The business world can expect to see shifts in revenue expectations, market saturation, and how providers are scaling managed compliance services over the next year or so.
This is according to Rahul Bakshi, Chief Product Officer at cloud-based cybersecurity compliance platform Apptega. The platform is focused on how continuous compliance improves security outcomes, drives business differentiation, and reduces risk.
The firm recently published a review on the state of compliance. Digital Journal spoke with Bakshi to understand more, in a conversation drawing on Apptega’s second annual State of Continuous Compliance report.
Managed compliance and revenue growth
Digital Journal: This was your second annual report on compliance. What are the most surprising differences year over year?
Rahul Bakshi: We started the State of Continuous Compliance report as a maturity pulse check benchmarking data on how security providers are responding to the growing demand for compliance services, and how leading providers use the managed compliance opportunity to both grow their revenue and strengthen customer relationships. The second annual report expands on those findings, uncovering how providers grow, differentiate, and show the value of their security organizations on an ongoing basis.
2025 data changes the narrative on compliance offerings for security providers. More than 70% of respondents last year were bullish, declaring aggressively optimistic double-digit recurring revenue growth expectations, which this year’s survey found did not materialize. 3 out of 4 security service providers fell short of their 2024 overall ARR goals, demonstrating that service providers are challenged to turn offerings into recurring revenue streams.
This year’s report also found that 90% of security providers face challenges standing out, despite 68% of providers rating their differentiation as above average or better. Nearly half point to a lack of marketing or brand awareness as the top issue, while 38% cite market overcrowding and commoditization. With 87% of security providers now offering some form of compliance services, a significant portion of the market is still struggling to carve out a clear, competitive identity.
Addressing market challenges
DJ: What is required to address the challenges in the market?
Bakshi: Three critical perspective shifts should be a real-time focus for security providers: Amplifying the positive impact compliance brings to organizations’ defensive postures, recognizing compliance’s potential as a business differentiator when delivered as a managed service, and how these managed services enable demonstration of value over time.
Compliance frameworks like CMMC and NIST have matured over time into meaningful guidelines for reducing business risk, not just for meeting regulatory checkboxes. As this maturity only continues to increase, these frameworks are more valuable than ever in helping businesses stay resilient and demonstrate confidence to their ecosystem when continuously applied. Organizations need support recognizing this opportunity to consistently reduce business risk, creating space for security providers to step in.
Overcoming the market saturation revealed in this year’s data means security providers must recognize compliance alone is no longer a differentiator, but a necessity to keep up. Providers must further differentiate offerings to stand out and grow. Delivering compliance as a managed service moves perception towards business recognition as a security investment.
The final necessity to address differentiation challenges begins with better visibility of long-tailed return on investment in compliance as a managed service, which can pay dividends for both security providers and their customers. Internal data measurement and reporting is critical for providers in tying their work to reduced churn, recurring revenue and other growth. The same data and measurement investments are also instrumental in demonstrating improved security readiness to clients.
DJ: What’s the opportunity for security providers to invest in maturing compliance delivery into a managed service?
Bakshi: It’s a significant one. Providers offering managed compliance are more likely to generate recurring revenue – 44% say at least a quarter of their compliance revenue is recurring, compared to just 28% among those using a consulting model. The managed approach also deepens client relationships by embedding compliance into their daily operations, which creates more predictable revenue and greater retention.
Path to true managed compliance
DJ: The 2025 report discusses how compliance services are being delivered as one headwind to scaling defenses – can you elaborate?
Bakshi: Yes. Advisory and consultative models still dominate, largely because they’re easier to stand up. But they don’t scale. Managed compliance requires more process maturity and platform support, which many smaller providers are still working toward. However, we’re now seeing that smaller firms (1–10 employees) had some of the highest year-over-year growth in managed compliance adoption – up 12%. These firms are using automation and flexible delivery models to move faster than their larger peers.
While smaller providers are adopting managed compliance at a higher rate overall, the services are growing fastest among larger providers. While many large security providers have offerings in place, a sizable percentage of the market has yet to fully transition and continues to deliver compliance as a vCISO-style engagement rather than a fully managed service. The contrast highlights a market where smaller providers maintain higher adoption rates, but larger providers are accelerating their shift toward true managed compliance.
DJ: How does continuous compliance improve security outcomes, and where is the current cybersecurity falling short?
Bakshi: Traditional compliance is reactive – centered around one-time audits or static frameworks. Continuous compliance introduces ongoing automation, scoring, and accountability, allowing providers and their clients to maintain readiness at all times. This not only reduces human error but also helps organizations identify and close gaps in real time. It’s why providers using continuous models report stronger automation, better retention, and more confidence in scaling revenue.
AI automation saves time
DJ: In a business environment where AI dominates conversations, where does continuous compliance fit in?
Bakshi: AI is not just part of the conversation, but part of the solution. For example, AI-powered automation is being used to reduce the time spent responding to security questionnaires, often cutting it in half. These tasks are high-friction and labor-intensive. By automating them, providers gain margin, speed, and scale. More broadly, AI helps translate compliance data into actionable intelligence, accelerating remediation and enabling providers to do more with leaner teams.
DJ: How does automated compliance lead to better protection?
Bakshi: Automation ensures that controls are continuously applied, updated, and monitored. It removes the risk of lag between policy and action, which is where vulnerabilities tend to emerge. When paired with real-time scoring, this gives organizations a clearer picture of risk and the ability to act on it before it becomes a liability. It’s not just about faster compliance, it’s about stronger security, backed by measurable outcomes.
DJ: Is there anything else in the report you’d like to discuss?
Bakshi: Differentiation doesn’t come from offering compliance, but rather how you deliver it. The providers seeing the strongest growth are those that blend automation, visibility, and service into a seamless experience for clients. Security and compliance should build on each other towards a common goal of reducing risk. MSPs, MSSPs, MDR providers and any other defender in the business of delivering improved security outcomes should be thinking how they can reduce risk by coupling new measures of success.
