Casber Wang
In cybersecurity, AI often stands for “already implemented.” Security vendors have used AI-based technologies to use existing knowledge databases and address talent gaps. As an investor who focuses on backing expansion stage B2B enterprise startups in cybersecurity, AI, and DevOps, with recent investments in cybersecurity company Huntress and AI startup Weights & Biases, I feel fortunate to have a unique vantage point on both AI and cybersecurity companies set to take off in 2024 and beyond.
From my perspective, today’s organizations face an uphill battle when protecting their data and networks. Cyber threats are becoming more frequent and severe as potential attack surfaces multiply and hackers orchestrate increasingly sophisticated schemes. Bad actors are becoming more efficient thanks to the power of artificial intelligence (AI), perpetrating more personalized attacks and reaching a larger scale, resulting in billions of dollars in business losses.
Meanwhile, organizations of all sizes are innovating new defenses with incredible speed, often also tapping the capabilities of advanced AI. Companies are eager for solutions that enable them to step up their game. According to Gartner, global enterprise security spending will reach an estimated $188 billion this year and grow to $215 billion by 2024. Security software spending is the least likely area of IT to be cut in an economic downturn, according to Morgan Stanley.
In the coming year, they’ll seek to partner with players, enabling cybersecurity teams to enhance productivity and address talent shortages while staying on top of mounting threats.
What VCs are looking for in the next wave of cybersecurity startups
The advent of large language models (LLMs), such as ChatGPT, has brought new opportunities for AI-driven innovation within the industry. Here are some features investors will be looking for in the next crop of successful cybersecurity startups:
A proactive approach to customer education
During the cloud computing revolution, many enterprises rushed to implement cloud solutions with security as an afterthought. This resulted in some cybersecurity catch-up. So far, the inverse has been true for generative AI (GenAI). While companies are eager to reap the benefits of the technology, they are hyper-aware of the risks of exposing sensitive information or breaching customers’ trust. Concerns have grown amid high-profile data leaks at companies like Samsung. In response, many companies have been gun-shy about launching GenAI initiatives, limiting usage to a small cohort or sometimes issuing blanket bans.
The next wave of successful startups will help companies harness GenAI to improve organizational productivity while preventing attacks. But solutions are only helpful if demand exists. Rising players will also need to address widespread hesitation by proactively evangelizing for the potential of trusted GenAI and teaching customers how to use the technology safely. They’ll need enterprises to move past black-and-white approaches, bringing granularity into workflows while helping companies define their security posture. As we head toward the “second inning” of GenAI, customer education will be a requirement, not an afterthought.
Faster response to augment human talent
As enterprises face higher cybersecurity risks, they’re also navigating a shortage of qualified talent. The global cybersecurity workforce gap grew to 3.4 million workers in 2022, which didn’t shrink much in 2023 despite the downward spiral across the tech ecosystem. Meanwhile, the number of endpoints companies need to secure has multiplied with the proliferation of cloud computing, mobile devices, and remote and hybrid work. It’s not enough to secure a network perimeter; companies must manage their cyber footprint. Of course, AI is making it easier for malicious actors to step up threats across all those attack surfaces. At the same time, security practitioners are inundated with more alerts than they can handle and spend much of their focus on triage rather than remediation.
Winning solutions will address the talent gap by speeding up action against cyber threats and augmenting human capacity. AI-based tools have already been helping security teams detect anomalies and recommending solutions. New vendors focus on minimizing false positives, prioritizing the severity of alerts, and automating responses to maximize results for security teams. With its stronger reasoning capabilities, GenAI can make current techniques more efficient and effective and make platforms more accessible even to users who are not security professionals.
Huntress, our most recent cybersecurity investment, already enables a single security professional to support 150,000 endpoints by employing automation for routine incidents and routing more critical incidents to a human. As AI advances, the company is looking to expand capacity to one human per 300,000 endpoints or more. In other instances, enterprise incumbents have embraced GenAI in security assistants (e.g., CrowdStrike’s Charlotte AI and Microsoft’s Security Copilot). Other emerging cloud-native vendors leverage foundation models to power conversational interfaces that automate workflows and generate context-rich risk insights and remediation guidance.
Well-defined workflows
The promise of GenAI is vast, but the next group of successful startups is likely to start with simple value propositions. Many cybersecurity professionals are cynical after earlier AI solutions fell short of the hype. To overcome skepticism and reduce false positives, winning vendors will focus on a limited set of routine workflows in which action steps are clear and reproducible, and the process can be audited if something goes wrong. In the short-term, this will free up human security professionals to focus on more complex tasks. For example, several AI security startups help busy security professionals triage a ceaseless flow of alerts with an AI agent that mirrors the techniques of human analysts. Eventually, GenAI will help take on more open-ended workflows.
Why we’re excited for what comes next
It’s common to say that we’re in the first inning with GenAI, but the ball game may not even have begun. Up-and-coming security vendors have an enormous opportunity to serve enterprises eager to make the most of the technology and build their defenses. But they’re also facing broad hesitancy and confusion among potential customers. The companies that come out on top will tackle the situation head-on by educating customers, starting with constrained workflows and addressing issues that loom largest for enterprises, such as trust and critical talent shortages. New entrants will also have to leverage data and workflows from incumbents to scale, even as emerging companies with superior products will threaten to displace established players.
As a growth-stage firm, Sapphire Ventures is eagerly watching early-stage players emerging and are excited to partner with the next generation of cybersecurity standouts.
Comment