# Template for Planning a Strategy for a New Cybersecurity Product

[This template helps security product managers and startup founders organize their product strategy. It presents strategic questions from the [security product creation framework](https://zeltser.com/security-product-creation-framework), structured as a document you can fill out with your team. The text in square brackets is meant to guide you; remove it and replace it with your content when filling out the template.]

[Each table includes an Evidence column. Note there whether your answer is based on customer conversations, market data, team experience, or untested assumptions. Distinguishing what you know from what you believe helps you prioritize what to validate next.]

[Use this space for an executive summary that captures your perspective on the product strategy based on the answers to the questions below.]

## Strategic Market Segmentation

[Different customer types have distinct security needs. Segmenting your market by geography, industry, and size helps you prioritize where to compete first.]

| Question | Answer | Evidence |
|----------|--------|----------|
| Which geographic, industry, and size-based segments will we target first? | [Geographic segmentation recognizes that requirements differ across regions. Industry segmentation groups customers by vertical where the need is acute. Size-based segmentation considers devices, employees, or workloads needing protection.] | [Validated, informed assumption, or untested?] |
| How do security needs and price expectations differ across those segments? | [Smaller businesses have different security needs and price expectations than enterprises. Understanding these differences determines product positioning and pricing strategy.] | [Validated, informed assumption, or untested?] |
| Does our expected deal size support the sales force needed to reach those customers? | [The expected deal size affects whether you can build and motivate a sales force. Reaching consumers and smaller clients is especially costly with a direct sales force.] | [Validated, informed assumption, or untested?] |
| Which personas will evaluate, champion, and use our product, and how do their priorities differ? | [A CISO evaluates risk reduction and vendor trust differently than a security engineer assessing daily workflow fit. Both differ from a developer evaluating friction in a deployment pipeline.] | [Validated, informed assumption, or untested?] |
| How will we reach prospective customers in each market segment? | [Consider whether your current channels can access your target segments. Different segments may require different outreach strategies, partnerships, or community presence.] | [Validated, informed assumption, or untested?] |

## Product Capabilities

[Once you understand the customers your product will target, dig deeper into their needs and map them to the product's capabilities.]

### AI and Data Advantages

[If your product incorporates AI, consider what specific advantages it offers over rule-based detection and how durable those advantages are.]

| Question | Answer | Evidence |
|----------|--------|----------|
| How does our AI advantage hold up if a frontier model vendor adds similar capabilities? | [Think about a scenario in which a company offering a frontier AI model adds capabilities similar to your solution. Make sure you provide unique value even in that scenario. Understand your cost structure if you depend on third-party AI models. Consider what percentage of your value proposition survives if that happens. The most durable advantage is often workflow integration and proprietary operational data, not the AI model itself.] | [Validated, informed assumption, or untested?] |
| What proprietary data can we accumulate that others will find difficult to replicate? | [The most durable AI advantage often comes from proprietary data that frontier model vendors lack, such as labeled threat datasets, curated detection rules, and validated ground truth. A growing customer base can create network effects if your architecture supports learning across customers. Be honest about whether your data advantage compounds or plateaus; early data advantages can exhibit diminishing returns. Data that is automatically captured through customer usage, environment-specific, and validated by incident outcomes is more defensible than data assembled from public threat feeds.] | [Validated, informed assumption, or untested?] |

### Designing for AI Agents

[Your product's users will likely include AI agents, not just people. Design APIs and automation interfaces accordingly.]

| Question | Answer | Evidence |
|----------|--------|----------|
| Can AI agents interact with our product as effectively as human analysts? | [Design APIs and automation interfaces so agents can interact with your product effectively. Consider the role your product will play in automated workflows.] | [Validated, informed assumption, or untested?] |
| How will agents authenticate, and how will customers govern what they can do? | [Most vendors today rely on API keys or service account tokens that struggle with granular scoping and audit trails. Getting ahead of this challenge can differentiate your product. Agent users also affect your pricing model. Enterprise buyers increasingly expect audit trails of agent actions, rollback capabilities for automated decisions, and controls that let customers define what agents can do autonomously versus what requires human approval.] | [Validated, informed assumption, or untested?] |

### Competitive Positioning

[If you've spotted a customer need, others may be racing to address it. Understand who your competitors are and be realistic about your moat.]

