Erik Gustavson
Co-Founder and Chief Product Officer, SGNL
Sep 23, 2025

Questions that matter: How to spot security vaporware before it wastes your time

Cut through the buzzwords and get to the truth with smarter questions that reveal whether a security product actually works

What you’ll learn in this post:

  • What’s real and what’s just marketing
  • Whether the vendor can integrate with your stack
  • How to request a demo that exposes fluff
  • Which companies treat implementation like a partnership

We’re in the middle of an identity security feeding frenzy. Vendors (and their generative AI-supported marketing teams) are racing to add “agentic AI,” “zero trust,” or “ZSP” to their websites, hoping to catch your eye and your budget. Walking through the expo floor at [insert identity security conference here] is exhausting. Every booth, brochure, and website is filled with the same set of business jargon. One of our customers told me, “It takes hours to suss out what a piece of software actually does. Multiply that across all of the vendors out there and it just doesn’t scale.”

It’s easy to feel overwhelmed, and that’s not a personal failing. The reality is, there’s more information, more noise, and more shiny “solutions” in the market than any one person could possibly keep up with. New acronyms, new integrations, new claims — even experienced identity pros can struggle to separate real product capabilities from marketing spin.

Good questions are the antidote to bad answers. And in a world of overlapping toolsets and inflated promises, it’s smart to walk into a vendor conversation with a checklist designed to surface what’s real. It will save you time, headaches, and maybe lots of dollars.

This post is your guide to doing exactly that.

Here are the questions we recommend every IAM and security team keep in their back pocket when talking to vendors. Not to trip anyone up, but to quickly separate the signal from the noise.

1. Do you have product documentation I can review?

If they can’t share docs or use case guides without scheduling a call, that’s a red flag.

You’re not looking for a dissertation. You’re looking for just enough information to see how things work. The best vendors make it easy for you to understand what their system does, what it doesn’t, and how it plugs into your environment. Bonus points if they have an API reference or show how a proof-of-concept feature could be built.

2. What outcomes do you drive and how do you measure success?

Buzzwords are easy. Outcomes are harder.

If a vendor says they support “zero trust” or “agentic AI,” ask:

  • What did that mean for your customer’s environment? Give me a specific example.
  • What changed in terms of access control, risk, or operational efficiency?
  • Can I see a case study, even if it’s anonymized?

If they dodge or default to vague generalities, that tells you what you need to know.

3. What kind of problems were you built to solve, and for whom?

Every company has a center of gravity. Figure out theirs.

Some tools work well in DevOps-heavy shops. Others target IT compliance. If the use case they describe isn’t core to their platform—if it feels bolted-on—it probably is. Look at the history of the product and company. If you need a real-time orchestration engine and they’ve historically focused on point-in-time governance, there may be a mismatch.

4. Is your approach modern, or just a new label on old tech?

Technology shifts, but so do techniques. And not always for the better.

You don’t use electronic data interchange anymore; you use APIs. So ask:

  • Is this vendor proposing a fundamentally new approach?
  • Or are they dressing up legacy models in trendier language?

Sometimes, the legacy players are the ones clinging hardest to outdated models or casting doubt on new ones to protect their status quo.

5. Will your team collaborate with us during implementation — or disappear after signature?

This one’s not about tech. It’s about trust.

Security isn’t just code. It’s people. You want to know:

  • Will I get time with real engineers during onboarding?
  • Do you have support or customer success folks who understand my problems, or do they just know your product?
  • What happens when something breaks?

Choose vendors who treat implementation as a partnership, not just a line item.

6. Can you show this working in an environment that looks like mine?

You don’t need them to replicate your entire architecture. But you should expect more than a sandbox built for a happy path.

Here’s a smart way to phrase a demo request:

“Can you show me how this would work in a mid-size enterprise with Microsoft Entra, GitHub, and ServiceNow? Our main use case is time-bound privileged access to production systems.”

And while you’re at it, ask how they integrate with what you already use. Smart vendors lean in here; they know real-world deployments don’t start from scratch or operate in isolation. If integration looks fragile or requires replacing everything, that’s your answer. If they can’t walk you through it, even conceptually, you’re likely looking at vaporware. If you’re not sure, ask for a reference call with a customer who has had similar challenges.

Final thought: It’s not a game of ‘stump the chump’

You’re not trying to catch someone in a lie. You’re trying to figure out who’s real.

There are great companies out there solving real problems in identity security, especially around modern access orchestration and agentic AI. But finding them requires asking the right questions.

Look past the pitch. Push for specifics. And remember: security tools don’t operate in a vacuum. Choose vendors who act like long-term collaborators, not short-term closers.


