Judy Redacted Investment Memo
Provided here is our redacted investment memorandum, detailing our rationale for investing in Judy at their Seed Stage in 2019.
Judy (formerly AaDya) is a cybersecurity platform designed to secure devices and protect sensitive data specifically for small and medium businesses. Founded by Raffaele Mautone, who was previously the Chief Information Officer of Duo Security ($2.4B acquisition by Cisco), Judy creates a single security platform with multiple offerings rather than building an endpoint solution.
COMPANY OVERVIEW
AaDya Security is a cybersecurity company going after small businesses, mid-market companies and consumers. Rather than building an endpoint solution, they are going to create a single security platform with multiple offerings. Users will interface with the platform through Judy, an AI assistant that will help them sort through security alerts, suggest actions, etc. This is currently done by IT staff, but not all companies can afford them on payroll, especially small businesses.
Some cybersecurity companies have used Managed Security Service Providers (MSSPs) as channel partners to drive adoption of their software. AaDya will cut this loop and instead offer an MSSP service directly. They will be able to handle incident response and manage security services that might not integrate with AaDya. These more hands-on interactions will also be used as a customer research tool, giving them a chance to surface usage patterns and build more tools to automate them.
KEY HIGHLIGHTS
Prominent Highlights
- Experienced Security Team. Raffaele has an extensive background in security. He worked at Duo Security for 3 and a half years, where he became Chief Information Officer. Previously, he was at FireEye, McAfee and Dell. In a short period of time, he has also recruited multiple people from Duo Security to join him at AaDya.
- Large Market Opportunity. The small and medium business security space is very large and underserved. With 3,500,000 addressable businesses, the market opportunity could be above $10B depending on pricing structure and number of features offered. This doesn’t even account for the markets they could expand into, like individual consumers and mid-market enterprises.
- Untapped Talent Pool Opportunity. The company is based in Detroit and will have the chance to tap into the region’s talent pool. There are multiple companies with high-quality engineering teams, such as Duo Security, Google, LinkedIn, StockX, along with some of the best cybersecurity programs in the US with Eastern Michigan University and the University of Michigan.
INDUSTRY OVERVIEW
Small businesses (SMBs) have had a hard time protecting themselves from cybersecurity threats. This is due to various reasons:
- Lack of resources. SMBs don’t have the resources to attract and hire high quality security talent to add to their IT staff. This leaves them with either low quality or no talent at all.
- Difficulty in managing services. The cybersecurity market is filled with endpoint, best of breed solutions. LastPass for password management, Duo Security for Single Sign On, CrowdStrike for endpoint security. It’s very hard for SMBs to manage them and reconcile information they get from each one of them.
- Lack of training. SMBs don’t have a budget for security training. Even if they have some tools, they might not be up to date on how to respond to them, which security features to enable on their devices, etc.
To address these problems, SMBs have been using Managed Security Service Providers (MSSPs). Due to the increased focus on cybersecurity, the MSSPs market has seen a CAGR of 16%, and is projected to reach $40B in 2022.
MSSPs operate in two ways: Fully-Managed Security Services or Co-Managed. In the first case, the MSSPs decide which technologies to use, they monitor and have security analysts keep track of anomalies or breaches. In the Co-Managed case, they’d help you analyze results from security tools you already have in use.
Companies trying to target this market have had very large exits; a couple examples are Cisco’s acquisition of Duo Security for $2.4B and CrowdStrike’s IPO at a $4B market cap.
THE NEW AGE
MSSPs are constrained by the fact that in order to scale your customer base, you need to also employ more security analysts to manage those relationships. This has created a very fragmented market with multiple large companies, but no market leader.
As machine learning and artificial intelligence capabilities improve, there’s going to be a chance to automate a lot of what security analysts do today, especially at the threat detection and assessment level. Tenable (NASDAQ: TENB) offers some of these capabilities as an endpoint enterprise solution, but they don’t go after the SMB market.
AaDya wants to build a security platform that manages all facets of your security needs, from password management to device security, and uses AI to automatically surface anomalies, rather than having a human monitor it manually.
MARKET SIZING
The first target market for AaDya Security is small businesses in the sub-500 employees range, which is 5,900,000 businesses in the US. To size the market, we have taken 67% of that (3,953,000), which is the percentage of SMBs that suffer a security or data breach each year. They are the most likely ones to go to market and be receptive to sales offerings.
There are a couple of market tailwinds that can help AaDya expand the market:
- Privacy regulations like GDPR and CCPA will put more pressure on companies to have a basic security stance. For most SMBs, hiring an MSSP or an in-house security specialist is out of budget. This creates a large opportunity for AaDya to rise as a low-cost solution with minimal friction.
- As more and more security breaches are covered in mainstream media, businesses will have higher standards for their vendors and partners. Compliance checks are expensive, and AaDya could automate a lot of it with their Judy AI assistant.
At the moment this market is captured by “watered down enterprise solutions”; SMBs use products built by McAfee, Symantec, and the like, but those products aren’t built with SMBs in mind, leading to subpar user experience. AaDya has a chance to convert a meaningful percentage of their business to their products. Symantec alone generates $1.66B of revenue from “Consumer Digital Safety”, which includes consumers and small businesses.
TEAM OVERVIEW
Raffaele Mautone is the founder and CEO of the company. He’s been in cybersecurity/IT his whole career, starting as a sales rep at Dell, and then going on to become the Chief Information Officer of Duo Security (acquired by Cisco for $2.4B in October 2018). In between those two roles, he spent 11 years at McAfee, where he became Vice President of Worldwide Sales & Marketing Operations, and two at FireEye, as VP of ISS Applications and Operations.
TEAM STRENGTHS
Raffaele has shown great ability to recruit so far, bringing on people from his previous company, Duo Security, which is helping him put together a team with a deep security background. Edward Maurer, Director of Customer Services, joined AaDya after 3 years at Duo Security (then Cisco). Kendra Cooley, InfoSec Lead, was at Jackson for 7 years before joining Duo Security and then Mailchimp. We have heard from our reference that a lot of people are looking to move away from Duo after the acquisition, which gives AaDya an edge.
The whole team seems very passionate about building this and has purity of motivation. Raffaele wants to build a great company in Detroit and do it long term. This will make it easier for them to become a brand name in the city and attract top talent.