Finding co-founders to build a cybersecurity startup: notes for aspiring security entrepreneurs
Looking at co-founder dating, the role of VC as matchmakers for startup entrepreneurs, and why founding teams have an advantage over the traditional duo founders
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
Also, over 1,475 copies of my best selling book “Cyber for Builders: The Essential Guide to Building a Cybersecurity Startup” have been delivered by Amazon so far. This book is unique as it talks about building cybersecurity startups. It is intended for current and aspiring cybersecurity startup founders, security practitioners, marketing and sales teams, product managers, investors, software developers, industry analysts, and others who are building the future of cybersecurity or interested in learning how to do it.
In the past two years, I’ve had many conversations with people in my network interested in building startups about finding a co-founder. In this piece, I am sharing my thoughts about finding a technical or a business co-founder and looking at adjacent topics such as founder dating, the role of VC as matchmakers for startup entrepreneurs, and why founding teams have an advantage over the traditional duo founders.
Why look for a co-founder
Before we discuss looking for a co-founder, let’s first have a brief look at why a security entrepreneur would even need one. I have met several solo founders, some of whom have been able to build fairly successful startups. Yet, although building a company as a solo founder can be done, it isn’t necessarily the best way to get started.
The way I think about it, there are no rules that cannot be broken:
It is possible to build a successful cybersecurity startup out of Eastern Europe (SOC Prime, a company that started in Ukraine is a great example),
It is possible to fully bootstrap a profitable product company respected by security leaders and practitioners globally (Thinkst Canary, a company out of South Africa is a prime example of that),
It is possible to build a security company without having deep expertise in the cybersecurity domain (Vanta did it quite well), and
It is certainly possible to build a security company as a solo founder (Pedro Castillo of Devo is one of several people who have shown us that the outcome can be impressive).
The question isn’t if it can be done; the question is if taking a certain path is helping, or impeding the probability of positive outcomes. In the early days of a startup, the odds of success are incredibly small and anything founders can do to stack the cards in their favor early would be the right thing to do.
Building a startup is a hard and in many ways lonely journey. In the world of information overload, it takes time and a lot of effort to break through the noise, find the right problems to solve, find investors who can best help the company accomplish its mission, and convince industry insiders that they should care about whatever the company is offering. Employees joining early-stage ventures are taking a risk, and founders naturally feel responsible for their livelihood. Knowing that the next funding round is never guaranteed and that the company may not get to product-market fit even when everyone tries hard and does their best, can feel demoralizing.
Having co-founders offers a sounding board, makes it possible to think bigger and broader when looking for ways to solve hard problems, and helps to not destroy their family lives. The latter may sound random, but it isn’t: having strong teams can greatly reduce the amount of stress entrepreneurs will be under, and the number of challenges founders end up bringing home to their loved ones. All this is before even considering that the amount of work an early-stage company needs to do is insurmountable - it’s not just customer discovery and building product, but also sales, fundraising, hiring, marketing & brand building, partnerships, operations, and more. Having several people who can own different areas greatly increases the chances that the startup will succeed.
Finding a co-founder: it’s all about relationships forged when working together
Two simple stats illustrate how critical it is to choose the right co-founder:
Founders spend more time with their co-founders than they do with their partners, and
On average, building a public company takes 8-10 years while the average length of a marriage before divorce is 8 years (granted, the median length of the marriage is much longer - 21 years).
If you are going to be spending most of your time in the next decade with a person (or several people), it is important that you don’t simply enjoy each other’s company, but can also work well together. I find it fascinating how many times in life I would get excited about meeting a smart, well-rounded person, only to find them absolutely impossible to work with later. This can happen for many reasons - some people are unwilling to commit, unable to organize their time, have trouble working in teams, get discouraged too easily, and so on.
I think it’s critical that before people commit to building a company together, they collaborate on something smaller that allows them to see what working together would feel like. This could be launching an open-source project, doing customer discovery and collaborating on a minimum viable product (MVP), or even organizing an event together. What’s important is going through the motions of brainstorming, planning, executing, and iterating on something together so that you can better understand the other person’s communication & work style, have transparent discussions about it, and see where the relationship evolves.
