Apptega, a platform for security, compliance, and risk management, has released its 2025 State of Continuous Compliance Report. The findings indicate a maturing yet competitive market where 87% of security providers now offer compliance services, primarily through consultative and advisory work. However, providers offering compliance as a managed service demonstrate higher recurring revenue generation.

The report highlights that 44% of managed compliance providers surveyed report at least a quarter of their compliance revenue as recurring, in contrast to just 28% of consulting-first firms. Despite this, challenges persist, with 31% of providers reporting average or lower ability to differentiate their services. One in three firms struggle to consistently demonstrate value and ROI, which can limit cross-sell potential and long-term client engagement. Only one-in-four providers met their recurring revenue targets in 2024.

Rahul Bakshi, chief product officer at Apptega, noted that while demand for compliance is increasing, many providers have not yet established scalable delivery models, sustainable recurring revenue, or the market positioning required to fully capitalize on compliance as a growth driver. The 2024 report had indicated 70% provider optimism for double-digit annual recurring revenue (ARR) growth, but 2025 data suggests economic pressures may have shifted buyers towards short-term or project-based services, impacting recurring revenue.

Leading providers, according to the 2025 report, combine strong compliance offerings with automation, streamlined managed service delivery, and the ability to link compliance to broader security and business outcomes. While there is a trend towards automation, with more providers utilizing GRC and compliance automation platforms, spreadsheet use also increased, indicating an ongoing transition from ad-hoc processes to scalable systems.

Additional key findings from the 2025 State of Continuous Compliance Report include: 90% of providers report challenges with differentiation in a crowded market; 87% prioritize automation, though manual workflows remain common; 66% primarily use a GRC or compliance automation platform, while 16% still rely on spreadsheets as their main tool, with secondary spreadsheet usage up 50% year-over-year. Providers with stronger perceived differentiation tend to use GRC/compliance automation platforms or custom-built solutions.

Dave Colesante, CEO at Apptega, stated that client demand for continuous compliance, improved risk management, and greater visibility into security maturity is rising, alongside pressure for providers to generate scalable, recurring revenue. He emphasized that delivering a clear, actionable roadmap requires an end-to-end solution, which spreadsheets and disconnected tools cannot adequately provide. Bakshi concluded that operationalizing compliance as a continuous process, closely integrated with security, yields the greatest recurring revenue success for security providers.

The 2025 State of Continuous Compliance Report is based on a survey conducted from February to April of 2025, involving over 150 practice leaders and senior operators from security service providers. Apptega is a cybersecurity compliance platform used by security-focused IT providers and in-house teams to manage cybersecurity compliance programs.