Why there are so many cybersecurity vendors, what it leads to and where do we go from here
Looking at some of the most prominent reasons why there are thousands of cybersecurity vendors, and why saying “we don’t need 200+ products in the same category doing the same thing” doesn't help.
Introduction
It is common to hear that there are “too many vendors” in cybersecurity, and that “we don’t need 200+ products in the same category doing the same thing”. What is rare is seeing analysis as to why there are so many similar vendors - what is driving the establishment of the new companies, and fueling the cybersecurity gold rush.
The number of security providers is indeed mind-boggling - IT-Harvest Dashboard, the largest cybersecurity vendor database, counts 3231 companies across 17 categories. Given that it may take a year or two for a new startup to get on the analyst’s radar, the number of companies is definitely higher.
In this article, I am looking at some of the factors that lead to the emergence of hundreds of “me too” startups, why relatively few businesses in the industry fail and equally, few win big, and why there are only 18 pure-play cybersecurity companies listed on the US stock exchange.
Source: MomentumCyber
The market opportunity is big
I want to get the obvious out of the way: the market opportunity in cybersecurity is big. Gartner predicts that end-user spending in the information security and risk management market will reach $267.3 billion in 2026, with a constant compound annual growth rate of 11% between now and 2026. NightDragon, a cyber-focused VC firm, notes that with $6 trillion in losses from cyberattacks, the market opportunity for innovators is $400B - making it the largest asymmetric theater ever. The number of cyber breaches is growing, and so are the total losses. However, these facts are known to anyone (or most people) working in the industry, so I will instead move on to cover the less obvious.
Heavy reliance on trust has several far-reaching consequences
Everything in cybersecurity relies on trust. The significance of trust shows from the very first day of the company’s existence: it takes time for a new startup to establish a trusted relationship with early adopters who can become its first customers or design partners. It is not that people in the industry have trust issues; the reason trust is so critical is the level of impact cybersecurity solutions can have on the enterprise.
Think of it this way: an answer to any of the questions a startup founder asks about the company’s security posture (what tools the team is using, how everything is connected, where the gaps are, and so on) can be easily exploited by the adversary. Those are the exact same questions an attacker would want to have answered as well. If the product the startup is offering fails to prevent what it was designed to prevent, the consequences for the customer can be catastrophic. Moreover, the security startup itself can become a Trojan Horse if it gets exploited by malicious actors (remember the Kaseya ransomware attack of 2021). These are just some of the reasons why relatively few security leaders are comfortable being guinea pigs for new solutions, and why everyone is looking for reference customers, SOC 2 compliance, and a long list of signs that someone credible already trusts the product.
The problem of trust also manifests itself in long sales cycles, comprehensive trials, the need to test every solution in a home lab before bringing it to work, small-scale initial deployments, and other unique characteristics of the buying process in security. All of this combined leads to a chain reaction with far-reaching consequences.
First of all, it takes a long time for innovations in the industry to become mainstream. Blitzscaling (moving fast to capture the market) isn’t a thing for cybersecurity innovations: in B2B, companies take time to develop confidence in new solutions, while in B2C few people are willing to spend on security at all. This, in turn, means that by the time a new approach to security is mainstream, tens (or even hundreds) of entrepreneurs around the world have learned about the original idea, and built a “me too” company backed by investors who, as I will explain later, want a chance to place a bet in a “hot” space. Since the startup that initially pioneered the new approach or the solution had to educate the market about the problem, it 1) was at a disadvantage, 2) had to pick a narrow and well-targeted customer segment to start with, knowing that its resources are limited, and 3) could not establish a trusted relationship with a large number of prospects. All this has likely enabled many “me too” companies to spring across different geographies, market sub-segments, and industry verticals. Not everyone can come up with a new idea, but most can think of a way to build an already existing idea for a (hopefully) somewhat different customer.
Trust is an important factor on many levels, including when it comes to buying security tools from other countries. While ideas and innovation can and do happen anywhere around the globe, would an American company trust a startup from Slovenia to secure it? Maybe, but it will always prefer a US-based provider. Would a French company trust a startup from Japan? Possibly, but not as much as a startup from Paris. Cybersecurity innovation is global but trust isn’t.
This slow and trust-based cycle of new product adoption in cybersecurity means that no single company can capture a large percentage of the market. In many industries, one or a few businesses that moved fast end up dominating the market (think cloud or personal computers). In cybersecurity, even the single largest player does not have a double-digit market share: Microsoft, with roughly $15B in 2022, is still less than 10% of the total market; Palo Alto represents roughly 3%, CrowdStrike close to 1.5%, and so on.
It is worth explicitly calling out two things here. First, while in many industries being first to market presents a solid advantage, in cybersecurity it can often be a disadvantage, as new approaches and technologies do not become market knowledge quickly enough for the first mover to capitalize on them. Second, while, as I have concluded, blitzscaling does not work in cybersecurity, in extremely rare cases it is possible. Wiz is the only company I know that was able to pull it off.
