8 Security Startups to Watch in 2022
Cloud security, API security, and incident response are among the issues up-and-coming security companies are working on.
![group of people working together on a project group of people working together on a project](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltfcb8450c90c5bbc8/64f15265670959761ce4c9ee/startups.jpg?width=700&auto=webp&quality=80&disable=upscale)
Source: Prostock-studio via Alamy Stock
The changes in how organizations operate and the threats they face have exacerbated some challenges for security teams and created new ones. And there is no shortage of new infosec startups working to develop the technology to address businesses' needs.
"I see no signs of a decrease in the rate at which new companies are coming into cyber," says Rik Turner, principal analyst at Omdia. "The pandemic may even have accelerated them or simply refocused some of the founders' plans to address the changing market."
Chenxi Wang, managing general partner at Rain Capital, says organizations are working to innovate in several areas of security.
"Companies are focused on securing and protecting the modern infrastructure," she explains. As organizations move away from traditional data centers and traditional applications, the demand for tools to protect modern infrastructure — cloud, serverless, DevOps, microservices — has grown significantly. More new companies are building products to try and meet it.
Cloud security is a major area of venture capital investment, Gartner reported in a recent whitepaper. Venture capital investments in cloud security have grown 338.6% since 2016 and reached more than $7 billion in 2020. Of that, $2.49 billion was invested in 2020. Digital transformation and cloud adoption accelerated that year, of course, during the pandemic.
But the growth of cloud security has not slowed. Many of the startups here focus on cloud security in different capacities. Some are focused on the unique nature of incident response in the cloud; some aim to build technology that detects issues in public cloud workloads.
Other trends evident in modern startups include growing concerns about supply chain security, API security, and evolving authentication away from the traditional password. These security companies are seeking new ways to tackle the biggest problems organizations face.
All of the companies listed here were founded in 2017 or later. Read on to learn more about security's up-and-coming companies to watch.
Tel Aviv-based Mitiga was founded in 2019 to create a cloud-based incident readiness and response tool for cloud and hybrid environments. So far the company has raised $32 million in funding, Crunchbase reports.
Mitiga's technology falls into a category that will grow in importance as more organizations operate in cloud-based environments, says Rain Capital's Wang, who notes she is an investor in the company. Whether they have a traditional or cloud environment, businesses will want to have a detection and response capability in which they pull logs from different devices to see what happened — but that process will look different for cloud-based logs, she explains.
"When you move your stuff to the cloud, when your infrastructure is no longer on-premise … the way logs are generated is very different," says Wang. In other words, they can't be used for investigations in the same way.
The startup's technology was built with the idea that cloud and hybrid incidents require a new approach, and organizations need a different approach for handling security incidents in the cloud. While other companies are focused on the future of cloud security, she notes, they often have a different kind of technology, and incident response is just one component of it.
"Mitiga is purely incident response," Wang explains. "Other companies are focused on identity behavior and figuring out what the identity-based incidents are. Others are looking at data access and figuring out incidents with respect to data access."
She anticipates "cloud incident response" could become a new category of security tech.
Omdia's Turner points to Cycode as a startup to watch. The company was founded in 2019 and has so far raised $80.6 million in funding, its latest round a Series B of $56 million.
Cycode focuses on supply chain security, "which has clearly grown in importance as a result of all the headline-grabbing stories of 2021," says Turner, pointing to the SolarWinds, Codecov, and Log4j incidents as prominent examples.
The company's software supply chain technology aims to provide teams with greater visibility and security throughout the software development life cycle (SDLC). As DevOps becomes more complex, so, too, does managing policies across the SDLC. Large organizations have multiple teams using different tools, making things even more complicated. Cycode offers a product that applies and enforces governance and security policies across all teams and tools.
Beyond that, the company also builds technology to detect and prevent infrastructure-as-code misconfigurations. Another tool scans to find hard-coded secrets in the SDLC, and its source code leakage tool aims to detect proprietary code exposures. The products in Cycode's lineup aim to make software more secure, which Turner notes is a growing trend among new companies.
r2c aims to make software more secure and reliable through a product called Semgrep, an open source static analysis tool for modern programming languages that's widely used by application security teams who appreciate its usability, Rain Capital's Wang says.
