The Gili Ra’anan model: Questions emerging from Cyberstarts’ remarkable success


The numbers of the venture capital fund Cyberstarts are phenomenal. The fund that specializes in cyber companies and was founded by Gili Ra’anan only six years ago is a remarkable phenomenon that mercilessly outperforms its older competitors. It has a portfolio of only 22 companies whose combined value is $35 billion. Five of these companies are unicorns, first and foremost Wiz, which seems to be breaking all the rules of growth and success and setting new standards in the industry. Four of them were sold in the last 12 months, during most of which there was a severe war in Israel, for a total amount of $1.5 billion. In the last three months, Cyberstarts’ portfolio companies have raised no less than $1.8 billion despite all the antisemitic sentiment in the world. In all three of his funds, Ra’anan shows an internal rate of return of more than 100%, an unusual figure even for the best funds in the world. No portfolio company has been closed to date. In fact, Cyberstarts is today ranked in the top five of all venture capital funds in the world due to its unprecedented achievements.

3 View gallery

Gili Ra’anan.

(Photo: Ron Shelef)

Ra’anan, 54, an alumnus of the elite Israeli military intelligence unit 8200, who has behind him impressive personal exits worth hundreds of millions of dollars and the invention of the CAPTCHA method to prevent fraud, is considered a genius. This is indisputable and is pretty much a consensus in the Israeli and even global cyber industry. He founded his first company, Sanctum, which developed a firewall for internet applications, back in 1997 and it was sold for $40 million in 2004. After that, he founded NLayers which was sold to EMC. In 2009, he joined the American Sequoia venture capital fund and as a partner there he led the investments in Adallom, the first company set up by the Wiz founders that was sold to Microsoft, and the investment in Armis, in which he later also invested through Cyberstarts.

Along with the admiration for Ra’anan in the local and global high-tech industry and his Midas touch, an alternative explanation for the extraordinary successes and their unprecedented rate has recently emerged with increasing frequency. It is referred to as the “Gili Ra’anan model” and it is causing more and more discomfort not only among its Israeli competitors and their portfolio companies (all of which are jealous for obvious reasons), but it has also reached the U.S. where company executives, who are purchasing cyber solutions at an increasing rate as the threats and attacks multiply, feel that their managers of cyber systems, known as CISOs (chief information security officers), are as committed to Gili Ra’anan as they are to the organization that pays them, sometimes even more.

A CISO is often the most senior figure in an organization responsible for building its defense system and preventing cyber attacks. They report directly to the CEO and sometimes even to the board of directors and are in charge of budgets of hundreds of thousands of dollars per year in smaller companies in American terms, and in large organizations, this can also reach many millions per year.

The CISO’s budget has to be divided between dozens of solutions from companies that compete for his or her attention and also for the organization’s dollars. According to recent data from cyber company Palo Alto Networks, which is considered the largest in the industry today both in terms of sales and market capitalization, the average organization has approximately 75 different cyber solutions and the number is not decreasing. That’s why CISOs have become the most sought-after figures in the organization: their decisions will shape the destinies of not only customers and employees in their organization regarding cybersecurity but also which startups will succeed and which will fail. This is also where the returns of venture capital funds that specialize in cyber are determined.

Because of the importance and also because it is a technological expert role, CISOs are generously compensated and their average salary in the U.S. is around half a million dollars. But Ra’anan offers them the big dream of the world of employees – shares in a venture capital fund with exposure to the glittering world of unicorns and IPOs. And here, as the critics claim, the conflict of interests begins.

Ra’anan did not invent the format; all funds that specialize in cyber go after CISOs and entice them with dinners, conferences, and some also offer them holdings in the fund. However, according to evidence collected by Calcalist from CEOs of large companies, CIOs in organizations, entrepreneurs of startup companies, as well as other venture capital funds, he perfected it to a completely different level. The format he built allows him to put his startups on steroids, to grow them faster. According to several sources, he promises teams of fresh graduates from the technological units not only investment and support in establishing a startup but also “initial revenues of $2 million per year”. This is usually the startup’s first year of sales, which is intended to dramatically boost it above the competitors who started from the same point and guarantee it a large round of funding from additional funds, which are not only funds specializing in cyber but the big names.

3 View gallery

Cyberstarts General Partners Lior Simon and Emily Heath.

