This VC Built A Cybersecurity Unicorn Machine. Then Came His Conflict Of Interest Mess.

   Gili Raanan’s VC firm Cyberstarts perfected the playbook for launching multi-billion-dollar security startups like Wiz. But questions about a profit-sharing program with industry execs have threatened his kingmaker reputation. By Iain Martin, Alex Konrad and Thomas Brewster, Forbes Staff For years, security executives at some of America’s largest corporations — Freddie Mac, Kraft Heinz, Colgate-Palmolive and Fidelity, to name a few — were happy to hear from Gili Raanan, the founder of a boutique Israeli venture capital firm called Cyberstarts. As participants in Cyberstarts’ adviser network, called Sunrise, they were used to taking introductions from the firm to meet with its three or four new startup investments each year. The startups could receive product feedback and gain insight into what potential large-sized buyers needed. For the executives, mostly chief information security officers, or CISOs, the startup founders gave them the inside track on new technologies emerging from Israel’s elite hacking units. But for some executives, there was more to it: compensation, potentially quite lucrative, in the form of profits from Cyberstarts’ blue chip early-stage funds. The execs who participated in Sunrise had the option to share in a pool of 4% of Cyberstarts’ own earmarked profits, known as carried interest, provided they took those calls and provided meaningful help, as determined by Cyberstarts. Cyberstarts had written early checks to standout security companies including Wiz, the cloud security startup that recently turned down a $23 billion acquisition offer by Google; $8 billion-valued crypto security startup Fireblocks; $3 billion-valued enterprise browser business Island; and $1.4 billion-valued data security startup Cyera. Over the lifetime of one of the firm’s funds, participants could expect to see payouts of as much as $250,000, an internal presentation viewed by Forbes claimed. When Raanan wrote Sunrise’s 75 or so active advisers on June 27, however, it was to let them know Cyberstarts was suspending the compensation part of the program, effective immediately. “Cynical allegations” about ethical problems with Sunrise’s profit-sharing system had forced the firm’s hand. “To be perfectly clear, the Sunrise program is not going anywhere,” Raanan wrote. “It’s one of our proudest achievements to connect practitioners at leading companies with up-and-coming startups. This is an easy change.” Logistically easy, perhaps. But the move was a major reversal for Raanan and his firm, which for years have maintained that Cyberstarts’ adviser program was neither unusual nor ethically fraught. Inside the swanky The Soho Hotel in central London in June, just weeks before suddenly shutting down the payments system, Raanan had struck a defiant tone. “We are very, very proud of our practice and our business model,” he told Forbes. The Sunrise program was not substantively different, Raanan argued, than other programs offered by rival firms. But many fellow investors, entrepreneurs and security executives suggested to Forbes that Sunrise had a baked-in conflict of interest that made it unique, even in a close-knit security community. “The grasp that Gili has had on the market is ridiculous.” A security-focused investor The executives who participated typically oversaw massive software and security budgets. Their organizations had the power to award exactly the type of large-sized contracts that could boost a fledgling startup’s financials and position it for success. In other words, Sunrise advisors were in position to steer their company’s business to startups whose success would benefit their own. At worst, their own financial interests might cloud their judgment, or conflict with the best interests of their employer. Even if they recused themselves, employees might feel incentives to select a vendor affiliated with their boss. Intentional or not, the potential for conflict of interest was inherent in the relationship. Allegations of conflicts have dogged Cyberstarts for years. A 2022 profile of Raanan by The Information alluded to competitors’ accusations that his firm blurred ethical lines. More recently, the unusual overlap between big companies affiliated with Sunrise and the Cyberstarts portfolio — fast casual Mexican food giant Chipotle, for example, has signed contracts with at least eight of them — has become a popular topic of industry gossip at conferences like RSA and Black Hat. “The grasp that Gili has had on the market is ridiculous,” said a security-focused investor who claimed that some startups with Cyberstarts-backed competitors no longer even attempted to sell to corporations whose executives had Sunrise affiliations. “But you come at the king, you best not miss.” They, like several dozen other founders, investors and executives, asked to speak anonymously for fear of retaliation by Raanan and Cyberstarts. Multiple Sunrise advisers who have previously not spoken to the press told Forbes that they shared the same ethical concerns as the program’s doubters on the outside. Two said they resigned from Sunrise over those perceptions. “I walked away because it started to be more aggressive,” one former participant said. “Where it crossed the line for me was where CISOs started to influence decision-making within their own firms to promote products,” a second claimed. Still more have wiped any mention of Cyberstarts from their LinkedIn profiles; of 54 advisers named on Cyberstarts’ own website in May, one-third have since been scrubbed. “Nobody buys software because they’re doing someone a favor.” Cyberstarts founder Gili Raanan Others who praised its efficacy claimed they drew the line at Sunrise’s profit-sharing, which they called misguided or naive at best. Multiple investors, CEOs and CISOs spoke to Forbes at Cyberstarts’ request to defend the program. But several who said that they backed the program and liked its benefits, such as access to portfolio CEOs like Wiz’s Assaf Rappaport, still voiced disquiet with its now-defunct payment plan. “I don’t think Gili and the team’s intent is nefarious, but there is just too much gray for my personal integrity, and too much potential conflict,” one said. Two security executives told Forbes they rejected overtures from Raanan’s team after hearing about the firm’s “menu” of compensation. “I was completely aghast. It was against my principles,” one said. In an October interview, Raanan disputed these claims — “Nobody buys software because they’re doing someone a favor,” he retorted. Plus, he pointed out, many of its advisers didn’t take the money at all. In June, he’d told Forbes that about half of Sunrise’s advisers had opted into payments. But in October, he said the number was really only 20%, or about 15 people. Only a small handful of advisers had left the program since, he added, while a few others had joined. Raanan said he’d ended the compensation component of the Sunrise program because of “a massive wave of calls into employers.” Several outlets were investigating at this time, including Forbes and Israeli publication CTech, which published a story on Sunrise in mid-June. The “industry standard” payment mechanism that Cyberstarts had long defended was not so important, actually, he now argued. “At the point I started to get more and more signals that there was a perception issue, I removed the issue,” Raanan said. Last week, the firm announced its fourth seed fund, a $60 million vehicle bringing its total assets under management to $720 million. At least one limited partner investor in Cyberstarts’ funds said they had pulled their money from the recent raise over the bad optics, Forbes learned. Cyberstarts called such a claim categorically false. The firm was oversubscribed with interest for its new fund, Raanan recently said. As Cyberstarts’ crown jewel Wiz eyes a banner public offering and other portfolio companies like Cyera start making acquisitions of their own, Cyberstarts’ industry influence will only increase. So long as the firm continues to operate Sunrise, the questions the program has raised about ethical red lines in startup sales, and the incentives used to gain an early advantage, aren’t likely to go away. As one security CEO observed: “An unfair advantage for certain startups damages the broader ecosystem.” Raanan started his first company, a security business called Sanctum, in 1997. A native Israeli who had served in Unit 8200, the elite cyber division of the Israeli Defense Force that has produced many of the country’s leading tech entrepreneurs, Raanan learned firsthand that technology alone didn’t lead to market traction. “We never managed to find a business model for it,” Raanan told Forbes. “It is quite amazing that you can build such a successful technology and never be able to monetize it.” After cofounding and selling another startup, nLayers, to IT giant EMC (itself later acquired by Dell), Raanan joined Sequoia Israel, the local outpost of global VC firm Sequoia Capital. After Sequoia’s Israel arm wound down in 2016, Raanan struck out on his own, launching Cyberstarts two years later in Mikhmoret, on the country’s central coast. In the years since, it’s become a rite of passage for many Israeli security founders to make the hour’s drive north from Tel Aviv to meet with Raanan poolside at his home. For some founders from the right pedigree — veterans of Israel’s cyber Unit 8200 or its secretive counterpart Unit 81, or with experience at one of Israel’s other leading security shops — Cyberstarts will invest without a clear business or product, on purpose. Doing so, Raanan said in October, helps ensure the firm isn’t working with startups that end up building “shelfware,” tools purchased but never used by customers, then ultimately dropped. “Entrepreneurs were building solutions in a vacuum. They fell in love with their technology, built it and then retrofitted it in terms of the problem, the pricing and the right [sales] channel,” Raanan said. “And security practitioners were used to meeting vendors only when they had products to sell.” Sunrise, with its program for dozens of early speculative calls with potential customers, was Cyberstarts’ solution. Offering them compensation in the form of profit-sharing, Raanan said, seemed a natural trade in order to get strangers to give up their time. While other funds offered annual retainers of $25,000 to experts to provide similar feedback, Raanan couldn’t afford to do so, he claimed. Cyberstarts’ first fund collected no management fees, he added; Raanan still doesn’t draw a salary himself: “We are still a small fund today, relatively speaking, so that was the only main way I could compensate,” he said. From a performance perspective, Raanan’s tactics appeared to work. Seed-stage startups often structure their portfolios with bets made so early, and at such low prices, that one or two outsized winners can more than account for a number of others that never pan out. Since 2018, Raanan and Cyberstarts have achieved five exits, worth a combined $1.6 billion, without a single public flameout. Even in the case of a less than ideal outcome, such as the sale of NoName Security to Akamai for $450 million in June, less than its previous private valuation of $1 billion, Cyberstarts’ early buy-in meant that it still came out ahead. Founders at Wiz, reported to be considering secondary sale at a $20 billion valuation, leveraged Cyberstarts' adviser network to help decide on a product direction early on. Avishag Shaar-Yashuv for Wiz The Sunrise program has proven invaluable in early days for many Cyberstarts portfolio companies. For a 2023 cover story, early executives at Wiz told Forbes about making dozens of calls to security executives before zeroing in on cloud security. At NoName, CEO Oz Golan recounted that even before Cyberstarts invested, Golan and his cofounder had shared a one-pager of their startup’s premise — security for automated interactions via application programming interfaces, or APIs — with Raanan to circulate with some advisers for feedback. After Cyberstarts’ investment, NoName’s founders went on a meeting tour with Sunrise’s executives to determine how their product could best help corporate giants. “The biggest company I’d ever worked for was maybe 1,000 employees,” Golan said. “Hearing from the platform executive responsible for the largest companies in the world was eye opening.” NoName reportedly reached annual recurring revenue (ARR) of at least $40 million before selling to Akamai for about half its peak valuation earlier this year. Other Cyberstarts companies have reached major revenue milestones of their own: Wiz claimed to have reached $500 million in ARR prior to spurning Google’s offer, while Fireblocks passed $100 million in ARR in 2022. Cyera, meanwhile, was able to make a $162 million acquisition earlier in October. Outsiders questioned why corporations would sign six- and seven-figure contracts with startups as small as some of Cyberstarts’ portfolio companies. “Gili and Cyberstarts have a proven track record around identifying the best cyber startups for founders in Israel,” said security investor Asheem Chandna, a general partner at Greylock who co-invested with Cyberstarts in cloud security firm Dazz, reportedly valued at $400 million. “They have also demonstrated a unique ability to shepherd these founders through their company journey.” On the other side of the table, a number of corporations have proven reliable purchasers of the Cyberstarts portfolio’s software. In addition to Chipotle, with its eight identified contracts, Forbes identified five contracts each signed with Cyberstarts startups at real estate giant Jones Lang LaSalle and pharmaceutical multinational Takeda, both of which have employed current or former Sunrise advisers. Mortgage lender New American Funding, security unicorn Armis and BNY Mellon, the world’s largest custodian bank, appeared to have signed contracts with four. Chipotle, New American, Armis and BNY Mellon all said in statements that their executives had received no compensation from Cyberstarts; Takeda said that it had robust compliance policies and declined further comment. JLL declined to comment. To some outsiders, such concentrations have appeared suspicious: They questioned why corporations would sign six- and seven-figure contracts with startups as small as some of Cyberstarts’ portfolio companies if the relevant CISOs recused themselves and their Sunrise status bore no influence on procurement decisions, as Cyberstarts and defenders have claimed. “There is a Cyberstarts