Europe’s cybersecurity talent gap isn’t just a technical problem. It’s a human capital problem — and one that became dramatically more urgent in 2025, when geopolitical shifts quietly pulled the financial rug out from under the continent’s most active cybersecurity community builder.

Anett Mádi-Nátor, President of the Women for Cyber Foundation and Managing Partner at CyEx.hu, joined Scaling Cyber to discuss what it takes to build and sustain an 80,000-member community across 35 countries — and how the foundation navigated its most challenging strategic pivot to date.

The Journey: From COVID Startup to European NGO Unicorn

Women for Cyber launched in 2019 — just before COVID — with a diverse portfolio of community initiatives. Rather than dictating what the community needed, the team ran what Anett describes as a form of “targeted market research”: launching multiple programs, watching what resonated, and doubling down accordingly.

The answer was clear: education, training, and mentorship. Not advocacy. Not events alone. Practical, bottom-up capacity building.

Today, Women for Cyber manages 2,500 active mentees through a structured six-month matching program — run by just 1.5 staff members, supported by digital platforms. Fewer than 15 people run the entire foundation.

The Market Shift: When US Funding Disappeared Almost Overnight

In 2025, a seismic shift hit Women for Cyber’s funding model. With new US political priorities deprioritizing DEI globally, American corporate donations — which had made up 95%+ of W4C’s income — collapsed to below 50% within months.

The foundation’s response was not to scale back. It was to restructure.

New European corporate partners stepped in. And in doing so, Women for Cyber’s funding crisis became a microcosm of a much larger story: Europe realizing it needs to build its own cybersecurity capacity — independently, urgently, and at scale.

“When one door closes, another opens,” Anett notes. “And for Europe, that door is opening now.”

Why This Matters Beyond Diversity

The conversation reframes the “women in cyber” issue entirely. This isn’t a fairness argument — it’s a strategic one.

With cybersecurity talent demand outpacing supply across Europe, excluding 50% of the potential workforce isn’t just inequitable. It’s a security risk. Women for Cyber’s model — inclusive, bottom-up, non-profit — has proven more effective at community building than well-funded institutional programs precisely because it operates without corporate compliance constraints and channels everything back into the mission.

Anett also challenges assumptions about where the gender gap actually lives. It’s not primarily in entry-level roles or even founders — it’s in corporate boards and C-suites, where cybersecurity leadership (regardless of gender) is still underrepresented at the highest decision-making levels.

What’s Next: Cyber Resilience, AI, and Going Local

For 2026, Women for Cyber is pivoting its portfolio toward two new frontiers: cyber resilience (a broader, more operational frame than traditional cybersecurity) and AI-enabled capacity building.

The foundation is also leaning harder into local chapter activation — recognizing that physical, local communities are now stronger than purely digital ones in a post-COVID world.

The next annual conference will be held in Brussels in September 2026 — a symbolic move to the heart of European institutions.

Key Takeaways for Cyber Founders & Leaders

* Community-led beats consultant-led. W4C never hired external consultants. Everything came from internal teams and the community — and that’s why it scaled.

* The DEI funding shift is a cybersecurity story. The pullback of US support for diversity initiatives has direct, material consequences for European cyber capacity.

* The real gap is in boards, not entry-level. For leaders focused on inclusion, the most impactful change happens at the top of established organizations.

* Local chapters > central programs. European companies should connect with their national Women for Cyber chapter first — local community building has the highest ROI.

* Operational efficiency is a competitive advantage. 2,500 mentees, 1.5 staff. The model is replicable and worth studying.

* Cybersecurity is never a one-person show. Anett’s closing line: “It’s always a team effort.”

About the Guest

Anett Mádi-Nátor is President of the Women for Cyber Foundation, Europe’s largest cybersecurity community with 80,000+ members and 35 national chapters. She is also Managing Partner at CyEx, a CEE-based cybersecurity company. A recognized leader in European cyber policy and capacity building, Anett is driving Women for Cyber’s strategic pivot toward cyber resilience and AI-enabled education for 2026.

About Scaling Cyber

Europe’s cybersecurity talent gap isn’t just a technical problem. It’s a human capital problem — and one that became dramatically more urgent in 2025, when geopolitical shifts quietly pulled the financial rug out from under the continent’s most active cybersecurity community builder.

Anett Mádi-Nátor, President of the Women for Cyber Foundation and Managing Partner at CyEx, joined Scaling Cyber to discuss what it takes to build and sustain an 80,000-member community across 35 countries — and how the foundation navigated its most challenging strategic pivot to date.

Subscribe: Substack | Spotify | Apple Podcasts | YouTube

This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit scalingcyber.substack.com

Most cybersecurity founders obsess over their product. Mateusz Wepa obsesses over something else entirely: the channel.

And in less than two years, that obsession helped him build IITD’s Polish operation from 5 people to 12, a growing network of dedicated partners, and a reputation for being the most responsive distributor in the market.

Guest Journey

Mateusz Wepa came up through the world of technology sales and distribution — from his early days at Dagma, where a senior mentor taught him that every email gets answered within two hours, to managing teams across multiple European countries. That discipline — consistency as a form of trust — became the foundation of everything he’d later build at IITD.

When IITD decided to enter Poland, they made an unconventional bet: instead of placing one or two business developers to see what happens, they launched with five people from day one — a sales lead, a technical expert, a marketing specialist, and a product manager. The goal was to be fully local, fully committed, and fully capable from the start.

