Tarpit startup ideas in cybersecurity: five ideas that killed many companies and will definitely kill more
Looking at the concept of tarpit ideas and its significance in cybersecurity
Most people in the startup world have heard the common refrain that ideas are cheap, and it’s the execution that matters. I would certainly agree. Good ideas, executed poorly, won’t lead to success. Poor ideas executed incredibly well can indeed result in a successful company (especially since great execution may involve timely and necessary pivots).
There is a third type of idea that rarely gets discussed. I am talking about tarpit ideas. I think most founders in security aren’t familiar with this concept, even though learning about it could have saved many companies from failing. In this piece, I explain what tarpit ideas are, what makes them dangerous, and what could be some of the examples of tarpit startup ideas in cybersecurity.
Definition of tarpit ideas
The concept of tarpit startup ideas has been popularized by YC specifically a great video by Dalton Caldwell and Michael Seibel titled “Tarpit ideas - what are tarpit ideas & how to avoid them”. If you are an aspiring or an early-stage founder currently ideating in cyber (or any other industry for that matter), I highly recommend watching this short half-hour chat.
Tar pits, sometimes referred to as asphalt pits, are formed in the presence of petroleum. Tar pit pools resemble freshwater ponds, and so they tend to attract animals who think they would be able to find fresh water. Instead, they get sucked into the sticky tar and die. As they start to decompose, their smell attracts more animals who then face the same destiny. In the context of startups, tarpit ideas are the ideas that seem good (it’s almost shocking that nobody else came up with them before!) but have been tried by many founders with little to no success. As YC explains, “Tarpit ideas are often not hard in obvious ways. They might seem so easy and good that it’s unbelievable that no one has done it — but when you look a bit deeper, you realize that they have been tried. Over, and over again.”
Tarpit ideas attract many founders, and that’s for a good reason: since the problems remain unsolved, buyers say that they would certainly love a solution, and there is not a large company built around this problem. Dalton Caldwell puts it really well: “It looks like you’ve come up with this amazing original idea and the death of everyone that attempted it is hard to see. All you see is a freshwater pool and you’re like “Oh, this is a wide open space for us to solve!”. Most tarpit ideas tend to be in the consumer space. Since we are all consumers, and most of the success stories we hear about are from consumer space, founders are naturally drawn to B2C. However, business-to-business (B2B) has its share of tarpit ideas, and cybersecurity is a perfect example of that.
Over 3,500 copies of my best selling book “Cyber for Builders: The Essential Guide to Building a Cybersecurity Startup” have been distributed to the readers so far.
The book is intended first and foremost for builders - startup founders, security engineers, marketing and sales teams, product managers, VCs, angel investors, software developers, investor relations and analyst relations professionals, and others who are building the future of cybersecurity. If this sounds like you, you should get a copy. The book has been rated 4.9 out of 5 on Amazon based on 80+ reviews, and in 2024 it became a finalist of the SANS Cybersecurity Difference Makers Awards.
Tarpit ideas are not bad ideas
Before we look at some examples of what I think are tarpit ideas in cybersecurity, let me be very clear about a few things. First and foremost, tarpit ideas are not bad ideas. On the contrary - they are ideas that attempt to tackle important problems, ideas that feel like someone should finally do them, and ideas that get a lot of positive feedback from security leaders and security practitioners. In the YC video, Dalton & Michael explain that “A true tarpit is an idea you will be really defensive about when presented with the evidence that the idea is challenging. The funny thing is that these are not ideas where it appears like there is no hope. And, sometimes ideas in these spaces work which makes it work.” Second, the ideas I am about to discuss may or may not be tarpit ideas, but to me, they somehow look like ones. I know many great founders pursuing some of these ideas, and I am rooting for their success. That said, these ideas have killed startups before, and I am afraid they are going to kill more. With that out of the way, let’s dive into some of the tarpit ideas in cybersecurity.
Tarpit startup ideas in cybersecurity
A single pane of glass for cybersecurity (aka “the only dashboard CISOs will need”)
The biggest tarpit problem in the cybersecurity industry is the search for the Holy Grail - the only system that would track everything security teams have to track, or in other words, a single pane of glass.
