Every successful security platform started as a point solution
One of the most critical factors to startup success is focus, which in practical terms means solving one problem really well, for many customers.
The industry often portrays founders of "platform" companies as visionary entrepreneurs and those of "point solutions" as less ambitious. In reality, all "platforms" started as "point solutions" and found natural adjacencies to expand.
I think too many people are getting hung up on the idea that they need to build a “platform” from day one. It is true that buyers expect that any new tool they add will replace a few of their existing ones. And yet, one of the most critical factors to startup success is focus, which in practical terms means solving one problem really well, for many customers. CrowdStrike started as an endpoint detection & response solution to focus on advanced adversaries. Palo Alto built a firewall. The list goes on and on. Solving one problem well to start is essential.
Just having an idea is not good enough
There are different ways to think about building security companies. One is to look at the Silicon Valley Small Business (SVSB) model and tackle problems that are impactful and important but do not require large, venture-scale bets. If, however, one is considering a venture-scale company, I think they need to be equally smart about how they go about it.
While every platform started out as a point solution, there are several factors that need to be true for that opportunity to become possible. These are the market, the founders’ way of thinking, and their ability to execute.
Large total addressable market (TAM)
If you look at platform companies, you notice one thing that’s common among all of them: they all started in (or quickly moved into) a large market. Every company has servers and workstations, so endpoint detection & response was a great starting point for future security platforms (e.g., CrowdStrike). Every enterprise is worried about network security (e.g., Palo Alto) and email security (e.g., Proofpoint).
The easiest way to figure out if a certain market is large enough is to see whether security teams are spending money in a given area. For example, the IoT security market is much smaller than the email security market. It’s worth noting that market size isn’t necessarily equal to importance as securing IoT is equally important. In 2024, we see many startups going after SOC automation. At first glance, it may look like that space is crowded, but since almost every enterprise or managed service provider has a security operations center, the market size is big. And, big markets present big opportunities.
Importantly, from day one founders will be learning a lot about their market, and will likely end up pivoting. This is once again why markets matter: if they focus on the market with few promising adjacent opportunities, they may not have a good place to pivot into.
Founder’s way of thinking
The way founders think about the idea matters. There are two ways I see people approach ideation:
Coming up with a small problem around which they can build a single-feature company. From there, look for ways to expand by exploring adjacent problem areas.
Setting their eyes on a large problem, and looking for an angle/wedge to build that initial feature so that they can enter the market.
I think that both angles are equally valid, and in most cases, the ideation is an outcome of thinking in both directions. And yet, I think that working backward from what people believe the future is going to be like is better than starting with a small feature and thinking in what direction it can be developed later.
Founders’ ability to execute
Having a great vision is not enough. Founders need an unparalleled ability to execute. As the cybersecurity industry exploded and became increasingly competitive, the path from point solution to a large platform is getting harder. Startups on a path of building a platform are fighting not only against the incumbents they are looking to replace but also against mature platform players capable of buying competitors and plugging them into their well-established distribution channels. With that, the bar for founders continues to go up. Entrepreneurs must be more and more creative about how they go to market, strategize, and execute on their vision.
Three ways of building a market leader in security
I think that fundamentally there are three ways of building a security company:
Pick a partner to go to market with, by leveraging their go-to-market engine. A great example is the way Fivetran built a strong partnership with Snowflake. The main risk with this strategy is execution, as well as the potential of being taken out of the picture by the former partner.
Pick a company to kill. One way to do it is to analyze companies that started 10 or more years ago as they inevitably begin to fall behind the modern needs. An even more certain way of doing it is looking for companies that have an established customer base but are for one reason or another hated by a segment of their users.
Look for a new, greenfield market. Start by sitting alongside existing vendors and over time start directly competing with them. The challenge here is that founders are much more at the mercy of the market and much more likely to be affected by the first mover disadvantage. They have to put in a lot of effort to educate the market about their problem area, thus potentially making it easier for someone else to come in and seize an opportunity after they’ve spent time and effort evangelizing the problem with buyers, getting them to create a new budget, etc.
Thinking about ideas for building a security startup
Where I don’t think the most interesting opportunities in security are
“Security dashboards”
There are plenty of startups that can be described as a “dashboard where a CISO can track X”. These are certainly much needed, but I personally struggle with the idea that simply collecting logs and providing visibility is enough to build a company. I don’t think I could feel good showing up at the door pitching yet another “dashboard that offers visibility”.
