecurity strategies and any breaches that have occurred within their organizations. Respondents opted into the survey via a third-party research panel, which fielded the survey on behalf of Forrester in November 2020.

  1. Due Diligence

    Interviewed Carbon Black stakeholders and Forrester analysts to gather data relative to Carbon Black.

  2. Interviews And Survey

    Interviewed six representatives and surveyed 52 respondents at organizations using Carbon Black to obtain data about costs, benefits, and risks.

  3. Composite Organization

    Designed a composite organization based on characteristics of the interviewees and survey respondents.

  4. Financial Model Framework

    Constructed a financial model representative of the interviews and survey using the TEI methodology and risk-adjusted the financial model based on issues and concerns of the interviewees and survey respondents.

  5. Case Study

    Employed four fundamental elements of TEI in modeling the investment impact: benefits, costs, flexibility, and risks. Given the increasing sophistication of ROI analyses related to IT investments, Forrester’s TEI methodology provides a complete picture of the total economic impact of purchase decisions. Please see Appendix A for additional information on the TEI methodology.


Readers should be aware of the following:

This study is commissioned by Carbon Black and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.

Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in Carbon Black.

Carbon Black reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.

Carbon Black provided the customer names for the interviews but did not participate in the interviews.

Consulting Team:

Erach Desai

Cookie Preferences

Accept Cookies

A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions (data inputs, website navigation), so you don’t have to re-enter data when you come back to the site or browse from one page to another.

Behavioral information collected by our web analytics vendor is used to analyze data pertaining to visitor trends, plan website enhancements, and measure overall website effectiveness. We may also use cookies or web beacons to help us offer you products, programs, or services that may be of interest to you and to deliver relevant advertising. We may use third-party advertising companies to help tailor website content to users or to serve ads on our behalf. These companies may also employ cookies and web beacons to measure advertising effectiveness.

Please accept cookies and the collection of behavioral information to receive full functionality and enhance your experience. If you decline cookies, some features of the website may not function normally.

Please see our Privacy Policy for more information.