Prepared for
Tech & Cyber
Hero Finding
The platform holds the second-highest CTEM leadership score in the market, but a 4-point satisfaction gap between current and churned users reveals a deployment-fit ceiling that governs retention.
Current users rate the platform with high satisfaction, and a strong majority believe it can lead the CTEM category: second only to a large enterprise platform. Churned accounts tell a different story: low satisfaction and a deeply negative NPS, driven primarily by implementation complexity and coverage gaps. The gap signals a fit-dependent retention profile rather than a broad product quality problem.
80%
CTEM leadership potential (target platform)
8.3/10
Current user satisfaction (n=22)
+46
Current user NPS
Study Design
N=32 enterprise security professionals · director level and above · current users and churned accounts.
The sample was designed to span both active users and churned accounts, enabling direct comparison of satisfaction trajectories and identifying the fit conditions that drive retention versus displacement.
Sample segmentation
Current Users · 22
Churned Accounts · 10
Interview guide · core topics
- Security stack composition, category prioritization, and budget allocation trends (historical and forward)
- Platform use case adoption: core monitoring, cloud security, active directory, and emerging CTEM capabilities
- Customer satisfaction scoring and NPS by user cohort (current users vs. churned accounts)
- Platform strengths and weaknesses, unaided and aided, with verbatim depth probes
- Contract structure: pricing models, contract duration, annual spend, and price sensitivity thresholds
- Sales cycle dynamics, implementation complexity, and buyer persona mapping
- Competitive positioning: CTEM category leadership potential benchmarked against six alternatives
- Switching costs, displacement risk, and 3-year spend trajectory by segment
Recruit criteria
- CISO, Director of Security, or Security Architect at enterprise organizations
- Decision-maker, committee member, or significant influencer on cybersecurity software purchases
- Current or past user of a CTEM, VM/VA, or CAASM platform
- Operating in hybrid cloud environments across regulated and non-regulated industries
Key Findings
What the diligence surfaced.
Five signals shaped the investment team's view of the competitive moat, the retention dynamics, and the commercial growth ceiling.
8.3
Current user satisfaction (out of 10)
+46
Current user NPS
-100
Churned account NPS
80%+
Rate switching away as difficult
64%
Expect to increase platform spend
01
Current users are deeply satisfied and commercially committed: 64% plan to increase spend, 68% are on 3-year contracts.
A strong majority of current users rate satisfaction at 8 or higher. 64% expect increased spend over the next 3 years, driven primarily by asset base growth and new module adoption. 68% are on 3-year contract terms, and a strong majority rate switching away as difficult, creating strong net revenue retention fundamentals for the investment thesis.
02
Churned accounts reveal a deployment-fit threshold: low satisfaction and a deeply negative NPS, driven by complexity and coverage gaps.
Past users rate satisfaction in the low range (versus high satisfaction for current users) and all rated NPS in detractor territory. Primary churn drivers: product coverage limitations (60%), integration challenges (30%), and pricing concerns (30%). Organizations without sufficient security resources or those expecting broad coverage at low complexity are not the right customer profile. The churn signal is a fit problem, not a product quality signal.
03
Price tolerance is strong at the enterprise tier: more than a third accept higher price increases, and only 5% would switch at any price increase.
A strong majority tolerate moderate increases and more than a third accept higher increases, with only 5% willing to consider alternatives at any price increase. This pricing resilience concentrates in organizations above an enterprise revenue threshold, which represent the large majority of current users, and correlates directly with high satisfaction scores. The enterprise segment supports material price power.
04
CTEM category budget momentum is accelerating: forward expectations match VM/VA for the first time.
Historically, VM/VA led budget increases (66% over the past 3 years) while CTEM lagged (34%). Looking forward, 63% expect CTEM budget increases over the next 3 years: equal to VM/VA at 63%. CTEM is reaching category parity in enterprise security budget prioritization, which is the primary demand-side tailwind in the investment thesis.
05
The platform spans four security categories but only a minority of current users self-identify their usage as CTEM.
A strong majority of current users deploy the platform for VM/VA and attack surface management. Only a minority actively recognize their usage as CTEM. Customers are executing CTEM workflows while budgeting under legacy categories, creating an uncaptured re-anchoring opportunity: CTEM budget allocations are growing at a strong pace, but the platform is not yet claiming that budget framing for the majority of its installed base.
