When a product reaches the end of its lifecycle, companies typically create simple tables mapping products to migration paths, target dates, and release milestones. While operationally necessary, these tables often fail to capture the complex nature of EOL decisions. As George Bernard Shaw aptly said, “The single biggest problem in communication is the illusion that it has taken place.” These simplistic EOL tables create precisely this illusion-providing the comfort of a decision framework without addressing the strategic nuances.
Consider a neighborhood bakery that supplies all baked goods to a large grocery store chain. After a change in ownership, the new bakery manager reviews the product lineup and identifies a specialty pastry that appears to be an underperforming outlier-purchased by only a single customer. With a purely product-centric analysis, discontinuing this item seems logical.
However, this pastry happens to be a signature item for the grocery chain, which purchases substantial volumes across the bakery’s entire range. When informed about the discontinuation, the grocery store explains that their customers specifically request this specialty pastry. The bakery manager refuses to reconsider, emphasizing that the product isn’t profitable enough and the production line is needed for more popular items.
A few weeks later, the bakery learns that the grocery chain has decided to replace them entirely with a new vendor capable of meeting all their needs. The interaction was handled so poorly that the grocery store, despite being a major customer, isn’t even inclined to renegotiate-they’ve moved on completely.
This scenario vividly illustrates a common but critical strategic error: viewing products in isolation rather than considering their value in customer relationships. The quantitative analysis reveals the magnitude of this mistake:
All Other Products: $680,000 annual revenue, 22% margin
Total Account Value: $692,000 annual revenue, 21% blended margin
Risk Assessment: Discontinuing the specialty pastry put $692,000 at risk, not just $12,000
Outcome: Complete loss of the account (100% revenue impact vs. the expected 1.7% impact)
The bakery manager made several critical errors that we see repeatedly in product EOL decisions. They treated each pastry as an isolated product rather than part of a larger strategic relationship. They failed to recognize the pastry’s importance to their major client. They made decisions based purely on aggregated sales data without customer segmentation. They approached the conversation without empathy or alternatives. And they prioritized immediate resource allocation while overlooking long-term consequences.
A Framework for Better Decisions
To avoid similar mistakes, organizations need a comprehensive approach that evaluates EOL decisions across dimensions that understand the whole business, here is an example of how this might work in our bakery example:
Customer relationship impact should be the primary consideration in any EOL decision, weighing approximately 40% in the overall assessment. This includes evaluating the aggregate revenue from all products with shared customers, the customer’s classification and business importance, the probability of triggering a broader portfolio review, and what C-level relationships are tied to the product.
Product economics matter but must be viewed holistically, accounting for about 25% of the decision weight. Consider the product-specific recurring revenue and growth trajectory, any “door opener” and account protection value, ongoing engineering and operations expenses, volume and complexity of support tickets, and margin trajectory over time.
Technical considerations evaluate the maintenance burden against potential disruption, weighing approximately 20% in the decision process. Assess technical debt quantification, resources allocated across engineering and support, systems that depend on this product, estimated customer transition effort, and infrastructure and stack viability.
Market position provides critical competitive context, contributing about 15% to the decision framework. Consider the percentage of customers actively using the product, strength of the unique value proposition, fit with long-term product vision, and segment growth trajectory.
Note: These % figures are really intended as examples rather than strict guidelines.
These four dimensions provide a balanced view of a product’s strategic importance beyond immediate financial metrics. The bubble chart above illustrates their relative weighting in the decision process, emphasizing the outsized importance of customer relationships.
Three Product Archetypes and How to Handle Them
Most EOL candidates fall into one of three categories, each requiring a different approach:
Strategic anchor products have high customer relationship impact despite potentially challenging economics or technical debt. Like the bakery’s specialty pastry, they may appear unprofitable in isolation but protect significant broader revenue. Organizations should retain these products despite costs, as they protect broader customer relationships and associated revenue streams, though pricing adjustments might be considered if necessary.
Legacy systems typically have balanced profiles with high technical maintenance burden but moderate customer impact. They often represent technical debt accumulated through growth. The wise approach is to modernize rather than discontinue to maintain customer relationships, creating migration paths that preserve core functionality while reducing technical debt.
True EOL candidates have low customer attachment and minimal dependency chains. Their strategic value has diminished over time as the market has evolved. These products can be considered for end-of-life treatment with appropriate migration paths and thoughtful customer communication, ensuring smooth transitions to alternatives.
The radar chart above illustrates how these three product archetypes compare across the four dimensions. Strategic anchor products show high customer relationship impact, legacy systems typically have high technical burden but moderate customer impact, and true EOL candidates score low across most dimensions.
Implementation: Making It Work in Practice
Successful EOL decisions require collaboration across the organization through a structured process. Begin with thorough data collection across all dimensions, then integrate perspectives from Sales, Customer Success, Product, Engineering, and Support. Project different transition timelines and potential impacts. Present multidimensional analysis to secure leadership alignment. Develop thoughtful communication that acknowledges the full context.
As the bakery example illustrates, EOL decisions are fundamentally about managing complex trade-offs. The framework shifts the conversation from “Should we discontinue this product?” to “What is the strategic value of this product to our customers and business?”
By moving beyond simplistic spreadsheet analysis to a multidimensional approach, organizations can make EOL decisions that enhance rather than damage customer relationships, technical architecture, and market position.
Remember Shaw’s warning about the illusion of communication. Your EOL tables may give the appearance of strategic planning, but without considering all dimensions, they’re merely operational checklists that risk overlooking critical strategic value. The true measure of EOL success isn’t operational execution but customer retention and long-term business impact.
We cannot do everything; the French have a saying, “To choose something is to renounce something.” This also holds true for Product Managers. How we choose is important, especially in a startup where resources are finite.
The larger the organization, or the more political it is, having a framework that we use for decision-making helps us both increase the chances of good decisions and defend the uncomfortable decisions that must be made.
The highest priority of a product manager is to be a good custodian of the engineering resources. This means we must ensure they have the information they need to make the right engineering investments; otherwise, we are wasting the most valuable asset in the organization.
The next highest priority is to ensure that the sales and support team has what they need to keep the funnel full. This might include marketing materials, product roadmaps, one-on-one customer engagements, or a myriad of other inputs to the sales process that enable the field to support teams to jump-start the revenue engine.
With that said, if all we do is focus on those two things, we fail. Product management is about solving a specific business problem in an elegant and timely manner. This requires research, customer interviews, designs, and roadmapping. Once we unblock engineering, sales, and support, we must shift our priority to optimizing the conversion funnel.
We need to prioritize optimizing how each stage of the sales funnel works while ensuring the existing sales, support, and engineering processes function as needed.
The path to success involves balancing immediate needs with long-term strategic goals and continually refining the process to ensure that the product not only addresses current market needs but is also positioned for future growth and success. This also requires us to continually assess, as independently as we can, how the organization is doing on these metrics so we can make sure how we prioritize evolves with the ever-changing needs of the organization.
As the product manager, you are in many respects the general manager for the business. If you get too focused on a task mindset, simply put, you will miss the forest through the trees, which for a small company can be the difference between death and success.
The Decision Engine
What makes this funnel particularly powerful is that each stage generates critical information that fuels better decision-making. As a product manager, you’re not just moving customers through stages—you’re creating a decision engine that systematically improves how you allocate resources and prioritize efforts.
When focusing on filling the funnel, every piece of messaging that resonates or falls flat gives you data that refines your market understanding. The leads that convert tell you which pain points matter most; those that don’t reveal gaps in your value proposition. This creates a natural feedback loop where better market understanding leads to more effective messaging, which generates higher-quality leads, further enhancing your understanding.
This pattern continues as prospects move toward contracts. Here, you learn precisely where your offering stands relative to alternatives. Which features accelerate decisions in your favor? What competitive gaps slow down contract signing? These insights should directly influence your product prioritization decisions, creating a virtuous cycle where enhanced differentiation speeds contract closure.
Product Design: The True Driver of Sales Velocity
Looking at our funnel, it’s tempting to see words like “quickly,” “successful,” and “renewals” as purely sales-driven metrics. In reality, these outcomes are fundamentally shaped by product decisions. Each “quickly” in our funnel represents not just a sales process optimization but a product design imperative.
