Ever since the dawn of programming, there have been many ways to ensure that code works as intended. Recently, the whole testing process has rapidly evolved. As security breaches have become more sophisticated, software validation has become a more urgent and much more complex task.
“Everyone has a different, evolving approach,” said Alter Memmis, CEO of Picus Security. “The ultimate goal is to create a connection between them.”
Even if figuring out what the Holy Grail looks like is half the challenge of finding it, Picus believes he is well on his way to eternal happiness. The startup's platform runs a continuous validation process to root out and fix inconsistencies in the code and other network activities. Now, after gaining over 500 enterprise customers and simulating nearly 1 billion cyber attacks for companies like Mastercard, Visa, Vodafone, and banking giant ING, the company has raised $45 million in a Series C round to scale.
Prolific corporate investor Riverwood Capital led the investment, with previous backer Earlybird Digital East Fund also participating.
Picus has raised $80 million to date and has not disclosed its valuation, but it was valued at $94 million post-money when it last raised funds from investors in 2022 (a round that included Mastercard), according to Pitchbook data. Since then, the company has grown to 200 employees and tripled revenue, with key markets in the Americas leading the way. For more context, Picus competitor Simulate was last valued at $440 million.
Memis came up with the idea for Picas Security together with Volkan Erturk (the company's chief technology officer) and Dr. Süleyman Özalslan (VP of Picas Labs, the research arm of Picas). The three were friends since they studied mathematics at university, and each went in a different direction through their studies: Memis focused on business and finance, Erturk applied his mathematical talents to cyber defense, and Özalslan became an academic. They kept in touch, and one day in 2013, they got together to talk.
“We liked to exchange ideas about what the next big thing would be,” Memis said. Ertürk recalled a time when he was advising on a large-scale cyber project that had seemingly been configured correctly, but the organization was breached just a month later. Özalslan suggested that the only way to truly defend a non-static system is to test it constantly; otherwise, constantly sending code and data would result in parameters changing frequently. This is where Memis' expertise also came in handy: In the world of finance, simulations are constantly run to determine what the outcome of any action would be.
The company they founded, Picus, was one of the first in the space to focus on the idea of continuous validation and simulation testing. But because they were based in Turkey and started as early as 2013, the startup was moving against the flow of time. Back then, cybersecurity wasn't as big a market as it is today. Outside funding wasn't readily available, so Picus bootstrapped itself for the first five years of its existence while it tried to figure out how best to scale and automate its technology and prove its idea to the market.
Picus eventually relocated to San Francisco, and as security became even more of a nightmare for the organization, the idea caught on.
One of Picus' unique selling points is that it's built to address the fragmentation that's part of today's enterprise IT market. The company says it integrates with about 80 other major security partners, which feed alerts and other activity into Picus' platform. Its solution incorporates automated penetration testing, breach and attack simulations, and rule validation checks across different silos to investigate activity within a specific tool and better understand how activity in one silo relates to what's happening elsewhere. Security teams can monitor all of this from a single dashboard.
Investors were impressed by the company's acceptance that there will be proprietary systems and tools on the network, but its open approach to interacting with them.
“By taking a fresh, open approach to managing continuous threat exposure, Picus' platform empowers organizations to better understand their cyber risks and take proactive action against bad actors,” said Joe de Pinho, partner at Riverwood Capital, in a statement. “The combination of automated pentesting and continuous validation is not only a game-changer today, but it also lays the foundation for how companies protect themselves in the future.” De Pinho will join the board of directors with this round.