Mod 03 · Consolidation & Displacement

The five battles.

Every successful new vendor displaces something — a legacy tool, a manual process, an in-house build, a competing budget line. There are five common patterns. Naming the one you're in is half the work.

The Five Battles

Each pattern has a buyer state that makes it possible, a winning claim that lands, and a trap that kills you if you miss it.

01

Replacement

Buyer state

existing tool failing or hated

Winning claim

"we do this materially better than the incumbent you already pay for"

Recent example

Next-gen email security replacing legacy SEG. The buyer is already paying for email security; the new vendor outperforms the incumbent on the threats that matter now. Won only when the SEG renewal is months away — otherwise the inertia wins.

The trap

must prove superiority AND urgency — without urgency, the renewal happens

02

Consolidation

Buyer state

tool sprawl, budget pressure

Winning claim

"we collapse several tools into one"

Recent example

CNAPP absorbing CSPM, CWPP, CIEM, and container security as standalone line items. The platform extends faster than the specialists can scale; the surviving wedges are runtime, attack-path, identity context, and data context.

The trap

good-enough modules underperform the best-of-breed they displace — buyer either lives with it or unconsolidates two years later

03

Augmentation

Buyer state

platform has a known blind spot

Winning claim

"keep your stack; add us precisely where it's blind"

Recent example

ITDR extending IAM because authentication isn't attack detection. The IAM platform isn't displaced; its blind spot is. Won when the gap is named in terms the IAM vendor can't credibly claim to close in the next release.

The trap

if the gap isn't named precisely, the platform extends and the augmenter has no story left

04

Orchestration

Buyer state

tools don't work together

Winning claim

"we make existing controls operational"

Recent example

SOAR connecting findings, owners, and actions across an existing detection stack. The value the buyer is paying for isn't visibility — it's enforcement. Lose the enforcement claim, lose the deal.

The trap

a control plane without enforcement authority is just another dashboard

05

Managed Outcome

Buyer state

team lacks capacity

Winning claim

"buy the result, not the tool"

Recent example

MDR replacing the need to staff a 24/7 SOC. The buyer wasn't buying a tool; they were buying not running a tool. The platform-attached MDR from the EDR vendor wins when it's bundled into the renewal the customer already approved.

The trap

platform-attached managed services from the EDR/XDR giants undercut

The Buying-Motion Map

A companion table to the five battles. Each motion fits a trigger state. The winning vendor claim follows from the state, not from product features.

Motion Trigger state Winning vendor claim
Augmentation (gap fill) existing platform has known blind spot "keep your stack, add us precisely where it's blind"
Best-of-breed wedge specific deep capability gap "we own this specific surface; we are the depth play"
Managed outcome team lacks capacity to operationalize "buy the result, not the tool"
MSP / channel-resold SMB without security headcount "we're the security shelf inside the IT relationship you already have"
Orchestration layer controls exist but don't operate together "we are the connective tissue making your controls operational"
Platform consolidation tool sprawl, budget pressure "we replace N tools you already pay for"

What a coherent stack actually needs

Six functions, not one tool per threat. A 12-tool stack can be coherent; a 40-tool stack can be chaos. The frame is the operating model, not the tool count.

Know

What exists in our environment that we have to defend?

Prevent

What reduces obvious, exploitable risk before an incident?

Detect

What reveals adversary behavior we couldn't prevent?

Respond

How fast can we contain, recover, and learn from incidents?

Govern

Can we prove our control posture to ourselves, auditors, customers, and the board?

Optimize

Can we reduce overlap, drag, and cost while keeping coverage intact?

Live consolidation movement is tracked at arena.marketsinsecurity.com (Kumite).