Cybersecurity’s Future Belongs to Startups

The fortress built by most large cybersecurity companies is crumbling. And the only people ready to man the frontlines are startups.

Why? They’re seeing a shift in the landscape that others have missed.

For decades, companies built fortifications around their operating systems—firewalls, antivirus software, endpoint detection tools—all designed to keep bad actors from breaching the OS perimeter. The assumption was simple: control the operating system, control security.

But today that assumption is broken. Today’s security battleground has migrated from the OS to the application layer. 

It reflects a massive trend in software toward a constantly updating, fluid ecosystem. It’s been great for creativity, and we see more interesting ways of building software than ever before. But it also creates an entirely new security ecosystem that is largely uncharted or invisible.

This is an amazing area for startups to build meaningful solutions while incumbents struggle to catch up. 

We recently invested in Koi, a leading app-based security platform, for this reason. But there’s so much more to discover here. We are deeply excited about the next generation of cybersecurity companies. The space is dynamic, and constantly reinventing itself. 

Constant Evolution, Constant Opportunity 

Software has changed dramatically in the last few decades. In turn, cybersecurity has had to adapt even faster. With each new wave of software change, the “attack surface” for potential threats multiplies exponentially, and new companies are founded to take on the challenge. 

This symbiotic relationship between software evolution and cybersecurity innovation demonstrates the pattern.

Startups, Not Incumbents, Are Creating the Future of Security

In the early 1980s software was mostly on-premise and “single player.” The biggest threats were viruses that could copy themselves onto floppy disks, like the 1986 “Brain” virus. The surface area to protect was simple: the individual machine itself.

But as the internet proliferated in the late 80s and early 90s, hackers realized networks themselves were vulnerable. The 1988 “Morris Worm” was a huge wake-up call. Distributed via the internet and exploiting backdoors in mail systems, it spread from MIT to Berkeley within days, infecting thousands of computers. The pattern became clear: the more networked computers become, the greater the attack surface area. (It was such a big realization that the US created the first Computer Emergency Response Team after the attack.)

This spawned the first wave of major cybersecurity players like McAfee, Trend Micro and Symantec, which sold antivirus tools that could “bolt-on” security at the operating system level.

By the 1990s, email-borne viruses emerged, along with other viruses that could constantly change, evading detection. Companies responded by creating firewalls to protect networks. The pattern continued: more integration created more surface area for bad actors, spurring new protective technologies.

The internet boom of the 2000s sent this pattern into overdrive. The biggest shift was toward cloud computing and app-level security. Cloud computing fundamentally changed software creation and distribution. Applications were developed quickly with DevOps and tweaked on-the-fly. Data and workloads spread across virtual servers worldwide, increasing the attack surface exponentially.

Focusing on OS protection wasn’t enough anymore. We started baking security into the code itself (DevSecOps). This spawned companies like Palo Alto Networks (next-generation firewalls), CrowdStrike (cloud-managed endpoint security), Snyk (real-time code scanning), and Wiz (cloud-native security platform that became the fastest-growing startup of all time).

We’re now entering another major change: the application layer is the new security battleground. Applications are entire ecosystems of code packages, plugins, extensions, AI models, and updates. Enterprises have little visibility or control over what software enters their organization.

One of the first companies to recognize this shift is Koi. Founder Amit Assaraf came to us with a key realization: legacy security systems haven’t recognized this change. They proved it by building a fake VSCode theme extension called “Darcula Official” that infected 300+ organizations worldwide, including a national court network, within a week.

We invested in them immediately because they fit the pattern we constantly see in cybersecurity: constant software evolution leads to inevitable new threats, creating practically endless opportunities for startups to act as software’s new guardians.

Why the Cybersecurity Tech Window is So Massive 

So what did this history lesson tell us? Think of it like an eternal arms race. Each time the “good guys” build software in a new way, the “bad guys” find new attack vectors. Then cybersecurity has to reinvent itself all over again.


This cycle creates massive opportunities for startups with fresh perspectives. In just the last five years, dozens of new cybersecurity companies have grown into billion-dollar players.

But standing out isn’t easy. The key is developing a unique insight about a problem that only you can solve.

Koi demonstrates this thinking perfectly. We invested in them because they spotted three critical shifts that incumbents were missing:

  1. The shift from OS-level threats to app-level threats is already here.
  2. Many of these threats come from non-binary code, which presents unique challenges for existing incumbents that were raised on creating binary-based security solutions. They have to re-learn the game.
  3. They know how app-first organizations think. They know security teams need visibility into what’s actually on every computer in their org. They know teams need the tools to act on that information, and need support in wading through the ever-growing library of new self-downloadable software, from AI models to extensions.

The beauty (or terror, depending on your perspective) is that right now, a hacker somewhere is devising new ways to exploit modern software. The “vibe coding” world alone has created entirely new attack surfaces that barely existed two years ago.

If you can spot these emerging vulnerabilities before the incumbents do, you’re halfway to product-market fit. The results speak for themselves: Koi hit $1M ARR faster than Wiz, Snyk, Vanta, Figma, and Loom.

The appetite for real solutions in this space is simply that great.

The Startup Advantage in Security’s New Era

Koi’s rapid success illustrates another broader principle: when the battleground shifts, incumbents’ advantages become liabilities. Their scale, established customer base, and existing architecture all anchor them to the old paradigm.

Startups, meanwhile, can:

  • Build for the current or future threat landscape
  • Move faster without coordination overhead across massive organizations
  • Attract talent that understands modern software ecosystems
  • Demonstrate clear value on day 1 – if you can prove to your customer they’re vulnerable, you gain their trust, full stop.

In cybersecurity, being anchored to an old paradigm is toxic.

It’s great for startups, because incumbents in this space are more vulnerable than in other industries. 

Of course, this raises important questions about defensibility. What happens once you become the incumbent? This is why we constantly argue that defensibility can never be based on just one thing (unless you are a bio company and have IP, for example). 

Your “wedge” into the market – like Koi’s unique insight – can provide a head start. But you need to build more sustainable forms of defensibility over time, like network effects, brand, and embedding. 


What This Means for Founders 

Paradigm shifts create windows where startups can outrun incumbents—but only if you see the shift early and build specifically for the new reality. Koi didn’t try to build a better EDR tool; they built the first true app-layer security platform.

Today, the new paradigm is application-layer defense. The space is wide open. Teams like Koi show us what’s possible when you find the right line of thinking and run with it. 

But in the future, it will be something else. The only constant in cybersecurity is change. And if you’re a startup, that only plays to your advantage.

Author
Gigi Levy-Weiss
General Partner