

We have included major competitors, industry gaps that indicate opportunities, the identified market size for cybersecurity solutions and bug bounty programs, industry forces, etc. The primary focus of this research is bug bounty, but we have also included aspects of the overall cybersecurity industry. We have found that bug bounty programs are still at an early stage and there is significant room for growth. Also, the pandemic has accelerated online adoption, which in turn will increase the pace of demand for cybersecurity solutions.


  • TAM (Total Addressable Market) size: for TAM we have considered the global market size for cybersecurity solutions. The global cybersecurity market size for 2021 is around $200 billion (Statista). It is expected to reach almost $250 billion by 2023. The market has grown at an average rate of 10% for the period of 2017-21.
  • SAM (Serviceable Addressable Market) size: for SAM we have considered the global market size for bug bounty hunting programs. The global market size is $223.1 million as of 2020 and it is projected to reach almost $5.5 billion by 2027 (Alltheresearch). So the forecasted CAGR for the period of 2020 to 2027 is 54.4%.


94% of Forbes Global 2000 companies do not have known Vulnerability Disclosure Policies (VDPs). Only 8% of airlines, 10% of auto & truck manufacturers and around 15% of consumer financial services have VDPs. This indicates growth potential for the bug bounty industry. It is estimated that by 2022 Crowdsourced Security Testing Platform products and services will be employed by more than half of enterprises (Bugcrowd).


For the competitive analysis, we only included platforms that facilitate bug bounty hunting programs. We have highlighted the solutions they offer, their pricing, earnings, number of participants, etc.

