It is the year 2022. One hundred years after T.S. Eliot wrote The Wasteland, we find ourselves lost in a wasteland of information security buzzwords. If we grab a handful of dust from this parched land, what trends do we see? This edition of my annual Infosec Buzzword Bingo elucidates the current zeitgeist through which buzzwords are most popular among security startups.
I surveyed 100 infosec companies’ websites1, the vast majority of which are startups who raised VC funding in the past nine to twelve months. The idea behind the bingo card is to take it with you on physical journeys through vendor halls or virtual quests through vendor websites and see whether you can replace your existential dread with a cry out into the void of “Bingo!”.
For even more fun, see what your cursed cyber startup would offer by trying out my Infosec Startup Tagline Generator (built on Compute@Edge), which includes all the “best” buzzwords from this years' cohort: https://brightly-willing-guinea.edgecompute.app/
Without further introduction, below is the 2022 Infosec Startup Buzzword Bingo card – read on if you want more analysis:
The top word this year was automated and its variants (automatically, automation, automates), which makes it the reigning champion since 2019. And everyone is now a platform, the second most popular word, even startups who do not actually offer a way to build or run anything on top of what they created (especially when their only creation is an MVP to raise their seed round).
Does this mean we will soon see a new word to indicate true platforms? I vote for flatform. Flatforms are shoes with thick soles but without heels, while platforms have thick soles as well as heels, making them far more precarious for perambulation and therefore making the distinction worthy of the “true platform” vs. “startup deeming themselves a platform on incredibly shaky semantic grounds.”
The following table lists the rest of the top 25 buzzwords and includes the number of companies who cited the buzzword, along with whether the buzzword was on prior bingo cards:
But the top words don’t tell the entire story. What merits inclusion on the bingo card is not just absolute popularity, but whether the buzzword is on the rise in usage, too. So, it behooves us to look at which buzzwords are en vogue and which are on their way to the clearance bin.
Which buzzwords are on the rise?
Let’s start with the zeitgeisty words on the bingo card itself. Solutions are now far more dynamic (+2,200% from the prior bingo card), finally acknowledging the nature of complex systems and the continuous nature of spacetime under general relativity. Vendors are also asking you to place your trust in Zero Trust (+183%) tools, split between tools aligned with a zero trust philosophy and those that fall under the namesake market category and collection of technical capabilities. How fun for practitioners who are already struggling to understand wtf either of those mean.
While some buzzwords are arguably obnoxious but innocuous, some buzzwords are supposed to mean real things and misappropriation of them is a scourge for practitioners. For instance, the buzzword agentless (+113%) has drifted from its true meaning, like one instance in which the purportedly agentless solution is an agent that lives inside your app instead of alongside it. Practitioners who read agentless and assume they will be adopting something lightweight and unobtrusive – without embedded hooks into the underlying system – will be understandably shocked upon implementation.
Similarly, the labels for fancy math like machine learning and AI are misused and abused to such a degree that they are rendered meaningless. While machine learning appears to be sliding into boring territory (-11%), vendors seem to be pivoting to labeling their linear regression models as AI (+58%). There is actually nothing wrong with regex or deterministic, conditional logic – it often works better than fancy math – but labeling it as ML or AI is simply disingenuous.
Our cursed timeline demands that if startups want to raise funding from today’s VCs, labeling their wares as AI or ML is a lamentable prerequisite. Nevertheless, they should at least elucidate the approach without technobabble or, even better, share data points to prove why AI is superior to deterministic approaches (whether in terms of efficacy, speed, or scale) for practitioners’ sake.
Then there are buzzwords like cloud-native (+170%) which are also supposed to mean real things, but the market map by the Cloud Native Computing Foundation looks like a conspiracist’s feverish ramblings and so I think its misuse is less appalling. If you don’t want a solution for cloud-native, many vendors also offer straight-up native (+108%) solutions that belie their nature as bolt-on tools or are trying to make “can run in Kubernetes like most other Linux software” sound special. Alas, after reading their marketing fluff, I question whether these vendors are even reality-native.
Following the lead of the Webb Space Telescope, security professionals now seek to discover (+79%) things like the oldest and most distant objects in the universe such as unpatched mainframes cowering pitifully in the COVID-vacated company headquarters. Security pros also want to optimize (+100%), although most invocations of the word on startup vendor sites were not accompanied by measurement that would help evaluate efficacy. How strange.
