Cybersecurity has come a long way from antivirus on a CD-ROM in the early 2000s. The push to software-as-a-service simplified AV protection down to a single update click. Cyber defenses followed corporate data and mobile devices into the cloud as companies tapped storage and compute infrastructure outside their four walls, the genesis of the hybrid blueprint companies would use to survive the COVID shutdowns.
The result of this cloudification of work is a diverse landscape of cybersecurity offerings extending protection from on-premises basics to newer terrain - developer and firmware environments, and even AI algorithms. The broad range of innovation pushes information security and risk management spending to more than $188.3 billion, an 11.3% increase, according to Gartner. Given the growth opportunities available to vendors with strong product market fit, it makes sense why security venture capitalists keep mining for startup gems.
DevOps shifts security left. “Architecture and development shifts create new opportunities for security,” says James Green, General Partner at CRV and a Forbes’ 30 under 30 honoree in 2022. The startups best positioned to land funding are those with defensible moats that usually go in hand with solving tough problems others haven’t addressed. One example is integrating security with DevOps, which empowers developers to prioritize security issues and expedite remediation. “Existing Source Code Analysis solutions are not sufficient,” Green notes. CRV’s investments in Project Discovery and Tailscale put security in the hands of developers, reducing silos and remediation time.
For Aaron Jacobson, a NEA partner and Forbes’ 30 under 30 in 2016, Flox is a compelling security meets DevOps automation business. NEA led a $16.5 million A round this February in Flox. “Their build system helps developers escape the notorious ‘dependency hell’ of troubleshooting software and configurations instead of writing new code,” says Jacobson. It also helps customers secure their software supply chain by tracing the lineage of software packages in use.
AI is the buzziest moat play in security. Machine learning and AI can hinder or aid security teams. “We see AI as part of the tech fabric that can provide advanced capabilities in threat detection, incident response, and remediation,” says Oren Yunger, a former CISO who now leads GGV Capital’s security practice. For Green, this translates into opportunities for founders who build solutions that prevent data leakage, PII, prompt injection, or unauthorized access to company specific LLMs (large language models).
Alex Doll, Founding Director at TenEleven Ventures, notes they invested in HiddenLayer to protect ML models, including LLMs, from data poisoning and other attacks. He adds that larger data sets will boost the importance of data security and governance, which are problems that portfolio companies Vaultree and Immuta solve. Importantly, AI is often bundled with automation, which mimics human actions. Another TenEleven investment, Kasada, differentiates human traffic from bot traffic, which can counter financial fraud and offer clean data for precision marketing. “The only way to counter ‘bad intent’ automation will be with ‘good intent’ automation,” says Doll.
AI automation can also accelerate the spread of disinformation. Ted Schlein, Chairman and General Partner of Ballistic Ventures, views disinformation as another form of malware “more insidious than any malware that we have dealt with in modern society.” Whereas computer viruses damages corporate assets, disinformation - whether spread accidentally or maliciously - damages people. Schlein invested in Alethea to identify and uproot fake news before it goes viral.
Cloud security, compliance, identity - VCs are still funding solutions to these enduring security problems. “We see significant opportunities in cloud security solutions, compliance, identity, and automation,” says Yunger. The team has invested in more than 15 security startups, including Orca Security for agentless cloud security, Drata for continuous compliance and GRC, and Descope for drag-and-drop unified authentication. “Specifically, in today’s tough market conditions, we spend a lot of time investing in tools that we believe are must-haves for security professionals.”
Despite stingier spending, security VCs are writing checks. Founders have battled interest rate headwinds since last March when the Fed started quantitative tightening (QT), a move that has sent rates more than 5% higher. VC funding for cybersecurity fell 32.19% from $23.3 billion in 2021 to $15.8 billion in 2022, and 2023 is off to a muted start with $2.7 billion raised in the first quarter of 2023 compared to $6.5 billion in Q1 of 2022.
“Post 2021, it became a more challenging time to invest,” Green says. But the search for the next Adallom (MSFT acquisition), the next Proofpoint (PFPT) continues. Funding may slow in 2023, but the VC checks keep coming - and following those investments, sooner or later, are exits that reward funds and company insiders too. “We are still very actively evaluating and funding companies, including follow-on rounds to companies we invested in previously,” says Doll. “Security budgets are shown to be the most resistant,” adds Yunger. “Rounds are continuing to get done but at a more conservative speed.”
© 2024 Benzinga.com. Benzinga does not provide investment advice. All rights reserved.
Trade confidently with insights and alerts from analyst ratings, free reports and breaking news that affects the stocks you care about.