Consider the pilot stage. Moving through pilot “quickly” isn’t just about sales execution—it’s about how you’ve designed the product to be deployed, configured, and integrated. A product that requires weeks of professional services to set up creates an inherent velocity constraint that no sales process can overcome. Your architectural decisions directly determine how rapidly customers can reach value.
Similarly, moving to full production quickly depends on how you’ve designed for scalability from the beginning. Does your product require painful reconfiguration when moving from pilot to production? Have you anticipated enterprise requirements for security, compliance, and integration? The deployment friction your customers experience is built into your product decisions long before the sales team encounters it.
Making customers “successful” and securing renewals are likewise outcomes of product strategy more than sales tactics. A product designed with deep customer empathy, clear use cases, and thoughtful success metrics creates its own momentum toward renewal. Conversely, even the most skilled customer success team can’t compensate for a product that doesn’t deliver measurable value aligned with the customer’s definition of success.
As a product manager, recognize that you’re designing not just features but the velocity of your entire business. Every decision that reduces friction in deployment, integration, scalability, and value realization accelerates your funnel more effectively than any sales process optimization could.
Communication: The Force Multiplier of Decision-Making
The greatest decision framework in the world fails if it remains inside your head. The biggest problem with communication is the illusion that it has occurred. As a product manager, you can never communicate too much about decisions and their rationale.
Clear communication turns good decisions into organizational alignment. When engineers understand not just what to build but why it matters to customers and the business, they make better micro-decisions during implementation. When sales understands the strategic reasoning behind a feature prioritization, they can communicate this context to customers, turning potential disappointment into a deeper relationship.
Insufficient communication of decisions and rationale inevitably leads to loss of focus and momentum. Teams begin to drift in different directions, making assumptions about priorities that may conflict with your actual intentions. You’ll find yourself having the same conversations repeatedly, wondering why people “just don’t get it.” The answer is usually that you haven’t communicated nearly as effectively as you thought.
This communication challenge often necessitates difficult conversations and realignment throughout the process. Team members may have become invested in directions that no longer align with your decisions. Having to reset expectations is uncomfortable but essential. These conversations become significantly easier when you’ve consistently communicated the decision framework and the data informing it.
Effective communication of decisions requires multiple formats and repetition. The same message needs reinforcement through documentation, presentations, one-on-ones, and team discussions. Remember that people need to hear information multiple times, in multiple contexts, before it truly sinks in. What feels like redundant overcommunication to you is often just barely sufficient for your stakeholders.
Most importantly, communicate not just the what but the why. Decisions without context are merely directives; decisions with context create learning opportunities that help your team make better autonomous choices aligned with your strategy.
Embracing Constraints
It’s worth acknowledging a fundamental truth of product management: resource constraints are inevitable regardless of your organization’s size. Even companies with seemingly infinite resources must choose where to allocate them. Google, Amazon, and Apple all discontinue products and say “no” to opportunities—size doesn’t eliminate the need for prioritization, it just changes the scale of what’s possible.
Priority conflicts and organizational challenges will always be part of the landscape you navigate. You’ll encounter competing stakeholder needs, passionate advocates for conflicting approaches, and the politics that come with any human enterprise. This isn’t a sign that something is wrong—it’s the natural state of building products in complex environments.
The key difference between effective and ineffective product managers isn’t whether they face these challenges, but how they approach them. By being transparent about the first and second-order effects of your decisions, you create trust even when stakeholders disagree with your choices. When engineering knows why you’ve prioritized feature A over feature B, they may still be disappointed but can align with the reasoning.
Perhaps most importantly, remember that few decisions are truly permanent. The best product managers maintain the humility to monitor outcomes and change course when the data suggests they should. Your decision framework should include not just how to decide, but how to recognize when a decision needs revisiting. This adaptability, coupled with transparency about your reasoning, creates the resilience necessary to navigate the inevitable twists in your product journey.
Building Decision Frameworks That Scale
As product managers, we should strive to make our analysis and decision processes repeatable and measurable. Using consistent rubrics helps ensure that the insights generated at each funnel stage don’t remain isolated events but become part of an institutional learning process.
These rubrics need not be complex—simple scoring systems for evaluating feature requests against strategic goals, or frameworks for assessing customer feedback patterns—but they should be consistent. By standardizing how we evaluate options, we create the ability to look back quarterly and yearly to assess the quality of our decision-making.
Did we ask ourselves the right questions? Did we weigh factors appropriately? Which decision frameworks yielded the best outcomes? This retrospective analysis allows us to internalize lessons and deploy improved decision processes more consistently across the organization. Over time, these rubrics become the scaffolding that supports better and faster decisions as the company grows.
Feeding the Company’s Soul
As a product manager, you are the custodian of more than just resources—you are feeding the very soul of the company. Product is where vision meets reality, where strategy becomes tangible, and where customer needs translate into business value. Each decision you make, each iteration loop you create, fuels the journey toward the company’s next milestone.
These seemingly small decisions—which feature to prioritize, which customer segment to focus on, which technical debt to address—collectively determine the trajectory of the entire organization. The funnel isn’t just a conversion mechanism; it’s the heartbeat of your business, pumping valuable insights that nourish every subsequent decision.
Your most valuable contribution isn’t the individual decisions you make, but how you architect the feedback loops that transform customer interactions into organizational learning. By systematically capturing and applying these insights, you create not just a product but an ever-evolving organism that adapts and thrives in changing conditions.
Remember that in a startup, the line between success and failure is often razor-thin. Your ability to make good decisions, informed by these iteration loops, may be the difference between reaching that next funding milestone or running out of runway. You’re not just building a product—you’re charting the course that determines whether your company reaches its destination or disappears beneath the waves.
What took the telecommunications industry a century to experience—the full evolution from groundbreaking innovation to commoditized utility status—cloud computing is witnessing in just 15 years. This unprecedented compression isn’t merely faster; it represents a significant strategic challenge to cloud providers who believe their operational expertise remains a durable competitive advantage.
The historical parallel is instructive, yet nuanced. While telecom’s path offers warnings, cloud providers still maintain substantial advantages through their physical infrastructure investments and service ecosystems.
Telecom’s Transformation: Lessons for Cloud Providers
In 1984, AT&T was the undisputed titan of American business—a monopolistic giant controlling communication infrastructure so vital that it was deemed too essential to fail. Its operational expertise in managing the world’s most complex network was unmatched, its infrastructure an impenetrable competitive moat, and its market position seemingly unassailable.
Four decades later, telecom companies have been substantially transformed. Their networks, while still valuable assets, no longer command the premium they once did. The 2024 Salt Typhoon cyberattacks revealed vulnerabilities in these once-impregnable systems—targeting nine major US telecom providers and compromising systems so thoroughly that the FBI directed citizens toward encrypted messaging platforms instead of traditional communication channels.
This transformation contains critical lessons for today’s cloud providers.
Telecom’s journey followed a predictable path:
Innovation to Infrastructure: Pioneering breakthroughs like the telephone transformed into sprawling physical networks that became impossible for competitors to replicate.
Operational Excellence as Moat: By mid-century, telecom giants weren’t just valued for their copper wire—their ability to operate complex networks at scale became their true competitive advantage.
Standardization and Erosion: Over decades, standardization (TCP/IP protocols) and regulatory action (AT&T’s breakup) gradually eroded these advantages, turning proprietary knowledge into common practice.
Value Migration: As physical networks became standardized, value shifted to software and services running atop them. Companies like Skype and WhatsApp captured value without owning a single mile of cable.
Security Crisis: Commoditization led to chronic underinvestment, culminating in the catastrophic Salt Typhoon vulnerabilities that finally shattered the public’s trust in legacy providers.
Cloud providers are accelerating through similar phases, though with important distinctions that may alter their trajectory.
Cloud’s Compressed Evolution: 7x Faster Than Telecom
The cloud industry is experiencing its innovation-to-commoditization cycle at hyperspeed. What took telecom a century is unfolding for cloud in approximately 15 years—a roughly 7-fold acceleration—though the endgame may differ significantly.
