Where top VCs are investing in cybersecurity


cybersecurity 1073724472
Image Credits: Dong Wenjie (opens in a new window) / Getty Images

Security is one of the toughest things to get right; a hacker only needs to win once, but businesses have to get it right every single time.

Not every company faces the same field of threats. That’s what makes security particularly difficult — there are no panaceas, and the cybersecurity startup field is crowded. So much so, some entrepreneurs complain that the vast number of solutions on the market are weighing down chief security officers with a deluge of data but not the clear visibility they need.

Or, as one of the cybersecurity-focused VCs we surveyed called it: “startup fatigue.”

Many of the rising cybersecurity startups focus on the same or overlapping problems could lead to a “cybersecurity consolidation,” one that’s dictated by customers and not necessarily the businesses themselves.

But there’s usually one element that feeds into everything — data.

As hacks and breaches become more common, companies and customers alike are reevaluating their relationships with data. Customers want more ownership of their data and the ability to give it out granularly, while an increasing number of businesses are shifting away from central banks of data and leaning towards a “zero data” approach.

By minimizing the amount of information companies store or collect, it’s validation that even some larger startups don’t even trust themselves to secure data properly.

Not only that, there’s as much mistrust inside their own networks. That’s where “zero trust” comes into play — where you don’t trust, but you certainly verify. The idea is that you get no extra special access inside a company’s four walls. Many big companies, like Google, treat all employees the as if they present the same level of security risk whether they’re in the office, at home, or in a coffee shop down the street.

“You should be able to run your whole business out of a Starbucks,” said Google security chief Heather Adkins at Disrupt SF.

Why the mistrust? Because security isn’t just a technology problem, it’s a people problem. And it’s not only people creating the solutions, it’s people with the solutions to create these startups to begin with.

We asked ten leading cybersecurity VCs who work at firms that span early to growth stages to share where they see opportunity in this sector:

In addition, we did a deep-dive interview with Arif Janmohamed at Lightspeed about how he and his firm are targeting the sector and what he sees as the next-generation of cybersecurity startups. Be sure to check it out.

The future of cybersecurity VC investing with Lightspeed’s Arif Janmohamed

Now, let’s get to the data.

Answers have been edited for clarity.

Amit Karp, Partner at Bessemer Venture Partners

In cybersecurity, what are you most interested in right now from an investment perspective?

Unfortunately, the cybersecurity landscape is overcrowded with many vendors that offer point solutions. I believe CISOs are tired of deploying additional security products which for the most part have overlapping functionality. So I am very cautious with additional tools that are deployed inside the enterprise perimeter (network, endpoint, etc.).  I am looking for companies that can be deployed quickly and demonstrate immediate value to CISOs, and do not overwhelm the CISO with many new alerts.

What are the most interesting trends in the space, particularly ones you think are under-appreciated by other investors?

I think there are still many opportunities to improve application security. The combination of every company becoming a software company on the one hand and development environments becoming more chaotic on the other hand, results in many new risks and opportunities in securing your software. This includes securing third-party APIs or open-source components which are outside your control and giving developers and devops engineers more security tools while not hindering the pace of development.

Another interesting trend is micro-segmentation and authorization — with the adoption of zero-trust frameworks and authentication becoming a solved problem — deciding who gets access to what has become increasingly important.

Are there any startups in cybersecurity you wish existed, but haven’t seen yet?

I would love to see someone create a way for people to take full control of their online data and decide what services they want to share it with and for how long. You can revoke the personal data access at any time if you don’t get the desired value from the service.


Rama Sekhar, Partner at Norwest Venture Partners

What I’m excited about in cybersecurity:

  1. Cyber crime is a never-ending challenge. Attacks are increasing in frequency and sophistication. SaaS and cloud adoption have dramatically broadened the attack surface that hackers can target, so I’m very interested in startups that are cloud-first in their approach.
  2. Ransomware is also on the rise. These tricky attacks are being used to extort both small and large enterprises and a startup should exist to combat it.
  3. But the cybersecurity startup landscape is extremely crowded. With so many security products proliferating the market, the bad guys are falling back on tried and true methods such as email phishing attacks which, according to the FBI, led to $12 billion in losses in 2018. I like companies using new techniques, such as machine learning, to solve these problems. As a case in point, Agari used this approach to unmask the infamous Nigerian prince scam last year.