| Question | Answer | Evidence |
|----------|--------|----------|
| What specific pain points does our product address that current solutions miss? | [Think beyond generic security requirements. Be specific about which gaps exist in products currently available to relieve infosec-related pain points.] | [Validated, informed assumption, or untested?] |
| Where does a competitor offer more value, and where do we have an advantage? | [Be realistic about your moat. Your differentiation might lie in expertise, product capabilities, or go-to-market abilities. Decide whether you have the resources to close gaps or should focus where you'll prevail.] | [Validated, informed assumption, or untested?] |

### Category Creation

[Answer these questions if you are considering creating a new product category rather than positioning within an existing one. Category creation is attractive but rare in practice, and carries costs that category participants avoid.]

| Question | Answer | Evidence |
|----------|--------|----------|
| Is the problem genuinely unserved by existing categories, or can we position within an adjacent one? | [Most startups that claim to be creating a new category are solving a real problem that fits within an existing one. Recognizing that fit is a strategic advantage, not a concession.] | [Validated, informed assumption, or untested?] |
| Can our target buyer explain this category to someone who has never heard of it? | [If buyers cannot explain the category to their boss, they cannot get budget for it. Category creation carries the cost of teaching the market the problem exists before you can sell the solution.] | [Validated, informed assumption, or untested?] |
| What happens when a platform vendor adopts our category name and bundles a competing capability? | [Once you have invested in market education, a larger vendor with broader distribution can adopt your category name and outspend you on awareness. The creator does not necessarily win the category they defined.] | [Validated, informed assumption, or untested?] |

### Minimum Viable Product and Build Decisions

[Enterprise security buyers are usually risk-averse about immature products. Determine the smallest feature set that will attract your first customers.]

| Question | Answer | Evidence |
|----------|--------|----------|
| What is the smallest feature set that will attract our initial customers? | [An MVP that works for a design partner may still feel too raw for formal procurement. Consider what enterprise buyers need to feel confident in your product.] | [Validated, informed assumption, or untested?] |
| Which capabilities will we build ourselves, and where will we integrate or partner? | [Focus engineering resources on capabilities that differentiate your solution. For example, you might consider integrating with established providers for commodity functions such as authentication or log ingestion.] | [Validated, informed assumption, or untested?] |

## Sales Engagement and Go-To-Market

[Your decisions on market segmentation and product capabilities must account for your sales force's reach, expertise, and motivations.]

### Direct Sales and Channel Strategy

[Consider whether you can reach prospective customers directly through your company's sales force, or whether a channel partner is more effective.]

| Question | Answer | Evidence |
|----------|--------|----------|
| Where has our sales team gained traction, and what drove those wins? | [Understanding past traction helps identify repeatable sales patterns. Consider what security knowledge your salespeople should possess and whether to pair less specialized reps with technical sales engineers.] | [Validated, informed assumption, or untested?] |
| Can we reach customers directly, or is a channel partner more effective for our deal size? | [Building and managing a large sales organization for numerous small deals is a significant operational challenge. A reseller channel may be more effective for reaching consumers and smaller clients.] | [Validated, informed assumption, or untested?] |

### Bottom-Up Adoption and Open Source

[Not all security products reach customers through a traditional sales team. Some gain their first foothold through free tiers or open-source components.]

| Question | Answer | Evidence |
|----------|--------|----------|
| Does a bottom-up adoption model fit our solution, and how will we measure organic usage? | [Some products gain their first foothold when an individual user signs up for a free tier or deploys an open-source component. Measure adoption using usage-oriented metrics such as active integrations or API calls.] | [Validated, informed assumption, or untested?] |
| If we open-source a component, what will we keep proprietary to sustain monetization? | [Open-sourcing can accelerate adoption, but giving away too much undermines monetization. Give away too little and the open-source project won't attract the community you need.] | [Validated, informed assumption, or untested?] |

### Design Partners and Proof of Concept

[Even before your product formally enters the world, there is much to learn from discussions with prospective customers.]

| Question | Answer | Evidence |
|----------|--------|----------|
| What objections or concerns have prospects raised about our product ideas? | [Discussions with prospective customers validate assumptions regarding market segmentation and desired features. They also help identify early adopters willing to test early versions.] | [Validated, informed assumption, or untested?] |
| How will we structure POCs to demonstrate differentiated value within a defined timeframe? | [Define success criteria upfront with the prospect and time-box the evaluation. Ensure the POC tests your differentiated capabilities rather than generic features competitors also offer.] | [Validated, informed assumption, or untested?] |

## The Pricing Model

[Pricing your product correctly is as essential as having the right set of features and reaching customers through a skilled sales force.]

