Insights

The Best Cyber VCs Were Operators First

Cyberstarts, Team8, Ballistic, SYN: cybersecurity's top VCs were founded or led by ex-CEOs, ex-CISOs and Unit 8200 alumni. Why that operator DNA wins.

By Alexej Pikovsky  ·  Updated

Gili Raanan led the seed round into Wiz in 2020. On 11 March 2026, Google closed its $32bn acquisition of Wiz, the largest buyout of a venture-backed startup ever recorded and the biggest deal in Google's history. Raanan did not learn to spot that shape in a partner meeting. He built the web application firewall category himself, sold his company Sanctum for $40M, spent nine years as a general partner at Sequoia, then went out on his own and wrote the check that made the record book.

That is the pattern worth naming: the checks that define cybersecurity venture were mostly written by people who used to be the ones needing the check. The best cyber VCs were operators first. They ran the product, commanded the intelligence unit, signed the purchase order as a CISO, or took a company to exit before they ever managed a fund. Their edge is not a spreadsheet. It is having lived the exact go-to-market a founder is now pitching.

This site already has a full roster of the most active cybersecurity VCs, ranked by deal count, check size, and fund size. That page tells you who is writing and how much. This one is different. It argues a single causal claim, using verified operator biographies as the evidence: operator DNA at the general-partner level changes what gets funded and how founders get helped. For the full list of active checks, use the roster. Read on for why the checks that actually matter come from people who have run the company being pitched. I have sat on both sides of that table, as an operator and an investor, and the difference in the room is not subtle.

The four kinds of operator credential

Not all operator pedigree is the same, and grouping these funds alphabetically or by AUM hides the useful part. The credential that matters is what the partner actually did before they invested. Four types recur, and each one changes the kind of founder the fund is built to help.

The operator credential behind the fund
Credential typeWhat they did before investingFunds in this piece
Built and sold the productFounded, built, or ran a security product to exitCyberstarts (Raanan), Ten Eleven (Doll), Ballistic (Meftah, Thornton)
Commanded the talent pipelineRan the military or intelligence units that produce security foundersTeam8 (Zafrir), DataTribe (Janke, Witt, Joyce)
Signed the purchase ordersSat in the CISO seat deciding what to buySYN Ventures (Leek, Heim)
Compounded multiple exitsSerial CEO who ran several security companies to exitNightDragon (DeWalt), Ballistic (Mandia), Forgepoint (Yepez)

The builders who sold the product

Start with the people who built the thing. This is the most direct version of the credential: a founder pitching an application-security or threat-intel product is pitching someone who shipped exactly that, sold it, and knows where the go-to-market bodies are buried.

Gili Raanan, Cyberstarts

Raanan founded Sanctum in 1997, built AppShield (the web application firewall) and the AppScan pen-testing tool, and is widely credited with inventing CAPTCHA. Sanctum sold for $40M in 2004. He founded a second company, nLayers, acquired by EMC, then ran strategy there. He spent roughly nine years as a general partner at Sequoia Capital before founding Cyberstarts in 2018 and leading the Wiz seed round. The Google-Wiz close was $32bn. A partner who built a security category himself is unusually good at recognising when a founder is building the next one rather than a feature.

Alex Doll, Ten Eleven Ventures

Doll co-founded PGP Corporation in 2002, served as its founding board member and CFO, then became COO before Symantec acquired PGP in 2010. In 2014 he founded Ten Eleven Ventures, the first venture fund dedicated solely to cybersecurity. The firm says it has since raised over $1bn across three funds and invested in more than 70 cybersecurity companies across 13 countries. Its well-documented individual wins include Darktrace (IPO), Cylance (acquired by BlackBerry), and Hexadite (acquired by Microsoft). Doll turned an operator's read on encryption and enterprise security into the template every later cyber-specialist fund copied.

Barmak Meftah and Roger Thornton, Ballistic Ventures

This is the strongest same-company pairing in the whole set, and it is worth slowing down on. Thornton founded Fortify Software in 2002, backed by Kleiner Perkins, and moved application security from perimeter defense to source-code analysis. HP acquired Fortify in 2010. Meftah was Fortify's chief products officer and moved into HP's enterprise security unit on the same acquisition. Then both went to AlienVault: Meftah as CEO from 2012, Thornton as CTO. When AT&T bought AlienVault in 2018, Meftah became president of AT&T Cybersecurity (Ballistic's own bio credits his leadership with making it one of the world's five largest MSSPs) and Thornton ran products and technology. In December 2021 the two of them co-founded Ballistic Ventures together.

Sit with that. Two partners who ran product and CEO functions at the same two companies, in sequence, before becoming co-general-partners at the same fund. A founder building an app-sec or threat-intel product at Ballistic is not pitching generalists pattern-matching from a distance. They are pitching two people who lived that precise go-to-market twice.

The operators who came out of government cyber

The second credential is rarer and harder to fake: partners who came out of the military and intelligence institutions that produce many cyber founders. Zafrir ran one of those institutions outright; the DataTribe founders worked inside them.