The Key Insights

Trust is a mathematical equation. Mateusz defines trust simply: consistency over time. Partners don’t need you to be perfect, they need you to be predictable. Pick up the phone. Answer emails. Show up. Do it long enough, and you earn a place in their comfort zone.

You don’t need the best product. You need the best channel. He uses his experience with ESET as the example: not the best endpoint product in the world, but the best-distributed one in Poland. The market share follows. Channel excellence consistently beats technology excellence in the mid-market.

Identity is the new front line. CrowdStrike’s own data shows that over 80% of attacks use no malware at all. Threat actors don’t hack in, they log in. This is reshaping the conversation around identity protection, Active Directory security, phishing simulation, and AI data exposure.

American vendors struggle to let go. Most US vendors have never needed distribution at home. When they try to scale to markets that don’t speak English, they face a paradox: they need to hand over control to a local partner, but struggle to trust one. The ones that figure it out scale. The ones that don’t stall.

Why It Matters

Poland is the sixth-largest economy in the EU. The Baltics are fast-growing, cyber-aware markets. And Central and Eastern Europe represents a significant untapped opportunity for cybersecurity vendors, if they’re willing to invest properly.

IITD’s model — small team, deep expertise, total local commitment — is a blueprint for how to enter these markets the right way.

Scaling Lessons

* Start with local presence, not remote support. Language, culture, and in-person relationships define trust in CEE markets.

* Don’t fall in love with your technology. The market will tell you where the value actually is.

* Pick a smaller, committed distributor over a large one that won’t prioritize you.

* Identity security is the most pressing emerging category in the Polish market right now.

* Consistency — in response times, follow-through, and partner enablement — is your most durable competitive advantage.

Key Takeaways for Cyber Founders & Leaders

* Channel > Product. A good product with a great channel will outperform a great product with an average channel, every time.

* Trust = Consistency over Time. Be predictable. Be responsive. Be there.

* Invest in the market, not just in a contract. A distribution agreement is not an investment. MDFs, events, enablement, and local presence, that’s investment.

* Don’t assume size equals commitment. A large distributor with 50 products won’t fight for yours. A focused one with 10 will.

About the Guest

Mateusz Wepa is Country Manager Poland at IITD (Intelligent IT Distribution), a cybersecurity value-added distributor operating in Poland and the Baltics. With a career spanning technology sales, channel management, and multi-country team leadership, he has spent the last two years building one of Poland’s most focused and fastest-growing cybersecurity distribution operations.

About Scaling Cyber

Scaling Cyber spotlights cybersecurity founders and ecosystem leaders outside the traditional US/Israel hubs, surfacing the real stories behind building global cyber companies.

Subscribe: Substack | Spotify | Apple Podcasts | YouTube

This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit scalingcyber.substack.com

Most companies assume their data is safe because it lives in the cloud. Most engineering teams assume their source code is protected because it’s on GitHub. Most CISOs don’t think about DevOps data until an auditor asks — or until something goes wrong.

Lukasz Jesis thought about it before most people did. And it led him to build two of the most focused data protection companies coming out of Europe today.

Founder Journey

Xopero was founded in 2010 in Gorzów Wielkopolski, Poland — a mid-sized industrial city far from any traditional tech hub. The ambition from day one was to build a Polish product company that sold globally in cybersecurity, at a time when almost no one in Poland was doing it.

Lukasz and his team grew Xopero deliberately: targeting the mid-market sweet spot (500–1,000 employees), building a flexible platform that works across hardware appliances, SaaS, and software — all with the same experience. No specialist required to deploy it.

The real turning point came from an internal question. What would happen if Xopero lost its own source code? The team said it was “protected somehow.” That answer wasn’t good enough. Digging deeper revealed a gap no one was properly addressing: the backup and security of DevOps ecosystems — GitHub repositories, Azure DevOps pipelines, CI/CD metadata, intellectual property.

GitProtect was born.

The Key Insights

SaaS ≠ Security. Cloud vendors provide services, not data protection guarantees. The shared responsibility model puts full accountability for data recovery on the customer — but most organizations haven’t internalized this. GitProtect exists to close that gap.

Category creation requires education. When GitProtect launched, the market didn’t know it needed the product. Early conversations were met with “why would I back up GitHub?” Today, the inbound has flipped: customers arrive already convinced, looking for the best solution — not a reason to buy.

Two products, two strategies. Xopero competes in a known market (backup and recovery) against funded giants like Veeam and Acronis — as a disciplined challenger focused on European mid-market. GitProtect creates a niche and leads it globally, with the US as the primary growth market. Both lines are growing at 100%+ year over year.

Certifications are GTM accelerators. ISO 27001, SOC 2, and similar attestations are not just compliance exercises. They shorten procurement cycles — especially in the US — and signal that a cybersecurity vendor can be trusted to protect others.

Why It Matters

Poland’s IT market spends over $50 billion annually. Almost none of it goes to Polish companies. Lukasz calls this “the trap” — a market large enough to seed serious growth, but historically captured almost entirely by US vendors.

That’s changing. Digital sovereignty awareness is rising across Europe. And companies like Xopero and GitProtect are proving that innovation in cybersecurity doesn’t require a Silicon Valley zip code or a Tel Aviv address.

Scaling Lessons

* Define your target group precisely. You cannot build the best product for everyone. Win on the battlefield you define.

* Follow your customers, not the full market. Xopero protects 80–90% of critical assets — at the highest possible quality — rather than chasing 100% coverage at lower depth.

