With cybercrime on course to be a $6 trillion problem this year, organizations are throwing ever more resources at the issue to avoid being a target. Now, a startup that’s built a platform to help them stress-test the investments that they have made into their security IT is announcing some funding on the back of strong demand from the market for its tools.
Cymulate, which lets organizations and their partners run machine-based attack simulations on their networks to determine vulnerabilities and then automatically receive guidance around how to fix what is not working well enough, has picked up $45 million, funding that the startup — co-headquartered in Israel and New York — will be using to continue investing in its platform and to ramp up its operations after doubling its revenues last year on the back of a customer list that now numbers 300 large enterprises and mid-market companies, including the Euronext stock exchange network as well as service providers such as NTT and Telit.
London-based One Peak Partners is leading this Series C, with previous investors Susquehanna Growth Equity (SGE), Vertex Ventures Israel, Vertex Growth and Dell Technologies Capital also participating.
According to Eyal Wachsman, the CEO and co-founder, Cymulate’s technology has been built not just to improve an organization’s security, but an automated, machine learning-based system to better understand how to get the most out of the security investments that have already been made.
“Our vision is to be the largest cybersecurity ‘consulting firm’ without consultants,” he joked.
The valuation is not being disclosed, but as some measure of what is going on, David Klein, managing partner at One Peak, said in an interview that he expects Cymulate to hit a $1 billion valuation within two years at the rate it’s growing and bringing in revenue right now. The startup has now raised $71 million, so it’s likely the valuation is in the mid-hundreds of millions. (We’ll continue trying to get a better number to have a more specific data point here.)
Cymulate — pronounced “sigh-mulate”, like the “cy” in “cyber” and a pun of “simulate”) is cloud-based but works across both cloud and on-premises environments and the idea is that it complements work done by (human) security teams both inside and outside of an organization, as well as the security IT investments (in terms of software or hardware) that they have already made.
“We do not replace — we bring back the power of the expert by validating security controls and checking whether everything is working correctly to optimize a company’s security posture,” Wachsman said. “Most of the time, we find our customers are using only 20% of the capabilities that they have. The main idea is that we have become a standard.”
The company’s tools are based in part on the MITRE ATT&CK framework, a knowledge base of threats, tactics and techniques used by a number of other cybersecurity services, including a number of others building continuous validation services that compete with Cymulate. These include the likes of FireEye, Palo Alto Networks, Randori, Khosla-backed AttackIQ and many more.
Although Cymulate is optimized to help customers better use the security tools they already have, it is not meant to replace other security apps, Wachsman noted, even if the by-product might become buying fewer of those apps in the future.
“I believe my message every day when talking with security experts is to stop buying more security products,” he said in an interview. “They won’t help defend you from the next attack. You can use what you’ve already purchased as long as you configure it well.”
In his words, Cymulate acts as a “black box” on the network, where it integrates with security and other software (it can also work without integrating, but integrations allow for a deeper analysis). After running its simulations, it produces a map of the network and its threat profile, an executive summary of the situation that can be presented to management and a more technical rundown, which includes recommendations for mitigations and remediations.
Alongside validating and optimising existing security apps and identifying vulnerabilities in the network, Cymulate also has built special tools to fit different kinds of use cases that are particularly relevant to how businesses operate today. They include evaluating remote working deployments, the state of a network following an M&A process, the security landscape of an organization that links up with third parties in supply chain arrangements, how well an organization’s security architecture is meeting (or potentially conflicting) with privacy and other kinds of regulatory compliance requirements, and it has built a “purple team” deployment, where in cases where security teams do not have the resources for running separate “red teams” to stress test something, blue teams at the organization can use Cymulate to build a machine learning-based “team” to do this.
The fact that Cymulate has built the infrastructure to run all of these processes speaks to a lot of potential of what more it could build, especially as our threat landscape and how we do business both continue to evolve. Even as it is, though, the opportunity today is a massive one, with Gartner estimating that some $170 billion will be spent on information security by enterprises in 2022. That’s one reason why investors are here, too.
“The increasing pace of global cyber security attacks has resulted in a crisis of trust in the security posture of enterprises and a realization that security testing needs to be continuous as opposed to periodic, particularly in the context of an ever-changing IT infrastructure and rapidly evolving threats. Companies understand that implementing security solutions is not enough to guarantee protection against cyber threats and need to regain control,” said Klein, in a statement. “We expect Cymulate to grow very fast,” he told me more directly.