Something I speak about frequently on Invest Like the Best is the idea of life's work. A more fun way to think about it is that I'm looking for maniacs on a mission. This is the basis for our investment firm, Positive Sum, and it's the reason why I'm so enthusiastic about our presenting sponsor, Ramp.
not only are the founders kareem and eric life's work level founders certainly maniacs on a mission they have created a product that is effectively an unlock for founders and finance team to do more of their life's work by streamlining financial operations
saving everyone their most precious resource time ramp has built a command and control system for corporate cards and expense management you can issue cards manage approvals make vendor payments of all kinds and even automate closing your books all in one place Speaking from my own experience using Ramp for my business, the product is wildly intuitive, simplistic, and makes life so much easier that you'll feel bad for any company who hasn't yet made the switch.
The Ramp team is relentless and the product continues to evolve to save you time that you would never have dreamed of getting back. To me, there is nothing more interesting than technologies that reduce friction for other entrepreneurs to be able to build the thing that they want to.
So much attention has gone to cloud computing, APIs, and other ways of making life easy for founders. What Ramp has done and is doing is build yet another set of tools in this category. To get started, go to ramp.com. Cards issued by Celtic Bank and Sutton Bank, member FDIC. Terms and conditions apply. As an investor, staying ahead of the game means having the right tools, and I want to share one that's become indispensable in my team's own research, AlphaSense.
It's the market intelligence platform trusted by 75% of the world's top hedge funds and 85% of the S&P 100 to make smarter, faster investment decisions. What sets AlphaSense apart is not just its AI-driven access to over 400 million premium sources like company filings, broker research, news, and trade journals, but also its unmatched private market insights.
With their recent acquisition of Tegas, AlphaSense now holds the world's premier library of over 150,000 proprietary expert transcripts from 24,000 public and private companies. Here's the kicker. 75% of all private market expert transcripts are on AlphaSense, and 50% of VC firms on the Midas list conduct their expert calls through the platform.
That's the kind of insight that helps you uncover opportunities, navigate complexity, and make high conviction decisions with speed and confidence. Ready to see what they can do for your investment research? Visit alphasense.com slash invest to get started. Trust me, it's a tool you won't want to work without.
Ridgeline gets me so excited because every investment professional knows this core challenge. You love the core work of investing, but operational complexities eat up valuable time and energy. That's where Ridgeline comes in. Ridgeline is an all-in-one operating system designed specifically for investment managers, and their momentum has been incredible.
With about $350 billion now committed to the platform and a 60% increase in customers since October, firms are flocking to Ridgeline for good reason. They've been leading the investment management tech industry in AI for over a year with 100% of their users opting into their AI capabilities, putting them light years ahead of other vendors thanks to their single source of data.
You don't have to put up with juggling multiple legacy systems and spending endless quarter ends compiling reports. Ridgeline has created a comprehensive cloud platform that handles everything in real time, from trading and portfolio management to compliance and client reporting. It's worth reaching out to Ridgeline to see what the experience can be like with a single platform. Visit ridgelineapps.com to schedule a demo.
Hello and welcome, everyone. I'm Patrick O'Shaughnessy, and this is Invest Like the Best. This show is an open-ended exploration of markets, ideas, stories, and strategies that will help you better invest both your time and your money. If you enjoy these conversations and wanna go deeper, check out Colossus Review, our quarterly publication with in-depth profiles of the people shaping business and investing. You can find Colossus Review along with all of our podcasts at joincolossus.com.
Patrick O'Shaughnessy is the CEO of Positive Sum. All opinions expressed by Patrick and podcast guests are solely their own opinions and do not reflect the opinion of Positive Sum. This podcast is for informational purposes only and should not be relied upon as a basis for investment decisions. Clients of Positive Sum may maintain positions in the securities discussed in this podcast. To learn more, visit psum.vc. My guest today is Gilly Renant.
Gilly is the founder of Cyberstarts, a VC firm focused on cybersecurity and the world's first VC that is majorly backed by cyber entrepreneurs. Cyberstarts' $50 million first fund exploded to close to $2 billion in just three years. Gilly describes cybersecurity today as the perfect storm where global conflicts and AI advancements are creating unprecedented threats. He talks about CyberStart's Sunrise methodology, which uniquely identifies customer pain points before building solutions.
We discuss a focus on finding resilient talent, overcoming personal adversity, the evolution of the cybersecurity landscape, and Google's recent acquisition of Wiz, where CyberStarts was one of the earliest investors. Please enjoy my conversation with Gilly Renan. We're hiring a fan of Invest Like the Best to be its producer. We've grown to reach millions of people with zero marketing efforts so far. It's crazy how little we've done to spread our work, but that will no longer be true.
we want you to take every interview and get wildly creative with how you cut and extend it for our audience across every platform every great conversation should be a starting point you'll build from there You'll be judged on how well you help us spread what we do to reach the most people we can in memorable and impactful ways. To apply, go to joincolossus.com slash producer.
Gilly, I've been so excited to do this with you, in part because in the 500 or so episodes of this, I don't think I've ever talked about the thing you invest in, primarily cybersecurity. And because your personal investing story and life story is so damn interesting, we're going to go all over the place.
Maybe you can just give us the very high level state of the union in cybersecurity today. Cybersecurity for over 35 years, not happy to admit it, but that's reality. So I believe I do have a perspective on it. We live in days. where it's actually the perfect storm in cybersecurity for various reasons. And when I look back at the days I founded Cyberstarts, short of seven years, in 2018, it wasn't the case.
