And most people using them for market research haven’t noticed yet.

Let’s say you’re researching Vulnerability Management solutions. You open ChatGPT or Claude and type: “What are the best Vulnerability Management solutions?”, the same way you would have started a Google search three years ago.

Very likely, you get a confident, well-structured answer recommending Tenable, Qualys, Rapid7, and a few others. It makes sense, right? Those are the known “leaders” in the space. Common knowledge.

But have you ever checked what sources the LLM is actually using to give you that answer?

I did. I ran that kind of question across ChatGPT, Claude, and a couple of others, covering 15+ cybersecurity categories. And here’s the short version: if you thought industry analysts were biased — and many do — LLMs are clearly even more so.

The Importance of Knowing Your Sources

I’ve been always interested in knowing the sources behind any research or statistics I read. So, I set up both ChatGPT and Claude, at the end of every interaction I have with them, what sources they drew on. That instruction is baked into my custom settings for both tools:

What comes back looks something like this: a list of URLs, report titles, and vendor pages that the LLM uses – either directly or indirectly – to construct its answer. That source list is what I always pay attention to understand the quality of the LLMs outputs.

For instance, these were the sources the first time I asked ChatGPT about Vulnerability Management solutions:

Once you start reading those sources, it’s hard to unsee what’s happening.

What LLMs Actually Use When You Ask About Cybersecurity Solutions

Across 15+ cybersecurity sectors — IoT Security, Vulnerability Management, WAF/WAAP, SIEM/XDR, ASM/Exposure Management, Zero Trust, SSE, PAM, NDR, Email Security, Firewall/Network Security, Backup/Data Protection, and Endpoint Protection/EDR and others — the pattern is very consistent. In almost every case, the LLM’s answer used three types of sources:

1. Industry Analyst Reports (primarily Gartner and Forrester)

2. Articles written by Vendors themselves

3. US-based media and publications

Even the categories that I have noticed were relying less on analyst reports (like Backup/Data Security and Firewall/Network Security) still included Gartner or Forrester indirectly, through articles citing their Magic Quadrant or Wave reports.

For instance, this is the output of one of the times I checked for Backup & Data Security:

Curious what would be the answers beyond core cybersecurity, I also checked the responses for the Identity Verification market or the emerging AI SOC term. That’s where things got even more revealing.

For AI SOC, a space where there is no Gartner MQ or Forrester Wave yet, I ran the same question five times across both Claude and ChatGPT. Every single time, 100% of the cited sources were vendor-authored content. No independent analysis. No practitioner perspectives. Just vendors describing themselves.

How Closely Do LLMs Mirror Gartner and Forrester?

I compared the LLM-recommended solutions in each category against the current Magic Quadrant and Wave Leaders lists. The correlation was always very high. In the majority of categories I tested, the LLM recommendations were either an exact match or near-exact match with the analyst “Leaders” tier.

In the cases of very high similarity, we’re talking about a complete 1:1 match. Same vendors, same order of emphasis.

Think about what that means. When someone asks an LLM which security product to buy, they’re not getting independent research or some Artificial Intelligence esoteric knowledge. They’re getting Gartner’s Magic Quadrant, repackaged as a chat response.

This Isn’t Market Research. It’s an Optimization Game.

Going through the results in more detail shows that, at least when it comes to Cybersecurity, this cannot even be called “market research”. It’s just an Optimization game – SEO, AEO, GEO or whatever you want to call it.

In every category I checked, the number of sources that were the own vendor’s blogs or product documentation was always more than 50 %, and in some cases, like the AI SOC example I gave above, it was 100 %.

This shows that using LLMs to perform market research is heavily influenced by how optimized the websites are.

This is a self-fulfilling prophecy machine. The biggest brands call themselves the best, LLMs confirm it, buyers believe it.

Smaller vendors — especially those that don’t yet have analyst coverage or haven’t invested heavily in English-language content — are simply invisible in this model. Not because their solutions are worse. Because their websites aren’t optimized.

The Geographical Bias

More than 90% of the sources cited across all my LLM runs were from the United States.

That’s not entirely surprising when you consider the compounding factors: US vendors dominate revenue and visibility; Gartner and Forrester are US-headquartered; and the leading English-language cybersecurity media is overwhelmingly American. By the time all of those layers stack up, there’s very little room left for any other geography.

And this doesn’t happen only with US-based chatbots like ChatGPT or Claude.

I also tested Mistral Le Chat — the French alternative — to see whether an European LLM would produce different results. It didn’t.

If anything, Mistral leaned even more heavily on Gartner and Forrester, explicitly citing their reports as primary sources (its own knowledge) in almost every run. It also regularly surfaced analyst content from 2024, meaning not even the most recent analyst opinions were being factored in.

If you’re evaluating security vendors in Europe or another region, the model you’re relying on for research was trained almost entirely on American market narratives.

What all of this means?

For decades, Gartner and Forrester reports have been the main source of many cybersecurity buyers to select and evaluate potential vendors. A lot of practitioners always pushed back on that, arguing the reports are biased, pay-to-play, or US-centric, and even celebrated where their shares started to go down during the past years.

There might be some level of truth in those criticisms. Some expected AI to fix that. It hasn’t.

Instead, the LLMs that were meant to democratize information access have simply inherited and amplified the same biases. Analyst reports, vendor content, and US-centric media are still the dominant inputs. The interface might have changed, but the underlying sources didn’t.

Analysts aren’t going anywhere, and this research shows it. Without more rigorous, independent sources in the training mix, LLM-based “research” in cybersecurity will just keep recycling the same marketing narratives.

Gartner and Forrester, whatever their flaws, at least gather direct practitioner feedback. That’s something the average vendor blog doesn’t do.

The next time you ask ChatGPT or Claude to help you choose a cybersecurity product, remember: the answer you’re seeing is not independent analysis. It’s the result of analyst reports, vendor articles, SEO/AEO/GEO and geographical influence. Just re-packaged in another way.

While those insights might be valuable, they are then biased and don’t reflect the realities that practitioners from other regions experience. We all know that Europe is not North America, with different constraints, priorities, and more restrictive regulatory environments.

This is the reason I decided to launch BridgerWise Research: to produce grounded, experience-driven research that considers the local realities outside the US, starting with Europe.

The goal is to generate insights that help practitioners benchmark themselves with the right peers, and help the cybersecurity community to better understand what’s really happening on the ground, without needing to follow recycled narratives from other parts of the world.

Our first publication — AI in the SOC: European Practitioner Survey 2026 — is a first step in that direction. It’s based on responses from over 50 validated European Security Operations professionals.

That number may seem modest, but it’s actually more representative of European operational realities than many “global” reports where Europe accounts for a very small fraction of the overall sample.

For instance, one recent "industry report covering AI in Security Operations I reviewed, which was one of the final motivations to launch BridgerWise Research, surveyed 282 respondents, with 85% based in North America and only 13% across all of EMEA. When you do the math, that sample is smaller than ours.

When findings from those datasets are presented as universal truths, it’s worth asking: universal for whom?

Let’s get into what our data actually says.

The Narrative Everyone Repeats and Why It’s Incomplete

If there’s one phrase that dominates SOC discussions today, it’s alert fatigue. The story goes: SOC teams are drowning in alerts, analysts are burned out, and everything flows from that single chokepoint.

Our data tells there are more layers to that storyline.

Alert volume is real, but it’s not the primary problem European SOCs are concerned about. When we asked regional practitioners to rank their top operational challenges, high alert volume and fatigue came in fourth, cited by 28% of respondents. That’s meaningful, but it’s far from the defining issue the dominant narrative would suggest.

What ranked above it? Tool fragmentation and context switching came first. Too many false positives came second. Insufficient automation came third.

This is quite a different situation that we read everywhere. The problem isn’t just the number of alerts - it is the workflow required to deal with them.

Analysts are changing tools and contexts all the time in order to investigate alerts and respond to incidents. They are switching between the SIEM and its query languages, the SOAR, EDR, Cloud and Identity platforms, threat intelligence platforms and ticketing systems for their investigations.

That inefficient constant switch of context increases investigation time, reduces analyst focus, and makes it difficult to scale operations without adding headcount and specialization.

One respondent put it plainly: “Everyone is talking about reducing alerts (fatigue), but with AI we should be able to turn up the noise, while the SOC evolves into a more strategic role.”

Other research positions this primarily as an overload problem; our European data suggests the why is different. It’s not that analysts can’t keep up with the quantity, it’s that the workflows don’t scale.

What SOC Teams Actually Want AI to Solve

When we asked practitioners where AI would deliver the most value, the answers were remarkably consistent: automated alert triage and prioritization (64%), investigation assistance and root-cause analysis (54%), and playbook automation and response orchestration (44%).

These are not aspirational use cases. They map directly onto the pain points teams are already experiencing: reduce the time spent on out-of-the-box and low-quality detections, automate the repetitive Tier-1 work, speed up investigations when context switching is the bottleneck.

Despite the growing interest, AI adoption remains uneven. Around 24 % of respondents report using AI-driven alert triage today, yet many of those teams still struggle with false positives and operational overhead.

Even teams that have deployed SOAR-driven automated playbooks are just as likely to report insufficient automation as a challenge as those without a SOAR at all.

The scope of the automation and AI usage is very important, considering the vast majority of the respondents don’t have dedicated threat hunters that can do unstructured investigations to find hidden threats.

AI is a technology that SOCs want to adopt. They are just not sure yet where.

There are also meaningful differences between enterprise SOCs and MSSPs. Enterprise teams are more focused on detection engineering, investigation assistance, and rule tuning. MSSPs are prioritizing scalable workflows, report and ticket generation, and false-positive reduction. This makes sense given their need to manage multiple client environments efficiently. These aren’t just preferences; they reflect fundamentally different operational pressures.

The Dimension Most Reports Miss: Regulation

Here’s where the European context becomes genuinely differentiating, and where a U.S.-focused research lens consistently falls short.

Regulatory requirements are not a side topic for European SOCs. They are a core operational constraint.

Frameworks like NIS2, DORA and the AI Act have a real impact on Security Operations processes and workflows, and this shapes how they think about AI adoption.

When we asked practitioners which compliance challenges concern them most when deploying AI in the SOC, the answers were clear and consistent:

• Explainability and auditability of AI decisions: cited by 2 out of 3 respondents as a top concern. For enterprise SOCs, this number climbs to 73%.

• Liability for automated actions: highlighted by roughly half of all respondents.

• Data residency and sovereignty: the primary challenge for MSSPs, cited by more than half of MSSP respondents, reflecting the cross-border complexity of managing multiple client environments. With many AI SOC tools being available only in the cloud, they need to find other alternatives.

• Third-party and supply chain risk from AI vendors: flagged by around half of both enterprises and MSSPs.

It is worth noting that the survey gave participants the option to select that they have no compliance concerns and feel well-prepared. Not a single respondent chose that option.

One practitioner captured the operational reality precisely: “EU regulations like NIS2 and DORA drive my SOC strategy by mandating ultra-fast incident reporting (e.g., DORA’s 4-hour initial alerts vs. NIS2’s 24 hours) and rigorous third-party risk management, forcing automated detection, real-time logging, and supply chain audits as core priorities. The AI Act further requires explainable AI triage for high-risk detections to ensure compliance during automated Tier-1 handling.”

This creates a dynamic that rarely shows up in North American research: European regulation plays a dual role in AI adoption. For MSSPs, stricter reporting requirements and the operational pressure to scale without headcount are actively accelerating AI adoption, with more than 40% of MSSP respondents citing EU regulations as a driver. At the same time, 1 in 4 respondents points to regulatory uncertainty (particularly around the AI Act and AI governance frameworks) as a barrier that is slowing or preventing AI deployment. The same regulatory environment both pushes and constrains.

This is a real and significant challenge that is usually not reflected in any research built primarily from a North American sample.

A Different Picture of Where SOCs Are Headed

The broader pattern that emerges from the data is this: AI adoption in European security operations is being driven by a need to make operations more efficient and scalable, not by technological enthusiasm.

Security teams are not looking for a particular tool, but for incremental friction reduction. Platforms that can remove the need to switch context, reduce the noise from false positives, and allow Tier-1 work to be more effective without proportionally increasing headcount.

AI is emerging and it is expected to become a layer that makes those processes more manageable.

There’s a benefit that the data hints at and I think it deserves attention: proactive threat hunting. Today, less than one third of European SOC teams have dedicated threat hunters, and in enterprise environments, that number drops to 18%. In most cases, hunting is an activity shared among analysts who are already stretched thin across other responsibilities.

Roughly one in four organizations plans to shift toward more proactive threat hunting in the next 12-24 months, but capacity is a bottleneck for them. The teams are fully absorbed by other tasks, and simply don’t have the operational headroom to hunt proactively.

This is where the AI investment story becomes more interesting than it first appears. If AI-driven triage genuinely reduces the manual burden on analysts (fewer context switches, less time on low-quality alerts, faster investigations) it doesn’t just improve the metrics SOC teams already track. It frees up the time and cognitive bandwidth to move from reactive alert handling toward proactive detection. Threat hunting, detection engineering, security analytics - these are the capabilities that make a SOC genuinely harder for adversaries to operate against. Right now, they’re aspirational for most teams. As automation is maturing, they can become achievable.

And at the same time, those teams are increasingly operating under regulatory frameworks that require any AI introduced into the SOC to be explainable, auditable, and defensible. That’s a very different design constraint than what North American vendors are typically building toward.

Looking ahead, 82% of respondents expect AI usage in their SOC to increase over the next 12 months, with 32% expecting a significant increase. But the path forward looks more like gradual embedding into core workflows than a complete transformation. Fully autonomous operations remain rare. Trust, accountability, and integration complexity are still real barriers. The SOC is entering a new phase, but it’s doing so carefully.

Final Thoughts

The above are just a few findings from our research. The full report covers more topics that are worth reviewing for SOC leaders and practitioners.

If I had to choose one way to describe the theme we uncovered, it would be this: the future of the SOC in Europe is not blocked by alert volume or fatigue. It’s limited by operational design and regulatory complexity.

European security teams are dealing with fragmented tooling, inefficient workflows, high false positive rates, and a compliance environment that adds meaningful governance requirements to every AI decision. That combination is specific and real. And it’s largely invisible in research produced from a predominantly North American lens.

That’s the problem BridgerWise Research was built to address.

As I’ve said, these are just some data points from our first report. There’s a lot more to explore, with a different, grounded, local perspective, and that is our goal.

I invite you to check the full report and I’d genuinely like to hear what resonates with you, and what you’d want to see explored next.

Because if there’s one thing this research confirmed, it’s that we need more European voices in the data.

The job is no longer just about detecting and mitigating threats or responding to incidents. It’s also about proving you did it, on time, with evidence that can withstand regulatory scrutiny.

European regulation is transforming SOCs from pure detection-and-response teams into evidence-producing operational control functions with formalised governance, strict reporting deadlines, and much tighter oversight of third-party dependencies and AI-assisted tooling.

In this article, we’re going to review the regulations that are driving this shift (NIS2, DORA, and the AI Act) and, more importantly, what they mean in practice for SOC architecture, workflows, staffing, and metrics. Whether you’re a CISO defining security strategy, a SOC manager designing playbooks, or an analyst on the front line, this piece is for you.

The Regulatory Landscape: What SOCs Need to Know

Before we discuss operational impacts, let’s get aligned on the three key regulations. They are all active or becoming active right now, and each one touches SOC operations in different ways.

NIS2: The Baseline for Cybersecurity Operations Across the EU

The NIS2 Directive (EU 2022/2555) has been the big story in European cybersecurity since its transposition deadline in October 2024. It significantly expands the scope of entities that must meet mandatory cybersecurity risk-management and incident reporting standards.

For SOCs, the most impactful element is the multi-stage incident reporting cadence: a 24-hour early warning from the moment there is awareness of a significant incident, a 72-hour notification with more detail (including IoCs where available), and a comprehensive final report within one month covering root cause, impact assessment, and mitigations.

But NIS2 goes well beyond reporting. It also makes supply-chain security, vulnerability handling, business continuity, and management accountability explicit requirements. The SOC’s scope of responsibility just got a lot wider.

An important development: the NIS2 Implementing Regulation (2024/2690), published in October 2024, sets concrete requirements for certain cross-border digital service providers, including managed security service providers (MSSPs). If you are an MSSP or rely on one, this regulation is essential reading: it describes expectations around monitoring, detection, security testing, patch management, and documentation that directly shape what can be demanded contractually.

DORA: Finance Gets Its Own (Stricter) Regime

The Digital Operational Resilience Act (DORA, Regulation EU 2022/2554) has been applicable since January 2025 and is specifically designed for financial entities. If a SOC serves a bank, insurer, investment firm, or other financial institution, DORA is a must-have framework.

The key difference from NIS2 is that DORA is a regulation, not a directive. It’s directly applicable across all Member States, with a finance-specific supervisory ecosystem and detailed implementing/delegated acts that standardise reporting and controls.

The reporting clock under DORA is tighter. The European Banking Authority’s RTS establishes time limits such as an initial notification within four hours after classification (and within 24 hours after detection), 72 hours for an intermediate report, and one month for the final report. Finance SOCs need a tighter internal “time-to-classify” discipline, because the first reporting clock can be tied to the classification decision, not to a later “confirmed breach” moment.

DORA also goes further on third-party risk: ICT third-party risk must be managed as an integral component of ICT risk. Contracts for services supporting critical functions must include audit and inspection rights, termination triggers, and exit strategies. If a SOC relies on cloud SIEM, MDR, EDR, or identity platforms from third parties, this applies to them.

The AI Act: A New Governance Domain for AI-Powered SOCs

The AI Act (Regulation EU 2024/1689) enters its main application phase in August 2026, and this is where things get particularly interesting for SOCs that are embracing automation and AI.

As the industry moves toward the autonomous SOC (with AI agents handling alert triage, threat hunting, and even containment decisions) the AI Act introduces obligations that SOC leaders cannot ignore:

• AI literacy: Providers and deployers must ensure their staff has a sufficient level of AI literacy. For SOC teams using AI-powered tools, this means structured training, not just a vendor demo.

• Record-keeping (logging): High-risk AI systems must support automatic event logging over the lifetime of the system. SOCs already deal with logs, but AI-specific logging requirements add a new dimension.

• Human oversight: Deployers of high-risk AI systems must assign human oversight with competent, trained personnel. In a SOC context, this means documenting who oversees AI-assisted decisions and how.

• Log retention: Deployers must keep AI-generated logs for at least six months where these logs are under their control. This is a new retention domain on top of your existing SIEM retention policies.

• Serious incident reporting: Deployers must report serious incidents involving their AI systems. If a AI-driven SOC tool makes a consequential error, there’s now a regulatory escalation path.

Even if current SOC AI use cases don’t fall squarely into the “high-risk” category, my recommendation is clear: build the governance framework now as that might change in the future. Logging, oversight, incident escalation, and procurement controls should be in place so that when a higher-risk use case is adopted or the regulation is expanded to other categories, there is no need to re-platform.