* Go where your talent leads you. Lukasz’s first international hire for the DACH region was an experienced, hungry leader — someone whose drive matched the company’s pace.

* Build culture before scale demands it. At 120 people growing toward 170, the hardest challenge is not product or sales — it’s transmitting core values through layers of new hires.

* Governance is the next frontier. Auditors are no longer asking “do you have backups?” They’re asking which data is backed up, how, and who verified it.

Key Takeaways for Cyber Founders & Leaders

* SaaS services are not data protection. The shared responsibility model places full ownership of data recovery on the customer.

* Category creation requires patience. GitProtect spent years educating the market before inbound demand flipped.

* Certifications (ISO, SOC 2) are not just compliance — they are competitive advantages in enterprise procurement, especially in the US.

* The fastest deals often come after incidents. Be ready to move quickly when a customer has a live problem.

* Poland and Central Europe are serious cybersecurity markets — both as talent pools and as emerging ecosystems worth watching.

About the Guest

Lukasz Jesis is Co-Founder and CEO of Xopero Software and GitProtect.io, headquartered in Gorzów Wielkopolski, Poland. Xopero is a unified backup and disaster recovery platform for mid-market enterprises, and GitProtect is the leading DevOps data protection platform focused on source code, repositories, and the broader engineering ecosystem.

About Scaling Cyber

Scaling Cyber spotlights cybersecurity founders and ecosystem leaders outside the traditional US/Israel hubs — surfacing the real stories behind building global cyber companies.

Subscribe: Substack | Spotify | Apple Podcasts | YouTube

This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit scalingcyber.substack.com

Most security operations centers collapse under their own complexity. They promise to support every vendor, every SIEM, every workflow. They chase features instead of focusing on what actually matters: operational efficiency.

Federico Meiners learned this the hard way. After a failed attempt to build a SOC in the United States, he joined Nynox (now ACEN) in Belgium and spent five years discovering what it really takes to build and scale managed detection and response services in Europe’s fragmented market.

In this episode of Scaling Cyber, Federico (also known as "Fede") shares the operational playbook behind ASIN’s growth from 5 to more than 50 monitored customers, and why most MDR providers get it completely wrong.

From Network Security to Security Operations

Federico’s path into security operations wasn’t linear. He started in network security, spending more time troubleshooting VPNs and latency issues than actually doing cybersecurity. His first SOC attempt—setting up operations in the US market—failed despite significant investment in vendors, infrastructure, and marketing.

“Setting up a SOC is expensive. You need a lot of foundations to start delivering the service. We invested a lot... and it was really hard to get traction.”

That failure became the foundation for everything that came next.

The Operational Efficiency Mandate

When Federico joined ACEN, he discovered the biggest pitfall of security operations: trying to support everything.

The trap most MDR providers fall into:

* “Bring your own SIEM”

* “We support every vendor”

* “Unlimited integrations”

* “Custom workflows for every customer”

It sounds good in sales calls. It’s impossible to maintain in production.

ACEN’s contrarian approach:

* Standardize on a specific stack

* Choose the 20% that delivers 80% impact

* Commit to specific technologies

* Pick your market and optimize relentlessly

“You really need to pick your market. I mainly work with construction, healthcare, government. They don’t have a SOC, they don’t have a SIEM. So they’re not going to tell me they want their Sentinel integrated. And if they do, I show them the operational efficiency increase on their side when they come to us.”

This focus on standardization became ACEN’s scaling engine.

Thanks for reading Scaling Cyber! Subscribe for free to receive new posts and support my work.

Automation: From Skepticism to Scale

One of the most revealing parts of the conversation is Federico’s automation journey.

In 2021-2022, customers started asking: “Federico, why doesn’t your SOC do machine learning? Where’s the automation?”

ACEN built their first fully autonomous playbook for Microsoft 365 alerts. The system worked. Less than 1% error rate. Clear visibility into failures.

Customer reaction? “I want humans in the process.”

“Our generation—people 35 and onwards—we still want to see humans. And to this day, we automate a lot of alerts, and sometimes customers say: I want the human checking this alert.”

But the reality is stark: ACEN scaled from 5 to nearly 50 customers because of automation.

Federico’s golden metrics for SOC efficiency:

* Customer-facing: How many alerts can you handle without contacting the customer?

* Internal: How many of those alerts were solved without your analyst?

The ratio between these two numbers determines whether a SOC can scale or not.

The European Cybersecurity Paradox

Federico offers one of the most candid assessments of Europe’s cybersecurity market:

“We really like laws. It’s all about compliance and regulations. Sometimes I think Europe wants that to be the competitive advantage against the world. But speak with any MDR vendor in Europe, and 80% of their stack is probably from the United States.”

The structural challenges:

* Market fragmentation (language, culture, local requirements)

* Smaller addressable market per country

* Slower sales cycles (3-6 month POCs, 12-month buying processes)

* Strong local markets (Germany, France) but limited cross-border scaling

* Work-life balance culture vs. startup intensity required for breakthroughs

What actually drives SOC adoption in Europe:

* Breaches (the strongest driver, despite being fear-based)

* Outsourcing (companies separating IT from security vendors)

* Curiosity (30% of leads are now genuine interest—a new trend)

Compliance matters, but it’s not the primary driver Federico sees in the field.

