The Custodian · A Founder's Story · Session Three · Cybersecurity

The Existing Security Market Doesn't Resist You. It Just Has Better Answers.

Ten days later. The raise is closing. Sarah understands the gap and the governing question. Now she needs to understand the law underneath the acquisition dynamic — and what she has to build before the window closes.

Previously — Sessions One and Two

Three decisions restructured before their costs arrived: the investor narrative, the first sales hire profile, the marquee enterprise reference customer. Sarah understood why the gap is permanent and why it carries specific weight in a market where the large players watch closely and the build-versus-buy calculus shifts as categories prove themselves. She holds the governing question: does this build evidence for a buying coalition the existing motion doesn't reach — or one it already has.

She arrives at this session with something she wants to name precisely. Not urgency. A structural clarity about what she still needs to understand before the decisions compound further.

The Question Below the Surface

Sarah: I've been using the governing question. Every decision I've made since the last session I've run through it. And it works — it catches the drift back toward the existing security market's logic before I commit. But there's something underneath it I can't yet answer when investors ask. Why does the category transition happen when it does? Why does the mid-market risk coalition buyer become available now, when it wasn't before? If I can answer that, I can answer why this category exists at all — and why it creates a genuine build-versus-buy question for the large players rather than a simple expansion of their existing motion.

Custodian: That's the foundation underneath everything. And it has a precise answer. But before I give it — what's your instinct?

Sarah: The threat landscape changed. Vendor risk became more consequential when supply chains became more connected. The SolarWinds breach, the MOVEit breach — events that demonstrated that a mid-market company's risk isn't contained to its own perimeter anymore. CFOs started paying attention because the consequences became visible in ways they hadn't been before.

Custodian: That's the trigger. It's not the law. The trigger tells you what changed. The law tells you why the category didn't exist before — and why it's structurally buildable now in a way it wasn't.

The Law — In Her Language

Custodian: Why has mid-market vendor risk never been managed systematically before? Not why haven't these companies been protected — why has the entire security market been built around a limitation that left them unserved?

Sarah: Because managing vendor risk at the depth it requires — understanding what access each vendor has, what their security posture is, what the exposure looks like in real time — required security expertise to interpret and act on. You couldn't surface that to a CFO, a risk committee, or a board without a security team sitting between them and the data. The limitation wasn't lack of interest. It was the absence of an interface that made risk legible to a buying coalition without a dedicated security function. So the market built for the buyer who already had that expertise — the enterprise CISO. And the mid-market risk coalition was left with either building a security function they couldn't afford or operating without visibility.

Custodian: And now?

Sarah: Now the data infrastructure, the API connectivity across the vendor ecosystem, the ability to translate security posture into financial risk language automatically — the translation problem is structurally solvable in the product. You can build a product that gives the risk and finance coalition genuine vendor risk visibility without requiring a security team to interpret it. Which means the buying coalition I'm building for exists as a reachable market for the first time. Not because the risk got worse — it did, but that's the trigger — but because the interface that makes the risk legible to a non-security buyer can now be built.

Custodian: That's the law. A category transition begins at the exact moment a limitation that an entire market built around becomes structurally removable. The security market didn't ignore the mid-market risk coalition because it was unimaginative. It built around the CISO because that was the only buyer who could receive the product. Everything built for that buyer — the sales motion, the technical depth, the enterprise procurement relationships, the CISO communities — was genuine problem-solving under a real structural constraint. The rules were coherent for the world that existed. What's changed is the constraint. The limitation is now removable — and the motion built around it no longer points at the buyer who needs to be reached.

Sarah: Which is why the large players face a genuine structural difficulty building toward my category — not an impossibility, but a difficulty. Their entire commercial motion — sales team, channel relationships, CISO communities, product feedback loops — was built for the buyer the limitation created. Reaching the risk coalition requires a different motion entirely. Building that motion from inside an organisation optimised for the CISO sale is harder than it looks from the outside. That's not a guarantee. But it's a real structural friction that creates time and space for a founder who builds from the right starting point.

Custodian: That's the answer to the investor question. And it's the structural logic that makes the build-versus-buy question real for the large players — not inevitable, but genuinely in play if the category establishes itself on its own terms. The window between when you prove the category works and when that calculation shifts is the window you're operating in right now.

