CyberCompare Marktkommentar #45: Security Startup vs. Enterprise Sales Cycles, Cyber Damage, Sovereign Cloud Compass etc. pp.

Hello everyone,

today once again a potpourri of incoherent thoughts and observations, in which I have not yet succeeded in building semantic bridges.

It starts with a field report by Alex Chantavy (CEO of SubImage, Cloud Asset Visibility) about the first weeks in the incubator Y Combinator. Encouraging and at the same time frightening for anyone who is thinking about giving up their secure job to found a security startup. The predetermined breaking point in the funding process is the long enterprise sales cycle for security products, which contradicts investors’ expectations of faster proven traction.

I know this from my own painful experience: When CyberCompare was founded, I promised a minimum number of customer deals in our first half of the year in unsurpassed naivety and as an “unforced error” of our parent company GF. And then we sweated blood and water when we had many promising initiation talks and warm (virtual) handshakes in the first SteerCo, but exactly 0 contract signings . At this point, we would like to thank all customers of the first few months (you know who you are!), without whose trust we would have been buried in the backyard of the Schillerhöhe again as a failed experiment. A well-intentioned feedback in the market study is a different commitment than an order released by purchasing. This also fits with the observation that more and more security startups are being raised by 2nd or 3rd time founders and/or with seed investments from the major platforms.

At Heise Security Pro (recommended overall, by the way), I came across an interesting thread on the subject of cyber attack case numbers. The impetus for this was the discrepancy between the damages proclaimed by Bitkom (quote CISO: “Fantastrillionen”) and the figures from the BSI or TÜV, which are orders of magnitude lower. Some CISOs report increasing difficulties in getting the board of directors to increase the security budget, even if the number of unreported cases is enthusiastically pointed out. The TÜV study of ~500 German companies showed, for example, that

  • 15% were affected by a successful cyberattack within a year (2024)
  • but the vast majority of them did not suffer any damage at all and 93% of them did not suffer any serious damage.
  • So if you ask the person sitting next to you as a business grandee at the Rotary Club, you will tend to hear that the competition from China or the SPD is a bigger problem than cybercrime.

My 0.02 EUR on this: Insurers have the best figures, because they have “skin in the game”. MunichRe, for example, published the profitability of the cyber division for the first time in its annual report for 2025, which is around 3% (with ~9 billion in revenue). In my understanding, this includes primary insurance (via e.g. Ergo) and reinsurance. I therefore suspect that the premiums are relatively close to the actual risk (i.e. the average expected annual loss) at a given security level, which is assessed by the insurer before a policy is offered. I also think that the questionnaires and risk dialogues of the insurers are broadly examining the most effective measures. Conversely, what is not queried does not bring much risk reduction in case of doubt. In my experience, the argumentation about insurance coverage and policy amount (depending on the deductible, etc.) is also a feasible way to justify an upward budget adjustment vis-à-vis the CFO.

With the European Sovereign Cloud Compass, IT Capital Partners offers an in-depth comparison of 17 cloud providers with regard to political/legal and technical independence criteria.Hats off for the detailed research!

  • So far, Deutsche Telekom seems to have the most sovereign offer in the overall picture, closely followed (depending on the weighting of requirements) by StackIT, SysEleven, AWS and OVH
  • Distinguishing features with regard to security are esp. Key management (BYOK with EU-operated KMS and HSM), access options of the cloud operator (possibly at hardware level) or root CA in the EU
  • There is also a mapping to the C3A, all reviews are public with references
  • There is also an RfP template or the possibility to make your own comparisons directly.

In my perception, so far only federal authorities and the defense sector have been willing to pay for these offers. Corporations are occasionally examining the conversion of sub-areas in PoCs, possibly also in order to get into a better negotiating position vis-à-vis the hyperscalers. However, it will probably take a few more years for this to diffuse into the breadth of municipal institutions and companies.

CISA has issued a directive for American authorities from which KPIs for one’s own organization can be pragmatically derived based on 4 criteria for vulnerability prioritization and elimination (thanks for the hint, Wolfgang!). Example:

  • Top priority are KEVs that can be accessed from the Internet, can be exploited automatically by attackers and allow complete control of the victim systems (e.g. via RCE)
  • For this, an SLA of 3 days for remediation + additional forensic triage (=threat hunting as I understand it) is required
  • Advantage: Security teams only have to check whether the asset is accessible from the Internet. All other information is included with the CVE/KEV reports

Hypothesis: If the cost of vulnerability detection is close to zero, the number of newly discovered vulnerabilities is increasing, and patching (due to the availability of patches + internal processes) regularly takes longer than programming exploits, then virtual patching and micro-segmentation via IPS/WAF/NDR are more worthwhile. Feel free to refer to whether this makes sense and whether we may see a new trend there.

And how good are autonomous pen test solutions from the perspective of a pen test boutique? DoyenSec compared XBOW and Aikido in a web app test:

  • Cost per test was ~4k USD (the same for both solutions)
  • Both solutions achieved a false positive rate of ~5% on average of the tests. The findings tended to be assessed more critically than by human reviewers. Unfortunately, the True Negative Rate was not estimated
  • Doyensec concludes that both solutions currently offer a better price/performance ratio than the established SAST/DAST scanners
  • The following anecdote fits in with this with possibly broader validity: A customer is currently criticizing a renowned PenTest company because it does not provide the customer with systematic documentation on which systems have been tested with which methods (and which have not). So here is the clear advantage of automated pen test tools. Sounds almost like the story of woe of some premium car manufacturers who at some point missed out on technical progress and only relied on brand and customer inertia. Works for an amazingly long time, and then suddenly no longer.

