Seth Knox is a seasoned marketing executive with a proven track record in shaping high-impact marketing organizations for fast-growing cybersecurity and enterprise software startups including Agari, Sygate, and Fortanix.
A strong analyst relations program can be a powerful business accelerator for a cybersecurity startup. That’s especially true with Gartner, the largest and most influential tech industry analyst firm. Favorable coverage in a Gartner report can help young companies get startup funding at higher valuations, increase customer consideration, speed growth, and ultimately boost the odds of a successful exit.
That’s why early-stage cybersecurity CEOs and founders often investigate how to effectively leverage Gartner. In this blog, I draw on my experiences as a cybersecurity executive and advisor to offer them guidance on two key priorities:
- Getting your Gartner category strategy right
- Gaining early visibility as a Gartner Cool Vendor
Commentary by three former Gartner analysts—Dr. Anton Chuvakin, David Mahdi, and Richard Stiennon—offers insight into how best to navigate the firm’s inner workings. Click any topic to jump to that section.
Why the Categories in Gartner Reports Matter
Gartner organizes its market research and analysis reports by industry category, from emerging to established technologies. Many enterprise buyers rely on these reports to inform their product evaluation process and often shortlist the vendors listed within them by default.
Gartner market research reports can also play a key role in influencing cybersecurity investments. The category a cybersecurity startup chooses will determine the context in which its product is discussed, the criteria by which it is evaluated, the customer and investor personas who research it, and the way it is measured against competitors.
As an early-stage cybersecurity CEO or founder, you have several ways to approach your choice of category. As you weigh your options, review the Gartner reports in the categories you are considering to understand how they are defined and viewed by the firm. If you are a Gartner client, you can also schedule inquiries with their authors to ask how they see these categories evolving.
Thinking of Creating a New Cybersecurity Category?
When your company vision and product are especially innovative, it can be tempting to feel that you’ve pioneered a new category of cybersecurity solutions—and to expect Gartner to agree. However, be very wary of this temptation because creating a new category can be a self-defeating strategy. The categories in Gartner reports reflect not the preferences of vendors, but rather marketplace realities. A new category will not be recognized until it encompasses multiple vendors, each with numerous customers in production, generating hundreds of millions of dollars in annual recurring revenue (ARR). Along the way, the required evangelism can burn through considerable time and money that could be better spent elsewhere.
Former Gartner cybersecurity analyst Dr. Anton Chuvakin offers this simple guidance for companies thinking of creating a new cybersecurity category: “Don’t! While there are notable [and very rare] exceptions to this rule [EDR anybody?], in most cases vendor-led category creation is a risky, complicated, excessively costly, and often utterly unnecessary endeavor.”
“In most cases vendor-led category creation is a risky, complicated, excessively costly, and often utterly unnecessary endeavor.” – Former Gartner Cybersecurity Analyst Dr. Anton Chuvakin
Another former Gartner cybersecurity analyst, Richard Stiennon, adds, “There is a category-selection process that is much more important than what Gartner thinks. And that is the line item in the budget of the customer. If you go through the process of creating a new category first, you have to convince the analysts, your prospects, and customers that you have something new. Then, you have to get it in the budget and the purchase cycle begins, which could mean 24 months before you make a sale in your new category.”
What if there is no clear category fit for your product? Chuvakin points out that, “In the situation when there’s no category, an analyst may think that there’s no market need.” A mentee recently came to Chuvakin for perspective on this dilemma. “I told them there’s this other category that Gartner is thinking about, and I think you fit two-thirds into that, and that I’d rather have a ‘round peg in a square hole’ situation than no hole. So, I’ve given them advice to adjust the story, adjust the tech, and largely fit into this bucket even though it’s not a perfect fit.”
Instead of trying to create a category, evaluate the existing categories of cybersecurity solutions that closely map to your capabilities, then either choose an emerging category whose evolution aligns with your roadmap, position yourself as its next generation, or advocate for the consolidation of several categories into a single platform. I expand on each of these strategies below.
