The boring half of the cyber war.
The spectacular hand gets the attention and the capital. The cost lives in the other hand. Here is the evidence, and the number we built to name it.
Enterprises do not buy invulnerability. They buy defensibility.
No serious company in the Fortune 500 runs security on the belief that every breach can be prevented. It runs security as a business optimization problem. Which risks to reduce, transfer, accept, and whether it can prove it made defensible decisions.
AI broke the discovery bottleneck. The validation bottleneck is still human.
Discovery scaled by an order of magnitude. The people doing downstream validation, mapping, evidence, exceptions, and proof work did not. The widening gap is the addressable cost.
The unit of new work is not the patch. It is the paperwork behind it.
Every newly visible vulnerability creates a chain: validate exploitability, map to affected suppliers, answer security questions, update risk, document the exception, and produce evidence.
One enterprise. One workstream. A forty-four-person factory.
The administrative layer is enormous and barely optimized. It is mandatory, dated, and growing faster than headcount can.
Inbound questionnaires per year for large security teams, often 200 to 400 questions each.
One insurer model showed third-party risk alone producing roughly forty-four full-time people of work.
Security services spend in 2026. The prize is the labor pool, not only the GRC software line.
The Cyber Admin Tax Index.
For every dollar of realized cyber loss, enterprises spend a multiple proving, managing, and administering security. The index is computed from run data, not surveyed.
The benchmark becomes useful when the work itself produces it.
Run the work, measure the cost, and prove the curve moving down.