Reflections from the First Half of 2025: A Year of Deepening Partnerships
As we reach the midpoint of 2025, I’m struck by how quickly the time has moved, and more importantly, by the depth and quality of our conversations along the way. Whether you joined us at our summit, took the stage alongside us at a recent event, or simply shared a candid perspective in a one-on-one exchange, I want to thank you. These interactions aren’t just moments, they are the foundation on which we build trust, innovation, and meaningful progress.
If there’s a single theme that defines the first half of this year, it’s partnerships. We've strengthened our engagement with customers, formed new strategic alliances with organizations such as KPMG and the Cyber Risk Institute (CRI), and advanced our integrations with key platforms, including ServiceNow, Qualys TruRisk, and others.
We also welcomed two outstanding executive partners to our advisory community: Elaine Bucknor and Jim Routh, each bringing a wealth of insight and a shared vision for what comes next. In addition to Oli Newbury joining at the end of last year, these industry leaders continue to add valuable voice of the customer insights to our business.
In the spirit of transparency and shared progress, I’m pleased to share the latest insights into what’s been happening across our customer portfolio, our product roadmap, and the broader cybersecurity landscape.
Thank you again for being part of this journey. As always, we’re well along the path... and somehow just getting started.
Themes from our customers
Use cases for the CISO’s three responsibilities
As our customers continue to expand the landscape of what is possible in the Panaseer platform, we often see three primary use cases where Panaseer consistently enables CISOs and their organizations to thrive.
Cyber resiliency and risk management
With Panaseer, everyone agrees on and uses the same data with added business context and ownership to better inform prioritization and process improvement. We’re seeing broader cross-functional adoption across security teams, GRC, internal audit, business, and IT. It’s resulting in attack surface reduction and improved controls effectiveness, with customers often realizing 100% improvement in coverage and effectiveness of existing controls.
GRC / board, audit, and regulatory reporting
Panaseer enables you to respond instantly to an audit with answers at your fingertips, backed by best-practice measurement. Customers are experiencing a 75% reduction in reporting time and effort. For some customers, this also includes developing customer trust, where they see cyber as a strategic differentiator, where CISOs have a part-time field CISO role, developing trust centers, and showing progress to customers (or supply chain partners).
Business partnering
Our platform empowers the CISO to expertly engage, advise, and influence stakeholders with a strategic view of how cyber risk affects the business. Customers are moving from ‘risk-takers’ to ‘business enablers’ and at the same time creating a culture of accountability and moving ‘CISO-risk’ to ‘business risk’. It’s a game changer for CISOs to have the information they need at their fingertips, translated to non-technical stakeholders. Our recent innovation helps them influence through storytelling supported by truth data and prioritization based on business priorities and risk priorities .
In short, Panaseer is allowing the CISO to thrive in all three primary roles, resulting in efficiency savings, automated compliance, teaming and collaboration, and achieving the intended residual risk position.
Panaseer 2.0
Panaseer 1.0 began as a general-purpose cyber reporting platform. As we learned about requirements from our customers, the product evolved through customization to solve a large number of data-driven cyber controls problems for many personas in many different sizes and types of organizations.
We invested heavily in modernizing and standardizing the platform over the last few years, and Panaseer 2.0 is now a standard, highly configurable controls assurance product available for all customers.
The time to deploy each of our ten cyber control domains is typically 4-6 weeks, and the platform has evolved to be a mission-critical platform bought by CISOs and used across stakeholders in security, GRC, audit, IT, and the business.
As a customer recently shared, “We hold weekly metrics calls with the CTO, SecOps & GRC using Panaseer. The appetite for more insight and data is exciting – IT has never been this engaged and collaborative with Security and Risk!”
Named by one of our customer leaders as ‘Salesforce for the CISO’, we are increasingly the system of record for the CISO and the collaboration platform providing the single source of truth data for cyber controls.
As we heard from a customer CISO, "I don’t like many tools, but I like this one. I want to get every last drop of value out of it.” Teams no longer need to bring their own data to the meeting, and data quality is democratized across the organization.
Panaseer 2.0 has also enabled cross-functional collaboration, helping make security a team sport and ensuring all stakeholders better understand their responsibilities and the business reason for achieving controls effectiveness.
Product updates
ServiceNow + Panaseer
This has been a big topic as many of our customers increase their ServiceNow investments. Panaseer coexists with ServiceNow, and our offerings are entirely complementary, with each improving the other’s capabilities.
Recently released
We continue to release new capabilities into the platform, providing richer views and monitoring controls to further enable executive communication and improve cyber health.
The Product and Engineering teams have released to date the following capabilities alongside the more day-to-day releases to ensure we continue to offer a world-class, enterprise-grade experience.
Multiple Scorecards & Scorecard Weighting
We continue to improve our Scorecard capability to simplify governance and risk management communication. The new Multiple Scorecards capability offers the ability to create as many bespoke views across your strategic goals, business units, functions, frameworks, and more as needed.
This release allows teams to distill complex data from several metrics into a single comprehensive view. Customers can also now create dashboards focused on key initiatives or align with popular Security Frameworks such as NIST CSF or CRI.
Additionally, customers can now customize the calculation of initiative-level and enterprise-level scores by adjusting the weighting of the metrics and scores used in the calculation.