(Photo: Ron Shelef)

The first sales come from the loyal CISOs who work with the fund. Although it may be considered “small money”, the jumps between the first stages of fundraising are the most difficult. “Until a ‘regular’ startup company reaches sales of $2-10 million it grinds itself to a pulp, but with Gili Ra’anan, this happens in the first year of sales. He creates a mechanism that is difficult to compete against because his companies immediately jump to a valuation of $100-200 million, raise more money, and then also have more resources to compete later,” a partner in an Israeli venture capital fund tells Calcalist. “With a seemingly small purchase of $100,000-$200,000, a CISO increases a startup’s value by dozens of times.”

Calcalist reveals in this investigation what is known in the cyber industry as the “Gili Ra’anan model”. This has become the talk of the day at conferences and events of the global cyber industry and was one of the topics discussed at the annual RSA conference held about a month ago in the U.S.

“I recruited a new CISO for a financial organization that I managed out of a desire to refresh the cyber defense system. I gave him a free hand because I trusted him and I see this position as a position of trust. Six months later, I noticed that, surprisingly, almost all of the new logos that the CISO introduced were portfolio companies of Cyberstarts,” describes a former senior executive at a large financial institution in the U.S. “It’s not that these were necessarily bad solutions, but that some of them were a very low priority for us or solved problems that were not particularly urgent. After I confronted the CISO on the subject, he admitted that he is on the list of advisers of Cyberstarts and receives a percentage of the funds from them. Shortly after this, he left the company and immediately upon the appointment of a new CISO, I asked him to inform me if he was contacted by Cyberstarts. Within a few weeks, he had already received an email from them with a description of their kind of ‘loyalty program’ that details exactly what he will receive the more he works with the fund.” The letter, signed by Ra’anan himself and coming from his email box, also contains a sentence that refers to the amount of future compensation: “It is difficult to predict the performance of the fund, but according to our forecast, the points you have accumulated so far are valued at X dollars. You can expect additional allocations in these funds in the coming years and in the new funds we will raise later.”

Cyberspace’s frequent flier

The steps in the Cyberstarts points program are as follows: the first is a meeting to present the portfolio, something all funds do; the second step is a meeting with portfolio companies. Calcalist saw several such letters that Ra’anan sent to CISOs. Contrary to the claims made by many in the cyber market, there is no direct promise of any reward for purchases from his portfolio companies, but all the recipients of the letters we spoke with testify that the mutual oral understanding is that the progress in accumulating points also involves purchases and not only meetings, consultation hours, or answering questions by email. Cyberstarts vehemently denies the last stage and claims that CISOs were never remunerated for purchasing the products of the portfolio companies.

This “loyalty program” – which encourages deepening the relationship between the CISO and a party other than his employer – is seen by many in the industry as a red line crossed by Ra’anan and Cyberstarts. This is what has been generating the incessant buzz around the issue for months now. Some will say that this is somewhat reminiscent of the nature of the compensation that investment houses give to insurance agents who market their products and have received a lot of criticism over the years for “pushing” customers not necessarily the best products, but those of companies that gave them the most pampering benefits.

There was also a similar phenomenon in the field of pharmaceuticals for many years, until the Medical Association explicitly stated in the ethics code that “a doctor will not accept and a pharmaceutical company will not give a doctor any personal benefit, except for gifts of marginal value only”. It is certainly relevant to compare the work of the CISO to a doctor who is responsible for purchasing drugs for his organization, and as such, he should not be rewarded by the large shareholders in the pharmaceutical companies.

Cyberstarts does not hide the existence of the compensation plan for CISOs, but they are worried about it being leaked as they consider it a “trade secret”. Some time ago, when the skeptical voices surrounding the fund’s methods of operation became louder, it published an explanation of the plan on the fund’s website to calm the rumors and gossip. But the question is, of course, what was not written there.

