SYN Ventures and the Specialization of Cybersecurity Venture Capital

A deep dive into SYN Ventures and the rise of specialist venture capital funds within the cybersecurity ecosystem.

The venture capital dynamics in cybersecurity are shifting, and SYN Ventures is a force among the new class of sector specialists. You may have seen the recent news: SYN announced its $300 million Fund II on May 25, 2022 — less than a year after its $200 million debut fund. Half a billion in total capital is big news, but we're on to something even bigger here.

SYN is redefining the model for venture capital firms in cybersecurity. There's a lot behind this statement. We'll spend most of the article unpacking it in detail. The TL;DR is moving far, far beyond "Let me know how I can be helpful..." to, well, actually being helpful in specific ways for cybersecurity-focused companies.

In this article, we're going to take a deep dive into both the macro-level changes in venture capital and the micro-level details of SYN's forward-thinking approach to cybersecurity investing. Topics we'll cover include:

  • Agglomerators vs. Specialists in Venture Capital: Exploring Nikhil Basu Trivedi's abstraction of venture capital models.

  • Cybersecurity Sector Specialization: A summary of venture capital specialist funds in the cybersecurity ecosystem.

  • Value Creation Cycle: The magic behind SYN Ventures — a mutually reinforcing value cycle among investors, founders, and CISOs.

  • Evolution: The evolution from Blackstone to ClearSky Security to SYN Ventures.

  • Portfolio Construction: How SYN invests and operates as a sector specialist.

  • Fund II, Specialists, and Beyond: What's next for SYN, other cybersecurity sector specialist firms, and cybersecurity startups exploring funding options.

Ultimately, the meaning behind all of this is a choice cybersecurity founders have to make about which investors to work with and who they want on their company's cap table.

There isn't one right answer. However, understanding the choices that are available and the dynamics that are in play can make a dramatic impact on the outcome of a company.

We'll start by taking a look at the macro view and narrow it down from there.

Venture Capital: Agglomerators vs. Specialists

To truly understand the genius of SYN, we need to zoom way out and look at what's happening in overall venture capital markets today. Nikhil Basu Trivedi wrote an iconic piece entitled Agglomerators vs. Specialists. The article explains the difference between the two classes of venture capital firms — exactly the starting point we need for this analysis.

The general concept behind Agglomerators vs. Specialists is based on Ben Thompson's Aggregation Theory. I recently explored this concept in the context of cybersecurity companies, but the theory is broadly applicable. For this discussion, it's safe to use the terms "Agglomerator" and "Aggregator" interchangeably.

In the context of venture capital, Nikhil Basu Trivedi defines agglomerator firms like this:

They invest at every stage, across every sector, and they are becoming larger in fund sizes and in teams. They offer many different products to both founders and limited partners (LPs) under one roof.

Venture capital firms in the "agglomerators" category function much like the aggregators in Thompson's Aggregation Theory: they have a unique level of control over both the supply of capital (from LPs) and demand for capital (from startups).

Conversely, here's how Nikhil Basu Trivedi defines specialist firms:

On the other side are the specialist firms, either by sector, or by stage, or both. They offer specialized products to founders and to LPs.

Unlike agglomerator firms, specialist firms are intentionally focused. Focus inherently means smaller fund sizes, portfolios, and investment teams. Although this could sound like an obvious disadvantage on the surface, specialist funds can use focus to their advantage and offer value to portfolio companies in ways that are hard to match at scale.

Both models have advantages and disadvantages. The right answer depends on what a company is looking for with investor involvement, capital, exit size and type, timing, and more. My objective here isn't to tell founders what to do — it's to look at what's happening on a macro level and provide a unique perspective into the inner workings of a specialist firm.

Visually, Nikhil Basu Trivedi's model looks like this:

Source: Next Big Thing, Agglomerators vs. Specialists

Firms in the top right quadrant are agglomerators. Firms in the other three quadrants are specialists of varying types, either by stage, sector, or both. The examples above are illustrative for venture capital across the entire tech sector.

Where venture capital deviates from the Aggregation Theory model is asymmetric outcomes. Capital is commoditized (a dollar from VC Firm 1 is literally worth the same as a dollar from VC Firm 2). However, the relationships, advice, judgment, and everything else that comes with capital is not. That's why asymmetric outcomes happen — the unique combination of capital, execution, and myriad other factors that result in a company's success or failure.

Agglomerators and specialists have two different approaches to the same objective: generating the best possible outcomes from their investments. As Nikhil Basu Trivedi discusses in his article, it's still too early to tell which investment model is going to win in the long term.

For us, the most interesting part is looking under the hood at how venture capital specialization works in cybersecurity and how SYN is making it happen. That's where we're headed next.

Sector Specialization: Cybersecurity Funds

Two years into the current decade, venture capital specialization is an emerging theme within the cybersecurity ecosystem. The emergence of new cybersecurity-focused firms and a total of over $2 billion in capital raised from LPs is definitive data to back this trend.

Chris Behrens, a Principal at SYN Ventures, summarized the explosion in capital raised by cybersecurity-only VC funds in 2022 alone:

Rewinding back to 2020 and 2021, two notable cybersecurity-focused firms also raised large funds:

  • NightDragon: $750 million (NightDragon Growth I, 2021)

  • ForgePoint: $450 million (Forgepoint Cybersecurity Fund II, 2020)

That's another $1.2 billion on top of the fresh $1.5 billion in capital raised in 2022. In combination, the total is at least $2.7 billion.

Remember, I'm being super stingy about this calculation. The firms behind the math are strictly cybersecurity-focused firms. When broadened to firms that invest in cybersecurity and other industries, the total number is obviously much larger.

My purist stance is to illustrate a point: the new generation of sector specialists in cybersecurity has raised a lot more capital than most people realize. This is a meaningful milestone because it legitimizes the movement towards specialization in cybersecurity venture capital.

This is where things get even more interesting. Now that we've established specialist funds are a legitimate force in cybersecurity, it's time to go deeper on how one of the best funds operates. Welcome to SYN Ventures.

Value Creation Cycle: Founders, CISOs, and Leadership Team

To understand the genius of SYN, we first need to look at the value creation cycle the founding partners have spent over 20 years creating. The model transcends any particular fund or investment that SYN does. It's one of the enduring ingredients to the success of the firm — and more importantly — the founders they work with.

Jay Leek and Patrick Heim are both former CISOs at companies ranging from Fortune 9 (McKesson), to Blackstone (managing $170b AUM when Jay joined in 2012), to tech companies and startups (Salesforce and Dropbox). On top of their world-class practitioner credentials, they're equally accomplished investors at Blackstone, ClearSky Security, and now SYN Ventures.

Without question, the founding partners bring a unique combination of skills, experience, and relationships to the firm. What matters more, though, is how they put all of this to use. SYN's polymathic cybersecurity investor-practitioner specialization allows them to bring cybersecurity leaders into the picture as true equals in the value creation cycle.

The standard model in venture capital is a bi-directional relationship between investors and founders. Expanding the circle and creating value for cybersecurity leaders, a critical stakeholder in the overall equation, makes a massive difference for everyone involved. A truly balanced system of value creation across three stakeholders is nearly impossible to create, and certainly not something that can be done overnight.

Let's unpack SYN's value creation model in detail and explain all of the moving parts. The value for each of the three stakeholders deserves further explanation. We'll start with CISOs — the linchpin of SYN Ventures.

CISOs

CISOs want to work with the SYN Ventures team and portfolio companies because of peer connections and access to innovation. SYN has built a powerful network effect that's still underrated by many people today.

SYN's network exists because CISOs want to collaborate with other CISOs. That may seem obvious, but it's only possible under a unique set of circumstances. Plenty of people want to create a network of the top CISOs in the world. Few people have the trust and permission to do it. SYN Ventures is one of the rare places that does.

The core of SYN's network is a CISO board of advisors. Members of the board aren't publicly disclosed, but it's an eclectic mix of leaders that range from large enterprises to high-growth tech companies.

The mix is important because it helps peer CISOs openly share experiences and learn from each other about what's being done in companies at varying levels of maturity and scale. SYN's focus on quality over quantity also matters. The objective is to have a small group of CISOs that is deeply engaged instead of a large group with lower engagement and less camaraderie.

The board of advisors gets together in person 2-4 times per year alongside SYN portfolio companies and curated speakers to talk on a loose agenda, build relationships, and understand each other's challenges. Participation in the advisory board is a way for CISOs to see what's happening in the most cutting edge environments.

The idea of access to innovation may seem nebulous, but it's highly functional in practice. For a CISO, the hard part about finding innovative new companies to work with isn't discovery — it's filtering. CISOs get bombarded by companies all the time. How do they separate the signal from the noise and narrow down who they should pay attention to? That's where the SYN Ventures team steps in.

