Cybersecurity thoughts: why is the market so complex?

Article by: AXC Team
Article Date: February 2, 2023
Category: Article


Over the past few years, we (at axc) have navigated the early-stage cybersecurity startup ecosystem. The cybersecurity market went from a not-so-trendy niche sector to a word that is on everyone’s lips (👋 VC friends). Digitalization, the shift to cloud, COVID-19, remote policies, macro-politics & co have been the catalysts of this market development. As the need grows, the market becomes congested and problems appear, setting obstacles on the path of cybersecurity startups.

I wanted to share my thoughts regarding cybersecurity startups and financing, market complexity, lack of education, product development challenges, copy/paste GTM strategy and more.

TL;DR: even though the European cybersecurity market will have to overcome many obstacles in the coming years (talent, education, funding, etc.), we remain confident that we, in Europe, have the ability to create global cybersecurity leaders. And we want to fund them at axc.

The market: big players, growing needs, and insufficient resources


Let’s start with the basics: every study shows that both the global and European cybersecurity markets are booming. Orange reported that the market grew by more than 8% in 2021 in Europe, and long-term forecasts indicate that this is just the beginning (±10% CAGR till 2027).

Larger budgets are being dedicated to cybersecurity services and solutions, but they are still insufficient, and companies seem to be undereducated at all levels. IBM stated that ±85% of cybersecurity breaches in Europe in 2022 were still due to human error, which demonstrates a lack of skills and understanding inside companies when it comes to facing cyberthreats and setting up best practices. Some startups, such as Mantra or SoSafe, are trying to address this pain, but the need is still huge, as is the depth of the market. This is also highlighted by corporate spending: more than 30% on services and ±20% on skilled staff (crucially lacking).


IDG Security Priorities Study, 2021


The sector is still largely addressed through services; consulting firms are therefore responsible for more than 30% of cybersecurity budgets and steer spending to their liking.

A US-based oligopoly is emerging. On the software and solution side, the market is monopolized by a handful of players (the top 20 cybersecurity solutions companies represent ±$267 billion in market cap). Most of these players are US-based (Palo Alto, Fortinet, Okta, etc.) and you won’t find a single EU-based company in the top 20. Those players are pushing hard to keep their lead, and keep on acquiring to either strengthen their position in their market (Okta’s purchase of Auth0) or attack new ones (Palo Alto with Bridgecrew Technology).


companiesmarketcap.com


European players are struggling to scale. This US oligopoly leaves little room for new players to become global ones. Startups in Europe are either (i) acquired by big US players at their early stages (we saw it internally with Alsid being acquired by Tenable); or (ii) failing to differentiate strongly from similar, larger bundled solutions offered by the latest incumbents.

Regarding M&A, the macro stakes in cybersecurity are too big for the processes to be easy. Few EU corporates have enough resources to buy startups at the price VCs want (Thales acquiring two European startups for €120M), and cyber successes often go abroad (US or Israel). But exiting a cybersecurity startup outside the EU is not that easy: state bodies interfere, which makes the processes harder and lowers their success rates.

It is even more blatant at seed stages. The number of acquisitions of VC-backed cybersecurity startups broke the record once again in 2022, with 178 acquisitions so far (source: Crunchbase). 45 of them were European-based startups, and most of those acquisitions happened after seed or series A rounds. ±60% of the acquisitions (27 out of 45) were carried out by actors outside the EU.


Crunchbase, VC-Backed Cyber Companies Acquired 2021


The cyber sector is not free of talent shortages. At (pre-)seed stages, we mostly bet on teams. But development issues and market complexity do not help attract talent to cybersecurity startups. In France, 45% of companies indicate that they are struggling to fill open positions in this discipline. Too few schools offer cybersecurity tracks, and even if initiatives such as *L’école 2600* are getting off the ground, dedicated training programs are not enough. The same goes for career-change paths. Lots of entrepreneurs in the cyber scene come from research laboratories or state cyber bodies (ANSSI in France), because you need a deep understanding of the stakes to bring new technologies and value to the existing range of solutions. We need to better train and educate people and make the cybersecurity path sexy to more diverse new talent. It’s the first key to success for any startup scene.

On the financing side, there is still room for improvement to cover the funding gap. Even if we have seen the amount of money in this sector increase these past few years, it is still not enough if we compare these figures to the US or Israeli markets. We badly need to educate funds on the market and bring new investors into the ecosystem to finance European projects and avoid finishing last in the gold (cyber) rush. As explained by the EIB, ‘the European market lags significantly behind the United States by about €1.75 billion per year’. Surely, the maturity and complexity of the market make the learning curve longer for VCs to get into the space, but the success of the sector in Europe also depends on the financing of great stories. We definitely need cybersecurity role models.


Amount raised by cybersecurity startups since 2011. Tikehau Ace Capital


When it comes to investing in cybersecurity startups as a VC, you may find yourself disappointed too often, especially if you look for classic VC stuff. Cybersecurity is not yet sexy.