Ping Li, Partner at Accel

While cybersecurity has attracted significant venture money (Accel alone has 20+ active cyber-related portfolio companies), we believe innovation in this market will continue to grow exponentially. It has to. On one hand, you have more sophisticated attackers (nation-state, etc), but more importantly, attack surfaces are constantly expanding along multiple vectors.

Among the areas he is interested in:

  • Cloud and mobile platforms have made the perimeter obsolete (i.e. Crowdstrike, Lookout, Code42, Netskope).  Microservices-based and cloud-native applications require more real-time and dynamic detection and prevention (i.e. Sysdig, Styra).
  • No longer can security be a “bolt on” – true application security needs to have security “built in” at time of development (i.e. Snyk, Semmle). Rise of API driven services have redefined first- and third-party security boundaries (i.e Risk Recon).
  • Data leakage and privacy have become core for enterprise security architectures – rise of the Chief Data Officer (i.e. Privitar,
  • OT/IoT is a growing source of vulnerabilities for enterprises and consumers as everything is now “connected” (i.e. Tenable).
  • Authentication and identity requires more sophistication while maintaining user simplicity (i.e. Callsign, Forgerock).
  • Security operations in enterprises will be driven by real-time data driven workflows (i.e. Sumologic).

Other thoughts:

Outlined above are only a select few trends that we are excited about! While I provided a few companies above, there are multiple layers of innovation for each trend and boundless start-up opportunities to build a category defining company. As soon as one attack vector is “solved,” there will bound to be another one that arises. The cybersecurity market will drive significant innovation for years to come.

Saam Motamedi, Partner at Greylock

At Greylock, we are incredibly excited about the strong secular opportunity in cybersecurity. I currently have two cybersecurity companies in stealth, and the firm has investments in companies like Sqreen, Awake, Obsidian and others. Among many fertile areas, there are three that I’m most excited about:

  • Next-generation email security. In 2019, as email moves to the cloud and attackers become more sophisticated and targeted in their approaches, legacy secure email gateway architectures which rely on signature-based approaches are less effective. As a result, business email fraud is growing as the largest driver of cyber crime in the U.S. We believe new email solutions can utilize machine learning to deliver next-generation protection against these advanced attacks in cloud email environments.
  • Vulnerability management. Security engineering teams struggle to prioritize resources against resolving an increasing number of vulnerabilities in their infrastructure. Once identified, vulnerability remediation is manual and expensive. There are several exciting young companies addressing this area by infusing vulnerability prioritization with asset and infrastructure context, and orchestrating remediation.
  • Cloud data security and governance. As enterprise data moves to the cloud and SaaS applications, new security and compliance issues get created from the lack of visibility and controls. We believe there’s a new opportunity to deliver API-based tools to discover sensitive data across an enterprise’s cloud environment and monitor and enforce appropriate data use across the entire lifecycle.

Deepak Jeevankumar, Managing Director at Dell Technologies Capital

Our key themes for cybersecurity investing in 2020 are zero trust (tech theme), bridging human capital gap (HR theme) and hybrid cloud (industry trend theme).

The big cybersecurity categories that will be changed by these themes – vulnerability management, privileged access management, application security, networking security, fraud, email security and endpoint security.

We also look for founders who are empathetic to CISO needs – there are too many startups and CISOs have a startup fatigue. Founders need to know how to message well to the CISOs and make sure their product works with the existing security ecosystem. Usually we prefer to have a former CISO or security practitioner as a part of the founding team as they bring automatic empathy to security product design.

We also like to see a non-cyber related industry trend that can provide the necessary tailwind to enable faster adoption. Examples of these non-cyber trends that have created tailwinds in the past include: SaaS, IaaS, containers/microservices, outsourcing and CI/CD.

Lenard Marcus, General Partner at Edison Partners

Fundamentally, more and more data online means exponentially increased opportunity for cyber threats. And with devices and connectivity, governance has become a key catalyst as countries have implemented laws such as GDPR, to ensure that companies are protecting the data of users.