As infrastructure becomes more and more complex, and the number of tools to monitor and secure it continues to grow, IT and security leaders are becoming overwhelmed with the sheer number of products operating in their environment. While each of these tools made sense on its own, all combined they are simply impossible to navigate: each product needs to be configured, and each generates some insights that require teams to monitor yet another UI and take action when a high-priority alert, a potentially important detection, or a critical finding is triggered. Given all this complexity, it is not surprising that the idea of bringing everything into one place is so appealing.
At first glance, consolidating different tools into one unified view should not be that hard. All we would need is to aggregate all the logs, and all the detections in one place, and then correlate them in a way that would make it unnecessary to even open those “other” products. In practice, that’s easier said than done. Although most products now offer the ability to export data to external destinations, each of them has knobs and turns that need to be adjusted - or else they won’t do what they were designed to do.
What makes matters worse is the fact that every single vendor would like to become that one dashboard where security teams are going to do their work. When every product in the company’s environment is fighting to become “the one”, security teams are naturally surrounded by 50+ “single panes of glass” (or as one CISO said, “single glasses of pain”). And, any startup that chooses to focus on becoming this single pane of glass will struggle immensely especially if this becomes their main selling point.
A single executive reporting and metrics dashboard or a co-pilot (aka “the only tool CISOs will need to do their job”)
A variation of the “single pane of glass” idea is a single executive reporting and metrics dashboard (or, more recently, a CISO co-pilot). The pitch usually goes as follows: security teams have many products, and each of these products focuses on addressing a single slice of the problem. The only way to understand how all these tools add value is to unify all the metrics and business-level insights in the one and only dashboard CISOs would be tracking. Nowadays, this pitch sometimes extends into offering a so-called CISO co-pilot, a place for security leaders to ask questions and get the answers they need.
In a way, this idea is what emerges when security leaders give up on the aspiration to bring all of the security into one place (a single pane of glass) and decide that the best they can do is to bring all the metrics about their distributed stack into one place instead (a single dashboard) or introduce an intelligence layer on top of all that mess (a co-pilot).
At first glance, this idea makes sense for a startup. Security leaders are often confident that they would “definitely pay for having everything they need in one place”, and founders are happy to oblige. The devil, as always, is in the details.
First and foremost, while CISOs crave this unified dashboard, they typically struggle to find the budget for it. This is because while security budgets aren’t usually shrinking, neither are they bottomless. When CISOs have to make tough decisions and decide which need will get funded first, a tool for making charts and graphs will always get pushed to the bottom of the priorities list, far below detection and response, or increased headcount. Every security purchase has to be tied to security outcomes, and sadly making management lives easier is not a business priority.
Second, we simply can’t abstract away all the complexity of security in a single dashboard, a single co-pilot, or another widget for a security leader. There are indeed many moving pieces, and the solutions that work are indeed hard to implement - simplifying the environment, consolidating tools, building high-performance teams, and so on. The idea that some magic tool can hide all the pain behind a dashboard (or a chatbot) is not realistic, and it’s not how CISOs work. As Yaron Levi points out in a great article that should be a mandatory read for every founder, “CISOs don’t usually sit in the middle of mission control center, watching endless dashboards [ or a “single dashboard” for that matter ], waiting to see when someone is not behaving properly so they can get off their chair and go to beat them over the head with a stick.”
Third, every CISO has a different idea about what constitutes the most important metrics, what they should be focused on, and where they need the most help. They are right to do so: every company is different, with a unique environment, its own crown jewels, and a different mindset. On top of these objective differences, most security leaders have their own beliefs, which are highly correlated with their origin story and the function they are most familiar with. Trying to come up with a one-size-fits-all solution never worked and most likely never will.
A detection and response tool that is more accurate than whatever is offered by the industry leader (“aka a better detection and response algorithm”)
Another tarpit idea that is more common than many realize is building a detection and response tool that is supposedly more accurate than whatever is offered by industry leaders such as CrowdStrike, Microsoft, Palo Alto, Wiz, or any other. The pitch usually is that the existing products generate too many false positives, and some 0.1-5% improvement in efficacy will result in material changes to the quality of detection, and subsequently to the customer experience.