Officially, the Cyberstarts program is called Sunrise and within it, the cyber managers of the largest and leading organizations in the world provide advice to the fund’s portfolio companies, sometimes even before there is even a company. One of the partners in the fund (Ra’anan has three other partners that he has added over the years – Lior Simon, Emily Heath who herself was CISO at United Airlines and DocuSign, and recently also added Hila Zigman, who was a senior executive in the portfolio company Noname) takes the emerging team, usually a group of fresh graduates from the elite Israeli military intelligence units 8200 or 81, for a meeting with the CISO to hear about their pain points and what solutions they lack. A CISO who enters the Cyberstarts program gives a few hours a month, quarter, or year for the benefit of this consultation. In exchange for the consultation, they accumulate points equal to percentages in the fund, when it is possible to accumulate points which provide carry in the fund, up to 4% of a GP. The holding means that whenever there is a liquidity event in the fund, such as the sale of a portfolio company or a secondary deal to sell shares to another entity, the CISO will receive cash. It is usually tens of thousands of dollars for the CISO, although not a life-changing amount for an employee who earns about half a million dollars on average, but still a nice bonus, especially when it is repeated with high frequency.

The CISO receives the payments from Cyberstarts to his personal bank account. Calcalist saw an Excel file with a list of 82 CISOs, the score of each one, the percentage of their holding in the fund, and the cumulative payments they received as a result of liquidation events in the fund.

Cyberstarts operates in a slightly different way than usual and does not charge a management fee at all (usually 2% of the fund), but instead charges a relatively high success fee of 25%-30% (instead of the standard 20%) and thus the CISO enjoys a larger share. In a calculation that is based on the yield of the Cyberstars funds, as the fund presents them, over the life of the fund, the cumulative compensation to the CISO may reach even a million dollars or more.

“What would you like them to solve for you?”

“It’s not that the CISOs are doing me a favor. On the contrary, I’m helping them,” Ra’anan tells Calcalist. “I tell them – I have a very smart team here that is going to spend $100 million in the next three years to solve one cyber-related problem. What would you like them to solve for you? If you had a wish list, what would you ask for? And so instead of the CISO doing me a favor with his consulting hours, I’m doing him a favor. Usually, when someone gives me $100 million, I listen to him, so I get a lot of attention.” This is how Ra’anan sees things.

In practice, this is a slightly different relationship, since he asks the CISO to work for him as well, and the evidence is the reward. Not just a reward, but a reward that increases the more the manager works with Cyberstarts. The heart of the matter is also in the definition of the word “works”. “My value in working with the CISO is not in the purchase of products, but in his advice,” Ra’anan explained in one of the conversations in response to the criticism directed at him in the industry, “even the portion of the fund, which is very small, is an optional offer and the CISO can waive it. More than half do not want or cannot receive compensation from me because the employer has forbidden them to receive anything. We also ask them to come forth with the employer regarding working with us and provide due disclosure,” he says, passing the responsibility on to the CISO. “As part of the Sunrise process, I want them to commit to at least two meetings – one meeting focused on understanding their ‘pain points’ and the other on understanding the solution. Each of our teams sets up more than 100 meetings with different CISOs, with the second round being more limited. So it ends up with me asking for 24 hours a year from each CISO, plus twice a quarter we hold Zoom meetings with them, and there is one more meeting before the RSA conference,” Ra’anan clarifies.

Here is the place to point out that almost every startup in the cyber field that rises to prominence in Israel has an almost identical twin that is financed by another venture capital fund. It is very easy to point out duos, which are, by the way, a regular feature of Israeli high-tech, which often instead of joining forces and becoming a larger company, burn precious resources competing against each other.

The most well-known case is Wiz against Orca, which is also coming to court these days as part of a war on patents, but alongside them, there is also Cyberstarts’ Island, which competes head-to-head against Team8’s Talon, which was recently sold to Palo Alto. Oasis is fighting against Astrix, and the list goes on. The buzz on the issue is starting to have the opposite effect – a number of entrepreneurs of successful cyber companies who spoke with Calcalist stated that Ra’anan offered to invest in them, but they refused so as not to be tainted by the “Ra’anan model”.

3 View gallery

Founders of Noname Security (bottom right), Oasis Security (top right) and Cyera.