Our investments in cybersecurity are based on the following key areas of opportunity:

1) MDR (Managed Detection and Response): this may be one of the more clear opportunities. The companies in this category really hit at the heart of the problem in cyber which is, the hackers are ahead and have had success compromising even the best technologies. Therefore, it’s best to have human eyes and hands behind the technology to kill an attack.  Edison had a great deal of success with eSentire (, which was one of the first MDR companies.

2) Endpoint Security: There is a tremendous need to manage and monitor a company’s network by ensuring the safe connectivity of the devices to which it connects. While there are many offerings, the key theme will be an ability to manage and protect data. Endpoint security has to take data at rest into account, networks, devices, VOIP connections … everything connected to the internet.

3 ) Phishing: While it may appear a bit mundane, anti-phishing email security is a great investment opportunity. Email is one of the top threat vectors and there have been numerous incidents in which financial leaders in businesses large and small have been infiltrated via email. According to research by Verizon, email continues to be the most common threat vector (96%) used by cyber-criminals to carry out attacks against organizations across various industries.

4) Countercyclical trends around e-commerce: Ecommerce is growing so rapidly because bricks-and-mortar is dying. It’s a very costly way to do business. Amid a potential economic downturn, we expect the transition to ecommerce to increase in speed.  This thesis led to our focus on technologies that fortify ecommerce websites and payments.

And a fifth opportunity unique to a specific vertical…

5) The move to connect almost everything in hospitals is creating yet another more vertically-focused opportunity to provide software and services to hospitals. IP-based medical devices also require protection. Companies like Medcrypt must now sell into entities that have never purchased cyber products yet will soon be forced to wrap their product offerings with cyber security software to ensure product safety.

And overall:

In making investments in this space, you’re trying to find entrepreneurs who are forward-thinking yet have strong market awareness. You’ve got to be sure the product is open architecture that interoperates with other products as we move from data silos to cyber vendors aligning to fight against cyber threats.

We will always focus on the product/market fit. eSentire, for instance, didn’t lose one customer in the first three years after we invested. The company initially started with a focus on hedge funds and later expanded more broadly into financial services. The team then focused on adding energy and legal verticals and did not miss a beat.  The company theme was industries with extremely valuable assets on their networks, yet cyber protection was not their core competency.

The technology too, of course, has to be superior. There have also been no computer hacks at eSentire in this time either. A good cyber security company provides managed network security because hackers are doing so well at infiltrating. You need a second set of eyes behind the product. The prowess of hackers to infiltrate a single device, makes managed detection response a very attractive segment within security and should continue to fuel its growth.

Arun Mathew, Partner at Accel

We’re seeing a lot of vendor fatigue in the market. Increasingly, CIO’s & CISO’s are consolidating the number of security vendors they’re working with. It’s important to have a platform strategy, including a compelling insertion point and a product roadmap that can support multiple use cases over time.

In terms of specific categories within security, we’re very excited about the migration to the cloud & an emerging sector around SaaS operations management or SaaS Ops, which our company, BetterCloud, is pioneering. SaaS is redefining how software is used & managed within the enterprise, and we believe it represents a new and unmanaged security vector that will be interesting and important to pay attention to over time.

Matt Carbonara, Managing Director at Citi Ventures

What are you excited about in cybersecurity?

  • Products that pull signal from the noise from the overwhelming set of data and alerts that security teams are drowning in.
  • Products that integrate with existing systems and elements in order to avoid deploying new agents while accelerating time to value.
  • Hybrid and multi-cloud security – whether multiple public clouds or public and hybrid cloud, the new enterprise reality is a multi-cloud environment. With that, the need for security and governance across these environments is critical and a high priority. Included in this is container security as containers and Kubernetes are the leading solutions for cloud portability.

Any important trends you are following in the industry?

  • Building security into products and then into the software development process itself.
  • The expanding role of identity in security. There is a view that “identity is the new perimeter,” which is more granular, robust and allows real-time identities to grant privileges and access to enterprise systems and resources.

Matt Robinson, Vice President at TCV

We’re always on the lookout for broader technology innovations with disruptive potential for better solving old known and new unknown problems across industries.

