Welcome Spring 2020 Cohort

We are proud to announce the start of MACH37's Spring 2020 Cohort, featuring several companies from across the US and around the world addressing some of the biggest challenges in the cybersecurity industry with their innovative solutions. Over the next few months, our teams will work with mentors, attend workshops, and validate their solutions to take their companies to the next level. This experience will provide our teams with the valuable insights and connections needed to tackle the cyber challenges the world faces today and GET LAUNCHED!

Atomicorp - Mach37 Alumnae Interview with Michael Shinn

Michael Shinn, Atomicorp CEO

What opportunity did you recognize that led to the founding of Atomicorp?

Michael Shinn: The security industry was being challenged by the widespread migration to the cloud and cloud-based technologies. To me, it seemed like a classic second mover opportunity caused by a fairly disruptive change to the market. A lot of the existing cybersecurity solutions either couldn’t be used in these cloud environments -- appliances for example -- or they didn’t provide the right value to the customer. The products weren’t designed for that world. They were being bolted on and the customers weren’t happy. We saw this as an opportunity to apply some unique technology and solve the cybersecurity problems in a cloud-friendly way.

What specific value does addressing that problem provide for your customers?

Shinn: The value that customers have shared with us is a dramatic reduction in operating cost. We have been told 80% and the number has been shared with us repeatedly. That 80% is based on the fact that there are fewer security incidents they must address after installing Atomicorp. That seems like the obvious place to look for benefits for a security solution. The non-obvious benefit is the reduced dev ops costs because they don’t have to patch their systems so frequently. That has enabled dev ops to do their work without having to go through a lot of security gates.

Why aren’t current solutions addressing this problem effectively?

Shinn: For the traditional players what seems to be happening is this move to the cloud doesn’t work with their current business models. That is a substantial problem. When I talk with my peers at these companies, they are frustrated that their attempts to build cloud-based solutions have not gone well within their organizations in terms of culture, sales model, accounting and product. Cloud platforms are extremely heterogeneous. Solutions are sold by the hour. It’s not a traditional IT environment where you control the network and all of the components. The attack surface is completely different and more dynamic in a cloud environment than an on-prem environment. The problems are different. The solutions need to be different. It’s a more challenging environment for traditional cybersecurity companies to build products and more challenging to operate their business because they need to reinvent how they operate. Something as simple as how do you account for revenue in this new model when you are accustomed to selling enterprise licenses is an issue.

For the customers, the problem is exasperated by the fact that a lot of the security products are built for security experts which doesn’t help their dev ops teams. That is not what they are looking for. They need products that are easy for non-experts to use.

What makes your approach different and better from existing approaches?

Shinn: Atomicorp products are built for cloud environments from the ground up and they are designed to be easy to use.

What about your team’s background puts you in a unique position to succeed?

Shinn: Scott and I founded Plesk in 1999 which invented a lot of the technologies that cloud providers rely on today. So we have an intimate knowledge of the technologies that make cloud possible. After we sold that company, we put a lot of thought into what we were going to do next. The idea for this company came from what we learned building those products and serving those customers. The Atomicorp product was built from experience and designed specifically for cloud providers.

You just announced a $1 million seed round. What do you plan to do with the proceeds?

Shinn: Customer acquisition and product enhancements. Priority one through five is introducing more customers to Atomicorp. We have a proven product and a lot of customers, but we are looking to introduce Atomicorp to more.

What are some of the milestones you have passed since graduating from Mach37?

Shinn:

  • We have now earned more than we have spent
  • We crossed the 1,000 customer mark.
  • We have made some key executive hires such as VP of Sales.

 

You already had a product and customers when you entered the Mach37 program. What made Mach37 a good choice for you even though you already had some business momentum and customer traction?

Shinn: The robustness of the educational program was tremendous. That education would cost a lot of money. It is unlikely that a startup could afford it. The Mach37 program is like a compressed MBA and it is tailored to your needs. It is not abstract learning. It is deliverable based. You need to develop your messaging. You have to put together a budget, recruit people and build a real business. Doing that while you are in the program is priceless. I’m not sure there is an MBA on earth that does that.

Secondarily, I would point out the relationships. Mach37 has done a wonderful job introducing us to good hires, advisors, investors, and service providers. It’s a very good network. Finally, it’s a very supportive environment. Building a business is hard work. They are good coaches.

