Hello everyone
let’s talk about money: With a survey (as informal as usual and not statistically reliable), I looked into the question of how much people actually earn in cybersecurity sales. A few snippets:
- Yes, American or Israeli providers (especially while they are still in the expansion phase) also pay best in the DACH region. Figures mentioned were ~130-150 thousand EUR/a “On Target Earnings” (OTE) for beginners, up to 250-300 thousand EUR/a for veterans at 100% quota fulfillment, and up to 450 thousand EUR/a for sales management covering several countries. On top of that come stock options (restricted stock units or similar).
- Similar sums are now probably also possible at (rather smaller) system houses if you sell well.
- At German manufacturers, total compensation is more likely to be 90-120 thousand euros at the start and also lower at the top end. Of course, VC financing is usually less generous; there are no megabucks slumbering in the coffers. Stock options: none.
- The variable share at US providers is more like 50% of total remuneration, at German providers 10-20%. At most providers, this is probably measured purely by revenue, at channel partners by margin.
- “We are lead machines”: In one conversation, the requirement was to put 3 meetings per week with new customers at C-level in the calendar. Quotas often become unattainably high after 2-3 years, which reduces actual pay, and by then the accelerator clauses are theoretical at best.
- And: times are getting worse. For suppliers from the EU, Trump is the best salesman; for US manufacturers, who have tended to overhire in the past, digital sovereignty is increasingly a showstopper in tenders. The large customers are all already covered and supplied with solutions, while the high sales effort does not pay off for smaller organizations. This leads to more pressure overall and lower headcount requirements. A lawyer is now standard in staff separations. People who leave can hardly find equally well-paid jobs (this does not, of course, apply to the rainmakers with a resilient customer network).
A snapshot of the state of the German-speaking security market in a few figures also fits in here:
- Managed SOC tender by a public contracting authority. Tech stack not predetermined, coverage of IT and OT, fewer than 3k endpoints. 78 bidders downloaded the tender documents, 14 bidders took part in the pre-qualification stage.
- Tender for a security awareness training platform + phishing simulation, fewer than 5k users. 75% price reduction between the initial offer (not the list price, mind you) and the final price with the same scope of services.
For all those who have been traumatized by regular contact with sales personnel, Jonathan Price strikes back in Security is a Negotiation Problem: “I have a maturity model of subscriber cohorts, lower being less mature: 1. My wife 2. My parents 3. Sales reps trying to sell me things 4. Actual people, bless you all.”
- At the beginning, he confirms the phenomenon that prices for security solutions are negotiable like at a bazaar, with examples of price reductions > 90% between the initial offer and the final price. Obviously, this remarkable state of affairs for a B2B industry is not limited to the DACH region.
- Made possible, of course, by the low variable costs of software solutions. But also driven by incredible competition and the fact that purchasing decisions in large organizations are strongly influenced by how widespread a security solution is, while its technical performance is difficult to assess (in contrast to, for example, automation technology, which is clearly specified on the basis of standards).
- After all, as a CISO, it is a career risk to take an unknown solution if you then become the victim of a cyberattack. Providers without strong brands thus have a huge incentive to win large enterprise customers as “logos” – whatever the cost. Otherwise, it will be difficult to be mentioned at all by Gartner or Forrester => self-reinforcing effect.
- The article contains many good and also a few ethically borderline negotiation tricks; feel free to take a look and then decide for yourself how far you want to go in which situation.
Microsoft is attempting a balancing act between American and European interests and is of course happy to help us with sovereignty (thanks for the hint, Frank!):
- Partnerships (future joint ventures?) in Germany with Delos/SAP and Arvato, among others, to offer Azure services in European-controlled data centers. Of interest are technical measures intended to allow continued operation even if Microsoft services are switched off. That would actually be sovereignty in my understanding: no one-sided dependence, no blackmail. Big if true. Attractive commercial conditions are also promised => that remains to be seen.
- Promises to take legal action against instructions from the US government to shut down contracted services in Europe or to release EU data. In support, Microsoft points out that it has already filed several lawsuits against US governments (including the first Trump administration) and has successfully defended itself in court against access to EU data by US authorities.
- Expansion of data center capacity in 16 European countries by approx. 20% per year (according to current estimates, significantly less than in the USA).
- Appointment of a European CISO (reporting to the global CISO, though).
Deep Instinct, on the other hand, is in the process of restructuring, unsurprisingly:
- Ten years after the company's founding, AI-based malware detection is no longer anything new. Its technical lead over ubiquitous AV products has steadily melted away.
- Most customers do not want an additional agent on top of the existing AV/EDR on the systems
- In the MITRE ATT&CK Evaluation Turla (2023), Deep Instinct's protection capability turned out to be no better than that of SentinelOne, CrowdStrike and the like, while detection of later attack stages (especially exfiltration) is of course much worse. Deep Instinct has not taken part in the evaluations since.