In 2018, cybersecurity was considered a boring portion of IT. I think that what we see today is that there's a global powerhouse conflict that drives major forces into cybersecurity. It's the Ukrainian conflict. The Ghazan conflict, it's all over the world. Offensive cybersecurity became a lethal weapon or even strategic weapon for state and powerhouses involved in those conflicts. So that's one element that's making...
the cybersecurity threat vector so real, so dangerous, so available. And there's a constant drift from state-level cybersecurity weapons to criminal organization and then just... So we live in a very dangerous world, way more dangerous than it was just a few years ago. So that's one. The second element is technology. I think that we've seen the iPhone moment for AI in 2023 or maybe even 2024.
AI is not going to improve cybersecurity. It's going to redefine it. The same technology, the same LLMs, the same AI agents that you'd use to predict attacks and prevent them would be used against you. to deliver attacks at scale and level of sophistication we haven't seen before. And the methods that we developed maybe for the past 80 years, starting in World War II, would be useless because the speed...
scale and sophistication of those attacks would be something that we haven't seen before. The world is a way more dangerous place today. There's lots of risk ahead of us. I'm curious if you could analogize cybersecurity offense and defense. to simple military concepts or something like this. If I think about the evolution of kinetic warfare from muskets up through nuclear weapons or something, is there some similar escalation of the tools being used by attackers?
defenders in cyber? Have the targets changed over time? The goal of the attackers changed over time? If I were to think about the evolution of the battle, what are the key steps in that evolution? Think about modern warfare and the use of technology. It started with better analysis, better decision-making process. Then it moves to human augmentation. Think about the introduction of the first tanks in the First World War or the introduction of the Kalachnikov.
It made humans more lethal. But with AI, there are additional steps. It's the workflow automation. And then the final step where AI takes control. And if you think about a modern warfare, you think about LLMs that quickly put together attack plans that you didn't practice for, you didn't plan for, you don't have a B plan and a C plan for. They're already using AI agents to take control and launch those attacks. On a different side, that means that human augmentation would be an improvement.
For the time being, it might be enough, but it won't be a great solution for the long term. For the long term, you'd have to use LLMs to predict attack vectors in the very same way and give AI agents the control so that you have a chance to respond to those attacks in a timely manner.
That's the future we are going to. There's no question about it. If you've been a fan of the Arnold Schwarzenegger Terminator movies, that's been a science fiction future. I think this is reality today. What does that mean in terms of... attack targets what are the offensive system let's say a bad actor what are they trying to disable what are they trying to shut down what is the primary most damaging strategy of the attacker today the best offensive tactics are always how i driven how do i
apply the highest damage to you in the smallest effort, lowest cost, fastest way. And what damage is always a contextual question. Depends who you are. But we've seen examples of so many different ways to inflict pain on you. on a target. And some of those attacks had very, very simple measures that he used, but the outcome was unbelievable. Could you give an example? If you like to take off a countering and put it on his knees, that takes using conventional methods.
huge amount of resources, times, and coordinated efforts by a lot of people. If you do that through cybersecurity, you can use very simple ways like taking down nameservers for their... power stations, and you leave that country without power for a few days. It's not a highly sophisticated attack. You don't have to have an army of people doing that. And it can happen to any country any day. Now, think about...
an AI agent that's able to produce thousands of scenarios like that and execute all of them simultaneously. That's the technology today. This is not the future thing. That's today. What does that mean in literal terms?
So when you describe it that way, what comes to mind is an agent that can brute force create ways in and just try them all. One lands and is successful in its attack. Is that the right way to think about it? Or is it, if that's a shotgun approach, is it more of a rifle approach enabled by the agent in a way that wasn't possible five years ago?
The deduction model would always be as good as the data provided. Take the analogy in the drugs development industry. If you provide enough information about a certain disease. You build a LLM that can take that patient data, that can take a lot of research and offer recipes for drugs that can, for instance, heal diseases that are considered unhealable. Let's say Alzheimer.
You can use the same LLM and ask for recipes for drugs that can kill people. It's the same system. It's the same method. It's the same software. Now, think about LLM that's fed on data around the software infrastructure of a bank and an AI agent that you use to ask questions like, What are the potential breaches in my infrastructure? And how should I protect myself? It's a very useful agent. The same agent.
You can ask directly or trick to answer the question, how would an attacker breach the defenses of that bank and take that bank offline? So the same technologies that we use for the defense are the technology that would be used on the offense. You've seen that even if you put a lot of guardrails into the model, there are many ways to bypass those guardrails. And that's when AI is in a walled garden. Now you have open source models, and DeepSeq is just one example of it.
where AI is not walled garden anymore. It's in the wild. And anyone can download the model and modify the model. If I think about the average lifespan of a cybersecurity company in this...
state of the world today and let's say the next 20 years. There's that famous chart of like the average lifespan of a company in the S&P 500 that's getting shorter and shorter and shorter. Does that line look even crazier steep for cybersecurity companies if the attack and defense vectors are evolving so quickly? How can a company build enduring value? The answer is fairly straightforward. AI would redefine cybersecurity. It would replace the old ways cybersecurity solutions were architected.
the old systems of building rule-based systems and behavior-based systems so the good guys can fix misconfigurations or patch. buggy software systems, those days are gone. And founders would have to create cybersecurity companies that are AI-first and AI-native just to have a chance to build lasting, important cybersecurity companies.
And that's the reason you see existing players, major players, like our own portfolio companies. You see the level of effort that a major cybersecurity platform like with our Sierra or Island, the level of effort they put in AI, understanding and learning AI and applying AI into their platform. That's not an additive capability to the board.
