In 2024, finding cybersecurity startup ideas worth pursuing is harder than many people think
Despite the fact that security is far from being a solved problem, it's not that easy to find ideas for venture-backed startups worth pursuing
Over 1,940 copies of my best selling book “Cyber for Builders: The Essential Guide to Building a Cybersecurity Startup” have been delivered by Amazon so far. This book is unique as it talks about building cybersecurity startups. It is intended for current and aspiring cybersecurity startup founders, security practitioners, marketing and sales teams, product managers, investors, software developers, industry analysts, and others who are building the future of cybersecurity or interested in learning how to do it.
It is becoming clear to many that while starting a cybersecurity startup is now easier than ever, the bar for what has the potential to succeed keeps going up. A lot of the foundational problems have been solved, and many of those that remain feel almost beyond what can be addressed by simply building a better tool. To make matters worse, security leaders are becoming more and more hesitant to buy new products. Partly, this is because of their desire to reduce the number of vendors, but factors such as budget size also play a role. For startups, this means that it’s becoming harder than ever to acquire new customers, grow revenue, and reach the milestones their investors are expecting.
Usually, people say that to build a company, one needs to find a problem area that is painful enough for someone to want to solve it. I think this view is overly simplistic: there are hundreds of problems in security, but buyers of security solutions need to ruthlessly prioritize. Just because something is a problem, it doesn’t mean CISOs are going to dedicate time and effort to solving it. Moreover, even if a startup can find a good pool of early adopters, it may fail to get enough customers to build a successful company. There are many factors to consider; this piece will briefly touch on a few of them.
“Land and expand” trap in cybersecurity
To get started, every new company needs to find a wedge, a unique way in. Finding a strong initial wedge is critical because regardless of how big the founders’ vision may be, they will have to identify early adopters willing to work through the initial sub-optimal experiences, bugs, and gaps in the product. If there is already an established competitor that solves the problem at hand really well, buyers have little incentive to consider working with early-stage startups instead. Let’s say the founders are lucky to have found an idea that doesn’t have a good solution yet. What then?
While the list of problems a startup can tackle is nearly infinite, the list of problem areas in security is finite. When the startup identifies an opportunity for the initial entry, it knows that over time it will need to expand into other, adjacent areas. This strategy is usually called “land and expand”: start by selling a small feature, and over time broaden the coverage thus growing the number of capabilities and displacing the legacy solutions.
This approach makes sense, and frankly, there aren’t many other ways of doing it. The challenge is that the picture looks very different from the perspective of an individual founder than it does from the perspective of the buyer.
Every vendor the enterprise is working with wants to expand its offerings, and as a result, is trying to displace all other tools solving adjacent problems the company is relying on. While every startup has likely picked a different wedge, in the end, every appsec vendor wants to own all of the application security, every endpoint security company wants to do everything needed to secure endpoints, every identity security company wants to own all of the identity, and so on. This means that startups aren’t just fighting to displace legacy security providers, but also to outcompete and consolidate the offerings of other early-stage players.
Buyers of security solutions have been forced to deal with tens of vendors for quite some time, and they have become very apprehensive about adding “just one more”. This is a big problem for new cybersecurity startups.
When founders are validating their ideas before deciding what to build, they often reach out to CISOs and ask what problems they are tackling. Security leaders usually provide a long list of important concerns (it’s rarely just one or two). While founders have learned to validate if something is indeed a real problem, and if there would be a willingness to pay for new solutions, two questions that are becoming more and more critical to ask during the initial validation are:
“You are saying that X is a problem. I am curious - is this problem so urgent and important that you are willing to add another new tool to your already complex environment, or are you more comfortable waiting until your existing vendors add something that solves this problem?”
“What would a ‘good enough’ solution for this problem look like?”
These simple questions, if asked at the right time, could spare many passionate entrepreneurs from building solutions that address important problems but that would struggle to gain any traction.
Declining average contract value
Another side effect of the growing number of vendors coupled with the “land and expand” strategy is the ever-declining average contract value (ACV). Here is how it plays out:
New security needs are emerging daily, and CISOs have little choice but to look for solutions, be they new capabilities from their existing vendors or net new tools altogether. The problem is that security budgets aren’t bottomless, and while they are not declining, they haven’t been rapidly growing either. And where security budgets are increasing, this increase is typically eaten by the existing vendors (i.e., if the security budget is increasing 10% every year, that’s not exactly an extra 10% to spend, as most vendors the company is already paying for will raise their prices).
