Platforms and Point Products Will Both Continue to Be a Thing
Neither is going away. Arguing that one or the other will "win out" is silly.
A large portion of the vendor security market is venture capital-funded. Founders raise money to build and grow companies that overwhelmingly get acquired by larger cybersecurity companies.
Private equity (PE) firms also have a large stake in the cybersecurity market. PE firms pick up moderate-performing companies and combine them with other moderate-performing companies, in the hope that 1+1=3 from an investment standpoint.
This market cycle, where point products and features masquerading as products get acquired into platforms, has been the dominant force setting the market pace for the past 20 years. This cycle shows no sign of changing or stopping.
The Palo Alto Platform Debate
Recently, Palo Alto’s CEO, Nikesh Arora, felt the need to do some defensive explaining around PANW’s current market strategy. At the end of this LinkedIn post, he strikes a match, which finds some dry tinder.
…we feel confident that in the next five years point solutions will become a thing of the past.
This is clearly hyperbole, right? Nikesh knows how the market works. In fact, as an acquisition-driven company, Palo Alto depends on a healthy ecosystem of competitive point products to fuel their growth! For some perspective on Palo Alto’s dependence on the startup ecosystem,
published a recent piece that details Palo Alto’s acquisitions over the past six years: 16 transactions totaling nearly $4.8B USD.
For some market perspective on the size and health of the security startup ecosystem,
over at Return on Security reported 684 funding rounds across 100+ unique product categories worth ~$12.7B in 2023. Mike also reported that 2023 had 259 M&A transactions across 70+ unique product categories worth ~$40.5B. That’s nearly 1000 major transactions, pumping over $53B into the cybersecurity market. As the market continues to recover, we can only expect to see the number and size of transactions increase, particularly after tech and security companies start going public again.
Palo Alto has no less than three major platforms. The company’s firewall platforms, Cortex, and Prisma, have all been around for many years, making it difficult to claim that platformization (a real word, apparently) doesn’t work. Further bolstering the strategy, PANW’s incredible growth over the period that these platforms were built is well-detailed by
in his ‘BHAG’ post.
Symantec and McAfee’s corpses are often dragged out and placed on display as evidence that platformization doesn’t work, but those companies were built during a very different time. Building a simple integration required dozens of meetings, contracts, and the exchange of proprietary information. Today, nearly all products are API-first SaaS and integrations are built in hours. Honestly, it’s a miracle McAfee made ePolicy Orchestrator work at all in the 2000s!
(pssst, it still exists, BTW)
A Challenger Approaches
, industry analyst and author of , jumps feet-first into the point vs platform debate with some bold statements. This left me scratching my head. There are tons of cybersecurity platforms on the market. Sure, many of them make compromises and probably aren’t considered ‘best-of-breed’ in some categories, but to say there is no such thing as a cybersecurity platform? I don’t get it. Perhaps his next statement is a clue?
There is ZERO appetite within the enterprise to purchase all of their cybersecurity from the same vendor.
Any statement that goes to such an extreme is impossible to disagree with. It’s a strawman - there aren’t any vendors trying to be everything to everyone, unless we consider VARs vendors. There are plenty of categories I just don’t see Palo Alto venturing into. The cybersecurity market is full of niches and nuanced products that will never make sense as part of a larger platform.
Even within Palo Alto itself, there isn’t a single dashboard or platform. Panorama, Cortex, and Prisma are all separate platforms with separate UI/UX. This makes sense - each platform has separate buyers and use cases, each with its own UI/UX needs. Mashing it all together into a single console would be a mess.
What’s a platform?
A platform doesn’t have to cover every use case and product to be a platform.
Personally, I define a platform (in the enterprise B2C software sense, at least) as multiple, highly integrated products that can be accessed and leveraged via one cohesive UI/UX. Pricing often also enjoys some discount over purchasing the software separately. Platforms should generally benefit the buyer in terms of cost and convenience, but like anything else, there are examples of badly executed platforms. As companies grow, business diversification is often necessary to achieve growth goals.
Zscaler has a platform. CrowdStrike has a platform. Trend Micro has a platform. Sophos has a platform. I think it is fair to say that platforms are common and successful. Perhaps the confusion here is that a well-integrated platform closely resembles a point product.
For some more perspective, let’s play with the opposite extreme as a thought exercise.
