Listen to any cybersecurity tool vendor and they’ll try to convince you of two things. You need their type of product for protection and theirs is the best of breed. And most of them can be very persuasive.

The result? Lots of unused (and often unneeded) security products. It’s called tool bloat and yeah, it’s a thing. So, what can companies do to defend against purchasing too many cybersecurity products?

The Strange Nature of Cybersecurity Tools

Purchasing a cyber defense product or service is a strange thing. You only know when it’s not working. If you haven’t experienced a breach, you’re never really sure if your security products are working or hackers just haven’t gotten around to you yet.

When you do purchase a new tool, the only thing you can quantify with any certainty is the cost. And with each additional tool purchased, software costs go up, labor costs go up and training costs go up. To make matters worse, it can actually be risky to have too many tools, as each additional tool has the potential to increase your attack surface.

When it comes to cybersecurity tools, not only are there diminishing returns as the number of tools goes up, but at some point, those returns turn negative. At that point, you experience addition by subtraction.

So, what are some strategies for creating a smart security tool suite?

Strategies for Managing Security Tools

Strategy #1 Cyber Defense Matrix

The Cyber Defense Matrix “helps us understand what we need organized through a logical construct so that when we go into the security vendor marketplace, we can quickly discern what products solve what problems and be informed on what is the core function of a given product.”

The matrix is created in two dimensions: functions and assets. You fill in each cell of the matrix with either people, technology or process. As long as you don’t fill in a cell twice, you shouldn’t suffer from tool bloat.

Strategy #2 Vendor consolidation

Vendor consolidation “can be a useful antidote to an overinflated suite of security tools.” Frequently, large security vendors provide a suite of tools in a cohesive and tightly integrated platform. The idea being to avoid gaps and overlap in security coverage.

Strategy #3 Least impact

A strategy that doesn’t get mentioned often enough is what we call least impact. Find tools that don’t change the way you do business by integrating them right into what you’re already doing.

An example of this is any security product that integrates seamlessly into your CI/CD pipeline turning DevOps into DevSecOps. If chosen properly, this arrangement can almost make a tool seem invisible.

With this strategy, there’s still the cost of the tool, but many of the other costs (i.e., labor, training) aren’t there. And since a highly integrated tool plays a very specific role, it’s not likely a company will be tempted to install two of them to do the same thing. Viola. No tool bloat.

If you’re in application development, one such tool that fits the least impact bill is ThreatModeler. ThreatModeler uses automation to model threats and recommend mitigations in your applications. Oh, and it integrates seamlessly into your CI/CD pipeline. To learn more about ThreatModeler, use this contact form.


ThreatModeler revolutionizes threat modeling during the design phase by automatically analyzing potential attack surfaces. Harness our patented functionalities to make critical architectural decisions and fortify your security posture.

Learn more >


Threat modeling remains essential even after deploying workloads, given the constantly evolving landscape of cloud development and digital transformation. CloudModeler not only connects to your live cloud environment but also accurately represents the current state, enabling precise modeling of your future state

Learn more >


DevOps Engineers can reclaim a full (security-driven) sprint with IAC-Assist, which streamlines the implementation of vital security policies by automatically generating threat models through its intuitive designer.

Learn more >