Software supply chain security startup Lineaje today announced that it has raised $7 million in a seed funding round led by Tenable Ventures.
Dreamit Ventures and Veear Capital also participated in the investment round, along with various angel investors.
Founded in 2021, the Saratoga, California-based company helps organizations secure their software supply chain, regardless of whether they are the developers, suppliers, or users of software.
Lineaje’s SB0M360 software supply chain management solution can identify all the components of software, along with their dependencies, to assess the supply chain authenticity and identify potential compromise.
Lineaje’s platform manages over 150,000 software bills of materials (SBOMs) across custom applications, open source software, commercial off-the-shelf (COTS) solutions, mobile applications, and containers.
The company is also assisting Tenable Ventures in building shareable data models to improve runtime security and mitigate weaknesses in deployed software.
The funding will allow Lineaje to accelerate go-to-market operations, expand its employee base, and invest in research and development.
Industrial control systems (ICS) cybersecurity company Opscura announced its launch on Tuesday with $9.4 million in Series A funding.
Opscura is a new brand and the company has a new global management team, but it’s not new in the ICS cybersecurity sector. The company was founded in Spain as Enigmedia and it has been around for more than a decade.
Enigmedia co-founders Gerard Vidal and Carlos Tomás will serve as CTO and VP of engineering at Opscura, respectively. David Hatchell has been named Opscura’s CEO.
The new funding round, led by Anzu Partners with participation from Dreamit and Mundi Ventures, will be used for the company’s growth and expansion in the United States.
Opscura provides solutions designed to protect industrial networks by isolating, cloaking and authenticating sensitive assets and data in operational technology (OT) networks. Its cloaking technology obscures deep OT Level 2 network and Layer 2 data without disrupting operations.
The company says its solutions enable organizations to gain deep OT visibility, provide access control capabilities between IT and OT networks, provide protection for critical legacy endpoints, and help reduce the OT attack surface.
Opscura says its solutions are designed to complement the offerings of companies such as Nozomi Networks, Claroty and Fortinet.
The ICS security firm claims to have customers in the transportation, renewable energy, government, manufacturing and chemical sectors.
About SecurityWeek Cyber Insights |At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.
SecurityWeek Cyber Insights 2023 | Venture Capital – We are in a period of huge turmoil. Cybercrime is increasing and becoming more destructive, driven by better organized criminals and geopolitically active nation states. And many commentators believe there is a strong likelihood of a global recession before the end of 2023.
Here we have one simple question: how will these political/economic conditions affect venture funding for cybersecurity firms during 2023?
Background
The bad news in any economic downturn is that business suffers, profits dip, staff are laid off, and budgets are cut. The better news for cybersecurity vendors is that they are somewhat insulated from these effects. Cybercrime is more likely to increase than decrease during a recession, and business must retain a strong cybersecurity posture if they wish to survive. The demand for strong and proven security controls will continue.
At the same time, the availability of capital for investment in new and growing cybersecurity firms remains constant and high, and is largely unaffected by short term economic downturns. This available capital is known in the venture capital industry as ‘dry powder’ (capital that is available and ready for use).
None of this means that all cybersecurity vendors will survive the downturn, nor that all will remain profitable. At the very least, profits are likely to dip as business is forced to do more with less resources. Dry powder isn’t money to burn, and the venture capital industry will adapt its priorities for new and further investment to the current realities.
One area that will stand proud despite economic headwinds is the cloud. “Cloud software is the deflationary force enabling productivity in a high inflation environment. Cloud-native is not an option, it’s a necessity,” wrote Battery Ventures in its State of the OpenCloud 2022 report published in November 2022.
Dry powder
Dry powder is raised from the VC industries’ limited partners (LPs). These might be pension funds, endowments, family offices, sovereign wealth funds, and corporations. “Most funds operate on a ten-year lifecycle, with funds typically being deployed over the first four or five years of a fund’s life,” explains Sidra Ahmed, investment principal at Munich Re Ventures – explaining the continued availability of investment funds despite current economic conditions.