Consider the timeline compression:
What took long-distance calling nearly 50 years to transform from premium service to essentially free, cloud storage accomplished in less than a decade—with prices dropping over 90%.
Features that once justified premium pricing (load balancing, auto-scaling, managed databases) rapidly became table stakes across all providers.
APIs and interfaces that were once proprietary differentiators are now essentially standardized, with customers demanding cross-cloud compatibility.
This accelerated commoditization has forced cloud providers to rely heavily on their two enduring advantages:
Massive Infrastructure Scale: The capital-intensive nature of global data center networks
Operational Excellence: The specialized expertise required to run complex, global systems reliably
The first advantage remains formidable—the sheer scale of hyperscalers’ infrastructure represents a massive barrier to entry that will endure. The second, however, faces new challenges.
The Evolving Moat: How AI is Transforming Operational Expertise
Cloud providers’ most valuable operational asset has been the expertise required to run complex, distributed systems at scale. This knowledge has been nearly impossible to replicate, requiring years of specialized experience managing intricate environments.
AI is now systematically transforming this landscape:
AI-Powered Operations Platforms: New tools are encapsulating advanced operational knowledge, enabling teams to implement practices once reserved for elite cloud operations groups.
Cross-Cloud Management Systems: Standardized tools and AI assistance are making it possible for organizations to achieve operational excellence across multiple cloud providers simultaneously—an important shift in vendor dynamics.
Democratized Security Controls: Advanced security practices once requiring specialized knowledge are now embedded in automated tools, making sophisticated protection more widely accessible.
AI is transforming operational expertise in cloud computing. It isn’t eliminating the value of human expertise but rather changing who can possess it and how it’s applied. Tasks that once took years for human operators to master can now be implemented more consistently by AI systems. However, these systems have important limitations that still require human experts to address. While AI reduces the need for certain routine skills, it amplifies the importance of human experts in strategic oversight, ensuring that AI is used effectively and ethically.
The New Infrastructure Reality: Beyond Provider Lock-In
The fundamental value of cloud infrastructure isn’t diminishing—in fact, with AI workloads demanding unprecedented compute resources, the physical footprint of major providers becomes even more valuable. What’s changing is the level of provider-specific expertise required to leverage that infrastructure effectively.
The Multi-Cloud Opportunity
AI-powered operations are making multi-cloud strategies increasingly practical:
Workload Portability: Organizations can move applications between clouds with reduced friction
Best-of-Breed Selection: Companies can choose optimal providers for specific workloads
Cost Optimization: Customers can leverage price competition between providers more effectively
Risk Mitigation: Businesses can reduce dependency on any single provider
This doesn’t mean companies will abandon major cloud providers. Rather, they’ll be more selective about where different workloads run and more willing to distribute them across providers when advantageous. The infrastructure remains essential—what changes is the degree of lock-in.
The New Challenges: Emerging Demands on Cloud Operations
As operational advantages evolve, cloud providers face several converging forces that will fundamentally reshape traditional models. These emerging challenges extend beyond conventional scaling issues, creating qualitative shifts in how cloud infrastructure must be designed, managed, and secured.
The Vibe Coding Revolution
“Vibe coding” transforms development by enabling developers to describe problems in natural language and have AI generate the underlying code. This democratizes software creation while introducing different infrastructure demands:
Applications become more dynamic and experimental, requiring more flexible resources
Development velocity accelerates dramatically, challenging traditional operational models
Debugging shifts from code-focused to prompt-focused paradigms
As newer generations of developers increasingly rely on LLMs, critical security challenges emerge around software integrity and trust. The abstraction between developer intent and implementation creates potential blind spots, requiring governance models that balance accessibility with security.
Meanwhile, agentic AI reshapes application deployment through autonomous task orchestration. These agents integrate disparate services and challenge traditional SaaS models as business logic migrates into AI. Together, these trends accelerate cloud adoption while creating challenges for conventional operational practices.
The IoT and Robotics Acceleration
The Internet of Things is creating unprecedented complexity with over 30 billion connected devices projected by 2026. This expansion fragments the operational model, requiring seamless management across central cloud and thousands of edge locations. The boundary between edge and cloud creates new security challenges that benefit from AI-assisted operations.
Robotics extends this complexity further as systems with physical agency:
Exhibit emergent behaviors that weren’t explicitly programmed
Create operational challenges where physical and digital domains converge
Introduce security implications that extend beyond data protection to physical safety
Require real-time processing with strict latency guarantees that traditional cloud models struggle to address
The fleet management of thousands of semi-autonomous systems requires entirely new operational paradigms that bridge physical and digital domains.
The AI Compute Demand
AI training and inference are reshaping infrastructure requirements in ways that differ fundamentally from traditional workloads. Large language model training requires unprecedented compute capacity, while inference workloads demand high availability with specific performance characteristics. The specialized hardware requirements create new operational complexities as organizations balance:
Resource allocation between training and inference
Specialized accelerators with different performance characteristics
Cost optimization as AI budgets expand across organizations
Dynamic scaling to accommodate unpredictable workload patterns
These represent fundamentally different resource consumption patterns that cloud architectures must adapt to support—not simply larger versions of existing workloads.
The Security Imperative
As systems grow more complex, security approaches must evolve beyond traditional models. The attack surface has expanded beyond what manual security operations can effectively defend, while AI-powered attacks require equally sophisticated defensive capabilities. New security challenges include:
Vibe-coded applications where developers may not fully understand the generated code’s security implications
Robotics systems with physical agency creating safety concerns beyond data protection
Emergent behaviors in AI-powered systems requiring dynamic security approaches
Compliance requirements across jurisdictions demanding consistent enforcement at scale
Current cloud operations—even with elite human teams—cannot scale to these demands. The gap between operational requirements and human capabilities points toward AI-augmented security as the only viable path forward.
The Changing Competitive Landscape: A 5-10 Year Horizon
Over the next 5-10 years, these technological shifts will create significant changes in the cloud marketplace. While the timing and magnitude of these changes may vary, clear patterns are emerging that will reshape competitive dynamics, pricing models, and value creation across the industry.
Value Migration to Orchestration and Agentic Layers
Just as telecom saw value shift from physical networks to OTT services, cloud is experiencing value migration toward higher layers of abstraction. Value is increasingly found in:
Multi-cloud management platforms that abstract away provider differences
AI-powered operations tools that reduce the expertise barrier
Specialized services optimized for specific workloads or regulatory regimes
AI development platforms that facilitate vibe coding approaches
Agentic AI systems that can autonomously orchestrate tasks across multiple services
Hybrid SaaS/AI solutions that combine traditional business logic with intelligent automation
This doesn’t eliminate infrastructure’s value but alters competitive dynamics and potentially compresses margins for undifferentiated services. As Chuck Whitten noted regarding agentic AI’s impact on SaaS: “Transitions lead not to extinction but to transformation, adaptation, and coexistence.”
Increased Price Sensitivity for Commodity Services
As switching costs decrease through standardization and AI-powered operations, market dynamics shift significantly. We’re seeing:
Basic compute, storage, and networking becoming more price-sensitive
Value-added services facing more direct competition across providers
Specialized capabilities maintaining premium pricing while commoditized services face margin pressure
This creates a strategic landscape where providers must carefully balance commoditized offerings with differentiated services that address specific performance, security, or compliance requirements.
The Rise of Specialized Clouds
The market is evolving toward specialization rather than one-size-fits-all solutions. Three key categories are emerging:
Industry-specific clouds optimized for particular regulatory requirements in healthcare, finance, and government
Performance-optimized environments for specific workload types like AI, HPC, and real-time analytics
Sovereignty-focused offerings addressing geopolitical concerns around data governance and control
These specialized environments maintain premium pricing even as general-purpose computing becomes commoditized, creating opportunities for focused strategies that align with specific customer needs.
Salt Typhoon as a Cautionary Tale
The telecom industry’s commoditization journey reached a critical inflection point with the 2024-2025 Salt Typhoon cyberattacks. These sophisticated breaches targeted nine major US telecommunications companies, including giants like Verizon, AT&T, and T-Mobile, compromising sensitive systems and exposing metadata for over a million users. This crisis revealed how commoditization had led to chronic underinvestment in security innovation and resilience.
