Get Your Cyber Risk Together: Our Investment in Vulcan
Why Vulcan made us go back to invest in cybersecurity?
For many years, cybersecurity has been known as one of the core competences of the Israeli tech ecosystem. At Maor, as sector-agnostic investors in Israeli tech, it had always been obvious for us that cybersecurity should take a meaningful portion of our entire portfolio.
In Maor’s first fund, we were fortunate to collaborate with two outstanding cyber companies: (i) Medigate, which became the global leader in Healthcare IoT Security, and was eventually acquired by Claroty; and (ii) Silverfort, effectively the only vendor which provides unified protection capabilities for the identity domain, while also leading the new category of Identity Threat Detection & Response (ITDR). Silverfort is still an active portfolio company of ours, and one which makes us proud again and again.
Those two investments were made in mid-2020, when we were all in-and-out of lockdowns, and when quite a lot of people truly believed that the end of mankind could be near. But then COVID stopped being an ongoing top concern, tech investments went to the roof (and beyond), and cybersecurity specifically became one of the most-hyped sectors to invest in. Then, as growth investors, we were unable to make sense of new cyber investment opportunities for quite some time. To put it simply, everything we saw was just too early, too expensive, so we intentionally decided to back off from the cyber market for over two years.
Fortunately, the VC market has gradually shifted back to normal, and over the last year we have finally been able to seriously look again at growth-stage cyber companies. It took us some time, and a few hundred hours spent on several Due Diligences. But then we met Vulcan, and all the stars were aligned.
It is no secret that the global spend on cybersecurity is growing at some impressive pace (12.4% a year, with penetration rate being still only at 10%, according to McKinsey & Company). IT environments are becoming more complex, and hackers are becoming more sophisticated. Together, these create the perfect storm, which makes corporates all around the world consider cyberattacks as a top concern (with 40% of business leaders listing increasing cyberattacks as their #1 business risk, according to PwC). The issue is that, in parallel, it is not getting any easier to find highly qualified cyber personnel to help protecting these corporates (as global cybersecurity workforce gap has reached 3.4 million people, according to (ISC)2). This results in an almost unfair battle, in which the hackers never lose, and impossible battles push for the development of game-changing weapons.
A blast from the past: Close to two decades ago, a new product category emerged in cyber, to support IT teams in “threat detection, compliance and security incident management, through the collection and analysis of security events” (Gartner’s definition): SIEM (Security Information and Event Management) was born, just to evolve several years later to SOAR (Security Orchestration & Response) and more recently to XDR (Extended Detection & Response). This kind of solutions are (usually) not about adding another type of protection; they are here to create another layer on top of the existing cyber stack, allowing operators to supercharge their capabilities and to use the existing products more efficiently and more synergistically. And indeed, today, it is very unlikely to find a large-scale organization which does not use at least one of these tools to drive its day-to-day reactive cybersecurity operations. SIEM/SOAR/XDR were all a new kind of game-changing weapons for reactive cybersecurity. With organizations gradually becoming more mature in their security approach and capabilities, we believe the same process to also happen in the proactive domain: security teams have to re-think how to manage their cyber risk.
Cybersecurity teams must add new game-changing weapons to their tech stack to keep up to speed with the increasing sophistication of both IT environments and hackers. Vulcan provides such kind of a superweapon in the domain of proactive cyber solutions.
Historically, all you had to do to properly manage your cyber risk was just to choose your preferred Vulnerability Management vendor. This was true in the days when cyber personnel only had to deal with a well-defined, relatively uniform, on-premise network. In such environments, this kind of solutions, which combine both powerful vulnerability scanners and a management platform to visualize the findings, worked like a charm. In case of one trying to protect a code-heavy organization, s/he would probably add some strong, separate, application security solution, and that was pretty much it.
However, we’re not in Kansas anymore, and over the last decade, the IT infrastructure has been developing at a rapid pace. Today, cyber teams must also deal with vulnerabilities and risks in their cloud environments (which could consist of a few different cloud service providers), data flows, IoT equipment, identity stack, external SaaS applications, supply chain, and the list goes on and on. Each of these attack surfaces typically requires its own specialized scanner, to constantly scan for vulnerabilities and alert potential risks. So it’s easy to understand why as the universe of attack surfaces is exploding, so are the heads of some poor vulnerability managers: they simply cannot get their risk together…
This means that a paradigm shift is required for managing cyber risk: from vulnerability management to exposure management. One vulnerability scanner cannot cover everything; a single provider of sensors would never be the best across all attack surfaces; cyber personnel cannot spend half their day Ctrl+Tabbing between different dashboards; and they for sure cannot effectively prioritize themselves the risk arising to their own organization from Spring4Shell vs. the risk created by some critical vulnerability just discovered in the Chromium engine.
