The Custodian · A Founder's Story · Session One · Cybersecurity

You're About to Pay for a Decision You Haven't Made Yet.

The decision that cost you most probably felt right when you made it.

The Setup

Sarah is a founder. Sixteen months into building a cybersecurity product that gives mid-market companies visibility into their third-party vendor risk — the suppliers, contractors, and SaaS platforms with access to their systems. No dedicated internal security capability required. No six-month implementation. A dashboard that risk and finance leadership can act on without needing a security team to interpret it.

She has a technical background. She understands the threat landscape. She has built something that demonstrably works.

She agreed to a 30-minute conversation because a mutual contact said it would be worth her time. She doesn't know what the Custodian is.

Step One — The Recall

Custodian: Before I show you anything — I want to ask you something first. In the last 18 months, is there a decision you made that felt completely right when you made it — you had good reasons, you committed fully — and then somewhere down the line it cost you in a way you didn't see coming?
Sarah: Yes. About ten months ago I decided to spend most of my time building relationships with CISOs. They're the ones who understand the vendor risk problem most acutely. They gave us extraordinary feedback — detailed, technically precise, deeply validating. Every conversation confirmed we were solving a real problem. We spent four months in that world. Then I looked at our pipeline and there was nothing in it. Not a single commercial conversation. CISOs loved the product. Not one of them could approve a purchase without taking it to a CFO who hadn't heard of us.
Custodian: Did you have good reasons when you made that decision?
Sarah: Yes. Build relationships with the people who feel the pain most acutely. Standard advice. The logic made complete sense.
Custodian: So you weren't careless.
Sarah: No.
Custodian: And you weren't short on knowledge about how enterprise security products are sold.
Sarah: No. I'd studied the space. I knew the buyers. I thought I was doing everything right.
Custodian: Then here's the question I actually want you to sit with. What if you couldn't have seen it? Not because you missed a data point — but because at the moment you made that decision, those consequences were structurally invisible to your picture of the situation.

Sarah goes quiet. She's been carrying this as a go-to-market failure. That framing just shifted.

Step Two — Causality

Custodian: When you built relationships with CISOs, your picture of the buying decision was built from a reasonable assumption: the person who understands the problem most deeply is the person who drives the purchase. That assumption is correct for most markets. It's structurally false in mid-market cybersecurity. Here's why. The CISO in a mid-market company — a company without a mature security function, without a dedicated security budget line, without an established procurement process for security tools — is not the economic buyer. They are the technical validator. The economic buyer is the CFO or CEO, who is being asked to spend money on a risk they haven't personally experienced yet and can't easily quantify. Your product was built for the CFO to understand. Your relationships were built with the person who couldn't get the CFO in the room.
Sarah: So it's not that I was talking to the wrong people entirely.
Custodian: Correct. CISO relationships are necessary — they provide technical credibility and internal advocacy. But in your market, technical credibility doesn't close. The buying decision lives with a broader coalition — CFO, COO, risk committee, sometimes the board — whose primary concern is not the threat landscape but the cost of addressing it versus the probability of needing to. Your picture of the sales motion was built from large enterprise security — where CISOs have established budget authority and procurement processes built for them. That picture had no data from the buying coalition structure of a mid-market company without a mature security function.
Sarah: So I wasn't selling to the wrong people. I was selling to one part of the decision and missing the rest of it.
Custodian: You were building the technical leg of a coalition that needed three or four legs before it could move. And you had no visibility into the other legs because your picture wasn't built for that structure.
Sarah: I'm not thinking badly. I'm thinking from the wrong market structure.
Custodian: You're thinking from the only structure you had. Which is exactly the problem.
"The cost wasn't inevitable. It was a visibility problem. And visibility problems have structural solutions."

Step Three — The Restructuring

Custodian: If you had seen that consequence clearly before you committed — not as a vague risk, but as a specific lived cost: four months of relationship-building that produced no commercial pipeline, a product that was loved by people who couldn't buy it, and time you couldn't recover at pre-seed — what would you have done?
Sarah: I still would have built CISO relationships. You need them for technical credibility and internal advocacy. But I would have done it differently. Every CISO conversation would have ended with one question: who in your organisation owns the decision to spend on this? And I would have been working to get in front of that person — with the CISO in the room as the validator, not the decision-maker. I was treating the CISO as the end of the sale. They're the beginning of the second half of it.
Custodian: And the cost?
Sarah: Avoidable. Entirely.
Custodian: Notice what just happened. Your decision wasn't wrong. The timing of when you encountered the consequences was the problem. You paid a significant price after the commitment — a price you could have accounted for before it, if the consequences had been visible while they were still actionable.