M&A:

Once again a long list. Overall, I find it amazing that despite Gen AI, such high amounts are still paid for startups without a customer base. One would think that not only Hobby Vibe Coder, but also the big providers can easily (more) reprogram purely technical features and therefore the prices for them will fall. But apparently I’m on the wrong track as usual at full throttle, as you can see from the reviews.

  • Databricks (for some time now in the security business with Lakewatch SIEM, including Anthropic as a customer) buys Panther (AI SIEM/SOC), probably for > 3 billion USD. The vision: Automated SOC processes on a common platform for business processes, observability and security.
  • Accenture invests ~EUR 4 billion in OT/IoT security: In addition to a majority stake in Dragos , Netrise (IIoT firmware analysis) and RunZero (exposure management “from the cloud to the field controller”) are acquired. Dragos has a large service business (e.g. incident response) and is certainly the best access to the White House / Pentagon among OT NIDS providers.
  • Rubrik kauft Strata (IAM/IGA inkl. Agentic Identities)
  • Sailpoint acquires Entro (NHI Sec)
  • 1Password buys Apono (JIT IGA)
  • Cisco acquires Widefield (ITDR)
  • F5 kauft Surepath.AI (AI Governance)
  • Dream (a kind of Palantir alternative of ex-Chancellor Sebastian Kurz) collects another ~250 million at a 3 billion valuation
  • Ent (Supplement to EDR, designed to detect and possibly prevent the execution of programs and agents) will receive $100 million. founder has already launched RiskIQ and sold it to Microsoft, and before that Dome9 to Check Point)
  • Twenty Technologies („Software that wins in war, built for conflict, victory is the only metric”) bekommt 100 Mio. Funding für offensive cyber operations
  • Newcore (Identity Discovery + Security via Split Keys) raises ~$66 million

Vendor briefings:

Lupovis:

  • Deception and CTI from UK (more precisely: Scotland)
  • Approx. 100 customers, usually all quite sophisticated (e.g. an insurance company or MSP like Orange, Eviden)
  • Typical question from customers to be answered: Which vulnerabilities have been newly exploited in the last 6 hours?
  • 3 approaches, from the outside in:
  • Digital twins of certain firewalls or VPN gateways or similar are placed on the net as decoys by Lupovis in order to observe attacks on them and to provide customers with the information about them as CTI
  • Creation of honey subdomains whose usage is monitored (filtered)
  • Monitoring of honeypots/tokens such as files, API, or fake endpoints distributed by the customer in the on-prem infrastructure
  • Still looking for channel partners in the DACH region

Orca (Update):

  • CNAPP (agentless or via sensor, core competitor to Wiz). Particularly worthwhile in multicloud environments
  • Meanwhile ~900 customers, in the EU including SAP, Bayer, Clariant, Erste Bank and Nestlé
  • A lot has happened in terms of usability in the last 12 months
  • Compliance frameworks have the opportunity for more fine-grained requirements in cross-comparison
  • Scans incl. backend engine can be carried out in a customer environment without data leakage (e.g. for the public sector). Spot VMs are used for this purpose (no K8 clusters => lower costs/maintenance). If the VM instance is canceled by the hyperscaler, the process restarts
  • The attack path visualization not only shows the possible countermeasures to the CVE/misconfiguration (e.g. VM access possible past ZTNA solution), but also the positive effects on the risk during implementation
  • AppSec module of course with code generation (various LLM possible, also customer-specific models via MCP)
  • EU Sovereign Clouds Coming Now in the Next Few Months, Launches with CSPM
  • Still looking for MSSP / Channel Partner for the DACH region (so far DoIT Solutions, among others)

ProLion:

  • Data security solutions (such as anti-ransomware) from Austria for unstructured data (no databases) on storage from NetApp, Dell and Windows file servers
  • Approx. 100 employees, approx. 1000 customers, including the city of Nuremberg, the city of Karlsruhe, many clinics
  • Exclusively on prem on VM
  • Blocks write operations to specific file extensions typical of ransomware
  • Behavior-based anomaly detection of file read/write access and access lock (for local AD)
  • Logging of all accesses + changes
  • Recovery of individual files possible
  • Azure Local / VM u. Distributed File System auf Roadmap
  • In addition, solutions for storage cost optimization and high availability

Sonrai Security:

  • US solution for cloud PIM incl. AI Agent Security as a complement to CNAPP – functions similar to Entra ID P2, but with a focus on Azure, AWS and GCP
  • Core problem to be solved: Overprivileged NHI and user accounts incl. zombie accounts + unused services
  • Approx. 35 corporate customers, all very large (including Wells Fargo, Pfizer, American Airlines)
  • Enforces prior approval of critical access by colleagues or via approval workflows, among other things. The accesses are then limited in time
  • Register of all 3rd party users with accounts
  • Offer a free assessment, in which, for example, AI agents in cloud environments are also inventoried

As always, questions, suggestions, comments, experience reports, topic requests and also opposing opinions or corrections are welcome by email. Ditto for unsubscribing from the mailing list.

For the people who have received the market commentary for the first time: Here you can register if you are interested or install an air conditioner in the archive.

Best regards,

Jannis Stemmann

Scroll to Top