The Custodian · A Founder's Story · Session Two · Cybersecurity

The Sales Leader Whose Profile Is Built for the Buyer You're Not Selling To.

Three weeks later. The raise is in motion. The next commitment is already forming — and underneath it, something larger that Sarah hasn't named yet.

Previously — Session One

Sarah was about to lead her pre-seed raise with the AI-powered threat detection framing. The Custodian surfaced three consequences she hadn't seen: immediate benchmarking against established platform players at a scale she couldn't win, board expectations set against a thesis her actual product wasn't building toward, and — most critically — the abandonment of the one positioning claim that pointed toward a buyer segment the large players have no established motion for.

She rebuilt the pitch around the structural claim: this surfaces vendor risk in a form the finance and risk coalition can act on, without requiring a dedicated security function to sit between them and the data. Then she went to find out what happened.

Close the Loop — What Actually Happened

Sarah is back. Two investor conversations completed since the last session.

Custodian You were about to lead with the AI threat detection platform story. You built a bridge instead — the structural claim about the CFO buyer. What happened?
Sarah First meeting I reverted. Investor pushed on TAM and I jumped to the platform framing. They spent the rest of the meeting asking about our detection accuracy versus CrowdStrike. I had no good answer because that's not the comparison that matters for our product. It went sideways. Second meeting I held the structural claim. Led with the buyer gap: every mid-market company has vendor risk and no security team to manage it. The CFO is the buyer. The CISO is the validator. Completely different conversation. They leaned in on the acquisition angle themselves — asked which of the big players would struggle to reach this buyer without us.
Custodian What did you say?
Sarah All of them. Their entire go-to-market runs through enterprise CISOs and security teams. They have no motion for a CFO who hasn't hired a security function yet. I said it and it landed. Then I connected it to the consequence surfaced last time — the moment I use their language, I'm positioning myself as a feature they can build rather than a category they have to buy.
Custodian You just closed the loop on the previous session in front of an investor. That consequence — about acquisition positioning — you felt it land in real time.
Sarah Yes. And I hadn't connected it fully until I said it out loud in that room. It's not just an investor narrative decision. It's a strategic decision about the entire company's position in a market where the exit isn't an IPO — it's an acquisition. Every positioning choice I make is simultaneously a statement about what I'm worth to the buyer and how much leverage I have when they call.

She pauses. Something has shifted beyond the immediate conversation. This is no longer about the pitch. It's about the structural logic underneath every decision she makes from here.

The Second Decision — Before You Commit

Custodian What's the next major commitment you're moving toward?
Sarah First sales hire with pre-seed capital. I need someone who can close. The profile I'm recruiting against is an enterprise security sales rep — someone who has sold at Palo Alto or CrowdStrike, knows the CISO relationship motion, understands the security buying cycle. That's what everyone says you need to sell a security product.
Custodian That profile was built for the enterprise security motion — CISO-led, procurement-heavy, eighteen-month sales cycles, six-figure deal sizes with security teams doing the evaluation. You just defined your buyer as a coalition — CFO, risk committee, operations leadership — at a mid-market company without a dedicated security function doing the buying. Those are two different buying structures, two different sales motions, two different instincts about what a good conversation looks like and what closing actually requires.

Sarah stops. She had been holding these two things separately. They just collapsed into the same problem.

Consequences surfaced — before commitment

  1. An enterprise security sales rep will default to the motion they know — qualifying for CISO access, building technical credibility, navigating security procurement. In your market, that motion is likely to stall at the same place your CISO relationships stalled: a technically enthusiastic advocate who is one part of a buying coalition that hasn't been assembled. You may have hired someone excellent at the conversation that already cost you four months, using the capital that was supposed to fix it.
  2. Enterprise security reps measure success by deal size and sales cycle length — metrics calibrated for the enterprise motion. In a mid-market risk coalition sale, a good week looks completely different: faster initial conversations, smaller entry contracts, a different definition of what qualified looks like. A hire whose instinct of success doesn't match your market's shape will optimise the sales function toward the wrong definition of progress — not out of poor judgment, but because that's what their experience trained them to recognise.
  3. The first sales hire defines the sales culture — what the company believes the sale looks like, who it believes is in the room, and what it trains every subsequent person to do. If that culture is built from the enterprise security motion, the organisation develops instincts for a buying structure that may not match your market. Reversing a sales culture costs more than a single hire — it costs the institutional momentum built in the wrong direction.
Custodian Were any of those visible before now?
Sarah The first one I had a feeling about — something felt off about the profile but I couldn't name it against the conventional wisdom. The sales culture one I hadn't thought through at all. The first hire doesn't just sell — they define what selling this product means to everyone who comes after them. If they're building from the enterprise security playbook, the company encodes the wrong buyer into its sales DNA before we've closed a single mid-market CFO.
Custodian What does it change?
Sarah The profile entirely. I don't want someone who has sold security to CISOs. I want someone who has sold risk or compliance decisions to CFOs — someone whose instinct is the financial buyer, not the technical one. Ideally someone who has sold in a category where the buyer was afraid of the problem but hadn't yet experienced it personally. That's a harder person to find in the security space. But the alternative is building the wrong sales motion with pre-seed capital and discovering it when I'm trying to raise a Series A on revenue that came from the wrong buyer.
Custodian You just restructured a hire you haven't made yet — before it cost you.

