Security Buyers Don't Reply to Fear — They Reply to Specifics
Every security buyer's inbox is full of the same email: a scary statistic, a vague threat, a demo link. They delete it without finishing the first sentence, because they read better threat intelligence before breakfast than anything a cold email can paraphrase. What does stop them is rarer and harder to fake: a concrete observation about their own environment that they can verify in thirty seconds — the public-facing stack you actually looked at, the attack pattern currently working through their specific industry, the gap that's visible from the outside if anyone bothers to check.
That kind of opener can't come from a template. It has to be assembled per prospect, which is exactly the motion Lemlist is built for — liquid syntax variables that compile research fields into a different first line for every contact, and LinkedIn steps that put a real researcher's face behind the message before the email ever arrives. ColdRelay supplies the layer Lemlist doesn't: the secondary domains, mailboxes, and dedicated IPs the campaign sends from. This guide covers how to wire the two together and turn research into replies.
Why Run Lemlist on ColdRelay Infrastructure
Lemlist's whole value proposition is personalization depth — liquid variables, personalized images, even per-prospect landing pages. But it sends from whatever mailboxes you connect; it doesn't provision domains, configure DNS, or carry the deliverability of the sending identities. For a security vendor, that's the expensive gap. An observation-led email takes real research minutes per prospect — and if the mailbox behind it sits on a shared tenant with sloppy authentication, the gateway quarantines your best work the same as everyone's worst.
ColdRelay closes that gap. You provision dedicated mailboxes on isolated Azure tenants with dedicated IPs, with SPF, DKIM, and DMARC pre-configured — ready in about an hour, with no warmup period before sending. That last part matters more to this audience than any other: a prospect who can verify your observation about their stack can also verify your headers, and an email claiming security expertise from a domain with broken DMARC contradicts itself before the second paragraph.
The pairing is additive, not competitive: ColdRelay is the infrastructure layer — domains, mailboxes, dedicated IPs — and Lemlist is the sending and sequencing layer on top, where the personalization and multichannel steps live. You keep Lemlist's liquid variables, LinkedIn touches, and campaign reports — you just send the research from mailboxes built to land.
Connecting ColdRelay Mailboxes to Lemlist
Provision a research-sized pool on ColdRelay
Observation-led outbound is low-volume by design — you can only research so many prospects per day, so size the pool to the research throughput, not the other way around. Most security vendors running this motion start with 15-40 mailboxes on 1-2 secondary domains, kept separate from the corporate domain that signs your advisories and reports. ColdRelay supports 100-150 mailboxes per domain, and everything provisions on isolated Azure tenants with dedicated IPs in about an hour, with SPF, DKIM, and DMARC already configured.
Connect the mailboxes as Lemlist sending accounts
Export the mailbox credentials from the ColdRelay dashboard, then in Lemlist add each mailbox under your email accounts via SMTP/IMAP. Each ColdRelay mailbox connects as its own sender, so campaigns can distribute sends across the pool and replies thread back to the right identity.
Cap each mailbox at 2 outbound/day and leave lemwarm off
Set every account's daily sending limit in Lemlist to 2 outbound emails, mirroring ColdRelay's per-mailbox budget — 4 sends/day total, split 2 outbound + 2 warmup. ColdRelay's warmup runs continuously as part of that budget, so don't enable lemwarm on these mailboxes; double-warming adds volume the budget doesn't account for, and the mailboxes are campaign-ready from day one without it.
Build the observation fields, then map them to liquid variables
Before touching the campaign builder, do the research pass: for each prospect, capture two or three checkable fields in your CSV — the public-facing technology you observed, the industry attack pattern currently relevant to them, the specific exposure your finding implies. Then in Lemlist, map those columns to liquid syntax variables in step one, so the opener compiles into a different, verifiable sentence per prospect. Use liquid conditionals to route prospects with a stack observation to one opener and prospects with only an industry-pattern field to another — never let a contact receive a template with an empty bracket where the research should be.
Add LinkedIn steps before the email, then launch and read the campaign report
In the same Lemlist sequence, put a LinkedIn profile visit and a connect or comment step ahead of the first email. Security buyers check who's emailing them — when the sender's profile shows a real researcher who engaged with their content two days earlier, the observation in the email reads as diligence instead of automation. After launch, use Lemlist's campaign reports to compare reply rates by observation type, and shift the research effort toward whichever class of specifics is actually earning responses.
The Cybersecurity Lemlist Playbook
Open with something the prospect can check in thirty seconds
The test for every first line: could the recipient verify it themselves before finishing their coffee? An observation about their public-facing stack, their published security page, or a pattern hitting their specific industry this quarter passes. A statistic about average breach costs fails. Build your Lemlist liquid variables around fields that pass the test, and cut any prospect from the list whose row can't fill one.
