
High Signal Security

Research ROI: Researching Red Oceans
ramimac · 2026-04-07 · via High Signal Security

Should you research what everyone else is researching? In security, the instinct is to find the novel “blue” ocean. But sometimes the most impactful work happens in crowded spaces.

Check out my prior entries in this series: "Research ROI: Floors & Ceilings" and "Research ROI: Problem, Scope, Impact".

I recently read the Harvard Business School Case Study on Wiz. One aside caught my eye:

In the early decision to pivot to a cloud security product, the Wiz team also effectively decided to enter an existing market, rather than try to create a market around a new product. The move “to a red ocean strategy was counterintuitive,” Herzberg said.

A Red Ocean strategy involves:

  • Competing in existing market space
  • Beating the competition
  • Exploiting existing demand
  • Making the value-cost trade-off
  • Aligning the whole system of a firm’s activities with its strategic choice of differentiation or low cost

It struck me that Red Oceans abound in security research. Just in recent history, I’ve seen froth around:

These Red Oceans tend to snowball. One researcher inspires another to look at the same problem, or one just barely adjacent. Companies who focus on marketing-driven-research jump in. Vendors publish derivative works - with or without citation. The regular characters push FUD: to boost their profile, sell you something, or just because they don’t know any better.

That being said, these research oceans are red for a reason! There is chum in the water.

So, how can you responsibly and successfully navigate researching in a red ocean?

There are two tricks.

The first is to identify if you have something to add by diving in. This can fall into a few categories:

  1. Ability to scale beyond state of the art. For example, expanding piecemeal research like malicious skills to an entire ecosystem.
  2. A unique perspective, often the intersection of your expertise with details. For example, applying a strong malware detection engine to a new class of tool.
  3. A differentiated right to win, often based on unique data or unique capabilities. For example, reviewing prevalence of a supply chain attack against representative data. Or using long-term data collection to perform unique retrospective analysis.
  4. A compelling narrative, often focused on real-world impact versus abstract risk. For example, I worked on a project where we investigated the Venn diagram of secrets and AI through the lens of the AI Top 50. The mechanics of the research were simple, but the target scope drove meaningful analysis and industry influence. We identified the patterns of secrets leakage in AI, and were able to identify major gaps in secrets tool coverage.

The second trick is executing with integrity once you’ve decided to wade in:

  1. Cite generously, both your inspirations and high-quality adjacent research. Do good enough work that citation doesn’t fuel insecurity.
  2. Find opportunities to collaborate, instead of duplicating work.
  3. Focus on actionable guidance, and progressing the industry. Make sure you answer the implicit question of “so what.”

The ROI of Red Oceans

Red oceans offer an opportunity for differentiation. They also offer a chance to work in conversation with competitors and the industry. The built-in audience and proven market demand mean your research can have immediate impact, but only if you bring unique value.

The trick is to avoid low-leverage follow-on research, and instead respond to the existing hype and demand with differentiated work. Know what you’re adding, execute with integrity, and focus on moving the industry forward.

Sometimes the best research isn’t about finding a novel lane, but about swimming smarter in a crowded one.