CyberCompare Market Comment #31: Mail Filter in Practice, SIEM Magic Quadrant and Crowdstrike Strategy

Hello everyone,

First things first: OpenAI and Nvidia have just announced a large-scale partnership with CyberCompare. Together, we are investing in 2 GPUs that will be installed in 2035.

Sam and Jensen lend us the money for it and in return receive 198% of the company in the form of warrants.

In addition, Sydney Sweeney will be our new advertising ambassador, so that there is some momentum in the local security market. Things are going well 😉.

Fortunately, much more serious reporting comes from At-Bay. At-Bay is a US-Israeli provider of an “all-round carefree” concept of cyber insurance, MDR, IR and preventive consulting.

The approach makes a lot of sense and obviously hits a nerve: In just under 10 years, > 35,000 companies have already been convinced as customers, esp. SMEs.

In a field report, a few insights have now been shared and email security solutions have also been evaluated:

  • Mimecast and Proofpoint performed better than average as email filters (~30% lower damage rates)
  • Customers with M365 or Exchange had 3 times the risk of email-based security incidents (phishing, BEC, other fraud) than Google Workspace users
  • By optimizing the DNS MX record configuration, ~7% of claims could have been avoided, as the email gateways were partially bypassed
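The MX finding above deserves a concrete check, because a secure email gateway only filters mail that actually passes through it. As an added example (not from At-Bay or this newsletter), the Python below audits a constructed set of MX records against assumed gateway host names, and separately checks a mail host's inbound SMTP allow-list against the gateway's IP ranges; all host names and CIDRs are placeholders, not those of any real provider.

```python
"""Audit whether inbound mail is forced through a secure email gateway (SEG).

Constructed example: the gateway suffix, zone snippets and IP ranges below are
placeholders and must be replaced with the values from your own SEG vendor.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class MxRecord:
    priority: int
    host: str


# Hypothetical gateway domain; every legitimate MX host should live under it.
GATEWAY_SUFFIXES = ("mail-gw.example-seg.net",)

# Constructed zone data in "priority host" form (what a DNS query would return).
ZONE_OK = """
10 mx1.mail-gw.example-seg.net.   ; primary gateway node
20 mx2.mail-gw.example-seg.net.   ; secondary gateway node
"""
ZONE_BYPASS = """
10 mx1.mail-gw.example-seg.net.
50 mail.example.com.              ; legacy fallback straight to the tenant's own host
"""


def parse_mx(zone_text):
    """Parse lines like '10 mx1.example.com.' into MxRecord objects, lowest priority first."""
    records = []
    for line in zone_text.strip().splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        prio, host = line.split(None, 1)
        records.append(MxRecord(int(prio), host.strip().rstrip(".").lower()))
    return sorted(records, key=lambda r: r.priority)


def _under_gateway(host, suffixes):
    """True only if host is a gateway name or a label beneath one (no loose suffix match)."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def audit_mx(records, gateway_suffixes=GATEWAY_SUFFIXES):
    """Split MX hosts into gateway-routed ones and bypass candidates.

    Any MX host outside the gateway lets a sender deliver unfiltered mail, even at
    a low priority: senders are free to try every MX, not just the preferred one.
    """
    routed = [r for r in records if _under_gateway(r.host, gateway_suffixes)]
    bypass = [r for r in records if not _under_gateway(r.host, gateway_suffixes)]
    return {"routed": routed, "bypass": bypass,
            "gateway_enforced": bool(routed) and not bypass}


def audit_inbound_allowlist(allowed_cidrs, gateway_cidrs):
    """Return allowed source ranges that are not contained in the gateway's ranges.

    Clean MX records are not enough: if the mail host still accepts SMTP from the
    whole internet, anyone who learns its name or address can skip the gateway.
    An empty result means only the gateway can deliver to the mail host.
    """
    gateway_nets = [ipaddress.ip_network(c) for c in gateway_cidrs]
    stray = []
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr)
        if not any(net.version == g.version and net.subnet_of(g) for g in gateway_nets):
            stray.append(str(net))
    return stray


if __name__ == "__main__":
    for name, zone in (("ZONE_OK", ZONE_OK), ("ZONE_BYPASS", ZONE_BYPASS)):
        result = audit_mx(parse_mx(zone))
        print(name, "gateway enforced:", result["gateway_enforced"],
              "bypass hosts:", [r.host for r in result["bypass"]])
    # Constructed allow-list: one range is the gateway, one is a stray legacy sender.
    print("stray inbound ranges:",
          audit_inbound_allowlist(["203.0.113.0/24", "198.51.100.10/32"], ["203.0.113.0/24"]))
```

Run against the real zone by feeding the output of an MX lookup into `parse_mx`; the second check maps to whatever inbound connector or firewall rule your mail platform uses to restrict SMTP sources, which is the control that actually closes the bypass once the MX records are clean.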

In the long run, everything is a toaster. Toasters were high-tech gadgets ~100 years ago that only the rich could afford. Today, there is one in almost every home, thanks to technical progress and economies of scale.

Cisco is now helping to make OT Security more affordable: The OT NIDS (Cyber Vision) solution now includes the remote access solution at no extra charge. And on the switches of the “Rugged Series”, OT NIDS and Secure Remote Access are included, at least for a few endpoints. It is fitting that Nozomi founder Edgard Capdevielle announced on the occasion of the sale to Mitsubishi that (a) Nozomi has only generated a positive free cash flow since 2024, and (b) would be the only profitable provider in the OT Sec industry. I can’t judge whether the latter is true, as some providers do not publish figures specifically for the OT Sec segment. But it would fit with my impression that the prices only know one direction… and that is down, not only in winter.

Crowdstrike mentioned a few notable points at the investor conference:

  • New focus on medium-sized companies (from 250 employees) and the public sector, after about 40% of large corporations are already customers
  • CS becomes a bank: ~USD 230 million loan volume provided for pre-financing for customers. This works because the free cash flow margin is ~30%
  • “Flex” as a contract model is well received – customers commit to a spend over the term of the contract. Within this consumption commitment, customers can then flexibly draw on modules, including ones that are still being developed, during the contract period (similar models exist at Microsoft or AWS, for example). This makes the purchasing process easier.
  • Agentic AI is the big growth driver, with an estimated TAM of $300 billion in 2030, CS should be able to make $10 billion. This involves the protection of and against AI agents, and of course the further automation of SecOps.

There’s a new Magic Quadrant for SIEMs – in the top right corner are Splunk, Microsoft, and Google

  • In addition, Exabeam, Securonix and Gurucul (from India, promoted since the last MQ, does not yet play a role in the EU) have made it into the leader box
  • IBM is completely out, but Palo Alto and Crowdstrike are now in, similarly positioned as Fortinet. Important for tenders with DORA-regulated banks/insurance companies: In this case, it must be proven to the supervisory authority that a SIEM is used. And BaFin is probably a Gartner subscriber
  • In my opinion, the presentation coincides with the trend we see in tenders. Large customers increasingly prefer 1 platform for EDR/XDR/SIEM/SOAR instead of best of breed
  • Anton Chuvakin (Google Chronicle/SecOps, former analyst at Gartner) points out that positioning in the MQ almost never has anything to do with how much the vendor transfers to Gartner. And nothing to do with technical skills, but only with market penetration.
  • If you generally doubt the validity of the Hype Cycle, Magic Quadrant or other analyst reports, you can feel confirmed in your opinion by Gartner’s Grift Is About To Unravel (“Boomer C-Suites who fancy themselves Enterprise Tech executives were happy buying off the Gartner catalog and then hitting the golf course…Meanwhile, Gartner’s home page is just an incessant amount of increasingly irrelevant “Gartner Says””). Personally, I’m still impressed by what Gideon Gartner built out of a little advice for IBM buying decisions

I’m sure everyone is watching with interest how AI can be used practically for security use cases.

Another cool paper on this comes from Crowdstrike + Meta (the first time I read the combination):

  • First, malware samples were executed in the Falcon sandbox (including EDR/AV Killer, ransomware, infostealer)
  • Then the JSON logs were fed into the AI model
  • Subsequently, ~600 multiple choice questions were asked for analysis (e.g. “What should be the next step to determine whether IP address XY is used by attackers?”)
  • The best models (Claude Sonnet, Llama4) answered the questions correctly in about 25% of the cases. Low at first glance, but how would human analysts have fared in a direct comparison? The results are about 10x as good as random guessing. And the models were not even trained on security use cases; these were the standard LLMs. Personally, I would probably have failed at the 5% hurdle in the best FDP manner
  • Similar tests were also carried out to evaluate threat intelligence reports. As expected, the results were even better here (40-50% for all tested models), as the essential information is already in the CTI text.
  • All test data is publicly available to allow further benchmarking
  • Microsoft also offers a test environment for AI models with Sentinel log data and incidents (ExCyTIn-Bench). If I understood correctly, however, the published model benchmarks should be taken with a grain of salt: GPT was used (and not human analysts) to generate questions and correct answers. This makes it at least somewhat suspicious that GPT is also ahead in the benchmark.

M&A Corner:

  • Jamf (Apple MDM) is bought by Francisco Partners (PE) for $2.2 billion
  • VEEAM buys Securiti (DSPM/DLP) for around USD 1.7 billion
  • Dataminr (Threat Intelligence / Crisis Information) buys CTI competitor ThreatConnect for ~US$ 300 million
  • Imprivata (Healthcare Security) acquires Verosint (ITDR)
  • Panther (SIEM) acquires Datable (Pipeline Mgmt.)

Notes from vendor conversations:

Mitigant.IO:

  • German startup for cloud security: And not only CSPM and KSPM, but at its core an attack emulation (i.e. the same playing field as Picus, Safebreach, AttackIQ, XMCyber, SentinelOne, Pentera, Hadrian, Horizon3…)
  • ~5 customers, including a DORA-regulated leasing provider
  • Uses the configuration data of the cloud environments (tapped via API, i.e., no agent installation) to test attacks
  • Focus on misconfigurations that are exploited via API calls (not on PoC exploit code of CVEs in applications or OS)
  • Changes made during emulation can of course be undone via rollback
  • Already covers an estimated 80% of the MITRE ATT&CK Cloud Matrix and MITRE ATLAS
  • Roadmap: Integration with common EDR/SIEM (for rule creation) and CI/CD pipelines (for DevSecOps), testing in digital twin instead of production
  • Sales partnerships have also already been concluded with Genua and Secunet => for customers who prefer to work with larger players. Overall hats off, very cool!

Moabi (Update):

  • Small but fine French provider of product security solutions – highly topical, of course, due to CRA
  • Moabi was one of the first providers of software composition analysis of binaries in the IIoT environment, i.e. also of embedded ECUs. Competitors e.g. Cybellum, Black Duck or OneKey
  • Approx. 10 corporate customers, including Airbus, MBDA, Thales, Renault, Forvia
  • Special feature: Even without existing source code, reverse engineering makes it possible to create the SBOM, identify vulnerabilities and list necessary licenses
  • Different OS (incl. RTOS), processor architectures (e.g. Motorola 68xyz), languages and file formats are taken into account in order to identify insecure code (theoretically also 0-days) and to validate the exploitability of vulnerabilities
  • In addition to SaaS and private cloud, on prem and airgapped operation (with offline updates, especially for Aerospace & Defense) is also possible. This ensures that your own code or information about existing vulnerabilities in your own control units/sensors or the like is not shared
  • Automated risk analysis per ISO 27005 for individual files is also included
  • Licensing based on fixed prices, i.e. independent of the number of scans, users or development projects
  • Could use a reinforcement of the sales team. Who would have thought I’d ever say something like that 😉

Revel8:

  • Awareness startup specializing in AI-supported cyberattacks (are there any others?) from Germany, similar to Adaptive
  • Almost 100 corporate customers, approx. 25 employees
  • Playlist of deepfake attack scenarios individually for each company and for each employee, e.g. video call to payroll, helpdesk, change of bank details
  • Also covers channels like WhatsApp and LinkedIn
  • Feel free to give it a try: In the demo, I was called by a Bosch managing director who wanted to convince me to transfer an invoice to a software provider.
  • For customers, not only public videos etc. can then be used for training purposes, but dedicated recordings can be used so that the speech seems even more natural (and not slightly stilted as in most public appearances)
  • Founders all come from Celonis

Enclosed is also my current wallpaper, which was set up for me by colleagues for some unknown reason after they followed my stock tips. Possibly suitable for know-it-alls in one’s own circle of acquaintances.

As always, questions, suggestions, comments, experience reports, topic requests and also opposing opinions or corrections are welcome by email. Ditto for unsubscribing from the mailing list.

For the people who have received the market commentary for the first time: Here you can register if you are interested or test the immutability of the archive.

Regards

Jannis Stemmann
