Executive Summary

With the need to manage growing volumes of security incidents, vulnerabilities, and stakeholders, organizations are finding that even best-in-class security tools can be inefficient at response coordination. They may find that using a platform-level solution to consolidate security tooling output helps ease capacity constraints on security teams by incorporating automation and standardization across the full data set. This can streamline vulnerability and incident response workflows, while also increasing stakeholder accountability and improving riskmanagement outcomes.

ServiceNow Security Operations (ServiceNow SecOps) is a centralized platform that aggregates data from multiple security tools and applies standardized workflows to manage incidents, vulnerabilities, and related security activities. By automating routing, tracking, and escalation, it enables organizations to coordinate work across security, IT, and business stakeholders with more consistency and visibility. This reduces manual effort and supports more structured execution and oversight of security processes across the enterprise.

ServiceNow commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by deploying ServiceNow SecOps.1 The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of ServiceNow SecOps on their organizations.

259%

Return on investment (ROI)

 

$14.2M

Net present value (NPV)

 

To better understand the benefits, costs, and risks associated with this investment, Forrester interviewed five decision-makers from four organizations with experience using ServiceNow SecOps. For the purposes of this study, Forrester aggregated the experiences of the interviewees and combined the results into a single composite organization, which is a financial services organization with 50,000 employees and $30 billion in annual revenue.

Interviewees said that prior to deploying ServiceNow SecOps, their organizations relied on a mix of homegrown casemanagement tools, third-party ticketing systems, internal spreadsheets, and emaildriven coordination to manage security incidents and vulnerabilities. Because these tools each operated independently and relied on informal handoffs rather than systemenforced workflows, teams had to manually coordinate work and stitch together end-to-end processes. Workflow fragmentation also led to inconsistent ownership and heavy dependence on manual followups by individual employees. This lack of systematization ultimately resulted in delayed incident response and vulnerability mitigation, reduced visibility for leadership, difficulty scaling security operations (SecOps), lack of accountability, and inconsistent compliance practices.

The interviewees said that after deploying ServiceNow SecOps, their organizations operated in a centralized, workflowdriven environment with standardized processes, clearer ownership, and shared visibility. Key results from the investment include reduced risk from mitigating overdue vulnerabilities, automation of security ticket workflows, reduced dwell time of incidents thanks to automated ticketing and better coordination, scaling of managed IT assets without a commensurate scaling in team costs, and reduction in the number of security tools with recurring costs.

Key Findings

Quantified benefits. Three-year, risk-adjusted present value (PV) quantified benefits for the composite organization include:

  • Improved vulnerability management worth $6.4 million. The composite organization improves vulnerability management workflows to more effectively identify, prioritize, and remediate security exposures across a significantly broader asset base. By centralizing findings and automating assignment and escalation, the composite reduces overdue vulnerabilities by 60%. These improvements help teams focus remediation on the highestrisk systems, accelerating risk reduction and strengthening overall security posture.

  • Improved security incident response worth $4.6 million. The composite organization improves security incident response workflows, which reduces the time and effort required to intake, triage, and coordinate response activities across multiple teams. By automating ticket creation, routing, and escalation processes, it eliminates manual steps that previously took 24 minutes per alert and replaces them with nearinstant execution. Security analysts spend more time on investigation and response rather than coordination, which results in faster response cycles and lower operational costs.

  • Avoided cost of asset management worth $1.8 million. The composite organization avoids asset management-related costs by scaling security operations to support a growing asset base without a corresponding increase in headcount. By centralizing vulnerability data across assets and automating workflows, it reduces manual effort for asset tracking, ownership assignment, and coordination. This allows the organization to manage a larger, more complex environment more efficiently, avoiding incremental labor and operating costs equal to 25% of the baseline value.

  • Avoided cost of decommissioned tools valued at $1.4 million. The composite organization reduces reliance on standalone tracking and case management tools by consolidating asset and vulnerability data into a centralized system. This lowers the costs of maintaining, extending, and integrating those tools. Over time, the composite decommissions four tools, each with an average annual avoided cost of $226,250.

Unquantified benefits. Benefits that provide value for the composite organization but are not quantified for this study include:

  • Organizational alignment and crossteam cooperation. The composite organization improves alignment across security, IT, and business stakeholders by increasing visibility into risk, remediation progress, and ownership. This supports broader participation in prioritization and stronger accountability without increasing direct involvement in daytoday remediation activities.

  • Improved decisionmaking. The composite organization improves decisionmaking by consolidating security data, workflows, and status information into a single platform, providing more timely, consistent, and trusted insight for prioritization, response, and risk-management decisions.

  • Familiarity with ServiceNow. The composite organization benefits from preexisting staff familiarity with the ServiceNow platform, which reduces friction around adoption, accelerates alignment of security workflows, and enables faster integration of security use cases into existing enterprise processes on the platform.

Costs. Three-year, risk-adjusted PV costs for the composite organization include:

  • ServiceNow fees valued at $3 million. The composite organization incurs ongoing licensing and professional services costs to deploy and operate ServiceNow SecOps, with spending increasing as the platform expands across additional security use cases and becomes more central to operations. These costs include subscriptions tied to users, assets, or devices, as well as consulting support for implementation, integration, workflow configuration, and ongoing platform optimization. These expenditures are a standard part of operating a centralized, enterprise-scale security platform.

  • Internal labor costs valued at $935,000. The composite organization incurs labor costs to implement, manage, and scale ServiceNow SecOps. Ongoing effort includes maintaining integrations, refining workflows, and supporting platform expansion across additional security domains as adoption increases. The organization also devotes time to user enablement and onboarding, with a more intensive initial phase followed by a nominal ongoing impact on operational costs.

The financial analysis based on the interviews found that a composite organization experiences benefits of $14.2 million over three years versus costs of $4 million, adding up to a net present value (NPV) of $10.3 million and an ROI of 259%.

“It’s not just about the metric improvement; it’s about being able to measure the process accurately at all. We had no automation before. Hours’ worth of work is now done instantaneously. It’s night and day — infinite cost savings if that were even possible.”

