Threat research is the highest-leverage PR asset a cybersecurity vendor owns. A well-packaged report on a real vulnerability, a novel attack chain, or a newly observed threat actor campaign will earn genuine tier-1 coverage on Dark Reading, Wired, Ars Technica, TechCrunch, Forbes, and the named security desks at Reuters and the Wall Street Journal, without a wire fee, without a press release, and without a journalist being asked to cover a product. The research is the story. Your job is to package it so a security reporter can say yes in four minutes.

I run fractional cybersecurity PR for security vendors and researchers, and the question I get most often from technical founders is not "how do we get covered" but "we have all this research, why isn't anyone writing about it?" The answer is almost never that the research is bad. It is that the research has not been packaged for journalists who cover six stories a day, do not have a PhD in your specific subdomain, and need a crisp, factual, disclosable finding in a format they can act on quickly. That packaging gap is what kills most research-led PR programs before they start. This playbook closes it.

Why research earns coverage that announcements cannot

A security reporter's job is to inform their readers about real threats. They are not looking for a reason to write about your product, and most of them will actively avoid a story that reads like a vendor pitch. What they are looking for is a real finding, reported accurately, with enough technical substance to be credible and enough translation for a general technical readership to care.

Research satisfies that need in a way no announcement does. A press release about a new threat intelligence platform tells a reporter nothing useful. A report naming a previously undocumented ransomware group, mapping its infrastructure, and attributing twelve confirmed intrusions gives them a story they can own. The vendor's name appears in the coverage not because they bought it but because they produced the finding. That is a fundamentally different kind of credibility, and it compounds. Bylines from Dark Reading, Ars Technica, or Wired sit in Google results and AI engine citations for years. Product announcements do not.

Field rule: The research is not a lead magnet for the product. It is the product in PR terms. When you treat it as a funnel asset, journalists notice and pass. When you treat it as primary reporting, journalists compete to be first.

The four types of research that reliably earn coverage

Not all research is equally press-worthy. After running threat-research PR programs across vendors in vulnerability research, threat intelligence, DePIN security, and zero-trust infrastructure, I have found the categories that consistently convert with security desks.

| Research type | What makes it press-worthy | Best targets |
| --- | --- | --- |
| Vulnerability disclosure (CVE) | Named CVE, CVSS score, affected vendor confirmed, patch available or in progress | Ars Technica, Wired, TechCrunch Security, Dark Reading, Bleeping Computer |
| Threat actor / campaign attribution | Named group or new cluster, confirmed victim sectors, TTPs mapped to MITRE ATT&CK, IOCs publishable | CyberScoop, Recorded Future News, Dark Reading, Reuters, WSJ security desk |
| Novel attack technique | New class of attack, reproducible PoC or responsibly withheld, clear affected surface | Ars Technica, Wired, Black Hat and DEF CON proceedings, The Register |
| Scale and data-driven threat landscape | Original dataset, non-extrapolated methodology, year-over-year comparison, surprising finding | Forbes, Dark Reading, Infosecurity Magazine, SC Media, Help Net Security |

The common thread is original finding, not original opinion. Security reporters can instantly tell if a report is a survey of already-public information repackaged with your logo on it. They are not interested. The reports that land every time are based on something the vendor's own sensors, researchers, or reverse-engineering work produced that nobody else had.

Coordinated disclosure: the non-negotiable foundation

Before any of the PR mechanics matter, the disclosure process has to be right. This is not a legal nicety; it is a trust issue with the reporter and with the wider security community. A vendor that drops a vulnerability story without giving the affected vendor a reasonable window to patch will find security journalists reluctant to work with them again. The PR angle is secondary to the ethics, and the good news is that doing disclosure right also makes the PR angle stronger.

The standard coordinated disclosure timeline

  1. Private notification to the affected vendor. Send a clear technical summary of the finding, the affected product and version range, a severity assessment, and a proposed disclosure date. Ninety days is the broadly accepted window, established by Google Project Zero and widely followed.
  2. Vendor acknowledgment and patch development. Track the response. Most major vendors are responsive within a week. If there is no acknowledgment after two weeks, a second notice with a shorter window is reasonable.
  3. CVE assignment. If you have not already, coordinate with MITRE or the relevant CNA for a CVE ID. This is required for coverage in any serious outlet; reporters will ask for it.
  4. Embargo with journalists. Once you have a patch date confirmed, you can embargo the story with two to four reporters simultaneously for 48 to 72 hours before the patch goes live. This is when you do your PR outreach, and the exclusivity of the embargo window is what gets tier-1 reporters to invest time in your story.
  5. Public disclosure. Publish your full technical report simultaneously with patch availability. The embargo lifts, reporters publish, and the story moves.