Learn more about Atomicorp here.

Cyber Algorithms Acquired By Thycotic

Earlier this month, we announced the acquisition of Cyber Algorithms by Thycotic. Given this is the first exit from the Mach37 portfolio, I wanted to take a few minutes to reflect on its significance to us and our investment strategy.

Mach37’s investment in Cyber Algorithms is a perfect example of our unapologetic bias toward investing in technical founders who embody world-class cybersecurity talent. As I articulated in my July 30, 2014 blog, Why Mach37 Loves the Hacker Community,

“the dirty little secret in start-updom is that while it can take years of technical and analytical experience to inspire truly disruptive security innovation, technical founders can buy, borrow, partner with or be taught the second set of target skills within a few months.”

When we first met Tim Brennan, we knew immediately he had that world-class talent. Together, Tim and his co-founder Josiah Smith could deliver their advanced capabilities to address a large-scale problem.

Tim and Josiah did an incredible job of conceiving, developing, and validating a security analytic product from concept through acquisition. And, for them, getting it done didn’t mean they needed millions in investment capital and a large team of executives. Rather, they diligently embedded an advanced capability into a software product and engaged their target market to demonstrate product-market fit. By executing basic blocking and tackling, good things came to them – very quickly.

Thycotic is one of the most promising and rapidly growing strategic acquirors of cybersecurity capabilities in our region and we are excited that Cyber Algorithms has become part of their team. Congratulations Tim and Josiah.

Cyph: Mach37 Alumnae Interview with Ryan Lester and Josh Boehm

Ryan Lester and Josh Boehm, Cyph Co-Founders

What opportunity did you recognize that led to the founding of Cyph?

Ryan Lester & Josh Boehm: Back in AIM's heyday, the two of us would often chat online using Pidgin with the OTR plugin (the end-to-end encryption setup du jour). This wasn't because we'd had any particular need for that level of privacy, but more because it seemed cool and made us feel like secret agents.

However, as "cool" as OTR seemed to us, we couldn't get any of our other friends to start using it with us; it was just too much of a pain to download and set up a new application, install some third-party plugin, generate a key pair, verify friends' public keys, learn enough crypto 101 to even understand what public key authentication meant/was/did, etc.

Years later, we were working at SpaceX together, where we repeatedly witnessed firsthand the critical need to protect trade secrets from powerful adversaries and to keep strict compliance with export controls such as ITAR. During this time, Edward Snowden's leaks about the NSA's extensive digital surveillance programs also came to light.

Instantly, it clicked for us that both business and consumer contexts faced an urgent unmet need for truly private communication. There were some tools and methods that existed, but from experience we'd learned that they would largely remain unadopted without a user experience that equalled or surpassed existing non-secure communication solutions.

What specific value does addressing that problem provide for your customers?

Lester and Boehm: We have no doubt that people want more security and privacy when it comes to their communication and data online — just not if it comes at the cost of their convenience or has a learning curve to it. By addressing this and making user experience second only to application security in our priorities, Cyph is making cutting-edge quantum-resistant cryptography more accessible and easier to use than ever before.

Instead of the traditional painful user experience, you don't need to force anyone to sign up or install some software to communicate with them. When someone doesn't already have a Cyph account, you can simply send them a link which will work on any device with a modern web browser.

On that note, the browser turned out to be a very interesting technical challenge for us. Due to the plethora of attack vectors which entirely undermine the security of web applications within the context of our threat model, initially it seemed like we wouldn't be able to offer our desired UX (in good conscience, anyway) — which brings us to our next answer...

Why aren’t current solutions addressing this problem effectively?

Lester & Boehm: Before our talks at Black Hat 2016 and DEF CON 24 on the research that went into Cyph — more specifically on something we call WebSign — providing code signing (a standard practice in native apps, and an absolute prerequisite to secure communication) within a web application was considered by the security industry at large to be literally impossible. Given that we had to invent the solution to this daunting technical problem, it isn't surprising that we're the first to address it effectively.

Going forward, WebSign is an advantage that we'll most likely retain uniquely to Cyph, as we have a patent pending on the technology.

What makes your approach different and better from existing approaches?

