Forrester

JFrog SwampUp 2025: The Agentic Development Era Emerges From The Swamp

The 10th annual JFrog SwampUp user conference was held in the idyllic Napa Valley, far from swamps and mosquitoes but full of “frogs” (what JFrog employees call themselves). The conference is kept small and intimate by design. This gave customers, analysts, press, and investors the ability to interact directly with JFrog management and each other. The theme of the event was that the AI evolution is here, and organizations must adopt or be left behind. This was not news for participants, many of whom were platform or application engineers responsible for the enablement or development of AI/ML applications. But JFrog’s announcements differed from those of its competitors, including an emphasis on application trust, supply chain integrity, and agentic development releases.

The JFrog Platform Attempts To Leap Toward The Agentic Era

Product announcements demonstrated a cohesive strategy to bring trust to the world of DevOps, DevSecOps, MLOps, and agentic development. JFrog’s feature announcements, ranging from generally available (GA) to in beta to coming soon, were well received by customers eager to explore their potential. JFrog may have challenges, however, in successfully executing across such a broad spectrum of areas. Some of the announcements that might hop JFrog ahead the most are:

JFrog AI Catalog is a central hub for open-source, proprietary, and internally developed models that provides visibility into provenance, training datasets, licenses, and vulnerabilities. AI inventory, portfolio management, and discovery are shaping up to be hotly contested areas, with major players such as SAP, Salesforce, and ServiceNow all staking claims, as well as security players and specialized startups. JFrog has an advantage in being closer to the ground truth of what is actually being deployed, but to differentiate itself in this market, it will need to bring in even more contextual portfolio information — capabilities, finances, risks, etc.

JFrog’s Agentic Software Supply Chain Security applies its advanced security and curation capabilities to agentic development via a JFrog MCP Server and GitHub integrations to shift development teams to a proactive security approach. In addition, the JFrog local SAST MCP allows developers to get feedback on first-party code weaknesses in their integrated development environment (IDE), and developers can prompt the AI agent (e.g., GitHub Copilot) to generate fix suggestions based on context fed by JFrog. Currently in alpha, the feature mimics those of other SAST vendors rather than leaping forward.

JFrog Fly is the company’s agentic developer platform and an MCP server that works with multiple IDEs, including VS Code and Cursor. Integrated with GitHub and observability, Fly provides a chat interface that allows users to query, promote, and roll back existing releases based on specifics of the code (e.g., “Which features were added to this release?” or “Deploy the release that added styling to the user field”). Fly includes an audacious reimagining of the software development process, making versioning automatic and version names obsolete. This makes for a slick demo but may introduce confusion for JFrog clients who don’t want to give up their semantic versions or who need to support back-level software.

JFrog introduced three layers to increase AppTrust capabilities in the age of agentic development and increased supply chain attacks. The first layer is “application” as a new object in the platform to track application ownership, compliance, governance, etc. “Evidence” is the second layer, and part of the system of record and lifecycle policies are the third. AppTrust pulls in GitHub’s artifact attestations for a verifiable chain of custody from artifact creation through software deployment, which is important for organizations that want to achieve SLSA level 3.

System-of-record scope for JFrog is more limited than some. JFrog focuses on binaries, auditability, and provable attestations (i.e., cryptographic signing) for build artifacts and steps in the software development lifecycle (SDLC). That’s less ambitious than what some other DevOps platforms mean by “single source of truth”: connecting business value to the SDLC. It plays to JFrog’s strengths, however, and allows the company to work well with its partners, which may have other viewpoints — and which may, themselves, claim to be the system of record. JFrog’s system of record will take some of the burden off of development teams, especially those undergoing an audit, and may make it easier for auditors to check the box. That’s a win.

Attackers Provided A Timely Reminder Of The Importance Of Software Supply Chain Security

There was a last-minute addition to the last keynote on day one. The JFrog research team gave a detailed description of the Node Package Manager (NPM) supply chain attack that they had discovered the day before. Attackers compromised NPM maintainers with a believable two-factor authentication reset phishing campaign. JFrog, Aikido, and the open-source community were able to minimize the impact of what could have been a major payday for attackers with serious implications for organizations and individuals.

JFrog has struggled to be seen as more than its artifact repository system. That’s made it vulnerable to all-in-one vendors that include adequate artifact management in their solutions. In addition, JFrog strives to be seen as an application security solution by enterprise security professionals. JFrog’s announcement boosted its security cred and showed how organizations can and should help protect the developer community.

Forrester clients can schedule an inquiry or guidance session to break down the JFrog announcements. There is also an upcoming opportunity to connect with Forrester analysts (and your peers) in person: Technology & Innovation Summit North America on November 2–5 and Security & Risk Summit on November 5–7, both in Austin, Texas. Each event is packed with visionary keynotes, informative breakout sessions, interactive workshops, insightful roundtables, and other special programs to help you master risk and conquer chaos.


The Long-Term Impact Of The $100,000 H-1B Fee? Higher IT Service Prices And More Offshore

On Friday, the Trump administration issued an executive order imposing a $100,000 fee on new H-1B visa applications. This directly impacts IT service providers’ practice of bringing offshore IT talent on H-1B visas to serve US companies. They aren’t the only ones impacted, though — it also challenges the similar talent model followed by tech giants such as Amazon, Google, Meta, and Microsoft. Even the US university system relies heavily on employees with H-1B visas.