The aftermath was unprecedented: the FBI directed citizens toward encrypted messaging platforms as alternatives to traditional telecommunication—effectively steering users away from legacy infrastructure toward newer, more secure platforms. This government-endorsed abandonment of core telecom services represented the ultimate consequence of commoditization. Just as commoditization eroded telecom’s security resilience, cloud providers risk a similar fate if they grow complacent in an increasingly standardized market.
While cloud providers currently prioritize security more than telecom historically did, the Salt Typhoon incident illustrates the dangers of underinvestment in a commoditizing field. With innovation cycles compressed roughly 7-fold compared to telecom—meaning cloud technologies evolve at a pace telecom took decades to achieve—they have even less time to adapt before facing similar existential challenges. As AI agents and orchestration platforms abstract cloud-specific expertise—much like telecom’s reliance on standardized systems—security vulnerabilities could emerge, mirroring the weaknesses Salt Typhoon exploited.
Stakeholder Implications
The accelerating commoditization of cloud services transforms the roles and relationships of all stakeholders in the ecosystem. Understanding these implications is essential for strategic planning.
For Operations Teams
The shift from hands-on execution to strategic oversight represents a fundamental change in skill requirements. Engineers who once manually configured infrastructure will increasingly direct AI systems that handle implementation details. This evolution mirrors how telecom network engineers transitioned from hardware specialists to network architects as physical infrastructure became abstracted.
Success in this new paradigm requires developing expertise in:
AI oversight and governance
Cross-cloud policy management
Strategic technology planning
Risk assessment and mitigation
Rather than platform-specific implementation knowledge, the premium skills become those focused on business outcomes, security posture, and strategic optimization.
For Customers & End Users
The democratization of operational expertise through AI fundamentally transforms the customer’s role in the cloud ecosystem. Just as telecom users evolved from passive consumers of fixed telephone lines to active managers of their communication tools, cloud customers are transitioning from consumers of provider expertise to directors of AI-powered operations.
Enterprise teams no longer need specialized knowledge for each platform, as AI agents abstract away complexity. Decision-making shifts from “which cloud provider has the best expertise?” to “which orchestration layer best manages our multi-cloud AI operations?” This democratization dramatically reduces technical barriers to cloud migration and multi-cloud strategies, accelerating adoption while increasing provider switching frequency.
For Security Posture
The Salt Typhoon breach offers a sobering lesson about prioritizing efficiency over security innovation. The democratization of operational expertise through AI creates a paradox: security becomes both more challenging to maintain and more essential as a differentiator.
Organizations that can augment AI-driven security with human expertise in threat hunting and response will maintain an edge in an increasingly commoditized landscape. Without this focus, cloud providers risk becoming the next victims of a Salt Typhoon-scale breach that could potentially result in similar government recommendations to abandon their services for more secure alternatives.
For the Industry as a Whole
The drastic compression of innovation cycles means even foundational assets—massive infrastructure and deep operational expertise—face unprecedented pressure. Cloud providers must simultaneously integrate new AI capabilities while preserving their core strengths.
The rapid emergence of third-party orchestration layers is creating a new competitive battleground above individual clouds. This mirrors how over-the-top services disrupted telecom’s business model. Cloud providers that fail to adapt to this new reality risk following the path of telecom giants that were reduced to “dumb pipes” as value moved up the stack.
The Strategic Imperative: Evolution, Not Extinction
Cloud providers face a significant strategic challenge, but not extinction. The way forward requires evolution rather than entrenchment, with four key imperatives that can guide successful adaptation to this changing landscape. These strategies recognize that cloud’s value proposition is evolving rather than disappearing.
Embrace AI-Enhanced Operations
Providers that proactively integrate AI into their operational models gain significant advantages by:
Delivering higher reliability and security at scale
Reducing customer operational friction through intelligent automation
Focusing human expertise on high-value problems rather than routine tasks
Creating self-service experiences that democratize capabilities while maintaining differentiation
The competitive advantage comes not from simply adopting AI tools, but from reimagining operations with intelligence embedded throughout the stack—transforming how services are delivered, monitored, and optimized.
Lead the Multi-Cloud Transition
Rather than resisting multi-cloud adoption, forward-thinking providers are positioning themselves to lead this transition by:
Creating their own cross-cloud management capabilities
Optimizing for specific workloads where they excel
Developing migration paths that make them the preferred destination for critical workloads
Building partnership ecosystems that enhance their position in multi-cloud environments
The goal is becoming the strategic foundation within a multi-cloud strategy, rather than fighting against the inevitable trend toward workload distribution and portability.
Invest in Infrastructure Differentiation
Physical infrastructure remains a durable advantage when strategically positioned. Differentiation opportunities include:
Specialization for emerging workloads like AI
Optimization for performance characteristics that matter to key customer segments
Strategic positioning to address sovereignty and compliance requirements
Energy efficiency design in an increasingly carbon-conscious market
Architecture to support real-time processing demands of robotics and autonomous systems
Ultra-low latency capabilities for mission-critical applications
Infrastructure isn’t becoming irrelevant—it’s becoming more specialized, with different characteristics valued by different customer segments.
Develop Ecosystem Stickiness
Beyond technical lock-in, providers can build lasting relationships through ecosystem investments:
Developer communities that foster innovation and knowledge sharing
Education and certification programs that develop expertise
Partner networks that create business value beyond technical capabilities
Industry-specific solutions that address complete business problems
This ecosystem approach recognizes that relationships and knowledge investments often create stronger bonds than technical dependencies alone, leading to more sustainable competitive advantages over time.
The Path Forward: Three Strategic Options
Cloud providers have three strategic options to avoid the telecom commoditization trap as I see it right now:
Vertical integration into industry-specific solutions that combine infrastructure, expertise, and deep industry knowledge in ways difficult to commoditize. This approach focuses on value creation through specialized understanding of regulated industries like healthcare, finance, and government.
Specialization in emerging complexity areas where operational challenges remain high and AI assistance is still developing. These include domains like quantum computing, advanced AI training infrastructure, and specialized hardware acceleration that resist commoditization through continuous innovation.
Embracing the orchestration layer by shifting focus from infrastructure to becoming the universal fabric that connects and secures all computing environments. Rather than fighting the abstraction trend, this strategy positions providers at the center of the multi-cloud ecosystem.
Conclusion
Cloud providers face a clear choice, continue investing solely in operational excellence that is gradually being democratized by AI, or evolve their value proposition to emphasize their enduring advantages while embracing the changing operational landscape.
For cloud customers, the message is equally clear: while infrastructure remains critical, the flexibility to leverage multiple providers through AI-powered operations creates new strategic options. Organizations that build intelligence-enhanced operational capabilities now will gain unprecedented flexibility while potentially reducing costs and improving reliability.
The pattern differs meaningfully from telecom. While telecommunications became true commodities with minimal differentiation, cloud infrastructure maintains significant differentiation potential through performance characteristics, geographic distribution, specialized capabilities, and ecosystem value. The challenge for providers is to emphasize these differences while adapting to a world where operational expertise becomes more widely distributed through AI.
The time to embrace this transition isn’t in some distant future—it’s now. Over the next 5-10 years, the providers who recognize these shifts early and adapt their strategies accordingly will maintain leadership positions, while those who resist may find their advantages gradually eroding as customers gain more options through AI-enhanced operations.
The evolution toward AI-enhanced operations isn’t just another technology trend—it’s a significant shift in how cloud value is created and captured. The providers who understand this transformation will be best positioned to thrive in the next phase of cloud’s rapid evolution.
When selling security solutions to enterprises, understanding who makes purchasing decisions is critical to success. Too often, security vendors aim their messaging at the wrong audience or fail to recognize how budget authority flows in organizations. This post tries to break down the essential framework for understanding enterprise security buyer dynamics.
While this framework provides a general structure for enterprise security sales, industry-specific considerations require adaptation. Regulated industries like healthcare, finance, and government have unique compliance requirements, longer approval cycles, and additional stakeholders (e.g., legal, risk committees).
The Buyer Hierarchy
The first key concept to understand is the buyer hierarchy in enterprise security.