Recent breakthroughs in AI/ML capabilities unlock deep value in cybersecurity through improved identification, correlation, and automation of vulnerabilities, data, and responses. We see evidence of this in examples like Crowdstrike in endpoint protection and our recent investment in Vectra in network protection. We believe a number of other security sectors are next to benefit from AI/ML disruption such as SIEM, application security, data protection, and SOAR.

As this disruption occurs, we believe the fragmented security landscape will begin to consolidate. Larger, modern security companies will recognize security data density as an asset to which they can apply AI/ML models to create a unified solution to protect enterprises’ multi-faceted threat vectors, deepening their competitive moats and delivering greater customer value.

Enrique Salem, Partner at Bain Capital Ventures

Privacy is a significant concern for enterprises and consumers alike, and the increasing complexity of what constitutes a violation makes traditional data privacy measures less effective. In the B2B space, which is where we primarily invest, we’re seeing the emergence of AI-powered products that help contain data sprawl – a major liability for security, IT and compliance teams who are working to comply with regulations like HIPAA and GDPR. On the consumer side, we’re starting to see more and more products that help consumers control their data footprint across the web.

With the proliferation of IoT and “bring-your-own-device” (and -peripheral, e.g. headphones, Bluetooth devices) allowances, enterprises face increased security risks because security agents can’t always be installed. As a result, there’s a huge need for products that can effectively inventory and monitor devices connected to a network, regardless of whether those devices have an agent installed.

Last, with enterprises’ ongoing migration to the cloud, we’re seeing a meaningful opportunity for low-friction cloud security – in other words, security products that can integrate via cloud service APIs as add-ons to existing services. We think there are a few important features that make these kinds of products particularly compelling and ripe for adoption. API integration enables a seamless installation and the ability to show value quickly. API integrations also allow such products to leverage machine learning in a stateless manner, respecting data privacy while delivering smart, accurate security automation to reduce both breaches and SOC fatigue. Finally, this class of products can aggregate data across multiple platforms to enrich context for better security decisions.

More TechCrunch

Welcome back to TechCrunch’s Week in Review. This week had two major events from OpenAI and Google. OpenAI’s spring update event saw the reveal of its new model, GPT-4o, which…

OpenAI and Google lay out their competing AI visions

Expedia says Rathi Murthy and Sreenivas Rachamadugu, respectively its CTO and senior vice president of core services product & engineering, are no longer employed at the travel booking company. In…

Expedia says two execs dismissed after ‘violation of company policy’

When Jeffrey Wang posted to X asking if anyone wanted to go in on an order of fancy-but-affordable office nap pods, he didn’t expect the post to go viral.

With AI startups booming, nap pods and Silicon Valley hustle culture are back

OpenAI’s Superalignment team, responsible for developing ways to govern and steer “superintelligent” AI systems, was promised 20% of the company’s compute resources, according to a person from that team. But…

OpenAI created a team to control ‘superintelligent’ AI — then let it wither, source says

A new crop of early-stage startups — along with some recent VC investments — illustrates a niche emerging in the autonomous vehicle technology sector. Unlike the companies bringing robotaxis to…

VCs and the military are fueling self-driving startups that don’t need roads

When the founders of Sagetap, Sahil Khanna and Kevin Hughes, started working at early-stage enterprise software startups, they were surprised to find that the companies they worked at were trying…

Deal Dive: Sagetap looks to bring enterprise software sales into the 21st century

Keeping up with an industry as fast-moving as AI is a tall order. So until an AI can do it for you, here’s a handy roundup of recent stories in the world…

This Week in AI: OpenAI moves away from safety

After Apple loosened its App Store guidelines to permit game emulators, the retro game emulator Delta — an app 10 years in the making — hit the top of the…

Adobe comes after indie game emulator Delta for copying its logo

Meta is once again taking on its competitors by developing a feature that borrows concepts from others — in this case, BeReal and Snapchat. The company is developing a feature…

Meta’s latest experiment borrows from BeReal’s and Snapchat’s core ideas

Welcome to Startups Weekly! We’ve been drowning in AI news this week, with Google’s I/O setting the pace. And Elon Musk rages against the machine.