Incident response lead, public sector

Key Statistics

259%

Return on investment (ROI) 

$14.2 million

Benefits PV 

$10.3 million

Net Present Value 

<6 months

Payback 

Benefits (Three-Year)

[CHART DIV CONTAINER]
Improved vulnerability management Improved security incident response Avoided cost of asset management Avoided cost of decommissioned tools

The ServiceNow Security Operations Customer Journey

Drivers leading to the ServiceNow SecOps investment

Interviews

Role Industry Region Employees
Cybersecurity process manager
Agile product owner		 Banking EMEA 17,000
Incident response lead Public sector North America 80,000
Head of vulnerability management Financial services North America 100,000
Senior director of cybersecurity Manufacturing Global 300,000

Key Challenges

Interviewees said that before adopting ServiceNow SecOps, their organizations used a mix of homegrown solutions, opensource tools, spreadsheets, email, and bespoke workflows for operating security incident response and vulnerability management processes. These approaches evolved organically over time and varied across teams, resulting in fragmented visibility, manual coordination, and limited ability to scale or demonstrate control. Security teams spent significant effort managing processes and explaining status to stakeholders rather than focusing on remediation and response.

Interviewees noted how their organizations struggled with common challenges, including:

  • Lack of accountability. Interviewees said ownership of incidents and vulnerabilities was often unclear before ServiceNow SecOps. Work moved between teams through emails or informal handoffs, making it difficult to determine responsible parties with accuracy. The lack of clear ownership contributed to delays, overdue vulnerabilities, and difficulty demonstrating accountability to leaders, auditors, and regulators. The head of vulnerability management at a financial services firm said: “We didn’t always know who owned something or whether anyone was working on it. Things would just sit there, and you’d have to chase people to find out what was going on.”

  • Employee-orchestrated workstreams. Prior processes heavily depended on individuals to manually coordinate tasks, address routing issues, and follow up with other teams. Interviewees said analysts spent time creating tickets, sending emails, tracking responses, and reminding stakeholders to act. Progress frequently stalled when individuals were unavailable, and continuity suffered when staff members changed roles or left the organization. An incident response lead from the public sector said: “An analyst would have to manually create the ticket, route it, and then follow up. A lot of the process depended on people remembering to do the next step.”

  • Bespoke and siloed systems. Interviewees reported relying on custombuilt tools, opensource platforms, or disconnected point solutions for incident and vulnerability tracking. These systems required ongoing maintenance and manual data reconciliation, and they did not integrate well across security and IT teams. As a result, reporting was laborintensive, audit narratives were difficult to defend, and scaling security operations required adding complexity rather than reducing it. The senior director of cybersecurity from a manufacturing organization said: “We were using an opensource ticketing system before, and it took a lot of effort to support it. Reporting was manual, and it didn’t really scale.”

Solution Requirements

The interviewees searched for a solution that could:

  • Replace spreadsheets, email, third-party tools, and bespoke systems with a centralized system of record for security operations.

  • Provide consistent visibility into status, ownership, and progress without relying on manual reconciliation.

  • Integrate with existing security and IT tooling while minimizing custom development and reliance on fragile scripts.

  • Align security workflows with how IT and operations teams already work to improve follow-through, accountability, and cross-team coordination without the need to learn a new platform.

“Before ServiceNow [SecOps], everything was fragmented. We had different tools, a lot of manual work, and no single place you could go to understand what was happening end-to-end.”

Senior director of cybersecurity, manufacturing

Composite Organization

Based on the interviews, Forrester constructed a TEI framework, a composite company, and an ROI analysis that illustrates the areas financially affected. The composite organization is representative of the interviewees’ organizations, and it is used to present the aggregate financial analysis in the next section. The composite organization has the following characteristics:

  • Description of composite. The composite organization is a large, complex enterprise with approximately 50,000 employees and $30 billion in annual revenue. It operates across financial services, the public sector, and banking. Prior to adopting ServiceNow SecOps, the organization maintained a mediumtohigh level of security maturity, with an established security operations center (SOC), vulnerability management, and incident response functions already in place. It already used ServiceNow IT Service Management (ServiceNow ITSM) as its core enterprise service platform. But SecOps relied on a combination of homegrown casemanagement tools, opensource ticketing systems, filebased tracking, manual spreadsheet reporting, and emaildriven coordination. These approaches created operational inefficiencies, audit and compliance risk, a large number of high-risk vulnerabilities that remained open due to ownership and workflow breakdowns, data quality challenges, and limitations in scaling security operations across the enterprise.

  • Deployment characteristics. The composite organization implements ServiceNow SecOps as a central security operations platform, positioned as a system of record and orchestration layer aggregating data from multiple upstream security tools. The deployment supports incident response (SOC), vulnerability response, application security, configuration and compliance tracking, and reporting, dashboards, and executive visibility. The organization integrates ServiceNow SecOps with approximately 15 upstream security tools, including SIEM, EDR/XDR, vulnerability scanners, cloud security tools, and application security tools, using a mix of outofthebox and custom integrations. The platform serves as the central system for normalizing findings, managing workflows, and reporting across security domains.
    Core usage initially centers on approximately 50 SecOps practitioners, spanning roles such as incident response analysts, vulnerability management analysts, threat intelligence analysts, SecOps analysts, and detection and response engineers. Over time, access expands to thousands of stakeholders (e.g., IT infrastructure owners, application owners, engineering leaders, enterprise risk leaders, business operations leaders, finance leaders). ServiceNow SecOps is used as the central interface for routing, tracking, and reporting security work across the organization.

Composite Organization Assumptions

Ref. Metric Source Initial Year 1 Year 2 Year 3
R1 Revenue Composite $30,000,000,000 $30,000,000,000 $30,000,000,000 $30,000,000,000
R2 Employees Composite 50,000 50,000 50,000 50,000
R3 SecOps professionals Composite 150 150 150 150
R4 SecOps professionals focused on vulnerability management Composite 20 20 20 20
R5 SecOps professionals focused on incident response Composite 30 30 30 30
R6 IT professionals who assist with hardware asset management Composite 20 20 20 20
R7 Fully burdened annual rate for a vulnerability management or IT professional Composite $130,000 $130,000 $130,000 $130,000
R8 Fully burdened annual rate for a Tier 1 SOC analyst Composite $105,000 $105,000 $105,000 $105,000
R9 Fully burdened annual rate for a Tier 2 SOC analyst Composite $130,000 $130,000 $130,000 $130,000
R10 Managed assets Composite 80,000 80,000 92,000 105,800
R11 Vulnerabilities per asset Composite 3.75 3.75 3.75 3.75
R12 Total vulnerability population Composite 300,000 300,000 345,000 396,750
R13 High-risk vulnerabilities Composite 90,000 90,000 103,500 119,025
R14 Vulnerabilities that affect reachable assets Composite 13,500 13,500 15,525 17,854
R15 Daily security alerts Composite 3,000 3,000 3,000 3,000
R16 Daily security alerts that result in a ticket Composite 625 625 625 625
R17 Cost of a security incident Composite $100,000 $100,000 $100,000 $100,000
R18 Security breaches Composite 2.3 2.3 2.3 2.3
R19 Cost of a security breach Composite $1,700,000 $1,700,000 $1,700,000 $1,700,000