According to Pitchbook data, there was approximately $290 billion of cumulative dry powder committed to venture capital as of the first half of 2022. It is these funds that are called on when venture capitalists invest in companies. It must be said, of course, that VC’s dry powder isn’t committed solely to cybersecurity firms although cybersecurity remains a favored investment area.
Different VC organizations tend to specialize in different areas. For example, “YL Ventures raised its $400 million fifth fund at the beginning of 2022, dedicated exclusively to investing in Israeli cybersecurity startups,” explains Yoav Leitersdorf, managing partner at YL Ventures. “This fund has been used to invest in only a small number of companies to date, all of which are still in stealth, in line with our very disciplined strategy of investing strategically in a select number of exceptional startups.”
VC organizations try to use all the funds they get from their LPs – but not at any cost. They still need to demonstrate value to the LPs. Bad investments will lead to difficulties in raising new funds, while not using the funds raised is like a business unit not using its whole annual budget – it might lead to a lower budget next year.
The difficulty for cybersecurity firms in raising investment funds in 2023 will not be because the funds don’t exist, but because the VC firms will be taking more concern over where the funds are invested.
Effect of an economic downturn
“The pace of investing is certainly going to change,” comments Ahmed. “With more uncertainty around budgets and sales cycles, investors will spend more time assessing deals that are able to withstand a time of austerity – companies with critical productions and solutions will be prioritized. There will be a lot more scrutiny of deals, valuations, and co-investors. Investors will also be focused on supporting their own portfolios.”
Jake Heller, partner at KKR and head of tech growth equity Americas, believes the impact is unlikely to be felt evenly. “We have already seen the pullback in public markets affecting fundraising for some growth and early-stage companies,” he said. “In general, we expect the tightening of funding conditions to continue into 2023; however, we believe that capital will continue to be available to entrepreneurs and management teams who are able to effectively manage costs and allocate capital to growth opportunities with high potential for returns.”
Translated to the market, this all implies that startups don’t necessarily have sales targets that they can miss and can possibly ride out a recession before they need to show sustained profits; mid-growth companies seeking growth funding are likely to suffer with lower-than-expected profits and be less attractive to VCs; while established firms preparing for an IPO will likely need to survive the recession before proceeding.
“Market conditions had a dramatic impact on 2022 funding rounds, and we aren’t out of the woods yet,” says Leitersdorf. “The fallout is trickling from the top down. IPOs dropped this year from thousands to just over 100, the lowest number since 2016. There was a near stall in growth stages and a significant slowdown in Series C and D rounds, a steep decline in Series B rounds and a struggle to raise significant Series A rounds.”
In short, money is still available for attractive startups (seed and possibly A rounds), will require deeper consideration for growth equity (B, C and D rounds), and is much more difficult for pre-IPO companies (E rounds and above). In the last case, venture firms are looking closely at M&As to consolidate and strengthen their existing investments – but in all cases (apart from startups) venture firms will concentrate on further investments in their existing portfolios.
Outlook for startups
Leitersdorf remains upbeat on the prospects for investment in cybersecurity startups in 2023. “In today’s threat landscape, cybersecurity risks have become business risks. Organizations cannot afford to be lenient with threats to their assets, and executives now understand that security has a direct impact on their company’s reputation, business continuity and revenue,” he explains.
“Therefore, security will continue to be top-of-mind, as long as attacks continue to grow and evolve, demanding new and equally sophisticated security solutions. We see that investors are still eager to invest in the most promising startups in our industry with the greatest potential to lead their categories in the future. Capital will continue to flow to this necessary sector, as new and more challenging problem spaces continue to emerge.”
DataTribe, which describes itself as a cyber startup foundry (both an incubator and VC firm), is more circumspect. Funding will be harder, but potentially higher. John Funge, MD, explains, “Looking ahead, 2023 will be a slog for startups raising money. It will take longer for startups to complete next rounds as venture firms are both focusing more attention on their current portfolio as well as being more selective in new investments.”
