We’re quick to celebrate the extraordinary victories of Israel’s multiplying cybersecurity unicorns, but every success story must start somewhere. The early days of any young startup decide how successful it can be, which is why we’ve developed a focused, value-add program to support cybersecurity founders during this most critical stage and maximize their potential in building market-leading companies.
However, the early stages of cybersecurity company-building are often shrouded in mystery, only coming into the light for fundraising and feature announcements. This leaves many entrepreneurs we speak with asking what exactly cybersecurity companies are achieving behind the curtain to earn these huge victories.
Though every company’s journey is unique, we can tease out trends and patterns to establish performance benchmarks for the cybersecurity ecosystem as a whole. To most entrepreneurs, however, the sensitive data required to understand the early success of a company is often unavailable or obscured. Moreover, the industry has yet to formally define proxies for growth and momentum beyond fundraising — leaving cybersecurity founders aiming for landmarks without guideposts.
Entrepreneurs require guideposts to aspire to when building large companies, and critical customer and revenue expectations can be best established by looking at what already successful cybersecurity companies have accomplished. Such metrics have been previously established for wider areas of technology, such as SaaS.
Leveraging our experience and resources, we collect this knowledge to keep our founders informed with the most up-to-date cybersecurity-specific metrics for long-term and large-scale growth. We hope that sharing these unique insights into early-stage cybersecurity companies — based on our own portfolio companies’ average performance — will help entrepreneurs in the wider Israeli ecosystem more confidently build their budgets and roadmaps with industry evidence.
Image Credits: YL Ventures
What should revenue look like over the first few years?
Though today’s investors are growing more aggressive, $500,000 in annual recurring revenue (ARR) is a traditional baseline requirement for a successful Series A from strong investors, and hitting that mark quickly should remain every entrepreneur’s goal. Hitting this target indicates product-market fit and customer willingness to commit to your solution.
When it comes to contracts, timing can provide important insight into the quality and performance of the sales pipeline. On average, successful companies will have closed their first paying customers in the U.S. within 12 months of their seed round.
Discounting variances in pricing, the best companies we’ve seen are able to reach the $500,000 benchmark in less than 18 months. From there, top-performing companies can expect to gain momentum and reach $1 million in ARR in 18 to 24 months. Such momentum is contingent on a number of factors for Israeli cybersecurity entrepreneurs, but growth is mainly reliant on how well founders connect with relevant customers outside the Israeli market.
Serial entrepreneurs with a prior foot in the door tend to have an advantage on this front. However, well-connected, value-add investors can help entrepreneurs achieve this milestone by opening their global networks and making meaningful introductions. YL Ventures has developed a Venture Advisory Board of over 100 cybersecurity luminaries and executives of Fortune 500 companies, a wellspring of industry advice and insight that gives our founders access to the decision-makers themselves.
What should an average contract look like?
Average contract value (ACV) is top of mind for many cybersecurity founders at the beginning of their journeys. Many often ask for this data to set their pricing and help navigate contract negotiations with new customers.
While ACV is certainly interesting to review internally, it serves as an otherwise misleading point of comparison. Cybersecurity goods and services, not to mention their business models, sales motions and customer profiles, are far too divergent to compare across the cybersecurity industry. Moreover, this revenue-focused approach overlooks potentially meaningful relationships with non-paying customers, such as design partners, as well as when paying contracts are actually established.
While accounting for variance in product and pricing models, most top-performing cybersecurity companies should be able to charge in the mid-five-figure range after approximately 18 months and approach six figures in ACV by the two-year mark. As they mature, growth-oriented companies develop additional features and improve their ability to secure large enterprise customers and increase their bargaining power. Therefore, despite these divergences, we can still expect these improvements to increase ACV over time.
Many entrepreneurs, especially in the early stages of securing paying customers, may feel out of their depth when building contracts and negotiating. Every business relationship is unique, and even serial entrepreneurs with prior experience can feel extraordinary pressure when nurturing them. It’s especially important for founders to consult with experienced and trustworthy sources to ensure that they are on the right track. Value-add investors can offer this through round-the-clock access to business development and industry experts.
When should customers start paying?
When it comes to contracts, timing can provide important insight into the quality and performance of the sales pipeline. On average, successful companies will have closed their first paying customers in the U.S. within 12 months of their seed round. The best companies achieve this even faster.
Nonetheless, as a rule of thumb, companies should aim to secure at least one paying customer one full year from initial funding. Following that, growth-oriented entrepreneurs should think bigger and aim for logos in the double digits. Based on our experience, companies should aim to have at least 10 paying customers around the 18-month mark.
We should add the caveat that cybersecurity companies operating in traditional and heavily regulated sectors such as banking and healthcare ought not feel discouraged by their number of contracts. Traction works differently in these sectors, where customers are often bigger and resistant to change. In such circumstances, our business development team tends to advise founders to pay more attention to the size of accounts instead.
When is the right time to hire key executives?
Whether you start with marketing or sales leaders, your first go-to-market (GTM) executive hires may be the most important people in determining the success or failure of your company after your co-founders. This is why we emphasize the strategic importance of hiring one early and having a plan to build a team. This hire is critical for establishing product-market fit, generating early customers and logos, and, ultimately, the ARR necessary to grow into a large company.
Moreover, the skill-intensive processes involved require time, focus and energy, often at the expense of other core founder responsibilities. On average, successful founders tend to typically make their first GTM executive hire within the first year of securing seed funding.
We also emphasize the importance of key product and customer success executive hires. Many successful teams feature a product leader as one of the co-founders, which can provide a tremendous jumpstart. However, this is hardly the only pathway to success, and we’ve seen other high-performing companies secure this hire within 15 months.
Customer success roles often come later, around the time a company has secured double-digit paying customers. The current average is around two years, but even the most successful companies may regret not building managed customer success teams earlier to promote faster growth and avoid churn.
Have you hired enough people?
Full-time employee metrics provide truly fascinating insight into the soul of a company. Critically, it can tell us if founders will have recruited more than just their personal circle. The cybersecurity community is famously tightknit, and securing at least a handful of employees by launch is expected for just about any cybersecurity company. Successful companies tend to reach 25 full-time employees by the 18-month mark and double that around the two-year mark.
In closing
The rush of business-building requires founders to pause and admire their achievements. For those leading such a taxing process, these benchmarks provide critical opportunities for celebration and orientation. After over 10 years of researching industry performance for our portfolio founders and measuring their progress, we’re thrilled to share a compilation of our findings for the wider community.
These blueprints are essential for helping us partner with founders to help them secure market leadership and grow large companies. Our team has seen firsthand how practical guidance and support, including guideposts like these, help visionaries remain focused, confident and achieve their goals faster. We hope this does the same for you, too. It’s never too early to think big, and, with the right support, launch the next industry titan.