“Why now?”: a single question that decides what security startups succeed, and which fail
Taking a close look at “Why now?” - what it means, why it matters, the types of “Why now?” we see in security, and what founders need to know to succeed
Whenever I think of a problem, I ask myself “Why now?”. Why is now the time for this idea? Why is now the time for this startup? Why is now the time for the buyer to start caring? In my opinion, “Why now?” is the most important question a startup founder can answer. It is more important than the idea itself because it determines whether anyone will care.
In this issue of Venture in Security, I am going to take a close look at “Why now?” - what it means, why it matters, the types of “Why now?” we see in security, and what founders need to know to succeed.
This issue is brought to you by… Push Security
Interested in a tailored threat intelligence briefing for you and your team?
Researchers at Push Security — known for their identity threat research and creators of the widely used SaaS attacks matrix on GitHub — are offering the opportunity to run a tailored threat briefing for your team.
These sessions are perfect for security teams concerned about the rise in infostealers, mass credential attacks, Adversary-in-the-Middle phishing, and session hijacking using stolen cookies.
During these sessions, Push’s R&D team will:
Explain how and why attackers are pivoting to the identity perimeter.
Demonstrate the latest identity attack techniques.
Share actionable insights on detecting and responding to these threats.
Leave plenty of time for Q&A!
Don’t miss out on this chance to get ahead of the latest attacker techniques and tooling!
Status quo is the strongest force that defines human behavior
The presence of a potentially better option is one of the weakest reasons for change. This may sound counterintuitive, but such is the reality of human behavior: in business and in life, in ninety-nine cases out of a hundred, we prefer to stick with the status quo. This makes intuitive sense. There are thousands upon thousands of options, and the only way we can avoid getting stuck in analysis paralysis is to rely on our ability to pick what’s good enough and move on.
The same principle generally applies to software selection. What many founders don’t understand is that behind every B2B software contract there is a history of a partnership in which two companies decided to work together to achieve a common goal. Generally speaking, the more problems a vendor solves for the buyer, and the fewer times it fails to deliver on its promises, the more valuable it is perceived to be. Any attempt to displace an existing vendor forces the customer to decide:
If this is the right time to sever an existing vendor relationship
If this is the right time to tackle this specific problem, as opposed to the hundreds or thousands of other problems competing for attention
If there are resources available to operationalize these plans
Changing software vendors is hard. When founders think about switching costs, they tend to focus on what I would define as product-adjacent factors such as integrations, technical documentation, and onboarding support. While each of these is without any doubt critical for startup success, when an enterprise is considering switching vendors, there are many more obstacles they are forced to face:
Internal politics and change management. The larger the company, the more stakeholders are involved in decision-making and the more complex it is to get something done.
Resource allocation and process change. Founders underestimate what it takes for a large company to change a single tool. The operational burden of change management can derail the entire ROI calculation: buyers need to change established processes, update internal documentation, train employees on new technology, make adjustments to reporting and key performance indicators (KPI) dashboards, and more.
Dealing with uncertainty. An existing vendor is a known quantity: the customer knows exactly what they are going to get out of their engagement. A new vendor is always unknown and more risky, especially if that new vendor is a startup. Buyers of security products are conditioned to focus on risk reduction, and it only makes sense that they apply the same mindset to vendor selection.
Thinking about how this buying decision will impact their career. This is one of the most misunderstood yet most important factors founders need to keep in mind. The best way to get a new tool adopted is to help buyers get promoted. The challenge is that there is always a likelihood an unproven technology will fail, and if it does, it may negatively impact a security leader’s career.
When we take all this into consideration, it is not surprising that the status quo is the strongest force in the enterprise.
Three types of “Why now?” in security
The fact that most companies have little incentive to change their security tools does not mean that there is absolutely nothing that can force their hand. What it means instead is that there needs to be a strong driver to justify the change.
There is a saying that any new product needs to be at least 10x better for it to succeed. It may be a good enough approximation, but I find it rather unhelpful because what constitutes a 10x improvement is very subjective. Every founder naturally believes that their idea is substantially better than what’s out there; otherwise, they would not be taking the risk of building a startup. In my view, there are three types of “Why now?” in security that enable the creation of new companies:
A new technology makes it possible to solve problems in a meaningfully new way, so that new solutions are better on the merits.
Change in infrastructure makes old approaches insufficient or completely irrelevant in the new world.
Change in adversary behavior pushes companies to look for new ways to defend their environments.
Each of these three types of “Why now?” is unique and each defines the type of company that can be built around it.
New technology
The most obvious answer to the question “Why now?” is “because a new technology allows for it” (unsurprisingly, this is exactly what we are seeing today with AI). Although new technology is the most obvious “Why now?”, it’s also the weakest. Just because a somewhat better product exists, it doesn’t mean that companies are going to switch and start using it. This is especially true in security, where most buyers are easily satisfied with good enough solutions from “proven” vendors.