Lester & Boehm: First, as implied in our previous comment, Cyph is the only secure communication tool in the world that can run as a web app. This may sound minor, but it actually makes a huge impact on the user experience. Most people don't want to have to download and install new software for something as simple as sending a text message or joining a video call — particularly your non-technical friends who may not fully understand your frenzied rants about NSA spying. To get started with Cyph, they can just click a link.

Second, Cyph is one of a tiny handful of solutions that are remotely trustworthy for secure communication -- the other major one being Signal by Open Whisper Systems -- among which Cyph is the only one to attempt to protect present-day communication from theoretical future quantum computing attacks. This may actually kind of matter, given the NSA's recent announcement.

What about your team’s background puts you in a unique position to succeed?

Lester & Boehm: The two of us have worked together and known each other for the last 20 years or so. We know our strong suits and shortcomings, and each complement the other's. We've worked on numerous cool projects and jobs together, but what generally defines our ethos to most people is the time we spent leading Software Quality Assurance at Elon Musk's SpaceX (occasionally working on the same code with Tesla Motors). It was our responsibility to ensure that all of our internal software was free of bugs, defects, and vulnerabilities; downtime could potentially cost the company millions.

While our team was understaffed and we were overworked, our experience with SpaceX and Tesla was invaluable preparation for running a successful software product. We gained experience working directly with their CIOs, and of course with some of the brightest programmers in the world. While SpaceX was a large company, it retained a startup feel with open offices, flat reporting structures, and people "wearing many hats"; the whole environment was like a pressure cooker for entrepreneurship.

Plus, we've noticed that saying you've worked with Elon tends to open a few doors. :)

What are some of the milestones you have passed since graduating from Mach37's fall 2014 cohort?

Lester & Boehm:

  • We closed our $500k seed funding round last fall, with the lead investors being Goel Fund and Mach37's former parent company CIT
  • We're now working to monetize on the enterprise side, while keeping Cyph completely free for individual end users
  • We had an extremely positive code audit report from the pentesting firm Cure53: "Cyph provides security from a broad range of cryptographic attacks and very strong client-side crypto. The general conclusion of the test is that no major issues in regards to application security or cryptographic implementations could be spotted in spite of a thorough audit."
  • As mentioned, we recently gave a successful talk at Black Hat and DEF CON (the two largest hacker conferences in the world)

What one aspect of the Mach37 programs did you personally find most beneficial?

Lester & Boehm: Coming from pure software engineering backgrounds, Mach37 helped immensely in spinning us up on how to run a real startup -- ("real" in the sense of being a full-time venture with external stakeholders and financial targets, rather than just a side project). A large portion of Mach37's three-month program focuses on quickly getting founders up to speed on material you would expect to see in an MBA program — particularly as it pertains to startups, fundraising, and the cybersecurity industry.

What question should we have asked but didn't?

Lester & Boehm: "How are you going to make money?"

First of all, if you're an individual (i.e. not using Cyph for business purposes), access to the core product will always be free. People aren't used to paying to talk to their friends and family, nor do we believe they should have to just to ensure basic privacy. While we may eventually offer a premium tier for users who want to support us, something like that would only grant access to non-essential bonus features. The free tier of Cyph will never be less capable than paid options when it comes to privacy or security.

The money comes in from licensing our software to businesses and government, either to protect their internal communications or to allow for easy secure channels to their customers/clients. One of the first industries that we've noticed crying out for an answer is the telehealth space. By law their communication needs to meet HIPAA standards and yet for many older patients the solution for that must be easy to use and absolutely intuitive.

However, the biggest opportunity may very well turn out to not even be Cyph itself, but rather licensing out WebSign for entirely separate use cases. The potential utility of "secure websites" (in-browser code signing) is almost certainly broader than our narrow focus on end-to-end encrypted communication.

Learn more about Cyph here.

Guest Blog by Michael Wellman: Virgil Security’s $4 Million Series A Round Is About More Than Just Fundraising

Michael Wellman and Dmitry Dain, founders of Virgil Security

Last month, DCInno’s Eric Hal Schwartz, in his DC's Cybersecurity Startup Scene Is Hot. Can It Get Hotter? article gave Virgil Security (and MACH37) the following shout out:

If venture investors are on fire for cybersecurity opportunities, a group of D.C.-based accelerators are cropping up to supply the fuel. MACH37 graduates around half a dozen startups from its program twice a year, with notable successes like Virgil Security, which partnered with Twilio, one of the fastest-growing cloud computing companies around, in April.