| Question | Answer | Evidence |
|----------|--------|----------|
| Does our pricing model reward customers when our product reduces their risk? | [Consider whether consumption-based pricing aligns better with customer value than seat-based models. If your solution reduces security incidents, ensure your pricing model doesn't penalize that outcome through reduced usage fees.] | [Validated, informed assumption, or untested?] |
| How will customers predict and control their costs, especially during incidents? | [Consumption pricing requires careful design. Consider implementing cost-spike protections during incident response periods to maintain customer trust when they need your product most.] | [Validated, informed assumption, or untested?] |
| Are we pricing based on customer-perceived value, not just our costs? | [The marginal cost of your software might be minimal, but if the product addresses a significant pain point in a unique way, customers may pay substantially more. Your sales team needs maturity to position product benefits.] | [Validated, informed assumption, or untested?] |
| Does our pricing structure support sales compensation that motivates our team? | [Watch for mismatches in subscription products where the salesperson's goals focus on quarterly targets while commission trickles in gradually over years.] | [Validated, informed assumption, or untested?] |
| How does our pricing model work when AI agents, not just people, are consuming our product? | [AI agents don't use seats or log in through portals. If customers meter agent workflows by API call volume or automated actions, your pricing model needs to accommodate usage patterns that differ from human users. Consider whether your value metric still aligns with customer value when the "user" is software acting autonomously.] | [Validated, informed assumption, or untested?] |
| How will we retain existing customers and expand within their accounts over time? | [Retaining and expanding within existing accounts is often more valuable than acquiring new ones. Growth driven by customers discovering new uses is healthy; growth driven by switching costs is fragile.] | [Validated, informed assumption, or untested?] |

## Product Delivery and Operations

[Enterprise customers will likely have software development workflows that need to interact with or integrate with your product.]

| Question | Answer | Evidence |
|----------|--------|----------|
| How deeply will our product integrate with customers' CI/CD and DevOps workflows? | [Understand these integration requirements early. Your product may need to fit into existing pipelines without adding friction.] | [Validated, informed assumption, or untested?] |
| What effort is needed to deploy, configure, and maintain our product over time? | [Customers will be hesitant to commit to a product that requires complex configuration or imposes significant overhead. Implement reasonable, secure defaults.] | [Validated, informed assumption, or untested?] |
| Do we have the staff to handle complex customer implementations at scale? | [Security products requiring complex integration need skilled consultants or implementation specialists. If your company lacks a strong services component, this may become a bottleneck.] | [Validated, informed assumption, or untested?] |
| Can we offer hosting options that meet customers' data residency requirements? | [Enterprise customers may need deployment within specific geographic regions or within their own environments. Determine how each client's data and application instances will be isolated.] | [Validated, informed assumption, or untested?] |
| Can customers deploy and configure our product entirely through infrastructure-as-code and APIs, without manual console steps? | [Enterprise buyers increasingly expect infrastructure-as-code support and full API coverage as procurement prerequisites. Products requiring manual configuration through a web console are increasingly frowned upon.] | [Validated, informed assumption, or untested?] |
| Does our product support policy-as-code workflows so customers can manage security policies through version-controlled code? | [Many enterprises manage security policies through version-controlled, declarative code. Products with GUI-only policy management may be viewed as operational risks by teams that have adopted this approach.] | [Validated, informed assumption, or untested?] |
| How are responsibilities for monitoring, upgrades, and support divided between our team and the customer? | [Clarify which ongoing support or maintenance tasks your firm will provide and which the customer handles. Clear delineation prevents friction after the sale.] | [Validated, informed assumption, or untested?] |

## Earning Customers' Trust

[Companies purchasing cybersecurity products hold their vendors to a higher security standard than most other suppliers.]

| Question | Answer | Evidence |
|----------|--------|----------|
| What security assurances will buyers require when purchasing our product? | [Buyers expect you to practice what you preach, and their third-party risk management processes will scrutinize your security posture.] | [Validated, informed assumption, or untested?] |
| How will our security program scale as our customer base grows? | [For a startup, this might mean using compliance automation platforms or engaging a fractional security leader. As your company grows, your program should mature alongside expectations.] | [Validated, informed assumption, or untested?] |
| Which compliance frameworks are table stakes, and which provide differentiation? | [SOC 2 has become table stakes. Beyond that, consider AI governance, data privacy regulations, industry-specific certifications, and government frameworks.] | [Validated, informed assumption, or untested?] |
| How will we reduce third-party risk management friction in the sales cycle? | [Understanding purchasing workflows early helps remove friction. Be prepared to provide SBOMs, evidence of signed build artifacts, and documentation of secure development practices.] | [Validated, informed assumption, or untested?] |
| If we serve customers in regulated industries or the EU, how will we address data sovereignty and applicable regulations? | [Data sovereignty has shifted from preferred to mandatory in financial services, healthcare, and government sectors. Enterprise buyers in these sectors may require customer-managed encryption keys and deployment options that prevent vendor plaintext data access. Regulations such as the EU AI Act, NIS2, and DORA create compliance obligations that can affect vendors selling into EU-regulated sectors, including those based outside the EU.] | [Validated, informed assumption, or untested?] |
| Have we secured our own software supply chain and published a vulnerability disclosure policy? | [Publishing a vulnerability disclosure policy signals maturity and openness. As your company grows, a bug bounty program can further demonstrate confidence in your product's security posture.] | [Validated, informed assumption, or untested?] |

