Hack Secure's first investment, Kolide, Raises $8M to Turn Application and Device Management into a Smart Database

In 2016, Hack Secure led its first syndicate investment in Kolide. We were fortunate to work with two great leads to build a powerhouse team addressing an important piece of the cybersecurity market. After 18 months of incredibly hard work, we are excited to announce that Kolide has raised $8 million in their quest to turn application and device management into a smart database.

In addition to our fundraise, we are also excited to announce Kolide Cloud, which is a powerful SaaS platform aimed at fast-growing technology companies that will provide both the visibility and actionable insights organizations need to navigate today's increasingly complex cyber security and compliance landscape. 

As founding investors and board members, we at Reverb Advisors and Hack Secure are very proud of the Kolide team for the huge strides they've made and we look forward to watching Kolide change the way security is done in the enterprise. 

How Data Science is Opening New Frontiers for the Insurance Industry

Insurance is one of the modern world’s oldest industries. Since the beginning, an insurer’s success has hinged on its ability to leverage statistics and actuarial science to analyze risk. But the last decade has created a perfect storm of technological evolution causing the industry to reinvent its core disciplines.

Hack Secure, in collaboration with ODSC, will be hosting a panel at ODSC's Accelerated AI Conference on May 1st. On the panel, we’ll speak with some of the insurance industry’s leading data scientists to learn more about many topics, including new lines of insurance driven by our tech-centric society (e.g. the rise of cyber insurance) and the impact that the vast amount of available data sources has on modeling risk.

Hack Secure will be hosting a dinner after the panel for a more open discussion on the topic as well as a networking opportunity. 

If you would like to attend any panels, dinners, or meet-ups in the future, feel free to fill out the form below to be added to our mailing list. 

Reverb Advisors is Proud to Announce that Sqrrl has been Acquired by Amazon

Sqrrl, a Cambridge, MA-based company founded in 2012, markets software leveraging big data to deliver the first, best, and only native cyber hunting solution. Their main product is a visual cyber threat hunting platform that combines link analysis with user behavior analytics. They combine user, entity, asset, and event data into a behavior graph that users can navigate to respond to security incidents and to search for undetected threats. Sqrrl was founded in 2012 by a team of ex-NSA'ers and funded by Chris Lynch and Antonio Rodriguez of Matrix Partners.

One of the principal investors back in 2012 was Reverb’s own Chris Lynch, who has been serving on the board for the last half-decade. Lynch recruited the team to Boston, teamed with his longtime collaborator Matrix Partners and recruited many former employees from his operating days to build the management team. Lynch declined to comment on deal details, but had this to say when asked about the deal, “the acquisition of Sqrrl by Amazon, further validates Boston is the place to find real value in the big data and cyber security sectors, validates the importance of cyber hunting as an important tool in the fight against cyber threats and with the reach of Amazon ultimately makes the world a safer place.”

 

Insurance Companies Will Shape the Future of Cyber Security

For too long, vendors have capitalized on industry fear of breaches to sell confusing products that may or may not provide value. But fanning the flames of cyber hysteria has started to backfire.

Companies now consider potential losses from a cyber breach as a cost of doing business. CFOs are even factoring potential losses into financial projections. Rather than increasing spending on what appears to be a lost cause, more and more organizations are simply buying cyber security insurance for the eventuality of a breach.

A major advantage of cyber security insurance is that the insurer is responsible for quantifying risk. This is a huge improvement over just throwing piles of cash at the latest and greatest security product. Vendors are happy to tell you what you have isn't good enough and that you need more. And oftentimes (understandably), companies find it difficult to know who or what to believe.

As an industry, we’ve arrived at an interesting point. Companies no longer have to care about how much a breach will cost, just how much cyber security insurance costs.

And thus, the future of cyber security will be heavily influenced by the insurance industry.

Modeling Cyber Risk: A Tough Nut to Crack

Of course, it’s in the insurer’s best interest to accurately model risk and encourage companies to prevent breaches. As a result, the insurance industry is having a broader influence over how cyber security decisions get made in organizations.

As Bruce Schneier points out, it’s not about technology for threat avoidance, it’s about strategies for risk management. In the same way that you may join a gym to get cheaper health insurance premiums, companies will comply with insurers’ recommendations to lower cyber security premiums. The cyber security market is particularly conducive to having standards set by an external authority.