Last week, Virgil Security closed a $4 million Series A investment. I’ve long contended that funding news isn’t really news, but what makes it interesting this time is that we’re a MACH37 company – the first MACH37 company to close a Series A round. And that is news! Let me explain why…

Our lead investor was KEC Ventures out of NYC. Other institutional investors included Charge Ventures in NYC, Bloomberg Beta out of San Francisco, Sparkland Capital from both Silicon Valley and China, plus NextGen Venture Partners which, while originally DC-based, now has a national footprint. Notable individual investors included Ray Rothrock and Matt Grimm. Ray Rothrock is practically the godfather of West Coast cybersecurity investing; he led the Series A and Series B investments in PGP Corporation back in the day, and, more recently, led the Series A investments in CloudFlare. Matt Grimm was, until recently, a partner at the San Francisco-based Mithril Capital Management. Our ability to draw national and international funding to a Northern Virginia startup further validates Virginia’s investment-driven model for economic development. The combined vision of former CIT leader Pete Jobse, Delegate Tag Greason, and the Northern Virginia Technology Council (NVTC), plus the sustained support offered by Governor Terry McAuliffe, Virginia’s Secretary of Technology Karen Jackson, and the Center for Innovative Technology (CIT) brought MACH37 into existence. Without the opportunity that MACH37 provided us to distill our underlying business case, Virgil Security would potentially simply not exist today. Because of all of their efforts, the $50,000 that MACH37 invested in Virgil in the fall of 2014 just drew 80 times that in private investment – with most of it coming from outside the DC area but with much of it to be spent in the DC area!

Our ability to draw this investment into the greater DC area also helps demonstrate that Virginia’s recent focus on cybersecurity is aligned with the future we need to create. And we’re trying hard to do our part. Our mission at Virgil Security is to #SecureTheFuture. For Virgil, that means ensuring that the future is cryptographically secure, but, for all of us, that means ensuring that the future is economically secure. To help further both goals, Virgil Security is working with the University of Virginia’s College at Wise to create a curriculum which will better enable Virginia graduates to find and fill the tens of thousands of unfilled cybersecurity jobs in Virginia, the hundreds of thousands in the United States, and the million plus around the world. So, while funding news isn’t normally news, I think this particular bit of funding news represents something bigger. And in our view, it’s a story worth sharing.

- Michael W. Wellman

Virgil Security Raises a $4 Million Series A

Virgil Security Co-founders Michael Wellman (left) and Dmitry Dain (right) Ring the Mach37 Bell to Celebrate Reaching Escape Velocity; Rick Gordon Joins In the Celebration

On October 7th, Virgil Security closed a $4 million Series A investment, led by KEC Ventures. KEC is a venture firm founded by Jeff Citron, who also founded Island ECN, Datek Online and Vonage. For those of you who are close to Mach37, you know I have been promising for many months that we have several companies ready for Series A investment. Virgil was one of them.

As I thought about using this blog to crow about our investment strategy (we actually hunted for a company that offers easy-to-implement encryption infrastructure) or in some way hype-up just how smart we are at Mach37, a conversation I had last week caused me to think better of it. Virgil’s CEO Michael Wellman offered the key insight. As I was verbally high-fiving Michael, he took a characteristically humble look at the company's journey so far and remarked:

“You know Rick, it used to be that if you worked hard, had talent, OR got lucky, you could make it to the NFL (National Football League).  These days, to make it you need to work hard, have talent AND get lucky to even have a chance.”

And, so it is with technology start-ups. The hidden truth is that entrepreneurs can have talent, make every right decision, and work their butts off, but if serendipity does not smile the company will fail.

In the case of Virgil, I can point to a handful of inflection points that relied heavily on just being in the right place at the right time. I can say the same for Invincea and Lookingglass, two companies I was intimately involved with during their early struggles that have since achieved similar inflection points. However, the truth is that all of these companies still have additional milestones to achieve before any of us can declare victory.

So, instead of trying to convince you that the Mach37 team is smarter than we really are, I’ll just say that we feel really fortunate to have had the opportunity to invest early in Virgil. It is a company that has the world class talent and drive required to be successful AND was able to create the necessary luck along the way to close its Series A.