(Photo: Oasis Security, Yossi Zeliger, Menesh Cohen)

The “Ra’anan model” is making waves in the US

The founder of an Israeli startup company in the cyber field describes to Calcalist the meeting with Ra’anan that took place about two and a half years ago when Ra’anan was interested in investing in the new company he founded: “We were sitting in Gili’s famous container in Mikhmoret (where Ra’anan lives and from where he manages the fund – S.S.), and he told us plainly, ‘Come with me, you have already closed the first million dollars in sales. I will do what I know how to do, and round A is also already guaranteed for you.’ We really looked into it and saw that the percentage of companies in Cyberstarts that reach round A is exceptional and stands at more than 90%. Of course, all the funds talk about the fact that they consult with CISOs in the industry and the relationship between them, but no one promises sales.” In response to the claims about the promise to close an A round, Ra’anan told Calcalist: “All Cyberstarts companies have so far successfully raised A rounds and reached impressive sales of millions of dollars from the moment they hit the market. We have a very high confidence that the teams that will work with us in the future will reach similar and even greater achievements.”

Ultimately, and despite the promises, that group of entrepreneurs decided to take an investment from another Israeli cyber fund, not necessarily because they did not feel comfortable with the promises, but because they felt that Ra’anan’s fund was more structured for very young entrepreneurs. “We are not a group that has just been released from Unit 8200, but are older. We were employees for a long period of time before, and Gili is more suitable for very young entrepreneurs because he also takes a very large share of the company compared to other funds, and we also felt that his hug was a little too tight,” adds the same entrepreneur.

The issue of inexperience also comes up in a conversation with the CEO of an American cyber company with Israeli roots: “I may be an outside observer, but as someone who has been working in the cyber industry for 30 years, I know everyone well, and of course, the Israeli companies and the funds. There are a number of very unusual things about Cyberstarts – most funds prefer to invest in seasoned and experienced entrepreneurs, and with Gili, it’s the other way around. With the exception of a few cases, he likes to take teams that are really young and lack business experience, and only have military experience (Ra’anan himself testifies that he prefers to take a team that doesn’t even have a cohesive idea and through the Sunrise process, lead them to the development of the winning product – this is the “Ra’anan model,” if you ask him). These are groups of kids who have never sold anything and never talked to a single CISO in their life, and suddenly they are selling in an amazing way already in the first year. It’s really a miracle,” explains the CEO.

“The second unusual thing is that at Sequoia, and I knew Gili when he was there, he was a good investor, but not amazing or unusual. Ultimately Sequoia closed the fund in Israel that was under his management. Somehow in Cyberstarts, he became the best investor in the world. The performance of the fund is exceptional; I have never heard of a fund that doesn’t fail before. The usual statistic is that one-third of the companies shut down, another third return their investment, and the best third returns all the money and generates the return. A typical return for a venture capital fund that specializes in early stages is a multiple of 5-7 times the money, but in Cyberstarts, they all return more than ten times the money.”

The same list of customers

One of the most talked-about examples in the cyber market is Cyera, which competes head-to-head with mainly Israeli companies in the DSPM market that were all founded around 2021: Eureka of the YL Fund founded by Palo Alto and Microsoft veterans, Sentra founded by a former 8200 commander, Dig of Team8, and Laminar, founded by 8200 alumni who previously worked at Medigate and Magic Leap and were considered the most prominent cyber researchers in the field. According to a cyber industry source familiar with the category, Cyera enjoys an annual sales rate of $20 million while all the others are still fighting for the first million dollars. Meanwhile, Eureka, Dig, and Laminar have given up on working independently and have been sold to Tenable, Palo Alto, and Rubric, respectively, in the past year, leaving only Cyera and Sentra in the game. Cyera, founded by two entrepreneurs immediately after their release from 8200, became a unicorn last April after raising $300 million at a valuation of $1.4 billion. Even before that, it completed an unusual B round in its speed and size of $100 million at a valuation of half a billion dollars. A look at the customer list of Cyera reveals the list of Cyberstarts’ consulting CISOs: ACV, CBOE, and Paramount. In the announcement of the company’s first funding round, Mike Towers, at the time CISO of the pharmaceutical company Takeda, who has since left the position, is cited as a satisfied customer but serves as a consultant to Cyberstarts. Since last April, when it became a unicorn, Cyera has also recruited its own CISO, Lamont Orange, who previously served in this position at the American company Netskope, which is noted as a satisfied customer in a case study of several Cyberstarts portfolio companies.

In the press release of the Cyberstarts portfolio companies, some customers’ names are often repeated. Thus, for example, JLL, an American company in the field of real estate, whose CISO was previously on the fund’s network, appears as a client of both Oasis and Dazz. Chipotle, the giant fast-food chain, is also a client of Oasis, a company that was established less than two years ago. Other clients of relatively young Cyberstarts companies whose CISOs are on the network of consultants include Emerson, Flex, Life Labs, and New American Funding (NAF).