Direct access to venture partners who are also CISO practitioners is a clear benefit. Having a trusted advisor who understands both sides of the table just an email or phone call away is very nice to have amid a CISO's daily chaos.

The collaboration goes deeper, though. The SYN team methodically keeps a pulse on the priorities and challenges for each CISO in their network. The relationship isn't just a one-way broadcast of portfolio companies to every CISO in the network. It's a nuanced and highly tailored matching process.

That's how the magic of filtering works. The SYN team can sit in between CISOs and companies, understand the needs and benefits of both, and make introductions when a clear benefit exists for everyone involved. Instead of directly talking with hundreds of companies per year, they get a curated list via the unique lens SYN has of the entire ecosystem.

Being part of a network that's carefully managed and maintained by the SYN Ventures team is incredibly valuable for CISOs. The value speaks for itself — connections and access to innovation make participation a clear win.

Founders

Founders want to work with SYN because of the value their CISO network and practitioner experience brings. At a macro level, venture capital firms can typically help founders with three things:

  • Capital: Making direct investments in the current round and recruiting follow-on investors for later rounds.

  • Recruiting: Helping companies hire engineers, sales teams, leaders, and more.

  • Customers: Generating leads, finding early customers, and increasing ARR more quickly than a company could do on its own.

Providing capital is essentially table stakes. SYN has plenty of that already. The value the SYN team focuses on is helping portfolio companies find more customers.

The results of SYN's customer focus are phenomenal. According to Jay Leek, SYN typically represents a material portion of new ARR in the first 12 to 24 months after they invest in a company. That's...a lot of revenue gain for early stage companies during a critical period of growth.

Why and how this revenue growth happens is important. Most security products are sold through top-down, CISO-led sales. As a result, sales are large with a high annual contract value (ACV).

I have previously written about the emerging model of bottom-up, product-led growth in cybersecurity companies (HashiCorp, in this example). While a bottom-up growth model is possible, it's also a nascent and emerging sales model that's incredibly difficult and time-consuming to pull off.

If a company doesn't already have an intentional bottom-up growth strategy with the groundwork and traction to make it possible, the only other option for growth is the traditional top-down model. That's totally fine — most security software gets sold this way. It's also the reason having SYN on the cap table makes a ton of sense.

The "how" part of SYN's customer focus happens in a couple of different ways. Direct introductions to CISOs are the obvious one. That's where the value of having a strong and healthy CISO network makes a huuuuuuuge difference. A warm introduction that directly addresses known challenges a CISO is having makes for a much easier sale.

The less obvious (but equally valuable) contribution is the SYN team putting their CISO-practitioner hats back on. They use their experience to help companies understand customer problems, align messaging and value propositions, and get more deals done.

As a founder, having people with extensive CISO experience on your side is hugely valuable for understanding what customers want, prioritizing features, crafting marketing messages, making sales, and more.

Leadership Team

If all goes well, the value SYN's team creates for CISOs and founders comes back around to its partners and LPs in the form of returns. That's the thesis SYN and ClearSky Security were built on, and it's proving out nicely so far.

The three-way value creation model helps a lot when making investment decisions. Growing a large CISO network and keeping a pulse on their objectives helps the investment team at SYN know what's relevant and top of mind for CISOs. When an investment opportunity aligns directly with a CISO priority they've heard first-hand, the decision to invest (and the probability of a successful return) becomes a lot more clear.

Operational experience as CISO practitioners also makes a huge difference. As CISOs, Jay and Patrick have deployed half a billion dollars in security technologies. When you've lived the pain of running a security organization and implementing products, your judgment about when a product is useful or not becomes quite discerning. It also helps founders of the companies they invest in to avoid the perils and pitfalls you can only learn by doing.

SYN's executive team, venture partners, and investment team are equally impressive. The benefit of having two CISO practitioners as founding partners is that other experienced practitioners want to work with them. SYN's leadership team is packed full of iconic cybersecurity executives, a few of whom include:

  • Art Coviello, Former Executive Chairman and CEO at RSA, Board Member at Synchrony Financial (NYSE: SYF), Tenable (NASDAQ: TENB), Mandiant (NASDAQ: MNDT), Cybereason

  • Ryan Permeh, Co-Founder and former Chief Scientist at Cylance, former Chief Scientist at McAfee

  • Dan Burns, Co-founder and former CEO at Optiv

  • John Watters, President and COO at Mandiant

  • Pradeep Aswani, Entrepreneur and investor with multiple exits (Cloud Harmonics, Securematics, VPN Dynamics, HPN, OneSecure)

  • Adrian Peters, CISO at Vista Equity Partners

Another unexpected outcome of having operational expertise, a world-class senior leadership team, and a network of CISOs is that other venture capital firms want to include SYN in their cybersecurity company investment rounds. Including SYN is a no-brainer when they bring so much more than just capital.

