Hello, Cyber Builders đ
Last week, I started a series on go-to-market and cybersecurity. The key idea was that you need to build trust with your market and customers to sell a cybersecurity product.
This week, I want to focus on the second kind of trust: trust with your partners and ecosystem. These are the people and organizations you need to build bigger, stronger cybersecurity companies over time. Analysts, channel partners, consulting firms, marketplacesâevery cybersecurity company has to work with at least one of these.
-
Rethinking Indirect Channels in a Cloud & AI World
How cloud and AI have changed the role of resellers and local partners, and why you still need trusted local relays to scale your security sales. -
From Features to Outcomes: How Analysts Really Think
Why analysts like Gartner and Forrester donât care about one extra feature, but about outcomes, use cases, and clear roadmaps your customers can execute. -
How to Work With Consulting Partners as a Startup
What consulting firms actually sell, how they influence RFPs and vendor selection, and how startups can share expertise to build credibility without over-investing. -
Turning Marketplaces Into Growth Engines
How security marketplaces from AWS, Microsoft, CrowdStrike, Palo Alto, and others work, why platform consolidation matters, and how startups can pick the right platform to go deep with.
NotebookLM (sorry for the typo, AI is not yet that perfect even itâs impressive) Here is also the audio interview format generated with Notebook LM
Letâs start with indirect channel partnersâprobably one of the most misunderstood partner types for startup founders. They are changing rapidly, with even more transformation ahead in the coming years.
I remember when, as a software publisher or network appliance vendor, the only way to reach customers was through regional resellers. This was because IT systems were deployed on-premise within enterprises and required significant expertise to set up, install, configure, and train users. It was a real skill to install Windows NT, deploy software, set up databases and application servers, and configure everything. You had to be âat your customerâ, traveling with your car to their offices.
Things have changed dramatically with the cloud, where deployment is no longer a barrier, and everything is accessible via a mobile phone or laptop. Now, with AI, the landscape is evolving further. AI agents are no longer just systems of record with forms, reports, and databases; they are becoming real workers, producing incremental output and functioning almost like employees. This shift deserves its own deep dive, which weâll tackle in a future post.
Given these changes, many foundersâespecially those from technical or security backgroundsâask:Â Why should I partner with local players at all?Â
The answer is simple: you need a local trust relay for your company. If youâre based in one city but want to sell security solutions to large, mid-size, or small enterprises, you need someone local. This person helps the company understand why your tool is better than alternatives and how it fits their needs. Local presence matters.
Thereâs also the cost of sales to consider. You canât hire a global army of SDRs and salespeople to cover every country. To scale as a security entrepreneur, you need local relays who understand customer culture, how projects get approved, how purchasing decisions are made, and who have their own networks.
So how do you actually start building these partnerships and earning their trust?
First, you need early references. Youâll have to sell directly to your first 20 or so mid-market companiesâclosing those âŹ50kâ100k deals yourself. This proves your product fits the market, addresses a real need, has genuine use cases, and shows low churn.
Many founders make the mistake of thinking that signing a partnership means the partner will start selling right away. Thatâs not how it works. If youâve ever worked in retail, you know that just putting a product on the shelf doesnât mean it will sell.
You need to invest in partner marketing. Train them. Provide tools, animations, discounts, webinarsâresources they can reuse. Crucially, you need to generate leads and share them with your partners. This is often confusing for founders:Â Why should I do all this work, incur these costs, offer a 30% discount, and then hand over the lead for them to close?
The answer is that building a sales machine with partners takes time. Youâre laying the foundation for trust. Once that trust is established, partners will replicate your success. Theyâll take the deals youâve closed together and apply the same approach to their other customers. But to reach that volume, you have to set up all these elements first.
The second type of partnership you need is with analysts. We all know their names: Gartner, Forrester, KuppingerCole, Omdia, and many others (like the great Francis Odum). These firms specialize in screening markets, categorizing them with acronyms (Iâve already covered this in my 12 cybersecurity platform categories), and providing insights into what matters in a given offeringâand what doesnât.
Analysts have a significant influence on cybersecurity. Most customers donât have the expertise to sort through all the options, so they rely on analysts for guidance. Analysts create plans, offer advice, and share research. Their insights help move the whole market forward.
Yet, I frequently hear security founders dismiss analysts with comments like, âThis is nonsense. We donât need them. They donât understand what we do. Weâre better than the rest, and weâll prove it.â This reaction reveals a fundamental misunderstanding of what analysts actually do.
Founders often assume itâs a technological gameâwhere detection rates, threat analysis, and benchmark performance are the only metrics that matter. They expect analysts to act like a scientific review committee, evaluating products solely on technical superiority.
