The Hill I’m Dying On...
I’ve spent years trying to push cybersecurity forward—not just through frameworks or thought leadership, but by putting my skin in the game. I’ve built tools, funded apps out of pocket, and launched platforms designed to cut through the noise. One example? A community-driven vendor rating system for cybersecurity conferences. No analysts. No spin. Just honest, unfiltered feedback from actual users.
None of it moved the needle. Even though I had over 100 users doing ratings at an event, and we had data-driven winners from the output of the app, not a single vendor did anything when I notified them they were a winner. Why? Because I am a one-person show, not a "firm" with the heft those research firms carry.
One vendor who shall remain nameless responded to my DM announcing their leadership in the 10ringapp, saying, "Why should I care?"
Yeah, that's right. DrZeroTrust, with over 250k folks who listen to his podcast, is not worth a vendor's time to say, "Thanks, we will put the award link on our site." And it was FREE. Not a cent was required from anyone. Woe is me, but the saddest part is that it was all an experiment for me to prove that this game is potentially hopelessly rigged.
It didn't fail because the tech failed, or because the value wasn't there. It failed because the system isn't built for change; it's built for control.
💸 The Illusion of Progress in a Market Full of Money
Cybersecurity spending has never been higher. In 2023, global spend hit over $219 billion and is projected to pass $300 billion by 2026 (Statista). But despite that, we had more breaches in 2023 than any year on record (Verizon DBIR). The math isn't mathing there. How does this continue if we have so much "innovation" and "breach-stopping" technology?
If money solved the problem, we'd be in the clear. But instead of protecting organizations, billions go to bloated software portfolios, redundant tools, and marketing campaigns dressed up as security strategies. The only real winners in the space are the VC bros who are laughing all the way to the bank in Silicon Valley as they fund yet another startup they know will be absorbed by the corporate borg after 3 years.
📣 Marketing Has Outpaced Innovation
Here’s the truth: the cybersecurity industry is being driven by PowerPoint, not protection.
Major vendors now allocate 35–50% of revenue to sales and marketing, while actual product development and R&D receive 10–15% (Palo Alto Networks, CrowdStrike SEC Filings). Smaller, innovative companies—those with fresh ideas and real solutions—can’t keep up with that kind of spending.
We’re building flashy booths, buzzwords, and brand stories while threat actors exploit the same gaps we were supposed to fix years ago. Participating in these trade shows requires significant investment for companies, especially startups. Costs can range from $30,000 to $150,000 for booth space, travel, and related expenses. Despite the high costs, many view these events as critical for networking and business development opportunities. Still, often those same companies "don't have funds" for other items like R&D or even basic operational costs.
One of the premier cybersecurity events, Black Hat USA, has seen insane financial success. For instance, the event has generated over $90 million in annual revenue, attracting approximately 60,000 participants. RSA 2025 consistently draws large crowds. While specific revenue figures are proprietary, the conference attracts around 45,000 attendees annually, indicating a significant economic impact through sponsorships, exhibitor fees, and ticket sales. If the average ticket price of that event were 1000 dollars per person (which it isn't), RSA would have made over 45 million dollars in one week. And that's just tickets, not all the other stuff.
The number one password for 2025 is 12345689. The most likely avenue of compromise in 2025 is phishing. We want to stop ransomware and PowerShell, but nobody wants to because "they might need it." Seriously, here we are.
📊 Analyst Firms Are Publicly Traded Businesses
Users cling to the idea that analyst firms are the truth-tellers of the industry. But most don’t realize that these are publicly traded companies, responsible to shareholders, with revenue tied to growth, upsells, and vendor relationships. Their founders and CEOs have boards breathing down their necks, and shareholders with pitchforks and torches are ready to set the building alight if the firm doesn't deliver growth and solid numbers each quarter. Which means they have to sell, period.
Gartner, for example, cleared over $6 billion in revenue in 2023. What incentive do they have to disrupt the vendor narrative that feeds them? Would anyone with a brain shoot their golden goose in the face? No. There is a business model here, and it feeds upon itself. G2 calls it "the flywheel" of keeping vendors, users, and data constantly feeding upon itself in a self-licking ice cream cone of misery model.
