ARR Became King: How Cybersecurity’s Economic Engine Created the Budget Crisis CISOs Now Inherit
A Three-Part Deep Dive Told Through the Lived Reality of CISOs, the Incentives of VCs, the Pressure on Vendors, and the Economics Driving All of It.
Coffee Cup Cheers, Security Gang. Let’s talk about the decade that shaped your budget before you ever touched it.
If you’ve been anywhere near a cybersecurity budget meeting in the last five years, you’ve probably asked yourself some version of this question:
“Why do vendors keep raising prices when my budget barely moves?”
It’s a fair question.
A painful question.
And an important one — because the answer isn’t “inflation” or “greedy vendors” or “supply and demand.”
The truth is more structural and far more consequential:
cybersecurity pricing today wasn’t designed by CISOs, or CFOs, or even the vendors themselves.
It was designed by the economic environment that shaped the entire tech industry between 2015 and 2022.
To understand why CISOs now feel boxed in by unpredictable renewals, consumption overages, and per-endpoint price explosions, you have to understand the world that shaped vendor behavior long before those vendors shaped your budgets.
This is that story.
The Decade of Cheap Money and Explosive Valuations
To make sense of today’s cybersecurity pricing, we need to travel back to what I call the Zero-Interest Decade — roughly 2012 to early 2022. The cost of capital was near zero, venture funds were flush with cash, and the playbook for software was straightforward:
Recurring Revenue = Predictable Revenue = High Valuations.
When money is cheap, investors don’t hunt for companies that are profitable —
they hunt for companies that are predictable.
Predictability comes from ARR, not one-time perpetual licenses.
That’s why founders pitching cybersecurity startups in 2017–2021 didn’t talk about:
malware detection efficacy
deep inspection
machine learning tuning
faster forensic workflows
They talked about:
Net Dollar Retention (NDR)
Gross Margin
ARR expansion rates
Contracted Annual Recurring Revenue (CARR)
These weren’t buzzwords — they were survival metrics.
A VC partner described the era like this in a panel I attended:
“If your revenue wasn’t recurring, you didn’t get funded. Plain and simple. ARR wasn’t a preference — it was an identity.”
Cybersecurity didn’t stand apart from this movement — it became the poster child for it.
Why Vendors Shifted — And Why It Made Perfect Sense (Back Then)
Put yourself in the mindset of a cybersecurity founder in 2019.
Threats are skyrocketing.
The cloud is exploding.
Zero Trust is the shiny new promise.
Every Fortune 500 board wants “cyber resilience.”
But raising capital for growth requires demonstrating:
recurring revenue
predictable cash flows
low churn
high retention
high expansion
And what drives all of them?
Subscription models.
Perpetual licenses — once the backbone of enterprise security — were an investor’s worst nightmare. They created:
uneven revenue cycles
unpredictable bookings
high dependency on new sales
low ability to forecast
difficult margin expansion
Subscription solved all of those.
This is why, between 2017 and 2023, nearly every major cybersecurity firm:
abandoned perpetual licensing,
switched to annual or multi-year subscriptions,
built usage-based billing, and
gated features to unlock upsell opportunities.
Not because CISOs wanted it.
Not because it improved outcomes.
But because it aligned with the financial reality of the era.
When one founder was asked why his company eliminated perpetual licenses, he said something that stuck with me:
“In cybersecurity, your product improves as the customer grows. Why shouldn’t the revenue reflect that?”
From an investor’s point of view?
It’s logical.
From a CISO’s point of view?
It’s a budgetary nightmare.
And this is where the collision began.
Cybersecurity Demand Exploded — But Pricing Exploded Faster
Here’s an important nuance often missed in shallow analysis:
Cybersecurity sales growth wasn’t just driven by demand.
It was driven by unit price expansion embedded in the subscription model.
Demand was absolutely real:
ransomware surged
supply chain attacks became geopolitical events
cloud adoption created blind spots
regulators added teeth (GDPR, NIS2, HIPAA, CIRCIA)
boards became cyber-aware (finally)
But the shape of revenue growth reveals something else:
Growth didn’t just come from more customers.
It came from extracting more revenue from existing customers.
This happened through:
per-endpoint pricing
per-user pricing
per-GB ingestion
per-cloud-workload
per-policy tiering
new “premium detection” SKUs
new platform bundles
auto-escalators
support tiers replacing former baseline support
A CISO at a multinational once told me in confidence:
“We didn’t grow 40% last year. Our bill did.”
That’s the heart of the problem.
Demand drove adoption.
Subscription pricing amplified revenue.
Growth metrics blended the two.
The result?
Vendors celebrated “explosive expansion,” while CISOs tried to explain why the same tool cost 2× or 3× what was originally budgeted.
The Flat-Budget Paradox: When Two Economic Realities Collide
Now let’s shift perspectives — into the enterprise.
CISOs budget inside a world defined by:
annual planning cycles
CFO expectations for cost controls
board mandates to minimize operational variance
procurement policies designed for stable multi-year agreements
the unspoken pressure to “do more with less”
None of these structures can absorb unpredictable, consumption-driven pricing models.
A CFO sees cybersecurity as:
OPEX
stabilizable
predictable
incremental
risk mitigation, not revenue generation
So they expect budgets to grow:
0% during down cycles
3% in normal cycles
5–7% in aggressive cycles
But subscription pricing models often grow:
20–50% organically
30–120% with cloud expansion
60–200% with mergers or acquisitions
unpredictable spikes with data ingestion increases
You can’t reconcile those worlds.
Not structurally.
Not philosophically.
Not mathematically.
One security leader told me:
“I walk into every Q4 budget review knowing I’ll have to explain vendor behavior I didn’t choose.”
That’s not mismanagement.
That’s misalignment baked into the economics.
Vendors Aren’t the Villains — They’re Playing the Game They Were Born Into
This is important:
The economic forces that shaped pricing models didn’t make vendors malicious — they made them responsive to investor incentives.
Inside a cybersecurity vendor, you’ll find:
product managers pushed to create new “value tiers”
CFOs modeling pricing changes to maximize NDR
sales leaders under pressure to hit aggressive ARR quotas
boards expecting growth that outpaces the market
investors grading companies on retention and expansion
If a vendor doesn’t expand revenue per customer, investors will say the company is “under-monetizing.”
If revenue doesn’t scale with usage, investors will say “the model isn’t aligned with cloud maturity.”
If customers don’t adopt premium SKUs, investors will question “feature adoption strategy.”
This isn’t greed — it’s the incentive architecture.
A VP of Sales once explained his pressure like this:
“When revenue is recurring, every year you start behind because you’re measured on ARR growth. If we don’t expand existing customers, we don’t meet targets. It’s that simple.”
The problem isn’t the people.
It’s the system they’ve inherited.
And CISOs inherited the consequences.
And This Is the Moment the Crisis Formed…
By the time we entered 2023–2025, every force that once favored subscription economics began reversing:
interest rates rose
capital tightened
boards demanded efficiency
CFOs demanded stability
enterprises pushed back on cost overruns
cyber budgets flattened despite rising threats
The era of “growth at any cost” died.
But the pricing structures it created did not.
That is the core tension CISOs are living through today:
Budgets stabilized.
Subscriptions did not.
Part I ends here — at the birthplace of the modern cybersecurity budgeting crisis.