There Is No Such Thing as Best of Breed
The vast majority of security point products are created by early-stage, VC-dependent startups. Selling a minimum viable product to a Fortune 100/500/1000 can be tricky to pull off. Enterprise features are often missing in MVPs, but startups target large enterprises because they have a small sales team with big numbers to hit. They ain’t gonna get there with a 4-5 digit ACV, and large enterprises flinch a lot less when the cost is big.
Most point products aren’t even usable or available to the larger general market. As previously mentioned, sales teams can’t afford to go after smaller deals. I often hear buyers complain that they can’t get anyone to return their calls or take their money, and it is often because these startups have to be picky about who they sell to. They need enough growth and the right logos to reach the next milestone. Rinse and repeat until the ARR/growth numbers are right for a decent exit.
These products are often rough and might not even work reliably at this stage. If early-stage startups manage to make a sale, it’s almost certainly at a discount. Unless it creates an immediate impression, there’s a good chance it ends up as shelfware. Surely this isn’t what we’re calling best-of-breed? Late-stage startups get closer to polished, more usable products but are also closer to exiting to a platform vendor.
So… are we most likely to find best-of-breed products within a platform? Or is there some optimal window where a startup is late-stage but also pre-acquisition that could be described as a peak point product?
Let’s jump back to another quote from Richard:
You need the best possible defenses against a real and present danger. If you compromise to reduce the burden on your purchasing department you are going to be out of a job and may be indicted by the SEC.
I think there is a misunderstanding here of how products are purchased, implemented, and used in enterprises. The “best possible defenses” (i.e., product performance) are just one factor the buyer must consider. It probably isn’t even the most important factor for most buyers. Botched and abandoned deployments are so common in the security space that getting a product deployed, working, and producing value is often a major win, regardless of product performance. The best security product in the world can’t make a difference if it never gets deployed.
Let’s say CrowdStrike was the best performer in some anti-malware tests, but SentinelOne was the best performer in an EDR/XDR test. Endpoint security platforms are tightly integrated - I can’t imagine a buyer mixing and matching both of these solutions. Honestly, I’m not even sure if it’s possible to segregate some of these functions anymore - there are many places in cybersecurity where you need a platform to avoid massive inconvenience and overhead: endpoint, cloud, vulnerability management, identity.
Usability, compatibility, and ability to integrate are critical features that weigh into “best of breed” decisions. A .NET shop’s favorite SAST tool might not work for a Java/C++ shop because language support is missing or retired. Best-of-breed is subjective - objective best-of-breed products don’t exist in many categories.
Let’s explore another way to define best-of-breed: industry analyst reports. Who are the “leaders” according to all the analyst firms? They’re all platforms.
Each buyer must individually decide what best-of-breed means to them based on their unique requirements and resource constraints. I’ve seen the same product perform amazingly for one customer and not work at all for another, because things were “too noisy” for one, and “not noisy enough” for another. Customer environments are diverse, and it’s difficult to build one product that suits everyone.
Integration is another important consideration in the buying process. “Does your product integrate with X,” will be asked on nearly every introductory sales call. Have someone with disabilities on your team? You’re probably looking for a mature, well-established platform. There’s little to no chance that a startup’s MVP will include accessibility features for folks with low vision, for example.
No Best-of-Breed, Only M&A Targets
It’s incredibly rare for point products to remain private or go public. The vast majority get acquired. Trying to advocate for point products can be painful - I regularly hear buyers bemoan that their favorite product is now part of Broadcom, Microsoft, Palo Alto, or some other platform vendor that they worry will ruin it. Buyers will search for an alternative and switch to it, and inevitably, that vendor will also exit to a larger player, leaving the buyer to repeat the cycle.
That said, the security market and threat landscape change so often that ripping and replacing solutions every few years isn’t necessarily a terrible idea for some security product categories. However, doing it across dozens of products is a considerable time and labor investment. Is all this work worth it? That depends - best of breed only exists in the eye of the beholder.
All growth paths lead to platforms. Do you think Apple is building VR headsets because they want to? They have to satisfy shareholder expectations of continued growth, and that often means differentiating by entering new markets, like VR/AR. The Apple ecosystem is the platform that bridges the path there. Palo Alto and CrowdStrike’s platform moves aren’t that different. Like Apple’s laptops, tablets, and smartphones, the network, cloud, and endpoint are ideal environments to build a platform around.