Many companies already leverage Managed Security Service Providers (MSSPs) who not only decide what hardware and software security solutions a company purchases and deploys but also respond to the cyber security incidents that a company may face. Because it is such a confusing space, customers are more willing to acquiesce to requirements for insurance, especially if it just “makes the problem go away.”

This presents a distinct opportunity for cyber security organizations and insurance companies alike. 

Challenging Current Risk Models

The biggest challenge (and opportunity) lies in how to accurately model cyber security risk. Historically, modeling in the cyber domain has been more art than science, albeit an art with some huge price tags. Despite the fact that many insurers are essentially eyeballing it, business is booming.

In 2015, premiums were estimated at $3 billion, and that number is expected to triple within four years.

But there still remains massive uncertainty around how to validate model accuracy and optimize policy pricing. Multiple analysts indicate cyber security insurers are dramatically overexposed. There is a great need for better modeling techniques to optimize pricing and margins. The accuracy of cyber risk models will ultimately determine the winners and losers of this evolving market, and unlock the tsunami of cyber risk underwriting that will ensue.

The problem is that insurance companies don’t have cyber security expertise, and cyber security professionals typically don’t know data science. Insurers don’t use essential data like vulnerability analysis because they don’t know how to interpret it. At the same time, cyber security professionals don’t understand that there’s a huge difference between vulnerability analysis and risk analysis; current risk models are essentially “black boxes.” They don’t clearly show how cyber data correlates with breach data, and simply assign a risk score based on “expert opinion”.

To put it plainly: there’s no way to validate the data.

Bridging the Risk Model Gap

Any model is only as good as the data that it’s based on, but current risk analysis has little to do with threat detection. Insurance companies and cyber security organizations need to use the right analysis on the right data to paint a better and more accurate picture of risk. One methodology is to use statistics and machine learning to correlate customer data with breach data enriched with cyber security intel.

Risk scores should not be based on expert opinions that can’t be assessed, but on statistical correlation with historical breaches. With help from the data science and cyber industries, insurance companies will slowly hone their ability to accurately model cyber risk. As they do, they’ll begin to prescribe tools, techniques, and guidance for their customers to implement in order to reduce the cost of premiums.

And because companies will want to pay as little as needed to offload as much of their risk as possible, they’ll buy the recommended tools and implement the best practices determined by the insurance companies.

Thus, the insurance industry will play kingmaker to the cyber industry’s next great companies.

Don’t Get Played: The four things every founder needs to do when they seek funding

Some potential investment partners will look to make you a pawn in their larger game. Here’s how to avoid that fate.

I’m not going to mince words: getting funding can be stressful.

I don’t care if you’re working out of a garage and need seed money, or if you’ve got a slick team that hums and you’re seeking scale in a Series C. Finding the right partner is a perilous process, full of potentially choppy water. Within that water? Sharks.

There are four things you need to do to make sure you don’t get bit.

Raise capital specific to the demands of the company, not to the demands of the fund.

If you're going to fundraise, think carefully about what your capital objectives are.

Let’s say you’ve decided you need a million dollar seed. A million dollars is great, but where’s it going to take you? Does it take you to a place where you’re fundable into the next round, and at a premium? Does it meet your operational needs, and set you up for putting the right talent together? Think steps ahead of your current station, beyond your current round. What will your capital requirements be over time?

Companies that raise capital and don’t meet the agreed-upon milestones of the financing usually don’t get follow-on funding, or they’re forced to take a significant haircut. Seed capital is often hard to gauge, with firms taking too little or too much. You need to know what the fundraising is going to look like over the life of the company, not just the current financing. A million dollars might be great now, but you can’t afford to just think about the present. When capitalizing your company you must play chess, not checkers!

Now, here’s where it’s important not to be a pawn: big funds want to put capital to work. You need to be raising capital specific to the demands of your company — both its current and future demands — and not to the demands of the fund. Remember, the earlier the stage, the more punitive the round from a dilution perspective. So raise what you need plus a buffer as things always take longer than you expect.

Develop criteria for what you need from your investment partner. (Hint: it shouldn’t just be money).

You need more than capital from an investor.

As you seek funding, make sure that you’re developing your own criteria of what you’re looking for in a partner. One place to start: complementary expertise.

