Pitch Deck Teardown: MedCrypt’s $25M Series B deck

In September, the FBI warned that more than half of connected medical devices in hospitals had known critical security vulnerabilities, and these flaws are leading to a surge in attacks on the healthcare industry. As Carly Page reported, MedCrypt raised a $25 million round to help device manufacturers think security-by-design when creating the next generation of medical devices.

The company is a Y Combinator graduate that provides software for anything the U.S. Food and Drug Administration would consider a medical device where cybersecurity could be a concern, from insulin pumps and heart rate monitors to AI-based radiology tools and autonomous robots. I’m sure we can all agree that we don’t want to live in a world where people get blackmailed so hackers won’t send their critical health devices on the fritz, so let’s take a look at the story MedCrypt shared with its investors to raise its Series B.

---

We’re looking for more unique pitch decks to tear down, so if you want to submit your own, here’s how you can do that. 

---

Slides in this deck

The MedCrypt Series B deck is a tidy 12-slide deck. The company’s COO, Vidya Murthy, who shared the deck with me, said that it’s as-pitched, except that some of the customer adoption information has been redacted. Makes sense; security is sensitive business, and I imagine keeping the customer list under your hat might be a smart move. The company does claim that three of the top five device manufacturers use their products.

1. Cover slide
2. Problem slide
3. Target audience/market size slide
4. Opportunity slide
5. Mission slide
6. Product slide: Vulnerability tracking
7. Product slide: Behavior monitoring
8. Product slide: Cryptography
9. Product slide: MedISAO
10.  Team slide
11.  Summary/traction slide
12.  Closing slide

Three things to love

MedCrypt’s slide deck shows that it is a mature organization with a broad product lineup and even the beginnings of an ecosystem influence play. The deck is pretty unusual in that it is missing a fair amount of information that I’d expect to see in a deck from a company at this stage, but the narrative is clean and (mostly) easy to follow.

A surprising amount of the deck focuses on the company’s product lineup, with four of the 10 content slides dedicated to that. It makes sense to tell the story of a company through its products, but the deck itself doesn’t do a great job of that; it’s obvious that it needs a voice-over to contextualize this information.

Rallying the industry

This slide is at once very good and pretty lacking. When it first came up, I was confused about what MedISAO was and why it was on the company’s slide deck. It shows that this deck was designed with a voice-over in mind rather than being readable on its own. This slide comes after three slides that explain MedCrypt’s products and uses the same design. Perhaps that should have been the tip-off that this is also one of the company’s products, but I found it confusing at first. Why is it good that the FDA recommends ISAO memberships? What the hell even is an ISAO? (I had to Google it; it’s an information sharing and analysis organization). Why is it important that MedISAO is good for MDM? (I know, I know. I had to Google that, too: medical device manufacturer). Yay, sales pipeline, I suppose?

When I visited the MedISAO website, it finally clicked. The site’s FAQ states that “MedISAO is organized by MedCrypt, Inc., a healthcare-first cybersecurity company.”

So! We got there in the end, which isn’t really a good thing to say about a pitch deck. What is tremendously impressive, though, is that if MedCrypt is able to be the central repository for sharing security information across all medical devices, it has an opportunity to keep a finger on everything that’s going on across its entire industry. It’s a really powerful position to be in.

Of course, there’s nothing on this slide about how successful it is so far, and its website says “MedISAO does not publish a complete list of member organizations, but you can see a partial list of members on the home page.” It’s hard to gauge whether this is a mature, successful initiative that’s helping cement MedCrypt in its space or a website the company flung up over a couple of afternoons. I would have loved to see some metrics here, specifically about the value of the sales pipeline from the site and what impact it has.

A gut punch of an opportunity slide

This slide is an absolute slam dunk. It doesn’t take a lot of imagination to see how there’s an enormous market with a lot of money at stake.

One of the big questions an investor asks themselves is whether there is a market for a product or company. Regulatory shifts can be a powerful driver for adoption. For example, before GDPR legislation went into effect in May 2018, every website in Europe and every company that wanted to do business with EU countries very quickly needed to make changes. That created a booming industry for web development houses that specialized in privacy.

Well, it seems like the same is happening in the medical device industry; this slide claims that more than $1 trillion worth of devices need to get secured to be in compliance. Unlike web development, however, this is a pretty specialized industry. If you thought GDPR was wild, get a load of HIPAA. On top of that, it’s often non-trivial to update the firmware on embedded electronic devices (that’s part of the reason we are in this mess in the first place).

