The Signal

Vendor replacement is now the fastest-growing buying motion in the DoGood network. Roughly 1 in 5 priority submissions in the last 30 days name an incumbent vendor the IT leader is actively trying to replace. In December that figure was closer to 1 in 10.

The replacement language is consistent across categories. MDR providers, EDR stacks, SIEM platforms, identity tools, even hyperscaler line items. These are not budget-constrained leaders shopping for cheaper. They are leaders inside multi-year contracts who have decided the incumbent is the problem and the renewal date is the deadline. Pipeline is forming behind decisions that were made months before any RFP gets written.

From the Network

"Current vendor is up for renewal in December and we are unhappy with current solution."

— CIO, Automotive

"We currently have MDR support from a major provider, but we are in our final year and looking for replacements."

— VP of IT and CISO, Higher Education

"New VP inherited high Snowflake spend with no controls and is now reviewing the full Microsoft stack alongside it."

— IT Leader, Manufacturing (paraphrased)

Three industries. Three different incumbents. The same conclusion: the renewal is not happening.

The Context

Forrester's 2026 CISO recommendations and Info-Tech's Security Priorities 2026 both put vendor sprawl reduction at the top of the list this year. Fortra's 2025 State of Cybersecurity survey found 40% of organizations are already consolidating tools and vendors, with another 21% planning to start. Gartner pegged the broader consolidation cohort at 75% back in 2022, but the curve has steepened: the leaders who were planning are now actually moving, and they are doing it on the renewal calendar rather than waiting for budget cycles.

The headlines are catching up to what the network already knew. Every analyst report frames consolidation as a strategy. Inside the network, it shows up as something simpler. A leader naming an incumbent and saying the contract ends in nine months.

Bottom Line: When 1 in 5 buyers walk into a renewal meeting already planning to leave, the displacement window is open right now. Vendors who wait for the RFP are already late.

What to Do About It

Audit your top three security and infrastructure contracts this week. For each one, write down the renewal date, the named owner, and one honest sentence about whether the incumbent is solving the problem. If any of those sentences hedges, start the alternatives conversation now, not 60 days before the renewal.

See what your peers are evaluating before the market catches up. Get access

The CXO Brief is powered by the DoGood network — 5,000+ IT leaders sharing what they're actually working on.

Know a CIO who needs this? Forward it — they can subscribe here.

Keep Reading

© 2026 The CXO Brief.
Report abusePrivacy policyTerms of use
beehiivPowered by beehiiv