Conversation
Highlights

How StrongestLayer Uses Transparent POCs to Displace 20-Year Email Security Incumbents

Modern B2B marketing automation has created an unintended consequence: the tactics used to generate pipeline are now architecturally identical to sophisticated phishing attacks.

Alan LeFort, the CEO of StrongestLayer, discovered this convergence while consulting on go-to-market strategy for portfolio companies in late 2024. He was researching how AI had transformed demand generation—using intent signals from platforms like Clay, crafting personalized messages at scale, spinning up lookalike domains to bypass spam filters.

“We are in this bizarro world where the techniques used by phishing and the techniques used by marketing are now 100% identical,” Alan explains. “In phishing you spin up lookalike domains because you need to trick them into going to the lookalike domain. In marketing, we do it to trick the spam filter so that you can get under the sending.”

Marketers buy intent signals to personalize outreach. Hackers harvest publicly available LinkedIn and Facebook data to craft spear phishing campaigns. Both use AI to generate perfectly branded, error-free messages. “How can we reasonably expect an employee to detect if this is a phish or if it’s a marketing email, if they use the same techniques and the same sophistication and the same AI?” Alan asks. “And the answer is they can’t.”

This insight drove Alan to join StrongestLayer as the third co-founder in late 2024, bringing go-to-market expertise to a technical team that had discovered something significant through customer feedback.

From Security Training to Email Security: A Customer-Driven Pivot

StrongestLayer’s first co-founder, Riz, initially built an AI-powered security awareness training platform. The thesis: rapidly evolving threats required AI to keep training current and maintain effectiveness against sophisticated attacks.

Early customers provided unexpected feedback: “Maybe you should pivot because you’re detecting things through your phishing plugin that email security programs that have been around for 20 years are missing.”

The second co-founder, Josh Bass—with email security experience at Proofpoint, Mandiant, and Google’s threat research team—recognized the opportunity. “Josh realized we have an email security product. We just haven’t used it that way,” Alan recalls. They rebuilt focused solely on email security in six months and launched in 2024.

But entering an established category created immediate credibility challenges. Investors repeatedly questioned whether AI could truly disrupt a market with deeply entrenched 20-year players.

The answer required reframing the problem around architectural inadequacy rather than incremental improvement.

Why N=1 Attack Datasets Break Pattern-Matching Architectures

Legacy email security solutions operate on pattern-matching—essentially the same approach used to develop vaccines. “You need to gather data, sadly, from several people that got ill and didn’t make it,” Alan explains. “That is how security research works. They monitor all these different sensors, they see weird stuff, the customer complains, they analyze the weird stuff and they’re like, oh, it was this kind of attack and it worked this way.”

The system deploys signatures based on known attacks. It works effectively—until attack diversity eliminates the pattern dataset.

“What happens when your pattern based, your pattern matching system doesn’t have the data to train itself on? Because every attack is unique,” Alan points out. “When the body of data for a given attack type is n equals 1, no pattern matching system will ever catch it.”

AI-powered attacks create exactly this scenario. Large language models function as sophisticated thesauruses capable of infinite variation. “It can take an attack and make it look like a thousand different attacks to the existing technologies.”

Harvard Kennedy School research from November 2024 quantified the shift: AI enables attackers to profile 88% of company employees using publicly available data, create targeted spear phishing campaigns at 95% lower cost, and increase click rates from 12% baseline to 60%—even among security-trained employees.

Alan contextualizes the 60% statistic: “I’m a risk taking guy, but I won’t play Russian roulette. And in Russian roulette, the odds of putting a bullet in your head are 1 in 6, 17%. Why would any executive be happy with 60?”

More critically, advanced threats (business email compromise, targeted spear phishing) currently represent 2% of total attack volume but 90% of breach value—forecast to reach 17% of attack volume by 2027.

Transparent One-Week POCs That Achieve 85% Meeting-to-POC Conversion

Rather than compete through traditional enterprise sales methods, StrongestLayer built their go-to-market around comparative proof with zero commercial pressure.