That's re-architecting the products to make sure they are useful and effective when the attacker is not human and is not just human augmented. It's a machine that attacks you. Can you tell the story of the first fund, which I think will probably go down as one of the most spectacular?
early stage investment funds ever. I would love you to share the numbers and the companies and just what happened. It's the sort of thing of legend now. And then I want to build on that for how you built the business afterwards. It started in 2018. The first fund was small. Tell the story of that first fund. A lot of what happened in that fund relates to
A lot of learnings and mistakes I've made earlier in life. Can you give those? Touch on like some of the major learnings and mistakes and lessons, like the key ingredients that were in place in 2018 from your experience that went into that first investment fund? In 2018, I... Just exited one of the best VCs in the world, Sequoia Capital. Amazing team. Spent a decade as a general partner and beforehand.
I've been a founder and CEO of two software companies. And my conclusion back in 2018 was that the venture model is completely broken. It's broken in so many ways. It's broken for investors. and it's broken for the entrepreneurs. Investors have spent endless amount of time asking about markets and products and technologies which founders at a very early stage at the seed stage clearly they don't have the right answer they don't have an idea and whatever they tell the investor
Anyway, it would change within a few weeks and then change again and change again and change again. And everyone is simply playing a game and dancing the dance, but they're just paying thanks to the system. It has no value, especially it has no value for the recipient of the solution.
because they are not even involved in that dialogue. So when I founded CyberStarts, I made one very important commitment to completely avoid questioning the market, the technology, the product, the competitive advantage. And focus on one thing only, which is the person ahead of me. Focus on the talent. The other thesis I had is hunting for adversities. I'm looking for people who are not straight lines, who didn't have a perfect start for their life.
and managed to overcome it and become successful, although they didn't have a perfect starting point for their life. I had a very humble beginning for CyberStart, started with a $50 million fund, super small. I mean, the first fund I was investing alone out of my office was, still is today, a shipping container I converted into an office situated in my backyard. And I invested in nine teams. And I was the lead investor in all those teams, made rebets.
in people without ideas. And many people thought that's pretty crazy. A grown-up writing large checks to people without ideas, that seems pretty odd. And then three years later, in 2021, I realized that the portfolio of those nine teams is valued over $25 billion, converted the $50 million into close to $2 billion. And more importantly... had a terrific set of companies. Companies like Wiz, a Decacom, the leader in cloud security. Amazing team. We can talk about them a lot.
Companies like Island Security that invented the enterprise browser space, and today is a company that valued at around multi-billion dollars. Companies like Fireblocks. which is the largest blockchain custody service for enterprises, which valued at $8 billion. And as you know, in our business, if you invest early on in terrific companies, if you invest early on in DoorDash or Airbnb, you'll do disgustingly well. But...
A hit rate of four or five unicorns, including one dekacone and a few other companies that each of them got acquired for hundreds of millions of dollars each. That hit rate was a proof point that there's something right about the model, about the thesis.
If you think about that outcome and you decompose it into a couple of things, a bet on cybersecurity, a bet on these nine people, a bet on the business models or the way that they approach the market, and then some other catch-all bucket, what do you think were the most important contributing factors?
to that first fund's success and the success that has continued to happen since. The hit rate's crazy. The number of huge outcomes is crazy. Maybe the fourth bucket is luck. How would you break out the reasons for the success? Luck is definitely important, but on top of luck, think woman buffet.
one said as he works harder and harder he becomes luckier and luckier so definitely luck is important but i think the major factors here are a clear thesis cyber stuff is one simple thesis one sector and uh commitment to deliver real value to the founders we partner with. The clarity of that thesis and the fact we focus just on a single sector and we own it, the founder selection criteria.
And I would love to share some example later on. And the fact that we made our decision-making process super simple by completely eliminating considerations like market, technology, product, competition. business plan, pricing, whatever it is. So we do not waste time on those things initially. We spend our time making sure that we bet on the right athletes. So luck, thesis, founder selection criteria, and then I would add two other factors.
One is the commitment we have to get the product market fit as fast and as efficient as you could. And that's the whole story of our Sunrise program. The Sunrise program means that you do not develop technology or solutions in a vacuum. that you build software, that you build software solutions that people really need and can use on a daily basis. And I would say the last element is that I'm surrounded by
four amazing partners. Each of them is adding tons of experience and value and knowledge and coming from different backgrounds. I think all those five elements, like cyber starts, what it is today. And just to continue the story of CiderStars, today, with all the humble beginning we had, we managed more than $700 million under management across five funds, four seed funds and one continuation fund. The portfolio.
value today, cumulatively, is around $45 billion, which is 50% of the worldwide market cap of private cybersecurity companies. 50%. That means that we seeded 50% of the worldwide market cap for private companies inside of security. And that's under seven years. Pretty good. Yes.
We believe in cybersecurity. Give us another seven years and let's see where we can go from here. Each of the four active funds delivered over 100% IRR to investors. So this is not just a case of one successful first fund and then... living on the success of that fund. I think that we deliver value to founders and to limited partners across all the funds systematically. Let's step through that process, starting with founder traits. So you're betting on people.
many of whom don't have an actual idea yet. And so you're really just incredibly focused on the quality of the person. What have you learned about what matters? What are you looking for? My personal experience as founder and builder taught me that startup is insanely painful.
journey. It's super hard. And like it or not, you're going to face a lot of challenges. And that made me believe I shouldn't simply look for the smartest person in the room. High IQ helps. It's not a bad thing, but it's not the most important thing. The most important thing in my view is the adversity and the ability to overcome it. For me, this is the greatest signal, the best signal for a terrific founder. Take, for instance, Fireblocks founder and CEO Michael Scholder.
