A friend of mine, Antide “xarkes” Petit, came up with a pretty good rule of thumb that I think should be elevated into a law, Antide’s Law:

> If it’s unclear what a cyber-security company is doing, what they’re doing is pretty clear.

For example, take a look at the Offensive Con 2024 and 2025 sponsors. Amongst them, you can find:

– Catalyst Security: “Catalyst Security is a growing team of highly experienced vulnerability researchers, working on solving the most challenging problems in support of our customers.”
– SAFA: “Leveraging human and machine intelligence, SAFA zooms into cyber threat flashpoints, keeping you protected now and into the future.” as well as “SAFA’s progressive approach to cybersecurity means we’re not content to see clients tread water; we strive to keep them ahead of cyber threats. Our in-house research, along with the latest technologies, lets you see what’s coming and proactively adapt.”
– Vigilant Labs: “It’s a need to know thing.”
– Binary Gecko: “Binary Gecko GmbH provides tailor made cybersecurity solutions and services. Our international team is made up of world class, highly technical professionals with a proven track record in the field. We strive to tackle every problem with a holistic and in depth approach.”
– Secfence: “Secfence has been the pioneer of Information Security in India for almost a decade. We are a research-based organization and we take pride in innovating and pioneering many techniques and methodologies in Information Security. Along with our in-house research teams, we have formed global alliances to bring the latest and the best technology to our clients.”

It’s not obvious what services those companies are providing, so it’s pretty obvious what services they’re providing: exploits and offensive capabilities.

Of course, it isn’t a universal law. For one, it doesn’t apply to megacorporations, as they too tend to have meaningless blurbs on their websites. For example, while “Capgemini helps businesses imagine their future and make it real with AI, technology and people.” doesn’t mean much, what they’re providing is information technology consulting and outsourcing, like providing skip tracing services for ICE’s enforcement and removal operations. Also, sometimes, it’s simply a company being abysmally bad at marketing.

Note that the converse isn’t true either: not every exploit vendor is cagey. A minority of companies are pretty open about what they’re doing, like CrowdFense or Epsilon. And finally, some companies like Zerodium are so (in)famous that everyone knows more or less what they’re doing.