Lastly, the SYN team is clearly committed to the model they've spent decades creating. When talking with Jay Leek, the commitment was obvious. I heard "we're in this for the long-term" several times throughout the discussion.

Why do they have this level of commitment and conviction? The founders and operating partners are all security people to the core. Security isn't some adopted industry they're investing in alongside other sectors. Security is part of who they are — something they've built their careers around. They reached the highest possible levels as practitioners. I'd bet they will reach the highest possible levels as investors, too.

Now that we've covered the inner workings of SYN's value creation cycle and stakeholders, let's take a deeper dive into how the model has evolved over time.

Evolution: Blackstone, ClearSky Security, and SYN Ventures

The evolution of what we're seeing today with SYN Ventures is an important part of the overall story. If you look at SYN in isolation without connecting a few dots, you might brush it off as a brand new fund still figuring things out. That would be a mistake.

SYN Ventures itself is just under two years old, but its roots are much, much deeper. Don't think of SYN as the new venture capital firm on the block — think of it as the best iteration yet of a model that's already been working for years.

Jay Leek has been investing in cybersecurity companies since 2012, starting during his time at Blackstone. He met Patrick in 2014 while leading an investment round in Cylance (Patrick was the lead independent director on the board). They started investing together when ClearSky Security was founded in early 2017. The path from Blackstone to ClearSky Security led to their current iteration with SYN Ventures.

Connecting the dots along this path is important, both qualitatively and quantitatively. Qualitatively, ClearSky Security was the first and only fund with two former Fortune 500 CISOs as full-time venture partners. This was still the case when SYN Ventures Fund I was raised in 2021. As of Fund II, SYN is still the only CISO-founded venture capital fund. Other venture capital funds have added former Fortune 500 CISOs to their venture teams, but SYN remains the only fund with two.

Quantitatively, things get even more interesting when we add PitchBook data into the mix. Together, ClearSky Security and SYN Ventures are the most active investors (by total number of investments) in cybersecurity over the past five years.

They have made a combined total of 46 investments in cybersecurity companies, including 17 from SYN Ventures Fund I. That's more cybersecurity investments than any other venture capital firm, including the largest agglomerator firms with billions in capital.

Investments are great, but exits are what matters. According to PitchBook, ClearSky Security's cybersecurity portfolio has had 17 exits in the past five years. A few of the exits include Mandiant (Google), Cylance (BlackBerry), Accurics (Tenable), CloudKnox (Microsoft), and Preempt (CrowdStrike).

An important caveat: I didn't include Blackstone data in the count of exits. Broadly speaking, adding the data would put the SYN team close to the top among all venture capital firms for number of cybersecurity exits during this time.

When measuring the success of an investor, these are really, really important data points. The data amounts to this: the founders of SYN Ventures are the most active investors by volume and have among the highest number of exits.

We're still early in the story of cybersecurity sector specialist firms. However, we're far enough along to start seeing a few indications of results. There aren't many firms that have as strong a record as SYN on both sides of the investment and exit equation.

How does the SYN team create such successful results? Next, we'll look further into how they construct their portfolio and choose companies to invest in.

Portfolio Construction: The Top Two Percent

Let's get straight to the punch line: SYN gets to invest in the top cybersecurity startups in the world. That's the opportunity they have as a group of long-time practitioners and investors with an extensive network within cybersecurity. They see a lot of companies and have the judgment and experience to know how to selectively pick the best ones.

Putting data behind this selectivity, SYN invests in less than 2% of the companies they meet. As with all venture capital firms, a lot of factors play into the overall investment rate — things like timing, valuation, co-investors, and more always play a role in investment decisions.

On top of that, though, the team's expertise as cybersecurity practitioners plays a major role. When you're looking at an investment decision through the lens of a senior cybersecurity leader, the pitches just sound different. Things like the problem being solved, value, differentiators, tech, team, and more are a lot more relatable when they're based on direct experience. It's what allows the non-obvious winners to get identified.