Startups Weekly: It’s the dawning of the age of AI — plus,  Musk is raging against the machine

IndieBio’s Bay Area incubator is about to debut its 15th cohort of biotech startups. We took special note of a few, which were making some major, bordering on ludicrous, claims…

IndieBio’s SF incubator lineup is making some wild biotech promises

YouTube TV has announced that its multiview feature for watching four streams at once is now available on Android phones and tablets. The Android launch comes two months after YouTube…

YouTube TV’s ‘multiview’ feature is now available on Android phones and tablets

Featured Article

Two Santa Cruz students uncover security bug that could let millions do their laundry for free

CSC ServiceWorks provides laundry machines to thousands of residential homes and universities, but the company ignored requests to fix a security bug.

2 days ago
Two Santa Cruz students uncover security bug that could let millions do their laundry for free

TechCrunch Disrupt 2024 is just around the corner, and the buzz is palpable. But what if we told you there’s a chance for you to not just attend, but also…

Harness the TechCrunch Effect: Host a Side Event at Disrupt 2024

Decks are all about telling a compelling story and Goodcarbon does a good job on that front. But there’s important information missing too.

Pitch Deck Teardown: Goodcarbon’s $5.5M seed deck

Slack is making it difficult for its customers if they want the company to stop using its data for model training.

Slack under attack over sneaky AI training policy

A Texas-based company that provides health insurance and benefit plans disclosed a data breach affecting almost 2.5 million people, some of whom had their Social Security number stolen. WebTPA said…

Healthcare company WebTPA discloses breach affecting 2.5 million people

Featured Article

Microsoft dodges UK antitrust scrutiny over its Mistral AI stake

Microsoft won’t be facing antitrust scrutiny in the U.K. over its recent investment into French AI startup Mistral AI.

2 days ago
Microsoft dodges UK antitrust scrutiny over its Mistral AI stake

Ember has partnered with HSBC in the U.K. so that the bank’s business customers can access Ember’s services from their online accounts.

Embedded finance is still trendy as accounting automation startup Ember partners with HSBC UK

Kudos uses AI to figure out consumer spending habits so it can then provide more personalized financial advice, like maximizing rewards and utilizing credit effectively.

Kudos lands $10M for an AI smart wallet that picks the best credit card for purchases

The EU’s warning comes after Microsoft failed to respond to a legally binding request for information that focused on its generative AI tools.

EU warns Microsoft it could be fined billions over missing GenAI risk info

The prospects for troubled banking-as-a-service startup Synapse have gone from bad to worse this week after a United States Trustee filed an emergency motion on Wednesday.  The trustee is asking…

A US Trustee wants troubled fintech Synapse to be liquidated via Chapter 7 bankruptcy, cites ‘gross mismanagement’

U.K.-based Seraphim Space is spinning up its 13th accelerator program, with nine participating companies working on a range of tech from propulsion to in-space manufacturing and space situational awareness. The…

Seraphim’s latest space accelerator welcomes nine companies

OpenAI has reached a deal with Reddit to use the social news site’s data for training AI models. In a blog post on OpenAI’s press relations site, the company said…

OpenAI inks deal to train AI on Reddit data

X users will now be able to discover posts from new Communities that are trending directly from an Explore tab within the section.

X pushes more users to Communities

For Mark Zuckerberg’s 40th birthday, his wife got him a photoshoot. Zuckerberg gives the camera a sly smile as he sits amid a carefully crafted re-creation of his childhood bedroom.…

Mark Zuckerberg’s makeover: Midlife crisis or carefully crafted rebrand?

Strava announced a slew of features, including AI to weed out leaderboard cheats, a new ‘family’ subscription plan, dark mode and more.

Strava taps AI to weed out leaderboard cheats, unveils ‘family’ plan, dark mode and more

We all fall down sometimes. Astronauts are no exception. You need to be in peak physical condition for space travel, but bulky space suits and lower gravity levels can be…

Astronauts fall over. Robotic limbs can help them back up.

Microsoft will launch its custom Cobalt 100 chips to customers as a public preview at its Build conference next week, TechCrunch has learned. In an analyst briefing ahead of Build,…

Microsoft’s custom Cobalt chips will come to Azure next week

What a wild week for transportation news! It was a smorgasbord of news that seemed to touch every sector and theme in transportation.

Tesla keeps cutting jobs and the feds probe Waymo