Figure 1: The Buyer Hierarchy
This pyramid structure represents who typically makes purchasing decisions at different price points:
At the base of the pyramid are Security and IT Managers. These individuals make most purchase decisions, particularly for:
Standard solutions with established budget lines
Renewals of existing products
Smaller ticket items
Solutions addressing immediate operational needs
Moving up the pyramid, we find Security and IT Directors who typically approve:
Larger deals requiring more significant investment
In security sales, it’s crucial to distinguish between two key players:
The Champion: This person is chartered to solve the problem. They’re typically your main point of contact and technical evaluator – often a security engineer, DevOps lead, or IT admin. They’ll advocate for your solution but rarely control the budget.
The Buyer: This is the person who owns the budget. Depending on the size of the deal, this could be a manager, director, or in some cases, the CISO. They make the final purchasing decision.
Understanding this dynamic is critical. Too many sales efforts fail because they convinced the champion but never engaged the actual buyer.
The Budget Factor
Another critical dimension is whether your solution is:
Pre-budgeted: Already planned and allocated in the current fiscal year
Unbudgeted: Requires new budget allocation or reallocation from other initiatives
Figure 2: Budgetary Timing Diagram
This distinction dramatically impacts who needs to approve the purchase. Unbudgeted items almost always require higher-level approval – typically at the CISO level for any significant expenditure, as they have the authority to reallocate funds or tap into contingency budgets.
The Cross-Organizational Challenge
A critical dimension often overlooked in enterprise security sales is cross-organizational dynamics.
When security purchases span multiple departments (e.g., budget from Compliance, implementation by Engineering), the buyer hierarchy becomes more complex. Moving funds between departmental budgets often requires executive approval above the standard buyer level.
Different departments operate with separate success metrics, priorities, and approval chains. What solves one team’s problems may create work for another with no benefit to their goals. These cross-organizational deals typically extend sales cycles by 30-50%.
For vendors navigating these scenarios, success depends on mapping all stakeholders across departments, creating targeted value propositions for each group, and sometimes elevating deals to executives who can resolve cross-departmental conflicts.
The Cost of Sale Framework
As solutions become more enterprise-focused, the cost of sale increases dramatically.
Figure 3: Cost of Sale Diagram
This framework illustrates a critical principle: The cost of sale must be aligned with the buyer level.
For solutions with a higher cost of sale (requiring more sales personnel time, longer sales cycles, more supporting resources), vendors must sell higher in the organization to ensure deal sizes justify these costs.
Key components affecting cost of sale include:
Sales personnel salary
Number of accounts per sales rep
Sales cycle length
Supporting resources required
This explains why enterprise security vendors selling complex solutions must target the CISO budget – it’s the only way to recoup their significant cost of sale.
Relationship Dynamics and Timing Considerations
While understanding the buyer hierarchy is essential, most successful enterprise security deals don’t happen solely through identifying the right level in an organization.
Figure 4: Cost of Sale Diagram
Two critical factors often determine success:
Relationship Development: Successful sales rarely happen in a transactional manner. They require:
Building trust through consistent value delivery before the sale
Understanding the internal politics and relationships between champions and buyers
Developing multiple organizational touchpoints beyond just the champion
Recognizing the personal career motivations of both champions and buyers
Timing Alignment: Even perfect solutions fail when timing is wrong:
Budget cycle alignment is critical – engage 3-6 months before annual planning
Crisis or incident response periods can accelerate purchases or freeze them
Organizational changes (new leadership, restructuring) create both opportunities and risks
Regulatory deadlines often drive urgent security investments
The most effective security vendors don’t just target the right level in the hierarchy – they strategically time their engagements and invest in relationship development that transcends organizational charts.
Practical Application
For security vendors, this framework provides practical guidance:
Know your buyer level: Based on your solution’s price point and complexity, identify your primary buyer persona (Manager, Director, or CISO)
Target champions appropriately: Ensure your technical messaging resonates with the people who will evaluate and champion your solution
Align marketing to both: Create distinct messaging for champions (technical value) and buyers (business value)
Understand the budget cycle: Time your sales efforts to align with budget planning for better success with larger deals
Match sales approach to cost structure: Ensure your go-to-market approach and resources match your cost of sale
By aligning your sales and marketing efforts with these buyer dynamics, you’ll significantly improve your efficiency and close rates in the enterprise security market.
Ever been in a meeting where someone drops terms like “TEE,” “TPM,” or “FIPS-certified” and everyone nods along, pretending they understand? Yeah, me too.
“Some discussions would be so much easier if people knew the definitions of ‘TEE’, ‘TPM’, ‘Secure element’, ‘Secure enclave’, ‘HSM’, ‘Trusted computing’, ‘FIPS(140-2/3)-certified’, ‘Common criteria’, ‘security target’, etc. Plus now the marketing-oriented term ‘confidential computing’ is used to mean a variety of things with varying security properties.”
He’s right – the security tech space is a mess of overlapping terms, marketing buzzwords, and genuine technical concepts. So I threw together a guide to sort this stuff out.
What’s Actually Different Between These Things?
At their core, these technologies do three things:
Minimize what code you need to trust (the TCB)
Create isolation between different parts of a system
Establish trust across different machines
A TPM is not the same as a TEE. Intel SGX is not identical to AMD SEV. And no, slapping “FIPS-certified” on your product doesn’t automatically make it secure.
The Real-World Impact
When your vendor says they use “Confidential Computing,” do you know what that actually means for your data? Could be anything from “your data is encrypted in memory” to “we’ve got a fancy marketing term for standard virtualization.”
The differences matter. A secure element in your phone has around 10-50KB of trusted code. A standard Linux kernel? About 27.8 MILLION lines. One of these is much easier to secure than the other.
When Things Break
Even the most certified security tech fails. Hardware Security Modules (HSMs) with FIPS 140-2 certification—supposedly the gold standard for cryptographic security—have been compromised by design flaws. Look at the 2015 Safenet HSM vulnerability where API flaws in the PKCS#11 interface allowed full key extraction. Attackers with authenticated access could exploit weak key derivation mechanisms to extract the very keys the HSM was designed to protect.
Bottom line: No security technology is perfect. Each has its place, limitations, and potential failure modes.
As Winston Churchill observed, “He who fails to plan is planning to fail.” Understanding what’s under the hood of these technologies isn’t just academic—it’s essential for building systems that can actually withstand the threats they’ll face.
The evolution of technology operations has always been driven by necessity. From the early days of single system operators (sysops) managing physical servers through hands-on intervention, to today’s complex landscape of distributed microservices, containers, and serverless functions, each operational paradigm shift has emerged to address growing complexity.
The Journey of Operational Evolution
From the hands-on Sysops era of the 1960s-80s when operators physically managed as as little as few to 10s of servers each, to the System Administration period of the 1990s when centralized tools expanded reach to hundreds of systems, technology operations have continuously transformed. DevOps emerged in the mid-2000s, leveraging Infrastructure as Code to manage thousands of systems, followed by SRE practices in the 2010s with error budgets and self-healing systems handling tens of thousands of containers. Looking ahead to 2025, AI-Driven Operations promises autonomous management of millions of components.
Each transition has been driven by necessity – not choice – as technology’s relentless complexity has overwhelmed previous operational models.
The Machine Concept Has Transformed
What’s particularly interesting is how we use the word “machine” has changed dramatically. In the early days, machines were physical servers with stable operating systems and predictable maintenance schedules. Today, with serverless computing, the very concept of a server has become fluid – functions materialize only when triggered, often lasting mere seconds before vanishing.
This ephemeral nature of modern computing creates unprecedented coordination challenges that exceed manual and even moderate automation approaches to management.
The Limits of Current Approaches
Even advanced DevOps and SRE practices are struggling with the scale and complexity of today’s systems. Many vendors have responded by adding AI or ML features to their products, but these “bolt-on” enhancements only provide incremental benefits – analyzing logs, detecting anomalies, or generating suggestions for known issues.
What’s needed is a more fundamental reimagining of operations, similar to how cloud-native architectures transformed infrastructure beyond simple virtualization.
