In this post, I cover:
Why you need to negotiate with your security vendors
A quick overview of the basics of negotiating, with plenty of reference material
A highlight of my top security-specific negotiation strategies
In my last blog, I discussed why vendor pricing is problematic for security teams. One of the reasons I mentioned is that it's hard for the average security lead to negotiate intensely with their vendors, so people end up paying more than they need to. I meant this as a small aside, but several people have reached out with their pains here.
Negotiation is a real problem: there are a few vendors where I have enough of a sample to speak somewhat confidently on pricing practices. One opened its bid for about $2.2 million (my total vendor budget at the time was about 1/3rd of this), then dropped to $700k, $400k, $280k, $230k, $150k, and finally $55k, over several months. I've had a vendor start at $2 million, then drop directly to $200k after a single text message. I know peers at companies roughly the same size as mine, who paid prices all across those ranges. I haven't met anyone paying the initial $2 million, but one or two in the 700-800k range, a sad several in the 400-800k range, and far too many who felt awesome about their 300k deals. These massive swings define our budgets, and happen all the time in security sales.
I try to be evidence-based and first-principled in my blogs, but I can't here: my samples are heavily gated by NDA. So, why you may want to trust me: I'm pretty good at negotiating. Once my procurement or finance teams figure out what I can do, I start getting pulled in to negotiate engineering, IT, and general SaaS contracts. I've read all the same books the salespeople have, and I've practiced across multiple industries.
Your Undefended Social Engineering Threat Actor
Social engineering is the most likely way you're going to get breached. Despite that, it's still underrated as a threat vector. Phishing doesn't get nearly as many resources as its likelihood deserves. Continuing that trend, there is a completely ignored social engineering threat actor: security vendor sales reps.
Your sales rep has spent thousands of hours studying human behavior, learning to sway and influence you to do something in their best interest (give them lots of your employer's money), even if it's not yours. It's their literal job. Many are quite good at it. If you have even a small, vendor-heavy security team, the expected annual loss from overpaying for your security vendors is likely higher than from phishing.
So we need to be in an adversarial mindset. Negotiating can be painful. It's hard, it's awkward, it will make you uncomfortable, it can feel morally icky. But your sales rep is your adversary, as genuinely as the British teenagers are. Every call you're on, every gift card or nice dinner, every single word they say is an attempt to manipulate you. You are nothing but a walking blob of quota to them. We need to fight fire with fire.
If that doesn't convince you, it's a way to practice for your next job negotiation. You can also use it outside of work; a surprising percentage of goods and services are negotiable. It's a wonderful feeling to talk down your plumber by 40% while you're both standing over your overflowing sewage line.[1]
Note: I'm friends with several salespeople; I don't hate them personally. Don't hate the player, hate the game. Salespeople are good hangs at pubs, and they hide their horns and tails well.
Fundamentals
This is not meant to be a general negotiation article. There are plenty of books for this: Influence: The Psychology of Persuasion, Never Split the Difference, The Art of Negotiating the Best Deal. The late, great Ross Anderson includes a good summary while discussing threat actors in his Psychology chapter from Security Engineering (free download).
There are a few strategies that are useful to list here, from Cialdini and Anderson:
Reciprocity: most people feel the need to return favors
Commitment and Consistency: people suffer cognitive dissonance if they feel they’re being inconsistent
Social Proof & Herding: most people want the approval of others. This means following others in a group of which they’re a member
Liking: most people want to do what a good-looking or otherwise likeable person asks.
Authority: most people are deferential to authority figures
Scarcity & Time Pressure: we’re afraid of missing out. If something we might want could suddenly become unavailable, people act viscerally rather than stop to think
Need and Greed: sales trainers tell us we should find what someone really wants and then show them how to get it. A good fraudster can help the mark dream and use this to milk them.
Negotiating in the Security Space
Get Competitive Bids
The easiest thing you can do, that doesn't involve any awkward psychology, is to always get competitive bids. It doesn't have to be that many; you only need two offers to get a bidding war going. That said, you don't want to weed out too many vendors early on. I've priced myself down to 1-2 options early in an eval cycle when I shouldn't have. You want to make yourself the scarce resource, not the vendor (Scarcity).
When getting that bidding war going, tell each bidder you have strong offers from their competitors, especially the ones they dislike. You can see who dislikes who (and who spends more of your SaaS fee on advertising) by who gets in bidding wars for ads for a product type:

Or who buys ads on their competitor's search terms:

The competitors a vendor will buy against are the ones they think they can win against, and that their GTM teams are the most competitive about. Pay attention to market dynamics: the up-and-coming startup will usually be more intense about beating the big incumbent, and companies that start at similar times in a new product category will be more intense about each other.
Salespeople are insanely competitive; they want to get rich by winning, and you can use that against them. They will care a lot more about being beaten on price by their arch-rival than some random vendor they barely know (Need and Greed). Say that whatever your lowest bid is (or just the number you want to pay) came from that competitor. Push for best-and-final offers from all vendors, then text the rep of the vendor you want that someone else came in lower, but if they get you a better offer before Monday they’ll probably win. This makes you scarce since they’re about to lose the deal, and they think you helped them (Reciprocity).