Operational Impacts: What Actually Changes in Your SOC

Now let’s get to the practical implications. There are at least five areas where regulation directly changes how SOCs must operate.

1. Incident Lifecycle Re-engineering

The multi-stage reporting cadence in NIS2 and DORA fundamentally changes incident management. Three workflow shifts become unavoidable:

First, the “regulatory clock” starts before your forensic conclusion is ready. Under NIS2, the 24-hour early warning is designed to alert national CSIRTs quickly and enable assistance. It’s explicitly not meant to wait for a full analysis. This means a SOC needs a fast-track process for producing an initial notification that’s separate from the ongoing investigation.

Second, IoC handling becomes a compliance output, not just a threat intelligence best practice. NIS2 asks for indicators of compromise already in the 72-hour notification, where available. A SOC needs to be extracting and packaging IoCs as part of the standard case workflow.

Third, your case management must preserve a full narrative trail: detection, containment, eradication, root cause, and lessons learned. The one-month final report requires this level of detail. Ad hoc post-incident reviews won’t cut it anymore.

A practical pattern that works well: a two-track process. Technical containment and eradication on one track, regulatory evidence capture and report drafting on the other. NIS2 itself warns that reporting should not divert resources from incident handling, so playbooks should be designed accordingly.

2. Service-Centric Triage and Business Impact Integration

NIS2 defines a “significant incident” by its impact on services. For example, severe operational disruption, financial loss, or considerable harm to others. DORA reinforces this by tying detection to the ICT risk management framework and resilience objectives.

The implication? SOC tooling that only sees security events but cannot map them to services, dependencies, and recovery objectives becomes a potential compliance risk as much as a security risk.

A SIEM/SOAR environment needs integration with the CMDB and business impact analysis data. When an alert fires, your analysts need to quickly answer: which service is affected, who is impacted, and what’s the business severity? Without this context, meeting the reporting requirements in time becomes extremely difficult.

The NIS2 implementing regulation makes this even more explicit by elevating concepts like maximum tolerable downtime and recovery objectives. These are metrics that SOCs increasingly need to operationalise jointly with resilience and IT operations teams.

3. Management Accountability and Board Reporting

NIS2 requires that management bodies approve cybersecurity risk-management measures, oversee their implementation, and can be held personally liable for infringements. It also mandates training for management bodies.

In practice, this pulls SOC reporting into executive and board dashboards. SOC metrics can no longer be limited to MTTD, MTTI and MTTR. Control effectiveness, residual risk levels, and readiness to meet regulatory deadlines needs to be demonstrated. Think of it as moving from “how fast do we respond” to “can we prove our security posture holds up to scrutiny.”

4. Supply Chain and Third-Party Governance

This one is especially relevant for SOCs that rely on outsourced tooling like cloud SIEM, MDR, EDR, identity platforms. NIS2 hard-codes supply-chain security into the minimum control set. DORA requires that contracts for critical outsourced ICT services include audit rights, termination triggers, and exit strategies.

SOC leaders must now partner with procurement and third-party risk management teams to ensure that incident evidence and notification obligations can be met even during a provider disruption. The question is no longer just “is our MDR vendor effective?” but “if our MDR vendor goes down, can we still meet our 24-hour reporting deadline?”

5. AI Tool Governance in the SOC

As I mentioned earlier, the AI Act creates a new governance domain for AI-assisted SOC operations. But let me be specific about what this looks like in practice, because I’ve been speaking with many companies that are building or deploying AI-driven SOC capabilities.

If your SOC uses AI for autonomous alert triage, threat hunting, or response recommendations, you need to consider:

Logging and auditability: What decisions did the AI make? What data did it process? Can you reconstruct the chain of reasoning if a regulator or auditor asks?

Human oversight documentation: Who is responsible for reviewing AI-assisted decisions? Is this role formally assigned with competent, trained personnel?

AI-specific incident escalation: If the AI system malfunctions or produces a consequential error (false negative that leads to a breach, or false positive that causes a service outage), do you have a clear escalation path?

Procurement controls: When you evaluate AI-powered SOC vendors, are you assessing their compliance with AI Act obligations? Are they providing the transparency and documentation you’ll need as a deployer?

The transition to the autonomous SOC is happening fast. My conversation with Almog Ohayon from TandemTrace on the Scaling Cyber podcast highlighted how AI agents are already generating and testing hypotheses autonomously. But the regulatory framework is now catching up, and SOCs that build governance early will have a significant competitive advantage, especially MSSPs, where demonstrating compliance maturity is a market differentiator.

Finance SOCs vs. General SOCs: Key Differences

One of the most common questions is: how different are the requirements for financial institutions compared to everyone else?

The answer: meaningfully different in both form and substance.

• NIS2 is a directive. It gets transposed into national law, meaning enforcement and supervisory approaches can vary across Member States.

• DORA is a regulation, directly applicable everywhere, with standardised reporting and a finance-specific supervisory ecosystem.

The reporting timelines under DORA are tighter. As mentioned, the initial notification can be due within four hours of classification. Finance SOCs must have a highly disciplined time-to-classify process, which means investing in pre-built classification decision trees and automating as much of the initial data collection as possible.

DORA’s third-party risk requirements are also more prescriptive. If you’re an MSSP serving financial clients, you should expect audit and inspection obligations to be baked into your contracts, along with requirements around exit strategies for critical services.

That said, NIS2 explicitly acknowledges the potential overlap: financial entities covered by DORA are generally exempt from NIS2’s risk-management and reporting obligations (though information-sharing links between financial supervisors and NIS2 structures are maintained). So you don’t have to comply with both reporting regimes simultaneously—but you do need to know which one applies to you.

Compliance-Ready SOC Metrics

One of the most practical things a SOC can do right now is rethink or expand metrics through a regulatory lens. The question to ask is: can we prove we detected, decided, acted, and reported within the required windows, with evidence that stands up to supervision?

Here are the key metrics that could be considered recommend tracking:

• Time-to-classification (TTC): From detection to “significant/major” classification decision. Target: hours, not days. This is critical for both NIS2 and DORA reporting feasibility.

• Regulatory notification readiness: What percentage of high-severity incidents have a complete minimum dataset for early notification? This includes service impacted, initial severity, suspected maliciousness, cross-border potential, and IoCs where available.

• IoC sharing latency: Time from IoC discovery to internal sharing and, where relevant, inclusion in regulatory notifications.

• Evidence completeness index: Do your case records include immutable timelines, decision approvals, containment actions, and post-incident root cause analysis? This is essential for the one-month final report.

• Third-party observability coverage: What proportion of critical outsourced services have independent logs/telemetry plus contractual incident notification and audit rights?

• AI oversight effectiveness: For AI-assisted SOC workflows, what percentage of AI-driven decisions have documented human oversight and retained logs?

SOC Regulatory Compliance Checklist

To help organizations operationalise everything we’ve discussed, here’s a checklist a SOC team can use as a starting point. It’s designed to be practical, not exhaustive, and it must be adapted to the specific sector, size, and regulatory scope.

Final Thoughts

European regulation is reshaping what it means to run a SOC. The shift from “detect and respond” to “detect, respond, prove, and govern” is not optional but a new baseline.

But I want to be clear: this is not just a compliance exercise. The regulations are pushing SOCs toward practices that genuinely improve security outcomes. Better evidence management makes post-incident analysis more effective. Service-centric triage catches business-critical incidents faster. Structured AI governance prevents costly mistakes as autonomy increases.

The organisations that treat regulatory requirements as an architectural input (not a box-ticking exercise) will build SOCs that are more resilient, more transparent, and more effective.

And for MSSPs specifically: compliance maturity is becoming a competitive differentiator. Your clients will increasingly choose providers who can demonstrate they meet the standards these regulations require.

The regulatory clock is ticking. Start building now.

One more thing

If you believe I missed something important or have something to contribute to this article, feel free to contribute in the comments!

The companies that dominate categories don’t just build differently, they also speak differently. They use a different language when they communicate who they are and what they do.

Language is not just a communication tool in cybersecurity. It does even more: it reduces perceived risk, signals inevitability and frames trust before proof is complete. Buyers are choosing long-term partners under uncertainty, and language becomes the base for stability, ambition and survivability.

They don’t just ask if a product will work, but they also need to reflect on the possibility that the company might not be alive in the near future or if it is a safe bet to build upon. In many cases, language is the first, even the strongest, signal they receive.

If you analyze how cybersecurity leaders use language, there is a sense of inevitability. They broadcast a distinct combination of attributes that others rarely match at the same time.

Confidence, boldness, proof, specificity, urgency without panic, clarity on “who this is for” and a strong position against their competitors.

The question that arises, though, is what came first: Actual market success in terms of revenue or an aspirational messaging that already made them sound, look and act like the leaders they would become.

Moreover, when we focus on those that have achieved a recognized market position, are there differences across regions?

Having worked for more than 20 years with non-American cybersecurity companies, I’ve always noticed something that felt intuitive but hard to quantify. They rarely communicate like leaders, even when their technology is cutting-edge.

The language of those coming from outside the United States is often more cautious, more precise and technically accurate, and more reluctant to claim authority. And in my experience, this difference in language is an early indicator of future outcomes, not just a reflection of current ones.

That experience and intuition is what led me to test this more systematically, and below we will see what the results said about the language of the cybersecurity leaders.

The Setup & Methodology

The first step was to decide what to measure. After reviewing positioning language across dozens of vendors in two sectors (Endpoint Security & Access Management), I decided to choose the following attributes:

Together, these dimensions describe not just what a company says, but how it assumes its role in the market.

In order to execute this analysis successfully, I needed to eliminate my personal bias. Considering how good LLMs are when it comes to language analysis, I designed a reusable prompt that could be applied consistently across groups of vendors.

The goal was not absolute truth, but relative comparison: how different companies speak in relation to each other.

Two LLMs were used (ChatGPT and Claude) in order to detect if there would be any large deviations.

Obviously, the same criteria was applied to all vendors. I also run the prompts three times in each one of the LLMs to account for potential differences.

Lastly, I defined the universe of vendors to be evaluated. For the purpose of this analysis, I focused on the vendors that were part of the latest Gartner Magic Quadrants for Endpoint Protection Platforms and Privileged Access Management.

Why the Gartner MQ? Those researchers already have a categorized list of vendors (Leaders, Challengers, Visionaries and Niche Players) that accounts for market penetration and positioning.

Before running the analysis, I had certain assumptions about the potential results:

1. Market Leaders would have a stronger language score

2. Immediate challengers would have a more aggressive approach

3. Legacy vendors would score lower than leaders growing rapidly

4. Non-american companies would show a lower score in the majority of the dimensions

I did exclude some vendors: Microsoft and PaloAlto Networks. The first one because of how much different of a company it is compared to the rest of the vendors, and PaloAlto as it is not naturally, in my opinion, an Endpoint Protection company.

The Result

The output didn’t vary significantly between ChatGPT & Claude, nor across the different runs of the prompts. This was a great first indication for me that the way the dimensions were defined could produce repeatable results.

You can see the results for yourselves below:

Across both markets, the same signals appeared again and again:

• Market Leaders clustered at the top in pretty much every dimension

• American vendors showed higher scores in almost every category

• Non-American vendors had higher scores on authenticity, but lower on the rest

• American vendors showed a stronger target clarity than Non-American vendors

There were two interesting outliers: BitDefender & Keeper Security. The first one, a Romanian endpoint-centric cybersecurity vendor showed a stronger authenticity and target clarity than I’d have expected.

The second one, a growing PAM solution, had the second highest average scores in its group, above leaders in the sector in several attributes.

Leadership is Announced before It Is Validated

Did the results surprise me? Not at all. It did, though, extend to more dimensions the theory I already had that leadership is not just built by execution, but it is announced through language, reinforced through consistency, and validated later by the market.

The language that Crowdstrike, SentinelOne or CyberArk are using today is not different from the one they were using when they started in this market. They did not wait for market validation to speak like leaders. They spoke like leaders first, and then built the execution to match.

Keeper Security is an early example of that. They are growing rapidly, taking advantage of a momentum created by their laser-focused targeting (MSPs) and using the language of an aspirational leader that knows where the market is going.

These companies don’t wait for permission. They speak with authority early, they frame the market on their own terms and they earn their right to keep speaking that way.

It could be argued that the analysis is biased toward leaders. It is a fair thought but that’s also the point. The goal was not to pick winners, but to understand why some companies sound like leaders while others don’t, even when they might want to become one or have the right mix of market presence, product and services that anyone else would consider the bases for leadership.

The more interesting question for me is not why leaders speak this way, but why don’t others. Why do so many capable vendors avoid assertive language or do they hesitate to define the market, name the problem strongly and claim authority?

That doubt, that lack of strength costs them over time.

Leadership Language is Not Optional

Some may argue that positioning through features or technical details is what works in their culture, country or region. And they might be right. But that is not the language that the market leaders use.

The uncomfortable takeaway is that you cannot become a global category leader without first sounding like one. It is not about hype, exaggeration or lying. It means embracing strength.

The leaders speak in outcomes, not just features. They don’t request relevance, they assume it. They define their target customers sharply, even at the cost of exclusion. And, not least important, they treat the competition as something beneath them, not to coexist with.

Leaders shape the playing field (redefining it or reinventing it, as they like to say), using language that reflects a claim on their inevitability. This influences procurement committees, analysts and partner ecosystems to perceive them as leaders, which then becomes a reinforcing cycle.

This prepares the market before the product fully arrives. While others use more precise words, which is excellent for technical accuracy yet signals lower urgency, the leaders become a market-shaping force by the way they speak and talk about it. They talk like leaders before they become leaders.

That confidence enables a clearer target customer narrative, defining who they are for and making it easier for buyers to know where they fit. This strong clarity is not just vanity, it drives their positioning, sales efficiency, partner alignments and customer trust.

The consistent embrace of a leadership identity, shown regularly by their language, is a key pillar of what produces category leaders. Companies that speak like leaders recruit differently, set higher expectations, and normalize ambition.

Leadership language does not just influence buyers. It influences the company itself.

So What’s the Real Lesson Here?

Of course, bold language alone does not create leadership. Many companies have spoken loudly and disappeared quietly. Leadership language is not a silver bullet, yet appears to be necessary.

Those that want to build a cybersecurity company that changes their market category need to understand that what they do today is tied to how you talk about their vision, their strengths, their customers and about tomorrow.

How a cybersecurity vendor speaks (its tone, audacity and narrative ambition) isn’t window dressing. It’s a foundation on their path to leadership.

Companies that embrace the language of leaders, with confidence, boldness, audacity and clear positioning will get noticed earlier and shape the market they want to end up as leaders.

American vendors dominate the market for many reasons, and this is one of them. European vendors often excel in accuracy and precision yet don’t talk about it enough in a way that will position them as leaders.

I will give you two examples of non-American vendors that are breaking this pattern: BforeAI and Aikido. Both of them founded in Europe, they embraced the leadership identity and language from a very early stage, and while in different categories, the scores on the dimensions above would put them in the same group of the market leaders we analyse.

BforeAI is leading the talk about preemptive cybersecurity and Aikido recently became a unicorn.

In cybersecurity, technology earns credibility. Execution earns trust. And language earns attention, and that is where leadership begins. If you don’t speak like a leader, don’t be surprised when the market never lets you become one.

Vendors start publishing their “Cybersecurity Predictions for Next Year”, “Top Threats CISOs Must Prepare For”, or “The Future of Security Operations”. The cadence is almost ritualistic and it often continues well into January.

If you’ve been in the industry long enough, you can probably predict the predictions.

And after reading enough of them, one thing becomes clear: Many of these pieces are not really about forecasting the future. They’re about shaping it.

Predictions are rarely neutral

In theory, cybersecurity predictions are supposed to help practitioners prepare for what’s coming. Technically, operationally, and strategically.

In practice, many prediction reports are strongly influenced by what the vendor needs the market to believe. That shouldn’t be a surprise: they start to come in November - or even October! - to be aligned with the budgeting and planning season of the vendors’ target customers.

Most vendor predictions support at least one of the following:

1. Reinforcing today’s value proposition

   “The most important problems next year are exactly the ones we already solve.”

2. Pre-justifying tomorrow’s roadmap

   “This trend is inevitable and we just happen to be building for it.”

3. Shaping how buyers think about security

   “Stop evaluating tools the old way. Think in this new framework where we win.”

That doesn’t automatically make predictions useless, but it does mean they’re not neutral.

This edition of Cybersecurity & Business is sponsored by:

A quick personal note

I’m not making this argument from the outside.

When I was Chief Business Officer at ESET, I used to oversee the creation of predictions content. I know how these pieces are shaped: not just by research and threat intelligence, but also by messaging discipline, positioning, and business priorities.

My personal take after reading far too many of these over the years:

• The more mature a company is, the more substance there tends to be behind its predictions (better data, broader telemetry, more internal debate). But even then: take them with a grain of salt.

• Challengers and newer vendors, in my experience, lean much more heavily into predictions as a way to move the conversation in their favor.

The most useful way I’ve found to read predictions is this: They’re not primarily a window into the future; they’re a window into the vendor.

Two examples: what predictions reveal when you read them analytically

Below are two real prediction pieces from well-known vendors. I’ll refer to them as Vendor Q and Vendor S, not to obscure facts, but to keep the focus on patterns rather than brands.

Example 1: Vendor Q - predictions from an AI-SOC vendor

Vendor Q’s core positioning, simplified: autonomous SOC investigation, reduced analyst workload, faster outcomes.

Once you understand that, several of their “predictions” start to read differently.

Prediction #1: Automated remediation becomes standard

Framed as a market trend, this prediction conveniently extends the narrative from investigation to remediation.

That does two things at once:

• It reinforces the current message (“autonomy is the future”).

• It quietly prepares the market for the next logical step in the product roadmap of Vendor Q.

Even if large-scale automated remediation isn’t widely accepted yet, presenting it as inevitable makes future product expansion feel obvious, even necessary.

Prediction #2: SOAR budget reallocation

This is less a prediction and more a budget argument for their target customers.

The implicit message is:

“If you don’t know where to get budget from to purchase our solution, traditional SOAR tools are too complex and expensive. That money should move to autonomous AI SOC platforms instead.”

This reframes the buying conversation away from features and toward economic efficiency, while positioning Vendor Q as the natural beneficiary of that shift.

It’s a prediction, but it’s also a very intentional market re-education effort.

Example 2: Vendor S — predictions from a large security platform vendor

Vendor S positions itself as an AI-driven, increasingly autonomous security platform spanning detection, response, investigation, and automation.

Unsurprisingly, its predictions reinforce that worldview.

Prediction #1: AI will dramatically increase adversary capabilities

This theme appears everywhere, and it doesn’t feel wrong. But it also creates urgency for exactly the type of AI-native, automated defense that Vendor S sells.

The logic is straightforward:

• Attackers automate → humans can’t keep up

• Manual SOC models fail → autonomy becomes mandatory

• Point tools fall short → platforms win

It’s a plausible argument, but also a very convenient one.

Prediction #2: Operational velocity and automation are table stakes

Here, predictions function as platform justification.

