The number one risk of any security startup is the market. Every enterprise does security differently so trying to understand if a certain problem is widespread enough to warrant a venture-scale company is an uphill battle. Security founders would do well by taking their time to talk to 50-100 security leaders and practitioners relevant to the problem they are looking to solve and understand how big the opportunity size truly is. At the same time, the market is so competitive that not acting on the hypothesis soon enough could mean that founders end up being too late to the game. 

Many security leaders feel that the industry is overly saturated with point solutions, and rightfully so: there are over 5,000 startups and counting looking to get their attention. I have previously explained why we need more startups and venture capital in cybersecurity, and what needs to change for the industry to mature. In this piece, I would like to offer another perspective on the same problem.

I think what’s making the industry look like a hot mess is not that there are too many security startups; it is that every startup is trying to pursue the same VC-scale outcome. The reality is that relatively few problems in security have markets large enough to warrant multiple venture-backed, high-growth players and even fewer problem areas allow for a public company.

Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!

Over 2,150 copies of my best selling book “Cyber for Builders: The Essential Guide to Building a Cybersecurity Startup” have been delivered by Amazon so far. This book is unique as it talks about building cybersecurity startups. It is intended for current and aspiring cybersecurity startup founders, security practitioners, marketing and sales teams, product managers, investors, software developers, industry analysts, and others who are building the future of cybersecurity or interested in learning how to do it.

Get your copy of "Cyber for Builders"

Three paths for startups

VC path: a default way of building a security startup

When most people think of security startups, they usually have in mind venture-backed companies. While VC-funded businesses constitute less than 1% of the companies globally, in cybersecurity, similar to other areas of technology, that number is in high double digits.

The traditional VC model relies on power law - the idea that for investors, most bets are going to result in losses or insignificant gains while a few winners have the potential to bring outsized returns that will more than compensate for losses. Venture capitalists are in the game of identifying outliers - founders and companies that are different from the majority of the players and have an edge against the competition. The side effect of the power law model is the fact that VC-backed companies are expected to move fast - first to validate the problem space, then to build the solution, and after that, to capture a large percentage of the market before competitors move in their way. That said, there is also a first-mover disadvantage when whoever is first to market has to educate buyers about the problem space. It’s rare that the company that ends up winning the market is the first to invent something new. A case in point is current market leaders: Wiz wasn’t the first cloud security company, Okta wasn’t the first identity solution, and Palo Alto wasn’t the first firewall product. 

As with every model, venture capital has pros and cons.

On one hand, the VC model supplies ambitious innovators with the funding and expertise needed to conduct research and development, build products, and set up the go-to-market motions. While some security leaders and practitioners have strong opinions about VCs, the fact of the matter is that adversaries are moving fast, and venture capital provides R&D funding for defenders to get ahead or at least move at the same speed as the adversaries. Not all security innovations were developed by venture-backed companies, but the vast majority needed investment capital to get distributed to organizations all over the globe. I am not aware of any large security company that was able to scale without venture funding - CrowdStrike, Zscaler, Splunk, Wiz, SentinelOne, Palo Alto, and many others are all products of this very same VC model. Not only do VCs finance research and development in security, but they also accelerate the adoption of best practices. For example, it was Duo Security, a venture-backed startup, that made it possible for multi-factor authentication to reach late adopters and laggards. VCs are accelerators - of both success and failure. 

The flip side of the VC model is that the push for growth often creates incentives for broadening the focus too early, executing go-to-market playbooks that may no longer be relevant, and overspending on aggressive sales and marketing practices with a high potential of damaging trust in the industry.

In many parts of the world such as the US and Israel, the VC path has become a default way of building a security startup. It’s not uncommon to see entrepreneurs get together and raise their first round of funding without having written a single line of code. It is worth noting that not everyone is that lucky: in many, or I would even dare to say most parts of the world venture funding is not easily available.

I have written a lot about venture capital in cybersecurity so the rest of the article assumes that readers have a good idea of how it works. If you don’t or if you’re looking to refresh your knowledge, check out “Cyber for Builders” or some of the following articles:

• Generalist VC firms in cybersecurity: advantages, disadvantages, and must-knows for founders, practitioners and industry insiders

• Investing in cybersecurity: a deep look at the challenges, opportunities, and tools for cyber-focused VCs

• Corporate venture capital and cybersecurity: why Okta, CrowdStrike, CyberArk, and others invest in cybersecurity startups

The dilemma is that most security problems are too small and too niche to produce outsized, venture-scale returns. The VC model dictates that a single company should be able to return the fund but that isn’t as easy to achieve. While the mergers and acquisitions (M&A) activity in security has historically been quite dynamic, it would be an overstatement to say that all VC funds focused on security have been successful. 

