Just over a week ago, I had the pleasure to speak at the Accel Cybersecurity Summit hosted by the VC firm Accel in Bangalore. This was my first time visiting India, and I had a great time despite the traffic which I must admit is truly crazy. Now that my brain has recovered from jet lag, I would like to share several learnings from the event along with my observations about the cybersecurity startup ecosystem in India, and explain why I am hopeful about its future.

Photos from Accel Cybersecurity Summit

Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!

Lastly, over 2,650 copies of my best selling book “Cyber for Builders: The Essential Guide to Building a Cybersecurity Startup” have been distributed to the readers so far.

Get your copy of "Cyber for Builders"

India’s changing reality

Before I talk about my take on India’s cybersecurity ecosystem, let me share some of my observations about the state of the country.

When you live in the US and especially in the Bay Area, the primary way you learn about India is through talking to Indian immigrants. The number of Indian immigrants stuck in the failing US immigration system is high, and thus it is easy to fall into the trap of thinking that the best Indian talent is dreaming of moving to the United States. Last week I learned that that is not the case. At Accel’s event, I met all kinds of people. Some have worked for over a decade in the Bay Area and even got US citizenship only to move back so that they can work on building the Indian tech ecosystem. Others studied in some of the best US colleges and moved back home after getting a few years of work experience in the world’s top tech companies. There were also plenty of those who had an opportunity to relocate to the US but decided that they were better off working in global companies from India and building their career there. On the plane back to San Francisco, I was sitting next to a woman who, as I've learned, has been living in Dallas for over 10 years but decided that there is no reason for her to get US citizenship. Of course, some had to move back because of H1B visa issues, but these were the minority. The many conversations I had at the event last week have made me realize that the world has changed and that the India many people (including myself) have in their mind is not the same India that people live in today.

There was indeed a time when anyone from India working in technology with ambitions of ever realizing their true potential was looking to immigrate to the United States or the United Kingdom. Over the past decade or two, that has changed. Technology ecosystems like Bangalore offer people plenty of opportunities to grow and build global companies and do all of it without having to permanently relocate to any other country. At least that has been the sentiment of the people I met at the event last week, and I found it to be very interesting.

Another assumption that is no longer true (at least not in the way people think), according to multiple people I spoke to, is that Indian engineers are cheap and easy to hire. Although that is still the case for fresh graduates, experienced engineers command high compensation. Top AI engineers, for example, can make well above USD $100,000, while top CTOs can make upwards of USD $300,000. This is because in 2024, entry-level people compete locally but senior talent competes globally, and global competition drives prices up.

These aren’t groundbreaking learnings but for me personally, they’ve challenged a lot of my assumptions and changed the way I see the tech ecosystem in the country.

Why India has the potential to become an important player in the global cyber ecosystem

Access to talent

India was projected to become the world’s leading country in the number of software engineers by 2023. The law of large numbers makes it clear that even though not all university graduates have the skills necessary to write good-quality code, there are more than enough of those who do. As software engineering becomes more and more competitive, it would make sense that many quality software engineers will start moving into security.

The shift is already underway. Having accumulated solid experience working in open source and making money on bug bounties, India’s security practitioners are gaining more and more recognition in the industry globally. While in the past, India was primarily a destination for low-skills, Tier 1 SOC analyst outsourcing (I have previously referred to India as a “global SOC”), it has now become a place where many global, and in particular - American players go to find the top cybersecurity talent.

Resourcefulness & hustle

It’s not enough to have talent; in order for entrepreneurship to thrive, talented people need to also be hungry. There are plenty of places that employ some of the smartest people on the planet who are not hungry enough to take risks and strike up on their own. India doesn’t have this problem: one of the most impressive characteristics of the country’s startup ecosystem is its resourcefulness and hustle. Don’t take me wrong, there are people in India who for a variety of reasons prefer to play it safe, or can never afford to take risks. However, the country of 1.4 billion citizens benefits from the law of large numbers; even if only 0.5% of people are willing to hustle, that would amount to roughly 7 million, or nearly ten times the population of San Francisco.