"Traditional application security products are not very developer-friendly. [This is] very security-friendly," she explains. While security is the goal, these tools usually aren't a good fit for developers and as a result, they're less effective. With Semgrep, R2C made "an extremely developer-friendly offering, and that's why they're taking off in the dev community," she adds.
The idea behind Semgrep is to bring security into the hands of engineers and teams who write code to make it more secure before it's released. It analyzes code locally on a computer or in a build environment, and developers can use existing or custom rules to find bugs in their code. Semgrep supports more than 20 modern programming languages, including Python, Ruby, and Java.
r2c was founded in 2017 and has so far raised $40 million in funding; its most recent was a Series B of $27 million in 2021, Crunchbase reports. Its tech falls into a market that focuses on active monitoring and active configuration, which Wang notes is growing in importance.
"I'm personally a big believer in application security solutions that are used more by developers than security engineers," she says. Appsec is top of mind for many pros now, especially in the wake of the Log4j vulnerability, which "made a lot of people realize they need to do better inventory of their assets and [have an] understanding of what those assets bring," Wang adds.
This identity startup, which aims to eliminate passwords, was launched in 2020 with a $30 million Series A funding round. Later the same year, it announced a $75 million Series B that brought its funding total to $105 million. Omdia's Turner also lists this as a company to watch.
Beyond Identity's founders include Netscape founder Jim Clark and network pioneer Tom Jermoluk, who teamed up to solve the problem of managing and protecting user passwords. Their approach is based on the standards X.509 for asymmetric key cryptography and TLS for encrypted communications.
Through this approach, the device is its own certificate authority, using the Beyond Identity app and cloud-based service. Users' private keys are stored locally in the secure enclave section of their iOS, iPadOS, macOS, Windows, or Android devices. The app sends authentication challenges from the cloud or through a single sign-on application. A user is bound to their device, which provides control over which devices can access SaaS apps and infrastructure.
"This is possible today because devices have native biometrics and a built-in chipset that securely stores private keys and performs high-trust cryptographic functions," Beyond Identity explains on its website.
Asset management and governance platform JupiterOne was founded in 2018 and has so far raised $49 million in funding, according to Crunchbase.
Its technology was built to help businesses manage cloud-based infrastructure and gain a better understanding of their environments with information on what's risky, what should be looked after, what must be protected now, and what is lower priority. Companies with more knowledge of their environments are better prepared to protect those assets from attack.
Admins using the tool see a continuous management console that provides information about risk and assets, Rain Capital's Wang explains. This information is overlaid with bug bounty and vulnerability data so they can see which ones are relevant.
Asset management is ripe for growth, says Wang, who invests in JupiterOne and notes the rapid growth of the market for products similar to theirs. "They are a company that really helps you understand the basics of cyber assets, all the assets that have security implications, and they do that automatically," she says.
Wiz emerged from stealth in December 2020 with $100 million in Series A funding and a goal of helping companies gain visibility into cloud-based threats.
The company was founded by experts who previously led Microsoft's Cloud Security Group and built Adallom, a cloud security startup Microsoft acquired in 2015 for $320 million. It has grown quickly: Wiz announced a $130 million Series B in March 2021; then came a $250 million Series C funding round in October 2021 that brought its total valuation to $6 billion.
Wiz's technology scans the operating system, installed software, and code libraries in cloud workloads, including virtual machines, containers, and serverless functions. It then checks against the National Vulnerability Database (NVD), vendor OVAL repositories, and other vulnerability databases to match known issues to the versions being run and prioritize them based on risk.
"Cloud security still seems to be a hot area for new startups, as the range of requirements grows," says Omdia's Turner, pointing to infrastructure-as-code security and API testing as issues that security teams are worried about.
Its researchers have also been hard at work. Wiz's cloud security research has made several headlines in the past year with discoveries of the OMIGOD vulnerabilities, weaknesses in AWS, and flaws in Microsoft's Azure platform. At this year's Black Hat Europe, Wiz researchers shared the technical details of a serious flaw they found in the Azure Cosmos DB database.