In our view, this entangled mesh of attack surfaces, posture management sensors, and vulnerabilities, invites an upper layer executing an open-garden approach also in the proactive domain. And this is where Vulcan kicks in, delivering a Unified Cyber Risk and Posture Management platform. To be fair, this product category is still in the making. Some would argue that it will eventually arise from the convergence of a few existing categories, such as CAASM, ASPM, and RBVM.
Without getting too technical, let’s briefly note some key capabilities of such a platform:
(i) Consolidating all risk data, from all kinds of sensors, into a single pane of glass- one dashboard to rule them all- to avoid Ctrl+Tabbing every other minute between different posture management tools;
(ii) Deduping and coordinating alerts from multiple sensors and providing a true prioritization of vulnerabilities and risks, considering the actual business context and exploitability, and drawing the potential exact attack path graphs, to make sure you deal only with what’s most important;
(iii) Enriching the risk data with the best remediation intelligence, to ensure you apply the most suitable and efficient remediation measures;
(iv) Seamlessly integrating to the existing IT workflow platforms and offering automated playbooks, to verify less time is spent on administrative work and more time is invested in truly managing the risk;
(v) Allowing a ‘collaborative’ security approach, connecting different security and IT teams together, and letting them communicate easily through the platform, to get things done- simply and quickly;
(vi) Providing integrated tools for C-level reporting, to make sure everyone is informed on cyber risks, with the right level of granularity and full transparency; and
(vii) Leveraging all the above to ultimately improve the cyber posture of the organization and provide a holistic visibility to “what is still missing”.
Now all these features sound great, but what we especially liked in Vulcan’s product was the fact that it also delivers the right balance between flexibility and ease of onboarding. On one hand, with a few hundred integrations available out-of-the-box, a pure cloud-native architecture, and a robust pre-defined risk assessment engine, onboarding Vulcan can literally take a few hours. But, on the other hand- if you wish to tweak the risk scoring algorithm to better fit your organization’s specific approach- no worries- it’s totally configurable; If you wish to add a new exotic data integration- go for it- just use Vulcan’s ConnectX, a no-code universal interface, to integrate virtually any external sensor you’d like. Considering the other solutions out there in the market- which are either rigid and un-adjustable, or services-heavy and therefore slow and costly to deploy- we saw Vulcan’s innovative offering as a no-brainer.
And actually, we were not left alone with this view, as Vulcan has been accumulating more and more industry recognition, most recently with Forrester recognizing Vulcan as one of only two ‘leaders’ in its recent Forrester Wave report for Vulnerability Risk Management, Omdia naming Vulcan a ‘leader’ in its recent Omdia Universe for Risk-Based Vulnerability Management (RBVM), and SINET listing Vulcan as one of the most-innovative and compelling cyber security products of 2023. As such, it is no surprise that dozens of organizations, from mid-size startups to Fortune500 corporates, chose Vulcan to run the day-to-day of their security teams.
And yet, in 2023, a cyber solution cannot only be great, it must also deliver a strong ROI. In times of shrinking budgets, only the products which create a clear financial value would make it through the procurement process. And Vulcan indeed delivers also on this topic. With Vulcan, implementation and maintenance costs are minimal, less headcount is required in the IT and security teams to manage the same amount of assets, and potentially less cyber solutions are needed to get the same perceived coverage. All this results in Vulcan’s total cost of ownership (TCO) being superior to all other alternatives, while its impact on reducing remediation turnaround times is substantial. Looking to improve your cyber posture and save money at the same time? Look no further- try Vulcan!
Thanks to its unique architecture, Vulcan’s TCO is by far superior to all other alternatives in its space, and its impact on reducing remediation turnaround times is substantial.
And last but for sure not least, the great Vulcan’s team- Vulcan is led by a strong founding team- Yaniv, Roy and Tal, which later onboarded a group of veteran professionals to form a well-structured organization suitable for hyper-growth. Similar to Vulcan’s product, we believe that Vulcan’s team holds a balanced set of capabilities required for a long tech journey: The team is extremely strong on the tech front, but on the same time also extremely focused on G2M and shows outstanding marketing and sales skills; they have an impressive long-term vision, but still excel also in short-term execution; they are extremely hungry and ambitious, and yet also humble enough- an absolutely rare combination that we appreciate a lot.
Maor is proud to co-lead Vulcan’s latest $34m round, in collaboration with our new friends from TenEleven, and to partner again with YL Ventures and Dawn Capital.
We look forward to our joint journey of making the digital world a less-vulnerable place!