How Cybersecurity Practitioners Evaluate Vendors

Henry Kogan

TL;DR: Here’s how a real cybersecurity practitioner evaluated IAM vendors, and it wasn’t through AI search queries.


AI search optimization's cybersecurity problem

Everyone in cybersecurity marketing seems to be having the same conversation right now, which is whether to spend money getting their brand cited by the flagship models such as ChatGPT, Claude, Perplexity, and Gemini. This includes publishing llms.txt files, restructuring website pages around question-and-answer formats, and seeding mentions on high-authority sites the crawlers love, hoping you begin to show up in LLMs as an answer to people’s questions.


HubSpot’s recent LinkedIn campaign on AEO demonstrates how the narrative for digital marketing is evolving. While there’s truth to the cannibalization of search engines by LLMs, the cybersecurity world is different when it comes to where buyers want their answers. Cybersecurity answers need a point of view, emotional honesty, and the weight of lived experience behind them.


The logic feels airtight when you first hear it. Most buyers use these tools every day, so vendors should show up inside them. It’s hard to argue with that value proposition when it’s on a slide with compelling visuals and data points.

But it completely misses the reality of how cybersecurity practitioners evaluate vendors selling complex products for very specific use cases. Practitioners use AI every day to compress documents they already have, sharpen their own thinking, and pressure-test work already done. There’s very little evidence they trust the models for the nuanced, use-case-specific judgment that vendor evaluation requires.

However, there is substantial data on how cybersecurity buyers use third-party publishers and peer communities for conducting their research, all the way down to the topic and format level.

I’m not saying to skip doing AI optimization work entirely. Last summer, I wrote a few pieces on the fundamentals and still believe it should be part of any serious digital content strategy to build brand awareness. But not for pipeline generation, where the ROI pressure is real.

Large language models have consumed roughly two decades of indexed web content, which means the vendors who dominated SEO, analyst coverage, and trade press for fifteen years are sitting on a citation moat that no challenger is climbing this year, or possibly next.

If you are the incumbent, congratulations, the LLMs already love you, and your content is showing up. If you are anyone else, you are paying a tax to compete in a channel where the leaderboard was set before you arrived.

Does showing up even matter?


Even if your content does show up in an LLM answer, the buyer probably won’t act on it. Security practitioners are buying the way they have for a few years now, quietly, on trusted security publisher networks and peer communities. Three reasons keep coming up:

  • Practitioners have been burned by the gated-asset bait-and-switch too many times. Download a “research report” and you get a thirty-page product pitch in a trench coat. Register for a “technical deep dive” webinar and the first fifteen minutes are corporate intro slides. Senior practitioners have learned that owned media is a controlled environment where the vendor decides what counts as evidence, and the form fill exists to feed a BDR sequence, not to deliver value. The cost is reputational on the practitioner’s side — every form fill triggers a quarter’s worth of LinkedIn messages and cold calls — so the bar to submit one has climbed permanently.


  • Owned media cannot tell them the one thing they actually need to know, which is what the vendor’s deployment looks like at month eighteen. A vendor’s site will show the architecture diagram, the customer logo wall, the analyst quote, and the ROI calculator. It will not show the SE who left after the contract closed, the integration that broke when the customer upgraded their ERP, or the renewal conversation where pricing doubled. Practitioners know the interesting information lives in the places the vendor does not control — peer Slacks, analyst calls under NDA, off-the-record conversations at dinners — and owned media is structurally incapable of surfacing any of it.


  • The audience on a vendor site is the wrong audience for the decision. A practitioner reading a vendor’s blog post is alone with the vendor’s framing. A practitioner reading a piece on a publisher network is reading alongside named CISO commentary, analyst voices, competing vendors covered in the same category, and peer reactions in the comments or the adjacent webinar. The decision a senior leader is making is a comparative one, and comparison cannot happen inside a single vendor’s walled garden. Going to owned media to evaluate a vendor is like asking the defendant to summarize the trial.

Ironically, the big players know this and are increasing their budget on third-party platforms, because that is where buyers go deep with due diligence.

Let me walk you through how this played out for one buyer we have anonymized. So as not to call out any vendors, we have changed their names too.

How a practitioner evaluated six vendors

Maya runs security engineering at a mid-market financial services firm. Her story covers six vendors over six weeks without a single form fill or LLM query in sight. We have a close relationship with Maya through both our editorial and community platforms, and we used our proprietary technology to make sense of her intent across BankInfoSecurity, DataBreachToday, ISMG Roundtables, and the CyberEdBoard peer community, including in-person and informal interactions she shared with us in strict confidence.

Maya allowed us to republish her journey on the condition that we keep her name and employer confidential. This kind of research happens every minute across the ISMG media network.

Maya’s CFO came back from an audit committee meeting with a board mandate to tighten identity governance across the ERP and finance stack within ninety days. Maya did what experienced practitioners do, which is read for a week before letting any vendor frame the problem for her. She began with three pieces across BankInfoSecurity and DataBreachToday. She told us we have the widest variety of content available, and enjoyed that we put practitioner analysis, named CISO commentary, and analyst voices in one place. This first step took her ten days. Three pieces, no forms, no LLM prompts. Then she started evaluating six vendors.