He believes there will be fewer deals. “There will be a ‘flight to quality’ and the bar for attracting funding will be higher. Top startups that are hitting performance metrics will get funded at valuations not too far off historical. However, startups with a few words that previously would have gotten funded may find it hard to get funded at all — versus getting funded on less attractive terms.”
But he adds, “Historically, some of the most successful technology companies started during downturns. We don’t see it being any different this time around. It will be a tricky period to be a pre-IPO company, but likely an excellent time to be starting a new venture.”
Outlook for growth funding
Growth funding will become more difficult in 2023, and potentially more necessary. “We’ve already seen growth rounds plummeting in 2022, and this trend will most likely continue into 2023,” explains Leitersdorf. “Capital is available, but it will become increasingly expensive, and investors will prefer to use it in order to fuel innovative, early-stage startups that will require less capital at lower valuations.”
A particular problem for growth companies is in part historical. “The valuations of many growth-stage startups were significantly inflated in 2021 and were not based on sustainable growth metrics, revenue, or performance,” he continued. “Many of these growth-stage startups will be forced to raise funding in 2023 after scaling rapidly and burning through their capital in 2022. We, therefore, foresee an increase in growth rounds next year, most probably with unfavorable terms for founders, employees, and existing investors.”
But, adds Ahmed. “There is still a lot of capital available. Investors will be holding companies to their performance so we might see more down rounds into 2023.”
Bob Ackerman, founder of AllegisCyber and member of the board at DataTribe, agrees with this sentiment. “Undifferentiated and sub-critical mass cyber companies without truly compelling solutions are likely to be challenged as they go to the VC community for capital,” he said. “Investors will be materially more discriminating in the deployment of capital.”
Outlook for M&A consolidation
M&A activity has increased rapidly over the last few years. This trend will continue, driven by a number of different factors: desire among security users to consolidate their existing disparate security controls; a rush to the nearest exit point among startups; declining valuations making attractive targets; and a safe haven for further VC investments.
“The cybersecurity market is approaching bloated status,” comments Hank Thomas, CEO at Strategic Cyber Ventures. “There are too many vendors chasing the same dollars with similar technology. People in charge of purchasing decisions, often CISOs, are looking for more integrated security platforms and less point solution tools. PE firms and other later-stage investors are looking to bring in bigger players to serve as anchors for rollups and bolt on acquisitions.”
Will Lin, venture partner at Forgepoint Capital, agrees. “I believe that we’ll see security M&A significantly pick up in 2023. The main reason being that so many security companies have been created in the past couple of years. When so many of these companies, full of amazing talent, come up to the crossroads of M&A or raising their next round, I believe the market dynamics will re-shuffle in a way where M&A will be considered the best next step.”
Security vendors are seeking to support their users by consolidating point products from different vendors into integrated solutions from single vendors. “The rapid expansion of new security products has led to many organizations purchasing the ‘latest and greatest’ without having a strong integration plan in place,” explains Dave Gerry, CEO at Bugcrowd. “Without a clear deployment and integration plan, even the best security product will go underutilized. For the past few years, the industry has seen an incredible amount of M&A consolidation.”
This process will continue through 2023. “Security organizations are looking internally for ways to leverage existing tool sets or upgrade existing tool sets versus adding to their ever-growing technology stack,” he continued. “This growing need for security vendor consolidation will continue to be driven by both the cost of the security products and the limited internal resources to effectively operate the products.”
Ackerman agrees with this sentiment. “Investors will be materially more discriminating in the deployment of capital with a significant pick up in M&A activity as the market looks to consolidate point products into broader security platforms,” he suggests.
The second driver for M&A activity comes from the transition from early stage to growth requirements. Early stage is still attractive to investors — growth stage is more difficult. As startups burn through their early financing, they will find it more difficult to secure further growth funding — and may find an early exit an attractive option, bumping into the consolidation driver.