Key Takeaways for Cyber Founders & Leaders

On operational efficiency:

* Standardization beats flexibility when scaling security operations

* Commit to a specific stack and optimize deeply rather than supporting everything superficially

* Operational efficiency is your competitive moat, not feature lists

On automation:

* Automation is the only path to scaling SOC operations

* Balance automation with human oversight to maintain customer trust

* The golden metric: alerts handled without analyst intervention

On detection engineering:

* Out-of-the-box rules are making a comeback (detection engineering is expensive)

* Focus on the 20% of technologies that cover 80% of your customer base

* Patterns emerge when you standardize—use them to your advantage

On European scaling:

* Market fragmentation is real, but specialization can overcome it

* Language and culture matter more in mid-market than enterprise

* European founders need to balance work-life culture with the intensity required for breakthroughs

On the future:

* Abstraction layers will eventually handle most alert workflows

* The analyst’s role will shift to ensuring the machine runs properly

* Vendors will increasingly embed AI into platforms—choice will disappear

About Federico Meiners

Federico Meiners is a Security Operations Leader at ACEN (formerly Nynox), where he has spent five years building and scaling managed detection and response services across Belgium and Europe. Originally from Argentina, Federico brings a global perspective to European cybersecurity challenges.

About Scaling Cyber

Scaling Cyber is a founder-led cybersecurity podcast spotlighting companies and leaders building outside the US and Israel. Hosted by Ignacio Sbampato, the show focuses on real GTM lessons, operational challenges, and global scaling strategies.

Subscribe: Substack | Spotify | Apple Podcasts | YouTube

This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit scalingcyber.substack.com

For years, the cybersecurity industry has operated on a false premise: that you must choose between speed and values, between aggressive American scaling and thoughtful European principles.

Cody Barrow, CEO of EclecticIQ, is proving that’s wrong.

From Intelligence Officer to CEO

Cody spent over 20 years in intelligence, half of that in the US federal government. He wasn’t just a practitioner; he was a buyer. He purchased, deployed, and ultimately churned through multiple threat intelligence platforms.

When he joined EclecticIQ six and a half years ago, first as VP of Intelligence, then Chief Strategy Officer, and finally as CEO in February 2024, he brought something rare: he had been the customer.

That perspective shapes everything — from product roadmap decisions to understanding why prospects ask for specific integrations. When a customer requests a feature, Cody doesn’t have to reverse-engineer their thinking. He already knows the “why” because he lived it.

The Market Shift: From Data Hoarding to Decision Enablement

For too long, threat intelligence platforms promised one thing and delivered another.

Organizations bought CTI tools expecting a system of record. Something that would help them understand who was targeting them and why, so they could prevent incidents. What they got instead was noise: massive data feeds, irrelevant threat actor profiles, and platforms that encouraged “Pokémon-style collection” of indicators without context.

Cody calls this out bluntly: “I bought so many TIPs. I churned through them. It hadn’t been done. The original promise of threat intelligence platforms hadn’t been fulfilled.”

EclecticIQ’s response? Intelligence Compass, an AI-powered feature that contextualizes threat data based on your actual infrastructure. If you run entirely on Microsoft, you don’t need endless alerts about Linux kernel exploits. Relevance over volume. Insight over collection.

This isn’t about adding AI for the sake of AI. It’s about solving the fundamental problem threat intelligence was supposed to solve from the beginning.

Why Being European Matters

EclecticIQ is fully European-backed and European-owned. That positioning matters more than ever.

As digital sovereignty becomes a priority - especially for governments and critical infrastructure - customers increasingly care about jurisdiction, long-term control, and trust.

Cody is clear: “We’re not just serving Europeans. We’re serving anyone who thinks about that level of trust.”

It’s a positioning that reflects a broader European reawakening: the recognition that Europe needs to move faster, not by copying Silicon Valley’s “move fast and break things” ethos, but by removing obstacles while preserving what makes European companies trustworthy.

Scaling Lessons: Talent, Remote Work, and Velocity

The European Talent Problem

One of the hardest challenges facing European cybersecurity companies is talent: not on the technical side (Europe has world-class engineers), but on the business and domain expertise side.

In the US, 50-60% of cybersecurity professionals come from national security backgrounds. They bring discipline, strategic thinking, and deep domain knowledge from day one. In Europe? That pipeline barely exists outside the UK.

Cody’s solution: Go fully remote.

Today, EclecticIQ’s workforce is roughly 40% Netherlands, 25% UK, 25% India. By removing geographic constraints, they’ve unlocked access to talent pools that would otherwise be unreachable.

This is the same playbook being used by other high-velocity European cyber companies like BforeAI and Whalebone — and it’s working.

American Velocity, European Values

Cody flattened EclecticIQ’s hierarchy early, removing management layers that slowed decision-making. But he didn’t adopt the startup grind culture. The team doesn’t work 60-hour weeks unless absolutely necessary.

Instead, velocity comes from efficiency: fewer layers, faster decisions, transparent communication, and a deep respect for work-life balance.

It’s not Silicon Valley. It’s not Brussels bureaucracy. It’s something new.

Key Takeaways for Cyber Founders & Leaders

* Domain expertise is a competitive moat. If your team has actually lived the customer’s problems, product decisions become clearer and faster.

* Remote-first solves Europe’s talent gap. Don’t limit yourself to your home country when you can access global expertise.

* Relevance beats volume. In threat intelligence (and probably in every category), contextual insight is worth more than raw data.

* Integrations > all-in-one platforms. Customers want best-of-breed tools that work together, not forced ecosystems.