CISOs know that even if they have no choice but to spend money on small features from new startups today, it’s highly likely that the larger players will start offering the same capability tomorrow. They can wait until that happens, or buy a stop-gap tool from a small startup knowing that they will soon be looking to replace it.
Since the number of security startups has been growing, the competition is getting more and more fierce, and founders are becoming desperate to get new logos and show their investors that they are making progress. In addition, they know that if they can execute the “land and expand” strategy well, then a customer who is only paying a small amount of money today could become a major revenue source tomorrow.
Frequently the desire of startups to get new customers at any cost and the need of CISOs to spend the least money possible on new tools meet. When it happens, founders get to claim new logos, and security leaders get small sets of capabilities with great support. The reality is that a lot of these contracts have incredibly low average contract value (ACV). Many new security vendors aren’t fighting for hundreds of thousands and multi-million-dollar deals; they are lucky if they can get $20,000-$50,000 per year for a small feature they are selling. In most cases, that’s also the most they can charge as no buyer is going to pay hundreds of thousands of dollars for a small feature that is added as a net new tool on top of the existing security stack.
In conditions where so many startups are trying to compete in the same categories and displace the incumbents as well as one another, it is no wonder that the “expansion” part of the “land and expand” strategy often becomes a mirage.
Selling security buyers a vision
I often meet founders who assume that they can sell CISOs and security teams a long-term vision, and get them to make a bet on the startup without having to find a solid wedge first. In other words, they build a small feature that is already offered by the incumbents, and hope they can convince a CISO to “give them a chance” because “very soon their product will be so much better than anything else out there”. From what I’ve seen, in 99 cases out of a hundred, this strategy doesn’t work.
As I have previously explained, “Security founders must understand the difference between how these two groups make their buying decisions:
Only ~10% of what the investor is buying already exists; 90% (or more) is yet to be built. VCs are buying a vision of where the company could (and hopefully - will) be, assuming everything goes well. Selling to investors is about excitement, getting their eyes to light up, and imagining what is possible tomorrow.
Over ~90% of what the enterprise customer is buying must exist today; 10% (or less) can be a future vision. Buyers know that startups are inherently risky and unstable, and a year or two later the company may be gone. By agreeing to buy from the startup, the enterprise is already taking a risk. CISOs want to know what problems the product will solve for them today. Every single founder has an inspiring vision that goes miles beyond what the product is in the present, yet the customer isn’t looking to buy that vision - its goal is to solve the problems it deals with today. Selling to enterprises is about enablement, support, response times, contract price, product capabilities, and the ability to replace parts of the current (or legacy) stack, and other pragmatic matters.”
Because security buyers are becoming more and more pragmatic in their relationships with vendors, startups that promise to reimagine how something is done run into another dilemma. They need to start with a small feature or two to enter the market with compelling offerings and find buyers who will not only agree to buy that small feature but also buy into the founder’s view of the future. This is hard, but it’s the only way to make things work.
I do not believe most security startups can avoid the need to come up with a strong entry point. One exception would be if they are trying to build a category leader from day one, such as what Wiz did in cloud security. Even then, unless founders are experienced entrepreneurs with access to enormous amounts of capital, trust, and support, it’s unlikely to go well. There is a reason why most category leaders such as CrowdStrike, Zscaler, Splunk, and Wiz were all founded by experienced entrepreneurs.
Thinking about different problem areas and ideas
Category creation vs. problem and need evolution
It has become a good tradition for cybersecurity startup founders to talk about category creation. For many, it sounds like the only way to succeed in building a company is to do something completely new.
I think this view is both misleading and false.
If we were to look at the winners - the largest companies in their respective markets - it becomes clear that category creation is not the only way to go, and even when it is indeed a good idea to claim new ground, what constitutes a “category” is decided after the winners are announced. Companies do not become successful because they invent a wide variety of new concepts. Instead, they are built on one core, critical insight. For example, CrowdStrike was built on the idea that signature-based detection is no longer sufficient, and without behavioral detection, endpoints will not be secure. Vanta, on the other hand, was built on the idea that small and medium-sized businesses need SOC 2 certification so that they can sell to enterprises. Examples are plenty; what matters is that founders should be focusing on finding that one unique, core insight, and not on thinking about how to create a new category. Establishing a category is a by-product of successfully executing on a unique insight that is both right and timely, not an outcome of being the first to claim a few letters.