Naming the Pattern — And What's Underneath It

Custodian Notice what's happened across both decisions. The investor narrative and the first sales hire. The invisible consequences aren't random. They're all generated by the same structural condition — you're building a product for a buyer the security market has never served, using a playbook built for a buyer it has. Every decision you make by default draws from the existing security market's logic. And that logic was not built for your buyer.
Sarah I'm not thinking badly. I'm thinking from the wrong market structure.
Custodian Exactly. And there's something else running underneath that structural condition that matters for every decision you make from here. You're operating in a market where the large players don't wait for you to mature before they move. CrowdStrike, Palo Alto, Microsoft — they acquire capability gaps early, before a startup has established enough category independence to negotiate from strength. Which means every decision you make is simultaneously a positioning decision about what you're worth to an acquirer and how much leverage you carry into that conversation when it comes.
Sarah I've been thinking about exit as something that happens later. After product-market fit, after Series A, after we've proven the business. You're saying the decisions I make right now are already shaping what that conversation looks like.
Custodian Every decision about how you position the product, who you hire to sell it, which customers you land first, and what category you name yourself as creating — all of it is being read, continuously, by the companies most likely to acquire you. Not consciously. Structurally. The decisions that make you a compelling category acquisition are not the same decisions that make you a cheap feature acquisition. And the gap between those two outcomes is determined before the first acquisition conversation happens — in the decisions being made right now.
Sarah Which is why the AI threat detection framing was dangerous in a way I hadn't fully understood. It wasn't just a narrative risk. It was a positioning signal to every potential acquirer that we're building something they can replicate. Using their language told them we're in their category. And things in their category get priced as features.
Custodian That's the governing question that runs underneath everything in this market. Not just: does this serve the category I'm building or the one I'm leaving. But: does this make me a category they have to buy — or a feature they can build?
"Does this make me a category they have to buy — or a feature they can build?"

Two decisions restructured before their costs arrived. One pattern turned into a structural understanding. And one governing question that changes the frame on every decision that follows.

Sarah doesn't need to be convinced the Custodian works. She's experienced it twice, on her own decisions, with her own capital and her own acquisition positioning at stake. What she wants now is to understand why the gap keeps producing the same kind of blindness — and what's underneath the acquisition dynamic that makes it structurally inevitable in this market.

That question belongs to the next session. And she'll ask it herself.

Two Weeks Later

The Question She Brought Herself

Why the Gap Keeps Producing the Same Blindness

Sarah opens before the Custodian does.

Sarah I've been sitting with the governing question. Does this make me a category they have to buy or a feature they can build. I'm using it. But there's something underneath it I can't yet answer. Why does the gap keep producing the same direction of blindness? Every default decision I make drifts toward the existing security market's logic. Why is the pull always in that direction and not in the direction of the category I'm building?
Custodian That's the right question. And it has a precise structural answer. The picture you use to make decisions — where did it come from?
Sarah The existing security market. The companies that succeeded. The playbooks that worked. The investors who funded similar products. The sales motions that closed. Everything I know about how to build a security company came from what already exists.
Custodian Which world was that picture built from?
Sarah The world where the CISO is the buyer. The enterprise security motion. The companies that CrowdStrike and Palo Alto built their platforms around. A world that has no data from the CFO buyer in a mid-market company without a security function — because that buyer has never been served at scale before.
Custodian So your picture — the one you're using to make every decision right now — has never received a single piece of feedback from the territory you're actually building in. The consequences that live in that territory are not just hard to see. They are genuinely invisible to the instrument you're using to look for them. And because the existing security market's picture is so well-developed — so many successful companies, so much documented playbook, so many credible advisors who have operated in it — the pull toward it is stronger than in almost any other market you could be building in. The gravity of the existing category is proportional to how thoroughly it has been built out. And cybersecurity has been built out thoroughly.
"The picture has no data from the territory you're building in. And the existing territory has been built out so thoroughly that its gravity is almost indistinguishable from good advice."