  • HackerOne: HackerOne is one of the largest platforms for connecting white hat hackers with organizations. Their estimated annual revenue is $58 million (Zoominfo) and to date they have raised around $110.4 million (Crunchbase). The payout to hackers depends on severity. For example, a bounty for a low-level vulnerability can be $100, whereas the average bounty on the platform is around $3.6K. To date, $100K is the highest individual bounty earned for a critical vulnerability on HackerOne. HackerOne does not charge hackers who use the platform; rather, it charges enterprises a processing fee of 20% of the bounty amount awarded in addition to an annual subscription fee (Hackerone). Also, on cash bounty payouts enterprises have to pay a 5% payment processing fee (Hackerone). The hackers receive payments through bounties, swag and bonuses. Up to 2020, hackers on the platform made around $100 million and over 170K vulnerabilities have been uncovered through 2K customer programs (Businesswire). Their major strength is the large and diverse collection of ethical hackers on the platform.
  • Bugcrowd: it is also a leading platform. The number of VDP (Vulnerability Disclosure Program) submissions on the platform increased by 50% during the pandemic (Bugcrowd). Enterprises first define the attack surface they wish to harden; then, depending on the type of program, an enterprise can either publish the program or engage a more limited set of researchers in a private invite-only program. In 2018, Bugcrowd launched Bugcrowd University, which provides free security training to researchers. To date they have raised close to $79 million (Crunchbase) and their revenue is estimated to be $127 million (Zoominfo). Bugcrowd pays 100% of the bounties earned to the researchers and generates revenue from enterprises. Their solutions are relatively customizable and prices are quoted after details on requirements are provided.
  • Intigriti: they claim to be Europe’s No. 1 ethical hacking and bug bounty platform. To date they have raised $4.7 million (Crunchbase) and their estimated annual revenue is $7 million (Zoominfo). They offer agile security testing to help prevent security breaches. Companies can either publish a bug bounty program or handpick researchers. The Intigriti platform comes with a measurable built-in process to follow up on all the vulnerabilities. An enterprise will have access to over 30K independent researchers across the globe on this platform.
  • YesWeHack: they have two programs, Private and Public. In Private mode enterprises select researchers using invites, and in Public mode the task is posted so that it can be accessed by researchers on the platform. It is reported that they have received $4.7 million (Crunchbase) and their annual revenue is estimated to be $6 million (Zoominfo). Only researchers who submitted the first valid report are rewarded. Researchers are rewarded according to the level of severity. The positive aspect of YesWeHack is that they support companies in setting up VDPs by helping to craft the contents, create a VDP webpage and set up a structured form for submitted reports. In turn, companies benefit from higher quality reports on their security vulnerabilities and spend less time on irrelevant reports and internal vulnerability management.
  • Synack: they pride themselves on recruiting qualified veterans to the team, empowering them with the right tools and deploying them. Their payouts depend on the nature and severity of the vulnerability detected. For example, checking for default passwords will earn $25 to $50, while an ad-hoc mission can exceed $100 in payouts. On average, vulnerability payments range between $600 and $900. Synack publishes a list of minimum and high payments for vulnerabilities. There is a minimum qualification requirement that a researcher must meet to remain active. Its estimated annual revenue is $42 million (Zoominfo) and to date they have raised around $107.5 million in funding (Crunchbase).
  • Yogosha: this is a crowdsourced cybersecurity platform enabling collaboration with talented hackers to detect and fix vulnerabilities on critical systems. More than 100 companies secure their system applications with Yogosha. Yogosha’s total funding to date stands at $3.9 million (Crunchbase) while their estimated annual revenue is $3 million (Zoominfo).
  • Cobalt: it provides a penetration testing as a service (PtaaS) platform. It is a cybersecurity platform that connects human penetration testers with companies looking to test their software. Cobalt has more than 500 clients and around 300 penetration testers on its platform. Cobalt’s estimated funding to date is $37 million (Crunchbase) and it has an estimated annual revenue of around $42 million (Zoominfo).
  • HackenProof: it is a bug bounty and vulnerability coordination platform that connects white hat hackers to companies and helps them uncover security vulnerabilities before exploitation. The platform has more than 4.6K researchers who have reported more than 750 bugs and have been paid more than $300K in bounties. HackenProof’s estimated annual revenue is $4 million (Zoominfo).
  • HackTrophy: in cooperation with ethical hackers, HackTrophy works to identify security vulnerabilities to protect sensitive data from black hat hackers. Their solutions include Short Term Project, Long Term Subscription, Corporate Program and Tailored for You Program (Hacktrophy). In their first year of operations more than 200 vulnerabilities were reported. They have more than 450 white hat hackers on their platform. Its reported revenue is $4 million (Zoominfo).
  • Zerocopter: this is an invite-only and relatively closed platform for security researchers who work on finding vulnerabilities. The client’s annual subscription is based on the number of projects. The Starter Package costs €1 per month for up to 3 projects, the Professional Package costs €2.5 per month for up to 10 projects and the Enterprise Package costs €5 per month for up to 25 projects (Zerocopter). Researchers are paid depending on the severity of the bug reported. Low vulnerability bugs are paid between €50 and €150, while critical vulnerability bugs can generate between €1.5K and €5K. Their total funding amount to date is $1.5 million (Crunchbase) and they generate an estimated annual revenue of $4 million (Zoominfo).
  • SafeHats: they host skilled personnel in their ethical hacking team. According to Zoominfo their annual revenue is $3 million. Their Enterprise Bug Bounty Program is divided into 3 segments: Walk, Run and Fly. The Walk Program is designed for relatively small enterprises that are just starting to improve their system security. The Run Program, on the other hand, is designed for mid-sized enterprises that already know their security objectives but wish to outsource the activity. In the Fly Program enterprises have more control, as they have access to verified researchers.