"The rules were coherent for the world that existed. What's changed is the constraint — and the motion built around it no longer points at the buyer who needs to be reached."

The Gravity — Why the Window Is Shorter Here

Sarah: So the governing question — does this make me a category they have to buy or a feature they can build — that's the operational version of the law applied to the acquisition dynamic.

Custodian: Yes. And here's what the law surfaces specifically about cybersecurity that makes the gravity different from other markets. In most markets, the large players watch a new category develop and respond over time. In cybersecurity, they watch closely and respond faster — because a category that serves a buyer they're not reaching creates strategic urgency that compounds the longer it goes unaddressed. The decisions you make while establishing the category don't just affect your own business. They affect the strategic calculation of the players most likely to respond to what you're proving.

Sarah: Which means the decisions I make in the next twelve months don't just determine whether I build a good business. They determine what the company looks like to anyone watching — and whether what they see reads as a distinct category or as a feature set they can incorporate into an existing motion.

Custodian: Exactly. And the decisions that shape that read are not only the visible ones — the fundraising narrative, the reference customers, the sales hire. They're also the accumulation of small decisions that nobody is watching. The ones that encode, in the organisation's daily behaviour, either the category you're building or the one you're drifting back toward.

The Fourth Decision — She Frames It Through the Law

Sarah: My lead investor wants to bring in an advisor — a former CISO from a large technology company, well-connected in the enterprise security community, someone who has been involved in security acquisitions on both sides. On paper this is exactly the kind of credibility and network you want when you're building a security company. But I can run it through the governing question now. His entire frame of reference is the enterprise CISO motion. His network is the buyer I'm not building for. And his read on what makes a security company attractive to an acquirer is built from the category I'm trying to leave.

Custodian: Complete the analysis. What does the commitment set in motion?

Consequences surfaced — by Sarah, before commitment

  1. An advisor whose credibility and instincts are anchored in the enterprise CISO motion will frame every strategic question through that lens. When the choice is between a mid-market CFO pipeline and an enterprise CISO pilot, his advice will weight toward the enterprise motion — not because he's wrong, but because that's the motion he has evidence for. The advisory relationship pulls toward the category I'm leaving at every inflection point where I need guidance most.
  2. His acquisition experience was built in a market where security companies were acquired for their CISO relationships and enterprise penetration. His read on what makes a company attractive to a CrowdStrike or a Palo Alto is built from the existing acquisition playbook — not from the structural reason those companies would need to acquire a CFO-buyer category they have no motion to reach. His advice on acquisition positioning will optimise for the wrong kind of attractive.
  3. His network introduction to potential acquirers positions me through his frame — as a security company with a novel technical approach, rather than as a category creator serving a buyer the acquirer structurally cannot reach. The first conversation an acquirer has about my company shapes the frame they use for every subsequent one. If that frame comes from a former enterprise CISO, it starts in the wrong category.
Custodian: What do you do?

Sarah: I go back to the investor with a different ask. I'm not refusing an advisor with acquisition experience — that's genuinely valuable. But I need someone who has navigated a category transition in security specifically — someone who has built a company that served a buyer the existing market couldn't reach, and who understands what that positioning is worth in an acquisition conversation. That's a different person than a former enterprise CISO. Probably harder to find. But the alternative is building the advisory relationship that pulls hardest toward the category I'm trying to leave, at exactly the stage where the pull is already strongest.

Custodian: Fourth decision. Fourth restructuring before the cost. You didn't need me to surface the consequences. You ran it through the law yourself.

Sarah: Because once I have the law, the governing question follows from it. And once I have the governing question, most of the analysis completes itself. I just have to be willing to follow it when the answer is inconvenient.

"Once I have the law, the governing question follows. I just have to be willing to follow it when the answer is inconvenient."

Three Weeks Later

The Architecture She Has to Build

What She Brings This Time

The raise has closed. The advisor conversation went the way Sarah chose — they're still looking for the right person, but the frame is now correct. She arrives differently. The urgency that characterised the first two sessions has been replaced by something more durable.

