Mod 02 · Buyer & Maturity

Who buys what, at which stage.

Four maturity stages, two persona levels, one fit matrix. The teaching beat to keep: executives buy confidence, operators buy relief.

The Maturity Ladder

Four stages of security operating maturity. Each carries its traits, common buyers, best-fit motions, and a single GTM message. Scan the strip; drop into any card for the full profile.

Stage 1

Reactive / Underbuilt

Get protected without building a full security organization.
Traits
  • Security is one of several IT hats, not a dedicated function
  • Tooling assembled tactically, often around insurance or compliance triggers
  • Limited operational telemetry; no SOC or shared one
  • Spend driven by perceived risk events, not strategy
Common buyers
IT directorMSP-led securityowner / founder
Best-fit motions
  • Managed outcome (MDR)
  • All-in-one bundles via MSP channel
  • Insurance-required minimum stack
Stage 2

Managed / Developing

Move from tool ownership to operational control.
Traits
  • Dedicated security headcount (1–5), often reporting to IT
  • Defined controls, partial process — runbooks exist but inconsistently applied
  • Multiple point tools, integration gaps obvious
  • Beginning to measure outcomes (alerts, time-to-respond) even if poorly
Common buyers
Security leadIT directorVP IT / CISO-adjacent
Best-fit motions
  • Managed augmentation (MDR + tools)
  • Workflow consolidation pitches
  • First-time SIEM or EDR replacements
Stage 3

Optimized / Scaling

Reduce complexity, improve precision, prove effectiveness.
Traits
  • CISO-led function, defined teams (SOC, GRC, AppSec, IR)
  • Measured outcomes, established metrics, regular reviews
  • Mature tool stack; consolidation conversations underway
  • Friction from sprawl: too many tools, redundant data, alert fatigue
Common buyers
CISOVP SecurityDirector of SecOpsGRC lead
Best-fit motions
  • Platform consolidation (replace N tools with 1)
  • Orchestration / control-plane pitches
  • Best-of-breed for genuinely deep wedges
Stage 4

Advanced / Threat-Informed

Operationalize threat-informed defense at scale.
Traits
  • Threat-intel-driven detection engineering
  • Adversary-relevant validation (BAS, purple teaming)
  • Mature identity-and-data governance
  • Capacity for in-house tooling; selective about third-party
Common buyers
CISO (strategic peer to CIO)Detection engineering leadThreat intel leadCyber risk officer
Best-fit motions
  • Threat-informed detection (BAS, adversary emulation)
  • Bespoke / API-first tools that fit detection engineering workflows
  • High-end MDR with co-managed model

The Two Personas

Two distinct buyer levels — executive and operational. They want different things. The pitch that lands with one rarely lands with the other.

CISO / VP Security

executive Buys confidence
Cares about
  • Defensibility to the board, auditors, customers
  • Material risk reduction (quantifiable)
  • Program coherence — fewer fights, clearer story
  • Talent retention through tool sanity
Does not want
  • Yet another dashboard nobody operationalizes
  • Tools that require team headcount the org doesn't have
  • Vendor pitches that ignore the existing stack
  • Renewal surprises
"We help you tell a coherent story to the board — fewer tools, sharper metrics, defensible outcomes."

SecOps / Engineering Operators

operational Buys relief
Cares about
  • Time saved on alert triage and toil
  • Tool quality (low false-positive rate, fits the workflow)
  • Reliable detections on the threats they actually see
  • Integration with existing pipelines (SIEM, ticketing, ChatOps)
Does not want
  • More noise to triage
  • Tools that require six weeks to deploy before any signal
  • Vendor marketing pretending the product reads minds
  • API gaps that block automation
"We absorb the toil your team is drowning in — alerts triaged, false positives suppressed, your day shorter."

The Confidence–Relief Axis

Two ordered axes: where an account sits on the maturity ladder, and what the buyer is actually after — relief from operational pain, or the confidence to defend a decision upstairs. They move together. Low on the ladder, the buyer wants relief; as the program formalizes, the purchase becomes about confidence. A pitch aimed at the wrong point on this diagonal is the most common reason strong product loses to product that simply read the buyer right.

confidence relief BUYER PSYCHOLOGY Stage 1 Stage 2 Stage 3 Stage 4 MATURITY → SecOps / Engineering Operators buys relief CISO / VP Security buys confidence

The same account buys relief early and confidence late. Win the wedge on operator relief, then re-pitch the renewal in executive-confidence language — the strongest vendors track the whole diagonal.

The Security-Ownership Ladder

Company size is the envelope; security maturity is the letter inside it. A 900-person financial-services firm under SOC 2 and customer-security review often runs a more formal security operation than a 4,000-person manufacturer still routing everything through an infrastructure director and an MSP. Headcount proxies endpoint and user scale and little else — it does not reveal who owns security, and ownership is what decides how an account buys. The ladder below tracks who owns security across the whole range — the variable a campaign actually has to match. It is the structure behind Persona Bleed: a motion inherits an enterprise persona and runs it down-market, where that persona is scarce.

