Ransomware Scare
Not a hit, but close. A peer organisation gets ransomed publicly, a board reads about it, a regulator sends a notice, or an MDR partner flags activity that looks pre-ransomware.
The board calls a meeting. The CISO is asked 'are we ready' and discovers the answer is uncomfortable. Budget that did not exist now exists.
Managed outcome or augmentation. The buyer wants demonstrable readiness, not just controls. Vendors who can frame the gap in terms the board will accept ('here is what we cover, here is what is still exposed') win.
Weeks to one quarter. Faster than normal, slower than active incident.
Feature-comparing against the buyer's existing stack. The buyer does not want a head-to-head — they want assurance that something concrete changes before the next board meeting.