Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.



I wrote a few years ago about how I buy tools and don’t necessarily plan to keep them. In the startup world, strict prioritization is the only way to survive. The smartest move is often to buy rather than build, especially if the tool isn’t core to your product. By outsourcing specialized challenges, like infrastructure access, to established tools, you gain immediate development velocity. The plan isn’t always to keep these tools forever, but to use them as levers to reach the next stage of growth without burning engineering cycles on maintenance.

However, the bar for buying security tools has risen now that AI is widely available, and I’ve become pickier. With AI, it is trivial to build simple internal tools, so many niche product categories, particularly in application security and basic scripting, are disappearing. For me to consider a new tool today, it has to provide substantial, non-commodity value that I could not reproduce in-house with a weekend of prompting.

But there is an even more underrated factor in the “stay vs. switch” debate: the massive, hidden cost of switching.

The Switching Cost Trap

Security leaders often fall into the trap of seeking “the best.” When a new leader takes over, they often want to swap out the existing stack. The official excuse is usually that the current product fails to mitigate specific risks. But the real reason is often personal: they want a tool they are familiar with or want to “make their mark.”

In today’s leaner environment, this is a colossal waste of time. Switching security tools isn’t just a new license fee; it is the operational friction: migrating data and integrations, rewriting detections and policies, retraining the team, and running two systems in parallel until the new one is trusted.

Data from 2025 shows that organizations with fragmented, “best-of-breed” stacks manage an overwhelming average of 83 security tools from nearly 30 different vendors. This complexity isn’t a badge of honor; it’s a tax. Organizations that move toward consolidated platforms can identify and mitigate security incidents 74 to 84 days faster than those struggling with fragmented environments.

Why Mediocrity is a Viable Strategy

I know many security professionals are unwilling to admit it, but it’s actually okay to use a mediocre tool as long as it gets the job done. I’ve argued before that security has too many tools and has become a community of tool administrators rather than problem solvers.

If your team is already used to a tool, and it covers the basic requirements for a low-to-medium risk area, the incremental benefit of switching to the “best” product is often outweighed by the risk of the transition. The argument that “the best tool would have prevented the breach” is flawed: you don’t know the counterfactual, and a half-migrated stack is a worse place to be during an incident than a well-understood mediocre one. In practice, security system complexity is one of the biggest amplifiers of breach cost.

For a medium-risk area, it is often better for the business to keep a cheaper, mediocre tool that everyone knows how to use than to spend millions in resources moving to a slightly better product that requires six months of tuning before it is as useful as the one it replaced.

The Rise of “Good Enough” Platforms

We are seeing this play out in real-time with infrastructure platforms like Datadog. Datadog has been expanding into paging (replacing PagerDuty), incident response (replacing incident.io), and feature flags (replacing LaunchDarkly).

Are these Datadog offerings as feature-rich as the standalone winners? Probably not. They are “mediocre” by comparison. But they win because they offer simplicity and context: the alert, the incident, and the flag that caused it live in the same place as the telemetry. In 2025, organizations using consolidated platforms are generating roughly four times the ROI (101%) of those with fragmented stacks (28%). That ROI is easier to see in engineering and DevOps because efficiency is the explicit goal there.

Where Mediocrity Works (and Where it Doesn’t)

You have to be strategic about where you accept mediocrity. It works in the low-to-medium risk areas described above, where the existing tool already covers the basic requirements and the team knows how to operate it.

It does not work for credentials. With compromised credentials still being a top three attack vector and the average cost of a U.S. data breach surging to a record $10.22 million in 2025, your identity and access management (IAM) must be top-tier. A “good enough” vulnerability scanner costs you some findings; a “good enough” identity provider costs you the company.

A Strategy for Startups: The Wedge of Mediocrity

For security startups, “mediocrity” can actually be a competitive advantage. If you can provide a simple, lightweight product that solves a specific compliance gap, you can land in an organization and become part of the furniture.

The goal for many should not be to build the most technically advanced product in the world, but to build one that is not bad enough to be worth switching away from. If you can land, provide immediate value, and integrate easily, the enterprise’s high switching cost becomes your greatest defense.

Final Thoughts

Security leaders set the wrong expectations when they promise to prevent every breach by buying the “best” tool. This creates a mismatch with the business, which is paying for risk management, not for a guarantee. In reality, we should be managing risk by acknowledging that some areas only require “good enough” solutions, and spending the saved effort on the areas, like identity, that do not.

AI makes it easier than ever to remove mediocre tools because it reduces the implementation effort required to replace them with simple, custom scripts or platform features. But until you have a reason to move, don’t let the pursuit of “the best” distract you from actually solving problems.

Frankly Speaking is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.
