Optimism and Challenges: Tales from the European Cybersecurity startups

This article is mainly for: End-users, Investors, Vendors
Topics: Tech Market
Published on: 22 October 2024
Listening to those working in transforming the region into a global cybersecurity leader

 

The Cybersecurity industry has seen relentless growth in recent years, with some multi-billion revenue companies like CrowdStrike and Palo Alto Networks growing at an incredible pace (35% and 25% respectively), new startups and technologies being developed and launched into the market regularly, and Cybersecurity becoming a concern for boards and investors all around the globe.

However, as I wrote in a previous article, Europe isn’t seeing most of the benefits of this boom, as the majority of the global cybersecurity leaders come from other regions.

According to The State of European Tech 2023, a report by Atomico, there’s still growing optimism about the future of the region’s technology ecosystem, even though not at the levels of previous years: there is a noticeable decrease in the amount of investment as well as in the number of unique investors supporting Europe’s companies in 2023.

According to the report, the greatest challenges ahead are connected to the lack of funding, the geopolitical and macro-economic trends, competition from US & China, and regulations.

In order to face those obstacles, collaboration is key. “Europe’s ability to build and scale a tech ecosystem capable of realising its full potential requires a concerted focus from all stakeholders to address challenges that serve as barriers to progress,” remarks the report when analysing the main issues expected by respondents in the next 12 months.

The reality is that some of the mentioned challenges, like the macroeconomic trends or the perceived talent shortage, are affecting not only Europe but the whole world. However, the rest seem to have a deeper impact on the European technology ecosystem, and there are, clearly, other reasons not mentioned in the report.

What I missed in the research by Atomico was the voice of the actual startups and a specific view of the Cybersecurity landscape, so I talked with several of them to understand their view on the matter.

Funding availability and the Support from Governments

Many European Cybersecurity startups rely on government contributions, rather than on venture capital, to get started. There are several national and EU-level programs that are funding local innovators. However, many of them come with limitations, like which type of expenses can be covered by the grant or defining a specific location where people can be employed.

“Originally planning to rely on public grants, we reconsidered due to the time-intensive grant acquisition process and delays in disbursements,” mentioned Lucy Szaszkiewicz, from the Breach and Attack simulation company 1Strike.io (“First Strike”), based in Poland.

The lengthy process, the possibility the grant might not be approved and the limitations make the government funds a blessing as much as a curse in their current state. The alternative is to bootstrap or to raise money from business angels and VCs, but even this seems to be more cumbersome for European startups when compared to other regions.

“It took us more than a year to close our Series A funding from local investors in my last company,” expanded Lorenzo Asuni, a marketing leader in an Italian startup. “The process often is very bureaucratic, and the funds in the last 24 months are mostly focused on revenues rather than team, management, potential of technology and the market.”

Lucy also highlighted similar issues in this area, which made her company reconsider its approach and delay its fundraising due to the declining valuations in the sector in 2023.

As highlighted by Atomico’s report, the lack of funding is the #1 concern regarding the future of European startups and scale-ups. Even though the experience of the interviewees seems to confirm this is an issue, it is, in my opinion, just a by-product of other, more relevant things that we are going to explore below.

Being known & Positioning themselves in the mind of potential Customers

When funding is limited, the tools to compete are as well.

“The main challenge we are facing is to get Oxibox known,” says François Esnol-Feugeas, CEO and Founder of the French backup startup. “We have a very strong technology with a unique value proposition and strong engagement from our partners and customers in the niches we addressed tactically. To scale, we need to raise our profile to become known more broadly as a credible alternative to the market leaders.”

What François mentions is what many European Cybersecurity companies go through. They develop excellent solutions but struggle to position themselves in the market and in the mind of partners and customers.

This is a multi-dimensional problem, connected to funding, especially compared to American competitors, but also to the positioning of their solutions.

