Towards realization despite adversity?
Last year marked the beginning of the French cybersecurity startups ecosystem transformation. This year, many questions are being asked: has the momentum continued despite the health crisis? How has the ecosystem responded? What actions would support it towards scaling up?
A dynamic ecosystem where some startups are reaching maturity
An ever-changing panorama of startups
Our radar now lists 152 cybersecurity startups, which represents 18 more startups than in June 2019, representing a 13% growth. Regarding their size, there has been a sharp increase (73%) in the number of “medium-sized companies”, while the number of “very small companies” and “small companies” remains stable, which is a sign that the market is becoming stronger. In total, startups represent more than 1,400 employees, 17% more than last year, a figure that has increased for the 4th year in a row.
In terms of geographical distribution, the findings are is quite similar to 2019: Paris remains the main hub (more than 60% of the radar startups have headquarters there). Rennes region comes in second position and continues to grow in volume to reach 10% of representativeness. Bordeaux region comes third, with 4% of startups.
Still promising startup creations
The radar shows 16 young startups created between early 2019 and August 2020. Among these startups, we can see that:
- More than a quarter focus on data protection topics: Olvid, Protected, Pineapple Technology, BusterAI
- Nearly another quarter on vulnerability management and operational security activities: Patrowl, V6Protect, Purplemet.
- Endpoint protection (Nucleon Security, Glimps) completes the podium of the main themes addressed by these new startups.
We want to raise your attention to Malizen, a startup which is positioned on threat hunting and assistance to investigations by incident response teams, a topic that is still little represented in today’s ecosystem. Moabi’s position on firmware security auditing (embedded software) is also interesting in terms of connected objects security.
These new startups most often originate from the identification of a gap in the market by one of the founders during a previous professional experience. This year, however, two companies, Malizen and CryptoNext, have emerged from research projects. This is a small but interesting figure compared to previous years, especially in a French context where the world of research and that of cybersecurity are still too separate.
Only 38% of French startups position themselves on emerging themes
The startups relationship to innovation remains stable compared to previous years. 30% of startups are disruptive and create new security solutions and 8% secure new uses (IoT, Cloud, etc.). However, the majority (62%) of startups reinvent existing solutions by proposing improvements. Despite the lack of direct innovation, these startups can be very successful if they demonstrate business agility. A perfect example is Egerie Software, which quickly tackled the issue of digitizing the Ebios Risk Manager risk analysis method developed by ANSSI.
In terms of innovation, we can emphasize cryptography, as current encryption methods are threatened by quantum computing. This is precisely the aim of Cryptonext, a startup committed to providing robust encryption solutions in the face of these new threats, as it is focusing on post-quantum cryptography. Another startup, Cosmian, is focusing on the “confidential computing” trend, which makes it possible to encrypt data stored in the cloud using a homomorphic encryption algorithm, and then use encrypted data in the cloud without having to entrust the key to the service provider. Scille is another one to follow, as it introduced the CYOK concept (Create and Control Your Own Key) through its Parsec solution, that makes the user workstation the only trusted entity that automatically generates encryption keys.
Still at the center of the CISO’s concerns, the user is offered new innovative means of being made aware of security, with Cyberzen’s augmented reality, or HIA Secure’s new authentication methods using “human intelligence”, where the user himself generates single-use codes after solving challenges consisting of a sequence of symbols and characters.
With the generalization of teleworking for all employees, the health crisis of Covid-19 has also reinforced the need to secure the terminals. New French Endpoint Detection and Response (EDR) solutions continue to emerge, such as the Nucléon startup. Some are even going further regarding innovation, such as Glimps (created by four former DGA – the French Defence Procurement Agency – employees), which is trying to revolutionize malware detection and analysis by conceptualizing the compiled code, which allows them to free themselves from the modifications induced by the compilation, the target architecture and thus detect unknown threats on non-standard systems.
Many companies want to democratize the use of agile methodologies, while integrating security into these processes remains a real challenge in most cases. Intuitem tries to remedy this by providing the necessary tools to monitor their Agile Security Framework.
Finally, with the emergence of connected objects, the need for a secure IoT platform is more important than ever, this is what Tarides proposes through its OSMOSE solution.