This is not an analysis. It’s market theater, and it ensures that the same vendors continue to win.
🏛️ The Big Players Own the Game
The top 20 cybersecurity vendors now control over 63% of the total market (Jay McBain, Canalys), a number that has steadily climbed over the last few years. That means everyone else, over 4000 vendors in total, fight for the scraps left in that 47% market share. That used to be called a monopoly, but not in cyber. In cyber, it's "market dominance".
Microsoft dominates endpoint and identity. Palo Alto owns the network edge and SASE. CrowdStrike continues to lock down EDR (even after they bricked the internet and caused the most significant disruption in air traffic since 9/11).
Meanwhile, startups fight to be noticed—often spending 2–3x more on sales than on product—to gain basic credibility through partner certifications and analyst mentions.
We say we want innovation, but keep defaulting to the same logos.
🛑 And Yet… We All Play Along
Users often blame vendors for gaming the system. But let’s be honest—most users don’t want change either. Trying something new is risky. Going with a “Leader” in a report is safe. No one gets fired for buying the same tool everyone else is buying. As long as a CISO can point to a report and say, "Well, we bought X, which was the best in class," they can survive a fireable event when a breach occurs.
As long as that mentality persists, nothing will change. Innovation will continue to die quietly behind velvet ropes and logo walls.
⚔️ This Is My Hill
Still, this is the hill I've chosen. Or maybe it's the one that chose me. Regardless, it seems like I will die here waving the flag of failure as the horde of shenanigan zombies continues its relentless onslaught.
I believe in transparency, empowering users with data, not dogma, and a revolution, not a rebrand, in security. And even if nothing changes—even if no one notices—I'll keep building, fighting, and speaking the truth. Hell, I have lost contract money for fighting this narrative and telling the truth (and I know of others who have had their careers threatened by vendors in this space when they speak out)—such is life—but the reality of the space has hit me directly in the bank account, y'all.
This is the truth; we all know it.
Because if we don’t challenge the narrative, we are nothing more than passengers in a machine we pretend to hate but refuse to exit.
Sales Executive / Alliances and Ecosystems Professional / Business Development Expert / Author / Influencer, Passionate about Advancing Women in the Technology Field
2mo
This is one of the reasons I am so fond of you. I wonder the same thing - it's so frustrating and at times frightening. Thank you for once again raising the flag.
Ph.D., Independent Postdoctoral Researcher, Founder, Editor-In-Chief at Top Cyber News MAGAZINE
2mo
Sharing. Ludmila MB for Top Cyber News MAGAZINE
Cybersecurity Leader | Quantum, AI & Zero Trust Strategist | Award-Winning International Author | Speaker | Board Advisor | Visionary Entrepreneur
2mo
Dr. Chase, your commitment to transparency and innovation in cybersecurity is truly inspiring. The industry's reliance on familiar, big-name vendors often stifles growth and genuine progress. It's high time we support smaller players who can drive real transformation. Let's keep pushing for change—your efforts are making a difference. 💥
Cybersecurity Leader | Driving Technical Excellence & Customer Value
2mo
You had me at 'self-licking ice cream cone of misery.' But seriously, this hits hard. The system rewards familiarity and loudness over innovation and impact. Like Jerry Maguire, you're screaming 'Who's coming with me?' and honestly, more of us should. I wish more of us would. We need fewer glossy analyst reports and more unfiltered user voices. Keep pushing because this kind of honesty is how real change starts.
Proving PAM is possible. Happiest in the outdoors ⛷🎣🏌🏻 Thankful for my family and my team 🙏🏻
2mo
Let's be absolutely clear here: when you have to hit significant revenue targets to get onto an analyst's quadrant/wave/marketscope, then you are essentially stopping innovation. I've recently seen a large company buy a small startup and immediately see their tech get into an analyst report. Nothing changed - just the vendor name. The good news is that buyers are seeing this for what it is. I'm seeing large organizations invest in up-and-coming technology that can prove itself in POVs. There's hope on the horizon.