Bootstrapping: the hard way of building a security startup

The idea behind bootstrapping is simple: instead of getting money from external investors, some founders choose to self-fund their company. This path is thought to provide entrepreneurs with a lot of flexibility and control over their startup: since there are no externally imposed growth objectives, no playbooks they are expected to execute, and no board member seats are taken by VCs, founders of bootstrapped companies can truly own their own destiny.

As with everything else, bootstrapping in cybersecurity comes with advantages and disadvantages. Aspiring entrepreneurs often think that the main advantage of self-funding is that they get to reserve equity but I personally don’t see it that way. I think that the number one advantage of bootstrapping is the fact that it forces founders to think about the business side from day one. Haroon Meer puts it best - not having VC capital forces a reality and honesty sooner. It acts as an accelerator for founders to build products that customers really need and are willing to pay for. It forces founders to move faster to build products and ruthlessly prioritize what is truly essential, knowing that the sooner they can ship it, the sooner they can start selling it. It also forces founders to arrive at clear positioning quickly: VC-backed startups have a runway to figure things out, while many founders of bootstrapped companies are racing against time and depleting their personal savings. Last but definitely not least, bootstrapping allows founders to focus on their customers instead of investors. Raising money from VCs, keeping investors appraised about the progress, providing regular updates, and projections, preparing for board meetings, and all the other overhead associated with being a venture-backed company take the precious founders’ time away from building and selling their products.

While there are plenty of arguments to consider bootstrapping for cybersecurity startups, there are even more reasons to not do it. For example,

• To build a cybersecurity product startup, founders need capital. They cannot simply hack something with no-code tools and convince a large enterprise to pay for it. One common way entrepreneurs try to bootstrap security startups is by offering services while trying to build the product. Using revenue from services to fund building products creates lots of distractions for founders who are forced to prioritize a theoretical future product against the very real today’s service revenue.

• Building a product while growing services to fund it or while burning personal savings puts the company far behind its venture-backed competitors who can afford to be laser-focused on building the product and have the resources they need to move fast. Eventually, this compounds, and whoever ships more high-quality code faster is more likely to iterate faster, offer a more complete product, and have a better product offering.

• Most large enterprises are unlikely to buy products built by self-funded early-stage startups due to security, risk management, and procurement requirements. Building a robust security program, getting a SOC2 certification, conducting regular penetration tests, and checking off other requirements of large enterprises require cash reserves which most bootstrapped startups do not have. That said, security practitioners are used to using free open source software like Nmap, Nessus, Snort, etc. so there is not necessarily a correlation between the shiny boxed software and trustworthiness. The very nature of open source enables security companies to build trust by making their solutions available for inspection. 

There are several great companies in security that choose a path of bootstrapping, including Thinkst Canary which achieved over $19M in ARR without venture funding, Wazuh, a company that builds an open source cybersecurity platform, and nzyme, started in 2023 by Lennart Koopmann, former founder of Graylog.

One of the biggest proponents of bootstrapping in cybersecurity is Haroon Meer, Founder & CEO of Thinkst Canary. Someone who hasn't met Haroon, hasn't followed his blog, or hasn't listened to a few of his podcasts, may mistake his stance about venture capital for being anti-VC. That isn’t at all the case. I agree with Haroon that both VC funding and bootstrapping are tools, and different tools may be more appropriate for some markets, stages, geographies, and types of companies. For instance, it may be smart to start by bootstrapping and only raise external capital once there are stronger signs of demand and a clearer story. It can also be best to raise the first round from angels. However, if founders are planning to build a large platform in a competitive market, they usually have to raise a lot of capital. The same is true for companies that require large investments in infrastructure (Cloudflare and Wiz have no choice but to raise capital).

