The sales call that ends early
You are the founder, which means you have sat through enough vendor calls to know the shape of them. The person on the other end has decided you are a fit before they have heard what you need, and the rest of the hour is them steering toward a yes. You leave the call knowing less about whether this was right for you than when you started, because nobody in the conversation was incentivized to tell you no.
That pattern is exhausting, and it is also a tell. A partner who will say yes to anyone has told you something useful about how they will run your environment later: the same way they ran the sales call, by optimizing for the contract over the fit. You do not want that running your identity stack at two in the morning.
So here is the version of that call we would rather have. There are companies we are genuinely good for, and there are companies we are not, and the honest thing is to know which one you are before money changes hands. What follows is the second list: the profiles we do not serve well, why, and who is a better call. If you see yourself in it, that is us doing our job.
You want a tool to buy, not an environment to run
Some teams have a clear, contained problem and the in-house muscle to operate whatever they buy. You have an engineer who lives in the AWS console, who already reads Amazon GuardDuty findings every morning, and who wants one specific capability dropped in and then left alone. That is a real and reasonable position. It is not us.
We run environments; we do not hand over a license and wave. Security is an operational problem, not a tool problem, which means the value we add shows up in the running: the tuning, the triage, the boring weekly discipline. If you already have the person doing that work and you only want the software, you are paying us for a layer you do not need.
Who to call instead, in that case:
- The vendor directly, for the single capability, since you have someone to operate it.
- A staffing or fractional-engineering firm, if what you lack is a few more hours of the person you already trust.
- A reseller, if procurement and licensing are the real friction and the operating is handled.
There is no shame in this. A capable in-house operator is the thing most companies wish they had. If you have one and you like how they work, the honest move is to feed them, not to route around them.
You need deep compliance we do not operate in
We do SOC 2 the way we do everything: as operational work, where the evidence falls out of running the environment properly and is not assembled in a panic before the audit. That model holds for the frameworks we run as our daily work. It does not stretch to every regime a regulated business might face.
If your core obligation is something heavy and specialized, the responsible answer is a specialist, not us with a confident face. A few honest examples:
- Protected health data under HIPAA, where the controls and the business agreements are their own discipline.
- Federal authorization paths such as FedRAMP, which carry process and tooling we do not run as our daily work (the FedRAMP program documents its authorization requirements).
- Payment-card scope under PCI DSS, where a Qualified Security Assessor relationship is the center of the program (the PCI Security Standards Council maintains the standard).
We can often run the cloud and identity layer underneath one of those programs, and we are glad to. What we will not do is sit in the seat that belongs to a specialist and pretend the fit is clean. If that regime is your whole reason for hiring, hire the specialist first and let us support the layer we are good at.
You want the cheapest possible line item
There is a version of buying security that treats it purely as a cost to minimize: the lowest monthly number, the thinnest scope, a box checked so a customer stops asking. Founders want confidence, not features, and the uncomfortable truth is that confidence is the one thing the cheapest option cannot deliver.
We are not the most expensive room in the building, and protecting yourself and your team does not have to be a multi-million dollar investment. What we will not do is win on price by quietly removing the operating, because the operating is the part that works. A control you bought but nobody runs is a receipt, not coverage.
If the budget genuinely is not there yet, that is a real constraint and worth respecting. The honest paths:
- Turn on the controls you already pay for, since the capability often ships inside the Microsoft 365 tenant or AWS account you already own.
- Hit the security floor with internal time first, and bring in a partner once the stakes justify it.
- Come back when a customer contract or a funding round changes the math, which it usually does.
We would rather you reach that point and call us than sign something now that is too thin to mean anything.
Saying no is part of the service
Go back to the call that ended early. The reason that felt unfamiliar is that most of the industry is built to say yes, and a yes you cannot trust is worth less than a no you can. We say no when the fit is wrong because the alternative, taking the contract anyway, is how environments end up half-run by a partner who never believed in the fit.
The companies we serve well are small teams who want to be genuinely powerful without becoming a security shop, who want the operating handled so running the stack stops running their lives. If that is you, we should talk. If you are one of the profiles above, the better option is named here, and you should take it. Either way you got an honest answer, which is the thing the early-ending call was offering all along.
So before your next vendor hour: are you looking for a partner who will tell you when the answer is no, or one who has already decided it is yes?


