How startups work: a field guide for security people
Discussing ten specific aspects of startups and the tech ecosystem that security practitioners should understand
If you had asked me three years ago whether I thought security professionals should understand how startups work, I would have answered something like a generic "It depends". I thought that while the percentage of people in the industry who care about business, startups, and the broader ecosystem isn't that big, the people who do are more likely to become business leaders and grow into CISO or BISO (where B is for business) roles. After all, the curse of technical leaders is that at a certain point they have to let go of the technical details and use higher levels of abstraction when talking to others, and for that, a broad understanding of the business is invaluable. While that reality hasn't changed, my thinking most certainly has.
I now believe that every security professional should understand their company's business, the way the vendor market functions, and the broader ecosystem that surrounds our industry. I have discussed parts of this in my book and in hundreds of articles. In this piece, I will cover ten specific aspects of startups and the tech ecosystem that security practitioners should understand.
Community announcement - BSidesNYC CFP is open.
In addition to amazing technical talks, BSidesNYC has a special 'Entrepreneur' track - a space for founders to share real stories and lessons from building security companies. If you're a founder, this is your chance. It’s rare to find a conference that mixes security/tech with honest startup experiences.
Three tracks are now accepting proposals:
> Technical Talks - Core conference content: red/blue team, privacy, policy, and more.
> Technical Workshops - Longer sessions of hands-on exercises.
> Entrepreneur Talks - Share what it's really like to build and scale a security company.
Every security professional should understand how startups work
Security is often framed as a discipline rooted in predictability, control, and risk reduction. Startups, on the other hand, operate in a world defined by the opposite - ambiguity, lack of control, and risk-taking. Oftentimes, the two seem incompatible (aside from the fact that neither founders nor security leaders get much sleep), and that is why it’s so important to understand how startups actually work. When you are evaluating a new tool or deciding which solution would be a good fit for the problem you are planning to address next quarter, chances are you are going to be looking at startups (after all, most new problems in security are generally first tackled by startups long before they even get on the radar of large platform players). When you do, you will want to have a good idea of what you are getting into.
The security industry doesn't operate in isolation - it's shaped by the broader forces of technology, business, and capital. That's why it's important to understand how venture funding influences startup priorities, how go-to-market strategy shapes product decisions, and what realistic success looks like for early-stage companies. This context gives security leaders a more accurate lens through which to evaluate vendors, predict market shifts, and engage with the ecosystem. Without this perspective, it's easy to misinterpret how the industry really works. We waste time criticizing vendors for not having features they can't yet afford to build, or assuming that funding equals maturity. When we understand the underlying dynamics, trade-offs, incentives, and constraints that are at play, we start asking better questions and seeing our industry as it is, not as we assume it to be.
Ten aspects of startups and the tech ecosystem security practitioners should understand
About startup priorities and why companies don’t begin with security in mind
Security professionals like to say that every product should be built securely from day one. In theory, this makes sense, and it would indeed be great if startups had the luxury of designing security into the product before they start building. In practice, however, it rarely works that way, and to understand why, it’s important to discuss how startups are built.
At the beginning, what we call a startup is usually a few people working out of their homes or a proverbial garage, with no money, no clear idea of what they are doing, and, statistically, little hope for the future. In many cases, founders are burning through their savings, hoping that they can raise some funds or, less likely, close an early customer before they run out of money to pay rent. In others, they go all in with no savings, maxing out their credit cards in pursuit of their dreams. Not everyone can afford to take that much risk, so plenty of people start their new ideas as side projects while keeping their full-time jobs. And some are lucky enough to raise a small angel round.
Regardless of their specific situation, startups are fighting for survival, and their priorities reflect that. For these young companies, it’s all about figuring out what customers need and are willing to pay for, getting to an MVP as quickly as possible, and raising the first funding round. For their founders, it’s often about maintaining sanity amid complete uncertainty, not going bankrupt, surviving without income (and in the US, frequently without good or even any health insurance), and other basics. Security is important, but it’s not urgent until there’s something worth protecting, and certainly, it can’t be more important than survival.
Hopefully, the founders will be able to figure things out, but even if they do, security is still not going to become the number one priority. There's the need to hire the team, figure out what to build, find a way to sell it, and put out the millions of fires that emerge every day. If the company is lucky enough to weather the early storms, it will be able to progress and eventually get some help with security. For cybersecurity startups and enterprise-focused companies, this happens earlier than for others, but it's worth remembering that most companies outside of security aren't dealing with an inverted "crossing the chasm" dilemma and won't be trying to sell to JP Morgan Chase one year into their existence.