Where mine and Haroon’s perspectives differ is when it comes to the degree to which the product alone can be used as a vehicle for growth. Haroon believes that having a great product with a great user experience can be a recipe for success and long-term market leadership. After all, this is exactly the path that Thinkst Canary has chosen - and the path that enabled Haroon and the team to build a leader in the deception space. While I do think that having a great product that customers love is critical, the market & nuances surrounding it matter a lot. When Thinkst Canary started, they were going against several VC-backed competitors. Fast forward to today, and Thinkst hasn’t only survived but also arguably became the winner in its segment. In my opinion, Thinkst Canary has proven something much less obvious: in smaller markets, being backed by VCs can hurt the company more than help. In my view (and I am sure Haroon would disagree), what enabled Thinkst Canary to succeed is the combination of two factors:

• They built a great product

• They did it without raising venture funding (even though they had plenty of opportunities to do it).

I think Thinkst succeeded partly because it’s not a venture-backed company so it could move at a slower pace, preserve its authentic way of doing business, and continue growing without having to meet VC expectations of exponential revenue growth at all costs, year after year. Companies that raise a lot of capital in a smaller market are at a disadvantage because VC expectations are high but customer demand isn’t. It is worth emphasizing two things. First and foremost, these are just opinions, and we’ll never know if this is indeed how things would have turned out if the Thinkst team wasn’t world-class in what they do. Second, it is easy to conclude what was the right decision in hindsight, but when everyone around Haroon was raising VC money and he didn’t, nobody could have predicted the outcome. Thinkst was just a company challenging playbooks and looking for its own way - a way that would enable it to grow while solving important problems. 

For those interested in hearing Haroon’s perspective about building great products and companies, I recommend checking out one of his latest talks - “More Love, Less War?”.

Source: Thinkst Canary

Pros and cons of the VC path and bootstrapping and Silicon Valley Small Business (SVSB) as an emerging model for building companies

When most people think about building a security company, they naturally see the two potential models they can follow: VC-backed startups and bootstrapped startups. The venture capital perspective has been disproportionately represented in the industry: most content about building startups is produced by VCs or VC-backed founders, most events about entrepreneurship feature VCs as speakers, and the majority of the founders we get to hear from represent VC-backed startups. Whenever someone talks about alternatives to the VC model, the only option that gets mentioned is bootstrapping, and even that is tough: with exception of Haroon, there aren’t many advocates for bootstrapping who have built successful product companies.

The main shortcoming of the VC model is its reliance on power law and the impact this has on the trajectory of security startups. Rapid growth is not bad and moving fast, adding new capabilities, and expanding in new markets can benefit everyone at once - the founders, the investors, and the customers. Wiz is a perfect example of this: the company has raised a lot of capital, and deployed it incredibly well, making the lives of customers much easier, and helping enterprises consolidate their cloud security tools. The issue with the venture model is that for it to work, it requires big problems with large markets. In cybersecurity, on the other hand, most problems are fairly niche - and most markets are smaller, usually much smaller than founders pitch to VCs. As a result, the VC model can often be harmful to security startups because many of them have no way whatsoever to satisfy the expectations of investors for “triple triple double double” growth. Features packaged as products aren’t that big of a problem unless these are venture-backed features and investors expect a single exit to return the whole fund.   

The main shortcoming of bootstrapping, on the other hand, is that it necessitates a short path to revenue - something cybersecurity startups usually don’t have a way to accomplish unless they start offering services. Building security products requires capital - one cannot simply stitch a tool in no-code and start pitching it to security teams. Buyers of security solutions go through an in-depth due diligence process that a new startup can only pass if it has enough money to build its product right from the start. Moreover, most enterprises see bootstrapped startups as high risk, often too high for them to meaningfully engage. 

In the past several years, we have started to see a new model for building companies - different from both the traditional VC playbook and bootstrapping. This model, often called Silicon Valley Small Business (SVSB), may be a great fit for a large number of security startups, and as such, it deserves a discussion. The Silicon Valley Small Business (SVSB) model offers a recipe to address the shortcomings of both the traditional VC, and bootstrapping models. 

Taking a closer look at the SVSB model for startups

Origins and scope of the SVSB model

In March 2023, while the startup market was still suffering and trying to adjust to the new reality,  Anu Atluru, angel investor and operator who spent two years at Clubhouse as its first head of community, published an article titled “The Rise of the Silicon Valley Small Business”. In this piece, Anu argues that “Many founders are rethinking what can feel like a one-size-fits-all, Silicon Valley approach to building startups. They’re embracing a more diverse set of paths and experimenting with a middle-ground approach—one that combines the fiscal discipline of small businesses with the scaling ambition of Silicon Valley.” Anu puts forward the concept of what she calls “Silicon Valley Small Business”.