Despite Cyberstarts’ denials, checking the list of clients of the companies in which the fund invests reveals an interesting overlap with the list of CISOs who advise the fund. The most prominent case is Colgate-Palmolive, which is mentioned as a client and even as a “Case Study” on both the Wiz website and the Armis website. The same CIO is no longer employed by the retail giant, and in the newer companies in Cyberstarts’ portfolio, Colgate no longer appears on the client list. Also, on the website of Island, one of Cyberstarts’ successful and rapidly growing portfolio companies, there is a large case study of a company called Ashland, whose CISO’s picture is proudly emblazoned on the fund’s list of consultants. Alternatively, an Israeli CISO of an American high-tech company (who requested to remain anonymous) was forced to part ways with Cyberstarts after the fund discovered that he was also purchasing software from its competitors’ companies, as he advises both Glilot and YL. On the information website Crunchbase, you can still see the Cyberstarts logo next to the name of that CISO, but his name has already been removed from the fund’s website.

In the weeks since Calcalist started working on the investigation, several changes were made to the Cyberstarts website when several CISOs in leading organizations asked to remove their names from it. Among these are the incumbents in the financial giants J.P. Morgan (Gleb Reznik) and Fidelity (Adam Ely).

In Israel, the issue is less talked about, but in the U.S., the discourse on loyalties and conflicts of interest of CISOs has become central, resulting in some executives in these positions being pushed out. In corporate America, of course, the honor of the executives is maintained, but also in the case of Cyberstarts, there are some events that provoke concern. For example, Curtis Simpson, CISO of a large American company called Sysco, which operates in the field of food transportation, was appointed to the position after climbing the corporate ladder for a decade. Sysco employs 70,000 people and is traded on Wall Street at a valuation of $36 billion. However, after only eight months, he found himself out of the position. In August 2019, a few months after his departure, Simpson was appointed CISO of Armis, in which Ra’anan invested, which at the time had sales of a few million dollars and employed several dozen employees. Another coincidence is Karl Mattson, CISO at PennyMac, the American company, who, a few weeks after his quick departure from the American company, was appointed CISO of Noname, a portfolio company of Cyberstarts, which was at the beginning of its journey at the time.

Noname is, by the way, also an example of exceptionally fast growth by a Cyberstarts portfolio company – it became a unicorn in December 2021, only a year and a half after its establishment. From the first moment, quite a few eyebrows were raised in view of the raising of $135 million at a valuation of $1 billion, but Cyberstarts talked about high initial sales that grew quickly. However, later on, after the first steroid boost, the company was unable to take off on its own, and a month ago, it was sold to Akamai for only $450 million. Sources close to Noname say the company reached sales of $35 million thanks to “excellent” employees.

Unfair competition against competing startups

Working closely with the CISO is not unique only to Cyberstarts, and the websites of most fund’s list dozens of names on the advisory committee. Every fund that specializes in cyber, both Israeli and American, has such an array of advisors. Often, there is also overlap, and the same CISO works with several funds. The difference is in the reward model. In Israel, alongside Cyberstarts, there are three other venture capital funds with a similar profile – Glilot Capital founded by Kobi Samborsky and Arik Kleinstein, YL founded by Yoav Leitersdorf who operates from the U.S., and Team8 founded by Nadav Zafarir. All of them are connected in Israel, most of them are Unit 8200 alums themselves, and they helped create an assembly line of cyber successes.

Glilot and Team8 do not have a compensation mechanism for the CISO, and the work is based more on a professional relationship, as well as pricey dinners as is also customary in the American funds. In the case of Team8, thanks to Zafrir’s connections and shining image, a former commander of Unit 8200 who also served in Sayeret Matkal (General Staff Reconnaissance Unit), he usually “seduces” the CISO through meetings with him and also with “security” figures such as Yossi Cohen, the former head of the Mossad, or Danny Gold, who headed the development of the Iron Dome missile defense system.

