Building platforms in cybersecurity: select playbooks for growing “best of suite” solutions
Looking at common playbooks for building security platforms, what is hard about them, and how entrepreneurs can increase their chances of success.
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
Over 1,865 copies of my best selling book “Cyber for Builders: The Essential Guide to Building a Cybersecurity Startup” have been delivered by Amazon so far. This book is unique as it talks about building cybersecurity startups. It is intended for current and aspiring cybersecurity startup founders, security practitioners, marketing and sales teams, product managers, investors, software developers, industry analysts, and others who are building the future of cybersecurity or interested in learning how to do it.
Everyone in cybersecurity likes to talk about platforms. Security teams look up to platforms in the hope that they can reduce the number of tools enterprises have to rely on. Founders see platforms as the Holy Grail of building a successful company, and rightfully so: without solving a variety of problems and the ability to generate at least $100-$150 million annual recurring revenue (ARR), most startups won’t be able to go public (IPO). Investors know that platform companies are incredibly risky but if they succeed, they can generate impressive returns, substantially higher than the so-called point solutions. Industry analysts are excited about platforms because they cover a wide range of use cases, and resellers like the fact that they can make a lot of money selling the best-of-suite solutions.
What isn’t being talked about as often is how exactly platform companies are built, and what are the ways in which founders that make big bets attempt to get to market. In this article, I will do just that, looking at common playbooks for building security platforms, what is hard about them, and how entrepreneurs can increase their chances of success.
Thinking big from day one: setting the foundations for building a platform
Although any product could potentially evolve into a larger solution, building a platform isn’t as simple as building a small feature and adding more features over time. There are several reasons why that is the case.
First and foremost, founders must choose a problem area that is important, large, and painful enough for security teams to be willing to do a proof of value (POV). Because of the push for reducing the number of tools and the ever-expanding list of “must-have”, “revolutionary”, and “next-gen” solutions, the bar to get the enterprise simply consider the possibility of bringing in a new vendor is now substantially higher than it was just a few years ago. For entrepreneurs to have a chance of succeeding, the problem they choose to tackle must require a unique insight, or be complex enough that the competing incumbent platform player cannot solve it equally well. Additionally, startups should be looking to replace at least one (ideally - more) of the existing solutions, instead of becoming a new addition.
Second, there should be a solid number of adjacent challenges founders can address better than the competition. Historically platforms were centered around different attack vectors that are generally aligned with types of security data, such as endpoint, network, cloud, and code, as that has been the easiest way for companies to solve as many problems that can be solved by using the same data as possible. This makes sense because different types of data are owned by different teams, so a startup that requires, for instance, network, endpoint, and cloud telemetry in order to show value, will encounter many more barriers to adoption than a company that can start small and expand later after proving its value with one team. Platform-building opportunities are exceedingly rare; a big reason why we are seeing an explosion in the number of AI security startups is that people are making a bet that AI and ML security presents an opportunity for building a big platform.
Third, startups with an ambition of one day becoming a platform must make technical decisions that set the right foundations for future expansion. If they don’t pick the right infrastructure, don’t implement a scalable technical architecture, or don’t keep the cost and the trade-offs of their decision in mind, entrepreneurs can paint themselves in the corner and be forced to later re-build the underlying architectural components.
Solving one problem really well and picking the wedge
Every successful company starts by identifying a problem area founders are interested in tackling, and a unique wedge that if they execute well, could enable the startup to gain a solid percentage of the market.
Early-stage ventures have extremely limited resources, and in order to move fast, they need to focus on what matters. Many cybersecurity founders with an ambition of building a platform end up spreading themselves too thin too early. By doing that, they end up building products that are “Jacks of all trades and masters of none”: they can solve many problems, but neither of them is good enough to be loved by the users. To set solid foundations for a security platform, startups need to instead solve one problem, and do it really well for their customer segment; better than anyone else on the market. This is, of course, easier said than done: there is always pressure from customers and investors to broaden the area of focus as soon as possible.
Oftentimes, founders assume that because they are “building a new category”, they don’t have competition. This is a very naive take and one that in 99.9% of all cases is incorrect. Competition is always there, and it’s not necessarily what people think: for most B2B startups in and outside of cybersecurity, the main rival is Excel; the second biggest competitor is open source.