Let's start with the company so you understand the context. But Fireblocks is the leading crypto asset custody service for enterprise. It's valued at around $8 billion, thousands of customers, including... BNY Melon and B&B Paribas and ABN Ambro. Fireblocks was my first investment in Cyberstarts in 2018, June 2018. We invested $3 million and that was the seed for Fireblocks. It's an $8 billion company today.
And Michael's personal story is that he immigrated to Israel from the former Soviet Union as a child. He grew up without a father raised by a single mother. And he learned early on in his life to navigate through uncertainty, moving to a new country, learning a new language, learning how to deal with things and push through challenges. I loved it. I thought that's the most important thing.
Michael is a friend, he's a brilliant guy. But I'm sure that there are people out there with higher IQ. But that's not what's important. When he started the company, just a few months after the first investment, we got into the first crypto winter. Six out of the 10 first design partners of Michael went bankrupt. So how do you deal with that? That's a major blow to your plan. Design partners are so important to build a solution.
And he had to simply rethink about the entire plan, about the focus and who the customers are. I think that his childhood experience, the roughness in him, the life experience that you'd face challenges.
and you'll manage to overcome them, that's what kept him moving forward and overcoming those challenges and building an amazing business. How much of your evaluation of these people is effectively just saying, tell me your life story? And that if they literally just answered that question in detail, it would be all you need.
And if it's not all you need, what else do you need? It's part of what I need. It always goes there. But I learned that what's important in the story is not the what. It's the why. It's not about what you did. It's about why you did. Why you choose to do that. Why you pick.
job a and not job b why you pick that partner in life not another partner it's always about the why so it's not just about a unique heartbreaking life story it's spending time with an individual and understanding the way they make decisions, the way they analyze the situation, what drives them, what really makes them tick.
It's not so much about what they did and what accomplishments they managed to achieve, etc. It's always nice to know that, but that's not what's important. If you think about the next step, you select someone, they've got this personality type that you love. You then go on a hunt for...
the right problem. And maybe this is just the excuse to talk about the sunrise methodology that you've established. Walk us through that process. I want to highlight how strange this is relative to, if you think about the outcome so far, I'm not aware of another early stage investor that's this systematic.
with this high a hit rate in such a narrow field. And so I think spending extra time on the methodology from here, let's just assume you can find great people, which I know is hard, but you've got a batch of great people. What was the origin story behind Sunrise? How did it come to be? I think that in order to tell the full story of the sunrise, I have to go back to 1997 and my first startup experience. By that time, I just finished a decade of service at the Israeli NSA in 8200.
tell you more about it in a few minutes. And by the way, the 8200 formation years for myself and got to work with a set of people. And in many ways, those were the years where the cybersecurity market in Israel was... created. I worked with folks like Shlomo Kramer, who is the founder of Checkpoint and Cato Networks today, and Gil Shred, the Checkpoint CEO and founder, was just two years older than I am, and we heard many stories about him.
The officer that was sitting next to my office was Nir Tsuk from Palo Alto Networks. So those were formation days. And I left the service and started a company. And we raised money from Sequoia Capital. So that was the first time I encountered into Sequoia Capital. Pierre Lamont was on my boat. We didn't have a clear idea what we want to build.
One of the first technologies we thought to develop the company around was a challenge response system that would distinguish between a human and a bot and a machine. Years after, I realized that the name for that technology is CAPTCHA. So... We had the luck to invent Captcha and build the first working prototype of Captcha. I hired two 16-year-old kids. At that point, we were not well-funded enough. I hired two 16-year-old kids. Later, you know, Ohad Pressman.
was the CTO of Chegg and Eyal Navron, who later became the CTO of Hippo Insurance. Two very successful companies and two very smart individuals. But their first real project in a commercial world was to build the first capture. So we built the first capture.
And we tried as hard as we can. And we couldn't find a business model for the technology. And that taught me a lesson. And we had to pivot into something else. And luckily, we pivoted into the web application firewall space. We were the first team to build a web application firewall.
that was the path that company perfecto technology that later renamed into sanctum managed to build itself and that company later merged with watchfire and it got acquired by ibm but that lesson of capture that you can invent and build a very impactful technology almost every person on the planet uses and still you're unable to find a business model for the technology that lesson convinced me that i was completely wrong about the way i approach my startup starting with the technology
and then search who has a problem that that technology solves. The process should be reversed, completely reversed. We should first look at what are the important pain points in a market, find the customers, find who's willing to spend money. on solving that problem, and then go and build a solution that mere mortals can use. And that shift in order, as simple as it sounds, I think that's what made CyberStarts as successful as it is, and that's what helped.
all those amazing founders really feel the full potential of their talents. We continue to evolve the Sunrise methodology because it's not just around product market feed. It's actually a program that takes an entrepreneur from day one, from inception. through the first three or four years of running their business. But the early days of the sunrise is all around focusing on finding the most important pain point in the market. And you do that by going out and speaking with large organizations.
making sure you understand their priorities, what gives them the most and only that. Can you describe that piece specifically in some detail? The tactical method for who you're talking to, how many people you talk to, how often you do, like the real details here. I think it's such an interesting process. So keep in mind that our company is B2B SaaS. So all of them sell to large organizations. So obviously large organizations are the customers and they are who you like to ask the questions.
And the best person to ask is the chief information security officer that oversees the security operation for that business. The idea behind Sunrise process is that you are going to chase pain and identify pain. That requires a lot of smartness. Because if you're going to ask, go out and ask the chief information security officer. This week, what's your biggest pain? You'll get one answer. You ask the same person the same question in a week, you get a different answer.