* Positioning matters. Being European isn’t a liability but a trust signal, as long as you combine it with the velocity to compete globally.

* Bold voices stand out. European founders who engage with analysts, share strong opinions, and show up consistently (like Cody does) break through the noise.

About Cody Barrow

Cody Barrow is the CEO of EclecticIQ, a global cyber threat intelligence platform serving governments, critical infrastructure, and the largest enterprises worldwide. With over 20 years in intelligence - including service in the US federal government - Cody brings a unique customer-first perspective to building security products. He’s also a vocal advocate for European cybersecurity sovereignty and building high-velocity teams without sacrificing values.

About Scaling Cyber

Scaling Cyber is a founder-led cybersecurity podcast highlighting companies and leaders building outside the US and Israel. Hosted by Ignacio Sbampato — former Chief Business Officer at ESET and founder of BridgerWise — the show explores the real challenges of global expansion, category creation, and building in competitive markets.

Subscribe: Substack | Spotify | Apple Podcasts | YouTube

This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit scalingcyber.substack.com

For decades, Europe has talked about digital sovereignty and cyber resilience. But talking isn’t building.

And according to Petri Kuivala — a veteran CISO who helped secure Nokia, Microsoft, and NXP, and now advises European cybersecurity startups including HoxHunt — the problem isn’t just political. It’s cultural, strategic, and deeply rooted in how European CISOs approach security itself.

In this episode of Scaling Cyber, Petri doesn’t hold back. He challenges the regulation-first mindset that dominates European cybersecurity, explains why most CISOs drown in noise instead of focusing on real risk, and lays out exactly what Europe needs to do if it wants to stop being a follower in the digital age.

From Corporate CISO to Startup Advisor

Petri’s career spans three decades and some of the biggest technology companies in the world. But about 10 years ago, he made a deliberate shift: instead of just defending organizations, he started helping European cybersecurity startups scale.

The reason? Simple: “If I stay still, I will become an old fart, and I don’t want to be one.”

That shift gave him a unique vantage point. He’s seen what works at enterprise scale. He’s watched 20+ European startups try to grow — some succeeding, most failing. And he’s identified the patterns that separate winners from those that never make it.

One of those patterns? Diverse founding teams with honest, challenging conversations about strategy and vision. Solo founders can be Steve Jobs for a while, but very few can sustain that for long.

Another? Access to market… and CISOs willing to work with startups. Without that early validation and support, even the best technology stays lonely in its corner.

The Brutal Truth About European Cyber Sovereignty

Europe loves to talk about cyber sovereignty. But Petri sees a uncomfortable gap between rhetoric and reality:

“We are not willing to seek the real European solutions and believe in them. Every time we use a US-based solution, we build competence in some other country or region.”

Europe remains industrially focused while the US leads in digital innovation. That structural difference shapes everything—including how CISOs are perceived. In digitally-driven companies, security is central. In industrial companies, it’s often an afterthought.

But the bigger issue? European CISOs are afraid to work with European startups. They see vendors as upselling machines, not partners. That distrust kills the innovation pipeline before it even starts.

Petri’s call to action is clear: CISOs need to give European startups a seat at the table. Not because they’re European, but because competition drives quality—and Europe won’t build world-class cybersecurity vendors without access to European customers.

Focus, Focus, Focus: The One Strategy That Actually Works

If there’s one theme that runs through Petri’s entire career, it’s this: Most CISOs are drowning because they’re trying to do everything at once.

He’s seen it everywhere: CISOs overwhelmed by alerts, stakeholders pulling them in a hundred directions, and security teams spread so thin they can’t execute on anything meaningful.

His solution? Prioritize ruthlessly. Focus on the red corner — the highest-impact, highest-risk area — and stay there until it’s nearly perfect. Then move downstream.

“I needed to bring the COO and CTO into the room and have the conversation: which one of you will be the priority? Because I cannot serve both of you at the same time.”

That level of clarity is rare. But it’s also what separates effective security leaders from those who burn out trying to please everyone.

Process and execution matter more than tools. And the ability to say “no” until you’re ready is a superpower.

Crowdsourced Security: The 20% Advantage Most CISOs Ignore

One of the most underestimated security capabilities? Your own employees.

Petri makes a compelling case: if 60% of a 60,000-person organization actively reports suspicious activity, you can detect intrusion attempts in less than two minutes, with high accuracy.

But most CISOs don’t believe it’s possible. They’re technology-driven, not psychology-driven. They underestimate the power of positive reinforcement and gamification.

At HoxHunt, Petri has seen this play out firsthand. When you treat security awareness as a behavioral challenge - not a compliance checkbox - people engage. They become an active defense layer.

“If you’re capable of taking 20% out of your breach likelihood, that is a huge thing.”

It’s not a silver bullet. But it’s a massively underutilized capability sitting right in front of most organizations.

Key Takeaways for Cyber Founders & Leaders

🔹 Strategy means saying no. Focus on high-impact areas and stay there until you’ve truly addressed the risk. Spreading thin kills execution.

🔹 Regulation-first security makes you an obstacle, not a partner. Lead with business risk, not compliance checklists.

🔹 Europe won’t build cyber sovereignty by talking about it. CISOs must actively support European startups—not because they’re local, but because competition drives quality.

🔹 Crowdsourced intelligence is a 20% advantage most ignore. Engage employees with positive psychology, and they become your fastest threat detection layer.

🔹 Winning startups have diverse teams with honest, challenging conversations. Solo founders rarely sustain long-term success.