In isolation, this idea is great - any security product can certainly be improved, and we haven’t yet figured out how to reduce false positives without risking an increase in false negatives. This, however, is precisely what makes this a tarpit idea: most startups that go after this space die in slow and painful agony.
There are indeed cases when startups were successful by competing on efficacy, but these generally required a new approach. When Palo Alto was able to get its firewall deployed alongside Check Point, it was because the world of firewalls was shifting, and the previous generation genuinely had significant gaps that could easily be demonstrated to the buyers. When Abnormal, Material, or Sublime had a lot of success being deployed in the same environment as Proofpoint and Mimecast, this was largely because 1) companies are really worried about employees clicking on malicious links, and 2) the incumbents haven’t been as effective at responding to new challenges like business email compromise (BEC) or leveraging new technologies (such as AI).
Competing on efficacy is only possible if there is a bigger story behind it - one about some fundamental changes in infrastructure, or advancements in technology - but even then the game is to get deployed alongside legacy tools, solve a specific high-value use case, and expand from there. It is never to go against the incumbent head-to-head. In 2024, nobody will believe a 10-person startup that their coverage on, say, the endpoint is better than that of CrowdStrike (and certainly nobody is going to run two agents side by side on their fleet to validate that). This doesn’t mean that someone can't come up with a revolutionary way to do detection; it is more about the fact that CrowdStrike has hundreds (or thousands?) of threat and malware researchers and detection engineers - and it’s just hard to imagine that a small startup can do a better job.
In cybersecurity, few people are able to test the efficacy of different vendors, and in most cases, it’s an outright impossibility. Efficacy is not a differentiator (I know many security practitioners would find it maddening but that’s just a fact of life). Distribution is a real moat, and that is why in most cases, pitching a 5%-10% better detection coverage is not going to be enough to get a demo, let alone to displace an incumbent.
A way to prevent data loss and insider threat without false positives (“aka a perfect DLP”)
Building a perfect data loss prevention (DLP) system is one of the most common tarpit ideas. When aspiring founders are doing CISO interviews asking what is on their mind, preventing data loss (accidental and intentional) is most certainly going to be on the list of top 10 concerns for many security leaders. They would say that anyone who can build DLP the “proper way”, so that it doesn’t generate any false positives or false negatives, and can be deployed without creating a bad experience for employees, would get rich.
That could be true, if not for the fact that a perfect DLP system is not possible. Don’t get me wrong - there are companies out there doing some impressive things in this area, so it’s not that we lack talent or imagination. The problem is that data loss prevention, as my friend once said, “helps keep honest people honest”. The only way to determine that some behavior is malicious is to understand intent, and that is not currently possible, regardless of how many log sources a tool can aggregate and correlate. When a sales employee is sending a large file via email - should they be blocked? Well, maybe not because in most cases, they are just trying to do their job. Or maybe yes, even if that would come at the trade-off of impacting their productivity and user experience? Some might say that there is certainly a way to analyze the document and decide if it should be shared, but even then - should an employee be prevented from sharing an agreement because, on the 67th page, it says “This document should be kept confidential”?
The questions are plenty but the conclusion is simple - a perfect DLP is not possible. This doesn’t mean, however, that data loss prevention is a bad market segment to enter. On the contrary, if a company has a unique angle (as some, such as Cyberhaven and Harmonic, to name a few, do) - it should very much pursue that, but if not - then thinking of an ideal DLP alone is not going to cut it. Security tools usually require some trade-offs between accuracy and noise. There will always be false positives and some threats that evade detection - perfect security is unattainable (most certainly without rendering tech entirely unusable with policy restrictions).
A way to change how security products are bought by enterprise customers (“aka a self-serve security marketplace”)
A growing number of security leaders and practitioners are becoming upset about the way products are bought and sold. CISOs are growing more and more annoyed by the sheer amount of sales outreach, the endless cold calling, the inability to distinguish between different tools, the complexity around simply trying what a vendor offers, and the impossibility of validating their marketing claims. All this is while vendors are realizing that the power of channel partners and industry analysts is enormous, the cost of events for security buyers is going up every year, and the market landscape is so competitive that it is outright impossible to stand out in all that noise.
