Since our industry is undergoing continuous consolidation, it is not surprising that discussions about platforms vs. point solutions often dominate the discussions in public media. This duality is also a wrong way of looking at cybersecurity because, in reality, there are four buckets under which cybersecurity companies usually fall, not two. 

The credit for the original idea belongs to Fernando Montenegro, a friend and one of the most thoughtful industry analysts covering cybersecurity. Fernando and I had a great chat at Black Hat, and what came out of that conversation inspired me to write about this topic on Venture in Security. Thank you Fernando for the discussion, and for your feedback and additions to the article. 

This issue was brought to you by… Wiz.

New AI-SPM Buyer’s Guide: What to look for in an AI Security Solution 

AI security is becoming a must-have for any comprehensive cybersecurity strategy. 

This new AI-SPM Buyer’s Guide cuts through the noise and highlights the key features you should look for when evaluating solutions, including: 

• Key AI security challenges and how to address them 

• Key features and requirements to include in your evaluation  

• How to build an RFP  

  Get the Guide

Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!

There are four, not two groups of security products

To understand the cybersecurity ecosystem, it’s helpful to view it as an intersection of two parameters: 

• Types of products by areas of focus: point product (narrow), or platform (broad). 

• Types of products by depth of coverage: good enough (shallow), or best in class (deep). 

When looked at on a grid, these parameters produce four quadrants: 

• Best in class point products

• Best in class platforms

• Good enough platforms

• Good enough point products

Let’s have a closer look at each of the four. 

Best in class point products

When we hear people talk about best in class or best of breed security products, what they mean is best in class point solutions. These are hyper-focused products, typically offered by startups, that solve one well-scoped, well-defined problem better than their competitors. 

The willingness of buyers to procure solutions from best in class point products is dependent on several factors: 

• The startup is addressing an important problem, and there are no equivalent offerings from platform players. Both of these criteria must be met in order for the customer to buy. If the problem is not pressing enough, buyers would often ignore the offering altogether or wait until their platform vendor of choice adds their implementation of the solution. 

• The startup is addressing an important problem, and while there are equivalent offerings from platform players, the customer is particularly worried about this area and wants the best solution they can find. The reason Abnormal, Material, and Sublime are able to get deployed next to incumbent email security vendors is the same - because customers really care about email security.

• The buyer is comfortable with the additional perceived risk of dealing with a smaller vendor that may lack the apparent stability of established vendors. This affects product roadmaps, financial risk, potential gaps in non-functional aspects of the product, and more.

I have observed that customers are only truly incentivized to buy best in class point solutions to address their security needs since, if they cared to get something only in order to check the compliance box, good enough platform providers are usually… Well, good enough. 

Best in class platforms

Best in class (best of breed) platforms is a group that encompasses very few companies, known for solving a broad range of use cases well. 

To build a best in class platform, a company generally first starts with a best in class point product. “I think too many people are getting hung up on the idea that they need to build a “platform” from day one. Buyers indeed expect that any new tool they add will replace a few of their existing ones. And yet, one of the most critical factors to startup success is focus, which in practical terms means solving one problem really well, for many customers. CrowdStrike started as an endpoint detection & response solution to focus on advanced adversaries. Palo Alto built a firewall. The list goes on and on. Solving one problem well to start is essential.” - Source: Every successful security platform started as a point solution.

Another dimension of best in class platform is that these vendors usually work in problem spaces where there are strong positive network effects in terms of data/telemetry at scale. If one needs planetary-scale reach into insights in order to achieve best in class results, this favors vendors that have built a more platform-centric approach.

After achieving product-market fit with the initial solution and capturing the market share, the company needs to expand into adjacent areas while continuing to build leading products in new areas. This is easier said than done: as startups grow into established players, they become slow to move, bureaucratic, and more often than not lose their ability to innovate. Driven by their desire to make things happen anyway, they often follow one of the following patterns: 

• Launching new products that are substantially lower quality compared to their original offering that made the company successful. The bar for what can be used as an upsell for existing customers often continues to go down the longer the company has been in business and the more solutions it offers. 

• Acquiring other best of breed startups but failing to integrate them into one cohesive offering. The more they do it, the more likely it is that their product will become a Frankenstein-like monstrosity where individual components don’t talk to one another. Jerich Beason puts it well in his LinkedIn post. 