“I spent ten days reading three pieces across BankInfoSecurity and DataBreachToday before I let a single vendor near the problem, and by the time I was ready to evaluate, I had a framework that was mine, not from somebody’s pitch deck.” — Maya Mayhem, Director of Security Engineering, Fortune 1000 financial services firm

The 6-week research journey across 6 very different vendors

You won’t get fired for picking this pan, but you will be thrown into the fire, sauce and all, when deploying it. Eighteen months, give or take. Comes with a permanent burn-in flavor your auditor will recognize anywhere.

Maya needed to know whether upgrading her existing footprint could close the gap before she went looking elsewhere. She never visited the vendor’s website. She read two analyst writeups on BankInfoSecurity, pulled a Magic Quadrant excerpt republished on DataBreachToday, and searched her own Slack, where she found an eighteen-month-old thread from her predecessor scoping a deployment and walking away on cost.

Forty minutes, all on neutral ground. This is exactly where AI search would have served the incumbent and buried every challenger.

She routed around all of it by going to publishers where the conversation was about who leaves the incumbent and why.


Cloud-native, fire-native, RFP-native. Everything except on-prem-native, which is the point.

The challenger surfaced in an ISMG Roundtable Maya attended, then in a practitioner-authored editorial on DataBreachToday. She spent around eight minutes on the editorial, scrolling to the bottom. Two days later, a second piece on converged identity ran on BankInfoSecurity. Five days after that, a thirty-minute on-demand session from an ISMG webinar where one of the vendor’s financial services customers walked through their deployment in detail.

She did not visit the vendor’s site until much later, and only briefly. A challenger cannot outrank the incumbent in an LLM’s training corpus.

A challenger absolutely can show up where the buyer is already spending real time.


Already runs your SSO. Now wants to run your governance. Wears sunglasses indoors, and there’s nothing you can do about it.

Maya’s firm already used the dominant SSO and MFA vendor for workforce identity, so the CFO would have liked the consolidation. She handled this in twenty-five minutes. She sent a Slack message to her IAM architect, who had not revisited the IGA module since a sales call eighteen months back.

She then found a comparison piece on BankInfoSecurity that ran side-by-side category coverage from a practitioner lens. There was a Forrester Wave excerpt quoted in the piece. Disqualified. Her tabs never touched the vendor’s product pages.

Disqualification is also a signal, and most vendors miss it because they only watch their own properties.


You may not hear about them at the RSAC conference. You definitely will hear about them at the SAP dinner.

Maya had not seriously considered this vendor until a peer in the CyberEdBoard community mentioned a strong SAP-specific deployment at a roundtable dinner, which is the kind of offline moment that reopens evaluations all the time and shows up nowhere in any digital funnel.

She then found a customer story on BankInfoSecurity, the kind of long-form practitioner walkthrough vendors cannot replicate on their own sites because nobody trusts a customer story you host yourself.

Two days later came an ISMG Roundtable on SAP identity risk where the vendor’s name came up from the audience. She forwarded the story to her IAM architect with a one-word note.

Peer signal beats synthesis every time, and the forwarding matters as much as the reading.



The bundled wisdom that comes free with the suite. The professional services bill that does not.

The political pull toward the suite was strong because Maya’s CFO loved single-vendor relationships. She read two third-party analyst pieces on DataBreachToday comparing bundled IGA modules against specialists, then two independent practitioner blog posts on BankInfoSecurity detailing pain points with the suite vendor’s deployment timelines, both written by people who had lived through implementations and had no incentive to be polite.

A strategic piece on best-of-breed versus suite landed in front of her, served up by a content engine that had quietly learned what she cared about. She removed the bundled option from her shortlist.

That kind of unvarnished writing does not show up in a curated LLM answer.


Sees the entitlements you didn’t know you had. Also the ones your predecessor pretended weren’t there.

Late in the process, Maya hit a roundup piece on BankInfoSecurity covering emerging identity vendors and noticed one focused specifically on access visualization and fine-grained entitlement management. Two weeks later, she came back and searched for the vendor’s content. A CEO Q&A webinar from an ISMG virtual roundtable was front and center. She then looked at a twenty-minute product demo on DataBreachToday, rather than the vendor’s site, which mattered, because the same demo on the vendor’s site would have asked for her email. And she didn’t want to be bombarded with emails and phone calls before she was ready.

Then she forwarded the demo to her IAM architect and her GRC lead. Three named people at one account, thirty days, the same vendor’s content, all on third-party properties. A buying committee forming in real time. AI search ranking does not surface that.

Contact-level intent intelligence comes from ISMG’s network of 38 media properties, advisory boards, and peer communities such as CyberEdBoard.