If speed and automation are everything, then:

• stitched-together toolchains look risky,

• integrated data + AI + automation stacks look inevitable.

Again, this may reflect real trends (or not), but it also nudges buyers toward evaluating vendors in exactly the dimensions where Vendor S is strongest.

Prediction #3: AI governance becomes critical

This is where predictions can hint at roadmap direction.

By emphasizing non-determinism, guardrails, and enterprise-grade AI, Vendor S implicitly signals future focus areas: explainability, governance controls, auditability. The kinds of features that tend to appear as platforms mature.

What these examples have in common

When you read predictions through a strategic lens, consistent patterns emerge:

• Predictions reinforce the vendor’s “why now”

• They normalize assumptions that benefit the vendor’s model

• They often pre-condition buyers for upcoming features

• They subtly de-emphasize competing approaches or legacy tools

None of this means the predictions are wrong, but it does mean they’re motivated.

A practical bonus: a prompt to dissect vendor predictions yourself

This is a quick and useful way I’ve found to extract real signal from prediction reports.

Use the prompt below with any vendor’s predictions and it will help you understand:

• how predictions align with current products,

• where they hint at future roadmap,

• and where they’re mostly narrative shaping.

It’s useful for:

• Practitioners trying to separate signal from marketing

• Vendors analyzing competitor direction

• Industry analysts tracking category evolution

Prompt: Analyze Vendor Predictions Through the Lens of Business Strategy and Value Proposition

You are a cybersecurity industry analyst with expertise in security operations, vendor strategy, and market positioning.

You are given:
1. A cybersecurity vendor’s public material (website, product pages, blog posts, documentation, press releases).
2. A list of predictions published by that vendor about cybersecurity trends or threats.

Your task is to critically analyze how the predictions align with the vendor’s current and future business interests, not just their stated opinions.

Step 1: Identify the Vendor’s Value Proposition and Core Capabilities
Based on publicly available information, extract and summarize:
• Primary value proposition
• Key product features and capabilities
• Differentiation
• Current limitations or implied future gaps

Step 2: Analyze Each Prediction
For each prediction:
• Restate it succinctly
• Assess direct alignment with current offerings
• Identify indirect or strategic alignment with future direction
• Evaluate narrative or mindset shaping

Classify each prediction as:
• Strong direct support
• Moderate/indirect support
• Forward-looking strategic signal
• Weak or speculative alignment

Step 3: Synthesize Strategic Signals
• Dominant themes
• Implied roadmap direction
• Business priorities
• Market positioning intent

Step 4: Critical Assessment
• Evidence-driven vs narrative-driven claims
• Oversimplifications or bias
• Important trends that are missing — and why

So… are cybersecurity predictions actually valuable?

Yes; just not in the way they’re usually framed.

Predictions are rarely reliable forecasts of what will happen next year. Any experienced cybersecurity practitioner knows that. They’re often too broad, too incentive-driven, and too selective for that.

But they are valuable as:

• A roadmap signal, what the vendor is likely to build or emphasize next

• A positioning artifact, how they want the market to think

• A budget narrative, where they want spending to move

• A maturity indicator, how evidence-based their thinking really is

The trick is not to dismiss predictions, but to read them correctly.

Treat them as strategy documents wearing a forecasting costume.

And using the prompt above, cut through the fluff and understand the why behind them.

But when you sit down with founders actually building cybersecurity startups and scaleups across Europe, a very different story emerges.

A story that mixes structural friction with forced creativity, full of hard choices and sometimes longer paths that can produce stronger companies.

In a recent article, we talk about how a focus on delivering real value - not protectionism - can transform the European cybersecurity landscape very positively.

The following piece is based on the views and experiences of founders from France, Ukraine, Belgium, Germany, Poland, Czechia, and Spain, who speak candidly about what they see as the real opportunities and challenges of building cyber companies in Europe and their relentless focus on creating solutions the world wants to buy .

What follows is not theory. It’s what they’ve lived.

Europe Forces You to Solve Harder Problems Earlier

One of the first patterns that emerges is this: Europe is not an easy place to build and sell European cybersecurity and that shapes products.

Simon Bauwens, co-founder of OutKept, explains how even something as “simple” as phishing simulation becomes radically more complex in Europe:

“If you write a phishing email in the Dutch that we use in Flanders, it’s very different from the Dutch in the Netherlands. The French in Wallonia is not the same as the French in France. A small change in wording is enough for people to immediately say: this doesn’t look credible.”

He goes on:

“If you’re a big global company, who is going to create phishing emails that refer to a local storm, a local election, or something that just happened in that region? Nobody does that. But that’s exactly the kind of phishing people actually fall for.”

This isn’t an isolated experience.

Andriy Kusyy, founder of LetsData, describes how disinformation campaigns now launch multilingual by default, not as an afterthought:

“Campaigns don’t start in English and then get translated anymore. They start multilingual from patient zero. If you’re only scanning English media space, you’re already late.”

For him, Europe’s linguistic and cultural fragmentation isn’t noise but signal:

“If a campaign starts in Romanian, then Russian, then Ukrainian, then comes back to Romanian, and finally targets Moldova, if you’re only looking at one country or one language, you will never understand it’s the same operation.”

The opportunity this creates is clear: European founders are forced to build products that work across complexity — languages, cultures, regulations — from day one.

The result? Products that are often more resilient globally once (and if) they break out.

Trust, Regulation, and “Made in Europe” Are Becoming Strategic Assets

Another shift founders consistently point to is trust. Not marketing trust but structural trust.

Pavel Rybczyk from Labyrinth Security puts it plainly:

“We are not saying: buy European just because it’s European. That would make no sense. But for critical things like access management, monitoring, early detection — customers are starting to ask where the technology comes from, who controls it, and where the data lives.”

He adds:

“It’s not realistic to switch everything to European vendors. But for strategic layers, it’s absolutely realistic, and customers are now open to that conversation.”

Richard Malovic, Co-Founder and CEO of Whalebone, sees the same dynamic in the vertical they target the most, telecommunications:

“We integrate directly into telco networks. This is critical infrastructure. Here, stability, long-term viability, and political alignment matter a lot.”

Richard went on to highlight how those values are what many consider European cultural pillars and they are natural for a company that is built in this region.

Therefore, for companies operating in government, telecom, finance, or national infrastructure, European origin is increasingly a qualifier, not a handicap.

Speed vs. Skepticism: Europe’s Adoption Paradox

Yet nearly every founder contrasts this opportunity with a harsh reality: Europe is slow to adopt new cybersecurity vendors.

Luigi Lenguito, founder of BforeAI, is blunt:

“In Europe, customers want proof before innovation. In the US, they buy the vision and expect you to get there. In Europe, you need to already be there.”

The result?

“You often need US customers to convince European ones. That’s the paradox.”

The Mitigant founders, a Cloud Attack Emulation vendor from Germany, who come directly from academia into the cyber industry, felt this immediately:

“In the US, you can sell the idea and iterate fast. In Europe, customers want a finished product, references, and long POCs before they even consider it.”

They add:

“That forces you to spend much more time educating your potential customers. Not just the security team, but management, procurement, legal. Everyone needs to understand why the tool exists.”

Nils Karn went further and quoted a study made in Germany that found out that from the billions spent in cybersecurity in the country, very little is actually dedicated to startups in their first years of life.

The challenge: European founders must survive longer sales cycles with less early revenue, while still competing against global incumbents.

Why Many European Founders Default to Channel Models

Because of this friction, many founders independently converge on the same conclusion: Direct sales alone don’t scale well in Europe.

Lukasz Jesis from Xopero explains it simply:

“If you want to scale across Europe, you cannot sell country by country on your own. You need partners who already have trust, relationships, and distribution.”

Labyrinth designed its product around partners from day one:

“Multi-tenancy, MSSP support — this was in the product from the first version. We knew we could not scale commercially without partners.”

Whalebone took this logic even further by embedding itself inside telcos:

“We are not selling cybersecurity as a tool. We are helping telcos create a new revenue stream. That changes everything.”

The fragmented reality of the European market, with different languages, cultures and business practices, requires a different approach than what US & Israeli companies usually do. As Luigi Lenguito points out, if you go to the US first, you can go directly to customers, as they do.

The opportunity: Europe rewards founders who think in ecosystems — MSSPs, telcos, distributors — not just direct sales. If they listen to the channel, they can have an advantage that “foreign” entities might not.

Capital Is Available But the Middle Is Missing

One of the most honest reflections comes when founders talk about funding. Everybody knows that - with few exceptions - investment rounds in Europe are several orders of magnitude smaller than in the US.

That is an obvious obstacle but not the only one. Simon Bauwens describes a structural gap many European founders recognize immediately:

“We are missing that big middle layer. We have early-stage startups in Europe, and we have global giants — mostly from the US. But we don’t have enough large European tech companies that can acquire, fund, or help scale the next generation.”

Richard Malovic echoes this from a scaleup perspective:

“We need more European examples of companies that grow big and stay independent. Positive examples matter more than anything.”

Without that middle layer:

• exits happen earlier

• ambition is often externally constrained

• global scale sometimes requires leaving Europe behind

Very few European cybersecurity vendors have reached EUR 1 billion ARR. There’s only a handful that even got to half a billion euros in annual revenue. Europe is full of stories of strong cybersecurity companies that were acquired by American firms before they could become that middle layer, like Hornet Security.

Hornet Security, a successful german email security company acquired Vade Secure, a french player in the same sector. That looked like a successful story of european consolidation… until Proofpoint came and acquired them and fulfilled exactly what Simon and Richard mentioned above.

The Hidden Advantage: Forced Long-Term Thinking

And yet, despite all this, something remarkable appears across these conversations: European founders are not pessimistic. They are patient. They talk less about blitzscaling and more about durability.

Richard Malovic describes it as crossing a mountain valley:

“You know you’re going forward. You’re not coming back. It’s hard, it’s cold, but you keep going.”

Simon Bauwens frames it differently:

“Competition becomes aggressive. People try to scare you, write legal letters, run ads against you. But you learn that if they bother, you must be doing something right.”

In a world where the speed of developing software is accelerating, that patience can become an advantage. Almog Ohayon from TandemTrace, who already went through a successful Israel-to-US founding journey and now is building out of Spain captures the moment we’re entering:

“With AI, small teams can now outperform big organizations. The advantage is shifting back to speed, focus, and clarity of vision.”

The new reality combined with European resilience can become a hidden strength for the local cybersecurity vendors.

The Real Story of European Cyber Founders

A bit more than a year ago we discussed similar topics with other founders from Europe. Many of the challenges remain the same yet something seems to be shifting in the market as well as in the mindsets of the leaders of the European cybersecurity vendors.

The conversations we have now, taken together, reveal a deeper truth: Europe doesn’t produce fewer or worse cybersecurity companies.

It produces different ones that, while might have been built slower and taken longer to validate, are designed for complexity and could be more defensible long-term.

The stories of the companies we interviewed, as part of Scaling Cyber, provide us with a unique perspective on how cyber innovation is building up in Europe and that despite the challenges, there are strong opportunities ahead.

Europe needs to listen to the European founders. When that happens, a new generation of global cybersecurity leaders will not just emerge. They will be impossible to ignore.

All these questions are being answered by a new generation of companies. They are delivering solutions that are approaching cybersecurity differently: preempting breaches, augmenting security operations with AI agents and alerting of information operations before they take off.

Discovering and showcasing innovation in cybersecurity is the purpose of Scaling Cyber, the podcast I’ve launched 4 weeks ago, and that I’d like to invite you to subscribe to. You can find a description of each episode below.

The purpose of Scaling Cyber is to provide visibility to cybersecurity leaders and founders that are scaling out of the usual locations, like the US or Israel. The first season is going to cover 8 companies from Europe and Africa.

I’d love to hear your thoughts on our first episodes and guests!

You can subscribe on Substack, Apple Podcasts, Spotify or YouTube.

Autonomous Alert Triage & Threat Hunting in the SOC

In our latest episode, Almog Ohayon, CEO & Founder of TandemTrace, explains how AI is transforming SecOps at a pace few imagined. He draws a parallel with the early days of cloud adoption: a moment of skepticism that eventually became standard practice. Today, the same shift is happening with AI, but faster and with even bigger implications for security teams.

What makes TandemTrace stand out is its focus on autonomous threat hunting, not just alert triage. Their AI agents generate and test new hypotheses nonstop, examining telemetry far beyond what humans could handle. Almog argues that dashboards were created for human analysts. AI doesn’t need dashboards. It needs clean data.

His message is clear: the future SOC runs on AI as the pilot, with humans guiding strategy.

Detecting Information Operations & Disinformation Campaigns

A previous episode features Andriy Kusyy, CEO & Co-Founder of LetsData, who takes us inside the world of modern information operations. He didn’t plan to build a startup in this space: he simply followed a problem that he was seeing every day. Disinformation campaigns now move in multiple languages, across borders and platforms, making them almost impossible to spot without automation.

LetsData bridges cybersecurity and media intelligence by detecting coordinated manipulation early, before narratives go viral. Their platform monitors millions of posts across dozens of languages and looks for abnormal patterns: bot behavior, sudden surges, or hostile messaging.

Andriy shares how the team has supported organizations around the world, including helping Moldova defend its elections. His takeaway: information operations are now a mainstream cybersecurity threat.

Trolling Cyber Criminals

In episode three, Pavel Rybczyk and Anastasiia Dorosh, from Labyrinth, introduce us to the new wave of cyber deception. Labyrinth deploys lightweight decoys — “points” — across a network. Since no real user should ever touch them, any interaction is an instant, high-fidelity alert. In an industry overwhelmed by false positives, this simplicity is refreshing.

Once attackers engage, Labyrinth doesn’t just detect them. It keeps them busy.

Their decoys pull intruders deeper into a controlled maze, buying defenders valuable time. Pavel and Anastasiia also highlight why this is the right moment for deception: environments are more complex, attacks move faster, and companies need a reliable second line of defense. Labyrinth is also part of a growing movement of high-quality European cybersecurity vendors building global-ready solutions.

Predicting Attacks Before They Strike

In our first recorded episode, Luigi Lenguito shares how BforeAI, where he is CEO & Co-Founder, aims to shift cybersecurity back toward prevention. After years in global leadership roles at Dell, Luigi decided to challenge the industry’s assumption that breaches are inevitable. His team focuses on predicting malicious infrastructure before attackers launch their campaigns.

BforeAI’s approach is bold, including a performance guarantee backed by Munich Re. Luigi also talks about scaling a European startup globally by going to the US early and shaping a new security category. His insights reveal what it takes to create trust, earn analyst recognition, and turn a contrarian thesis into a fast-growing company.

What’s Coming Next

There will be four more episodes, released weekly, of the first season of Scaling Cyber.

They will cover new territory: cloud attack simulation, community-driven phishing simulation, preventing email impersonation at scale, and protecting the Internet’s backbone.

Each one brings fresh perspectives and more lessons from founders about cybersecurity as well as their journeys. They are redefining what modern cybersecurity looks like and they are ready to share with us.

Discover the future cybersecurity global leaders in Scaling Cyber.
Subscribe now!

If you would compare IT-SA with, let’s say, RSA Conference in San Francisco, something would be clear: for every vendor booth mentioning AI in the latter, you will find one with a big “Made in EU” or “Made in Germany” label in the German one.

Not only that, many presentations in the official agenda were covering that topic, one way or another.

After 20 years building one of the largest European cybersecurity vendors in the world, I am personally involved in many activities to promote local cybersecurity vendors and solutions myself. However, I believe a big part of the current “sovereignty” push is mis-guided and will not help in the long run.

Take into account that this comes from someone that is part of an initiative to develop a European cybersecurity marketplace. I even presented it at IT-SA myself! 😀

In this article, I am going to explore how I see the overall situation and what I believe should be emphasised or done instead.

The “Buy European” Many Problems

There are several initiatives that are looking into modifying procurement rules and processes to give preference to European solutions. Recently, the European Commission, through its Directorate-General for Digital Services, published a Cloud Sovereignty Framework that defines objectives and Sovereignty Effectiveness Assurance Level.

Another initiative is EuroStack, which proposes a “Buy European” Regulation of Strategic Digital Procurement framework. This would aim to redirect a significant portion of the current purchases towards European firms and define a “Sovereign European Provider” through a “rigorous, technical test of substantive control and operational autonomy”.

These initiatives are getting some momentum and as that happens, they show the many problems of the “Buy European” movement. For instance, there was some news breaking a couple of months ago that the European Commission was considering dropping Microsoft Azure and replacing it with the French OVHCloud provider.

Now, my question is, how does that change anything? Yes, OVHCloud (or any “sovereign cloud provider”) is headquartered in a European country, but the majority of the base software they use and provide to their customers is not European. Even a change in prices in Broadcom/VMWare licenses affected their financial results, last year.

When we review the Eurostack proposed framework, other issues arise. One of their pillars is the usage of “open-source” software. As they do point out to some extent, though, the vast majority of the key foundations behind those projects - like the Linux Foundation, Mozilla Foundation or the Apache Software Foundation - are incorporated in the U.S.

The other issue is the reliance of the proposal on a certification-like approach to validate if a provider is European.

There are enough certifications in Europe at the moment, at regional and local level, and in my opinion and personal experience, they are actually obstacles for innovative and disruptive new companies. There are too many already!

A young startup doesn’t have the resources to obtain internationally recognized certifications like SOC2 and ISO, plus the local ACN, ANSII, BSI, LINCE, etc. and on top of that, some regional ones to show they are European enough.

We are launching Scaling Cyber! The podcast where cybersecurity founders and leaders from all over the world share their journeys of growth, challenges, and global expansion. Subscribe now!

Tales from the East

While we could point out other issues with some of the “Buy European” initiatives, let’s take a pause, and look towards the East for “inspiration”.

I have been in the cybersecurity industry for some time now, and I have seen the evolution of protectionism in countries like China and Russia. Both countries have had certification schemes in place for more than a decade, with rules that became stricter towards foreign providers year over year.

Their initiatives and certification processes have fared differently, and haven’t necessarily helped them to become fully sovereign nor global leaders.

When it comes to cloud, China fares better than Russia, as the primary cloud service providers are local and some of them have regional presence.

However, despite all their efforts, Microsoft Windows continues to be the primary operating system, and foreign software continues to be a reality at many levels, private and government, and even those Chinese cloud service providers need to offer non-Chinese software to their customers.

Rather than help, in my opinion, those initiatives create isolation and limit local companies to become true global market leaders.

Why aren’t we talking more about “Sell European”?

After this diversion through the East, there is another challenge to the “Buy European” movement: who promotes, sells and implements software and cybersecurity products and services.

The vast majority of software and cybersecurity products are sold through third parties - service providers, system integrators, etc - in Europe and elsewhere.

While some of the pan-European providers have some sort of “sovereign portfolio” at the moment, they are actively promoting, selling, integrating and supporting non-european products and services for their european customers.

If you want to have more organizations buying European products and services, you need more of their suppliers offering them European options. Why don’t they?

