The only six cybersecurity markets large VC funds actually care about and why security startups don’t have a moat
Looking at six markets for large-scale companies in security
At first glance, there are hundreds of important problems that need to be solved in cybersecurity. This, in turn, presents opportunities for thousands of security startups, making the whole security technology landscape look like a bingo card.
The reality, however, is very different. Most security problems are niche, which is why they simply have no potential to lead to outsized, venture-scale returns. The problems that aren’t niche tend to follow specific patterns. In this piece, I am taking a closer look at what these patterns are, and at which areas of security actually constitute large markets. For those who missed it, I have previously published a piece that may act as an introduction to this deep dive - Most security startups are tackling problems that are too small for the VC model (but there are other ways to build companies, too).
Two factors define whether a security startup can become a serious, generational public company
Having observed the evolution of the cybersecurity market for a number of years, I concluded that there are two factors that define whether or not a startup has the potential to become a serious, generational company with a successful IPO and a successful journey after the IPO (also very important). These are:
1) The size of the total addressable market (TAM), and
2) The depth of the company’s embedding into the infrastructure it is designed to protect.
Thinking about the total addressable market
Identifying venture-scale markets by thinking from first principles
There are thousands of startups, hundreds of abbreviations and product categories, and plenty of different ways to segment security companies. I would, however, argue that there are only five to six large markets that can produce venture-scale outcomes.
It all comes down to finding the answer to a simple question: where does all the work happen? You don’t need Gartner to think this through. In the past,
Work was happening on people’s workstations
These workstations would get connected to the internet and company resources over the network
Given that setup, there were two things businesses needed to secure: endpoints (servers, workstations, etc.), and the networks they were on. No matter what industry we looked at, the same priorities applied, and so endpoint and network security exploded. Companies such as McAfee and Check Point got to define what that era looked like. As time went by, attackers learned that companies relied heavily on email to communicate, and so email became a critical attack vector. In the early 2000s, players like Proofpoint and Mimecast emerged to tackle email problems.
More than two decades later, network, endpoint, and email security remain foundational. However, a lot has changed. As identity became the new perimeter, the number of identity and identity security companies grew rapidly. CyberArk, a startup founded back in 1999, became the biggest identity player. A decade later, it was joined by Okta, signifying that identity security has now become a new big market.
As cybersecurity matured as a profession, Splunk, a startup founded in 2003, was able to convince the whole industry that centralizing, retaining, and analyzing logs at scale is critical for effective detection and response. And so, the fifth large market for SIEM, or Security Information and Event Management, was born.
Decades later, the top markets remain the same:
Network remains foundational despite the fact that many proclaimed that “network is dead”. As companies started to move away from traditional networks, the problems of connectivity and security came up once again. The solution, which became known as Secure Access Service Edge (SASE), combined networking and security into one product.
Endpoint security remains critical for security and ransomware prevention since people still do their work on workstations the way they did a decade ago. For better or for worse, ChromeOS is not yet an OS standard heavily used in enterprises, and it’s unlikely to become one anytime soon.
Identity has truly become the new perimeter, and since access is now based on user and machine identity, the market has exploded.
Email security remains big because, despite the introduction of Slack, Teams, and other collaboration tools, that is still how businesses communicate with the outside world.
Security information and event management (SIEM) remains the foundational technology that allows security teams to aggregate, correlate, and analyze data, or in other words, to do their jobs.
One new kid on the block that VCs care about is cloud security:
As companies started to move to the cloud, cloud security emerged as a new category. Two decades later, we now have players such as Wiz that are centralizing that space.
After trial and error, we have learned what markets aren’t venture-scale
Over the past two decades, there have been a number of cases when investors got incredibly excited about new opportunities only to see their hopes ruined. For example,
Hopes that security for whatever new technology the world was excited about at a given time would become a large market didn’t materialize. This includes security for mobile, security for blockchain, security for IoT, and security for Web3. As it stands, it’s not unlikely that security for AI will follow suit, despite our expectations that this time everything will be different.
Even if something does become ubiquitous, it may still not manifest itself in the creation of a venture-scale security category. API security and browser security are two such examples. It is hard to argue that APIs have not become foundational to the way the world operates, and no one is going to argue that securing APIs is unimportant. Similarly, browsers have indeed turned into a new operating system, a window into the SaaS applications most people rely on. And yet, neither of the two areas has delivered the returns VCs were hoping for. The primary reason, in my opinion, is that existing controls already address a lot of the new worries. In the case of browser security, for example, people reasonably expect that endpoint security solutions (EDR) will act as the last line of defense if something bad were to happen.
