There are a few certainties in life: taxes, death, and getting hacked. Attacker tactics, techniques, and procedures (TTPs) always evolve, which means companies will need new cybersecurity tools with improved capabilities. While the incumbents will fulfill some of those features, we should expect a vibrant ecosystem of cybersecurity startups challenging the status quo this year.
However, with today’s shift from the “irrational exuberance” of 2021 to a frozen venture capital market through 2023, we’re all wondering what the venture market will look like in 2024, and what effect it will have on new and existing cybersecurity companies.
From irrational exuberance to survival of the fittest
In 2021, interest rates were low, venture capital was plentiful, and valuations were sky-high. Cybersecurity startups raised massive rounds of funding with sometimes exorbitant valuations. This era was a blessing and a curse for founders. The blessing: raise plenty of cash to deliver on the vision. The curse: the pressure of generating revenue to “grow into” the valuation. For those who watched the HBO show Silicon Valley, recall the episode where the founder was panicked because he had to raise a “down round.”
In April 2022, early indicators made clear the markets were shifting towards a recession, if not by the technical definition, then at least in the sense that budgets were tightening among security buyers and revenue forecasts would subsequently be revised downwards. Well-executing companies aggressively cut expenses, reducing their burn, and extending their runways.
For example, a big lesson I learned from my past life is that companies can’t “cut” their way through a recession; they must sell their way through it. Well-executing companies therefore reallocated the money saved from cost-reduction efforts towards revenue-generating efforts, hiring more quota-carrying sales reps and creating incentives for channel partners.
Companies such as ours, with product-market fit that truly addresses a need, could efficiently reallocate funding towards sales initiatives. However, companies that struggled to find their niche in the current market were in trouble. For companies uncertain how to sell their product, or worse, whose product does not yet meet the needs of a paying customer, it’s very difficult to sell their way through a recession. Need drives demand, so it’s important to have a product that both truly addresses the current threat landscape – especially in terms of recent news-making attacks – and preemptively improves security for buyers.
Investment climate for Series B and beyond companies
Upon raising a Series A/B/C venture round in 2021, investors pressured security founders to deliver growth at all costs. Burn multiples and sales efficiency metrics were not as important as top line growth, because top line growth was the single biggest contributor to a company’s valuation.
In 2023, going into 2024, that mindset has completely shifted to prioritizing sales efficiency. Suddenly, CAC payback, net sales efficiency, and burn multiples are king. The assumption is that venture for Series B and beyond companies will continue being tight, and investors are willing to pay a premium for slightly slower growth but a highly efficient sales motion.
In addition, there’s a significant amount of uncertainty about the impact that LLMs and Generative AI will have on critical cybersecurity processes and workflows. Later-stage companies are under pressure to prove that the core product and intellectual property are defensible against a GenAI-era startup.
Investment climate for pre-seed, seed, and Series A companies
The economics for early-stage companies are completely different from those for later-stage companies. Writing smaller checks means an investor can spread the risk across more startups, with the hope that one or two of those investments will pay off. However, early-stage companies carry the burden of proving they aren’t just some wrapper on top of ChatGPT. In fact, some term sheets now include clauses that require founders to immediately disclose if they are using ChatGPT or LLMs generally, to ensure there’s sustainable intellectual property under development.
What to expect in the year ahead
Here’s what I predict will happen among security startups in 2024:
- Only the toughest survive. The companies that effectively navigated the “valley of death” that was 2022-2023 will enter 2024 in a much stronger position to fundraise by balancing growth and sales efficiency.
- Pricing models shift. We should expect companies will prioritize growing revenue from their existing customer base through changes to their pricing and packaging, for example, adopting usage-based pricing to drive expansion.
- Some companies will struggle to find new funding. The companies that raised massive rounds in 2021 but struggled to efficiently grow their revenue are now underwater or flat – their current valuations are below or equal to their 2021 valuations. These “zombie” companies will struggle to raise their next round, have no clear path to an IPO, and will have to drastically cut burn via layoffs and look to be acquired, likely by private equity. In rare cases we’ll see the “phoenix effect” where a lean-and-mean company can extend their runway and build an efficient go-to-market machine.
- Others will simply go out of business. Companies that raised a round in 2021 but have failed to achieve product-market fit will go out of business or be sold for pennies on the dollar as an acquihire.
There’s a lot of noise in the cybersecurity market: threat actors filing breach notifications to the SEC, the marketing hype around generative AI, and the reality that organizations are struggling with building effective security programs. Buried in all of that is the question of whether certain security tool vendors will still be in business in 2025. We should expect significant pruning of the cybersecurity market over the next 12 months, where only the fittest survive, and CISOs must prepare for significant disruption to their security tools.
Snehal Antani, co-founder and CEO, Horizon3.ai