About the wedge and why nearly every company has to start as a feature
Every week someone takes to social media to say that they are tired of too many point solutions and single-feature companies and that instead, they would like to have more platforms. While that sentiment is understandable, and it would indeed be great if there were a single platform that did everything customers need and was perfect in every sense, it ignores a simple truth: every successful platform started as a point product.
Every founder has a big vision, but trying to take on an industry leader with thousands of employees using a team of five is, to put it mildly, not realistic. Startups need to find a starting point - often called a wedge - that solves an urgent (even if narrow) pain, allows them to earn trust, and lets them expand later. The reason no startup "solves the full problem" is that complex problems require solutions that take a long time, many people, and a lot of capital to build and take to market. By definition, no company that has been around for a year can do that.
Experienced founders who have proven their ability to execute by building at least one such point product often try to play a different game. Instead of raising a reasonable amount of capital, picking a narrow wedge, and scaling gradually, they raise a lot of money quickly and try to build a broad platform from day one. In the grand scheme of things, this isn't that common, and people who do this usually have at least one big success on their resume. Wiz founders raised a lot of capital and consolidated the CSPM market, but that was after their first company, Adallom, was acquired by Microsoft for $320 million back in 2015. George Kurtz, Dmitri Alperovitch, and Gregg Marston raised a lot of capital to build CrowdStrike, but that was after Kurtz sold Foundstone, which he co-founded, to McAfee for $86 million. Jay Chaudhry founded and sold four companies before starting Zscaler.
No matter how much funding a startup has, it still has to start with a wedge - a sharp, focused entry point, a killer feature, and a narrow use case that allows it to gain traction and grow from there. Dismissing point solutions as inherently inferior misses the fundamentals of how companies are built. It’s like saying, “To grow the workforce, we don’t need to bother with having kids, we just need to figure out a way to get more adults.” It sounds absurd because it is.
About iteration and why it’s okay to ship features that don’t solve the whole problem
Another thing security professionals often misunderstand about startups is the role of iteration. In security, the instinct is to solve problems completely, which generally means closing the gap and covering all edge cases imaginable. Startups, on the other hand, live in a different reality, one where perfection is a luxury they can’t afford.
When a startup ships a feature, it's not because they believe it solves the entire problem. The goal is to quickly get something out the door that is good enough to prove customers care. It has to be comprehensive enough to get a meeting, unblock a sales conversation, and reveal what needs to change and where the product needs to evolve. Nobody has the right answers, and ten security engineers will have eleven opinions, so just asking "What should we build?" isn't the way to go. The goal of shipping something is to get as much feedback as possible as quickly as possible and to keep the startup alive by proving there's demand.
What a security person might see as an incomplete solution is often a deliberate choice to optimize for learning and speed. The fundamental conflict here comes down to mindset: security people are used to thinking in terms of control, certainty, and completeness, while startups are navigating complete ambiguity. At any given time, they typically have about two years before they either hit the next major milestone or go under. The only way through is to ship imperfect functionality fast, test ideas in the real world, and adjust. Naturally, this means some features will be rough around the edges and others will be completely missing, but that's okay so long as the team is addressing a real pain and solving a problem someone is willing to pay for.
About market segmentation and target market and why not every product should be a fit for every customer
Several weeks ago, I came across a LinkedIn post where someone was criticizing password books (those little notebooks people use to write down their credentials), claiming they create a false sense of security and often cause more harm than good. The post went viral, with hundreds of professionals chiming in to agree. From a certain lens, that reaction makes sense. For example, if you're thinking in terms of enterprise security, the idea of a physical password book sounds almost laughable. However, that post didn't just reflect opinions about security practices; it revealed a deeper misunderstanding of market segmentation and target markets.
Not every product is meant for every customer. Password books are not designed for Fortune 500 CISOs, DevSecOps teams, or tech-savvy users juggling dozens of SaaS accounts. They’re not claiming to be zero-knowledge, end-to-end encrypted, biometric-enabled vaults. Instead, they are targeting a very different user base: people who may never have installed a browser extension, who write checks, and who forget their Apple ID every time they update their phone. For them, especially older adults in their 80s or 90s, a physical password book is often the most secure option available, because it's the one they will actually use.
Security professionals often default to an absolutist mindset: there's one correct way to do things, and anything else is plain wrong. The real world is full of trade-offs, and understanding who a product is designed for is just as important as understanding what the product does. A lot of times we see people dismiss simple tools as “lacking innovation” without recognizing that while they may indeed be too basic for large enterprises, they can at the same time be a game-changer for SMBs. Even practices like SOC2 frequently get dismissed as “not real security” without acknowledgement that for thousands of companies, compliance certifications are the only way to get started on their security journey.
Another way to look at market segmentation is through the lens of pricing. In security, perhaps more than in many other industries, some products are intentionally expensive. High pricing may be a strategic decision to focus on the top of the market: large enterprises, government agencies, or highly regulated industries with deep pockets and complex needs. This is not discrimination against smaller companies, it’s just how segmentation works. Selling to a Fortune 50 bank is fundamentally different from selling to a 50-person startup - the problems, sales cycles, and procurement requirements are completely different. A startup trying to serve both simultaneously is unlikely to succeed at either, so some choose to focus on startups, and others - on large enterprises.
High pricing creates whitespace. When an enterprise-grade tool costs six or seven figures per year, it creates a natural opportunity for other companies to step in and build something lighter, cheaper, and more accessible for smaller customers, even if it doesn’t have all the bells and whistles. That’s how innovation happens. Startups carve out new market segments not by doing everything better, but by doing something better for someone specific. Market segmentation allows the market to be served more efficiently, and it opens the door for different types of innovation at every tier. Not every product needs to be affordable to everyone, just like not every product needs to solve every use case. What matters is knowing who you’re building for and delivering real value to them.
About the sales process and why companies that employ security teams also send cold emails and do cold calling
Back in 2023, I co-wrote an article with Corin Imai titled Cybersecurity marketing: in need of fundamental change. In that admittedly aspirational piece, we explained the following.
"There is one truth that many people, regardless of the industry, have yet to fully internalize: everyone is selling something. It is the nature of business - it isn't just about building something cool and paying people's salaries; it's also about returns to shareholders, growing the market share, and making money.
When I say “everyone is selling something”, this very much includes companies that employ security practitioners tired of being sold to. When we hear security teams on social media complain that they are being constantly bombarded by sales messages, here’s what we picture.
The reality looks more like this.
Not only security but also all other teams (finance, operations, human resources, customer success, product, engineering, etc.) are constantly bombarded by GTM motions. Not only that, but the GTM teams at the very company security people work for are using the same methods to sell to their customers that security teams hate. Or, to put it differently, in the B2B (business to business) space, the salaries of security practitioners who are tired of traditional GTM motions, like cold calling, are being paid from the money their company earns through traditional marketing tactics.
Welcome to the world of GTM in 2023, a world of fierce competition, short attention spans, and oversaturation of the market - a world in which the most persistent and persuasive win, and those waiting for someone to find them typically get outcompeted (especially those with less capital).”
Nearly a year and a half later, I stand by every single word in this paragraph. Since then, the competition has only intensified, and AI-powered cold calling and email outreach are becoming more and more aggressive. Security leaders are right to be frustrated with how bad it has become, but it’s worth keeping in mind the broader context in which we all live. The world has changed dramatically since the time when there were a few hundred security companies. We are now celebrating the fact that entrepreneurship has been democratized, and tech companies no longer have to be in the Bay Area for them to raise capital and have chances for success. It is indeed true - whether one is based in Madrid, Denver, or Auckland, they now have a good chance at building something impactful. The flip side of this democratization is a level of competition that was unimaginable a decade or two ago. Competition means more people starting more companies, and that leads to more noise for buyers.
It may be shocking to some, but cybersecurity has far fewer vendors than many other industries such as martech (marketing), fintech, and healthtech. Each of these categories easily has over 50,000 players globally, compared to only about 6,000 security startups. For those interested in learning more about my thinking here, check out Why we need more startups and venture capital in cybersecurity, and what needs to change for the industry to mature.
