Generalist VC firms in cybersecurity: advantages, disadvantages, and must-knows for founders, practitioners and industry insiders
A deep look at different types of VCs that invest in cybersecurity, what this means for the founders, practitioners, and the industry as a whole.
Last year, I wrote a deep dive into investing in cybersecurity titled Investing in cybersecurity: a deep look at the challenges, opportunities, and tools for cyber-focused VCs. The piece covers topics such as:
Types of VCs that invest in cybersecurity
Characteristics of security as an investment area (the presence of an external innovation factor, the challenges with evaluating the quality of products, the small supply of talent, the fact that innovation is more often acquired and not built in-house, and others)
Tools for investors to make sense of the industry (Sounil’s Cyber Defense Matrix, MITRE ATT&CK® framework, and the Gartner Hype Cycle)
I would recommend that deep dive along with other analyses for anyone interested in understanding the investment side of security, be it founders, VCs, angels, or family offices. In this article, I will offer a deeper look at the advantages and disadvantages of different types of VCs that invest in cybersecurity.
Two main types of investors in cybersecurity companies
Although there are different ways to slice and dice the investor landscape, fundamentally there are two types of VCs who fund cybersecurity innovation:
Specialist VCs - VC firms whose mandate is to invest exclusively or predominantly in cybersecurity companies. You can find many of the investors who match this criterion on the chart here.
Generalist VCs - VC firms whose mandate is to invest in companies from different industries, not just those in cybersecurity, although they may have partners fully dedicated to security. VCs that fall under this bucket include Accel, Bessemer Venture Partners, Andreessen Horowitz, Sequoia, Sands Capital, and many others.
One strategy isn’t necessarily better than another, and each of these two types of investors has its pros and cons.
Cyber-focused VC firms, their advantages & disadvantages
A brief note about cyber-focused VCs
I have previously counted ~24 VCs that exclusively focus on cybersecurity; this is not including other types of investors such as private equity, angel syndicates, and professional angel groups. While Gula Tech Adventures is also counted as one of these VCs, I have defined it as a cybersecurity impact hub.
Although many of these firms are based in the US, they all have slightly different approaches to investing, look at the industry from different angles, and rely on different networks and bases of investors (LPs or limited partners). What’s common is that these VCs focus either predominantly or exclusively on cybersecurity.
Strong sides of cyber-focused VCs
High brand recognition and competitiveness
Being a firm entirely focused on cybersecurity makes it easier to differentiate and stay top of mind for the founders. When cybersecurity entrepreneurs are starting to fundraise, they will often reach out and pitch to several VC firms from their network. First-time founders would go to Google or Crunchbase and search for investors that fund cybersecurity companies; naturally, cyber-focused VCs will bubble up to the top. This level of brand recognition and discoverability makes it easier for cyber-focused VCs to attract founders who are building new products and developing new approaches to the industry.
Deep domain expertise enables cyber-focused VC firms to not only attract founders but also to efficiently evaluate potential investments. Since cybersecurity is such a complex technical field, it’s not uncommon for founders to get frustrated when a generalist VC asks them questions that appear to be basic and reveal their low familiarity with the domain. Cyber-focused VCs, on the other hand, talk to security founders, attend cybersecurity events, and read industry news daily, which enables them to stay up to speed with industry developments, ask good questions, and leave a good impression on the founder. That, in turn, can make it easier for them to get into good cybersecurity deals.
Strong industry networks
Although cyber-focused VCs do not have a monopoly on CISO advisory groups, they tend to have a much deeper network in cybersecurity. Knowing the right people in the industry enables them to do a deeper due diligence on potential investments, and help their portfolio companies with introductions to design partners, resellers, and early customers.
Strong industry networks can be quite valuable when it comes to helping define the go-to-market strategy, attract senior security talent, and build partnerships with other security vendors. While some cyber-focused VCs have formalized advisory panels, CISO communities, and industry leadership councils, much of their network is invisible and consists of colleagues and personal contacts from their often many decades-long work in the field, leaders at large public security players, and founders of their portfolio companies, to name a few.
Selection and efficiency
VC firms that exclusively invest in cybersecurity see substantially more security companies than those that don’t. This naturally equips them with the ability to spot patterns and, therefore, to quickly and efficiently assess the idea, the founding team, the go-to-market, and even the tech stack of the company, and compare them to those of other startups they have been seeing.
