[tptacek]

Companies don't trust "outsiders" to do security testing? Veracode was doing 9 figures a few years ago and was recently spun out from Broadcom for almost $1Bn.

Also, 20MM/yr is not a revenue number to sneeze at. Enterprise security is a huge and mature product space and most aspirants in it do not hit that number. These companies aren't Uber, where every dollar coming in is going back out the door with an extra couple dimes to boot.

[bryant]

Eeeep.

There's a substantial counterargument to this I need to type up. I understand where you're coming from as someone who once ran a consultancy, Tom, but from the perspective of someone who hires security firms and consumes their services—and this is essentially a TL;DR for the opinion I need to flesh out here—we don't do it because we trust. We do it out of necessity.

TODO: Bryant to flesh this out in between laundry rounds tonight.

[tptacek]

My name is Thomas.

[eganist]

Well, apologies are due as I can't seem to edit that out of my post now. Sorry for making the assumption, Thomas.

But considering the gray patina my earlier comment has developed with time, I'll withhold my point as there doesn't seem to be interest in hearing it.

[tptacek]

I actually didn't understand your comment and it was downvoted before I responded (I didn't downvote it). I just wanted to make sure people knew how to spell my name.