A Deep Dive into Hexadite’s Founding, Growth, and Acquisition by Microsoft

Microsoft just announced it has acquired Hexadite, an Israeli startup founded by Eran Barak, Idan Levin, and Barak Klinghofer, a trio of talented cybersecurity entrepreneurs. These three built an incredible product and assembled a top-notch team around them, both in Israel and in the United States, and they deserve every bit of the success that has come their way.

Our firm, YL Ventures, was the first investor in Hexadite, so we got to see their journey from start to finish. Except this isn’t really the finish line, because Microsoft has big plans for Hexadite’s team and technology, so we believe that these guys are just getting started. (More on that below.)

Since we were there from the earliest days, we’d like to share some anecdotes and insights that show how special this team is. We also want to share this story so other entrepreneurs can see more of what goes on behind the scenes at a successful enterprise technology startup. Starting a company can be a long journey filled with challenges of all kinds. It helps to understand what is really happening, not just what gets written about in the news after a funding round or an acquisition closes.

First contact

Eran, Idan, and Barak were first-time entrepreneurs, but they were also very experienced. They had been working together for years on cutting-edge cybersecurity projects at Elbit Systems, and before that in the Israeli Defense Forces’ 8200 Intelligence Unit — the Israeli equivalent of the NSA — which Business Insider once called “the best tech school on Earth.” They also had a wise founding advisor in Pinchas Buchris, a retired brigadier general who had previously led the 8200 unit.

So when this trio came up with an idea for automating responses to cybersecurity intrusions, it should be clear that they knew exactly what they were doing. These were not just some kids in a garage: They had a relevant track record and impressive support already.

They were also working on a problem that had become a pressing need (and a rapidly growing market) for many enterprises: How to do incident response (IR) more quickly, more effectively, and with less expense. At the time, ABI Research estimated that the IR market would grow from $9 billion in 2014 to $14.79 billion in 2017. (Note: ABI is now saying that this market together with the network security market will be $59 billion in 2021!)

Hexadite had plans to integrate its product with popular intrusion detection systems and other security software, and collect relevant information via non-intrusive methods. They had a threat analysis engine that utilized unique methodologies and algorithms. And they planned to deploy several mitigation techniques for near-real-time threat control. Following each incident, Hexadite also planned to provide summary reports on the success of its mitigation and other details.

Over time, Hexadite would deliver on all these promises. But when I first heard about them, in a conversation over lunch with the CISO (chief information security officer) of an Israeli company, they hadn’t delivered on much of anything yet. They were still just three guys with big plans, and they hadn’t even incorporated. Their company’s working name was made up of the first letters of the founders’ first names: BIESecure (catchy, right?).

Still, I recognized that the team had potential and that they were working on something very interesting. This was during the RSA Conference (the security industry’s biggest gathering) in San Francisco in February 2014. I wasted no time: As soon as my lunch was over, I went to the startup’s website. At the time it had nothing on it but an email address, so I fired off a message.

The next morning I heard back from Eran, and within a couple of hours we were talking on the phone. A couple of phone conversations later, and we knew it was something we needed to follow up on.

Due diligence

My partner Ofer Schreiber had just returned from his honeymoon in Sri Lanka and the Maldives, but he got on the phone with the founders and arranged for a face to face meeting over beers in Tel Aviv the next day — Saturday evening. They didn’t even talk about the technology very much at that meeting. Ofer wanted to form a personal connection, because that kind of face to face time is irreplaceable when you’re considering entering into a relationship that might get very intense over the coming years.

The Tel Aviv meeting went very well, so we started our due diligence process.

The YL Ventures approach to diligence focuses on setting up introductory meetings for the startup with relevant industry experts and potential customers in the U.S. We get a huge amount of information from these meetings: They serve as reality checks on the startup’s technology and team. They also benefit the startups, because whether we invest or not, the founders gain introductions to potential customers and key analysts, as well as valuable feedback.

Among our close relationships that we introduced to Hexadite during the due diligence process were senior executives at Wells Fargo, J.P. Morgan, U.S. Bank, The Priceline Group, Nike, Graham Holdings (formerly Washington Post Company) and 451 Research.

In 2014, automated incident response still seemed like a pretty audacious idea, and it was unproven. We didn’t know if enterprises would really trust machines to perform the sensitive, manual labor of security analysts. But we had a good hunch, based on our years of experience investing in cybersecurity companies, and the Hexadite founders knew the market first-hand. The market opportunity was big, and growing. The reference calls we conducted were the final validation.

By the end of March, we had closed a seed round investment of up to $2.5M (we invested $2M in the first quarter of 2014, and another $300K the next quarter alongside veteran investor Moshe Lichtman of Israel Growth Partners). The company renamed itself from BIESecure to Hexadite, we joined the board (I joined as director and Ofer as observer), and we got right to work with them.

Turning on the turbojets

We invested in Hexadite on the strength of its founding team and the compelling, innovative idea they had, to do security incident response orchestration in a highly automated way. The company still had no product, no customers, and not even a technical proof of concept — but we believed in them, and they now had a small war chest to work with. So now it was time to get busy.