Second, and most importantly, establishing a new category requires a lot of work - educating the market, making buyers aware of the importance of a specific attack vector, convincing CISOs to allocate a new budget line item for whatever it is the startup is building, etc. All this requires a lot of capital - capital that is diverted from building the best product, and executing the go-to-market strategy. It is usually smarter to not be the first - but to enter the market after someone else has already spent the money doing all this groundwork. A great example of this is the playbook executed by Wiz.
Security for foundational problem areas vs. security for niche needs
Every enterprise has a number of problems that I consider to be foundational. This list includes endpoint, cloud, email, application, and network security, identity and access management, asset and vulnerability management, and compliance. While it doesn’t mean that other areas of security are less important, I have seen plenty of times that a company would not be paying attention to, say, third-party risk management until it has a solid endpoint security program.
The great news is that these problem areas are known, and have existing budgets. An easy way to understand what the biggest budgets are being allocated to is to observe where there are either large publicly traded corporations, or successful companies owned by private equity firms. This list, sadly, does not include IoT, blockchain, mobile, or OT/ICS security, nor do we see a sea of successful threat intelligence companies. The bad news is that all these areas are insanely competitive. Security for foundational problem areas is dominated by large players - Microsoft, Palo Alto, CrowdStrike, SentinelOne, Okta, and Wiz, to name a few. There are also plenty of successful companies that don’t get much air time but that continue to make money year after year. Mimecast and Proofpoint are two such examples.
Does all this mean that there is no opportunity to build new solutions that address foundational security problems? Not at all; in fact, most startups are going precisely after these categories. The bar and barriers to entry in these market segments are sky-high. Successes happen, but for that, there needs to be a window of opportunity, not just an ability to execute. For example, when Microsoft was taking time to transition its identity solutions to the cloud-first world, it allowed Okta to come in and offer a new take on identity, quickly grabbing a big piece of the market. When it became clear that there is more to endpoint security than signature-based detection, CrowdStrike got an opportunity to execute, and did so well. When the pandemic forced nearly every enterprise to re-architect its workflows, forget about the traditional network perimeter and adopt the cloud, Wiz found a perfect opportunity to grow and become a leader in cloud security. The founders of each of these companies executed tremendously well, but I would argue that timing played a critical role in their success as well.
Once a company becomes a market leader, success breeds success, and trying to unseat a player who is on top but hasn't yet lost the ability to execute is insanely hard. Going head-to-head against present-day leaders with great ability to execute (think Wiz, Vanta, or CrowdStrike) in 2024 just isn’t smart.
Another way to come up with new ideas is to look for niche needs. Unironically, since compliance with regulatory requirements is one of the strongest factors driving demand for cybersecurity, the vast majority of founders look at highly regulated industries such as healthcare and finance. Vertical SaaS companies (“security for automotive”, “security for space”, “security for healthcare” etc.) also fall under the same bucket, and so do companies targeting the top 1-5% of the most mature customers. The latter deserves a more detailed discussion.
Most early adopters of security are mature security teams at cloud-native, engineering-centric organizations that are proactive and forward-thinking in the way they approach security. However, many of their problems are so advanced that they do not translate into the mass market. Early-stage cybersecurity startup founders who see signs of demand for what they are building among mature enterprises need to discern whether the problems they are tackling have mass-market potential, or whether they are more likely to remain niche.
As a rule, to build a large security company, founders need to pick a market where the early adopter segment constitutes a small part of a larger market. If the product requires users to have advanced skills, it is likely going to remain a niche solution as the mass market doesn’t usually have these skills; it needs an easy “set it and forget it” option.
Security for new markets vs. security for existing markets
Many people are hopeful that they can escape the competitiveness of security by focusing on new markets.
That is easier said than done. The harsh truth is that if a market doesn’t have a large number of successful players, there is likely a reason for it. Studying the history of the segment, what startups tried to change the way it works, and what their exits looked like can offer useful insights. What we often think are genius ideas that nobody else has recognized are the same ideas that somebody else has tried before with different degrees of success.