Analysis Of Benefits

Quantified benefit data as applied to the composite

Total Benefits

Ref. Benefit Year 1 Year 2 Year 3 Total Present Value
Atr Improved vulnerability response $1,134,000 $2,608,200 $4,284,900 $8,027,100 $6,405,755
Btr Improved security incident response $976,410 $1,952,820 $2,789,742 $5,718,972 $4,597,521
Ctr Avoided cost of asset management $386,750 $773,500 $1,105,000 $2,265,250 $1,821,050
Dtr Avoided cost of decommissioned tools $384,625 $576,938 $769,250 $1,730,813 $1,404,416
  Total benefits (risk-adjusted) $2,881,785 $5,911,457 $8,948,892 $17,742,134 $14,228,742

Improved Vulnerability Response

Evidence and data. The interviewees reported that adopting ServiceNow SecOps materially improved vulnerability response by centralizing vulnerability intake, standardizing workflows, and automating prioritization and tracking across the full remediation lifecycle. Prior to using ServiceNow SecOps, the organizations relied on fragmented, homegrown, or manual processes that interviewees said made it difficult to consistently assign ownership, track aging vulnerabilities, and demonstrate accountability. After implementation, vulnerability data from multiple sources was aggregated into a single system of record, with standardized prioritization and followthrough.

The head of vulnerability management at the financial services firm stated that consolidating vulnerability workflows into ServiceNow SecOps enabled their team to focus remediation efforts on the highestrisk systems. By improving visibility and accountability, the organization reduced overdue high-risk vulnerabilities by 60% to 70%. The interviewee attributed this improvement to normalized risk scoring, automated assignment, and escalation workflows that ensured vulnerabilities did not languish unattended.

ServiceNow SecOps also eliminated manual handoffs and delays, which reduced the time required to identify and remediate vulnerabilities. Interviewees said workflows previously relied on email chains and ad hoc coordination that often took hours or days before remediation even began. But they said ServiceNow SecOps replaced that effort with automated case creation, prioritization, and notification. In several instances, activities that previously required analyst intervention were reduced to automated actions that occur immediately upon vulnerability detection.

Interviewees also explained that having improved metrics, dashboards, and SLA tracking further accelerated remediation by making delays visible. Teams gained the ability to identify where vulnerabilities are stalled, understand which groups are responsible, and escalate issues proactively rather than reactively. Interviewees emphasized that being able to measure vulnerability aging consistently was a key enabler for driving behavioral change and improving outcomes across their organizations.

Modeling and assumptions. For the composite organization, Forrester assumes:

  • The composite discovers 300,000 vulnerabilities in Year 1, with volume growing at 15% annually.

  • The model does not assume a cumulative reduction of vulnerability backlog across years. Instead, it reflects a steady-state level of vulnerability discovery and overdue exposure, consistent with large enterprise environments where new vulnerabilities are continuously introduced.

  • The composite considers 30% of discovered vulnerabilities to be high risk, and 50% of these remain unmitigated after 30 days (“overdue”). The remaining unmitigated vulnerabilities are primarily due to ownership gaps, unclear accountability, and manual routing between security teams and stakeholders. These challenges persist due to limited workflow automation and ownership enforcement.

  • ServiceNow SecOps reduces the composite’s overdue high-risk vulnerabilities by 60%. This reflects changes to ownership assignment, automatic routing, and SLA tracking rather than automated patching.

  • With 10% of these vulnerabilities considered reachable, 6% of these considered exploitable, and a 25% probability of an exploited vulnerability becoming an incident, the average rate at which overdue high-risk vulnerabilities result in a loss is 0.15%.

  • The average cost of a security incident is $100,000.

Risks. The improvement to vulnerability response may vary with:

  • The number of overdue high-risk vulnerabilities experienced during any given year.

  • The probability that such vulnerabilities result in a security incident.

  • The average cost of a security incident.

Results. To account for these risks, Forrester adjusted this benefit downward by 20%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $6.4 million.

60%

Reduction in overdue high-risk vulnerabilities

“Aggregating vulnerability alerts into ServiceNow [SecOps] allows us to normalize risk scoring across our stack, track the exact issues that exist, identify what needs to be done to fix them, and know exactly who is responsible for applying that fix.”

Head of vulnerability management, financial services

Improved Vulnerability Response

Ref. Metric Source Year 1 Year 2 Year 3
A1 Total vulnerability population Composite 300,000 345,000 396,750
A2 Percentage of high-risk vulnerabilities Composite 30% 30% 30%
A3 Percentage of high-risk overdue vulnerabilities Composite 50% 50% 50%
A4 Percentage of high-risk overdue vulnerabilities mitigated by ServiceNow SecOps Interviews 60% 60% 60%
A5 Percentage of reachable vulnerabilities Composite 10% 10% 10%
A6 Percentage of exploited vulnerabilities Composite 6% 6% 6%
A7 Probability that vulnerability becomes an incident Composite 25% 25% 25%
A8 Cost per security incident Composite $100,000 $100,000 $100,000
A9 Percent benefit achieved Composite 35% 70% 100%
At Improved vulnerability management A1*A2*A3*A4*A5*A6*A7*A8*A9 $1,417,500 $3,260,250 $5,356,125
  Risk adjustment ↓20%      
Atr Improved vulnerability management (risk-adjusted)   $1,134,000 $2,608,200 $4,284,900
Three-year total: $8,027,100 Three-year present value: $6,405,755

Improved Security Incident Response

Evidence and data. The interviewees reported that implementing ServiceNow SecOps significantly improved security incident response capabilities by reducing false positives, accelerating alert triage, improving identification and routing, and decreasing overall mean time to remediation (MTTR). They said that prior to using ServiceNow SecOps, security incident response relied heavily on manual processes, fragmented tools, and emailbased context clarification, which slowed response times and increased analyst workload. After implementation, security incidents were automatically ingested, enriched, prioritized, and routed through standardized workflows, enabling faster and more consistent response.

