
What the Gartner CPS Magic Quadrant Doesn’t Measure

Every year, the Gartner Magic Quadrant shapes purchasing decisions across the security industry. Buyers use it as a shortcut. Vendors use it as a badge. And for the most part, it does what it says: it tells you who the major players are, who has the broadest feature set, and who analysts believe has the strongest market position and vision.

The 2026 Magic Quadrant for Cyber-Physical Systems Protection Platforms just dropped. The Leaders are the names you would expect — established vendors with strong asset discovery, industrial protocol support, and detection capabilities. They deserve their recognition. But if you are using this report to make a buying decision, there is a question it does not answer.

 

What the MQ Actually Measures

 

Gartner evaluates vendors on two axes: ability to execute and completeness of vision. In practice, for the CPS space, that means things like: How many protocols do they support? How broad is their asset inventory? How strong is their detection and analytics? What is their market presence and customer base?

These are legitimate questions. Visibility is foundational. You cannot protect what you cannot see. Asset inventory in OT environments is genuinely hard — hundreds of device types, legacy protocols, systems that have not been touched in fifteen years. The vendors that do this well have earned their position.

But here is what does not appear anywhere in that evaluation framework:

When an attacker touches your network, does the platform enforce inline, or does it only alert?

 

The Test Nobody Runs

 

There is a meaningful difference between a platform that sees an attacker and one that stops them. Detection tells you something happened. Enforcement changes what happens next.

Most of the platforms recognized in the CPS MQ are, at their core, visibility and detection tools. They monitor traffic, build asset inventories, identify anomalies, and generate alerts. Some integrate with downstream enforcement tools — firewalls, switches — to take action. That integration chain works, until it does not. Until the SIEM is overwhelmed. Until the playbook is not configured for this specific scenario. Until a human needs to approve the response.

In an OT environment, that lag is not an inconvenience. It is the window the attacker needs.

 

Asset Management Is Not Enough. Enforcement Is Not Enough Either.

 

The honest answer is that you need both — and you need them on the same platform, without orchestration in the middle.

Asset management tells you what is on the network, what it is doing, and what normal looks like. That is the foundation. But the moment something abnormal happens, you need a system that acts — not one that tells you to act.

Ask your current vendor this question: “If a device that has never been seen before connects to my OT network right now, what happens in the next five seconds — automatically, without a human in the loop?”

If the answer involves alerts, dashboards, or playbooks that need to be triggered, you have a detection tool. That is useful. It is not sufficient.

 

How to Use the Gartner MQ Correctly

 

Do not throw the MQ out. Use it for what it is good at: identifying which vendors have broad visibility, deep protocol support, and strong asset inventory capabilities. Those things matter.

Then ask a second set of questions that the MQ does not answer:

  • Does enforcement happen inline, at the wire — or out-of-band, through policy?
  • What happens if the orchestration layer is unreachable?
  • Is blocking automatic at first detection, or does it require downstream tool integration?
  • Can the platform act on an attacker who never touches a decoy or trips a known signature?

 

The MQ tells you who can see. You still need to ask who can stop.

PacketViper does both. Asset management that builds a real-time picture of everything on the network — and enforcement that acts at the wire, automatically, without waiting for orchestration. Not because the MQ requires it. Because stopping an attacker in five seconds is a different problem than detecting one in five minutes.
