COMMENTARY: Security vendors sound increasingly similar right now. The dominant pitch today: AI broke the team's existing security – and will fix it. While the vendors are right, the pitch is no longer differentiating. Across demos, briefings, and analyst conversations, the message repeats with minimal variation. As a result, the pitch itself has lost value as a basis for decisions.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
This creates a practical problem for CISOs. If every vendor appears credible at a high level, then CISOs can’t use high-level messaging to make buying decisions. We need a different lens.
I run a security company, so I have a clear position in this market. But my advice here comes from observing how CISOs evaluate across vendors, including us, our competitors, and the incumbents. The lenses I describe below are practical and observable, and they surface risk earlier than most technical validation processes.
The reason they matter now: AI has not simply improved security tools, it has broken a foundational assumption the industry relied on for decades, that threats exhibit repeatable patterns that defenders can detect and match. AI undermines that assumption, which in turn makes traditional evaluation frameworks less reliable.
Most CISOs already have strong processes for evaluating products. Proofs-of-concept, bake-offs, and technical requirements are well understood. But we’re often missing an equally rigorous approach to evaluating the company behind the product.
There’s a real cost to the gap.
In one case, a Fortune 500 security team spent nine months deploying a platform from a vendor that entered acquisition discussions before the proof-of-concept was even signed. The CISO learned about the deal through a news alert, and the board learned from the CISO. The result was a forced re-procurement process, a temporary coverage gap, and a loss of confidence that outlasted the technology transition.
This was not a product failure. It was an evaluation failure – and it’s preventable.
There are three lenses that consistently cut through the noise, and all of them are visible before a formal evaluation begins:
Lens One: Who the company was actually built for.
CISOs evaluate intent in threats every day, distinguishing between legitimate activity and malicious behavior. The same reasoning applies to vendors.
In practice, companies in this market tend to fall into three categories. Some are built around a funding narrative, where the product primarily serves as a vehicle toward acquisition. Others are built around a technology thesis, where there’s real innovation, but customers can become secondary once the intellectual property gains strategic value. A third group builds around the customer’s problem, where decisions consistently prioritize long-term customer outcomes.
The most reliable signal is not messaging, but structure.
Executive composition reveals a lot. A company that invests early in customer success leadership makes a structural decision that retention matters as much as, or more than, acquisition. Similarly, founders who have operated the technology they sell tend to make different tradeoffs than those who have not.
CISOs should ask directly who’s accountable for customer outcomes after the contract gets signed. The answer usually makes clear who the company was designed to serve when tradeoffs become unavoidable.
Lens Two: How the company communicates before and after the sale.
How a vendor shares information before a deal gets signed clearly indicates how they will behave after it closes.
Vendors that consistently publish useful, practitioner-oriented material signal a different operating model than those that gate information behind briefings and controlled conversations. The former tend to optimize for customer capability, while the latter often optimize for dependence.
This distinction becomes more important in an AI-driven environment, where the underlying technology evolves quickly and customers need to continuously adapt. Vendors that treat knowledge as something to distribute tend to create more resilient customer relationships than those that treat it as something to withhold.
Evaluate whether a vendor’s published content would still be useful if your organization never purchased the product. If the answer is no, that’s a signal about how the relationship will likely function once your organization signs on as a customer.
Lens Three: Whether the product was designed for a new reality, or retrofitted to the old one.
So many vendors follow the easy path and retrofit. New capabilities are layered onto existing architectures, and incremental improvements are delivered without challenging the underlying assumptions.
The result often appears modern, but behaves like an optimized version of the old system.
It’s much harder to start from first principles. That requires discarding assumptions embedded in prior architectures and designing for a different operating model. In security, categories built on pattern matching do not become fundamentally new systems by adding an LLM layer. They become faster versions of the same approach.
The distinction becomes clear when looking at workflows.
Many vendors use AI to accelerate existing processes, reducing the time required for each step. A smaller number rethink the process itself, removing unnecessary steps and restructuring how work is done. In practice, it’s the difference between compressing triage and eliminating large portions of it altogether.
CISOs should push vendors to articulate the outcomes their platform delivers in measurable terms: not feature improvements, but operational impact. For example, a reduction in investigation time per incident, or a meaningful compression of the time between detection and executive-level decision-making.
If a vendor cannot clearly connect their AI capabilities to outcomes at that level, it’s likely that the underlying architecture has not changed, even if the interface has.
When GPS became widely available, it did not make people better at reading maps. It made the skill largely irrelevant. More important, it changed how people made decisions, allowing for real-time rerouting and fundamentally different approaches to navigation.
A similar shift has been under way in security.
The question is no longer whether a tool performs well within an existing workflow. It’s whether the vendor has built for the environment that CISOs are actually operating in today.
The three lenses above are not a replacement for technical validation, but they are an effective filter before it begins.
Alan LeFort, co-founder and CEO, StrongestLayer
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.