Looking for ways to promote products and services that make cybersecurity a better place: five unique case studies
There is a lot of FUD, unnecessary hype, and other questionable marketing tactics in cybersecurity. I am here to argue that it doesn’t have to be this way, looking at 5 companies as examples
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
For someone new to cybersecurity it doesn’t take long to realize that the industry is overrun by marketing hype. There is everything - fear, uncertainty, and doubt, pay-to-play awards, unnecessary buzzwords, baseless claims of “guaranteed safety”, and what has already become a tradition - Formula 1 cars at the annual RSA Conference.
I have met many great people in the marketing community and can attest that the vast majority of them are kind, ethical, and passionate professionals who mean well. However, old-fashioned tactics, fierce competition, and the need to differentiate push even the most well-intentioned people to do questionable things. I am here to argue that it doesn’t have to be this way.
In this article, I would like to share some observations about how great cybersecurity companies build a business while adding value to the community, reducing barriers to entry for those trying to break into the field, helping train the next generation of security practitioners, facilitating knowledge-sharing among experienced professionals, and making the industry a better place for everyone. The goal is not to offer these examples as recipes but to highlight the multitude of ways players in the industry can be value-driven and practitioner-centric while building successful companies.
Disclaimer: This is not a sponsored post, and I am not directly affiliated with any of these companies although many are friends (we often share a similar mindset). Recon Infosec is a customer of LimaCharlie where I lead product, but that has not at all impacted my perception of their work - I was a huge fan even before they started using LC. All opinions are my own.
Community building and engagement
Case one: BHIS Tribe of Companies
Black Hills Information Security (BHIS), a company that specializes in penetration testing, red teaming, and threat hunting, is arguably the most well-known in the space for its work in the community. John Strand, the founder of BHIS, has built an ecosystem of companies and initiatives that all together do what is possible to advance the state of cyber defense:
Antisyphon Infosec Training disrupts the cybersecurity training industry by providing high-quality education to everyone, regardless of their level of income. Many of the company’s most popular courses are offered on the Pay What You Can scale, making them accessible to anyone in the field who is eager to learn and willing to put in the work.
Active Countermeasures is the company behind AC-Hunter™ - a network threat detection tool that continuously hunts customers’ networks to identify which systems have been breached. The company is also providing high-quality, free, vendor-neutral educational content and open source tools for those in the security field.
Wild West Hackin' Fest (WWHF), an annual cybersecurity conference, lowers the barrier of entry to the industry by offering affordable training, hands-on labs, and workshops.
REKCAH! Publishing designs comic books and self-published magazines (zines) for security practitioners and lovers of true-crime stories.
The impact of all these initiatives on the industry is hard to overestimate.
The BHIS Tribe of Companies is probably most known for the Backdoors & Breaches, an Incident Response Card Game. This game, originally inspired by Dungeons & Dragons, has a cult-like following: I have seen several conferences where tens of people would line up in front of the Black Hills table to get their copy of the card deck.
The Black Hills achieved all this without actually having a traditional marketing team. Instead, it has what, if I recall correctly, it calls “Excitement Co-Creators” - people whose role is to foster community, do good things for the industry, create useful educational content, and evangelize the vision BHIS has for the future of cybersecurity.
Case two: Recon Infosec
Recon Infosec is a managed detection and response (MDR) provider based in Austin, TX. Similar to Black Hills, it doesn’t have a traditional “marketing team”; instead, the company focuses on doing the right things for the community.
For several years, Recon Infosec ran OpenSOC - a Digital Forensics, Incident Response (DFIR), and Threat Hunting challenge that taught participants real-life incident response skills, and allowed them to compete based on practical abilities. The first event happened at DakotaCon in 2018, and since then, the project grew really big, eventually translating into several conferences across the US, and a large presence at DEFCON. Although Recon has recently decided to postpone future events to focus on its Managed Detection & Response service, the number of people whose lives were affected by OpenSOC is impossible to count.