For IT service providers, it directly impacts their operating models and might potentially impact margins. Large Indian IT service providers have traditionally been big users of H-1B visas, but over the last few years, they’ve reduced their H-1B visa workforce to well below 50% of their US-based workforce. They do so with local hiring, nearshore centers, and automation as fallbacks. The largest IT service providers could face a $500 million increase in annual fees, however, if they choose to maintain their existing staffing practices with H-1B visas. Midtier and smaller IT service providers would face disproportionate pressure from the H-1B fee due to their higher visa dependency relative to revenue. Also, their people-centric business models leave them with little maneuverability (see figure below).

If the $100K H-1B fee is enforced, technology leaders must prepare for three immediate consequences:

IT service delivery costs will go up. If providers are to maintain current visa-dependent staffing models, the $100K fee will significantly inflate costs, and most will respond by sharply curtailing new H-1B petitions, effectively removing a key talent channel. This reduction in foreign talent supply, combined with the Trump administration’s directive to the Department of Labor to raise prevailing wage thresholds, will drive up employee costs across the board. Buyers should expect a 2–3% increase in onsite billing rates for new contracts as providers pass through higher labor costs and restructure delivery models.

Delivery models will shift toward offshore execution. We predict increased offshoring, with Indian professionals and major IT vendors likely to intensify hiring and client support from India and other offshore countries, negatively affecting US-based delivery but potentially boosting India’s tech employment and offshore business. Technology leaders must inventory their project portfolio to see what can be effectively delivered entirely offshore — such as mainframe modernization or cloud migration — as well as activities like product development that require a global delivery model with significant staff in the same or similar time zone. Clients can also explore how to leverage their to mitigate this impact.

Complex projects and innovation will suffer. Indian IT service providers will struggle to staff specialized roles that require niche talent onsite in the US, especially for projects with high collaboration intensity. This constraint will also affect US-based tech firms, as reduced access to global expertise slows cross-border knowledge exchange. Over time, the rising cost and complexity of securing work visas may make the US less attractive for international talent, impacting its role in global innovation networks.

[Figure: Cost Of H-1B (2025 Numbers) As A Percentage Of Annual Revenue. Source: U.S. Citizenship and Immigration Services]

Over the next few months, we expect to see IT service providers:

Offer more remote shoring strategies. The new visa fee accelerates the shift away from the traditional offshore-onsite (global delivery) model to more remote-oriented models, such as nearshore or fully offshore models — especially for routine and commodity work. Onsite presence will shift toward senior architects, program managers, and client-facing leads, as opposed to entry-level roles. For the next few years, providers will keep most of their existing onsite base (since renewals are exempt), but the onsite part of the pyramid won’t replenish at the same rate. Instead of filing renewals and new petitions annually, they’ll now only add the new petitions that they can’t do without.

Reinforce investments in AI-powered delivery to raise productivity. Providers are already investing heavily in AI delivery platforms: These platforms automate swaths of the software delivery lifecycle, led by AI-powered analysis, coding, and testing. Already they’re using agents to shorten delivery times and lower overall costs by as much as 20–30%. This visa fee will create more urgency to scale up engineer-agent delivery pods to achieve the margin benefits and productivity throughput that enterprises need.

Continue the pivot to more value-aligned pricing strategies. On the managed services side, they’ll shift to more outcome-based or productivity-based contracts. Providers will look for more control over their resourcing model in lieu of price concessions. This will allow them to manage project delivery without having to worry about the costs of running managed services from onshore. Buyers will have to learn to manage project success through managing outcomes instead of through direct control over provider resources.

Even if we take a macro view, we come to the same conclusion: The US will spend close to $700 billion on tech consulting and outsourcing in 2026. If service providers file as many H-1Bs as they filed in 2025, we’re looking at a roughly $2 billion cost impact — a ~3% hit on their margins, which is significant. The industry may partially absorb it, but it’ll likely move away from using H-1Bs. It will achieve this by forcing the global delivery models to shift further from onshore toward offshore and nearshore operations.


Forrester’s 2025 Technology Strategy Impact Award Winner And Runners-Up For EMEA

Forrester is proud to announce the winner and runners-up of the 2025 Technology Strategy Impact Award for EMEA. This award recognizes organizations that exemplify high-performance IT (HPIT), continuously improving business results through technology by demonstrating alignment, trust, and adaptivity. We would like to congratulate this year’s winner, mBank S.A., and runners-up TBC Bank and Philip Morris International, which all stood out for their bold technology strategies, measurable business impact, and leadership in driving transformation.

mBank S.A.: Modernizing Core Banking While Accelerating Innovation

mBank S.A. (mBank) earned top honors for its five-year modernization strategy, which has redefined its core banking infrastructure while enabling parallel innovation across the business. As Poland’s first digital bank, mBank demonstrated how a technology-led transformation can deliver measurable business outcomes without compromising stability or customer experience. Here’s what differentiated mBank and led to its win:

Strategic alignment that drives measurable business outcomes. mBank’s five-year IT strategy initiative was fully owned by the technology division and formally approved by both the executive and supervisory boards. It was designed to modernize core systems while maintaining uninterrupted business delivery. The initiative enabled the bank to replatform its retail and corporate core systems, launch a new e-commerce marketplace, and deploy more than half of its critical systems in hybrid cloud — all while preserving its top cost-to-income ratio of 28.2 percent.

Adaptivity through phased migration and agile execution. mBank adopted a dual-shard architecture to migrate more than 6 million customers from legacy mainframe systems to a modern .NET platform, allowing gradual, risk-mitigated migration without service disruption. Agile frameworks enabled quarterly reprioritization and rapid response to external events, including the pandemic and war in Ukraine.