Look for people who are already doing the thing you want them to do and pay attention to their character
I believe that people can best be evaluated by looking at their track record, not by talking about their aspirations. Let me explain what I mean by this.
There are many people out there who are great at talking and painting the most incredible pictures of what they could be doing. Although storytelling is a critical skill for a good founder, what matters more in my opinion is the ability to make things happen. By examining what a person has done in the past, it’s much easier to think about what they could be capable of in the future. Note that I think about a track record in the broadest possible sense, and what I care about is what the individual has done, not what they achieved.
When I think about a technical co-founder, I think of a person who is already building. They don’t need to be building a company - but they could be pursuing some passion projects on the side, consistently contributing to open source projects (or maybe even launching their own), or at the very least, they are doing something truly incredible as a part of their work. To me personally, side projects are always more convincing because they show that a person is self-driven, motivated & willing to do work without having someone pay for it. I love seeing people being active in their area of interest - be it security events, Discord channels for practitioners, or their local BSides.
When I think about a business co-founder, I think of a person who is already doing something about their interests. They could be angel investing or advising startups, organizing events, speaking or writing about their areas of interest (product, go-to-market strategies, operations, building companies, etc.), building relationships with security leaders and investors, and so on. They could be pursuing some side projects, looking for ways to make money using no-code and low-code tools, and the like.
Skills are important, but they can be learned; what doesn’t change just because a person wants to start a company is the character. In my view, the best co-founders are obsessed with their craft, resourceful to make something out of nothing, and hungry to make things happen when nobody expects they can. I believe that character, values, and beliefs trump hard skills and expertise: those who are driven to learn everything they need to succeed, in a short time can teach themselves a new language, new framework, or new technology.
The easiest way to judge character is to look at small things - how people behave, how they talk, and what excites and frustrates them. Do they show up on time to appointments? If not - what will change when they need to hop on a customer call at 5 a.m. or 10 p.m. because they are in a different time zone? Are they always late, or do they like to cancel and reschedule their commitments? If so - what will change when a customer is waiting for an answer about their deployment? Do they deliver on their promises? Are they willing to do what it takes to accomplish their goals? Do they get angry when the world doesn’t respond the way they expected? Do they have the ability to critically reflect about themselves, their surroundings, and their role in things that happen around them? I have seen founders who take a week to get back to a prospect interested in buying their product, unleash on an employee because they had a bad morning, or don’t feel the urgency when a bug is blocking a customer from being able to accomplish a critical task.
As someone who grew up in an orphanage on another side of the planet, moved to Canada in his early twenties without speaking a word of English, and built a career in product despite having no degree from a prestigious school or background in computer science, I always bet on an underdog. I love people who have had something to overcome, something to fight for, something to stand for. I like knowing that a person went through a crucible of some kind - has taken risks, has tried something different, has challenged the status quo, has pushed themself to do what’s uncomfortable. I believe that over the long term, the drive, strong character, resourcefulness, and perseverance will always outperform those who can only work well if they are given all the ingredients they need to be successful.
Co-founder dating: being intentional when looking for co-founders
In the US, many entrepreneurs meet their future co-founders at work, which offers a perfect opportunity to see the quality of one another’s work in action. In Israel, a place for co-founder matching is often the military, although many cybersecurity founders go back together all the way to high school. All of these create natural opportunities to build great friendships that can later lead to starting a company together.
Not everyone, however, is so lucky: some people find themselves in a place where they don’t know anyone in their immediate network who would be interested in starting a company together. This can happen for many reasons:
potential co-founders could already be working on their own startups,
the timing might not be right (a prospective co-founder could have just become a parent, got a mortgage, started a lucrative job at a large corporation, etc.), or
a person might not be interested in the cybersecurity industry.
It’s also not uncommon to find people who haven’t been exposed to a large group of people they can pick from. For example, having spent my product career working at small and medium-size startups, I have a more narrow network of former colleagues than someone who has worked as a PM at, say, Google and Microsoft.