What the vendors saw

Two of the six never knew Maya existed until her RFP went out three months later. They responded cold with generic positioning and lost. Two had her at the account level, vaguely, with IP-based signal but no contact precision and no read on the buying committee. Their BDRs called the wrong people. Two had real intent intelligence, contact-level, multi-touch, with topic and committee context, and they used it well. One sent a single well-timed email referencing the exact ERP identity question she had been researching. The other syndicated thoughtful content into the ISMG media properties she was already reading. Both made her shortlist. The two that won were not the two with the best products. They were the two that showed up correctly in the channels Maya actually used.


How cybersecurity practitioners use LLMs

Now, before anyone writes in, let me head off the obvious objection. Maya uses LLMs every day. She told us so. The question is what she uses them for, and the answer is the part the agency pitches keep skipping over.

There is a clean split in how she works. LLMs are genuinely useful for work that has already started, and largely useless for the decisions that haven’t been made yet. Vendor selection sits firmly in the second bucket. Almost everything else on her plate sits in the first.

The week the board mandate landed, Maya dropped the audit committee deck and the auditor’s preliminary findings into a chat window and asked for the three things her CFO was going to flag, the gaps the auditor had not flagged but would in round two, and the language to push back on the ninety-day timeline without sounding like she was dragging her feet. Forty pages compressed into something she could read on the elevator before her ten o’clock with the CFO. That use case alone, she told us, saves her a half-day a week.

Compressing the audit committee deck


She uses it the same way on inbound vendor material. A security questionnaire response comes back from a shortlisted vendor at fifty-two pages of PDF. She drops it in and asks for the four answers that are evasive, the two that contradict the vendor’s own marketing site, and the three follow-up questions she should send back. Her IAM architect used to do that read. Now her IAM architect reads the four flagged answers and goes deep on those.

Triaging an inbound vendor questionnaire


She drafts with it constantly. The CFO memo arguing against the bundled ERP module went through three passes: her bullet points in, a board-ready paragraph out, then a tightening pass, then a “make this sound less like a security person wrote it” pass. The model is not telling her what to think. It is helping her say what she already thinks in a register her CFO will actually read.

Drafting the CFO memo


She uses it as a second pair of eyes on her team’s work. A detection rule her senior analyst wrote. A Terraform module for the new IAM environment. The draft access review policy her GRC lead put together before sending it to legal. Thirty seconds of LLM review before she signs off. She catches maybe one issue in five this way, which is one more than she would catch otherwise, given the volume.

Reviewing the team’s work


And she uses it for the regulatory crosswalk problem, which in 2026 has gotten genuinely absurd. NYDFS Part 500 amendments. SEC cyber disclosure. The new identity-specific guidance from FFIEC. DORA for the European subsidiary the firm picked up last year. She runs a first-pass mapping between her existing control framework and each new requirement, then hands it to her GRC lead to audit. The mapping is wrong in places. It is still faster than starting from a blank page.

Mapping the regulatory crosswalk


Across every one of those use cases, Maya is bringing the context. The forty-page report, the questionnaire response, the bullet points, the detection rule, the existing control framework. The LLM is a force multiplier on documents she already has and decisions she has already made. It is not a discovery channel for decisions she has not made yet.

Which is exactly why she did not use one to find Sure Flint, evaluate MOOD, or build the shortlist that ended up in front of her CFO. She cannot walk into an audit committee meeting and say ChatGPT suggested the vendor. She needs a chain of evidence — analyst report, peer reference, named customer story, hands-on POC — that survives the first sharp question. The LLM answer disappears the moment someone asks where it came from.

The training data problem makes it worse for her specifically. The whole reason 2Rings made her shortlist is that access visualization as a category barely existed two years ago. The interesting part of the category is invisible to the model. The fastest-moving categories are exactly where the LLM is weakest, and those are exactly the categories Maya is being asked to evaluate inside ninety days.

Research intelligence has multi-year value

Maya was on the ISMG properties for six weeks during this evaluation. She will most likely be there for the next six years, regardless of her employer. Most of our practitioners progress in their careers and gain deeper subject matter expertise in their field. A meaningful number of them will land in the CISO seat over that time. The next deal in your pipeline is probably one of them, and the deal after that, and the one after that.

So spend something on AI search optimization. Hit the basics. Make sure a model can summarize you cleanly when someone does ask. Just do not bet the pipeline on a channel where the incumbents have a fifteen-year head start in the training data and where senior practitioners are not really shopping in the first place.

The buyers are not hiding. They are on BankInfoSecurity, DataBreachToday, ISMG Custom Roundtables, and the CyberEdBoard Peer Community, where the conversations are faster, the peer signal is sharper, the analyst voices and the practitioner voices sit side by side, and the form fill is something they will get to later, if they get to it at all.

Maya was there for six weeks. The next deal in your pipeline probably is too.

That is why we built Athena, to track exactly the kind of buyer research every cybersecurity marketer wants to get their hands on. We originally developed Athena for our own campaign management team and are now sharing this proprietary research data with our customers when they syndicate their content with us.