“It not only defines the vulnerabilities, it also prioritizes the actions and the remediation path. That combination is what keeps us from considering alternatives.”— Director of Security, Financial Services enterprise
Crosstab · Budget Momentum
CTEM is reaching budget parity with established VM/VA: the single largest demand-side tailwind in the investment thesis.
Security budget increase expectations by category (current platform users): historical 3-year performance vs. forward 3-year outlook. CTEM shows the largest swing from historical underinvestment to forward parity with VM/VA.
| Increased · Past 3 years (%) | Expect increase · Next 3 years (%) | |
|---|---|---|
| Vulnerability Management (VM/VA) | 66% | 63% |
| Attack Surface Management (CAASM) | 56% | 66% |
| Threat Exposure Management (CTEM) | 34% | 63% |
| Breach Simulation (BAS) | 31% | 34% |
N=22 current platform usersCTEM delta: +29pp swing from historical to forwardCAASM delta: +10pp swing
Voice of Customer
What current users value, and why churned accounts left.
A representative set spanning current users (high satisfaction) and churned accounts (low satisfaction), selected to illustrate both the deployment fit profile and the primary failure modes.
Current User · Attack Path Differentiation
“It's the simulation of realistic external threats as continuous threats. Very strong in simulating and analyzing lateral movement in the network. Nothing else in our stack does this at this level of depth.”
— CISO, Technology sector
Current User · Multi-Environment Coverage
“The breadth in cybersecurity for mid- to large-enterprise needs in a multi-cloud landscape, unlike a hyperscaler stack that works on one cloud only. That breadth is the differentiator for our environment.”
— Director of Security, Manufacturing sector
Current User · Implementation Reality
“It's very complex to implement. You need a very strong orchestrated configuration initially. That process was a challenge, but the output once fully deployed was worth the investment.”
— Security Architect, Retail sector
Churned Account · Coverage Gap
“They don't have a wide and deep sort of coverage of the actual vulnerabilities: not the same depth as what we moved to. That coverage gap was the primary reason we made the switch.”
— CISO, Healthcare sector
Churned Account · TCO Pressure
“The total cost of ownership and annual increases were becoming too much. We couldn't justify the spend relative to what we were getting at our scale and team size.”
— Director of Security, Finance sector
Strategic Implications
The moat is real, defensible at enterprise scale, and contingent on deployment fit.
Three moves that shape the investment thesis: widening the viable customer profile, closing the CTEM category awareness gap, and protecting enterprise pricing power against incumbent expansion.
01
Build deployment success infrastructure to close the fit gap: the churn pattern is a profile problem, not a product problem.
Current users who successfully deploy report high satisfaction and strong NRR. Churned accounts (low satisfaction, deeply negative NPS) consistently cite implementation complexity and resource requirements. A formalized deployment readiness assessment and expanded professional services capacity would reduce churn risk without requiring product changes. The priority is screening the buyer profile, not re-engineering the product.
02
Accelerate CTEM category re-anchoring to capture the budget shift already underway in the installed base.
Only a minority of current users identify their usage as CTEM, yet a majority expect to increase CTEM budget allocations. Customers are executing CTEM workflows while budgeting under VM/VA or attack surface management categories. Repositioning messaging to anchor on CTEM allows the platform to claim incremental budget that is already being allocated within its own installed base.
03
Protect enterprise pricing power by building the large-account moat rather than expanding downmarket prematurely.
Price tolerance concentrates in the enterprise revenue tier (the large majority of current users). Expanding into organizations without mature security infrastructure accelerates the churn profile seen in past users. Enterprise-focused GTM and pricing should be preserved; any mid-market motion requires a distinct deployment model with lower implementation complexity.
Risk register
| Enterprise platform ecosystem dominance (89% CTEM leadership perception) | HIGH |
| Churned account profile expanding to mid-market without deployment fit controls | HIGH |
| CTEM self-identification gap limiting category budget capture in installed base | MED |
| 6-9 month sales cycles (50%) slowing new logo velocity | MED |
| Vulnerability depth gap vs. established VM incumbents for coverage-first buyers | LOW |