One way to meet a prospective co-founder is to be intentional about it by doing the so-called co-founder dating - a process of meeting people with the intent of finding someone to build a cybersecurity company with. Co-founder dating is incredibly common in Israel where cybersecurity entrepreneurs attend events, ask for introductions, and conduct informal “reference checks” to see if a person they are talking to could be a solid business partner. In the US, this practice for some reason is less common: the overwhelming majority of companies are started by friends or former colleagues. I think it’s a big miss: although it makes total sense that people who have worked, studied, or served in the military together would become friends and could start exploring what problems are worth solving, co-founder dating can also be a great way to start a company.
Importance of the initial problem discovery & validation
I’ve observed a sentiment in the security community that one needs to experience pain firsthand to identify a problem worth solving. I think this isn’t necessarily the case: whether a person experienced a problem themselves, or found a problem area by interviewing security leaders and practitioners, in both cases they should be looking to validate the severity of the issue, what types of customers does it affect the most, the size of that market, and the willingness of buyers to pay for solving the problem.
Ideation, customer discovery & problem validation are especially critical for ideas in cybersecurity. This is because every organization does security its own way, and depending on where one spent their career, they may have drastically different ideas about problems in security. A security engineer from an SF-based, venture-backed high-growth cloud-native startup will think of security differently than a senior analyst from a multi-million retailer headquartered in New York, which is even more different than a perspective of someone who has worked for a managed security services provider (MSSP) that serves hospitals in Texas. Each of their ideas is equally relevant and equally valid, so the question isn’t who is right: it is what problems are worth solving, and which of these solutions are best built by building a product company (some may very well be best implemented as open source projects, service providers etc.). Starting a cybersecurity company without proper validation is akin to moving from a cloud-native startup in SF to a bank in Boston, and jumping straight away to implement the tools that worked for the former company, without taking the time to understand the nuances of the new environment, how the business makes money, what are its crown jewels, and the risk it faces.
Anyone with a background that requires them to launch products, should have the tools to do the ideation, customer discovery & problem validation well. For those new to the problem, here are some ideas and frameworks for structuring the process:
A brainstorming framework for aspiring founders by Bessemer Venture Partners
Discovering ideas for impactful startups by Innovation Endeavors
Role of VCs in co-founder matching
In mature and rich tech ecosystems such as San Francisco in the US and Tel Aviv in Israel, venture capital firms play a critical role in building companies that extends far beyond their function as capital suppliers. Due to the nature of their work, VCs, especially those focused on early-stage companies, have wide and deep connections in the community. They know who is already experimenting and prototyping early solutions, who is raising capital, who is considering building a company, and who could be a good founder material if they were to find a strong person to work with.
VCs are connectors - they help startups find partners and early customers, build relationships with potential acquirers, and even help aspiring founders find a co-founder. Security practitioners interested in starting a company at some point would greatly benefit from thinking long-term and building relationships with investors in their area of focus. Some of the ways to do it are by offering assistance with due diligence and evaluating tools from the practitioner's point of view, helping to understand trends in the security space, and making introductions to people in their network working on early-stage ideas.
Founding teams over duo co-founders
Although it is widely assumed that standard founding teams consist of two people - a technical & a business person, history has shown that founding teams of 3-4 people are often the ones that end up building industry-defining companies. From Check Point, Palo Alto Networks, CrowdStrike, Lacework, and Netskope to Snyk, Wiz, and Cloudflare, some of the most influential players in the cybersecurity industry were started by teams of three to four people (Orca Security has 8 co-founders!).
