Announcing Series C Growth Investment: From the Pioneer of Breach and Attack Simulation to Adversarial Exposure Validation Leader

Today is an important milestone for Picus Security. We’ve closed our Series C investment round, validating the hard work of our Picusers and recognizing our leadership position in the critical new category of Adversarial Exposure Validation, the new cornerstone of Exposure Management.

Several years ago, we embarked on the journey to pioneer a new security category: Breach and Attack Simulation. From there, we have pushed the limits, evolved BAS for our customers, and added Automated Penetration Testing and Detection Rule Validation to our suite of capabilities. Now, we are excited to lead Adversarial Exposure Validation and work toward building an ecosystem that offers a comprehensive Exposure Management solution.

More Data, But Not More Secure

The cybersecurity industry, once in its adolescence, is maturing into the next era of security AI, increased automation, and technological self-awareness. This next phase of security is marked by acceleration, transforming how adversaries operate and broadening the attack surface - making it more difficult to protect organizations. Vulnerability management alone is no longer enough to handle the pace of change, and today, organizations are facing three major threat areas:

• The exponentially expanding attack surface: No longer confined to port and protocol, each connected device or log-in credential is now a potential attacker’s entry point. Migration to the cloud, more remote workers and devices, and a steady stream of new applications offer adversaries many new ways to infiltrate systems. As you build more complex systems, your attack surface grows too, creating an overwhelming volume of vulnerabilities that security teams are incapable of sifting through. At the same time, our time to respond to incidents is shrinking.
• Legacy prioritization is not enough: Scoring vulnerabilities was once a clear way to fix the biggest risk first. CVSS scores and EPSS scores provide rankings but do not consider intelligence from other toolsets or context from critical business units.  In addition, many vulnerabilities may be theoretical due to deployed compensating controls, or lack of context.  While vulnerability scoring does provide some prioritization, it does not shorten the length of your team’s to-do list.  Essentially, traditional approaches are flawed and fail to consider the organization’s context.
  
• Automation and AI are increasing the speed: Attackers are moving faster than ever. In the past, they could linger in systems for months or years before acting. Today, they are working more quickly and stealthily, leveraging AI and automation. 
  

Each of these challenges is related to one another. Over the years, organizations have invested in several tools to manage their attack surface. In addition to Vulnerability Management tools, they deploy EASM, BAS, PTA, and CAASM-like offerings in an attempt to address these problems. These technologies help organizations with some visibility, yet multiply the workload of security practitioners by introducing reporting and prioritization complications due to the islands of information inherent in stand-alone toolsets.

How cybersecurity teams build their ecosystem, connect their data, and enable timely remediation are more important than ever.

Exposure Validation: A Cornerstone of Exposure Management

As detection and response capabilities have become a mainstay in the cybersecurity tech stack, it was known that perimeter security was no longer enough. Teams rightfully embraced Zero Trust, and knew it was not if, but when, a breach would occur. We have found that this continues to be true, even with added defenses. As a community, cybersecurity is taking the stance that we must “assume breach,” and validate our own defenses regularly. The time has come to challenge what we think we know, and assume we are not protecting it all. 

A single platform for cybersecurity seems like a distant dream, but an ecosystem where different cybersecurity data and technologies work together to provide a better outcome for organizations is within our reach. At Picus, we believe in a future where you can bring your exposure data together in one open platform that integrates with best-of-breed technologies. To achieve this future we’re partnering to bring validation to technologies focusing on Continuous Threat Exposure Management (CTEM).  

Addressing key challenges in recent cybersecurity frameworks is a priority for the Picus team. As we build to bring new capabilities to market, we’re guided by the following tenants:

• Combine and correlate exposure data: Continuously bringing together all exposures (such as vulnerabilities and misconfigurations) is a critical starting point we cannot ignore. Vulnerabilities can often look different to different tools. Bringing them together so you can deduplicate, normalize, and correlate exposures will improve operational efficiency.  By leveraging integrations and automation we can start making the attack surface less overwhelming and more manageable.
• Validate and Prioritize Continuously: Consolidated exposures can now be prioritized based on severity, asset criticality, likelihood of exploitation and the context of security controls. In addition to severity-based prioritization, teams must incorporate exposure validation (such as, compensating control effectiveness and attack paths) to shrink down the to-do list — this leaves only the biggest issues remaining which must be addressed in real-time. This should also be done continuously as part of your exposure management program rather than as a linear next step.
• Streamlined Remediation: Once you’ve identified the most material risks to the organization, modern tools must give teams clear next steps for mobilizing fixes whether via remediation or compensating controls. With integrations and tools that automate the heavy lifting, teams can address vulnerabilities faster.
  

Closing Thoughts

Together with co-founders Volkan Ertürk and ​​Süleyman Özarslan, we set out to address a critical gap in the cybersecurity market. In the summer of 2012, Volkan was advising a company that suffered a data breach after a substantial security investment. Volkan had a realization – cybersecurity is based on the premise that services will offer protection; however, complexity requires a new approach. Volkan, ​​Süleyman, and I knew we wanted to address the influx of new threats, and so, Picus was born. 

Today, we are a globally connected team of innovation drivers building for the future with purpose, perseverance, and pride. We set our sights on the future as we share our Series C announcement. This funding round marks a significant milestone in our journey, and the beginning of our next phase. The creation of the Adversarial Exposure Management category stems from the widespread understanding of cybersecurity and the need for a new framework for managing cybersecurity risk in enterprise organizations, Continuous Threat and Exposure Management (CTEM). CTEM has given rise to an offensive view of cybersecurity, which we believe deserves acknowledgment.

We have sought out – and will continue looking for top-tier talent and investing in our Picus team members. With this week’s milestone, there is no better time to get on board. Our success is entirely a team effort, and we take pride in working tirelessly to protect our customers around the world. 

At Picus, we shed light on the unknown. We help organizations navigate the complexities of cybersecurity by demystifying uncertainties and making them manageable. Our Series C funding is a testament to our investors' confidence in our team’s vision for the future. We’re proud to be continuously innovating, pioneering the growth of cybersecurity defenses, and will continue to lead the market in exposure management capabilities to be a light for cybersecurity teams when all other lights go out.

CEO & Co-founder, Picus Security