The 2020 French Cyber-Security Startups Radar: our analysis

The radar shows 16 young startups created between early 2019 and August 2020. Among these startups, we can see that:

• More than a quarter focus on data protection topics: Olvid, Protected, Pineapple Technology, BusterAI
• Nearly another quarter on vulnerability management and operational security activities: Patrowl, V6Protect, Purplemet.
• Endpoint protection (Nucleon Security, Glimps) completes the podium of the main themes addressed by these new startups.

We want to raise your attention to Malizen, a startup which is positioned on threat hunting and assistance to investigations by incident response teams, a topic that is still little represented in today’s ecosystem. Moabi’s position on firmware security auditing (embedded software) is also interesting in terms of connected objects security.

These new startups most often originate from the identification of a gap in the market by one of the founders during a previous professional experience. This year, however, two companies, Malizen and CryptoNext, have emerged from research projects. This is a small but interesting figure compared to previous years, especially in a French context where the world of research and that of cybersecurity are still too separate.

The startups relationship to innovation remains stable compared to previous years. 30% of startups are disruptive and create new security solutions and 8% secure new uses (IoT, Cloud, etc.). However, the majority (62%) of startups reinvent existing solutions by proposing improvements. Despite the lack of direct innovation, these startups can be very successful if they demonstrate business agility. A perfect example is Egerie Software, which quickly tackled the issue of digitizing the Ebios Risk Manager risk analysis method developed by ANSSI.

In terms of innovation, we can emphasize cryptography, as current encryption methods are threatened by quantum computing. This is precisely the aim of Cryptonext, a startup committed to providing robust encryption solutions in the face of these new threats, as it is focusing on post-quantum cryptography. Another startup, Cosmian, is focusing on the “confidential computing” trend, which makes it possible to encrypt data stored in the cloud using a homomorphic encryption algorithm, and then use encrypted data in the cloud without having to entrust the key to the service provider. Scille is another one to follow, as it introduced the CYOK concept (Create and Control Your Own Key) through its Parsec solution, that makes the user workstation the only trusted entity that automatically generates encryption keys.

Still at the center of the CISO’s concerns, the user is offered new innovative means of being made aware of security, with Cyberzen’s augmented reality, or HIA Secure’s new authentication methods using “human intelligence”, where the user himself generates single-use codes after solving challenges consisting of a sequence of symbols and characters.

With the generalization of teleworking for all employees, the health crisis of Covid-19 has also reinforced the need to secure the terminals. New French Endpoint Detection and Response (EDR) solutions continue to emerge, such as the Nucléon startup. Some are even going further regarding innovation, such as Glimps (created by four former DGA – the French Defence Procurement Agency – employees), which is trying to revolutionize malware detection and analysis by conceptualizing the compiled code, which allows them to free themselves from the modifications induced by the compilation, the target architecture and thus detect unknown threats on non-standard systems.

Many companies want to democratize the use of agile methodologies, while integrating security into these processes remains a real challenge in most cases. Intuitem tries to remedy this by providing the necessary tools to monitor their Agile Security Framework.

Finally, with the emergence of connected objects, the need for a secure IoT platform is more important than ever, this is what Tarides proposes through its OSMOSE solution.

20 startups are leaving the radar this year, 6 less than last year. Of these exits, 5 are very fast growing (exceeding 35 employees in less than 7 years of existence) and 1 is due to a buyout. This continuity compared to last year demonstrates a growing capability of the French startup ecosystem, as some “scale-ups” are emerging in the cybersecurity field and can expect to attract the largest buyers or larger funds. As such, we are launching, together with BPI France, a first non-exhaustive monitoring of this category. The aim will be to complete the scale-ups list with the startups that will leave the radar in the coming years, due to very rapid growth.

A smaller proportion of startups are removed from the radar solely because of their seniority (20% this year compared to 37% in 2019). This year, we are seeing the first projects put “on hold” (20%, unrelated to the health crisis) and those shifting from cybersecurity to other fields (20%).

The health crisis does not seem to have shaken the willingness of startups to internationalize: this year, nearly 63% of the startups say they have customers abroad compared to 50% one year ago and 13% of the startups are thinking about going abroad. Cybersecurity is indeed a global issue and going international may prove to be an opportunity for startups, with countries where cybersecurity market is more mature or important than in France.

Regarding startup expansion targets, 55% want to expand beyond European markets. The US market is the preferred target for a third of startups wishing to expand on an international scale, and some French gems like Sqreen or Alsid have already taken this direction.

However, the Asian market should not be forgotten, which, even if it is less successful (only 18% of startups interested), can prove to be promising. It is a large market, where a targeted approach is necessary. Indeed, it may be interesting to start by targeting the economic centers of Hong Kong and Singapore, known to be good bridges between Europe and Asia. Singapore is particularly dynamic in cybersecurity with a historic investor (SingTel) and incubation structures widely mobilized, such as ICE71 or the branch of the English incubator CylonLab. However, Hong Kong remains strong, with a significant number of acceleration programs such as Cyberport and the DIP (Design Incubation Program).