The Good Examples

All those procurement frameworks, certifications and regulations that we talked about before are not the only initiatives around. There are also some looking into increasing visibility and competitiveness.

The CyberHive Europe is a good example, not because I am part of it, but because of the reasons I joined when it was first pitched to me.

The platform is aiming at becoming a marketplace showcasing European cybersecurity solutions and it is built and maintained with the inputs from the community, which includes CISOs, vendors and investors. It’s not putting up neon signs about buying european, it’s giving potential customers a place to find alternatives.

In that same direction, there is a recently launched website called European Alternatives with a similar aim: a directory of regional options for those that want them.

Another good initiative is the Cybersecurity Made in Europe label, a simple and realistic tool for cybersecurity vendors to show where they come from. It doesn’t take a minimum of six months and tens of thousands of euros to obtain it like with many of the certifications I mentioned above, which makes it available for established companies as well as young startups.

Moreover, the European Cyber Security Organization has the aim to make Europe an equivalent to a seal of cybersecurity excellence, not through forced processes, but by a multitude of initiatives to promote European innovation and technology.

There are other initiatives that are good examples of what Europe needs to close the gap and become a global cybersecurity leader, aiming at removing obstacles and increasing opportunities:

• EU-Inc: a proposal to create a new pan-European legal entity, with one central registry, and standardized investment documents, EU-wide stock options and taxes and employment rules.

• The European Cybersecurity Investment Platform: set to be a fund-of-funds mechanism with a target size of at least 1 billion euros, as a response to the investment gap in the EU cybersecurity market.

The above are good examples of “Buy European” initiatives that don’t even need to use that tagline to help increase the chances of customers choosing local solutions. They are well in line with the needs outlined by the cybersecurity founders and leaders themselves.

What Customers Want?

Speaking of customers, in my experience, everything starts with them. Their needs, pains and requirements.

If Europe wants to see the regional technology and cybersecurity industry grow and be adopted, these initiatives need to be laser-focused on what customers actually want, above anything else.

Last year I was in a panel discussion where a CISO said (I am paraphrasing): “If a European and an American solution are equal in terms of benefits, functionality, integrations, implementation time, support, pricing, etc., I would choose European.”

That couldn’t make more sense. We can’t force customers to choose a cybersecurity solution solely or primarily based on origin. Therefore, the focus needs to be on how european companies can solve real customer problems and do it better than anyone else.

The challenge is, though, that many young startups face obstacles to gain access to them. European cybersecurity professionals are generally more risk-averse than Americans, as Luigi Lenguito wisely said in a recent episode of Scaling Cyber.

There needs to be more initiatives to provide opportunities for young startups to present their solutions to potential buyers, and there needs to be more open-ness from European companies to give them some of their time.

Advice from end users, the opportunity to co-build a solution with an experienced CISO or practitioner, has an incredible value for startups and scaleups. As long as those end customers do want to see more European alternatives, this is a key initiative to pursue.

What is a European company?

The reality is complex and defining what makes a company truly European is a challenge in itself. EuroStack provides a large set of requirements that I doubt many companies can fulfil.

Like theirs, many definitions of what a European company is are limited by reality.

A company I work with was recently not accepted in an exhibition as a European provider despite being a supplier for many EU-based defence organizations and despite their owners, leaders, most of their employees and most of their customers being in the EU. Why? Because their main legal entity is incorporated in the US.

Technically, that doesn’t make them “European”, but the reality is that they did that in order to receive investment they couldn’t get in Europe.

Another example: what happens with the large service providers and system integrators that are legally incorporated within the EU but the majority of their employees are in other countries due to cost and legal reasons?

That is not a hypothetical question. It is exactly what the main executive of a french cybersecurity service provider with tens of thousands of employees asked when their company was about to be excluded from a listing of European service providers. How many American companies are in exactly the same situation but they are considered US companies anyway?

Buy European if good - if not, at least Consider European

Sovereign solutions don’t equal high quality ones. They also aren’t a guarantee of the necessary and expected business outcomes. They might not even be Europeans forever!

The whole debate around “Buy European” is too much focused on the symptoms. If there is a real desire (and need) for European solutions (however we define them), the goal should not be to force procurement processes and create even more regulation.

I am a proud and active member of organizations like the European Cyber Security Organization and the European Champions Alliance. I worked more than 20 years developing European cybersecurity companies globally, and I truly want to see more European companies succeed.

Success doesn’t mean government contracts, nor regulations that will only address symptoms.

Success means to deliver actual value to end customers, solve their problems, so they want to buy and use the solution.

I always say, jokingly, that revenue solves all problems. If you really want people to “Buy European”, help European companies to build excellent products and services. That is the way forward and nothing else.

Europe doesn’t need to buy European. It needs to build something the world wants to buy.

The vast majority of these companies are targeting the same role within their ideal customers: the Chief Information Security Officer, or CISO. For them, this abundance doesn’t mean choice but noise. .

Meanwhile, CISOs themselves operate under intense pressure: limited bandwidth, career risk, burnout, and the enormous cost of switching solutions if they make the wrong call.

This is the first of a series of articles that will explore how CISOs are navigating this challenge, how they evaluate and approach vendors, who they trust, and what mistakes can kill relationships.

We are launching Scaling Cyber! The podcast where cybersecurity founders and leaders from all over the world share their journeys of growth, challenges, and global expansion. Subscribe now!

The CISO Buying Process: From Pain to Selection

There’s not one way that CISOs buy. Talking with them, listening to their podcasts, or reading their LinkedIn or X posts shows that there are different approaches they take.

What is clear, though, is that they don’t “shop” like consumers nor do they evaluate vendors in the same way other enterprise buyers do. At least not entirely.

CISOs have a horizontal responsibility across their organization, needing to support the business, while also protecting it, even though they know they will never be able to prevent 100 % of threats. Pavi Ramamurthy, Global CISO and CIO at BlackHawk Network, put it in a simple yet very interesting way when describing their job: “I can’t promise safe, but I can promise ready.”

When choosing solutions, there are two very important dimensions they consider: what pain or problem they need to solve and when they can solve it. The third, obviously, is the budget.

Unless they are in the middle of a crisis or recently faced one, CISOs have a plan of what topics they will be addressing and in which priority. Resources are always limited, even for those with the deepest pockets, so planning is key for them.

As one security leader put it, “Most CISOs are looking six to twelve months out. If you’re pushing me to buy tomorrow, you’re out of sync with my world.“.

CISOs begin with a problem definition or statement, not necessarily a vendor list. Due to business priorities, compliance, trends or to improve their overall security posture, they have a set of topics (problems, pains, upgrades, improvements, etc) to address.

Going through that list, they consult with their trusted network (peers, suppliers) and conduct a “safe” exploration of the potential solutions, through articles, research, videos and reviews. Some of them, they talk with their current vendors to see if they have another solution for this new problem.

Only after that initial review, they have a shortlist of potential solutions to their problem, sometimes including the option to build it internally instead of using a third party vendor. CISOs are not the ones putting together that initial selection, at least not exclusively; they lean heavily on their teams for that.

Up to this point, with the exception of conversations they might have had with an existing vendor of theirs to see if they have a solution for this new problem, they most likely have not even talked with any other cybersecurity provider.

Once they conduct an internal assessment on risks, integration needs and the overall complexity of the potential solutions, they get to the moment to decide… and sometimes that decision might be to do nothing and accept the current problem as a known risk or maintain what they already have to address it, even if partially.

Who CISOs Really Listen To

The path to the CISO is through their trusted network, which is formed by peers, their team, the VARs/Integrators they work regularly with, and the events and conferences they attend. In some cases, that network also includes industry analysts.

What they usually don’t do is follow up on cold calls, emails or direct messages, and not necessarily because they don’t want to, but because they are regularly bombarded with them.

Ross Hosman shared an informal survey he ran among other CISOs recently, and 50 % of them receive at up to 5 unsolicited contacts per day, with 12 % of them getting more than 20.

Another thing they don’t want to do is click on “Book a Demo” buttons, unless the vendor has already been vetted by someone they trust. This is not because they are not curious, it is because they don’t want to end up trapped in another sales and marketing funnel from another vendor.

Mike Johnson, from Rivian, often says that what CISOs want is to feel “safe” when evaluating new vendors. They want to do things at their own pace, in their own way, without being forced into what the vendor sales process dictates.

That’s why many CISOs would start asking their peers before anything else. The majority of CISOs are part of some close community (often a Signal group or Slack channel) where they ask questions about how others are solving problems and what vendors are using for that.

Their usual VARs and Integrators are also a source, sometimes even more important than their peers. As Edward Contreras pointed out in a recent Defense In Depth episode, his trusted VARs “have been with me for a while. They’ve been in the trenches. They’ve seen some failures. They’ve seen some successes.”

What many vendors and service providers often forget is that the CISO isn’t the only person to talk to, and moreover, sometimes it is not even the right one. More than one CISO recommends speaking to their team first, as their opinion will matter to them.

They will most probably be the real users of the solution, and they are the ones that will need to see, first-hand, if it is the appropriate one to solve the problem at hand. That’s why CISOs are looking for their feedback. “Don’t talk to the CISOs, talk to the leaders within the security org, talk to the principal engineers. Those are the folks who are making the recommendations.”, said Mike Johnson about this topic.

What happens with events and conferences? CISOs definitely continue to attend, as well as their teams, but that doesn’t mean they are going to listen to everything that is being shown to them there.

The reality is that many CISOs see the value to attend not in how much the vendor is spending in the booth, but in what is happening outside or around the event, where they can gather with their community, spend time together and learn from peers and from those they trust, as Geoff Belknap, CISO of LinkedIn, pointed out, echoing the opinion of many others in the industry.

Lastly, there are industry analysts, like Gartner, Forrester and others. While many CISOs would not recognize it publicly, the reality is that these analysts have an influence in their decision making, especially for those that are their paying customers.

No CISO (maybe some) will choose a solution just because an analyst put it at the top of the report, but many would include that “market leader” in their shortlist.

For instance, two cybersecurity companies that I consulted noticed how being mentioned directly in Gartner reports - or even that their sector was mentioned as a priority - increased the number of CISOs that started to be interested in taking their invitations to events or meetings.

Lastly, their existing vendors, directly or indirectly, also are an influence. CISOs might look into their existing stack to see if a company they already work with has a solution for this new issue they are trying to address.

“I don’t want to go through the complexity of acquiring a new product. More screens, great complexity, greater total cost of ownership is an issue that I want to manage. So, if I go to my vendor and say, what can you do? They often have purchased a product.”, said Jason Taule, CISO of Luminis Health in a recent Defense in Depth podcast.

The Budget

Even left to the last part of this article, the budget has a strong impact on how CISOs choose solutions.

First and foremost, CISOs have already allocated a budget for their projects in advance, and internal rules can be very strict about their ability to spend it on people and/or tools. If they don’t have a reserve for “innovation” or “research”, the money is already in a particular budget line.

However, the budget they have allocated - and the potential price of the solution - can give these security leaders some room to navigate the selection process with more or less formality.

For instance, many organizations request formal tenders only when the price will be above a certain value - anything below can be decided alone by the budget owner.

If the price of the solution demands RFPs and involvement of a buying committee, the process can become long and cumbersome, and CISOs might choose to go with a “safer” bet (a.k.a. an established or existing vendor) to avoid the hazard of justifying the purchase of some unknown product to the CFO or others.

Moreover, in many cases, the CISO is not the sole decision maker when it comes to its budget, as some parts of it can be held by other functions in the organization, like IT, HR, Compliance, etc. This complexity can deeply affect the way they choose solutions.

The Value of Trust

In a world where every vendor promises to be the “best,” CISOs rely on something far rarer: trust.

Their buying journey isn’t a funnel; it’s an ecosystem. Peers, teams, VARs, analysts, and events all act as filters that shape which solutions even get a chance to be considered. The decision itself is slow, deliberate, and can end with “not now.”

The vendors that make it through aren’t always necessarily the loudest. They’re the ones that meet the CISO where they are: aligned with their priorities, respectful of their time, and capable of proving value without pressure.

In short, CISOs don’t buy features; they buy confidence. And as with a strong security posture, that’s something that takes time to build.

In the next part of this series, we will look at how CISOs view vendors, from startups to established ones, and what it takes for a newcomer to earn their trust.

On paper, CTI seems like a discipline that is steadily professionalizing. But speak with practitioners on the ground, and the picture is different. Quite different indeed.

The day-to-day work of CTI is more fragile, more improvised, and more dependent on context than smooth reports suggest. As one analyst told me bluntly: “Tactical CTI is the most useful for SOCs, but it’s the most avoided. Organizations rely on recycled rules from public sources or improvise without risk-based prioritization.”

Through this article we are going to explore the opinions and views from 10 analysts across Europe, North America and Latin America, contrasting it with what surveys and frameworks say about where CTI stands in 2025. As with the previous piece about AI & Threat Hunting, the difference is striking.

This edition of Cybersecurity & Business is supported by:

CTI on Paper: A Maturing Discipline

The regular CTI survey conducted by SANS is one of the main sources to have a quantitative view of what is happening in this field.

According to data from their latest edition (2025), 93 % of organizations are now maintaining some form of in-house CTI capability, and more than a half of them (52 %) have dedicated CTI teams, up ten points from 2018. However, teams remain small: 62 % have fewer than four full-time CTI analysts.

Based on the survey, the dominant use case for CTI is Threat Hunting, with 77 % of respondents citing it, while MITRE ATT&CK has become the shared language of the field (86 % adoption).

As everywhere else, AI adoption is growing: more than one-third of teams are already using it to enrich and score intelligence.

There are multiple challenges referenced by the respondents. 62 % mention lack of funding, as an obstacle to provide more value through CTI. Integration, automation and skill gaps remain top blockers.

Once you go through the survey, CTI feels like a field gradually moving from artisanal to a more professional stage. Formal processes, reporting structures seem to be more common, and maturity frameworks such as CTI-CMM and initiatives like the FIRST CTI SIG are, theoretically, gaining traction.

However, while the SANS CTI survey is probably one of the few global of its kind, the demographics are heavily skewed toward US-based respondents, and when we turn to the voices of analysts in other parts of the world, as I did through my interviews, the overall state of CTI feels less polished, despite the depth of knowledge.

CTI in Practice: The View from Analysts

Role Diversity in CTI

One common theme across the interviews is how rarely CTI is practiced exclusively. Only a minority of analysts work only in CTI, with most wearing multiple hats.

Just 2 of the 10 consulted analysts are fully dedicated to CTI, with the rest combining it with other functions, like Threat Hunting, DRPS, engineering, incident response, automation and external comms.

“I am fortunate to work in a highly-focused Cyber Threat Intelligence (CTI) team…”, said one of the interviewees, highlighting how uncommon this can be.

Across all conversations, CTI seems to be a starting point to achieve something somewhere else, internally or externally. For instance, it was not unusual to hear how the work of the analysts could span across multiple other functions depending on the type of company they work for.

An analyst working at a major cybersecurity vendor needs to do malware research, identify TTPs, improve automation pipelines, to not only improve detections and the product itself, but also to support marketing, PR and sales.

Another one, working on a service provider, dedicates part of his time to CTI, but also participates actively in incident response and in managing and improving internal processes.

This diversity illustrates CTI’s hybrid identity. Rather than its own thing, it often acts as a connective tissue between prevention, detection, response, product development, executive decision-making, and even corporate communications.

Measuring Value: More Art than Science

“What is the impact of CTI and how it is measured?” was one of the questions asked to the professionals I interviewed.

The SANS survey respondents said they mostly measure effectiveness through feedback meetings or indirect metrics. The interviews I conducted echoed this, but with very different flavors.

The answers show different types of metrics, formal and informal, that go from outcome-based impact and process maturity to subjective feedback.

One of the analysts working in a cybersecurity vendor had a product-driven angle: “The real test is how findings are used. If they lead to earlier detections, stronger defenses, or features that make our product more valuable, then I know the work is having an impact.”

The other respondents working in vendors and service providers had similar comments. One of them highlighted the metric is anchored in how CTI helps MDR or DFIR teams, even though it is not something they quantify in a specific performance indicator.

On the other side, a professional working for a service provider mentioned that the success often comes down to “the valuation of supervisors or clients”, while another analyst mentioned “cross-team feedback”.

CTI can be part of so many processes depending on the organization where they sit, so as another one of the respondents pointed out, the metrics can be various, like hunts initiated, credentials reset, domain takedowns, vulnerabilities remediated, and more.

Even PR or marketing results were mentioned as indicators, as some of the analysts are part of companies that are basing their value proposition and differentiation on the threat landscape knowledge of their teams.

Together, their answers show a field where measurement is still improvised, even if some of the maturity frameworks were mentioned. Some CTI teams are indeed tracking hard outcomes, but others are more focused on subjective measures that can span from client feedback to a company’s reputation and positioning.

Daily Struggles

Analysts across the board complain about data volume, tool limitations, and stakeholder alignment. But one of them is warning us of something more subtle: the erosion of human critical thinking.

“The greatest challenge is the bias that creeps into teams when technologies like GenAI advance. Doubt and validation are being exercised less. Doubt is a skill we must maintain, otherwise we risk outsourcing responsibility to the tools.”, said Ruben Lencina, Threat Intelligence Leader at Base4 Security.

The increasing usage of AI in CTI is leaving less space to analysts to apply critical thinking, he emphasised, as the output of the tools is not second-guessed as much as it should.

This gets worse, he pointed out, when we take into account resource shortages. Insufficient staff to adapt CTI into automated processes slows adoption and leaves service providers less agile to respond to attacks and to their competitors.

Other challenges are more familiar. As another analyst described, there is a difficult and delicate balance in filtering vast data streams without missing the critical bits. Also, there were common concerns about how tactical CTI is systematically neglected, either replaced by generic recycled rules or improvised without risk studies.

Stakeholder engagement and expectation management were brought up by several respondents.

“If you just ask, ‘What are your PIRs?’ you’ll get vague answers. You need to ask what they do daily, what they protect, what they’re afraid of.”

Stakeholders sometimes think frameworks like ATT&CK map neatly onto all threat activity, when underground forums, where many analysts spend their time, don’t provide that kind of structured intel. “CTI is often misunderstood”, one of them noted, and analysts need to face that misinterpretation as much as they need to battle threats.

That’s not all. There are more challenges that were brought up during the interviews. For instance, thefundamentals gap.

“Everybody tries to have the ‘next super-AI solution,’ but they don’t have good firewalls, network segmentation, password management, or a comprehensive SOC.” For this analyst, the challenge isn’t only volume or expectations but that too many organizations neglect basic security hygiene while chasing hype.

Prioritization was mentioned by other respondents, but at a different level: “Threat actors use a huge number of TTPs, and it’s critical to identify which ones actually represent a risk for our customers.”

As it was pointed out by one of the interviewees, the problem might not be having too much data, but figuring out which behaviors deserve the most attention and how to translate findings into actionable detections and clear business value.

What Opportunities are Ahead?

Despite frustrations, every analyst pointed to areas where CTI could deliver more value. There are plenty of views regarding what lies ahead.