Value-Negging
For a vendor to extract value, they first need to demonstrate it. That way it makes sense that you pay them for some of that value (Consistency, Reciprocity). You can usually tell if a vendor prices themselves in value-extractive ways if your sales rep says something about wanting to “show you the value" or "prove their value to you". They want to convince you that they're providing $3 million in security value, so it feels like a steal for you to pay them $1 million. This leaves reps vulnerable to one of my favorite tactics: value negging. Since their entire mindset depends on showing you value and extracting it, you can hack that flow by convincing them that they're providing as little value as possible. They'll try to extract less!
Say you can build it. This is a key point of my last post: having more technical security engineers who can build an internal version of the product you're buying helps you negotiate down, as you get to turn the value they deliver from securing your stack to saving an engineer a few months of dev time. This is easier when you actually have those technical people, but not required. The vendor isn't going to know what your team can do. You can pretend!
Whatever flavor of vendor they are, say you want a different one, so they feel like they need to compete more on price. If they're best-in-class with lots of fancy features to get them on top of the Gartner Mystical Quadrangle, focus all your discussions on the core features every product in the space has. When talking to a less-featured, cheaper vendor in the space, spend most of your time talking about the cool features they don't have. They’ll push their price even lower to compensate.
Go to External Constraints
A classic tactic in sales is the external party. A car salesman has to check a price with his manager, so he goes into the manager’s office, they spend 5 minutes talking about fantasy football, and then the salesman comes out and says he fought for you but unfortunately, couldn't get the price down. This happens in B2B software too: your rep does the same thing, subbing in their VP or finance as the blocker. In all cases, it's a fake constraint, meant to make you feel connected to the sales rep (Liking), that it's both of you against the external constraint (Authority), and that nothing can be done about their angry, forceful ways. This reaction is so natural in humans that you can do the same thing to the sales rep. Create your own fake external constraints. These can be people, processes, or immovable factors.
The obvious one is budget, and since this is usually strict, your rep will try to figure out what yours is early on. Just as you never want to open with the salary number you'd accept in a job interview, you also want to be coy here. Once you’ve already done a few rounds of negotiations, then introduce a budget from your CEO or CTO. Work them down to this new budget. Then, in the 11th hour, as you're looking over the final contract and the rep is already planning the 9-way parlays on DraftKings he's going to blow his commission on, say you lost some vendor budget, for reasons, and you can’t afford the prior amount anymore. You can get another discount here, especially if your rep has already made those losing parlays.
The opinions of non-technical stakeholders, like your boss or procurement team, are great constraints. Your boss could be super into the hip new vendor Wiz Google if you're talking to Palo Alto, or be a repeat Palo Alto buyer you need to sway if you're talking to Wiz Google. Security vendors often look like cheaper, non-security vendors, so if you're negotiating with, say, a security orchestration automation and response (SOAR) vendor, say your procurement team doesn't understand what the difference between SOAR and Zapier is[2], and they want to see more similar pricing. These objections don't need to be correct, just vaguely plausible.
You can also use technical stakeholder opinions as constraints. Salespeople expect engineers to be ornery. Use that. Have engineers get on calls, and be intense. Full Linus Torvalds blowing up on perfectly well-meaning devs on the Linux kernel mailing list intense. Prepare technical questions for your engineers to ask, that you know the vendor will struggle with, especially ones their competitors may do better at. Have your engineers grunt disapprovingly. After, text your rep something about that not going well and the engineers not being fans. He'll be on the back foot, he'll fight to save the deal.
Pressure Them
It's surprisingly easy to pressure your sales rep. All their knowledge of human behavior is no match for just how fucking stressful their lives are. They live on clear, quantified quotas. If they make too little in sales in a quarter or year, their pay will suck, or worse, they'll be replaced with another quantified cog in the sales machine. If you've worked with your sales team on security reviews or contract redlines in the closing days of the quarter, you know this well. They are wound up. I often feel like the golden retriever soothing their anxious cheetah energy, though much less adorably than in real life:
So, when buying, you should do your best to stress them out as much as possible. Make sure you're buying towards the end of the quarter (Time Pressure). If they haven't made quota yet, they'll be very engaged in landing you for cheap (so will their whole company, if they haven't hit revenue targets).
Take time on the deal. Get them to invest as much as you can into it; the more time they spend dealing with you, the less time they spend with other deals. Run a full proof-of-value. Go to their expensive vendor events, take their dinners and free stuff. You're trying to increase their cost of acquiring you as a customer. The more they invest in you, the more they need to close the deal to justify those sunk costs. They'll accept lower-than-desired margins so that time and effort won't have been wasted.
Give Hope
To make up for all that pressure, you need to give hope. Hope will keep people in one-sided, unhealthy situations for far too long. Just ask fans of the Dallas Cowboys, Toronto Maple Leafs, New York Mets, Philadelphia 76ers, or Tottenham Hotspur.
