For as long as coding has existed, we have had a plethora of methods — white-hat testers, software, and more — to validate that code works as it was intended. These days, all that has been kicked into high gear: the growing sophistication of security breaches has turned the process of software verification into a much more urgent task — and a far more complicated one.
“Everyone has a different, evolving approach,” said Alter Memis, the CEO of Picus Security. “The holy grail is creating a connection between them.”
If understanding what the holy grail looks like is half the challenge of finding it, Picus believes it’s well on the way to eternal happiness. The startup’s platform runs continuous validation processes to root out and fix inconsistencies in code and other network activity. And now, after picking up more than 500 enterprise customers and simulating some 1 billion cyberattacks for the likes of MasterCard, Visa, Vodafone and the banking giant ING, it’s announcing a Series C of $45 million to expand its business.
Riverwood Capital, a prolific backer in enterprise technology, is leading the investment with previous backer Earlybird Digital East Fund also participating.
Picus has now raised $80 million to date, and while it’s not disclosing valuation, for some context on that, in 2022, when it last raised funding from investors (a round that included MasterCard), it was valued at a modest $94 million post-money, according to PitchBook data. But since then, the company, based out of San Francisco, has grown to 200 employees and tripled its revenues, with key markets in the Americas leading the way.
Memis came up for the idea for Picus Security with Volkan Ertürk (its CTO) and Dr. Süleyman Özarslan (the VP of Picus’ research arm, Picus Labs). The three were friends going back to their university days studying mathematics, academic work that took them each in different directions. Memis doubled down on business and finance; Ertürk parlayed his mathematical leanings into cyberdefense; and Özarslan became an academic. They all stayed in touch, and one day in 2013 they were chatting.
“We liked to exchange ideas about what might be the next big thing,” Memis said. Ertürk recounted how he was advising on a huge cyber project that appeared to be configured correctly, yet only a month later, the organization got breached. Özarslan suggested that the only way to really help defend a non-static system was to test all the time: the constant shipping of code and data just changed the parameters too often otherwise. Here is where Memis’s expertise also kicked in: the world of finance continually runs simulations to determine what the outcomes for any action might be.
Picus, the company they founded, turned out to be one of the first in the field to really focus in on the idea of continuous validation and simulation testing. Starting as early as 2013, however, before cybersecurity ballooned into the global priority that it is today, and in Turkey to boot, meant that the startup was swimming against the tide. Outside funding did not come fast, and Picus was bootstrapped for the first five years of its life as it worked on the best way to scale and automate its technology and to prove out its idea to the market.
Picus eventually relocated to San Francisco, and as security became a bigger nightmare for organizations, its ideas caught on.
One of Picus’s unique selling points is that it is built to work with the fragmentation that is part and parcel of the enterprise IT market these days. The company says that it has integrations with some 80 other major security partners, which funnel alerts and other activity into Picus’s platform. Its solution incorporates automated penetration testing, breach and attack simulation and rule validation checks across the various silos in order to investigate activity both within specific tools, and so to have a better understanding of how activity in one silo might be related to something happening elsewhere. Security teams can observe all of this on a single dashboard.
Accepting that there will be proprietary systems and tools on a network but taking an open approach to interacting with them is what caught the eye of investors.
“By taking a fresh, open approach to continuous threat exposure management, Picus’ platform empowers organizations to better understand their cyber risks and be proactive against bad actors,” said Joe De Pinho, partner, Riverwood Capital, said in a statement. “Their use of automated pen-testing alongside continuous validation is not only a game-changer today, but also lays the groundwork for how enterprises will safeguard themselves in the future.” De Pinho is taking a board seat with this round.