From Beginnings to Breakthroughs: The Cymulate Story

By: Avihai Ben-Yossef

Last Updated: December 31, 2024

Cymulate was founded in 2016, but the idea behind it dates back much further than that. When we first began seriously discussing the possibility of starting a company, my co-founder Eyal Wachsman and I were working for Avnet Cyber & Information Security. I was a penetration tester at the time, conducting security assessments for a wide range of customers. While pen testing is important, it quickly became apparent that the job was repetitive and mostly involved running the same types of security assessments that businesses have been conducting for decades. It made me remember something I was taught on day one of computer science: if you’re doing the same thing over and over without getting results, you’re probably doing it wrong.

Eyal was the vice president of sales and business development at the time, and together we began considering whether there was a better way to accomplish the same goal. We started wondering whether we could create a product that would be able to automate these repetitive activities in a way that would make them more accessible to day-to-day users, which would allow organizations to conduct in-house security assessments on a continuous basis. That would be a major step forward for security validation—and we wanted to be first.

Is There an App for That?

Having both come from the world of pen testing, Eyal and I understood the limitations and inefficiencies of traditional methods. One of the biggest problems with pen testing is that the humans conducting the assessment can only do so much. It isn’t feasible for a small security team to conduct ongoing pen tests all day every day—and even if they could, they would inevitably miss things. That’s not a knock against security teams—even the most talented professionals aren’t perfect. “Human error” isn’t something you can wish away. It’s an unavoidable challenge that needs to be accounted for.

Cymulate was founded with one basic drive: to overcome that challenge by automating the process of pen testing. Traditional, manual pen testing needs to be carefully scoped according to how much human testers can feasibly accomplish. That means a given pen test might only cover a small number of systems, provided a limited view of the vulnerabilities that might be affecting the organization. We wanted our solution to be truly scopeless. And that could only be accomplished via automation. After all, by relying on machines, we could move beyond traditional human limitations. An automated pen testing solution would be able to conduct tests across the entire network much more efficiently than even the largest security teams.

Embracing automation also allowed us to give our customers a way to move past point-in-time assessments and gain a more holistic, real-time view of their security posture. That was a big deal—the threat landscape was starting to evolve at an increasingly rapid pace, environments and attack surfaces were constantly evolving, and point-in-time assessments were becoming less and less useful. If we could enable organizations to conduct their own automated assessments, they would be able to evaluate their security posture on a continuous, dynamic basis and stay ahead of threats as they emerged. Instead of hoping a security assessment from six months ago was still accurate, they would always have access to up-to-date information.

Early Success and Finding the Right Market

Of course, the process of starting a business isn’t always smooth. Eyal and I were first-time business leaders—we didn’t always know what we were doing! Fortunately, we met our third partner, Eyal Gruner. Gruner had already co-founded two security companies (Cynet and Versafe), which made him the perfect person to help us through the process. Like me and Eyal, he began his career at an early age. When he was just 15 years old, Gruner hacked the ATM of a local bank and proudly walked inside to inform management about the weaknesses in their security. It’s safe to say that all three of us have cybersecurity in our blood.

Like most startups, the early days were chaotic—everyone was doing a little bit of everything. Fortunately, our idea was a modular one. We knew we could start by automating different elements of pen testing, rather than feeling like we had to do everything at once. We knew email security was a major problem for organizations at the time, so that was something we prioritized from the earliest days of the business. In fact, that’s what landed us our first customers: we could literally walk into a meeting and show a potential customer the sort of malicious emails getting through their security filters and walk them through exactly how we could stop it. We didn’t even have a user interface yet—but the ability to show customers firsthand what we could do was a major selling point.

In those early days, we generally worked with large enterprises. But the more we grew, and the more pen testing features we were able to automate, the more we realized that smaller enterprises were facing the same issues. Before long, we were scaling down to work with more mid-sized businesses because we could see that the value props to them were largely the same. By automating the pen testing and security validation process, we were helping businesses of all sizes accomplish something that was previously outside the realm of possibility for them: real-time security validation across every part of their digital environment. We could help them evaluate their security posture better and more efficiently than ever before—and we could do it on a continuous basis.

Embracing Exposure Management and Beyond

As the industry has evolved, so has our business. The freewheeling days of Cymulate’s startup period are gone—and as fun as they were, that’s probably a good thing! It was great to be able to experiment with different approaches and solutions, but today Cymulate has a much more concrete idea of what we want to accomplish and how we want to do it. As we’ve grown, we’ve improved our ability to specialize, and we’re proud to have some of the best designers, developers, and product testers in the business. We rigorously test every new feature and solution well before it hits the market—and our customers know that when we put our stamp of approval on a product, we mean it.

That has also allowed us to safely branch out when we see an opportunity to explore what we predict our customers will need next, and that’s why we’re focusing our efforts on the emerging need for full-context exposure management. We’ve been in the security posture arena for almost eight years now, and it’s a crowded market. Different companies have solutions that cover specific areas of security posture management and automated pen testing, but Cymulate is uniquely able to provide a truly comprehensive view of both exposure discovery and validation. Because Cymulate’s platform integrates with a wide range of security platforms, cloud security posture management (CSPM) platforms, attack path management platforms, and other security solutions, we can provide a holistic view of vulnerabilities across the entire network in a way other providers simply cannot.

And from this broad vantage point, we have a pretty strong opinion on remediation: The worst threats – the ones you need to prioritize – are the ones that can get past your defenses. The ones that are specifically exploitable to your security infrastructure and environments. This made the decision to embrace exposure management an easy one. Cymulate’s attack simulation solution can bring in data points from all of the individual solutions and platforms in use—and because Cymulate includes security validation, it allows organizations to understand which exposures are exploitable and which are not. This is crucial context other exposure management solutions in the market simply don’t provide. By empowering customers to effectively prioritize their exposures with full context, they can save crucial time and resources while improving prevention, detection, and response. And we’re not stopping there—as Cymulate continues to evolve, we’ll be adding even more domains to our coverage, helping customers identify and prioritize their exposures no matter where they live.

Putting More Tools in the Hands of Our Customers

When we were just getting started back in 2016 and 2017, we knew we were onto something big but could never have predicted how quickly Cymulate would grow. We’re proud of what we’ve accomplished, and even more bullish about what’s ahead. Cymulate today offers cyber teams an unprecedented level of control over their security posture. And as the threat landscape gets more complex and we move deeper into the exposure management space, we’ll continue putting more capabilities than ever in the hands of today’s organizations.

Subscribe