

Find out in this report how the two Continuous Controls Monitoring solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI.
It delivers strong ROI as an enterprise-wide GRC platform with value realized through automation, reduced compliance effort, improved visibility, and efficient auditing.
I definitely saw a return on investment; there was a lesser number of audit headcount required, which saved us money and time on audits.
There is a measurable return on investment since we have reduced the time for Risk and Control Assessment from three to four months to approximately 30 to 40 days, which lowers costs significantly.
There was a specific issue that our other security tooling did not pick up, but XM Cyber did.
It's reduced the timescale to remediate vulnerabilities that are identified as representing a high risk.
Additionally, when needed, they help set up additional training to walk us through demos of each module to help us make the best use of MetricStream for our organization's needs.
We had to engage with senior management from time to time, but they were responsive and quick in working through our issues.
Customer support was very quick to respond anytime I needed assistance.
The customer support is fantastic; it's probably some of the best we've received across all our security vendors.
Customer support for XM Cyber is good, responsive, and it follows up on issues.
It is an enterprise-grade platform designed to support large global organizations with thousands of users, handling high volumes of risk controls, audits, issues, and assessments.
The biggest issue I have encountered with clients has been around upgrades that require re-implementing customizations to the out-of-box solutions after significant upgrades.
MetricStream demonstrates strong scalability by supporting enterprise compliance programs with large volumes of regulatory requirements, controls, assessments, evidence records, and user activity.
Its scalability is great; it's easy to deploy and fully scalable.
We have not experienced any issues with scalability or reached its limits.
MetricStream performs well in managing large volumes of data.
MetricStream is stable, but if there is an issue, it will be complicated to resolve with the support team.
MetricStream's stability is very powerful, and it can handle a lot of tasks effectively.
We have quite a complex and large IT estate, and we've certainly experienced no limitations or problems arising from the ability of XM Cyber's product to scale across that estate.
Low-code or no-code enhancements and easier integration with enterprise systems such as SharePoint, ServiceNow, SAP, or Azure DevOps could reduce implementation effort and operational time.
We desire a product that does not require development teams for customization but enables users to make configurations or adjustments with little effort.
The support quality needs significant improvement.
We push the boundaries with digital twins; I understand XM Cyber uses a similar concept of graph databases to map environments.
They could improve support because when we need to create a super case and escalate to resolve with technical support, they resolve our ticket in approximately two weeks.
The part that can be improved is the mobile exposure and the IBM i specific equipment.
MetricStream is a bit costly.
In terms of pricing, setup cost, and licensing for MetricStream, we did run into issues with insufficient licensing, but the ability to acquire new licenses was relatively quick and effortless.
My experience with the pricing, setup cost, and licensing was that it was reasonable.
We have a large, complicated estate, and in the licensing discussions, we were keen not to have the cost balloon because of the complication, the number of PCs and servers that we have.
We have had the ability to essentially write SQL code that allows us to develop a report in real time that gives us insight into various different KPIs or KRIs leveraged across the organization.
Control and compliance mapping was one of the most powerful features for NERC compliance as we can map NERC standards and requirements directly to controls, risks, evidence, and corrective actions, creating end-to-end traceability.
The best features that MetricStream offers for the automation of audits include the alerting system and the ability to attach evidence.
Our loss exposure amount has reduced significantly, leading to two big wins: our loss exposure amount has gone down, and we have direct savings from focusing our team's time on what's important, allowing them to work on other business benefits and generate value for the company.
By far, the best feature of XM Cyber is being able to map out the way vulnerabilities can be exploited based on what they call the choke points in the network where the path that a bad actor would take comes closest to assets within our environment that are most vulnerable but also most valuable.
XM Cyber allows us to quantify the risk, and we are able to track remediation, so we can quantify the risk at an executive level and also to a technical IT team.
| Product | Mindshare (%) |
|---|---|
| MetricStream | 7.4% |
| XM Cyber | 2.7% |
| Other | 89.9% |

| Company Size | Count |
|---|---|
| Small Business | 5 |
| Midsize Enterprise | 2 |
| Large Enterprise | 4 |
MetricStream is a cloud-based platform providing robust audit, compliance, and risk management tools. Users enjoy features like mobile interfaces and centralized risk libraries, though some report interface flow issues and technical support challenges.
MetricStream stands out for its audit, risk, and compliance capabilities, delivering customizable and standardized risk management across departments. Its comprehensive dashboards and reporting tools streamline compliance processes, reducing planning time and breaking down silos. Though described as a pricier option, it efficiently integrates risk elements and supports users with mobile interfaces and cloud availability. Areas for improvement include enhancing security integration, improving interface flow, and boosting support services, particularly from India.
What features does MetricStream offer?System integrators utilize MetricStream in audit and risk management, focusing on template preparation and UI testing. They assemble components like Lego pieces, but face challenges with larger solutions requiring developer participation for code alterations. Initial implementation is often delayed by India-based technical support, impacting operations. Enterprise and Operations Risk Management are commonly employed with MetricStream, highlighting its industry relevance.
XM Cyber quantifies risk for different organizational levels, enhances patching by targeting choke points, and offers precise attack simulations, optimizing management time and vulnerability resolutions.
XM Cyber empowers organizations to identify significant risks by focusing on choke points and improving patching strategies. The platform excels in providing reliable and precise simulations, informing users about critical vulnerabilities without false positives. It enhances vulnerability management and internal reconnaissance, reducing loss exposure while supporting attack surface management. Users seek improved mobile exposure capabilities and IBM i specific solutions along with better visualization and AI integration.
What are the key features of XM Cyber?XM Cyber is deployed to manage risks in internet-exposed assets and hybrid cloud environments. Its implementation allows organizations to optimize IT resources by identifying vulnerabilities in critical attack paths, thus enhancing efficiency and supporting robust security strategies across industries.
We monitor all Continuous Controls Monitoring reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.