On shortened timelines: If the vulnerability is being actively exploited in the wild before you have reached the ninety-day window, coordinate with the affected vendor and your legal counsel on an accelerated timeline. CISA has a published policy on active exploitation disclosures. Do not sit on an actively exploited zero-day for PR timing. The community will remember, and it will cost you credibility with the desks that matter most.

Packaging research for journalists who are not your PhD peers

The biggest gap I see between good research and zero coverage is translation. Your technical report is written for other security researchers. The journalist version is written for someone who is smart, technically literate, and covering ransomware, cloud security, and critical infrastructure on the same deadline. Here is what the journalist version needs to contain.

The journalist brief: five sections, two pages maximum

  • The one-sentence finding. What did you find, in plain language, in a single sentence. Not "we identified a novel attack surface in widely deployed enterprise software" but "a flaw in Product X versions 4.2 through 6.1 lets an unauthenticated attacker gain root access over the network, affecting an estimated 40,000 internet-exposed instances." That sentence is the story.
  • Who is affected and why they should care. The sectors, the scale, and the real-world consequence of exploitation. If nobody cares, nobody covers it.
  • What you found and how. Two to four paragraphs on the research process, in accessible language. This is the credibility layer that separates your report from a vendor blog post.
  • Current status. Is a patch available? Is this being actively exploited? What should affected organizations do right now? Reporters always ask this, so answer it before they have to.
  • Your expert, available for quotes. Name the researcher, their specific expertise, and confirm they are available to brief the reporter on background or on record. A named researcher with a track record of conference talks, prior CVEs, and a visible profile increases the story's credibility and the reporter's confidence that this is real.

The full technical report goes as a PDF attachment or a link to a staging URL the reporter can access under embargo. The journalist brief is the cover document. Do not make the reporter excavate the one-sentence finding from forty pages of technical appendices.

On embargo mechanics: Send the journalist brief and the full report together. Specify the embargo datetime in UTC, the patch availability datetime, and confirm that you are offering this to a small number of reporters simultaneously, typically two to four. Do not offer exclusive coverage to more than one outlet at the same time; if two reporters publish simultaneously that is fine. What is not fine is telling each reporter they have an exclusive when they do not. That relationship ends fast.

The security desks that matter and what each one wants

Every major outlet with a security desk has a different editorial appetite. Pitching the wrong type of story to the wrong desk wastes a relationship. Here is the working map I use for threat-research placements, informed by the Dark Reading coverage guide and ongoing work with cybersecurity clients.

| Outlet | Best for | What they need |
| --- | --- | --- |
| Dark Reading | Practitioner-facing technical findings, threat intelligence, vulnerability research | Strong technical substance, MITRE mapping, practitioner relevance |
| Ars Technica Security | Novel attack techniques, CVE disclosures affecting consumer software, technically rich narratives | Reproducible or clearly explained technique, good sourcing |
| Wired Security | Nation-state campaigns, significant CVEs, stories with broad societal stakes | Scale, named victims where possible, strong researcher credibility |
| TechCrunch Security | Startup-relevant disclosures, cloud and SaaS vulnerabilities, breach news | Consumer or enterprise relevance, patch status, rapid turnaround |
| CyberScoop | Government, critical infrastructure, threat actor attribution | Policy angle, CISA or FBI coordination where applicable |
| Bleeping Computer | Ransomware, malware analysis, active exploitation | IOCs, sample hashes, affected version ranges, fast turnaround |
| SC Media and Infosecurity | Enterprise security programs, compliance angle, CISO audience | Business impact framing, risk quantification |
| Forbes and WSJ security desk | Large-scale breaches, significant threat campaigns with business impact | Named companies, executive quotes, financial or operational impact |

The pitch to each desk is not the same pitch. Dark Reading wants the MITRE ATT&CK mapping and the IOC list. Wired wants the societal stakes and a named researcher with a track record. Forbes wants a business-impact number and a company name. Customizing for the desk is not optional; it is the minimum bar for a reply. More on building these pitches is in the cybersecurity PR guide for 2026.

Building a research-led PR calendar

One-off research drops are fine. A recurring research cadence is what builds a brand. The security vendors that own a beat, the ones where reporters proactively reach out when something happens in that space, are the ones that publish on a schedule and make their researchers available consistently.

A workable annual cadence for a security vendor looks something like this: two to three major CVE or threat-actor disclosures timed around the embargo and patch cycle; one annual threat landscape report timed ahead of RSA or Black Hat to capture the conference media cycle; one to two conference-season briefings at DEF CON, Black Hat, or mWISE where you brief reporters in person and set the agenda for what you are working on next; and quarterly practitioner-focused research notes, shorter and more frequent, that keep your researchers visible on desks like Dark Reading and Help Net Security without requiring a full embargo cycle each time.

On conference timing: Black Hat's media briefing requests typically open in April for an August conference. RSA media briefings open in December for a May conference. If you have research you want covered at the conference, you need to be in the briefing queue early, with a formed story, not a placeholder. Conference coverage is highly competitive and reporters book their briefing slots weeks in advance.