For some, especially MSSP practitioners, the answer is prevention and early detection. “As MSSPs, we try to know adversaries and their TTPs so that if a client hasn’t implemented all defenses, we can still detect and mitigate quickly.”

When it comes to corporate CTI teams, the blind spot is internal intelligence. External feeds are plentiful, but too many organizations neglect their own SIEM logs or phishing data. Combining internal telemetry with external sources creates the most relevant threat picture.

An analyst working for a cybersecurity vendor highlighted that the opportunity is exposing actors earlier and prioritizing threats based on who is active and what they are doing. But he also stresses democratization: “We need automation and scale, but also to make CTI available to more teams for less money.”

The involvement of the executive layer of the organization was also mentioned as a key opportunity: “CTI is key for executive decision-making that improves the organization’s security posture.”

As expected, technology itself was mentioned several times and in different flavors, like how it can support automation, deeper analysis and integration (where intelligence can accelerate efficiency and resilience), and not only in IT, but also with legacy and industrial environments.

“Enterprise and industrial sectors need dedicated, trained professionals, combining blue teams with CTI analysts. There is so much to do with security solutions from ten years ago that were not applied and understood. We don’t need the AI revolution; we need people that understand security.”

The common thread, among many answers, is proactivity: CTI has its biggest impact when it reduces analyst workload, prioritizes what matters, informs executive choices, secures overlooked or obscure systems, and even strengthens a company’s business positioning.

The Various Voices of AI

No topic splits the field like AI.

The SANS survey notes that AI is already being used for enrichment and scoring, but adoption is uneven and many applications remain underexplored.

Our interviewees agree in general that AI will be transformative, but they describe it in far more human terms.

There are some that see it very positively. “AI will be key to faster detection and anticipation”, is a clear expectation from many of the analysts, with clustering behaviour and automating analysis as areas where AI is seen with good eyes by the respondents.

Another area that was mentioned with enthusiasm was predictive intelligence. Moving from “what happened”to “what might happen” as one of the interviewees put it. Some models can already anticipate attacker TTPs before they are deployed, and this is a very positive application of AI for CTI analysts overall.

However, not everybody shares the same enthusiasm and expectations. “AI, in its current state, cannot replace human initiative”, is the opinion of one of the analysts that is echoed across other answers, in one way or the other. “We don’t need the AI revolution; we need people that understand security”, adds another.

The bottom line, as it happens with AI in many sectors, is that while it might help with some processes and make the CTI function stronger overall, there are still concerns about how much it can really do, and the risks it might bring, from false positives and negatives, to over-confidence in its outcomes.

And of course, AI will also help the attacker, as one of the analysts pointed out, especially accelerating hybrid operations, where cyberattacks combine disinformation, deepfakes, and media manipulation.

There’s clearly not a common view on the topic, as we can see from very different views across everyone that was consulted. The only thing that is shared by the majority is that the adoption of AI is growing and it will be transformative, one way or another.

Where CTI Goes Next

Between survey charts, maturity models, and analyst voices, some clear opportunities emerge.

1. Professionalization and Structure
   Frameworks such as CTI-CMM, the FIRST CTI SIG, and the Mandiant Competencies Model give CTI programs a way to mature. One respondent suggested CTI will eventually resemble “classic intelligence services”, only in digital form.

2. Integration of Internal and External Intelligence
   It was stressed that the overreliance on external feeds needs to be corrected. Combining internal telemetry with vendor and community-driven intel is a chance to make CTI truly contextual.

3. Automation and AI
   From enrichment to predictive analysis, automation is no longer optional. But as many warned, automation must be balanced with human oversight and critical thinking, and it should not distract from fundamentals. There is, though, a clear need for automation pipelines and TIPs to handle massive telemetry and OSINT, where AI can be key.

4. Geopolitics and Hybrid Operations
   The SANS survey shows growing pressure from geopolitical and regulatory shifts. Analysts see the same. Russia-Ukraine and Israel-Iran conflicts were cited as shaping CTI priorities, while disinformation was pointed as a persistent reputational threat.

5. Prevention, Early Detection, and Industrial Resilience
   CTI’s greatest value remains in stopping attacks early. Whether through actor exposure, TTP tracking, or internal hunting, the role of CTI is clearest when it prevents or shortens an incident. One perspective reminds us that industrial and legacy environments (often still running on end-of-life systems) stand to gain immensely from CTI paired with blue-team fundamentals.

If there is something that is shared across survey results, frameworks and the voices of the analysts is that CTI, both as a function but also the tools they use, still has space to evolve and become a key part of the security strategy of any organization.

When it comes to the tools, they clearly need to evolve as well. Some vendors, like EclecticIQ are taking the hint and working on initiatives that integrate CTI and SOC platforms.

Even more, we can see how specialized platforms are appearing to address the very trends that the consulted analysts mentioned, like predictive intelligence, disinformation and hybrid operations. BforeAI and LetsData are clear examples of companies working in that space.

These and other evolving tools can help analysts to filter the noise, communicate relevance, and deliver insights and outcomes that prevent damage.

In any case, the voice of the analysts is clear: more professional approach to CTI is needed, and the human experience and knowledge, as well as critical thinking, are what matter the most, in their opinion.

As one of them put it:

“Professional analysts: don’t trust the source. Trust yourself and your analysis.”

That, beyond any survey result or vendor promise, is what CTI truly comes down to: not frameworks or feeds, but the ability to question, interpret, and act.

We won because of two things that mattered deeply to the people we were trying to reach: small update sizes and low system resource consumption. That was it.

Our updates didn’t bring already slow connections to a halt. Our software didn’t bring underpowered computers to a crawl. These things may sound minor today, but back then, for many users and resellers, they were real, immediate problems. And we solved them. Better than others.

That’s what got us in the door. And to become later the largest endpoint security vendor by revenue from the European Union.

This edition of Cybersecurity & Business is sponsored by:

The problem with bold statements

Cybersecurity vendors — especially startups and scaleups — often feel pressure to say something bold. Something visionary. Something that makes them sound like leaders.

But bold statements alone don’t win deals. Especially not in the beginning when nobody knows you.

There’s already too much noise in cybersecurity. Too many companies saying the same things, in the same way, with the same vague promises. "Next-generation protection.","AI-powered prevention.","Unified, proactive defense".

Statements like these aren’t wrong. They’re just not enough to cut through the noise.

They don’t tell the buyer what problem is actually being solved, or why this or that vendor is the one to solve it. They sound good in a pitch deck, but fall flat in front of a buyer who has already seen 15 other vendors say the same thing.

What buyers are actually looking for

Here’s what often gets overlooked: most buyers don’t have the time, interest, or ability to test every product. They default to one of three things:

1. What they already use

2. What their trusted network recommends

3. What’s available from their existing service providers or distributors

For a new vendor to break through, you need to give them a very specific reason to consider you. That reason must connect directly to a problem they care about, ideally one that others don’t address well, or don’t communicate clearly.

Where that insight comes from

You won’t find that message sitting in a conference room with your team.

You find it by getting outside and talking with end users, service providers, distributors, MSSPs. Attending events and conferences. Understanding what their actual pain points are, not just the ones you imagined when building your technology and your product.

At ESET back in the day, we spent a lot of time doing just that. The insights that helped us grow didn’t come from strategy slides: they came from regularly testing the competition, from our support tickets, events, channel conversations, and feedback loops we created with our early partners and users.

That’s how we learned what really mattered.

From tech, to product, to solution

Many startups begin with a piece of technology. Something novel, interesting, or genuinely clever and they tend to think that is what will make them win.

But technology alone doesn’t win.

You have to turn that technology into a product: something that people can actually use, deploy, and rely on.

Then you have to go a step further and turn that product into a solution: something that solves a specific, recognized pain in someone’s workflow or infrastructure.

That last step doesn’t happen unless you deeply understand the user’s world. Which means talking to them, a lot.

When you are able to articulate how your product can solve that specific pain or problem in a way that end users feel and understand, that is when you really have a chance to win.

What you should (and shouldn’t) do

Here’s what I’ve seen work for vendors who break through:

What to do

• Spend time outside the company, with users, implementers, and channel partners

• Listen for the small but persistent pain points

• Watch for the patterns behind unexpected wins

• Build messaging around what you remove — friction, complexity, noise — not just what you add

What not to do

• Assume your "key innovation" is what customers care about most

• Rely only on feedback from CISOs or top-level execs, instead of listening also to the implementers and users

• Over-rotate on vision and category creation before you’ve won a base

• Copy messaging from the market leaders and hope to sound credible

What we would’ve missed

If we had only talked about “advanced heuristics” at ESET, we wouldn’t have become the largest European cybersecurity vendor by revenue.

The way we implemented heuristics was important, a true innovation — no question. But that wasn’t the reason people became our fans and chose us in the beginning, no matter how in love we were of our technology.

The reason was simpler. Updates were smaller. Systems ran faster. Partners didn’t get as many complaints.

Back in those days, IT administrators needed to update their endpoint security solutions at night to avoid their internal networks to overload, and users saw how their computers were suddenly running very slow when the antivirus was updating or performing a scan.

That’s what we solved. That’s what got us traction. The rest came later.

Solve first. Shout later.

The security market doesn’t need more bold yet generic statements. It needs vendors that remove friction, solve real problems, and explain those things clearly.

If you’re a cybersecurity startup or scaleup trying to grow don’t focus on saying you are bold. Focus on being useful.

The cause for this isn’t lack of innovation. It is fragmentation, cost, complexity and missed opportunities.

Many of the building blocks for a stronger email security posture are there. It’s just too complex and costly to transform them into a wall.

Email Is Still the Frontline And It’s Not Going Well

You’d think that by now, we’d have this under control. Email is one of the oldest technologies in our digital lives. And yet, it’s still where most attacks begin.

According to a Sendmarc Report, 91% of all cybercrimes start with email, and based on information from the FBI IC3 Report, the losses from Business Email Compromise (BEC), just in the United States, are in the billions of dollars.

There are multiple cybersecurity vendors offering Email Security solutions that are still not able to cover all the bases, and standards that could help to improve the situation (like DMARC or BIMI) are still not widely adopted.

This is not something that affects only large companies, like the case where a Lithuanian man tricked Google and Facebook into wiring him over $100 million using fake invoices and lookalike domains. It affects also smaller businesses.

The following are just a few examples:

• In 2023, a Florida manufacturing firm lost $420,000 to an impersonation email claiming to be a known supplier. The attacker had registered a similar domain and altered just one letter (CNBC).

• A South African property company was hit with a $250,000 loss after hackers intercepted emails and modified banking details in a PDF invoice (MyBroadband).

None of the above are edge cases neither they were caused by a failed firewall or endpoint security. The same is happening to many organizations around the world, and just because someone believed an email.

Why the Ecosystem Keeps Failing

Email Security is a decades-old challenge. There have been many attempts to improve it, even though none have done it yet.

It’s not for lack of standards, as we have many to choose from. For example:

• SPF, DKIM, and DMARC (yet only 19.6% of DMARC-enabled domains have a p=reject policy);

• BIMI, which depends on DMARC and a Verified Mark Certificate (which requires a registered trademark and can cost more than a thousand dollars a year), and

• Verified Sender from Microsoft (which works only inside their own ecosystem and doesn’t support BIMI).

BIMI sounded like a promising solution to - at least part of - the challenges, but it is still not universally supported across email providers and clients, and the necessary certificates are expensive and slow to obtain.

On top of that, Microsoft came and decided to implement their own approach through Verified Sender that is also complex and not compatible with many other email providers and clients.

Moreover, lookalike domains can still bypass all of this, as it has been proven by many successful breaches.

The battle feels lost because the email threat landscape isn’t getting better. On the contrary, it’s getting more complex, and it would require more tools than the above, like DNS security, which isn’t common outside large enterprises.

Attackers adapt faster than security vendors align. They register domains and set up phishing campaigns in minutes that many brand protection tools don’t see until it is too late.

The lack of a unified, affordable, plug-and-play solution that covers all the angles, especially for SMBs, is forcing the defenders to be stuck with multiple different solutions that don’t talk to each other and still fail to cover all the bases.

And users? They’re still clicking on anything with a logo or a friendly tone.

Something is shifting. Slowly.

However, there is, maybe, some light at the end of the tunnel. At least when it comes to DMARC.

Since Gmail and Yahoo started to enforce DMARC for bulk senders others have joined, like Microsoft and Cloudflare recently. Moreover, anti-phishing measures and specific DMARC implementation are now part of many other frameworks like HIPAA, NIST, etc.

Additionally, vendors like Sendmarc are making its adoption accessible and affordable, automating the process and helping organizations to get to p=reject faster.

This growing pressure is helping to transform DMARC from a best practice into a baseline.

A Modern Email Security Stack

Nowadays, defending against malicious emails should be based on standards like DMARC - which is growing in awareness and adoption - and complement the standard endpoint and email security products with solutions to other common challenges, like early detection of lookalike domains.

“According to BforeAI’s telemetry, threat actors register thousands of look-alike domains every single day — often within 24–48 hours of launching phishing infrastructure. Some campaigns are detected within minutes of domain creation, but by the time traditional security tools catch up, the damage is often already done.”

— BforeAI Report

This multi-layered approach would require, considering the tools available today, solutions that at least cover the following:

• SPF, DKIM, and enforced DMARC to minimize email impersonation

• BIMI + Verified Mark Certificate and/or Microsoft Verified Sender for visual trust (where supported) and helping to mitigate, to some extent, spoofing attacks

• Brand protection (or Digital Risks Protection) to catch lookalike domains before they go live and to be aware of stolen credentials

• DNS Security (or Protective DNS) to prevent clicks on fake domains that are part of phishing campaigns not caught by the rest of the tools

• Takedown services to remove malicious infrastructure as soon as possible

Sounds a bit complex… and it is. Especially considering that it is difficult to find one provider that can do it all within the budgets of any type of organization.

You will probably need 3, 4 or more solutions just to cover the above, on top of the basic security tools you still need to have anyway (Endpoint Security, Email Security, etc).

This is due to the nature of current email-based attacks, which are combining not only phishing and social engineering tricks, but also other components like stolen credentials and web infrastructure.

Don’t Forget the Basics: People & Partners

The above stack would still be fallible. There are still at least two more areas that are requiring attention: the members of an organization and their external stakeholders.

While BIMI or Verified Sender features can help people to spot the difference between a real email message and a spoofed one, users need to be trained to recognise the difference.

Moreover, an organization today is connected to many others (suppliers, partners, vendors, customers, etc) that would also need to adopt standards to reduce the exposure. For instance, enforcing DMARC on suppliers would help to reduce the potential risks of employees receiving emails impersonating a business partner.

Any technology stack is as strong as the weakest link, and as the solutions above aren’t infallible or fast enough, additional measures would be necessary to increase the overall security of the organization.

How Far We Are, and Where We Go

The truth is, most businesses are far from implementing the above stack, and many email security providers are too busy adding other features (like AI Agents) that don’t necessarily cover the full chain of a typical email-based attack.

Some reasons:

• It’s still too fragmented and complex

• Some tools are cost-prohibitive for SMBs

• Lack of client-side support (i.e., Outlook still doesn’t support BIMI)

• No unified platform offers everything end-to-end

The opportunity? A service provider — or security vendor — bundles email security, standards support, DNS protection, takedown, logo verification, and brand monitoring into a single pane of glass. With pricing that doesn’t rival your cloud bill.

That is, in my opinion, the path forward. A convergence play of several existing yet not integrated solutions that finally treat email as the critical infrastructure it has always been.

The battle isn’t being lost because the tools don’t exist. It’s lost because we haven’t made them usable, affordable, and unified. A holistic approach is missing.

The moment we see email-based attacks as something that needs a combination of different approaches beyond the standard email security, we will be able to start fighting back and maybe even winning.

Email is still the front line. It deserves better defenses.

What do you think? Is this layered approach to email security realistic in your organization — or still out of reach for most?

“We signed the distribution agreement! Now time to sit, relax and see the growth finally coming!”.

If you're a cybersecurity startup or scaleup, you might recognize this moment: the high of closing your first distribution deal. It feels like validation, a catalyst for expansion. But too often, that excitement turns to confusion, frustration, and disappointment.

Nick Bailey, Global Account Director at Softcat, has seen it firsthand: “At my previous company, we signed 15 vendors while I was there: 2 were great, 3 were okay, and the rest failed. But that’s the general nature of this business.”

Most cybersecurity vendors that have tried to scale their business through distribution know what Nick is talking about. Many of these partnerships fail due to a wrong fit between channel and vendor.

Mateusz Wepa, from iiTD Poland, gives an example why this happens: “Vendors tend to overvalue big brand distributors. You’d rather have a smaller distributor focused on you 100% than a big one that gives you 10% or less.”

I have been working for more than 20 years with cybersecurity vendors and distribution partners around the world, and I can tell you this: signing a distribution agreement can be game-changing yet guarantees nothing. It's a milestone, yes, but it’s also a small step on the much harder journey toward growth.

To understand how vendors can increase their chances of success, I spoke with seven distribution leaders from a variety of companies (large and boutique, transactional and MSP-focused) across five different countries. Here’s what they had to say.

What Distributors Really Want: More Than Just a Good Product

The consulted distributors agreed on one key point: having a great product is just the starting point. It’s expected, not exceptional.

Distributors consistently look for vendors that offer more than just a "cool" technology:

• Clear market differentiation

• A realistic go-to-market strategy

• Clarity on the channel strategy

• Integration with existing ecosystems

• Loyalty and trust

Each one of the interviewees had something to say about this:

“Partners don’t need the best in class product. They need a good product, but they need the best in class channel,” said Mateusz Wepa. “A lot of vendors with great technology didn’t grow properly just because they didn’t have a channel strategy in place that was attractive for the partners. For the partner, the most important thing is to make money.”

Mikolaj Sikorski from Dagma reinforced this point with a strategic lens: “We expect the vendor to clearly articulate compelling differentiators, a strong product vision, and a strategic roadmap. If a vendor relies only on marginal feature comparisons or assumes success in one market means success in another, it shows misalignment.”

David Sánchez García from Ontinet.com tied it back to partner needs: “A product only has value if it addresses real needs and fits into the partner’s overall strategy.”

Cybersecurity vendors - especially those starting to work with distribution - are often in love with their technology, forgetting that a product’s value lies not only in features but in its ability to integrate into a broader business context and solve actual use cases.

Thomas Bresse from BeMSP echoes the importance of ecosystem fit: “We want to avoid solutions that are completely isolated. We prefer those that fit well into an ecosystem.”

This is particularly true with specialized distributors, such as those focused on MSPs (like BeMSP above) or those who prefer to concentrate most of their efforts on one or two strategic vendors, surrounding them with complementary and inter-operable solutions. If a new vendor doesn’t align with that strategy - no matter how advanced the technology - the distributor is unlikely to prioritize it.

Channel Clarity Is Non-Negotiable

One of the strongest recurring themes from every interviewee: vendors must choose a clear channel strategy and stick to it. Trying to sell both directly and through partners almost always creates conflict.