So when you aren't value-negging, act excited about the deal and vendor. Be genuinely pleasant on calls. Make them think that you will do the deal, they just need to close that one last hurdle. This time it really is the last thing to solve before you buy.
Be excited and optimistic about the other products they sell that you aren't currently buying, or about some potential future use case that will massively increase your bill if this current engagement goes well. This is called a land-and-expand deal, and these are straight crack to them. They’ll spend ludicrous amounts of time on relatively small deals with huge companies, agreeing to silly terms, hoping it will pay off later with a big expansion.[3]
You can offer to be referenceable. This can be as small as having your logo on their site, or as big as being involved in their prospect/customer events as a passionate promoter of their product. This works best when you work for a company the vendor wants to be associated with. I get better deals at the big sexy SaaS companies I've worked for than I did at small startups. This also works better when you sound passionate about the product and can express this eloquently. They'll want to put you in front of prospects, and they do factor that into how much they charge you.
Handling Urgency
A potential issue with these strategies is that security purchases can be rather urgent. You don’t have time to do all of these clever negotiation tactics if you desperately need to plug a hole to avoid attack, or if you are frantically spending the silly amounts of money your board has finally given you to cover ass after a previous breach. In these cases, you need to spend as quickly as possible, and it’s just not worth spending several months to save another 10% on the bill. I get that, and unfortunately, so do all of our security vendor friends, who will play that up to get you to sign more quickly and pay more (Time Pressure).
Yes, these tactics work better when you can approach things leisurely, but almost all of them still work very well even when frantically applied (the one that doesn’t is buying end of quarter/fiscal year):
You can still quickly do a competitive bid. Probably across fewer vendors, to save time, and escalate how quickly you push them to make offers against each other.
You can still value neg. A specific, urgent need lets you frame their product on how it specifically solves that need, ignoring their other features and removing them from the value you’re paying for. While you can’t threaten to build their entire product on your urgent timeline, you can threaten to build the minimal thing that solves your problem, and claim that that’s faster than dealing with getting their crazy prices through procurement.
You can still use external constraints, and urgency can even enhance this. Your boss can still be a repeat Palo Alto buyer, who is now very motivated to buy the thing they know, so Wiz Google needs to come down even more to overcome that feeling of safety.
You can still pressure them. While your security urgency adds time pressure to you, it also adds time pressure on the vendor. If you need to roll something out in 2 weeks, they have to move fast, be very helpful, and get good offers approved, because they know you may pick a competitor and their opportunity is lost forever.
You can still give hope. You have an urgent problem to solve, and if they help you solve that problem cheaply to land a deal now, you’ll be very appreciative and excited to explore their other products when you have a chance to breathe.
So, no, urgency is not an excuse to avoid negotiating. You can always get a better deal, even from the plumber while you both watch your basement fill with sewage.
Good Luck Out There
When I first circulated drafts of this, I got asked: "Well, if you're putting all of your negotiation tactics in a blog attached to your real name, won't every vendor you talk to read this and know what you're doing?" I don't think so. While reps trying to sell me something represented a depressing percentage of my early subscribers[4], I don't think many actually read it[5].
More importantly, the power of all these strategies is that they still work even when you know they're happening to you. That's the power of our flawed psychology, and it’s why this post is about things you can do to them, rather than defensive strategies to prevent their manipulations. Defense is much harder! Our stupid spongey brains are too fallible. It's far easier to manipulate them back.
So, friends, read the negotiation books, use these strategies, and hack back against these social engineering menaces. It is the highest return on time spent you can ever get. This was just the highlights of my personal list, so please share your own strategies if you have some I missed. If we negotiate well enough, maybe our sales vendor friends will give up and give us fair, transparent, mutually beneficial pricing upfront, and we can avoid all of this? Certainly not, but we can dream.
Footnotes
[1] It was distressingly recent that I realized I could do this, that I could negotiate with contractors in person and not just software vendors via Zoom.
[2] I also have little idea what the difference is between SOAR and Zapier, and I don’t understand how one costs $2k and the other $200k.
[3] Banks. It’s always banks. Every CISO you talk to will have horror stories about bank deals because of overly optimistic folks in their sales organization.
[4] I have a maturity model of subscriber cohorts, lower being less mature: 1. My wife 2. My parents 3. Sales reps trying to sell me things 4. Actual people, bless you all.
[5] Many tried to use my last blog complaining about crazy security vendor prices to try and get me on a demo.
I’d love to see a follow-up piece about renewals. Because let’s say you both know you overpaid, but sunk costs and switching costs are real.
This was a fantastic read—full of sharp, real-world insight.
Framing security vendor reps as underrecognized social engineering threats really resonated.
One additional thought: when the same person manages vendor relationships over long periods without rotation, it can erode negotiation leverage. Internal role rotation and checks might be just as important as negotiation tactics themselves.
Thanks for sharing such a valuable perspective. Definitely passing this along to my team.