## Platform Strategy and Ecosystem Positioning

[Will your solution integrate with existing security platforms, or do you plan to become a platform that other tools integrate with?]

| Question | Answer | Evidence |
|----------|--------|----------|
| Should we aim to build a comprehensive platform or integrate with existing ones? | [Becoming a platform creates a sustainable competitive advantage, but getting there is rare. Be realistic about whether you can provide more value as a best-of-breed point solution or as a component.] | [Validated, informed assumption, or untested?] |
| Which integrations are essential to reach our customers' procurement workflows? | [Enterprise buyers often prefer to procure through cloud marketplaces, where purchases can draw down existing cloud spending commitments. Customers also expect your product to work with their SIEM, ticketing system, identity provider, and cloud security tooling.] | [Validated, informed assumption, or untested?] |
| How do we balance ecosystem participation with competitive differentiation? | [Integration gives you distribution and credibility with a vendor's customer base, but it creates dependency. The platform vendor may eventually build your capability natively.] | [Validated, informed assumption, or untested?] |
| If a platform vendor builds our capability natively, how will we stand out? | [Platform vendors are embedding capabilities such as automated triage and investigation into their core offerings. This raises the bar for what a standalone product must deliver.] | [Validated, informed assumption, or untested?] |
| How will we help customers justify our product when they already pay for a platform that offers similar capabilities? | [When a single vendor offers network security, cloud security, and security operations under one contract, a startup needs a clear answer for why its standalone product justifies a separate purchase.] | [Validated, informed assumption, or untested?] |

## Team and Execution Capability

[Your strategy is only as strong as your team's ability to execute it. Security buyers evaluate the people behind a product, especially at earlier stages when the product track record is thin. Understanding where your team is strong and where it has gaps helps you make realistic commitments and hire intentionally.]

| Question | Answer | Evidence |
|----------|--------|----------|
| What domain expertise does our team bring that competitors lack? | [Consider both technical depth (e.g., built detection systems at a major platform) and market knowledge (e.g., sold into your target vertical). Domain expertise that maps directly to your product's value proposition is more credible than adjacent experience.] | [Validated, informed assumption, or untested?] |
| Where does our team lack the skills or experience our product strategy requires, and how will we close those gaps? | [Be specific: if your plan calls for enterprise sales but your team is engineering-heavy, that's a gap you need to close through hiring, advising, or partnering. If you need ML pipeline expertise but have mostly backend engineers, that affects your roadmap and timeline.] | [Validated, informed assumption, or untested?] |
| Do our backgrounds give us credibility with the buyers we're targeting? | [A CISO evaluating your product will ask "why should I trust these people?" Your team's prior roles, published work, and community reputation directly affect sales cycles, especially before you have customer references.] | [Validated, informed assumption, or untested?] |

## Competitive Landscape

[Map out the competitive landscape to identify where competitors are strong, where they are weak, and where your product offers distinct value.]

| Competitor | Their Strength | Their Weakness | Our Differentiation |
|-----|-----|-----|-----|
|  |  |  |  |
|  |  |  |  |

## Integration Priorities

[Identify which platform and tool integrations are essential to reach your target customers and their procurement workflows.]

| Platform/Tool | Integration Type | Priority |
|-----|-----|-----|
|  |  |  |
|  |  |  |

## About this Document

This security product planning template was created by [Lenny Zeltser](https://zeltser.com), drawing on his experience as a CISO practitioner and security product manager. The questions are derived from the framework [A Practitioner's Guide for Creating Cybersecurity Products](https://zeltser.com/security-product-creation-framework).

This document is Copyright (c) 2026 by Lenny Zeltser. This copyright covers the template itself; any content you create using this template is entirely yours.
