Mod 03 · Consolidation & Displacement

The five battles.

Every successful new vendor displaces something — a legacy tool, a manual process, an in-house build, a competing budget line. There are five common patterns. Naming the one you're in is half the work.

The Five Battles

Each pattern has a buyer state that makes it possible, a winning claim that lands, and a trap that kills you if you miss it.

Replacement

Buyer state

existing tool failing or hated

Winning claim

"we do this materially better than the incumbent you already pay for"

The trap

must prove superiority AND urgency — without urgency, the renewal happens

Consolidation

Buyer state

tool sprawl, budget pressure

Winning claim

"we collapse several tools into one"

The trap

good-enough modules underperform the best-of-breed they displace — buyer either lives with it or unconsolidates two years later

Augmentation

Buyer state

platform has a known blind spot

Winning claim

"keep your stack; add us precisely where it's blind"

The trap

if the gap isn't named precisely, the platform extends and the augmenter has no story left

Orchestration

Buyer state

tools don't work together

Winning claim

"we make existing controls operational"

The trap

a control plane without enforcement authority is just another dashboard

Managed Outcome

Buyer state

team lacks capacity

Winning claim

"buy the result, not the tool"

The trap

platform-attached managed services from the EDR/XDR giants undercut

The Buying-Motion Map

A companion table to the five battles. Each motion fits a trigger state. The winning vendor claim follows from the state, not from product features.

| Motion | Trigger state | Winning vendor claim |
| --- | --- | --- |
| Augmentation (gap fill) | existing platform has known blind spot | "keep your stack, add us precisely where it's blind" |
| Best-of-breed wedge | specific deep capability gap | "we own this specific surface; we are the depth play" |
| Managed outcome | team lacks capacity to operationalize | "buy the result, not the tool" |
| MSP / channel-resold | SMB without security headcount | "we're the security shelf inside the IT relationship you already have" |
| Orchestration layer | controls exist but don't operate together | "we are the connective tissue making your controls operational" |
| Platform consolidation | tool sprawl, budget pressure | "we replace N tools you already pay for" |

What a coherent stack actually needs.

Six functions, not one tool per threat. A 12-tool stack can be coherent; a 40-tool stack can be chaos. The frame is the operating model, not the tool count.

Know

What exists in our environment that we have to defend?

Prevent

What reduces obvious, exploitable risk before an incident?

Detect

What reveals adversary behavior we couldn't prevent?

Respond

How fast can we contain, recover, and learn from incidents?

Govern

Can we prove our control posture to ourselves, auditors, customers, and the board?

Optimize

Can we reduce overlap, drag, and cost while keeping coverage intact?

Live consolidation movement is tracked at arena.marketsinsecurity.com (Kumite).