Y Combinator hosted its semi-annual Demo Day (now two days) last week, from August 31st to September 1st. Seven cybersecurity companies were among the 374 companies in the Summer 2021 batch:
Cloudanix: Cloud security for multi-cloud environments.
ContraForce: AI-powered Extended Detection and Response (XDR) for SOCs.
Keyri: Passwordless authentication for developers.
Malloc: Spyware detection and prevention for mobile.
PlusIdentity: Privileged access management for startups.
Protego: Chargeback recovery for Latin American companies.
StandardCode: Child identity verification APIs for developers.
This article takes a deeper look at the seven cybersecurity companies, their opportunities, and their challenges going forward.
Reviewing Y Combinator's Cybersecurity Investment History
It's well understood now that Y Combinator has a successful track record of investing in B2B and enterprise companies. They've long since overcome the stigma of being a consumer-only investor.
Y Combinator is a massively successful early stage startup investor. To understand the future of cybersecurity tech startups, it's instructive to look at the companies coming out of the program as early as Demo Day.
Y Combinator's volume of, and success with, cybersecurity investments are more tenuous than its overall B2B portfolio. YC has funded 55 cybersecurity companies since its first batch in 2005. Sift (formerly Sift Science) is the most successful company so far, a unicorn valued at over $1 billion and ranked 42nd on YC's top companies list. Other ranked companies include:
Salt Security, an API security platform, is ranked 65th.
Vanta, an automated compliance platform, is ranked 71st.
Veriff, an identity verification company, is 95th.
Proxy, an authentication platform, is ranked 110th.
YC's cybersecurity funding has increased in recent batches. They have funded 19 cybersecurity companies in the four batches since the beginning of 2020. That's an average of 4.75 companies per batch and 34.5% of the total cybersecurity investments in the history of YC.
Analysis of the Summer 2021 Batch
Cloudanix is a cloud security platform specifically focused on larger, multi-cloud, multi-region, and multi-environment deployments. The founders have cloud and cybersecurity experience at both startups and enterprises from previous roles at Pantheon, Gigya, SAP, Moody's, and McKesson. Aside from YC, no funding has been reported to date.
The product solves a problem of scale: managing security in large cloud deployments is gnarly, particularly with multiple engineers using multiple regions or different cloud platforms altogether. This complexity is part of the reason why companies are frequently in the news for breaches due to cloud environment misconfigurations.
The Cloudanix platform does a lot for an early stage startup: account monitoring, rule-based audit and compliance checks, event monitoring, IAM account authorization reporting and remediation, and configuration (drift) management. Any one of these features on its own could potentially be a product.
The platform offers "recipes", which are pre-built leading practices for configuring cloud services. For most non-security companies, it's difficult and time-consuming to keep up with leading practices for detailed cloud security configurations. Recipes are a helpful starting point — think of them like an 80/20 solution for comprehensively checking up on your cloud environment configurations and quickly remediating well-known issues.
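To make the "recipe" idea concrete, here is an added example (my own illustration, not Cloudanix's code): a small rule-based audit that runs leading-practice checks over a constructed cloud inventory, plus a drift check that diffs the current inventory against an approved baseline. The resource shape, field names and rule IDs are hypothetical; a real platform would populate the inventory from the cloud provider's APIs.

```javascript
'use strict';
// Added example, not Cloudanix's code. Resource shape and rule IDs are hypothetical.
// Each rule returns a list of evidence strings; an empty list means the rule passes.
const RULES = [
  { id: 'SG-001', severity: 'high', type: 'security_group',
    title: 'Admin port (22/3389) reachable from 0.0.0.0/0',
    check: (r) => r.ingress
      .filter((i) => [22, 3389].includes(i.port) && i.cidr === '0.0.0.0/0')
      .map((i) => `port ${i.port} open to ${i.cidr}`) },
  { id: 'S3-001', severity: 'high', type: 'bucket', title: 'Bucket allows public read',
    check: (r) => (r.publicRead ? ['public-read access enabled'] : []) },
  { id: 'S3-002', severity: 'medium', type: 'bucket', title: 'Bucket versioning disabled',
    check: (r) => (r.versioning ? [] : ['versioning off']) },
  { id: 'IAM-001', severity: 'high', type: 'iam_user', title: 'IAM user without MFA',
    check: (r) => (r.mfaEnabled ? [] : ['mfa disabled']) },
  { id: 'IAM-002', severity: 'medium', type: 'iam_user', title: 'Access key older than 90 days',
    check: (r) => (r.accessKeyAgeDays > 90 ? [`key age ${r.accessKeyAgeDays}d`] : []) },
];

// Run every rule that applies to a resource type; return findings, highest severity first.
function audit(inventory, rules = RULES) {
  const rank = { high: 0, medium: 1, low: 2 };
  const findings = [];
  for (const res of inventory) {
    for (const rule of rules) {
      if (rule.type !== res.type) continue;
      const evidence = rule.check(res);
      if (evidence.length) {
        findings.push({ rule: rule.id, severity: rule.severity, title: rule.title,
                        resource: res.id, region: res.region, evidence });
      }
    }
  }
  return findings.sort((a, b) => rank[a.severity] - rank[b.severity]);
}

// Drift: report resources added, removed, or with any field changed since the baseline.
function detectDrift(baseline, current) {
  const byId = (list) => new Map(list.map((r) => [r.id, r]));
  const base = byId(baseline), cur = byId(current);
  const drift = [];
  for (const [id, b] of base) {
    const c = cur.get(id);
    if (!c) { drift.push({ resource: id, change: 'removed' }); continue; }
    for (const key of new Set([...Object.keys(b), ...Object.keys(c)])) {
      if (JSON.stringify(b[key]) !== JSON.stringify(c[key])) {
        drift.push({ resource: id, change: 'modified', field: key, before: b[key], after: c[key] });
      }
    }
  }
  for (const id of cur.keys()) if (!base.has(id)) drift.push({ resource: id, change: 'added' });
  return drift;
}

// Constructed sample data: the approved baseline and what the account looks like now.
const BASELINE = [
  { id: 'sg-web', type: 'security_group', region: 'us-east-1', ingress: [{ port: 443, cidr: '0.0.0.0/0' }] },
  { id: 'logs', type: 'bucket', region: 'us-east-1', publicRead: false, versioning: true },
  { id: 'deploy-bot', type: 'iam_user', region: 'global', mfaEnabled: true, accessKeyAgeDays: 30 },
];
const CURRENT_INVENTORY = [
  { id: 'sg-web', type: 'security_group', region: 'us-east-1',
    ingress: [{ port: 443, cidr: '0.0.0.0/0' }, { port: 22, cidr: '0.0.0.0/0' }] },
  { id: 'logs', type: 'bucket', region: 'us-east-1', publicRead: true, versioning: true },
  { id: 'deploy-bot', type: 'iam_user', region: 'global', mfaEnabled: true, accessKeyAgeDays: 120 },
  { id: 'sg-tmp', type: 'security_group', region: 'eu-west-1', ingress: [{ port: 3389, cidr: '0.0.0.0/0' }] },
];

console.log(JSON.stringify(audit(CURRENT_INVENTORY), null, 2));
console.log(JSON.stringify(detectDrift(BASELINE, CURRENT_INVENTORY), null, 2));
```

The audit finds the SSH and RDP exposures, the public bucket and the stale key; the drift report shows that three approved resources changed and one appeared outside the baseline, which is the signal an engineer needs to tell a sanctioned change from an unreviewed one.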
Cloud security is still a new and rapidly evolving domain within the cybersecurity ecosystem. The opportunity for Cloudanix is to become the go-to platform for companies with large cloud deployments to manage security. Cloudanix has two potential paths for growth. They could choose to focus on breadth and continue to build on the multiple features in the product — truly achieving the vision of a single platform for cloud security. Alternatively, they could discover rapid growth within one (or a few) specific areas within the platform's broad feature set and choose to focus on those.
ContraForce is an Extended Detection and Response (XDR) product that uses AI to augment response. The platform pulls security data from multiple integrations to analyze for threat detection and response. Both founders have experience with cybersecurity products and managed service providers at McAfee and Armor. Building an XDR product is a natural next step from their background. Aside from YC, the only funding reported has been an economic development grant.
The company is solving a significant problem: operating a SOC is hard, and SOC analysts have the impossible task of sifting through thousands of events to find threats. They need augmentation to eliminate false positives and increase the speed at which they identify and respond to real threats. Faster responses to qualified threats are valuable, and you can never respond too quickly.
XDR is a newer approach to threat detection and response, thus a newer market. Larger cybersecurity product companies are also developing XDR products, including Palo Alto Networks, Cisco, Barracuda, Cynet, and more. It's an emerging market that hasn't been won yet.
One of the main challenges for a data-intensive product like ContraForce is integrations. The company has built several integrations already, starting with a Microsoft-focused approach and expanding outward to other cloud platforms and apps. The effort to add integrations will be ongoing and a potential source of competitive advantage if ContraForce can add integrations quickly.
Aside from integrations, the company's challenges are likely to be product and pricing. The product needs to be significantly better than the existing XDR products built by larger cybersecurity product companies. ContraForce also needs to avoid being priced out of the market if larger companies reduce prices or bundle their XDR products with enterprise licensing deals.
The XDR market is an exciting problem domain with lots of potential. ContraForce has the opportunity to define itself as a premium, go-to product in the market if it can differentiate its integrations and features — particularly AI.
Keyri is a developer-focused authentication platform with a proprietary, device-based authentication protocol. The product is also focused on ease of use for end users.
The founders both have varied backgrounds, including investment banking, software engineering, and cryptocurrency. One founder developed an early version of the authentication technology used by Keyri at Duke University:
At the Duke Institute for Brain Sciences, I built a bulletproof HIPAA-compliant authentication layer for distributed supercomputing clusters. Keyri leverages the asymmetric cryptography architecture of that system, combined with the ubiquitous biometrics sensors on smartphones, to bring frictionless, extremely secure authentication to consumer web platforms.
Aside from YC, no funding has been reported to date.
Balancing security and ease of use in authentication is one of the most widely discussed problems in cybersecurity, and user habits around it are persistent and hard to break. Passwords have a well-documented set of problems. Magic links aren't great, either. Both mechanisms work, though, and they're commonly understood by technical and non-technical users.
Authentication products have constant tension between standards and proprietary tech. Keyri is the latter — one of their primary value propositions is a proprietary authentication layer that promises both increased security and improved ease of use.
Developer-focused authentication platforms have a proven track record with Auth0's $6.5 billion acquisition by Okta. Developer adoption was a significant reason why Auth0 gained traction and reached the level of valuation it did at the time of acquisition.
The biggest challenge Keyri faces is likely inertia: "good enough" versus a more advanced, user-friendly solution. Keyri also faces well-funded competition, including Transmit Security, Trusona, and other traditional authentication platforms.
Keyri can grow quickly if they're able to gain developer adoption. Auth0 followed this strategy, as have other developer-focused products in adjacent markets. The same thing needs to happen here. They can potentially become a big company if the product captures and changes a user behavior trend from passwords to a more modern authentication approach.
Malloc is a company focused on building privacy technology, the first product being Antistalker, a free consumer Android app. Antistalker detects when applications use the camera or microphone on your smartphone, to identify spyware placed by stalkers or other adversaries. The founders are three accomplished women with Ph.D.s in artificial intelligence and cybersecurity. A €100,000 pre-seed investment is listed on CrunchBase.
Spyware is a huge societal problem that has been in the news a lot recently due to Pegasus infiltrating media and government officials. Smaller scale stalkers have been targeting individual victims for years. It's hard to overstate the value of reliable spyware detection.
Malloc is solving a technically challenging problem because their products are limited by the APIs that smartphone manufacturers make available to third-party apps. Proving the concept on Android and releasing a consumer app was a good strategic choice as the company is getting started.
The strategic challenge for Malloc is which direction to take the company after the Antistalker consumer app. The founders appear to have both aspirations and qualifications well beyond development of consumer mobile apps. Consumer-focused privacy apps are a large market if they choose to continue on this course. Malloc could also focus exclusively on the most prominent enterprise, government, and media organizations (the Palantir approach) to help defend against spyware like Pegasus. Either path has the potential to produce a large company.
PlusIdentity is a password manager for shared logins and other credentials. The founders are both from Harvard. Aside from YC, no funding has been reported to date.
The company's target market is focused: "we’re building the best password manager for startups." They started by building a Slack app, a logical choice because startups live in Slack. Next comes a browser extension, then outward expansion of the product from there.
Managing passwords, secrets, and privileged access is a continuous problem in cybersecurity. Compromise of these credentials is a common cause for breaches.
Password management for startups is a bigger problem than many people realize. Startups are prone to bad practices because they originate as small, cash-strapped teams focused on growth and viability over security.
Despite their size, tech startups have a lot of passwords and secrets to protect. Most tech startups have to protect at least the following, and often more:
Cloud infrastructure keys
Multiple API keys
Source code keys
Admin console passwords
Test account passwords
Shared SaaS application and social media passwords
This is why startups are the starting point for the larger problem PlusIdentity wants to solve. It's best for startups to establish good password management practices early, especially if the solution is fast, affordable, and native to the platforms they're already using. The risk of not establishing good password management practices is fairly high for startups that do find traction: the problem doesn't manifest itself until it's too late to fix cheaply.
PlusIdentity's strategy is to grow with startups:
"Our goal is to become every YC company's password manager, then grow with our users to eventually become the security & identity backbone of fast growing tech companies."
The strategy is viable and has worked for many companies, Stripe being the most famous example. For this strategy to work, the company needs to get other startups to adopt early. Once the product is entrenched, PlusIdentity needs to grow and scale its features to the point customers don't want to switch to CyberArk or other enterprise-grade password management tools when they become larger companies.
The biggest challenge PlusIdentity faces is the threat of substitutes: personal password managers like 1Password, Dashlane, and others. Their product needs to have enough appeal to make the upside of scaling with PlusIdentity higher than switching to other tools. The cutover from a personal password manager to PAM tools like CyberArk is a major undertaking. This makes it more likely startups will retain the password manager they start with long after they hit scale.
PlusIdentity's opportunity is to fill a large and important gap in the market. There is a relatively large gap in the spectrum of products between personal password managers (like 1Password) and enterprise-grade privileged access management platforms (like CyberArk). If their strategy of targeting startups is successful, PlusIdentity can be a big company.
Protego makes a platform to help companies in Latin America defend against chargebacks. Both founders are alumni of Rappi, a massive startup based in Colombia. They worked on anti-fraud, Know Your Customer (KYC), and chargebacks — exactly the domain Protego is in. Aside from YC, no funding has been reported to date.
A quick refresher on chargebacks from Wikipedia, as chargebacks are a somewhat adjacent topic to cybersecurity:
A chargeback is a return of money to a payer of some transaction, especially a credit card transaction.
The payer is most commonly an individual consumer. A chargeback reverses a money transfer from the consumer's bank account, line of credit, or credit card. The chargeback is ordered by the bank that issued the consumer's payment card.
Legislation enabling chargebacks is well-intentioned: it protects consumers against false charges and identity theft. However, this protection comes at an expense to merchants. People commit fraud by falsely requesting charges to be reversed, among other abuses of chargeback laws. According to Protego, chargebacks cost LatAm companies $19 billion per year. This number will increase as more transactions move online.
Protego's product currently addresses a specific step in the chargeback process for merchants: automating chargeback disputes. According to the 2014 Cybersource Fraud Benchmark Report, 60% of chargebacks are disputed with a 41% success rate. Put differently, only 2.5 in 10 chargebacks are successfully disputed by merchants — low odds. A product like Protego is clearly appealing to merchants if it can increase the odds of success and reduce the time spent submitting disputes. It's even more appealing that Protego only gets paid when chargebacks are successfully resolved.
Protego reminds me a bit of Brex, a situation where the founders are clearly domain experts building in the domain they know. They have an opportunity to be a large company if their product can demonstrate measurable success in chargeback disputes. The company also has an opportunity to address more of the chargeback problem space, for example preventive measures that block purchases likely to result in chargebacks.
StandardCode is an API used by developers to verify the age of children and obtain parental consent for use of online services. The founders are HomeJoy alumni, a Y Combinator S10 company founded by former YC Partner Adora Cheung. The company lists three investors on their website (including YC). Funding amounts have not been disclosed.
The product operates in a bigger market than you might intuitively expect. As of 2021, there are 74.1 million children in the United States and 2.2 billion children globally. More importantly, the age which children start using technology is an accelerating trend that's relevant to StandardCode's growth potential. I didn't use any internet platforms until I was 12 years old (growing up in the 1990s). Today, 60% of children started using smartphones before age 5, and 31% started before age 2. This trend has been further accelerated by the COVID-19 pandemic and increased use of EdTech and gaming services.
Child data privacy laws like COPPA and GDPR-K present an interesting dilemma for tech companies. Laws set requirements for collection and handling of personal information from children under a certain age (age varies by law). Collection usually requires verifiable consent from a parent. Tech companies typically solve this by prohibiting children under a certain age (usually 13) from using their services. Exclusion is one solution, but 25% of the world's population is under age 15. A product that makes it easier for companies to reach this group of users while increasing safety and compliance is clearly valuable.
For StandardCode, it doesn't matter how often or how long children are playing games or using apps. It matters how many total children are active online and how many different apps they are trying. Every time a new child comes online or an existing child tries a new app, there is a new need for identity verification and consent. That's a huge opportunity.
StandardCode can become a large company if they capture the market for child identity verification and parental consent among developers. Success is becoming the Stripe of this market. StandardCode could potentially become an even larger company if they're able to expand the product outward to other types of verification and consent, either among children or other population segments.