From the desk of someone who has had to earn every reply from scratch.
The real problem is not your subject line.
When a CISO gets an email from Pablo Alto-bar Networks, there is a baseline of credibility before they read a single word.
When they get an email from you, a vendor they have never heard of, credibility starts at zero.
In cybersecurity it can start below zero. 🙂
Unknown vendors carry suspicion by default. These are people whose job is to distrust unsolicited contact. (Trust me.)
So the question is not “how do I write a better cold email”.
The question is “how do I manufacture enough credibility in the first three seconds that someone decides not to delete this.”
Everything below is how we actually do it.
How to pre-warm accounts
If you want better reply rates, stop thinking about the email as the first touch. Treat the email as the moment you cash in work you did earlier.
The highest leverage move is making sure your name is not completely foreign when the email lands.
The obvious one: run LinkedIn sponsored content to the target account list for three to four weeks before direct outreach starts.
Not product ads. Thought leadership. A benchmark report, a research finding, a framework.
They might not click. That is fine. The impression is the point. When the SDR email arrives, your company has a chance of being vaguely recognisable rather than totally alien.
That small shift changes behaviour. It moves you from “who is this” to “I think I have seen something from them”.
Then do the second layer. Have the SDR connect on LinkedIn before emailing. No pitch in the connection request. Just connect.
If they post and you have something genuine to say, engage once. Now your email arrives attached to a face, a profile, and a real human signal. Ten minutes per account. Worth it.
The opening line is the only line that matters.
Senior security buyers do not read cold emails. They scan the first sentence, decide if it is relevant, then either continue or delete.
My best performing opening lines share one pattern. They prove you understand something specific about their world that a generic sender would not.
No:
“I hope this finds you well.”
“I noticed you are the CISO at Company.”
“We help companies like yours reduce risk.”
Yes:
“The SEC incident disclosure window is 4 business days and most GRC leads in your space are quietly panicking about it.”
“You have just crossed 3,000 employees and that is usually where identity sprawl starts outpacing the tools that were fine at 1,000.”
“You posted 3 cloud security roles last week which usually signals a gap you are trying to close. Curious what prompted it.”
Each one says: I am not blasting this to 10,000 people. I looked at your situation.
That alone drives disproportionate replies.
One hard rule in cybersecurity: never reference anything that smells like surveillance.
No “I saw you visited our site”.
No “I noticed you were researching on G2.”
Security people react viscerally to that. Stick to public signals: job posts, filings, press releases, regulatory context, industry events.
The line between “did their homework” and “this person is watching me” is thinner than you think.
The value before ask framework
Unknown brands do not get to ask for time in email one. The first email earns the right to ask later.
Here is the structure that works when you start from zero trust.
Email 1: give value with zero ask.
Send something useful: a short brief, a framework, a checklist, a specific finding. End with a line that removes friction, something like “Thought this might be relevant given what you are navigating. No response needed.”
That phrasing reduces pressure and often increases replies because it feels like a gift, not a trap.
Email 2, 7 days later: light follow-up and one more deposit.
Reference what you sent. Add something new. Still no meeting ask. Ask permission to share the next useful thing. The psychological difference matters.
Email 3, day 14: the soft ask.
Now you have deposited twice without withdrawing. “If any of this is relevant, I would welcome a 15-minute conversation. Not a demo, just a conversation about what you are seeing.”
That framing consistently converts better than “Can we book 30 minutes for a demo.”
Email 4, day 21: the honest close.
“I will stop filling your inbox. If timing shifts, I am easy to find.”
No guilt. No fake urgency. This closes with dignity and it often produces the highest quality reply, the “Not now, come back in Q3” response that keeps the door open.
Loom videos: the cheat code people underuse
A 90 second personalised Loom often converts around three times better than text in our sequences.
Not because video is magic. Because it signals effort, humanity, and specificity in a world full of templated outreach.
The formula works because it is simple:
15 seconds custom intro referencing something specific.
60 seconds genuinely useful content, a quick framework, a finding, a walkthrough.
15 seconds low pressure next step.
The common mistake is trying to make it polished. Do not.
A slightly informal one-take video converts better than a produced corporate clip. One feels like a person did something for you. The other feels like marketing, because it is.
Put Loom in email two or three, not email one. Use it as an escalation of personalisation, not the opening move.
How to get social proof when you have none.
If you are unknown, you cannot hide behind analyst badges and household logos.
Fine.
Build credibility with smaller, sharper signals.
Peer specificity:
“I have been speaking with a few security leads in your space and the pattern I keep hearing is X.”
You do not need to name names. You need to signal you are in the conversation.
Specific outcomes without naming the customer:
“A financial services customer cut mean time to detect from 14 days to 6 hours in 90 days. Happy to share the architecture choice that drove it.”
Specific numbers land harder than vague claims.
Research level third party validation:
If your work was cited or covered, use it. Earned media is borrowed credibility and it is fair game.
Your people’s credibility:
If you have a former CISO, a known researcher, someone with recognised experience, their reputation should front-run your brand.
Signatures matter. Background matters. Security buyers will trust people before they trust logos.
The channel mix that actually works for unknown brands
Email alone is a losing game when you are unknown. You need multiple touches from different directions.
The pattern that works most reliably is LinkedIn, then email, then phone. Not all at once.
LinkedIn first because it establishes a human presence.
Email second because it carries value in a format people can forward internally.
Phone third because by then your name has shown up twice and the call is no longer fully cold.
For VP and CISO level contacts, email and LinkedIn do most of the work. Cold calling C-level security leaders aggressively can create a negative reaction that is not worth it.
Use the phone as a confirmation touch once there is some warmth.
The one exception is a genuine warm intro. If you have a second degree connection, use it.
A good intro is worth more than twenty cold emails. Make it a habit to check for mutual connections before any Tier 1 push.
The operational truth: volume is the enemy
When reply rates are low, the reflex is to send more.
More emails, more contacts, more sequences. In cybersecurity that usually makes things worse.
Low reply rates are rarely a volume problem. They are a relevance problem, a timing problem, or a trust problem.
Volume does not fix those. It scales them. It also damages sender reputation and burns your database.
The mindset shift is simple maths.
Improving reply rate from 3% to 9% produces the same output as tripling volume, without the unsubscribes and without turning your SDRs into spam operators. Better beats more.
Cap Tier 1 SDRs at 30 to 40 accounts. Make every touch count. Measure replies and meetings booked, not emails sent and calls made.
The one metric to watch
Track reply rate by first line variant.
Not open rate, which is noisy post-MPP (Apple’s Mail Privacy Protection).
Not click rate, which depends heavily on asset type and buyer stage.
Reply rate is the cleanest signal that a real human decided your message was worth responding to.
Run at least three opening line variants per sequence. Track for 30 days. Kill the worst. Test a new challenger. Keep doing it quarterly.
Over 12 months, you build a first line playbook that is validated against your actual ICP, not generic advice.
That institutional knowledge compounds. And somewhere along the way, the trust problem starts solving itself because your name is no longer unknown.
That is the goal. Keep earning attention until you no longer have to earn it from scratch.