To differentiate against other players and outcompete their rivals, startups need to find a wedge - a unique angle that will enable them to find their place under the sun. A wedge can be nearly anything:
A go-to-market strategy: for example, a startup may decide to reach small and medium-sized businesses by building partnerships with managed security services providers instead of selling direct like its competitors
A technology stack, for example, the startup may be uniquely positioned to solve problems of customers who rely on a specific technology stack that other vendors overlook
A market segment: for example, the startup may build the best solution tailored to the needs of large financial institutions overlooked by its rivals
Some entrepreneurs arrive at both the problem worth solving and the wedge to gain a foothold early on in their journey while for others it may take one or more pivots.
Product-market fit expansion and going beyond the initial use case
Once the startup achieves the product-market fit with its initial offering, it needs to look for adjacent use cases that offer expansion opportunities. This is often referred to as a “land and expand strategy”: once the company has a strong foothold in the customer’s environment, it can start up-selling and cross-selling other products and services to the same organization.
There are two ways to achieve product-market fit expansion: in-house development and mergers and acquisitions (M&A). Both are fairly self-explanatory, and both come with a set of pros and cons.
In-house development enables a startup to ensure the tightest levels of integration between different platform components, resulting in significant performance wins, great scalability, seamless user experience, and low technical debt. When the company treats every building block of the solution as a first-class citizen, it results in a future-proof product that works well both in parts and as a whole. This level of performance comes at a high cost. First, developing innovative solutions requires access to top talent, and assembling, training, and managing high-performing teams is both expensive and time-consuming. This is especially the case for the so-called frontier areas of technology - fields that are so new that they simply don’t have a wide pool of prospective employees just yet. Second, developing new products takes time. This is especially the case for larger organizations where bureaucratic systems and processes can make new product development incredibly slow and costly. Lastly, in-house development is risky. Even if the company assembles the best team, and clears the unnecessary burdens so that it can move fast, there is no guarantee that the outcome is going to stack up well against the competition.
Another common method of building a platform product is M&A. For the company looking to build a platform, acquiring cybersecurity startups solves several problems. First, product acquisitions remove a lot of risks in one go. The company is buying a product that is working, and in most cases, is already being used by some customers in production, so potential delays or a risk that the final solution won’t be competitive on the market are not a part of the picture. Second, instead of having to recruit, onboard, and train individuals which can take many months, acquisitions allow companies to quickly onboard a team that has shown it can work well together. As with everything else, there are also disadvantages to pursuing the M&A path. The biggest challenge acquisitions introduce is the need to integrate all the individual components not designed to work together into one platform. Anyone who builds software products knows that every solution comes with its limitations in terms of API, latency, the ways it’s architected, and so on. Stitching together tens of disjoint tools not designed to work together from day one can result in a Frankenstein monster - a buggy solution with poor user experience and a mountain of technical debt that with time will only get worse.
Based on my observations, most companies that pursue the M&A strategy of building a platform take shortcuts and end up with poor results. An example of a player that was able to assemble a robust cybersecurity solution from acquisitions, despite the challenges this path brings, is Palo Alto Networks. The reason why Palo Alto has been successful is the amount of resources the company allocates to integrate each of the components it buys into one cohesive experience. Even then, it cannot get everything right and there are certainly gaps in how some platform components communicate with the rest of the solutions.
In-house development and mergers and acquisitions (M&A) are not mutually exclusive approaches. On the contrary, most companies that ended up succeeding in assembling a cybersecurity platform have done a mix of both, building some solutions and buying others.
Goals of security platform providers
The ultimate goals of any cybersecurity platform are to:
Be incorporated as wide and as deep as possible in the customer’s workflows, and
Build an ecosystem around its offerings.
The former can take different shapes, such as getting security teams to adopt all the pillars or components the company offers, getting security service providers to embed the platform into their business, or in some cases, leveraging the platform as a foundation for building security products. The latter comes from the realization that the platform provider is not going to be able to assemble (build or acquire) all the solutions to customer’s problems on its own. A much better approach is to carefully select the areas the company is looking to compete in, and then encourage others to build products or services on top of the platform to solve the rest.