In the backdrop of all this mess, a tarpit idea that has been gaining traction is building a cybersecurity buying platform. It may have different variations, such as:
- Charging CISOs to see a list of companies they can try.
- Charging vendors to be featured on the platform and offering the whole experience for free to CISOs.
- Making it easier for CISOs to see what products different vendors offer and do a POC on these products within the platform itself.
These are just some examples; there are many more. Note that I am specifically talking about enterprise-focused attempts here. There are also companies targeting the underserved markets such as small and medium-sized businesses, but that’s an entirely different game and therefore it’s out of scope for this discussion.
So why is changing the way enterprises buy security products a tarpit idea? There are several reasons why that is the case, but the main two are, without any doubt, the incentive system and the problem of building marketplaces.
The current model, although it’s far from perfect, kind of works because it creates the right incentives for those who control the resources. Large enterprises rely on their trusted partners - industry analyst firms, consulting firms, system integrators, and value-add resellers who help them make decisions. Their environments are too complex to be serviced by young vendors, and their leadership is too risk-averse to trust startups that aren’t yet in the top right corner of the Gartner Magic Quadrant. Security leaders at large enterprises need to have solid justification for their decisions, and “I saw this on the marketplace” does not sound like one of them. The existing system also works for established vendors who have advantages of distribution and existing relationships with Fortune 1000 companies, be it directly or through their partners. Every vendor would like to maintain control over its sales pipeline, and that means dealing directly with the person who is in charge of the wallet or is as close to it as possible.
Unsurprisingly, the companies that struggle with the current model the most are young startups. Desperate to try anything they can, they will always be eager to support founders who can give them hope they can find new customers. The problem is that if the buyers don’t share their enthusiasm, then any efforts to change how security products are bought will be futile. This brings us to the second problem with this idea - namely how hard it is to build a marketplace.
Startups with an ambition to change how security products are bought are essentially building two-sided marketplaces, where they try to connect buyers (CISOs) with sellers (security vendors). I believe that security is a really bad market to start such a marketplace, because:
- The number of security buyers is incredibly small, and they are all connected. They already exchange ideas, experiences, and perspectives (including those about vendors) before there is any platform.
- The number of security vendors is incredibly high, and they are undifferentiated. This means that no buyer can find the difference between, say, 25 products that all have the same sales pitch, all offer the same features, and all supposedly solve the same problem.
- Vendors have an incentive to exaggerate their claims, especially when they know that buyers would be comparing what they claim against the claims of their competitors who are also using the same platform.
- There is no objective way to evaluate security tooling (hence why, as I’ve discussed before, security is a market for silver bullets). In such a market, I think the old-fashioned matchmakers that build relationships, understand problems and look for solutions (industry analysts) are going to be much more effective than an automated dating platform where the buyers need to do the work and, at the end, are unlikely to be happy with the results anyway.
Closing thoughts
Let me re-emphasize once again: the ideas I described in this article aren’t bad ideas. The problem is that the opposite is true - they are actually great ideas, but they also have been known to lead to rather sad outcomes. Everything is subjective, and what looks like a tarpit idea to me, can be a perfect opportunity for a visionary founder to reimagine the space that historically hasn’t led to great outcomes. The key here is having that vision. With a strong conviction, any of these (or any other seemingly tarpit idea) can turn into a successful, fast-growing, and highly impactful company. The warning here is not to abandon hard problems, but to think twice before pursuing them, and not to pursue tarpit ideas just because security leaders mention them in their discovery calls.
If you haven’t by now, I highly recommend watching that YC video about tarpit ideas. I am sure you will find it as insightful as I did.
Lastly, if you are a founder building in the space I labeled as “tarpit”, don’t take these opinions personally. I am wrong more often than I am right, and chances are high that this is one of these cases. I am cheering for your success (shoot me a message back with a link to what you’re up to). Best of luck!
I'd also add:
- SOC in a box
- Security information sharing platform
- Vulnerability prioritization
Absolutely worth the read for anyone building! Thanks!