Five ways to measure a cyber security startups progress and execution from the outside
1) What’s the pricing model? If any startup tries to win your business on not charging you for “unlimited storage” and the top competitor in the field is charging a fee - This is a red flag. Storage costs money. There’s no way around it. Sure you can multi-tenant items, you can limit query capabilities, etc, but in the end Unless the business owns lots of data centers it’s impossible for them to “give away storage”. For that matter, this relates to any “unlimited” pricing model. If it’s unlimited, there’s a good chance you are going to pay the painful price when the startup has to scale to more than three customers.
2) What technology stack are they built on? You can look at the alert types being generated to figure out how much signature based detection, ML, and analytic based detection is being done. Look at the query language. Startups aren’t rewriting SQL and the sql query syntax will giveaway what’s being used on the backend. Once you have a sense for what the backend is based on how the front end operates work backwards on how it is built. Is it serverless? Is it AWS functionality? Is it Datacenter hosted? Is it batch processed? All of these little hints will tell you how much engineering effort is being sucked up on infrastructure and data engineering versus making progress on unique cyber security use cases.
3) Believe nothing - All marketer’s are liars. Glassdoor is a lie if the company is below 100 employees. Those reviews are all faked by marketing. Linkedin isn’t accurate as turnover doesn’t show up on Linkedin fast enough. People that leave a startup usually don’t update there profile until they’ve landed their next company. That means if a startup went through a layoff - you won’t be able to see it on Linkedin.
4) Pure play. The tighter and more focused the cyber security problem the more realistic the execution. If a company is telling you they can consolidate tools - Nope. If they say they are solving some super massive scale problem, Nope. If they say they are making a UI for custom dashboards, Yep. The easy stuff will get executed on. The big hairy audacious goal is bull shit. Startups simply can’t hire enough “cyber security unicorns” to build the products they are promising.
5) Ask them how many customers they have. If the number is more than 20 - it’s bullshit. The real number is probably 10% of the number they just told you. (Unless the pricing model is under $20,000 per customer, in which case 20 is probably right.)