🔹 CISOs can make or break startups. When CISOs open doors for each other, European vendors finally get access to the market they need to scale.

About Petri Kuivala

Petri Kuivala is a veteran CISO with 30 years of experience defending global organizations including Nokia, Microsoft, and NXP. For the past decade, he has been advising European cybersecurity startups, helping them navigate go-to-market challenges and scale globally. He currently serves as CISO Advisor at HoxHunt, a leading security awareness platform.

About Scaling Cyber

Scaling Cyber brings you authentic stories from cybersecurity founders and leaders building global companies outside the US and Israel. Hosted by Ignacio Sbampato—cybersecurity executive, former Chief Business Officer at ESET, and founder of BridgerWise—the show explores tactical growth lessons, strategic insights, and the real challenges of scaling in cybersecurity.

Subscribe: Substack | Spotify | Apple Podcasts | YouTube

This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit scalingcyber.substack.com

Europe imports 70% of the cybersecurity products it uses. That number isn’t just an economic statistic. It’s a strategic vulnerability.

And while the debate around digital sovereignty often stays at the policy level, a small group of builders in France is doing something different: writing a new playbook from scratch.

In this episode of Scaling Cyber, I sat down with Laurent Hausermann and Aurélie Clerc, co-founders of Cygo Entrepreneurs, a cybersecurity venture studio based in Lyon and Paris, to understand what it actually takes to build European cyber champions in 2026.

Who They Are

Laurent and Aurélie are not typical investors. They’ve both been founders. They’ve felt the gaps in the European ecosystem firsthand:

* the missing middle layer between early-stage startups and global champions,

* the fragmented market,

* the talent that too often ends up working for Symantec or McAfee rather than building something European.

Cygo was born from that frustration. Instead of deploying capital and stepping back, they co-build companies alongside founders:

* pairing technical co-founders with commercial co-founders,

* validating problems with practitioners before writing a single line of code,

* bringing in design partners who become customers.

The Key Insights

The European market is fragmented and that’s not going away. NIS2 is implemented differently in Germany, Belgium, and Spain. There’s no single 300-million-person market to dominate. Any playbook that ignores this is already broken.

The solution isn’t to copy the US, it’s to build for European reality. That means going international from day one (not after funding), building through channel partners and MSSPs rather than direct sales, and leveraging European regulatory complexity as a forcing function for differentiation.

Design partners beat POCs. Cygo portfolio companies like Glev and Harven built their first products with design partners: CISOs and security teams who co-built alongside them before the company was even incorporated. No POC theatre. Just real co-creation.

“Le Club” is the unfair advantage. Cygo’s private network of CISOs, MSSPs, system integrators, and VCs gives founders immediate access to the practitioners they need. Not after fundraising, but from day one.

Why It Matters

Europe has the talent. It has the regulatory momentum. What it’s been missing is a structured model for converting all of that into companies that actually scale. Cygo is one of the first attempts to build that infrastructure deliberately, and the early signals are positive.

Scaling Lessons

* Start with the market, not the technology. Validate pain before building product.

* Pair technical and commercial talent from the very beginning.

* Go European from day one. Not French, not German. European.

* Use indirect channels (MSSPs, system integrators) as your GTM engine, not an afterthought.

* Leverage AI — especially open-source and fine-tuned models — to scale security practices, not just to build security products.

Key Takeaways for Cyber Founders & Leaders

* Europe’s fragmentation is a challenge AND an opportunity if you design for it from the start.

* The design partner model eliminates the POC problem. Build with customers, not for them.

* Community is infrastructure. A CISO network isn’t a nice-to-have, it’s a GTM asset.

* “Made in Europe” can mean technical excellence, not just geopolitical preference.

* It’s never too late. The next wave of European cyber champions is being built right now.

About the Guests

Laurent Hausermann and Aurélie Clerc are co-founders of Cygo Entrepreneurs, a cybersecurity venture studio based in France. Laurent is a serial entrepreneur and one of Europe’s most vocal advocates for building a sovereign cybersecurity ecosystem. Aurélie brings deep expertise in market validation and founder support. Together, they lead a portfolio of companies co-built with “Le Club”, their private network of CISOs, MSSPs, and security practitioners.

🎙️ About Scaling Cyber

Scaling Cyber spotlights cybersecurity founders and ecosystem leaders outside the traditional US/Israel hubs — surfacing the real stories behind building global cyber companies.

If you’re a founder, investor, CISO, or partner looking beyond the obvious markets — this is your front-row seat.

Subscribe: Substack | Spotify | Apple Podcasts | YouTube

This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit scalingcyber.substack.com

The cybersecurity industry is often framed as a US and Israel story.

Silicon Valley drives category creation.Tel Aviv drives elite technical innovation.Europe? Fragmented, underfunded, slower to scale.

But what does the actual data say?

In this opening episode of Season 2 of Scaling Cyber, we sat down with Richard Stiennon, Founder of IT-Harvest — one of the most comprehensive cybersecurity market research firms in the world — to separate perception from reality.

And the reality is more nuanced.

Founder & Analyst Journey

Richard has spent decades tracking cybersecurity vendors globally.

IT-Harvest maintains a continuously updated database of thousands of cybersecurity companies, including those that were acquired, shut down, or disappeared quietly.

Unlike narrative-driven industry commentary, this dataset provides a structural view of the ecosystem:

• Vendor density by region• Category saturation• Acquisition velocity• Growth patterns• Funding disparities

It’s one of the few places where the entire cybersecurity market can be examined objectively.