Eran, Idan, and Barak went into high gear to develop a kick-ass product and to win the first proof-of-concept (POC) trials with customers. From day one, they had a fanatic focus on UI/UX. When they started talking to potential customers, they listened closely to what they were saying. The payoff: A product that’s incredibly easy to use (which helps it stand out in an enterprise cybersecurity market filled with hard-to-use tools), which has the right features, and which is well integrated into other enterprise security tools.

The Hexadite approach wasn’t about pretending that Hexadite was a one-stop security solution. It was about giving customers what they wanted, which was orchestration of their already complex security portfolios, providing automated rapid response, and doing it all through a seamless UI.

We worked hard with Hexadite from its first day to invest in marketing, creating brand awareness and market domination, particularly in such a nascent space where there was less competition and customers needed to be educated.

The company was finally ready to announce its seed funding that summer, and on July 1, 2014, with strong PR support from YL Ventures, Hexadite emerged from stealth with a bang. The company scored incredible coverage from top-notch enterprise writers and journalists that we know like Ben Kepes on Forbes, Ron Miller at TechCrunch, Lucian Constantin at CIO, Jonathan Vanian at GigaOm, and others. One of the things that worked in Hexadite’s favor: The massive security breach at Target was still fresh in reporters’ minds, and nearly every story mentioned how Hexadite could have helped Target. 451 Research, a respected analyst firm in the enterprise space, published a favorable report on the company, saying, “There is a growing need in the market to respond to incidents. With respectable backing and promising technology, the timing looks perfect for Hexadite if it can capitalize on the market opportunity.” Hexadite and YL Ventures couldn’t have executed the launch better.

During the week after launch, the company received overwhelming interest from venture capital firms, potential acquirers, potential hires, and many others. We helped the management team field and manage this organic inbound interest on a daily basis. That level of interest continued in a strong way, greatly helping Hexadite in its growth trajectory.

Additionally, the marketing work paid off through 2014 and beyond, with excellent press and analyst coverage, a popular whitepaper called “Redefining Incident Response,” and the launch of an insightful blog with posts that captured the industry’s attention.

Most important, however, is that the company focused intensely on product development throughout 2014, getting to the point where it was able to launch its first customer deployments of Hexadite AIRS ™ (Automated Incident Response Solution) in the fourth quarter of that year.

Building out the sales team

At the beginning of 2015, Hexadite formed a U.S. subsidiary and hired its first U.S. employee to head sales and business development. Eran relocated from Tel Aviv to Boston that year, too, doubling down on the company’s commitment to become a global concern.

By the middle of the year, a Fortune 500 company had deployed Hexadite to its production environment, covering almost 50,000 endpoints. Within 48 hours of deployment, the Hexadite system had investigated and remediated hundreds of alerts, including removing malware and Trojan horses.

Thanks to this and other successful customer stories, Hexadite was able to turn its incredible product into multiple six-figure sales that year.

Given all this momentum, the Hexadite management team knew that it was time to go into hyper-growth mode, and we agreed. But to do that, they needed more capital. We helped Hexadite identify potential investors and evaluate various offers, and we introduced them to the firm that ultimately led an $8M Series A round, TenEleven Ventures, aka 1011. (YL Ventures was the largest single investor in Hexadite, and the second-largest contributor to this A round.) In addition to leading the round, 1011’s Cofounder and General Partner Mark Hatfield’s value add was tremendous, including introducing Hexadite to Glenn Chisholm, the then-CTO of Cylance, who eventually became an independent board member. 1011 also introduced Hexadite to Jon Miller, the chief research officer of Cylance, who became an advisor and helped with strategic insight and introductions to security companies.

YL Ventures also helped connect Hexadite with Hewlett Packard Enterprise, which invested in their A round, and subsequently became a distributor of Hexadite software all over the world. HPE turned out to be a terrific corporate partner, integrating Hexadite with their own Security Information and Event Management (SIEM) software, ArcSight, and also putting Hexadite onstage at customer events all over the world.

Hyper-growth

The next year was a busy one for the Hexadite team. They announced their Series A funding in February 2016, leading to excellent coverage in business and technology publications, including Vator, Xconomy, PE Hub, and InfoSecurity Magazine. HPE continued to be very engaged with Hexadite, integrating AIRS with ArcSight and helping sell Hexadite’s technology to HPE customers. HPE even published a blog post expressing its enthusiasm, writing, “When HPE Security saw what Hexadite accomplished in such a short amount of time, we wanted to be a part of it.” In fact, HPE had a lot to do with Hexadite’s growth trajectory, thanks to the outstanding backing of Ray Schuder (someone you definitely want on your board), Sue Barsamian (check out Sue’s video announcement of HPE’s partnership with Hexadite), Meg Whitman and the rest of the awesome HPE team.

Hexadite added support for Mac and Linux endpoints (previously it had only supported Windows endpoints), helping ensure even more complete coverage for enterprises and giving Hexadite a firm competitive advantage.