Because cyber-focused VCs get to see more cybersecurity startups than anyone else, they can also be much more selective when they do decide to place a bet on the company. When picking a player in a new market segment, they get the luxury of being able to evaluate multiple options, not just one or two. This increases their ability to pick a security company that is more likely to have the right ingredients for success.
Weak sides of cyber-focused VCs
Inability to respond to the cyclical nature of industries
All industries go through cycles. Although so far cybersecurity has mostly enjoyed continued growth or at the very least some level of stability despite the challenges of the global pandemic and economic downturns, it is unlikely to be the case forever.
The cyclical nature of the industries greatly impacts the VC’s ability to make bets on good companies and ensure its own survival. A fund focused on semiconductors would get wiped out when the industry was in the downturn in the early 2000s; the same was true for VCs focused on cleantech when the sector crashed. The absence of diversification increases risks for the existence of the VC firm, imperiling its ability to raise the next fund. For entrepreneurs, this can have serious implications: if their investor is in trouble, the company can be orphaned and lose the investor when it needs its help the most.
For now, cybersecurity is going strong, and with the continuing rise of cyber threats, there are reasons to be optimistic about its future. However, this does not change the fact that 100% focus on cyber can be a huge liability if something causes current trends to be reversed.
Losing a broader view of the tech market
When a VC firm focuses on one sector, it develops a deep level of expertise in that domain that gives it a competitive edge against generalist firms. Sector specialization, however, is a double-edged sword: being fully focused on security makes it likely that the firm will lose a broader view of the tech market, and fail to anticipate how emerging trends in other fields can reshape cybersecurity.
Fundamentally, several constant changes happen in the cybersecurity industry:
The emergence of new and evolution of old attack vectors,
The emergence of new approaches to security (think of extending endpoint security beyond antivirus by CrowdStrike and Cylance),
The emergence of new go-to-market strategies (think of Huntress and the way it distributes its products),
The emergence of new technologies (something that wasn’t possible before becomes feasible due to the emergence or the evolution of the technology).
Cyber-focused VCs are the first to learn about new attack vectors because they are the closest to the ground, attending industry conferences and talking to security practitioners. When it comes to new technologies, new go-to-market strategies, and different approaches to innovation, it is generalist VCs that have an edge. It’s harder for cyber-focused firms to get exposed to the trends outside of security if the only companies they look at, do diligence on, and discuss in their investment committees are cybersecurity startups. There is no easy way to bridge this gap: if the firm’s partners start spending a lot of time outside of security, it can be off-putting to their LPs who invested in the VC precisely because of its exclusive focus on the industry.
Cybersecurity lives in the broader context of trends and ideas that shape other fields, be it the consumerization of user experience in B2B enterprise SaaS, bottom-up adoption of new products in the field of developer tooling, everything-as-code approaches in IT infrastructure, the adoption of DevOps, or the rise of no-code in marketing. A lot of the innovations happen when someone looks outside of cyber and says “I wonder what this approach would look like in security?”. Narrow, domain-focused knowledge can be as much a liability as it is an asset because it can limit the VC’s ability to think outside the box and anticipate disruptive innovation.
Generalist VC firms, their advantages & disadvantages
Types of generalist VC firms investing in cybersecurity
Not all generalist VCs are made equal. When it comes to generalist VC firms that invest in cybersecurity, I observed that most players can be categorized into one of a few broad types.
Generalist VC firms without expertise in cybersecurity
First are the generalist VC firms without expertise in cybersecurity. In other words, the same partner could have invested in a consumer app yesterday, has a call scheduled with a space tech founder today, and will be looking at B2B enterprise SaaS tomorrow. Obviously, in real life partners in these funds can have some degree of specialization (consumer, B2B, blockchain, etc.), but the funds do not employ people whose job is to specifically spend their time focusing on cybersecurity.
When VCs in this category talk to security founders, they often have little idea about the complexity of this nuanced space, the critical role of trust for product adoption, trends in the channel partner space, the impact of data gravity on go-to-market, the degree to which companies that claim to be from different market segments could be doing the same thing, and other peculiarities of the security industry. These firms have a limited sample size of companies and often find it hard to grasp if whatever the entrepreneur is claiming is indeed a unique “next-gen” idea, and if it is feasible in cybersecurity. Generalist VCs with no expertise in security tend to base their investment decisions on the verifiable track record of the founders and heavily rely on the help of advisory networks to evaluate prospective bets.
