Structuring founding teams to win in security: a data-driven look
A look into different types of founders and effective ways to structure founding teams in security
Ideal backgrounds for cybersecurity startup founders
I often discuss the rise of security engineering and why we need to bring software engineering principles, systems, and processes to cybersecurity. In these discussions, I have also mentioned that security engineers have the potential to become great founders. Indeed, we need more security practitioners who understand security at a fundamental level to reshape the fear, uncertainty, and doubt (FUD)-infested industry. And yet, the optimal background for technical founders is not security engineering.
The optimal background for technical founders is not security engineering
It's not enough to understand security problems; it's important to be able to solve them in a way that others can easily consume. Not all security engineers can build the back end and front end of a product, or even develop a prototype to show to prospects and gather feedback. The “security engineer” job title itself has different flavors at different companies: at some, it is used to describe people who build detections and configure security solutions; at others, security engineers write scripts and work on automation; while at a few they build internal security tools. The subset of security engineers who are builders do indeed make great founders. For example,
Josh Liburdi and the Brex team built Substation, an open source toolkit for creating highly configurable, no maintenance, and cost-efficient data pipelines.
The Coinbase team deployed an in-house platform that ties together security tooling and log sources to scale detection and response security operations.
Piotr Szwajkowski and the Rippling team built their own SIEM.
Security engineering teams at companies such as Okta, Meta, Google, Netflix, Microsoft, and several others have also built and frequently open sourced security tooling. Security engineers can indeed learn by developing security tools that solve problems of their companies, and then use their learnings to build security startups. Panther Labs is one of several examples where this exact approach has resulted in a platform the market really needed.
The challenge is that very few security engineers have experience building products that can be made available to broad groups of users. Software engineers, on the other hand, are perfectly suited for this task.
I have observed that software engineers with experience building security, dev tools, or infra products make the ideal technical co-founders of cybersecurity product companies. Not only do they have the understanding of security that is so critical for developing innovative solutions, but they also have the skills to design, build, and ship scalable and user-friendly software. Not surprisingly, this is partly why so many startups are originating in Silicon Valley and Tel Aviv. These ecosystems have access to capital and security talent, and they also have a solid number of software engineers experienced in building security products. This is especially the case for Israel. The Bay Area is a fantastic place for AI/ML engineers, engineers with deep experience in networking, and large-scale infra. As far as expertise in threat detection goes, this is where, in my opinion, US talent isn’t as competitive as Israeli talent (not because it’s not good enough but because there’s simply not enough of it available).
Experience in product and sales in security provides a great foundation for business-focused cybersecurity founders
While building a great product that solves the problem well is important, it is not enough. Cybersecurity startup founders need to have a deep understanding of the market, and they need to be able to sell the product. Not only that but things like keeping track of financials, managing payroll, overseeing operations, fundraising, as well as analyst, investor, and public relations are also incredibly important. Someone on the founding team should be focused on building a company, not just a feature or a product.
Experience in product management and sales in cybersecurity provides a great foundation for business-focused cybersecurity founders as it enables them to:
Learn the nuances of building products in the industry.
Understand the customer needs, as well as common obstacles and barriers to adoption.
Develop familiarity with how the buying decisions are made, which factors are taken into account, and what can impede the startups’ ability to sell to enterprises.
Develop empathy and build credibility which makes it easier to develop rapport with cybersecurity practitioners, leaders, and decision-makers.
Composition of founding teams: beyond the standard duo founders arrangement
The right number of founders: letting the data speak
What is the right number of founders? I don’t think there’s a right answer. The best we can do is to look at examples of successful security companies and try to extrapolate from that.
Of the three $10B+ private security companies, Proofpoint has one founder, Kaseya has two co-founders, and Wiz was started by three entrepreneurs.