Yaron Levi puts it really well in his piece “Visibility without action is just noise”: “Don’t get me wrong, I understand the importance of detection but showing me a million flashing alerts, a myriad of dashboards, and a never-ending stream of logs is like giving a pilot a weather map without instruments or flight controls. It’s overwhelming, distracting, and ultimately useless”.
A thin layer of LLM implemented over the existing stack
There is a lot of excitement about AI in security, and one of the most common use cases for it is a “co-pilot for X” where X is anything from identity to SOC, product security, IT, or anything in between. I am personally very bullish about the role artificial intelligence will be playing in automating security in the future. That said, I am also quite skeptical that one can build a defensible product let alone a company by doing some thin implementation of ChatGPT on top of the existing security stack.
First and foremost, relying solely on LLMs from vendors such as OpenAI means that founders are at the mercy of the provider’s decisions, and the capabilities they are bringing to the market. Instead of staying close to their customer needs, they are forced to watch releases of OpenAI to understand what they will be able to do. Second, if anyone can build the same type of solution using the same APIs, I am struggling to see what the startup would be adding on top to make the product more valuable, more unique, and ultimately more sticky for their customers. Speed of execution? User experience? Maybe, but I am not convinced that’s enough. Last, but not least, there is the question of who would buy these co-pilots and why. I refuse to believe that every enterprise is going to buy a co-pilot on top of every one of their existing tools (i.e., a co-pilot for identity, a co-pilot for SOC, a co-pilot for IT, etc.).
All this is to say that AI does bring a lot of advantages, and enables use cases that were not previously possible. But people have to be smart about not going for the most obvious and easiest paths because they are most likely not going to be where big companies will be built. They have to go deeper than co-pilots, and deeper than chat interfaces. Dropzone, AirMDR, and many other startups are showing what’s possible with AI, and it’s clear that co-pilots aren’t an answer.
Increasing the efficacy of some algorithms by a few percentage points
Security products are notoriously hard to test which means that founders looking to improve the efficacy of some algorithm by a few percentage points tend to really struggle to get their ideas adopted. Every once in a while someone says things like “Our algorithm can detect badness 2% better than that of the top vendor in their segment” only to be hit with a shrug and a lot of skepticism. There is no easy way to verify these incremental improvements, and more importantly, nobody is going to replace an established vendor because a competitive startup claims to be 2% better.
What has, however, worked in the past were clearly differentiated solutions tackling advanced threats that their predecessors were missing. Even then, they would not position themselves as a replacement for incumbents from day one, but rather a complementary tool (think “land and expand” strategy). Take CrowdStrike which was focused on behavioral detection and advanced persistent threats (APTs) when the previous generation solutions were limited to signature-based detection, or companies like Abnormal Security which promised to catch advanced email threats missed by their incumbents.
Tools only relevant to the top 1-2% of advanced security teams
Security startups like to look for early adopters among the top percentile of the most mature security teams which are frequently from cloud-native, venture-backed, technology-first enterprises. It takes time for the rest of the market to catch up with new ideas, new technologies, and subsequently, new security needs. The assumption many are making is that the market is going to mature, and so the needs of 1-2% of the enterprises will become the needs of 90%-100% of them.
In practice, that doesn’t happen as often as we think. Rarely do the needs of the most mature security teams, especially those with an engineering mindset, translate into the needs of the mass market. When they do, it usually takes longer than founders expect, and by the time it happens many run out of money they need to compete. In addition, the experience the broader market needs is generally quite different from that expected by mature enterprises who have more resources and the ability to hire the best talent. Devoid of such luxuries, the majority of the customers are looking for ease of deployment and ease of use.
Products that have been successful can be utilized by both engineering-centric security teams with a lot of resources, and operations-centric teams with substantially more constraints around access to talent.
Different angles to look for promising cybersecurity startup ideas
Products suitable for the majority of the market
Over the past several decades, we have accumulated a lot of knowledge of what companies should be doing to improve their defenses. The challenge is that most of this knowledge is concentrated in the small cohort of the most mature security teams. In other words, we have been advancing the state of the art in security, but not the state of the practice.
I think some of the most lucrative opportunities in our industry today could involve taking something that is only accessible to a small percentage of the market and making it easy to leverage for the rest of the market. A lot of the best practices today are fairly labor-intensive and require expensive and hard-to-access security engineering talent. There could be an opportunity to lower the barrier to the adoption of security through a great user experience.