As some startups are becoming more mature, the first « scale-ups » are being identified
20 startups are leaving the radar this year, 6 less than last year. Of these exits, 5 are very fast growing (exceeding 35 employees in less than 7 years of existence) and 1 is due to a buyout. This continuity compared to last year demonstrates a growing capability of the French startup ecosystem, as some “scale-ups” are emerging in the cybersecurity field and can expect to attract the largest buyers or larger funds. As such, we are launching, together with BPI France, a first non-exhaustive monitoring of this category. The aim will be to complete the scale-ups list with the startups that will leave the radar in the coming years, due to very rapid growth.
A smaller proportion of startups are removed from the radar solely because of their seniority (20% this year compared to 37% in 2019). This year, we are seeing the first projects put “on hold” (20%, unrelated to the health crisis) and those shifting from cybersecurity to other fields (20%).
An ecosystem in full renewal
International: a growing reality for startups
The health crisis does not seem to have shaken the willingness of startups to internationalize: this year, nearly 63% of the startups say they have customers abroad compared to 50% one year ago and 13% of the startups are thinking about going abroad. Cybersecurity is indeed a global issue and going international may prove to be an opportunity for startups, with countries where cybersecurity market is more mature or important than in France.
Regarding startup expansion targets, 55% want to expand beyond European markets. The US market is the preferred target for a third of startups wishing to expand on an international scale, and some French gems like Sqreen or Alsid have already taken this direction.
However, the Asian market should not be forgotten, which, even if it is less successful (only 18% of startups interested), can prove to be promising. It is a large market, where a targeted approach is necessary. Indeed, it may be interesting to start by targeting the economic centers of Hong Kong and Singapore, known to be good bridges between Europe and Asia. Singapore is particularly dynamic in cybersecurity with a historic investor (SingTel) and incubation structures widely mobilized, such as ICE71 or the branch of the English incubator CylonLab. However, Hong Kong remains strong, with a significant number of acceleration programs such as Cyberport and the DIP (Design Incubation Program).
2019-2020: The Year of National Initiatives
The French cybersecurity ecosystem is in full renewal. Numerous initiatives were launched between 2019 and 2020.
In October 2019, the Ministry of the Armed Forces inaugurated the “Cyber Defense Factory“. It is a place for cross innovation between the civilian and military worlds. Based in Rennes, this facility enables startups, SMEs and academics to work together with DGA experts and military operational staff on cybersecurity issues. It will also provide access for selected companies to certain data from the government.
In addition, the Strategic Committee for the “Security Industries” sector has seen its strategic contract signed with the State. The latter includes a dedicated section for cybersecurity aimed at bringing out France’s potential in terms of cybersecurity by aligning and mobilizing the various players on policies for education, innovation and technological development. Concretely, it will promote the private/public relationships, as well as initiatives on the innovation front. The first major results are expected in 2021.
The Grands Défis initiative, which stems from Cédric Villani’s work on artificial intelligence, saw the publication of its cybersecurity roadmap in July 2020. With a 30-million-euros budget, it highlights key themes such as cybersecurity automation, SMEs security and IoT security. A call for applications has been opened by BPI France and will close in 2021. The roadmap also highlights the importance of cybersecurity, pushing for the creation of a dedicated structure to help entrepreneurs get started and support them as early as possible.
Finally, the Cyber Campus project has been validated at the highest level of the State. The creation of this emblematic site aims at bringing together the driving forces of French cybersecurity, obviously to better protect our country and its strategic assets, but also to develop its economy and promote France abroad on this theme. Innovation should be widely represented, with the presence of start-ups, demonstration areas and even initiatives to accelerate or incubate cybersecurity startups. It is scheduled to open in 2021.
This concludes the first part of our analysis of the dynamics of the cyber security startup ecosystem in France. The panorama of startups remains constant, with newly created startups already showing great promise. Others, with already several years of activity to their credit, have continued to grow, to the point that we have had to create a new category: scale-ups. However, this ecosystem is facing two major adversities, such as the current health crisis and the resulting slowdown in international trade. We will therefore see in a second part, what are the necessary evolutions for this startup ecosystem.