Client: Varonis, data security, insider risk, and email security at enterprise scale. Engagement: A Varonis Threat Labs long-form story for a practitioner audience, with sales enablement as a secondary use case. Our role: Cyberou wrote and revised the piece with Varonis and published it on the Varonis blog under their brand.
Summary
Varonis needed a cybercrime story that sales could actually send: something a skeptical security reader would finish, not a brochure dressed up as research. The ask was not “more content.” It was a single durable explanation prospects could reuse in their own heads after one read.
The published piece maps organised cybercrime as a subscription-shaped economy: recurring fees, kits, marketplaces, and brokered access, explained in language that still reads like Threat Labs. For GTM, the win is practical: one credible URL reps can paste into email or Slack when a thread turns to organised cybercrime and data risk.
- Written for practitioners first, GTM second
- Published on Varonis Threat Labs
- One link reps can drop after a call
Challenge
The awkward truth: generic “cybercrime is bad” content does not help a rep when a prospect asks how stolen data, bots, and access brokers actually fit together. The prospect is trying to build a mental model. Most vendor articles skip straight to fear, then straight to product, and leave the model empty.
Varonis wanted a piece that explains how cybercrime runs like a subscription business (monthly fees, kits, marketplaces) without sounding like marketing wrote it over a researcher’s shoulder. If it felt like a product pitch, their audience would roast it on day one, and the whole programme would become a liability instead of an asset.
Threat Labs content also carries a reputational bar. Claims need to survive scrutiny from people who spend time in abuse communities and incident response channels, not just from a friendly internal review. That constraint shaped how aggressively we could simplify without lying by omission.
Approach
We mapped the criminal economy the way an analyst would: phishing-as-a-service, OTP bots, infostealer markets, access brokers, rented malware. Then we threaded each section to what a defender can observe, not what a vendor wishes were true: signals in logs, recurring tradecraft patterns, and the economic logic that keeps the ecosystem alive.
Drafts went through Varonis review in rounds that looked like real editorial work: tighten claims, fix tone, remove anything that sounded like it was trying to win an argument instead of explain a system. The goal was publishable authority, not “hot take” engagement bait.
If you zoom in on what we were optimising for internally, it was clarity under pressure: a busy CISO skimming on a phone should still walk away with a mental model they can reuse in a meeting the same afternoon.
Results
The article shipped and stayed live: one credible URL reps can paste into email or Slack when a thread turns to organised cybercrime and data risk, without asking the reader to sit through a long walkthrough first. That was the win we were chasing.
Qualitatively, the outcome is less about a single metric on a dashboard and more about reducing friction in sales conversations. When a prospect asks “how does this underground economy actually work,” the answer becomes a link, not an improvised monologue that varies by rep.
For Threat Labs, the durable asset is the same as always: a piece that still reads cleanly months later, because it is built from structure and observation rather than from whatever was trending that week.
Source
- 5 Ways Cybercrime Has Become a Subscription Business · Varonis blog