AI-Native: A New Operational Paradigm
An AI-native platform isn’t just software that applies ML algorithms to operational data. It’s a new foundation where intelligence is deeply integrated into orchestration, observability, security, and compliance layers.
In these systems:
Instrumentation is dynamic and context-aware
Security is adaptive, learning normal communication patterns and immediately flagging and in even some cases quarantining anomalous processes
Compliance shifts from periodic audits to continuous enforcement
The timeline above illustrates how each operational era has enabled engineers to manage exponentially more systems as complexity has grown.
This diagram shows the widening gap between human management capacity and system complexity, which AI-native operations will ultimatley address.
The Human Role Transforms, Not Disappears
Rather than eliminating jobs, AI-native operations redefine how engineers spend their time. As a result, we will ultimately see the concept “force multiplier engineers” who will build advanced AI-driven frameworks that amplify the productivity of all other developers.
Freed from repetitive tasks like scaling, patching, and log parsing, these professionals can focus on innovation, architecture, and strategic risk management.
The Inevitable Shift
This transition isn’t optional but inevitable. As systems become more fragmented, ephemeral, and globally distributed, conventional approaches simply can’t keep pace with the complexity.
Those who embrace AI-native operations early will gain significant advantages in reliability, security, cost-efficiency, and talent utilization. Those who hesitate risk being overwhelmed by complexity that grows faster than their capacity to manage it.
What do you think about the future of AI in operations? Are you seeing early signs of this transition in your organization? Let me know in the comments!
Imagine yourself as a pilot at 30,000 feet when an engine begins to sputter. You don’t panic—your training activates, you follow your checklist, and take control. For Certificate Authorities (CAs), incidents like misissued certificates or security breaches create similar high-stakes scenarios. They’re unexpected, critical, and unforgiving. Preparation isn’t just advisable—it’s essential. In the Web PKI world, where trust is paramount, improvisation isn’t an option.
These high-stakes scenarios aren’t rare exceptions—browser distrust events occur approximately every 1.23 years. Since 2011, over a dozen CAs have been distrusted, with poor incident response handling featuring prominently among the causes. These aren’t just statistics; they represent existential threats to CAs and the trust system underpinning secure internet communication.
Mozilla’s new CA Incident Response Requirements policy addresses a history of delayed responses, insufficient analyses, and unclear communication that has plagued the ecosystem. By incorporating Site Reliability Engineering (SRE) concepts, CAs can transform incidents into opportunities to strengthen resilience. Let’s examine the new policy, take a quick look SRE concepts and how they enhance it, and analyze real-world examples from Let’s Encrypt and DigiCert to illustrate best practices—and pitfalls to avoid.
Why the Mozilla Policy Matters: Trust at Stake
Incidents are inevitable. Whether a certificate misissuance, system failure, or security exploit, these events represent critical moments for CAs. Losing browser trust, as DigiNotar did in 2011 or Symantec by 2017, is catastrophic. One moment, you’re essential to Web PKI; the next, you’re a cautionary tale.
The evidence is clear: since 2011, CAs have experienced over 10 major incidents—averaging one every 14 months. More than half—over 57%—of these distrusts stem at least in part from delayed or mishandled responses, not just the incidents themselves. Each costs trust, revenue, or both (as DigiNotar’s bankruptcy demonstrated). The pattern reveals that your response defines you more than the incident itself. A prepared CA can recover and even strengthen its reputation. An unprepared one faces severe consequences.
Mozilla’s policy addresses the cycle of late notifications and superficial fixes that have damaged CAs previously. Structured timelines ensure transparency and accountability—essential elements for maintaining trust.
2025 Policy: Your Incident Response Framework
The new Common Incident Reporting Guidelines (effective March 2025) establish a the following framework for incident handling:
72-Hour Initial Disclosure: Three days to publicly acknowledge the issue, outline initial actions, and assess scope of impact.
14-Day Full Report: Two weeks to deliver a standardized, comprehensive Root Cause Analysis (RCA), detailed timeline, and prevention plan.
These aren’t just arbitrary deadlines—they’re designed to break the pattern of delays and ambiguity that has undermined trust in the WebPKI ecosystem. The policy establishes specific templates, report formats, and update requirements that formalize the approaches already taken by the most resilient CAs.
The requirements emphasize “candid, timely, and transparent” reporting—values that separate successful incident responses from catastrophic ones. What’s more, reports must demonstrate “a detailed understanding of root causes” and “clear, measurable explanations” of remediation actions.
The incident lifecycle follows this structure:
SRE: The Enhancement for Resilience
Mozilla provides structure, but Site Reliability Engineering (SRE)—pioneered by Google—offers tools that elevate your response. Two SRE concepts align perfectly with Mozilla’s requirements:
Automation: SRE emphasizes automating repetitive tasks. For the 72-hour disclosure, automated monitoring can identify issues immediately, while scripts—such as certificate revocation tools—activate without delay. Speed becomes your advantage.
Blameless Postmortems: The 14-day RCA isn’t about assigning blame—it’s about learning. SRE’s blameless approach investigates what failed and how to improve, converting every incident into a growth opportunity.
Automation in this case might look like this:
Together, Mozilla’s timelines and SRE’s methodologies establish a framework that’s proactive rather than reactive.
Case Studies: Preparation Demonstrated
Let’s Encrypt: Prepared When It Mattered
In 2020, Let’s Encrypt encountered a bug in their domain validation logic. Their response exemplified best practices:
Early Detection: Proactive monitoring and periodic reviews identified the issue quickly, before external parties did.
Automation in Action: They revoked 1.7 million certificates within hours due to their readiness.
Data-Driven Decisions: They were able to immediately identify which certificates had been replaced versus which were still in active use.
Transparent Communication: Regular updates and a thorough postmortem kept stakeholders informed.
Strategic Delayed Revocation: For certificates that couldn’t be immediately revoked without major disruption, they filed a separate delayed revocation incident with clear timelines.
They met CCADB’s deadlines with margin to spare and emerged stronger. Their preparation proved invaluable—and it was no coincidence. Their systems were designed from day one to handle such scenarios, with automation built into their core operations.
DigiCert: Caught Unprepared
DigiCert’s misissuance incident tells a contrasting story. An external party discovered the problem, and their response faltered:
Manual Processes: Without automation, revocations progressed slowly and required customer intervention.
Insufficient Planning: They struggled, facing subscriber resistance and legal complications, including a Temporary Restraining Order (TRO) from a customer.
Reactive Decision-Making: They initially announced a 24-hour revocation window, then extended it to 5 days as complications mounted.
Customer Impact: They did not know how many of their customers were ready to rotations, and so they had to treat everyone the same, amplifying disruption.
Design Issues: The initial fix appeared to be applied at the user interface level rather than addressing the core validation system—suggesting insufficient engineering practices.
Commercial CAs might argue their enterprise model makes automation harder than Let’s Encrypt’s, but complex customer relationships actually make preparation more critical, not less. The TRO demonstrates how business constraints amplify—rather than excuse—the need for rigorous incident readiness.
The contrast is instructive. Let’s Encrypt’s readiness maintained stability; DigiCert’s lack of preparation created vulnerability and legal complications that set a concerning precedent for the industry.
Implementing the New CCADB Requirements
To meet the new CCADB incident reporting requirements effectively, CAs should implement these eight critical capabilities:
Create Templated Response Plans: Develop standardized report templates aligned with CCADB’s new formats, with designated owners for each section.
Establish Monitoring Triggers: Implement automated monitoring that can identify potential incidents early and trigger response workflows.
Build Certificate Inventory Systems: Maintain comprehensive real-time data about certificate status, usage, and replacement to enable rapid impact assessment.
Create Tiered Revocation Capabilities: Implement automation for certificates with lifecycle management while maintaining processes for manual customers.”
Prepare customers and technology: Implement back-end changes, and work with customers to adopt systems that have been designed to meet these requirements.
Develop Blameless Postmortem Processes: Create structured processes for conducting Root Cause Analysis using methodologies like “5 Whys” and Fishbone Diagrams.
Create Revocation Automation: Implement systems to quickly revoke certificates in bulk with minimal manual intervention.
Align Legal Agreements: Ensure contracts include provisions for certificate revocations and incident response cooperation.