Trust built on security, resilience, and responsible innovation. The bank demonstrated exceptional resilience under wartime distributed-denial-of-service attacks and continues to lead in cybersecurity innovation. It launched real-time vishing protection and customer-facing cyber support services while maintaining zero compromises during red team testing. Its IT team cocreated business initiatives such as an embedded e-commerce marketplace and AI-powered complaint handling, reinforcing its reputation as a trusted digital leader.

mBank’s transformation exemplifies HPIT in action, combining deep modernization with business agility and delivering innovation at scale with trust and transparency.

TBC Bank: Reclaiming Digital Leadership Through Agile Transformation

TBC Bank impressed judges with its bold insourcing and modernization of digital banking platforms across Georgia and Uzbekistan. Faced with rising competition and delivery bottlenecks, TBC Bank reimagined its architecture and operating model to reclaim its position as a regional digital leader. Here is what made TBC Bank stand out:

Strategic alignment that links delivery to business value. TBC Bank restructured its delivery model around product-aligned teams, each with end-to-end ownership of strategic product domains. Agile governance and lean value trees ensured tight linkage between business goals and technology execution. The transformation enabled TBC Bank to regain its innovation edge and deliver over 30 “first in Georgia” features in 2025.

Adaptivity through modular architecture and agile execution. The bank replaced monolithic vendor-managed systems with a micro-front end and microservices-based architecture. This enabled independent deployment of features and reduced time to market from nine months to under three. Quarterly business reviews and innovation funding allowed rapid pivots and experimentation, while CI/CD automation supported over 18,000 deployments annually.

Trust built on reliability, transparency, and cultural transformation. TBC embedded DevSecOps, observability, and resilience into its delivery pipelines, achieving 99.86% service availability and reducing incident recovery time from hours to minutes. Internally, tech employee Net Promoter Score℠ (NPS) rose from 42% to 54%; externally, customer NPS reached 69% among affluent clients. The bank’s “you build it, you run it” model fostered ownership and accountability across teams.

TBC Bank’s transformation wasn’t just technical. It reshaped culture, delivery, and strategic alignment. Its success in both Georgia and Uzbekistan positions it as a benchmark for agile, adaptive, and trusted digital banking.

Philip Morris International: Scaling AI To Power Its Future

Philip Morris International (PMI) demonstrated how HPIT can drive enterprisewide transformation. Through its AI@PMI program, PMI is reimagining processes across functions to support its mission of delivering a smoke-free future. PMI deserved to be a finalist for its:

Strategic alignment that embeds AI across the enterprise. AI@PMI is embedded across all business units, with dedicated AI leads; formal objectives, goals, strategies, and measures; and shared ownership between IT, strategy, and people/culture. Every function developed an AI strategy aligned to PMI’s transformation goals, and AI initiatives are now integrated into budget cycles and long-term roadmaps.

Adaptivity through scalable reuse and rapid experimentation. PMI is building its AI Factory, a reusable and scalable operating model that it launched as an internal AI marketplace, rolling out Microsoft Copilot to 35,000 employees, with 65% using the tool weekly. Emerging tech — such as agentic orchestration, digital personas, and conversational AI assistants — is actively being explored and developed for future capabilities.

Trust built on governance, transparency, and a people-first approach. PMI’s AI governance oversees responsible development and scaling of AI solutions. PMI’s people-first approach includes workforce impact assessments, transparency hubs, and over 20,000 employees trained on AI literacy. The AI@PMI team cocreates with business units and external partners, ensuring trustworthy, secure, and scalable innovation.

PMI’s AI strategy is embedded in every business unit, with dedicated AI leads and measurable impact targets. Its people-first approach and scaling of emerging technologies, including agentic orchestration and digital personas, make it a standout example of adaptive, aligned, and trusted IT leadership.

Join Us At The 2025 Forrester Technology & Innovation Summit EMEA

The achievements of mBank, TBC Bank, and PMI will be celebrated at Forrester’s Technology & Innovation Summit EMEA, taking place October 8–10, 2025, in London and digitally. Join us to hear more about the winning organizations and explore how HPIT is driving business transformation across the region.


Your Top Questions On Generative AI, AI Agents, And Agentic Systems For Security Tools Answered

A lot is being thrown around right now about agentic systems, AI agents, autonomous security operations centers, and everything in between. Vendors are hyping capabilities — some that are here and now and many more that are far off in the future. Many of the clients I work with are confused about which capabilities are real now and which will come down the road. Read below for a breakdown of common questions we get about generative AI, to bring a little clarity to a confusing topic.

What is generative AI?

Generative AI (or genAI) is a type of artificial intelligence that is incredibly good at identifying the next most likely token in a complex sequence. This is one reason why it handles human language so well and why other, earlier iterations of machine learning did not; human language is extremely complex. It can mimic the qualities of its training data, and most of the most popular models on the market are trained on a lot of human language. In security tools, we see three common use cases for generative AI:

Content creation (creating incident summaries, converting query languages)
Knowledge articulation (chatbots for threat research, product documentation)
Behavior modeling (triage and investigation agents)

What are genAI chatbots most useful for in security?

AI chatbots such as Claude, Gemini, and ChatGPT (or the security equivalents, including Microsoft Security Copilot, Google Gemini, Charlotte AI, and Purple AI) are powered by large language models (LLMs) and are able to respond to open-ended questions, create nuanced language, provide contextually aware replies, and adapt to topics — especially security topics — without needing explicit programming for each scenario. While this is novel and unique, we find that practitioners just don’t use it that often. When they do, it’s especially useful for asking questions about product documentation or doing research on particular threats or vulnerabilities. Outside of this, however, there’s not often a lot of reason to go to the chatbot, so it doesn’t get used.