“Hybrid approaches rarely work. Vendors must make a clear choice,” said Ettore Mastropasqua from ALLNET.ITALIA. “Either go through distribution or go direct, but not both.”

Thomas Bresse reinforced this from an MSP perspective: “We work with MSPs, so we immediately rule out vendors who are primarily targeting enterprise or mid-market clients.”

Additionally, the way of working must be clearly defined from the beginning. What will be the respective roles of the vendor and the distribution partner? Will the distributor have exclusivity in a given market or for an initial period of time, or does the vendor intend to sign multiple distribution partners?

These are fundamental questions that determine how much effort and investment the distributor is willing to put forward.

Commitment Goes Both Ways

Successful distributor relationships require vendors to match the distributor’s commitment. This means contributing time, people, and money, instead of just expecting results.

“A strong sign of commitment is the allocation of dedicated resources - ideally in coordination with the distributor - rather than simply offloading activities to the channel.”, says Ettore Mastropasqua of ALLNET.ITALIA.

Distributors consistently emphasized that they should be treated as an extension of the vendor’s team, not just another independent entity executing transactions. This includes transparent communication, shared objectives, and mutual accountability.

“A distributor is not just a reseller,” reinforces Ettore Mastropasqua. “It’s an extension of the vendor’s own team. The commitment must be mutual.”

David Sánchez García from Ontinet.com recommends: “Treat the distributor like you would a new internal hire. Train them, support them, and empower them.”

At the heart of these expectations lie two core principles: loyalty and trust. Vendors must demonstrate that they are invested not just in transactions, but in building a stable, long-term relationship.

As Mateusz Wepa put it, “The channel that we’re going to build needs to be secure and transparent. Transparency with the channel, and lack of direct involvement without the knowledge of the partners. That’s very important.”

Distributors are willing to invest, but they expect the same from vendors. This includes:

• Dedicated vendor-side resources

• Marketing and event co-funding

• Shared planning and transparency

The more commitment the vendor shows to the distributor and their needs, the more the partner is willing to invest, prioritize the vendor, and build the brand alongside them.

Flexibility and Local Adaptation

Every country, every partner ecosystem, and every sales process is different. A rigid go-to-market model designed in one market rarely survives contact with another. Distributors unanimously emphasized that what works in the U.S., the Netherlands, or Germany might not work in Spain, Poland, or Italy.

“Many vendors, especially from North America, fail in Europe because they try to replicate their home market strategy in new regions,” warns Mikolaj Sikorski from Dagma. “You have to think global but act local.”

This goes beyond just messaging and pricing. It includes how the product is positioned, who it is sold to, and even how onboarding and demos are conducted. For example, David Sánchez García from Ontinet.com noted that vendors often fail by treating every distributor the same:

“Not all distributors are the same nor do they operate the same way. Vendors must invest time in understanding the local distributor’s structure and adapt their approach accordingly.”

Language plays an important role here too. As Thomas Bresse from BeMSP shared, “Our best experiences have been with vendors who have people on their team who speak our language and can interact directly with our partners.”

This is particularly important during the launch phase, when direct engagement with partners and internal teams can make or break momentum.

Mateusz Wepa added a complementary perspective: vendors shouldn’t worry about translating every piece of content upfront, but instead should empower the distributor with quality material in English and trust them to handle localization. “That’s one of the reasons you choose a distributor: to bring local know-how,” he explained. Those that are empowered to adapt tend to deliver faster, more sustainable results.

Enablement and Responsiveness

Enablement doesn’t just mean training. It means preparing the distributor to operate independently and successfully, on the commercial and technical fronts.

Distributors expect vendors to:

• Provide high-quality documentation: Not just datasheets or product pages, but detailed, well-organized materials that help commercial teams pitch effectively and technical teams support customers. This only works when vendors provide complete, organized documentation from the outset. Resources that are accessible, up to date, and usable and loved by both commercial and technical teams.
  

• Offer training (commercial and technical): Initial onboarding sessions should give distributors enough knowledge to deliver demos, answer partner questions, and troubleshoot common issues. But enablement doesn’t stop at launch; it should evolve with the product. As Mikolaj Sikorski emphasized, "We expect structured product training, followed by continuous updates as the product evolves."
  

• Remain responsive and available: Vendors must be reachable when it counts. Quick access to answers, whether pricing clarification, technical support, or licensing help, allows distributors to be agile in front of their partners. As Mateusz Wepa noted, “The ultimate value in value-added is time.” If vendors delay, the whole channel slows down.

Distributors that receive timely, relevant support can truly act as an extension of the vendor. Those that don’t, often become bottlenecks instead of growth engines.

Driving Demand Together

Distribution is not just about logistics, contracts, or onboarding; it’s about growth. For distributors, lead generation and market development are critical indicators of a vendor's seriousness and readiness to succeed.

Nick Bailey was direct: “Lead generation is key. There's no point in having the infrastructure in place if you're not going to drive actual transactions.” In other words, no matter how well the operation is built, it’s meaningless without real pipeline opportunities.

Mateusz Wepa echoed the same idea but expanded it further: “If you want to build a brand, you have to create visibility. You have to have people seeing it, having access to it, building credibility.”

For him and others, marketing support isn’t a bonus; it’s a proof of commitment. Vendors that help co-fund events, share leads, or even just provide swag for giveaways get prioritized. Those that are present in the market, at least often, for in-person activities even more.

Ettore Mastropasqua connected this directly to onboarding and mutual responsibility: “Lead generation is a key component of a strong partnership. It’s not enough to have infrastructure in place if there is no plan to drive transactions.”

There is more to growth with a distributor than just lead generation. Incentives programs for both the organization and their teams are an important part of the conversation. Rebates, SPIFFs, dinners, prizes, experiences, are key to motivate the internal staff of larger distributors.

Distributors are often working with multiple vendors at once. The ones that show up with leads, demand-gen plans, or event support become the ones that get attention. As one distributor from the United Kingdom put it: “If you don’t bring business, you become background noise.”

That said, how lead generation, incentives and market development are executed can vary widely depending on the type of distributor.

A boutique, value-added distributor may expect co-branded webinars or support for local roadshows, while a larger, transactional distributor might focus more on funded heads, digital campaigns or shared lead portals. MSP-focused distributors, on the other hand, may value tools and enablement programs that help their partners sell recurring services.

The key is for vendors to ask the right questions early on: What does demand generation mean for this distributor? What support do they need to succeed in their model? Just like everything else in successful partnerships, alignment matters more than assumptions.

Avoiding the Common Mistakes

Here are the pitfalls that nearly every distributor mentioned when talking about failed vendor relationships:

1. Assuming the distributor will do everything.

   • Distributors are enablers, not magic growth machines.

2. Targeting the wrong type of distributor.

   • A startup might get lost in a large distributor's portfolio. A smaller, hungry partner may be a better fit.

3. Failing to commit resources.

   • Distributors need vendor-side people, budget, and a shared plan.

4. Not defining roles and expectations up-front.

   • Distributors want to know what their role will be from day one: What responsibilities does each side take on?

5. Overcomplicating onboarding.

   • Onboarding should last as long as it takes, but it must be practical. Too little is a red flag; too much can overload the team.

6. Neglecting to adapt to local realities.

   • Language, culture, pricing models, and sales cycles all vary.

7. Complex processes.

   • “Make it as easy as possible” is the recommendation of one of the consulted distributors.

8. Damaging trust.

   • Nothing breaks a relationship faster than undercutting the channel or misattributing success.

Choose Wisely

Distributors are one of the Kingmakers in Cybersecurity. Choosing the right one, and understanding how to work with them, is essential for cybersecurity vendors to achieve sustainable growth.

Not every distributor will be the right fit for every vendor, and alignment in objectives, business model, priorities, and engagement style is often more important than size or reputation.

Cultural fit, empathy, and communication matter just as much as pricing and product. Don’t fall for logos or headcount: look for alignment.

The right partner understands their market, shares your vision, and invests in your success. But that relationship must be nurtured through transparency, commitment, and mutual respect.

Signing a distribution agreement is cause for celebration, but it’s just the first mile of a marathon. And like with any marathon, you need to be ready for it.

Over the past weeks, I interviewed ten security professionals across internal enterprise SOCs and security service providers (MSSPs, MDRs, consultancies). Their roles span from SOC managers to DFIR engineers and Threat Hunting.

Collectively, they represent organizations of various sizes and sectors, from tens of thousands to dozens of employees, as well as different regions and cultures.

The goal was to understand what the real impact of AI on threat hunting and incident response is today, ignoring what the “marketing” says and listening to the SOC floor.

While we cannot draw general conclusions from a sample of this size, the result is that, for now, AI is helping, not replacing. The experts perceive gaps in the existing tools and are cautious about them, and they face several other challenges that are requiring their attention.

Through the rest of this article we are going to go through the most revealing insights from the experts that are defending organizations around the world, every minute of every hour of every day.

Dedicated Team or Shared Responsibility?

When it comes to the structure of Security Operations teams, there’s not one way to handle Threat Hunting. While larger organizations tend to have dedicated specialists, in-house or outsourced, most service providers don’t.

Dedicated threat hunters are expensive to maintain, especially for smaller providers that depend on tight margins.

“We don’t have dedicated threat hunters because we’re not big enough. It’s simply not financially viable”, says the SOC Deputy Manager of a French MSSP.

Logically, service providers must balance efficiency and scale, and assigning full-time roles for threat hunting is challenging, not only because of the cost and resource constraints, but also because many clients don’t understand or perceive its value.

“Some of the more mature clients understand why (threat hunting) is key, but unfortunately most of them are not yet convinced despite our best efforts”, extends the previously quoted specialist from France.

This makes it harder for service providers to justify threat hunting as a standard part of their services, a challenge that gets more complex as they need to deal with tool fragmentation across clients.

Threat Hunting then becomes a shared responsibility among analysts when it comes to service providers.

“Senior-level analysts lead investigations, and all analysts share hunting responsibilities collaboratively”, explains a SOC Analyst from a medium-size service provider from Arizona, US.

The foundational work

Before even considering any kind of automation, including AI-driven ones, Security Operations teams need to build the right foundations.

How the teams are structured, as we mentioned above, is one of those pillars, alongside data, processes, and tools.

Many of the interviewees mentioned that their biggest challenges are on getting those basics right.

“Lack of quality telemetry data is one of our biggest challenges. We’re working on improving visibility through better log management.”, says the SOC Manager of a large logistics company.

It’s nothing new that SOCs need to deal with an ever-increasing amount of data being ingested by their SIEM and other tools. Even then, there are visibility gaps caused by budget constraints, compliance restrictions or overly aggressive tuning, as one of the interviewed analysts highlighted.

Every one of the interviewees is going through different initiatives to not only address the data challenge but also their internal processes. SOARs, playbooks, methodologies (like TaHiTI) and custom approaches are some of the ways that the different organizations are looking into in order to achieve a high process maturity.

However, the variety of tools and sources plays a factor here, making it even more complicated. For instance, as examples:

1. A SOC Manager at a 150,000 employees company highlights the need to integrate CTI and refined IOCs that could trigger alerts worthy of investigation.

2. An analyst from a Spanish service provider mentions that threat hunting is still a manual or semi-manual process due to the diversity of digital assets they are monitoring in different customer environments.

What is clear across the board is that automation and AI requires the right foundations in place, especially around data and processes.

Hunting the Unknowns

When reading through the lines, there is a topic that is mentioned by pretty much every interviewee: the challenge of hunting based on more than IOCs, detections and signatures.

“The biggest challenge is detecting threats without known IOCs. Advanced threats aren’t always identified through traditional signatures, so a more behavioural approach is needed, requiring more analyst time and specialization.”, mentions a Digital Forensic Analyst from a large service provider.

This is an essential aspect of modern threat hunting, and it is still a work-in-progress in many cases. Many teams are relying on alerts as the trigger to investigate further, and many unknown threats don’t generate one.

Transforming intelligence into detections, creating behavioural baselines in collaboration with clients, reducing irrelevant alerts and better log management are some of the ways SOCs are addressing this issue.

“The challenge isn’t just data volume. It’s the lack of context that makes hunting unknown threats especially difficult.”, extends a Principal DFIR Consultant from a large UK-based service provider.

Finding unknown threats is where machine learning and AI algorithms can help, according to a few of the interviewees.

A Threat Hunting Lead from one of the largest insurance companies in the world confirms that approach is being selectively applied: “The use of AI algorithms is becoming more common. Since it can provide different angles in threat hunting, we apply it depending on the scenario and the goal.”

Moreover, another interviewee, Detection & Response Lead at the cybersecurity arm of a large physical security company, details a more advanced practice: “We use an internal correlator with machine learning to filter out irrelevant alerts. The important ones are first analyzed by an AI agent trained to behave like a hunter, so our analysts already have part of the work done when they step in.”.

Hunting unknown threats is clearly resource-intensive and difficult to scale. The organizations with mature structures and processes seem to be better positioned to formalize and operationalize this kind of work.

The question is: Can this be the area where AI can bring the most value?

AI is here, to some extent

None of the experts are working in companies that have fully replaced Security Operations functions with AI, despite the promises of many new vendors.

When consulted about the usage of AI for threat hunting, Olivier Caleff, CISO of Erium, a French cybersecurity service provider was very clear: “No. We don’t use it in production at the moment, but is is used as a supporting tool. We are waiting to have more reliable tools and positive testing before relying on it. Anyhow, we plan to enforce human control for quite some time”.

From the different answers, we can see that service providers, needing to deal with multiple tools due to the various customer technology stacks they must work with, are still not widely adopting AI, even though they do have some level of automation in place.

However, those in larger organizations, having a more homogeneous environment as well as less budget constraints, are already using (or planning to use) AI selectively in some processes, for instance, to assist threat hunters.

Nevertheless, maturity is still an issue, as a Senior DFIR Manager from a global financial company says: “AI helps in the analysis process, sometimes. Currently, it’s not mature enough to be anything more than an aid to analysts.”.

The adoption of AI is gradual, from assisting specialists in some particular cases to alert filtering and initial triage in others. There are also activities in progress in the organizations of a few of the consulted experts to adopt it further but still only as an aid to threat hunting efforts instead of a fully automated approach.

The overall sentiment is that while AI offers potential, it’s not a plug-and-play solution. Its success depends on how well organizations have structured their SOCs, curated their data pipelines, and integrated their processes.

A key takeaway? AI in threat hunting today is about augmentation over automation. The best implementations at the moment are those empowering analysts to focus on deeper investigation by handling noisy, repetitive work, and enhancing human intuition and expertise.

What’s next with AI & Threat Hunting?

While most SOCs are cautiously testing AI for reducing noise and improving alerts handling while focusing on getting the basics right, there are new categories of solutions beginning to surface.

When it comes to Tier 1 SOC Automation, products like Prophet Security, Dropzone and Qevlar AI promise to provide “hyperautomation” using AI to reduce alert fatigue and improve times to respond and mitigate.

Others are designed from the ground up to automate or accelerate threat hunting for the Tier 2/3 SOC analysts and hunters using AI, addressing some of the challenges highlighted above. CmdZero, TandemTrace and Exaforce are the most notable examples.

“All escalations in security operations require thorough human analysis before a decision can be made. Analyzing these cases is a highly manual process with a lot of grunt work, and the universal shortage of talent for this advanced skillset makes it the most significant bottleneck.“, said Dov Yoran, Co-Founder and CEO of CmdZero.

For instance, TandemTrace is a purpose-built platform to perform threat hunting at scale using AI-driven techniques. Unlike legacy SIEMs or EDRs with bolted-on AI features, platforms like this one aim to generate hypotheses, correlate telemetry, and surface anomalies without relying exclusively on known IOCs or predefined detection rules.

These products promise to:

• Reduce the time and expertise needed to start hunting campaigns

• Operate across telemetry sources (EDR, network, logs)

• Bridge the gap between threat intel and detection by automating contextual analysis

Their success will depend on showing the value to the Security Operations team when it comes to threat hunting but also in how they address the issues related to data quality, integration maturity, and human oversight.

“Threat Hunters have an incredibly complex job: they need to find a needle in the haystack, without knowing which haystack or if the needle even exists.”, remarks Almog Ohayon, CEO & Founder of TandemTrace. “The modern threat landscape doesn't pause for weekends or holidays. AI security agents can deliver continuous threat hunting and incident response, ensuring defenses are always up while attackers probe for weaknesses.”

The path to AI-driven threat hunting isn’t about replacing the hunters. It's about empowering them. And with AI agents that never sleep now on the horizon, that promise is starting to look real.

Further Reading

1. A SOC-MSSP Guide

2. SOC-CMM Maturity Model

3. SANS 2025 Threat Hunting Survey

4. 2025 Gartner Hype Cycle for Security Operations

I still vividly remember a call with an analyst more than 10 years ago. We were briefing them about our plans moving forward, and when we asked for feedback at the end, he mentioned that he was missing something he saw a then-newcomer, slowly gaining traction, was doing.

The analyst was clearly impressed by them and even advocated for us to follow through and deliver something similar. Today, that company is one of the largest cybersecurity vendors in the world.

Due to their constant interactions with customers, service providers, and vendors, analysts can shape buyer perceptions, guide enterprise decision-making, and influence which companies get considered for pilots, POCs, or RFPs.

So, how can cybersecurity companies (no matter their size, origin, or revenue) leverage this power? Start with analyst briefings.

What Is an Analyst Briefing?

An analyst briefing is a vendor-driven meeting where you present your company's strategy, product, and positioning to an industry analyst. It's important to understand the flow of these sessions.

As the text in a meeting invitation from one analyst firm reminds: "During a vendor briefing the flow of information predominates from a vendor to an expert. Requests for expert feedback should be scheduled as Inquiry calls only." 1

That means it's your job to deliver a clear, compelling narrative. This is your show. Analysts are not even expected to talk during briefings, unless they want to, and many of them are well trained to remain silent for the entire session.

Why Brief Analysts at All?

The perception is that analysts are pay-to-play. I completely disagree with that.

Of course, becoming a customer gives you more opportunities to engage with them, but that doesn't mean you need to spend money to work with them.

If you're building something genuinely innovative or gaining traction with early customers, analysts want to know. Their job is to know everything about their market, and that includes your company.

A strong briefing can lead to:

• Mentions in market guides, special reports, and client conversations

• Invitations to participate in research or comparative frameworks

• Increased visibility with buyers during critical decision windows

Analysts talk to your customers. Help them talk about you.

How to Pick the Right Analyst

It's not only about briefing the right firm (or all of them), but also about targeting the right analyst. Companies like Gartner, Forrester, and Omdia have multiple people covering cybersecurity, and not all of them write research with the same organizations in mind.

Targeting the right analyst is as important as the content itself. Understand which firms and analysts are covering your space by reading recent reports and noting who wrote them.

Your customers don't read every analyst report, so you need to pick the ones aligned with your buyer's world.

Then, research who those authors are. Look at their recent publications, presentations, social media posts, etc., to understand their current interests and focus.

