UpGuard
01 · Market and trends

  • → TPRM is growing 1.5 times faster than cybersec: $7–9 billion → $20 billion by 2030.
  • → Drivers: supply chain breaches, regulators (DORA / SEC / APRA), AI.
  • → TPRM programs are maturing: dedicated software ↑ 19% YoY, manual methods (Excel / Google Sheets) ↓ 29%.

Size and context

  • Global TPRM market in 2024-2025: $7–9 billion (Grand View Research, OpenPR, Strategic Market Research).
  • Forecast by 2030: $20 billion, CAGR ~15–17%.
  • TPRM is growing 1.5 times faster than the overall cybersec market.
  • TPRM programs are maturing: use of dedicated TPRM software ↑ 19% YoY (2025 vs 2024), manual methods (Excel / Google Sheets) ↓ 29%.
  • BFSI is the largest vertical segment.
  • Cloud deployment leads; on-premises is used only in heavily regulated industries.

Key trends

Supply chain breaches

60-98% of companies are associated with at least one vendor that has had a breach in the last 2 years. Breach-through-vendor has become the dominant attack vector.

Regulatory pressure

DORA (EU, 2025), SEC Cybersecurity Rules (US, 2023), APRA CPS 230 (AU, 2025), NIS2 (EU): all require formal TPRM. Vendor risk management is no longer a 'nice to have'.

From point-in-time to continuous

Only 50% of companies conduct continuous monitoring of vendors. Annual questionnaires no longer work: in a year, a vendor can change its posture several times.

AI is changing the operating model

AI-driven assessments, automated questionnaire validation, remediation playbooks. All players (Bitsight, SecurityScorecard, UpGuard) launched AI wrappers over their platforms in 2025-2026.

Maturity is growing, manual methods are dying out

According to Venminder 2025: use of dedicated TPRM software ↑ 19% YoY, manual methods (Excel / Google Sheets) ↓ 29%. Companies are moving away from manual processes to dedicated solutions – an opportunity for UpGuard.

Fourth-party and beyond

Not just direct vendors, but also vendors' vendors (4th-party) and SaaS used by employees (shadow IT / shadow AI). The category is expanding from 'TPRM' to 'extended supply chain risk'.

Key go-tos for UpGuard

UpGuard on a rising tide
  • Make DORA / APRA / SEC the main story for 2026: landing pages, campaigns, and sales materials for each regulator.
  • Boost the 'continuous monitoring vs annual point-in-time' narrative – capture the audience from GRC tools and ratings-only solutions.
  • AI is a hygiene factor, but it's still worth mentioning: place it prominently, along with the outcome of using UpGuard.
  • Develop pillar content on 4th-party risks and shadow AI – there's no clear leader in this category yet.

Sources: Grand View Research, OpenPR, Strategic Market Research; Venminder – State of TPRM 2025 Survey. The figures vary by methodology – the range reflects the difference in TPRM definitions.