Several interviewees described improvements in alert triage and reduction of manual effort thanks to higherfidelity alerts. The incident response lead from the public sector explained that analysts at their organization previously had to manually create and route tickets for alerts, which took 20 to 30 minutes per alert. But they said with ServiceNow SecOps, highfidelity alerts automatically generate and route tickets, allowing analysts to focus on investigation rather than administration. The same interviewee emphasized that while the total volume of alerts is influenced by upstream detection tools, using ServiceNow SecOps dramatically improved how quickly alerts could be triaged and acted upon once generated.

Interviewees also noted that streamlining investigation and decision-making reduced the impact of false positives. Automated enrichment, standardized workflows, and visible case histories helped analysts more quickly determine whether alerts represented true security incidents or could be safely closed without further investigation. As a result, analysts spent less time chasing lowvalue alerts and more time on legitimate threats, which improved overall efficiency even when alert volumes remained steady.

Interviewees also said ServiceNow SecOps improved identification and routing of security incidents by replacing ad hoc communication with automated, rulesbased workflows. They explained that incidents previously routed through manual email chains or informal handoffs are now automatically assigned to the correct response teams based on incident type, severity, and impacted assets. Several interviewees said that once an incident reaches a defined stage, ServiceNow automatically triggers task assignment, approval requests, or escalation to ensure incidents do not stall due to unclear ownership.

These workflow improvements directly contributed to reductions in MTTR. Interviewees consistently reported that incidents that previously took hours or longer to progress through identification and coordination now advance immediately through automated routing and response steps. Improved metrics, dashboards, and SLA tracking enabled teams to identify bottlenecks and continuously refine their incident response processes. Visibility into how long incidents spent in each stage made it easier to spot delays, follow up with responsible teams, and adjust workflows to improve performance over time. Interviewees emphasized that simply being able to measure response stages consistently was a critical enabler of ongoing improvements to incident response effectiveness.

Finally, interviewees also said that automation within ServiceNow SecOps allowed security teams to redirect analyst effort toward highervalue work. By eliminating manual ticket creation, routing, and status tracking, analysts gained the ability to focus on investigation, containment, and remediation activities. Interviewees noted this shift not only improved response times but also enhanced analyst effectiveness and reduced operational friction across the broader security operations function.

Modeling and assumptions. For the composite organization, Forrester assumes:

  • The composite has 3,000 security alerts daily.

  • Of these alerts, 625 become tickets.

  • ServiceNow SecOps reduces the organization’s manual ticketing by 95% (from 30 minutes to 6 minutes per ticketed alert).

  • The average fully burdened hourly rate for a Tier 1 SOC analyst is $50.

  • The composite’s productivity recapture rate is 75%.

  • The composite’s average exposure window per breach is 48 hours.

  • ServiceNow SecOps reduces this window by 0.83% (24 minutes) per breach.

  • The average cost of a breach for the composite is $1.7 million. This includes the direct costs of remediating and hardening against a similar attack vector, the costs of notifying customers, and the costs of regulatory penalties and legal fees.

  • For simplicity, Forrester assumes there is a linear relationship between the composite’s dwell time and incident costs. This approach does not reflect potential variations in impact based on response timing.

Risks. The improvement to security incident response may vary with:

  • The number of security alerts.

  • The number of tickets produced from these alerts.

  • The average fully burdened hourly rate for a Tier 1 SOC analyst.

  • The percentage of productivity recaptured.

  • The number of breaches experienced annually.

  • The dwell time of incidents resulting in a breach.

Results. To account for these risks, Forrester adjusted this benefit downward by 20%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $4.6 million.

95%

Reduction in ticket-handling time

“With ServiceNow SecOps, an alert goes off, a ticket’s created, and it’s routed. It’s already halfway through the process right after the alert has come in.”

Incident response lead, public sector

Improved Security Incident Response

Ref. Metric Source Year 1 Year 2 Year 3
B1 Security alerts R15*365 days 1,095,000 1,095,000 1,095,000
B2 Security alerts that result in a ticket R16*365 days 228,125 228,125 228,125
B3 Time saved per ticket with ServiceNow SecOps (hours) Interviews 0.4 0.4 0.4
B4 Fully burdened hourly rate for a Tier 1 SOC analyst R8/2,080 hours $50.48 $50.48 $50.48
B5 Productivity recapture rate TEI methodology 75% 75% 75%
B6 Subtotal: Labor savings from improved capacity B2*B3*B4*B5 $3,454,725 $3,454,725 $3,454,725
B7 Exposure time per breach (hours) Composite 48 48 48
B8 Reduction in breach exposure window B3/B7 0.83% 0.83% 0.83%
B9 Cost of a security breach R19 $1,700,000 $1,700,000 $1,700,000
B10 Subtotal: Avoided breach-related at-risk loss from automation R18*B8*B9 $32,453 $32,453 $32,453
B11 Percentage benefit achieved Composite 35% 70% 100%
Bt Improved security incident response (B6+B10)*B11 $1,220,512 $2,441,025 $3,487,178
  Risk adjustment ↓20%      
Btr Improved security incident response (risk-adjusted)   $976,410 $1,952,820 $2,789,742
Three-year total: $5,718,972 Three-year present value: $4,597,521

Avoided Cost Of Asset Management

Evidence and data. Interviewees reported that ServiceNow SecOps enabled their organizations to manage a growing population of corporate assets, such as employee machines, servers, and cloud workloads, without a proportional increase in asset management headcount, helping them avoid significant operational costs. Interviewees consistently emphasized the value was not derived from reducing assets or security scope, but from more efficient scaling of security operations to keep pace with unrelenting growth in corporate assets without additional headcount.

Several interviewees described rapid growth in assets under security management due to increased infrastructure, cloud adoption, and containerization. The head of vulnerability management from the financial services organization explained that after centralizing vulnerability and asset data in ServiceNow SecOps, the organization expanded the number of assets actively tracked and governed by approximately 50% without adding dedicated vulnerability management staff. The interviewee attributed this outcome to automated ingestion, standardized workflows, and centralized tracking that eliminated the need for manual asset reconciliation and followup.