Here are the core characteristics of companies that choose to pursue the SVSB model:

“1. Founding teams may look like that of a “traditional” Silicon Valley startup. They’re native to Silicon Valley ethos, skills, and playbooks. But beneath the surface, they’re different. They value autonomy and flexibility. You might see more solopreneurs and studios (and LLCs instead of C-corps) taking multiple shots. They envision a range of potentially good outcomes—not binary, all-or-nothing scenarios. Many peers who’ve founded or worked at high-growth VC-backed startups are now considering starting an SVSB.

2. Teams stay small and run fast for as long as they can. I define a Silicon Valley Small Business as having 20 or fewer employees (and often fewer than 10). In my experience, startup teams above this size are forced to operate very differently—much slower, with more bureaucracy and less alignment. Below this threshold, there’s little hierarchy, redundancy, or purely managerial roles. And a savvy, small team can still create leverage and punch above its size.

3. They’re growth-oriented and going for efficient scale. Unlike small businesses (and contrary to the common characterization of teams that bootstrap), SVSBs aren’t just trying to build “lifestyle” businesses or modest passive income streams. They want to scale as quickly and efficiently as possible. Many of them know how to scale businesses, and their desire to do so separates them from traditional small businesses. Their focus on profitability and efficiency while scaling separates them from the traditional SV startup.

4. They try to bootstrap to profitability instead of relying on venture capital. They’re VC-literate yet aren’t charmed by the potential status, signal, or stability. They bootstrap until they see signs of VC-compatibility. Or perhaps they raise the equivalent of a friends and family or pre-seed round but not much more. With less money going in, there’s a lower bar for financial return. Moreover, “success” doesn’t require a billion-dollar exit. Making millions is a win (and thousands keeps the team afloat).” Source: “The Rise of the Silicon Valley Small Business”. 

I highly recommend reading Anu’s piece to understand the model she put forward, the inputs she has considered, and the assumptions she’s made.

Pros and cons of the SVSB model for cybersecurity startups

As with every model, there are always reasons to be cautious. It is rarely smart to try and blindly follow any “recipe” or “playbook”. Instead, entrepreneurs have to think from first principles, understand the implications of the decisions they are making, and choose the path that is most likely to take them to the outcomes they are looking to attain. Let’s briefly examine some of the pros and cons of the SVSB for security startups.

Many security problems are niche and not really suitable for venture scale. While founders may be able to convince VCs to make a bet by adding a slide showing that the total addressable market (TAM) is measured in billions or even trillions of dollars (is it though?), it's not easy to take a small feature and distribute it at scale. In cases like these, founders may be better off picking the SVSB model: raising a small round (probably not bootstrapping for the reasons I previously discussed), keeping the valuation low, keeping the team small and efficient, and trying to scale fast while keeping the return expectations in check.

Even companies solving broad security problems with large TAMs are still highly likely to struggle with the distribution of their products. If we know that success in cybersecurity most often looks like an acquisition by one of the large players (Palo Alto, Okta, CrowdStrike, Zscaler, Tenable, Microsoft, Google, etc.), it may make sense to optimize for the criteria that are more likely to help a startup succeed (i.e., get acquired) from day one. 

It is worth emphasizing that the SVSB model doesn’t advocate against venture capital - instead, it promotes the idea of not raising too much and too early. These two problems are precisely what I think kills a lot of security startups: they start by solving a niche problem, often for a very mature subset of customers, and as soon as they see the signs of traction, they go out and raise a lot of capital on the assumption that “the rest of the market will soon mature and start needing this capability”. By starting slow, raising less, and taking the time to actually size the market, founders may be able to avoid getting into situations when the valuation skyrockets too quickly and companies become un-acquirable. For more about this specific problem, check out my other article titled “Startups that target mature security enterprises should be especially careful about their fundraising strategy”.

Other pros of the Silicon Valley Small Business model potentially include:

• Mode independence for founders. It is easier to be independent (at least relatively) when a startup has raised less capital or only raised capital from angels and not institutional VCs.

• It may be easier for founders to have a meaningful financial outcome for themselves since getting acquired for under $50M is easier than getting acquired for over $100M and transactions above $300-$400M are incredibly rare.

• Keeping in mind the elements of the SVSB model can give founders the benefit of developing higher confidence before they create VC expectations they may not be able to meet. For some, the traditional VC model is still going to be preferred, but others may find alternatives equally or even more compelling.

