Eclypsium lands $25M to secure the device supply chain

As the enterprise device supply chain grows increasingly global and fragmented, it’s becoming more challenging for organizations to secure their hardware and software from suppliers. According to the European Union Agency for Cybersecurity, the EU agency that contributes to the bloc’s cyber policy, 66% of cyberattacks focused on a supplier’s code as of 2021.

Combating these attacks is no easy feat — but Yuriy Bulygin is making a go of it. He’s the founder of Eclypsium, a cloud platform that provides protection against device hardware, firmware and software exploits in corporate and public sector environments.

In a reflection of investor confidence — or perhaps simply the demand for supply chain security solutions — Eclypsium today closed a $25 million Series B round led by Ten Eleven Ventures with participation from Global Brain’s KDDI Open Innovation Fund and J Ventures, bringing the company’s war chest to $50 million. Bulygin says that the capital will be put toward expanding Eclypsium’s product capabilities, supporting current sales efforts and expanding headcount from around 80 people to over 100 by the end of the year.

“A few macro-level trends are driving demand for Eclypsium’s solution, and therefore made this the right time to raise funding to enable accelerated growth,” Bulygin told TechCrunch in an email interview. “The global supply chain is increasingly complex, which means that finished devices may have hardware and firmware components sourced from vendors around the world — all of whom add to the risk and complexity of securing a device. Moreover, the White House’s continued focus on … creating resiliency in America’s supply chains has brought a new focus to the risks inherent in a global economy, and has also driven increased demand from government agencies in Eclypsium’s solutions.”

Prior to launching Eclypsium, Bulygin spent nearly a decade at Intel, where he led security threat analysis and directed research on software and hardware vulnerabilities and exploits. Bulygin went on to become the senior director of advanced threat research at McAfee before founding CHIPSEC, an open source platform security assessment framework.

In founding Eclypsium, Bulygin sought to build a service that — in his own words — helps companies avoid “falling into the trap” of relying on equipment manufacturers and more traditional endpoint security management tools. While some startups, like Finite State, provide firmware-based supply chain security for connected devices, Bulygin argues that this level of protection is an afterthought for most cybersecurity vendors.

[Image: Eclypsium’s cloud management dashboard. Image Credits: Eclypsium]

The assertion has to be taken with a grain of salt — Bulygin has a product to sell, obviously. But all else being equal, it’s true that supply chain attacks are on the rise globally. According to a 2022 survey by Venafi, a machine identity management firm, 82% of chief information officers believe that their organizations are vulnerable to cyberattacks targeting supply chains. The report suggests the shift to cloud-native development, along with the increased speed brought by DevOps processes, made the challenges associated with securing supply chains significantly more complex.

“The sheer number and complexity of modern devices requires highly specialized understanding and expertise in equipment built by various manufacturers — with all firmware and software shipped with these devices — and requires a unique set of capabilities to detect compromised devices and protect from further compromise,” Bulygin said. “Because firmware plays such a critical role in enabling and defending our technology supply chains, many traditional security vendors have opportunistically added ‘firmware-specific features’ to their products. However, firmware security is not an add-on.”

Eclypsium supports hardware, including PCs and Macs, servers, “enterprise-grade” networking equipment and Internet of Things devices. Using the platform, organizations can see and control fleets of devices as well as networking infrastructure without having to install client software. Firmware orchestration capabilities allow security teams to go one step further, tapping Eclypsium to discover, analyze and deploy firmware updates published by device manufacturers to spot “unexpected” — and potentially malicious — software modules embedded in the hardware.

“Organizations are increasingly turning to zero trust principles to defend their device fleets and operations. As such, the default position is to avoid trusting systems and users until explicitly verified … [yet] each device represents a complex system of computers with their own embedded code and operating systems — each built by many suppliers,” Bulygin said. “Organizations need to understand all layers of hardware and software code for device verification to be truly successful, from all of the code embedded into devices and supplied by manufacturers to operating systems and applications. Software and firmware code embedded into devices is the most fundamental and privileged software running on each device.”

Bulygin was coy when asked about the size of Eclypsium’s customer base, and he declined to reveal any specific revenue figures. But Bulygin did volunteer that a third of the company’s customers are Fortune 2000 firms and that Eclypsium has a number of U.S. federal government contracts.

The pandemic shifted many organizations to a remote-first, work-from-anywhere, bring-your-own-device environment, accelerating the need to adopt defensive models and principles that don’t rely on perimeter defenses. The most notable shift is the move to zero trust principles, both at the application and the device level. This growing recognition of the need to provide multi-layered defense for devices, including at the operating system, embedded software and firmware, and hardware layers, has increased interest in supply chain … solutions for devices, like those from Eclypsium.

As funding rounds like Eclypsium’s show, the cybersecurity bubble might be starting to deflate — but it hasn’t burst. Data from Momentum Cyber, a financial advisory firm, showed that cybersecurity startups raised a record-shattering $29.5 billion in venture capital in 2021, more than doubling the $12 billion raised in 2020, while a record number were minted as unicorns. And according to Crunchbase, venture dollars invested into cyber startups hit almost $6 billion in Q1 2022.

Eclypsium lands $25M to secure the device supply chain by Kyle Wiggers originally published on TechCrunch

A former Bessemer Venture Partners principal just closed his own $30 million fund, and here’s how

Sunil Nagaraj, who’d studied computer science as an undergrad at UNC Chapel Hill, landed a pretty nice gig after deciding to pursue an MBA at Harvard Business School. He wound up working as a principal for Bessemer Venture Partners, a top-tier venture firm with locations around the world.