Orca Security has undergone serious growth since its founding in 2019. After a $20 million Series A in May 2020, the cloud security firm went on to raise a $55 million Series B later that year, and a $550 million extended Series C round in October 2021 that brought its valuation to $1.8 billion.
Its cloud security technology aims to make it easier for businesses to address security issues in their AWS, Azure, and Google Cloud Platform environments. Organizations can use Orca's tech to detect vulnerabilities, malware, misconfigurations, lateral movement risk, leaked or weak passwords, and high-risk data without relying on agents of network scanners.
The company also has an active research team focused on finding and analyzing cloud risks and problems to improve its platform. Amazon Web Services recently closed two flaws in its core service as a result of Orca's findings.
Its growth continues with a recent purchase of Web security startup RapidSec — Orca's first acquisition. With RapidSec's technology, Orca plans to add new capabilities to its cloud security platform, with a focus on understanding exposed APIs within an organization and protecting businesses from the risks they create.
Another player in the "cloud incident response" space is Cado Security, which emerged in 2020 with $1.5 million in seed funding and plans to build a cloud-native cyber forensics and response platform. Six months later, the startup closed a $10 million Series A round.
Its Cado Response platform was developed to automate data capture and processing so security teams can better understand and respond to threats in the cloud. While there are many tools to hunt for security gaps and try to prevent attackers from getting in, Cado was founded to remove the complexity from cloud investigations when attackers succeed.
In these instances, security teams must immediately respond but often don't have all the data they need to conduct an investigation. Cado's technology collects data from sources, including cloud and containers, and supports on-premise systems to give them information they need without a lot of extra effort.
Another player in the "cloud incident response" space is Cado Security, which emerged in 2020 with $1.5 million in seed funding and plans to build a cloud-native cyber forensics and response platform. Six months later, the startup closed a $10 million Series A round.
Its Cado Response platform was developed to automate data capture and processing so security teams can better understand and respond to threats in the cloud. While there are many tools to hunt for security gaps and try to prevent attackers from getting in, Cado was founded to remove the complexity from cloud investigations when attackers succeed.
In these instances, security teams must immediately respond but often don't have all the data they need to conduct an investigation. Cado's technology collects data from sources, including cloud and containers, and supports on-premise systems to give them information they need without a lot of extra effort.
The changes in how organizations operate and the threats they face have exacerbated some challenges for security teams and created new ones. And there is no shortage of new infosec startups working to develop the technology to address businesses' needs.
"I see no signs of a decrease in the rate at which new companies are coming into cyber," says Rik Turner, principal analyst at Omdia. "The pandemic may even have accelerated them or simply refocused some of the founders' plans to address the changing market."
Chenxi Wang, managing general partner at Rain Capital, says organizations are working to innovate in several areas of security.
"Companies are focused on securing and protecting the modern infrastructure," she explains. As organizations move away from traditional data centers and traditional applications, the demand for tools to protect modern infrastructure — cloud, serverless, DevOps, microservices — has grown significantly. More new companies are building products to try and meet it.
Cloud security is a major area of venture capital investment, Gartner reported in a recent whitepaper. Venture capital investments in cloud security have grown 338.6% since 2016 and reached more than $7 billion in 2020. Of that, $2.49 billion was invested in 2020. Digital transformation and cloud adoption accelerated that year, of course, during the pandemic.
But the growth of cloud security has not slowed. Many of the startups here focus on cloud security in different capacities. Some are focused on the unique nature of incident response in the cloud; some aim to build technology that detects issues in public cloud workloads.
Other trends evident in modern startups include growing concerns about supply chain security, API security, and evolving authentication away from the traditional password. These security companies are seeking new ways to tackle the biggest problems organizations face.
All of the companies listed here were founded in 2017 or later. Read on to learn more about security's up-and-coming companies to watch.
About the Author(s)
You May Also Like
CISO Perspectives: How to make AI an Accelerator, Not a Blocker
August 20, 2024Securing Your Cloud Assets
August 27, 2024