The YL fund uses a method closer to that of Cyberstarts, and it also offers a small carry in the fund’s general partner in exchange for advice, but it explicitly states that a CISO who will work with it will undertake to disqualify themselves from procurement decisions, meaning that they will only define the need but will not be part of the decision on which company’s solution to go for. Also, YL does not have the points model and loyalty program. “The consulting thing also happens in the American funds, it’s not an Israeli invention, but everyone behaves differently from Cyberstarts – no one rewards a purchase. We have reached a situation where CISOs who receive requests for consulting immediately ask what reward mechanism the fund provides,” says a senior official in the Israeli cyber industry.

The whole CISO advisory committee issue has gotten out of hand for corporate America. “Most of the executives in the organization do not understand the intricacies and therefore must trust the CISO, this is a first-class position of trust, like a CFO,” explains a former Israeli who serves in a senior position in an American company that dealt with the CISO’s loyalty issue. Beyond the unfair competition that the model generates for other startups, the issue raises questions regarding the management of investors’ funds in Ra’anan’s fund, the CISO who makes decisions not necessarily based on business considerations, and exposes the entire clientele of the organizations, from banks and insurance companies to automobile or food companies, to potential cyber vulnerabilities. The former Israeli adds: “Recently, there are quite a few places where trust is shaken, and in the end, this reflects negatively on Israel as well, certainly in a time like today when we are under focus. Israelis are very well known for their ability to think outside the box, but at some point, it comes to the fear of conflicts of interest, and that damages the very clean image of Israeli high-tech.”

Gili Ra’anan, founder of Cyberstarts, said in response to the Calcalist investigation: “There were rumors and there will probably continue to be rumors, it’s something that comes with success. I clearly say that we have never rewarded CISOs beyond the transparent model.

“No CISO has ever received compensation for purchasing products; the answer is simple and absolute. They receive 4% of the success fees of the general partner (GP) in the fund. The percentages are updated according to the level of participation, the more time you spend with early-stage entrepreneurs, and the more time you spend in feedback conversations with the fund. They are never related to a specific company, but only at the fund level.

“Do some of the consulting CISOs buy products of our companies? Absolutely yes, and each of our companies will have companies of the consultants on the client list. I am proud that in six years we have become one of the absolute best funds in the world. We achieved this by listening to customers. I hope and I am convinced that our companies build products that are better suited to the needs, to the pains that exist in the market, because we really invest a lot of time, compared to any other organization I know, not running and building a product, not running and building code, but simply sitting quietly and really listening to what the potential customers really want.”

Referring to the “Gili Ra’anan model”: “For me, Gili Ra’anan’s model, the method that works, is the questions I ask the teams of entrepreneurs who come to me. I don’t ask them about the unit they were in at 8200, nor about the technology, but about their lives and their path, about childhood and their mother. I’m not looking for the smartest, but rather I prefer to invest in an underdog, someone who has experienced something challenging in life. I’m proud of my ‘hit rate’: out of 15 such teams that I’ve invested in, five have become unicorns and subsequently maybe we will even reach 15 out of 15.”

On the removal of names of CISOs from the fund’s website: “Each CISO removed from the fund’s website is no longer a board member or has requested not to appear on the website.”

Regarding the recruitment of CISOs from large American companies to startups in the fund’s portfolio: “Many cyber companies in the growth phase have a CISO, usually to contribute knowledge about the need in the market, and help with product marketing.”

On the potential for a CISO’s reward from the fund’s performance, which can reach a million dollars over the years: “I wish. It depends on the fund’s success.”

Cyberstarts denies that they canceled the agreement with a CISO who also purchased products from other companies.

Cyera said in response: “Cyera is successful because it is fully focused on customers and their pains and is building the strongest team in the industry, in order to provide a simple and efficient answer to all their problems in the world of data security.

“The two entrepreneurs moved to New York a few years ago, from an early stage in the company’s life, in order to be in the market in the most organic way, and they spend an average of five days a week on flights to meet customers face-to-face all over America. The Cyberstarts platform allowed the entrepreneurs to rub shoulders with the leading factors in the market in a significant way and acquire the deepest and widest understanding of the customers’ problem and from that to build the most powerful product in the field.”

Armis said in response: “Curtis Simpson was a client of Armis from 2017 (Cyberstarts was established in 2018). He then left and worked for a consulting firm for several months. Only after that was he recruited to Armis.”

No response was received from Noname.



Fuente: https://www.calcalistech.com/ctechnews/article/b1a1jn00hc