Perhaps you’re an ace coder or someone who’s got a true depth of experience in data science or cyber security. You understand the needs of the market and have the time-tested skills to build a killer product that will be truly disruptive. But there’s a problem: you don’t know the first thing about sales, or marketing said product. You prefer to build, and not to trumpet what you’ve built.

Or perhaps it’s the other way around. You’re sales-first and need a tech-savvy partner.

In each case, your needs are different, but there’s a common thread.

You need more from a partner than just money. You need help in areas that you don’t normally think too much about or focus on.

Run parallel processes and get multiple term sheets so you don’t get played.

If you randomly go to a single VC, he or she is going to take you into deep water. Be careful, because that’s where the sharks are.

Once you’re in deep water, you may find yourself drowning. Perhaps you’re in a place where you absolutely need capital — as in, you need to fund your company now, or you’re not going to eat — and this is it. This is your only offer, your only life preserver.

Well, congratulations. You played yourself.

To avoid this fate, understand the capital structure of your company, then build your criteria for who you want as a partner. Then, in the case that you want traditional venture capital, approach your prospective partners as part of a process. You’re not just going to a random venture guy whose job is to broker people and information and to get in on things.

Those guys aren’t always qualified, so qualify them yourself. Then, identify multiple investment targets prior to engagement, so you control process and structure.

Talk to several different but qualified prospective investors. With more and better choices come better terms and a better fit for your criteria, which at this point you’ve sharpened.

Some quick tips for your process:

  • You’re going to want to talk to VCs who invest in your space, and stage. Think about more than just the brand name of the VC firm. Dig deeper, because more important than the brand name is the specific partner you’re working with. These partners are essentially running their own franchise under that brand name.

  • Do the partner and the firm invest in your space? Do they have a good track record? Are they good for the specific stage you’re at? Do they have operating experience?

If you do this right, it will be on your terms. You’ll pick your investment partners, as opposed to you being picked.

Understand your founding team. You want people to bring different things to the table.

In a startup, there are two types of roles: you’re either building or selling.

You’re either getting customers in the door, or you’re making a product that delivers value to the customer. If you don't fill one of those roles, you don’t belong in.

It’s okay to have multiple people wear multiple hats. You can have multiple people who understand product. They can both be voices in the room, but one needs to be the final decision-maker.

It goes without saying, but make sure you have your bases covered. Any area where your founding team falls short — whether it’s functional or domain-specific — needs to be accounted for.

Complement your existing team with the right people, and make sure you find an investment partner who can help you do that.

If you follow these steps, you’re in good shape.

If you meet the capital demands of your company, develop sharp criteria, run parallel processes, and complement your team correctly, you’re moving in the right direction.

And you may be ready to create something life-changing.

How venture capitalists make money and why it matters to you

Successful companies require 3 ingredients: the right idea at the right time with the right team. While the first two ingredients are no doubt important, in order to achieve any level of success, it requires a great team with a common goal.

Most tech startups look to raise investment capital to finance their product development and go-to-market, and to scale growth. As you may have read in many technology-focused publications, building a large enterprise technology company usually requires tens to hundreds of millions, or even billions, of dollars in investment capital. And for every round of investment dollars raised, a company adds another team member. A board member. Their new venture investor.

Adding the right venture investor to your company’s board can be immensely valuable. The right investor can make all the difference when it comes to: 

  • Recruiting the best team
  • Getting access to customers
  • Honing your go-to-market strategy
  • Helping your company achieve a great outcome

It’s important to remember that venture capital firms are also businesses just like the companies they invest in. While venture capitalists do want to help your company be successful, they’re really in the business of raising more venture funds.

Venture firms are driven to build the most oversubscribed venture fund and make a lot of money doing it. However, a venture fund’s business model is quite different from traditional businesses. If you learn how venture investors make money, you'll understand what motivates the decisions they'll make while working with your company.

How VCs make money: a breakdown

Venture capitalists make money in 2 ways: carried interest on their fund’s return and a fee for managing a fund’s capital. If all goes well, your company is going to experience a liquidity event in the form of an M&A transaction or an IPO. At the point of your company’s liquidity, investors are paid their equity portion of the company’s proceeds (cash, stock, etc.).