I have found that when a new technology is used to address an existing problem for which there are already many alternatives, it generally fails to get widespread adoption. Unless there are strong arguments for companies to switch away from their existing tools, the status quo typically prevails. As an example, I am personally not convinced that most LLM-enabled tools that do the exact same thing a previous generation of tools could do without LLMs will revolutionize security or gain widespread adoption. Many of them will get acquired, but most are unlikely to make a real dent in the industry or grow into a multi-generational security company.
On the flip side, when new technology is used to solve a problem that is well-understood but that previously was not solved well, it can lead to great results. The key here is that the problem should be well understood but it should not have a “good enough” solution.
In most cases, startups built around new technology as their answer to “Why now?” are iterative, incremental improvements that make great acquisition targets. They tend to struggle to gain widespread market adoption, because customers have a choice whether to adopt 10x better or merely different technologies, and most don’t really care to do it. However, when monumental shifts happen that redefine how technology works, they do create opportunities for innovation and value creation. For instance, AI today enables effective automation of manual processes which, in turn, can change the entire business model of how technology is built and delivered. As an example, it may be possible today to build highly scalable, product-first managed detection and response (MDR) companies in ways that weren’t possible before, which may very well be the strongest answer yet to the “Why now?” question.
Change in infrastructure
Change in infrastructure is the type of “Why now?” where customers don’t really have a choice but to adopt a new solution. This happens when something changes so fundamentally that ignoring the new reality is simply not an option. The rise of the public cloud changed the way software is built, used, and procured, thus creating demand for new security solutions. The global pandemic and the rise of remote work created a variety of major architectural shifts, accelerating cloud migration and forcing companies to adapt to hybrid work, once again creating demand for new security solutions. The rise of collaboration platforms such as Teams, Zoom, SharePoint, and Notion also changed the way people work, naturally creating demand for new security solutions.
Infrastructural shifts are one of the strongest types of “Why now?” and as such they tend to create opportunities for the emergence of billion-dollar companies. Okta, Zscaler, and Palo Alto are perfect examples of this phenomenon (I will discuss these in depth later).
Change in adversary behavior
I have frequently explained that one of the factors that make cybersecurity unique is the presence of an active, well-motivated, and well-funded adversary. Consequently, by far the strongest “Why now?” for security startups is a change in adversary behavior.
Let me preface what I am about to say with this: I have absolutely no intent to glorify attackers. That said, I find it bewildering that while defenders constantly get distracted by shiny new technologies or angry about some new regulatory move (or the lack thereof), attackers stay laser-focused on what brings results. In other words, if a tried and true attack method is easy and produces the results they are looking for, adversaries have zero reason to move toward more “modern” methods. But as infrastructure changes and enterprises continue to raise the bar by implementing more robust defenses, attackers have no choice but to evolve.
When adversary behavior changes, these changes lead to one of two outcomes:
If the new adversary behavior can be effectively detected by retrofitting or upgrading legacy solutions, the changes create limited opportunities for startups. At best, startups built to address these gaps get acquired early and become features of larger platforms. Those who aren’t as lucky simply get outcompeted by the good enough platform solutions.
If the new adversary behavior requires a completely different approach to detection and response, or a completely different architecture of the solution, this can create a tremendous opportunity for new startups. Not only can this enable unparalleled value creation, but those who can seize the opportunity will often be able to create billion-dollar companies. CrowdStrike, Palo Alto, Abnormal, and Material are some examples of companies that illustrate this point (I will also discuss them in depth later in the article).
Six case studies that illustrate this thinking
Okta: infrastructure shift
Okta, which launched in 2009, had a slow start. Okta was founded when cloud adoption was still in its early stages, and identity management was not a priority for most enterprises. Many organizations were still heavily reliant on on-prem Active Directory setups, making Okta's cloud-first approach a challenging sell at the time.
Things started to shift around 2014-2015 when Microsoft began aggressively pushing Office 365 (now known as Microsoft 365). As more companies adopted cloud-based tools like Office 365, the need for a reliable identity and access management solution became clear, and Okta was well-positioned to ride the wave. The fact that Microsoft itself struggled to bring its identity offerings into the cloud-native, SaaS-native era made the case for Okta much stronger. The broader SaaS explosion (Salesforce, Workday, Slack, etc.) created more demand for centralized identity solutions that worked across multiple applications. Okta’s vendor-agnostic approach (not tied to a specific vendor like Microsoft) made it an attractive choice for organizations managing heterogeneous SaaS environments.
The case of Okta shows that infrastructure shifts that surpass the limitations of the leading solution (in this case on-prem AD) are the strongest possible drivers for change. If customers were able to easily extend Active Directory to satisfy their needs, it is highly unlikely that Okta would have stood a chance in the market.
