What this is, how it grades, and what isn't for sale.

An independent analyst desk that grades cybersecurity vendors on go-to-market quality rather than product features. The flagship is the Kumite — vendors ranked like fighters, sorted into leagues, divisions, and weight classes, each graded against a published rubric. It's published by heretics.io, an independent operator practice.

They evaluate the product, the vision, and the ability to execute. None of them independently grades the revenue engine itself — the distribution, the positioning, the motion-to-stage fit, the capital strategy. That's the seat we took. We're complementary to the analyst incumbents, not a substitute: they tell you whether the product is good; we tell you whether the company knows how to sell it.

Every fighter is read against the GTM Exposure Index — six diagnostic dimensions (category, positioning, motion & partners, clock & capital type, competitive aim, analyst position) plus two forward axes (GTM-native moat, and how AI cuts for or against the motion). Each dimension gets a plain grade an operator signs. There is deliberately no composite vanity score — a single number invites argument and hides the read.

The metrics are real and sourced — funding, headcount, growth, traffic, and hiring data come from CybersecTools, Return on Security, and public filings, and are cited as such. The grades, belts, and verdicts are ours — editorial opinion, marked illustrative, derived from the methodology above. That split is the whole point: the data is the inventory, the judgment is the product.

No. The belt is not for sale. Sponsors can fund the arena — the stadium, the season — but they can never fund a fight or move a grade. Independence is the entire product; the moment a belt looks bought, the property is worthless. This is a hard firewall, not a courtesy.

Yes. The Challenger's Gate lets a vendor step in and submit to be scouted and graded. That's the right to be entered and read — never the right to a verdict you like. We grade what we find. If you clear eligibility but aren't in the top of your division, you sit "in the gym," visible and unranked.

Divisions are drawn at the buyer-bake-off level — where vendors actually compete head-to-head (MDR is a division; Security Operations is its league). Weight classes map to stage and capital type (VC-growth vs. PE-value vs. public), because capital dictates behavior. Eligibility requires a primary-business match and a materiality floor; only the top of each division gets ranked and carded.

It retires from active rankings and moves to the acquirer's stable, tracked on the Consolidation Board. A premium exit and a belt are won the same way — a category you own and a motion that compounds — so we grade both paths.

The GTM Exposure Index is our outside-in grading instrument — the rubric the Kumite runs on. It reads a vendor's go-to-market from signals anyone can see (funding, headcount, hiring, traffic, positioning, category, capital type), because we don't have your books. That makes it deliberately different from Revenue Governance, the inside-out operating framework heretics runs with clients once they open the ARR, budgets, and pipeline. The Index shows where a motion is exposed from the street; Revenue Governance fixes it from inside.

Grades are editorial opinion based on the stated methodology and the sourced data — reasonable people can disagree. If a fact is wrong (a funding figure, a category, a status), tell us and we'll correct it. If you want to add context to a read, submit it through the Gate; we'll weigh it. We don't trade verdicts for cooperation. See the Terms & disclaimer for how the opinions are framed.

Markets InSecurity is published by heretics.io — an independent fractional-CMO and GTM-architecture practice. The teardowns are free and public. The paid side is the firm: fractional GTM leadership, positioning and motion engagement, and GTM-quality diligence for investors. The desk and the firm share a method, not a wallet — sponsorship and engagement never touch a grade.