There are a few important factors that work against the SVSB model. First and foremost, founders who opt for smaller outcomes from day one are often less ambitious and subsequently, they may be less likely to push hard and do what needs to be done to get to their goal. When highly driven entrepreneurs looking to change the world are shooting for the stars, often the worst thing that can happen is that they land on a moon. If someone is starting a company that aims for smaller outcomes, they might get too comfortable and certain that a smaller outcome is possible, and therefore they might more easily get outcompeted by others. Second, it may not be easy to find investors willing to bet on this model. After all the VC model does require outsized returns, and so unless new funding options emerge, the only path founders attending to operationalize the SVSB model in security would have is angel investors. Lastly, being based in the world’s most active startup ecosystems such as the Bay Area, New York, and Tel Aviv, naturally biases people to pursue the traditional VC path. It requires stoic determination and character to even consider alternative models, especially the ones that are relatively unproven such as the SVSB.

In short, for people who are driven to realize their fullest potential and achieve the biggest impact they can, the traditional VC model will continue to be the right choice. But, it’s important to keep in mind that many cybersecurity startup founders would have been happier taking a different path.

SVSB as the likely future of security startups

As I have previously explained, every industry trends towards monopolization. Cybersecurity is not an exception, and we are starting to see how in nearly every segment, there are one or two leaders that are so deeply embedded into the infrastructure that they seem nearly impossible to compete with. In cloud security, it's Wiz. In endpoint security, it’s Microsoft and CrowdStrike. In identity it’s Okta. The list can go on and on but one thing is clear: for most startups, it’s becoming harder and harder to compete with these segment leaders. Moreover, in order to find a wedge, startup founders have no choice but to start by building solutions complementary to these large platforms (many in the industry call these “missing features”).

As we go into the future, I anticipate that this trend will only become stronger. There will always be the need for security innovation, so despite the commonly voiced dreams, I don’t think we will ever see fewer startups. I think there will be many more startups; what is likely to change is their scale. 

I am starting to think that in the coming decades, we will see more and more small-scale security companies. Think lean teams of 5-20 people looking to solve hard security problems in the format of precisely Silicon Valley Small Businesses. Most founders are likely going to be building features and add-on plugins that can be acquired and then integrated into larger platforms, or even function as small, independent, value-added complements to big players.

This idea is not new, and there are already plenty of models for it in other areas of tech, from Shopify to Salesforce and the marketplaces of cloud providers. I first started thinking about this when I was describing the data gravity effect, but with the rise of AI, I think the likelihood of the future shaping up that way is only increasing. What’s more likely -

• That every security team will deploy 50+ disjointed AI copilots on top of their existing security tools?

• That new solutions with a thin value prop of “automating X” will replace all the existing tools in everyone’s security stack?

• That large companies will suddenly become great at innovating and satisfying everyone’s niche needs? or

• That large companies will continue to do most of the work and will end up opening up their platforms to small startups to build complementary tools on top?

I don’t think there’s the right answer, but I’d bet on the latter. It’s no surprise that companies like CrowdStrike and Snowflake are launching startup incubators and designing incentives for aspiring founders to build on top of their platforms. Similar to how Salesforce allows thousands of small developer shops to sell their plug-ins that extend the capabilities of the platform, so will the providers of security in the future allow small startups to sell their offerings on top.

It’s key to understand that smart security platform players aren’t betting on being “the best” at everything security. Instead, they are betting on becoming distributors of security solutions. It’s this power of being effective distributors that makes it possible for them to plug in any startup’s product and just start selling it (which is precisely what they are doing today through acquisitions).

The Silicon Valley Small Business (SVSB) model is a very likely future for security as an industry. Not a certain one, but a very likely one. Most security startups will likely tone down their ambitions and realize that going public is highly unlikely. Some will (and should!) still do it, and some will succeed, but most founders can achieve the mission they are looking to achieve, without getting swayed by the illusory dreams of building a security unicorn.

Deciding between the three models

Which of these three models is the most appropriate for a security startup? Unfortunately, the only appropriate answer to this question is “It depends”. Here are a few thoughts that might be helpful for early-stage founders trying to decide between different models: 

• If the total addressable market (TAM) is small, it may make sense to raise a small round from angels, and/or a modest round from VCs while keeping the valuation reasonable. This approach can give founders enough capital to build a product and grow their company while validating if there are any opportunities for them to expand the TAM. 

• If the founders are unsure what the TAM size is, it may also make sense to raise a small round from angels, and/or a modest round from VCs while keeping the valuation reasonable. This buys founders time to figure things out without creating unreasonable expectations from VCs. 

