For years, cybersecurity buyers have relied on categories to make sense of a sprawling market.
Need endpoint protection? Talk to endpoint vendors. Need email security? Call the email security companies.
Need vulnerability management, identity security, cloud security, or governance? Each category had its own established players, its own experts, and its own evaluation criteria.
That model is beginning to break down.
During a recent CYBR.SEC.CAST discussion, Crush Security CEO Joshua Jones made a prediction that within the next 18 to 24 months, virtually every cybersecurity vendor will claim to do everything.
If he's right, the industry is heading toward an identity crisis.

Every Vendor Wants to Be a Platform
The cybersecurity market has always experienced some degree of category expansion. Endpoint vendors added identity features. Identity vendors added endpoint telemetry. Cloud security vendors moved into posture management, governance, and data protection.
But artificial intelligence is dramatically accelerating that trend.
Historically, expanding into a new market required significant engineering investment, specialized expertise, and years of product development. Today, AI-assisted development is lowering those barriers. Features that once required dedicated teams can now be built and deployed far more quickly.
The result is an explosion of overlap. An email security vendor may suddenly offer governance capabilities. An exposure management platform may begin advertising cloud security functionality. Identity vendors now discuss risk management, while cloud providers increasingly position themselves as security platforms.
From a business perspective, the strategy makes sense. Investors reward larger addressable markets. Customers prefer consolidation. Vendors want larger contracts and longer-term relationships.
The problem is that buyers are becoming overwhelmed. Security leaders already struggle to evaluate dozens of vendors within a single category. What happens when there are no meaningful categories left? That's the question many organizations will soon be forced to answer.

The Buyer Is Becoming the Bottleneck
For decades, the cybersecurity industry has focused on helping defenders manage risk. Now many organizations are struggling to manage choices.
The average enterprise security team is already dealing with dozens of products, multiple compliance frameworks, contract renewals, staffing shortages, and growing executive scrutiny around spending. Every new purchase requires research, comparison, justification, deployment planning, and ongoing management.
Adding more vendors with increasingly similar claims does not simplify that process. It complicates it.
The challenge isn't merely identifying which product has the longest feature list. It's understanding which capabilities are mature, which are newly added marketing checkboxes, and which genuinely solve the problem at hand.
That distinction becomes increasingly difficult when every vendor's website begins to look the same.
One of the most interesting observations from the CYBR.SEC.CAST discussion came from Crush Security CTO Josh Johnson, who noted that no human can realistically keep pace with every vendor, every feature update, every acquisition, and every product expansion occurring across the industry.
The market is simply moving too fast. Even experienced practitioners, analysts, consultants, and solution architects struggle to maintain an accurate picture of the landscape.
As a result, security leaders risk making decisions based on familiarity, marketing visibility, or existing relationships rather than objective comparisons. That creates opportunities for both innovation and confusion.

The Future Belongs to Context
Ironically, the solution to this growing complexity may be the same technology helping create it.
Artificial intelligence is enabling vendors to expand their offerings more rapidly. But it may also help buyers navigate the resulting chaos.
Rather than asking whether a vendor can perform a specific function, future evaluations may focus on a different question entirely: Is this capability the best fit for my environment?
That shift matters.
A security program built around Microsoft technologies may reach different conclusions than one built around Google. A manufacturing company may prioritize different capabilities than a healthcare provider. A mature security organization may value depth over breadth, while a smaller team may prefer platform consolidation.
Context becomes more important than category. The cybersecurity industry has spent decades organizing itself into neat boxes: endpoint, identity, email, cloud, governance, vulnerability management.
Those boxes are disappearing. In their place is a future where vendors increasingly overlap, products continuously evolve, and buyers must evaluate technologies based on outcomes rather than labels.
For security leaders, that may be both the industry's greatest challenge and its greatest opportunity.
Because when everyone claims to do everything, the organizations that succeed will be the ones that learn how to separate capability from marketing—and signal from noise.