Here is a short list of some of the companies that fall under this category:
Check Point: Gil Shwed, Marius Nacht, Shlomo Kramer
Splunk: Michael Baum, Rob Das, Erik Swan
Palo Alto Networks: Rajiv Batra, Nir Zuk, Yuming Mao, Dave Stevens
CrowdStrike: George Kurtz, Dmitri Alperovitch, Gregg Marston
Lacework: Mike Speiser, Sanjay Kalra, Vikram Kapoor
Fireblocks: Idan Ofrat, Michael Shaulov, Pavel Berengoltz
Netskope: Krishna Narayanaswamy, Lebin Cheng, Ravi Ithal, Sanjay Beri
Snyk: Assaf Hefetz, Danny Grander, Guy Podjarny, Jacob Tarango
1Password: Dave Teare, Natalia Karimov, Roustem Karimov, Sara Teare
Cloudflare: Matthew Prince, Lee Holloway, Michelle Zatlyn
Wiz: Ami Luttwak, Assaf Rappaport, Roy Reznik, Yinon Costica
SonarSource: Freddy Mallet, Olivier Gaudin, Simon Brandhof
Acronis: Serguei Beloussov, Stanislav Protassov, Yakov Zubarev
Verkada: Benjamin Bercovitz, Filip Kaliszan, Hans Robertson, James Ren
Cybereason: Lior Div, Yonatan Amit, Yossi Naar
Exabeam: Domingo Mihovilovic, Nir Polak, Sylvain Gil
Orca Security: Avi Shua, Ety Spiegel Hubara, Gil Geron, Hadas Amitay, Liran Antebi, Matan Ben-Gur, Shay Filosof, Wagde Zabit
Dragos: Jon Lavender, Justin Cavinee, Robert M. Lee
Nord Security: Eimantas Sabaliauskas, Jonas Karklys, Tom Okman
ID.me: Blake Hall, Matthew Thompson, Tanel Suurhans
Ledger: Eric Larchevêque, Joel Pobeda, Nicolas Bacca, Thomas France
Axonius: Avidor Bartov, Dean Sysman, Ofri Shur
Vectra Networks: Hitesh Sheth, James Harlacher, Marc Rogers, Mark Abene
At-Bay: Etai Hochman, Roman Itskovich, Rotem Iram, Tilli Kalisky-Bannett
Material Security: Abhishek Agrawal, Chris Park, Ryan Noon
Teleport: Alexander Klizhentas, Ev Kontsevoy, Taylor Wakefield
Immuta: Matthew Carroll, Michael Schiller, Sapan Shah, Steven Touw
Expel: Dave Merkel, Justin Bajko, Yanek Korff
Lookout: James Burgess, John Hering, Kevin Mahaffey
Claroty: Amir Zilberstein, Benny Porat, Galina Antova
Although it may be tempting to assume that first-time founders are more likely to form larger founding teams because they would be looking to compensate for the lack of entrepreneurial experience by trying to get more hands on deck, the reality shows something entirely different. Many of the entrepreneurs who choose to go for larger founding teams have past experience as founders. For instance, Wiz, Palo Alto Networks, CrowdStrike, Snyk, Axonius and many others have all been built by second, and sometimes - third-time founders who, having accumulated a wealth of knowledge of what works best, decided to have larger founding teams. Although based on my observations, Israeli founders are more likely to choose founding teams compared to the American entrepreneurs, experienced entrepreneurs in the US are starting to do more of it as well. For instance, Balance Theory, the company where I am an advisor, was started by three experienced entrepreneurs.
I personally think that having 3-to-4 strong co-founders can greatly increase the startup’s ability to succeed. Given how many areas need to be covered for the company to move fast (engineering, product, go-to-market, hiring, operations, etc.), having a diverse group of strong founders all pulling in the same direction and leveraging what they can do best can be a tremendous accelerator of growth.
Closing thoughts
The number one asset of any early-stage startup is its team: without a strong, diverse group of people qualified and motivated to execute, a startup is very likely to fail regardless of how good the idea it started with, or which VC it received funding from. Although the most organic way to start a company is to do it with friends and former colleagues, those who do not have strong potential co-founders shouldn’t worry: by working hard, intentionally doing co-founder dating, and asking investors and people in their network for introductions, they can set themselves up to build a strong team.
And, if you are looking for a co-founder, let me know - I have a good network of aspiring founders, and am always happy to make introductions or do an anonymous shoutout on social media to expand the reach (if you want). More importantly, I love to stay in the loop of what new ideas people are thinking about and working on.