The Permanent Condition — And What Makes Cybersecurity Different

Sarah So it gets better as I build more experience in the coalition buying motion. As I close deals, collect data, understand how the decision actually forms — the picture updates.
Custodian For the territory you're building in now — yes. But there's a specific feature of cybersecurity that makes the gap more consequential here than in most markets. In most markets, the gap closes at its own pace. In cybersecurity, the large players watch closely — and when a new category demonstrates it can serve a buyer segment they're not reaching, the calculus around whether to build or acquire shifts. Which means the decisions you make while establishing the category matter for reasons beyond the immediate business.
Sarah So the gap doesn't just cost me decisions. It affects future optionality. Every month I operate from the wrong picture is a month where I'm building something that resembles what already exists — rather than something that creates a distinct reason for the market to respond to it differently.
Custodian The permanent condition — that the picture is always behind the territory you're building in — plays out differently in cybersecurity than in healthcare or marketplace or SaaS. In those markets, the cost of the gap is paid primarily in time and capital. Here it can also shape what options are available later and on what terms. Not inevitably. But the decisions made from the wrong picture narrow the range of what becomes possible.
Sarah So the only way to close it is something that operates outside the picture. Something that can surface the consequences of making decisions from the existing security market's logic when I'm trying to build outside it.
Custodian That's exactly right. And there's a name for what you're navigating. You're in a category transition — from the existing security market, built around the CISO and the enterprise procurement motion, to a genuinely new category built around an unserved buying coalition in the mid-market. Every founder building something genuinely new in cybersecurity goes through it. The gap you've been experiencing is not a sign that you're doing it wrong. It's a sign that you're doing it at all.
Sarah And in this market, doing it at all means the large players are paying attention from the beginning.
Custodian Which is why the decisions about how you build it matter — and why they need to be made from the right picture, not the one the existing market built.

The Third Decision — She Brings It Herself

Sarah I want to run something through it. My lead investor is pushing me to land a marquee enterprise logo as my first reference customer. They have a warm introduction to the CISO of a large financial services firm — exactly the kind of name that signals credibility to the next investor. On paper this is what you do when you're building a security company. But I can feel the governing question pulling at it. I just can't quite complete the analysis.
Custodian Run it through. What does the commitment set in motion?

Sarah thinks. She's working it herself.

Sarah A large financial services firm has a mature security team. A CISO with budget authority and a procurement process built for enterprise security vendors. That's the buying structure my product wasn't designed for. Closing them requires custom compliance work, integration into their existing security stack, and a relationship motion built around CISO trust rather than risk coalition framing. That's twelve months of my engineering team's attention and a sales motion completely different from the one I just restructured my hire profile to build.
Custodian What else?
Sarah The reference customer story. A marquee financial services logo tells the next investor — and signals to anyone else watching — that we sell to large enterprises with mature security teams. That's the positioning I just restructured the narrative to move away from. The reference customer becomes the category signal. And this one signals the wrong category.
Custodian What does it signal to the large players who are watching the space?
Sarah That we fit into an enterprise buying motion they already understand. A large financial services customer is likely already running CrowdStrike or Palo Alto. Landing them demonstrates my product works alongside infrastructure the large players already own. That positions me closer to a compatible feature than a distinct category — which changes the terms of any future conversation about what we're worth and why.

Consequences surfaced — by Sarah, before commitment

  1. Closing a marquee enterprise logo requires a sales and engineering motion built for the wrong buying structure — consuming twelve months of capacity that could be building evidence for the buying coalition the category is actually built around. The risk is a competitor who stayed in the right lane establishes that evidence first.
  2. The reference customer becomes the category signal in every subsequent investor conversation. A financial services enterprise signals enterprise security motion. Investors who see it benchmark against enterprise security companies. The logo that was supposed to open doors may narrow the category definition around the wrong buyer.
  3. Large enterprise customers in financial services are likely embedded in existing platform ecosystems. Landing them produces evidence of compatibility with an existing motion — which positions the company differently than evidence of a buying coalition the existing motion cannot serve. That distinction affects how the company's story reads to anyone evaluating it from the outside.
Sarah The third one I hadn't completed. I was thinking about the reference customer as an investor signal. It's simultaneously a market signal about which buying structure we're building evidence for. And those two need to point in the same direction — toward a coalition the existing motion doesn't reach, not toward one it already has.
Custodian What do you do?
Sarah I go back to the investor. I understand why they want the logo — it signals credibility to the next round. But the reference customer I need is one where the buying coalition looked like the one I'm building for — finance and risk leadership without a dedicated security function making the call. Two or three of those tells a more coherent story than one financial services logo, because it's evidence for a buyer segment the enterprise motion doesn't currently reach. That's the claim worth proving.
Custodian Third decision. Third restructuring before the cost. And you ran this one entirely yourself.
Sarah Because I had the governing question. Does this build evidence for a buying coalition the existing market doesn't reach — or does it build evidence for one it already has. Once I had that question the analysis followed. I just needed to be willing to complete it when the answer was inconvenient.
"I just needed to be willing to complete the analysis when the answer was inconvenient."

Three decisions restructured before they cost her. One structural understanding of why the gap is permanent and why it carries specific weight in this market. A governing question that changes the frame on every decision that follows — including every investor conversation about what the company is building and what it's worth.

She doesn't carry the Custodian as a tool she reaches for when something feels uncertain. She understands it. And that means the next founder she tells this story to will hear it the way she lived it — not as a product pitch, but as the thing she wishes she'd brought into every commitment from the first day the large players started paying attention.

Choose Your Path

Sarah has one more session ahead — where the law underneath the market dynamic gets named, and she builds the architecture her organisation needs to carry the governing question when she's not in the room. Or bring your own uncommitted decision now.

Run My Own Uncommitted Decision No pitch. No slides. Your decision, live. Continue to Session Three Sarah learns the law that governs why the large players acquire when they do — and what she has to build before the window closes.