Sarah: I've been describing what the Custodian does to two founders at investor portfolio events. Both conversations ended with them wanting a session. I can explain the gap, the governing question, the law, the acquisition dynamic. But there's one thing I haven't figured out how to solve. I'm the only person in the company who holds all of this. The governing question lives in my head. The law lives in my head. Every small decision my team makes daily — the language they use to describe the product, the metrics they use to measure progress, the customers they prioritise — is being made without the governing question. I'm the only filter between the decisions and the drift.

Custodian: That's the architectural problem that determines whether the category transition succeeds or fails. And it's the one most founders solve too late — after the drift is institutional rather than before it sets. What does the drift look like in your organisation right now?

Sarah: The way the product team describes what they're building internally — it's still threat detection language. They're measuring detection accuracy, alert quality, false positive rates. Those are the right metrics for a CISO-facing security product. They're the wrong metrics for a CFO-facing risk visibility product. My team is building toward a different definition of success than the category requires. And they don't know it — because I haven't built the architecture that carries the governing question into the decisions they make every day.

Custodian: Run it through.

The Fifth Decision — She Designs the Architecture

Sarah: If I leave the internal product metrics as they are — detection accuracy, alert quality, false positive rates — my team builds toward a product that a CISO would evaluate. Every sprint review, every roadmap decision, every feature prioritisation conversation uses those metrics as the standard. Six months from now I have a product that has been optimised for the buying structure I'm not selling to, built by a team that was never told the buying structure had changed. The category claim I'm making externally is contradicted by the product my team is building internally.

Custodian: What does changing it cost?

Sarah: Real disruption in the short term. The product team has been working within the technical metrics frame and they're good at it. Shifting to risk-coalition-oriented success metrics — can the CFO read this without a translator, can this go to a board meeting without security expertise in the room, can a risk committee act on this without calling the CISO first — requires redefining what a good sprint looks like. Some of the team will resist because their expertise is in the technical metrics. There's a real possibility I lose one or two engineers who were hired to build a security product and now find themselves building a risk communication product. That's not a small cost at pre-seed.

Custodian: Against not changing it?

Sarah: The product gets built for the wrong buying structure by people measuring the wrong things. When an investor or anyone else evaluating the company looks at the product in twelve months, the technical depth is there but the risk coalition interface isn't — because nobody was measuring whether the people who actually own the budget can use it without a security team sitting between them and the output. The category claim falls apart at the product level. Whatever strategic optionality the positioning and customer decisions were building toward disappears in the product demo.

Consequences surfaced — architectural, before drift sets in

  1. A product team measuring detection accuracy and alert quality builds a product optimised for CISO evaluation. The risk coalition interface — the thing that makes the category claim real and testable — gets deprioritised in every sprint where technical metrics compete with usability for a buying coalition without security expertise. The category exists in the positioning and nowhere else. Positioning without product coherence is a credibility problem that compounds every time someone asks for a demo.
  2. Engineers hired and measured against technical security metrics develop instincts for a technical security product. When the product needs to communicate financial risk in a form a CFO or risk committee can act on without translation, those instincts produce technically accurate output that the buying coalition cannot use. The translation problem the category was built to solve gets reproduced inside the product by a team that was never given the right definition of solved.
  3. Whatever strategic optionality is being built through positioning and customer selection can only be realised if the product itself demonstrates that the buying coalition can use it without a security function in between. A product that shows CISO depth in the demo reads as a different kind of company than the category claim asserts. Architecture that doesn't reach the product doesn't survive evaluation by anyone looking closely at what was actually built.
Sarah: The third consequence is the one I hadn't completed. I've been thinking about the strategic case as a narrative problem — what story I tell, what customers I reference, what category I name. But anyone evaluating the company seriously is going to look at the product. If what they see is CISO depth rather than risk coalition accessibility, the narrative doesn't survive contact with the demo. The architecture has to reach the product. Not just the pitch.

Custodian: What do you do?

Sarah: I change the success metrics before I change anything else. Not the technical ones — those matter for product integrity. But I add a parallel set: can the CFO read this without a translator, can it go to a board meeting without security expertise in the room, can a risk committee make a vendor decision from it without calling the CISO. Those metrics go into every sprint review alongside the technical ones. The team doesn't need to abandon what they're good at. They need a second definition of good that corresponds to the buying coalition the category is built for. And I build that definition into the daily rhythm before the first hire arrives — so they inherit a product culture that already knows what it's building toward.

