Cyber security training platform Immersive Labs closes $75M Series C led by Insight Partners

Immersive Labs, a platform which teaches cyber security skills to corporate employees by using real, up-to-date threat intelligence in a “gamified” way, has closed a $75 million Series C funding round led by new investor Insight Partners alongside Menlo Ventures, Citi Ventures and existing investor Goldman Sachs Asset Management.

The investment will be used to scale Immersive’s offering in the US and take advantage of the new wave of interest in cyber threats caused by so many people working remotely, post-pandemic. Founded in 2017, Immersive Labs now has 200 people, with joint operations HQs in Bristol, UK, and Boston, US. It plans to raise headcount to over 600 in the next two years and establish operations in new regions throughout APAC and Europe. Immersive’s ‘Cyber Workforce Optimization’ platform claims to offer board-level metrics and benchmarking to gauge how well the skills inside an organization are keeping up.

Immersive has now raised a total of $123m in venture funding and counts HSBC, Vodafone, and the NHS as customers. The company says it is growing at “over 100% year-on-year”.

James Hadley, CEO and founder of Immersive Labs, said: “With cyber risk becoming a problem for a growing number of business functions, cybersecurity knowledge and skills should no longer be the preserve of a few technical people hidden away in a back office. Everyone from the teams who build software, to the CEO, now needs to play their part in addressing a pervasive company issue. This requires unlocking and evidencing skills in a much broader group of people.”

Ryan Hinkle, managing director at Insight Partners, said: “With significant global customer and revenue growth over the last few years, Immersive Labs has established a strong position in the fast-developing cyber skills space. With influential leadership, an innovative product in a growing market, and strong user engagement, the company is in a position to continue to lead the cyber readiness market.”

Speaking to me in an interview, Hadley added: “We chose Insight Partners because they’ve got a real strength in enterprise B2B which is where we sell to CIOs and CEOs… We want to be the next Darktrace in terms of a successful UK cybersecurity company.”

The comparison might not be that fanciful. Immersive Labs came out of the CYLON cyber accelerator, as Darktrace did, shares investors with Darktrace, and has in fact attracted $75m for its Series C, a level Darktrace didn’t reach until its Series D. Darktrace has now IPO’d in London for £1.7bn.

Hadley, a former GCHQ security researcher and trainer, came up with the idea for the cyber skills platform while leading cyber training himself. I asked him why he thinks Immersive has managed to come up with a ‘flywheel effect’ with its platform.

“People always talk about all the cyber threats getting worse, but it really is now and it’s in the public domain. We’ve got a strong belief that cybersecurity is no longer the responsibility of the geeks in the basement. Actually, it’s business-wide. And now the tidal wave is coming. Cybercrime is going to go off the scale this year and next because companies are paying the ransoms. And as a result of that, we’re putting in analytics to measure decision-making in a crisis. It’s just resonating really well with every company regardless of CIO or vertical,” he told me.

Hackers are targeting employees returning to the post-COVID office

With COVID-19 restrictions lifting and employees starting to make their way back into offices, hackers are being forced to change tack. While remote workers have been scammers’ main target for the past 18 months due to the mass shift to home working necessitated by the pandemic, a new phishing campaign is attempting to exploit those who have started to return to the physical workplace.

The email-based campaign, observed by Cofense, is targeting employees with emails purporting to come from their CIO welcoming them back into offices.

The email looks legitimate enough, sporting the company’s official logo in the header and carrying a signature that spoofs the CIO. The bulk of the message outlines the new precautions and changes to business operations the company is taking in relation to the pandemic.

If an employee were to be fooled by the email, they would be redirected to what appears to be a Microsoft SharePoint page hosting two company-branded documents. “When interacting with these documents, it becomes apparent that they are not authentic and instead are phishing mechanisms to garner account credentials,” explains Dylan Main, threat analyst at Cofense’s Phishing Defense Center.

If a victim does interact with either document, a login panel appears and prompts them to enter login credentials to access the files.

“This is uncommon among most Microsoft phishing pages where the tactic of spoofing the Microsoft login screen opens an authenticator panel,” Main continued. “By giving the files the appearance of being real and not redirecting to another login page, the user may be more likely to supply their credentials in order to view the updates.”

Another technique the hackers are employing is fake credential validation. The first few times login information is entered into the panel, the result is an error message stating: “Your account or password is incorrect.”

“After entering login information a few times, the employee will be redirected to an actual Microsoft page,” Main says. “This gives the appearance that the login information was correct, and the employee now has access to the OneDrive documents. In reality, the threat actor now has full access to the account owner’s information.”
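The lure described above combines two observable signals: a display name impersonating an executive (the CIO) on a message sent from outside the organisation, and links that present themselves as SharePoint or OneDrive but resolve to a host that is not Microsoft’s. The following mail-triage script is an added example written for this article, not code from Cofense or the campaign itself; the organisation domain, the CIO’s display name and both sample messages are constructed assumptions.

```python
"""Triage heuristics for the 'welcome back to the office' credential lure.

Flags a message when (a) the From display name matches an executive's name but
the sender address is outside the organisation, or (b) the body talks about a
Microsoft document share while its links point at a non-Microsoft host.
Added example; all names, domains and messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"            # assumption: the defended organisation's mail domain
EXEC_NAMES = {"jane doe"}             # assumption: the CIO's display name, lower-cased
# Hosts that legitimately serve Microsoft document shares (suffix match).
MS_SUFFIXES = (".sharepoint.com", ".microsoft.com", ".office.com",
               ".microsoftonline.com", ".live.com", ".onedrive.com")
SHARE_WORDS = re.compile(r"sharepoint|onedrive|office\s*365", re.I)
LINK_RE = re.compile(r"""https?://[^\s<>"']+""")


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_microsoft_host(host):
    """True when the host is a Microsoft share domain or a subdomain of one."""
    host = host.lower()
    bare = tuple(s[1:] for s in MS_SUFFIXES)
    return host.endswith(MS_SUFFIXES) or host in bare


def triage(raw_message):
    """Return {'suspicious': bool, 'reasons': [...]} for one RFC 822 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    reasons = []

    # Signal 1: executive display name, external sender domain.
    if display.strip().lower() in EXEC_NAMES and domain_of(addr) != ORG_DOMAIN:
        reasons.append(f"display name '{display}' impersonates an executive "
                       f"but sender domain is '{domain_of(addr)}'")

    # Signal 2: body claims a SharePoint/OneDrive share, link goes elsewhere.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if SHARE_WORDS.search(body):
        for link in LINK_RE.findall(body):
            host = urlparse(link).hostname or ""
            if not is_microsoft_host(host):
                reasons.append(f"share lure links to non-Microsoft host '{host}'")

    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed sample: the lure pattern (executive name, external domain, fake share).
LURE = """\
From: "Jane Doe" <jane.doe@example-mail.net>
To: staff@example.com
Subject: Welcome back to the office

Please review the updated safety precautions on SharePoint:
https://docs.example-share.net/sharepoint/ReturnToOffice.pdf
"""

# Constructed sample: a legitimate internal announcement with a real share link.
LEGIT = """\
From: "Jane Doe" <jane.doe@example.com>
To: staff@example.com
Subject: Welcome back to the office

The return-to-office guide is on SharePoint:
https://example.sharepoint.com/sites/hr/ReturnToOffice.pdf
"""

if __name__ == "__main__":
    for name, raw in (("LURE", LURE), ("LEGIT", LEGIT)):
        print(name, triage(raw))
```

Neither signal is proof on its own: an executive may mail from a personal address, and a vendor portal may legitimately mention SharePoint. Feeding both reasons into a quarantine-and-review queue rather than an automatic block keeps the false-positive cost low while still catching the combination this campaign relies on.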

While this is one of the first campaigns that’s been observed targeting employees returning to the workplace (Check Point researchers uncovered another last year), it’s unlikely to be the last. Both Google and Microsoft, for example, have started welcoming staff back to office cubicles, and some 75% of executives expect that at least 50% of employees will be back working in the office by July, according to a recent PwC study.

Threat actors typically adapt to exploit the global environment. Just as the shift to mass working over remote connections led to an increase in the number of attacks attempting to exploit remote login credentials, it’s likely the number of attacks targeting on-premise networks and office-based workers will continue to grow over the coming months.

Brazil’s Positive Ventures closes on $10M fund for impact investing

Positive Ventures, a Sao Paulo-based venture firm, has secured $10 million for its latest fund.

Positive Ventures has raised the capital from an impressive list of LPs, including investor Luis Stuhlberger, founding partner of Verde Asset Management, and Teresa and Cândido Bracher; Cândido Bracher was the chairman of Itaú-Unibanco, Brazil’s largest bank.

The Brazilian venture firm’s self-described mission is to “invest in startups where every dollar of revenue is also delivering environmental or social impact.”

I spoke with co-founder and co-CEO Fabio Kestenbaum who emphasized the importance of such an investment strategy in a country like Brazil that has had its share of corruption over the years. (Kestenbaum co-founded the firm with Andrea Oliveira and Bruna Constantino).

Positive Ventures prides itself on being guided by the United Nations as part of its Global Compact initiative. It also has a top-tier B Impact Score, meaning that, as a B Corp that makes impact part of its core strategy, it’s doing pretty darn good.

The firm’s sweet spot is early-stage — Seed and Series A — ventures “that can deliver outsized impact and financial return,” according to Kestenbaum. Its average investment size is $500,000, but the firm can go up to $1.5 million in follow-on rounds. 

Positive Ventures seeks to back impact-oriented early-stage companies “building breakthrough solutions to tackle massive challenges related to inequality and climate change.”

Partner and CIO Murilo Johas Menezes is based out of the Bay Area and leads the firm’s offshore strategy and investments in companies.

Investments

Positive Ventures is sector agnostic but keeps three impact megatrends in mind when sourcing deals:

  • Planetary Boundaries, such as recycling, carbon and sustainable systems
  • Social Resilience, such as financial services, credit and workforce upskilling
  • Institutional Voids, focused on emerging economies’ most pressing challenges such as education, health and rising technologies.

“If you want to bring private capital to the game to help address social and environmental challenges, we have to reward this capital,” Kestenbaum told me in a previous interview. “As such, we recognize that we have to invest in good businesses that can provide financial returns as well.”

So far, Positive Ventures has backed five companies from its new fund.

One of its first investments, Labi Exames, went on to become a “yardstick for fighting Covid in Brazil,” Kestenbaum said, by delivering a fair-priced and quality alternative to test millions of uninsured low-income families in vulnerable communities.

Labi helped support companies in reopening safely by continually testing their workforce. 

“This hybrid value proposition made Labi the most admired health tech in Brazil and resulted in MRR growth beyond 600%, accelerating their Series B, which will happen in the upcoming months,” Kestenbaum noted.

Another cornerstone investment for Positive Ventures was Slang, an AI-driven app tackling English illiteracy in Latin America, backed by Chamath Palihapitiya of Social Capital and Mexico’s AllVP.

“Less than 3% of Brazilians speak English with proficiency, and such a void hammers their chances to get a decent job and improve income,” Kestenbaum said. “The same happens in all LATAM’s countries.”

Positive Ventures recently went on to close its largest investment thus far — in Provi, a B-Certified fintech providing education-driven loans to enable upskilling and employability for LATAM’s workforce, starting in Brazil. The company’s mission is to revolutionize education by delivering hassle-free and impact-oriented credit.

Provi has pioneered income-share agreements (ISAs) in the region and already generated over $30 million in credit, most of which will go toward technology and healthcare courses.

Next up for Positive Ventures is a $30 million growth fund.

Woven adds to its calendar app’s $20/mo premium plan

Productivity software has had a huge couple of years, yet for all of the great note-taking apps that have launched, consumers haven’t gotten a lot of quality options for Google Calendar replacements.

This week, Woven, a calendar startup founded by former Facebook CIO Tim Campos, is shaking up the premium tier of its scheduling software, hoping that productivity-focused users will pay to further optimize the calendar experience just as they have paid up for subscription email services like Superhuman and note-taking apps like Notion.

There’s been a pretty huge influx of investor dollars into the productivity space which has shown a lot of promise in bottoms-up scaling inside enterprises by first aiming to sell their products to individuals. Woven has raised about $5 million to date with investments from Battery Ventures, Felicis Ventures and Tiny Capital, among others.

“Time is the most valuable asset that we have,” Campos told TechCrunch. “We think there’s a real opportunity to do much more with the calendar.”

Their new product will help determine just how much demand there is for a pro-tier calendar that tries harder to make life easier for professionals than Google Calendar or Outlook Calendar does. The new product, which is $20 per month ($10 during an early access period if you pay for a year), builds on the company’s free tier, giving users a handful of new features. There’s still quite a bit of functionality in the free tier, which is sticking around, but the lack of multi-account support is one of its big limitations.


The core of Woven’s value is likely its Calendly-like scheduling links, which allow single users to quickly show when they’re free, or give teams the ability to eliminate back-and-forth entirely when scheduling meetings by scanning everyone’s availability and suggesting times that are uniformly available. In this latest update, the startup has also launched a new feature called Open Invite, which allows users to blast out links to webinars that recipients can quickly register for.

One of Woven’s top features is probably Smart Templates which aims to learn from your habits and strip down the amount of time it takes to organize a meeting. Selecting the template can automatically set you up with a one-time Zoom link, ping participants for their availability with Woven’s scheduling links and take care of mundane details. Now, the titles automatically update depending on participants, location or company information as well. While plenty of productivity happens on the desktop, the startup is trying to push the envelope on mobile as well. They’ve added an iMessage integration to quickly allow people to share their availability and schedule meetings inside chat.

The product updates arrive soon after the announcement of the company’s Zoom “Zapp,” which shoves the app’s functionality inside Zoom and will likely be a big sell to new users.


Where top VCs are investing in digital health

The world of healthcare has notoriously been described as “broken” — plagued with high-friction workflows, sky-high costs and convoluted business models.

Over the past several years, a long list of innovative startups and salivating venture investors have pinned their focus on repairing the healthcare industry, but its digital transformation still appears to be in the very early innings. After a record-setting 2018, however, digital health investing continued to reach meteoric heights in 2019.

Mammoth pools of capital have flooded into various sub-verticals and business models, backing collections of new B2B and B2C companies focused on optimizing healthcare workflows, improving healthcare access and offering lower-cost distribution models. Over the past two years, digital health startups have raised well over $10 billion in funding across nearly 1,000 deals, according to data from Pitchbook and Crunchbase.

As we close out another strong year for innovation and venture investing in the sector, we asked nine leading VCs who work at firms spanning early to growth stages to share what’s exciting them most and where they see opportunity in the sector:

Participants discuss trends in digital therapeutics, telehealth, mental health and the latest in biotech and medical devices, while also diving into startups improving medical practitioner efficiency, evaluating the evolving regulatory environment and debating valuations and offering a ‘temp check’ on the market for digital health startups leveraging ML.

Annie Case, Kleiner Perkins

Although Kleiner Perkins has a long history of investing in iconic health companies, we believe it is still the early innings of digital health as a category today.

When I evaluate new opportunities in the space, I often start by thinking through how the company will move the needle on cost, quality, and access to care — the “iron triangle” of health care systems. Conventional wisdom has been that it’s impossible to improve all three dimensions simultaneously, but we are seeing companies leverage technology to shift this paradigm in meaningful ways.

It’s no longer just a promise. For example, Viz.ai is using artificial intelligence to detect and alert stroke teams to suspected large vessel occlusion strokes, enabling patients to get treatment faster. Their workflows improve access to life-saving care, deliver higher quality through reduced time to treatment (every minute counts as ‘time is brain’ in stroke care), and dramatically reduce the costs associated with long-term disability.

We are also seeing companies provide this type of tech-enabled care outside of the hospital setting. Modern Health is a mental health benefits platform that employers are making available to their employees. The platform triages individual employees to the right level of care, providing clinical care to those with diagnosable depression or anxiety, and making self-guided or preventative care available to everyone else. Their solution improves quality and access by offering mental health services to every employee and reduces the cost associated with untreated mental illness, lost productivity, or employee churn.

Heading into 2020, we’re eager to back digital health companies in new areas that leverage technology to impact cost, quality, and access. A few spaces that I’m excited about are behavioral health (mental health, substance abuse, addiction, etc), care navigation, digital therapeutics, and new models integrating telehealth, remote care and AI to better leverage medical professionals’ time.

Zavain Dar and Adam Goulburn, Lux Capital

Below are some thoughts and coming predictions on health tech broadly:

  1. Digital therapeutics continue to pick up steam — on the back of Pear and Akili, more companies push to FDA and enter the market. In addition, broader consumer platforms like Calm and Headspace look to broaden their offerings by investigating clinical approvals.
  2. At least one major pharma looks to expand its consumer surface area by acquiring one of the new digital, consumer-facing generics platforms (e.g. Hims, Ro, NuRx).
  3. Venture funding for biotech continues to boom with at least three Series A’s of $100M or more in size.
  4. Drug discovery for neurodegeneration sees a renaissance. High-profile failings of Biogen and the beta-amyloid hypothesis see a shift of innovation to early-stage biotech and venture creation.
  5. Big pharma has its DeepMind moment acquiring at least one machine-learning (AI) enabled drug discovery company.
  6. Clinical trial tech investments heat up; new companies and technologies emerge to make trials patient-first, and systems get smarter at finding the right patients at their point of care; large incumbents like IQVIA, LabCorp and PPD get acquisitive.
  7. At least three traditional Sand Hill Road tech venture firms open life science practices or raise dedicated funds.
  8. Machine learning targets chemistry driven by large advancements in transformer (NLP) models; has the time for computational chemistry finally come?
  9. HCIT sees a renaissance driven by increased CIO responsibility towards data interoperability. Companies either working on federated ML to allow systems to speak to each other or lightweight edge applications enabling rapid clinical deployment will see quick uptake and traction, until now impossible in HC.

Kristin Baker Spohn, Charles River Ventures (CRV)

In the last 10 years, digital health has exploded. Over $16B has been invested in the sector by VCs and we’ve seen IPOs from Livongo, Progyny and Health Catalyst, just in the last year alone. That said, there’s still a lot that mystifies people about the sector — there are spots that are overheated and models that will struggle to deliver venture scale outcomes. I’ve seen digital health evolve first hand as both an operator and investor, and I’m more excited than ever about the future of the space.

A few areas and trends that I’ve been following recently include:

Algorithmia raises $25M Series B for its AI automation platform

Algorithmia, a Seattle-based startup that offers a cloud-agnostic AI automation platform for enterprises, today announced a $25 million Series B funding round led by Norwest Partners. Madrona, Gradient Ventures, Work-Bench, Osage University Partners and Rakuten Ventures also participated in this round.

While the company started out five years ago as a marketplace for algorithms, it now mostly focuses on machine learning and helping enterprises take their models into production.

“It’s actually really hard to productionize machine learning models,” Algorithmia CEO Diego Oppenheimer told me. “It’s hard to help data scientists to not deal with data infrastructure but really being able to build out their machine learning and AI muscle.”

To help them, Algorithmia essentially built out a machine learning DevOps platform that allows data scientists to train their models on the platform and with the framework of their choice, bring it to Algorithmia — a platform that has already been blessed by their IT departments — and take it into production.

“Every Fortune 500 CIO has an AI initiative but they are bogged down by the difficulty of managing and deploying ML models,” said Rama Sekhar, a partner at Norwest Venture Partners, who has now joined the company’s board. “Algorithmia is the clear leader in building the tools to manage the complete machine learning lifecycle and helping customers unlock value from their R&D investments.”

With the new funding, the company will double down on this focus by investing in product development to solve these issues, but also by building out its team, with a plan to double its headcount over the next year. A year from now, Oppenheimer told me, he hopes that Algorithmia will be a household name for data scientists and, maybe more importantly, their platform of choice for putting their models into production.

“How does Algorithmia succeed? Algorithmia succeeds when our customers are able to deploy AI and ML applications,” Oppenheimer said. “And although there is a ton of excitement around doing this, the fact is that it’s really difficult for companies to do so.”

The company previously raised a $10.5 million Series A round led by Google’s AI fund. Its customers now include the United Nations, a number of U.S. intelligence agencies and Fortune 500 companies. In total, over 90,000 engineers and data scientists are now on the platform.

As threats proliferate, so do new tools for protecting medical devices and hospitals

Six months after an episode of “Homeland” showed hackers exploiting security vulnerabilities in the (fictional) Vice President’s pacemaker, Mike Kijewski, the founder of a new startup security company called Medcrypt, was approached by his (then) employers at Varian Medical Systems with a unique problem. 

“A hospital came to the company and said we are treating a patient and a nation-state may attempt to assassinate the patient that we’re treating by using a cybersecurity vulnerability in a medical device to do it,” Kijewski recalled.

At the time, there were no universal solutions to those types of security threats — so companies were left to cobble together one-off solutions for their devices, which is what Kijewski’s former employer likely attempted to do.

Ever since, Kijewski has been obsessed with the security holes that exist in the foundation of the healthcare industry’s practice — the devices used to diagnose and treat patients.

“My partner Eric Pancoast and I looked into the problem of medical device cybersecurity and we found two things,” says Kijewski. “Number one there were no regulations forcing medical device companies to use cybersecurity protections at all. Number two, any given company has only one core competency — maybe two. And are medical device vendors going to have cryptography and cybersecurity competencies?”

Medcrypt was launched in 2016 to ensure that medical device manufacturers wouldn’t need to be cryptographic experts. The company is graduating from the latest batch of Y Combinator (after raising a $3 million seed round from Eniac Ventures and other investors) with a pitch to secure medical devices using just a single line of code.

It’s a technological necessity thanks to new guidelines from the Food and Drug Administration requiring medical devices to include security features like encryption, signature verification, and intrusion detection.

By inserting a single line of code into the software of a device, Medcrypt can provide the security manufacturers need at the device level, according to Kijewski.

The company not only encrypts the data on the device but also provides intrusion detection by analyzing medical device metadata to identify standard device behaviors and deviations from them, Kijewski said.

Medcrypt is one of a growing number of startups that are securing medical devices and hospital networks as the threats to the healthcare system proliferate.

Other startups are working on protecting hospital networks, among them Medigate, founded by former Israeli Defense Forces officers, which just raised $15 million from investors including YL Ventures and US Venture Partners, and Cylera, which is backed by Samsung Next and launched from the DreamIT healthcare accelerator.

By 2017, Beckers Health IT and CIO Report counted over 107 technology companies pitching cybersecurity solutions to healthcare practitioners and medical device manufacturers.

It’s little wonder so many companies are pouring in to close the (data) breach in healthcare, given the scope of the problem.

A 2018 report from Experian cited by U.S. News indicated that 233 breaches were reported to the Department of Health and Human Services, media, or state attorneys general in the period from January to June 2017. And for the 193 attacks where the scope of the breach was calculated, roughly 3.2 million patient records were affected.

Experian predicts healthcare cybersecurity spending will be a $65 billion industry by 2021.

Still, some of the security problems that hospitals face can be solved with some fairly basic updates. Indeed, perhaps the most critical — and the one that left hospitals most exposed — is just ensuring that their technology can accept patches and security upgrades. Many of the attacks that crippled health networks came down to an inability to upgrade their Windows operating systems.

Sometimes, all it takes is tightening the screws to make sure the machines don’t fall apart.

“Connected medical devices — from patient monitors, MRIs and CAT scanners to infusion pumps and yet-to-be invented devices — are critical to the delivery of healthcare today and are revolutionizing the care of tomorrow,” said YL Ventures founder Yoav Leitersdorf in a statement announcing Medigate’s 2017 financing. “These devices are inherently different from traditional IT endpoints and can’t be protected by currently available products and practices. With the pandemic of cyberattacks targeting healthcare providers, far too many connected devices are left vulnerable and exposed, putting patient health and privacy at risk.”


After twenty years of Salesforce, what Marc Benioff got right and wrong about the cloud

As we enter the 20th year of Salesforce, there’s an interesting opportunity to reflect back on the change that Marc Benioff created with the software-as-a-service (SaaS) model for enterprise software with his launch of Salesforce.com.

This model has been validated by the annual revenue stream of SaaS companies, which is fast approaching $100 billion by most estimates, and it will likely continue to transform many slower-moving industries for years to come.

However, for the cornerstone market in IT — large enterprise-software deals — SaaS represents less than 25 percent of total revenue, according to most market estimates. This split is even evident in the most recent high profile “SaaS” acquisition of GitHub by Microsoft, with over 50 percent of GitHub’s revenue coming from the sale of their on-prem offering, GitHub Enterprise.  

Data privacy and security is also becoming a major issue, with Benioff himself even pushing for a U.S. privacy law on par with GDPR in the European Union. While consumer data is often the focus of such discussions, it’s worth remembering that SaaS providers store and process an incredible amount of personal data on behalf of their customers, and the content of that data goes well beyond email addresses for sales leads.

It’s time to reconsider the SaaS model in a modern context, integrating developments of the last nearly two decades so that enterprise software can reach its full potential. More specifically, we need to consider the impact of IaaS and “cloud-native computing” on enterprise software, and how they’re blurring the lines between SaaS and on-premises applications. As the world around enterprise software shifts and the tools for building it advance, do we really need such stark distinctions about what can run where?


The original cloud software thesis

In his book, Behind the Cloud, Benioff lays out four primary reasons for the introduction of the cloud-based SaaS model:

  1. Realigning vendor success with customer success by creating a subscription-based pricing model that grows with each customer’s usage (providing the opportunity to “land and expand”). Previously, software licenses often cost millions of dollars and were paid upfront, each year after which the customer was obligated to pay an additional 20 percent for support fees. This traditional pricing structure created significant financial barriers to adoption and made procurement painful and elongated.
  2. Putting software in the browser to kill the client-server enterprise software delivery experience. Benioff recognized that consumers were increasingly comfortable using websites to accomplish complex tasks. By utilizing the browser, Salesforce avoided the complex local client installation and allowed its software to be accessed anywhere, anytime and on any device.
  3. Sharing the cost of expensive compute resources across multiple customers by leveraging a multi-tenant architecture. This ensured that no individual customer needed to invest in expensive computing hardware required to run a given monolithic application. For context, in 1999 a gigabyte of RAM cost about $1,000 and a TB of disk storage was $30,000. Benioff cited a typical enterprise hardware purchase of $385,000 in order to run Siebel’s CRM product that might serve 200 end-users.
  4. Democratizing the availability of software by removing the installation, maintenance and upgrade challenges. Drawing from his background at Oracle, he cited experiences where it took 6-18 months to complete the installation process. Additionally, upgrades were notorious for their complexity and caused significant downtime for customers. Managing enterprise applications was a very manual process, generally with each IT org becoming the ops team executing a physical run-book for each application they purchased.

These arguments also happen to be, more or less, the same ones made by infrastructure-as-a-service (IaaS) providers such as Amazon Web Services during their early days in the mid-to-late ’00s. However, IaaS adds value at a layer deeper than SaaS, providing the raw building blocks rather than the end product. The result of their success in renting cloud computing, storage and network capacity has been many more SaaS applications than would ever have been possible if everybody had to follow the model Salesforce did several years earlier.

Suddenly able to access computing resources by the hour—and free from large upfront capital investments or having to manage complex customer installations—startups forsook software for SaaS in the name of economics, simplicity and much faster user growth.


It’s a different IT world in 2018

Fast-forward to today, and in some ways it’s clear just how prescient Benioff was in pushing the world toward SaaS. Of the four reasons laid out above, Benioff nailed the first two:

  • Subscription is the right pricing model: The subscription pricing model for software has proven to be the most effective way to create customer and vendor success. Years ago already, stalwart products like Microsoft Office and the Adobe Suite successfully made the switch from the upfront model to thriving subscription businesses. Today, subscription pricing is the norm for many flavors of software and services.
  • Better user experience matters: Software accessed through the browser or thin, native mobile apps (leveraging the same APIs and delivered seamlessly through app stores) have long since become ubiquitous. The consumerization of IT was a real trend, and it has driven the habits from our personal lives into our business lives.

In other areas, however, things today look very different than they did back in 1999. In particular, Benioff’s other two primary reasons for embracing SaaS no longer seem so compelling. Ironically, IaaS economies of scale (especially once Google and Microsoft began competing with AWS in earnest) and software-development practices developed inside those “web scale” companies played major roles in spurring these changes:

  • Computing is now cheap: The cost of compute and storage has been driven down so dramatically that there are limited cost savings in shared resources. Today, a gigabyte of RAM is about $5 and a terabyte of disk storage is about $30 if you buy them directly. Cloud providers give away resources to small users and charge only pennies per hour for standard-sized instances. By comparison, at the same time that Salesforce was founded, Google was running on its first data center, with combined total compute and RAM comparable to that of a single iPhone X. That is not a joke.
  • Installing software is now much easier: The process of installing and upgrading modern software has become automated with the emergence of continuous integration and deployment (CI/CD) and configuration-management tools. With the rapid adoption of containers and microservices, cloud-native infrastructure has become the de facto standard for local development and is becoming the standard for far more reliable, resilient and scalable cloud deployment. Enterprise software packaged as a set of Docker containers orchestrated by Kubernetes or Docker Swarm, for example, can be installed pretty much anywhere and be live in minutes.


What Benioff didn’t foresee

Several other factors have also emerged in the last few years that beg the question of whether the traditional definition of SaaS can really be the only one going forward. Here, too, there’s irony in the fact that many of the forces pushing software back toward self-hosting and management can be traced directly to the success of SaaS itself, and cloud computing in general:

  1. Cloud computing can now be “private”: Virtual private clouds (VPCs) in the IaaS world allow enterprises to maintain root control of the OS, while outsourcing the physical management of machines to providers like Google, DigitalOcean, Microsoft, Packet or AWS. This allows enterprises (like Capital One) to relinquish hardware management and the headache it often entails, but retain control over networks, software and data. It is also far easier for enterprises to get the necessary assurance for the security posture of Amazon, Microsoft and Google than it is to get the same level of assurance for each of the tens of thousands of possible SaaS vendors in the world.
  2. Regulations can penalize centralized services: One of the underappreciated consequences of Edward Snowden’s leaks, as well as an awakening to the sometimes questionable data-privacy practices of companies like Facebook, is an uptick in governments and enterprises trying to protect themselves and their citizens from prying eyes. Using applications hosted in another country or managed by a third party exposes enterprises to a litany of legal issues. The European Union’s GDPR law, for example, exposes SaaS companies to more potential liability with each piece of EU-citizen data they store, and puts enterprises on the hook for how their SaaS providers manage data.
  3. Data breach exposure is higher than ever: A corollary to the point above is the increased exposure to cybercrime that companies face as they build out their SaaS footprints. All it takes is one employee at a SaaS provider clicking on the wrong link or installing the wrong Chrome extension to expose that provider’s customers’ data to criminals. If the average large enterprise uses 1,000+ SaaS applications and each of those vendors averages 250 employees, that’s an additional 250,000 possible points of entry for an attacker.
  4. Applications are much more portable: The SaaS revolution has resulted in software vendors developing their applications to be cloud-first, but they’re now building those applications using technologies (such as containers) that help replicate the deployment of those applications onto any infrastructure. This shift to what’s called cloud-native computing means that the same complex applications you can sign up to use in a multi-tenant cloud environment can also be deployed into a private data center or VPC much more easily than was previously possible. Companies like BigID, StackRox, Dashbase and others are taking a private cloud-native-instance-first approach to their application offerings. Meanwhile SaaS stalwarts like Atlassian, Box, GitHub and many others are transitioning over to Kubernetes-driven, cloud-native architectures that provide this optionality in the future.
  5. The script got flipped on CIOs: Individuals and small teams within large companies now drive software adoption by selecting the tools (e.g., GitHub, Slack, HipChat, Dropbox), often SaaS, that best meet their needs. Once they learn what’s being used and how it’s working, CIOs are faced with the decision to either restrict network access to shadow IT or pursue an enterprise license—or the nearest thing to one—for those services. This trend has been so impactful that it spawned an entirely new category called cloud access security brokers—another vendor that needs to be paid, an additional layer of complexity, and another avenue for potential problems. Managing local versions of these applications brings control back to the CIO and CISO.


The future of software is location agnostic

As the pace of technological disruption picks up, the previous generation of SaaS companies is facing a future similar to the legacy software providers they once displaced. From mainframes up through cloud-native (and even serverless) computing, the goal for CIOs has always been to strike the right balance between cost, capabilities, control and flexibility. Cloud-native computing, which encompasses a wide variety of IT facets and often emphasizes open source software, is poised to deliver on these benefits in a manner that can adapt to new trends as they emerge.

The problem for many of today’s largest SaaS vendors is that they were founded and scaled out during the pre-cloud-native era, meaning they’re burdened by some serious technical and cultural debt. If they fail to make the necessary transition, they’ll be disrupted by a new generation of SaaS companies (and possibly traditional software vendors) that are agnostic toward where their applications are deployed and who applies the pre-built automation that simplifies management. This next generation of vendors will put more control in the hands of end customers (who crave control), while maintaining what vendors have come to love about cloud-native development and cloud-based resources.

So, yes, Marc Benioff and Salesforce were absolutely right to champion the “No Software” movement over the past two decades, because the model of enterprise software they targeted needed to be destroyed. In the process, however, Salesforce helped spur a cloud computing movement that would eventually rewrite the rules on enterprise IT and, now, SaaS itself.

Safaricom rolls out Bonga social networking platform to augment M-Pesa

When it comes to monetizing digital social interactions, Kenya’s Safaricom has its own order. American tech companies such as Facebook and Twitter offered social networks first, then moved to commercialize them.

Through its M-Pesa mobile money product, Safaricom built one of Africa’s most robust commercial webs and now aims to leverage it as a social network.

The vehicle is the company’s new Bonga platform, something Kenya’s largest telco rolls out in pilot phase this week. An outgrowth of Safaricom’s Alpha innovation incubator, “Bonga is a conversational and transactional social network,” Shikoh Gitau, Alpha’s Head of Products, told TechCrunch.

“It’s focused on pay, play, and purpose…as the three main things our research found people do on our payment and mobile network,” she said. Gitau offered examples: pay could be using M-Pesa and SMS to coordinate anything from tuition payments to e-commerce, play spans online sports betting to gaming, and purpose includes SMS or WhatsApp chat groups that raise money for weddings, holidays, or Kenya’s informal investment groups.

“In our [Bonga] research we’ve said ‘what can we do to build upon those three network behaviors in our network that is Safaricom?,’” she said.

I recently sat in on an Alpha product development session in Nairobi and talked to Safaricom CIO Kamal Battacharya on his vision for the product late last year, as reported at TechCrunch.

“Safaricom’s unique in that we have telco services and a financial services platform that connect nearly every household in Kenya largely on the basis of trade,” he said.

“We’d actually like to move beyond M-Pesa by leveraging its power as a social network to connect people to other product solutions.”

As a telco, Safaricom still has 69 percent of Kenya’s mobile subscribers. Its M-Pesa fintech app, which generated $525 million of the company’s $2 billion annual revenues, boasts 27 million customers across a network of 136,000 agents.

Through in-house development and partnerships, the company continues to add consumer and small business-based products to its mobile and fintech network. These include digital TV, the M-Kopa solar-powered lighting kit, and Lipa-Na bill pay service.

This week Safaricom will offer Bonga to a test group of 600 users, before updating the product, allowing the initial group to refer it to friends, and then extending the platform in three phases.

Bonga Sasa will facilitate messaging and money transfer between individuals, “enabling users to send or receive money while conversing with each other,” according to a Safaricom release. For example, through Bonga Sasa a parent can send money to the child without having to leave the platform to access another money transfer tool.

Bonga Baraza, expected in mid-2018, will allow users to collect money for purpose driven events, including Kenya’s harambee collective fundraising drives.

Bonga Biashara will build on this use of social networks for commerce. Digitizing Kenya’s extensive informal trading commerce is at play here. Alpha’s research found roughly “2.5 million people doing side-hustles with a smartphone in Kenya” and 12.5 million total running small businesses on smart and USSD devices, according to Gitau.

Bonga will channel Facebook, YouTube, iTunes, PayPal, and eBay in one platform. Users will be able to create business profiles parallel to their personal social media profiles and M-Pesa accounts and sell online. Bonga will also include space for Kenya’s creative class to upload, shape, and distribute artistic products and content.

As for Safaricom’s Bonga monetization plan, it’s not an immediate priority, according to the Alpha team members I spoke to. “We’ll offer it for free for now, and it’s connected to M-Pesa, which is already monetized,” said Gitau. “The more these services grow and grow small businesses, the more they grow M-Pesa, which is already profitable.”

Safaricom is exploring how to take Bonga beyond Kenya’s borders, which could include markets where both M-Pesa and Vodafone are present: currently 10 in Europe, Africa, and South Asia.


Lessons from cybersecurity exits

To: [email protected]

Subject: Lessons from cybersecurity exits

Dear F0und3r:

What a month this has been for cybersecurity! One unicorn IPO and two nice acquisitions: Zscaler’s great debut on Wall Street, the $300 million acquisition of Evident.io by Palo Alto Networks and the $350 million acquisition of Phantom Cyber by Splunk have gotten all of us excited.

Word on the street is that in each of those exits, the founders took home ~30% to 40% of the proceeds. Not bad for ~4 to 5 years of work. They can finally afford to buy two-bedroom homes in Silicon Valley.

Evident.io Investment Rounds and Return estimates

| Date | Select Investors | Round Size | Pre | Post | Dilution | Estimated Returns / Multiple of Invested Capital |
|---|---|---|---|---|---|---|
| Sep 2013 | True Ventures | $1.5m | $5.25m | $6.75m | 22% | 44X |
| Nov 2014 | Bain Capital | $9.8m | $18.1m | $28.0m | 35% | 10.7X |
| Apr 2016 | Venrock | $15.7m | $35.0m | $50.7m | 30% | 6X |
| Feb 2017 | GV | $22.0m | $73.6m | $95.5m | 23% | 3.1X |

My math is not that good, but it looks like even some VCs made a decent return. Back-of-the-envelope scribbles (the exit value divided by each round’s post-money valuation, which ignores dilution from the later rounds and so overstates what each investor actually pocketed) indicate that True Ventures scored an estimated ~44X multiple on its seed investment. Others like Bain snagged ~10X on the A round investment, and Venrock, which led the Series B round, took home ~6X.

We see a similar pattern with Phantom Cyber, which was acquired by Splunk for $350 million. A little bird told me that they had bookings in the range of $10 million. But before we all get too self-congratulatory, let’s ask: why did these companies sell at $300 million to $350 million when everyone in the valley wants to ride a unicorn? Clearly, funds like GV, Bain and Kleiner could have fueled more rounds to make unicorns out of Evident.io and Phantom Cyber.

Phantom Cyber Investment Rounds and Return estimates

| Date | Select Investors | Round Size | Pre | Post | Dilution | Estimated Returns / Multiple of Invested Capital |
|---|---|---|---|---|---|---|
| April 2015 | Foundation Capital | $2.7m | $8.3m | $11.04m | 14.50% | 31.7X |
| Sep 2015 | Blackstone | $6.5m | $26.7m | $33.2m | 15.90% | 10.5X |
| Jan 2017 | KPCB | $13.5m | $83.0m | $96.5m | 13.90% | 3.6X |

(Data Source: Pitchbook)

Some of the board members might have peeked at the exit data gathered by the hardworking analysts at Momentum Cyber, a cybersecurity advisory firm. Look at security exit trends from 2010-2017. You might notice that ~68% of security exits were below $100 million. And as much as 85% of exits occur below $300 million.

Agreed, there are very few exceptional security CEOs like Jay Chaudhry, who grew up in a Himalayan village and led Zscaler to an IPO. This was Jay’s fifth startup, and he kept over 25.5% of the proceeds, with another 28.3% owned by his trust; TPG Growth owned less than 10%. After all, he himself funded a substantial part of the company (which raised a total of $110 million). But not everyone is as driven or successful, and it’s OK to sell if the exit numbers are meaningful. Remember what that Bard of Avon once said:

For I must tell you friendly in your ear,

Sell when you can; you are not for all markets.

(Shakespeare, As You Like It, Act 3, Scene 5)

(68% of security exits occur below $100 million. M & A Data from 2010-2017. Source: Momentum Cyber)

My friend Dino Boukouris, a director at Momentum Cyber, offers some sage advice to all founders who are smitten by unicorns. “Before a founder raises their next round, I would reflect on the market’s ability to purchase companies. The exit data says it all. As you raise more capital, your exit value goes up, timing gets stretched and the number of buyers who can afford you drops.” Dino has a point, you see. As we inflate valuations, your work, my dear CEO, becomes much harder.

If you don’t believe Dino, let’s look at another recent exit, PhishMe, which was acquired by a private equity consortium for $400 million. That’s a nice number, isn’t it? At first look, you’ll notice that the dilution and financial return patterns are similar to those of Phantom. Except that PhishMe took 7 years and consumed $58 million of capital, while Phantom took 3 years and consumed $22.7 million. Timing and capital efficiency matter as much as exit value. It’s not just the exit value, but how long and how much. Back to my man Dino, who will gently remind you that for the 175 M&A transactions in 2017, the median value was $68 million. Read that last sentence again, very slowly. $68 million. Ouch!

PhishMe Investment Rounds

| Date | Round size | Select Investors | Pre-money Valuation | Post | Dilution | Returns / Multiple of Invested Capital |
|---|---|---|---|---|---|---|
| July 2012 | $2.5m | Paladin | $10m | $12.5m | 12.20% | 32.0X |
| March 2015 | $13m | Paladin | $61m | $74m | 13% | 5.4X |
| July 2016 | $42.5m | Bessemer | $155m | $197m | 21% | 2.0X |

(Data Source: Pitchbook)

Two years ago, in “Cockroaches versus Unicorns – The Golden Age of Cybersecurity Startups”, cybersecurity founders were urged to avoid unicorn hubris. A lot of bystanders, your ego included, will cheer you as you get higher valuations. But aren’t we all rational human beings, always making data-based decisions?

Marc Andreessen will remind you that his best friend, Jim Barksdale, once said “If we have data, let’s look at data. If all we have are opinions, let’s go with mine.”   Since 2012, my VC friends have funded 1242 cybersecurity companies, investing a whopping $17.8bn. But chief information security officers say that they don’t need 1242 security products. One exhausted CISO told me they get fifteen to seventeen cold calls a day. They hide away from LinkedIn, being bombarded relentlessly.

Enrique Salem (former CEO of Symantec) and Noah Carr, both with Bain Capital, are celebrating the successful sale of Evident.io. They pointed out that the founders, Tim Prendergast and Justin Lundy, had lived the public cloud security problem in their previous lives at Adobe. “Such deep domain expertise allowed them to gain credibility in the market. It’s not easy to earn the trust of their customers. But given their strong engineering team, they were able to build an ‘easy to deploy’ solution that could scale to customers with 1000s of AWS / Azure accounts. Customers were more willing to be reference-able, given this aligned relationship.”

(Source: Momentum Cyber)

You, my dear CEO, should take a page from that playbook. Because Jake Flomenberg, Partner at Accel Partners, says, “CISOs are suffering from indigestion. They are looking to rationalize toolsets and add very selectively. New layer X for new threat vector Y is an increasingly tough sell.” According to Cack Wilhelm, Partner at Accomplice, “Security analysts have alert fatigue, and CISOs have vendor fatigue.” You are possibly one of those, wouldn’t you agree?

Besides indigestion and fatigue, the CISO role has become more demanding. William Lin, Principal at Trident Capital Cyber, a $300m fund, pointed out that “the role of CISO has bifurcated into managing risk akin to an auditor and at the same time, managing complex engineering and technology environments.” So naturally, they are managing their time more cautiously and not looking forward to meeting one more startup.

Erik Bloch, Director of Security Products at Salesforce, says that while he keeps an open mind and is willing to look at innovative startups, it takes him weeks to arrange calls with the right people, and months to scope a POC. And let’s not forget the mountain of paperwork and legal agreements. “It’s great to say you have a Fortune 100 as an early customer, but just be warned that it’ll be a long, hard road to get there, so plan appropriately,” he pointed out.

So, my dear founder, as the road gets harder, funding slows down. Look at 2017: despite all those big hacks, Series A funding dropped by 25%. Clearly, many of our seed-funded companies are not delivering those Fortune 100 POC milestones, and are unable to raise a Series A. Weep, if we must, but let us remind ourselves that our point solutions are not that impressive to the CISOs.

All the founders I know are trying to raise a formulaic $8m Series A on $40m pre. But not every startup that wants 8 on 40 deserves it. Revenues and growth rate, those quaint metrics matter more than ever. And some investors look for the quality of your customers.  Aaron Jacobson of NEA, a multi-billion dollar venture fund says, ”A key value driver is a thought-leader CISO as a customer. This is often a good indicator of value creation.“

| Stage | Expected Revenue Run Rate | Estd. Round Size |
|---|---|---|
| Angel | None | Up to $2m |
| Series A | $1.5m to $3m | $5m to $8m |
| Early VC | $5m to $8m | $15m to $25m |
| Late Stage VC | $6m to $10m | $30m to $50m |

When markets get crowded and all startups sound the same, investors seek quality, or move to later stages. They like to see well-proven companies that have solved a lot of basic problems and eliminated the riskier stumbling blocks, like product-market fit, pricing and go-to-market issues. Naturally, later-stage valuations are rising faster. Money is chasing quality, growth and returns.

Median Post-Money Valuation by stage for cybersecurity companies (Source: Pitchbook)

The security IPOs offer a sobering view. This is a long journey, not for the faint of heart. Okta moved fast, consumed ~4X more capital than SailPoint and delivered great returns.

| Company | Year Founded | Years to IPO | Total Capital raised prior to IPO | Revenues (2017) | Post Money of last round prior to IPO | Market Cap at IPO |
|---|---|---|---|---|---|---|
| Zscaler | 2008 | 10 | $180m | $176m | $1.05bn | $3.6bn |
| Okta | 2009 | 8 | $231m | $160m | $1.18bn | $2.1bn |
| Forescout | 2000 | 17 | $159m | $220m | $1.0bn | $806m |
| SailPoint | 2004 | 13 | $54.7m | $186m | N/A | $1.1bn |

Security IPOs (Source: Momentum Cyber, Pitchbook)

Innovating with go-to-market strategies

In the near term, the big challenge for you, dear security founder, is selling in an overcrowded market. If I were you, I’d remember that innovation should not be restricted to technology, but can extend into sales and marketing. We lack creativity when it comes to marketing; ask Kelly Shortridge of SecurityScorecard. She should get some kind of Black Hat award for developing this godforsaken Infosec Startup Bingo. If you find any startup vendor that uses all these words and wins this bingo, please DM me; I will promptly shave my head in shame. We got here because we do not possess simple marketing muscles. We copy each other while our customers roll their eyes when we pitch them.

Sid Trivedi of Omidyar Technology Ventures wants to work with developer-focused startups. He says, “Look at companies like Auth0. The sales efficiency on developer-focused platforms is tremendous. You can go to a CISO, CIO or CTO and point out that X number of developers are paying to use my technology. Here are their names, why don’t you talk to them? And then, let’s discuss an enterprise license for the full company?” That approach works like magic. The overwhelming majority of the software IPOs like Twilio, Mulesoft and SendGrid are developer platforms.

If you go top-down in a hurry, you can crash and burn. I am aware of an impatient security vendor who used executive-level pressure at a Fortune 50 company. They kicked their way into the POC, and got kicked out by the infosec team. The furious infosec team destroyed the vendor in a technical assessment. I was told that the product was functional, but the vendor’s impatience and political gymnastics killed the deal. Let us not forget a simple truth: many times CISOs turn to their subordinates for advice and decision-making, so don’t just sell to the top, nor ignore the rest of the people in the room.

With more noise, the buyers freeze. Margins shrink. Revenues and growth slow down. Which means it’s harder to get to your milestones before your next round. Running out of cash is not fun. Nor is a down round, layoffs and such. So while this is easier said than done, please raise less and do more. And maybe, just maybe, you can keep 40% of a $350 million exit.

If you have questions or existential dilemmas, you can always find me, chatting with a friendly VC in South Park.  Or I’m always around in a trusted secure world of Signal.

Stay safe at that annual security stampede called RSA.

Kindly,

Mahendra

PS: Let’s not forget to express our gratitude to those analysts at Momentum Cyber and Pitchbook for painstakingly tracking every investment, analyzing and presenting meaningful data. They help us look at the forest, and make our journey easier. Send them a thank-you tweet, some wine, chocolates, flowers or home-baked cookies.