For the longest time, the hope was that we could find new markets and new ways to sell security. The good news is that some bets did pay off. The bad news for VCs is that these are exceptions rather than the rule, and that companies that have been successful in selling to those outside of large enterprises have predominantly had to rely on services, not products.
We have learned that products targeting highly regulated industries generally get enough adoption to get an exit. However, unless the broader market is subject to the same regulation, their potential is limited. Good examples of this are the data loss prevention (DLP) and third-party risk management (TPRM) markets.
We have also learned that solutions targeting exclusively the most sophisticated companies have limited market potential. One example is the insider threat prevention space, which is generally only relevant to companies that have already taken care of the basics, i.e., the previously discussed endpoint, network, cloud, identity, email, and SIEM needs.
Large, attractive venture-scale markets are generally industry-agnostic and skills-agnostic.
If a product can be made relevant to those outside of the financial and healthcare markets, it can have broader market potential. Some categories, such as application security, are almost, but not quite, there. While software is indeed eating the world, many companies in healthcare, manufacturing, oil and gas, and the like do not need application security tooling (unlike endpoint, network, identity, email, and so on).
It is also important that a solution doesn’t require customers to have sophisticated technical talent to deploy it. In other words, to be truly venture-scale, the product should be relevant to both analyst-centric organizations (traditional enterprises) and engineering-centric organizations (tech-forward SaaS companies and venture-backed early adopters). As I discussed in my last 2024 article, the majority of the world’s enterprises aren’t going to be hiring security engineers anytime soon.
The depth of the company’s embedding into the infrastructure it is designed to protect
There are two types of companies that provide security:
Companies that provide security as a layer over someone else’s technology
Companies that built the stack they offer security for
These two groups are vastly different.
Companies that built the stack they offer security for
I believe that the best way to secure something is to offer security as a feature of the underlying technology. For example,
The best way to solve endpoint security is to build secure endpoints. This means that the best company to secure Microsoft devices should be Microsoft. The fact that it doesn’t work that way doesn’t disprove this point. A great example is ChromeOS, an operating system built to be much more secure than anything on Windows.
The best way to bake in identity security is to build security-first identity and access management (IAM) capabilities. I am confident that whoever manages to take on Okta will be built that way.
The best way to solve network security is to build secure networks. Companies like Zscaler and Aviatrix, to name some, are prime examples of this approach.
The best way to solve email security is to build secure email. There were hopes that Microsoft and Google would solve email security but decades later, we’re nowhere near that reality.
The best way to solve cloud security problems is to build a security-first cloud. This includes having secure defaults and making sure that engineers don’t have to take extra steps to do things securely.
Obviously, many will argue that it’s not reasonable to expect that the same company which builds new technology will be best at protecting it. The counter-argument here is the Secure Access Service Edge or SASE category, a successful combination of networking and security.
There are plenty of advantages for a business that embeds security into its core tech offerings:
The ability to charge substantially higher prices. Companies will always pay a lot of money to those that solve business problems connected to revenue. Connectivity (network, identity, email) or providing environments where work can happen (workstations, servers, cloud) are two such areas. Adding security on top as a feature becomes an easy sell. SASE is a good example - once the traffic is going through a single proxy, adding security capabilities is easy.
Strong moat and high switching costs. Any technology that becomes an underlying infrastructure or a connectivity tissue businesses have to rely on to function becomes nearly impossible to replace. Switching costs are sky-high, and so are the risks. I have heard of many companies complaining about the price of Zscaler or the security issues of Okta, but I have yet to find a single large enterprise that would go as far as to actually switch (please reach out if you have these examples, I’d love to learn more).
There are also plenty of cons to taking this path:
Technological complexity. It is much harder to build a browser than a browser security plugin. It is much harder to build an operating system than an endpoint security tool. It is much harder to build a network company than a network security company, and so on.
Adoption hurdles. Getting people to adopt a new solution is incredibly hard. I would even say it is impossible without there being some fundamental underlying societal or technological shifts that create a unique window of opportunity. For this kind of play, timing is everything.
Exclusivity barriers. While a company may have tens or even hundreds of security tools, it will generally only need one proxy, one email provider, and so on.
High stakes. When all employees rely on a company to do their daily work, it must be operational at all times. When an email security solution fails, there is a non-zero probability that someone gets compromised. However, when an email provider has an outage, there is a 100% probability that everyone who relies on it won’t be able to send emails. The ways these two probabilities impact business operations are vastly different.
Companies that provide security as a layer over someone else’s technology
When we think of security companies, we generally think of companies that provide security as a layer over someone else’s technology. For example,
Email security is a security layer/tooling complementary to the work of email providers such as Microsoft and Google.
Endpoint security is a security layer/tooling complementary to the work of OS providers such as Microsoft and Apple.