Getting the platform to be incorporated as wide and as deep as possible in the customer’s workflows
Every platform has a cornerstone solution - the first use case where it started. AWS started with Amazon Elastic Compute Cloud or EC2; CrowdStrike first built the endpoint detection and response (EDR) capability, and Palo Alto Networks used to be a firewall company. When the first solution becomes just one of many, platform providers become laser-focused on ensuring that customers will adopt as many of the other offerings as possible. This is because it’s not merely the presence, but the adoption of multiple solutions that turns a company into a platform. There are many startups and large players that offer a wide variety of products but customers only buy one of them, in spite of all the marketing efforts.
To understand just how important it is for platform players to show that what they build is being actively used, it’s worth taking a look at the example of CrowdStrike. In the Q2 of the 2023 earnings call, the company’s CEO George Kurtz, dedicated a good amount of time to discuss the adoption of CrowdStrike as a platform. The product now has over 20 modules, and according to the earnings call records, as of June 2023, the number of deals involving eight or more modules rose 80%+ year over year. About 63% of all customers have five or more modules, while 41% have six or more and 24% have seven or more.
Building an ecosystem around the platform’s offerings
While getting the security teams to use as many capabilities as possible is predominantly a product and a sales problem, building an ecosystem around the platform’s offerings is a much more delicate matter. Companies typically tackle it by:
Making it easy to build on top of their platform
Funding solutions built on top of their platform
Helping to start new companies built on top of their platform
To encourage security practitioners and software engineers to build on top of the platform, it first and foremost needs to be designed with this use case in mind: scalable, accessible, and API-first. The company needs to make it possible for builders to easily find its API and technical documentation, get the necessary training, and, if required, hands-on support from the vendor. The easier it can make the process of building new tools, the more successful it will be. For example, in September 2023, CrowdStrike announced CrowdStrike Falcon Foundry, the cybersecurity industry’s first no-code application development platform. According to the company’s press release, “With Falcon Foundry, customers and partners can harness the data, automation, and cloud-scale infrastructure of the CrowdStrike Falcon platform to easily create their own custom applications in order to solve an infinite number of security and IT challenges”.
Funding solutions built on top of the platform
Another way to encourage ecosystem creation is by providing capital to those looking to build their own solutions, be it products or services, on top of the platform. This can be done through different mechanisms of which the most common is corporate venture capital (CVC) funds.
“Starting in 2019, we have seen a rise in corporate venture funds run by cybersecurity companies. In April 2019, Okta launched Okta Ventures - a $50 million fund. In August 2019, CrowdStrike announced the launch of Falcon Fund, a 20 million dollar early-stage fund in partnership with Accel. Then, after the pandemic hit and companies were adjusting to a new normal, the CVC launch spree was paused until 2022. In May 2022, CyberArk announced the launch of CyberArk Ventures – a $30 million global fund designed to support cybersecurity innovation. As recently in September 2022, SentinelOne launched S Ventures - a $100M fund to invest in enterprise cybersecurity startups. It’s worth noting that in 2017, Palo Alto Networks also announced a $20 million security venture fund, but there is no publicly available information about the fund or any of the investments they were able to make since inception. Chad Kinzelberg, senior vice president of Business and Corporate Development at Palo Alto Networks at the time of the announcement, appears to have left the company in 2018.
Companies in this category commonly have a marketplace of solutions that offer a broad range of security capabilities. It’s interesting to observe the intersection between portfolio companies of the CVCs and integrations listed on their marketplaces:
CrowdStrike Falcon fund lists 14 portfolio companies; 5 of them are already integrated into CrowdStrike Marketplace: Tines, ThreatWarrior, Talon, Sixgill, and DoControl.
Three out of four companies listed in the portfolio of the newly established S Ventures are already listed as SentinelOne marketplace partners with joint solution briefs: Torq, Armorblox, and Noetic Cyber.
One of the three CyberArk portfolio companies - Zero Networks - is already on the CyberArk marketplace.
