ACCORD
I picked up the ACCORD framework from Jonathan Levav at Stanford last summer. Most security tools genuinely solve the problem they target, but the cost of installing, configuring, and living with them is unacceptable. In security we keep optimizing for completely solving the problem, when the bigger constraint is whether anyone can actually adopt the thing.
ACCORD names the six attributes on which a new technology is judged, and each one is a hurdle it has to clear:
- Advantage — measurably better than what exists
- Compatibility — fits the behavior you already have
- Complexity — easy to learn
- Observability — visible when others use it
- Risk — what happens when it fails
- Divisibility — try it in small steps
I run startup pitches, internal research, academic proposals, and client recommendations through it.
Trail of Bits gets pitched constantly by founders who want a consultancy as their distribution channel. We almost always decline. The tools we actually recommend, like Semgrep and CodeQL, won by riding demand our clients already had. If a product needs us to introduce it, it’s already failed half of ACCORD.