Image Source: Strategy of Security
Of the $5B+ security companies that remain private, two companies (SailPoint and OneTrust) were started by solo founders, four companies (Mimecast, Ping Identity, Coalition, and Tanium) were started by two co-founders, three companies (Fireblocks, Lacework, and Snyk) were started by three co-founders, and three companies (1Password, Netskope, and StarkWare) were started by four co-founders.
The data appears to be clearer for public cybersecurity companies. If we go with Andrew Smyth’s ‘public companies that matter in cybersecurity’ list and focus on the 14 pure-play security companies from that list, we see that Gen Digital (originally Symantec) is the only company with a solo founder, and Palo Alto Networks is the only player with four co-founders. Eight of the 14 players were started by two co-founders (SentinelOne, Zscaler, CyberArk, Commvault, Fortinet, Okta, Varonis, Qualys), and four of the 14 were started by three co-founders (Rapid7, CrowdStrike, Check Point, Tenable).
Solo founders in security: building startups the hard way
Regular readers of Venture in Security know that I am not a proponent of people building startups as solo founders. In one of the previous articles, I explained that:
“Building a startup is a hard and in many ways lonely journey. In the world of information overload, it takes time and a lot of effort to break through the noise, find the right problems to solve, find investors who can best help the company accomplish its mission, and convince industry insiders that they should care about whatever the company is offering. Employees joining early-stage ventures are taking a risk, and founders naturally feel responsible for their livelihood. Knowing that the next funding round is never guaranteed and that the company may not get to product-market fit even when everyone tries hard and does their best, can feel demoralizing.
Having co-founders offers a sounding board, makes it possible to think bigger and broader when looking for ways to solve hard problems, and helps to not destroy their family lives. The latter may sound random, but it isn’t: having strong teams can greatly reduce the amount of stress entrepreneurs will be under, and the number of challenges founders end up bringing home to their loved ones. All this is before even considering that the amount of work an early-stage company needs to do is insurmountable - it’s not just customer discovery and building products, but also sales, fundraising, hiring, marketing & brand building, partnerships, operations, and more. Having several people who can own different areas greatly increases the chances that the startup will succeed.” Source: Finding co-founders to build a cybersecurity startup: notes for aspiring security entrepreneurs
The fact that I think being a solo founder is a bad idea doesn’t mean there are no successful companies in security started by solo entrepreneurs. Proofpoint, SailPoint, and OneTrust, for example, were started by solo founders and became quite successful regardless. Eric Hahn was able to grow Proofpoint into one of the only three $10B+ private security companies.
All that said, in an insanely competitive market such as security, being solo is especially hard, and it's getting harder. Over the past year, we have witnessed that even when solo founders are successful in getting the company off the ground, there comes a time for them to hire professional leaders capable of taking the startup to the next level. In 2024, the founders of Panther, JupiterOne, and Greynoise hired professional CEOs and stepped back to focus on other areas such as technology, architecture, and strategy. I think in the coming year, we will be seeing more similar shifts in other startups where founders understand their strengths and are looking for the best ways to help their companies grow.
When discussing the reasons some cybersecurity startup founders decide to work solo, I often hear that they thought starting the company with someone they didn’t know well was just too risky. On one hand, it makes sense to bet on one’s own abilities which they can control, rather than bringing in another person they can’t. On the other hand, I’d argue that there is always a risk of working with others. The same is true when it comes to people we think we know. We may know someone as a good colleague, a hardworking engineer, or a smart business leader. And yet, we don’t know and can never fully predict how they would behave as founders. In my opinion, the advantages of having a solid co-founder greatly outweigh the potential risks and disadvantages.
Duo founding teams: the traditional setup
Founding teams that consist of two co-founders are arguably the most common. Outside of security, it is common to see partnerships between a software engineer and a business person, or two engineers, one of whom is interested in go-to-market and sales. In security, on the other hand, there is more variety, such as:
Two security engineers
Security engineer and a machine learning engineer
Security engineer and a product/sales/marketing counterpart
Software engineer and a product/sales/marketing counterpart
Security leader and a security engineer
Security engineer and a software engineer
Two business-focused co-founders
This list can go on and on. As I have explained, I think ideally there would be at least one software engineer who can build the product and potentially grow into a CTO role, and one domain expert (technical or not) who understands the problem space, and what customers need. It’s even better if the software engineer has experience building security products and is passionate about the security space.
