A consulting firm founded and run by two well known cybersecurity veterans laid off six people last week, TechCrunch has learned.

Krebs Stamos Group was founded in 2021 by former Facebook chief security officer Alex Stamos and Chris Krebs, the former director of the U.S. Cybersecurity and Infrastructure Agency, who was famously fired by tweet by then-President Donald Trump.

“In our third year of operation, we’ve seen a shift in what our clients need. As a company, it’s essential for us to adapt to these changes, and as a result we had to let six of our team members go. We are immensely grateful for their hard work and dedication, and we’re committed to supporting them as they transition to new roles,” Stamos told TechCrunch in a statement. “We’re enthusiastic about the future and continuing our mission of securing some of the world’s most significant companies.”

In April, the firm had 18 employees — including the founders — according to an archived version of its website. On Thursday, the site shows only 14 team members.

The layoffs at a relatively small consulting firm show, once again, that the cybersecurity industry is not immune to the seemingly endless string of layoffs at tech companies. On May 3, cybersecurity firm Bishop Fox laid off around 50 employees, just days after throwing a party at RSA, one of the world’s biggest cybersecurity conferences. Last year, Patreon laid off five people from its cybersecurity team.

The layoffs were a surprise to some.

“It came as a shock to everyone, I know I was shocked when I heard the news,” a former employee told TechCrunch. “I thought there was a lot of work in the pipeline.”

Last year, (ISC)², a nonprofit association for “information security leaders” predicted that cybersecurity would be spared by the wave of mass layoffs, because cybersecurity teams “will be the least affected by staff reductions, as organizations anticipate an increase in cyber threats in 2023.”

The threats continue, but so do the layoffs.