And then another week, you'll get another answer. And they're not playing games. They're just being human. There are other ways to identify pain. For instance, one of my most favorite questions is, who's the vendor you hate the most? Because if you don't like a vendor, that's a big motivation for you to displace that vendor. Another important observation is words are cheap. So don't look at what the customer says. Look at what the customer does.
Which means if you are running security for a large bank, you probably manage budgets of hundreds of millions of dollars. And if you claim that there's one thing that... inflicting a lot of pain for you you worry about that you think that your bank is at risk and you haven't done anything about it probably not as important as you claim
So you probably have done something. You have downloaded an open source package to start out. You put two consultants to develop a temporary solution. You had real conversation with Palo Alto Networks or WEEZ to see if they can solve that. issue for you. You've done something. So we are asking them not about their opinions, but what they actually did to try and deal with that pain point.
Eventually, we reverse the power balance in the conversation because we are not asking for favors. We are telling those organizations, hey, this is a new CyberStarts team. That new team would spend about $100 million. in the next three years on engineering alone to build one solution. That's the average for a cyber starts company, $100 million R&D budget for three years. What is the one thing that you care about that you'd like us to solve with our $100 million?
You don't need to spend anything on that. We are giving you essentially $100 million off balance sheet to solve one pain point for your organization. And I found out that when you give people $100 million virtually, they listen and they think.
And then you take those answers and you're not having one conversation or two conversations. I think that to have a meaningful, a statistically meaningful outcome, you need to talk to dozens of organizations. You speak with dozens of organizations and you make a choice. This is the one pain point I'm going to go after.
And then you do another round of conversations, assuming you go after that pain point and ask them questions, how a solution would look like. Because you really like the solution to be loved by the users. And only then, and sometimes it takes six months, only then you start to build software.
And if you think about the typical startup, when they get money from VCs, they start to get pressure to build software and push forward and hire people. And my approach is almost the opposite. Sit tight. Don't get too excited. This is your last chance. to pick the right problem to go after. So let's make sure we pick right. The outcome is that they build software that solves a major pain point. It's verified with dozens of real customers. And they've built a solution that people would love.
because they talked to those people before they started to build code. Now, it doesn't work every team, but as I think I've demonstrated, the success rate is quite high. If I back up now and think about the process so far, it's the identification of these people that have this super resilience history and gene.
It's the application of the Sunrise program to start identifying and then ultimately pick a problem that's super valuable using these unique set of questions. What's the next phase? Are these things built in a distinctive way relative to the normal startup that you've observed before? Or is it at that point a standard software?
building exercise it's a standard software building exercise but perfectly done because you start on the end and walk backwards it starts with the end in terms of value what value the customer would like to produce with that piece of software The silence process doesn't end at six months. It's a full simulation of everything you're going to face in the next three or four years as a founder, as a company.
And how do you deal with it? And how do you architect your company in the best way to run as fast as visible in the first three or four years? So if you demo the product and then they didn't take you for product evaluation, why is that? If I tell you, the man from the future tells you that they evaluated the product and didn't buy it, why is that? We use a lot of simulations that assume failure and forces the founders to really analyze the situation, assuming a failure.
and build their company to deal with it. So it's not just about product. It's about go-to-market team. It's about pricing. It's about channel strategy. It's about maybe location of headquarters. Those are many, many elements that are being evaluated, examined during the time of the sunrise. One of the things that is incredibly interesting to me is how you must drive low cost of capital for these companies because of your involvement.
I would imagine you've got all sorts of other investors with deep pockets that desperately would love to sort of blindly fund companies that are partnered with you at seed at the series A or the series B or beyond. How do you help the companies manage their future financing? And how do you think about how aggressive to be on valuation?
how much capital you raise in dilution. This is a really interesting part of what you've built with such a high hit rate. We think a type of start of coinvestors as partners. I don't take them lightly and we are fortunate to have amazing co-investors that have backed repeatedly our portfolio companies and give tons of respect to their contribution and their support of the companies.
Cyberstats can be as great as we like, but there are other smart, capable, knowledgeable people in the world, and we're happy to get their help. So we are definitely in the early days. We are highly involved in fundraising and helping our companies to finance their growth.
My approach is that it is expensive to build important companies. Important companies are typically not cheap. When I hear founders getting advice like, keep down valuations, make sure you don't raise too much money, my approach is your first priority as a CEO.
is to have enough money that you can build the right product, hire the right sales teams. That's expensive. So in order to raise enough money, the valuation should be high as well because no founder would sell 50% of the company in Series A, not in Series B.
So I'm all for raising a lot of money, assuming you've built the right product and you have the right team so you can scale and take on the opportunity. How do you think about pricing at Seed for yourself? What's the right way to think about this? How much variance is there between?
The valuation at which you've tended to enter companies, has that changed a lot since 2018? It almost didn't change in seven years. We typically see two type of deals. So if you like the pricing menu of two items, we see one market for... First time entrepreneurs, people who, that company is the first experience as founders and executives. And then there's a different price, a different market for repeated entrepreneurs. What are those prices roughly? For first time entrepreneurs, we've seen...
see deals that anywhere between the 15 to 20 million dollars post money. And for repeat entrepreneurs, I see a broader range starting from the 40, 50 million dollars range. And sometimes it's going up.
quite crazy you don't mind paying it because of the extra information you have about the founder on a repeat basis i do mind i've passed on deals where the price went crazy And that's what I'm telling entrepreneurs, that their job is to make sure that they are the most important company in each of their investors' portfolio.
