Cybersecurity startup founders roundtable

Most advice about starting a company collapses into a checklist: validate the idea, hire well, raise money, stand out. This roundtable, moderated by LimaCharlie co-founder Christopher Luft, did something more useful by accident. It put three founders in a room (Corey White of Cyvatar, Roselle Safran of KeyCaliber, and LimaCharlie's Maxime Lamothe-Brassard) and surfaced the places where they flatly disagree. The disagreements are the interesting part, because they reveal that the early-stage decisions everyone treats as settled best practices are actually bets, and which bet is right depends on who you are and what you are building.

The market does not have a single right answer, and pretending it does is the trap

The clearest fault line ran through the question of how a young company stands out when, as Luft put it, there are thousands and thousands of security vendors. Roselle's view was disciplined and almost conservative. The market is already drowning in noise, made worse by investor dollars propping up companies that would otherwise have fallen by the wayside, so a small startup cannot afford to invent a new product category. The cost of educating buyers into a category that does not exist yet is more than a tiny company can sustain. Her answer was to fit into a category buyers already understand, asset management, and win on a sharp twist inside it, in her case layering a risk and impact view onto an automated asset inventory so customers can act on what matters most instead of staring at a flat list.

Corey took the opposite bet and said so directly. He could not get away from creating a new category, and he built a brand around his own personality to do it, peace-love-Cyvatar marketing and a South by Southwest talk titled "love versus fear" rather than another booth shouting about its MDR solution. He was candid that this path requires getting the word out far more aggressively, but he argued social media had lowered that cost, and that defining a new category gave him the standing to say the rest of the industry was solving the wrong problem. Cyvatar's pitch is that it solves root cause so customers do not get alerts, which only lands as a claim if you have refused to be a plus-one to everyone else.

Maxime sat between them, closer to Corey in spirit. His framing was the "sandbox": define the space you play in, hold a genuinely strong vision inside it, and accept that not everyone will adhere to that vision as long as the people who do adhere strongly. He has no strong opinion on areas outside his sandbox; he has a very strong one on security infrastructure and transparency into security posture, which is where LimaCharlie lives. The payoff he described is the one that matters most to a resource-constrained company. When the people who align with your vision spread the word for you, you reach more buyers without matching a competitor's marketing spend dollar for dollar.

For an MSSP or MDR leader deciding how to position a new service line, the lesson is not which founder was right. It is that the choice between fitting a known category and staking out a new one is a real strategic fork with different costs, and the comfortable, familiar option is not automatically the safe one.

Customers, not investors, decide what you build

Where the panel did converge, the agreement was sharp enough to be a warning. Opinions are free and paying customers are the only signal that counts. Roselle described talking to potential customers constantly, because your view of the world is rarely theirs, and the goal is to build something a plurality of people value enough to pay for. Maxime put the same idea in harder terms: until someone puts money down, you have an opinion, not a validated need. Corey treated it as continuous pivoting, and only after his first few customers and sales approaching a million did he decide the thing was real enough to raise against.

That consensus set up the panel's most pointed caution, which is that investors actively pull you away from this discipline. Corey was blunt that if he had listened to VCs and their advisors, he would not have solved a customer problem, because what a customer wants and what a VC will fund are often different things. He had to solve the customer problem first, then find investors who were already interested in funding that solution. Roselle sorted VCs into three buckets, neutral money, net-negative partners who impose their worldview and create friction, and genuine value-add partners who bring expertise and network. Corey added two unsentimental codas: do background checks on your VCs, asking for references and talking to their portfolio companies before you take their money, and accept that fundraising is like speed dating, many conversations to find one fit, where sometimes survival just means taking the money. The throughline is that customer-validated demand has to stay the anchor, and capital is a constraint you manage around it, not a substitute for it.

The quieter agreements: hire for adaptability, and earn the scars first

Beneath the disagreements were two pieces of hard-won alignment worth carrying into any operation. On hiring past the founding core, everyone leaned on the network first, then offered filters for when the network runs out. Maxime screens for people who can hold a different opinion and argue it constructively, because an early company is optimizing for 150 different variables at once and nothing will be perfect in every dimension. Roselle uses a three-month try-before-you-buy contract for key roles so both sides can see if it is a good fit, and asks candidates what they do when they do not know something. Corey wants people crazy enough to join a startup, the ones who would do the work even if it were not work.

On experience, Roselle's years on the operational side of security were, in her telling, crucial, because she had felt the pain points and heard peers confirm the gaps. Maxime extended it to company size, arguing that having worked at a large shop like IBM and at a small one gives you a feel for how differently people experience the same industry. For anyone running managed security today, that is the most direct takeaway in the session. The work of operating across many client environments is not just the job. It is the groundwork that makes whatever you build next credible.