For more about Okta, check out this great read.
Crowdstrike: shift in adversary behavior
George Kurtz co-founded Foundstone, a company known for its vulnerability management and consulting services, and sold it to McAfee in 2004. After the acquisition, he stayed at McAfee for about six years, serving as the CTO. During that time, he saw firsthand how traditional antivirus solutions, which relied heavily on signature-based detection, were becoming ineffective against modern threats. Along with Dmitri Alperovitch (who was at McAfee as well), George recognized that attackers were using more sophisticated techniques - fileless malware, advanced persistent threats (APTs), and exploits that didn’t rely on known signatures. This gap in the market inspired them to start CrowdStrike in 2011.
CrowdStrike’s big innovation was its cloud-native architecture and focus on behavioral analysis rather than signature-based detection. Falcon, their endpoint protection platform, used machine learning and threat intelligence to detect malicious activity in real-time, making it much harder for attackers to evade detection. That shift from reactive to proactive defense really set CrowdStrike apart from legacy antivirus players.
The case of CrowdStrike shows that changes in adversary behavior can be a powerful answer to “Why now?” for security companies. The gap created by the way attackers were outpacing the traditional defenses wasn’t a feature or two that McAfee could easily add. Instead, it was a shift that required a different approach. CrowdStrike founders understood that, and they delivered on it.
Here is another important observation: CrowdStrike did not start by going head-to-head against legacy endpoint security players. Although the company truly took off after it added next-gen antivirus to its offering, it was at first addressing the need for behavioral detection and APT threat hunting on top of McAfee and other antivirus players, not instead of them.
For more about CrowdStrike, check out this episode of Inside the Network with Dmitri Alperovitch.
Palo Alto: shift in infrastructure which caused a shift in adversary behavior
Before Palo Alto, most companies relied on traditional firewalls that focused primarily on ports and protocols. But by the mid-2000s, infrastructure was becoming more complex with the rise of web-based applications, SaaS, and more sophisticated network traffic. Traditional firewalls struggled to provide visibility and control over this new landscape because applications weren’t tied to specific ports anymore, making it easy for attackers to bypass legacy defenses. Adversaries also started evolving their tactics, using application-layer attacks, encrypted traffic, and more stealthy techniques that traditional firewalls simply couldn’t catch.
This is where Nir Zuk (Palo Alto’s founder) saw an opportunity. He recognized that the old model of firewalls wasn’t keeping up. Palo Alto introduced the concept of the Next-Generation Firewall (NGFW) in 2007, which combined application-level inspection, deep packet inspection, and integrated threat prevention. This allowed organizations to see and control traffic based on applications, users, and content, not just ports and IP addresses.
Palo Alto’s timing was perfect - as enterprises started adopting cloud services and web-based apps, and attackers became more sophisticated, the need for more advanced network security was critical. Their NGFW became the go-to solution, riding the wave of these infrastructure changes and new attack vectors.
Palo Alto Networks’ rise was tied to a shift in infrastructure which in turn caused a shift in adversary behavior. Similar to CrowdStrike, Palo Alto couldn’t easily walk into the enterprise and tell buyers that their existing solutions (Check Point firewalls) weren’t good enough. At the same time, although Palo Alto was a different kind of firewall, it was still a firewall, so it could not hope to co-exist with Check Point over an extended period (a strategy that worked really well for CrowdStrike). To bridge the gap, Palo Alto took an evidence-based approach: they would convince enterprises to deploy their appliance in a monitoring-only (tap) mode next to the Check Point firewall, and after some time they would show customers the threats the Check Point solution had missed. This was a brilliant strategy that allowed them to demonstrate the value they brought and then displace the incumbent.
Zscaler: shift in infrastructure
Zscaler’s journey wasn’t an overnight success either. Jay Chaudhry, the founder, had a vision that the future of enterprise security would move away from traditional perimeter-based models (firewalls, VPNs) to a cloud-native, zero-trust architecture. However, back in 2008 when Zscaler was founded, the market wasn’t quite ready for that shift. Jay’s belief in this future was so strong that he invested $50 million of his own money to fund Zscaler through the early, tough years.
For the longest time, enterprises were clinging to their on-prem hardware and firewalls, and the concept of routing all traffic through the cloud for security was a hard sell. As cloud adoption grew and remote workforces became more common, the legacy perimeter-based model started showing cracks. VPNs were slow and clunky, and attackers were finding ways to exploit them. That’s when Zscaler’s approach of offering secure, direct-to-cloud connections with zero-trust access controls started to resonate. It took time, but both Zscaler and the market evolved together. Enterprises began realizing that the cloud-first, zero-trust model was the future, and Zscaler was already there, fully built and ready. That early investment and long-term vision paid off, turning Zscaler into a category leader once the market caught up.
