My imaginary VC investment portfolio: investing in product-led cybersecurity startups shaping evidence-based security
A fantasy VC portfolio featuring five companies defining the future of security
The future will be people-focused and product-led
Earlier this year, I published my investment thesis: The future will be people-focused and product-led: an investment thesis. It outlines my conviction that product-led growth (PLG) enables companies to design growth loops, expand across borders without establishing a physical presence in new markets, and offer shorter time to value to their customers which increases their satisfaction, and, ultimately, adoption of the product. PLG also allows startups to lower the customer acquisition and support costs, bringing the total cost of revenue as close to zero as possible, and enabling hockey stick growth. Most importantly, it matches the way people want to buy products and services in 2022.
“People no longer want to go through several sales demos or talk to the implementation consultant to try a new solution. They don’t want to chase sales teams to understand pricing, sign long-term contracts, or pre-pay a year of their usage ahead. The ability for people to get the capabilities they need, for however long they need them, and pay only for what they use has truly changed the customer expectations, and, subsequently, the B2B SaaS market.” — Source: Venture in Security
As a head of product in a cybersecurity startup, I have been studying the industry and sharing many of my learnings online. Here is the cybersecurity PLG market map I’ve published on TechCrunch for those looking to understand product-led growth in cybersecurity better.
Cybersecurity will be evidence-based, not promise-based
In parallel with dissecting the industry-agnostic product trends, I have been tracking another trend that is very specific to cybersecurity. The findings were summarized in an article I co-authored with Maxime Lamothe-Brassard, the founder & CEO of LimaCharlie, titled Future of cyber defense and move from promise-based to evidence-based security.
In this article, we state that the traditional approach to security is no longer working.
“Traditionally, companies looking to secure their operations have relied on the promises of vendors to keep them safe. When a CISO (Chief Information Security Officer) would sign a contract with a security vendor, it would essentially buy a promise that the vendor would stop the breach when it happens. This approach worked, and it’s worth noting that many vendors in the cybersecurity space have been and still are doing a fantastic job preventing the most common attacks. However, with the number of attack vectors continuously growing, mature security professionals have come to an understanding that it is simply not possible to stop all breaches and prevent all ransomware, despite what the marketing materials would claim.” — Source: Venture in Security
Then, we outline the reasons for the shift from promise-based security to evidence-based security we are witnessing today, namely:
Weak correlation between actual results and security spend
Business demands measurable results from security the way it does from other business functions
The increasing complexity of security and customer environments
Security tool proliferation makes it difficult for defenders to keep a mental model of what controls and visibility are available to them
The growing maturity of security professionals and evolution from security analysts to security engineers
Rising insurance premiums
The emergence of the new generation of service providers focused on technical consultancy, not reselling vendor tooling
The emergence of the supporting vendor ecosystem
Establishment of security frameworks such as NIST and CIS Community Defense Model
I recommend reading this admittedly long article for an in-depth analysis of the tectonic industry shift to evidence-based security.
Product-led evidence-based security
This investment portfolio combines two trends: the emergence of product-led companies in cybersecurity with the move from promise-based to evidence-based security.
At its essence, product-led evidence-based security follows the playbook of the developer tools space, which brought unicorns such as Okta, Twilio, and Auth0. Among the factors shaping the success of this approach, two stand out:
The high cost of selling to security leadership (i.e., CISOs), coupled with so-called “vendor overload” where security leadership sees hundreds of tools yearly. Marketing costs are at an all-time high, and it is hard to achieve differentiation in a crowded market. Companies are forced to look for new ways to get their products adopted and think of their go-to-market strategy differently.
Technical security professionals (security engineers, security architects, and the like) are gaining the ability to advocate for solutions to the company’s problems. They can play with the product in their home lab, test if it does what it claims to do, and then recommend it at work. They have very specific problems they need solving, and are looking for transparent, evidence-based solutions to these problems.
Combining my investment thesis in PLG companies with the monumental shift in security encouraged me to create a fantasy VC portfolio. In the part that follows, I will list five companies I would invest in.
A major theme is companies with business models that disrupt the way things have been done in the industry, making it highly unlikely (if not impossible) that incumbents will be able to replicate these models with their existing distribution channels and product lines.
While I am particularly interested in companies headquartered in the US and Canada, I have decided not to impose any geographic constraints and be open to adding companies with HQs outside of North America. Additionally, the companies selected are stage-agnostic (seed to Series B) even though my interest lies in earlier stages (seed to Series A).
Companies are listed in no particular order.
My imaginary VC investment portfolio
SOC Prime
Stage: Series A
HQ: Boston, Massachusetts, United States
As organizations move from promise-based to evidence-based security, there is a strong need for transparent and comprehensive security coverage but building this coverage is not easy. Even organizations equipped with solid in-house expertise (which is already rare) find it hard to keep up with the rapidly increasing speed and scale of cyber attacks. Every organization’s environment is different, and therefore it requires custom-tailored techniques and detection logic.
SOC Prime solves these problems by delivering managed detections as code, enriched cyber threat intelligence, and the latest threat context based on the MITRE ATT&CK framework. SOC Prime curates the most up-to-date Sigma-based threat detection content from hundreds of threat researchers from all over the world and integrates with over 25 security vendors, including endpoint detection and response (EDR), extended detection and response (XDR), and security information and event management (SIEM) platforms.
As SOC Prime is leveraging Sigma, an open source format for describing signatures in a generic way so that they can be applied through multiple technologies, it is vendor-agnostic and can be leveraged by customers utilizing almost any security tool.
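To make the vendor-agnostic point concrete, here is an added example (not SOC Prime or Sigma project code) of a Sigma-style rule expressed as a Python dict, evaluated in-process against constructed process-creation events, and rendered into two simplified query syntaxes. The rule, the two backend dialects (a Splunk-like and a KQL-like one), the excluded parent process name and the sample events are all constructed for this illustration; real Sigma rules are YAML and real converters such as pySigma handle far more of the specification.

```python
"""Toy vendor-agnostic detection rule in the spirit of Sigma.

Everything here is constructed for this example: the rule, the two query
"backends" and the sample events. It is not pySigma, sigma-cli or SOC Prime
code; real Sigma rules are YAML and the real converters handle far more.
"""

# A Sigma-style rule as a Python dict. Detection logic: a PowerShell process
# launched with an encoded command line, unless the parent is an approved
# admin tool (a constructed exclusion, not a real product name).
RULE = {
    "title": "Encoded PowerShell command line",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        "filter": {"ParentImage|endswith": "\\known_admin_tool.exe"},
        "condition": "selection and not filter",
    },
    "level": "high",
}

# Field modifiers: how a pattern is compared against an event field value.
MODIFIERS = {
    None: lambda value, pat: value.lower() == pat.lower(),
    "contains": lambda value, pat: pat.lower() in value.lower(),
    "startswith": lambda value, pat: value.lower().startswith(pat.lower()),
    "endswith": lambda value, pat: value.lower().endswith(pat.lower()),
}


def split_key(key):
    """'CommandLine|contains' -> ('CommandLine', 'contains'); no modifier -> None."""
    field, _, modifier = key.partition("|")
    return field, modifier or None


def as_list(patterns):
    return patterns if isinstance(patterns, list) else [patterns]


def match_selection(selection, event):
    """All fields must match (AND); a list of patterns for one field is an OR."""
    for key, patterns in selection.items():
        field, modifier = split_key(key)
        value = str(event.get(field, ""))
        if not any(MODIFIERS[modifier](value, str(p)) for p in as_list(patterns)):
            return False
    return True


def evaluate(rule, event):
    """Evaluate the rule in-process. Supports 'X' and 'X and not Y' conditions."""
    detection = rule["detection"]
    tokens = detection["condition"].split()
    hit = match_selection(detection[tokens[0]], event)
    if tokens[1:3] == ["and", "not"]:
        hit = hit and not match_selection(detection[tokens[3]], event)
    return hit


def run_rule(rule, events):
    """Indexes of the events the rule fires on."""
    return [i for i, event in enumerate(events) if evaluate(rule, event)]


# Two query "backends". The syntaxes are simplified stand-ins for a
# Splunk-like and a KQL-like search language, constructed for illustration.
def render_selection(selection, backend):
    clauses = []
    for key, patterns in selection.items():
        field, modifier = split_key(key)
        terms = []
        for pat in as_list(patterns):
            if backend == "splunk":
                wild = {"contains": f"*{pat}*", "startswith": f"{pat}*",
                        "endswith": f"*{pat}", None: pat}[modifier]
                terms.append(f'{field}="{wild}"')
            else:  # "kql"
                terms.append(f'{field} {modifier or "=~"} "{pat}"')
        joiner = " OR " if backend == "splunk" else " or "
        clauses.append("(" + joiner.join(terms) + ")")
    return (" " if backend == "splunk" else " and ").join(clauses)


def render_query(rule, backend):
    """Translate the whole rule (selection and optional filter) for one backend."""
    detection = rule["detection"]
    tokens = detection["condition"].split()
    query = render_selection(detection[tokens[0]], backend)
    if tokens[1:3] == ["and", "not"]:
        excluded = render_selection(detection[tokens[3]], backend)
        query += (" NOT (" if backend == "splunk" else " and not (") + excluded + ")"
    return query


# Constructed process-creation events; paths and command lines are made up.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc AAAA", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand AAAA",
     "ParentImage": "C:\\Tools\\known_admin_tool.exe"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir", "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    print("fires on events:", run_rule(RULE, EVENTS))
    for backend in ("splunk", "kql"):
        print(f"{backend}: {render_query(RULE, backend)}")
```

The same rule dict both fires on the first constructed event (and is silenced on the second by the filter) and renders into two different query dialects, which is the property that lets detection content be written once and shipped to whichever SIEM or EDR a customer runs.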
When it comes to threat discovery, threat hunting, detections as code, and cyber defense in general, SOC Prime is leveraging the power of collaborative cybersecurity expertise by operating a Threat Bounty Program. The program enables the worldwide cybersecurity community to monetize their Sigma-based detections via the SOC Prime Detection as Code Platform. This is powerful as SOC Prime is essentially curating a two-sided marketplace for threat detection content which creates a new stream of revenue, increasing their coverage and supplementing the efforts of their in-house researchers.
SOC Prime’s offering is very timely as it addresses the growing market need for evidence-based, comprehensive threat detection content. Their business model (SaaS subscription combined with the detections as code marketplace) creates multiple channels of revenue while Threat Bounty Program powers network effects as professionals contributing to the platform are vocal about SOC Prime in their networks.
Risks:
As SOC Prime is betting on the marketplace strategy, the more participants they attract the more critical it becomes to ensure that the quality of their detections as code will remain high. If the quality of their ruleset drops and a large number of detections won’t work out of the box and will require some fine-tuning, it will result in the loss of trust and subsequent decline in usage.
Additionally, as SOC Prime is leveraging the open-source Sigma language, there are risks associated with the limitations of the language and the adoption it will have in large enterprises. Some other players in the space, such as Panther, are offering the ability to write detections as code in Python, which may be more familiar to those working in the tech space.
Prelude
Stage: Series A
HQ: Washington, D.C., United States
An organization’s environment changes every second — security assessments lose their relevance an hour after they are done. As previously described, this is why we are seeing mature security teams move towards test-driven security and real-time, continuous adversary emulation. This is similar to test-driven development that has been actively used for over a decade.
Once you have instrumented your security tools and built (or accessed from providers such as SOC Prime) security coverage tailored to your organization, you need to be able to test it, find gaps, and address them.
Prelude is the first autonomous platform built to attack, defend and train critical assets through continuous red-teaming. It is designed to test the effectiveness of security controls and find the gaps in the infrastructure an organization has put in place. It accomplishes this by performing complex attack scenarios in a way that does not cause any disruption to the target systems.
Security teams can use Prelude to run security tests against their attack surface to identify areas of weakness. Taking this proactive approach to security enables organizations to get ahead of real incidents, and address security gaps before they result in breaches.
The Prelude team has realized that while there are open-source tools available to perform security testing such as Atomic Red Team, they tend to focus on endpoints — Windows, macOS, and Linux. Prelude tests are intended to be delivered to endpoints, cloud environments, and beyond, focusing on the organization’s holistic security posture.
Prelude started as a school “focused on helping people that are typically left behind by the labor market transition into being junior cybersecurity analysts”. While its founder does not have a background in cybersecurity, the strong team along with the company’s partnership with MITRE Foundation compensate for that.
Risks:
For the company to grow, it will need to differentiate itself from the open-source offerings, particularly Atomic Red Team which has seen wide adoption and has been integrated into several security solutions. Additionally, with the expansion of attack vectors, the Prelude team will need to ensure a broad coverage that may force them to involve outside contributors — a step that, while potentially beneficial, can backfire if not handled well.
GreyNoise
Stage: Series A
HQ: Washington, D.C., United States
Similar to how our email inboxes are flooded with unsolicited emails and spam, security professionals are bombarded with security alerts many of which are false positives created from internet background noise, such as harmless scanning conducted by security firms, threat researchers, and academics. All these detection alerts need to be manually triaged and investigated — digging through the logs and telemetry, analyzing new exploits to verify if they had been successfully executed, and understanding if the traffic comes from the background noise, or if there is indeed an individual or an institution trying to break into the organization to cause harm. These manual investigations of false positives are time-consuming, which means that the actual threats can get missed in the sea of false positives.
This is where GreyNoise comes in. GreyNoise is essentially a “spam filter” for the threat alerts which filters out benign security alerts, and enables security professionals to only pay attention to the ones that matter. The company achieves this by leveraging its network of over 5,000 passive sensors that sit in data centers across the world. GreyNoise collects, analyzes, and labels data on IPs that scan the internet which enables them to identify known or frequent IP addresses and separate them from malicious actors.
Aside from providing the necessary context to filter out false positives, GreyNoise intelligence provides security teams with an early warning system for mass exploitation attacks on the internet, and real-time IP block lists that can be used for defense.
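The “spam filter” idea above, as an added example that is not GreyNoise’s code, API or data: alerts are parsed from constructed log lines, each source IP is looked up in a constructed label table that stands in for a scanner-intelligence feed, alerts from known benign scanners are suppressed, and the remainder are ranked so that an IP never seen scanning the internet (potentially targeted activity) outranks generic unlabelled noise. The label table, the key=value alert format, the internal-network list and the priority order are all assumptions; the addresses come from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24.

```python
"""Toy 'spam filter' for alerts: suppress alerts whose source IP is a known
benign internet scanner, and rank the rest. Everything here is constructed:
the label table stands in for a scanner-intelligence feed (it is not
GreyNoise's API or data) and the alert lines are made up, using the
documentation address ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24.
"""
import ipaddress
import re

# Constructed scanner labels: CIDR -> (classification, actor). A real feed
# is far larger and is queried by API rather than embedded like this.
NOISE_LABELS = {
    "192.0.2.0/24": ("benign", "ExampleResearchScanner"),
    "198.51.100.0/24": ("unknown", None),
    "198.51.100.7/32": ("malicious", "mass-exploitation-campaign"),
}
NOISE_NETWORKS = [(ipaddress.ip_network(c), lbl) for c, lbl in NOISE_LABELS.items()]

# Assumed internal ranges (RFC 1918). Listed explicitly rather than via
# ipaddress.is_private, which also treats the documentation ranges as private.
INTERNAL_NETWORKS = [ipaddress.ip_network(c) for c in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Lower is more urgent. An IP never seen scanning the internet that still hits
# us may be targeted activity, so it ranks above generic 'unknown' noise.
PRIORITY = {"malicious": 0, "not_seen": 1, "internal": 2, "unknown": 3}

ALERT_RE = re.compile(r'src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) sig="(?P<sig>[^"]+)"')

# Constructed alert lines in a made-up key=value format.
ALERTS = [
    '2022-09-01T10:00:01Z alert src=192.0.2.15 dst=203.0.113.200 sig="HTTP scanner UA"',
    '2022-09-01T10:00:02Z alert src=198.51.100.7 dst=203.0.113.200 sig="Exploit attempt"',
    '2022-09-01T10:00:03Z alert src=198.51.100.42 dst=203.0.113.200 sig="SSH brute force"',
    '2022-09-01T10:00:04Z alert src=192.0.2.99 dst=203.0.113.200 sig="Port sweep"',
    '2022-09-01T10:00:05Z alert src=203.0.113.5 dst=203.0.113.200 sig="Web login failures"',
    '2022-09-01T10:00:06Z alert src=10.0.0.8 dst=203.0.113.200 sig="Lateral SMB"',
    'this line is malformed and must be skipped',
]


def classify(ip):
    """Return (classification, actor) for a source IP; longest prefix wins."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETWORKS):
        return "internal", None
    best = None
    for net, label in NOISE_NETWORKS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return best[1] if best else ("not_seen", None)


def triage(lines):
    """Drop benign-scanner alerts, enrich and rank the rest."""
    kept, suppressed = [], 0
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # malformed line: ignore rather than crash the pipeline
        cls, actor = classify(m["src"])
        if cls == "benign":
            suppressed += 1  # internet background noise, not worth an analyst
            continue
        kept.append({"src": m["src"], "sig": m["sig"], "class": cls, "actor": actor})
    kept.sort(key=lambda a: PRIORITY[a["class"]])
    return {"kept": kept, "suppressed": suppressed}


if __name__ == "__main__":
    result = triage(ALERTS)
    print(f"suppressed {result['suppressed']} background-noise alerts")
    for a in result["kept"]:
        print(f"[{a['class']}] {a['src']} {a['sig']} actor={a['actor']}")
```

Two of the seven constructed alerts are suppressed as benign scanner traffic, and the rest come back ordered malicious, not-seen, internal, unknown; the longest-prefix rule is what lets a single malicious /32 override the broader “unknown” /24 it sits inside.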
Tines
Stage: Series B
HQ: Dublin, Ireland
With an average security team using between 15 and 130 tools, one of the most painful problems for security professionals is how to get all of them to work together. Security professionals have to perform tens of manual, repetitive tasks which consume time and prevent them from focusing on higher-value work. What makes the matter worse is that security teams are often understaffed and are forced to operate with low budgets — factors that make it even harder for them to keep their heads above water.
This is where Tines comes in with their focus on no-code and low-code automation. Tines enables security teams to automate their critical workflows, including threat intelligence enrichment, phishing attack investigation and response, detection and remediation of malicious login attempts, vulnerability management, fraud analysis and response, endpoint detection and response, and more. Tines gives security engineers the building blocks and the fine control they need to address their unique use cases and get the automation job done. By eliminating the repetitive, manual tasks, Tines enables security teams to find time and spend more of their efforts where it can yield a higher return on investment — on taking care of their organization’s security posture.
As a vendor-agnostic product focused on no-code automation and providing security teams with full control over how they manage their operations, Tines comes with pre-built connections with leading industry vendors.
Tines was started by two senior security professionals with a focus on security operations. The company has built a great presence in the security community through relevant content, initiatives such as sponsorship of open-source projects, and the production of white papers and industry reports. Having said that, Tines is more than a product for security professionals. While it is solving the problems of security professionals that traditionally would be solved by products in the SOAR (security orchestration, automation, and response) market category, Tines does not position itself as a SOAR. By focusing on the broad use case of no-code automation, the company positions itself for leadership in automation segments outside of security.
Risks:
Tines is a great platform with lots of potential to transform not just security operations but automation in a broader sense. By focusing on achieving market leadership in one segment (security), Tines follows the playbooks of other companies who started by establishing a strong wedge and then broadened their areas of focus outside of the initial use case.
The risks associated with this strategy are about timing: the more Tines focuses on security, the more time their competitors have to claim other fields in the enterprise.
LimaCharlie
Stage: Seed
HQ: Walnut, California, United States
First, a disclaimer: I am the Head of Product at LimaCharlie.
Cybersecurity today is undergoing a similar evolution to that recently seen in IT — the evolution that has led to monolithic enterprise technology being replaced by the infrastructure-as-a-service approach, like that offered by Amazon AWS. Not too long ago, companies had to buy their own servers, install them in local data centers, and negotiate multi-year contracts with companies like Oracle to get expensive licenses for their products. When AWS came into the picture, most companies came to realize that an assembly of disjointed tools from large vendors is unnecessary. Rather, an ecosystem of solutions encompassing the ability to self-serve, scale up/scale down, and achieve efficiency by leveraging API-first products built for scale, is much more logical.
Historically, cybersecurity professionals had to rely on boxed security products that promised to keep them safe, or, if they wanted a greater degree of control, on open-source capabilities. Both came with strong downsides: while boxed tools like endpoint detection and response (EDR), extended detection and response (XDR), and the like were inflexible and placed customers’ fates in the hands of vendors, open-source tooling came with a lack of the support and confidence that are so important in security.
LimaCharlie is not another security tool — its Security Infrastructure as a Service offers a different approach to security. This approach enables security professionals to access the security tools and capabilities they need, for however long they need them, and pay only for what they use. It is an approach that is similar to how AWS or other major cloud providers deliver the components of IT infrastructure.
With LimaCharlie, security teams can assemble a security stack tailored to their organization using 100+ unique security capabilities delivered on-demand. The lightweight, best-in-class security primitives can be used to cover a variety of use cases including endpoint detection and response, log forwarding, security data storage, security automation, secure access service edge, and other core parts of the modern security stack.
This platform is powerful and flexible enough to be used by several distinct customer groups including sophisticated enterprises, managed security service providers, security startups, and incident response firms.
What makes LimaCharlie unique in the cybersecurity market is its focus on security infrastructure (it does not provide security services and does not develop its own threat detection content), and offering security primitives for core parts of the modern security stack instead of complex, boxed products — an approach similar to that of cloud providers but one-of-a-kind in cybersecurity.
Risks:
LimaCharlie is defining a new market segment — security infrastructure as a service. This requires the company to educate people in the industry about the problems leading to category creation, justify the need for a separate market segment, and convince consumers that it can solve a broad range of complex problems. Category creation is associated with high risk, although if successful, it can yield substantial returns.
Additionally, LimaCharlie is betting on the maturation of the cybersecurity industry and the growing number of security professionals looking for professional-grade security tools and infrastructure. While we are, indeed, seeing these trends, it is not yet clear if the shift is happening quickly enough for the company to sustain continuous growth in the upcoming years.
Closing: a tech stack for the future of security operations
All products in this portfolio are product-led and available self-serve, without the need to go through lengthy sales processes or attend mandatory demos. They offer technical security professionals (security engineers, security architects, detection engineers, and the like) a way to solve their problems and build a proof-based security posture.
All products in this portfolio are built to seamlessly integrate with one another, forming a tech stack for the future of security operations centers (SOC).
Security teams can access the security tools, capabilities, and infrastructure they need, for however long they need them, and pay only for what they use with LimaCharlie (bring all security telemetry into one place, detect and respond in real time, access one year of full telemetry storage, send data to external destinations, and more). Then, they can use SOC Prime to establish fully transparent, custom-tailored security coverage. With the help of Prelude, they can test their coverage to identify and close any gaps. By leveraging Tines, security teams can automate their operations and eliminate manual tasks. Lastly, by integrating GreyNoise, they can reduce false positives to focus only on what matters.