Fortivex is a French cybersecurity firm providing penetration testing and CISO-as-a-service to financial institutions navigating DORA compliance. In 9 months of cold outreach to CISOs and CTOs at banks, fintechs and insurance companies, we generated 12 signed contracts worth €816K in new ARR — from scratch, with zero prior brand in the market.
DORA — the EU's Digital Operational Resilience Act — entered full application in January 2025. Overnight, every bank, insurance company and fintech with EU operations had a hard compliance deadline and a gap analysis that most could not fill internally. The demand signal was enormous.
So was the noise. Every cybersecurity vendor in Europe pivoted their pitch to DORA within 90 days. CISOs went from receiving 5 vendor emails per week to 50. The entire channel was flooded with "DORA compliance" subject lines, templated risk matrices, and identical decks. Response rates across the industry collapsed to near zero.
Fortivex had the product — a genuinely differentiated pentest-plus-vCISO offering built specifically for Article 26 ICT risk management requirements. But Marc and his team were engineers, not salespeople. Their pipeline was three warm introductions and a lot of waiting. The brief: break through the noise, get in front of the real decision-makers, and close 20 contracts in under 12 months.
We started in April 2025 — three months after DORA took effect, when the initial frenzy had peaked and CISOs were sorting through the aftermath. Our angle: not "DORA compliance" as a feature, but gap-specific targeting. Each email identified one specific DORA article the recipient's institution was likely failing on, with evidence.
We identified 1,480 CISOs, CTOs and COOs at regulated EU financial institutions with 100–2,000 employees, then cross-referenced each against public DORA audit findings and prior breach disclosures to identify likely compliance gaps per institution.
Every email opened with the specific DORA article most likely to be problematic for that institution's size and profile — not generic compliance talk. Subject line: the article number. First line: the gap. Three sentences. No deck, no feature list.
Follow-up sequences included a 1-page ICT risk scorecard tailored to the recipient's sector, linking to one anonymised incident from their sub-sector. Reply-to-contract conversion hit 34% — prospects came in already sold on the problem framing.
The first 4 signed CISOs became reference clients. We wrote their post-audit summaries and published anonymised versions as LinkedIn articles under their names. Those articles became Fortivex's most effective sales tools — prospects cited them in their first replies.
Specificity destroyed the noise. Every other vendor sent "DORA compliance" emails. We sent "Your Article 26 ICT third-party risk gap, based on your last two disclosed incidents" emails. CISOs replied because we had clearly done the work.
The scorecard was the sales call. Recipients who downloaded the 1-page ICT risk scorecard had already self-diagnosed their problem by the time they booked a call. Average time from first reply to signed contract: 19 days.
Reference clients wrote our copy. The anonymised audit summaries we published under the names of early clients generated inbound replies from prospects who had never been in our sequences — they found the articles via LinkedIn search. 2 contracts came from entirely inbound leads generated by outbound content.
"I get 40 vendor emails a week. I replied to Fortivex's because they named a specific Article 26 gap that I had identified internally three weeks before — and had not told anyone about. That level of precision is what you want in a security partner."