Selling Cybersecurity: The SaaS Approach to Deep Tech Challenges
Cyber Builders must understand that cybersecurity has both SaaS and deep tech characteristics. Thinking that you would build a technology for years and it will magically sell is a fantasy.
Hello Cyber Builders 🖖,
I’m continuing our series "Cybersecurity by the Numbers," where I discuss the state of cybersecurity markets, investment, and M&A.
In this post, I compare cyber and other markets, such as SaaS and Deep Tech.
Aurélie, my cofounder, has a saying that always sticks with me:
"When an entrepreneur or a wannabe founder says—'Look, you don’t understand, for us it’s different'—it's a red flag."
She’s right. That phrase is often a defense mechanism. It’s what founders say when they don’t want to face inconvenient truths—like market realities, business fundamentals, or the brutal trade-offs of scaling a cybersecurity company.
But I’ll admit it: I’ve been guilty of this, too.
Cybersecurity: SaaS or Deeptech? (Or Both?)
Before I call out others, let me shame myself first. I’ve caught myself saying, “Cybersecurity is different!”—only to realize I resisted a helpful comparison.
So, let’s get this straight: Is cybersecurity like SaaS? Yes. The go-to-market (GTM) motions, enterprise sales cycles, and scaling challenges are incredibly similar. Is it Deep Tech? Also yes. There are genuine R&D risks, intellectual property (IP) moats, and defensibility factors more common in-depth than average B2B SaaS startups.
In other words, cybersecurity startups must embrace the best of both worlds:
✅ The scalability playbook of SaaS
✅ The innovation intensity of Deep Tech
That’s what I wanted to share today.
Key Takeaways
1️⃣ "It’s different for us” is usually an excuse—cybersecurity startups face the same core business realities as SaaS and deep tech companies.
2️⃣ Cybersecurity combines SaaS scalability with Deep Tech innovation. You can’t ignore either side of the equation.
3️⃣ Market risk kills more cybersecurity startups than technology risk. A strong GTM strategy beats a “perfect” product every time.
Market Risk vs. Technology Risk: What Kills Cybersecurity Startups?
When a cybersecurity startup fails, what’s the real cause? Is it the Tech that didn’t work? Or the market that didn’t care?
Technology Risk: Can We Build It?
This is the Deep Tech side of cybersecurity. Some startups are pushing the boundaries, such as new Web3 / Cryptography applications (like Zero Knowledge Proof or Secure Multiparty computation) or AI-driven WhatYouLike.
Deep Tech refers to creating technology founded on genuine scientific advancements that effectively "sells itself" due to its high performance.
To understand this, let’s compare it to biotech:
A biotech startup inventing a new drug has to tackle biological risks—does the molecule even work in the human body? Are you effective against the threat?
Then, they face pharmacology risks—can they manufacture and deliver it safely and effectively? Are you efficient against the threat? Is it worth taking the pill versus all the collateral effects?
Cybersecurity startups face a similar technology risk:
Security risk: Does the cryptographic model work under real-world conditions? Does the AI detection model detect all the threat vectors?
Engineering risk: Can it be implemented at scale without breaking performance, usability, or compliance? Would it generate tons of false positives?
If they can’t solve these, the product dies in its infancy. But here’s the twist—this isn’t the main reason most cybersecurity startups fail.
That’s where market risk comes in.
Market Risk: Can We Sell It?
By 2024, the worldwide SaaS market is expected to reach $282.2 billion, indicating robust growth. (Statista Market Insights, 2023) (and additional statistics)
The market risk is the SaaS side of cybersecurity. The biggest challenge isn’t building excellent Tech—it’s selling it.
Can you convince CISOs to take a chance on you?
Can you break through crowded markets where incumbents already own customer mindshare?
How do you reach the end customer? What are your channel partners?
Can you turn initial interest into long-term adoption and revenue?
Is there a real channel between the vendor company and the end user? Can you sell directly to thousands of customers?
Most cybersecurity startups die from market risk, not technology risk. The tech might be good, but it doesn't matter if no one buys it, it doesn’t matter.
Cybersecurity Is Like SaaS—More Than Just a Sales Strategy
We’ve already established that cybersecurity is very close to an Enterprise SaaS business, especially regarding sales strategy and execution. But the similarities don’t stop there.
Cybersecurity companies that embrace SaaS principles—beyond just selling subscriptions—position themselves for more substantial growth, faster adoption, and better customer retention.