Because at the end of the day, they fight for attention and bandwidth and access. And when the investor ownership goes down significantly, it's hard to become the most important company in a portfolio when an investor owns 5% of their cap table. High prices, in my view, are double-edged swords for entrepreneurs at the early stage. How many other places do you think, in addition to cyber...
this method could be applied successfully? Or is there something still in 2025 really distinctive about cyber versus other spaces that make it by far the most fertile ground for applying something like Sunrise? I believe that in any field where there's relatively uniformity of buyers, that's applicable. I would assume it's applicable for fintech, it's applicable for gaming, maybe even applicable for medical devices. But you need a fairly active ecosystem.
not just from end users' perspective, but also from an M&A perspective. That's important as well, because not all your companies would go public. In the past 12 months, we've sold five portfolio companies at cumulative value of $2.5 billion. That's important as well.
How would you rate today's environment for prospective returns? Your returns have been crazy high. Do you think the next five years have the chance for similar returns or have prices made earning those kinds of returns in the market itself much harder?
Achieving amazing returns has always been super hard. It would continue to be hard. But I believe that with everything said earlier about the perfect storm in cybersecurity, the introduction of AI and the way it's going to redefine cybersecurity, I believe that the opportunity is there. obviously the
quality of the talent we see is always getting better. And that's what keeps me so optimistic, just to see the endless stream of smart, eager, hardworking young individuals who are determined to build the next solutions.
Speaking of those individuals, we talked a little bit earlier. I'm just so fascinated by the questions that you ask as you're identifying these people. And I'm thinking to your time with Mike and Doug at Sequoia, again, famous for asking people about their early lives and whole life stories. Are there any other favorite questions that you have to ask people to understand them?
as deeply as possible that we haven't talked about. I always speak with founders about their superpowers. What do they perceive as their superpower? What makes them confident that they can win the game? You speak with a founder.
speak with an individual for a good hour. You've got a fairly good perspective of what you think is their superpower. And it's fascinating to listen to the way they perceive themselves. And I found out that some of the best founders are completely unaware of their superpowers. They are so natural in that. They don't mean to use them. They are just so great at that.
And a superpower can be anything. A superpower can be, you know, simply the type of person that people are dying to be their friend. You don't notice that. You think that that's a gift everyone has. You don't realize that this is your gift and that what paved you the way.
to be successful. In many cases, the superpower they claim they have is not necessarily the real superpower they have, but it shows you the way they view their weaknesses. Because the superpower they are aware of, they pay attention to, they had to develop it. And they had to develop it in compensation for something else.
So that tells you a lot about the person ahead of you. What if you had to answer that question for yourself? First of all, congratulations. You're a fast learner. That's great. A few things, but I would say let's take self-confidence. It's one answer I would give. I'm sure this is something I've developed over time. I wasn't natural in that. It took time. And it was as compensation to a very insecure child that grew up in a small town in Israel that didn't feel...
really appreciated for his talents and didn't feel that he's part of something bigger. And I think only when I was 13 for my bar mitzvah, I got a Commodore 64 computer. That opened up a whole new world for me. i started to get to know people with the same mindset speaking about the 80s i hop on a bus and went to computer geeks gatherings in tel aviv when i was 14 or 15.
And I think that only when I joined the Israeli NSA, when I was 18, I really found out that I'm part of something bigger. I felt that I belonged to that group of people. So it took time to develop that self-confidence. Beforehand, there was always a gap between the way I felt about myself and the type of feedback I got from the people around me. What do you think the hidden superpower is? That's your true number one, but you're not as consciously aware of. My endless hunger.
I'm never happy. I'm never satisfied with whatever I achieve. I always look at the next step. I finish climbing on one peak of the mountain. I immediately look beyond that mountain and look for the next peak to climb. It's very daunting because I tell myself it would be nicer if I could just take a rest and enjoy the view from the peak of the mountain I just climbed. And I find very little satisfaction in that. Where do you find satisfaction? Making impact.
on people that I really care about. The founders I partner with are people that I really care about. My partners at Cyber Starts, Leo, Emily, Ilah, Adam, are people that I care about. Trying to leverage the past 35 years of being in the different sides of cybersecurity.
going through so many different experiences to really make impact on their life. We have the opportunity, given the timing here, to talk about an incredible investment, Wiz, that of course is the item of the news of the last, I don't know, year. in the venture world, an incredible outcome in the acquisition from Google. We won't talk so much about the outcome as the process and your experience and story of working with the company. We've talked a lot in our interview about
why you do what you do, the process by which you found founders, what you look for in them, the process to find product market fit, the Sunrise methodology, et cetera. And here we have the ultimate case study in why these ideas are powerful in combination. So I would love to just hear the story from your perspective. You're right. We is, in many ways, is the front window type of use case for the Cyber Starts recipe for building an important company. And for me...
The wheel story really holds many of the key ingredients for building an important cybersecurity company. I'll talk about a few elements. I hope that I'll do that in the right order. But most importantly, I think it's picking a really important... pain point, and getting to perfect product market fit. If you look at Weez, the four founders, Asaf,
Ami, Roy, Non. I think that the Wiz journey started eight years before founding Wiz in 2012. There was just a bunch of young guys, 27, 28 years old, straight out of the army. Asaf had spent maybe a year with McKinsey, but really inexperienced team. And they started Adelon, a cloud security company. And that journey was quite short. In three years, they sold the business to Microsoft, joined Microsoft.
in 2015 and spent five years at Microsoft building the Microsoft cloud security business, brought it to a decent size of a billion dollars in revenue, and then they left Microsoft in 2020. And at that point in time, They were the most experienced team, in my view, worldwide in running a cloud security business. And they started a company which wasn't called Wiz, it was called Beyond Networks. And they had a very, very different idea.