The French cybersecurity ecosystem is in full renewal. Numerous initiatives were launched between 2019 and 2020.

In October 2019, the Ministry of the Armed Forces inaugurated the “Cyber Defense Factory“. It is a place for cross innovation between the civilian and military worlds. Based in Rennes, this facility enables startups, SMEs and academics to work together with DGA experts and military operational staff on cybersecurity issues. It will also provide access for selected companies to certain data from the government.

In addition, the Strategic Committee for the “Security Industries” sector has seen its strategic contract signed with the State. The latter includes a dedicated section for cybersecurity aimed at bringing out France’s potential in terms of cybersecurity by aligning and mobilizing the various players on policies for education, innovation and technological development. Concretely, it will promote the private/public relationships, as well as initiatives on the innovation front. The first major results are expected in 2021.

The Grands Défis initiative, which stems from Cédric Villani’s work on artificial intelligence, saw the publication of its cybersecurity roadmap in July 2020. With a 30-million-euros budget, it highlights key themes such as cybersecurity automation, SMEs security and IoT security. A call for applications has been opened by BPI France and will close in 2021. The roadmap also highlights the importance of cybersecurity, pushing for the creation of a dedicated structure to help entrepreneurs get started and support them as early as possible.

Finally, the Cyber Campus project has been validated at the highest level of the State. The creation of this emblematic site aims at bringing together the driving forces of French cybersecurity, obviously to better protect our country and its strategic assets, but also to develop its economy and promote France abroad on this theme. Innovation should be widely represented, with the presence of start-ups, demonstration areas and even initiatives to accelerate or incubate cybersecurity startups. It is scheduled to open in 2021.

Despite a major health crisis having a major impact, the vast majority of startups remain confident about their future (more than 80% of the startups surveyed).  Some client companies have even prioritized their cyber security activities to strengthen their position in this unprecedented context.

Thus, 34% of the startups surveyed stated that they were balanced in terms of business opportunities, with those lost since mid-March having been able to make up for those lost. 21% of them have even seen an increase!

A reassuring figure, to be put into perspective, as more than a third (37%) of them have suffered losses in market share, notably due to investment halt for certain clients. Some still have trouble giving their opinion due to a lack of commercial visibility (8%).

On this last point, the relevance of the sector of activity of these startups to the new challenges brought about by the health crisis is probably related. The majority of those who resist are in fact addressing issues raised by the forced generalization of remote access to information systems: data protection and secure exchanges, monitoring and protection of assets, and access management. The reorientation of their commercial efforts towards resilient sectors, such as healthcare, is probably another factor in these results.

75% of the startups surveyed also took advantage of the period to refocus on R&D or their products marketing.

These figures demonstrate the ability of startups to cope with the crisis, despite the adversity and uncertainty it brings, through their great flexibility and responsiveness capabilities. It also highlights the cybersecurity sector resilience, as it remains a key challenge for companies. Even in this period of economic crisis, they continue to seek ever more relevant and effective solutions to guarantee their security.

We compare here two fundraising periods on the whole ecosystem (cybersecurity startups and scale-ups): period 2019-2020 (from July 2019 to June 2020) and period 2018-2019 (from July 2018 to June 2019).

The qualitative resilience of the ecosystem noted above masks a more negative situation on fundraising. The 100 million euros raised in cyber security over the period 2019-2020 is far less compared to the more than 260 million euros raised in the previous one, 2018-2019.

However, the 2018-2019 period had been exceptional: 7 radar startups had raised around 10 million euros, 2 were close to 200 million euros alone. Fundraising in previous years had never reached such levels.

2019-2020 has been exceptional as well, but in a very different way. Great fundraisings took place until February: the top 4 was achieved over this period. Unfortunately, the activity was quickly impacted by the health crisis. Several surveys planned between February and April were postponed.

However, a restart was observed in April (Stamus Networks) and interesting fundraisings followed in June (e.g. Didomi, Quarkslab). These results point to a more successful end of the year.

As also foreseen by ACE-Management (please find here the interview), a lag effect of a few months in investments seems to be emerging, rather than a decrease, once again highlighting the dynamism of the cybersecurity market.

Another interesting aspect of the 2019-2020 period is that weaker fundraising is on the rise. 7 startups have raised between 2.5 and 5 million euros compared to only 3 in the previous period. Is this a potential indicator of the growing willingness of startups to raise funds early in order to accelerate their development? Or perhaps we are witnessing the preparation of the next generations of scale-ups? In any case, it is a very positive sign for ecosystem dynamic.

Given the exceptional characteristics of the two periods, it sounds difficult to draw a definitive analysis. We hope to see you next year, as it will be necessary to put those findings in perspective.

Clients also have a key role to play in the development of French startups.

In this respect, we see that companies increasingly trust French startups and support them while testing them: 70% of them carry out “Proof of Concepts” financed by their clients against 67% last year. An increase that we can only welcome, as these investments allow French gems to develop faster.

