Investment firms and venture capitalists can signal whether a cybersecurity tech vendor is a budding unicorn or a snake oil peddler by the size of their bets. But given how hot the market is these days, the betting action knows few bounds. It seems as if any company can gain unicorn status even while holding the weakest cards.
"There is clear frothiness in the market, even after the recent market pullback, but the overall sentiment remains strong for cybersecurity investments," says Nitin Chopra, managing director of Shasta Ventures, an early-stage venture capital firm focused on enterprise software and security.
Even so, warning signs do exist, and they clearly signal a hard stop to investors.
"There are a handful of red flags for me that steer my attention away from investments. It starts with a startup asking for crazy valuations," says Deepak Jeevankumar, managing director at Dell Technologies Capital. "You can't ask for Snowflake-like multiples without similar SaaS metrics to justify them."
Ignore the red flags at your peril, for the market teaches harsh lessons to investors and companies alike.
"The industry can be an unforgiving place for companies and investors alike if the quality of their products isn't clear for all to see," says Maxim Manturov, head of investment research at Freedom Finance Europe, a European subsidiary of the Nasdaq-traded Freedom Holding Corp (FRHC). "This makes questionable technological frameworks a red flag for investors."
It's all well and good that investors and venture capitalists are honing their algorithms and investment processes to ensure better returns. But this also means that cybersecurity firms seeking financial backing must address red-flag issues before investors spot them.
Here are seven red flags that signal investors to pass on your company.
1. Founders with black-hat hacking histories. The problem lies with an absence of trust.
"Black-hat cybersecurity experience can be valuable for cybersecurity companies and can lead to standout products. However, we invest in founders as much as in companies, and we value the integrity of the founders we invest in," says David Magerman, managing partner at seed stage funder Differential Ventures. "We don't want to reward bad behavior with our investing, and we also want to believe we can trust the integrity of our founders through our relationship with them."
2. Trend chasers. Turns out that investors prefer substance over style.
"As early-stage investors, we look at companies with staying power and secular trends," says Chopra. "I tend to shy away from companies that are ambulance-chasing the latest breach in the news and tend to gravitate toward companies that are building towards solving fundamental problems in security."
3. A focus on lesser security concerns. Align your focus on the market with metrics that justify your approach.
"For example, IoT/OT security has long, inefficient sales cycles. The network perimeter is moving to the cloud, so a focus on network security doesn't justify high valuations," Jeevankumar says. "Threat intelligence, while important, is just a feature for other products, like SASE, XDR, or API security. In other words, if a startup isn't focused on major security concerns such as cloud security, DevOps, work-from-home, or zero trust, I am much less likely to invest."
4. A solution in search of a problem. It's important that your product actually solves a real-world problem.
"There are a ton of companies out there that monitor or assess or analyze, but very few that actually alert and then fix a cyber-risk or attack," says Stephen Rodriguez, venture partner at Refinery Ventures, which focuses on investing in the information technology, digital health, and human capital technology sectors. "This is crucially important as in the event of a cyberattack, [when] the attackers are able to move far too fast for a software solution that heavily relies on humans to react."
5. Heavy reliance on products developed by ex-military or ex-government people. It may be a great product, but will it sell?
"Often these are people who aren't tested properly by a market environment," says Sameet Mehta, managing general partner at Granite Hill Capital Partners. "With the right connections and corruption, they might get lucky with government contracts, but often those companies really don't have any capability of running a real P&L."
6. Offensive, rather than defensive, solutions. Investors aren't sold on the value of white-hat attacks.
"Many investors hesitate to invest in offensive solutions, and it is our policy to avoid them entirely," says Ofer Schreiber, partner and head of the Israel office at YL Ventures. "We invest exclusively in defensive B2B cybersecurity solutions — a sector that is full of promise without ethical qualms and far less potential controversy."
7. Products that add bloat to stacks. For all the advancements made to date, there's just too many disparate tools in stacks already.
"Security decision-makers are gravitating toward solutions that consolidate security over bloated stacks of disparate tools. This is swallowing up smaller startups that focus on point solutions, and larger industry heavyweights are acquiring and merging with other cybersecurity startups to become industry giants," says Schreiber.
The Way Forward
Bottom line, investors are looking to invest in cybersecurity companies that firmly pin their vision and innovations to real-world needs and have the metrics to prove they can deliver.
"We expect the teams who approach us to build out large visions that can compete in a market of giants," Schreiber says. "We are looking for entrepreneurs motivated enough to disrupt a big market and make a real change — this requires stamina, passion, grit, competitiveness, and vision. Lacking any of these will give us serious pause and shake our confidence in their ability to see their vision through."