What is considered table stakes for genAI capabilities in security tools?

Outside of the chatbot use case, there are a few common ways that genAI is implemented in security tools today; in most cases, they are directly integrated into the analyst experience. Most often, this looks like:

Summarization: providing a summary of alerts, vulnerabilities, and risks.
Report writing: writing up reports on threat intelligence, incidents, the latest risks, etc.
Code writing: generating patches, exploits, queries, or other code.
Script analysis: understanding and explaining code or a script.
Language translation: translating between natural languages, query languages, or code.

What are AI agents used for in security?

The past year and a half was a true step change in genAI use cases for security. The introduction of AI agents, particularly for triage and investigation, is paving the way for major changes to how practitioners work. AI agents are narrowly focused tools that follow strict instructions to carry out specific tasks. The agent is limited in what it can do, and it reacts to defined triggers, such as receiving a specific alert or indicator of compromise to evaluate.

It’s very important to note that invoking AI in a function is not the same thing as an AI agent. For example, if a vendor has a feature in its product that builds an incident summary using generative AI, that is not necessarily an AI agent. It could simply be an invocation of an LLM in a particular function. The specific focus, the task, the ability to manage state (i.e., perform multiple steps while maintaining memory), and encapsulation are what differentiate an AI agent from an invocation in a function.

There are many examples of AI agents on the market today, like those from CrowdStrike, ReliaQuest, Intezer, and Red Canary, among others. These AI agents are task agents — they accomplish specific tasks, often within the incident response process. Task agents are very good at doing one particular thing because they are trained on specific data and are given a series of prompts that are tested and validated to ensure that they accomplish the correct task each time. For example, a triage agent for phishing may have built-in prompts that tell it to evaluate any email it is provided by extracting all indicators of compromise, checking them for reputation, and then providing a verdict and summary of its findings. Through thorough training, rigorous testing, and iterative improvement of the prompts used, early data shows that triage agents like these have been very successful at resolving false positives automatically (in specific cases).

Importantly, the combination of use case-specific (triage, investigation, etc.) and domain-specific (endpoint, identity, email, etc.) task agents must come before trying to solve bigger problems like building an AI that can complete the entire incident response lifecycle. It’s a lot like the transition we faced when moving to the cloud: Instead of building a monolith, building microservices resulted in a more scalable, reliable, and accurate result. Similarly, task agents that are specific to the use case they accomplish and the domain they are built for result in better outcomes. This also leads us to the next phase: agentic.

What is agentic AI used for in security tools?

Agentic AI is a system of AI task agents working and communicating together to accomplish a broader goal. The agents communicate via agent-to-agent communications. An agentic system for security operations could look like a combination of triage agents, investigation agents, and response agents. For example, an agentic system could orchestrate a phishing triage agent to validate a true positive phishing attack, then work with an endpoint triage agent and an endpoint investigation agent to verify that the phishing attack landed on an endpoint and escalated privileges. From there, the agents can provide context to an endpoint response agent, which will then provide the analyst with all the information they need to make an informed decision for response.

Don’t trust the hype: This is a work in progress and far from ready today

While agentic systems may sound like a panacea, right


Forrester’s 2025 Enterprise Architecture Award Winner And Runner-Up For EMEA

Forrester is proud to announce the winner and runner-up of the 2025 Enterprise Architecture Award for EMEA, recognizing organizations that exemplify outcome-driven architecture practices. We’re honored to have The Open Group co-judge this year’s Forrester EA Award again. This year’s submissions showcased how EA teams are driving measurable business impact through agility, innovation, and strategic alignment. Philip Morris International is the winner of the 2025 EA Award for EMEA, with Saudi Telecom Company the runner-up. These organizations demonstrate how enterprise architecture (EA) can be a strategic multiplier, enabling transformation, accelerating delivery, and embedding governance without slowing innovation.

Winner: Philip Morris International — EA As A Catalyst For Transformation

Philip Morris International (PMI) is undergoing one of the most ambitious transformations in its industry, shifting from a tobacco company to a science- and technology-driven leader in smoke-free products. Its EA team has become a strategic enabler of this change, embedding architecture into delivery, innovation, and governance across the enterprise. PMI empowered this transformation with a federated model comprising more than 200 architects in more than 30 domains worldwide.

PMI has transformed architecture into a strategic enabler of business agility. Over the last few years, the EA team has evolved from a governance function into a strategic delivery partner, aligning 85% of the portfolio with target landscapes and accelerating reuse of global platforms. This shift improved delivery speed and solution quality, with 80% of solution architects targeted for certification by year’s end.

Modular architecture unlocks faster market response and revenue growth. A domain architect led the decomposition of monolithic systems into nearly 100 modular products within the digital consumer experience platform. These reusable components, built on canonical data models and microservices, empowered teams to respond rapidly to market shifts and streamline transformation.

EA drives measurable cost savings and operational efficiency. Through the application impact maximization initiative, PMI decommissioned 300 applications in 2024 — 130% of its rationalization target — freeing up budget and reducing complexity across the IT estate.

Generative AI is being industrialized through EA-led governance and design. PMI’s EA team co-led the development of PMI’s genAI factory, delivering reusable AI components such as digital personas. These components aim to reduce development effort, accelerate time to value, and improve user satisfaction. The EA team also automated the software approval process, cutting review time from days to seconds.