Companies don’t fail at the same rate as in other industries
The trust-based product adoption and slow sales cycles mean that instead of having a limited few companies take the market by storm, we typically see several cybersecurity startups solving the same problem operate in parallel and generate enough revenues to survive. This explains another observation: cybersecurity ventures do not fail at the same rate as startups in other industries. While some that don’t reach traction do inevitably end up folding, most will find at least a handful of loyal customers - just enough to stick around for years, and sometimes - decades. A few will grow fast, but many will end up making enough money for their founders to live comfortable lives and not have to go back to a job.
Unfortunately, I do not have the numbers to back this thought up; I tried looking for something but all I have is some anecdotal evidence and stories from a few folks who have been in the industry for a decade or two. If you are okay with this, let’s continue.
For many people, running their own company is the ultimate expression of freedom, so it makes the idea of starting a business appealing. Because fewer security founders hear stories about failed cybersecurity startups, the risks of starting a new one are perceived as low (definitely lower than in other industries). That, in turn, drives more people to take a chance.
Many cybersecurity startups will get acquired (and founders know it)
There are three typical ways a startup can successfully exit: by going public through an initial public offering (IPO), getting acquired, or merging with another company. I will leave discussions of SPACs and other stuff outside of the scope of this article as fundamentally, the above three will cover the available options.
The vast majority of cybersecurity companies will not go public; there are only 18 pure-play cybersecurity companies listed on the US stock exchange today. An important factor that leads to only a small number of cybersecurity companies going public is the high expectations of the public markets when it comes to revenue growth and business expansion. The vast majority of cybersecurity companies offer so-called point solutions - tools that solve one specific security problem. The weakness of point solutions is their limited room for growth, hence companies looking to be public eventually need to build a platform - a suite of offerings that address a variety of customer problems. The majority of the 18 public players in the US - CrowdStrike, CyberArk, Fortinet, Okta, Palo Alto Networks, SentinelOne, Trend Micro, Cloudflare, and others - are all suites of products rather than point solutions (even if they once started as such).
For best-of-breed point solutions, going public is not typically an option, as no matter how they try, there is simply not enough room for continued expansion. Every few years, as new technologies and, subsequently, new attack surfaces emerge, there is a small window of opportunity to capitalize on the new trends. It typically takes 3-5 years for any new approach to be adopted, and only one or two years after it goes mainstream, the space becomes commoditized. Think about the extended detection and response approach, which now counts hundreds of vendors and is considered a separate market category. Or the zero trust approach to security which, after gaining adoption, is now packaged and sold as a “product” by tens of commoditized “zero trust vendors”. Four or five years is not enough to build a platform company and IPO. Startups offering best-of-breed tools that do not exit before their newly formed segment becomes flooded with “me too” players are caught up in survival mode and start to stagnate. Building a platform is hard, and in some ways it’s a chicken-or-egg problem: without already being a platform, it’s not easy to IPO at a high valuation, and without an IPO, it’s not easy to finance expansion beyond the initial one or two use cases.
While only a few startups will go public, equally few will go through mergers. This is because mergers typically happen between large, established corporations (think of the NortonLifeLock and Avast merger of 2022).
The most common way for a cybersecurity startup to successfully exit is through an acquisition. One of the most important reasons for it is that innovation in the space is most often bought, not developed in-house. As the pace and the areas of cybersecurity innovation are set by the offense, it is not financially viable nor possible for security enterprises to confidently predict what new areas will be relevant decades from now, and build expertise in these areas in advance. To remain relevant, large companies have to look outside - continuously acquiring new capabilities and hiring best teams, offering great exit opportunities for savvy founders, and subsequently encouraging the creation of more point solutions. Security enterprises benefit from having many players building point solutions as it enables them to let the market shortlist a few best-of-breed tools, and by taking advantage of the competitive pressure, buy them at a good price. This also works well for serial founders who, after a year or two, can move on to building a new company.
Startup acquisitions typically fall under one of three types: team, product, and business.
A team acquisition typically happens when a startup fails to build or commercialize a solution to a problem, but the team it assembled is so valuable that a large company would like to hire it to build its own products. Another term used to describe this is “acqui-hiring”. While this isn’t the most common type of acquisition in cybersecurity, it does happen, especially when a founding team has deep expertise in emerging technology (AI security, encryption, quantum, etc). A team acquisition typically results in the lowest exit amount of the three types.
A business acquisition happens when the company was able to successfully grow a business so lucrative to the acquirer that it would like to buy it. Very few acquisitions in cybersecurity fall under this category, and those that do typically see a high deal value. An example of a business acquisition is Okta’s purchase of Auth0 for approximately $6.5 billion. Both companies built sustainable business models, and both were known as successful industry players.
