Mod 02 · Buyer & Maturity

Who buys what, at which stage.

Four maturity stages, two persona levels, one fit matrix. The teaching beat to keep: executives buy confidence, operators buy relief.

The Maturity Ladder

Four stages of security operating maturity. Each carries its traits, common buyers, best-fit motions, and a single GTM message.

Stage 1

Reactive / Underbuilt

Get protected without building a full security organization.
Traits
  • Security is one of several IT hats, not a dedicated function
  • Tooling assembled tactically, often around insurance or compliance triggers
  • Limited operational telemetry; no SOC, or only a shared one
  • Spend driven by perceived risk events, not strategy
Common buyers
  • IT director
  • MSP-led security
  • Owner / founder
Best-fit motions
  • Managed outcome (MDR)
  • All-in-one bundles via MSP channel
  • Insurance-required minimum stack
Stage 2

Managed / Developing

Move from tool ownership to operational control.
Traits
  • Dedicated security headcount (1–5), often reporting to IT
  • Defined controls, partial process — runbooks exist but inconsistently applied
  • Multiple point tools, integration gaps obvious
  • Beginning to measure outcomes (alerts, time-to-respond) even if poorly
Common buyers
  • Security lead
  • IT director
  • VP IT / CISO-adjacent
Best-fit motions
  • Managed augmentation (MDR + tools)
  • Workflow consolidation pitches
  • First-time SIEM or EDR replacements
Stage 3

Optimized / Scaling

Reduce complexity, improve precision, prove effectiveness.
Traits
  • CISO-led function, defined teams (SOC, GRC, AppSec, IR)
  • Measured outcomes, established metrics, regular reviews
  • Mature tool stack; consolidation conversations underway
  • Friction from sprawl: too many tools, redundant data, alert fatigue
Common buyers
  • CISO
  • VP Security
  • Director of SecOps
  • GRC lead
Best-fit motions
  • Platform consolidation (replace N tools with 1)
  • Orchestration / control-plane pitches
  • Best-of-breed for genuinely deep wedges
Stage 4

Advanced / Threat-Informed

Operationalize threat-informed defense at scale.
Traits
  • Threat-intel-driven detection engineering
  • Adversary-relevant validation (BAS, purple teaming)
  • Mature identity-and-data governance
  • Capacity for in-house tooling; selective about third-party
Common buyers
  • CISO (strategic peer to CIO)
  • Detection engineering lead
  • Threat intel lead
  • Cyber risk officer
Best-fit motions
  • Threat-informed detection (BAS, adversary emulation)
  • Bespoke / API-first tools that fit detection engineering workflows
  • High-end MDR with co-managed model

The Two Personas

Two distinct buyer levels — executive and operational. They want different things. The pitch that lands with one rarely lands with the other.

CISO / VP Security

Executive · Buys confidence
Cares about
  • Defensibility to the board, auditors, customers
  • Material risk reduction (quantifiable)
  • Program coherence — fewer fights, clearer story
  • Talent retention through tool sanity
Does not want
  • Yet another dashboard nobody operationalizes
  • Tools that require team headcount the org doesn't have
  • Vendor pitches that ignore the existing stack
  • Renewal surprises
"We help you tell a coherent story to the board — fewer tools, sharper metrics, defensible outcomes."

SecOps / Engineering Operators

Operational · Buys relief
Cares about
  • Time saved on alert triage and toil
  • Tool quality (low false-positive rate, fits the workflow)
  • Reliable detections on the threats they actually see
  • Integration with existing pipelines (SIEM, ticketing, ChatOps)
Does not want
  • More noise to triage
  • Tools that require six weeks to deploy before any signal
  • Vendor marketing pretending the product reads minds
  • API gaps that block automation
"We absorb the toil your team is drowning in — alerts triaged, false positives suppressed, your day shorter."

The Fit Matrix

Category × { best buyer, maturity, size, industry }. Read down the Maturity column to see which categories fit a given stage; read across a row for that category's buyer details.

Category               | Best buyer                  | Maturity | Size                       | Industry fit
MDR                    | IT director / security lead | 1–2      | SMB / mid-market           | Underbuilt verticals — manufacturing, healthcare, education
EDR / XDR              | CISO / SecOps lead          | 2–4      | Mid-market to enterprise   | Cross-industry, baseline
SIEM                   | SecOps / detection lead     | 3–4      | Enterprise                 | Regulated industries, high signal volume
SOAR                   | Detection engineering       | 3–4      | Enterprise                 | Mature SOCs needing automation
CNAPP                  | Cloud security lead / CISO  | 2–4      | Cloud-native mid-to-large  | SaaS, financial services, retail
ITDR                   | Identity lead / CISO        | 3–4      | Mid-to-large enterprise    | Financial services, regulated, IP-heavy
PAM                    | Identity / GRC lead         | 2–4      | Mid-market to enterprise   | Highly regulated, finance, healthcare, government
Exposure / CTEM        | VM / detection lead         | 2–4      | Mid-market to enterprise   | Cross-industry, especially regulated
ASM / EASM             | CISO / exposure lead        | 2–3      | Mid-market to enterprise   | Brand-sensitive, public-facing org
DSPM                   | Cloud security / data lead  | 3–4      | Cloud-native mid-to-large  | SaaS, financial, healthcare
DLP                    | CISO / compliance           | 2–4      | Mid-to-enterprise          | Healthcare, legal, regulated (legacy installed base)
GRC / Compliance auto  | Compliance / GRC lead       | 1–3      | SMB to mid-market          | SaaS, fintech (audit-driven)
TPRM                   | GRC / vendor risk           | 2–4      | Mid-market to enterprise   | Financial, healthcare, supply-chain-heavy
OT Security            | OT / plant security         | 1–3      | Industrial enterprise      | Manufacturing, energy, critical infrastructure

Maturity and size overlap but are not identical. A small fintech can run at stage 3; a large industrial can sit at stage 1.