Runner-Up: stc group — EA Driving Strategic Clarity And Digital Leadership

Saudi Arabia’s leading digital enabler, stc group, is executing a bold digital strategy through its DARE 2.0 framework, and its EA team is central to that journey. EA is embedded across planning and execution, enabling agility, cost optimization, and innovation at scale while delivering measurable business outcomes. Aligned with agile initiatives, stc group has transitioned from a centralized to a federated model, enhancing flexibility by allowing business groups to operate independently while sharing information across the organization. Some of the EA initiatives implemented by stc include:

Enterprisewide cost optimization through strategic rationalization and infrastructure modernization. stc’s EA team led a comprehensive application portfolio assessment that identified 44 consolidation opportunities, streamlining operations and reducing complexity. By transitioning 30% of new workloads to consumption-based hardware and migrating servers to lower-cost hypervisor solutions, the initiative delivered over $115 million in operational expense savings.

Data-driven architecture powering new revenue and improved customer experience. Under the NorthStar initiative, the EA team developed a scalable analytics ecosystem that increased Net Promoter Score℠ (NPS) by 20%, generated 2–3% net-new incremental revenue, and delivered 6x ROI. The architecture supported more than 860 million transactions and doubled self-service adoption.

Disaster recovery framework modernization that enhances resilience and compliance. The team brought 170 business-critical applications under a modern disaster recovery framework, conducting over 510 architecture assessments and 170 drills. This ensured business continuity and regulatory compliance across 16 departments.

EA-scaled innovation through generative AI and agile architecture. stc’s EA team introduced AI-powered root-cause analysis for RAN auto-healing, enabling real-time processing and proactive ticket resolution. Agile architecture practices supported initiatives such as its OSS Next Gen program and its journey to the cloud. Using an iterative approach, stc’s team developed over 100 advanced analytics use cases, continuously improving them based on feedback.

Join Us At Forrester’s Technology & Innovation Summit EMEA

Congratulations to both firms on their achievements! Their stories show how EA can be a strategic multiplier for transformation, innovation, and resilience. Want to learn more? Join us at Forrester’s Technology & Innovation Summit EMEA (October 8–10 in London and digitally) to hear directly from the winning organizations and explore how EA can drive business outcomes in your organization.

Forrester’s 2025 Enterprise Architecture Award Winner And Runner-Up For EMEA Read More »

The Long-Term Impact Of The $100,000 H-1B Fee? Higher IT Service Prices And More Offshore

On Friday, the Trump administration issued an executive order imposing a $100,000 fee on new H-1B visa applications. This directly impacts IT service providers’ practice of bringing offshore IT talent on H-1B visas to serve US companies. They aren’t the only ones impacted, though — it also challenges the similar talent model followed by tech giants such as Amazon, Google, Meta, and Microsoft. Even the US university system relies heavily on employees with H-1B visas.

For IT service providers, it directly impacts their operating models and might potentially impact margins. Large Indian IT service providers have traditionally been big users of H-1B visas, but over the last few years, they’ve reduced their H-1B visa workforce to well below 50% of their US-based workforce. They do so with local hiring, nearshore centers, and automation as fallbacks. The largest IT service providers could face a $500 million increase in annual fees, however, if they choose to maintain their existing staffing practices with H-1B visas. Midtier and smaller IT service providers would face disproportionate pressure from the H-1B fee due to their higher visa dependency relative to revenue. Also, their people-centric business models leave them with little maneuverability (see figure below).

If the $100K H-1B fee is enforced, technology leaders must prepare for three immediate consequences:

IT service delivery costs will go up. If providers are to maintain current visa-dependent staffing models, the $100K fee will significantly inflate costs, and most will respond by sharply curtailing new H-1B petitions, effectively removing a key talent channel. This reduction in foreign talent supply, combined with the Trump administration’s directive to the Department of Labor to raise prevailing wage thresholds, will drive up employee costs across the board. Buyers should expect a 2–3% increase in onsite billing rates for new contracts as providers pass through higher labor costs and restructure delivery models.

Delivery models will shift toward offshore execution. We predict increased offshoring, with Indian professionals and major IT vendors likely to intensify hiring and client support from India and other offshore countries, negatively affecting US-based delivery but potentially boosting India’s tech employment and offshore business. Technology leaders must inventory their project portfolio to see what can be effectively delivered entirely offshore — such as mainframe modernization or cloud migration — as well as actions like product development that require a global delivery model with significant staff in the same or similar time zone. Clients can also explore how to leverage their to mitigate this impact.

Complex projects and innovation will suffer. Indian IT service providers will struggle to staff specialized roles that require niche talent onsite in the US, especially for projects with high collaboration intensity. This constraint will also affect US-based tech firms, as reduced access to global expertise slows cross-border knowledge exchange. Over time, the rising cost and complexity of securing work visas may make the US less attractive for international talent, impacting its role in global innovation networks.

[Figure: Cost Of H-1B (2025 Numbers) As A Percentage Of Annual Revenue. Source: U.S. Citizenship and Immigration Services]

Over the next few months, we expect to see IT service providers:

Offer more remote shoring strategies. The new visa fee accelerates the shift away from the traditional offshore-onsite (global delivery) model to more remote-oriented models, such as nearshore or fully offshore models — especially for routine and commodity work. Onsite presence will shift toward senior architects, program managers, and client-facing leads, as opposed to entry-level roles. For the next few years, providers will keep most of their existing onsite base (since renewals are exempt), but the onsite part of the pyramid won’t replenish at the same rate. Instead of filing renewals and new petitions annually, they’ll now only add the new petitions that they can’t do without.