However, to continue to support this ecosystem development, it is also necessary to accept the risk of transforming the trial by contracting with the solutions tested. This year, companies are finding it harder to do this quickly: 30% of them may take more than six months to sign a contract after a POC, compared with 25% in 2019. The health crisis may partly explain this situation.

Working with a startup can certainly be risky, but it is also a gamble on the future. They can provide solutions to problems to which the “traditional” market has not provided answers for many years, enable you to remain at the cutting edge, or even provide greater support for business innovation (e.g. by securing new uses), and ultimately provide major differentiators. Some countries are keen to take this type of risk, and this is less the case in France, but nothing is stopping us from transforming ourselves.

Even if it seems trivial, it is important to remember how crucial for a startup to position itself on issues that have few or no satisfactory answers on the “classic” market.

To do so, it is essential for startups to be attentive to the needs of their future clients and to position themselves on their crucial issues.

The identification should not only be technological but should also take into account criteria such as the difficulty of integrating the technology into the client’s information system, the existence of established competition or the willingness of the main principals to invest in a new technology. It is the combination of these criteria that makes it possible to identify the topics that will be the most successful on the market!

Products that require the installation of elements on many IS equipments (e.g. a new security agent on workstations) are particularly difficult to “sell” to large companies that are already equipped. More passive approaches are more attractive to them. This can be done even more easily for still rapidly evolving themes such as surveillance or analysis of IS logs.

Competition from large, well-established players can be difficult for a start-up to overcome. This is the case in the EDR market, for example, where strong differentiating arguments will be necessary to break through against major players that are already recognized. Conversely, themes such as cyber-resilience and cryptography, for example, remain under-addressed in relation to market expectations, and would therefore be easier to break through from this point of view.

Finally, the investment willingness of the principals should also be considered. Regarding cryptography, for instance, the arrival of quantum computers is still too far away for it to be part of their imminent concerns, as the horizon in the private sector is certainly around 2023/2024. Data anonymization, while keeping anonymized databases consistency (synthetic data), Data Leakage Prevention or Passwordless are also major concerns for companies, which still do not have satisfactory answers on the market. The rationalization of CISO tools, which are currently more in search of optimization than investment in nth security solutions, is a topic that will be much more considered in the short term.

This year, another 32% of the startups surveyed do not plan to raise funds, and more than half of them have never been supported in their development.

Financing and support are nevertheless interesting accelerators, even more in the extremely fast cybersecurity market, where speed of market conquest is a crucial asset (feedback from ACE-Management on the topic to be found here).

This lack of willingness to accelerators, which has been observed for several years, can partly be explained by a historical lack of specialized cybersecurity structures in France, making it more complex for startups to exchange information and to make the most of them.

However, the situation has improved and the consideration of cybersecurity at the national level is particularly accelerating this year:

• The State is mobilizing funds for innovation, particularly in the cybersecurity sector, for which the economic recovery plan provides at least 136 million euros;
• A major challenge dedicated to cybersecurity has been launched, the publication of its roadmap in July this year was followed by a call for projects from BPI France with investments of several tens of millions of euros;
• The French fund Brienne III, officially launched in June 2019 with a first round of financing at 80 million euros and managed by ACE-Management, specializes in cybersecurity. Other investors do not hesitate today to finance initiatives in this field.

So many opportunities to be used for the startups in the ecosystem, and it would be a shame to do without it today. Current events highlight even more the fact that now is the right time to turn to these accelerators, as cybersecurity appears to be an essential part of the “new world”, where teleworking will remain a long-term phenomenon.

As we have seen, initiatives for the development of cybersecurity are springing up: the State is mobilizing (cyberdefense factory, grand défi, sector contract, cyber campus…), investors and incubators are also launching private initiatives.

The state is opening up widely thanks to these initiatives and is adopting an increasingly innovative stance. We hope that this will encourage employees of concerned entities to embark on the entrepreneurial adventure. Indeed, our cyber state actors have unparalleled visibility of the threat and use tools or approaches that would be beneficial to offer to the private sector in the short or medium term. The creation of spin-offs is still too small in France compared to other countries, such as Israel and the United States, where state entities are among the first providers of startuppers.

The challenge now will be to make the most of this diversity of potential energizers of the French cyber ecosystem. The risk would be that these means of supporting the market would compete and disperse, operating in silos, to the point of causing confusion and “blurring” the messages to the players in the ecosystem.

And that would be really damaging. We are at the dawn of a pivotal year for our ecosystem: all the components seem to come together to achieve its transformation and allow it to scale up. The question now seems to be: will we collectively succeed in making this movement a reality? Because in order to do this, it seems essential to us to join forces in presence, to catalyze them towards this common goal. A role that the cyber campus could play?

And that would be really damaging. We are at the dawn of a pivotal year for our ecosystem: all the components seem to be coming together to achieve its transformation and allow it to scale up. The question now seems to be: will we collectively succeed in making this movement a reality? In order to do so, it seems essential to join forces and to catalyze them towards this common goal. Is it a role that the Cyber Campus could play?