Their POC structure: run for one week behind the customer’s existing email security solution. No commitment required. Just visibility into what’s being missed.

At one company under 1,000 seats running a top-three market share leader, they surfaced approximately 80 advanced threats in one week. “We’re not finding low hanging fruit. They’re all taking care of the low hanging fruit really well,” Alan clarifies. The focus is sophisticated attacks that pattern-matching architectures structurally cannot detect.

This transparency approach delivers 85% conversion from first meeting to POC, and 100% from qualified POC to technical win in 2024 (Alan acknowledges these are early-stage numbers).

The strategy extends beyond sales process. Unlike security vendors protecting methodologies behind NDAs, StrongestLayer publishes full product demos on YouTube. “Rather than hide it behind NDAs and whatnot, we’re putting our demos out to the world,” Alan says. “I’m going all in on velocity.”

The underlying thesis: when competitive advantage comes from continuous AI model improvement velocity rather than static IP, transparency accelerates customer trust faster than secrecy protects your moat.

Stage-Matching ICP to Sales Cycle Constraints

Despite email security being universally needed, StrongestLayer deliberately excludes Fortune 500 accounts from their initial ICP. The decision is operationally pragmatic.

“When their procurement team is bigger than your whole company, not a good scene,” Alan explains. With approximately 30 employees, they cannot sustain 18-month enterprise sales cycles against their burn rate.

Instead, they target 1,000-10,000 seat companies—enterprises with full SOC2 and compliance obligations but without Fortune 500 procurement complexity. “They have all the compliance obligations of a large Fortune 100, Fortune 500, but they don’t have the budget, they don’t have the staff, they don’t have the team size, they don’t have the tools available to them. And, but they have all the obligations.”

The explicit constraint: “We kind of said our ICP has to be for 6 month deal size or less. And as we get bigger, as we raise more money, it expands outwards.”

Alan frames this as a broader principle: “We should think about ICPS as being stage dependent that map to the maturity of the company.” Select based on what current resources can execute, not aspirational positioning.

Operational Reality-Based Messaging Bifurcation

StrongestLayer messages CISOs and security operations teams differently despite selling identical technology. The distinction maps to divergent daily operational contexts.

CISOs hear about emerging risk profiles and architectural inadequacy of existing solutions. They’re “always firefighting” and may show “natural reticence” to revisiting problems they believe solved. The message focuses on why the threat landscape shift makes current solutions structurally insufficient.

Security operations teams hear about eliminating investigation toil. Specifically: the 70% false-positive rate on user-submitted potential phishing attempts. “When we’ve talked to users, they said 70% of those user submissions are not actual real threats, but they have to investigate them because compliance and monitoring and all those things.”

Alan positions this as freeing analysts from waste: “Imagine that 70% of the work that your skilled, seasoned engineers that are in short supply because you don’t have the budget is just a waste of time, a tail chasing exercise.”

Their technology reduces this to near zero. Same product, identical security stack, completely different value propositions based on what each persona encounters operationally.

Category Displacement Through Architectural Inadequacy Claims

StrongestLayer’s positioning avoids vendor-specific criticism in favor of generational architectural arguments. “We’re not saying that those are bad companies. I came from one of the very big companies. I was an exec there, I ran a business unit there,” Alan notes. “But generationally, the attack type, that change means that their architecture that they’ve built, that they’ve perfected over 20 years doesn’t meet the problem of the moment.”

This framing enables displacement without requiring customers to admit poor prior decisions. The incumbent solution worked effectively for 20 years—and remains effective against the attack types it was designed to handle. The problem is structural: pattern-matching architectures cannot detect threats with n=1 datasets, regardless of vendor execution quality.

For early-stage companies attacking established categories, this offers a framework: demonstrate that fundamental shifts in the problem space render entire architectural approaches insufficient. Prove the claim through direct comparison rather than marketing assertions. Remove evaluation friction through transparent POCs. Match ICP selection to stage-based sales cycle constraints.

The displacement strategy isn’t about better features. It’s about shifts in the threat landscape that make architectural generation more relevant than vendor reputation—and systematically proving that thesis holds in customer environments.