Brand, Price, Performance
Mike Rothman insinuated in his Security Incite blog yesterday that OEM AV vendors other than the "big brands" are licensing their engines entirely on price. That is just not the case - if it were, MSSPs would all be running Clam, or freeware.
There are three reasons why IT buyers choose technology: price, brand and performance. The appliance manufacturers and managed security service providers (MSSPs) that we work for are the industry leaders and they make their decisions based on performance. They are more than willing to pay for highly optimized, heuristics-based engines, and superior malware databases (like those owned by Kaspersky and Authentium, the two largest in the world).
Why? Because there are significant cost savings to be gained from implementing better technology approaches that are unrelated to the base cost per unit, or cost per event of the OEM license. These companies, many of which run thousands of square feet of Linux or FreeBSD boxes, run very extensive technology bake-offs and often pay more to license in a particular engine because their TCO analysis shows it makes sense.
In most situations we're deployed in, our AV engine sits alongside many better-known "brands". In every one of these situations, our engine has consistently outperformed the branded offering in every one of four key respects: 1) size of memory footprint, 2) size of database, 3) event throughput, and 4) malware detection rate.
Recently, the Authentium engine not only stopped all major variants of the Warezov worm, but also stopped the Storm virus heuristically - without requiring an update. At a throughput rate of nearly four billion emails a week, that's a lot of money saved, and a lot of customer email sorted and delivered without delay. The big "brands" sitting right alongside our engine did not fare nearly as well - which is why they continue to pour money into branding, while we pour money into R&D.