Okta Ventures list a large portfolio of 24 companies as of the time of writing; of those 12 are available on the Okta integrations marketplace: Cerby, Crosschq, Adaptive Shield, Drata, Immuta, TripleBlind, Kandji, Openpath, VNDLY, Productiv, and DataGrail.” - Source: Corporate venture capital and cybersecurity: why Okta, CrowdStrike, CyberArk and others invest in cybersecurity startups
Corporate venture funds are typically established by large, well-known cybersecurity enterprises that are either publicly traded, profitable, or well-funded. Smaller startups that don’t have tens of millions to invest in others are more likely to offer free consulting help, scholarships, or grants. For those interested in learning about corporate venture capital in cybersecurity, check out my deep dive dedicated to the topic.
Helping start companies built on top of the platform
The cybersecurity platform players that are especially driven to grow their ecosystems go further than making it easy for someone to build on top or provide capital. The above-mentioned CrowdStrike is once again a fantastic example of a company that went beyond traditional playbooks. In September 2023, around the same time when it announced Falcon Foundry, it also unveiled the launch of an equity-free Amazon Web Services and CrowdStrike Cybersecurity Startup Accelerator. In its press release, the company stated:
“Created to foster and fuel cybersecurity’s next market-defining disruptors, the new AWS & CrowdStrike Cybersecurity Startup Accelerator cohort, will offer customized mentorship, technical expertise, and partnership opportunities, as part of the AWS Startup Loft Accelerator (SLA) program. High-potential early-stage cybersecurity companies could also get funding from CrowdStrike’s strategic investment vehicle, the CrowdStrike Falcon Fund… Selected startups will be enrolled in a free 10-week no-cost program that includes office hours with AWS Cybersecurity experts and CrowdStrike executives, access to top-tier cybersecurity global investors, enablement sessions, up to $25,000 in AWS Activate … credits, among other exclusive benefits.”
The Snowflake Startup Challenge is another example of a similar strategy in action.
Platform players can be creative when looking for ways to grow the number of companies built on top of their offerings. For example, they can recruit driven, entrepreneurial individuals with strong backgrounds in cybersecurity (think the 8200 alumni) to act as founders in residence and build specific components of the platform as stand-alone offerings. Opportunities for experimentation are plenty, and as long as there is a willingness to try new ideas, companies can certainly expand both the depth and breadth of their ecosystems.
Ensuring alignment of interests
One of the reasons why building a successful security platform is hard is the fact that the platform provider operates in a state of permanent conflict of interest. On one hand, it wants to encourage others to build on top of its solutions and create a rich ecosystem of products and services (these often take the shape of a marketplace). On the other hand, the platform company often has its own offerings that compete with those offered by external parties in the marketplace. What it can and cannot do is to a large degree defined by the amount of power it holds in the relationship, and its long-term strategy. AWS, for example, is notorious for building its own version of the third-party solutions that perform especially well on its marketplace, and then aggressively promoting its offerings instead. However, because it holds so much power (32% of the cloud market is owned by AWS), developers have little choice but to look for ways to deal with this arguably unfair practice.
Navigating the state of coopetition, a simultaneous collaboration and competition, is never easy. For example, although Microsoft has all the incentives to promote its own security solutions for Azure, it still wants others to build their tools and sell them in the Azure marketplace. The same applies to other cloud providers, as well as platform players such as CrowdStrike.
Some companies have learned to navigate these challenges and align incentives quite well. One of these examples is Splunk - a company that enabled users to monetize their work through its marketplace and by doing so built a rich ecosystem of add-ons complementary to its own offerings.
Closing thoughts
Building a cybersecurity platform is incredibly hard because in order for the efforts to succeed, the company needs to convince a large number of security teams and builders (software engineers and security practitioners) that they should invest their time and effort into the up-and-coming solution. Platforms are in many ways two-sided marketplaces, and as such they share a lot of the same struggles. One of them is the so-called chicken or egg problem: without a sufficient number of customers, it’s hard to convince developers that they can make money by building on top and selling their solutions as add-ons, and without a rich variety of solutions, the startup will often struggle to be seen as a “best of suite” player.
Although there are no bulletproof playbooks for building a cybersecurity platform company, two things are clear: the push for consolidation (or “platformization”, as Palo Alto describes it) is ongoing, and the next billion-dollar security player is most definitely going to be a platform.
Love the book “Cyber for builders”, still reading it though. Am where it talks about different types of VCs