Although OpenSOC has been put on hold, in October 2022 the company started Thursday Defensive - a weekly event offering commercial-free discussions between seasoned cybersecurity professionals, streamed live. Thursday Defensive is a place for security practitioners to “learn the concepts, discover the tools, and meet the people protecting enterprises, governments, and institutions around the world”. Some of the guests who were generous enough to share their experiences include Matt Bromiley, Ryan Chapman, Zach Wasserman, Lennart Koopmann, Olaf Hartong, Maxime Lamothe-Brassard, Chris Sanders, Adrian Sanabria, Jon Ketchum, and others. As a loyal attendee, I would highly recommend this event to anyone working in cyber defense.
Engineering as marketing, in a way that adds value
Case three: Thinkst Applied Research
Thinkst Applied Research is a fascinating example of a fully bootstrapped, South Africa-based company known to hundreds of thousands of security practitioners worldwide. The company develops "canaries" - tools designed to quietly sit on networks, servers, and anywhere else and send alerts when someone accesses them.
Thinkst built its reputation by maintaining focus on what matters, never overpromising, and being fully transparent about the problems they solve, and - importantly - the ones they don’t. This transparency has earned Thinkst’s team the trust and respect of security practitioners.
Thinkst is uniquely great at what is often called “engineering as marketing” - using valuable, free solutions to generate awareness of the product & get people to use them. Canarytokens, described by the company as “tiny tripwires that you can drop into hundreds of places” that are “trivial to deploy, with a ridiculously high quality of signal”, can be deployed for free. This fantastic tool has received a lot of love in the community.
Most recently, Thinkst developed Thinkst Citation - a collection of information security talks, speakers, and conferences going as far back as 1969 and up to as recently as 2023. Although I haven’t seen any official announcements about it yet, I have high confidence it will be well-received in the industry.
Case four: Red Canary
Red Canary is another example of a company widely known in the community for its work. Although Red Canary is also a “canary”, there is no connection between them and Thinkst Applied Research.
Red Canary provides Managed Detection and Response but is most famous for its work on the Atomic Red Team (ART). As the GitHub page states, “Atomic Red Team™ is a library of tests mapped to the MITRE ATT&CK® framework. Security teams can use Atomic Red Team to quickly, portably, and reproducibly test their environments”.
Because ART is open source, anyone can contribute their tests and benefit from what is out there. By creating a community of security professionals who use the Atomic Red Team, and building a vibrant tribe of active contributors (almost 300 people!), Red Canary is now a widely known MDR provider in the otherwise crowded market.
Accessible product, practitioner-centered focus, and simplicity over the buzz
Case five: Tines
Every company can find its own, unique way to add value to the security community. If the above examples made you think “sure, but you can’t build a large, venture-backed startup without going bananas with marketing”, please welcome Tines, one of the leading providers of no-code automation for security teams.
Tines, a VC-backed company valued at over $300 million as of the end of 2022, built trust by adopting a practitioner-focused mindset. First and foremost, their products are accessible to anyone and easy to get started with, which is seen as a breath of fresh air in the industry where security engineers sometimes are forced to attend as many as five demos before they can get access to the product. Although the company has a well-functioning sales team, it does not bombard free users with aggressive sales calls and doesn’t employ shady marketing tactics.
The practitioner-centric focus of Tines can be seen when one visits the company’s Slack channel: many people are engaged, and security engineers, architects, analysts, and the like can easily access the support they need. Moreover, in 2022 the company established Tines Labs - a team the goal of which, among other things, is to “develop and share new public templates and research that benefit [...] customers and the wider community”.
Tines has been effective in leveraging partnerships with other cybersecurity startups, as well as producing content relevant to the industry. In 2022, for instance, Tines surveyed 1,027 security professionals and created the State of Mental Health in Cybersecurity report.
Key learning: good intent and desire to add value over marketing formulas
These are just some examples of companies doing good; there are certainly more.
When it comes to marketing and growth, there are no formulas that guarantee success. However, what is clear to me is that there are viable ways to build a business while also advancing the industry, helping more people get into cybersecurity, making it easier for practitioners to try the tools they need, removing barriers to high-quality education, and building communities of people that lift one another up.
There are many great ideas that creative people can come up with if given the mandate to do good and add value, not just “generate leads”. Importantly, all these ideas are well-differentiated, unlike, say, most vendor-run podcasts. Best of all, no budget for Formula 1 is needed.
For those who are still unsure what they can do: making products easier to try and making it painless to understand what the company does and doesn’t do are great ways to start.
Great article. Some of my favourite companies are mentioned here.