Similarly, the senior director of cybersecurity from the manufacturing firm noted that ServiceNow SecOps enabled consolidation of assetrelated security activities — spanning vulnerability management, incident response, application security, and infrastructure security — onto a single platform. By using one system of record tied to asset ownership and context, security teams avoided duplicative effort across tools and teams, reducing the operational burden typically associated with asset growth.

The incident response lead from the public sector shared that automation allowed their organization to process security events tied to a large and growing asset base without meaningfully increasing analyst workload. Automated ticket creation, routing, and task assignment meant that analysts no longer had to manually identify impacted systems, determine ownership, or coordinate remediation steps. As a result, the organization gained the ability to absorb additional assets and alerts while keeping staff levels largely stable, redirecting analyst effort to highervalue investigation and response activities.

Interviewees also highlighted that improving asset visibility indirectly reduced costs by preventing inefficiencies associated with incomplete or inaccurate asset data. With ServiceNow acting as a centralized hub, asset context (e.g., system criticality, network exposure, ownership) became consistently available during both vulnerability response and incident response. The senior director of cybersecurity from the manufacturing organization emphasized this normalization reduced the time needed to reconcile disparate asset inventories, which is a task that previously required manual effort across multiple teams as environments scaled.

Finally, interviewees noted that ServiceNow SecOps reduced reliance on external services and specialized labor to manage asset growth. They explained that by standardizing processes and enabling internal teams to operate the platform, their organizations avoided the need to continuously add contractors or specialized staff as asset counts increased. The head of vulnerability management at a financial services organization said that while their company’s overall technology environments continued to expand, using ServiceNow SecOps allowed it to “hold the line” on operational staffing by making assetrelated security work more repeatable, transparent, and automated.

Overall, interviewees said ServiceNow SecOps helped their organizations avoid assetmanagement cost growth by decoupling asset expansion from headcount growth, which enabled security teams to manage larger, more complex environments with existing resources while maintaining or improving security outcomes.

Modeling and assumptions. For the composite organization, Forrester assumes:

  • The composite has 20 vulnerability professionals and 20 IT professionals manage its assets on a regular basis.

  • With ServiceNow SecOps, the composite’s number of managed assets increases 50% without the need to increase resources.

  • The average fully burdened annual rate for a vulnerability management professional is $130,000.

  • Each professional is able to recover 50% of their productivity via the efficiency gains of ServiceNow SecOps, equating to a net productivity improvement of 25% related to asset-based vulnerability management.

Risks. The value of avoiding asset management costs will vary with:

  • The current capacity constraints of vulnerability management teams, as reflected by their degree of overallocation.

  • The average fully burdened rate for vulnerability management professionals.

  • The rate at which the organization deploys ServiceNow SecOps.

Results. To account for these risks, Forrester adjusted this benefit downward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.8 million.

25%

Net productivity improvement of asset management teams

“We’ve continued to grow the environment — more assets, more data, more integrations — but we haven’t had to add the same number of people, because the platform standardizes and automates how we handle that scale.”

Senior director of cybersecurity, manufacturing

Avoided Cost Of Asset Management

Ref. Metric Source Year 1 Year 2 Year 3
C1 Total vulnerability management and IT professionals who support asset management R4+R6 40 40 40
C2 Growth in assets without growth in headcount Interviews 50% 50% 50%
C3 Fully burdened annual rate for a vulnerability management or IT professional R7 $130,000 $130,000 $130,000
C4 Productivity recapture rate Composite 50% 50% 50%
C5 Percent benefit achieved A9 35% 70% 100%
Ct Avoided cost of asset management C1*C2*C3*C4*C5 $455,000 $910,000 $1,300,000
  Risk adjustment ↓15%      
Ctr Avoided cost of asset management (risk-adjusted)   $386,750 $773,500 $1,105,000
Three-year total: $2,265,250 Three-year present value: $1,821,050

Avoided Cost Of Decommissioned Tools

Evidence and data. Interviewees reported that deploying ServiceNow SecOps enabled their organizations to decommission multiple legacy security tools and homegrown systems, reducing tool sprawl and avoiding ongoing costs associated with maintaining fragmented security technology stacks. They said that prior to using ServiceNow SecOps, their organizations’ environments were characterized by bespoke tools, opensource platforms, and siloed systems that required significant manual effort, specialized support, and duplicative workflows. After migrating to ServiceNow SecOps, the organizations retired systems, centralized incident response and vulnerability management, and reduced operational complexity and reliance on external support.

The head of vulnerability management from the financial services firm explained that ServiceNow SecOps replaced three to four internally built or bespoke tools that had been used for vulnerability tracking, reporting, and lifecycle management. These tools required constant maintenance, manual reconciliation of data, and ad hoc reporting. By consolidating these capabilities into ServiceNow SecOps, the organization eliminated the need to sustain parallel systems and significantly reduced the effort required to manage and maintain its overall tooling environment.

Interviewees emphasized that tool decommissioning also reduced indirect costs, including time spent on manual data aggregation, crosstool reconciliation, and report generation. Several said that prior to using ServiceNow SecOps, their organization depended on spreadsheets or exported data from multiple tools to produce reports for auditors, executives, and operational teams. After consolidation, reporting was handled through centralized dashboards and standardized workflows, allowing teams to retire reporting tools and manual processes previously required to bridge gaps between systems.

The incident response lead from the public sector described a similar consolidation pattern, noting that ServiceNow SecOps replaced the fragmented ticketing and coordination mechanisms their organization evolved over time. By using ServiceNow SecOps as the primary system for security incidents, the organization reduced its dependence on homegrown workflows and manual coordination methods, avoiding the ongoing costs of sustaining and updating custom solutions.

Across interviewees, tool rationalization emerged as a key contributor to cost avoidance. Rather than layering ServiceNow SecOps on top of an already complex tool ecosystem, interviewees said their organizations consciously used it as a system of record that allowed them to retire older tools and bespoke solutions. This consolidation reduced licensing overlap, support contracts, and internal maintenance burden while simplifying SecOps and improving consistency across teams.

Modeling and assumptions. For the composite organization, Forrester assumes:

  • The composite decommissions two tools in Year 1, and one additional tool each following year for a total of 4 decommissioned tools by Year 3.

  • Each tool requires an average of $200,000 in annual recurring fees.

  • Each tool requires the labor of 0.25 FTEs.

  • The average fully burdened annual rate for an FTE who manages a tool is $105,000.