This discerning level of judgment is also a huge advantage for founders who work with SYN: if they choose to invest in a company, you know they believe in what you're doing and are going to do everything they can to help your company win.

The tangible result of SYN's approach to portfolio construction is an excellent set of portfolio companies. As expected, a majority of companies in the portfolio from Fund I are seed and Series A companies. A few early stage examples include Halcyon, Revelstoke, and Sevco Security. SYN's portfolio also includes Transmit Security, a company I covered while discussing cybersecurity's IPO pipeline.

Bigger picture, the benefit of sector specialization is focus. I've spent a lot of time explaining how huge the cybersecurity ecosystem truly is. However, the day-to-day deal flow for new cybersecurity investment opportunities is surprisingly manageable.

According to PitchBook data, there have been 1,912 total investments in cybersecurity companies across all stages in the past five years. That's an average of 380 deals per year during this period. Total investments vary by year, with an uptick in recent years. 2021 alone had 942 investments.

That's not to say specializing in cybersecurity investments is easy, but it's possible. A high level of fluency in cybersecurity like the team at SYN has makes it much more possible. They can cover a ton of ground as a relatively small firm because they're focused.

In addition to being sector-focused, most of their investments are typically in Series A rounds (with an occasional seed round or Series B). Specializing in early stage capital is another layer of filtering that keeps their target set of companies focused.

There are plenty of great companies, founders, and qualified investment opportunities in cybersecurity alone. The challenges we face as an industry aren't getting any easier. We need to keep innovating and keep building new and better solutions to the problems we face. Expect SYN Ventures to be leading the way.

Future: SYN Ventures Fund II, Specialists, and Beyond

The future for SYN Ventures is deceptively simple: keep doing what's working. I say "deceptively simple" because it's super complex to build the highly specialized firm you see today — as we've just methodically explored.

Even with $300 million in new capital for SYN Ventures Fund II, the plan is to continue executing the same value creation model and approach to portfolio construction. The team expects to continue investing in less than 2% of the companies they meet — a healthy number that has been consistent for the entire evolution of their investments.

I expect Fund II is where we will start seeing SYN's three-way value creation cycle start to pay off. The current iteration of the model is just over a year old, even though many of the underlying relationships span a much longer period. The additional level of intention and detail about the process should make a huge difference with both investment decisions and the acceleration of growth SYN can bring to companies they invest in.

Bigger picture, challenging periods like the current economic environment are going to put the agglomerator and specialist models to the test. SYN Ventures is a fascinating case study for the future of venture capital, both within cybersecurity and tech in general. We're approaching a crux with the model for venture capital:

  • Will large agglomerator funds become the norm?

  • Is focused sector and/or stage specialization a better model?

  • Can both models productively co-exist?

In bull markets, it's hard to tell who the real winners are. A lot of companies and their investors look good when cybersecurity M&A volume and deal size are at record levels (according to Momentum Cyber, 2021 saw a record of 286 transactions for $77.5 billion in aggregate disclosed value, including 14 deals valued over $1 billion).

In the near-term, I expect large agglomerator funds could be impacted more by economic challenges than specialist funds, especially in cybersecurity. Why? Agglomerator funds rely on large exits to generate returns because of their size. Many of the largest returns happen when portfolio companies IPO.

Unfortunately, cybersecurity is facing a dilemma with current market conditions colliding with a previously healthy IPO pipeline. We're a victim of our own success — a lot of great cybersecurity companies have been built in the past decade. Now was supposed to be the time for a sustained run of IPOs and large strategic exits. Instead, we're in a holding pattern of uncertainty.

This uncertainty works against agglomerator funds more than it does against specialist funds. Based on Momentum Cyber research, 54.2% of security companies sold for less than 100 million, and only 24.2% sold for more than 300 million in the past five years. In general, exits of that frequency and size are more aligned with the focus and expected returns of specialist funds.

All of this feels like a roller coaster at times — both entertaining and gut-wrenching. We'll get through it over time. I expect the most consistent, focused, and capable companies and investors will be in the best position on the other side. SYN Ventures is exactly that, and they're playing the long game. It's an exciting story to follow as Fund II and beyond unfold.


Thank you to Jay Leek, Patrick Heim, and Chris Behrens for giving me an inside tour of SYN Ventures and reviewing drafts of this article.
