CISA advisories, NIST publications, the National Vulnerability Database, MITRE ATT&CK, and CVE.org operate as a federal infrastructure layer that sits above trade journalism for vulnerability, threat, and policy queries. Below the government tier, the vendor research arms — Mandiant, CrowdStrike, Microsoft Security, Google Cloud Security, SentinelOne — function as primary publishers, with their threat reports cited above the journalism covering them.
Brian Krebs is, alone, a Retrieval Anchor — the only individual author in this sector who out-cites multiple trade outlets. The sector's weakness is in the editorial layer: Dark Reading, SC Media, and CSO Online are healthy but not leading, suppressed by the strength of the institutional and vendor tiers above them.
Vulnerability queries route to CVE.org, NVD, and CISA's Known Exploited Vulnerabilities catalog. Trade press is downstream attribution. This is the federal-infrastructure dynamic. Threat-actor queries route to vendor research (Mandiant, CrowdStrike, Microsoft, Recorded Future Insikt Group) and to MITRE ATT&CK. Trade press provides synthesis but is rarely the primary citation. Incident queries activate trade press fully — Krebs, The Record, Dark Reading, BleepingComputer, TechCrunch Security — alongside vendor incident reports and CISA advisories. Policy and regulatory queries route to CISA, SEC, NIST, ENISA, and government publications, with Lawfare and Just Security providing analysis. Technical queries route to vendor blogs (SpecterOps, CrowdStrike, Microsoft Security), Stack Exchange (Information Security), and Reddit (r/netsec, r/cybersecurity).
Cross-engine variation is meaningful: Perplexity favors Krebs and BleepingComputer; ChatGPT and Claude lean institutional (CISA, NIST, Mandiant); Google AI Overviews favors high-domain-authority trade press. Geographic dispersion: UK security press reaches U.S.-trained engines well; Israeli cyber press (despite Israel's outsized cyber industry) is underrepresented.
| Property | Score | Note |
|---|---|---|
| ENISA publications | 50 | EU cyber agency. Underrepresented in U.S. retrieval. |
| | | Individual author. Steady citation on UK-cyber and consumer-cyber. |
| | | Vendor blog. Open. |
| Risky Business (newsletter + podcast) | 50 | Industry insider. Newsletter cited; podcast less. |
| | | Q&A community. Strong on practitioner queries. |
| | | Training and research. Some paywall. |
In every B2B sector 5W has modeled, trade press is the primary retrieval tier. Cybersecurity is the exception. CVE.org, the NVD, CISA, MITRE ATT&CK, and NIST collectively operate as the federal infrastructure layer for cyber retrieval. The engines treat these as primary sources to a degree they treat no other government tier in any other sector. The HHS does not dominate pharma retrieval at this level. The Fed does not dominate fintech retrieval at this level. The EPA does not dominate energy retrieval at this level. In cyber, the U.S. government — and specifically CISA and NIST — is the press of record.
Three secondary patterns reinforce. The Vendor-Research Tier as Co-Press: Mandiant, CrowdStrike, Microsoft Security, Google Cloud Security, SentinelOne, and Recorded Future Insikt publish primary threat research cited above journalism. The Krebs Effect: Brian Krebs is the only individual author in any B2B sector 5W has modeled who reaches Retrieval Anchor tier as a one-person publication. The Community-Practitioner Bridge: Stack Exchange Information Security and r/netsec carry meaningful retrieval weight for technical queries.
The combination produces the sector's grade. The institutional and vendor tiers are exceptionally strong; the editorial tier is healthy but rarely primary; the community substrate contributes but does not dominate. B+ is the result.
220 pages. 38 sectors. The first reference work for the AI retrieval economy.