Risks. The value of decommissioning legacy tooling may vary with:

  • The number of decommissioned tools.

  • The ongoing costs of decommissioned tools, including subscription fees, licensing payments, service and maintenance fees, or other ongoing costs (e.g., paid integrations, add-ons).

  • The ongoing internal labor required to maintain tools and whether such support is provided by employees or external parties.

Results. To account for these risks, Forrester adjusted this benefit downward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.4 million.

“We’ve standardized on one platform and reduced the number of vendors we use for threat intelligence, vulnerability management, application security, incident response, and cyber resilience.”

Senior director of cybersecurity, manufacturing

Avoided Cost Of Decommissioned Tools

Ref. Metric Source Year 1 Year 2 Year 3
D1 Cumulative tools decommissioned Composite 2 3 4
D2 Average recurring costs per tool Composite $200,000 $200,000 $200,000
D3 FTEs required to manage each tool Composite 0.25 0.25 0.25
D4 Fully burdened annual rate per tool manager R8 $105,000 $105,000 $105,000
Dt Avoided cost of decommissioned tools D1*(D2+D3*D4) $452,500 $678,750 $905,000
  Risk adjustment ↓15%      
Dtr Avoided cost of decommissioned tools (risk-adjusted)   $384,625 $576,938 $769,250
Three-year total: $1,730,813 Three-year present value: $1,404,416

Unquantified Benefits

Interviewees mentioned the following additional benefits that their organizations experienced but were not able to quantify:

  • Organizational alignment and crossteam cooperation. Interviewees said ServiceNow SecOps expanded stakeholder involvement in vulnerability management and incident response by making security risk, remediation progress, and ownership visible and understandable to a broader set of senior and nonsecurity leaders, enabling more informed prioritization and accountability discussions without requiring those stakeholders to participate directly in remediation work. The head of vulnerability management from the financial services firm said: “What this really gave us was the ability to show leadership where we stood. Instead of pulling reports together manually, we could show them in real time what our exposure looked like, what was overdue, and where the risk was.” The incident response lead from the public sector shared: “From an incident perspective, leadership can see what’s going on without us having to stop and explain it. They can see the status, what’s been done, and what’s outstanding.”

  • Improved decision-making. Interviewees reported that by centralizing security data, workflows, and status information into a single platform, their organizations gained the ability to offer more timely, consistent, and trusted information to security leaders, operational teams, and executives when making prioritization and response decisions. The senior director of cybersecurity from the manufacturing firm said, “We went from pulling data out of different tools and trying to reconcile it in spreadsheets to having a single place where leadership could see what was happening and make decisions off of live data.” The head of vulnerability management from the financial services organization stated, “Once everything was brought into one place and normalized, it made it much easier to have conversations about what actually mattered most and where we needed to focus.”

  • Familiarity with ServiceNow. Interviewees said that having prior familiarity with ServiceNow represented a meaningful benefit during the adoption of ServiceNow SecOps. Several from organizations already using ServiceNow ITSM or related workflows before deploying ServiceNow SecOps said this reduced friction associated with platform adoption and enabled faster organizational alignment around security use cases. The senior director from the manufacturing organization said: “ServiceNow was already the enterprise platform. We already had [ServiceNow] ITSM, we already had the governance, and we already had the integrations in place. So, extending it into security made sense for us.” The incident response lead from the public sector shared: “We didn’t have to introduce something completely different. People already knew how ServiceNow worked from the IT side, so we weren’t starting from zero.”

“Before, we were spending a lot of time just trying to explain what the data meant. Now, people can look at the same information we’re looking at, and the conversation starts in a much better place.”

Head of vulnerability management, financial services

Flexibility

The value of flexibility is unique to each customer. There are multiple scenarios in which a customer might implement ServiceNow SecOps and later realize additional uses and business opportunities, including:

  • Future automation and AI readiness. Interviewees indicated that implementing ServiceNow SecOps better prepared their organizations for future automation and AIdriven capabilities by establishing standardized workflows, structured records, and centralized security data. The incident response lead from the public sector explained that having consistent records and automated workflows in place enabled their organization to begin layering AI capabilities on top of existing processes rather than reworking them. They said, “Once everything is automated and tracked, you can start thinking about what else you can layer on top of it.” Interviewees noted that future automation, orchestration, and AIassisted analysis could be adopted incrementally as those capabilities mature, without requiring fundamental changes to their security operations model.

  • Vendor and architecture optionality. Interviewees indicated that implementing ServiceNow SecOps increased vendor and architecture optionality by decoupling security workflows from individual point solutions. Rather than tying incident response or vulnerability management processes to specific scanning, detection, or analysis tools, their organizations used ServiceNow SecOps as a centralized system of record that could ingest, normalize, and route data from multiple sources. The head of vulnerability management from the financial services organization said, “We’re able to take different inputs — different tools, different processes — bring it all in, track the lifecycle, and then route it back out to whoever needs to fix it.” Interviewees viewed this flexibility as an important architectural benefit, explaining that ServiceNow SecOps allowed them to preserve optionality as technologies, vendors, and security priorities change, without disrupting established workflows or retraining the organization around new systems.

  • Policy, governance, and audit adaptability. Interviewees indicated that implementing ServiceNow SecOps improved their organization’s ability to adapt to evolving policy, governance, and audit requirements by providing standardized records, traceability, and systemenforced processes. Rather than relying on bespoke or open source tools that require manual explanation and justification during audits, interviewees described ServiceNow SecOps as providing an enterprisegrade system of record that simplified compliance narratives as requirements change. The head of vulnerability management from the financial services organization explained that moving away from homegrown systems fundamentally changed how their company audits and handles regulatory reviews: “When our auditors or regulators come in, it’s a very different conversation. It’s much easier to explain how things work when you’re using builtin integrations instead of a custom solution you have to defend.”

Flexibility would also be quantified when evaluated as part of a specific project (described in more detail in Total Economic Impact Approach).

“My main goal was to get off our prior rinkydink software and get to something that’s more suitable for an enterprise.”

