Gartner published its Hype Cycle for Cyber-Risk Management, 2026 (G00846807) in April. DeNexus is named as a Sample Vendor in the CPS Risk Management category — alongside Claroty, Darktrace, Dragos, Egerie, Nozomi Networks, Radiflow, and SecurityGate.
We’re not sharing the report. Gartner’s licensing rules govern that, and we respect them. What we are doing is telling you what it says, what it means, and — more importantly — what it means for the industrial organizations and insurers navigating this market right now.
Unless otherwise noted, all Gartner data and statements below are sourced directly from G00846807.
What the Report Says About CPS Risk Management
Gartner defines CPS Risk Management as the discipline that ensures the unique security and safety risks of cyber-physical systems — OT, ICS, SCADA, IoT, IIoT — are effectively managed. Unlike enterprise IT risk, CPS risk has a physical dimension: a successful attack doesn’t just expose data, it can shut down production, damage equipment, and create health and safety consequences.
Gartner estimates the category at 20–50% market penetration with Adolescent maturity. That is their assessment of adoption among the target audience — and it reflects a market that has moved past early adopters into real enterprise deployment, though it is not yet commoditized. Organizations are buying, implementing, and learning.
The drivers Gartner identifies are ones we’ve seen directly in the field:
Attacks are moving from IT to operations. Gartner notes “a marked increase in attacks moving from enterprise IT systems to impact operations and production environments in manufacturing and critical infrastructure organizations.” This is where value is created, where disruption hurts most, and where traditional IT-centric risk management falls short.
Insurance companies are mandating OT cybersecurity controls. Gartner states directly: “Insurance companies increasingly mandate cybersecurity controls in CPS environments before approving policies.” The insurance market is no longer a passive observer of OT risk — it’s an active driver of how industrial organizations manage it.
What the Report Says About Cyber-Risk Quantification
CRQ gets its own category in the report. Gartner positions it at the Peak of Inflated Expectations, with a High benefit rating and 5–20% market penetration.
That combination tells a specific story. Buyer interest is real and accelerating. Budgets are moving. But the market is also entering the phase where expectations collide with execution — where overclaimed tools get exposed and credible platforms get rewarded.
Gartner’s guidance to buyers is direct: start with a small number of high-consequence threat scenarios connected to specific business decisions, not enterprise-wide modeling. Define clear decision objectives before building models. Use transparent assumptions and ranges rather than seeking false precision from limited data. Integrate results into budgeting and governance so outputs actually influence decisions.
That guidance maps closely to what DeNexus’ DeRISK CRQ is built to deliver: financially expressed risk output designed to support decisions, not just produce dashboards.
The obstacles Gartner identifies — poorly defined or asset-centric risk scenarios that fail to reflect realistic threat events; overconfidence in limited or fabricated input data leading to false precision; complex modeling disconnected from specific business decisions — are failure modes we have spent years engineering around.
Where DeNexus Sits
DeNexus maps across both Gartner categories — CPS Risk Management and Cyber-Risk Quantification — and sits at the intersection where neither list fully reaches.
The CPS Risk Management category is anchored in OT visibility and detection — identifying what’s connected, what’s vulnerable, what’s happening. Vendors like Claroty, Dragos, and Nozomi Networks, most of whom are also our integration partners, do this well. What the category doesn’t fully address is the financial translation of that OT risk — the Value at Risk, what it means in dollars, for decisions, for capital allocation, for the business.
The Cyber-Risk Quantification category delivers that financial translation — expressing cyber risk in monetary terms that executives and boards can act on. The OT gap is in the depth of the model: industrial environments, with their unique asset profiles, process dependencies, safety systems, and physical-world consequences, require a fundamentally different approach to loss modeling than IT-centric risk frameworks were designed for.
DeNexus plays across both categories. DeRISK CRQ brings OT Cyber-Physical Risk Quantification to the intersection of CPS Risk Management and Cyber-Risk Quantification — 300+ implementations across power generation, manufacturing, and critical infrastructure, in environments where the risk isn’t just to data, it’s to operations.
What This Means for Industrial Organizations
If you’re a CISO, CRO, or operations leader at an industrial company, the Gartner report is pointing to three things that you should already be feeling in your day-to-day:
Your board wants cyber risk in financial terms. Heat maps and maturity scores don’t answer the question a CFO asks before a budget conversation. Gartner explicitly validates CRQ as the mechanism for bridging that gap — and confirms that the market is at the stage where credible tools exist.
Your insurer is changing the rules. The mandate for OT cybersecurity evidence is no longer theoretical. It’s in renewal conversations, in policy terms, and increasingly in pricing. Organizations that can demonstrate OT Cyber-Physical Risk Quantification have a structural advantage at the underwriting table.
Your production environment is the target. The shift in attacker focus from IT to OT is documented, accelerating, and not going to reverse. Risk management programs that still treat OT as a subset of IT are operating with a blind spot.
What This Means for the Insurance Market
For underwriters and risk managers on the insurance side, the Gartner report validates the market pull that’s been building for years.
Gartner places CPS Risk Management at 20–50% penetration — their estimate, and one we consider optimistic relative to the OT Cyber-Physical Risk Quantification subset of that market. The category is real and growing. But precise, actuarial-grade OT Cyber-Physical Risk Quantification — the kind that underwrites a policy — remains significantly less widespread than the broader CPS Risk Management space Gartner measures.
The answer requires data that doesn’t come from IT questionnaires. It requires asset-level visibility into OT environments, financially expressed risk output, and output that actuaries can work with. That’s what DeNexus’ recently launched DeRISK UWA delivers.
A Note on What This Recognition Means to Us
We’re proud of the mention. We’re also clear-eyed about what it represents.
Being in a Gartner vendor list alongside seven other companies means the category is being watched. It doesn’t mean the race is won. The Hype Cycle is a map of where the market is heading — it’s not a finish line.
What the 2026 report confirms is that the category DeNexus has been building in is real, is growing, and is now attracting the attention of enterprise buyers, regulators, and insurers at scale. That’s the market we’ve been preparing for.
300+ CRQ deployments. A platform built for OT from day one. Insurance-grade output that underwriters can act on.
The work continues.