playbook,” said one venture capitalist who has evaluated Cyberstarts-backed companies for potential investment. When assessing a Cyberstarts portfolio company’s sales pipeline, that investor said, their firm separated out Sunrise-affiliated revenue. “You have to figure out what’s force-fed.” Several of Cyberstarts’ portfolio founders disputed that Sunrise had helped them secure contracts they wouldn’t have otherwise. “Founders will never want to admit they lost a deal, fair and square,” said one. “They will always want to point to some sort of external excuse.” Avalor’s cofounder Raanan Raz praised Sunrise advisers for helping him focus on data security, but noted, “I never felt anyone was doing me a favor in order to gain anything on the other side.” (He is now also a limited partner investor in Cyberstarts.) Zscaler acquired Avalor for $350 million in March. Billionaire and former Sequoia managing partner Doug Leone, who previously invested in and worked alongside Raanan, said in a statement that Cyberstarts “managed to crack the code” on achieving early product market fit. (Sequoia has since backed five Cyberstarts unicorns: Cyera, Fireblocks, Island, Wiz and Zafran.) “As a result, these businesses are often able to scale faster than usual,” Leone wrote. But others pointed to firms that did not renew contracts with Cyberstarts portfolio companies after the departure of their Sunrise CISOs; in at least one instance, multiple contracts weren’t renewed following the turnover, two sources told Forbes. In that event, the departing CISO, now an entrepreneur, eventually circulated a letter signed by Raanan to former colleagues to confirm that they had received no compensation as part of Sunrise. Got a tip for us? Contact reporters Iain Martin at iain.martin@forbes.com, Alex Konrad at akonrad@forbes.com, and Thomas Brewster at tbrewster@forbes.com or +1 929-512-7964 on Signal Some discrepancies remain difficult to reconcile. In London in June, Raanan noted that Sunrise advisers bore the responsibility of following their own employers’ disclosure requirements and rules around compensation; none violated such policies, to Cyberstarts’ knowledge, he said. Three chief executives who employed current and former Sunrise advisers, however, told Forbes that they had not received any such disclosures around potential compensation. It’s possible that some company disclosure policies didn’t require informing their CEOs, Raanan responded. “All of them told us they were in compliance,” he said. Moving forward, Cyberstarts advisers who already received their compensation in the form of carry points will keep that upside in its funds, the firm confirmed; such upside continues to be disclosed to employers, a firm spokesperson added. And despite suspending any new compensation for Sunrise, Raanan has continued to insist that equivalent practices were widespread in the venture industry. “It’s all around us,” he said. “These are busy people, and assuming their employer is fine with it, that’s completely legitimate that they be compensated.” Forbes attempted to corroborate that claim with industry sources, but multiple large-sized U.S. funds denied paying any part-time advisers. Several fellow Israel-based funds, including Team8, YL Ventures and Glilot Partners, confirmed that they operated their own versions of CISO advisory boards. Only one of those, YL Ventures, said it offered an annual retainer to most advisers, as well as portions of fund profits to a small number who conducted due diligence on potential investments. None besides Cyberstarts said they have offered a portion of fund profits to advisers in exchange for their work with a fund’s existing portfolio. To hear Cyberstarts’ founder Raanan tell it, his firm continues to be unfairly singled out. Raanan’s supporters echo some version of that sentiment. As one VC collaborator argued to Forbes anonymously: “The market leader gets the gun pointed at them.” But even that person, a close confidant of Raanan’s, was incredulous that Cybertstarts had left itself so vulnerable to the potential fallout — deserved or not — from weaving financial ties between its startups and its adviser executives who control multi-million dollar budgets at some of America’s largest companies. “If they didn’t anticipate it, they were extremely naive,” the investor said. “Why raise the question?” Additional reporting by Kirk Ogunrinde and Jacob Wendler. MORE FROM FORBES ForbesNobody Beats Wiz: Meet The Hyper-Aggressive, $10 Billion Startup Shaking Up Cloud SecurityBy Alex KonradForbesRyan Breslow’s ‘Lead Investor’ Blindsided By $450 Million Bolt Fundraise: ‘We Were Never In This Deal’By Iain MartinForbesSaudi Arabia Is Investing Billions In AI. But Some Founders Are Still Waiting To Get Paid.By Iain MartinForbesHow A Former Palantir Exec Built A Google-Like Surveillance Tool For The PoliceBy Thomas Brewster