  • Financial Institutions & Banks: banks lost $16.8 billion to cybercriminals in 2017 (Forbes). In addition, almost 75% of financial institutions experienced an increase in cybercrime (Businesswire). The industry is facing growing demand to adapt to changing consumer behavior towards online banking adoption, which involves interacting through apps and other online platforms. These changes further widen the vulnerabilities for banks and financial institutions. In addition to the financial losses, they have to face an adverse impact on their reputation.
  • Energy and Power Utilities: power plants and transmission lines are generally regarded as among the most essential infrastructure. Hackers used to target Energy and Power Utility companies’ IT infrastructure, but more recently they’ve been attacking SCADA software, which allows them to control critical physical assets such as power plants, substations, transmission and distribution networks. According to estimates, a cyber assault on the US electricity system may cost the country $1 trillion.
  • Telecom and Communications: according to GSMA, global carriers have invested more than $1.3 trillion in their wireless networks since 2010 (Spratings). This sector includes satellite companies, internet providers, telephone corporations, etc. The industry creates and maintains sophisticated networks while also storing large quantities of sensitive data about people and businesses. These are some of the factors that make this sector more profitable for bad actors or hackers. The security vulnerabilities of telecom equipment have grown significantly over time and currently occupy a significant portion of the threat environment.
  • Government & Defense: the 2021 US Govt. budget for cybersecurity was $18.8 billion (Mordor Intelligence). The adoption of various technologies and online network-based mechanisms in the defense sector has made it more vulnerable to cyber attacks. Therefore it is one of the most vulnerable sectors for cyber attacks.
  • Healthcare: attacks on the healthcare industry resulted in almost $21 billion worth of downtime during 2020 and hackers collected $2.1 million in ransom payments (Comparitech). It costs $1.4 million on average to recover from cyber attacks in this sector (Health IT Security). In hospitals, digital infrastructure spans all the way from the back office networks and patient record systems through to connected medical devices and IoT equipment. A recent major incident was a cyber attack on a major hospital chain, Universal Health Services. They faced issues across 400 locations with accessing patient info and similar activities. Shares of the health care provider fell around 4.2% following the incident and they faced $67 million worth of losses due to the attack (Healthcare IT News).


The spread of Covid has resulted in a number of changes in how we work: 47 percent of people fall for a phishing scam while working from home, and more than half a million people worldwide were affected by breaches in which personal data of video conferencing users was stolen and sold on the dark web between February and May 2020 (Deloitte). 50% of enterprises were concerned about increased cyberattacks due to a shift in work patterns alone (Weforum).


Porter’s 5 Forces:

  • Competitive Rivalry: medium. There are close to 15 key competitors globally who are providing bug bounty related solutions. It is important to note that most of them do not offer an incubator-style program involving recruitment, training and grooming of young talent in one place. In addition, there is no such program in Africa.
  • Bargaining Power of Talents: low. As of 2019 almost 44% of the Nigerian population is within the age bracket of 0-14 years and almost 54% is within the age bracket of 15-64 years (Statista). This indicates a large pool of young individuals, so there is an ample supply of talent, which in turn indicates lower bargaining power for them.
  • Bargaining Power of Target Market: medium. There is a limited number of platforms offering similar services, as mentioned in the competitive landscape analysis. Therefore the bargaining power of our target market can be considered to be at a medium level.
  • Threat of Substitution: low. There is no alternative to manual bug hunting to date and it is highly unlikely that humans will be completely removed from the process. Therefore we believe that the threat of substitute solutions is relatively low.
  • Threat of New Entry: medium. It requires significant resources to set up training and grooming facilities for young talent. In addition, it requires significant investment and time to build brand awareness and trust so that large organizations are interested in working with a particular bug bounty platform. Therefore the threat of new entrants is at a medium level.

PEST Analysis:

  • Political: the Pioneer Status Incentive in Nigeria can be a great boost for our startup. The unemployment rate in Nigeria is around 32.5% as of 2021 (Statista) and our startup can contribute to solving this issue, which should make us eligible for the Pioneer Status Incentive. We plan to train young individuals across Nigeria and provide them with the necessary infrastructure to improve their lives, which in turn will create a positive image and help in terms of regulatory incentives. Key benefits of the program include a tax holiday for three years, which can be extended by one or two additional years, and tax-free dividends.
  • Economic: as of 2019 the GDP of Nigeria is almost $450 billion and during the period the growth rate was 2.2%. Around 98% of the funds raised by Nigerian startups are through FDI (Techpoint Africa). All these economic factors indicate that the current economic landscape in Nigeria is suitable for our startup.
  • Social: Nigeria has a high proportion of young people, which is suitable for our business model. In addition, around one third of the population is unemployed, so this will also make our talent sourcing process much easier and we can also source talent at a relatively lower cost. It is important to note that talented young individuals across Nigeria are going astray by getting involved with the scamming industry, which has an adverse impact on the country’s reputation. So if we can help young talent across Nigeria to develop their profession, it can act as a great PR booster for us and help us build a positive relationship with the Govt. and regulatory bodies.
  • Technological: as of 2020 the internet penetration rate across Nigeria is close to 50%. This figure is projected to cross 65% by 2025 (Statista). In addition, Nigeria has the largest number of startups in Africa, which indicates that the country has ample tech infrastructure to support our vision.
