$1.5bn EV SecurityScorecard is a Cyber Security Data & Analytics leader
TL;DR - A near-term liquidity event seems likely for a key player in the high value and fast-growing sub-sector of Cyber Security Data & Analytics
As ever, when I start writing an analysis of a company, I end up going down a deep rabbit hole of research.
I have been tangentially aware of SecurityScorecard for many years, but have never taken the time to really dig into them, or the broader Cyber Security Data & Analytics market, properly.
So when they appeared on my radar again this week, I thought I would take the opportunity.
My main takeaway - what a huge, high value and fast-growing sub-sector of Data & Analytics Cyber Security is. The rabbit hole is very deep!
There are several Cyber Security Data & Analytics businesses, including SecurityScorecard, which are roughly 10 years old (or less) and worth over $1bn.
Now that’s a number that makes you sit up and take notice!
Origin Story
SecurityScorecard was founded in 2013 by chess-obsessive, cryptography PhD and former audio streaming CTO, Aleksandr Yampolskiy, and his co-founder Sam Kassoumeh. The pair met at Gilt Groupe, the online fashion retailer.
In Yampolskiy’s words:
I held various leadership security positions at Goldman Sachs and Oracle before becoming the CISO at Gilt Groupe. I was working alongside Sam Kassoumeh, (now the COO and co-founder of SecurityScorecard) and we had different kinds of tools at our disposal to help us do our jobs. However, our Marketing team would sign contracts with vendors that we didn’t think we had enough visibility around. How could we understand how working with them would put our data at risk if there was no way to really measure or even understand how secure they were? All of a sudden, my job security felt precarious. If one of our vendors was breached, our data would be accessed and I could lose my job in a heartbeat.
Needless to say, this caused Sam and I a great deal of stress (and heartburn). We wished there was a way to compute a security score and have a holistic understanding of cyber risk, similar to what credit scores help financial institutions understand the risk of individuals. This is what sparked the idea for SecurityScorecard security ratings.
We thought, “What if we could engineer a way that would allow one company a deep view into another company’s security posture that would be instant, accurate, and independently verifiable without having to ask permission or wait around for weeks for answers to important security questions?” We strongly believed there were non-intrusive ways to obtain a clearer picture of the security health of a company. It was truly a ‘lightbulb’ moment.
What does SecurityScorecard do?
It’s always wonderful to find that someone has already done the work for you, isn’t it?
This interview with ComputerWeekly does a great job of getting into the detail of how SecurityScorecard works:
At its core, the SecurityScorecard platform is a database of companies scored by various cyber risk factors, giving users insights into the security postures and risk profiles of any organisation they do business with, or care to run a search on.
How are these scores calculated? First, SecurityScorecard looks at the attack surface of an organisation from without, using non-intrusive scanning methods to collect signals about organisations.
“Just like you can walk in the neighbourhood and see a broken window or graffiti on the wall, you can deduce without walking into a house that maybe it’s not been well maintained on the inside. Similarly, for companies, there are hundreds of signals you can pick up non-intrusively,” says Yampolskiy.
“A simple example would be, you look at a website, and you see on the bottom of the site, ‘copyright 2005’. Well, it’s 2024, right? So it’s not a vulnerability, you can’t exploit it, but you just determined that they’re not updating the website proactively [so] how diligent are they going to be in resisting an attack of another sort?”
To this information it then applies a statistical model based on almost a decade of historical data to benchmark the organisation against others in its peer group, arriving at a final score. The algorithm it uses is published publicly, Yampolskiy being a big advocate for transparency in how the organisation operates.
If you want to get into the exact nuts and bolts of the ratings, you can read more about them here.
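The kind of non-intrusive signal Yampolskiy describes, as an added example that is not SecurityScorecard's code or its published algorithm: it reads the copyright year from a page footer and ranks its staleness against a peer group. The share-of-peers ranking is an assumed stand-in for the statistical model, and the sample pages are constructed.

```python
import html
import re

# A copyright marker followed, within the same text run, by a year or year range.
_NOTICE = re.compile(
    r"(?:©|\(c\)|copyright)[^<>\n]{0,40}?\b((?:19|20)\d{2})\b"
    r"(?:\s*[-\u2013]\s*((?:19|20)\d{2})\b)?",
    re.IGNORECASE,
)

def footer_copyright_year(page: str):
    """Return the most recent year named in any copyright notice, or None."""
    text = html.unescape(page)  # turns &copy; into the literal symbol
    years = [int(y) for m in _NOTICE.finditer(text) for y in m.groups() if y]
    return max(years) if years else None

def staleness(page: str, current_year: int):
    """Years since the notice was last updated; None when no notice is found."""
    year = footer_copyright_year(page)
    if year is None:
        return None  # a missing notice is not evidence either way
    return max(0, current_year - year)

def peer_percentile(value: int, peers: list[int]) -> float:
    """Share of peers at least as stale as `value` (1.0 = best in group)."""
    if not peers:
        raise ValueError("need at least one peer observation")
    return sum(1 for p in peers if p >= value) / len(peers)

# Constructed sample pages (hypothetical vendors, not real sites).
SAMPLES = {
    "vendor-a": "<footer>&copy; 2005 Vendor A Ltd. All rights reserved.</footer>",
    "vendor-b": "<footer>Copyright (c) 2019-2024 Vendor B</footer>",
    "vendor-c": "<footer>© 2022 Vendor C</footer>",
    "vendor-d": "<footer>Contact us</footer>",
}

def benchmark(current_year: int = 2024):
    """Map each sample to (years stale, peer percentile); None when unobserved."""
    observed = {k: staleness(v, current_year) for k, v in SAMPLES.items()}
    known = [s for s in observed.values() if s is not None]
    return {k: (s, None if s is None else peer_percentile(s, known))
            for k, s in observed.items()}

if __name__ == "__main__":
    for name, (stale, pct) in benchmark().items():
        print(name, stale, pct)
```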
The ratings include in the order of 200 indicators, sorted into X factor categories, including:
Application Security
Cubit Score
DNS Health
Endpoint Security
Hack Chatter
Information Leak
IP Reputation
Network Security
Patching Cadence
Social Engineering
Once SecurityScorecard has gathered this data (and it’s continually scanning for updates) it analyses the data and produces the scores.
If you own, or have an IT or a compliance-related role at, a company and want to know what your SecurityScorecard security rating is, you can get yours for free here. But you will, of course, then be entering their sales funnel ;-)
As an example, here’s the rating for Benchmark Mineral Intelligence, who we profiled a few weeks ago.
You can see that currently they’re not a client of SecurityScorecard.
Beyond the free version of the product, SecurityScorecard is selling subscription access to the data, and analytics tools around it, at increasing levels of functionality and price.
This culminates in their newly released MAX product, which also combines a service layer, effectively enabling you to create an outsourced threat resolution function for your business. This looks like the productisation of LIFARS, the cyber services business they acquired in 2022.
SecurityScorecard’s current position
SecurityScorecard have grown dramatically since they started, as you would expect from a company that has taken something in the region of $290m of funding in its lifetime.
Its last raise in 2021 valued the company at roughly $1bn, and it has continued to grow since then, so the current EV may be nearer $1.5bn.
As ever with US private companies, there is very little financial information in the public domain (and no mutterings about an IPO either to give us hope that we might get clarity).
One indicator we can get about the likely performance of a business comes from its employee numbers. Thanks to Live Data Technologies (thanks to Jason Saltzman there for his patience!), we can see that this year has seen a 9% decline in employee numbers at SecurityScorecard.
This may mean that the company is getting more efficient, or looking to increase profitability ahead of some kind of liquidity event, but it is unusual to see a decline in numbers across every department like this.
What next for SecurityScorecard?
Compared to some of their competitors, BitSight and Safe Security in particular, SecurityScorecard have been parsimonious when it comes to splashing their investors’ cash on acquisitions. Two small tuck-in acquisitions - LIFARS and CVEDetails - are the only acquisitions they have made so far.
Will they make more? Their track record suggests they won’t be highly acquisitive, but the LIFARS deal shows that they are thinking about other ways in which to monetise their data, so they may surprise us.
More pressing is the need to reward all of those investors who have poured money into the business.
Some kind of exit must be on the cards.
Two of their near peers, Rapid7 (2015) and CrowdStrike (2019), have IPOed. This is a potential option - a window for IPOs appears to be opening at the moment.
A combination with one of their competitors in a mega-PE-backed consolidation play is also a possibility. If I were a partner somewhere like Carlyle, EQT, KKR or Warburg Pincus I would be on the phones trying to make this happen…
Interesting links
Information Industry Data & Analytics provider Outsell is 30! Founder Anthea Stratigos has written a from-the-heart post sharing the journey, which concludes with some great advice for Data & Analytics entrepreneurs;
OAG’s blog has an insightful analysis of the future of the Aviation Data & Analytics market;
Michael Sidgmore at
has done a great job of analysing CVC ahead of their upcoming IPO: