Too much cyber, too little security!

23. October 2025

The headlines are full of cyberattacks, data leaks and ransomware claims worth millions. Companies are being hit by AI-generated phishing campaigns, supply chain attacks and zero-day exploits – professionally organized and globally networked.

The security market is growing explosively, driven by NIS2, DORA, the Cyber Resilience Act and KRITIS laws. But where there is a lot of money involved, there are also providers who deliver more “cyber marketing” than security. They promise all-in-one protection and dazzle with colorful brochures and buzzwords, but deliver little in terms of expertise.

So the question is:

Fake providers like to claim that they can “check everything” – but you won’t find any technical contributions or results from them.

Real experts, on the other hand, publish:

  • CVE entries (Common Vulnerabilities and Exposures):
    Anyone who discovers vulnerabilities in common software, reports them responsibly and receives CVE IDs has demonstrable technical expertise.
  • Open source tools:
    On GitHub/GitLab you will find projects that are used, improved and evaluated by the community. This is an indication of practiced professionalism, not empty promises.

2. Expert contributions & technical depth

Fake providers fill blogs with buzzwords: AI, cloud, zero trust. It all sounds modern, but remains superficial.

Real experts publish content that has substance:

  • Exploit analyses, proof-of-concepts, technical walkthroughs
  • Practical reports from penetration tests
  • Deep dives on malware, cryptography or cloud security

Today, it’s not just the classic blog that counts: podcasts, newsletters (e.g. Risky Business), YouTube analyses or conference reports also show how deeply someone is actually into the topic.

3. Community & social media

Security thrives on exchange. Those who isolate themselves often only deliver what marketing allows.

  • X (formerly Twitter): still the source of exploits and zero-days.
  • Mastodon/Bluesky: increasingly the place to go for security researchers.
  • LinkedIn: useful, but beware: many self-promoters with “cyber” phrases.
  • Discord/Slack communities: often the place where tools are created and tested.

4. Conference and trade fair contributions

Fake providers attend conferences, take selfies and post #Cyber – but never as speakers.

Real experts speak on stages such as:

  • OffensiveCon (Berlin)
  • Troopers (Heidelberg)
  • CCC Congress (Leipzig)
  • BlackHat / DEF CON (worldwide)
  • ruhrsec (Bochum)
  • SANS Summits

Nobody presents marketing slides there; only real research, exploits and technical innovations count.

In short: an appearance can also be bought at official conferences and trade fairs. The decisive factor is:

Was the slot purchased or allocated independently by CFP/committee – and is there technical proof?
If a slot has been paid for and no technical proof is available → Alarm signal.

5. Further indications of seriousness

  • Certifications & skills: OSCP, OSCE, GIAC, CISSP, CISM are hard exams, not purchased logos.
  • Regulatory & compliance: Can the provider cover not only technology, but also NIS2, ISO 27001 or TISAX?
  • Transparency: Does the provider publish case studies, white papers and publicly comprehensible methods?
  • AI & automation: Does the provider use modern approaches (SOAR, threat hunting with ML), or is it just selling “AI cyber protection” as a buzzword?

Conclusion

In a market full of promises, it is crucial to separate technical substance from marketing show.

  • If you have no CVEs, no tools, no real contributions in the community or at conferences, you should not call yourself a “security expert”.
  • Those who publish, research, share and speak at top conferences, on the other hand, show that they have real know-how.