Category Strategy 1 – Align with an Emerging Cybersecurity Category on the Rise
The sweet spot for an early-stage cybersecurity startup is the Innovation Trigger section of a Gartner Hype Cycle. Ideally, your category should appear in the Priority Matrix with the highest benefit rankings and shortest time to mainstream adoption, though you have limited control over this. The category should also align with your existing product capabilities and vision for its future state.
| CASE STUDY: GEM SECURITY |
| This strategy is at work in the emergence of the cloud investigation and response automation (CIRA) category, an evolution of incident response with close relationships to the EDR/XDR, SIEM, and SOAR categories. CIRA was born of the need for emerging technologies to expand investigations, forensics, and automated response capabilities for cloud assets and artifacts across multiple cloud-based providers and types of resources.
Gartner first published a Gartner Emerging Tech report on CIRA in June 2023, naming more than a dozen sample vendors including Gem Security, a relatively early-stage company with Series A startup funding. A month later, the category was featured in the Innovation Trigger section of the Gartner Hype Cycle for Workload and Network Security. In October of the same year, Gem Security was a Cool Vendor for the Modern Security Operations Center. Finally, in March 2024—less than a year after Gartner’s initial definition of the CIRA category—Gem Security was acquired at a premium valuation by Wiz for $350 million. |
Category Strategy 2 – Position Your Business as the Next Generation of an Existing Category
Cybersecurity categories go through lifecycles of creation and maturation punctuated by transformation. An established category can undergo a major shift as changes in the market and technology usher in a new generation of vendors and products that address its use cases in different ways. That approach then becomes dominant, and the cycle continues.
| CASE STUDY: AGARI |
| While I was at Agari, an email security vendor in Gartner’s secure email gateways (SEGs) category, we focused on using malware signatures and antivirus techniques. By the late 2010s, with the growing adoption of Microsoft Office 365 and G Suite (now Google Workspace) cloud email platforms, the threat landscape shifted toward social engineering and zero-day attacks that evaded SEGs. As the category grew obsolete—leading to its retirement by Gartner in 2019—we executed a positioning pivot to place Agari at the vanguard of a new wave of email security platforms that used API access and emerging technologies and detection techniques such as AI/ML to provide advanced email threat protection. |
Category Strategy 3 – Advocate to Consolidate Multiple Cybersecurity Categories into One
Some cybersecurity categories share technical synergies that allow them to be grouped together as a platform. This dovetails with the preference of buyers to get as many security controls as they can from as few vendors as possible. For cybersecurity startups with strength across multiple categories, a good strategy is to advocate that Gartner adopt a platform definition.
| CASE STUDY: SYGATE |
| In the early 2000s, I worked at an endpoint security company called Sygate. At the time, Gartner reports had covered host intrusion detection/prevention, antivirus, and personal firewall categories separately. A new customer requirement emerged, meanwhile, to prevent insecure endpoints from accessing corporate networks, a solution type that came to be known as network access control (NAC) and today is part of Zero Trust.
Sygate made a case for Gartner to combine these categories by sharing deployment data and arranging for Gartner analysts to talk to our customers about the convergence that was underway. Gartner ended up creating the new category of endpoint security, with Sygate as the top-ranked vendor in its inaugural Gartner Magic Quadrant. Sygate was subsequently acquired by Symantec, which had been a lower-ranked vendor in that report. |
The same dynamic, however, can also work to the disadvantage of startups; Richard Stiennon cautions that you should make contingency plans if the cybersecurity category you select is consolidated into a broader category with platform vendors. “If you have a unique product, watch out because the platform vendors in your space are going to see what you’re doing. If it works, if it’s good, they’ll just incorporate it as a feature.”