Two markets that are said to have a lot of opportunities are operational technology (OT) and small and medium businesses (SMB).
We have seen that security for operational technology (OT) and industrial control systems (ICS) is an incredibly tough nut to crack. Very few companies have budgets allocated to OT security, there is no clear buyer, there is a limited amount of talent that understands the problems, the market is highly fragmented with different segments having to adhere to different regulations, etc. I have recently dedicated a long-form deep dive to this area. There are indeed a few players that have been successful in OT, such as Dragos and Nozomi, but the market isn’t growing as fast as many would like. Every few years a new company emerges with hopes it can break through the intensity of the market, but so far these wishes haven’t turned out well for most of them.
The small and medium-sized businesses (SMB) market is another one of these areas where people like to see a big opportunity. The idea is that all businesses are under attack, so SMBs will have no choice but to level up their defenses. Intuitively, that feels right. The numbers seem to suggest that there is indeed a decent market as according to the U.S. Small Business Administration,
Most businesses are small - 99.9% of American businesses.
Small businesses employ 61.7 million Americans, totaling 46.4% of private sector employees.
From 1995 to 2021, small businesses created 17.3 million net new jobs, accounting for 62.7% of net jobs created since 1995.
About 38% of small businesses use specialized software in their business operations.
And yet, although these numbers look impressive, the economics of selling to SMBs has greatly disappointed a good number of security startups. SMBs are not sophisticated buyers, so many cannot tell the difference between the value of a virtual private network (VPN) and that of a managed detection and response (MDR) service. Moreover, since there is little regulatory pressure and no dedicated security budgets, the hope that SMBs can become a large market has not yet materialized. The small deployment size makes it hard to sell direct, while channel sales, which remain the best way to reach SMBs at scale, are becoming more and more competitive. One way to make the economics of the SMB market work could be to build a product designed for self-service, but that doesn’t work either, as SMBs aren’t actively looking for security tools and can’t evaluate them effectively. No matter where you look, there’s a dead end. The only company I know that was able to make the SMB market work for them is Huntress. Some may also bring up examples of Vanta, Drata, and Secureframe, but they are sales enablement tools that make it easy for SMBs to sell to enterprises, not so much security companies (even if one of the outcomes they deliver is in fact security).
Does all of this mean that markets such as OT and SMB are not the right places to bet on? Not at all, but founders considering them must ask themselves what will make them succeed where many others have failed. Assuming that those who tried before weren’t as smart or didn’t work hard enough is a certain path to failure.
Security for revolutionary technologies vs. using the new technology to solve security problems
There are plenty of examples of past technologies that were seen as revolutionary - big data, mobile devices, cloud computing, blockchain, Internet of Things (IoT), and even 3D printing. Some of them truly reshaped the way our world works today, while others have for various reasons failed to deliver on their promises.
Whatever the outcome, it’s most interesting to see how the "security for X" angle turned out. If we are being honest, the answer is mostly “not great”, at least initially. Take cloud security as an example. We look at Wiz and think that the market is hot. While that is true today, it has taken us nearly eighteen years to get here. There were some moderate successes along the way (such as Palo Alto’s acquisition of Evident.io for $300M and RedLock for $173M), but overall it did not produce billion-dollar companies in the first 15 years of public cloud. Over a decade after acknowledging the importance of securing IoT, we haven’t seen IoT security companies become a sweeping success. Mobile security has never really taken off as a market either, which is unfortunate as we’re drowning in smishing, vishing, and other types of attacks. Blockchain security and 3D printing security are not a thing either. We hope that security for AI will be different. It may or may not be; most likely, there will be many winners, but the size and shape of these victories remain to be seen. In the long term, there will certainly be a Wiz of AI security, but will it happen in the next five years? I am not certain.
Another way to generate potentially impactful ideas is to use a new technology to solve old security problems. What distinguishes the winners from losers among those who embrace this angle is whether they start with the problem or the solution. Since today the technology that is being thrown at every problem is AI, let’s use it as an example. There are two ways to find interesting ideas:
Look at the intersection of AI and [ pick your favorite area of security ] and ask “What would AI for identity/SOC/product security/etc. look like?”
Start by developing a deep understanding of the problem space. Then, understand what opportunities the new technology creates, what its boundaries are, and what problems it is most suitable for.