When I ask security practitioners in the US if they are going to attend events such as Black Hat, fwd:cloudsec, or BSides Las Vegas, to name some, the answer I often hear is “No because my company doesn’t have a professional development budget that would cover it”. Cybersecurity product managers, as well as other business-focused operators, frequently miss the RSA Conference for the same reason. I understand that individual stories vary, and in some cases, people are genuinely constrained about their finances. All that said, the majority in the cybersecurity space are getting paid quite well, so the fact that they leave their personal and professional growth to their companies’ professional development bugets is not ideal.

In India, nobody is relying on professional development budgets to grow. Several hundred security practitioners, software engineers, and aspiring and early-stage founders flew from all around the country to the Accel Cybersecurity Summit. Each of them had to cover their own flights and figure out where they would stay (many ended up crashing their friend’s couches). I am a firm believer that in order to achieve their goals, people must be willing to hustle, and seeing resourcefulness and hustle in action was refreshing.

As aspiring Indian founders decide to go all in, their level of hustle only increases. Case in point is the story of Akto, an API security startup founded by Ankita Gupta and Ankush Jain. For many months, Ankita and Ankush would host training events all over the United States while living in Bangalore. Every few weeks they would take flights to spend several days in the US, give talks and organize training, and then fly back home until Ankita finally relocated to the US permanently. When I asked Ankush how he manages jet lag, his response was “You don’t - you just get used to it and learn to perform at your peak regardless”. As an underdog myself, I believe that founders who pursue their vision despite all the obstacles, deserve to win.

Early examples of success

One of the biggest barriers to success is the lack of examples that people can relate to, aspire to, and try to emulate. The reason why Check Point is credited for being the catalyst of the Israeli cybersecurity ecosystem is that it has acted as that example. When the company became public in 1996, a few things happened. First, it inspired a new generation of founders who witnessed how their friends, classmates, neighbors, and peers from the military were able to succeed in building a security company out of Israel. Second, it sent a signal to investors that Israeli startups can make it big in the global arena. Third, it created a pool of angel investors with capital to support their friends and advisors to help them get off the ground.

Getting that first success story is the hardest, but once there is one, if things are done well then others can follow. For the longest time, India had no examples of cybersecurity product companies with great exits. There were plenty of incredibly successful service providers including Infosys, a global IT service provider with a market cap of $90 billion (Rishi Sunak’s wife, Akshata Murty is worth over $500m as she is the daughter of Infosys’ founder), but no products. That changed in January 2024 when SentinelOne acquired Pingsafe for over $100m. PingSafe CEO & founder, Anand Prakash, is a perfect example that it is indeed possible to build a successful product company after developing a strong background in services. Anand used to do bug bounties, after which he became a founder of a security services firm, and ultimately - PingSafe, a product company supported by Sequoia, one of the world’s top VCs, and acquired by SentinelOne.

PingSafe's success story is the biggest exit India’s cyber ecosystem has ever seen, and it has the potential to act as a catalyst for the emergence of the local ecosystem the way Check Point did for Israel. It signals to local VCs that cyber is worth looking at; it created a pool of people with capital to support other founders, and it is a success story that other bug bounty hunters, services entrepreneurs, and engineers can aspire to emulate. What’s also great about it is that Anand further drives home the point that one doesn’t have to be an alumnus of IIT (the Indian equivalent of Ivy League) to become a successful entrepreneur.

It is worth noting that prior to PingSafe exit, Smokescreen exited to Zscaler but the terms of the transaction were not disclosed. 

Access to capital

One of the factors that impacts the ability of startups to succeed is their ability to access growth capital. The fact of the matter is that while venture investors like talking about spotting outliers and betting on underdogs, most (though not all) VCs are looking for patterns. To develop a conviction in a company, new geography, or an emerging industry, investors are looking for similar areas, parallels, and mental models from the past, where these kinds of companies worked and led to outsized returns.

Success breeds success, and once there are a few examples that something which was previously considered too risky or outright impossible can work, capital tends to start flowing. Before that happens, however, someone needs to take a risk and bet against the herd.

