The cost of cybercrime is growing at an alarming rate of 15% per year, designed to reach $10.5 trillion by 2025. To meet the challenges this poses, organizations are turning to a growing range of AI-based tools to complement their existing security software and the work of their security teams. A startup called today Cymulate — who has built a platform to help these teams automatically and continuously test their networks against potential attacks with simulations and provide guidance on how to improve their systems to prevent real attacks — announces a significant round of growth funding after seeing strong demand for its tools.
The Tel Aviv-based startup, with a second base in New York, has raised a $70 million Series D that it will use to continue expanding globally and invest in expanding its technology (both organically and potentially through acquisitions).
Today, Cymulate’s platform spans both on-premises and cloud networks, providing breach and attack simulations for endpoints, email and web portals, and more; automated “red teaming”; and a “purple pooling” mechanism to create and run various security breach scenarios for organizations that don’t have the resources to dedicate people to a live red team – overall a “holistic” solution for companies that want to make sure they get the most of the network security architecture they already have in the worlds of Eyal Wachsman, CEO of Cymulate.
“We’re giving our customers a different approach to how they do cybersecurity and get insights [on] all products that are already networked,” he said in an interview. The resulting platform has found particular appeal in the current market climate. While companies continue to invest in their security architecture, security teams are also feeling the shrinking market, affecting IT budgets and sometimes headcount in an industry already facing a skills shortage. (Cymulate cites data from the US National Institute of Standards and Technology which estimate a shortfall of 2.72 million security professionals in the global workforce.)
The idea with Cymulate is that it’s built something that helps organizations get the most out of what they already have. “Finally, we’re giving our customers the ability to prioritize where they need to invest, in terms of closing the gaps in their environment,” Waxman said.
The round was led by One Peak, with Susquehanna Growth Equity (SGE), Vertex Ventures Israel, Vertex Growth and strategic backer Dell Technologies Capital also participating. (All five also supported Cymulate in its $45 million Series C last year.) Relatively speaking, this is a big round for Cymulate, doubling its total fundraising to $141 million, and while the startup hasn’t disclosed its valuation, I understand from sources that it’s around the $500 million mark.
Wachsman noted that the funding comes after a big year for the startup (the irony being that the ever-escalating cybersecurity problem and growing threat landscape is good news for the companies created to combat it). Revenue has doubled, although it would not disclose any numbers today, and the company now has more than 200 employees and works with around 500 paying customers in the corporate and mid-market, including NTT, Telit and Euronext, up from 300 customers a year ago.
Wachsman, who co-founded the company with Avihai Ben-Yossef and Eyal Gruner, said he first came up with the idea of building a platform to continuously test an organization’s threat posture in 2016, after years of working in consulting. in cybersecurity for other companies. He found that no matter how much effort his clients and outside consultants put into architecting security solutions annually or every six months, those gains are potentially lost every time a malicious hacker makes an unexpected move.
“If the bad guys decided to infiltrate the organization, they could, so we had to find a different approach,” he said. He looked to AI and machine learning for the solution, complementary to everything already in place in the organization, to build “a machine that allows you to test your security controls and security posture, continuously and on demand, and get the results instantly … one step ahead of the hackers.
Last year, Wachsman described Cymulate’s approach to me as “the largest cybersecurity consulting firm without consultants,” but in reality the company has its own large in-house team of cybersecurity researchers, white-hat hackers who try to find new holes – new bugs, zero days, and other vulnerabilities—to advance the intelligence that powers the Cymulate platform.
These insights are then combined with other assets, e.g MITER ATT&CK frame, a knowledge base of threats, tactics and techniques used by a number of other cybersecurity services, including others building continuous validation services that compete with Cymulate. (Competitors include FireEye, Palo Alto Networks, Randori, AttackIQ and many others.)
Cymulate’s work comes in the form of network maps that detail a company’s threat profile, with technical recommendations for remediation and mitigation, and a summary that can be presented to finance teams and management who can audit security spending. It also has built-in tools to perform security checks when integrating services or IT with third parties, for example in the case of a merger and acquisition process or when working in a supply chain.
Today, the company focuses on network security, which is big enough on its own, but it also leaves the door open for Cymulate to acquire companies in other areas like application security — or build one for itself. “It’s something on our roadmap,” Wachsman said.
If potential M&A leads to more fundraising for Cymulate, it helps that the startup is in one of the few categories that will continue to get a lot of attention from investors.
“Cybersecurity is clearly an area that we think will benefit from the current macroeconomic environment, compared to perhaps some of the more capital-intensive businesses like consumer internet or food delivery,” said David Klein, managing partner at One Peak. Within this, he added: “The best companies [are those] which are critical to their customers… They will continue to attract very good odds.”