Interview

September 2, 2024

Cybersecurity unicorn Nord Security on its journey from bootstrapping to IPO readiness

The Lithuanian unicorn is on a mission to become “the largest cybersecurity company in the world”


Zosia Wanat

7 min read

Eimantas Sabaliauskas and Tom Okman, cofounders and co-CEO of NordSecurity

Over the last 12 years, Lithuanian cybersecurity company Nord Security has grown to almost 1,700 staff based in five different European cities, attracted 15m users worldwide and become a unicorn. It's now preparing for a potential IPO — and has achieved all despite raising its first external investment just two years ago. 

The company is best-known for its VPN service, NordVPN — a proxy server that allows users to avoid content geoblocking and protect their communications against data profiling, frauds and scams. But over the years it’s expanded to offer a whole array of cyber protection services, both for individuals and small businesses.

The goal? Become “the largest cybersecurity company in the world”.

Unicorn valuation at first raise

Nord Security was bootstrapped for a decade but in 2022 and 2023 raised two growth rounds, at $100m each, from investors including Warburg Pincus, the US-based private equity firm, German VC Burda Principal Investments and US VC General Catalyst. It reached a $1.6bn valuation at the first round, and a $3bn valuation at the second — and gained access to its investors’ expertise and network. 

Advertisement

But the company’s founders say they never actually needed investors’ money — they stress that they had to convince Warburg Pincus to write them a much lower cheque than it usually does. 

“We didn't spend any [investors’] money,” says Tomas Okmanas, cofounder and co-CEO. But the investors' links to banks, and the best governance experts and managers, has been helpful in organising the company's internal processes, and in preparing for its potential future IPO, he says.

Okmanas and Eimantas Sabaliauskas, his cofounder and co-CEO, tell Sifted that the scaleup is “technically almost IPO-ready” and if they decided to do so, it would want to be able to go public within a six-month window. 

We don't need another investor — the public markets — to deal with

Although, with those external investors owning less than 10% of the company, the founders don’t feel any pressure to go public.

“We just want to be ready if it happens, and if it strategically makes sense,” says Okmanas. “We have all of the paperwork, finances, reports; everything's done, but we have no plans to do it. We don't need another investor — the public markets — to deal with. It would take us a lot of time, and we would rather go and check products that we can do, build new things, or research the competition.”

“We really don't want to sell and go to the Bahamas,” he adds.

The beginnings

It’s not like the founders didn’t like the idea of getting VC money — but when they started the company, back in 2012, there was simply no funding available for tech startups in tiny Lithuania (population: 2.8m). 

“We had no Skype as a success story, like Estonia; there was practically no VC money here. So everyone had to be funded by their users,” says Sabaliauskas. 

Both Okmanas and Sabaliauskas had full-time jobs in IT. They met after work, walked around the block, and kept talking about things they would want to build in the future: apps, programmes, websites. In the evenings, at home, they built more than 30 different IT products to see if and how they’d work.  

“On the same walk around the block, we decided that we should do something with cybersecurity,” says Sabaliauskas. 

Since they started — in a 12 sq m office — the company has recorded “crazy growth,” he says. “We could not even stop and evaluate the success of what we have achieved, because it was constantly growing. We changed offices four or five times a year. And suddenly you have 200 people and you still don't have HR,” he adds.

Advertisement

“We tried to raise capital,” says Okmanas. “But in Lithuania, back in the days, the biggest fund size was $6m total. And no one believed in us — we reached out to a couple [of] folks, no one saw this as a good category. It was really tough for us to reach [not just] the Sequoias of the world, but [also] big payment companies, like Stripe or PayPal, to get good deals or at least [get] a contract.”

Since the company had no external funding, it came up with a pricing strategy that helped it survive, says Okmanas. “We were the first to start selling long-term, two-three year plans, meaning that we collected money upfront,” he adds. “We used that money to fund the growth, employees and everything, because we knew that we're going to create a great product… We don’t call it bootstrapped — we call it a customer-funded business.” 

In the early days, we accidentally clicked the wrong button and we spent hundreds of thousands on Google ads in one hour

It wasn’t all rosy though — Okmanas says that while he never thought of giving up, they had some “very tough days”. “There were many hard mistakes and mis-hires,” he says. 

“In the early days, we accidentally clicked the wrong button and we spent hundreds of thousands on Google ads in one hour. There were tough days when our payments stopped working, the website was not working,” he says. “We slept very little over the years.”

Nord Security's headquarters in Vilnius

Largest cybersecurity company in the world

Today, the times of hectic bootstrapping and working from a tiny room are long gone. Nord Security has its own office building, in a renovated sock factory, located in front of Lithuania’s other unicorn, Vinted. It’s a part of the impressive Vilnius Cyber City, a complex for cybersecurity startups. 

Its offices look as if they were taken from a Silicon Valley startup magazine: the employees have access to a gym, free snacks (and ice cream!), a roof terrace and a playroom for their kids if they have to bring them to work — all in the highest quality design. The company is now constructing another building, as it’s hoping to hire more employees in the upcoming months. 

With more than 90% of revenue from B2C sales, Nord now sells full packages of cybersecurity products, including: VPN, which blocks scams, viruses and phishing attempts for users; the encrypted cloud infrastructure for storing company’s files; dark web monitoring in case users’ data gets leaked in data breaches; cyber threats insurance; and, most recently, eSIM cards for mobile phones which will soon have some extra cybersecurity components. The US accounts for half of its sales, while Europe makes up for another 30-40%. 

“VPN was at first, some kind of a geeky, nerdy thing — and then it’s become the ultimate security tool,” says Okmanas.

Given the bootstrapped nature of the company, it has always been profitable on a cash-flow basis. Since last year, it’s also been EBITDA-positive — and will continue this trend this year. 

Vilnius' Cyber City

Acquiring startups 

The founders are now pursuing more acquisitions — recently Nord bought a small US competitor, IronWall. “We're having active talks,” says Okmanas, adding that they’re mostly looking at startups in the US, but also in Europe. “If we see that to build a feature it would take us two, three years, and there’s a small company [that works on this feature], we're gonna buy that company,” he says. He also wants to make acquisitions that will help Nord offer a bigger portfolio of services or products. 

“It's still a superpower that we need to unlock,” adds Sabaliauskas. “Now we're still early-stage buyers.”

“We're not M&A guys that know how to glue five, six companies. We need to see how the cultures fit, where the people fit. We don't want to fire anyone,” Okmanas adds. 

Did they ever think that their business idea would grow to this scale? “Not in my biggest dreams,” Okmanas says. 

We really see that we can make an impact on the economy of Lithuania

“When we just started, we set a goal to become the largest tech company in Lithuania, or to become the biggest VPN provider,” says Sabaliauskas. "It took a year to reach one goal, then another year to reach another goal, and suddenly you are out of your goals. Now we have a goal to become the largest cybersecurity company — it might take more years, but we are increasing those goals as time goes and we achieve those checkpoints.”

“We never dreamed of sitting here, on the top floor and having thousands of people here on this campus,” adds Okmanas. “It's very motivating to push harder because we really see that we can make an impact or change in the economy of Lithuania or how Vilnius is developing — and we can make it a more beautiful city for everyone.”

Zosia Wanat

Zosia Wanat is a senior reporter at Sifted. She covers the CEE region and policy. Follow her on X and LinkedIn