Reinforce investments in AI-powered delivery to raise productivity. Providers are already investing heavily in AI delivery platforms: These platforms automate swaths of the software delivery lifecycle, led by AI-powered analysis, coding, and testing. Already they’re using agents to shorten delivery times and lower overall costs by as much as 20–30%. This visa fee will create more urgency to scale up engineer-agent delivery pods to achieve the margin benefits and productivity throughput that enterprises need.

Continue the pivot to more value-aligned pricing strategies. On the managed services side, they’ll shift to more outcome-based or productivity-based contracts. Providers will look for more control over their resourcing model in lieu of price concessions. This will allow them to manage project delivery without having to worry about the costs of running managed services from onshore. Buyers will have to learn to manage project success through managing outcomes instead of through direct control over provider resources.

Even if we take a macro view, we come to the same conclusion: The US will spend close to $700 billion on tech consulting and outsourcing in 2026. If service providers file as many H-1Bs as they filed in 2025, we’re looking at a roughly $2 billion cost impact — a ~3% hit on their margins, which is significant. The industry may partially absorb it, but it’ll likely move away from using H-1Bs. It will achieve this by forcing the global delivery models to shift further from onshore toward offshore and nearshore operations.

Securing AI's M&A Feeding Frenzy Is On

The cybersecurity industry is in the middle of a land grab as AI security M&A heats up. In just 18 months, eight major vendors — including Check Point, Cisco, CrowdStrike, F5, and Palo Alto Networks — have spent upwards of $2.0 billion acquiring startups focused on securing enterprise AI. AI for security is already poised to disrupt the industry, but these acquisitions show that security for AI is every bit as important. While the individual deal sizes can’t match up to the larger deals we’ve seen throughout 2024 and 2025, such as the Wiz and CyberArk acquisitions, these tuck-ins show that cybersecurity M&A isn’t slowing down.

Why AI Security Is Suddenly A Board-Level Priority

Enterprise AI adoption has exploded. From customer-facing chatbots to internal coding copilots and autonomous agents, AI is now embedded in core business processes. But legacy security tools weren’t built for this — they don’t understand prompt injection, model tampering, or AI-specific data leakage. Security vendors saw the gap, and instead of building AI security capabilities from scratch, they bought them.

Who Bought What And Why

Here’s a snapshot of the deals that are reshaping the market:

Acquirer | Acquired company | Deal value | Strategic purpose
Palo Alto Networks | Protect AI | $650 million | Launch Prisma AI resilience
CrowdStrike | Pangea | $260 million | Extend Falcon with AI detection and response
Cisco | Robust Intelligence | ~$500 million (estimated) | AI model validation in security cloud
Check Point | Lakera | ~$300 million | Embed runtime guardrails for large language models and agents
F5 | CalypsoAI | $180 million | Add inference-layer defenses to app security suite
Cato Networks | Aim Security | $300–350 million | Integrate AI governance into SASE platform
SentinelOne | Prompt Security | ~$250 million | Monitor genAI use within XDR offering
Tenable | Apex Security | ~$105 million | Extend risk management platform to AI attack surfaces

For the acquirers: These AI security M&A deals are about more than technology. They’re a race to collect talent, reduce time to market, and maintain competitive positioning. Vendors needed innovative products, PhD-level experts, and signs of early traction with Fortune 500 customers. Most importantly: They wanted to avoid being the only major player without an AI security story.

For the acquired: The macroeconomic and geopolitical environment is volatile. Protectionist policies — in every region and country — make it tough to be an early-stage vendor that can’t build or staff to meet every country’s sovereignty requirements. Couple that with budget pressure for CISOs, and suddenly, exiting early and taking shelter within a well-capitalized mega-vendor seems like a pretty smart move.

What This Means For CISOs

The good news: AI security capabilities are coming to the platforms you already use. You won’t need to stitch together point solutions or build from scratch. You’ll get AI model scanning, prompt filtering, agent sandboxing, and AI-specific data loss prevention all integrated into your firewall, extended detection and response (XDR), or secure access service edge (SASE) suite.

The challenge: Integrations take time, so none of this will come to your favorite platform on day one, but these acquisitions should — not will, but should — be faster to integrate than some others. The acquired companies are smaller, have fewer products, and most are cloud-native platforms with comprehensive API capabilities. The platform story isn’t always unicorns and rainbows, though.

The longer view: Securing generative AI (genAI) is today’s problem, but agents are here, and agentic is just around the corner. I’ll be delivering a keynote with my colleague Jess Burn at Forrester’s Security & Risk Summit 2025 titled “The CISO Of The Agentic Future,” which explains how securing agents and agentic AI will change security programs. Come see us in Austin on November 5–7.

What To Do About It

Here’s what you’ll need to do — as these capabilities come to your existing solutions — to solve for these use cases:

Start with discovery and genAI’s detection surface. Nothing in security happens without visibility: You need to know where genAI exists across your technology estate. Understanding applications, users, models, and data, as well as how each intersects, is the starting point for your detection surface.

Build cross-team bridges. AI security isn’t just a CISO’s problem: You need to work with data scientists, developers, innovation teams, and compliance officers. Align policies for AI usage, model development, and acceptable inputs/outputs.

Revisit vendor contracts and roadmaps. Ask your vendors how they’re integrating their acquisitions. What features are available now? What’s coming next? Will AI security be bundled or sold separately? Push for clarity on service-level agreements, support, and pricing.

