Fund II closed at €72M in September 2022, with Martijn joining as General Partner to lead deployment. As we move into Fund III, it is worth recording what we got right, what we misjudged, and what we would do differently. Not for external positioning — this kind of reflection is primarily useful to ourselves and to the founders we work with — but because the security infrastructure market is moving fast enough that we should not assume our 2022 mental models remain current without testing them against what we have actually observed.
The pattern we got most consistently right in Fund II was the detection engineering thesis. Our conviction that the SOC tooling market was shifting from indicator-centric to behaviour-centric detection — and that the companies building detection infrastructure around behavioural baseline modelling would out-perform pure signature and rule-based approaches — played out across multiple portfolio investments. The operational technology integration investments, the cloud workload anomaly detection category, and the expansion of EASM from discovery to exploitation validation all reflected this view, and the market validation has been consistent. Enterprise security operations teams that invested in behavioural detection capabilities faced materially better outcomes against living-off-the-land and supply chain attack patterns than those that remained primarily rule-based. We backed this thesis across several Fund II investments, and the portfolio performance reflects it.
The area where we were too early was the European enterprise appetite for developer security tooling at the smaller end of the market. Our thesis that developer security platforms with strong shift-left integrations would achieve rapid adoption in European mid-market development teams under-estimated two friction factors. First, European enterprises in the 200-500 employee range often have relatively centralised development environments — fewer developers per organisation, less CI/CD sophistication — that make the pull-request-integrated security model less immediately applicable than it is in US-style fast-moving development teams. Second, the procurement cycle for security tooling in European mid-market companies is longer and involves more stakeholders than we modelled. Both factors slowed adoption curves and extended time-to-revenue for companies in this category more than our initial projections anticipated. Fund III incorporates this learning: for developer security in European mid-market, we are looking for companies with a clearer enterprise-first go-to-market from day one, rather than a bottoms-up developer adoption model that works better in markets with higher developer velocity.
The supply chain security category generated more significant deal activity than we initially planned for Fund II. The SolarWinds compromise in late 2020 and the Log4Shell vulnerability in late 2021 — both occurring during the Fund II investment period — crystallised an enterprise security concern that had been theoretical for most organisations. The consequences of third-party software supply chain compromise for security operations programmes, compliance postures, and incident response capabilities were made concrete and legible to a broad audience of enterprise security buyers. This accelerated the market for software composition analysis, build pipeline security, and software bill of materials (SBOM) tooling in ways that brought forward demand we had expected to take longer to develop. We benefited from this acceleration in our developer security investments, though the category also attracted competitive intensity that required our portfolio companies to sharpen their differentiation narrative faster than we had modelled.
Looking at Fund II as a whole: the investments we are most confident in are those where the founding teams had specific, operational depth in the problem they were solving — teams that had run production security systems, performed red team operations against real-enterprise targets, or shipped identity verification products at meaningful scale. The companies where we have less conviction are those where the founding team's expertise was more analytical than operational. Security infrastructure products built by teams that have operated in production environments have a different texture — in the user experience decisions, in the handling of adversarial edge cases, in the operational monitoring capabilities — than products built by teams approaching the problem from a software engineering perspective without that operational background. We have updated our diligence process for Fund III to weight operational depth more heavily in the founding team evaluation, particularly for detection and response categories where the gap between a technically correct product and a production-ready product is most consequential.