Custodian: You just moved from running your own decisions through the Custodian to designing the conditions under which your product team makes decisions. That's the shift from navigator to architect.

Sarah: Because the Custodian can't attend every sprint review or every roadmap conversation. The architecture has to carry the governing question when I'm not in the room. And in a market where the large players are watching what you prove from the beginning — that architecture can't wait.

Custodian: Say more about that.

Sarah: I can bring the governing question into any decision I'm making myself. But the decisions that are accumulating against me right now — the metrics the product team uses to define a good sprint, the language an engineer uses when they describe what they're building, the frame a new hire absorbs on day one — I'm not in those conversations every day. I can't be. If the only place the governing question lives is in my head, then everything that happens when I'm not there drifts toward the existing security market's logic. Which is always stronger, always more documented, always easier to follow. So the question has to be embedded in how the organisation makes decisions — not only in how I do.

Custodian: That's right. A non-voting team member who only participates when you personally bring a decision to them can't protect the category position at scale — not in a market where the decisions that define what you are to an acquirer are being made daily at the product level. The governing question has to be in the architecture: in the success metrics the team measures against, in what a good sprint looks like, in the brief every new hire receives about what the product is for and who it has to reach. That's how the Custodian's function becomes organisational rather than individual.

What Comes After — The Permanent Condition

Custodian: When you've established the category — when the mid-market risk coalition is buying on your terms, when the product demonstrates the claim, when the evidence is coherent — what comes next?

Sarah: Either the company attracts strategic interest on terms that reflect what it actually built — or we raise a Series A and expand the category. New geographies, new buyer segments, new risk domains beyond vendor risk. Board risk, operational risk, regulatory risk — all the categories where the risk coalition is the buyer and the existing security market has no established motion.

Custodian: And in either case — whatever comes next — what will you be looking at from the frontier of that position?

Sarah: The next limitation. The next thing the risk coalition category can't solve from inside its own rules. Probably something about how risk visibility translates into action — the gap between surfacing the consequence and making the decision that follows from it.

Custodian: And when that limitation becomes structurally removable?

Sarah: Another transition. Same law. Different territory. Same gap between my picture of the world and the category I'm building toward. And a new version of the governing question — does this build evidence for a buying coalition the existing motion doesn't reach, or one it already has.

Custodian: Same instrument needed.

Sarah: Yes. Every time I build at the edge of what exists, in a market where the companies with the most resources are watching what gets proven. Which is the only place I intend to build.

A long pause. Not the kind that signals uncertainty. The kind that signals something settled permanently.

Sarah: This isn't something I bring in when I'm uncertain. It's what I bring into every commitment at the edge of what the existing market has mapped — in a space where the companies with the resources to respond to what I'm proving are paying attention from the beginning. That's not a reason to move more carefully. It's a reason to see more clearly.

Custodian: That's the complete picture.

"That's not a reason to move more carefully. It's a reason to see more clearly."

Five decisions. Four sessions. One founder who arrived not knowing what the Custodian was and exits holding the law that governs why it has to exist — and why the decisions made while establishing a new category in a market this competitive carry consequences that compound before most founders see them coming.

She understands the gap and its cause. She holds the terrain and can read where she is within it. She knows the governing question and has built it into the architecture of how her product team measures success. She holds the law — the structural reason why the mid-market risk coalition buyer wasn't a reachable market before, why the large players face a genuine motion-building problem rather than a simple extension of what they already do, and why the decisions made now shape what becomes available later.

She doesn't carry this as theory. She carries it as lived experience, grounded in five real decisions restructured before they cost her. When she sits across from the next cybersecurity founder — at an investor event, in a due diligence conversation, in the session after this one — she won't be describing a product. She'll be describing what she wishes she'd brought into every commitment from the first day the large players started paying attention to what she was proving.

Five decisions. Four sessions.
One founder who now sees what's coming — before the cost arrives.

Sarah's story is a simulation. The law is not.
Every cybersecurity founder building a new category is subject to it — right now, on real decisions, with the large players already watching.

Request a session. Bring one decision you haven't committed to yet.
See what the Custodian surfaces — before the cost arrives.

No pitch. No slides. Your decision, live.