Anyone who is at least a little familiar with the Indian startup ecosystem knows that the country has been incredibly successful in the consumer space. The assumption usually is that this is because its 1.4 billion people form a huge market to sell to. That was also what I thought, but Sandesh from Seezo explained that this is a bit of a myth and only about 10% of the Indian consumer market have an annual income of over $20K. This means, most of the consumption in India is done by these people. Obviously, the consumer class is growing, but the TAM is much smaller than most people assume. This report from Blume VC provides a good overview of this fact (thanks to Sandesh for sharing it). Either way, Flipkart, Ola, Paytm, and Zomato are just some of the examples of India’s successes. Indian B2B SaaS companies are doing well and competing globally, too - Freshworks, BrowSerstack, Chargebee, and Postman are some examples. It’s hard to imagine this, but in a world where cybersecurity has become one of the hottest segments for VCs, B2B cybersecurity investing in India is still a contrarian thesis (there have been no billion-dollar security companies yet).

Accel India, the largest venture capital firm in the country (used to be the second-largest before the split of Sequoia), is making it very clear that it wants to support cybersecurity entrepreneurs. Over the past few years, it backed several security companies - Akto, Seezo, Effectiv, PrimaryIO, ProjectDiscovery, and some other security startups that are still in stealth. Last week, it organized the country’s largest cybersecurity summit attended by several hundred people (I had the pleasure of talking about building security startups with Sandesh Anand, co-founder and CEO of Seezo). Prayank Swaroop, partner at Accel, is determined to prove that India can become one of the world’s leaders in security, and focused on supporting cybersecurity and AI founders across the country. India’s other large VC firm, Peak XV Partners (formerly Sequoia), is another example of an investor who believes in the nation's cybersecurity potential and has supported PingSafe, SquareX, Quick Heal, and Privado, among others. 

Expertise in cybersecurity services

Historically, India’s focus on services was seen as a problem by VCs who prefer founders building product companies. With the rise of generative AI, services space is probably for the first time seeing attention from investors who hypothesize that services can be reinvented with LLMs. Decibel, for example, talks about “Service-as-Software, powered by AI Agents”, while Felicis explains its excitement about the services sector as follows: “The services market's immense size, highlighted by the professional and business services sector leading US GDP at $3.5T, significantly surpasses the global software market's $600B, presenting vast opportunities for Diagonal Software through AI-driven expansion.”

If the services space can be reshaped by AI agents, the question becomes who is best positioned to make this a reality? One of the potential answers is simple - people who have deep expertise in building and running services businesses, as well as expertise in software engineering. The dilemma is that most service providers are not builders, and most product engineers have little understanding of services. India has plenty of expertise in both. If the country’s entrepreneurs don’t miss this chance and find a way to disrupt the business models that have worked so well for them for a long time, they may find it possible to realize the promise of the Service-as-Software models. For example, I don’t know if pentesting will indeed be automated with LLMs but if it will, Indian engineers who have been making money on bug bounties and doing pentesting-as-a-service for many years certainly have all the ingredients to figure out how to do that. 

Expertise in building security products

I have previously explained why in my opinion, experience in building cybersecurity products is a perfect background for future security entrepreneurs. 

“Over the past year, I became convinced that software engineers with experience building security products may be even better equipped to launch cybersecurity startups than security engineers. Many full-stack, low-level OS, infrastructure, and data engineers have accumulated fantastic experience building products from concept to launch. More importantly, they know just how much the user experience, scalability, and robustness of these solutions matter to customer adoption. The way I think about it - everything can be learned, and people with a strong track record building security solutions in-house can usually figure out how to do it as a standalone company. The key is having experience in software engineering: writing a script can help automate tasks and configure existing applications, but one needs to know how to program to build new applications.” - Source: Blessed are the software engineers, for they shall inherit cybersecurity

In recent years, more and more security products have been built in Israel and India, and not in the United States. We have seen the impact that having a large number of software engineers with experience building security products has had on the Israeli ecosystem; India has the potential to take advantage of the same success factor. 

Reasonable valuations

Indian startups require less capital to get started, validate the problem, and build products. With that, their valuations are often lower which can be very attractive to prospective acquirers, especially if the quality of their products is on par with much pricier American or Israeli counterparts. This is especially important because as I have previously explained, most cybersecurity startups are better off getting acquired before series B.