About procurement drivers and why companies pay money for products when free open source alternatives are available
“There’s no way anyone is going to pay hundreds of thousands of dollars for a product when there is a free open source version that does the same”. A more modern way of phrasing this would be “There’s no way anyone is going to pay hundreds of thousands of dollars for a product when they can just vibe code a solution in a few hours”. These statements, while they have an element of truth, reveal a misunderstanding of how and why companies actually make buying decisions, especially in regulated or high-stakes environments. In practice, procurement is rarely about whether something can be built or is available for free; it’s about whether it is maintainable, secure, supported, scalable, and auditable. Enterprises aren’t paying for the code, they’re paying for reliability, security, compliance, continuity, and accountability. They want to know that if something breaks at 3 am, someone will fix it. They need to pass vendor security reviews, meet compliance requirements, and avoid relying on one person’s weekend project to keep a critical workflow running. Large enterprises are already complex, and having a bunch of people vibe coding their own tools and embedding them into the company stack would increase that complexity even more.
Free and DIY tools often break down at the edges as time passes, due to friction of integration, lack of documentation, no formal support, or failure to keep up with changes in the company environment, regulations, or business needs. These might not be blockers for a small startup or a tech company, but for a large enterprise, the hidden costs of ownership far outweigh the license fee of a mature product. In short, companies don’t buy software because they can’t build it, they buy it because they don’t want to own it.
Understanding this shift in perspective is key, because what looks like a "shortcut" of paying a vendor is often the most rational, risk-managed, resource-efficient decision a business can make. At the end of the day, for most companies out there, security is what Amazon called "undifferentiated heavy lifting" - something that just needs to happen in the background without them having to worry about it.
About go-to-market strategy and why some products have free trials and others don’t
To many in the security industry, it seems baffling that vendors rarely make it easy to try their products, see a demo without a sales call, or even understand pricing without jumping through hoops. When a company defies this reality, offering a free tier, transparent pricing, or frictionless onboarding, it’s often celebrated as "how things should be." That framing misses the deeper reality: these choices aren’t arbitrary, they are deliberate components of a company’s go-to-market (GTM) strategy, optimized for a specific audience, pricing model, and sales motion.
Every decision, whether to offer a free trial, publish pricing, gate demos, or rely on channel partners, flows from that GTM. The GTM is never one-size-fits-all: it’s shaped by the market segment a company targets, the buyer persona, the product complexity, the founder’s worldview, and the economics of customer acquisition. A startup targeting CISOs at Fortune 100 companies might skip free trials entirely and focus on enterprise sales cycles, while a company building for mid-market security engineers could bet everything on bottom-up adoption, strong documentation, and community-led growth. There’s no universally correct strategy, only what aligns with the product and the market. Some tools, like security automation platforms, are well-suited for practitioner-led adoption. Security engineers often like to test tools in their home labs, which creates ideal conditions for product-led growth or open source distribution. The same doesn’t apply everywhere. For example, it’s unlikely someone responsible for third-party risk management is going to spin up a TPRM tool on a weekend, which is why you don’t see thriving open source TPRM projects - the buyer, use case, and procurement process are fundamentally different.
Ultimately, there are successful examples across the entire spectrum. Sourcefire was built around open source Snort and found commercial success. Wiz, on the other hand, focused on top-down sales and skipped over the practitioner-first motion entirely, and it worked. There are also plenty of startups that pursued those same strategies and failed. The key takeaway isn’t that one GTM is inherently better than another, but that alignment between the product, the buyer, and the sales strategy is everything. Saying that everything should be done a certain way misses the reality that companies generally optimize for decisions that are most likely to lead to commercial success. The fact that different companies do different things and still succeed or fail regardless of the strategy means that there is no right answer.
About ecosystem fit and why it’s okay if other platforms already offer solutions to the problem
One of the most common objections in cybersecurity product discussions is, "But X vendor already does this." It's an understandable reaction; after all, platform vendors like CrowdStrike, Palo Alto, Okta, Zscaler, CyberArk, Microsoft, and AWS do offer bundled feature sets that touch nearly every corner of the security ecosystem. This line of thinking, however, often misses a critical concept: ecosystem fit. Just because a big, widely adopted platform has a feature doesn't mean that the feature is usable, effective, or positioned to solve a specific problem for a specific customer well. In reality, many features of these large platforms are generic, deeply buried, or optimized for check-the-box functionality rather than usability. Buyers often want a tool that's dedicated, intuitive, and deeply integrated into their workflows. For instance, AWS technically provides many security capabilities, but enterprise security teams rarely use them to the fullest, because setting them up is complex and costly and they have not been built with user experience in mind. A product that simplifies security in the cloud, by abstracting away the pain and making it useful out of the box, can create real, differentiated value.