“It wasn’t until Gartner created a new product category that matched our proposition that we were able to get our solution considered by more potential buyers,” mentioned Lorenzo.

Many European Cybersecurity startups focus on solving single problems in the best possible way, while those from other regions, like the US, develop their solutions within existing market categories or have enough funds to create their own quickly enough, and then get noticed by analysts, which maximises their reach.

“When we launched Excalibur’s Privileged Access Management, our phone-centric solution wasn’t in line with the outdated and archaic market expectations,” expands Ivan Klimek, Founder and CEO of the Slovak startup. “We needed to spend time in explaining why our approach was better, simpler and more affordable than the competition’s, slowing us down at the beginning of our journey.”

Everything is slower in Europe

The general opinion from the interviewees is that there’s also a different speed to market when comparing European startups to those from other regions, something that is influenced by some of the already mentioned factors.

In general, American companies are perceived as faster because they launch products to market even when they are not fully ready, with the goal of growing fast and extending the functionality (and fixing bugs) later. European cybersecurity startups, by contrast, seem to take considerably more time refining their technology and only go to market once a certain level of quality is achieved.

Not everyone agrees on this, though. The reality, some of them point out, is more connected to funding than to a particular culture, even though they do see a different approach to quality between European and American vendors.

Those who mentioned this topic again pointed to limited growth capital as a major reason for this slowness. American and Israeli companies can allocate funding not only to developing the technology but also to marketing it, as their early investments and series are several orders of magnitude larger than those many European startups are able to secure.

This means European startups aren’t able to invest in technology and market development in parallel, delaying their growth and leaving room for the better-funded American companies to move to market a lot faster.

Home-First or Global-First?

Something that’s clearly cultural and very common is that the majority of the European Cybersecurity startups have a “Home Market First” strategy, focusing their attention primarily on developing their business in their country of origin. While the European Union market has a size that could be comparable to the United States or China, no single country is big enough to be considered in the same league.

By taking time and dedicating their resources to develop their home market first, these companies are at a disadvantage against their counterparts from other regions, as their total addressable market is going to be smaller than that of their global competitors. Moreover, those founded in smaller European countries have an even smaller total addressable market.

Developing beyond their own borders doesn't even seem to be a priority for those supporting local startups.

“We do not see any support to grow beyond the EU. For a company based in France, the culture and focus is addressing the French market. This hinders international development as once companies reach a certain size, it is going to be too hard to do the cultural shift needed to internationalise. There are indeed a few emerging French cyber vendors with 15 to 30M€ of annual revenue with no international presence,” adds François to remark this point.

Growing a company in the United States, a market that shares a common language and business ecosystem and is host to the largest companies in the world, has advantages that no single European country can replicate.

This is inspiring some founders to take a completely different approach. For instance, BforeAI, the company focused on predictive cybersecurity and led by the unremitting Luigi Lenguito, is centring all its efforts on developing the US market first. Similarly, while its goal is to become a leader in the EU market, 1Strike.io is building global partnerships with leaders like Google, Microsoft and Oracle, to reach the global market as well.

Focusing beyond the home-market is key for any company that wants to become a global leader, and in a market as dynamic as cybersecurity, the choices are to become a leader or eventually become irrelevant. A change of culture is needed to address this and create global European-based cybersecurity companies.

Distribution and Alliances

Cybersecurity is a market where trust is paramount, and end users tend to rely on their existing suppliers when looking for new solutions. Moreover, there’s not one single vendor that can fulfil all the security needs of every customer. Therefore, partnerships and alliances are key to succeed in this market.

However, the most important alliances that cybersecurity vendors can join aren’t usually European, nor can they easily find other regional leaders that could be worth partnering with. The majority of global alliances tend to be based in the US, led by US-based vendors or focused primarily on that market, meaning that European startups face an additional obstacle when they need alliances in order to grow globally.