Rung Likely security owner Typical title SecOps maturity How they buy
Informal Owner / outsourced IT / MSP Owner, Office Manager, IT Consultant Incidental — AV, firewall, backup Bundles; insurance- and compliance-driven controls; relief from the burden
IT-managed IT, as part of infrastructure IT Manager, Director of IT Reactive, tool-light, provider-dependent Simplicity, low admin load, “works with Microsoft,” clear escalation
Outsourced IT director over an MSP / MSSP VP IT, Director of IT Monitoring and tooling run by a provider Augment, specialize beyond, or displace the incumbent provider
Emerging program First dedicated security hire Security Manager, Head of Security Co-managed; program forming Co-managed MDR / SIEM, vulnerability management, board-ready reporting
Formal SecOps Security leadership Director SecOps, CISO Internal or hybrid SOC Detection quality, response accountability, measurable outcomes
Governed model CISO + risk function CISO, CRO, board risk committee Security as business governance Consolidation, resilience, risk quantification, multi-year transformation

The trap is building a CISO-centered motion for a market that does not consistently contain CISOs. Below the enterprise, the buyer rarely wants a security philosophy — they want competent help, the phone to ring when something breaks, and someone credible on the other end. Size is the envelope. Maturity is the letter inside.

The Buying Committee

Eight roles that shape an enterprise cyber deal. The CISO is rarely buying alone — and the role that kills the deal is often the one nobody mapped.

Economic

Economic Buyer

Function in the deal

Owns the budget and the final justification. Has the authority to say yes or no to the contract. Usually does not evaluate the product directly.

Enters when

After technical validation. The economic buyer wants to see the business case, not the demo. In enterprise security deals, this is the CISO for security-budget items, the CIO for IT-budget items, the CFO for anything above a threshold.

Cares about

Outcome, cost, risk, and what gets retired or absorbed. Wants to know how this deal moves the strategic narrative.

Kills the deal when

The business case is fuzzy, the savings story is unproven, or the deal does not fit the strategy they have already committed to the board.

Technical

Technical Buyer

Function in the deal

Validates that the product actually works in the customer's environment. Runs the POC. Makes the recommendation that the economic buyer signs.

Enters when

Early in the cycle, often before the economic buyer is engaged. Owns the shortlist. In security deals, this is the SOC lead, the cloud security lead, the identity lead, or the AppSec lead depending on category.

Cares about

Capability depth, integration with the existing stack, operational cost (alert volume, false positives, tuning burden), and roadmap.

Kills the deal when

The POC reveals operational pain the demo hid, the integration story doesn't hold up, or the vendor cannot answer technical questions without escalation.

Champion

Champion

Function in the deal

Internal sponsor who feels the pain the product solves. Pushes the deal through the organisation's objections, navigates internal politics, schedules the meetings that need to happen.

Enters when

Often the first person the vendor talks to. Has to exist for the deal to move; if the vendor cannot identify the champion, the deal is not real.

Cares about

Career outcome (solving a visible problem gets noticed) and risk to themselves (a bad pick reflects on them). Will negotiate hardest on the parts that affect their team directly.

Kills the deal when

Champion leaves the company, gets reorganised, or loses internal political capital. Champion-loss is the most common late-stage deal death.

Blocker

Blocker

Function in the deal

Resists the deal. May own an incumbent tool that would be displaced, or may have a process / preference / territorial interest that the new product threatens.

Enters when

Surfaces when the deal becomes real. The earlier blockers are identified, the more options there are to neutralise; late-surfacing blockers usually kill deals.

Cares about

Maintaining their current operational footprint, avoiding the work of switching, or protecting their political position. The objection is rarely the real objection.

Kills the deal when

The blocker has veto power and the champion cannot neutralise it. Common forms: 'we standardised on incumbent X', 'we need procurement to approve a competitive process', 'security cannot approve this until SOC 2 / penetration test / etc.'

Procurement

Procurement

Function in the deal

Controls the vendor management, contract, and risk-review process. Operates on policy, not on outcome — their job is to apply the company's rules consistently.

Enters when

After the champion identifies the vendor as preferred, before the contract can be signed. In enterprise, often the longest pole in the tent — six-month procurement cycles are not unusual.

Cares about

Vendor risk (financial, security, operational), contract terms, payment terms, and process adherence. Will not advocate for the deal but can slow or kill it for non-compliance.

Kills the deal when

The vendor fails the security review, refuses to accept the standard MSA, will not provide insurance evidence, or cannot demonstrate financial viability. Often kills via inertia rather than rejection.

Finance

Finance

Function in the deal

Challenges the ROI claim, the consolidation claim, and the budget impact. Pushes for shorter terms, fewer commitments, and more measurable outcomes.

Enters when

For deals above a budget threshold or when the deal is positioned as a cost-takeout / consolidation. Always present when the CFO is the economic buyer.

Cares about

Total cost of ownership, payback period, what existing line items get retired, and whether the savings are real or theoretical. Sceptical of vendor ROI math by default.

Kills the deal when

The savings story falls apart under scrutiny, the contract structure looks unfavourable (large upfront, all-or-nothing, hard to exit), or the cumulative spend across security tools triggers a portfolio review.

Board

Board / Audit Committee

Function in the deal

Does not evaluate the product. Creates the pressure that makes the deal happen — sets the expectations, asks the uncomfortable questions, signs off on the strategy.

Enters when

Indirectly. The CISO is preparing for the board meeting; the board's agenda becomes the CISO's buying agenda. After a regulatory development (SEC cyber disclosure) or peer incident, board attention sharpens fast.

Cares about

Defensibility, reportable outcomes, regulatory posture, and 'are we doing what our peers are doing'. Wants narrative and metrics, not architecture.

Kills the deal when

The strategy the deal supports loses board support. Rare to kill specific tooling directly; common to kill the budget that funds it.

The Fit Matrix

How cybersecurity categories map to buyer maturity, company size, industry fit, and GTM motion.

Filter

A category appears in multiple lanes when its buyer-maturity range spans stages. Stage 1 is conspicuously sparse — only the categories that fit Reactive / Underbuilt teams land there, which is itself an insight about cyber's addressable market at the bottom of the ladder.

MDR

Maturity 1–2
Best buyer
IT director / security lead
Size
SMB / mid-market
Industry fit
Underbuilt verticals — manufacturing, healthcare, education

EDR / XDR

Maturity 2–4
Best buyer
CISO / SecOps lead
Size
Mid-market to enterprise
Industry fit
Cross-industry, baseline

SIEM

Maturity 3–4
Best buyer
SecOps / detection lead
Size
Enterprise
Industry fit
Regulated industries, high signal volume

SOAR

Maturity 3–4
Best buyer
Detection engineering
Size
Enterprise
Industry fit
Mature SOCs needing automation

CNAPP

Maturity 2–4
Best buyer
Cloud security lead / CISO
Size
Cloud-native mid-to-large
Industry fit
SaaS, financial services, retail

ITDR

Maturity 3–4
Best buyer
Identity lead / CISO
Size
Mid-to-large enterprise
Industry fit
Financial services, regulated, IP-heavy

PAM

Maturity 2–4
Best buyer
Identity / GRC lead
Size
Mid-market to enterprise
Industry fit
Highly regulated, finance, healthcare, government

Exposure / CTEM

Maturity 2–4
Best buyer
VM / detection lead
Size
Mid-market to enterprise
Industry fit
Cross-industry, especially regulated

ASM / EASM

Maturity 2–3
Best buyer
CISO / exposure lead
Size
Mid-market to enterprise
Industry fit
Brand-sensitive, public-facing org

DSPM

Maturity 3–4
Best buyer
Cloud security / data lead
Size
Cloud-native mid-to-large
Industry fit
SaaS, financial, healthcare

DLP

Maturity 2–4
Best buyer
CISO / compliance
Size
Mid-to-enterprise
Industry fit
Healthcare, legal, regulated (legacy installed base)

GRC / Compliance auto

Maturity 1–3
Best buyer
Compliance / GRC lead
Size
SMB to mid-market
Industry fit
SaaS, fintech (audit-driven)

TPRM

Maturity 2–4
Best buyer
GRC / vendor risk
Size
Mid-market to enterprise
Industry fit
Financial, healthcare, supply-chain-heavy

OT Security

Maturity 1–3
Best buyer
OT / plant security
Size
Industrial enterprise
Industry fit
Manufacturing, energy, critical infrastructure
Category Best buyer Maturity Size Industry fit
MDR IT director / security lead 1–2 SMB / mid-market Underbuilt verticals — manufacturing, healthcare, education
EDR / XDR CISO / SecOps lead 2–4 Mid-market to enterprise Cross-industry, baseline
SIEM SecOps / detection lead 3–4 Enterprise Regulated industries, high signal volume
SOAR Detection engineering 3–4 Enterprise Mature SOCs needing automation
CNAPP Cloud security lead / CISO 2–4 Cloud-native mid-to-large SaaS, financial services, retail
ITDR Identity lead / CISO 3–4 Mid-to-large enterprise Financial services, regulated, IP-heavy
PAM Identity / GRC lead 2–4 Mid-market to enterprise Highly regulated, finance, healthcare, government
Exposure / CTEM VM / detection lead 2–4 Mid-market to enterprise Cross-industry, especially regulated
ASM / EASM CISO / exposure lead 2–3 Mid-market to enterprise Brand-sensitive, public-facing org
DSPM Cloud security / data lead 3–4 Cloud-native mid-to-large SaaS, financial, healthcare
DLP CISO / compliance 2–4 Mid-to-enterprise Healthcare, legal, regulated (legacy installed base)
GRC / Compliance auto Compliance / GRC lead 1–3 SMB to mid-market SaaS, fintech (audit-driven)
TPRM GRC / vendor risk 2–4 Mid-market to enterprise Financial, healthcare, supply-chain-heavy
OT Security OT / plant security 1–3 Industrial enterprise Manufacturing, energy, critical infrastructure

Maturity and size overlap but are not identical. A small fintech can run at stage 3; a large industrial can sit at stage 1.