The pandemic was a gift for Jay and the team, as even the slowest and most legacy-bound customers had no choice but to accommodate remote work. Zscaler bundled several of its products into a “remote work” package which flew off the shelves as companies were forced to adapt to the new reality quickly.
The case of Zscaler is truly unique. First, the company was started by a legendary founder who had by then already sold several security companies. Second, Zscaler didn’t respond to changes in the marketplace but anticipated them. At the time the company started, no investor would have put $50 million into a startup that wanted to build points of presence (POPs) around the world in anticipation of a future that might take decades to materialize. In my opinion, it is precisely Jay’s willingness to play a very long-term game that enabled him to build the generational company Zscaler is today. When Zscaler started, the “Why now?” was rather weak, but with time, as infrastructure evolved, it became the solution the market needed.
For more about Zscaler check out this interview with Jay Chaudhry.
Duo Security: new technology and changes in adversary behavior
A great example of how new technology enabled the creation of billion-dollar outcomes is Duo Security. The reason the company’s story is so fascinating is that it didn’t exactly invent multi-factor authentication (MFA). MFA was already understood as a need, but it was hard to implement: shipping RSA hardware tokens was cumbersome and labor-intensive. Duo used new technology (it started a few years after the iPhone launched, when smartphones were becoming ubiquitous) and built a lovable MFA experience that was easy to procure, easy to implement, and convenient to use. Rami McCarthy and I have previously written about Duo in one of the Venture in Security articles about building security products customers love.
More important than the new technology, Duo addressed a growing attack vector: account takeover. At the time it wasn’t called that, but it was becoming a huge problem when the company started.
In the case of Duo, the “Why now?” was new technology combined with a growing attack vector, and the innovation they brought to the table was not about technological novelty but about user experience.
Abnormal/Material: change in infrastructure and adversary behavior
Although Abnormal and Material are still relatively young, and email security continues to be dominated by Proofpoint and Mimecast, their rise as challengers is no coincidence. This new generation of email security solutions didn’t just happen because it was possible—it happened because something fundamental changed in email.
For years, many security companies tried and failed to unseat Proofpoint and Mimecast. What made it possible for Abnormal and Material to do something no one else had? The answer lies in two three-letter abbreviations: API and BEC.
Until the early 2010s, companies primarily relied on traditional Exchange servers for email. Any company that wanted to provide email security had to build a proxy and convince customers to deploy that proxy. Proxy-based inspection was resource-intensive, difficult to deploy, and, crucially, companies wouldn’t run two competing email security proxies (similar to how they wouldn’t run two firewalls). Then, around 2015, things changed. Microsoft and Google introduced APIs that made it possible to inspect email directly without requiring a proxy. Instead of days or weeks spent configuring a complex email security gateway, an API-based solution could be up and running in 20-30 minutes. This infrastructure shift dramatically reduced the friction for new entrants.
This alone wasn’t enough to get companies to switch. By the time API-based inspection became feasible, Proofpoint and Mimecast had already built robust, multi-faceted platforms. Competing with them on deployment simplicity alone would have been a losing battle. Fortunately for startups (though unfortunately for the industry), another shift was happening at the same time: the rise of business email compromise (BEC). BEC attacks began emerging in the early 2010s, but they exploded between 2016 and 2018, becoming one of the most financially damaging cyber threats. Thousands of companies were falling victim to BEC, and traditional email security solutions struggled to stop these socially engineered attacks, which carry no malicious payload or link for a gateway to catch. This created an opening. Just as Palo Alto first deployed alongside Check Point rather than demanding its replacement on day one, Abnormal and Material positioned themselves to complement Proofpoint and Mimecast rather than replace them. The idea was simple: customers could keep their existing tools but add a new vendor specifically to address the growing BEC problem.
The combination of easier deployment via APIs and urgent demand due to BEC created the conditions for a new wave of email security startups. Fast forward to today, and we’re seeing new entrants like Sublime emerge with competitive, practitioner-focused offerings, further reshaping the landscape of email security.
“Why now?” is for founders, not for VCs
Over the past several years, I have met many entrepreneurs at different stages of their journey - from those ideating and looking for new ideas to launch a company, to those scaling their startups, and naturally those going through exits. This exposure to different stories and experiences made me realize a simple truth: founders who take time to define the answer to the “Why now?” question for themselves are much more successful than those who treat it as a slide they need to prepare for VCs.
“Why now?” is the question that best reveals whether there is real urgency for buyers to change what they are already doing. In my opinion, asking CISOs about their priorities is useful, but getting to the bottom of the “Why now?” is the single most impactful thing a founder can do. This is because security leaders can’t predict the future and anticipate what they will need two years later. They can provide founders with strong signals about whether something is a priority today, but it’s the founder’s job to figure out whether that is a lasting trend or a temporary shift.