Nagaraj helped source a number of deals at the firm over the next six years, too, investments that made him proud, like bets on the identity platform AuthO and the online dating site Zoosk, for example. But he was itching to meet with even younger companies, and he was itching to strike out on his own. So in the summer of 2017, he did, and now, 18 months or so later, Nagaraj says he has finally closed his debut fund with $30 million.

The name of the firm is Ubiquity Ventures, and its focus is on “software beyond the screen,” says Nagaraj, pointing to one investment, New Zealand-based Halter, as an example of what he means. How it works: with the help of a solar-powered, GPS-enabled neck band for cows, Halter’s app allows farmers to remotely guide their herds when it’s time for the animals to be milked. Its software also keeps the cows out of rivers and drains by creating virtual fences and can detect when cows are in heat or about to give birth, among other things.

We asked Nagaraj last night about leaving Bessemer, and what he has learned that other aspiring VCs — as well as current VCs who aspire to leave their firms — might learn from his path. Our chat has been edited for length.

TC: You had a plum gig at Bessemer. Why leave it?

SN: I learned everything I know about venture investing from the team at Bessemer, especially from working alongside [partner] David Cowan. But even though Bessemer’s large fund size and robust team provide enormous support and rigorous processes, that can be the wrong fit for very early seed capital and nascent technical sectors with uncertain outcomes. There are certain things I treasure about my new role that wouldn’t have been possible within any large firm, including spending one day each week coding and nerding out on new technologies.

TC: What gave you the confidence to bounce?

SN: There’s never a moment where it feels comfortable or rational to jump. Every founder of a startup or VC firm rolls their eyes when they hear someone say “I would jump for the right opportunity” or “I would jump if it made sense.” For me, I was in the midst of uncovering my inner nerd and beginning to see some of my investments take off, and those things, combined with some inspiration from the OG wave of single GP firms — and Manu Kumar at K9 Ventures in particular — got the ball rolling.

TC: Who wrote your first check who was not a family member?

SN: David Cowan. Next was John Hollar, CEO of the Computer History Museum for the last 10 years. (He stepped down last year.) We’ve known each other since 2009, when I arrived in the Valley and launched the Computer History Museum NextGen Board. He was a reference for VCs when I raised venture capital as an entrepreneur in 2010, and his confidence in Ubiquity was a critical jump start.

TC: What was the hardest check to land?

SN: The hardest capital to raise was institutional capital. Institutional investors like universities and pension funds tend to be savvier and have their pick of the litter, so I feel fortunate to have both categories of investors in my debut fund. Understandably, there are many hurdles to clear on track record, references, and portfolio construction for an institutional investor to commit to a new fund.

TC: You’ve already made nine investments, so presumably you were investing as you were getting your capital commitments. How much of the fund is left?

SN: Yes, I have been investing since my first closing at the end of September 2017. I can’t say exact numbers, but Ubiquity is on schedule with capital deployment. Levl, which prevents the spoofing of wireless devices, and Eclypsium, which protects software in the real world from malware, were my first two investments; I made both in October 2017.

TC: How many companies do you anticipate funding altogether with this first fund?

SN: 20

TC: What happens if a company like Halter takes off and you want to continue funding it? Is the plan to use SPVs? AngelList?

SN: I have a healthy capital reserve for follow-on funding. After that, my priority is to ensure my LPs have access, likely via SPVs.

TC: Does Ubiquity have a geographic focus?

SN: Two portfolio companies are in the Pacific Northwest, another splits its time between Palo Alto and Israel, three more are in Palo Alto, and two are in Pasadena. Then there’s Halter in New Zealand. It’s not a total accident that zero are in San Francisco itself. My focus on software beyond the screen, deeply technical founders, and reasonable valuations hasn’t uncovered any SF investments so far.

TC: Are you price sensitive? What did you learn about this at Bessemer?

SN: Price matters to anyone buying anything. There’s a pervasive belief that a few companies make up all the returns in the Valley, so you shouldn’t worry about price if you have a winner. This may be true when looking retrospectively, but it’s sloppy thinking to apply when it is impossible to know if your current deal will be one of the massive winners. Also, high prices and pricing a deal to perfection too often results in down rounds and a messy aftermath for founders. My time at Bessemer allowed me to see so many good and bad startup outcomes, where price discipline only helps.

TC: How much traction does a startup need to have to get a check from you?

SN: Zero. I’m looking to back founders who are technical, know their problem space cold, and are going after a problem that fits tightly with Ubiquity’s thesis of software leaping off the screen and into the real world around us. I meet technical experts pre-idea, as well as founders with early products. My investments rarely have revenue when I invest, but they should by the end of their seed runway.

TC: How much of an ownership stake are you targeting?

SN: Ten to twenty percent.

TC: What’s harder about starting your own firm than you anticipated would be the case?

SN: I wrongly believed that launching a venture firm would be similar to launching a startup. In startup fundraising, VCs are evaluating a specific product/market/customer. They have a very compressed time frame to decide. And they have monthly board meetings to provide regular input and even trigger changes.

With VC firm fundraising, their own investors have no concrete data about the future investments that will eventually populate the fund. They’re on the receiving end of quarterly updates. And they’re called “limited” partners because they exercise no authority over investment decisions. The two worlds couldn’t be more different. As a result, LPs are charged with a much trickier decision and have a much deeper diligence process to make what amounts to a 10-year commitment.

TC: Anything easier than you’d guessed it would be, striking out on your own?

SN: Having no overhead allows me to focus 100 percent of my time on startups. It is more wonderful than I imagined.