Mod 04 · Firmographics

Who fits, by shape and stage.

Buyer maturity and the buying committee say how an organisation buys. Firmographics says which organisations show up to buy in the first place — size band, revenue, employee count, regulated posture, and adopter type. The durable shape of the buyer set a vendor can credibly serve.

The Five Segment Bands

The market sorts into five durable bands by size and revenue. Each carries its own security owner, deal size, sales cycle, and dominant motion. The envelope is firmographic; what travels inside it is not. A motion built for one band rarely survives a move to the next.

B1

SMB

Employees
< 250
Revenue
< $50M
Deal size
$5K–50K
Cycle
Days–weeks
Security owner

Owner, IT generalist, or an outsourced MSP — rarely a dedicated security hire.

Dominant motion

Product-led, marketplace, and channel/MSP-fulfilled. Bundled, not bought à la carte.

Buys relief and simplicity. Security is a line item, not a function — and you reach it through the MSP, not the buyer.
B2

Mid-market

Employees
250–2,500
Revenue
$50M–$1B
Deal size
$50K–250K
Cycle
1–3 months
Security owner

First dedicated security hire scaling to a small team — Security Manager / Head of Security, often co-managed with an MSSP.

Dominant motion

Inside sales plus channel; co-managed MDR and SIEM. The contested middle of the market.

The program is forming. Wants board-ready reporting without enterprise headcount. The fastest-growing band — and the one everyone is fighting over.
B3

Enterprise

Employees
2,500–25,000
Revenue
$1B–$10B
Deal size
$250K–1M+
Cycle
3–9 months
Security owner

CISO over a dedicated SecOps function; internal or hybrid SOC.

Dominant motion

Field sales, SE-led proof of concept, GSI and SI alliances.

Buys defensibility and consolidation. A committee deal — map the whole committee or lose to the one role you never met.
B4

Regulated Enterprise

Employees
Regulation, not size
Revenue
Varies
Deal size
$500K–multi-$M
Cycle
6–18 months
Security owner

CISO plus a risk function and compliance; a board risk committee in the room.

Dominant motion

Field plus GSI, anchored on compliance and driven by references.

Compliance manufactures the budget. Demand is mandate-driven, not discretionary — the longest cycle, and the highest durability once won.
B5

Public Sector

Employees
Mandate-defined
Revenue
Budget-funded
Deal size
Vehicle-dependent
Cycle
9–24 months
Security owner

Agency CISO / IT director, gated by certification — FedRAMP, StateRAMP, CMMC.

Dominant motion

GovCon channel, contract vehicles, certification-gated procurement.

The gate is the certification, not the pitch. No FedRAMP, no conversation. Slowest, stickiest, and channel-mediated end to end.

Size and maturity overlap but are not the same axis. A 200-person fintech under customer-security review buys like an enterprise; a 4,000-person manufacturer routing everything through an MSP buys like an SMB. Read the band as the envelope, then read the maturity ladder for the letter inside it — chasing the logo without reading the band is the root of the enterprise mirage.

The Adopter Curve

The same band contains buyers at different points on the diffusion curve. Adopter type decides when an account moves and what argument moves it. The chasm sits between the early adopter and the pragmatist — most categories die in it.

Early adopter

Buys before it is a category
Trigger

A breach, a new threat class, a board mandate, or a hunt for competitive edge.

Wants

The frontier, design-partner status, and to be first.

Where they cluster

Tech, crypto, well-funded startups, security-forward financial services.

Pragmatist

Buys when peers and analysts have
Trigger

Analyst coverage, peer references, and a clean ROI story.

Wants

Proven, low-risk, reference-able, and integrated with what they already run.

Where they cluster

The bulk of mid-market and enterprise — the far side of the chasm.

Late majority

Buys when not buying is the risk
Trigger

A compliance mandate, an audit finding, a cyber-insurance requirement, or an incumbent reaching end-of-life.

Wants

Simplicity, low switching cost, and the comfort that everyone else already has it.

Where they cluster

Regulated followers and traditional industries.

Laggard

Buys only under force
Trigger

Regulation, a breach, an insurance denial, or a contractual requirement.

Wants

Minimum viable compliance on the lowest-friction path.

Where they cluster

SMB in unregulated verticals and under-resourced public sector.

Inheriting an early-adopter pitch and running it at the late majority is a textbook persona bleed: the message that wins the frontier reads as risk to the follower, who wants proof, not novelty.

The Regulated Multiplier

Regulation is the single firmographic attribute that overrides size. It changes where the budget comes from, how long the cycle runs, and what triggers the purchase. Heavily regulated demand is mandate-driven, not discretionary — slower to land, but it does not evaporate when the quarter turns. Compliance is the most durable budget anchor in the market.

Posture Where the budget comes from Cycle Dominant trigger Cross-ref
Unregulated Discretionary IT / security spend Shortest — ROI-gated Breach fear, growth, efficiency
Lightly regulated Sales-driven compliance (SOC 2, PCI-adjacent) Moderate — review-gated Customer security review, audit Compliance
Heavily regulated Mandated compliance line item Longest — procurement-gated Regulation, mandate, audit finding Verticals

The trap is reading a regulated mid-market account as a small deal because its headcount is small. The regulation, not the org chart, sets the band — and the wedge that lands is the mandate the buyer cannot ignore.