Don’t rely solely on technology. AI security tools help, but they’re not enough. You still need policies, training, and oversight. Update acceptable use and data confidentiality policies, educate employees on AI risks, and establish governance frameworks.

European Banks’ Total Experience Fails To Impress

Banks create value by first winning customers and then deepening those relationships through meaningful experiences that foster loyalty and retention. However, Forrester’s new Total Experience Score rankings — covering 60 banking brands across France, Germany, Italy, the Netherlands, Poland, Spain, Sweden, and the UK — reveal a concerning reality: Many European banks’ brand promises aren’t resonating, and customer experience remains stubbornly mediocre. So what’s falling short — and which banks are getting it right?

What Is Forrester’s Total Experience Score?

When companies consistently deliver experiences that align with their brand promise — for both customer and noncustomer segments — they create a unified and compelling total experience. That’s exactly what Forrester’s Total Experience Score captures. By combining our new Brand Experience Index (BX Index™) with our well-established Global Customer Experience Index (CX Index™), this composite metric indicates brands’ ability to acquire new customers and serve existing ones, and how brand and customer experiences work together to shape perception. The Total Experience Score reflects the perceptions formed by customers and noncustomers through their interactions with a brand.

The Big Picture: Few Banks Truly Stand Out

When we mapped the performance of 60 European banking brands across Forrester’s Total Experience Growth Grid — segmented into four quadrants: leading, plateauing, churning, and lagging — only 19 earned the “leading” distinction. The top-performing brand was the UK-based Nationwide Building Society, with a score of 62.7, while the French bank Société Générale landed at the bottom with 40.7. Here are some key insights:

Total Experience leaders consistently outperform peers on both BX and CX. Brands such as ING (Germany, Spain, Poland), ASN Bank (Netherlands), Handelsbanken (Sweden), Nationwide Building Society (UK), Crédit Mutuel (France), and Banca Mediolanum (Italy) consistently outperform peers on both BX and CX. This demonstrates the strong connection between brand and CX. A prospect’s perception of a brand — shaped by marketing, media, and peer reviews — influences whether they trust it to meet their needs. Once they become customers, their lived experience with the company reshapes that brand perception, either reinforcing or eroding it. This BX/CX duality drives loyalty, as strong brand equity attracts customers while great CX retains them. When trust is established, it can even buffer the impact of occasional missteps, helping brands maintain long-term relationships.

European banking brands face a persistent challenge: a wide perception gap between customers and noncustomers. In 2025, 18 banking brands scored more than twice as high with customers as with noncustomers on total experience, highlighting a disconnect between brand promise and broader market perception. For example, Le Crédit Lyonnais (LCL) in France showed a staggering 36.4-point gap. This disparity makes it difficult for banks to attract new customers, as noncustomers often don’t buy into the brand promise. Forrester’s BX Index™ reveals that while customers tend to view banks more favorably — thanks to direct experience — noncustomers remain skeptical, especially in markets like France and the Netherlands where BX gaps are widest. In the Netherlands and Sweden, only 6% of noncustomers consider any bank top-of-mind when seeking a new provider. However, there’s a silver lining. Brand perceptions often improve once individuals become customers, underscoring the importance of delivering on brand promises early and consistently to drive acquisition and retention.

Customer experience is improving, but remains only “OK” on average. Forrester’s CX Index measures how well a brand’s customer experience strengthens the loyalty of its customers. In European banking, we’re seeing modest improvements. Four countries — France, Netherlands, Spain, and Sweden — saw average gains of roughly two points, Italy saw a smaller increase of 0.5 points, and CX scores remained flat in three countries — Germany, Poland, and the UK. Despite these incremental gains, the overall picture remains lackluster. On average, only British and Polish banks deliver “good” CX, while most other countries hover at an “OK” level. Notably, Swedish banks are falling behind, offering “poor” CX. Banks are making progress on ease and effectiveness, but emotion — the most powerful driver of customer loyalty — remains the weakest link. Many banks struggle to evoke positive feelings such as confidence, respect, or contentment. In markets like Sweden and Germany, several brands are in an “emotional deficit,” generating more negative than positive emotions.

European Banks Must Raise The Bar

The good news? The roadmap is clear. Improving both brand experience and customer experience starts with focusing on what matters most to customers — and ensuring that banks not only make compelling promises but consistently deliver on them. For a deeper dive into the European Banking Total Experience results — including each brand’s Total Experience, BX, and CX scores; the drivers of BX and CX; the key components of brand experience; and the emotions that drive loyalty the most — check out our country-specific reports or connect with us through a guidance session. Not a Forrester client yet? Reach out to our sales team to learn how we can support your strategic goals.

BoxWorks 2025: AI And Automation Take Center Stage

BoxWorks 2025 brought together Box customers and partners in San Francisco this past September 11–12 with key announcements that underscore Box’s commitment to AI and its power to transform unstructured data … i.e., content. Box’s vision has been consistent for years: one source of truth with unified, secure content storage. Box is now layering an AI foundation into its core content platform. The company does not view AI as just an add-on to an existing content management system but envisions it as an integral part of a core offering, available to all clients. This foundation includes model flexibility, optical character recognition (OCR), secure retrieval-augmented generation, vector embeddings, markdown conversion, and support for multiple file types.