The most common type of acquisition in cybersecurity is product acquisition which typically happens when a company builds a good product that is used and loved by its customers but is unable to grow fast enough to dominate the market. In product acquisition, the buyer typically wants to plug the new tool into its suite of solutions. The acquirer’s well-established sales machine can then start cross-selling and up-selling its existing customer base with the new solution, increasing revenue and executing the typical platform companies' “land and expand” strategy. Product acquisitions are commonly seen when platform players such as Palo Alto or wannabe platform companies buy point solutions and integrate them with their core offerings.
Continuous influx of capital prevents natural selection
During the pandemic, cybersecurity was one of the fastest-growing fields. There were several drivers for this growth. First, companies realized that their existing infrastructure and security practices were not designed with remote work in mind. Second, as people were moving to work from home, cybercriminals seized the opportunity, leading to an increase in the number of cyber attacks against corporate networks by 50% between 2020 and 2021. The increased demand for defense has caused an acute talent shortage: while many other industries were laying off people, cybersecurity teams and vendors were struggling to find experienced professionals to deliver on their promises.
It is also known that cybersecurity spending, even in times of economic uncertainty, does not trend backward. When times are bad, cybercriminal activity does not trend downward either. 2022 is the most recent example of that: the number of cyber attacks went up, and while budgets were frozen, only a few organizations made cuts to their security teams.
Source: BlackFog
All this, along with the positive outlook for the future (Gartner predicts a compound annual growth rate of 11% for the next 3 years), drove many investors to cybersecurity. This would not have been an issue if only companies solving impactful problems received funding, but more often than not, this is not what we see happen.
Reproducibly proving that one security product does a better job than the other is not easy even for experienced security practitioners, not to mention investors that rarely have deep technical security expertise. For example, a product that promises to prevent cyber risks originating from the company’s use of open source will only show its true value after it has been running in the customer environment for some time, successfully detecting and preventing the vulnerabilities that have affected other users of the same code; it cannot be easily tested during an hour-long evaluation.
Responsible investors leverage networks of experienced security leaders to help them evaluate cybersecurity startup ideas. While relying on external help alone isn’t ideal, it is better than nothing. Unfortunately, many VC firms, solo investors (GPs), and especially - family offices, want to get exposure to cybersecurity because it sounds like a hot market, but do not have the networks or the ability to evaluate security companies. This leads to a never-ending inflow of “tourist money” - “easy” capital readily available to founders and companies that would have never passed the rigorous due diligence of VCs experienced in cyber. That, in turn, prevents the process of natural selection when only good startups can get funding to grow, flooding the market with questionable “next-gen” tools.
Endless supply of companies coming out of Israel adds to the fire
The famous Unit 8200 of Israel's Defense Forces (IDF), the equivalent of the National Security Agency in the US or GCHQ in the UK, is responsible for offensive and defensive cyber security operations, and cyber warfare. The unit has also become the country’s main startup incubator playing a critical role in turning Israel into the country with the largest number of startups per capita. While the list of startups is in the hundreds, spanning all fields and industries and counting companies like Wix and Viber, probably the largest percentage of companies started by Unit 8200 alumni are in the cybersecurity space. This is no surprise given that the unit is focused on developing cutting-edge cyber warfare capabilities.
While the IDF provides a steady supply of entrepreneurs, the series of successful exits within the ecosystem has formed a sophisticated circle of angel investors capable of evaluating promising ideas, identifying winning teams, and getting them the support they need. Aside from the vibrant ecosystem of operators turned angels, Israel is home to a well-established venture capital ecosystem. In 2022, YL Ventures announced its $400 million Fund V, deemed the largest seed fund ever raised for cybersecurity.
While Israel is not the only country with advanced cybersecurity capabilities, what is unique about it is the entrepreneurial nature of the service members. In the US, it is common to see NSA, CIA, and FBI alumni move into senior security leadership roles in the private sector (such as the appointment of former FBI special agent Jason Manar as CISO at Kaseya) or start a consulting practice. Despite the fairly mature cybersecurity technology and VC ecosystem in Washington DC, relatively few ex-government security leaders start their own companies. In Israel, on the other hand, it is understood that military service is temporary, and starting a business is the natural next step after it ends.
For those interested in this topic, I highly recommend this article from SecurityWeek: From IDF to Inc: The Israeli Cybersecurity Startup Conveyor Belt.