The Market Shift: Europe vs US vs Israel

Here’s what the data shows:

* The US still produces the highest number of new vendors annually.

* Israel continues to punch above its weight because its companies must sell globally from day one.

* Europe has large vendor density in countries like Germany, France, and the UK, yet fewer breakout category leaders.

Why? Structure.

US companies benefit from:

* Deep, risk-tolerant venture capital

* A unified large domestic market

* Established M&A pipelines

* Immediate analyst and media visibility

Israel benefits from:

* Military-driven talent pipelines

* Export-first mindset

* Tight founder-investor networks

* Aggressive global ambition

Europe, by contrast:

* Is fragmented by language and regulation

* Has smaller, more conservative funding rounds

* Often builds product depth before category clarity

* Tends to underinvest in positioning and analyst relations

The result? Strong technology. Slower global category dominance.

Why It Matters

This isn’t just about national pride.

It affects:

• Investor returns• Founder ambition• Market consolidation• Buyer awareness• Ecosystem maturity

If Europe wants more category leaders, it must align capital, ambition, positioning, and ecosystem support.

Scaling Lessons

A few powerful insights from the conversation:

* Visibility is strategic, not optional.

* Analysts are not gatekeepers — they are amplifiers.

* Platform narratives often repeat historical mistakes.

* Venture capital scale influences global velocity.

* AI will reshape the vendor landscape faster than most expect.

Richard’s strongest warning?

AI-driven transformation will fundamentally alter cybersecurity within 12 months, and exponentially beyond that.

Founders who ignore this shift risk irrelevance.

Key Takeaways for Cyber Founders & Leaders

* Focus your category before expanding into adjacent products.

* Understand who your buyer actually is — and who they are not.

* Don’t assume technology alone will drive adoption.

* Engage analysts early to shape perception.

* Study structural advantages — and compensate strategically.

* If you’re building in Europe, think globally from day one.

About the Guest

Richard Stiennon is Founder & Chief Research Analyst at IT-Harvest, maintaining one of the most comprehensive global cybersecurity vendor databases. He is also author of Up and to the Right, a leading guide to analyst relations in cybersecurity.

🎙️ About Scaling Cyber

Scaling Cyber spotlights cybersecurity founders and ecosystem leaders outside the traditional US/Israel hubs — surfacing the real stories behind building global cyber companies.

If you’re a founder, investor, CISO, or partner looking beyond the obvious markets — this is your front-row seat.

Subscribe: Substack | Spotify | Apple Podcasts | YouTube

This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit scalingcyber.substack.com

Season 1 of Scaling Cyber showcased ambitious cybersecurity founders building outside the traditional US and Israel hubs.

Season 2 asks a harder question:

Why do some regions consistently produce global cybersecurity leaders while others struggle to scale beyond their borders?

This season moves beyond individual stories and into structural reality.

From Founder Stories to System Thinking

The first season proved something important:

Cyber innovation is global.

But innovation alone does not create global market leaders.

Season 2 shifts the lens toward:

* Capital formation

* Buyer dynamics

* Distribution leverage

* Talent pipelines

* Policy influence

* Operational execution

Because scaling is not accidental. It’s structural.

The Market Diagnosis

We begin with hard data on the global cybersecurity vendor landscape.

Who dominates?Why?What patterns repeat?

Then we challenge assumptions about how European cybersecurity companies are built, and where structural friction slows them down.

This season follows a deliberate arc:

Market Reality → Structural Diagnosis → Buyer Perspective → Operators → Founders → Channel → Ecosystem Future

It is a journey from symptoms to system.

Why This Matters Now

Cybersecurity has never been more strategic.

* Sovereignty.

* AI acceleration.

* Geopolitical fragmentation.

* Capital discipline.

Regions that understand how to align ecosystem power will define the next decade of global cybersecurity leadership.

Founders cannot scale alone.

Ecosystems either amplify you… or limit you.

Scaling Lessons Ahead

Season 2 brings:

* CISOs sharing how they actually evaluate vendors

* Founders scaling globally from Europe

* Distribution leaders shaping market access

* Ecosystem builders tackling the talent gap

* Data-driven perspectives on structural competitiveness

The focus is clear:

Execution > NarrativeStructure > HypeSystems > Individuals

Key Takeaways for Cyber Founders & Leaders

* Innovation is necessary but ecosystem alignment determines scale

* Buyers define reality, not founders

* Channel and capital are leverage multipliers

* Talent strategy is long-term competitive advantage

* Structural awareness separates local players from global leaders

About Ignacio Sbampato

Ignacio Sbampato is a cybersecurity executive, former Chief Business Officer at ESET, and founder of BridgerWise. With more than two decades building global markets, he now focuses on helping cybersecurity startups scale beyond their borders.

About Scaling Cyber

Scaling Cyber is a founder-led cybersecurity podcast highlighting global challengers and the systems behind their success.

If you believe the next generation of cyber leaders is already here — but underrepresented — this show is for you.

Subscribe: Substack | Spotify | Apple Podcasts | YouTube

This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit scalingcyber.substack.com

Email impersonation isn’t as flashy as other threat vectors.And yet, it’s one of the most abused attack vectors in the world.

In this episode of Scaling Cyber, I sat down with Sacha Matulovich, Co-Founder and Chief Strategy Officer of Sendmarc, to unpack how a company born in South Africa built a global business around one of cybersecurity’s most overlooked — and most critical — problems: email domain impersonation and DMARC compliance.

