Cybersecurity startup IriusRisk has raised a $28.7m Series B round to meet a growing demand for its threat modelling software — which helps software engineers identify high-level vulnerabilities in their systems — after doubling its customer base in 2021. The company, headquartered in the northeastern Spanish town of Huesca, will use the funding to expand its teams in Spain, the UK and the US across engineering, customer success and customer support.
Founder Stephen de Vries says that, despite the economic slowdown, IriusRisk isn’t seeing a slowdown in interest from businesses. “I don't think cybersecurity is something people want to cut back on,” he tells Sifted.
Who’s invested in IriusRisk?
- Paladin Capital — The DC-based cybersecurity investor led the round (it also led IriusRisk’s Series A).
- 360 Capital — Paris-based firm that invests across deeptech, B2B SaaS and consumer products.
- Bright Pixel Capital — Based in Lisbon and formerly known as Sonae, the corporate VC firm is one of Portugal’s leading deeptech investors.
- Inveready — Barcelona-based firm that invests in early-stage startups across deeptech, life sciences, B2B SaaS and consumer tech.
- Swanlaab Venture Factory — Madrid-based investor with a company-building approach and a focus on deeptech in Southern Europe.
What does IriusRisk do?
IriusRisk’s threat modelling platform allows companies to improve the security of their products by identifying potential threats in software and system design, and then suggesting countermeasures to those threats.
Threat modelling is separate from the work done by security testing tools that scan for bugs and vulnerabilities in code, De Vries explains. It is more about identifying flaws in the design of an application, taking into account a wider security context.
“For example, the threats that affect a user-registration form for an online bank are very different to those from an online dating site. Threat modelling helps to identify those threats and the appropriate controls for that security context,” he explains.
Threat modelling has historically been done manually by specialist security teams, who give feedback to engineering teams in a back-and-forth process as a system or product is built. De Vries says that this process is time- and cost-intensive, and means that companies generally only apply threat modelling to around 5% of their application design process.
IriusRisk’s platform allows engineering teams to do the threat modelling themselves, by providing automated feedback to developers as they design their systems, identifying possible problems and suggesting solutions. The tool allows companies to apply threat modelling to all of their system and product design.
What’s next for IriusRisk?
De Vries says that, until now, the vast majority of its clients have come from the financial services industry, but the company is now seeing increasing demand from fintechs, healthtechs and B2B software builders.
The IriusRisk founder says that around 60% of the company’s clients are from the US and he only expects interest in the country to increase. This is partly due to a recent executive order on cybersecurity from President Biden which includes threat modelling as a recommended standard in all software development, and a required step for any providers working with the US government.
“This [executive order] moves us from that top, security-critical niche and more into the mainstream,” says De Vries.
IriusRisk says it’s been doubling its revenues year-on-year since 2020 and the company will now be looking to expand its customer base in the Asia-Pacific region with the new injection of capital.
One big potential area for growth in threat modelling, according to De Vries, will be in Web3 and blockchain-based technologies. While he says it’s an industry that’s “still in its infancy”, he expects regulation and consumer demand for greater security to compel more Web3 developers to build threat modelling into their processes.
Sifted's take
IriusRisk’s sustained growth is evidence for the hypothesis that products like cybersecurity — which fall into the “mission critical” rather than the “nice to have” bucket of company spending — are more resilient to macroeconomic downturns.
Threat modelling is also likely to be a big growth area in the enterprise space, as financial attacks on systems like the Terra/Luna stablecoin serve as a high-profile reminder that business vulnerabilities can be more fundamental than simple coding bugs.
The company’s sustained growth and momentum also bolster southern Europe’s growing reputation for building successful deeptech companies, with all of IriusRisk’s engineering team being based in Spain.