Ship first, secure later

A history of recursive monetization across technology waves

Summary

Throughout the internet, mobile, and cloud eras, platform leaders always Shipped First and Secured Later. Windows 95 didn't require you to have a password. AWS buckets were "public" by default. The financial incentive to prioritize adoption over security has enabled venture capital firms to get the bag twice: fund the platform, then fund the security solution.

Below, I explore how this cycle played out in each era and begin to think about implications for the current LLM shift:

The Early Internet: Giving a loaded gun to a five year old

“You stupid fucks pay Bill Gates to beta test his crappy software”

A hacker’s sentiments towards Microsoft in 1995.

At the time, internet use was growing rapidly through a combination of privatization, deregulation and standardization of protocols, creating a perfect storm for broad consumer adoption. The technology was moving from a niche academic tool to a global utility. And Microsoft, with its user-friendly services like email and search, had a dominant market share. All it had to do was keep shipping.

While hackers might flag a few security flaws out of a thousand, word of those rarely reached the average computer user. Television commercials, partially funded by venture capital, hyped the amazing online world. No one in mainstream media covered cybersecurity full-time, and those who dabbled were under pressure to write about the great advances in computing, not the complicated potential security flaws that their editors couldn’t quite grasp.

Yet, as the Netscape browser and Windows 95 brought the internet to the masses for the first time, everyone was now at risk.

“There was essentially no security at all. Anyone who used a Windows machine to read email or browse the web could easily lose control of their machine to a stranger. Just about any software would run on the system, and it could be made invisible to the user by those who knew what they were doing…it was like giving a loaded gun to a five year old”

Adoption was outpacing security.

To raise awareness, “hacktivist” groups released code for viruses that anybody could download, read the instructions for, and send to victims. Within months people had downloaded hundreds of thousands of copies of the cheekily named “Back Orifice” and taken control of machines across the US. While the economic damage was minimal, it pushed media to cover “insecure-by-default” architecture for the first time. It also forced Microsoft to release Windows NT, a system that, on paper, offered a comprehensive set of security features, but in practice also sucked at protecting users.

Cult of the Dead Cow hacker group testifying before Congress under their handle names. I would love to hear some old senator, in a formal hearing, have to continuously address someone as “Mudge”.

In response to the continued security risks of Microsoft and others, venture capital began funding solutions that would amalgamate into security giants like Symantec.

Founded in 1982 and funded by Sequoia, Symantec originally focused on Natural Language Processing applications. Yet, seeing the massive gaps in security caused by MSFT DOS and Windows, the VC firm encouraged Symantec to pivot to building security tools. Post-IPO, the fund stayed on the board and supported an aggressive acquisition strategy that led to security dominance during Internet 1.0.

Thus began a cycle of recursive monetization.

VC’s Recursive Monetization

  1. VC funds the platform shift 🛠️ (Internet, Mobile, Cloud, LLMs)

  2. Adoption outpaces security 🧨 (New risks surface: malware, identity sprawl, cloud misconfigs, AI leakage)

  3. VC funds the security layer 🛡️ (Firewalls, SSO, CSPM, LLM firewalls, etc.)

  4. VCs get the bag twice 💰 (Offense and defense — platform and protection)

This cycle was to be repeated through Mobile, Cloud, and now, potentially LLM, technology shifts.

Mobile’s “Bring Your Own Device” Nightmare

Apple has rarely been criticized for a lack of security. In fact, the company uses Security as the dominant justification for maintaining a closed garden ecosystem and a monopoly toll on any app that hopes to get on its users’ smartphones.

Yet, at the time of its first iteration in 2007, the iPhone had pretty poor security. Traditional endpoint protection didn’t apply to phones the same way it applied to computers. There were no firewalls or antivirus layers for phones. At first, Apple’s App Store was unvetted for security risks. Sensitive corporate data could be accessed on personal devices and then shared via insecure third-party apps. Even within highly regulated industries like finance, the transition from BlackBerry to BYOD (Bring Your Own Device) created serious concerns for security teams.

In response, companies like AirWatch pivoted from managing industrial barcode scanners to managing mobile devices for the enterprise. It hit the sweet spot: early mover, strong enterprise adoption, massive market need, and perfect timing for acquisition by VMware ($1.5BN in 2014), which needed a device management platform to compete with Microsoft and Citrix.

While AirWatch was the most successful pure-play mobile security startup, Okta was the most successful startup to emerge out of the broader mobile wave. The company, funded early by A16z, Floodgate and SV Angel, was solving a more foundational problem that iPhones helped surface: identity fragmentation.

Instead of chasing endpoint, firewall, or even full Zero Trust platforms, Okta focused exclusively on federating identity across all devices and platforms and owning the login experience. It was a low-friction integration that IT admins could deploy in hours. Single Sign-On (SSO) was a better experience for employees, and IT admins loved the automated provisioning (and offboarding) by department. Born during the mobile wave, Okta would continue to see success through the cloud era, as architectures continued to fragment.

Cloud Misconfigurations

Amazon had been buying up cheap data centers to power its own retail business since the dot-com bust, but it didn’t publicly launch its S3 (Simple Storage Service) product until 2006. Early iterations paid little attention to UI/UX. The default setting for user storage was “public”, and many users accidentally left it that way when storing sensitive information. Early versions of S3 also did not enable access logs, so companies could not do any kind of forensics when a breach occurred.

While academic papers started flagging these misconfigurations as early as 2009, public attention came when Rapid7 performed a mass scan of public buckets in 2013. They found 126 billion publicly accessible S3 files, many containing exposed source code, credentials, and private backups.

AWS wasn’t insecure by design — but it prioritized developer freedom over guardrails, which led to repeated misconfiguration disasters. The company dragged its feet on enhanced security because the financial priority was to encourage adoption, and adoption comes with ease of use.
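The two failure modes the paragraphs above describe, a world-readable bucket and no access logs, are exactly what a posture check looks for. The following is an added example, not code from the essay, from AWS, or from any vendor named here: a small offline auditor over constructed bucket snapshots shaped like the output of the S3 bucket-policy, ACL and logging APIs. The bucket names, the account id and the canonical-user placeholder are constructed; nothing here calls AWS.

```python
"""Audit constructed S3 bucket snapshots for public exposure and missing
access logging. Added example; snapshots are constructed, not real buckets."""

# ACL grantee groups that make a bucket readable by the whole world or by any
# AWS account holder (the latter is effectively public too).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_anyone(principal):
    """True when a policy statement's Principal matches any caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Sids of Allow statements open to any principal with no Condition.

    Deny statements with Principal "*" are a hardening pattern, not a hole,
    so only Effect=Allow is considered. A Condition (aws:SourceVpce,
    aws:SourceIp, ...) may narrow the grant, so conditioned statements are
    left for manual review rather than flagged here.
    """
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


def public_acl_grants(acl):
    """Permissions the ACL grants to AllUsers / AuthenticatedUsers."""
    return [
        g["Permission"]
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
    ]


def audit_bucket(bucket):
    """Findings for one snapshot: a dict with 'policy', 'acl', 'logging'."""
    findings = []
    sids = public_policy_statements(bucket.get("policy") or {})
    if sids:
        findings.append("policy allows any principal: " + ", ".join(sids))
    perms = public_acl_grants(bucket.get("acl") or {})
    if perms:
        findings.append("ACL grants %s to a public group" % "/".join(sorted(set(perms))))
    if not (bucket.get("logging") or {}).get("LoggingEnabled"):
        findings.append("server access logging disabled: no trail for forensics")
    return findings


# Constructed snapshots. "legacy-backups" shows the essay's failure mode
# (world-readable policy, public ACL grant, no logs); "hardened" is the
# corrected shape (role-scoped policy, owner-only ACL, logging on).
SAMPLE_BUCKETS = {
    "legacy-backups": {
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::legacy-backups/*"},
        ]},
        "acl": {"Grants": [
            {"Grantee": {"Type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"},
        ]},
        "logging": {},
    },
    "hardened": {
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "AppRoleRead", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},  # constructed
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::hardened/*"},
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*",
             "Resource": ["arn:aws:s3:::hardened", "arn:aws:s3:::hardened/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ]},
        "acl": {"Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "<owner-canonical-id>"},
             "Permission": "FULL_CONTROL"},
        ]},
        "logging": {"LoggingEnabled": {"TargetBucket": "hardened-logs",
                                       "TargetPrefix": "s3-access/"}},
    },
}


def audit_all(buckets=SAMPLE_BUCKETS):
    """Map bucket name -> list of findings (empty list means clean)."""
    return {name: audit_bucket(cfg) for name, cfg in buckets.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print("%s: %s" % (name, "OK" if not findings else "FINDINGS"))
        for finding in findings:
            print("  - " + finding)
```

Run stand-alone, the script reports three findings for `legacy-backups` and none for `hardened`. A real check would also read the account- and bucket-level S3 Block Public Access settings, which override public policies and ACLs and which these constructed snapshots do not model.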

Many former AWS engineers left the company to launch their own startups. Many go-to-market pitches for cloud native vendors doubled as critiques of Amazon:

“AWS gives you tools, we give you safety”

Companies like Evident.io and RedLock built considerable businesses. Both would be acquired by Palo Alto Networks in the late 2010s. (In fact, Palo Alto is one of the few security companies to have thrived across all three platform shifts discussed.)

But the most successful startup born of vulnerabilities in cloud security is Wiz.

Wiz hit the market at a moment where cloud panic met cloud maturity. High-profile security breaches like the Capital One leak had reached board-level visibility. At the same time, enterprises were going all-in on multi-cloud storage solutions, and CISOs were fed up with noisy legacy tools and half-baked CSPM (Cloud Security Posture Management) solutions.

Founded by veterans of Microsoft’s cloud security group, the team had strong connections in enterprise security circles and tier-1 investor backing. CISOs already trusted the team, and the product scored incredibly high against all existing solutions: Wiz offered API-driven scans of cloud environments, a comprehensive risk graph and immediate threat mitigation. The company scaled to $100MM in revenue in two years (one of the fastest-growing companies in startup history) and was recently acquired by Google for $32 billion.

LLM Security

We are still in the early innings of the generative AI wave. Platforms like OpenAI are following early trajectories similar to those of past platform leaders. While I will tackle specific areas of LLM security in a subsequent essay, a few observations from the chart above (and below) are worth considering:

  • While legacy “buy vs build” aggregators like Symantec did not thrive during subsequent platform shifts (note the S-curve moderation in annual revenues), newer aggregators like Palo Alto Networks have managed to accelerate revenue growth through multiple platform shifts. They are responding better to technology shifts and have become savvier acquirers.

  • While OpenAI’s revenue growth has been explosive by any measure, it is humbling to view the revenue levels in the context of past platform shifts. We are still very early into the LLM era.

  • Furthermore, all of the past platform incumbents are alive and well. They have symbiotic relationships with the LLM leaders, and platform leaders are all addressing security gaps more quickly. If you are an early-stage cyber startup, even one like Wiz, you may be taken out before you reach the scale of past security leaders.

    *That being said, $32BN on a reported $500MM of revenue is not too shabby for any Founding team.
