Going deeper into layer zero: Must-know for the cyber industry insiders

Ross Haleliuk offers a provocative reframing of the cybersecurity landscape, arguing that the industry's fragmentation isn't a failure of execution but an inevitable byproduct of shifting infrastructure foundations. Rather than chasing the latest threat vector, Haleliuk suggests we look at the "layer zero"—the underlying platforms like cloud providers, operating systems, and identity managers—that dictate the rules of engagement for every other security tool. This perspective is vital for busy leaders trying to cut through the noise of 5,000+ vendors, as it explains why certain categories explode overnight while others stagnate.

The Architecture of Opportunity

Haleliuk's central thesis is that security is not a standalone product but a function of where you sit in the technology stack. He writes, "The entities best positioned to deliver real security are the ones building the core technologies." This is a sharp observation that challenges the traditional vendor mindset. Instead of trying to bolt security onto a platform, the most effective solutions are often those baked directly into the foundation by the platform owners themselves.

The author defines this foundational tier with precision: "Layer zero refers to the foundational layer of infrastructure and technology that other tools depend on. It's where control points often emerge - identity platforms, cloud service providers, and operating systems." By naming the kinds of actors that occupy this tier (cloud providers, operating system vendors, identity providers) as the true gatekeepers, Haleliuk shifts the focus from the symptoms of insecurity to the structural causes. This framing is effective because it moves the conversation away from "better tools" to "better architecture."

"For those who own layer zero, adding security is often just an architectural decision (a toggle, an API extension, a bundle, etc.), while for everyone else, namely the vendors operating on top of these platforms, delivering security becomes a negotiation with the underlying layer."

This distinction explains the power dynamic in the market. Vendors that do not own layer zero are constantly negotiating for access, whereas the platform owners can simply toggle a feature. Critics might argue that this view underestimates the agility of third-party vendors, who often innovate faster than massive conglomerates. However, Haleliuk's point about the "negotiation" dynamic holds up when we consider how often security startups are acquired or shut down when the platform owner decides to enter the space.

The Cycle of New Markets

One of the most compelling aspects of Haleliuk's analysis is the historical pattern he identifies. He notes that "Every time a new foundational layer emerges, we see the same pattern when a large number of cybersecurity companies get created to take advantage of that shift." This isn't random; it's a predictable response to new attack surfaces created by infrastructure shifts. Just as the rise of personal computers created the endpoint layer and virtualized compute created the cloud layer, Haleliuk suggests that AI is currently forming the next layer zero.

He connects this to the sheer volume of the industry, stating, "If you zoom out far enough, the 5,000+ cybersecurity vendors today aren't a sign of market inefficiency; they're a solid proof that we've had dozens of layer-zero shifts over 40 years, and each created its own cottage industry of 'missing controls.'" This is a powerful recontextualization. It suggests that the market isn't broken; it's simply reacting to decades of rapid technological evolution. This mirrors the dynamics seen in the platform economy, where every new delivery mechanism (like the browser) eventually spawns its own security ecosystem.

"When the foundation changes, thousands of new problems appear: posture, visibility, misconfigurations, gaps between old and new workflows, fragmented APIs, and inconsistent policy models."

The author argues that the explosion of vendors is a direct result of these new problems. While this is a strong structural argument, it does gloss over the issue of vendor fatigue. For security teams, the result of this "cottage industry" is often a fragmented toolset that is difficult to manage, regardless of how logical the creation of each tool may be.

Why Foundations Can't Be Secure Enough

Haleliuk tackles a common misconception: that if platforms were built with stronger security from the start, the need for external tools would vanish. He dismisses this as unrealistic, writing, "Layer zero optimizes for reliability, scale, economics, and user experience, not for the edge cases enterprises run into." This is a crucial insight for executives who might expect their cloud or OS provider to solve all their security headaches.

The argument is that layer zero providers cannot prioritize security above all else because it conflicts with their core business model. "Doubling down on security often reduces compatibility, increases support burden, and complicates core workflows, something that makes these players sell less of their core products." This trade-off is inherent to their existence. They must serve the entire world with a single architecture, which inevitably leads to generic security controls that are too shallow for complex enterprise needs.

"The majority of security problems are really misconfiguration problems (which is probably why CSPMs and identity automation products have been exploding in growth)."

This observation explains the rise of Cloud Security Posture Management (CSPM) tools. The complexity of modern infrastructure creates a gap between what the platform offers and what the enterprise needs. Haleliuk suggests that this gap is not a bug but a feature of the system. A counterargument worth considering is that as platforms mature, they are indeed becoming more secure by default, potentially shrinking the market for posture tools. However, as Haleliuk notes, the demand for flexibility in large enterprises ensures that misconfiguration will remain a persistent challenge.