If You Do Need to Create a New Cybersecurity Category
To reiterate, think carefully about whether a new category of cybersecurity solutions is truly necessary. If you decide that it is, analyst firms want real-world evidence. As a lead Gartner data security analyst, David Mahdi was involved in the launch of several new cybersecurity categories during his tenure. “Gartner needs proof … it’s not enough that you have some product that’s been built and you have a great demo. When shown new tech, the first question I would ask is, do you have this deployed? And what use cases are you solving,” said Mahdi.
| CASE STUDY: FORTANIX |
| When I was at Fortanix, we successfully pursued a dual strategy of positioning ourselves as a next-generation vendor in existing data security categories while influencing the creation of a new confidential computing category of cybersecurity solutions. As part of the strategy, early vendors in the space including Fortanix created the Confidential Computing Consortium (CCC) along with Intel, Google, Microsoft, and Red Hat. Our evangelism included vendor-neutral educational content as well as joint briefings with Gartner analysts on definitions, terminology, and customer deployments. Gartner ultimately incorporated confidential computing into its Data Security Gartner Hype Cycle with Fortanix as a sample vendor and named us a Cool Vendor as well. |
To provide that all-important proof for a new category, I often send inquiries to Gartner analysts asking if they want to be connected with customers on specific topics. I’ve also submitted case studies for document reviews with the analyst I’m trying to convince as a way to deepen their familiarity with both the technology and its real-world impact.
Becoming a Gartner Cool Vendor in Your Category
Once you choose your category, your next objective is to secure a coveted Gartner Cool Vendor designation, a validation of your potential to offer unique, market-disrupting solutions for critical business challenges. Being associated with an existing “cool” category can help. In fact, an early-stage cybersecurity company whose category is in the Innovation Trigger stage of a Gartner Hype Cycle has a reasonable chance of being featured in a Gartner Cool Vendor report within a year if it goes about things the right way.
While positive coverage in any Gartner report can pay significant dividends, Cool Vendor is an ideal target for cybersecurity startups. It requires less effort and is achievable much sooner than other Gartner reports such as Gartner Magic Quadrant or Gartner Market Guide. Gartner Cool Vendor reports are also published more frequently, offering selection opportunities twice yearly, and have a much lower bar in terms of revenue and customer requirements. As Anton Chuvakin notes, “The Cool Vendor nomination is a lot more about the analysts’ collective opinions rather than a ‘scientific’ scoring methodology.”
“The Cool Vendor nomination is a lot more about the analysts’ collective opinions rather than a ‘scientific’ scoring methodology.” – Former Gartner Analyst Dr. Anton Chuvakin
Offering insights into emerging technologies and industry trends, Cool Vendor reports are used by both investors and buyers to identify niche players with the potential to drive significant business value or lead emerging categories. I’ve personally seen the benefits of receiving a Cool Vendor designation at four of my previous companies, including closing series B/C rounds at a higher startup valuation, getting shortlisted by large customers, and helping sales close deals.
It’s important to note that a company can be selected as a Gartner Cool Vendor only once—but that one time can make all the difference.
How the Cool Vendor Selection Process Works
There are three requirements for a company to be named a Gartner Cool Vendor:
- Its solution must be unique.
- It must address a real-world business challenge.
- It must do so in a way that can disrupt a market.
Each Gartner Cool Vendor report covers from three to five companies within a single category. Any analyst can nominate any early-stage vendor for consideration, and multiple analysts can submit the same vendor, which helps the candidacy. While nominees are not required to be Gartner clients, it is rare for a nonclient to be selected.
David Mahdi, who nominated a dozen cybersecurity companies for Cool Vendor during his time at the firm, explained the process. When analysts have briefings from early-stage vendors, they take note of the particularly interesting ones so they are ready with a list of potential nominees when the Cool Vendor call for papers comes around.
When analysts have briefings from early-stage vendors, they take note of the particularly interesting ones so they are ready with a list of potential Cool Vendor nominees.
Making that kind of impression with specific Gartner analysts and helping them make a case for your selection is the key to Cool Vendor success.