This slide is an absolute slam dunk: It doesn’t take a lot of imagination to see how there’s an enormous market with a lot of money at stake (and a lot of money to spend) — with a ticking clock. It’s a perfect storm, and MedCrypt has built a boat that just might be able to weather it.

Strong summary slide

Personally, I’m not a fan of READING LARGE AMOUNTS OF TEXT IN ALL CAPS; it’s shouty and reader-unfriendly. It also means that people who are adept at speed-reading aren’t able to use their speed-reading skills. That aside, this slide is a great one to end on. It includes a huge amount of really good information: It summarizes the market opportunity, products, number of customers and previous fundraises, and helps set the tone for the Q&A at the end. Another approach would have been to move the summary slide to the beginning of the deck to set the tone, but it works either way.

In the rest of this teardown, we’ll look at three things MedCrypt could have improved or done differently, along with its full pitch deck!

Three things that could be improved

What struck me was the vast amount of information MedCrypt isn’t sharing. This is a growth deck, which means that the company probably has a tremendous amount of data around its products. Not including any of that seems borderline incompetent.

Where are your metrics?

I know I included this slide above as a great example of a summary slide. And it is. The problem is that Slide 11 is the only place where MedCrypt actually includes any numbers at all and only the number of customers, at that. There’s nothing about revenue, number of devices tracked, number of attacks averted, whether customer adoption is increasing or slowing down, etc. Incidentally, the company also doesn’t cover its business model or pricing structure, which seems like quite an oversight.

The long and short of it is that I don’t really know what to make of this; perhaps MedCrypt is a storytelling-forward company that doesn’t rely heavily on metrics. The one thing to be very aware of, however, is that the vast majority of VC firms are very metrics-forward. As Peter Drucker would say: You can’t improve what you don’t measure.

It’s been a long time since I saw a pre-seed pitch deck this devoid of metrics. For a Series B round, the founders should be embarrassed not to include any of this in their deck; this is bread-and-butter, Startups 101 stuff, and as an investor, I’d be skeptical whether this is a company worth taking a closer look at.

So, er, what’s next?

Apart from slides 6-9, which capture the status quo of MedCrypt’s product, there’s nothing about the company’s vision for the future. That’s a pretty damning oversight; fundraising is all about the future, about how much money you are raising and what you’re going to do with the money. MedCrypt already has three products (four, if you include MedISAO), so it isn’t immediately obvious what’s going to happen next. Is the company going to launch three more products? Is it bolstering its existing lineup? Is it conquering new, international markets? Is it going after new customers or is the main go-to-market to expand its footprint with its existing customers? There are precisely zero words in the entire deck about what happens next. 

Good storytellers can weave the past, present and future together, so I’m just about willing to let the team off the hook. Perhaps it is using each product slide to talk about its metrics, status quo and future plans. You know what would have been a really good way of telling these stories though? Slides, with graphs and timelines and plans.

 

Sort out those acronyms, please

Throughout the deck, the slides are littered with acronyms that may be unfamiliar to the reader. I do like a good TLA, and I love brevity on slides even more, but it’s good practice to explain what a three-letter acronym (TLA) is the first time you use it for an audience that may not be 100% familiar with the language used in a particular deck.

In this deck, you may be able to get away with “API” (application programming interfaces are the bread-and-butter of the modern software world) and “FDA” — the federal drug administration should be common enough knowledge. MDM, CRM, SBOM and ISAO were all used throughout. Not making your readers work for it seems like a courtesy.

Worse, on Slide 8 of the deck, the company suddenly uses “crypto.” Ironically, that is probably a correct use of the word; “crypto” is meant to be short for cryptography. However, as someone who sees dozens of decks and oodles of tech stories every week, “crypto” has grown to be shorthand for cryptocurrencies and blockchains. Perhaps that one is a niche complaint, but the point I want to make is that the rule of thumb for good communication is to ensure that the message received is as close as it can be to the message intended. Put yourself in your audience’s shoes, and do a tiny bit of extra work to double down on clarity of communication. Even if the mistakes and misunderstandings are minuscule, they are so fantastically easy to avoid that we may as well avoid them.

The full pitch deck

---

If you want your own pitch deck teardown featured on TC+, here’s more information. Also, check out all our Pitch Deck Teardowns and other pitching advice, all collected in one handy place for you!