The Predictable Evolution of Defense

Perhaps the most actionable part of Haleliuk's commentary is the three-step evolution he outlines for security around any new layer zero. He writes, "Step 1: Visibility and posture... Step 2: Threat detection... Step 3: Operations and incident response." This sequence is not arbitrary; it reflects the maturity of both the technology and the attackers.

He emphasizes that "history has shown that starting with runtime instead of posture for a new layer zero is a mistake." This is a critical lesson for investors and founders. When a new infrastructure layer emerges, attackers need time to understand how to exploit it. In the meantime, the immediate need is for visibility and configuration management. Haleliuk points to Wiz as a prime example, noting how they "were able to win the market despite not having all the deep-level controls that some of their competitors did on day one."

"This cycle explains why our industry is repeating the same pattern all over again, and for every new layer zero, we get posture, then detection, and then (sometimes) response tooling."

The author argues that this pattern is so consistent that it can be used to predict market winners. Companies that attach themselves to a fast-growing layer zero and follow this evolution can inherit decades of relevance. He cites CrowdStrike as a company that "needed to go super deep to observe the endpoint," which differentiated it from competitors. This depth of integration is what creates a sustainable competitive advantage.

Bottom Line

Ross Haleliuk's "layer zero" framework provides a necessary structural lens for understanding the chaotic cybersecurity market, successfully arguing that vendor proliferation is a natural response to infrastructure shifts rather than market failure. While the argument occasionally underplays the role of human error and the potential for platforms to eventually absorb more security functions, its greatest strength lies in predicting the lifecycle of new security categories. For leaders navigating this space, the verdict is clear: the most enduring opportunities lie not in fighting the platform, but in deeply embedding within the next emerging layer zero.

> "If a company can evolve into a layer zero platform, it can become a public company. I'd expand on this thought and say that another way to go public is to deeply embed into an existing layer zero, but it's that depth that creates a competitive advantage."

Deep Dives

Explore these related deep dives:

  • Platform economy

    The article's core thesis about 'layer zero' providers (AWS, Microsoft, Google) controlling foundational infrastructure is a specific manifestation of platform economics. Understanding how platforms create ecosystems, lock-in effects, and adjacent market opportunities would give readers deeper context for why security companies both depend on and compete with these providers.

  • Trusted computing base

    The concept of a trusted computing base - the minimal set of hardware, firmware, and software components critical to security - is the technical foundation underlying the 'layer zero' concept. This gives readers the formal security engineering framework for understanding why operating systems, hypervisors, and cloud platforms have unique security significance.

Sources

Going deeper into layer zero: Must-know for the cyber industry insiders

by Ross Haleliuk · Venture in Security

Several months ago, I proposed a concept that helps explain how our industry works and what the prerequisites are for a startup to become a billion-dollar company. I called this concept a “layer zero” because it is the foundation upon which everything else gets built. That article got a fantastic response and I’ve had tens of people reach out with comments and questions about it. Today, I am sharing a few additional perspectives that build on the original idea and make the picture around layer zero much clearer. A lot of the thoughts here are an outcome of a few back-and-forth messages I had with Bill Phelps after the original article came out (Bill brought some really great points that informed my own thinking and this piece). Thanks, Bill!

This issue is brought to you by… ZeroPath

Why Your SAST Tool Misses the Scariest Bugs

ZeroPath has discovered critical vulnerabilities in curl, sudo, and Next.js that every traditional SAST, SCA, and secrets scanning tool missed. These are some of the most scrutinized open source projects in the world, but legacy security tools left them exposed. Conventional appsec tools rely on pattern matching and static rules that don’t understand how your code actually works. They miss the business logic flaws, authentication bypasses, and chained vulnerabilities that matter most. Instead, ZeroPath learns your codebase like a security researcher would, understanding how repositories, services, and dependencies interact.

First, a quick recap.

To those of you who didn’t read the original piece, I highly recommend checking it out because it provides a broad overview of the idea foundational to this article. For those that did but need a quick refresher, here’s how I explained it: “…The entities best positioned to deliver real security are the ones building the core technologies. A cloud provider is logically in the best place to solve cloud security; an operating system vendor is closest to solve endpoint security; an email provider sees everything that flows through their infrastructure so they should be in the best position to solve email security; an identity provider already governs user access so they should be able to take care of identity threat detection and response effectively. These foundational providers own the systems that define how security boundaries are created, how access is enforced, and how data flows, so they have the ability to bake security in. It is these providers that I define ...