Briefing — A VC market outlook on cyber for 2024

Something Real Ventures
Dec 20, 2023

By Kirstin McIntosh

Working at US cyber fund Paladin Capital, Mourad Yesayan has a global remit. Paladin has made 7–8 new investments every year for a decade, including some Aussie favourites such as Bugcrowd, Cloud Conformity and Secure Code Warrior. Today Mourad sees more opportunities than ever in his focus area of early-stage startups — seed and Series A — because many other funds are currently sitting on the sidelines.

We were curious to ask Mourad about how he sees 2024 unfolding.

2023 has been challenging for cybersecurity funding

It’s been a tumultuous year, especially coming off the back of two record years in cybersecurity funding. 2021 was the highest year ever for cybersecurity at $23 billion, and in 2022, $15 billion went to cyber startups. However, according to Crunchbase, 2023 VC cyber funding to October 2023 totalled just $6.4 billion.

So what happened?

Back in 2020/21, a lot of funds increased their pace of investing, with funds getting deployed very quickly, and rounds started to get closer together.

We are seeing that market hangover now, combined with other market changes including:

  • A challenging macro environment, with the drop in public markets and increased cost of capital hurting the ability of investors to raise new funds this year
  • 30% of CISOs have a flat or decreased budget, despite huge spikes in threat activity
  • Sales cycles are being pushed out, with continued increased budget scrutiny on large deals

Maybe it’s not as bad as we think

Really?

The cybersecurity sector is perceived as a defensive investment, so while overall venture funding in 2023 is down over 50%, cyber investments have not seen such extreme changes, although they are still significantly down from the two previous record years.

“Many funds are not being public about the fact that they are focusing investments on existing portfolio companies. These bridges and extensions don’t get reported.”

Once this “portfolio minding” has been taken care of, Mourad believes we will see some stabilisation in the venture capital environment.

And he is hopeful that US interest rate increases will pause, which will help investors and startups alike.

Another encouraging fact is that, according to Forbes, cybersecurity stocks have performed well in 2023, rising about +26.5% YTD, boosted by an increase in data breaches and ransomware.

What does it mean for raising early-stage funding in 2024?

It’s been said that 2023 has been the year of ‘right-sizing’ operations and valuations. Mourad expects to return to norms that were around 5–6 years ago, rather than using the past two years as a guide.

His advice to founders who want to raise in 2024:

Observe how active the fund has been on new investments in 2023

Plan to speak to more investors to get the term sheet you want

$1m ARR is still the Series A benchmark — and capital efficiency is key

While some funds might say they expect to see $US 2–3m ARR, Mourad believes that anything over $1m is a good indicator, especially if it is spread across different logos and industry verticals.

“Series A investors are not going to be worried about profitability. Instead, they are more likely to be looking at a 24 month plan, rather than 18 months.”

While many startups are growing well, they are not hitting their forecasts, so Mourad warns that you should expect your quarterly growth goals to be scrutinised.

As ARR scales beyond $5–10M, a greater focus on capital efficiency becomes increasingly important:

  • Cash burn relative to new ARR generation (1:1 is great, 2:1 is a concern)
  • How many dollars of ARR are generated from your sales and marketing dollars

Ask your customers to help sell your Product-Market fit story

On demonstrating that your company has product-market fit, he has this advice:

“Play to your strengths on the best indicators you have for product-market fit. Get your customer to cooperate and share the data, and ask them directly how they justify the cost to themselves.”

Services are great if they help push product sales

When asked about the merits of a startup offering a professional services component when selling to big US companies, Mourad was enthusiastic.

“If professional services help you push product sales, I’m a fan. Customer success is free, but why not get paid for it especially if it involves integration? You can always pull it back at a later stage, but for an early-stage company, it works fine.”

GTM model — what do you look for?

For Series A companies, Mourad doesn’t expect a startup to have a full sales team already established in the US. Instead, he looks more for direct selling proof points, market readiness and general business maturity.

“Solutions do tend to be translatable across geographies. What validation can we see in markets outside of Australia? We would like to determine whether you can get similar customers in the US as you have in Australia.”

He sees that direct sales in cyber are still very common for companies below $5m ARR, while channel sales don’t kick in until a startup is generating $5-$10m ARR.

A move to the US? First, think about where your company needs to be to be successful

The US is a large market so a startup should always be ready to take advantage of that, but rather than thinking about the US vs Australia, Mourad has this advice:

“It’s more important thinking about where the people need to be to be successful. I’ve seen both models work — one where the ecosystem is in Australia and the GTM team is in the US, and others where the founder has moved to the US. However, if something is a bit more frontier and in a new category, it may not matter as much about moving.”

Also, cyber funds in the US today are bigger than they have ever been. The earlier the stage in cyber, the deeper the investor needs to be on the subject, and that market depth exists in the US.

Key US conference recommendations

  1. Security: RSA and BlackHat are the big ones
  2. Cloud: AWS re:Invent has become very useful for cloud security, with more and more investors showing up there
  3. Research: Gartner conferences are less useful for early stage startups

Focus sectors for 2024

The market segments below are ones that Mourad sees as having good growth potential. He prefaced this advice with the importance of calibrating with customer feedback rather than just following the latest hype or news cycle.

AI — Unsurprisingly, anything AI related has taken a lot of attention this year

  • Ability for AI to enhance operations, as has been the focus for a while.
  • Generative AI now allows you to build new, interesting features. All the AI tools are going to be used by the adversary as well, so new tools will be needed
  • Huge opportunity for companies to think about how they take advantage of the democratisation of LLMs

Training and AppSec — The human element in cyber is still a huge area that needs more vendors and more tools

Cloud security — This still has much potential, as cloud adoption is still growing at a healthy rate

Ransomware — While the pace of ransomware as a threat slowed in 2022, it has been up significantly in 2023. Organisations have multiple weak spots, and will continue to need multiple tools. This problem still has not been solved by adopting a single solution.

Cyber for small business — Bullish on this, it has a lot of growth ahead

TL;DR

While the covid-funding frenzy is definitely over, the funding market is stabilising to pre-2021 valuations, and investors value companies that are capital efficient. As a local cyber founder once said to me:

“The one common thing I’ve noticed in the Aussie startups that I know is that we make every dollar go really, really far and that’s something that doesn’t happen very much elsewhere.”

To succeed — be ready to pitch your startup vision to a lot more people. Just as importantly, share the unique and compelling reasons why your customers love your product, have a solid two-year plan, and don’t feel the pressure to have the perfect global GTM strategy.

Something Real Ventures

Community and angel investment for cyber security startups in AU/NZ