They thought to go and secure satellite offices with secure one access, et cetera, you know, some sort of a business that never took off. And at Beyond Networks, we looked at the customer feedback and it was an important problem for customers. But it didn't have a very important ingredient, which is it was important. It wasn't urgent. And at the early stage, as much as you like to go after large market size and important pain point, the most important thing in my mind.
is to go after an urgent pain point that generates sense of urgency. And sense of urgency is almost everything you need as a small venture, because that means that things would happen fast for you. You get to more... customer engagements, you learn faster, you improve faster, you'll be able to build your revenue faster. And we didn't have that with the secure one access idea. And the wisdom was smart enough to really pivot.
into a space the new everywhere, which is cloud security, and renamed the company Weez. And we ran our Sunrise program, which is all focused on getting feedback, making sure that we understand the pain point, building the right solution. that mere mortals can use. And three months later, they had a product which would generate a sense of urgency. They spoke with customers and those potential customers, prospects, wanted to bring them in. And then I learned a very important lesson.
about the four customer profiles. When you sell a product, you're going to face four personas. The person that has the pain point, that has the problem, the person who... has the budget to pay for a solution to solve that. The person that has the authority to decide on the product or solution, and the fourth person is the person that would actually use the product. Now, as a startup,
If those four personas map into a single person in real life, that's a mega hit. And that was the case of Wiz. If those four personas are mapped into four real people, there's... One real person that has the problem, one real person that has the budget, one real person that has the authority, and a fourth person that actually used the product, don't do that. Go and pivot.
If you map into two people, that would be a very nice company. If you're mapped into three people, that's a borderline. You may or may not like to pursue that. So for Wiz, it was a single person. It was the CISO. The CISO has the problem that the CISO, the Chief Information Security Officer, had the authority to decide on a cloud security solution. They obviously had the budget. And most importantly, they had the AWS credentials that enabled them to really deploy the product.
So Wiz was able to do something very unique just because all those four personas mapped into one real-life person and Wiz built a really cool technology. They managed to build a product that during the first call with a prospect. They could ask for the AWS credentials and within the call show them real value for their own organization, not in a demo environment. And that really accelerated things for Weez. And in three months, we faced one major dilemma.
We could go for a low entry point price product to get a lot of logos and build with from the ground up, bottom up, or what people in Silicon Valley call PLG. product-led growth or go after very large deals, enterprise deals to begin with, and grow the ARR, the top line. Unlike the common wisdom within Silicon Valley, we decided to go for
the large deals, scrap PLG, and go for real enterprise deals to begin with. We thought that by growing our top-line ARR, we would be better off. We would have real commitment. by highly sophisticated customers we would attract attention from outside investors we would attract attention from
go-to-market talent. And that would enable us to build a significant business. And while we spent the first 12 months building a product, the next four quarters were quite unusual. The company closed a million dollars in ARR in the first quarter of selling the software. $2 million, I think $8 million, and then $25 million in the fourth quarter. It was an incredible company from the moment we actually launched our go-to-market.
those three reasons. Focus on the urgent, not the important. Build a product that has a terrific product market fit for one person, one real person that owns the budget, the authority, and the ability to use the product. And we went and sold that to large organizations at a high price point. Can you say a little bit about how you won such early involvement with a team that was obviously so strong? The ongoing lesson from the stories that have come out since the acquisition news.
is some of the very high multiples, nominal revenue multiples that were paid by subsequent round investors who nonetheless earned an incredible return, even though they paid high multiples. And I'm curious what you learned from watching that dynamic unfold, having been the earliest investor in the business. That actually was an old lesson.
I learned at Sequoia many years ago that the expensive deals, the pricey companies, are pricier from day one. They are always expensive. They are expensive at the seed round, they are expensive at the A round, they are expensive at the B round. The worst reason. for a venture capitalist to pass on an opportunity is for price. Because it's part of those companies' DNA. Pick a company. All of those companies.
were expensive. Airbnb was expensive. Instagram was expensive. So if you're going to pass on an opportunity just because of price, you're going to pass on all the good companies. Yes, Wiz was super expensive to begin with and attracted a lot of attention and became...
the fastest unicorn, the fastest company to go to $100 million, the fastest company to get to $500 million. And this year, when we get to a billion-dollar ARR, it's probably going to be the fastest SaaS company to get to a billion-dollar ARR.
But that's part of the DNA. It's a fast company. Watching that just convinced me that as an investor, a high-priced company is actually a good thing, not a bad thing, if justified. Is there any other novel lesson? I love the three points that drove the success that you outlined.
And I love the idea that the high price thing is an old lesson. Are there any other new lessons that Wiz taught you that are unique to your experience with that specific company? The productivity at Wiz, if you look, was second to none. And when I looked at the number of engineers relative to the number of products and the number of capabilities we delivered annually. It was amazing. And when I look at the way we source engineers, there's always a debate.
How do you pick the best engineers? And who are the best engineers for your business? And I discussed that with Roy Resnick, the VP of R&D of We, is one of the co-founders, one of the four co-founders. And he had a super special way to source engineers. He would not just source smart engineers who has been in good companies beforehand, terrific education, etc. He would source people that their hobby is writing code. He would source people that on a weekend...
assuming they are married and have kids, if they have a couple of hours of quiet time, they would not go reading or watching a Netflix series or listen to music. They would go and write code. Those are the people you like to hire. When you have 100 of these guys, it's like having 300 or 400 terrific engineers. Because you know the rule that a great software developer is probably 10 times better than a good software developer.