Cool Vendor Tip 1 – Figure Out Why You’re Cool and Tell the Right Analysts
If you can’t clearly articulate why your company is “cool,” you can’t expect Gartner analysts, who talk with hundreds of vendors with cybersecurity solutions, to figure it out for you. As a starting point for your campaign, try writing your own “Why Cool” paragraph as you think it should appear in the Gartner Cool Vendor report. Explain how your solution meets each of the three selection criteria—uniqueness, real-world business value, and disruptive potential.
Next, identify the analysts who author Gartner reports in your category and appear likely to agree with your approach. Use all of the tools and mechanisms Gartner offers to engage with these analysts, including briefings, inquiries, document reviews, emails, face-to-face meetings at Gartner conferences, and SAS days (if you can afford them) to reinforce the story you’ve built about why you’re cool.
Cool Vendor Tip 2 – Develop One or More Gartner Analyst Champions
For a Gartner analyst, making a Cool Vendor nomination means more than throwing a name into a hat. As part of the selection process, they actively make a case to their peers that this company stands out from all the other cybersecurity innovations on the list. To commit to that kind of effort, they need to be fully convinced and inspired by the unique value of your solution.
“Having a Gartner analyst champion specifically is a hard must,” says Anton Chuvakin. “Without this, the Cool Vendor process won’t work for you. Unless one or more analysts are genuinely impressed by your tech and what you do for clients, this won’t work!”
To find your champion or champions, pay close attention to the questions and comments of the analysts with whom you’re doing inquiries and briefings. Target those who show the most enthusiasm and increase the cadence of inquiries, briefings, and information you communicate to them about your business. In parallel, research all the Gartner Cool Vendor reports in your category and which analysts authored them. Some analysts tend to be more active and better at the Cool Vendor process than others.
“Having a Gartner analyst champion specifically is a hard must.” – Former Gartner Analyst Dr. Anton Chuvakin
When you’ve found your Gartner champions, it’s perfectly appropriate to ask explicitly for a Cool Vendor nomination. If you can, time the request after you’ve shown them something particularly impressive or had a big customer win. Once they’re on board, ask them what kind of information you can provide to help them make a strong submission. It’s also worth asking if there are other analysts they would recommend approaching about submitting your name.
Cool Vendor Tip 3 – Arm Your Champion with Ample Information
“Give your analysts as much information as possible,” recommends Dave Mahdi. “Don’t be shy. Share as much as possible, because they have to fill a form. If the form looks anemic, the probability of you getting picked is very low.”
As some analysts may be more open than others about sharing details of their submission, your best bet is to be proactive in offering ample information about your company, revenue, employee count, product, customers, and strategic partnerships, as well as data on the cybersecurity industry trends supporting your approach.
“Give your analysts as much information as possible. Don’t be shy.” – Former Gartner Lead Data Security Analyst David Mahdi
Document reviews play a valuable role at this stage. Gartner includes an unlimited number of document reviews (within reason) with its standard client contract at no additional cost. By scheduling an inquiry session to receive detailed feedback on internally produced content relevant to your candidacy, you can guarantee that the analyst engages more deeply with your differentiators and validation.
Cool Vendor Tip 4 – Keep Trying
There are many Cool Vendor submissions during each cohort and the competition can be intense. If you aren’t selected on your first try, stay engaged with your champions to encourage them to resubmit you for the next round. Ask them what additional or updated information might make your submission stronger and try to provide them with the resources to get you over the finish line. You can also try to get a different analyst to nominate you if you think they would be a better advocate.
As the top market research and analysis firm in the tech industry, Gartner wields tremendous influence among both buyers and investors. By developing the right strategy for your early-stage cybersecurity company and executing it effectively, you can position yourself at the forefront of your category—and accelerate your path to industry leadership.
More about the author: Seth Knox is a seasoned marketing executive with a proven track record in shaping high-impact marketing organizations for fast-growing cybersecurity and enterprise software startups. As the founder of Acceleration Marketing Group, Seth is dedicated to helping early-stage cybersecurity companies devise and implement marketing strategies that drive explosive growth.