Investors invest in your company believing (hoping) that the liquidity event will be large enough to return a significant portion of, all of, or more than their original investment fund. Once an investor has returned their investors’ capital, they begin to earn carried interest on the returns in excess of their fund size.

Carried Interest

Carried interest is the most lucrative way a venture investor makes money. Traditionally, venture investors earn 20% carried interest on their fund. That means if a fund’s size is $100mm, venture investors earn $0.20 on every dollar earned over $100mm. So if a venture fund can return $300mm on their $100mm fund, they will earn $40mm in carried interest (($300mm return - $100mm original investment) * 20% = $40mm).

Management Fees

The second way venture investors make money is from a management fee. A venture fund is a pool of capital invested by high net worth individuals, fund of funds, endowments, retirement funds, etc. These investors in a venture fund are known as Limited Partners or LPs. When a venture fund raises capital, it charges its LPs a fee for having venture investors invest and manage investments in startups.

Traditionally, venture funds will charge their investors 2% per year of the total value of a fund. Using the previous example of a $100mm fund, the venture firm will earn $2mm per year to pay salaries and other operational expenses of the fund ($100mm * 2% = $2mm per year).

Management fees become more lucrative to venture investors when a venture firm manages multiple funds simultaneously. Typically venture firms try to raise a new fund every 2 to 3 years with the lifespan of a fund being 7 - 10 years. Oftentimes, you’ll see in tech publications that “Great VC” has just closed its new $100mm fund called “Great VC II”.

This means that Great VC has raised its second fund and is likely still managing its first fund: Great VC I and now Great VC II. Let’s assume that Great VC has two active funds at $100mm each. Assuming the same 2% fee, Great VC is making $4mm per year in fees for managing two $100mm funds (2 funds * $100mm * 2% = $4mm).

Picking your investor strategically

All venture investors’ actions relate to one prevailing goal: how do you help me raise my next fund? As demonstrated above, an actively managed fund creates a steady income stream for venture investors. If investors can layer multiple active funds on top of one another, the income stream becomes even more lucrative.

In order to accomplish a successful fundraise, venture investors need to show traction. Traction in the business of venture capital comes in the form of liquid capital returns in excess of the size of their fund, or more likely, the perception of liquid returns that have the potential to return their fund many times over.

As an entrepreneur raising capital, you need to be as strategic as possible when adding an investor to your team. Never forget: size matters. The size of the fund your investment is coming from. The size of the investment you’re asking for. The size of the valuation you’d like to get for that investment. All of these data points will indicate an investor’s actions.

For those raising their first round of capital, taking money from a large fund could pose potential optionality problems if a lucrative sale opportunity arises early in the lifecycle of your company. Typically investors will include a blocking right in your investment agreement that gives them the ability to say yes or no to a sale or even a future fundraise for your company.

As an example, let’s stick with our Great VC investors and say that they led your seed round for $1mm at a $5mm post-money valuation. Otherwise put, they purchased 20% of your company for $1mm.

In this example, the founders and team own 80% of the company’s equity (which includes any employee stock options and option pool). Over the course of the first 12 - 18 months building your company, a potential acquirer comes along to buy it for $30mm. That would mean, if sold, the investor would earn $6mm (20% * $30mm = $6mm) and the founders and team would earn $24mm (80% * $30mm = $24mm).

That’s a life-changing amount of money for the founders and a good return on stock options for employees. However, to Great VC, who has to return a $100mm fund, a $6mm return from one of their investments only gets them 6% of the way to returning their fund. If you, the founders, decide to take the money off the table and sell your company, the investor has to decide between going along with the sale of the company and convincing you to forgo the sale and continue building your company into an asset of greater value.

To sell your company or to continue raising? That is the question

Rather than selling, Great VC would likely prefer your company raises its next round of financing. They may tell you that this offer is an indicator of having the right tech at the right time and we are on our way to a $1B exit. That logic could totally be true. There is no way of knowing unless you try. But my point is to make sure you’re aware of why the venture investor may be telling you to go long with your company.

A $6mm return on a $30mm exit only gets their fund 6% of the way to being returned ($6mm / $100mm = 6%). If you instead raised a $6mm Series A at a $30mm post-money valuation, the investor gets to go back to their LPs and show how their investment has created a 5x uptick in value over 12 - 18 months (($30mm - $5mm) / $5mm = 5x). That kind of uptick becomes investor deck material for their LPs.