But having great software developers, that their hobby, their sole hobby is writing code, that's a force multiplier. And I think we've realized that and capitalized on that. Is the outcome satisfying? I think I told you as part of the interview that I'm never satisfied. Just testing it. The answer is no. And I know that you're going to laugh and say, okay, I really feel that. But again, it's hard to live life twice. I wish I could.
I would A-B test that decision again. But I think it's setting the bar super high to get from zero to $32 billion valuation within... Five years. I didn't check history books, but I guess that's pretty good. But I can think about a few other companies that has the potential, at least, to break that record.
I dare to predict, again, assuming these transactions go through and get approved, et cetera, and that's the real final outcome. My guess is that within 10 years, somebody would break that record. Do you think it can be broken in cybersecurity specifically? Yes. Why? Why do you think that's possible? Just because it's changing and so big? Because you have all the ingredients. You've got the market size. You've got the evolving pain point, fast-moving landscape.
and a lot of talent, a lot of experienced talent, not just on the engineering side, but also on the business side. And I think that you have some experienced investors as well. So I think that you've got the ingredients. Now, luck should be in the mix as well.
And therefore, I think that within the next decade, we would see that record getting achieved and broken by a new player. I think it's very, very feasible. If it happens, I wouldn't be surprised if you're involved from the very earliest stages and if the Sunrise methodology and your approach works again.
I appreciate that. If you think about the stories of resilience that you look for in your founders, it's a nice thing to say. Can you tell me the story of the hardest episode of resilience that you've had to personally go through? Yeah. Before starting CytoStarts, I lost my daughter, my 19-year-old daughter, in a terrible tragedy. And the war just posed for me. And it was very easy to stop everything and focus on the endless pain I felt.
I managed to found the power and the strength to keep on going, build CyberStarts and focus on building that organization and legacy. And that really helped me to continue. live with the pain, but continue to live. How is that possible? Everyone listening, myself included, with children knows that's the single worst thing one could imagine. How is it possible to get beyond something like that?
I think it's very, very difficult to give advice to hopefully nobody has to deal with that tragedy. It's really the most painful thing that you can go through. For myself, I did that instinctively. I didn't spend time to think about it. make a decision i just did it in a way i managed to live with terrible emotions that previously i wouldn't imagine i can contain them and live with them and over time i taught myself to live with the pain not fight the pain
just wait for the pain to ease. And I think that working with younger people on innovation, on solving real-world problems, on building solutions, that's what kept me younger and healthier. I love the message of focusing on young people and building things for others. It seems like your orientation and your satisfaction and your strategy and your search and your work is very other oriented. Anything you would say.
to other investors out there that hear that part of your story and that's the piece that appeals to them most, helping other people and what they build and how they do their work. I really think that there's many ways to become a terrific investor. I don't think there's one canonical way to get there.
By the way, it's not enough just to be first. You also need to be right. That's the difference between an investor and a terrific investor, being right. But again, there are many ways to hell, but there's also more than one way to heaven. My recommendation is to really find your passion and do something that's not just profit generation or work. Do something that's a life project for you when I look at.
Cyber security, cyber security is not an investment area. It's not an area of interest for me. It's a life project. It's really important for me. And I think that's the best thing you can feel about anything you do, that it's super, super important for you. You really care about it. If you think about the future of cyber, what?
challenges, evolutions, things that might happen excites you most or worries you most? I guess both. It's not the way I think about cybersecurity future. I don't keep a category of domains, et cetera. It's a common misconception to think about cybersecurity as a market.
Standalone, there is no cybersecurity market. Cybersecurity is always a derivative of something else, of a new technology or a new business. So if cloud is new, you need cloud security. And if autonomous vehicles are new, you need autonomous vehicle security. Take, for instance, our conversation about AI. AI for short redefines cyber security. It already does it, but you couldn't predict it. So an investor that focuses on cyber security, early stage investment, I'm not.
concerned about figuring out the best, the most important things, opportunities of domain inside the security. I'm confident they will introduce themselves. The same as... cloud introduced itself, IoT security introduced itself, mobile security introduced itself, AI security introduced itself. I'm focused on picking the right talent, picking the right athletes, partnering with them and making sure that you use the right system.
see our conversation on Sunrise to really build solutions that real customers, real users would love. If we do that, everything else would fix itself. It's totally remarkable what you built in a short period of time. I'm sure the CyberStart story is in its infancy in that.
We'll be able to do this in five years and a whole new set of challenges will have arisen, like you said, probably unpredictable. Thank you for doing this with me. When I do these, I always ask the same traditional closing question. What is the kindest thing that anyone's ever done for you? The kindest thing that someone has done for me is a couple of years ago.
My son told me that he spent a lot of time thinking about it, and he realized that I'm his best friend. For me, that was probably the best thing anyone could tell you. It's not just about being a dad, it's the ability to... create this level of trust and emotional connection that makes someone feel that you are his best friend. And when it comes from your son, that's the kindest thing you can hear from anyone. Close to 500 times. I've never heard that answer. These answers tend to cluster.
in a couple of key themes, variants of key themes, three or four. I've never heard that one. With a son of my own, it hits you right in the face. All that must have gone into that thing he told you, really a beautiful, amazing place to close. Gilly, thanks so much for your time. Thank you, Patrick. Really enjoyed it. If you enjoyed this episode, visit joincolossus.com where you'll find every episode of this podcast complete with hand edited transcripts.
You can also subscribe to Colossus Review, our quarterly print, digital and private audio publication featuring in-depth profiles of the founders, investors and companies that we admire most. Learn more at joincolossus.com slash subscribe.