Local presence of acquirers

Another factor that can work incredibly well for Indian cybersecurity entrepreneurs is the fact that many (most) big security companies already have a presence in the country. Palo Alto, SentinelOne, Zscaler, Microsoft, Trellix, FireEye, and many others have well-established local teams. This fact greatly increases the chances that solid startups that solve real problems and have high-quality products can get acquired.

Although it is rarely discussed, between 70 and 90 percent of acquisitions fail, and most often the reasons have to do with culture clash and inability to absorb the acquired company. The fact that prospective acquirers already have a local presence in India, makes it much more likely they would be open to buying a startup based in the same area.

Geopolitics alignment

Geopolitics alignment is one of the key factors that impact the country’s ability to emerge as a global cybersecurity market power. India is not the only country with access to strong cybersecurity talent. China and Russia also have significant populations and a pool of solid security expertise. The problem is that, unlike India, both China and Russia are adversarial states, and hence aren’t capable of becoming suppliers of security solutions to the Western markets.

Language fluency

Another advantage India has over other nations is the fact that its engineers are fluent in English and therefore do not have to deal with language barriers faced by software developers in many other countries. Ukraine, for example, has been rapidly developing strong cybersecurity capabilities in recent years due to the need to defend against Russia. That said, the fact that for Ukrainian engineers English is not a mother tongue, is likely to inhibit their ability to become active in the international arena.

What’s interesting is that for historical reasons, people in India have been speaking British English. In recent decades, with the propagation of US pop culture, even the spoken language has started to evolve and American English is becoming more and more common.

To realize its potential, India needs to develop its own playbook

I think India has all the ingredients to become an important player in the global cyber ecosystem. However, just because someone has the potential to do something, doesn’t mean they will be successful doing it.

I don’t think Indian entrepreneurs can be successful by trying to copy recipes that worked for Israeli cybersecurity entrepreneurs. When Check Point started, the company was able to gain market leadership by solving a real problem in a new market. They did it from Israel without having to relocate to the US. Today, there is so much generational knowledge about building security companies in Israel that Israeli founders can afford to build their companies fully from abroad. Even then, the playbook that has worked well has been to start out by raising a round from local value-add VCs and establishing an R&D center in Israel, and after raising series A hiring the go-to-market (GTM) team in the US and having the CEO relocate to the East Coast of the US. That way, the CEO and the GTM team can be close to their customers, while the engineering stays in Israel.

Today, the cybersecurity industry is so competitive that it’s becoming harder and harder to scale the company without having a strong US presence. I think Indian cybersecurity entrepreneurs will need to develop their own playbook. It remains to be seen what it will look like - will it be similar to what Akto is doing (having the CEO based in the US, and the CTO visiting the US every month or so)? Could be. Or doing what PingSafe did (growing the company fully from India)? Maybe. One way or another it’s clear that for Indian cybersecurity startups, similar to ant startups in any industry, the number one challenge is distribution. The closer they get to their customers, the deeper they can build the relationship with them, the more likely they are to succeed.

Another potential way for Indian cybersecurity entrepreneurs to succeed is to leverage their unparalleled network in the Bay Area. People who have been living and working in the US for many years understand the US culture well and know how the business works here. And yet, they also have networks back home - the kind of networks that may make it possible to hire talent and build products in India.

It remains to be seen what the future of the Indian cybersecurity ecosystem will look like. One thing is clear - with all the resources at their disposal and all the factors working in their favor, it’s a great time to be a security entrepreneur in India.

If you like my blog, please subscribe & share it with your friends. I do this in my free time, so seeing the readership grow helps me to stay motivated and write more. I don’t send anything except my writing and don’t sell your data to anyone as I have better stuff to do.

If you are a builder - current or aspiring startup founder, security practitioner, marketing or sales leader, product manager, investor, software developer, industry analyst, or someone else who is building the future of cybersecurity, check out my best selling book, Cyber for Builders.

If you are a security practitioner, check out & spread the word about the VIS Angel Syndicate.

If your company is interested in sponsoring Venture in Security, check out Sponsorships. Thank you!

Share