Your company has become an indicator of a positive investment they’ve made tracking to potentially offer a massive return for the fund. Great VC might then suggest to their LPs “How about writing us another check for Great VC Fund III so you can continue getting access to these types of deals?” The suggestion to contribute to another fund is also known as the ABC’s of venture capital: Always Be Closing your next fund.

Understanding how the money is made

The point of this piece isn’t to say venture investors are bad. Rather, a good investor with the right motives and alignment with your company can be extremely helpful. Just make sure you’re cognizant that venture investors are running a business like you.

If you’re raising venture investment, it’s important that you, the entrepreneur, are educated on the business of venture capital. The more you understand about the motives driving your investor, the better prepared you’ll be to handle the inevitable conversations that will arise on your journey of building a successful company.

Cyber Security Practitioner Series: DNS Analytics, What It Is And Why Is It Important?

We are proud to sponsor and support Hack Secure's ongoing mission to cultivate and support the U.S. cyber security community. Part of that sponsorship is working with Hack Secure to connect with cyber security leaders to share their thoughts on different aspects of the security landscape.

For their next installment in the Cyber Security Practitioner Series, they interviewed AlphaSOC co-founder Chris McNab about DNS (Domain Name Server) analytics, its importance, and what AlphaSOC is doing about it.

To check out the interview click the link below:

The Secret to Building a Successful Company

As an entrepreneur, my goal is to build successful companies. My assumption is that you’re reading this because you want to build a successful company too. So what’s the secret? Define what success means to you.

For the past 3 years I’ve had the opportunity to work in venture capital. I talk to entrepreneurs every day who are looking to raise early stage investment funding. The question that I lean on to learn how an entrepreneur views success is: Why are you building this company?

I hear all kinds of answers. Some “want to change the world”, some have felt the pain of the problem they’re trying to solve, some are looking to escape their current job, some think they have the next disruptive technology while others want to be the next Snapchat, Facebook, Amazon, etc. None of these answers are right or wrong. Rather, these answers are informative of what’s important to the entrepreneur and the potential choices they’ll make in the future.

In my opinion, all of these answers can be distilled into two categories: ego and money.

We live in a startup culture where we’re enraptured with on-paper success. We love reading about the latest fundraising announcements that flood our daily newsletters, blogs and Twitter feeds. We can’t stop talking about “Unicorn” companies that have been valued at over $1B. We idolize the founders and investors who have built these iconic brands and go to conferences to learn more about how they built their “Unicorn”.

Indexing on big valuations as an indicator of success is the ego part of building a company. The larger the valuation and the more capital a company has raised, the more publicity there is for the company’s brand, founders and investors. However, viewing fundraising as a measure of success misses the mark on what I would consider the most important metric: maximizing shareholder return. Otherwise known as... Money.

Every time an entrepreneur raises capital at a higher valuation, generating liquidity for their shareholders becomes much more difficult. Shareholders (that includes founders, investors, employee option holders) are looking for a return on their investment (time spent working at the company and dollars invested). As a company’s valuation increases, the entrepreneur’s options for creating liquidity for their shareholders decrease as the number of acquirers able to pay for the company decreases.

Raising money and increasing one’s valuation is not necessarily a bad choice so long as the entrepreneur is cognizant of how they’re going to be able to create a considerable amount of additional value that they can ultimately return to their shareholders in the form of liquid capital.

When setting out to start a company, we all strive to build something successful. The real question is, what do you consider success? My advice to entrepreneurs is, if you want to build a successful company, focus more on figuring out how you’ll ultimately create liquid value for yourself and the rest of your shareholders as opposed to boasting about that flashy fundraising valuation.

Cyber Security Practitioner Series: Information Security as a Revenue Driver for the Enterprise

We are proud to sponsor and support Hack Secure's ongoing mission to cultivate and support the U.S. cyber security community. Part of that sponsorship is working with Hack Secure to connect with cyber security leaders to share their thoughts on different aspects of the security landscape.

The first interview in this series is with Brian Castagna, Director of Information Security at Oracle Bare Metal Cloud. Brian is a big advocate for leveraging a strong information security program as a revenue driver. Check out his interview with Hack Secure to learn more.