The latter is more laborious but it does result in deeper insights and a higher probability of arriving at something of value.
Choosing a market is key
I think most startups face three major types of risk: market risk, technology risk, and execution risk. It's always better to pick ideas with high execution risk and/or high technology risk but low market risk. This is because while founders can control execution and technology, they cannot control the market. It’s great if people have expertise and/or interest in a specific area, but regardless of whether that’s the case, picking the right market is critical to success.
After founders start, they will be able to learn more, pivot or evolve their original angle, iterate on their solution, and test different messaging. What will be hard (and often, impossible) to do is to change their market. Moreover, every new person they will meet, every new problem they will learn about - everything they will live and breathe is going to be about the market they selected at the beginning.
Some market segments in security are tough for building venture-backed startups but great for bootstrapping revenue-generating companies. A great example is deception technology, which hasn’t produced notable VC-backed winners but has seen companies like Thinkst Canary thrive. Obviously, a lot comes down to their teams, product offerings, and the compound effects of the decisions they make while running the business. That said, it’s abundantly clear that when the market is too small, or when sales cycles are too long, bootstrapped companies are likely to outlive VC-backed counterparts, which tend to implode under ever-increasing expectations to grow that they have no effective way to satisfy.
Some problem areas such as identity and cloud security are top of mind for CISOs, and as such, enjoy large budgets. These markets also attract the highest number of competitors. Select market segments are either just starting to mature (IoT security), haven’t shown a lot of growth before (mobile security), or are incredibly complex (ICS/OT security). This doesn’t mean they are bad areas to enter, but founders considering building startups in these segments must be realistic about their competitive advantages and their ability to succeed where many others have failed.
Some markets such as email, endpoint, application, and network security have proven to be large enough to support several public companies, while many others have never seen an IPO. While past performance is never a guarantee of future results, entrepreneurs looking to build a large public player where it has never been done before must challenge their assumptions to make sure the market fundamentals have indeed evolved to enable that to happen.
Being right on timing is also incredibly important
Another important part is being right about timing. There has to be some fundamental change, some shift in the market that creates a window of opportunity for new ideas or new approaches. Sometimes it will be a new technological advancement such as the rise of AI or cloud, but often it will be other societal and industry changes such as the move to SaaS, hybrid work arrangements, or new ways to bypass previous generations of defenses. These changes create both new problems and opportunities to finally tackle the old problems that remain unsolved.
Closing thoughts
In 2024, finding an innovative angle to solving a hard security problem that has the potential to grow into something big is incredibly hard. Whichever solution we can think of will either target fairly advanced problems and thus have a limited market of a handful of mature enterprises, solve a well-known problem in a commoditized, hard-to-differentiate market, or require security leaders to imagine the attacks of the future in the world where they haven’t even addressed the gaps that caused many problems of the past and the present.
Decades after starting to invest in security, we are still grappling with problems surrounding the basics such as patching, vulnerability management, and authorization, and it’s not for the lack of trying. The truth is that it’s hard to secure something that was never built with security in mind, and it’s even harder to do it within increasingly complex environments. It's equally hard to convince CISOs to pay attention to something that’s not on the list of top 2-3 priorities, and for most companies, this list has remained unchanged for many years.
It is obvious that even though it’s hard to find a wedge and build a large security company, there will be startups that succeed. It is also becoming clear that surface-level insights are no longer enough to conceive a strong player with a high chance of winning. Combining deep technical insight with customer discovery will continue to be a key for finding ideas and starting companies that will shape the cybersecurity of tomorrow.
Good article, although I don't agree with some parts. Time will tell ;)
"The truth is that it’s hard to secure something that was never built with security in mind, and it’s even harder to do it within increasingly complex environments." - just need to assess it from different angles - like William Gibson did. I am not saying we should build ICE or other really offensive solutions but there are some options....
The CISO part - them being focused on the top 3 priorities only - is mostly true. But I have just started to see a few non-"checkbox CISOs". It doesn't mean they'll buy the vision (10% ready product), but it means they are at least open to trying other angles.
Also, the average deal size for startups (if not SaaS or product-led) can go up to 100-150k. Seen it sometimes in our practice.
Otherwise, your article is spot on. As well as your book. I'll definitely re-read it before RSA :)