The good news is that there are examples of companies that did exactly that:
Duo Security did not invent the idea of multi-factor authentication. Instead, it replaced RSA tokens, which were hard to manage at scale, and made MFA accessible to the rest of the market in an easy-to-navigate, user-friendly way.
Thinkst Canary didn’t invent the concept of deception. Instead, it lowered the bar for any company to use honeypots in a manner that is incredibly easy and does not require advanced knowledge.
I think the security of the future will be about great user experience. For nearly a generation, the idea was that all we need is advanced security capabilities, and then with the help of policies we can enforce “best practices” and coerce everyone into “secure” ways of doing their work. We now know that is a recipe for failure. Instead, we need to build security into the existing workflows, in ways that make secure behavior the easiest and the most frictionless path to pursue (think of Jason Chan’s idea of going from gates to guardrails and paved roads).
Products that decrease the need for talent
Another place to look for opportunities for innovation is taking more work off the security teams’ plates. Historically, many solutions would focus on providing visibility, which fundamentally means creating more work for already overextended and underresourced teams.
Anywhere between 60 and 80% of the security budget is labor. If a security solution is not reducing (or worse yet, is actively increasing) the need for labor, it is not truly solving the problem. Founders should seek areas where most of the labor goes, and look for ways to automate them.
Products that combine different use cases in one place
In 2024, every CISO wants their 95th tool to be their 81st tool. If a product is not replacing/consolidating any of the existing solutions in the customer's environment, it's increasingly harder to get a justification for it.
One of the ways in which founders can identify new opportunities is by looking at the intersection between different solutions, and what opportunities consolidating them could create.
Products that solve the core security problems
While security for LLM and other new technologies might sound exciting, the reality is that an average security leader is still struggling to address the more fundamental problem areas such as identity, endpoint security, cloud security, network security, vulnerability management, and patching, to name some. It is these core problem areas with established budgets but a long list of residual challenges that offer the biggest opportunities for innovation.
Products that approach the problem from a different angle
Frequently, the best way to come up with a solution to a problem is to look at it from first principles. There’s a famous story about how Stanford students turned $5 into $650 in just two hours that illustrates the power of thinking differently.
Fortunately, we don’t have to go all the way to Stanford to see how this can look as there are plenty of relevant examples in cybersecurity. Take, for instance, Avalor which asked a question - “What if security is a data problem?”. By taking that angle, they were able to build a solution that is different, and to find a great exit.
Products that solve problems outside of security, but where security is an early adopter
Another category of solutions I find interesting are products that solve problems outside of security, but where security is an early adopter. Take security automation as an example: fundamentally, security automation is a subset of enterprise automation as many other areas of the enterprise (IT, marketing, sales, engineering, etc.) all have a need to reduce manual, repetitive tasks. Security, however, feels this pain more than some other functions and therefore it is open to experimenting with new ideas.
Problems that fall in this bucket frequently have a much larger total addressable market (TAM) than those that are exclusive to the security team.
Closing thoughts
When we take a closer look at the largest cybersecurity companies today, it becomes apparent that there are some patterns. While all the platform players have to start as point solutions, there are some factors that distinguish the ones that grow into market leaders and the ones that don’t. Some of these factors are:
They all had a large market and targeted what I’d call core security problems. I’d argue that market decision is the most critical decision for any startup.
They built solutions suitable for the broad market, not just the top 1-2 percent of companies.
They all, in their own ways, take work off the customers’ shoulders instead of expecting that the customer will hire a large team to service the product.
They each approached their problem from a different angle. Palo Alto wasn’t just building another firewall, and CrowdStrike wasn’t bringing to market another antivirus.
Each of these companies invested in user experience. This is especially the case for players that started in the past five years (think Wiz).
They all had teams of capable, experienced founders with a strong vision, skills to evangelize that vision, and an ability to move things forward.
Always a pleasure to read your posts, Ross. Ty, Steven Palange.
Do you think that "visibility without accountability is just noise" applies more broadly to the CAASM market (JupiterOne, Armis) despite some of their automated solutions? With the recent M&A in that space with Rapid7 acquiring Noetic and NetSPI, backed by KKR acquiring Hubble and larger platform plays (CRWD, ServiceNow) having alternative solutions like CRWD Falcon, I question the validity of CAASM solutions remaining point solutions (and whether that is enough competitive differentiation) vs another tool within a broader vendor contract. Would love to know your take.