Successful products don’t always win by being the first to offer a capability. They win by delivering value in a way that’s accessible, reliable, and tailored to the buyer’s needs. Think about how companies like Wiz have thrived despite a lot of their functionality existing in older platforms. Their success came from better packaging, better UX, and better distribution, and not from inventing cloud security posture management. Buyers don’t care who “did it first”, they care who helps them solve the problem faster, cheaper, and with less friction than other options. The fact that a big platform offers something similar to what a startup is trying to do, doesn’t mean that the problem is solved, it just validates that there is someone for whom the problem matters.
About startups competing with large enterprises and why startups often win
For many people in the industry, it doesn’t make any sense that a small five-person startup would be crazy enough to compete with a platform player like Microsoft or Palo Alto. These giant companies have all the resources at their disposal, including distribution channels, the best and brightest people, and so on. In theory, they would crush anyone trying to do something that is even slightly competitive. However, as they say, in theory, there is no difference between theory and practice, but in practice there is. Startups often win when going against the incumbents, and that is not a coincidence.
What many people don’t understand is that when a startup is competing with, say, Microsoft, it is not actually competing with Microsoft with all its might, it’s competing with a small product team. On that team, engineers work 9 to 5, product managers spend hours in meetings with their managers and managers of their managers, and managers of their manager’s managers, to align them on priorities, get buy-in from the higher-ups, and set themselves up for a promotion. When a startup is competing with Microsoft, it is competing with the bureaucracy of large corporations, with complex hierarchies and convoluted incentive systems, and a small team or two that are navigating all this internally. Good startups can move super fast because they are hungry and unencumbered by all this complexity.
For Microsoft, this small thing some team is building is most likely not mission critical, so they don’t care if it gets delayed for weeks or months, or if a set of new priorities pushes it to the bottom of the backlog altogether. For a startup, the fight is existential. This one small thing is everything the company has, and that’s why it has no choice but to focus and push through. This is also why, by the way, focus is so important for early-stage founders, and good ones understand that the moment they spread themselves too thin, they lose. Startups have to win because they don’t have another option.
About the power law and why VCs aren't purposefully preventing great ideas from transforming security
Every now and then, I hear security professionals say things like, "VCs need to change because they're not funding the right ideas that make security better." While the frustration is understandable, this statement reflects a common misunderstanding of how venture capital works. Venture capital isn't a philanthropic initiative for fixing broken markets; it's a financial model for generating investment returns. Expecting VCs to prioritize the betterment of the industry over the financial performance of their portfolio companies is like expecting a CISO to prioritize open source contributions for improving the industry over securing their company's crown jewels. It may sound like a great idea, but it's not their job and that's not what they get paid to do.
VCs are not activists or industry reformers; they are capital allocators. Their role is to take money from one side, typically institutional investors like pension funds or endowments, as well as wealthy individuals, and invest that capital into startups with the potential for outsized returns. Venture is a high-risk asset class, where most bets go to zero, which is why the winners need to be big enough not only to cover the losses but also to generate significant gains. If nine out of ten startups fail, that one win has to return the entire fund, and then some. This incentive structure shapes how VCs evaluate ideas - it's not about whether a problem is real or whether a solution is technically brilliant; it's about whether the solution can scale, whether the market is large enough, and whether the company can exit at a premium. Ideas that might make the industry better often struggle to get funded, but that's not because they are not valuable; it's because they don't neatly fit the venture model, and they don't get VCs promoted. Blaming VCs for not funding what we as an industry care about is like blaming a firehose for not watering our gardens (that's not what it is for). If the goal is to improve the state of cybersecurity as a whole, the answer may lie elsewhere - in government funding, nonprofit models, public-private partnerships, or initiatives that may or may not eventually grow into businesses. Expecting traditional venture capital to change its core purpose is both unrealistic and a distraction from finding better sources of support.
Closing thoughts
I am convinced we need more security practitioners interested in business. This is partly because I genuinely believe we need more people brave enough to tackle the ever-growing list of problems we as an industry are facing, but also because the gap between the world of vendors and the world of security professionals seems too big. We need to close that gap. The more people outside the startup community understand how startups work, the better the questions they will be able to ask. This, in turn, will naturally improve the quality of the conversations we as an industry are having.