Sometimes the most successful startup ideas come from people building tools to solve their own needs. That was the case with security expert Dafydd Stuttard, better known as Daf.
Nearly 20 years ago, Daf, who lived in Knutsford, a small market town in Cheshire, northwest England, worked as a security consultant for a variety of clients.
Meanwhile, he was also building apps he could use himself to speed up routine parts of his work. He gave each tool a random name and used one for a while before moving on to another. Sometimes he would talk about the tool to others in the community, thinking they might find it useful. (Daf already had a reputation in the security community as an ethical hacker and author, so he had a receptive audience.)
One day, one of the pieces he shared with others was a tool he'd written to aid in penetration testing (named Burp, for no particular reason). The tool quickly became popular, and Daf decided to see how far he could take it.
Fast forward to today and we can see the fruits of Daf’s intuition about the value of tools.
Burp, now called Burp Suite, is the centerpiece of a drinking-themed startup called PortSwigger, which claims more than 20,000 organizations in over 170 countries, with 80,000 individuals and more than 1,000 companies and organizations using its paid enterprise version (companies include Microsoft, Amazon, FedEx, and Salesforce). Another business under PortSwigger, an education platform called Web Security Academy, has more than 1 million users, and the company now has dozens of employees beyond Daf himself.
The 17-year-old PortSwigger has been bootstrapped and profitable since its inception. Now, for the first time, Daf has decided to take on a significant amount of outside investment – $112 million – to take the company to the next level, with US-based Brighton Park Capital as the sole investor.
“To achieve our ambitions, we need more expertise,” Mr. Stuttard said in an interview. “The market is getting bigger and more complex, and our clients' needs are growing.”
“But capital wasn't the biggest driver, because we're cash-flow positive and we're very picky about the companies we work with,” he continued. This interest came not just from investors, but from potential acquirers as well.
Part of the company's success is down to Daf's own reputation and the fact that he is relatively accessible.
(“Daffyd Stuttard @portswigger emailed me today in response to a question about burp extenders,” one user once commented on Twitter, the platform now known as X. “I feel like God sent me this.”)
But its rise has come at a time when cybersecurity has become even more important.
The security landscape is vast, complex and rapidly evolving, crowded with vendor point solutions, because breaches and vulnerabilities are growing at record rates and causing more damage than ever before. The introduction of AI is changing that landscape further, creating more applications and more approaches to address it.
But one thing that remains consistent throughout is the role of individuals with deep expertise: ethical hackers and human testers continue to play a vital role in identifying and fixing problems.
But these individuals need help and tools, and that's where companies like PortSwigger come in.
Other companies, such as HackerOne and Bugcrowd, are looking to productize the role of the individual white-hat hacker in security efforts. Daf points out that these companies aren't competitors of PortSwigger; they're partnered, and his startup provides tools to these and similar platforms that are then used by their users.
In the long term, it will be interesting to see how new technologies and architectures affect the role of individuals in addressing and solving security problems.
You might think that new innovations like AI could pose a threat in that regard, but that's not the case, at least not yet. Daf points out that there are many repetitive actions that a penetration tester may perform that could be improved through automation.
The company's sole investor agrees.
“Even with increased automation, we believe there will still be a need for penetration testers,” Brighton Park partner Tim Draeger said in an interview. “The experts understand that very well: the attack surface has expanded significantly, with APIs becoming a prime target, but when you add to that a shortage of cyber professionals with deep expertise, you need tools that enable the people who know what to do to do their job more efficiently. We see this as a key area for growth. PortSwigger gives them super powers.”