Founding teams of more than two co-founders: more hands on deck may be better
Although it is widely assumed that standard founding teams consist of two people (a technical person and a business person), history has shown that founding teams of 3-4 people are often the ones that end up building industry-defining companies. From Check Point, Palo Alto Networks, CrowdStrike, Lacework, and Netskope to Snyk, Wiz, and Cloudflare, some of the most influential players in the cybersecurity industry were started by teams of three to four people (Orca Security has 8 co-founders!).
Here is a short list of some of the companies that fall under this category:
Check Point: Gil Shwed, Marius Nacht, Shlomo Kramer
Splunk: Michael Baum, Rob Das, Erik Swan
Palo Alto Networks: Rajiv Batra, Nir Zuk, Yuming Mao, Dave Stevens
CrowdStrike: George Kurtz, Dmitri Alperovitch, Gregg Marston
Lacework: Mike Speiser, Sanjay Kalra, Vikram Kapoor
Fireblocks: Idan Ofrat, Michael Shaulov, Pavel Berengoltz
Netskope: Krishna Narayanaswamy, Lebin Cheng, Ravi Ithal, Sanjay Beri
Snyk: Assaf Hefetz, Danny Grander, Guy Podjarny, Jacob Tarango
1Password: Dave Teare, Natalia Karimov, Roustem Karimov, Sara Teare
Cloudflare: Matthew Prince, Lee Holloway, Michelle Zatlyn
Wiz: Ami Luttwak, Assaf Rappaport, Roy Reznik, Yinon Costica
SonarSource: Freddy Mallet, Olivier Gaudin, Simon Brandhof
Acronis: Serguei Beloussov, Stanislav Protassov, Yakov Zubarev
Verkada: Benjamin Bercovitz, Filip Kaliszan, Hans Robertson, James Ren
Cybereason: Lior Div, Yonatan Amit, Yossi Naar
Exabeam: Domingo Mihovilovic, Nir Polak, Sylvain Gil
Orca Security: Avi Shua, Ety Spiegel Hubara, Gil Geron, Hadas Amitay, Liran Antebi, Matan Ben-Gur, Shay Filosof, Wagde Zabit
Dragos: Jon Lavender, Justin Cavinee, Robert M. Lee
Nord Security: Eimantas Sabaliauskas, Jonas Karklys, Tom Okman
ID.me: Blake Hall, Matthew Thompson, Tanel Suurhans
Ledger: Eric Larchevêque, Joel Pobeda, Nicolas Bacca, Thomas France
Axonius: Avidor Bartov, Dean Sysman, Ofri Shur
Vectra Networks: Hitesh Sheth, James Harlacher, Marc Rogers, Mark Abene
At-Bay: Etai Hochman, Roman Itskovich, Rotem Iram, Tilli Kalisky-Bannett
Material Security: Abhishek Agrawal, Chris Park, Ryan Noon
Teleport: Alexander Klizhentas, Ev Kontsevoy, Taylor Wakefield
Immuta: Matthew Carroll, Michael Schiller, Sapan Shah, Steven Touw
Expel: Dave Merkel, Justin Bajko, Yanek Korff
Lookout: James Burgess, John Hering, Kevin Mahaffey
Claroty: Amir Zilberstein, Benny Porat, Galina Antova
Although it may be tempting to assume that first-time founders are more likely to form larger founding teams because they would be looking to compensate for the lack of entrepreneurial experience by trying to get more hands on deck, the reality shows something entirely different. Many of the entrepreneurs who choose to go for larger founding teams have past experience as founders. For instance, Wiz, Palo Alto Networks, CrowdStrike, Snyk, Axonius, and many others have all been built by second- and sometimes third-time founders who, having accumulated a wealth of knowledge of what works best, decided to have larger founding teams.