Top Announcements

Box Automate: Box Automate (expected beta in early 2026) is a new AI agent-based workflow tool that will allow humans and agents to work together. Automate has an intuitive interface and provides a range of building blocks to build workflows, identify outcomes, use sophisticated conditional branching, and orchestrate actions across both agentic and nonagentic workflows. It integrates with existing Box capabilities such as document generation and e-signature and can extend into third-party applications via APIs. While Box has had its Box Relay routing/task management tool for several years, it has lacked a more robust workflow engine. Box Automate will help fill this feature gap. While Automate will coexist with Relay for some time, expect that Box Automate will be the future path for workflow within Box.

Box Extract: Box Extract extends Box’s intelligent document processing (IDP) capabilities, allowing users to build and manage end-to-end data extraction processes. Extract is designed for the power users who would operate extraction workflows (i.e., for legal teams, finance, or operations). It brings advanced OCR (such as handwriting detection and table extraction), performs calculations, identifies and extracts metadata and taxonomy information, and provides confidence scoring. Extract also provides a document graph to help understand entities and parties in large, complex documents. Box Extract is built by the team from Alphamoon, the IDP provider acquired by Box in 2024. Extract Agents and APIs are available now, with the full Box Extract management console expected to be released in beta this November.

Enhancements to Box Apps: Box Apps (a no-code metadata and app design tool launched in early 2025) will be enhanced with natural language queries available on app metadata views and more data visualization. AI agents will also now be available in Box Apps. The agents could be Box-provided agents (such as Q&A, Compose, Extract, Search, and Research) or custom-built agents using Box Extract or Box AI Studio. Apps will also be embeddable in other applications such as Salesforce. Expect these new capabilities to be generally available over the next few quarters.

Box Shield Pro: Box Shield Pro is a new add-on module for Box Shield customers that will bring enhanced threat analysis, ransomware detection, and AI classification. The threat analysis capabilities will provide security teams with summaries and analysis to provide more insights and help them focus on threats. The ransomware detection protects information beyond Box, helping protect end users’ endpoints by detecting file activities that could signal an attack. Anomaly detection from these endpoints can prompt an admin to act: terminate a session, lock users out of a device, and identify the files that have been affected. AI-based classification can inspect content, using context to define sensitivity and going well beyond rule-based approaches that rely on keywords or text strings. This AI-based approach can look at nuances and take the overall meaning of a document into account, not relying on just rules and policies. It also understands context based on the author and who the document is shared with. Classification labels are automatically applied, along with options for watermarking. This classification agent can also look at older managed documents, not just net-new ones added to Box. Box Shield Pro is expected to be generally available in 2025.

What It Means For Box Customers

Access to approachable AI optimized for enterprise content: Box has always invested in intuitive user interfaces and makes usability and simplicity priorities. This extends to its AI evolution, as well. Box customers have an opportunity to put a range of AI and AI agent capabilities into the hands of their end users, providing them with confidence that their information will remain secure, governed, and used appropriately. Box customers should look at their licensing tier to understand exactly what they’ll get as these new capabilities roll out and determine if it makes sense to look at more comprehensive licensing to get the full swath of AI innovation, rather than trying to build it themselves.

Reintroducing A Classic: The S&R Executive Spotlight

As the world moves forward, some things really should stay behind — like ’80s shoulder pads, popcorn ceilings, and fondue fountains at weddings. Other things are classics, however, and beg to be brought back. One such example is old research I led way back in 2011, which generated significant interest from — and value for — our clients. As my recently formed international security and risk research team ramped up, we agreed to revive it. It is with a lot of excitement that I’d like to introduce the Executive Spotlight: Top Priorities For APAC And EMEA Security And Risk Leaders, H1 2025.

In this research, we identify the top priorities that matter to our clients in APAC and EMEA, based on hundreds of requests for guidance from our security and risk (S&R) Forrester Decisions clients in the first half of 2025 (see the figure below). Not only does this help us fine-tune our future research agenda and activities, but our clients are always interested in what their peers are doing with the view to validating or improving their own priorities, shaping their cybersecurity strategies, and learning from others. In my career, I’ve learned to never underestimate the power of taking the time to share and learn from others. In this blog, I will share with you some key insights:

AI security tops the priority charts, followed by governance and human-centered priorities. It comes as no surprise that across APAC and EMEA, AI has topped the list of priorities, followed by governance, risk, and compliance (GRC); human risk management; third-party risk management; and quantum security. Leaning into the governance and human-centered elements of a security program helps to shape a more holistic approach that’s focused on oversight, governance, people, process, and technology.

APAC clients diverged slightly, with a unique focus on quantum security. Quantum security was the third top requested guidance topic in APAC. The interest is unsurprising with China leading in quantum-secure communications, operationalizing national-scale quantum networks like satellite-based “unhackable” links. Furthermore, many other APAC governments are investing heavily in quantum capabilities, while setting regulatory expectations for quantum-safe practices. In parallel, threat actors in the region are intensifying “harvest now, decrypt later” tactics.

We uncovered notable absences from the priority hit list. Globally, Forrester’s S&R clients are getting involved in programs like AI ethics and governance; however, this hasn’t yet trickled down to our APAC and EMEA S&R leaders. With regulatory pressure mounting — as well as the need to align security to the rest of the AI risk management strategy — S&R leaders must become more involved. We were also surprised that enhancing security operations capabilities wasn’t top on the hit list.

My team and I are relentlessly committed to our clients, our research, and each other. With our global S&R colleagues, we look forward to serving you in the above capacities. Forrester’s APAC and EMEA S&R clients who have questions about risk-, security-, or privacy-related topics can connect via inquiry or guidance session to our experts: Jinan Budge, Paul McKay, Tope Olufon, Madelein van der Hout, Enza Iannopollo, and Meng Liu.
