OT

Cybersecurity companies tend to target large enterprises because, that’s where all the money is. supposedly. They may be missing a lucrative bet and a solution to AI-generated attacks.

In 2025, Comcast issued a report that said 95% of all cyber breaches began with someone in an organization clicking on a malicious link. It wasn’t a brilliant hacker breaking through military grade encryption, or a rogue LLM from a major AI platform discovering backdoors. It was someone not paying attention to the warning signs.

Security training is supposed to reduce that by making users more aware of those signs. That is being tested by AI-generated phishing programs massively increasing the number of attempts. A Hoxhunt survey estimated Ai has caused a 14X increase in phishing attempts in the past year.

Stopping the inevitable

The question is, with cybersecurity hitting a $328 billion market size, why is it getting worse?

Benny Czarny, CEO of OPSWAT, answers that question in a new book, “Upside Down Cybersecurity” that just came out. “The reality is that the market is not adopting this technology or it’s underlying concept fast enough.”

To be accurate, Czarny is talking about OPSWAT’s content disarm and reconstruction (CDR) technology, but based on talks with dozens of CEOs and CISOs at the RSAC Conference in April, the same complaint is made by every company in cybersecurity.

Essentially, the customers that haven’t bought into a cybersecurity service or tool is stupid. They don’t say that for publication, but they do say it. They may be missing another reason. Cybersecurity companies don’t know how to sell their products and services to the people that most need them. Conversations with customers at RSAC back that up.

Untapped SMB market

A 2022 McKinsey survey showed small to medium businesses (SMBs) represent a total market of $1.5 trillion to $2.0 trillion. That market is generally ignored in favor of Fortune 1000 companies. Moreover, the survey noted that current commercial solutions do not meet needs of SMBs and mid-market companies.

(It should be noted that McKinsey’s numbers are based on an erroneous 1998 report on the cost of the cybercrime that was overstated by a factor of between 5 and 10 times the actual number. Official total of cybercrime total less than $1 trillion, making the total available market need at less than that.)

That’s a meaningful response to Czarney’s complaint. OPSWAT’s focus is on big infrastructure. Their pricing is not transparent because, as the saying goes, “if you have to ask, you can’t afford it.” That limits OPSWAT’s market to less than 150 customers and, as he said, they are making a good living off of it. OPSWAT and the majority of the industry are still, however, leaving billions of dollars on the table.

There is evidence that better training makes a difference. Security behavior-change programs, as opposed to traditional awareness model, employees recognized and reported social engineering attacks with a 6x improvement in 6 months, and reduced the number of malicious clicks by 87%, according to a recent report by Hoxhunt. The key, however, may be providing services that block malicious links or alert users to potential danger and with little to no cost to an organization. Encouragingly enough, there are services that do exactly that.

Security at $500/month

DNSFilter processes about 170 billion DNS queries daily, blocking 200 million categorized threats. That’s millions of phishing campaigns failing to reach targets That's significant volume. They also claim to block threats an average of 10 days faster than traditional threat feeds. Significantly, their pricing model starts at $240 a year, for up to 20 users up to a minimum of $1080 per year for a large enterprise. This easily fits into the Cyber Protection Magazine Security Under $500 a Month classification.