Y Combinator showcased a fresh batch of cybersecurity, privacy, and trust companies as part of its Summer 2022 Demo Day on September 8-9. Just like we've done for the previous two batches since Strategy of Security has been around, we'll take a deeper look at every company in this batch with a connection to the cybersecurity ecosystem.
The Summer 2022 batch was intentionally smaller than Y Combinator's recent batches. This is no surprise — YC warned everyone batch sizes were being reduced by 40% back in August. The surprise was this: the Summer 2022 batch still included 13 companies in cybersecurity, privacy, or trust. That's consistent with the Winter 2022 batch, which included 12 companies.
Companies in the Summer 2022 batch that are in (or around) the domains of cybersecurity, privacy, and trust include:
- AccessOwl: Provisioning and management of access to SaaS applications for a company's workforce.
- Allero: Code scanning in CI/CD pipelines to perform security, code quality, and compliance checks before deployment.
- AiPrise: Integration and orchestration of identity verification and Know Your Customer (KYC) checks across multiple providers.
- Ballerine: An identity and risk management platform that allows companies to automate workflows for customer onboarding, transaction monitoring, credit underwriting, and more.
- Chainsight: An API for Web3 background checks.
- Conversion Pattern: Tracking for user analytics and measurement of ad spend without cookies.
- Derisk: Cryptographic key custody software that secures cryptocurrency assets for businesses.
- Notebook Labs: Decentralized, anonymous, and verifiable identity for Web3.
- Oneleet: Pentesting services delivered through a combination of AI and human expertise.
- Openline: An open source customer data and orchestration platform.
- Overwatch: Detection and management of business risks that could impact an enterprise company's operations, supply chain, or reputation.
- Slauth.io: A platform that secures access to cloud infrastructure.
- TrueBiz: Background checks for businesses.
Admittedly, 13 companies is a bit of a stretch. Eight of these companies operate at the intersection of cybersecurity and adjacent domains (fraud and risk, for example).
Hybrid cybersecurity companies are big these days — look no further than Cloudflare or the host of cybersecurity startups building on Snowflake. Hybrid companies absolutely should not be dismissed because they aren't "pure" cybersecurity companies. So, we'll include the hybrid companies here.
On to the analysis of the 13 cybersecurity, privacy, and trust companies in YC's Summer 2022 batch.
AccessOwl
What does the company do?
AccessOwl orchestrates provisioning and management of access to SaaS applications for a company's workforce. The product's interface is Slack-first, which allows people to request and approve access directly within Slack.
Where do they fit into the cybersecurity ecosystem?
Provisioning, deprovisioning, and management of access are clearly features of an Identity Governance and Administration (IGA) platform. AccessOwl is focused on SaaS applications, a narrow but important slice of the market.
What are their challenges?
The IGA market is incredibly competitive, both among incumbents and earlier stage startups. SailPoint, ForgeRock, and Oracle are all market leaders with growing businesses. SailPoint received a Thoma Bravo-powered jolt of energy earlier this year.
Financing and M&A activity in IGA has been one of the busiest segments in the cybersecurity ecosystem. BalkanID, Clear Skye, Frontegg, Opal, Pathlock, and Zilla have all raised large rounds in 2022.
Why could this be a big company?
IGA is a wide open market right now. The value of IGA products to mid-sized companies through enterprises has been clearly established — to a point where SailPoint was worth $6.9 billion to Thoma Bravo. Any product that stands out and gains traction in this market has the potential to be a big company.
Allero
What does the company do?
Allero scans code in CI/CD pipelines to perform security, code quality, and compliance checks before deployment. It's a CLI-based tool for use by developers.
The company's value proposition is to "ensure only compliant code makes it to production." It's counter-intuitive to think that preventing software from reaching production is valuable, but that's definitely the case here.
Where do they fit into the cybersecurity ecosystem?
Allero fits broadly into Application Security. I would argue it also intersects with Governance, Risk, and Compliance (GRC).
The product focuses on the quality and adherence of code to standards — not the code-level vulnerabilities tools like Snyk are after. Allero is somewhat of a meta-layer: it can be configured to check if Snyk security scans are part of the CI/CD pipeline.
What are their challenges?
Inertia and apathy are probably bigger challenges for Allero than any competitive product. Organizations are still embracing the idea of developer-friendly application security. Unfortunately, it's going to take more time for this to catch on.
This is a challenge with long-term upside — it's going to happen eventually. I'd even call it existential: the least capable development shops will have to either get with the program or go out of business. Nobody knows how long it will take for the revolution to happen, but it will.
Why could this be a big company?
Many developers and engineering leaders are hard-wired to ship code fast. This often means shortcutting or bypassing security, code quality, or compliance. It's unlikely for code to be rolled back once it's deployed, which is a recipe for disaster if non-compliant code keeps finding its way into production.
Allero is a neutral, automated voice of reason: its job is to stop bad things from happening. Expectations are codified into Allero's configuration — the rules are the rules. That's a big deal because no human judgment is involved, and the rules are automatically and consistently enforced.
Everything Allero does addresses huge and recent problems in cybersecurity, including many of the trends and topics I discussed in What Developers Need to Know About the Strategy of Security. Protecting the CI/CD pipeline and the code that flows through it has to get better, and Allero could be one of the companies leading the way.
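To make the "meta-layer" idea concrete, here is an added example of a pipeline policy check in the spirit of "the rules are the rules." It is not Allero's code or configuration format; the rule shape, the GitHub-Actions-like pipeline dictionaries, and the assumption that steps execute in the order they are listed are all constructed for illustration. Rather than looking for vulnerabilities in the application, it checks whether the pipeline itself contains a required scan step (here, a Snyk invocation) and whether that step runs before the deploy step.

```python
"""Pipeline policy check: constructed illustration, not Allero's implementation.

Assumption: the pipeline is a GitHub-Actions-like dict and steps run in the
order they appear when jobs and steps are read top to bottom.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    step_pattern: str                 # regex matched against each step's "run" or "uses"
    before_step: Optional[str] = None  # regex of a gate step the match must precede


# Constructed rules, modelled on "a Snyk scan must be present and run before deploy".
RULES = [
    Rule("dependency-scan", r"\bsnyk\b", before_step=r"\bdeploy\b"),
    Rule("unit-tests", r"\b(pytest|npm test)\b"),
]


def _steps(pipeline: dict) -> List[Tuple[str, str]]:
    """Flatten jobs into (job name, command) pairs, preserving listed order."""
    out = []
    for job, body in pipeline.get("jobs", {}).items():
        for step in body.get("steps", []):
            out.append((job, step.get("run") or step.get("uses") or ""))
    return out


def evaluate(pipeline: dict, rules: List[Rule] = RULES) -> List[str]:
    """Return violation messages; an empty list means the pipeline is compliant."""
    steps = _steps(pipeline)
    violations = []
    for rule in rules:
        matches = [i for i, (_, cmd) in enumerate(steps) if re.search(rule.step_pattern, cmd)]
        if not matches:
            violations.append(f"{rule.name}: no step matches /{rule.step_pattern}/")
            continue
        if rule.before_step:
            gates = [i for i, (_, cmd) in enumerate(steps) if re.search(rule.before_step, cmd)]
            # The required step must occur before the first gate step.
            if gates and min(gates) < min(matches):
                violations.append(
                    f"{rule.name}: first match at step {min(matches)} runs after "
                    f"gate /{rule.before_step}/ at step {min(gates)}")
    return violations


# Constructed sample pipelines.
COMPLIANT: Dict = {"jobs": {
    "build": {"steps": [{"run": "npm ci"}, {"run": "npm test"}, {"run": "snyk test"}]},
    "release": {"steps": [{"run": "./deploy.sh"}]},
}}
NONCOMPLIANT: Dict = {"jobs": {
    "build": {"steps": [{"run": "npm ci"}, {"run": "./deploy.sh"}, {"run": "snyk test"}]},
}}

if __name__ == "__main__":
    for label, p in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(label, evaluate(p) or "OK")
```

The second pipeline fails twice: the scan exists but runs after the deploy step, and no test step is present at all. A real enforcement point would run this in a required check so the deploy job cannot proceed when the list is non-empty.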
AiPrise
What does the company do?
AiPrise integrates and orchestrates identity verification and Know Your Customer (KYC) checks across multiple providers.
The "integration and orchestration" part is an important distinction — it doesn't do the verifications. There are plenty of good products that do this already. AiPrise's problem space is how to manage the identity verification providers — an adjacent but tricky challenge.
Where do they fit into the cybersecurity ecosystem?
AiPrise generally fits into Identity Proofing, with the nuance I pointed out earlier about managing but not doing the validation.
What are their challenges?
Managing multiple identity verification and KYC providers is somewhat of a niche. The pain is most commonly felt by fintech companies. Many investors would question if the problem space and market is big enough to become a large company.
Niche markets and specific problems like this are YC's bread and butter, though. What seems like an obscure problem is often bigger than people expect. Solving a niche problem well also unlocks adjacent opportunities in broader domains (Fraud and Transaction Security, in this case).
Why could this be a big company?
Having a meta-layer to manage the identity verification mess is incredibly valuable for companies operating in multiple geographies. Nobody wants to integrate and maintain multiple identity verification platforms. With AiPrise, you don't have to.
Companies like Segment have proven the value and potential scale of integration and orchestration products. AiPrise could follow in similar footsteps. Segment proved orchestration for customer data and analytics was a deceptively large problem, and AiPrise could do the same for identity verifications.
Ballerine
What does the company do?
Ballerine is an identity and risk management platform that allows companies to automate workflows for customer onboarding, transaction monitoring, credit underwriting, and more.
This is one of the hybrid companies I referred to in the article's intro. The product has clear elements of cybersecurity, but it also extends well into financial services.
Where do they fit into the cybersecurity ecosystem?
A product like Ballerine spans multiple categories of the cybersecurity ecosystem, including Customer Identity (CIAM) and Fraud and Risk.
What are their challenges?
Larger financial institutions are the potential customers who feel problems with customer onboarding, transaction monitoring, and fraud acutely. Unfortunately, they're often the slowest to adopt new technology to help solve the problem. They've been forced to build their own solutions, and the result is usually a legacy technology stack that's ready to fall apart from the slightest change.
Modernization and (gasp) digital transformation are coming, though. The problems Ballerine solves are part of financial services companies' core operations, which puts new technologies higher up on the priority list when modernization finally comes around.
Why could this be a big company?
Thankfully, Ballerine can capitalize on the revolution in fintech and neobanks while it waits for larger institutions to come around. There are plenty of companies building their identity and fraud stacks from the ground up. It makes a lot more sense for them to work with a company like Ballerine than build the stack on their own.
An open and extensible platform like Ballerine might also be the antidote to skepticism from larger financial institutions. The best retort to "...but we're special" scenarios from enterprises is to let them build whatever they need on their own. Ballerine makes that possible.
In the adjacent market for digital identity, ForgeRock has proven it's possible to win over a meaningful portion of a market with an open, extensible platform. Ballerine could do the same for the intersection of identity, risk management, and fraud.
Chainsight
What does the company do?
Chainsight is an API for Web3 (a.k.a. blockchain or cryptocurrency) background checks. The company uses a direct comparison that's helpful: "Checkr for Web3."
Where do they fit into the cybersecurity ecosystem?
The company fits into my broadly defined Blockchain and Web3 domain of the cybersecurity ecosystem. They could also be grouped with traditional companies in the Background Screening market.
What are their challenges?
Mostly macro: where Web3 is headed is still very much in flux. We're currently sitting in the middle of yet another crypto crash. Competition among early stage companies and protocols is intense — all the usual traits of an industry at the embryonic stage of its lifecycle.
The good news for Chainsight is that background checks are among the foundational set of services needed for Web3. It's a relatively safe bet that wherever Web3 ends up going, background checks are going to be needed.
Why could this be a big company?
Web3 fraud and scams are rampant. The problem has become a serious headwind for Web3 users, companies, and protocols. Help is desperately needed.
Chainsight isn't another "build something that exists in Web2, but now on blockchain?!" type of company. Yes, background checking services have conceptually existed for a long time. Web3 brings a different set of challenges and use cases that require a new solution.
Why is a new solution needed? Web3 has a lot of data and assets to monitor for background checks to work. According to Chainsight, the company currently monitors over 300,000 dApps and tokens, over 100 million phishing sites, and labels 25 billion blockchain transactions.
Paradigm-altering technology shifts create spaces of opportunity for new products and companies. That's exactly what Chainsight is taking advantage of in a space with massive upside.
Conversion Pattern
What does the company do?
Conversion Pattern helps companies track user analytics and measure ad spend without cookies.
"...wait, what? Why is this company on the list?!" you might ask. It's another hybrid company that crosses over into cybersecurity and privacy to solve a business problem.
Digital identity is at the core of Conversion Pattern's product, including a unique identifier for visitors and an identity resolution engine to help correlate activity across multiple sessions and devices.
Where do they fit into the cybersecurity ecosystem?
The company fits broadly into Identity Graphing and Resolution. They're really a user analytics company that happens to intersect with digital identity and privacy to solve problems for their customers.
What are their challenges?
Changes to third-party tracking and user privacy are dynamic. Requirements (and underlying tech) are evolving rapidly. The discourse is part technical, and part political. This makes for a messy situation.
Anything Conversion Pattern builds could be partially or completely wiped out by the whims of powerful companies like Apple and Google. That's also an opportunity, of course — being the company who helps other companies navigate the turmoil is incredibly valuable.
Why could this be a big company?
The end of third-party tracking is an existential crisis for marketers. Without cookies, new solutions are needed to help businesses understand their customers and measure ad spend.
It's unrealistic to expect this type of measurement for eCommerce and digital ad spend will go away just because Apple killed third-party tracking. Once people are given something, it's hard to take it away — especially when it's directly related to a company's revenue and profitability.
If the market decides Conversion Pattern is the best solution for balancing third-party tracking with the user privacy requirements of device manufacturers, they can become a big company.
Derisk
What does the company do?
Derisk builds cryptographic key custody software that secures cryptocurrency assets for businesses. Their product uses multi-party computation (MPC) to secure keys among multiple parties without anyone knowing the full key.
It's a new solution to the "not your keys, not your coin" dilemma in cryptocurrency that has found the spotlight recently. TL;DR – if a company holding digital assets implodes, there's no guarantee its users will be able to get their assets back because they technically don't hold the private keys needed to access them. That's a problem in a lightly regulated industry like cryptocurrency — the FDIC isn't there to save you.
Where do they fit into the cybersecurity ecosystem?
Like Chainsight, Derisk fits into my broadly defined Blockchain and Web3 domain. The company is also a new-generation entrant into the Public Key Infrastructure market with a specific focus on Web3.
What are their challenges?
One of the biggest challenges for Derisk is convincing cryptocurrency asset custodians it's safe to use a product from a startup to secure their private keys. Ironically, building on MPC helps address this problem because its core design principle is that nobody has to trust anyone else.
The other macro-level challenges are value capture and defensibility. Products built on top of open protocols (an entire sub-field of cryptography, in this case) often struggle to capture the value they create. It can also be challenging to build a defensible moat when part of the core IP is open and available for competitors to copy.
Why could this be a big company?
Derisk is a real life instance of the cryptocurrency "centralization vs. decentralization" debate where the decentralized solution could (objectively) be the best solution. MPC is great because it's both secure and redundant by design — excellent benefits when we're talking about securing digital assets with monetary value.
In the case of managing the private keys that protect cryptocurrencies, many people shouldn't be at either end of the trust spectrum: wholly trusting third parties or relying on ourselves to protect our digital assets. The best answer might be in the middle — spreading some, but not all, trust among a few parties and enforcing it with distributed computation.
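The "spreading some, but not all, trust among a few parties" idea can be shown with Shamir's secret sharing, a building block of threshold key custody. This is an added illustration, not Derisk's product or protocol: it splits a secret into n shares so that any k of them recover it while k-1 reveal nothing, and it demonstrates the "reveal nothing" property directly by forging a share that makes k-1 real shares consistent with any secret an attacker might guess. Production MPC custody goes a step further than this example by signing with the shares and never reconstructing the key in one place. The prime, the share counts and the sample secret are constructed values.

```python
"""Shamir threshold secret sharing over a prime field (constructed illustration,
not Derisk's code). A 16-byte key is treated as an integer below PRIME."""
import secrets
from typing import List, Tuple

PRIME = 2 ** 127 - 1  # Mersenne prime, larger than any 128-bit secret

Share = Tuple[int, int]  # (x, f(x))


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of the polynomial with the secret as constant term."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, n: int, k: int) -> List[Share]:
    """Produce n shares of which any k reconstruct `secret`."""
    assert 0 <= secret < PRIME and 1 <= k <= n
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def _interpolate(points: List[Share], x: int) -> int:
    """Lagrange interpolation of the unique polynomial through `points`, at x."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_secret(shares: List[Share]) -> int:
    """Recover the constant term from at least k shares."""
    return _interpolate(shares, 0)


def share_consistent_with(partial: List[Share], x_new: int, candidate: int) -> int:
    """Given only k-1 shares, compute a share at x_new that makes them recover
    `candidate`. That such a share always exists is why k-1 shares leak nothing."""
    return _interpolate([(0, candidate)] + list(partial), x_new)


def demo() -> Tuple[bool, bool]:
    """Returns (k shares recover the key, k-1 shares are consistent with a wrong key)."""
    key = int.from_bytes(bytes(range(16)), "big")   # constructed sample key
    shares = split_secret(key, n=5, k=3)
    ok = recover_secret(shares[:3]) == key and recover_secret(shares[2:]) == key
    wrong = 12345
    forged = share_consistent_with(shares[:2], 5, wrong)
    ambiguous = recover_secret(shares[:2] + [(5, forged)]) == wrong
    return ok, ambiguous


if __name__ == "__main__":
    print(demo())
```

Any three of the five custodians can reconstruct the key, while two custodians (or a thief who compromised two) hold shares that are equally consistent with every possible key, which is the redundancy-plus-secrecy property the paragraph above describes.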
Notebook Labs
What does the company do?
Notebook Labs is building decentralized, anonymous, and verifiable identity for Web3. The company calls it "KYC for crypto," which loosely means it's doing identity proofing.
This might sound similar to Chainsight, but the nuances are important. Notebook is an on-chain store of verified identity information (a smart contract). It's integrated via an NPM package, versus an API for Chainsight. Bigger picture, Notebook also seems to be building towards a fully self-sovereign identity store, not just an identity proofing service.
Side Note: They also use AiPrise, another company we discussed earlier, for identity proofing during user onboarding.
Where do they fit into the cybersecurity ecosystem?
Notebook is another company that maps to the Blockchain and Web3 domain. They're also similar to an Identity Wallet, although technically implemented as a smart contract.
What are their challenges?
Web3 identity is an extremely competitive segment. Multiple other companies, including several funded by YC (Spruce and Magic, for example) are building in and around the same identity wallet vicinity.
Why could this be a big company?
Identity is one of the biggest opportunities up for grabs in Web3. Several attempts have been made, and new companies keep getting better and better.
Balancing verifiable identity with user privacy and decentralization is a tricky thing to do. It's also the right thing to do. Notebook can be a big company if it pulls this off.
Oneleet
What does the company do?
Oneleet is a pentesting service delivered through a combination of AI and human expertise. The platform includes tools to execute and manage the pentest, plus a marketplace of talent to guide, validate, and report the results.
Where do they fit into the cybersecurity ecosystem?
The company sits at the intersection of Penetration Testing, Professional Services, and Crowdsourcing. It's part technology platform and part professional services marketplace.
What are their challenges?
Forward-thinking professional services firms have caught on to the idea of productized penetration testing services. Companies like Bishop Fox, NetSPI, Praetorian, Synack, and more have all raised significant capital to address this exact problem.
The challenge is also an opportunity for Oneleet. Companies that began as traditional professional services firms have to deal with organizational and culture change to bend their offerings into productized services. Oneleet is one of the first companies with the opportunity to build a productized service from the ground up.
Why could this be a big company?
The productization of cybersecurity services is one of my favorite topics (more on this soon...hint hint). Naturally, I'm excited about what Oneleet is doing.
I talked extensively about this topic when analyzing Mandiant's shift towards productized services. Substitute Oneleet for Mandiant, and it's exactly the reason they could become a big company:
Building a successful productized services business to address an important societal issue like cybersecurity attacks is an interesting problem to solve. In the process, Mandiant may also revolutionize the delivery model for professional services in the industry.
A shift towards productized services is bound to happen, especially in cybersecurity. Too many incentives are aligned for this not to happen: labor shortages, budget constraints, speed of delivery, and never-ending fear are a recipe for innovation. The question is whether Mandiant will be the company to execute this strategy and successfully capture the value.
Bigger picture, the company describes itself as "your security department as a service." That obviously means a lot more than pentesting. The ceiling here is high. Anyone who accomplishes this will become a massive company in the process.
Openline
What does the company do?
Openline is an open source customer data and orchestration platform. It takes customer data and interactions from multiple sources to personalize experiences and automate support.
Like Conversion Pattern, you might be wondering why this company made the list. Same reason: digital identity is at the core of the product. From their YC company profile:
Third-party tracking and analytics tools do not work in the current world of GDPR, HIPAA, CCPA, ad blockers, and cookie deprecation. We allow you to get the most comprehensive view of your customers without sending personal identifying and/or usage data to third parties.
Identity and privacy are enablers for everything else Openline does.
Where do they fit into the cybersecurity ecosystem?
Openline fits broadly into Identity Graphing and Resolution. More broadly, they're a customer data platform.
What are their challenges?
Competition. Cliché, I know. Customer data platforms are a competitive space in tech. The Forrester New Wave™: B2B Standalone CDPs, Q4 2021 report evaluated 14 companies. That's a lot of companies already, and newer startups haven't made the list yet.
Competition alone isn't cause for concern, though. The market for customer data platforms is an emerging one (hence the "New Wave" terminology by Forrester). Companies and buyers are still sorting out the features they value most.
Why could this be a big company?
The macro-level shift is clear: companies are moving away from building and maintaining their own customer data platforms. Combine this trend with ripple effects from privacy regulations and Apple's ban of third-party tracking cookies, and you've got an important problem space that needs solutions.
Openline's open source platform could be a major advantage over competitors with proprietary platforms. Open source companies in adjacent markets (ForgeRock, GitLab, and HashiCorp, to name a few) have proven this model can be successful to the point of becoming a public company.
Overwatch
What does the company do?
Overwatch helps large enterprises detect and manage business risks that could impact their operations, supply chain, or reputation.
Where do they fit into the cybersecurity ecosystem?
The company sits at the intersection of Enterprise Risk Management and Risk Ratings. An important nuance is that Overwatch's risk profiling is mostly outward-facing. That is, it's focused on external risks that could impact a company, not internal risks within the company itself.
What are their challenges?
The problems they're solving are huge, gnarly ones. That's a challenge in the best possible way — exactly the type of problem high-potential early stage startups should be going after.
The difficulty with solving hard problems is that they're sometimes too hard to move the needle. Finding and surfacing relevant business risks among a sea of global activity is challenging.
The product has to do a great job of justifying continued spend — too many false negatives or false positives could cause enterprise buyers to lose trust and revert to old ways.
Why could this be a big company?
Third party risk is a huge problem for every enterprise company. Entire departments are dedicated to monitoring, managing, and auditing partners, suppliers, territories, and more.
However, their approach is typically reactive and narrow in scope (think vendor risk assessment questionnaires and the like). This behavior is partly a relic of legacy thinking, and partly because advanced tech didn't exist to monitor risk on a global scale. Overwatch can be a big company because it changes the game completely.
The company already has amazing customers (Stripe and Goldman Sachs were mentioned publicly) for an early stage startup. They will undoubtedly draw the attention of many more companies who want to be proactive about managing enterprise risk.
The three-person founding team deserves special mention, too — their backgrounds are incredible. A company like Overwatch can't be started by just anyone. Subjects like geopolitics, global supply chain risks, financial crimes, and others are highly specialized. This looks like a unique team solving a unique problem at a unique time in the world.
Slauth.io
What does the company do?
Slauth.io secures access to cloud infrastructure. The product scans IAM configurations for each of the three large cloud infrastructure providers, generates a map of access, identifies potential vulnerabilities, and recommends remediation actions.
Where do they fit into the cybersecurity ecosystem?
The product maps to Cloud Infrastructure Entitlements Management (CIEM) within Cloud Security.
For clarity, Slauth.io isn't an authentication service like Okta or Ping. It's focused on analyzing and identifying issues with access control, not performing the day-to-day authentication or authorization of users.
What are their challenges?
Cloud Infrastructure Entitlements Management is dangerously close to the broader Cloud Security Posture Management (CSPM) market that awesome companies like Wiz, Orca, and more are well on their way to owning. It's an open question whether access control is a standalone problem or a subset of the problems CSPM platforms monitor and remediate.
Why could this be a big company?
Access to cloud infrastructure is one of the top security weaknesses and causes of cloud-related breaches. Unit 42 at Palo Alto Networks went deep into this subject if you're interested in the data behind it.
Two identity protection companies (Attivo and Preempt, conceptually similar products) had nice exits in the past year (to SentinelOne and CrowdStrike, respectively). This category is gaining visibility as an important capability beyond core IAM systems.
An effective solution to cloud infrastructure access is a strategic acquisition target at minimum, and potentially an even larger company.
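The kind of analysis described above (scan IAM configurations, build an access map, flag risky entitlements) can be sketched with a small audit over policy documents. The example below is an added illustration, not Slauth.io's scanner: it assumes AWS-style IAM policy JSON (the other providers have their own formats), uses three constructed policies as input, and applies three common CIEM checks: a full wildcard grant, a service-wide wildcard on all resources, and IAM-modifying actions on all resources, which let a principal widen its own permissions.

```python
"""Minimal IAM entitlement audit over AWS-style policy documents.
Constructed illustration, not Slauth.io's code; the policies are sample data."""
from typing import Any, Dict, List

# Constructed sample policies keyed by principal name.
CONSTRUCTED_POLICIES: Dict[str, Dict[str, Any]] = {
    "ci-deployer": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "report-reader": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]}]},
    "lambda-admin": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["lambda:*", "iam:PassRole"], "Resource": "*"}]},
}


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def access_map(policies: Dict[str, Dict[str, Any]]) -> Dict[str, List[str]]:
    """Principal -> sorted list of allowed actions (the 'map of access')."""
    result: Dict[str, List[str]] = {}
    for name, policy in policies.items():
        actions = set()
        for stmt in _as_list(policy.get("Statement", [])):
            if stmt.get("Effect") == "Allow":
                actions.update(_as_list(stmt.get("Action", [])))
        result[name] = sorted(actions)
    return result


def audit(policies: Dict[str, Dict[str, Any]]) -> Dict[str, List[str]]:
    """Principal -> list of findings. Empty list means no risky entitlement found."""
    findings: Dict[str, List[str]] = {}
    for name, policy in policies.items():
        found: List[str] = []
        for stmt in _as_list(policy.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            all_resources = "*" in resources
            if "*" in actions:
                found.append("allows every action (full administrative access)")
            elif all_resources and any(a.endswith(":*") for a in actions):
                svc = [a for a in actions if a.endswith(":*")]
                found.append(f"service-wide wildcard {svc} on all resources")
            if all_resources and any(a.startswith("iam:") for a in actions):
                found.append("IAM-modifying action on all resources; principal can widen its own access")
        findings[name] = found
    return findings


if __name__ == "__main__":
    for principal, actions in access_map(CONSTRUCTED_POLICIES).items():
        print(principal, "->", actions)
    for principal, found in audit(CONSTRUCTED_POLICIES).items():
        print(principal, found or "no findings")
```

The scoped reader produces no findings, the deployer with `"Action": "*"` is flagged once, and the Lambda role is flagged twice (the `lambda:*` wildcard and `iam:PassRole` on every resource). A production tool would also resolve group and role attachments, resource-based policies and permission boundaries before drawing the map; this example covers only the inline policy document.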
TrueBiz
What does the company do?
TrueBiz performs background checks for businesses. Traditionally, this is a lengthy and laborious check that financial institutions are required to perform when doing business with corporate entities under Know Your Business (KYB) legislation. TrueBiz automates away the paper pushing and makes the verification process both faster and easier.
Where do they fit into the cybersecurity ecosystem?
The company maps to Background Screening with a specific focus on businesses, not individuals.
What are their challenges?
Large financial institutions are typically slow to adopt new technologies, so it might be a while before TrueBiz can make a dent in a meaningful number of enterprise accounts.
Like Ballerine, the good news for TrueBiz is there are plenty of emerging fintech startups that would be glad to use their service for KYB while building a stack from the ground up.
Why could this be a big company?
Tech for performing business background checks is lagging behind its consumer counterparts. The potential for financial institutions to eliminate manual processes and headcount is a powerful incentive, too. If TrueBiz can build a product that is legitimately better than other products, it can become a big company.