The Sins of Security Vendor Research

Nov 12, 25
The Sins of Security Vendor Research

Security vendors produce an incredible portion of the actionable research that drives the cybersecurity industry, shaping how we understand threats, allocate budgets, and define best practices. Too often, though, that research falls into familiar traps.

I highlight these “sins” to build media literacy, not shame vendors. It’s not just about research puritanism either! It’s in your own best interest to avoid these sins, lest you alienate your desired audience.

Disclaimer: I recently moved into a research role. I’m writing this in a personal capacity, and sincerely trying to avoid these sins in my own work.

Sin 1: Fear, Uncertainty, and Doubt

Security marketing still leans too hard on fear. Some research seems written mostly to spook executives into signing purchase orders. Every new campaign is “the most sophisticated ever.” Every vulnerability is a “critical risk.” Sensational statistics, generally presented without crucial context, fall in this camp as well.

But when the takeaway is “be afraid”, and the only solution is “buy our product”, you give up credibility. Good research earns trust by explaining impact and context. If a threat didn’t materialize in the wild, say so. If the fix is basic hygiene, highlight that too.

There is a related offense: Highlighting novelty, ignoring impact. I love clever technical details, but often it just doesn’t matter. Calling out creativity from threat actors is all fine and well, but if it fizzled in the wild that’s the essential detail. Shiny doesn’t mean significant.

I find it hard to trust any vendor I can tell is trying to scare me, and you shouldn’t either.

Sin 2: False Novelty

Not every piece of research needs to be entirely novel, but it should be accurate. Too often, vendors repackage existing work with a fresh headline (and byline). Techniques that were documented years ago get presented as groundbreaking, and sometimes it’s hard to tell whether the work reflects pure ignorance or a desire for attention. Make sure to work in time for a literature review, or at least a quick Google/AI search, early in your process.

If you found a minor new detail, by all means share. But it doesn’t give license to ignore overlap with other work. Showing how you build on (and go beyond) existing research will build your credibility and show your excellence.

Failing to cite prior art isn’t just sloppy, it’s deceptive. It confuses readers. It disrespects the community. It diminishes us all.

There’s also the naming problem. Everything gets a Brand Name now. Naming can clarify when done right, but when it’s done excessively and arbitrarily it adds noise we don’t need.

Interested in getting the most out of security research?
Check out my talk from fwd:cloudsec USA 2025: You Are Not Netflix: How to learn from conference talks

Sin 3: Correlation, not Causation (statistical sins)

Some research connects dots that don’t belong together. A spike in one data source suddenly “proves” a trend. A handful of shared indicators is called attribution. The urge to tell a neat story often wins over the discipline to say “we don’t know.”

Research demands restraint. Assumptions are fine when they’re labeled as such! The problem comes when you present speculation as fact. Readers take these claims at face value, and the landscape gets muddied.

Misattribution is the worst version of this. Not every campaign targeting cryptocurrency was the DPRK.

Sin 4: Selling Out to Marketing

The line between research marketing and Marketing is precarious. Good marketing can effectively amplify research, and good research is a wonderful form of marketing. But it’s essential that as a researcher, editorial discretion remains in your hands. The best vendors let research stand on its own. It’s too easy to miss the mark with bombastic marketing or forced coverage of uninteresting developments.

A solid foundation of technical work empowers marketing. When marketing content couches itself in research’s reputation and brand, credibility erodes.

Balancing marketing and research is challenging, but you’ll lose the most informed part of your audience quickly once you shove marketing into the research RSS feed.

Unfortunately, it would only take a week to see each of these sins demonstrated by industry research teams. Let’s make them rare mistakes. Vendors have the resources and visibility to push content out broadly, but that privilege comes with a responsibility for meaningful, nuanced research.