Generalist VC firms with strong expertise in cybersecurity
On the opposite side of the spectrum are the generalist VC firms with strong expertise in cybersecurity. These are often top-tier and large VCs such as Accel, Bessemer Venture Partners, Andreessen Horowitz, Sequoia, Index, Insight, Greylock, Lightspeed, and Sands, to name a few. While the firm itself may invest in several different sectors or be entirely industry-agnostic, it is common for these VCs to employ people fully or partially dedicated to cybersecurity. Examples include:
Stephen Ward and Thomas Krane at Insight Partners
Bill Coughran at Sequoia
Zane Lackey at Andreessen Horowitz
David Cowan at Bessemer
Asheem Chandna at Greylock
Ravi Mhatre at Lightspeed
Sid Trivedi at Foundation Capital
Ken Elefant at Sorenson Capital
Mark McGovern at Sands Capital
Pramod Gosavi at 11.2 Capital
Ilya Kirnos at SignalFire
Harpi Singh and Dhruv Iyer at Innovation Endeavors
Andrew Smyth at Atlantic Bridge
John Vrionis and Allison Averill at Unusual Ventures
Venky Ganesan, Tim Tully, and Feyza Haskaraman at Menlo Ventures
Jordan Segall at Redpoint Ventures
Generalist VC firms with strong expertise in cybersecurity have people who spend a lot of time in this specific segment, evaluate many security companies, and build broad networks in the industry. At the same time, people in generalist VC funds maintain their ability to get insights from other verticals and horizontals, understand trends shaping a broader range of markets, and develop well-rounded perspectives about the tech scene. While a 100% cyber-focused VC firm cannot justify spending time on companies outside of security, cyber-focused partners in generalist funds get to participate in investment committee meetings with colleagues investing in other verticals. This fact alone gives them a broad view of the trends from fields outside of security and enables them to think about how (and if) the same trends will affect their field of focus.
Generalist VC firms that fall in different areas of the spectrum
A large number of venture capital firms fall somewhere in between these two extremes. Some may have partners interested in security but not able to allocate much time to it, while others hire principals or senior associates with domain expertise to help source and evaluate companies in fields where managing partners themselves do not possess the right expertise.
VCs with strong expertise in software engineering and infrastructure tools deserve a special mention because of their impact on the cybersecurity ecosystem. As security is maturing and becoming more engineering-focused, these firms help fund the infrastructure of the future. Several investors fall under this category, including reputable and well-known VCs such as SignalFire, Unusual Ventures, and Susa Ventures.
Strong sides of generalist VCs
Ability to anticipate trends from other industries
The exposure to different markets and market segments, and subsequently to different ideas, perspectives, and approaches, enables generalist VCs to think about the broad range of potential outcomes and industry development paths. Because cybersecurity exists within the context of the broader tech ecosystem, the ability to observe the dynamics in IT, infrastructure software, developer tooling, deep tech, and various segments of B2B SaaS is highly beneficial if one wants to bet on high-risk, and potentially high-reward, industry-defining innovations.
A case in point is the shift towards more engineering-centered approaches to security, in which security becomes a part of CI/CD pipelines and is seen as a testable, verifiable functional requirement when building software. Knowing deeply how security functions today is, without a doubt, critical. However, some may argue that the best way to predict the direction the industry is going to take is to look at the evolution of software engineering and IT infrastructure over the past few decades and try to picture the same (or similar) path for security. Generalist VCs are well-equipped to do this.
Larger pool of potential investment options
When cyber-focused VCs look at companies, they ask themselves “Is this the best cybersecurity company I could invest in?”. On the other hand, when generalist VCs are conducting their due diligence, they are forced to think broadly - “Is this the best company, regardless of the industry, I could invest in?”. The options pool is bigger, and so the number of potential outliers available to investors is also higher.
This fact has a profound implication for portfolio construction. It is not a secret that very few cybersecurity companies become public (the vast majority of exits are acquisitions), and even fewer exit at unicorn valuations. Acquisition prices of startups that do get bought vary widely, with $100-$400 million deals being seen as a big success, especially for pre-series B transactions. Cyber-focused VCs are therefore not able to make investment decisions on the assumption that every individual investment could produce 100x multiples and return a fund. Instead, they need to be strategic and construct their portfolios with the assumption that the whole fund may not see any IPOs, just acquisitions at 5x-10x or, if they are lucky, more. This requires a different investment strategy.
Some industry-agnostic investors are indeed notorious for chasing hype with little regard as to whether or not “hot” companies are solving the problems that matter and make sense from the financial standpoint. However, a solid percentage of VCs are highly proficient in identifying outliers building companies capable of changing the trajectory of the market and becoming billion-dollar players.