Test Incident Response Regularly: Conduct simulations of different incident types to ensure teams can meet the required reporting deadlines.
These systems shouldn’t be created during a crisis—they must be built, tested, and refined during normal operations to ensure they function when needed most.
Your Next Steps: Building Resilience
Ready to implement these principles? Follow this straightforward approach:
Create a Response Plan: Define roles, responsibilities, and timelines—your organization’s crisis protocol.
Automate Critical Functions: Implement detection and remediation tools—prioritize speed.
Develop Learning Processes: Conduct blameless postmortems to strengthen systems.
Prioritize Clear Communication: Share updates with stakeholders consistently, even during difficulties.
This isn’t complex—it’s disciplined. And for CAs, discipline is fundamental.
Preparation Is Essential
Incidents occur without warning. With a robust plan, automation, a learning orientation, and transparent communication, you can manage them effectively. Mozilla’s policy and Google’s SRE practices provide both structure and methodology to succeed. Let’s Encrypt demonstrated its effectiveness; DigiCert illustrated its necessity.
Don’t wait for an incident to expose weaknesses in your process. Preparation isn’t optional—it’s how you transform a crisis into an opportunity to demonstrate excellence. Plan systematically, automate intelligently, learn continuously, and you’ll build a CA that doesn’t merely survive but thrives.
Want to learn more? Mastering Incident Reporting in the WebPKI class covers mistakes and misconceptions: slides can be found here
I’ve been involved in the Web PKI since the mid-‘90s, when SSL certificates carried five- or ten-year lifetimes—long-lasting credentials for an internet still a wild west. Issuance was manual, threats were sparse, and long validity fit that quieter era. Thirty years later, we’ve fought our way to a 398-day maximum lifetime—today’s standard as of 2025—thanks in part to Apple’s bold 2020 move to enforce 398-day certificates in Safari, dragging resistant CAs into a shared ballot after years of clinging to the status quo. Yet some certificate authorities, certificate consumers, and industry holdouts still resist shorter lifetimes and tighter data reuse policies, offloading breaches, increased risk, and eroded trust onto users, businesses, and the web’s backbone. This 15-year struggle got us to 398; now it’s time to push past it.
Core Argument
The journey to shorter lifetimes spans decades. The TLS Baseline Requirements set a 60-month cap in 2010, but by 2014, internal debates among browsers and CAs ignited over whether such spans were safe as threats ballooned. Progress stalled—pushback was fierce—until Apple threw a wrench in the works. Announced earlier in 2020, effective September 2020, they declared Safari would reject certificates issued after August 31, 2020, with lifetimes exceeding 398 days, blindsiding CAs who’d dug in their heels. Only after that jolt did the CA/Browser Forum pass Ballot SC-42 in 2021, codifying 398 days as a shared requirement—proof that CAs wouldn’t budge without external force. Earlier, Ballot 185 in 2017 had proposed cutting lifetimes to 27 months, Ballot SC-22 in 2019 explored short-lived certificates, and Ballot SC-081 in 2025 is expected to reaffirm 398 days as the maximum, with a long-term target of 45–47 days by 2029 (SC-081v2). That’s 15 years of incremental progress, built on 30 years of evolution—Last time Apple’s push broke CA inertia enough to land us at 398, and I am confident without that action we would not be where we are yet. Yet risks like “Bygone SSL” linger: valid certificates staying with old domain owners after a sale, opening doors to impersonation or chaos.
Automation made this possible—and Apple’s 2020 edict accelerated it. Let’s Encrypt launched in November 2014, revolutionizing issuance with free, automated certificates; the ACME protocol, drafted then and standardized as RFC 8555 in 2019, turned renewal into a background hum. Today, CAs split into camps: fully automated players like Let’s Encrypt, Google Trust Services, and Amazon, versus mixed providers like DigiCert, Sectigo, and GlobalSign, who blend proprietary and ACME based automation with manual issuance for some. Data from crt.sh suggests over 90% of certificates now use automated protocols like ACME. Apple’s push forced CAs to adapt or lose relevance, yet many clung to old ways, agreeing to 398 only post-ballot. That lag—resisting automation and shorter spans—doesn’t just slow progress; it externalizes risk, burdening the WebPKI with overstretched certificates and outdated practices.
What Problem Are We Solving Anyway?
Well for one certificates are snapshots of a domain’s status at issuance; that 13-month span lets changes—like ownership shifts or domain compromises—linger unreflected, while 45 days would keep them current, shrinking an attacker’s window from over a year to mere weeks. “Bygone SSL” proves the point: when domains change hands, old owners can hang onto valid certificates—sometimes for years—letting them spoof the new owner or, with multi-domain certs, trigger revocations that disrupt others. History teaches us that reusing stale validation data—sometimes months old—leads to misissuance, where certificates get issued on outdated or hijacked grounds. Tighter allowed reuse periods force regular revalidation, but when CAs or companies slack, the ecosystem bears the cost: spoofed domains impersonating legit sites, breaches exposing sensitive data, and a trust system strained by systemic hits.
Browsers show us the way—back in the ‘90s, updates came on floppy disks on magazine covers, a manual slog that left users exposed until the next trip to the store; today, automatic updates roll out silently, patching holes and keeping security tight without a fuss. Certificates should mirror that: automated renewal via ACME or proprietary tools manages 398 days now and could handle 45 effortlessly, shedding the old manual grind—an incremental evolution already underway. Yet some cling to slower cycles, offloading risk—leaving the WebPKI vulnerable to their refusal to fully embrace automation’s promise. The proof’s in the pudding—Kerberos rotates 10-hour tickets daily in enterprise networks without a hitch; ACME brings that scalability to the web. Legacy systems? Centralized solutions like reverse proxies, certificate management platforms, or off-device automation bridge the gap—technical excuses don’t hold.
We’ve hit 398 days, but Zeno’s Dichotomy still grips us: advocates push for shortening, hit “not ready,” and stall at the current max—halving the gap to robust security without ever closing it. Each delay lets inertia shift risk onto the system.
Critics’ Refrain
Critics cling to familiar objections. “Legacy systems can’t handle frequent renewals”? Centralized automation—proxies, management tools, off-device solutions—proves otherwise; their inertia spills risk onto the ecosystem. “Smaller players face a competitive burden,” implying the web should shoulder that risk? Shared tools and phased transitions even the odds, yet their lag, like SHA-1’s slow death, threatens everyone. “Why not focus on revocation, DNSSEC, or key management instead”? Revocation’s a pipe dream—three decades of flops, from CRLs to OCSP, show it crumbling at scale, with privacy holes, performance drags, and spotty enforcement, as DigiNotar’s failure left unpatched clients exposed. DNSSEC and key management complement, not replace—shorter lifetimes cut exposure fast, while those build out. “It’s too rapid”? Two decades of automation—from proprietary solutions to ACME—and 15 years of debate say no; 398 days took effort, 45–47 is next. “We’re not ready”? That’s an impossible hurdle—security leaps like SHA-2 to TLS 1.3 came by diving in, not waiting, just as parents figure out diapers post-birth. Stalling at 398 doesn’t shield risk—it dumps it on the rest.
Pushing Beyond 398 Delivers Concrete Gains When Inertia’s Beaten:
Benefit
Description
Enhanced Trustworthyness
Frequent renewals keep data current, cutting misissuance—laggards can’t dump stale risks on the WebPKI.
Shorter Exploitation Window
45 days caps attacks at weeks, not 398 days—orgs can’t offload longer threats.
Lower Misissuance Risk
Tight reuse forces fresh checks, slashing errors CAs push onto the system.
Rapid Policy Transition
Quick shifts to new standards dodge inertia’s drag, keeping the PKI sharp.
Stronger Baselines
90%+ automated renewals set a secure norm—holdouts can’t undermine it.
Collective Accountability
Deadlines force modernization, ending the pass where a few’s inaction risks all.
Conclusion
Shorter lifetimes and tighter reuse periods—break the cycle: fresh data, capped risk, no more offloading. A phased, deadline-driven approach, like SC-081’s framework (targeting shorter spans by 2029 in SC-081v2), forces the industry to adapt, hones automation where needed, and drives security forward—waiting five more years just fattens the risks we’ve already outgrown.