Product needs: a continuous renewal


As explained above, a large part of cybersecurity ‘solutions’ are services. And we do believe that the cyber world will be hard to fully productize, as attackers’ means constantly evolve, and so do the best practices and means of defense. This constant evolution of attack types forces companies to keep iterating on defense technology and to monitor vulnerabilities with pentests and bug bounties (cc Yogosha). It also means that markets thought to be mature see new entrants appear that respond to new needs (and so create constant opportunities). VPNs are a good example, with new entrants appearing all the time and presenting themselves as next-gen VPNs.

This continuous evolution forces startups to be more innovative and to iterate faster than in other industries if they want to keep up with the rhythm. This is also why lots of cybersecurity startups are next-gen something. Few solutions target new segments; most are trying to do better than existing solutions. The needs remain the same: Identify, Protect, Detect, Respond and Recover.


NIST Cybersecurity Framework, Cyberwatching


As far as product needs are concerned, the first solutions companies equip themselves with are often the same (vulnerability scanning, EDR, etc.). As a startup, you can either try to make a place for yourself between these tools or add another value proposition outside of their scope.

That’s why we recently invested in Seedata, a UK cyber startup helping you find the data breaches inside your company. They mostly address mature corporates wanting to strengthen breach detection and enlarge their coverage. As corporates mature, the technical cybersecurity stack expands and new verticals appear, leading to huge opportunities on the market. That’s where new solutions enter, such as vulnerability management platforms, which connect to all your existing cyber tools to analyze and prioritize vulnerabilities (Hackuity, SecurityScorecard, etc.). In a similar way, new startups are offering to map your IT to easily detect vulnerabilities and onboard new stakeholders on cyber issues (e.g. Oversoc in France). Those startups add a layer on top of cybersecurity tools to better manage the volume of data that these tools generate (with lots of false positives, hence the need to prioritize).

The evolution of the stack also makes it hard for companies to maintain and develop new security workflows. More deployed software, more complex processes and more and more stakeholders make the development of a cybersecurity action plan difficult and poorly scalable. Some startups try to address this pain with no/low-code cybersecurity workflow builders, such as Mindflow in France or Tines in Ireland.

Split of budget for cyber tools. McKinsey


Overall, the needs and best practices evolve quickly in the cyber space, and startups need to keep up with the pace. We need to onboard new stakeholders for cybersecurity issues. It is too central an issue for only a handful of people to be responsible for it. Cyber responsibility must be extended (see the number of hacks linked to errors). To do so, startups must offer better UX/UI than what exists on the market. Too many tools are hard to read for less technical people, which makes cyber even more complicated to access.

Last but not least, the sector is particularly sensitive to norms and certifications. SOC 2, ISO 27001, HIPAA & co are essential for selling cyber solutions to large accounts. It’s the way to show a clean slate. These certifications are time-consuming, and some solutions tackle this issue, helping you obtain them in no time. Vanta and Drata (US companies) are good examples, but it seems that we still lack a similar European actor.

Is going-to-market in cyber harder? Yes. Should it be? No.

Simple questions, difficult answers. Over the last years, we’ve discussed GTM strategies with hundreds (if not thousands) of pre-seed/seed cybersecurity startups.

Most of the strategies that we’ve seen are direct ones, particularly because of the stakes involved in cybersecurity issues and the trust that needs to be created when selling in this sector. When selling cyber solutions, you still need to handle part of the education process; if you want to avoid that, and so shorten the sales cycle, you must find your champion. CISOs are (too) often the first target of cyber startups, which creates a growing waiting list as new solutions keep arriving (that’s why the set of stakeholders for cyber topics must expand).

More than in any other sector, you need to demonstrate the ROI for your buyers as early as possible in the sales process and translate cyber risks into business risks, as startups such as Citalid do. Cyber budgets are growing but are still being defined, which can lengthen sales cycles. As a cybersecurity startup, you need to stand out quickly to show why budgets should go to a solution like yours instead of another. Customers in cyber have unique needs, so you also need to adapt your offering to their maturity and understand if they are mature or over-mature for your solution.

Because of this congestion and the need for trust and education, many cyber startups are considering indirect approaches through MSSPs or consulting firms. Then again, it’s becoming harder to be at the top of the list as the waiting list gets longer. You should have a product ready and first customers deployed for this indirect approach, and it may not be relevant for (pre-)seed startups.

Cybersecurity personas

I do believe that the acquisition strategy in cyber must be more diverse, drawing inspiration from other sectors. As an example, we’re seeing too few startups implementing a product-led growth (PLG) strategy in the cyber space. It may be because the market is not that ready, but there is room for this type of approach, and it must be expanded in the coming years. I strongly recommend the articles of Ross Haleliuk on this topic: “Being product-led is a journey that requires persistence, openness to learning, the ability to adjust, and a company-wide buy-in.” Particularly true about cyber.

Conclusion

Some of these points may be obvious to many of us, but deep challenges remain. This opens a huge land of opportunity for startups to innovate and bring tremendous value to the market. At Axeleo Capital, we are huge believers in French and European founders. We have the talent, the legislation, and enough maturity to create market leaders.

If you’re building in the cyber space, reach out and we’ll always be glad to work together and reach this common goal!