I think that having three people work together may be an ideal setup, especially if they bring complementary skill sets. For example,
Experienced security engineer capable of owning technical product management, pre-sales, and technical sales. This person can be the technical face of the company.
Experienced product and/or sales leader focused on go-to-market (sales, marketing, partnerships, etc.), fundraising, and operations. This person can be the business face of the company.
Software engineer with experience building security products who can own engineering (architecture, recruitment, and execution), and act as a Chief Technical Officer (CTO). This person can be more inwardly focused. Interestingly enough, this is similar to the model frequently adopted by cybersecurity startups in Israel.
Serial founders in security: increasing chances of success and different reasons for failure
When it comes to building startups, there are no rules, only patterns. I have observed that experienced entrepreneurs have much better chances at building category leaders and pursuing ambitious, complex visions of the future compared to first-time founders. Although it is tempting to assume that anyone can tackle any problem, in reality, first-time founders usually have much better chances of success if they pick better-defined problems, less competitive markets, or problems that require a lot of hustle and market education. Better-defined problems do not necessarily have to lead to smaller outcomes. Take Duo Security as an example. The problem Duo tackled was very well scoped: helping companies adopt multi-factor authentication to drastically improve their security posture. Duo was acquired by Cisco for $2.35 billion in cash - a fantastic outcome for the company and the founders who were both first-time entrepreneurs.
It is very possible to build a large security player as a first-time entrepreneur. Examples of Okta and Duo, to name some, illustrate that pretty well. And yet, the vast majority of category-defining leaders such as Splunk, CrowdStrike, Palo Alto Networks, Wiz, Zscaler, Fortinet, SentinelOne, and Tenable, were built by experienced entrepreneurs. This makes intuitive sense: having accumulated a lot of learnings and experience, they were able to execute and make their next companies much more successful than any of their previous ones. The visions and ambitions of experienced founders tend to grow incrementally as they progress on their entrepreneurial journey. After achieving one or two exits, many of them take a stab at large, previously unsolved problem areas with a high risk of failure, and subsequently disproportionately higher payoff if they succeed. This makes sense: as successful founders with exits under their belts, they no longer need to think about making money and can focus fully on achieving industry-wide impact.
The pattern that has been repeating itself is that experienced entrepreneurs are trying to build category leaders from day one. They raise a lot of capital (think a Seed round of $50M or more) and try to get ahead of the competition quickly. The founders of Avalor, the company that was recently acquired by Zscaler, previously built and exited Datorama (Salesforce acquired it in 2018 for around $800 million). The founders of Gutsy, who previously built Twistlock (acquired by Palo Alto Networks for $410 million in 2019), raised an enormous $51M seed round in 2023.
More experience enables entrepreneurs to think bigger and to more easily access the support they need to make each of their subsequent companies a bigger success. They can raise much more capital on day one, they have a battle-tested core team ready to go, etc. In my opinion, one of the most critical factors that increases serial entrepreneurs' chances of success is the network. If they have built a good reputation with CISOs and shown that the products they build work and add value, it’s highly likely that security leaders will be willing to try the new solutions they develop. The opposite is also true: founders who ruin their reputation with FUD and unethical sales practices are setting themselves up for failure. Integrity matters, especially for those of us planning to stay in the industry and seeing our work in security as a lifelong pursuit.
While experienced founders do often have a higher probability of success, it’s not all that rosy. I have noticed that when second- and third-timers fail, it’s generally not because of poor execution but because they try to execute the same playbooks that worked for them before. Some of them fail to recognize that the market continuously evolves and that what worked for them a decade ago probably isn’t going to work today. And, in those rare cases when old methods do work, they are rarely the most effective ones anyway.