What to do when research crosses the crisis line

Research-led PR and crisis comms overlap more than founders expect. If your research uncovers an active campaign against critical infrastructure, a zero-day being exploited in the wild, or a breach at a named organization that has not yet disclosed publicly, the PR program is not the first call. The first call is legal counsel, followed by CISA or the relevant national CERT if critical infrastructure is involved, followed by the affected organization directly.

The scenario I see most often is a vendor whose research team discovers evidence of an active intrusion at a third party, and the founder wants to go straight to a reporter with the story. That path, without the proper disclosure steps, risks legal exposure, harm to ongoing investigations, and a complete loss of trust with the security journalism community. The full framework for navigating that territory is in the cybersecurity breach crisis comms guide. Read it before you need it.

Field rule: The security desk gives you credibility no product story can buy. But it withdraws that credibility just as fast if you short-circuit disclosure, sensationalize findings, or publish IOCs that tip off a threat actor before defenders have patched. The community has a long memory on both sides of that ledger.

The economics of a research-led PR program

Research-led PR is not free, but it is one of the most capital-efficient earned media programs a cybersecurity vendor can run. You are not buying placements. You are investing in researcher time, report production, and the PR operator who packages and places the work.

The cost structure typically looks like this: your researchers produce the finding as part of their normal work; the PR layer is packaging, media training for the named researcher, building and maintaining journalist relationships on the relevant security desks, and running the embargo logistics. A fractional cybersecurity PR operator running that program costs $5,000 to $12,000 per month. A full agency running the same program costs $15,000 to $45,000 per month. The research itself, already produced, is the asset the operator is placing, not something they manufacture.

The return is coverage in outlets where a sponsored placement would cost $20,000 to $50,000 per article, with less credibility and a disclosure label that signals to readers it is paid content. Earned coverage from research compounds differently: it is cited by other journalists, picked up by aggregators, referenced in analyst reports, and increasingly cited by AI engines when buyers in your category ask who the credible vendors are. That compounding is why I treat research-led PR as the core of the cybersecurity PR program, not a nice-to-have add-on to a standard announcement cadence.

Shilika Jain

Fractional PR and ghostwriting for Web3, AI, DePIN and cybersecurity founders. 50+ protocols and security vendors placed across Forbes, CoinDesk, Cointelegraph, Dark Reading, Decrypt, The Block and Wired, with coordinated disclosure programs and research-led earned media built from the ground up.

Frequently asked questions

How does threat research turn into press coverage?
The research is packaged as a two-page journalist brief containing the one-sentence finding, affected scope, researcher credibility, and patch status, then offered under a 48-to-72-hour embargo to two to four relevant security reporters simultaneously. The reporter gets an exclusive window to brief, ask questions, and publish at embargo lift. The vendor gets tier-1 earned coverage without paying for placement. The full packaging mechanics are in the cybersecurity PR guide for 2026.

What is coordinated disclosure and why does it matter for PR?
Coordinated disclosure is the practice of privately notifying an affected vendor of a vulnerability, giving them a defined window, typically 90 days, to develop a patch, and only publishing publicly once a fix is available or the window expires. It matters for PR because security journalists will not cover research from vendors who skip this process. The community has a shared norm, and violating it damages your relationship with the desks you most want to work with. Doing it correctly also makes the coverage moment cleaner: patch available, CVE assigned, researcher named, story ready to tell.

Which outlets cover threat research and how do I pitch them?
Dark Reading covers practitioner-facing technical findings and threat intelligence. Ars Technica Security covers novel attack techniques and significant CVEs. Wired covers nation-state campaigns and findings with broad societal stakes. CyberScoop focuses on government and critical infrastructure. Bleeping Computer moves fast on ransomware, malware analysis, and active exploitation with IOCs. Each desk wants a different angle so the pitch is never the same document. The detailed desk-by-desk breakdown is in the Dark Reading coverage guide.

How much does a cybersecurity PR program focused on research cost?
A fractional senior operator running a research-led cybersecurity PR program costs $5,000 to $12,000 per month. A full agency covering the same scope runs $15,000 to $45,000 per month. The research itself, produced by your team, is the asset being placed. The PR layer is packaging, journalist relationship management, embargo logistics, and media training for the named researcher. The earned coverage value typically exceeds the equivalent spend on sponsored placements by a significant margin, and unlike paid content it carries no disclosure label.

What should I do if my research uncovers an active breach or exploited zero-day?
Stop before pitching any journalist. The first step is legal counsel, then CISA or the relevant national CERT if critical infrastructure is involved, then private notification to the affected organization. Going to press before those steps exposes you to legal liability, can tip off threat actors, and destroys your credibility with security journalism desks permanently. The full crisis comms framework for these situations is in the cybersecurity breach crisis comms guide.
