Why We Invested in Eclypsium
One interesting dimension of the widely acknowledged adage that “software is eating the world” (originally voiced by Marc Andreessen of existing Eclypsium investor Andreessen Horowitz in 2011) is how it has evolved into today’s componentized, interdependent, and continuously shipping software ecosystem. This ecosystem is highly complex, an arrangement offering ever-increased speed and efficiency – but at the same time introducing new vulnerabilities compared with previously controlled and isolated environments. Because of this, one of the most significant potential attack vectors for companies today is caused not by an error in their own security stack but by a dependency and “pass-through” vulnerability via someone they have partnered with. While it can result from what seems to be a small “hole” in the entire stack, the potential for damage can be catastrophic: one of the most famous examples in the last few years is the SolarWinds attack in 2020. So while it is true software has eaten the world, it has left behind an opposing force – if you will, a massive stomachache. And a big part of the root cause of this pain is an insecure technology supply chain.
This complex and growing attack vector occurs when malicious actors compromise hardware and software other companies use or purchase. Malicious actors can also act against a particular kind of software called firmware. This code controls a device’s low-level hardware functions and is increasingly important in a “smart device” world, controlling our medical devices, critical infrastructure, transportation, satellite, and many other technologies. If a supply chain attack compromises firmware, a device can be vulnerable as soon as it is built – and at risk every time it updates. For enterprises, laptops, desktops, notebooks, tablets, servers, and network devices are at constant risk. From our vantage as longtime cybersecurity entrepreneurs and investors, this is a substantial and growing problem in the cybersecurity landscape and has not been adequately addressed by legacy technology from incumbent vendors.
That is why we are thrilled to announce our newest investment in Eclypsium. At a time when an answer to the growing problem of insecure devices via firmware attacks is desperately needed, Eclypsium is solving the problem with a targeted approach that offers a better answer to protecting and ensuring the safety of the software supply chain. The company is also a global leader in supply chain threat intelligence and research, continuously identifying major supply chain vulnerabilities in firmware and devices, giving the company a large advantage as the partner of choice to enterprises needing to stay on the cutting edge of potential attacks.
Without Eclypsium, most companies can only attempt to track their device inventory and firmware versions manually. They have no way of comprehensively understanding the exposure they face from potential malware inserted via supply chain attacks in their devices’ firmware. Companies using Eclypsium save time and money, are more secure with an expert source of truth on their potential risk, and can use Eclypsium’s platform to fortify any vulnerabilities.
The Eclypsium team has the right experience to operate across all layers of the impacted ecosystem, developing impactful and easy-to-use solutions. Founder Yuriy Bulygin comes from Intel, where he saw the implications of supply chain and firmware attacks firsthand as Chief Threat Researcher and Senior Principal Engineer. Before founding Eclypsium, Yuriy founded and was a lead developer of CHIPSEC, an open-source framework for analyzing the security of PC platforms, including hardware, system firmware (BIOS/UEFI), and platform components. These meaningful formative experiences indicate to us that he is in a unique position to solve this vital problem in cybersecurity.
To do so, he has built a strong team at Eclypsium to help him bring the company’s platform to enterprises worldwide. The company’s growth has been impressive, doubling its customer base in the last six months of 2021, with 40% of new customers coming from the Fortune 500. Current customers include global enterprises across multiple verticals, including several of the world’s largest financial services firms, technology and infrastructure providers, equipment manufacturers, and oil and gas providers. We are also encouraged by the worldwide traction that the company has had. The company has also had significant success providing solutions alongside government agencies, including being named to the Cybersecurity and Infrastructure Security Agency’s (CISA) Continuous Diagnostics and Mitigation (CDM) Approved Products List (APL).
We are pleased to be joined in this round by new investors of the highest caliber, including Global Brain and J-Ventures, and existing investors, including A16z, Madrona Venture Group, Intel Capital, AV8, Alumni Venture Group, Ridgeline, Mindset, Ubiquity, Translink Capital, and Oregon Venture Fund. Eclypsium’s answer to identifying, verifying, and fortifying firmware in laptops, servers, network gear, and connected devices is timely and critically important to the state of cybersecurity globally. We are proud to support them in their mission and look forward to all we can do to support them going forward.