By the way, in contrast to the supposedly widespread fear of imminent job losses due to AI, I rather suspect that one or the other colleague is actually eagerly waiting for an AI agent to finally take his job away, so that he can pursue his eccentric hobbies with a fat severance payment without always having to take sick leave 😉.
But what can AI agents actually do independently in reality? Brij Pandey has tried her hand at a pyramid of “Agentic AI” capabilities and the assignment of tools to each level. Of course, the boundaries are a bit vague, but the questions are already clear: Where do the instructions given by humans end and the independent decisions and actions begin, how branched is the decision tree, how large is the “team” of coordinated agents, how recursively can loops be run and the process optimized?
If this is even halfway true, then the current peak of achievement is autonomously programming a working Pong game or a website within a few minutes, instructed in natural language. One tool of choice for this is, for example, DevinAI. So it can only be a matter of days until the thing negotiates with colleagues about when the server may be patched and then does it itself over the weekend.
M&A Corner:
- Certainly the most spectacular deal in this list: Hornetsecurity (email/workspace security from Germany, the one with the loudspeakers at it-sa) is being bought by competitor Proofpoint. Classic consolidation: Hornet brings about 150 million in sales, generated by >100k corporate customers, primarily SMEs of course. The valuation is expected to be around EUR 1 billion.
- Palo Alto acquires ProtectAI (security for… AI).
- Orca buys Opus (vulnerability aggregation, deduplication and remediation, with AI agents of course, focus on cloud infrastructure).
- Upwind (CNAPP) buys Nyx (Runtime Detection & Response). Funny; from Upwind’s marketing you could have thought the solution already did this.
- Allurity continues to strengthen, this time with the Croatian MSOC/pentest provider Infigo IS.
- The recruiting and project placement platform CyberR buys the French CyberTee (similar business model: placing freelancers looking for work with companies).
Notes from vendor conversations:
Axiad:
- American provider for the management of FIDO tokens and/or PKI as a Service, i.e. everything you need to implement phishing-resistant authentication. Comes with its own software for the workflows.
- Of course, this is only interesting for complex environments, i.e. where you can’t just cover everything via Windows Hello for Business.
- Approx. 80 corporate customers, all big fish with US headquarters, including Boeing, Visa, Shell, Raytheon, NASA.
- Of course, with integrations for all common hardware tokens, identity providers and directories, IAM/PAM solutions. And, of course, with a risk assessment of user and machine identities (such as over-privileging, or compromise detected via dark web checks).
- The Axiad solution is never in the direct authentication path => in the event of an outage, access still works (but issuing a replacement YubiKey, for example, would no longer be possible).
- Available in Europe e.g. via Accenture.
Scanner.dev:
- US SIEM startup. Focus: customers who already have Splunk, Azure Sentinel or similar but are looking for a cost-effective and fast addition for high log volumes.
- Approx. 25 corporate customers (all seemed very tech-savvy / cloud-native to me, including Lemonade, Ramp).
- High-volume log and event sources (firewalls, DNS, WAF, CloudTrail, VPC Flow) are forwarded to S3 buckets.
- The cost advantage is stated to be approx. 80% compared to a pure Splunk solution. The founder witnessed Splunk costs increasing a hundredfold at one of his previous employers and presumably saw a business opportunity there.
- At the same time, the threat hunting queries via serverless functions are said to be many times faster than AWS Athena or Cribl (the Cribl founders are also investors in Scanner).
Cyberhaven:
- US scale-up for DLP / DSPM / DDR, also for unstructured data such as CAD data, process data, source code. So competition for Cyera, Varonis, Microsoft Purview, Proofpoint etc.
- Approx. 250 customers, including Mattel, SpaceX, ConocoPhillips.
- Naturally built on a graph database that stores classifications and events such as data access via copy and paste across different file formats (the founders were previously at CrowdStrike, Palo Alto and Wiz, among others).
- Allows the history of each data record to be displayed easily.
- Architecture: central policy management (GCP tenant) + endpoint agents, which also enable blocking of user actions.
- The API connectors for IaaS/SaaS applications probably still have room to grow.
- In the EU, sales so far go through Orange; further channel partners are being sought (let us know if that is relevant for you).
Compass Security:
- Swiss provider (with a German subsidiary) of pentests and MDR/incident response, approx. 70 employees, most of them pentesters.
- Operates its own cyber range, which is also used for training, lab tests and international competitions (including the European Cybersecurity Challenge).
- Organizes bug bounty programs for customers and handles contract processing and quality assurance.
- MDR: still small in scope so far. Target group is SMBs, specializing in Microsoft environments and Defender/Sentinel. 10 employees cover on-call duty outside office hours in shifts.
As always: Questions, suggestions, comments, experience reports and also opposing opinions or corrections are welcome by email. Ditto for unsubscribing from the mailing list.
For those receiving the market commentary for the first time: here you can register if you are interested, or browse the archive.
Best regards
Jannis Stemmann