This conversation isn’t just about email security.It’s about distribution, go-to-market discipline, and what it really takes to scale a cybersecurity company from outside the usual power hubs.

🎧 Listen to the full conversation on Scaling Cyber: 👉 YouTube | Spotify | Apple Podcasts

From Email Marketing to Cyber Defense

Sendmarc didn’t start as a “cybersecurity idea” in the traditional sense.

Its founders came from the email marketing world, where delivering billions of legitimate emails forces you to deeply understand how email infrastructure actually works.

That background created a unique perspective:

If you truly understand how email is delivered, you also understand how it’s abused.

When Sacha’s co-founders discovered DMARC — the global standard that prevents email domain spoofing — they saw both a security gap and a market gap.

The problem?DMARC is powerful, but painfully complex.

“The world doesn’t need to understand all the acronyms,” Sacha explains.“They just need their domain to not be weaponized.”

That insight became Sendmarc’s core strategy:Do the dirty dishes so customers don’t have to.

Building from South Africa

Unlike many startups, Sendmarc didn’t begin with a grand vision of global domination.

They started local:

* Talking to customers they could meet face-to-face

* Selling on day two

* Getting immediate feedback on value, pricing, and pain

Only later did reality hit:This wasn’t a regional problem.

Within the first year, Sendmarc had customers in more than 10 countries.

“Whether we liked it or not, we had built a global business.”

South Africa, often seen as a disadvantage, became an unexpected strength:

* Founders used to solving hard problems

* Limited local market forcing early efficiency

* A global diaspora that helped open doors abroad

Education Before Enforcement

Sendmarc entered the market before DMARC became mandatory.

That meant years of:

* Explaining why the problem existed

* Proving that impersonation was real

* Convincing buyers before Google, Microsoft, and Yahoo forced compliance

One early GTM trick?They demonstrated the attack.

“If I can send an email pretending to be you — and it lands — the value becomes obvious immediately.”

Later, when big tech enforced DMARC, the conversation shifted:From education to execution.

And Sendmarc was ready.

Distribution as a Strategy

One of the most valuable parts of this conversation is Sendmarc’s channel journey.

They didn’t chase every route at once.

They layered it deliberately:

* Direct sales to validate value and pricing

* MSPs and resellers to scale reach

* Distributors — once GTM maturity existed

* OEM partnerships for massive distribution leverage

Crucially, Sendmarc made a hard decision early:They would be partner-first, even if it meant giving up margin.

“We chose trust over short-term revenue.”

That clarity allowed partners to invest confidently — and helped Sendmarc scale without building a massive direct sales force for a relatively low-ACV product.

Why Some Distributors Work — and Others Don’t

Sacha is refreshingly honest about distribution:

* Big distributors aren’t always the answer

* If you don’t matter to their revenue, you don’t matter at all

* Commitment must go both ways

One of Sendmarc’s most successful partnerships started with a simple rule:Skin in the game on both sides.

A funded head.A minimum commitment.Shared accountability.

The result?Focus, execution, and growth.

DMARC as a GTM Superpower

DMARC has a unique property most cybersecurity sectors don’t:Everything is visible in DNS.

That means Sendmarc (and its partners) can:

* See which domains are vulnerable

* Know which competitors are in place

* Track failures and history over time

This turns security telemetry into a go-to-market engine.

Instead of cold outreach:

“We can see your problem… and we can fix it.”

For Sendmarc, DMARC isn’t just a security control.It’s a sales accelerator.

OEM Partnerships and Earning a Seat at the Table

Landing OEM partnerships with global vendors — including Sophos — didn’t happen overnight.

Sacha’s explanation is simple, and brutally honest:

* They worked harder than competitors

* They were flexible

* They over-delivered

* They showed up in person

“What we lacked in brand, we made up for in effort.”

In cybersecurity, trust still happens face-to-face.Flights, conferences, awkward first meetings — all part of the cost of scale.

Focus Over Expansion

Despite growth, Sendmarc has resisted the temptation to become “everything email security.”

Their strategy is clear:

* Be the best in anti-email impersonation

* Expand carefully into adjacent problems

* Solve distribution, not just technology

As Sacha puts it:

“DMARC isn’t a technology problem anymore. It’s a distribution problem.”

The Real Lesson: Get Out of Your Comfort Zone

One of the most human moments in the episode comes when Sacha describes attending his first cyber conference in London.

No friends.No recognition.No shortcuts.

“It felt like standing alone at a bar, hoping someone would talk to you.”

Years later, those same conferences feel very different.

The lesson?Community matters.Relationships compound.And growth is uncomfortable — until it isn’t.

Final Takeaways for Cyber Founders

* Not all important problems are sexy but they can be massive

* Distribution is a strategy, not a checkbox

* Partner trust beats short-term margin

* Being early means educating; being ready means executing

* If you’re building outside the big hubs, effort is your unfair advantage

Thanks for reading Scaling Cyber! Subscribe for free to receive new posts and support my work.

🎙️ About the Episode This conversation is part of Season 1 of Scaling Cyber — the show where founders and leaders from outside the US and Israel share how they’re building global cybersecurity companies.

Host: Ignacio Sbampato — cybersecurity executive, former Chief Business Officer at ESET, and founder of BridgerWise. Guest: Sacha Matulovich, CEO & Co-Founder of BforeAI.

This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit scalingcyber.substack.com