Developing partnerships on the distribution side is also extremely relevant in this industry. There’s almost no major Cybersecurity vendor that doesn’t rely on a network of channel partners and managed services providers to increase its revenues. According to a recent report by Matthew Ball, Chief Analyst at Canalys, 73.2% of the total IT sales in 2024 has been generated through channel partners.

According to many of the interviewees, this is one of the most challenging aspects that cybersecurity startups face. Even though growth can become exponential once a partner network is in place, the beginning of this journey requires resources and dedication that not every company has, as recruiting and onboarding a channel from scratch takes a considerable amount of time.

How to leverage alliances and partnerships to support their growth is something that many European Cybersecurity startups still need to figure out, and the majority of them don’t seem to know how. This is a major obstacle for any company that wants to establish itself as a leader in its industry, and it’s a key factor in the road to success of the vast majority of today’s global cybersecurity companies.

Winds of Change?

“We are of the belief that local governments and associations are progressively recognizing the significance of cybersecurity and are actively taking measures to bolster the industry. Notably, numerous organisations are emerging, demonstrating operational efficiency and unwavering commitment,” commented Lucy, showing there’s hope ahead. “Examples include Cyber Made in Poland, the World Economic Forum, and the European Cyber Security Organisation (ECSO). These entities are contributing significantly to the advancement of cybersecurity, fostering collaboration, and enhancing the overall resilience of the European cyber landscape.”

Not everybody shares the same enthusiasm, as François noted above, but the majority is optimistic about the future. All of them are in different stages of raising funds and/or implementing strategies to grow their companies beyond their home markets.

For instance, Oxibox is raising funds for the first time, and one of their goals is to do exactly that: increase their market recognition and develop a plan to grow outside of the French borders.

“We are going to double the number of people by the end of this year and hire senior and experienced management to go beyond and establish Excalibur globally,” mentioned Ivan.

Another example is BforeAI, which I mentioned before: it has recently finished raising funds and is experiencing incredible recognition in the US, which is inspiring other European startups to go Global-First or at least to consider globalisation as part of their strategies, as Christopher Humfries, Malizen’s CEO, recently pointed out.

The way forward for the European Cybersecurity landscape

There seems to be general optimism about the future of European Cybersecurity startups, and some news seems to support that feeling. For instance, even though growth capital is less available in Europe than in the United States, that seems to be slowly changing, fuelled by both private and public initiatives.

The European Innovation Council has a fund of 10 billion EUR to support startups and new, and European countries are starting to launch their own to support the development of new businesses in the region, like the German DeepTech & Climate Fonds (DTCF). Private investment firms are also raising capital to levels that weren’t available before.

While American VCs invest all over the world, are mainly (or only) focused in Europe, and if those funds grow, that might start to turn the tide.

Funding isn’t the only topic to address, though. Strategy is a more relevant area to re-think, and as more companies in the region consider a “Global-First” approach, that inspires others to follow. This could spark a change from the usual “Home-Market” focus of many to a more aggressive strategy that will pave the way for additional growth.

That change in approach requires the right talent and ambition, which is an issue highlighted by some of the interviewees, as they have not yet been able to find experienced people who have already successfully led European cybersecurity companies to global markets.

That’s a scarce resource, as the globally successful European cybersecurity entrepreneur is, indeed, a “rara avis”. If there aren’t that many EU-based cybersecurity companies that made it globally, there are then even fewer people who can share their experience in doing so and help the current innovators to achieve new heights.

The way forward requires these startups to focus on a more aggressive growth strategy supported by a route to market that involves distribution and alliances, and with a strong positioning focused on benefits and solving customers’ problems. If this is supported by the right talent, and the ecosystem helps with funding, support and removing obstacles, the opportunities outweigh the challenges, and there will be reasons ahead to be optimistic.

If this happens, and there seem to be reasons to believe it will, it’s very probable that several of them will become leaders in their industries within the next 2 years, and that, in my opinion, would be a great thing for the whole sector.


About the author


Ignacio Sbampato
