World Chocolate Day – ESW #248

All the key numbers are right there in the title. There are currently 653 unicorns by the old method of calculating (valuation > $1bn). 28 of those are cybersecurity startups. Sorry Devo, nothing personal, but I propose we move that number so that we can continue using the term unicorns to refer to startup valuations so high, they're still rare. At $5bn, it still seems like too many! There are 108 startups valued at $5bn or more and 4 cybersecurity startups. If we go up to $8bn, we're down to 32 unicorns total, one of which (Snyk) is a cybersecurity startup. That feels about right and gives us some room to grow. So, about Devo - the original premise was, "hey, Splunk had a great idea, but what if it didn't have to be so expensive?" Turns out a lot of folks agreed with that premise and that's reflected in the size of this round and the valuation. This round was led by TCV, which has a long history of taking startups to IPO, and there's little question here - the next big milestone for Devo is likely to join competitors Splunk and SumoLogic as a public company. IPO makes a lot of sense for this market - data storage and analysis needs will always exist. Any need to pivot with the market should be much easier than, say, an endpoint vendor.

OT is niche, but it's largely an underserved niche and this round sees Dragos focusing more on international expansion. We can especially see the need for training and services in parts of the world where critical infrastructure is common but a skilled and experienced IT/security workforce isn't.

Cato Networks was very ambitious in the early days, basically aiming to be a Zscaler competitor that allowed customers more options and customization, whereas Zscaler was more "this is what you get, take it or leave it". Cato aimed to allow customers to build complex software-defined LAN/WAN with integrated security controls. In short, it's a play to outsource a large chunk of a company's infrastructure security controls, regardless of where those workloads live - private datacenter, public cloud, colocated, etc. They're currently using the SASE label, which fits well here and describes where the bulk of the value Cato adds lives in their product. It also doesn't hurt to be compared to Zscaler and other SASE offerings that seem to be doing very well in public and private markets.

This one surprised me - it's a huge round and valuation for a company I haven't heard of. This isn't new ground, either - Symantec acquired LifeLock 2 years ago to put together a similar combined offering to what Aura has here. One executive spent 10 years as a product manager at LifeLock, so they've got some industry experience on the team. They also own Pango Group, which seems to be building apps that will integrate with some of the company's identity and fraud protection services. This isn't a space I know well, but when I hear "identity protection" and "VPN apps for your phone", I don't think "massive growth opportunities".

What's better than double-blind? For an industry obsessed with visibility, a brand called "TripleBlind" makes the dad joke portion of my brain chuckle. Data security is probably one of the toughest problems in cybersecurity. Data is critical and sometimes needs to be shared. Put too many controls and restrictions around data security and it can be a productivity-killing nightmare. Worse, employees are likely to find ways around these controls, so they can get their work done. We've seen many cracks at this. Often, the recipient of protected data has to install software and somehow receive a key to unlock or decrypt the data. Usually, the data owner retains the ability to revoke access to the data, thanks to some sort of PKI infrastructure managed by the product itself. In the case of TripleBlind, the company is still at the stage where it looks like copy is being written by founders and engineers. If they're targeting healthcare, they're going to have to clean up this messaging. "TripleBlind offers proprietary cryptographically-enforced privacy for data and algorithms, allowing institutions to collaborate around the most private and sensitive data without it ever being decrypted or leaving their firewall." The value prop is that data is underutilized due to regulatory fears. TripleBlind claims to be able to open these opportunities without violating regulations like GDPR (EU privacy), PDPA (Singapore), and HIPAA (US healthcare). It's not easy to understand how they're managing to do this, and I can't find enough detail on their website to explain the technical details, workflow, or use cases related to this product. I just find things like: "Real Time Data De-Identification Without the Cost or Loss of Accuracy with Practically 0% Probability of Re-Identification" From what I can tell, it seems like a way you could hire a third-party data science firm to do some analysis of the data, without actually having access to the full data set. For example, they can pull insights out of a set of patient data, but can't pull out individual names and addresses; or tie treatments to individuals.

Seems like a good exit for Invicti, which is the company behind the popular NetSparker and Acunetix scanning tools. From the investor standpoint, vulnerability management is fairly solid - especially at the application layer. Though the underlying app layers have been changing and increasing in complexity, the presentation layer can still very much benefit from DAST scanning.

Another deal related to identity monitoring and protection. Sontiq is the parent brand of IdentityForce, Cyberscout, and EZShield. The two latter brands ring a bell, but again, I'm not sure I see huge growth opportunities here. Sontiq was created when PE firm, The Wicks Group, acquired IdentityForce. Breach Clarity and Cyberscout were later acquired and added to Sontiq in Q1 2021. TransUnion is acquiring Sontiq from Wicks. It does make sense for TransUnion to acquire these types of services. Hopefully, they're in better shape than Equifax, because they're clearly a target for adversaries looking to steal identities and personal information as well!

Piiano (get it? PII + Piano?) is another privacy engineering startup. We've seen a ton of funding rounds for privacy engineering startups, and each seem like they're doing things a bit different, or aiming at different pieces of the problem. Some aim to create safe *non-production* versions of data for developers to work with. They do this by scrubbing copies of production data, or generating fake data from scratch that matches production fields and formats. In this case, it looks like Piiano's Vault product might be serving up versions of production data modified in real-time, based on each role's needs and/or privacy requirements. Worth noting that YL Ventures is leading the (quite healthy) $9m seed round here.

This was already discussed on ASW and PSW this week, but it's a significant one. It likely didn't do much damage, as the malicious payload primarily aimed to mine Monero, and only on systems running npm installs or updates. However, it confirms our fears about the vulnerability and attraction of the growing ecosystem of package managers and app 'stores'. On one hand, organizations are incentivized to make it easy for developers to create and publish applications. After getting burned a few times, they'll likely be forced to lock down these software distribution hubs and add security inspection or scanning processes.

Fake vendor scams investors. Only 3.5% of what Theranos managed to raise. Amateurs.

Customer scams vendors. Actually, that's not exactly correct. While it is Michael Kail going to jail, the companies he received bribes and equity from seemed happy to play ball. Unfortunately, vendors are all too willing to resort to shady practices to get ahead. It's quite common for vendors to purchase awards and pay influencers to write positive things about their companies, posing as independent opinions. Along with ever-growing funding rounds, the pressure is greater than ever to hit massive growth numbers. Ethics and scrutiny should never be sacrificed in order to make numbers.

We might be on track to top $20bn in funding for cybersecurity startups by the time the year is out! We're looking at between 150 and 180 funding deals per quarter, while M&A is hovering just below that - around 120 deals per quarter. Any way you look at it, 2021 has been busy for cybersecurity startups and investors.

The WSJ story: https://www.wsj.com/articles/new-u-s-rule-would-limit-sales-of-hacking-tools-to-russia-and-china-11634759525 The export controls rule: https://public-inspection.federalregister.gov/2021-22774.pdf

Vegan dairy products are apparently a thing. Not vegan dairy *substitutes* - actual dairy that doesn't come from animals.