Most cyber companies simply can’t scale as fast as the new AI startups
How AI is changing what solid growth looks like and what this means for cyber startups
It’s now pretty obvious that AI is transforming the way the world works. It feels like a massive movement, and because so much capital continues to get allocated to AI, and so many smart people are dedicating their efforts to making use of it, it’s clear that the transformation is already underway. We can debate whether or not there’s a bubble, but that’s kind of immaterial to the topic I wanted to discuss today (besides, when everyone is jumping on the same opportunity, it’s always going to lead to a bubble, whether we’re talking about mortgages, bitcoin, or AI).
The topic I want to touch on instead is how AI has been reshaping the expectations around company growth (spoiler alert: it changed them completely). In this piece, I’ll discuss how AI is changing the trajectory of startup growth, and then I’ll talk about our industry and why I think that, for better or for worse, the vast majority of cybersecurity startups won’t grow as fast as the new AI companies. I initially wanted to say that “the rate of growth of cyber startups will never match the rate of growth of the new AI companies,” but then someone will always find an example that makes the point seem wrong, even if it applies to 99.99% of the market, so I would rather maintain some credibility and frame that differently.
The new $100M ARR growth curve for AI startups
Several months ago, Bessemer published The State of AI 2025 report (if you haven’t seen it, I highly recommend giving it a read). In this report, they discuss the trends in the AI world and put forward some predictions about the coming years. It’s a good read overall, but what stood out to me is the idea that before AI, top companies would on average need ~7 years to reach $100M ARR. In the post-AI world, the amount of time has been shortened dramatically. Today, according to Bessemer, great AI startups (they call them “AI Shooting Stars”) get to $100M in 4 years, and exceptional AI companies, which Bessemer calls “AI Supernovas,” get to $100M ARR in some 1.5 years.
Image Source: Bessemer’s State of AI 2025 report
These are fantastic numbers. Let’s have a look at a few pieces from the report: “Supernovas are the AI startups growing as fast as any in software history. These businesses sprint from seed to $100M of ARR in no time, often in their first year of commercialization. These are at once the most exciting and the most terrifying startups we see. Almost by definition, these numbers arise from circumstances where revenue may appear vulnerable. They involve fast adoption that either belies low switching costs or signals massive novelty that may not align with long-term value. These applications are often so close to the functionality of core foundation models that “thin wrapper” labels could be thrown. And in red-hot competitive spaces, margins are often stretched close to zero or even negative as startups use every tool to fight for winner-take-all prizes.” - Source: Bessemer’s State of AI 2025 report
“Shooting Stars, by contrast, look more like stellar SaaS companies: they find product-market fit quickly, retain and expand customer relationships, and maintain strong gross margins—slightly lower than SaaS peers due to faster growth and modest model-related costs. They grow faster on average than their SaaS predecessors, but at rates that still feel anchored to traditional bottlenecks of scaling an organization. These businesses might not yet dominate headlines, but they’re beloved by their customers and are on the trajectory to making software history.
On average, these Shooting Stars reach the ~$3M ARR range within their first year of revenue while quadrupling in YoY growth with ~60% gross margins, and ~$164K ARR / FTE in their first year.
If T2D3 (triple, triple, double, double, double) defined the SaaS era, then Q2T3* (quadruple, quadruple, triple, triple, triple) better reflects the five-year trajectory we’re seeing from today’s AI Shooting Stars. These startups grow meaningfully faster than traditional SaaS, but still operate closer to SaaS benchmarks than the explosive AI Supernovas.” - Source: Bessemer’s State of AI 2025 report.
Overall, I think this report does a great job outlining how building software companies is different today compared to some 2-3 years ago. At the same time, for me, it raised a lot of questions, the biggest of which is “So… what does this mean for cyber?”.
Cyber startups in the age of AI
AI changes the speed of shipping products, but not so much the speed of GTM
Paraphrasing Dave DeWalt a bit, in cyber, product is the game of inches, but GTM is the game of miles. This was the case five years ago, and whether you like it or not, it’s even more the case today. The most technologically superior products rarely win against better distribution (for one, that’s why startups often struggle where large vendors just bundle new capabilities into their platforms).
AI has, without any doubt, made it faster for companies to ship new products, faster to iterate, and faster to learn what works and what doesn’t. However, in cyber, shipping features quickly hasn’t been a problem (for one, Israeli startups have figured that out). Growth in our industry is all about distribution, and distribution, in turn, is all about trust.
Security moves with the speed of trust, not the speed of shipping new features. Interestingly enough, as AI is accelerating the speed of shipping new features, it’s actually slowing down the speed of trust, so POCs can become longer. Enterprises are questioning how exactly AI is being used, what it will do with their data, and so on, and getting the answers only extends the amount of time it takes for startups to close deals.
Some security startups may become “AI Shooting Stars,” but the majority will remain in that “Cloud Centaur” spot
Let me first say that ARR is a funny metric these days, as some companies in our industry have been rumored to be pretty creative about how they define it, allowing them to boast numbers far higher than the amount of money that was flowing into their bank accounts. The peculiarities of the non-GAAP term “ARR” aside, the fact of the matter is that security revenue isn’t often a flywheel. Enterprise sales (and most cyber companies sell to enterprises) are a slog, with sales cycles often spanning more than 6-12 months. It’s pretty hard to become an “AI Supernova” when the POC is going to take 9 months, and the first purchase may come from the “innovation budget”.
I have no doubt that some security startups will indeed be able to move through procurement faster. And yet (and I am sorry for having to say this), it most likely isn’t going to be because of AI. At the end of the day, AI-powered vulnerability management is probably going to go through the same procurement cycle (plus even more checks and steps) as vulnerability management, and AI-powered SIEM will most likely go through the same process as a regular SIEM. From what I’ve seen and from what I know, AI-native companies do often offer a superior experience, and some problems that can now be solved with the help of AI were previously completely unsolvable. And yet, procurement teams are still taking them through the same series of steps as before (and then some).
