Vertex Ventures Israel believes that security decision makers are beginning to realise the importance of understanding whether their organisations' cybersecurity measures are effective and working as planned, and where the vulnerabilities lie, says general partner Emanuel Timor.
That is why Vertex Ventures Israel recently invested US$4 million into Breach and Attack Simulation (BAS) startup Cymulate as part of a US$7.5 million Series A round in March this year.
Israel-based Cymulate offers an automated BAS platform that simulates cyber attacks across various threat vectors, then reports on identified gaps and recommends fixes. Among the startup's recent achievements, the company recently released a module that is designed to simulate a full-scale stealthy network attack known as "Advanced Persistent Threat" by actors that have infiltrated the network and remained undetected for a long time.
Cymulate currently has more than 130 paying customers worldwide from a range of industries, including banking, financial services and insurance, healthcare, government, public services, manufacturing, retail, Internet of Things and education.
Vertex Ventures Israel is no stranger to cyber security.(please see amendment note) Investments over the years included automotive security startup Argus, which was acquired by Continental; behavioural attack detection startup LightCyber, which was bought by Palo Alto Networks; and cloud cyber security startup Meta Networks, which was acquired by Proofpoint.(please see amendment note)
But Mr Timor said that the field has become very crowded with a large number of new products, categories and startups that are all competing for the attention and budgets of enterprises. He tells The Business Times why Cymulate caught Vertex Ventures Israel's eye, and earned its investment.
What was the biggest contributing factor to invest in Cymulate?
When investing in start-ups, we look for unique founding teams, with a technical edge, developing solutions that address large and growing markets. We found all of those in Cymulate. The company is led by two talented and devoted entrepreneurs who demonstrated a unique combination of vision and ability to execute.
We believe that the software(please see amendment note) as a service-based (Saas) BAS platform developed by the company for automated and constant testing of enterprise security solutions is an emerging category that is becoming an important enabler of the security policy of enterprises.
In what way is Vertex’s investment adding value to Cymulate?
It’s the combination of the strategic dialogue that needs to be open and candid about what it takes to scale the company to the next level, maintaining leadership after investment, and leveraging on Vertex's global network to assist Cymulate in entering new markets, building partnerships and in broadening the leadership team.
What do you think is under-appreciated about Cymulate’s business?
Breach and Attack Simulation is a new and emerging category. I am not sure security decision makers realize the impact it can have on the overall security posture and readiness of an enterprise, starting from understanding whether all the investments an enterprise has made over the years in security systems are operated in an optimal manner.
What is the potential market size?
The BAS market is in its nascence. However, the budgets enterprises are devoting for testing their security systems using third-party services and vulnerability assessments are estimated to be several billions of dollars in US-dollar terms. Based on Cymulate’s estimation, any prospect who has implemented value-added systems is a potential customer to purchase BAS technology, about 100,000 prospects. The BAS technologies will optimise the market with average sale prices of US$80,000.
What attracts customers to pay for Breach and Attack Simulation solutions?
Cymulate’s customers can immediately see the returns of investment of being able to test the effectiveness of their current security controls, identifying any security gaps, and having the mitigation and remediation guidelines they need to close each gap.
Instead of waiting for periodic penetration tests and red team exercises – which are usually performed monthly, quarterly only annually – whose report they receive weeks after the fact, they gain their own repeatable, continuous, automated system, whereby they launch attack simulations daily weekly or continuously, fix their security controls, and then repeat the same sets of tests to ensure that the corrective steps they took are in fact effective.
Cymulate takes the guesswork out of cybersecurity.
What are the biggest challenges that Cymulate faces in growing its business, and what are the plans to overcome these issues?
The biggest challenges rest with its US-based competitors and the limited awareness on this emerging technology. On US-based competitors, Cymulate is countering this challenge with significant investment in thought leadership and lead generation activity, targeting US decision makers and influencers. Cymulate is also expanding the headcount of its US-based team.
About Vertex Ventures Israel
General Partners: Emanuel Timor, Ran Gartenberg, Yoram Oron, Yanai Oron, David Heller, Aviad Ariel
Focus: Early stage Israeli startups
Investments: Seed to early stage rounds, focused on deep technology startups in sectors such as big data and analytics, enterprise software, cybersecurity, automotive, cloud infrastructure, enterprise SaaS, agritech, digital health, fintech and industry 4.0
About Vertex Israel V fund:
Focus: Early stage Israeli startups
Size: US$170 million
Amendment note : An earlier version of the story said Vertex Ventures Israel and its parent, Vertex Ventures, are no strangers to cyber security. It should be Vertex Ventures Israel is no stranger to cyber security. The earlier version also stated "enterprise detection startup LightCyber, which was bought by PaloAlto" when it should be "behavioural attack detection startup LightCyber, which was bought by Palo Alto Networks"; "zero-trust networks startup Meta “ when it should be “cloud cyber security startup Meta Networks,” and "security as a service-based (SaaS)" when it should be "software as a service-based."