Frameworks Catalog
The Cyber Frameworks Catalog enables enterprises to map, monitor, and report security control performance across critical cybersecurity frameworks and regulations. With current and historical performance that is fully inspectable, this release improves audit response.
Today, there are more than ten out-of-the-box dashboards mapped to over 200 control metrics across leading frameworks and regulations, including NIST CSF v2.0, CIS Controls v8, PCI DSS v4.0, and CRI Profile v2.
CRI Innovators
In May we were delighted to announce our collaboration with the Cyber Risk Institute (CRI), joining their Innovators Program. Many of you are using the CRI Profile to streamline cybersecurity risk management.
By integrating the CRI Profile into our platform and becoming an Innovator, Panaseer enhances its ability to automate control measurement, close compliance gaps, and generate regulator-ready reporting across multiple jurisdictions and business units.
Compound risk
The threat landscape is constantly evolving, the raw number of attacks fluctuates, but the level of sophistication always increases. AI tooling is increasing the ability to socially engineer and breach with voice and visual attacks that are hard to spot and protect against. We see these different vectors of attack through the data we gather. We also see that through data gathering, you can assess and visualize ‘stacks of risk’ – we call those Compound Risks or Toxic Combinations. Compound Risk manifests itself often in the highly publicized breaches that hit the headlines. The recent ransomware attack at Marks and Spencer is no exception.
Our Compound Risk capability can reveal areas of higher exploitability by seeing and combining threats and overlaying your business context.
Customers using this capability have moved from simple compliance views – “Is this device patched” to risk-based prioritization views such as “this device is connected to the internet, has an unpatched critical vulnerability, and the owner has failed phishing testing”.
Exciting and upcoming
Panaseer AI
We are delighted to announce the forthcoming release of our entry into AI-powered functionality. Panaseer AI leverages the platform’s ground truth data, enriched with business logic context, to automatically show key drivers of your security metric changes, saving time and effort needed to report and act based on them confidently.
We feature natural language summaries to ease cross-business communication and pair with existing Top Analysis and Compound Risk Metrics functionalities to offer best-of-breed data insight.
Panaseer’s AI provides powerful, actionable insights to support your teams in focusing on what matters most.
New Cyber Control Domains
We are investigating multiple security and digital governance areas to be our next Cyber Control Domains and want to hear from you. If you have pressing needs to measure or report on AI Governance, Application Access Management, or Third-Party Risk Management, please reach out via your CSM or by emailing the product team directly at product@panaseer.com.
Important Business Services
To support risk management and regulatory (e.g. DORA) requirements for operational resilience, we have been working closely with customers on a new “Important Business Services” capability, planned for release later this year. This capability will enable customers to map infrastructure and applications to their important business services and then view metrics across a dashboard using new “Application” and “Business Service” lenses, gaining new visibility into operational resilience.
The combination of Compound Risk Metrics and Important Business Services provides critical tools in enabling customer to prioritize their limited resources to close the most impactful control gaps. Compound Risk Metrics enables customers to identify data-driven toxic combinations of control gaps, while Important Business Services enables customers to identify data-driven business-based priorities.
As well as our marquee releases, we continue to innovate and provide continuous value across the platform. Updates to our Dashboards increased their usability by adding weighting, we’ve added customizable heatmaps, provided an Entity Data Resolution overview screen, Isolated testing for Data Connectors, and continued to innovate our Cyber Control Domains, most recently with enhanced vulnerability remediation metrics and support for scoring from vulnerability scanners.
Company updates
As I mentioned, the theme of this letter is partnership. Thank you for your continued trust and collaboration. As our customers, you are our most important partners as we continue on our journey. Alongside the work we are doing together, we have several other exciting partnerships that we have been working on this year that I would like to share with you.
In my last letter to you, I mentioned that we had kicked off our partner program. I’m delighted to share that we have embarked on a key partnership with KPMG.
In addition to joint prospecting and collaboration on initiatives, we’ve recently published a joint whitepaper and are working towards a series of executive events and digital content.
As I touched on earlier, we also partnered with the Cyber Risk Institute (CRI). At the start of the year, we heard from many of our customers that CRI was a framework they had been using with remarkable success, and when we reached out to learn more, we quickly saw why. As the CRI website says, “The CRI Profile is a cybersecurity framework developed by and for the financial sector based on globally recognized standards. It connects the dots between cyber best practices and expectations from all over the world.” In addition to a formal partnership, which includes presenting at various events in Washington, D.C., Tokyo, and Austin this year, we have also incorporated the CRI profile into our list of available frameworks. If you have completed a CRI assessment and are looking to operationalize your results, let us know.
Last and most importantly, as I mentioned above, I am thrilled to share a bit more about our new advisory board members, Elaine Bucknor and Jim Routh.
Elaine’s 25 years of cybersecurity, technology, and commercial experience have already proved instrumental in guiding Panaseer as the business continues to pursue its ambitious growth goals, expanding platform capabilities, and staying at the forefront of Continuous Controls Monitoring (CCM) technology.
Jim’s extensive experience as a transformational security leader, combined with his pioneering approach to data-driven cybersecurity, has been invaluable as Panaseer continues its mission to drive innovation in security measurement, risk management, and CCM.
I am delighted to have both on board and look forward to sharing their various contributions with you throughout the year. If you’d like to see them in action, they both recently joined a panel discussion hosted by Panaseer on a CISO’s perspective on continuous compliance and automation.
Jonathan Gill, CEO