But thatâs not what analysts do. They are market analysts, not technologists. Their focus is on how customers can achieve meaningful outcomes, not just on the technology itself. They value use cases, organizational impact, and practical guidance on structuring teams or projects to execute security programs effectively.
Itâs not about having one more feature than a competitor; itâs about articulating a clear, actionable vision that aligns with the marketâs current state. Customers want a step-by-step strategy they can implement, especially as technology evolves and new threats emerge.
They seek experience sharing, guidance, and meaningâexactly what analysts provide.
When you talk to analysts, take your time and be thoughtful. There are proven ways to work with them. Richard Stiennonâs book Up and to the Right is still a great resource, even after 15 years. I recommend reading it.
Consulting companies represent a third type of partner you need to consider. Unlike indirect channels, they typically do not resell productsâitâs not part of their business model. Margins on product resale are too low for their model, and they prioritize maintaining the trust theyâve built with customers by providing workforce and expertise.
Many consulting firms assist large enterprises in drafting RFPs, setting up evaluation labs for shortlisted vendors, and advising CISOs and their teams on vendor selection. Like analysts and channel partners, consulting companies are interested in the knowledge and insights you can offer as a vendor.
However, the wrong approach is to simply share your marketing materials with them. Instead, focus on sharing your unique perspective: Why do you believe things need to change? Why is your approach better for solving specific challenges? What sets your solution apart?
I donât believe consulting firms are inherently innovative in building groundbreaking solutions. Their core business is selling the talent and expertise of young, college-educated professionals. While they excel at this, only a limited number of individualsâusually senior partnersâare capable of producing cutting-edge content on emerging threats or trends.
These senior partners may only be invoiced for a few days per deal, but they are the ones who can provide the most valuable, high-level insights.
For startups and new vendors, engaging with consulting companies is important, but itâs not where you should focus all your efforts. It wonât have an immediate, direct impact on sales. However, if youâre targeting enterprise customers, itâs better to be known by these firms than to be unknown.
Consulting companies often host brown-bag lunches, internal labs, and meetupsâcasual events where you can share your expertise and engage in informal discussions. These are the kinds of opportunities you should pursue. Expert exchanges with their workforce, even in informal settings, can be valuable for building credibility and visibility.
Last are the marketplacesâthe newest category in the cybersecurity ecosystem. Many vendors, especially large platforms like CrowdStrike, Palo Alto, Cisco, Google, AWS, and Microsoft, offer partnership programs to join their marketplaces. These platforms attract customers by offering a wide range of pre-integrated security services, unified under a single user management, data storage, analytics, and reporting system. The goal is to simplify the customer experience: instead of managing 50 different vendors, they can consolidate most of their needs into one or two platforms.
This shift toward platform consolidation has been a major trend in the security business for years. Itâs also created significant M&A opportunities for startups, as large US companies have been acquiring three to five startups per year for the past decade.
These platform builders have dedicated teams to integrate acquisitions into their platforms, align company cultures, and streamline program managementâall to accelerate execution. However, they recognize they canât do everything themselves. There will always be gaps in their platforms, not because they lack the best product or feature, but because their strategy isnât to be the best in every categoryâitâs to be âaverage plusâ across the board.
To fill these gaps, platforms open marketplaces where independent vendors can offer their products, pre-integrated with the rest of the platform. For customers, this means if their core platform lacks a critical capability, they can connect to the marketplace and deploy what they need.
The next step for these platforms is to enable seamless purchasing: customers can hit âbuy and deploy,â and everything is handled automatically. This approach has been powerful, driving significant business for vendors like Wiz and Snyk, particularly on AWS, which has replicated the e-commerce marketplace model of its parent company, Amazon. Just as Amazon became the go-to place for online shopping, these platforms aim to become the default destination for IT security and infrastructure.
For startups, you need to be on these marketplaces. Youâll probably have to pick one platform to go deeper with, since they offer big incentives. For example, if you move part of your backend to AWS, they might give you discounts or credits as you grow your SaaS on their marketplace. Itâs a win for them and a growth opportunity for you.
If youâre building a cybersecurity company, you canât do it alone.
-
Indirect partners give you local trust and reach youâll never match with your own sales team.
-
Analysts shape how buyers think about your category and what âgoodâ looks like.
-
Consulting firms influence RFPs and shortlists long before you ever see a deal.
-
Marketplaces are becoming the default path for buying and deploying modern security stacks.
You donât need to go allâin on every motion from day one. But you do need a deliberate view of which partners matter for your segment, and in what order.
Start by proving you can sell directly. Then add the right partners, one layer at a time, so your credibility, distribution, and deal size grow together. Thatâs how you turn trust in the ecosystem into a real goâtoâmarket advantage.
Happy to discuss all these topics with the Cyber Builders community
Laurent đ