The few companies that are able to pull this off, buy themselves time to reign as best of breed platforms. In my opinion, there are now two of these in security. One common factor that makes platforms stay best in class longer is when they are run by their founders passionate about solving real problems well. 

Good enough platforms

Most platforms that remain in business, eventually turn into good enough platforms, even if they started as best in class. This is absolutely normal and expected. The reality is that most companies over time lose passion and become pretty average in what they do. If by then they have already established themselves as trusted vendors, this won’t be a problem for their growth: since cybersecurity is based on trust, they can continue growing for many years until eventually hitting a plateau. 

When people in the industry talk about “best of breed” vs “best of suite” products, what they usually mean is “best of breed point products” vs “good enough platforms”. The reality of security is that good enough is often good enough unless customers are particularly worried about an attack vector in question. Unfortunately for many companies, that doesn’t apply to most areas of security so once a company has implemented a good enough platform, it will have a low willingness to consider point products competing in the same market and addressing the same problem. 

Good enough point products

Lastly, there are good enough point products. These are the solutions tackling a specific problem without being the best in class in what they do. 

This category deserves a deeper discussion since whether or not companies that fall in this bucket survive in the long term depends on a variety of factors. 

• Although founders of the majority of point products think of their creations as best of breed, the harsh truth is that most of them aren’t. The vast majority of point products are at best good enough. This is not in any way to say that they are bad, not valuable, don’t solve problems, or that they lack a unique angle. The economic concept of “inferior goods” applies here: these are adequate substitutes for a “higher quality” product at a lower price point.

• If the driver for purchasing is compliance, and security isn’t a big concern, then it doesn’t usually matter if the product is good enough or best in class: as long as it checks the right box, it solves the problem. 

• If the driver for purchasing is security, then good enough point products would have a particularly tough time competing. This is because the only time a security team would consider integrating a standalone point product into their stack is if it is best in class. 

In 2024, security teams are not actively in the market for new products. Companies are looking to replace as many of the disjoint tools with platforms, automate as many of the manual tasks as possible, and achieve as much with the least resources as they can. The process of adding another security vendor by itself is incredibly hard and few organizations are willing to go through it just for another small solution. I anticipate that in the coming years, good enough point solutions will struggle to get adopted and in most cases won’t survive. 

Secular trends and market movement in the cybersecurity space

The market is not static: things evolve all the time as new companies come in, old startups exit and both economic and geopolitical forces change the way the industry behaves. The following are four secular trends that tend to be true regardless of the external context. 

I observe that 

1. Point products want to become platforms. To do this, they seek to expand from their initial point of entry (wedge) and build solutions that address more use cases. This is beneficial to the customer for potentially accelerating time to benefit from new functionality but is also beneficial to the vendor for increasing their “stickiness” with that customer through increased switching costs.

2. Most best in class point products become good enough platforms. Very few companies are able to maintain the level of quality and innovation they had when they built their initial use case. Every new addition, whether it is built in-house or added via an acquisition, tends to take the product closer to the “good enough” quadrant. 

3. Over time, the best in class becomes good enough. This is true for both point products and platforms. Customer expectations change and as soon as what was seen as “revolutionary” and “next-gen” becomes commoditized, it turns into the new normal, the new baseline. 

4. Good enough point products get quickly pushed out by good enough platforms. This has happened in areas like Secure Access Service Edge (SASE) and is bound to happen in other markets such as  Continuous Threat Exposure Management (CTEM). 

Image source: Cavell

Image source: Elad Erez on Twitter/X (this thread in Hebrew is the best analysis on CTEM I have seen to date). 

On that note, I highly recommend subscribing to Elad’s LinkedIn and English/Hebrew X pages for some stellar analysis of the market and the cybersecurity startup ecosystem. 

If you like my blog, please subscribe & share it with your friends. I do this in my free time, so seeing the readership grow helps me to stay motivated and write more. I don’t send anything except my writing and don’t sell your data to anyone as I have better stuff to do.

If you are a builder - current or aspiring startup founder, security practitioner, marketing or sales leader, product manager, investor, software developer, industry analyst, or someone else who is building the future of cybersecurity, check out my best selling book, Cyber for Builders.

If you are a security practitioner, check out & spread the word about the VIS Angel Syndicate.

If your company is interested in sponsoring Venture in Security, check out Sponsorships. Thank you!

Share