Alex and I built GTM together at Zesty. He ran sales, I ran marketing. We grew revenue from $1M to $25M in two years. After Zesty, we went separate ways: Alex scaled sales at Dataloop, I did fractional CMO work for cybersecurity startups. We kept comparing notes, and we kept landing on the same problem from opposite directions.
On the sales side, outbound response rates were collapsing. Not because the lists were bad or the sequencing was wrong. The messaging was indistinguishable from every other vendor in the inbox. On the marketing side, the same pattern: founders who genuinely believed they were differentiated, with homepages that said the exact same thing as their competitors.
We weren’t sure how widespread the problem was, so we decided to measure it.
The experiment that became a company
We started with AI-SOC, a category we both knew well. There were about 28 vendors at the time, all riding the same tailwind: SOC teams are overwhelmed, AI can automate triage and investigation, analysts should focus on real threats instead of drowning in alerts.
The pitch makes sense. The problem is that every single company was making the same pitch.
We opened their homepages side by side. The hero headlines were interchangeable: “autonomous SOC,” “AI-powered detection and response,” “automate your security operations.” The feature lists were identical: triage, investigate, respond, always in that order. The proof points were the same: “90% alert reduction” and “10x faster MTTR,” almost never attributed to a named customer.
If you swapped the logos, you couldn’t tell which company was which.
This wasn’t a sample of two or three. It was the entire category. So we built a framework to score it: seven dimensions that measure what a homepage actually communicates to a buyer, not what the founder thinks it communicates.
What the data showed us
We’ve now scored 300+ cybersecurity companies. The results were worse than we expected.
The average composite score across the market is 46.5 out of 100. Only two companies broke 75. 58% sit in a band between 25 and 50, what we call the commoditized middle: companies that have a homepage, a product description, maybe some customer logos and a demo CTA, but nothing that would make a buyer choose them over a competitor.
The AI-SOC category, the one that started this whole investigation, actually performs better than average. AI-SOC vendors score 56.0, about 20% above the market mean. They benefit from analyst consensus: Gartner and Forrester have defined the category, which gives vendors a shared vocabulary. When buyers already understand what you are, you can spend your positioning on why you’re different instead of explaining what category you belong to.
Most categories don’t have that luxury. AI Governance has 41 vendors and an average score of 43.8, below the market average, because there’s no agreed-upon definition of what the category even is. Everyone claims “holistic AI governance,” and nobody can differentiate.
The playbook is broken
Here’s what we kept seeing across 300+ companies:
Category clarity is rare. Most cybersecurity startups can’t clearly articulate what category they belong to, or they claim a category that doesn’t match what buyers are searching for. When the buyer can’t place you, you don’t make the shortlist. The companies that score highest are the ones where a buyer can understand what they do and who it’s for within five seconds.
The claims are identical and unproven. Everyone says “90% reduction in alerts.” Almost nobody attributes it to a named customer. The proof gap between top performers and the middle is the widest dimension in our scoring.
Differentiation doesn’t exist. Most homepages could belong to any competitor in the same sub-vertical. The swap test (could a competitor use this exact headline?) fails on the majority of cybersecurity homepages we scored.
These aren’t bad companies. Many of them have strong products, real customers, and genuine technical differentiation. But none of that shows up on the homepage. And the homepage is where buyers form their first impression, build their shortlist, and decide who gets a meeting.
Positioning strategy, never fully executed
As we dug deeper, we found another pattern. The strategy might exist — a positioning framework, messaging pillars, a competitive narrative. Sometimes it’s even good.
The homepage still says what it said six months ago. Sales keeps using the old pitch. The outbound sequences don’t reflect the new positioning. Even when teams try to implement, they hit a translation gap: nobody internally knows how to turn positioning pillars into homepage copy, sales scripts, campaign sequences, and competitive battlecards.
The hard part isn’t figuring out what to say. It’s making sure every touchpoint actually says it. The homepage, the sales deck, the SDR sequences, the analyst briefing, the competitive page. If the positioning lives in a doc that nobody references, it’s not positioning. It’s a file.
What we built instead
Innit Labs started with a thesis: positioning is measurable, the market is underperforming, and the gap between strategy and execution is where most companies lose.
The Positioning Gallery is a scoring system that evaluates how cybersecurity companies position themselves across seven dimensions including category clarity, differentiation, buyer focus, evidence quality, and messaging craftsmanship. It covers 300+ companies and updates as companies change their messaging.
The Gallery is the diagnostic. The engagement is where the work happens. Buyer research, competitive analysis, and market signals feed into a positioning framework, and then that framework gets executed across every touchpoint. Homepage copy, sales deck, outbound sequences, competitive battlecards. Live assets that the sales team can actually use.
We do the research. We build the framework. We build the assets. A strategy that never ships is worth nothing.
The bet
In a market where 58% of companies are invisible, positioning is the highest-impact thing a startup can fix. Not more SDRs. Not more ad spend. Not a new CRM. The foundational question of what you say and who you say it to determines whether a buyer puts you on the shortlist or scrolls past.
Most cybersecurity startups treat positioning as a one-time exercise done during a rebrand. We think it should be a system, continuously measured, calibrated against the market, and executed across every buyer touchpoint.
The gap between good positioning and invisible positioning is measurable, fixable, and worth more than most founders realize.