Perhaps inspired by the car industry, security vendors will offer you an engine that is powerful to accelerate (+53%) whatever things are being done. And two new words reflect changing concerns: security vendors, like chiropractors perhaps in many ways, want to help you fix your posture across the software development lifecycle – and ideally across your personal human lifecycle, too, to maximize customer lifetime value.
In terms of needless superlatives, vendors increasingly boast of being world-class (+200%) and unmatched (+1,100%) which perhaps better describes a sports champion. And a security solution is ideally frictionless (+233%) and effortless (+700%) because who needs the laws of thermodynamics?
Which buzzwords are on their way out?
Our long national nightmare with threat being used in every sentence in infosec may finally be waning if its 26% drop in usage holds true across the industry (if only we could eradicate the term “bad guys” with similar efficacy). Similarly, fewer vendors talk about advanced (-27%), complex (-40%), unknown (-19%), or targeted (-60%) attacks now and less than 10% of vendors are even mentioning zero-day (-20%) vulns. I can only hope this means the median is countering their natural cognitive bias and focusing on a more realistic threat model.
There is also less focus now on whether a solution is next-gen (-20%) or robust (-29%), perhaps suggesting that security buyer personas have realized that copy-pasting old solutions to new environments with new problems is insufficient and that prevention isn’t a panacea. Offering intelligence (-26%) isn’t the differentiator it purportedly used to be and, perchance having beheld the lambent light of reason, no one mentions dark (-100%) as in “dark web” anymore.
Which buzzwords will people yell at me on Twitter for not including on the bingo card?
Multi-cloud, DevSecOps, XDR, shift left, supply chain, SASE, SBOM – yes, yes I hear you but not enough vendors included them on their home page and product pages to merit inclusion on the card. No, I did not forget about them (DevSecOps and XDR each only had 12 vendors mentioning them; the rest of those listed have even fewer representative vendors).
I invite you to set up prediction markets on which buzzwords are likely to make the bingo card next year and then peer pressure vendors into including them during your own leisure time.
Which buzzwords are the weirdest?
My favorite buzzword this year is definitely wowful for obvious reasons although best-in-breed must win as the most amusing typo (which perhaps reveals the quality of their wares). Supercharge is a fun new verb that emerged among seven vendors this year and the six vendors who used harden are far more mature than I.
Two vendors presumably took inspo from the #FreeBritney movement and used toxic to describe the things they help ameliorate. Two vendors have solutions which are multidimensional, presumably to stop dreaded wormhole attacks and events only known relative to the motion of observability wetware.
One vendor described their solution as omniscient, not specifying whether their interpretation of omniscience is compatible with immutability2 (which could make it incongruent with the cloud-native buzzword as well as classical deities). Someone, not content with describing APIs as “shadow”, threw all dignity to the wind and invented the term zombie APIs.
And finally, one vendor said their solution is zero-ops and I must invoke Heidegger to ask, “Why are there [ops] at all, instead of Nothing? That is the question.” Or should we follow Nishida Kitarō and ponder whether zero-ops means “[ops] affirms itself through its own self negation”3?
DevOps, or Zero-Ops, the two great ends of Fate,
And True or False, the subject of debate,
That perfect or destroy the vast designs of state —
When they have racked the developer’s breast,
Within thy pipeline most securely rest,
And when reduced to Rust, are least unsafe and best.4
Thanks to Adrian Sanabria and the Mad Tinkerer for feedback on this post, and to Mark Teodoro for porting my Python script into C@E (don’t blame him for the Geocities styling).
I did not survey their entire website, only the main page and product pages. If buzzwords appear in blogs, for instance, that isn’t captured. The goal is to hone in on how infosec startups presently present themselves to the market. ↩︎
Kretzmann, N. (1966). Omniscience and immutability. The Journal of Philosophy, 63(14), 409-421. ↩︎
Krummel, J. W. (2018). On (the) nothing: Heidegger and Nishida. Continental Philosophy Review, 51(2), 239-268. ↩︎
My glorious spoof-poem is inspired by the poem “Upon Nothing” by John Wilmot, 2nd Earl of Rochester: https://www.poetryfoundation.org/poems/53720/upon-nothing ↩︎