Startup Failures, Thoma Bravo, Fortress InfoSec, SEC & CISOS, & Squirrely Medicine – ESW #270

$125M Series C, PE round, led by Goldman Sachs. The product is effectively a GRC and Risk Management portal that consolidates and organizes risk-related data (questionnaires, vuln scans, threat intel) from a wide range of sources. Another side project is a 'library' of 40,000+ completed product and vendor assessments aiming to cut down on the work necessary for TPRM processes. The company seems almost entirely focused on utilities, particularly electric utilities in the US. With a raise this large, I figure the plan is either to expand the ideal customer to other verticals, or to stay within the utility/manufacturing niche and expand globally. My money is on the latter.

$100M Series C, led by General Atlantic. This is zero trust (lowercase) as a metaphor, and does not appear to be related to Zero Trust Architecture. The endpoint security product claims to include a suite of capabilities, including app control, NAC, Ringfencing (?), storage control, and PAM. The company claims its product is currently used by over 23,000 organizations. How have I not heard of them and they're in 23000 orgs? Perhaps some kind of whitelabeling agreement? Kaseya is mentioned as a partner... Ah, yep: https://www.crn.com/slide-shows/security/kaseya-ransomware-attack-has-led-to-a-windfall-for-threatlocker-ceo-danny-jenkins "ThreatLocker co-founder and CEO Danny Jenkins says his company experienced record sales growth in July in the wake of the Kaseya ransomware attack and is adding 60,000 new seats a month to its application whitelisting solution." Mentions over 2000 MSPs are using them.

“We have created a model that allows us to quickly solve for a new threat vector that we may not be thinking about today.” Hasan ImaM, CEO, Obsidian Security If folks aren't thinking about this threat vector, I'm thinking, it might be tougher to sell it. This is an interesting approach. Regardless of what they call it, this is essentially CASB 2.0. Both the use cases (threat detection, account compromise, etc) and the method (API ingestion) existed with CASB 1.0. As with CASB 1.0, one of the primary challenges is whether it will work out-of-the-box with the SaaS apps you use.

$65M Series C, led by Greenfield Partners. Focused on Identity Threat Detection and Response (ITDR) and Identity Threat Prevention (ITP), both of which caused me pain to write. Not to be confused with identity THEFT protection, this is an enterprise play that will compete with PlainID and others emerging in this space.

$42M Series B, led by BOND. Sells an SDP/ZTNA VPN solution (e.g. VPN without having to publicly expose endpoints).

$30M Series B, led by Insight Partners. Appears to be joining the CASB 2.0 crowd.

$23M *Seed* round led by Oren Zeev & Bessemer. I suspect we're looking at another DSPM here, that will compete with the likes of Cyera, Polar, Eureka, & Symmetry.

$10.5M Series A, led by Tiger Global, Accel & Together Fund. Taking aim at AuthZ space & the likes of CyberArk, BeyondTrust, Delinea, etc. Founders come from Zoho.

$6M Seed, led by WestWave and CyberJunction. Product is SOC-as-a-Service (XDR) for SMBs.

$5.4M seed round led by Greyhound Capital. They're offering a continuous pen testing service that appears to be backed by a 'crowd' of contracted hackers (a la HackerOne, BugCrowd, SynAck, and Cobalt). I suspect there will be some differentiators from existing crowdsourced testing firms.

$4M Series A, led by Tech Mahindra. Israel-based "InsurTech" startup intends to offer some form of cyber insurance (likely whitelabel) for consumers, which includes an app and live support to assist with personal security incidents.

$2.7M seed round, led by Mercato Partners. They are Yet Another Threat Intel Vendor.

Thoma Bravo picked up Imprivata for $544M in 2016. A sale aiming to net $2B in 2020 was cancelled due to the pandemic. 2 years later, Thoma seems to be padding their asset with the acquisition of SecureLink. Another attempt to sell Imprivata seems inevitable.

A list of a few hundred of the biggest startup failures of all time. How many cybersecurity companies are among them? Zero. This backs up what I've been observing for years - cybersecurity defies the startup failure rate present in nearly every other market. It's perhaps worth some thinking and discussion on why security startups seem to be so much more resilient.

The title and most of the article misrepresents what's actually in the SEC proposal. It drew attention to it and it's something that should be discussed, so I suppose we can forgive Forbes on this one. - The proposed item is a requirement to DISCLOSE any cybersecurity expertise at the board level, not to require it (though admittedly, a second order effect could be that public companies are pressured to then add cybersecurity expertise to their boards) - It goes on to say that "the proposed item... would not define what constitutes 'cybersecurity expertise'" - but it does "include the following non-exclusive list of criteria that a registrant should consider" (followed by the three bullet points that the article misinterpreted)

Something I didn't see with the combination of Kenna and Cisco - the opportunity to leverage Cisco's Secure Endpoint (AMP for Endpoint, originally from the SourceFire acquisition) as a host-based vuln scan agent.

For us to recommend a competing podcast, it's going to be a good one. I wasn't familiar with Alfred Huger or his background, but this discussion was a whirlwind of nostalgia as the hosts take him through his multi-decade career. The real meat of the conversation is towards the end, however, when he shares his thoughts about what works and doesn't work in the world of cybersecurity startups.

There has been a ton of quantum hype in cybersecurity already and it looks like one of these startups is getting called out. It's not that quantum computing doesn't represent benefits and challenges for security (encryption, particularly), it's that the days of quantum computers cracking current encryption standards in seconds is still far off.

Phil Venables is a great read at the worst of times and this is quite a bit better than his worst. Though I'm left wondering how one would implement some of the metrics he suggests, they're all thought provoking suggestions.

I often run across some weird stuff, but I'm having a hard time with this one. Using nothing but a camera as a sensor, Binah claims its software can accurately measure "blood pressure, heart rate, heart rate variability (HRV SDNN and RRI raw data), oxygen saturation, respiration rate, sympathetic stress, parasympathetic activity, and pulse-respiration quotient (PRQ)" What.