Then there’s the fact that many security products don’t need AI. Ironically, for non-AI companies, it may take less time to get through the POC compared to their AI-native counterparts. The bottom line is that while some security startups may become “AI Shooting Stars”, the majority will remain in that “Cloud Centaur” spot. They will still be growing, they will still be durable businesses, and they’ll often still have fantastic exits, but they’ll look different than these “AI Supernovas,” which brings me to one of the most interesting points of this article: venture capital.
It’s not that security startups are bad investments; they’re just different
It’s not that security startups are bad investments; they’re just different, and these differences are structural. Security is slow because, by its very nature, it is about reducing risk, and everything new is risky. Trust always decides the pace in cyber. For those interested in this topic, I previously wrote several deep dives about trust in security, including Why there are so many cybersecurity vendors, what it leads to and where do we go from here and Time to trust: what it is, why cybersecurity startups must shorten it to accelerate growth, and how to do it.
Growth in security is slow, and it requires a lot of patience. Take, for example, Zscaler, which recently celebrated crossing $3B ARR - an astronomical number for most cyber companies. What most people don’t realize is that it took Zscaler 10 years to get to $100M in ARR, and then just 5 more to $1B in ARR. A decade to $100M ARR is surely not an “AI Supernova,” but nobody is going to argue that Zscaler is not a huge success. CrowdStrike, founded in 2011, did $250M ARR in 2019, during the year it went public (it took them 8 years to get to that number). Today, 6 years later, the company’s ARR reached $4.66B. These numbers show that growth in security is about consistency, hard work, and the compound effect of trust. It is not about growth hacks or marketing gimmicks; it’s about continuous value delivery and discipline. Companies that went for something else (rapid scaling, etc.) have historically struggled to build lasting businesses.
I think we’ll see more generalist VCs leaving security
Over the past decade, cybersecurity has become one of the hottest categories in tech from a VC standpoint. In just the past year alone, we’ve seen massive outcomes, from Wiz’s acquisition to the recent CyberArk deal, along with a steady stream of smaller but solid exits. Naturally, every VC watching these big M&A moments wishes they had been an early investor in Wiz. And for a while, they all acted like they were chasing the next one. Until now.
You see, Wiz is still just one company. It’s an outlier. Although VCs like to say that they are into betting on outliers, the majority want to see a path of how their investment is going to become that one in a thousand. In cyber, that can be pretty hard. Security does have great stories (Palo Alto, Zscaler, Cloudflare, CrowdStrike, and you name it), but it’s not an easy market to make sense of, especially in a world where there seems to be an easier path.
For cyber VCs, making investment decisions is simpler because their freedom of choice is pretty limited (after all, they’ve committed to their LPs that they’ll be investing capital precisely in security). Sure, they can get creative and count some drone startups as “security”, or some anti-fraud solution, or maybe even AI voice startups if they try really, really hard. Outside of that, they have to allocate capital in the industry they’ve committed to. Most importantly, they know well that for those who understand what they’re doing, slower growth in cyber doesn’t mean less potential for fantastic returns.
Generalist VCs operate under a different set of incentives. They aren’t bound to a specific vertical, and even their “specialties” tend to be broad, like SaaS, fintech, enterprise software, AI. So let’s bring back that Bessemer stat about hitting $100M ARR in 1.5 years. Now imagine a generalist VC evaluating a fintech startup with $5M ARR after 10 months versus a cybersecurity startup that’s been selling for a year and a half and is on track for $1.7M ARR. In the cybersecurity world, $1.7M at that stage is considered very good, sometimes exceptional. But when compared side-by-side with a fintech startup sprinting at 3x the revenue in less time, a generalist VC isn’t likely to be impressed. It’s not ignorance; it’s just rational portfolio decision-making. Faster growth in a bigger category is hard to argue against.
If the current trend continues, I think it’s going to drive a lot of the tourist VCs out of cyber because they just won’t be able to justify investing in “slower-growing” security companies over all these “AI Supernovas” with $10M-40M ARR after one year. Looking at this chart from Bessemer, cyber is most likely gonna stay as “Cloud Centaur” by default and by design, with few companies getting into the “AI Shooting Star” category as exceptions rather than the new norm. The cyber specialist VCs who understand the space and who underwrite deals with a good idea of how different markets evolve, I think, will not only stay but will continue to generate great returns. At the same time, I fully expect the interest from generalist VCs to dry up as they’ll continue to struggle with how to compare what is, by the new standard, “an average-looking company” to the AI superstars.
Looking into the future
Predicting the future is never easy, but sometimes the writing is on the wall. Unless security budgets keep expanding indefinitely, and unless security buyers suddenly become less risk-averse (neither of which seems likely), security startups will struggle to compete for VC attention against the new wave of AI companies. The contrast is becoming increasingly stark as more AI-native startups report record-breaking ARR numbers. Yes, some of those figures are inflated, and many of these companies will collapse as fast as they raise, but the impact of AI across industries appears real, and so is the competition it introduces.
For now, there’s still plenty of capital flowing into security startups, but it’s likely to get harder soon. As strange as it sounds, that might actually be healthy for the industry. Once the “tourists” lose their enthusiasm for cyber, the VCs who truly understand security, and who spend real time with security buyers, should find their jobs easier. It becomes a kind of natural selection: companies solving real, urgent problems will endure, while those built on hype or weak signals will inevitably struggle.




Completely agree. That’s exactly what we have been talking about with Almog from TandemTrace recently. The speed he is building is incredible.