• If the TAM is large enough to potentially support a public company but the founders are interested in building a smaller, focused company, the same approach might be reasonable.

• If the TAM is large enough to support a big player, the founders have strong credentials and they are determined to build a category leader, it may be best to raise a lot of capital from day one. This can give the startup the resources it needs to aggressively expand and grow. 

• If the market is new and uncertain, and founders are making a bet on the industry maturing over three to five years, they can try raising a large amount of capital but adopt a conservative approach to spending it so that they don’t run out of money too quickly. 

When it comes to building startups, there are no rules, only patterns. It is also important to size the vision based on the founder’s experience. Experienced entrepreneurs have better chances at building category leaders and pursuing ambitious, complex visions of the future, while first-time founders may be better off picking a smaller, better-defined problem they would have higher chances of success in solving. 

As time goes on and as more people adopt the SVSB model, we should start seeing solid acquisitions. As Haroon points out, the bootstrapped and SVSB models allow entrepreneurs to build at their own pace, largely at greater risk. They could well build decent exit-worthy companies: there's no reason for those exits to be $10M-$50M exits. If founders play their cards well and execute, they should be able to hit the $150-$350M mark. For the acquirer, they largely de-risk a segment and enable fast scaling. 

Closing Thoughts

Several months ago, I published a piece explaining why we need more founders and more venture capital to move cybersecurity forward. Let me be very clear: I continue to stand by the message I sent in that article. Venture capital enables folks to take big shots at building category-defining companies. Venture capital is also the only way to achieve industry consolidation. Wiz, Okta, Palo Alto, CrowdSrike, Zscaler - all the companies active as acquirers require scale that can only be supported with venture capital. Moreover, when I build my own startup, I am quite certain it is going to be a venture-scale company.

The main idea I want to get across with this piece is that most problems in security do not require venture-scale solutions. Most problems do not have, and some will never have an opportunity to produce public companies that would rival Splunk or Palo Alto. Moreover, most founders that chose the VC-backed path, would probably have been much happier if they didn’t. The issue I see today is that both those who are trying to displace billion-dollar incumbents, and those looking to solve a smaller, yet impactful problem, are choosing the same tools and going through the same recipes when building their companies. This creates a mismatch. When founders capable of executing are going after a large market with big ambitions and raising venture capital, it can indeed lead to great results. However, when the market is small, or when founders without the desire to dedicate a decade of their lives to solving a problem and doing what it takes to succeed raise venture funding, it mostly leads to bad results. When a startup looking to redefine how security is done raises a $50M seed round, that’s good, but when a company building a missing feature for the top 0.1% of the market raises a $50M seed, that’s bizarre. Venture-backed founders are better off looking to build companies, not just features or products.

I suspect that many security companies that are now quietly going out of business or being acquired for pennies on the dollar would have been successful if they had instead pursued the above-mentioned Silicon Valley Small Business (SVSB) path. Many could have raised a single round of funding and tried becoming profitable. We will never know if that’s true; maybe not never but certainly not until we see enough companies proving or disproving this opinion. Whether or not that ends up happening, it is often smarter for founders to truly understand the opportunity size before deciding how much capital they will need to seize this opportunity.

For the longest time, the traditional VC model has been the default way of building startups. I think founders should be more intentional, and opt to build companies by design, not by default. They need to start with the end in mind and pick a model best suited to help them achieve their goal. It could be that an NGO is a better way to achieve impact. Or a think tank. Some things are best managed as side projects. Others as bootstrapped service providers. A percentage is certainly best executed as VC-backed companies, but the shape of that (traditional path, SVSB, a mix of the two, etc.) needs to be decided based on the founder's desires and aspirations. Venture capital is a tool, and as such, as Haroon often points out, it solves some problems and introduces others.

If you like my blog, please subscribe & share it with your friends. I do this in my free time, so seeing the readership grow helps me to stay motivated and write more. I don’t send anything except my writing and don’t sell your data to anyone as I have better stuff to do.

If you are a builder - current or aspiring startup founder, security practitioner, marketing or sales leader, product manager, investor, software developer, industry analyst, or someone else who is building the future of cybersecurity, check out my best selling book, Cyber for Builders.

If you are a security practitioner, check out & spread the word about the VIS Angel Syndicate.

If your company is interested in sponsoring Venture in Security, check out Sponsorships. Thank you!

Share

Share Venture in Security