Describe what you observed — never what you exploited
There's a bright line between "your public security posture suggests X is worth a look" and anything that reads like you probed their systems. The first is research; the second gets you reported to the very SOC you're selling to. Keep every observation to what's legitimately visible from the outside — public DNS, published pages, job posts, disclosed stack — and say plainly how you saw it. Transparency about method is itself a credibility signal to this audience.
Let the LinkedIn step carry the credibility the email claims
An observation-led email implicitly says "a competent person looked at you." The prospect will audit that claim — by checking the sender on LinkedIn. Use Lemlist's LinkedIn visit and comment steps to make sure what they find supports the story: a profile with real security work, recent engagement with their company's content, a face. The multichannel sequence isn't extra touches; it's the evidence layer for the email's premise.
Skip the gimmick personalization — this audience reads it as a red flag
Lemlist's personalized images and per-prospect landing pages convert well in most B2B — and mostly backfire here. A security buyer sees their name rendered onto an image, or a tracking-heavy custom landing page, and pattern-matches it to the phishing techniques they train employees against. Spend the personalization budget on the text layer instead: liquid-compiled observations, plain links if any, and a sequence short enough that every step earns its place.
Typical Cybersecurity Outbound Benchmarks (Lemlist + ColdRelay)
| Metric | Benchmark | Notes |
|---|---|---|
| Inbox placement rate | 95%+ | Dedicated IPs, isolated tenants, and pre-configured SPF/DKIM/DMARC — your headers get checked by this audience, not just your copy |
| Reply rate, observation-led openers | 3-6% | Checkable, prospect-specific first lines run well above the 1-2% generic security pitches earn from the same lists |
| Reply lift from LinkedIn pre-touch | 1.5-2x | Sequences with a profile visit and comment step before email one, vs. email-only sequences to matched segments |
| Outbound capacity per mailbox | 2/day | 4 sends/day total per mailbox — 2 outbound + 2 warmup; a natural fit for research-limited volume |
| Time to first campaign | Same day | ~60 minutes to provision on ColdRelay; the research pass on your first list is the real schedule driver |
What It Costs: Lemlist + ColdRelay
You pay per mailbox per month for the infrastructure, with volume tiers that drop as you scale (see the table below). Dedicated IPs, isolated Azure tenants, and pre-configured DNS are included.
Lemlist is billed separately on its own per-seat subscription covering the campaign builder, liquid variables, multichannel LinkedIn steps, and campaign reports — priced per its current plans.
Infrastructure cost scales with mailbox count; Lemlist cost scales with seats. An observation-led motion keeps both small — research throughput caps your volume long before infrastructure does, so a modest pool on 1-2 domains usually covers the whole program.
| Mailboxes | ColdRelay price / mailbox / month |
|---|---|
| 1–199 | $1.00 |
| 200–999 | $0.85 |
| 1,000–4,999 | $0.70 |
| 5,000+ | $0.55 |
Each mailbox sends 4 emails per day — 2 outbound to prospects + 2 warmup. ColdRelay provisions mailboxes on isolated Azure tenants with dedicated IPs; Lemlist handles the sending, sequencing, and inbox rotation on top.
Frequently Asked Questions
Does ColdRelay replace Lemlist?
No — they're complementary layers and you use them together. Lemlist is the sending and sequencing layer: liquid-variable personalization, multichannel sequences with LinkedIn steps, campaign reports. ColdRelay is the infrastructure layer underneath: the secondary domains, mailboxes, and dedicated IPs those sequences send from. Neither does the other's job.
Should we run lemwarm on ColdRelay mailboxes?
No. ColdRelay's warmup runs continuously as part of each mailbox's 4 sends/day budget — 2 outbound + 2 warmup — so the mailboxes are campaign-ready the day they provision, with no separate warmup period. Adding lemwarm on top would double-warm and push volume past the budget the deliverability is designed around. Cap each account in Lemlist at 2 outbound/day and let ColdRelay handle the warmup side.
Isn't per-prospect research too slow to be worth it for security outbound?
It's slow per email and fast per meeting. A few research minutes per prospect, compiled through Lemlist's liquid variables, typically produces 2-4x the reply rate of templated sends to this audience — and the per-mailbox budget of 2 outbound/day means the infrastructure never pressures you to send faster than you can research. Twenty mailboxes is 40 researched sends a day, which is a serious pipeline motion for most security vendors.
Won't our observations about a prospect's environment come across as threatening?
Only if they read like reconnaissance. Keep every observation to what's publicly visible — published stack, security pages, job postings, industry attack patterns — and state how you saw it. Framed that way, the email demonstrates diligence rather than intrusion, and the LinkedIn steps in your Lemlist sequence give the prospect a real researcher to attribute it to. What actually triggers suspicion is the opposite: vague fear with no checkable substance behind it.