Step Four — A Live Commitment

Custodian: You're approaching a pre-seed raise with early product validation but a market you're still learning to sell into. What's the biggest uncommitted decision sitting on your desk right now?
Sarah: How to position the product for investors. Right now we're vendor risk visibility for mid-market companies without dedicated internal security capability. That's accurate but investors keep asking about the total addressable market and I can feel them losing interest when I stay in that lane. I'm being pushed toward framing this as an AI-powered threat detection platform — broader, hotter, bigger market. It's the language investors respond to right now. But I'm not sure what I break if I lead with a story the product can't yet support.
Custodian: That's exactly what the Custodian is built for. Let's map that commitment now — before you walk into the next investor conversation.

Consequences surfaced — before commitment

  1. AI-powered threat detection is a category already occupied by CrowdStrike, Palo Alto, SentinelOne, and Microsoft. The moment you describe your product in their language, sophisticated investors will benchmark you against their scale and their established enterprise motion. The question they're likely to ask — whether these players could simply build what you've built — becomes harder to answer from a platform positioning than from a specific buyer claim they don't yet have a motion for.
  2. The investors who fund an AI threat detection platform arrive at their first board meeting expecting progress against that thesis — integrations, detection benchmarks, enterprise pilots, SOC partnerships. When your next six months are spent building toward a buying coalition that includes CFOs, risk committees, and operations leadership in mid-market companies, the gap between the story that was funded and the business being built becomes a governance conversation before you've had time to prove the actual market.
  3. Your product's structural claim — that it surfaces vendor risk in language a finance and risk coalition can act on, without requiring a dedicated security function to interpret it — is a specific, testable positioning. It points toward a buyer segment the large platform players have no established motion for. The moment you describe the product in platform language, that claim disappears into a category where your differentiation is much harder to hold.
Custodian: Were any of those visible to you before now?
Sarah: The first one partially. I knew the competitive comparison was a risk. But I was telling myself the AI framing would get me in the door and I'd differentiate once I was in the conversation. The board expectation problem I hadn't thought through — I was so focused on getting the meeting I didn't think about what happens after the term sheet. And the third one landed differently than I expected. I was thinking about positioning as a communication problem. I hadn't seen it as a question about which buyer segment I'm building evidence for — and what that signals to investors and anyone else watching about what kind of company this is becoming.
Custodian: Does it change what you're about to do?
Sarah: Yes. I need to lead with the structural claim — this surfaces vendor risk in a form the people who own the budget and the risk decision can act on, without requiring a security function to sit between them and the data. Then I connect it to the market that claim creates. That's a more defensible position than borrowing language from a category I'm not actually competing in.
Custodian: You just moved a cost from after your raise to before it.

Sarah sits back.

Sarah: That's what this does.
Custodian: Every time. For every commitment — before you make it, not after you've paid for it.

What Just Happened

Sarah didn't receive a warning. She wasn't told to be more careful or think harder. The Custodian didn't conflict with her identity as someone who understands the threat landscape, moves fast, and builds with technical precision.

It did something structurally different: it moved the cost from after the commitment to before it. The consequence was always going to happen. The Custodian changed when she encountered it.

She's not slowing down. She's not making fewer commitments. She now encounters the consequences of her decisions before she pays for them — while they're still visible, while they're still actionable, while the cost is still a choice rather than a surprise.

In cybersecurity at pre-seed, that distinction carries weight that compounds. The decisions that shape whether a founder builds a category or becomes a line item in someone else's roadmap are rarely dramatic. They're quiet — a positioning choice made under investor pressure, a buyer relationship built with the wrong part of the decision coalition, a product framed in language that signals feature rather than foundation. Seeing them before they compound is not a luxury. It's the structural condition for keeping future options open — including the ones that haven't formed yet.

Choose Your Path

Sarah's story continues across two more sessions. Or bring your own uncommitted decision — and see what the Custodian surfaces before the cost arrives.