In cybersecurity, we like to think of ourselves as rational decision-makers. We talk about rigorous testing, objective evaluations and selecting tools based on measurable outcomes. But the reality? We almost never get that luxury.
Most tools can’t be fully tested before purchase. The stakes are high, environments are complex and attackers don't tend to cooperate with our vendor evaluation processes.
So, buyers turn to trust signals:
- Peer recommendations
- Customer logos
- Compliance certifications
- Gartner rankings
- G2 reviews
- Founder reputation
In short, we’re buying vibes.
This isn’t a failure of due diligence - it’s a reflection of the structural realities of our function.
As Ross Haleliuk noted in his recent presentation, Navigating the Cybersecurity Industry: A Founder’s Guide, cybersecurity is shaped by three external forces: technology innovation, competition and threat actors. These map closely to the dynamics we see every day - adversaries pushing boundaries, constraints in how tech is deployed and business pressures that don’t always align with security priorities.
These forces drive urgency and uncertainty, making trust the most valuable currency in the buying process. As Ross says, “Trust is a shortcut for adoption and a way to overcome sales obstacles.” And that trust tends to come from signaling, not testing.
Now, with every vendor layering AI on top, the signal-to-noise ratio gets even worse. Most AI tools demo extremely well, but without clarity around outcomes, buyers are left with more questions than answers.
So, what can buyers do about it?
First, figure out the level of commitment you’re making to a particular tool when you implement it. Jeff Bezos calls these “Type 1” and “Type 2” decisions: Type 1 decisions are hard (if not impossible) to reverse once made, while Type 2 decisions are easy to undo if they turn out to be the wrong choice.
Making a Type 1 vendor decision shouldn’t be done lightly - it can be incredibly costly to be stuck with a vendor that no longer aligns with the needs of your cybersecurity program. That’s why buyers need tools that align with their broader strategy, not tools that try to be the strategy.
The best solutions are ones you can plug in, test and swap out without disrupting your entire cybersecurity program. That’s why vendor-agnostic orchestration and AI platforms can be such valuable enablers - no matter which tools you replace, you can keep those critical automations running.
Second, ask deeper questions and push for tangible proof. Move beyond feature lists to focus on what the tool can actually deliver in your environment:
- What’s the specific outcome this tool has delivered for customers like us?
- Can the vendor show a measurable change in a relevant metric - response time, ticket volume, etc.?
- How quickly can we go from proof of concept to real value?
- What workflows or processes will this tool improve, and where might it introduce new overhead or complexity?
- If we need to rip this out in six months, how painful will that be - for our team, our stack, and our strategy?
It’s not enough for a vendor to say, “We solve that problem.” Ask for proof from real customers - a before-and-after comparison, a live workflow or integration, or a reference call backed by hard data.
The cybersecurity industry thrives on innovation, but it’s guided by trust.
The more we acknowledge that, the better equipped we’ll be to make tooling decisions based not just on vibes, but on what actually moves the needle.