Senior director of cybersecurity, manufacturing

Analysis Of Costs

Quantified cost data as applied to the composite

Total Costs

Ref. Cost Initial Year 1 Year 2 Year 3 Total Present Value
Etr ServiceNow fees $220,000 $649,000 $1,188,000 $1,650,000 $3,707,000 $3,031,488
Ftr Cost of deployment and ongoing management $610,650 $73,715 $134,090 $194,465 $1,012,920 $934,586
  Total costs (risk-adjusted) $830,650 $722,715 $1,322,090 $1,844,465 $4,719,920 $3,966,074

ServiceNow Fees

Evidence and data. Interviewees reported that deploying and operating ServiceNow SecOps involves ongoing licensing fees as well as professional services costs associated with implementation, configuration, and continued optimization. These costs vary based on the scale of deployment, the number of modules in use, and the level of internal ServiceNow expertise available within the organization.

Several interviewees described how their organization’s investment in ServiceNow SecOps scaled as the platform became more central to operations. The senior director of cybersecurity from the manufacturing industry explained that their organization’s investment in ServiceNow SecOps began with incident response and expanded to include vulnerability response, threat intelligence, and cyber resilience. At the time of the interview, the organization’s annual licensing costs reflected approximately half a million devices covered for vulnerability response and nearly as many unrestricted user licenses.

Interviewees noted their organizations’ use of professional services and consulting support from ServiceNow to implement and operate ServiceNow SecOps. They used these services for initial deployment, integration with upstream security tools, workflow configuration, and platform upgrades. The head of vulnerability management from the financial services firm shared: “Our one-time implementation costs ended up equating to our annual spend on the platform once all was said and done. If we had a stronger internal ServiceNow development team, these would have definitely been lower.”

Interviewees described licensing and professional services costs as expected components of deploying ServiceNow SecOps at scale, and they consistently framed these costs in the context of operating a centralized, enterprisewide security operations platform as compared to onboarding a single-use-case tool.

Modeling and assumptions. For the composite organization, Forrester assumes:

  • During the initial period, the composite pays $200,000 in professional services fees related to implementation and deployment of ServiceNow SecOps. It pays $100,000 annually thereafter, related to solution deployment, integration of third-party tools, workflow configuration, and ongoing upgrades.

  • The composite pays $490,000 in ServiceNow SecOps licensing fees in Year 1. This increases to $1.5 million in Year 3. Licensing fees are charged on a monthly basis per user.

Risks. ServiceNow fees will vary with:

  • The breadth of the initial scope.

  • Any additional scope added to the project over time.

  • The number of devices covered for vulnerability management.

  • The number of seats required for incident response.

Results. To account for these risks, Forrester adjusted this cost upward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $3 million.

“The services team worked with us from the beginning, and we were able to hit the ground running, get things automated, and build on it from there.”

Incident response lead, public sector

ServiceNow Fees

Ref. Metric Source Initial Year 1 Year 2 Year 3
E1 ServiceNow professional services ServiceNow $200,000 $100,000 $100,000 $100,000
E2 ServiceNow SecOps licensing fees ServiceNow $0 $490,000 $980,000 $1,400,000
Et ServiceNow fees E1+E2 $200,000 $590,000 $1,080,000 $1,500,000
  Risk adjustment ↑10%        
Etr ServiceNow fees (risk-adjusted)   $220,000 $649,000 $1,188,000 $1,650,000
Three-year total: $3,707,000 Three-year present value: $3,031,488

Cost Of Deployment And Ongoing Management

Evidence and data. Interviewees reported that deploying and operating ServiceNow SecOps required internal labor investment across implementation, ongoing management, and user enablement. These costs primarily took the form of staff time devoted to configuration, integration, process alignment, and training instead of discrete technology purchases.

Several interviewees described dedicating internal resources to support initial deployment and integration of ServiceNow SecOps. The incident response lead from the public sector explained that integrating the platform with their organization’s existing security tools and automating workflows required sustained internal effort and support from a dedicated agile team focused on integrations, automations, and optimization. This work was characterized as necessary to align SecOps with existing SOC processes, rather than strict technology implementation.

Interviewees also noted there are ongoing internal labor costs associated with maintaining and evolving the platform. The head of vulnerability management from the financial services firm said internal teams spend time aligning workflows, managing integrations, and supporting enhancements as ServiceNow SecOps expands across additional security domains. These efforts continued as ServiceNow SecOps became more central to daily security operations and reporting.

Training and user enablement represented the final area of soft investment. Interviewees reported that users already familiar with the platform generally consider ServiceNow SecOps to be intuitive, their organizations required time to onboard new users, communicate process changes, and support adoption. The cybersecurity process manager and product owner from the banking industry described planning and delivery cycles that included configuration work and user preparation when new features or workflows were introduced, noting that this effort was typically incorporated into regular agile planning rather than treated as a standalone training initiative.

Interviewees said internal labor costs are a normal component of deploying and operating an enterprise security operations platform, and they consistently framed these costs as part of ongoing operational management and process maturity, rather than as unexpected or exceptional burdens.

Modeling and assumptions. For the composite organization, Forrester assumes:

  • Four professionals spend nine months assisting with the implementation and deployment of ServiceNow SecOps.

  • The average fully burdened annual rate for a deployment team member is $130,000.

  • The composite scales from 0.5 FTEs in Year 1 to 1.5 FTEs on an ongoing basis to manage ServiceNow SecOps, supporting activities such as use case expansion, user onboarding, and support for internal service tickets and general platform management activities.

  • The average fully burdened annual rate for a Tier 1 SOC analyst is $105,000.

  • Fifty stakeholders require an average of 40 hours of training to become proficient with ServiceNow SecOps.

  • The average fully burdened hourly rate for an FTE who requires training is $58.

  • An additional five stakeholders require the same amount of training each year to due to employee turnover.

  • An additional one-time labor cost of $25,000 is incurred to develop training materials.

Risks. The cost of deployment, ongoing management, and training may vary with:

  • The scope of initial deployment and any increase in scope over time.

  • The level of familiarity the responsible team members have with ServiceNow’s technology.

  • The fully burdened rates of the internal teams responsible for deployment, ongoing management, and training workflows.

Results. To account for these risks, Forrester adjusted this cost upward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $935,000.

“Really, it took our team only a couple days training, and they were done. It’s ServiceNow, they don’t make it rocket science.”