Starting a service business in cybersecurity is relatively easy
Over the past few decades, in fields that are critical to every business’ existence such as accounting, law, marketing, sales, operations, and IT, to name a few, traditional educational systems produced enough employees to satisfy demand. Many of these professions, such as those in sales and operations, can be learned on the job. Those that require deep domain knowledge, such as law and accounting, have been seen as lucrative, stable careers and therefore attracted many people over the years. Cybersecurity, on the other hand, while not entirely new, until recently hasn’t been seen as something every business would need. There is a strong demand for cybersecurity professionals and a small supply of people who can do the job, which creates opportunities for those who are employed to do episodic “side hustles”.
While it is hard to compute the actual numbers, anecdotal evidence shows that many security professionals experiment with offering their services “on the side”. This makes intuitive sense: cybersecurity know-how is in high demand, so if one has some free time, and deep domain expertise in the area, it makes sense to leverage that.
Running a service business gives cybersecurity professionals two advantages: a broad view into the problems experienced by companies in different areas of the market, and the ability to establish a steady, recurring cash flow without leaving their full-time job. The former means that a security practitioner can easily see patterns and problems across a broad range of customer groups, while the latter lowers the risk of leaving their employer and striking out on their own.
When service companies that have initially been started as solo initiatives grow, they typically sign more contracts and hire people to handle an increased workload. Over time, those that are particularly successful gain the ability to use some of their resources and experiment with building products without needing to raise any capital. Many of the ideas emerge organically, from the service company’s need to automate manual steps of addressing the same problem for different customers, some start as a custom project for one customer that then gets commercialized and rolled out as a stand-alone product, while others are a result of pattern matching and experimentation.
One way or another, the constant demand for security provides security professionals with the ability to establish their own service business, and sometimes even bootstrap building products. Most often this results in a mix of a consultancy and a software development shop, and sometimes (although rarely) leads to spinoffs of stand-alone product companies.
Closing thoughts
I often hear that “we don’t need 200+ endpoint detection and response (EDR) vendors”; admittedly I have said that myself on several occasions. While that may very well be true, the number of security vendors is a direct result of how cybersecurity products are built and brought to market. More specifically, it is a side effect of the heavy reliance we as an industry place on trust.
In most industries, what enables innovators to scale quickly is the credit of trust they get from their early adopters. This means that customers, hungry for innovation and eager to see a painful problem solved, will pay and use the product despite all the gaps, bugs, and potential inconsistencies.
In cybersecurity, this does not happen as often. Vendors pioneering new solutions are forced to work hard to educate buyers on why what they do is important before they can reap the rewards of their labor. Few security teams are comfortable moving fast to deploy new, unproven technologies on their networks at scale, which is what would enable startups to grow fast, do a land grab, and achieve market domination quickly. If we look at the second-order consequences of the buying process in security, we realize that 6-12 month-long evaluations of new technologies cannot result in a market of five vendors, because many more founders will try to build the same solution and sell it to people and companies within their reach. When Germans want to work with a German security provider, Americans only trust American companies, and Australians would prefer an Australian startup, trying to reduce the number of companies globally to a single digit would defy math.
As I was reflecting on the reasons we have so many vendors, it occurred to me that the number of players in the industry cannot be lower simply because of the way cyber as a market functions. Moreover, I realized that we all benefit from having so many vendors. Because cybersecurity is heavily based on trust, and companies need to do thorough evaluations before deploying something new in their environments, it would take a long time for innovation to propagate and spread around the globe if only one or two companies tackled the same issue. Imagine if all of Europe had to wait a decade before any advances in homomorphic encryption would become available to them simply because it was an American who described the first plausible construction for a fully homomorphic encryption scheme. Security teams in different parts of the world benefit from getting access to new defense technologies early, and that comes at the cost of duplicated efforts. The only way to change it is to become comfortable trusting early-stage cyber startups and letting them scale quickly, shortening POCs for new approaches and tools to a few days or a week at most - something no sane security leader would advocate for.
Security leaders benefit from having many vendors as the fierce competition pushes companies to innovate, reduce their prices, and improve customer experience. More opportunities to start a company mean that more founders can solve impactful problems, and more can achieve sizable financial returns. More companies also mean more opportunities for investors to get exposure to cybersecurity.
It is easy to say that “we don’t need so many tools” when we look at the list and think that “we would be fine just having the top five”. The irony is that the list of the top five vendors today is rarely the same as the list of the first five vendors that started in that space. It can take tens or hundreds of attempts by different people before leaders emerge. The next time you hear someone say “we don’t need 3000+ cybersecurity vendors”, tell them that it’s a bit more complicated.
Ross, another addition: it’s my opinion that we have too many cybersecurity vendors because customers are constantly asking for ‘point products’ that address specific ‘point problems’… Most customers don’t have a holistic view on cybersecurity and therefore they just choose a point product every time they face a problem!
Great article Ross. There are many vendors chasing many problems yet a large number of security incidents could be prevented with basic hygiene. And as Fred points out, most organizations from SMBs to F500 struggle to prioritize security investments relative to enterprise risk. The paradox of choice is real.