This process may be actively promoted by the VC industry. “A new wave of innovation is needed in the security industry. Things have become stale,” explains Thomas. “VC investment will still drive innovation since larger companies often lose the ability to innovate, especially in security. As a result, we will see large entities acquiring VC backed companies earlier as established PE backed platform companies make tuck in and bolt-on acquisitions to remain relevant.”
Leitersdorf expands on this possibility. “Large security vendors such as Microsoft, SentinelOne, Akamai, CrowdStrike, IBM, CyberArk and Okta are strengthening their corporate development divisions and doubling down on in-house investment funds (CVCs), looking for strong talent and tech,” he said. “These venture arms of large security vendors will most likely become increasingly active in both investments and M&A deals in the coming years and make the option of acquisition more attractive for struggling startups.”
One effect of a downturn in the economy is that company valuations are lowered. This is already happening, and is likely to get worse in 2023. On December 14, 2022, the Federal Reserve raised interest rates by half a point — and US stock markets fell. The intention was to put a curb on high inflation rates, but it simultaneously increases the likelihood of a recession in 2023.
If this happens, company valuations will go lower. This in turn will make companies with good products but reduced valuations an attractive target for larger companies with money — and of course VC firms. VC firms will likely be driven to use their dry powder on their own existing portfolios rather than look for different companies in which to invest.
The current market conditions look set to promote increasing M&A activity through 2023. “The current state of the global economy will also encourage hyperscalers to move toward an M&A cyber strategy,” summarizes Simon Chassar, CRO at Claroty. “Furthermore, start-ups will struggle as we see less investment from PE or VCs, therefore creating an opportunity for some of the larger cash-strong security control companies to gain market share at a relatively low price.”
What VCs look for…
2023 will be a year when the VC firms have money to invest, but the economic conditions will force them to be careful where they invest it. Cybersecurity will remain an attractive sector, but the security vendors will need to work harder to get new funding. Two questions come to mind: which security sectors are most attractive to the investors, and how do they choose a specific vendor?
Favored cybersecurity sectors
Heller believes that continuing digital transformation will provide new opportunities. “We believe that digital transformation, which has been accelerated by the global pandemic, will continue to create significant opportunities and challenges across industries and geographies,” he said. “These broader trends span new methods of collaboration, workforce transformation, cloud migration, automation and testing, supply-chain disruption, and digital adoption.”
Sidra says her firm is focusing on data and the threats it faces. “With rapid cloud adoption, companies are struggling to understand where their data sits and how to put sufficient security and controls around it.” Furthermore, she adds, “The penalties regarding sensitive data being breached are increasing at an exponential rate globally, making it even more of a priority for companies to be sufficiently protected.”
And there are new and still evolving threats to data. “As more companies adopt machine learning and analytical models to make data-driven decisions,” she continued, “there is now a need to protect data (and the models we build on the data) from being compromised. There are also questions around the validity of data and how to discern true data and information from coordinated disinformation campaigns and narratives.”
Leitersdorf adds identity to data as an area attractive to investors. “Malicious cyber actors have focused their most egregious attacks on two specific vectors in the past two years – data and identity,” he says. Attackers have leveraged the gaps, misconfigurations and problems surrounding credentials, identity, and access provisions to steal data. This will continue.
“Therefore,” he continued, “we have been focusing our attention on innovative security solutions that strive to tackle these problems and ensure that organizational security postures are strengthened accordingly.”
Favored companies
While different VCs may be attracted to different cybersecurity sectors, they must still choose which individual companies to support. “A large part of the decision is based on the management team and our perception of its ability to execute on the vision effectively, and evolve that vision over time,” said Ahmed. “Other criteria include tech differentiation, product vision, competition, size of market and TAM [total addressable market], and path to exit.”
Leitersdorf takes an almost identical stance. “The technology must be remarkable, deep, and innovative – that’s a given. However, even the most groundbreaking idea and cutting-edge tech won’t develop into a top-tier startup without an exceptional team,” he explained.