Subscription & Service Model: Recurring Revenue Is the Rule
The days of selling one-off security appliances are over. Modern cybersecurity, like SaaS, is built on recurring revenue.
Customers don’t just buy a product; they subscribe to ongoing protection, updates, and support.
Renewal rates and upsells define long-term success.
Managed detection and response (MDR), endpoint protection, and cloud security follow the same playbook as SaaS: land, expand, retain.
Continuous, Behind-the-Scenes Updates: A Security Must-Have
Cyber threats evolve daily. Cybersecurity solutions need constant updates to remain effective, just as SaaS tools require frequent improvements to stay competitive.
Security teams expect real-time patching, updates, and evolving detection models—without downtime.
Complex Sales & Market Adoption: The CISO Sales Cycle Mirrors Enterprise SaaS
Cybersecurity buyers don’t make impulse purchases. Enterprise security and SaaS sales cycles share the same complexity:
Multi-stakeholder decisions—CISOs, IT, compliance, procurement, and even finance weigh in.
Long proof-of-concept phases—Enterprises need trials, integrations, and compliance approvals before committing.
ROI-driven sales—Success isn’t just about features; vendors must prove their security impact in financial and operational terms.
Like SaaS vendors sell productivity gains, cybersecurity vendors must quantify risk reduction and compliance benefits.
User Experience & Integration: If No One Uses It, It Doesn’t Work
One of the biggest problems in cybersecurity adoption is “dashboard fatigue.” Many security teams already have too many screens, logs, and alerts.
If your security product isn’t intuitive, no one will use it.
Automation is crucial. Security teams don’t need more alerts; they need actionable insights.
Integration matters. As SaaS tools must work within enterprise workflows, cybersecurity solutions must seamlessly connect to SIEMs, DevOps tools, and cloud environments.
If no one is looking at the security screen, the solution isn’t solving the problem.
Cybersecurity Is Like Deep Tech—Solving Hard Problems With Science
While cybersecurity behaves like SaaS in its business model, its core technology aligns with deep Tech.
Extended Development and Testing Cycles
Deep Tech isn’t built overnight. Cybersecurity products require rigorous testing and iteration before they can be deployed.
Threat actors constantly evolve, meaning cybersecurity solutions must outpace attackers.
Many cybersecurity tools require validation in real-world attack scenarios before being trusted.
Compliance and regulation (SOC 2, ISO 27001, GDPR) add complexity, extending product development timelines.
Unlike consumer SaaS, you can’t “move fast and break things” in security.
High Technical Risk and Complexity
Cybersecurity isn’t just about writing code but solving unpredictable, complex challenges.
Cryptography innovations (Zero-Knowledge Proofs, Secure Multiparty Computation) come from years of academic research.
AI-based threat detection requires large-scale data science and behavioral analysis. It must also avoid false positives and adversarial AI manipulation.
Cybersecurity must address nation-state attacks, advanced persistent threats (APTs), and constantly shifting threat landscapes.
Deep tech startups face unknowns in their R&D process—and cybersecurity is no different.
Substantial Capital and Resource Needs
Like deep Tech, cybersecurity startups require a heavy upfront investment.
Talent is scarce. The best security engineers, cryptographers, and AI experts demand high salaries.
Infrastructure costs add up. Cloud-based security tools process vast amounts of data.
Go-to-market takes time. Selling to enterprises means navigating long procurement cycles, compliance barriers, and competitive pricing pressures.
Global from Day 1. The most successful companies initiate their international journey swiftly. This approach fosters their success rather than the other way around.
Raising capital isn’t just about growth—it’s about surviving long R&D cycles before revenue scales.
Interdisciplinary Collaboration: Security Isn’t Just a Tech Problem
Cybersecurity isn’t just about engineering but people, policy, and behavior.
Cryptography blends mathematics, computer science, and hardware engineering.
Threat detection requires AI, psychology (social engineering), and legal considerations.
Regulatory compliance shapes product development as much as technology does.
Like Deep Tech ventures combine physics, biotech, and engineering, cybersecurity demands cross-disciplinary expertise to solve modern threats.
Conclusion - Cybersecurity Needs Both SaaS and Deep Tech Mindsets
Cybersecurity is at the intersection of SaaS business models and Deep Tech innovation. If either is ignored, success becomes much more complex.
SaaS thinking helps cybersecurity startups scale, sell, and retain customers.
Deep tech thinking ensures they build defensible, cutting-edge solutions.
What do you think on your end? Could you drop me a comment below?
Laurent 💚