Most of what is written about cybersecurity was written about the Fortune 500. The terminology, the playbooks, the analyst frameworks, the conference keynotes — all of it assumes a world where a chief information security officer has a team, a budget, and a board that already takes the problem seriously. That world is real. It is also, for the defense industrial base, the smallest world.
The defense industrial base in the United States is, by most counts, more than three hundred thousand companies. A handful of them are primes — the names the public knows. A few thousand more are major subcontractors with mature security functions and the leverage to negotiate. The other ninety-nine percent are something else.
They are machine shops in Ohio with forty-six employees and a vault of controlled unclassified information. They are aerospace component suppliers in southern California where the IT department is one person who also handles the phone system. They are software contractors building deliverables for federal sponsors out of a co-working space, between contracts. They are exactly the kinds of small and mid-sized firms that produce most of what the defense department actually buys — and exactly the kinds of firms that the prevailing cybersecurity wisdom was not written for.
This is the asymmetry the essay below is about. It is the reason Trivega exists.
── 01 — The geography of who actually builds defense ──
The phrase "defense industrial base" is one of those terms that flatters the listener. It suggests a coordinated infrastructure of clean rooms and SCIFs and engineers in badged buildings. Some of that is true. Most of it is not.
The actual industrial base is a long tail. A 2023 Department of Defense analysis put the supplier count above three hundred thousand, with the vast majority — roughly ninety percent by company count — falling under two hundred employees. These are the companies that produce the precision parts, the firmware, the subassemblies, the test fixtures, the application software, the engineering analyses. They are the actual industrial substrate.
They are also where the threat surface is widest.
When a foreign intelligence service wants design data on a fielded weapon system, the prime contractor is not the easy target. The prime has a security operations center, mature identity governance, a dedicated counterintelligence function. The easy target is the four-person engineering firm two tiers down the supply chain that holds the same drawings under contract — and whose entire security program consists of a Microsoft 365 license and a yearly phishing training video.
The threat does not respect the org chart. It walks straight through the smallest door it can find.
This is not a hypothesis. It is the documented operating pattern of nearly every significant compromise of the defense industrial base in the last fifteen years. The breaches everyone remembers — the F-35 design data, the cleared-defense-contractor email exfiltrations, the more recent Chinese exploitation of managed service providers — all of them moved through the small and mid-sized companies first.
If you accept that premise, the policy response that has followed is strange.
── 02 — The patchwork that was sold to them ──
For the better part of a decade, the implicit answer to "how do small defense contractors get secure" has been: they should buy what the big ones buy. Just less of it.
So a forty-person machine shop ends up running an endpoint detection product designed for environments with a security operations center to consume its alerts. They end up paying for a SIEM that requires a full-time analyst to tune. They subscribe to a vulnerability scanner whose monthly reports are routed to an email address that no one opens. They have a managed service provider that handles their helpdesk and is incidentally the most overprivileged identity in their environment.
None of these are bad tools. Most are good tools. The problem is that a security program is not a sum of tools. It is the connective tissue between them. And no one has been selling the connective tissue.
What this produces, in practice, is a patchwork. The machine shop now has:
- An endpoint product — alerting on things, mostly into the void.
- A SIEM subscription — collecting logs that no one reviews.
- A vulnerability scanner — finding issues that no one prioritizes.
- An MSP — patching things, sometimes; introducing risk, regularly.
- A compliance binder — for the auditor, lovingly maintained, rarely consulted by anyone making technical decisions.
- A phishing trainer — once a year, mostly to satisfy insurance.
- A backup product — quietly failing in places no one checks.
Each line item costs money. Each one looks reasonable in isolation. Each one, individually, is a defensible procurement. Add them up and the company has spent enough to have hired a security engineer instead — and would have been substantially safer doing so.
The thing the patchwork cannot do, by construction, is tell anyone whether the company is actually defended right now. Today. This hour. Against the threats that are actually moving in the wild. That answer is not a property of any of the tools. It is a property of how they are operated together, which is the part no one bought.
── 03 — What we mean by "defense" at this scale ──
When we use the word defense at Trivega, we mean something specific and somewhat narrow. We do not mean compliance. We do not mean a posture. We mean: a continuous, evidenced answer to the question, "is this company being attacked right now, and if so, by whom, and what are we doing about it." Continuous because the threat is continuous. Evidenced because words are cheap. Answered because the question deserves an answer, not a dashboard.
This is harder than it sounds, for a company of forty. Not because the underlying technology is exotic — most of the relevant signals already exist somewhere in the environment, scattered across the patchwork. The hardness is in the integration. Pulling those signals together. Reasoning about them in the context of the company's specific assets and obligations. Generating the response. Producing the audit-grade record afterward. Doing it without a full-time staff of humans whose entire job is the doing of it.
This is the thing the prevailing cybersecurity market has not been built to provide to small defense contractors. The prevailing market has been built to sell individual tools to individual buyers, with the work of stitching left as an exercise for the reader. For a forty-person company, that exercise is not a question of capability. It is a question of capacity. They do not have the people. They will never have the people. The economics of their business will not support the people.
So either the work of stitching gets done somewhere else — by a different kind of platform, with a different economic model — or it does not get done. And the consequence of it not getting done is the steady, unbroken pattern of supply chain compromise that has characterized the past fifteen years of defense incidents.
The market did not fail because the tools were wrong. It failed because the operator was missing. — Defense for the 99 Percent
── 04 — The thesis ──
Defense for the 99 percent is what we call our orientation. It is not a tagline. It is a constraint we put on every product decision.
The constraint says: if a thing we are building only works for a company that already has a security operations center, we are building the wrong thing. If a thing we are building requires the buyer to also be the integrator, we are building the wrong thing. If a thing we are building presumes a chief information security officer at the table, we are building the wrong thing. The buyer we are building for is the controller at the machine shop, the operations lead at the engineering firm, the founder of the four-person software contractor. They are smart, they are busy, and they are not going to grow into a CISO function. They need defense that arrives operated.
That phrase — arrives operated — is the one we keep coming back to. A defense program for the 99 percent has to come with the operator already inside it. The work of stitching the signals together, of reasoning over them in context, of generating the response, of producing the evidence afterward — all of that has to be in the box. The buyer's job is to run the business. Our job is to run the defense.
Whether we succeed at this is, in the end, an empirical question. The patent-pending architecture we have built is our attempt at the answer. We will write about it, carefully, in pieces, in the essays that follow. We will not give away the parts of it that have to remain a moat. We will, however, share enough of the operating philosophy to make clear what we mean and what we don't.
For now, the only thing we want to assert is the orientation itself. Defense is not a thing the Fortune 500 has solved and the rest are merely catching up to. It is a thing the Fortune 500 has solved for itself, with the resources it has, in the shape of a program that does not generalize to the long tail. The long tail needs a different shape. Most of the people working in it already know this. They have been telling us so for years.
We are listening. This is the work.
— —