Governance & Risk Management , Security Operations , Vulnerability Assessment & Penetration Testing (VA/PT)
Picus Security Receives $45M to Enhance Exposure Management
Riverwood Capital Leads Investment in Security Validation Firm to Grow in AmericasA security validation startup led by an ex-Turkish Treasury official raised $45 million to correlate insights and provide a unified risk management platform for clients.
Picus Security said the Series C investment from Riverwood Capital will allow the San Francisco-based company to expand its capabilities in attack surface management, automated penetration testing and breach simulation, according to co-founder and CEO Alper Memis. From there, Memis said, Picus wants to correlate insights across these tools to give organizations a unified view of their cyber risk.
"We are the pioneers in breach and attack simulation, but in the last 18 months, we really evolved our technology more like a platform with helping organizations to address exposure management," Memis said. "The idea is to create a platform so that organizations can understand their cyber risk. And we got great perception from the market, and that also translates to the investor community."
Correlating Products to Better Understand Risk
Picus Security, founded in 2013, employs 233 people and has raised $80 million in five rounds of outside funding. The company has been led since inception by Memis, who previously spent 11 years in the Turkish Treasury analyzing the financial markets and formulating debt management and borrowing strategies. Memis said the funding will help Picus invest in product innovation and global expansion (see: New AI Bot Could Take Phishing, Malware to a Whole New Level).
Memis said Riverwood Capital's valuable cybersecurity expertise and network of decision-makers will help Picus sharpen its market strategies and achieve faster growth. The alignment in vision between Picus and Riverwood is a key factor in their partnership, and Memis said Riverwood's experience will be pivotal in helping Picus scale.
"They can help us by reaching a network of decision-makers in a more effective way," Memis said. "We are a product-first company. We love to build products. But how you can bring these products to the market in a more efficient manner? Riverwood has this experience."
Picus will work on providing deeper integration with other cybersecurity products to improve data correlation and create a unified platform that gives organizations a clearer understanding of their cyber risk and the steps needed to mitigate it, he said. Correlating data from various security controls will help companies better understand their cyber risk, according to Memis.
"We would like to correlate all the insights from the different products that we have and provide a unified, holistic, end-to-end cyber risk understanding of the organization that we call exposure prioritization," Memis said. "How I can correlate all the insights and give more meaningful results to the organization? Did I have time to focus on the things that matter most to them? There's a lot of research that we already started working on."
Unleashing More Resources in the United States
Picus wants to increase its footprint in the Americas from 25% of total sales to 50% within two or three years by investing in more sales, marketing and customer success personnel, Memis said. The United States is a key target for Picus due to the size and the maturity of the cybersecurity industry. Fifty percent of global cybersecurity spending comes from the U.S., according to Memis.
"Organizations are telling us, 'I need to invest into five or six different products to understand my cyber risk.' It may be possible from a budgeting angle. It may not be possible from the staffing side of, 'Who's going to manage all these different products?' So, correlating different insights and giving them a unified view of the cyber risk - there's great interest in that in the Americas."
Memis said Picus primarily targets large enterprises in sectors such as banking, finance and insurance, where understanding cyber risk is particularly challenging in complex environments. The company has emphasized a "land and expand" strategy, beginning with one product and growing into a platform-based solution, according to Memis.
The firm competes against traditional breach and attack simulation and security validation players such as SafeBreach, AttackIQ, Horizon and Pentera, as well as vulnerability management players such as Tenable, which now offers exposure management. Memis said Picus differentiates itself by offering a platform that combines breach and attack simulation with automated pen testing and attack surface management.
"In the next two to three years, we will see some of the bigger names like Tenable also coming into this part of the cyber risk assessment," Memis said.
Despite the funding, Memis said, Picus aims to maintain efficiency by ensuring that its revenue growth is not overly reliant on burning through its funding. The company aims to maximize output with minimal resource expenditure and hopes - for instance - to get $30 million in returns with just $10 million in cash.
"You should be part of the solution," Memis said. "You need to have them understand how they are going to fix these gaps in a more automated manner. These are things that we are looking for in order to create value for the CISO community."