“We invest in strong teams that combine determination, talent, and an unrelenting passion for solving the most acute problem spaces in cybersecurity. The cybersecurity market is saturated with startups solving niche problems, and we’re looking for founders that stand out, go big and break the mold.”
The same goes for Heller. “Once we have found a sector we like, we generally look for companies that are market leaders or have a real competitive advantage. Cultural fit and alignment is also very important to us and in many cases, we have built relationships with the entrepreneurs and management teams we’re investing in over multiple years.”
The basic conclusion is that prospective vendors won’t get consideration without an excellent product in an expanding or vital sector. But where two attractive companies exist, the one with the stronger management team is more likely to succeed.
Summary
Acquiring venture capital in 2023 may be more difficult than it has been in recent years, but it remains viable and available. “In 2023, cyber will be softer but will remain a bright spot for investing,” explains Funge. “Compared to the nearly 24% year-on-year decline in deal activity across all verticals, cyber deal activity across all investment stages is down only 3%.”
What will change most is the decision-making process of the VC firms. They will still wish to invest, and probably at the same overall levels they have been investing. But fears of bad investments in a down economy will make them concentrate on areas that give them the greatest confidence. This may mean more money going to fewer companies. While B, C and D rounds might be left with difficult, declined, or down rounds. seed and startup A rounds might reach new heights. Any money left over will be focused into M&A.
About SecurityWeek Cyber Insights |At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.
Cyberinsurance and protection firm Boxx Insurance has raised $14.4 million in a Series B funding round that brings the total investment in the company to $24.5 million.
Led by Zurich Insurance, the new funding round comes hot on the heels of Boxx acquiring cyber threat intelligence platform Templarbit in November 2022, only two months after completing its Series A investment round.
Founded in 2018, the Toronto-based Boxx Insurance provides small businesses with cyber threat prediction and prevention capabilities, combined with third-party cyber insurance. The solutions are also tailored for connected households.
The company offers the tools and training necessary to increase digital resilience, along with backup, cyber monitoring, and managed firewall capabilities to prevent cyberattacks.
Boxx says it is now protecting 10,000 businesses and over 250,000 individuals. The company has offices in Canada and the US, and has grown its employee base from 5 to 36 in the last year.
Boxx Insurance’s offer is similar to that of Guardz, which emerged from stealth mode this week with $10 million in seed funding.
Guardz today emerged from stealth mode with $10 million raised in a seed funding round led by Hanaco Ventures, with additional investment from iAngels, Cyverse Capital, and GKFF Ventures.
Founded in May 2022, the Tel Aviv, Israel-based startup has developed a platform designed to protect small and growing businesses from cyberattacks, and it also helps them obtain cyberinsurance from third parties.
Guardz’s platform covers devices, email, identity, web browsing, and cloud applications, and the company also helps organizations train employees to identify phishing and other types of malicious messages.
The platform continuously monitors an organization’s internal and external digital footprint to provide real-time protection, and allows administrators to immediately take action when necessary, from a single dashboard.
According to Guardz, by providing comprehensive cybersecurity protection, its platform also makes cyberinsurance available to companies that were previously ineligible.
The solution is also offered to managed services providers (MSPs).
The startup plans to invest the new funding in platform expansion, the cyber insurance line of business, and go-to-market distribution channels.
Forward Networks, a company that specializes in security and reliability solutions for large enterprise networks, has raised $50 million in a Series D funding round.
The funding round, which brings the total invested in the company to more than $110 million, was led by MSD Partners, with participation from Section 32, Omega Venture Partners, Goldman Sachs Asset Management, Threshold Ventures, A. Capital and Andreessen Horowitz.
Forward Networks’ product creates a digital twin of the customer’s network, helping them gain insights that can be used to make better decisions and improve their network’s security, compliance and health. The platform supports AWS, Google Cloud Platform, and Microsoft Azure.
For network security, the company’s platform provides attack surface management, vulnerability management and security posture management capabilities.
Forward Networks claims to have quadrupled its customer base since 2019 and achieved an ARR growth of 139% from 2021 to 2022.