How does inertia externalize risk in the WebPKI? When CAs lean on stale data, companies settle for 398 days, and stragglers resist progress, they turn trust into a punching bag—ripe for abuse. Thirty years in, with 398 days locked and over 90% automated, the tools sit ready—only will falters.
Zeno’s half-steps got us here, but “not ready” is a fantasy—no one masters security before the plunge, just as parents don’t ace diapers pre-birth; we’ve evolved through every shift this way. Browsers don’t wait for floppy disks anymore—certificates can’t linger on yesterday’s pace either. I’ve watched the WebPKI battle from the Wild West to now—let’s rip inertia’s grip off with deadlines that stick and lock in 45 days to forge a trust that outlasts the past’s failures.
I’ve been mulling over what security might look like ten years from now, especially as AI-based workloads and robotics take on bigger roles. Growing up, I’d hear my father talk about his work on communication satellites, where triple redundancy was his way of seeing risk managed, not dodged. That perspective, paired with lessons from automotive, aerospace, nuclear, and space industries, feels like a compass as we rethink security in an AI-driven age. It points us toward a future where security isn’t a rigid barrier but a digital immune system—alive, adaptive, and resilient.
Learning from the Physical World
In industries like automotive and aerospace, every piece is built to perform—and to fail without falling apart. Cars layer airbags, antilock brakes, and sensors; airplanes stack redundant systems to keep flying when one falters. Nuclear plants and space missions go deeper, with containment designs and fail-safes that tame the unthinkable. My father’s satellite work ran on this: three layers of backup meant a glitch wouldn’t kill the mission. The takeaway? Strength comes from managing risk, not avoiding it. That mindset, forged in physical systems, would be our starting point for tackling the wild unknowns ahead.
Seeing Security Like a Living Thing
The era of a fixed perimeter is over. Zero trust has rewired our thinking, but as AI powers complex workloads and human-AI robotics step into the fray, static defenses will clearly not cut it. Security is evolving further into an immune system—and we’ll finally see real adaptive defenses land. This isn’t just weak AI bolted onto old walls; it’s a stronger rethink—systems that scan for threats, learn from them, and adapt on the fly. We’re already seeing hints—AI supply chain risks, like models coming with malware, or agenetic workloads escaping containers—which will push this shift. Much like antibodies in the body, these systems won’t just block attacks but hunt for anomalies, isolate them, and strengthen themselves against the next wave. Picture a network that doesn’t wait for breaches but runs silent simulations, sniffing out weak points and patching them—or a robotic assistant that locks down if its sensors detect and confirm an anomaly, echoing the overlapping safety nets of a car or my father’s redundant circuits.
This shift matters most with AI’s wild card: emergent behavior. As systems grow more general, simple parts can spark unexpected outcomes—think of a flock of birds veering as one or a traffic jam born from a few slow cars. In AI and robotics, these surprises could turn risky fast. Drawing from aerospace and nuclear design, we can bake in safety—redundancy, real-time monitoring, adaptive controls—so the system acts like an immune response, spotting odd patterns and neutralizing them before they spread. By 2035, this could redefine security for not just AI but all critical infrastructure—power grids, finance, healthcare, robotic fleets—marrying physical resilience with digital smarts.
How It Holds Everything Together
Resilience beats perfection every time—systems that bend, learn, and bounce back are what endure. Right now, our tech is a messy mix of old and new, full of cracks where risks hide. A digital immune system faces that head-on, and its role only grows as AI and robotics weave deeper into society. With workloads and machines going vertical—powering healthcare, governance, daily life—security becomes the thread holding it together, fast enough to let us steer it toward securing what matters, not just patching what’s broken. Picture a corporate network that senses a phishing attempt, quarantines it like a virus, then “vaccinates” itself by updating defenses everywhere—all while leaving a clear trail to prove what happened. Or a smart city where traffic, power, and robotic responders hum with AI-driven immunity—self-correcting, redundant, and naturally spitting out the artifacts needed to meet compliance obligations, not as an afterthought.
Where It’s All Heading
As we leave perimeter defenses behind for systems secure by design, the wisdom of automotive, aerospace, nuclear, and space industries lights the way. Fusing their lessons with an AI-driven immune system, we’ll build technology that’s tough, trustworthy, and ahead of the curve—keeping problems from spilling outward. Security won’t be static; it’ll be a pattern that keeps adjusting. My father used to say, “If you want to change the world, you have to see it as it is first.” Seeing our systems clearly—flaws and all—is how we’ll shape a future where they don’t just endure uncertainty but thrive in it.
My grandfather’s love of science fiction was his portal to tomorrow’s world—and it became mine. Together we’d pore over books like Asimov’s I, Robot, imagining futures shaped by machines. In the 1940s, when Asimov explored the complexities of artificial intelligence and human-robot relationships, it was pure speculation. By the 2000s, Hollywood had adapted these ideas into films where robots went rogue. Now, in the 2020s, the narrative has flipped—The Creator (2023) depicts a future where humanity, driven by fear, attempts to exterminate all AI. Unlike Asimov’s cautionary tales, where danger emerged from technology’s unintended consequences, this film casts humanity itself as the villain. This shift mirrors a broader cultural change, once, we feared what we might create; now, we fear who we have been.
As a security practitioner, this evolution gives me pause, especially as robotics and machine learning systems grow ever more autonomous. Today’s dominant approach to AI safety relies on alignment and reinforcement learning—a strategy that aims to shape AI behavior through incentives and training. However, this method falls prey to a well-known phenomenon in optimization known as Goodhart’s Law: when a measure becomes a target, it ceases to be a good measure. In the context of AI alignment, if the reward signal is our measure of success, over-optimization can lead to unintended, and often absurd, behaviors—exactly because the reward function cannot capture every nuance of our true values.
Much like early reinforcement learning schemes, Asimov’s Three Laws were a structural control mechanism—designed not to guide morality but to constrain outcomes. They, too, failed in unexpected ways when the complexity of real-world scenarios outstripped their simplistic formulations.
This raises a deeper question: If we now view ourselves as the existential threat, can we truly build AI that serves us? Or will our fears—whether of AI or of our own past—undermine the future we once dreamed of?
Today’s creators display a similar hubris. Once, we feared losing control of our inventions; now, we charge ahead, convinced that our intelligence alone can govern machines far more complex than we understand. But intelligence is not equivalent to control. While Asimov’s Three Laws attempted to impose hard limits, many modern AI safety strategies lean on alignment methods that, as Goodhart’s Law warns us, can degrade once a target is set.
This blind trust in alignment resembles our current approach to security. The slogan “security is everyone’s responsibility” was meant to foster vigilance but often dilutes accountability. When responsibility is diffuse, clear, enforceable safeguards are frequently absent. True security—and true AI governance—demands more than shared awareness; it requires structural enforcement. Without built-in mechanisms of control, we risk mistaking the illusion of safety for actual safety.
Consider containment as an illustrative example of structural control: by embedding hard limits on the accumulation of power, data, or capabilities within AI systems, we can create intrinsic safeguards against runaway behavior—much like physical containment protocols manage hazardous materials.
If we continue to see ourselves as the existential threat, then today’s creators risk designing AI that mirrors our own fears, biases, and contradictions. Without integrating true structural safeguards into AI—mechanisms designed into the system rather than imposed externally—we aren’t ensuring that AI serves us; we are merely hoping it will.
The Luddites were not entirely wrong to fear technology’s disruptive power, nor were they correct in believing they could halt progress altogether. The error lay in accepting only extremes—total rejection or uncritical adoption. Today, with AI, we face a similar dilemma. We cannot afford naïve optimism that alignment alone will save us, nor can we succumb to reactionary pessimism that smothers innovation out of fear.
Instead, we must start with the assumption that we, as humans, are fallible. Our intelligence alone is insufficient to control intelligence. If we do not design AI with structural restraint and built-in safeguards—grounded not in fear or arrogance but in pragmatic control—we risk losing control entirely. Like robust security practices, AI safety cannot be reduced to an abstract, diffuse responsibility. It must be an integral part of the system itself, not left to the vague hope that collectively we will always do the right thing.