Identity security is a layer/tooling complementary to the work of identity providers such as Okta or Microsoft.
When security is provided as a layer over someone else’s technology, it generally follows the same pattern. It starts with visibility (vendors come to CISOs and security teams to show them the gaps in security). Once the gaps are understood, vendors seek to provide solutions (detection, response, and then automation).
As a rule, the deeper the product is embedded, the better security it can provide, but the harder it is to get it adopted. For example, even though agent-based solutions offer deeper capabilities for cloud security, customers greatly preferred the ease of onboarding offered by Wiz to all the extra power provided by Lacework’s original agent. On the other hand, easy-to-onboard products are also easier to rip out. If someone wants to replace SentinelOne with CrowdStrike or the other way around, they had better be sure they are ready to go through the pain of uninstalling one agent and installing another across what could potentially be tens or even hundreds of thousands of machines. Conversely, if onboarding a new tool doesn’t affect anyone beyond the security team, then the chances that this tool gets replaced down the road are much higher.
In an ideal scenario, companies would want the product to be as easy as possible to onboard but as hard as possible to rip out. This works well for products that target the security team (security is both the buyer and the user), come with pre-built tools so the team can quickly get up and running, and become more valuable the longer they are used. One such example is SIEM solutions. They come with pre-built connectors to quickly get the data in, and the longer the company uses them, the more data they accumulate and the more familiar people become with the solution. A case in point is the story of Splunk: many complain about its pricing, but comparatively few are excited about having to run two SIEM products in parallel for a few years in order to fully transition away from Splunk. Such a transition can be incredibly painful.
For security vendors, the advantages of providing security as a layer over someone else’s technology include:
Faster time to value. It’s easier to onboard a new email security tool than it is to onboard a new email provider.
Lower risk. When a security product experiences an outage, it may affect security but not the ability of the employees to do their jobs.
Easier to build. Developing a security product is much easier than building a connectivity layer.
On the flip side, disadvantages are also notable:
Lower priority. Procuring security is much lower on the list of priorities compared to procuring tools (software, hardware, connectivity layers, etc.) companies need to operate.
Lower price. Security spend is usually a percentage of IT spend, which holds at the high level but also at the infrastructure level. Companies will spend more on cloud than on cloud security, more on email than on email security, etc.
Harder sell. It’s easier for Microsoft to convince customers to pay for endpoint security than it is for a stand-alone security vendor. The same applies to just about anything. Historically, security was an afterthought for companies focused on building technologies that need to be secured. This is why there are many successful email and endpoint security companies despite the fact that Microsoft has its own offering. That said, I anticipate that over time this will change.
Easier to displace. Since security teams are usually the only ones that rely on security tools, it makes it easier to replace one vendor with another. It’s much harder to rip and replace something that touches every employee at a company.
There is more to success than these two criteria, but they are foundational
I’d say that while these observations are generally true, they are not always true. There are many nuances.
What always is true is that the size of the total addressable market is critical. If the market is not big enough for a large outcome, then no matter how hard the startups try, they will struggle. We have seen that with security orchestration, automation, and response (SOAR) where several great companies have been forced to expand into other markets in order to continue growing. We have also seen that with API security companies where most acquisitions so far were less impressive than people anticipated. We’ve seen this over and over again in many markets and market segments. Even if founders start in another market, they will need to eventually pivot or expand in order to realize their growth ambitions.
When it comes to the depth with which security is embedded into the underlying tech, that’s where it gets interesting. Zscaler and Okta, both of which I would argue are not security but access and connectivity vendors, have shown that security is a strong argument for buyers. I am seeing Aviatrix, a company focused on multi-cloud networking, lean into the same narrative of offering networking securely. Firewall vendors (Palo Alto, Check Point, Fortinet, etc.) have over time also become connectivity and access vendors, and therefore displacing them is going to be very hard. On the other hand, security-only categories (insider threat prevention, data loss prevention, cloud security, browser security, endpoint security, application security, etc.) will have a much harder time retaining their customers.
Having a large TAM and embedding deeply into the infrastructure the company is designed to protect aren’t the only factors that matter. The team matters a lot (unsurprisingly, most successful public security companies such as CrowdStrike, Zscaler, and Tenable were all started by experienced entrepreneurs). The ability of the company to execute matters just as much, and so does the strategy (wedge) it decides to pursue. And yet, founders can hire brilliant people, iterate on different strategies, and learn how to move faster as they progress. However, executing really well with a brilliant team in a tiny market is going to lead at best to a moderate outcome (unless they pivot into a new, larger market). And, once a security company has decided how deeply it wants to embed itself into the underlying tech it aspires to protect, changing that is much harder than people realize.