Head of vulnerability management, financial services

Cost Of Deployment And Ongoing Management

Ref. Metric Source Initial Year 1 Year 2 Year 3
F1 FTEs needed for planning and deployment Interviews 4 0 0 0
F2 Percentage of time required for planning and deployment Composite 75% 0% 0% 0%
F3 Fully burdened annual rate for a FTE R7, R9 $130,000 $130,000 $130,000 $130,000
F4 Subtotal: Internal cost to deploy F1*F2*F3 $390,000 $0 $0 $0
F5 FTEs needed for ongoing management Interviews 0.0 0.5 1.0 1.5
F6 Fully burdened annual rate for a Tier 1 SOC analyst R8 $105,000 $105,000 $105,000 $105,000
F7 Subtotal: Internal cost to manage ServiceNow SecOps F5*F6 $0 $52,500 $105,000 $157,500
F8 FTEs who need training R4+R5 50 5 5 5
F9 Training time required per FTE (hours) Interviews 40 40 40 40
F10 Fully burdened hourly rate for an FTE who requires training R7*43%+57%*(R8*70%+R9*30%)/2,080 hours $58 $58 $58 $58
F11 Training materials costs Interviews $25,000 $0 $0 $0
F12 Subtotal: Internal training cost F8*F9*F10+F11 $141,000 $11,600 $11,600 $11,600
Ft Cost of deployment and ongoing management F4+F7+F12 $531,000 $64,100 $116,600 $169,100
  Risk adjustment ↑15%        
Ftr Cost of deployment and ongoing management (risk-adjusted)   $610,650 $73,715 $134,090 $194,465
Three-year total: $1,012,920 Three-year present value: $934,586

Financial Summary

Consolidated Three-Year, Risk-Adjusted Metrics

Cash Flow Chart (Risk-Adjusted)

[CHART DIV CONTAINER]
Total costs Total benefits Cumulative net benefits Initial Year 1 Year 2 Year 3

Cash Flow Analysis (Risk-Adjusted)

  Initial Year 1 Year 2 Year 3 Total Present Value
Total costs ($830,650) ($722,715) ($1,322,090) ($1,844,465) ($4,719,920) ($3,966,074)
Total benefits $0 $2,881,785 $5,911,457 $8,948,892 $17,742,134 $14,228,742
Net benefits ($830,650) $2,159,070 $4,589,367 $7,104,427 $13,022,214 $10,262,668
ROI           259%
Payback           <6 months

 Please Note

The financial results calculated in the Benefits and Costs sections can be used to determine the ROI, NPV, and payback period for the composite organization’s investment. Forrester assumes a yearly discount rate of 10% for this analysis.

These risk-adjusted ROI, NPV, and payback period values are determined by applying risk-adjustment factors to the unadjusted results in each Benefit and Cost section.

The initial investment column contains costs incurred at “time 0” or at the beginning of Year 1 that are not discounted. All other cash flows are discounted using the discount rate at the end of the year. PV calculations are calculated for each total cost and benefit estimate. NPV calculations in the summary tables are the sum of the initial investment and the discounted cash flows in each year. Sums and present value calculations of the Total Benefits, Total Costs, and Cash Flow tables may not exactly add up, as some rounding may occur.

From the information provided in the interviews, Forrester constructed a Total Economic Impact™ framework for those organizations considering an investment in ServiceNow SecOps.

The objective of the framework is to identify the cost, benefit, flexibility, and risk factors that affect the investment decision. Forrester took a multistep approach to evaluate the impact that ServiceNow SecOps can have on an organization.

Due Diligence

Interviewed ServiceNow stakeholders and Forrester analysts to gather data relative to ServiceNow SecOps.

Interviews

Interviewed five decision-makers at four organizations using ServiceNow SecOps to obtain data about costs, benefits, and risks.

Composite Organization

Designed a composite organization based on characteristics of the interviewees’ organizations.

Financial Model Framework

Constructed a financial model representative of the interviews using the TEI methodology and risk-adjusted the financial model based on issues and concerns of the interviewees.

Case Study

Employed four fundamental elements of TEI in modeling the investment impact: benefits, costs, flexibility, and risks. Given the increasing sophistication of ROI analyses related to IT investments, Forrester’s TEI methodology provides a complete picture of the total economic impact of purchase decisions. Please see Appendix A for additional information on the TEI methodology.

Total Economic Impact Approach

Benefits

Benefits represent the value the solution delivers to the business. The TEI methodology places equal weight on the measure of benefits and costs, allowing for a full examination of the solution’s effect on the entire organization.

Costs

Costs comprise all expenses necessary to deliver the proposed value, or benefits, of the solution. The methodology captures implementation and ongoing costs associated with the solution.

Flexibility

Flexibility represents the strategic value that can be obtained for some future additional investment building on top of the initial investment already made. The ability to capture that benefit has a PV that can be estimated.

Risks

Risks measure the uncertainty of benefit and cost estimates given: 1) the likelihood that estimates will meet original projections and 2) the likelihood that estimates will be tracked over time. TEI risk factors are based on “triangular distribution.”

Financial Terminology

Present value (PV)

The present or current value of (discounted) cost and benefit estimates given at an interest rate (the discount rate). The PVs of costs and benefits feed into the total NPV of cash flows.

Net present value (NPV)

The present or current value of (discounted) future net cash flows given an interest rate (the discount rate). A positive project NPV normally indicates that the investment should be made unless other projects have higher NPVs.

Return on investment (ROI)

A project’s expected return in percentage terms. ROI is calculated by dividing net benefits (benefits less costs) by costs.

Discount rate

The interest rate used in cash flow analysis to take into account the time value of money. Organizations typically use discount rates between 8% and 16%.

Payback

The breakeven point for an investment. This is the point in time at which net benefits (benefits minus costs) equal initial investment or cost.

Appendix A

Total Economic Impact

Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.

Disclosures

Readers should be aware of the following:

This study is commissioned by ServiceNow and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.

Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in ServiceNow SecOps. For any interactive functionality, the intent is for the questions to solicit inputs specific to a prospect's business. Forrester believes that this analysis is representative of what companies may achieve with ServiceNow SecOps based on the inputs provided and any assumptions made. Forrester does not endorse ServiceNow or its offerings. Although great care has been taken to ensure the accuracy and completeness of this model, ServiceNow and Forrester Research are unable to accept any legal responsibility for any actions taken on the basis of the information contained herein. The interactive tool is provided ‘AS IS,’ and Forrester and ServiceNow make no warranties of any kind.

ServiceNow reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.

ServiceNow provided the customer names for the interviews but did not participate in the interviews.

Consulting Team:

Nick Mayberry

Published

June 2026