How to Request a Briefing (Even If You're Not a Client)

Many believe you need to be a client to brief analysts. That's not true. You can easily request briefings with major firms through online forms:

• Gartner Briefings

• Forrester Briefings

• Omdia Briefings

• IDC Briefings

Depending on your pitch and how well you present it, the time to get a response will vary. Requesting to pitch more than one analyst (but not dozens) is recommended.

Be concise and compelling in your request. Lead with your unique story.

How to Deliver a Great Analyst Briefing

When it comes to delivery, it needs to align with your briefing request and your objectives.

If you're a rising star in your space but your revenue is still modest, don’t expect to be included in a Magic Quadrant or Wave report just yet.

Your first briefings are about raising visibility within the analyst community. But remember: this is not a sales pitch. It’s about providing value to the analyst, sharing something that will help them do their job better.

Every analyst has different approaches and expectations. In some cases, you may not have their full attention. That means your narrative must be laser-focused. Stick to two or three key messages and reinforce them throughout your presentation.

It's important to provide context about your company, the team, funding, etc., along with real-world proof points highlighting customer stories, metrics, pricing models, and future plans where possible.

Here are a few key things to consider:

1. You're not expected to be a leader, so be transparent and honest—address known gaps and how you plan to fix them.

2. Don’t lecture about the market. Analysts likely know it better than you.

3. Even if analysts remain quiet, encourage interaction by pausing for questions and building rapport.

4. Keep your deck short and focused. Share it in advance if requested, and plan to leave time for Q&A.

5. A brief product demo (very brief) can help illustrate your value, but remember—briefings are not demos.

6. If there's something you don’t want shared, either leave it out or clearly mark it as confidential.

The amount of time an analyst gives you is already a sign of interest. Their engagement during the call is a signal you're doing a good job.
How the call ends, and what the analyst suggests next, will tell you if it was successful.

After the briefing, follow up with the materials and summarize the key points you want them to remember.

Your goal is to build a relationship with the analyst over time. Ask about their current or upcoming research and keep it in mind for future briefings.

Get Out of Your Comfort Zone and Start Briefing

In my opinion and experience, interacting with analyst firms is a key pillar of success. The earlier you start, the better.

Analyst relations isn’t just for big vendors. Strategic briefings can be a force multiplier for startups ready to stand out. If you're building something meaningful in cybersecurity, make sure the Kingmakers know your name.

Let them tell your story to the people who need to hear it.

But success doesn’t come from just having partners. It comes from nurturing the right partnerships, in the right way, with the right expectations. It comes from creating Value-Based Partnerships.

Over time, I shared a series of comic strips on LinkedIn illustrating some of the most common (and often misunderstood) elements of building and managing partner ecosystems.

Below are the key lessons behind each comic, rooted in real-world experience and my ongoing advocacy for value-based partnerships.

The Importance of Partnerships and Leaders with Experience

Many companies are waking up to the power of partnerships, but few understand the how. In this "Decade of Ecosystems," the winning formula includes not only building partner networks but also hiring leaders who understand how they work.

Quoting Tiffani Bova, “If you suck offline in relationship-building, it's going to be compounded online.” Partnerships aren’t transactional, they’re relational. And they require leaders who have walked the path, built those relationships, and know what it takes to deliver mutual value.

As Jay McBain says, there are 28 moments in a buyer’s journey before a vendor even shows up. If you’re not engaging with the people who own those moments, someone else is.

Lesson: Don’t just invest in building partnerships: invest in leaders who understand how to make them thrive.

Measuring Channel Partners’ Performance Without Overburdening Them

When things aren’t going well, it’s tempting for vendors to drown partners in reporting requests. But demanding too much data, especially from partners for whom you're not a major revenue source, can backfire.

Performance measurement is essential, but it has to be proportional. Large vendors might get away with more demands, but smaller ones must earn the right to ask.

The key is to focus on metrics that don't require extra effort from your partners. Let them focus on what they do best: selling and supporting customers. The more you can self-assess, the better your relationship will be.

Lesson: Respect your partners' time. Build reporting processes that reflect the value you bring.

Strategic Partnerships: You Can't Have Too Many

Everyone wants to call every partner “strategic,” but not every partnership is created equal. If you have too many “strategic” partners, the word loses meaning. Worse, it dilutes your ability to focus where it really matters.

As I wrote in this piece, strategic partnerships require commitment, resources, and alignment. That’s not something you can scale endlessly.

You also need clarity (internally and externally) on what makes a partner “strategic.” Otherwise, you'll end up with a portfolio full of "formerly strategic" partnerships.

Lesson: Be selective. Strategic should mean something, or it means nothing.

Onboarding Channel Partners: Make It Effortless

Partner onboarding is where many relationships falter before they even start. On one side, you have vendors demanding weeks of training. On the other, partners are left to figure things out with little support.

The sweet spot lies in an onboarding program that’s lightweight, flexible, and tailored. It should cover both technical and sales readiness, adapt to different partner profiles, and above all, minimize the burden on your partners.

If your partners can’t quickly understand your value proposition (or who to sell your solution to) you’ve already lost momentum.

Lesson: Make onboarding seamless. The less friction at the start, the more success in the long run.

Recruiting Channel Partners: Quality Over Quantity

Getting partners to join your program is hard—especially when they’re already busy with an established portfolio. Many vendors assume that past success in other channels will translate to easy recruitment in the partner world. It doesn’t.

Recruitment starts with alignment. You need to know which partners are a good fit for you, and vice versa. A great product alone won’t open doors. You need timing, fit, and a compelling value proposition.

Instead of trying to onboard every partner, focus on the right partners. The ones who see the opportunity and are open to it.

Lesson: Don’t spray and pray. Recruit intentionally and invest in the right relationships.

Defining Roles in the Customer Lifecycle

One of the most overlooked sources of friction in partnerships is role ambiguity, especially during the implementation phase.

Some vendors assume partners will handle implementation. Others want to own it themselves. When expectations aren’t clearly defined, it’s the customer who suffers.

As I discussed in this article, alignment on responsibilities must happen early. Define roles clearly, so everyone knows what’s expected—and customers get the experience they deserve.

Lesson: Set expectations up front. A clear customer journey reduces friction and builds trust.

Final Thoughts

Partnerships are an art and a science. They require intentionality, clarity, and empathy. Behind every comic strip I shared is a hard-earned truth, one that I’ve seen play out across ecosystems and markets.

Whether you’re building your first partner program or scaling a mature ecosystem, these lessons can help you stay grounded in what matters: relationships, value, and mutual success.

Remember: Great partnerships don’t just happen. They’re designed, nurtured, and earned, one intentional action at a time.

We are going to review in detail what are the forces that can drastically accelerate the success of a Cybersecurity vendor and position them as a leader in their sector.

Even if you (or your company) have created the most outstanding and disruptive technology or solution, growing in this market requires a deep understanding of the role that existing actors have. 

I have already discussed in a previous article how relevant the choice of channel is when it comes to this market. Now, we will review the organizations that have the biggest impact and can transform a vendor into a king in their sector. 

Understanding the role of the "kingmakers" is essential for any cybersecurity company aiming to scale effectively and become a leader, and through this article, we will be discussing who are the most influential ones for vendors that focus not only in business customers (B2B), but also for those that cater to consumers (B2C). 

Buckle up! 

Enterprise Cybersecurity Kingmakers

When it comes to those cybersecurity companies focusing on business customers, there are clearly at least four candidates for the title of Kingmaker: Global System Integrators (GSIs), Distributors, Cloud Marketplaces and Analyst Firms. 

Each one of them has a different area of influence: 

• GSIs focus mostly on medium to large organizations, 

• Distributors have a higher reach to smaller and medium companies through their channel networks, 

• Cloud Marketplaces serve any size of organizations in different ways, and some of them are particularly well-suited for Managed Services Providers, 

• Analyst Firms, especially the most relevant ones, cater predominantly to large enterprises, yet their market evaluations and reports shape perceptions across the entire cybersecurity landscape.

Let’s discuss the role and impact of each one of them below.

Global System Integrators (GSIs)

GSIs such as Accenture, Deloitte, or PwC deliver sophisticated integration services that align with complex IT environments and high-level security requirements, being instrumental in embedding cybersecurity solutions within large-scale digital transformation projects. 

Their extensive client networks and integration capabilities make them vital channels for vendors seeking enterprise adoption.

Finding out exactly how much revenue they make in cybersecurity products isn’t easy as it is not publicly available information. Estimates place that in the tens of billions (USD), reflecting the footprint they have in the market as well as the demand from their customers for integrated cybersecurity services.

If we analyze one of them in detail (Accenture), we see that they have a broad partner ecosystem. The firm lists around 260 technology partners on its website, including approximately 30 dedicated to cybersecurity.

The majority of these partners are based in North America, with two from Israel and two from Europe. Each of these vendors typically generates at least several hundred million dollars in annual recurring revenue (ARR). Accenture has been named Partner of the Year 2025 in the Americas by Crowdstrike, for instance. 

Through these partnerships, Accenture covers various security sectors, such as Training & Human Risk Management, Threat Intelligence / Security Operations, Network Security / SASE / Firewalls, SIEM / Threat Detection & Response, Cloud Security / Cloud-Native Application Protection Platforms (CNAPP), Identity & Access Management (IAM) / Identity Governance, and Endpoint Protection / Extended Detection & Response (EDR/XDR). 

Distributors

Distributors like Ingram Micro and TD Sinnex, along with their network of channel partners, extend a vendor's market reach by offering bundled solutions and managed services. 

This model not only simplifies procurement for resellers and clients but also fosters recurring revenue streams. As the channel continues to evolve, distributors are becoming technical advisors and managed service providers themselves, enhancing the value delivered to both vendors and customers.

A strong example of distributor success in cybersecurity is SHI International's partnership with CrowdStrike. The companies announced that SHI has sold over $1 billion worth of CrowdStrike’s cybersecurity products, making CrowdStrike the first pure-play SaaS security vendor to achieve this milestone through SHI. Notably, over 70% of this $1 billion was generated in just the last three years. 

Palo Alto Networks, another multi-billion dollar cybersecurity vendor, also demonstrates the critical role of distributors, with three primary distribution partners accounting for approximately 45–47% of its total revenue.

Another example of this successful partnership between distributors and cybersecurity leaders: Fortinet relies almost entirely on distribution for its go-to-market model. In fact, a single distributor has accounted for roughly 28–31% of the company’s total revenue in recent years, according to their financial reports. 

Cloud Marketplaces

Platforms such as AWS Marketplace, Microsoft Azure Marketplace, and Google Cloud Marketplace offer vendors immediate access to a global customer base. According to Canalys, enterprise software sales through these marketplaces are expected to grow from $16 billion in 2023 to $85 billion by 2028. By 2027, over 50% of hyperscaler marketplace sales are forecast to be driven via channel partners.

One of the primary drivers of cybersecurity software sales on marketplaces like AWS and Azure is the ability for customers to apply their committed cloud spend to third-party security solutions. 

Enterprises frequently enter into large cloud commit contracts with providers like AWS, and purchasing security tools through the marketplace allows them to "burn down" those prepaid credits on critical solutions. This makes cloud marketplaces not just a procurement convenience, but a financial strategy.

CrowdStrike exemplifies the marketplace opportunity. In 2024, the company surpassed $1 billion in annual sales through AWS Marketplace alone. Transactions through AWS were, on average, four times larger than those via traditional channels and closed significantly faster.

With over 50 native integrations with AWS services and a strong partner ecosystem, CrowdStrike demonstrates how a strategic marketplace presence can be a game changer.

Other cybersecurity leaders are also thriving on cloud marketplaces. Splunk and Okta have each reached $1 billion in AWS Marketplace sales. Meanwhile, Wiz has revealed that 50–60% of its total revenue now flows through cloud marketplaces. 

Besides AWS, Azure or Google Cloud, there are other type of marketplaces that are having a strong impact on the success of cybersecurity companies. One of them is Pax8, that we can classify as a cloud distributor. 

Pax8 has created a purpose-built platform for MSPs and IT service providers to procure and manage SaaS solutions—including cybersecurity offerings—for SMB and mid-market clients.

Pax8’s marketplace surpassed $1 billion in ARR and reached $2 billion in total revenue within just 18 months. Security offerings are among the most “highly-utilized” products within the Pax8 ecosystem.

A recent Pax8 survey highlighted that over one-third of global IT solution providers now generate more than 20% of their revenue via marketplaces, with the highest engagement levels seen in North America and Europe. Being listed in Pax8 has now become a go-to-market strategy for many cybersecurity companies due to their rapid growth and reach.

Analyst Firms

Organizations like Gartner and Forrester wield significant influence through their evaluations and market analyses. Inclusion in Gartner's Magic Quadrant or Forrester's Wave reports can substantially boost a vendor's credibility and visibility. 

Gartner produces approximately 25 Magic Quadrants specifically focused on cybersecurity domains, while Forrester regularly publishes Wave reports covering areas such as incident response, risk ratings, and cybersecurity consulting. 

These reports directly impact enterprise procurement decisions and vendor strategies not only for end customers but also for distribution channels.

In the past, I made an analysis of the geographic distribution of the Gartner Magic Quadrant leaders, based on the analysis of 10 of those reports. Out of 40 leaders identified, 33 were based in North America, while only 2 each come from the UK and Israel. Notably, none are headquartered in the European Union.

This disparity highlights the dominance of North American vendors in gaining analyst recognition, which in turn reinforces their market leadership.

Magic Quadrants and Waves aren’t the only influential outcomes from the analyst firms that vendors seek. Cool Vendor status, Critical Capabilities research and more are badges that cybersecurity companies can use to create strong foundations for their growth strategies.

Consumer Cybersecurity Kingmakers 

The consumer market for cybersecurity, while smaller, still has a lot of potential as I have already explored in a previous article. In my opinion, as more people work from home, there is a lot ahead in terms of security for individuals, and understanding who are the most influential companies is highly important.

Device Manufacturers

OEMs like Dell, HP, and Samsung play a critical role by pre-installing cybersecurity software on consumer devices. These partnerships enable vendors to reach users at the point of sale, often increasing adoption and stickiness.

For decades, Symantec’s Norton and McAfee dominated this space on Windows PCs, effectively leading the market by striking deals with almost every major computer manufacturer.

This channel made McAfee one of the kings in their space: a 2010 European Commission analysis noted that OEM pre-installs were a major channel, accounting for a large portion of consumer antivirus revenue for these companies. 

In McAfee’s case, the OEM channel was the single largest source of its consumer segment revenue, with partners that included Acer, Dell, HP, Lenovo, Samsung, and Toshiba—essentially a who’s who of the PC market.

Symantec and Norton similarly leveraged these partnerships to become the two largest cybersecurity vendors in the space during the late 2000s. The vast majority of new Windows PCs came with one of the two pre-installed, creating a duopoly that was difficult for other vendors to penetrate.

Microsoft’s entry into the space with Windows Defender, starting with Windows 8 and continuing into Windows 10, disrupted the OEM channel by providing a built-in baseline antivirus to all users. However, during the 2000s, the OEM pre-install pipeline was arguably the single biggest factor in Symantec’s and McAfee’s global dominance.

Retail and E-tail Channels

Traditional retailers and online platforms like Amazon are key distribution partners for consumer cybersecurity solutions. Their expansive customer reach and marketing clout amplify product visibility and credibility.

A compelling historical example is Kaspersky, a Russian-founded security firm that broke into Western markets by aggressively expanding retail distribution. In 2002, Kaspersky partnered with MediaGold, a European business development firm, to boost its retail channel presence.

The goal was to place Kaspersky’s boxed antivirus products in “virtually all available retail sales channels” across key European countries. This push paid off, and over the next decade, Kaspersky became one of Europe’s most visible consumer security brands, often seen in electronics stores and PC shops. 

By 2016, Kaspersky reported over 400 million users globally and held the largest market share of cybersecurity software in Europe. Retail visibility, from Media Markt in Germany to Dixon’s in the UK, made Kaspersky a household name and a default choice for consumers.

As sales shifted to digital, e-tail platforms like Amazon emerged as the new battleground. My own experience supports this transition: in markets where ESET had strong visibility and reviews on global e-tailers like Amazon, that exposure directly correlated with market leadership.

Telcos and ISPs

Telcos and ISPs are increasingly bundling cybersecurity services with broadband packages, providing vendors with access to massive customer bases. Omdia reports a growing trend among telcos to offer total consumer cybersecurity solutions, underscoring the channel's strategic value.

One of the most prominent examples in this space is F-Secure, a Finland-based consumer cybersecurity vendor. Since the early 2000s, F-Secure has focused heavily on the operator channel and built what analysts refer to as "the largest telco operator network" in the cybersecurity industry. This early and strategic commitment to telco partnerships enabled F-Secure to scale its global presence and embed its solutions directly into consumer offerings from telecom providers. 

McAfee is another major vendor that has leveraged telco relationships to expand its reach. For instance, McAfee partnered with British Telecom (BT) to power "BT Virus Protect," a security suite offered free to all BT broadband subscribers. BT marketed this as “the most comprehensive free online security tools of any major UK broadband provider,” emphasizing its long-standing partnership with McAfee.

In Spain and Latin America, Telefónica adopted a "Security by Default" strategy with McAfee, rolling out McAfee-powered protection for all broadband and mobile customers under its Movistar brand. This included router-level protection and multi-device antivirus licensing, with Telefónica calling it the first instance of a telco delivering comprehensive cybersecurity to all customers regardless of connection type, immediately covering millions of users.

On the mobile front, Lookout offers a notable example. It became a leader in mobile security primarily through carrier preload deals. In 2012, T-Mobile began pre-installing Lookout Mobile Security on all Android devices it sold. By 2013, this rollout expanded to most T-Mobile Android handsets, and similar agreements were formed with AT&T and Sprint. 

A major milestone came in 2013 when Lookout partnered with Samsung to embed its software into the Samsung Knox security suite, gaining global reach as the app came pre-installed on all Knox-enabled devices. This dramatically expanded Lookout’s user base, and by 2014, the company reported over 50 million users worldwide.

Another notable player in this channel is Whalebone, a European cybersecurity firm that has built its presence almost entirely by focusing on telecom operators. The company’s growth highlights how telco partnerships can provide a robust foundation for scaling cybersecurity offerings to mass markets. 

Other Kingmakers

There are other entities that could be considered relevant in the making of a cybersecurity leader. For instance, in the consumer market, magazine reviews play a significant role, where becoming a leader in one of their comparatives can have a direct impact on the sales of a company. 

Many European companies, for instance, work closely with their local governments at the beginning of their journey, which helps them to reach a significant position in their home markets. 

While this can be a strong initial boost, it can also be a blocker. Public sector contracts can provide early-stage support and market legitimacy, but they have a limited reach, as they are only influential within their country. 

On the other hand, regulations, procurement processes and local requirements can easily transform this into a disadvantage, where vendors need to dedicate too much time and effort to maintain their local position instead of being able to develop further globally. 

Other relevant drivers of success are the initial investors in the cybersecurity vendors. They can provide expert guidance and support during the early days, and more importantly, they can enable their portfolio companies through introductions to, for instance, the above kingmakers. 