Customer implementations started to produce some excellent case studies, and word about Hexadite got around. Two of these stories stand out in particular (thank you Michael Shaulov, serial cybersecurity entrepreneur and key Hexadite adviser, for your help with customers):

Nuance: Doug Graham, the VP and CISO for this natural language processing company, talked about how Hexadite helped the company address its incredibly time-consuming security incident response processes. “Fast remediation and security is the key to everything,” Graham said. “It’s not only an efficiency and cost thing, it’s an effectiveness thing.” He went on to note that Hexadite AIRS was delivering a 90-95 percent automation rate in security incident response at Nuance. “Without Hexadite, we’d simply either be adding more people to the problem, or doing less in other areas of security.”

IDT: This was actually Hexadite’s first paying customer, and it continued to maintain a strong relationship with the company due to the value that Hexadite provides. Golan Ben-Oni, Global CIO for IDT, said, “You have to be as good or better than your adversary, and the only way to do it is through automation.” He noted that Hexadite helps the company manage 100 or 150 fully automated investigations in about a minute apiece — work that would take a human six or more hours. “Not only does this reduce cost, but it increases the value of your people,” Ben-Oni said.

In June, Eran sat down with the editor-in-chief of CSO Online for a six-minute explainer video on how Hexadite works and how its automated response system helps security professionals avoid alert fatigue — the “Boy Who Cried Wolf” scenario. And in September, Eran described Hexadite’s distribution alliance with HPE in an exclusive video interview with CRN.

Meanwhile, Hexadite’s sales and marketing team continued to close six-figure deals and keep the pipeline of potential new customers full. By the end of the year, the company had doubled in size from 16 to 33 employees. Ofer and I were then fortunate to work with such remarkable talents as VP of Engineering Maxim Braitmaiere, VP of Marketing Nathan Burke and VP of Sales Aaron Cote.

And in November, HPE CEO Meg Whitman introduced Eran onstage at the HPE Discover event in London. In front of an audience of 10,000 customers and partners, Whitman told Eran, “What you’ve done in two years is sort of amazing!”

Microsoft acquisition

In early 2017, Hexadite AIRS achieved an impressive milestone: One million automated cyber investigations. The company estimated that number is equivalent to 800,000 man hours, saving its customers nearly $39 million.

Around the same time, Microsoft grew more excited about Hexadite’s technology. The Redmond, Washington-based software giant had first connected with Hexadite over a year before, and had long been interested in Hexadite’s potential to automatically investigate and remediate security issues on Windows-based desktops, laptops, and servers. As the Microsoft relationship developed, it became clear that people in Redmond and elsewhere, from junior engineers working directly with Hexadite’s technology all the way up to the highest levels of executives, were genuinely enthusiastic about Hexadite.

Eventually, that interest blossomed into an acquisition offer. After deliberation among the founders and the board, Hexadite decided that Microsoft offered both a good financial outcome as well as an excellent future for Hexadite’s people and technologies, and we all opted to take the deal.

Microsoft Windows is the most widely-deployed operating system in the world (Windows 10 alone now runs on 500 million active devices), and as such it’s an enormous target for hackers of all kinds (‘WannaCry’ being one of the latest examples). The possibility of integrating an automated security response system into Windows is a fantastic one for Microsoft, as it could help lock down the OS from its many attackers.

For Hexadite, this is an incredible win too: The team suddenly has access to a vast pool of resources and an enormous installed base of customers. Hexadite’s engineers will now be able to lead Windows into a new era of increased security, potentially benefitting the lives and work of billions of people — a dream come true for cybersecurity engineers.

Microsoft has clearly been placing security high on its priority list, as evidenced by many recent cybersecurity acquisitions. So it’s clear that the company values what Hexadite does and has big plans for it. This is a brilliant place for Hexadite’s people, its technology, and its product to flourish.

Needless to say, YL Ventures’ investors are also delighted by the outcome of Hexadite’s journey, partly because the payoff was so large that Hexadite single-handedly returned our entire fund. And we’ve been blessed by a string of other good news. In the past few weeks, in addition to the Hexadite acquisition, YL Ventures closed a new $75M fund, and our portfolio company Twistlock just raised a $17M Series B led by Polaris Ventures, bringing its total funding raised to date to $30M and setting them up well for massive growth in the coming years. (YL Ventures was the second-largest contributor to this B round.) We also co-led, with Fontinalis Partners, a $12M Series B round in our portfolio company Karamba Security, also well-positioned for the long haul. With the surge of interest in effective cybersecurity solutions, we’re confident that these companies are going to be incredibly successful.

Hexadite’s acquisition by Microsoft is entirely due to the enormous talent, vision, and hard work of Eran, Idan, Barak, and their team. We feel privileged to have played a part in their journey. And we congratulate them on a job well done.

There’s no doubt in our mind that these three are just getting started, and Ofer and I wish them much success at Microsoft and beyond. Meanwhile, the investment team at YL Ventures is going to look for more great cybersecurity startups like Hexadite to back!

Investor & Board Member Yoav Leitersdorf, left, and Cofounder & CEO Eran Barak in San Francisco discussing the final terms of Hexadite’s acquisition (May 2017)