For as long as programming has existed, we have had a plethora of methods to ensure the code works as intended. These days, that entire testing process has been kicked into high gear: The growing sophistication of security breaches has turned software verification into a much more urgent task — and a far more complicated one.
“Everyone has a different, evolving approach,” said Alter Memis, the CEO of Picus Security. “The holy grail is creating a connection between them.”
If understanding what the holy grail looks like is half the challenge of finding it, Picus believes it’s well on the way to eternal happiness. The startup’s platform runs continuous validation processes to root out and fix inconsistencies in code and other network activity. Now, after picking up more than 500 enterprise customers and simulating some 1 billion cyberattacks for the likes of MasterCard, Visa, Vodafone and the banking giant ING, it has raised $45 million in a Series C round to expand its business.
Riverwood Capital, a prolific enterprise investor, is leading the investment. Previous backer Earlybird Digital East Fund is also participating.
Picus has now raised $80 million to date, and while it is not disclosing its valuation, in 2022, when it last raised funding from investors (a round that included MasterCard), it was valued at a modest $94 million post-money, according to PitchBook data. Since then, the company has grown to 200 employees and tripled its revenues, with key markets in the Americas leading the way. For more guidance, a competitor of Picus’ called Cymulate was most recently valued at $440 million.
Memis came up with the idea for Picus Security with Volkan Ertürk (its CTO) and Dr. Süleyman Özarslan (the VP of Picus’ research arm, Picus Labs). The three have been friends since they were studying mathematics in university, and the academic work took them each in different directions. Memis doubled down on business and finance; Ertürk parlayed his mathematical leanings into cyber defense; and Özarslan became an academic. They all stayed in touch, and one day in 2013 they got to talking.
“We liked to exchange ideas about what might be the next big thing,” Memis said. Ertürk recounted how he was advising on a huge cyber project that appeared to be configured correctly, yet only a month later, the organization got breached. Özarslan suggested that the only way to really help defend a non-static system was to test all the time: The constant shipping of code and data just changed the parameters too often otherwise. Here is where Memis’s expertise also kicked in: The world of finance continually runs simulations to determine what the outcomes for any action might be.
Picus, the company they founded, turned out to be one of the first in the field to focus on the idea of continuous validation and simulation testing. But they were in Turkey and starting as early as 2013, however, meant that the startup was swimming against the tide — cybersecurity wasn’t as big as it is today. Outside funding did not come fast, and Picus was bootstrapped for the first five years of its life as it worked on the best way to scale and automate its technology and prove its idea to the market.
Picus eventually relocated to San Francisco, and as security became a bigger nightmare for organizations, its ideas caught on.
One of Picus’s unique selling points is that it is built to work with the fragmentation that is part and parcel of the enterprise IT market these days. The company says it has integrations with some 80 other major security partners, which funnel alerts and other activity into Picus’ platform. Its solution incorporates automated penetration testing, breach and attack simulation, and rule validation checks across the various silos in order to investigate activity both within specific tools, and so to have a better understanding of how activity in one silo might be related to something happening elsewhere. Security teams can observe all of this on a single dashboard.
Accepting that there will be proprietary systems and tools on a network but taking an open approach to interacting with them is what caught the eye of investors.
“By taking a fresh, open approach to continuous threat exposure management, Picus’ platform empowers organizations to better understand their cyber risks and be proactive against bad actors,” Joe De Pinho, partner at Riverwood Capital, said in a statement. “Their use of automated pen-testing alongside continuous validation is not only a game-changer today, but also lays the groundwork for how enterprises will safeguard themselves in the future.” De Pinho is taking a board seat with this round.
Keep reading the article on Tech Crunch