Cross-sector diversification
The fact that generalist VCs are not beholden to the destiny of any one single industry means that they are much more likely to ensure their own long-term survival.
The absence of diversification increases the risks for the existence of the VC firm, imperiling its ability to raise the next fund. Generalist VCs can maneuver and go to different sectors as they have not committed to staying exclusively in a single sector. Smart entrepreneurs understand these dynamics, so they rightfully want their investors to be around and raise their next fund. VC firms are likely to be investing at least on a pro-rata basis in their winning companies throughout the startup's lifecycle. And, the ability to provide bridge financing to the portfolio companies if they need additional support can make a big difference.
Today, we witness fields such as fintech and cryptocurrency bleed money and see company valuations sliced by as much as half, or sometimes more. This hasn’t happened in security to the same degree just yet, and with growing criminal activity, constantly evolving geopolitical threats, and rising insurance premiums it is comforting to think that cybersecurity is recession-proof, but I don’t think any industry is. We know that black swan events have the potential to change the state of any sector, and society at large. When it happens, generalist VCs will be able to pivot to another industry much more easily than any sector-specific fund.
Weak sides of generalist VCs
Lack of domain expertise
One of the most impactful weaknesses of generalist VCs is the lack of domain expertise. VC firms with partners dedicated to the security space do not share this weakness.
When an investment firm does not have in-house talent with experience evaluating and working with cybersecurity startups, it has several important implications.
First, the VC may struggle to make sense of the entrepreneur’s pitch: many ideas sound great at first glance but are unlikely to ever gain traction in the industry, while others may appear boring but hide great potential. Without strong domain expertise and experience operating in security, it can often be hard to tell the difference between the two. It is possible to engage external experts, and many VCs do just that. The challenge is that this expertise often comes at a high cost, and the need to have many external people involved in due diligence can slow the whole process down.
Second, the investor may not understand many of the nuances surrounding building cybersecurity companies such as high reliance on trust and its implications, the long buying journey and the role of industry analysts, and the complexity of conducting customer research. Without such understanding, it can be hard to add value post-investment, especially at the earlier stages when founders need some guidance and support to get the product to the market and get to the product-market fit quickly.
Lack of market awareness
Whether or not top-tier VCs such as Sequoia and Lightspeed focus on cybersecurity, they will still be able to attract talented founders and get into great deals. The same cannot always be said about mid-tier generalist VCs who may find it challenging to grow their awareness among the most promising cybersecurity entrepreneurs.
When founders are looking for an investor, they will typically ask their friends and do research online. Being a cyber-focused fund helps to get noticed when the founder is sifting through different options on Crunchbase, Google, or, now, ChatGPT. When it comes to personal recommendations, an outcome will largely depend on one’s network: an ex-Google founder is more likely to talk to a generalist firm, while someone leaving a cybersecurity vendor or a security operations center (SOC) may end up talking to the cyber-focused VC. Founders share their experiences with their peers, so if a firm has a portfolio of cybersecurity companies, it will naturally get more entrepreneurs from their networks. If the VC is not known as an investor in security, doesn’t have strong domain expertise, and isn’t known as a top-tier firm, it is likely to struggle to break into the cybersecurity market.
Without a strong track record backing great security companies, the VC firm may find it hard to stand out in economic conditions when cheap capital is abundant. When it does invest in security, it may allocate capital inefficiently by betting on players that do not have the chance to win in the competitive market, be it due to its lack of expertise or because of other factors.
Looking at the (imperfect) data
Objectives, background, and constraints
I was interested in understanding which investors support cybersecurity startups at their earlier stages and help them win. To find an answer (or at least some clues that would help make some generalizations), I decided to do two things:
Get the list of cybersecurity companies with over $1 billion valuation
Get the list of investors who backed them at the earliest stage, in the first two funding rounds, which is typically (but not always) long before they became unicorns
Before I share some observations and outcomes of this mini-investigation, it is worth offering a few disclaimers:
The list of companies is far from perfect. For one, the valuation alone is not necessarily a predictor of a successful financial outcome for the shareholders as these companies are yet to exit. Moreover, the information on the list I was able to find at Failory is outdated, and we will see significant adjustments as a result of the current economic downturn. For instance, Cybereason, one of the companies on the list, saw its valuation sliced by over 90% in the past funding round (I kept them anyway).
