SMB
- Employees
- < 250
- Revenue
- < $50M
- Deal size
- $5K–50K
- Cycle
- Days–weeks
Owner, IT generalist, or an outsourced MSP — rarely a dedicated security hire.
Product-led, marketplace, and channel/MSP-fulfilled. Bundled, not bought à la carte.
Buyer maturity and the buying committee say how an organisation buys. Firmographics says which organisations show up to buy in the first place — size band, revenue, employee count, regulated posture, and adopter type. The durable shape of the buyer set a vendor can credibly serve.
The market sorts into five durable bands by size and revenue. Each carries its own security owner, deal size, sales cycle, and dominant motion. The envelope is firmographic; what travels inside it is not. A motion built for one band rarely survives a move to the next.
Owner, IT generalist, or an outsourced MSP — rarely a dedicated security hire.
Product-led, marketplace, and channel/MSP-fulfilled. Bundled, not bought à la carte.
First dedicated security hire scaling to a small team — Security Manager / Head of Security, often co-managed with an MSSP.
Inside sales plus channel; co-managed MDR and SIEM. The contested middle of the market.
CISO over a dedicated SecOps function; internal or hybrid SOC.
Field sales, SE-led proof of concept, GSI and SI alliances.
CISO plus a risk function and compliance; a board risk committee in the room.
Field plus GSI, anchored on compliance and driven by references.
Agency CISO / IT director, gated by certification — FedRAMP, StateRAMP, CMMC.
GovCon channel, contract vehicles, certification-gated procurement.
Size and maturity overlap but are not the same axis. A 200-person fintech under customer-security review buys like an enterprise; a 4,000-person manufacturer routing everything through an MSP buys like an SMB. Read the band as the envelope, then read the maturity ladder for the letter inside it — chasing the logo without reading the band is the root of the enterprise mirage.
The same band contains buyers at different points on the diffusion curve. Adopter type decides when an account moves and what argument moves it. The chasm sits between the early adopter and the pragmatist — most categories die in it.
A breach, a new threat class, a board mandate, or a hunt for competitive edge.
The frontier, design-partner status, and to be first.
Tech, crypto, well-funded startups, security-forward financial services.
Analyst coverage, peer references, and a clean ROI story.
Proven, low-risk, reference-able, and integrated with what they already run.
The bulk of mid-market and enterprise — the far side of the chasm.
A compliance mandate, an audit finding, a cyber-insurance requirement, or an incumbent reaching end-of-life.
Simplicity, low switching cost, and the comfort that everyone else already has it.
Regulated followers and traditional industries.
Regulation, a breach, an insurance denial, or a contractual requirement.
Minimum viable compliance on the lowest-friction path.
SMB in unregulated verticals and under-resourced public sector.
Inheriting an early-adopter pitch and running it at the late majority is a textbook persona bleed: the message that wins the frontier reads as risk to the follower, who wants proof, not novelty.
Regulation is the single firmographic attribute that overrides size. It changes where the budget comes from, how long the cycle runs, and what triggers the purchase. Heavily regulated demand is mandate-driven, not discretionary — slower to land, but it does not evaporate when the quarter turns. Compliance is the most durable budget anchor in the market.
| Posture | Where the budget comes from | Cycle | Dominant trigger | Cross-ref |
|---|---|---|---|---|
| Unregulated | Discretionary IT / security spend | Shortest — ROI-gated | Breach fear, growth, efficiency | — |
| Lightly regulated | Sales-driven compliance (SOC 2, PCI-adjacent) | Moderate — review-gated | Customer security review, audit | Compliance |
| Heavily regulated | Mandated compliance line item | Longest — procurement-gated | Regulation, mandate, audit finding | Verticals |
The trap is reading a regulated mid-market account as a small deal because its headcount is small. The regulation, not the org chart, sets the band — and the wedge that lands is the mandate the buyer cannot ignore.