If a cybersecurity startup counts in their board with people that can open the door to Global System Integrators or Distributors, that can put them on the path to success. 

The Strategy of Success 

Growing a cybersecurity company takes time, dedication and effort, and most importantly, a winning strategy. Understanding who are the channels or partners that can accelerate the growth of a vendor is key to develop the right approach to the market early on.

The decisions that cybersecurity startups make in their first steps will influence their future, as even partnering with the right investors will have an enormous impact. 

Companies can have the best and most disruptive technology and solution, but if they don’t find their way to the kingmakers, they will need to work harder to achieve lower results than those that are currently the leaders in the market. 

The above data and insights clearly show what is the reach and coverage that those entities have, and moreover, they play another important role besides being kingmakers: they are also gatekeepers. 

While the Customer is the ultimate-decision maker, the kingmakers exert a strong influence on them. The decisions of Enterprise CISOs, IT buyers and consumers alike are heavily shaped by the endorsements, partnerships and integrations provided by system integrators, distribution partners, analyst firms and the rest.

The customer decides, yes, but from the choices that are known to them, and in many cases, those are limited to the options provided by the organizations that they already have relationships with. 

For instance, when a customer already made the decision of working with a particular GSI, they have limited their options to those within their portfolio, and that is the power these organizations have. 

Knowing what is the impact of the kingmakers in the cybersecurity market helps vendors, from startups to established ones, to develop the right strategy for them and truly become the leaders in their sectors.

For example, in the pharmaceutical industry, partnerships between research institutions and drug manufacturers help develop new medicines. 

And if we want some statistics to validate the impact of alliances, 95 % of Microsoft’s revenue comes through its channel partners ecosystem, and Tesla and Panasonic partnered to develop batteries that saved the car manufacturer significant costs. In the IT industry, more than 70% of business deals come from partnerships. 

Companies form partnerships for different reasons: to protect their market, to grow, or to share knowledge and resources, are some of the most common.

The more important alliances, usually called Strategic partnerships,  bring two companies together for a very impactful shared goal. 

To make it easier for businesses and professionals to create strong partnerships, I’ve developed the Strategic Partnerships Canvas, a free tool available on Miro.com. 

The goal is to provide a structured yet flexible approach that simplifies the complexities of partnerships, making collaboration more accessible and effective for professionals worldwide, no matter their background or experience.

The Canvas: A Simple Approach to Complex Collaborations

Forming a strategic partnership requires many steps and agreements. The Strategic Partnerships Canvas is a tool that helps partners define and organize their collaboration. It can also be used by a company alone to plan the kind of partner they need. 

This Canvas’ goal is not to be a perfect solution for every case, but a practical tool for professionals working with partnerships. It aims to address all important aspects of a partnership before it actually begins, planning and organizing the alliance in a structured way, and setting it up for success.

Overview

The Strategic Partnerships Canvas is structured to help companies build partnerships step by step, ensuring a clear and organized approach. 

It starts with the setup phase, where partners define the partnership’s purpose, values, and target customers. This helps align both companies from the beginning and ensures they have a shared vision.

Once the foundation is established, the focus shifts to defining goals and responsibilities. Each company outlines its individual goals and expectations while also identifying shared objectives. This clarity helps avoid misunderstandings and ensures both parties contribute effectively.

Next, the governance and operational structure are set up. This includes defining how decisions will be made, setting up performance metrics (KPIs), and determining how often the partnership will be evaluated. For example, businesses use a mix of lead and lag indicators to track progress and adjust their strategy as needed.

The execution phase covers key activities, necessary resources, and the tools or processes that will support the partnership. Companies define the activities they will undertake, the people responsible, and the systems that will be used to manage operations efficiently.

Finally, the Canvas addresses results, rewards, and exit criteria. Partners agree on expected outcomes, how rewards and responsibilities will be distributed, and under what conditions the partnership should be modified or terminated. For instance, exit criteria can include reaching a revenue target or a significant change in market conditions.

By following this structured approach, companies can navigate the complexities of strategic partnerships in a logical and effective way, reducing risks and maximizing the value of their collaboration.

How to Use the Canvas

Using the Strategic Partnerships Canvas effectively requires collaboration and structured discussions. Partners should work through each section step by step, ensuring all key elements are covered before moving forward to the next.

This can be done through a series of workshops between the parties where each part of the Canvas is co-created. The first parts of this tool include specific sections so each partner can define their own expectations before moving on to agreeing on the common ones.

This is very important as while the goal of the partnership needs to be the same for both parts, it’s clear that they don’t necessarily have the same individual objectives. 

Defining how the strategic partnership will be governed should come next, and this needs to include not only performance metrics but also how those will be evaluated and reviewed. Having a clear accountability framework will ensure both parties remain committed to the agreement.

The Canvas brings the accountability to an individual level at this step, where it is expected that even the specific responsible people within each organization will be defined at this stage.

Only after all the above, the partners should work together on the execution, as this relies on the previously well-defined roles and streamlined common workflows. The tool provides space to agree on the most important areas of this stage that can be expanded with other more detailed ones. 

Finally, the parties should define two very important topics: success and exit. Establishing what success looks like, how rewards and responsibilities will be shared, and under what circumstances the partnership may end helps ensure a smooth collaboration. By setting clear expectations for success and exit strategies, companies can avoid uncertainty and protect their investments.

During the above process, there are several key questions that need to be answered, which are included in the Canvas itself. For instance: 

• What is the goal of this partnership?

• What value does it create for customers?

• What are our shared goals?

• What are the roles and responsibilities of each company?

• How will we measure success?

• What key activities and systems are needed?

• What are the criteria for success and exit?

Delivering Value for Everyone Involved

Some time ago I created another Canvas, the Value-Based Partnerships Canvas, which focuses on how to balance Margins, Effort and Delight. Those principles drive any partnership, strategic or not. 

Seeing the great response I’ve received to that tool and the struggles that professionals and organizations have in creating truly strategic partnerships, this new tool came to life. 

The goal is always the same: creating, capturing and delivering value for everyone involved. However, the Strategic Partnerships Canvas is a practical step-by-step framework that, based on my experience, can help to avoid many of the most common pitfalls in developing truly strategic alliances. 

By following its structured approach, companies can design partnerships that are clear, efficient, and beneficial for all parties. 

While it may seem complex at first, the Canvas provides a clear roadmap that makes the process easier. Whether used with a partner or alone, it helps companies think critically and create strong, lasting partnerships.

But I believe that we’ve been looking at it the wrong way. 

The real weak link isn’t the employees clicking on malicious emails, but rather the decision-makers responsible for securing the organization. At least, both users and those responsible for cybersecurity should share the label.

Rethinking the “Weakest Link” Narrative

Consider a common scenario: A company suffers a major security breach after an employee’s credentials are leaked on the dark web. The credentials were valid because multi-factor authentication (MFA) wasn’t enabled.

One would consider this un-thinkable nowadays, but last year’s breaches at UnitedHealth Group and Snowflake show that this happens more often than not.

Now, let’s ask: Who was the actual weak link?

• The employee whose password was leaked?

• The IT administrator who didn’t enforce MFA?

• The CISO who didn’t prioritize MFA in the company’s security policy?

• The budget owner who refused to allocate resources for security improvements?

If we focus only on the end user, we ignore the systemic failures that allowed the breach to happen. Users are only as strong as the security environment built around them, and no cybersecurity awareness training will fix that.

Failures in Basic Cyber Hygiene

Beyond MFA, there are numerous cybersecurity practices that are well-documented yet frequently neglected. Unpatched and outdated systems, vulnerable applications, lack of backup and recovery, poor endpoint protection… these basic hygiene recommendations have not changed since the dawn of computers. 

However, many breaches start because one of them have not been properly in place. Who is responsible when organizations fail to implement them?

Patching known vulnerabilities is a fundamental security task. Yet, many breaches occur due to unpatched software—sometimes for months or even years after a fix is available. This isn’t an employee clicking a bad link; it’s a failure of IT and security leadership to maintain a structured patch management process.

Beyond the Commonly Recommended Best Practices

Besides these widely known cyber hygiene practices, there are simple yet powerful ways to minimize problems. For example, phishing remains one of the most effective attack vectors. 

Yet, many organizations do not implement simple email authentication protocols like SPF, DKIM, and DMARC—measures that could significantly reduce phishing attempts that appear to come from legitimate sources. 

A provider of solutions that can support organizations in improving their email security posture, Sendmarc, has found that the majority of organizations have at least one of those controls poorly implemented or not present at all. 

Appropriate DMARC configuration would reduce email impersonation close to zero. If employees receive convincing phishing emails, should we blame them for falling for it, or the security team for failing to prevent those emails from reaching inboxes in the first place?

There’s more…

Some say that Identity is the new perimeter, and considering the amount of SaaS and Cloud applications that businesses are using, that definitely makes sense. But, the majority of companies around the world have poor or non-existent best practices in place to manage identities and their privileges.

Considering that at least 1/3 of breaches start inside an organization, how security teams continue to have issues to prioritize appropriate identity and privilege management?

The Real Responsibility: Cybersecurity Leaders (kind of)

Cybersecurity is not just a technical problem—it’s a leadership and accountability problem. Blaming users for security failures is easy, but it ignores the real issue: security is an organizational responsibility.

If security is weak, it’s not because employees are careless—it’s because leadership hasn’t built a resilient security culture.

That doesn’t mean everything is on the shoulders of the CISO or Cybersecurity team. They definitely have their own challenges to address. In an industry that has de-prioritized prevention and has become more complex, their resources and tools can be scarce.

However, the focus should shift from blaming users to system resilience, and to make sure the basic security measures are in place. All business leaders need to ensure that security is a part of their organization before an attack and not an afterthought.

At the end of the day, Cybersecurity leaders as well as those responsible for budgets and resources within an organization must acknowledge that the strength - or weakness - of an organization’s cybersecurity posture rests on their shoulders.

It’s time to move beyond the outdated narrative that “humans are the weakest link” and ask the real question: Which humans are responsible for making cybersecurity stronger?

Also, research shows that up to 67% of business strategies fail due to poor execution. These numbers show how important it is to have a clear plan and execute on it, especially in a fast-moving field like cybersecurity. 

The Play to Win framework, created by A.G. Lafley and Roger L. Martin, helps startups design a strategy, following a established structure, that can easily be transformed into an execution plan that makes them stand out.

When I started working at ESET in Latin America, there was an open field with immense potential. The challenge was clear: where to focus, how to win, and how to become a leader in cybersecurity in the region.

As a bootstrapped company, our limited budget meant we couldn't compete with bigger players with the same tools they had. There were already strong competitors in the region, like Symantec, Trend Micro, and McAfee, each with a established and large  commercial operations and several years in the region.

Once we researched the market and evaluated our findings, we identified two key factors that could help us: our competitors didn't have strong cybersecurity experts in the region, and the majority of the region shares one language—Spanish.

We defined a simple strategy—use our product's strengths for consumers and small businesses, become thought leaders by sharing unique insights with local media and the market at large, and focus on recruiting channel partners.

We specifically targeted value-added resellers (VARs) that were already working in industries related to cybersecurity, but not necessarily had another antivirus in their portfolio.

To reach channel partners and the market, we participated in and organized events. We partnered with universities to provide cybersecurity masterclasses at their facilities—something that nobody else was doing—and ensured we were present in at least one key IT or cybersecurity event in every regional country.

Lastly, we partnered with a regional media outlet specialized in channel partnerships to increase our reach to the local market.

This combination became our winning approach and helped us establish a position in the region.

We did the above following a similar framework to the one described by Lafley and Martin in their Playing to Win book. This helped us become a leader in cybersecurity in the region in just a few years. Of course, the strategy evolved over time, as it is crucial to evaluate and iterate regularly, but the core principles remained consistent since the very beginning.

My experience at ESET in Latin America demonstrates how applying the Play to Win framework can create a significant strategic advantage, even in challenging environments.

By leveraging clear focus areas, building on existing strengths and identifying opportunities as well as competitors' weak spots. Moving fast and with determination, we were able to establish a leading position in the cybersecurity market.

This approach is particularly valuable for startups, as it provides a structured yet flexible way to make strategic decisions, maximize resources, and iterate over time, and helps to make product as well as GTM decisions.

Let's explore how cybersecurity startups can apply this strategy to fuel their growth and success.

Define Your Winning Aspiration

For any cybersecurity startup, the first step is to identify what "winning" looks like. Are you looking to become a leading provider of endpoint security to SMEs? Or do you aim to create a groundbreaking zero-trust solution for large enterprises?

Winning aspirations should be ambitious yet focused, providing a clear goal for the company. For example, a startup could define its aspiration as "becoming the go-to provider for AI-powered threat detection for healthcare institutions." A clear and inspiring goal helps guide decisions and keeps the whole team focused on the same target.

In our case, we defined that we wanted to become the established cybersecurity thought leader in the region, focusing on providing value to the market besides our products, that we targeted towards small and medium businesses, education institution and government agencies.

Focusing in more than just the commercial aspects of our operation helped us to build trust as our byproduct of our activities. We weren't "just an antivirus" company, we were the go-to-source when it came to cybersecurity.

Moreover, we very clearly decided that we would be 100% focused on the channel, not having any sort of direct sales. This also provided confidence to those that were working with us that we would never compete with them, something that competitors were doing.

We were not just selling antivirus; our purpose - our "winning aspiration" - was to help customers and channel partners become more secure, no matter which solution they chose at the end. Our focus on providing expert insights and educating the market, as a thought leader, was the vehicle for building that trust.

Choose Where to Play

Cybersecurity is a broad field, spanning areas like network security, cloud protection, identity management, and more. Startups must choose their battlefields wisely.

The "where to play" decision is about selecting the market segments, customer types, and geographic regions that offer the best opportunities.

For instance, a startup might decide to focus specifically on providing cloud security solutions to mid-sized fintech companies in North America. By narrowing their focus, they can specialize deeply and deliver greater value compared to trying to serve every segment at once.

This extends the "winning aspiration" further, and provides guidance to the GTM and other activities that come after creating the company strategy. 

One example of a company that clearly defined their "where to play" is Wiz, a cloud security startup that became an unicorn already. Wiz chose to focus on providing cloud security solutions for enterprises that are migrating to or managing complex cloud environments.

By focusing exclusively on cloud security, Wiz was able to address the unique challenges associated with multi-cloud and hybrid environments, delivering specialized insights and tools that traditional security vendors struggled to provide effectively.

This hyper-focused initial approach allowed Wiz to clearly define the following steps in their strategy. By being clear about where to play, Wiz could plan their resources, skills, and strengths better, which gave them an advantage in executing their strategy well.

Determine How to Win

Once the "where to play" is defined, the next step is deciding "how to win". In cybersecurity, this often comes down to differentiating yourself in a crowded space.

A startup might focus on leveraging proprietary AI algorithms to detect threats faster than competitors, or they could provide a unique user experience that makes compliance simpler for non-technical users.

The "how to win" strategy involves identifying the elements that give you a competitive edge—whether it's technology, exceptional customer service, speed of execution, or something else entirely, even the way the organization is structured.

A great example of a successful "how to win" approach is CrowdStrike. Everyone knows the large company they have become today, but when they started, their scope was more narrowed, competing with established and next-gen antivirus and endpoint security companies.

A key reason why they succeeded was that their agent could be installed on endpoints where another competitive product was already deployed, something that wasn't possible with other established vendors at the time.

By offering this capability, CrowdStrike was able to position itself as a "second opinion" for end customers. Once customers experienced what CrowdStrike could do, it made removing the existing solution more trivial.

This helped mitigate the Total Cost of Ownership (TCO) associated with switching endpoint security solutions, which has always been one of the largest obstacles in this sector.

Furthermore, CrowdStrike's commitment to being cloud-first, at a time when no other established vendor had adopted this approach, further differentiated them.

These factors guided not only their GTM activities but also their product decisions and, along with other key strategies, helped them succeed and become the industry leader they are today.

Develop the Core Capabilities

Winning in the cybersecurity world requires certain core capabilities. These are the strengths that allow your startup to execute its "how to win" strategy effectively.

If your goal is to provide cutting-edge AI-driven threat detection, then your core capability might be a team of highly skilled data scientists and cybersecurity experts.

Alternatively, if your strategy revolves around exceptional customer support, you might need a world-class onboarding process and an agile support team. Building these skills with clear focus is essential for keeping a competitive edge.

At ESET in Latin America, we wanted to become cybersecurity thought leaders. We needed experts in our team that could influence the market, and those are a limited "resource". What did we do? We created them.

We partnered with universities around the region to raise the awareness of the most relevant topics in the industry and to develop programs to educate the future experts in cybersecurity. 

This made sure we always had the people we needed to carry out our strategy, and even after 20 years, these programs still give local cybersecurity enthusiasts the chance to become professionals, work at ESET or even in other cybersecurity companies.

Set Up Systems to Support Your Strategy

Lastly, implementing a Play to Win strategy means building the right systems to support your startup. This includes setting up processes for rapid product iteration, fostering partnerships with key technology vendors, or even establishing an efficient go-to-market approach.

In cybersecurity, the threat landscape changes constantly, and having adaptable processes is crucial for staying relevant. Align your operations, culture, and decision-making mechanisms to reinforce the strategy, ensuring every team member knows how their role contributes to the overall aspiration.

In order to be the company they are today, systems and infrastructure became a key part of CrowdStrike's strategy. As a cloud-first company, they needed a partner in the cloud service providers world, and they found it in AWS. This was a win-win for both, as CrowdStrike became a great example of how to scale with AWS, which gave them preferred access to AWS services, and the Amazon service had a great success story to share.

Not only that, they made use of Salesforce to create commercial processes that would make a difference. In the early days, setting up a demo with an endpoint security vendor was a struggle, and CrowdStrike facilitated that process to the extreme, using Salesforce as their commercial platform.

When we were developing the Latin American market for ESET, my team and I made sure that we had the systems we needed to support our thought leadership and partnerships operations.

Maybe other systems we had were less mature, but with the above being our north stars, we were able to provide great insights to media and influencers regularly. We had data that no other company had in the region, and we gave tools to our partners to connect with us in the most streamlined way.

Staying focused on our goals, activities, systems, and how we made decisions was how we achieved our strategy. Staying firm in our strategic goals, and ensuring every action aligned with our objectives, was how we ultimately succeeded.

Playing-to-Win: A Focused Path to Success

There are many frameworks you can use to develop a strategy for your company, and many of them have their advantages and disadvantages.

Using the Play to Win strategy in a cybersecurity startup means making clear choices—where to focus, how to stand out, and which skills to develop.

It encourages startups to think deeply about their ambitions and the specific steps they need to achieve them, and guides other key activities and decisions, like the product development and GTM activities, even the hiring practices.

In a highly competitive and constantly shifting field like cybersecurity, this clarity can be the difference between becoming a market leader and getting lost in the noise. By playing to win, cybersecurity startups can create a unique space and build resilience for the long haul.

If you are a Miro.com user, you can utilize this template to develop your Play to Win strategy.