Embed Size (px)
Citation preview
Automatically assess, prioritize and track software security risks
from development through deployment.
2009DHS SBIR TOPIC NUMBER H-SB09.2-004Software Testing and Vulnerability AnalysisDevelop services and capabilities to rigorously and routinely build, test, and analyze source and binary forms of software in realistic conditions representative of operational environments in Federal Government and other critical infrastructures.
Proposal “SwaVis: Software Assurance and Visual Analytics”
Phase I March 2009
Phase II June 2010
How it started
2013DHS SBIR TOPIC NUMBER H-SB13.1-002Software Assurance, Penetration Testing, Vulnerability Management, Risk ManagementDevelop a risk management framework and standards to bridge mappings between static and dynamic software analysis tools for improved vulnerability detection.
Proposal “CodeRay: Software Assurance Risk Management Framework for Hybrid Analysis Mapping”
Phase I January 2013
Phase II February 2014, Phase II Plus-up 2015
How it started
Never lose sight of commercialization objectivesSBIR program success is measured largely on commercialization
Transition Find operational users within the government.
Commercialize Find users and customers in industry.
Productize Treat your technology as if it was a product, and others will too. Branding helps.
Transition & Commercialization
SwaVis
There’s more available than just your Phase II funds:Related programs Broad Agency Announcements; Related SBIRs.
Doesn’t need to be just from DHS.
Matching funds The SBIR program encourages you to find other funding by offering limited matching funds.
Alternative Sources of Funding
DHS BAA
CodeRayDHS SBIR DHS BAA
SBIR rules allow you to retain IP ownership. Negotiate that into all other funding relationships.
Build relationships; build an effective teamGovernment Program ManagersYour success is your PM’s success. Nurture that relationship and build a network within government.
Referrals, PI meetings, and other opportunities.
Separate Research and Commercialization/Transition TeamsR&D and commercialization are different mindsets. Build your team accordingly; look for people with specific commercialization experience.
Consider a Co-PI structure to address both disciplines.
Teamwork
When the time is right, leave the nestCreate a separate entity Research-oriented companies are not known for, or associated with, products. A spin-out gives focus, and develops market presence. Transfer IP to the spinoff while parent company provides the services. Take investment into the spin-out to focus use of funds.
Migrate your team• When the time is right, move key people into the spin-out.• Grow the team around that core.
Organization
What comes after government funding?Seed funding The SBIR program is your angel investor. Seed funding takes you to the next step: an A-round of venture funding. Seek out boutique investors who understand government research.
Private Sector Funding & Venture Capital
Code Dx was funded by DataTribe, a boutique investment firm and incubator specializing in cyber security products arising from government research. Winner of the 2019 DataTribe Challenge.https://datatribe.com/challenge/
Milestones Spun out C-Corp from Applied Visions, Inc. (AVI) to commercialize $2M from DHS-funded R&D received by AVI’s Secure Decisions division. $75K in sales.
Product MVP of Standard and Enterprise Editions. Automatically runs 15 open-source tools. Correlates results of < 10 commercial tools
Payroll 0 paid staff. All staff funded by DHS research or AVI investment.
2015
Milestones $248K in sales. Another $1M from DHS-funded R&D to mature product for commercial use. Transfer IP from AVI over to Code Dx, Inc.
Product Associates AppSec results with HIPAA and PCI-DSS compliance. Integrates with DevOps solutions and 20 commercial tools.
Payroll 0 paid staff. All staff funded by internal AVI investment or DHS R&D funds awarded to AVI-Secure Decisions.
2016
Milestones $650K in sales. First full-time sales representative starts selling. Another $2M from DHS R&D funding.
Product Major Hybrid Analysis release. Integrates with issue trackers plus 40+ AppSec tools.
Payroll 1: First full-time sales representative. All other staff funded by internal AVI investment or DHS funds.
2017
Milestones $1.2M in sales. Deprecated Standard edition. Revised pricing model. Set bottom price at $35K.
Product Management dashboard. Integrates with 50+ tools.
Payroll 3: Sales representative, Sales Engineer, Sales Coordinator. All other staff funded by internal AVI investment or DHS research.
2018
Milestones $2M in sales. DHS funding finished. Received $2M in seed funding from DataTribe.
Product Correlates Network Security vulnerabilities with AppSec vulnerabilities. Integrates with 70+ tools.
Payroll 13: CEO, CTO, 5 developers, 2 testers, 2 sales representatives, 1 Sales Engineer, 1 Sales Operations.
2019
From spin-out to todayMay 2020 Heading towards $3.5M in sales Product – Major new releases in Q2 and Q3 19 staff – CEO, CTO, 7 engineers, 8 sales, 1 marketing, 1 customer success Prepping for a Series A round of investment
Suggested reading
D’Amico, A., O’Brien, B., & Larkin, M. (2013)
Building a bridge across the transition chasm.IEEE Security & Privacy, 11(2), 24-33.
https://securedecisions.com/wp-content/uploads/2015/01/Building-a-Bridge-IEEE-Damico.pdf