The data about investors isn’t great either. I used Crunchbase to look up VCs, angels, corporate VCs, and family offices who backed the future unicorns at the earliest two rounds. Unfortunately, it is common to have some data missing, especially because most early-stage investments are done by angels and syndicates in ways that do not attract much attention or become public knowledge. Yet, this is the best I could do - please do feel empowered to add corrections/comments to the Excel sheet; I left the commenting ability open on purpose.
More important than data imperfections is the fact that early-stage investing is highly nuanced, and who gets to back different companies is largely dependent on the networks of the founders, their backgrounds, geographic location, whether they are first-time or experienced entrepreneurs, market conditions, and so on. It would be a mistake to look at the flat data and assume that there is enough context to make any definitive assertions.
Observations and conclusions
Based on Crunchbase data, Insight Partners, Cyberstarts, Y Combinator, Andreessen Horowitz, General Catalyst, and Lightspeed Venture Partners are listed as early investors in 3+ cybersecurity unicorns; so is Shlomo Kramer, a cyber-focused angel and a co-founder of cybersecurity companies Check Point and Imperva, as well as Cato Networks. Notably, Shlomo can also be credited with laying the foundations of what is known today as the cybersecurity market. Bain Capital Ventures, Cerca Partners, Coinbase Ventures, First Round Capital, IA Ventures, Kleiner Perkins, New Enterprise Associates, S28 Capital, Sequoia Capital, WndrCo, and YL Ventures, according to the same dataset, have all invested in the first institutional round of at least two present-day cybersecurity unicorns.
When we think about the role of cyber-focused investors in the ecosystem, what the numbers seem to show is quite interesting. On one hand, it doesn’t appear that VCs who exclusively invest in cybersecurity have the unique ability to identify and back future leaders of the industry. On the other hand, it is also clear that being funded by VCs with security expertise (whether or not it’s the only area they invest in) does make a big difference for the company. Although it may be tempting to look for clear boundaries of what “cyber-focused” means, that would also be a big mistake: as Crunchbase data shows, there are many, many nuances. Several of the top-tier VCs such as Insight Partners, Andreessen Horowitz, and Lightspeed Venture Partners have developed deep expertise in security among other areas of tech. Quite a few other investment firms that aren’t known as either top-tier VCs or cyber-exclusive investors have also shown interest and built decent expertise in security.
All this makes it hard to compare cyber-focused VC firms to generalists or make any general observations. What is clear to me is that cybersecurity entrepreneurs should be looking for investors who can grasp the problems they are trying to solve, and who can become long-term partners on their journey, providing as much value as they can to help the company grow.
It’s worth emphasizing that early-stage founders looking to raise a seed round or a Series A should look beyond the logos on the VC firm’s websites. When they see a logo of a successful company in somebody’s portfolio, it’s important to understand when and how the investor in question backed this company. Have they led the round at the beginning of the journey, when it was unknown if this company has any chance to do anything of value? Or, was it much later, as a small check to get on the cap table of the already winning startup? The former isn’t necessarily better than the latter, but it can inform decision-making differently. It goes without saying that this only applies to VCs who invest cross-stage or at the early stages; naturally, a VC focused on later-stage companies will not be investing in seed/Series A rounds.
For those interested in diving deeper, the spreadsheet with data can be found here: Cybersecurity Unicorns and Their Early-Stage Investors. Feel free to add your ideas, clarifications, and corrections as comments to the sheet.
Closing thoughts
When cybersecurity entrepreneurs are starting to look for funding options, whether or not a VC firm they are talking to specializes in cybersecurity is of little importance. What is critical is to find partners who can help the company grow and enable it to reach its fullest potential. Sure, signaling is important, but at the end of the day, everything is about people and their willingness to help. Getting investment from a less-known VC where partners are genuinely excited about the company and are willing to spend time helping the founders navigate the complexity of building a company can be much more advantageous in the long term than getting a great logo with partners who can’t offer as much of their time. In some cases (say, for a second or third-time founder who knows what he or she is doing), the opposite may also be true.
Cybersecurity entrepreneurs should understand the value proposition, strengths, weaknesses, and trade-offs of being funded by different VC firms, and make their decisions based on that. Sometimes, the right path may be to not look for VC funding altogether - everything depends on the founders, their ambitions, and the kind of company they are trying to build.
Resources
The Top Posts page collects top Venture in Security resources generalist VCs, founders, practitioners, security leaders and industry insiders can find most valuable.