Building a cybersecurity startup from scratch

If you plan to build your own cybersecurity startup, you know it’s a risk. But launching a startup in any industry comes with a reasonable level of risk – and if you know you’ve got a solution or product that adds real value to the market, it’s worth taking the leap and giving yourself a chance. 

At Black Hat MEA 2022 Mazin Ahmed (Founder and CTO at FullHunt.io) offered his experience to the audience in an ‘ask me anything’ session. Ahmed started working in security nearly a decade ago, as a bounty hunter – and he found vulnerabilities in major tech organisations including Yahoo, Facebook, Twitter, LinkedIn, and even the US Department of Defence. He then moved to penetration testing, followed by security engineering – and in 2021 he went all in and dedicated himself to building his startup. 

Ahmed shared his experience – including his mistakes – with refreshing honesty; and left us feeling inspired to pursue those ideas that just won’t stop humming in the back of our minds. 

Here are just a few of the questions he covered. 

How do I find a CTO for my startup? 

“It’s quite hard,” Ahmed said, with candour. Because finding the right CTO is different for every startup – with variables including the founder’s skillset (are you a technical person, and do you want to be the CTO for your own company?) and the type of project or product that the startup is focused on.

If you’re searching for an external candidate to take up the position of CTO, consider whether they’ve led a company before, or whether they were building tech stacks similar to the stacks you’re building. 

In short, be clear about whether they have a track record of success in the specific kind of work you’ll be asking them to do – or will they be bringing transferable skills from other projects? 

How did you have the courage to start a startup in 2021?

Ahmed conceded that 2021 was a very complicated year to launch a new business. “It was hard. It wasn’t easy at all. At that time, you couldn’t know what would happen – it was a risk.” 

But although the COVID-19 pandemic and all its associated restrictions created new challenges for business founders, he pointed out that establishing a startup is always a risk. 

One reason for that is that “it’s really hard to start a startup without funding, and it’s really hard to get funding without a product – it’s a catch 22.” 

“I had been working in security for a long time and trying to build different things in my previous company. And I thought maybe it’s time to solve this problem,” creating a holistic solution for attack surface management.

“After that, I started to build it. I used all of the savings that I had to do that.” 

And while Ahmed acknowledged it was a big risk, his perspective is that if you really want to build a business then the risk is worth it. You’ll either build something successful or you won’t – and even if you don’t, you’ll learn something valuable that you can take with you into the future. 

How hard is it to get MEA customers, competing with big, well-funded companies?

“It is hard. One thing I can see in building a startup here is that it’s way harder to build a B2B business…maybe you spend 6 months trying to close a project and at the end of that you figure out you’ve been wasting 6 months worth of emails and meetings and Zooms.”

“But being here has taught me a lot. There is a lot of potential in the market,” but often customers are looking for the cheapest possible solutions while still maintaining high expectations that their vendors will provide an excellent service and/or product.

So while the regional market holds large investment opportunities and the potential for rapid growth, Ahmed advised taking a bigger picture view: “Maybe the best approach is not to focus on a single market, but to focus globally.” 

If you find that your startup begins to gain real traction in one region, you can shift your focus there – but if not, your success doesn’t rest on that single market. 

If you had to start all over again, what would your process look like? 

To answer this question, Ahmed pointed out that he did start all over again – and the process through which he has built FullHunt has been very successful. He actually founded the company in 2017.

At that time, “I didn’t know how to build a startup,” he said. “I knew how to write code, I knew how to ship things and get people to use it and like it, but building a product is different from building a startup.” 

So when he refocused on the company in 2021, he started by listing out every single challenge he’d been observing in the market, and considering how he could solve those challenges. 

Then: 

• First, find the business use case. Why would someone choose my product instead of choosing someone else’s product? What value is my product bringing, compared to other products?
• Then make the user experience as smooth as possible and make the product as easy and approachable as possible.
• And then develop your strategy (a realistic, actionable strategy) for building out the product.

Ahmed self-funded his startup. “I could have waited another year or two for funding, and in that time I may or may not secure funding, and I may not even start.” 

So he started working extra projects for other companies, increasing his income – and using that to fund the company. He started solo, handling everything from building a product and business model to managing the project – and waited until the point at which he was able to start hiring a team. 

“Start, start, and start. If it doesn’t work, iterate and build it and reach a place where it’s working.” 

And finally, don’t focus too much on gathering certifications from expensive cybersecurity training courses. If you dream of launching your own cybersecurity startup, what you really need is experience. 

“Focus on getting the actual knowledge and trying to apply it, instead of focusing on getting a certification and having it on your LinkedIn profile.” 

What’s truly important is the ability to use your knowledge and skill in a real work environment – and then you can bring that experience into your own business, and build credibility in your market.