Nadav Zafrir, Team8

Zafrir established the IDF's Cyber Command and served as commander of Unit 8200, Israel's signals-intelligence agency often compared to the NSA, retiring as a brigadier general. He co-founded Team8 in 2014 with two other 8200 alumni. Team8 states $1.5bn in AUM on its own site, and its portfolio includes Claroty, which became Team8's first unicorn in 2021 and effectively defined the operational-technology security category. In December 2024, Zafrir left day-to-day Team8 leadership to become CEO of Check Point, which is itself a data point for the thesis: at this level the boundary between operator and investor barely exists. He went from commanding an intelligence unit, to building a venture studio, back to running a public security company.

DataTribe: the studio built out of the Beltway

DataTribe is a venture studio rather than a standard fund, co-founded in the mid-2010s by Mike Janke (former Navy SEAL Team 6 and founder of Silent Circle), Steven Witt (former CIA IT officer), and Bob Ackerman (founder of Allegis Capital, one of the original cyber-only funds). A studio co-builds companies from the earliest stage rather than just writing checks into existing ones. Dragos became DataTribe's first unicorn in 2021, five years after DataTribe became founder Robert Lee's first institutional partner. In January 2025 the studio added Rob Joyce, former NSA director of cybersecurity, as a venture partner after 34 years of government service.

One honest note, because this piece is not a highlight reel. Not every DataTribe-linked name is a clean win. ZeroFox went public via a $1.4bn SPAC merger in 2022, then was taken private at roughly $350M in 2024, about a 75 percent decline. Operator pedigree improves the odds. It does not repeal them.

The buyers who used to sign the cheques

The third credential is the one founders underrate most: partners who were the customer. In enterprise security, the hard part of the sale is rarely the technology. It is getting a CISO to commit budget. A fund run by former CISOs shortcuts exactly that.

SYN Ventures is the clean example. Jay Leek was chief information security officer at Blackstone. Patrick Heim was head of security at Dropbox and chief trust officer at Salesforce. They co-founded SYN Ventures in 2021, and the fund is explicitly built around a network of practicing CISOs used to source and validate deals, not just a partner rolodex. The confirmed fund history is a $165M debut, a roughly $300M second fund, and a third fund reported at $206.1M+ toward a $300M target. Portfolio wins include the unicorns Halcyon and Transmit Security, plus eight acquisitions, most recently SquareX, acquired by Zscaler in early 2026.

Here is my operator read, labeled as judgment rather than data. If the technologist is the hard part of your company, a builder-led fund is the better room. If the buyer is the hard part, a CISO-led fund like SYN can warm-intro you past a nine-month enterprise sales cycle, because the person making the introduction used to be the person you are trying to reach.

The serial CEOs who compounded exits

The fourth credential is accumulation: partners who ran several security companies to exit and folded the pattern-recognition into a fund.

Dave DeWalt is the archetype, a four-time CEO across Documentum, McAfee (through Intel's acquisition), and FireEye. His firm NightDragon, founded in 2012, closed a $750M growth fund. Kevin Mandia founded Mandiant, ran it as CEO through Google's acquisition, then was named a general partner at Ballistic Ventures. Mandia then went back to full-time operating as CEO of Armadin, a new AI-focused cybersecurity company, while still a Ballistic GP. That is operator DNA that does not switch off. Alberto YƩpez ran enCommerce and Thor Technologies to exits, and served as Co-CEO of Entrust, later acquired by Thoma Bravo, before co-founding Forgepoint Capital, now over $1bn in AUM.

Ted Schlein is the deliberate exception in this group, and worth flagging for accuracy. Schlein spent nearly three decades at Kleiner Perkins as one of mainstream venture's earliest dedicated cybersecurity investors, backing 30-plus founders to exit including ArcSight, Fortify, and IronNet. He is a career VC, not a former CEO. His role at Ballistic is the one who assembled the operator team, launching the firm's $300M debut fund in 2022 and an oversubscribed $360M second fund in 2024. The tell is that even the pure investor built his fund by recruiting operators around him.

What this means if you are raising

The practical read for a founder is that fund size and operator depth are different variables, and you should optimise for the second at seed. NightDragon's $750M growth fund and Forgepoint's $1bn-plus AUM are larger than most of the founder-led seed funds here, but stage and check size are what the active-VC roster is for. This piece is about who you actually get in the room. Match the operator credential to your hardest problem.

Which operator fund fits which founder
Your hardest problemCredential you want in the roomExample
Building a genuinely new security categoryIntelligence-pedigree category creatorsCyberstarts, Team8
Nailing app-sec or threat-intel go-to-marketBuilders who shipped that exact productBallistic (Meftah, Thornton)
Getting past the enterprise buyerFormer CISOs who signed the POsSYN Ventures
Co-building from zero with a small teamA venture studio, not just a checkDataTribe
Scaling a proven company toward exitSerial CEOs with growth capitalNightDragon, Forgepoint

Two more things I would tell any founder. First, pitch the operator, not just the fund; the value is the specific person's lived go-to-market, so know whose portfolio you would sit in before you take the meeting. Second, verify self-published fund figures before you trust them in a pitch-deck comparison. Several of these firms' own AUM numbers do not reconcile cleanly across sources, so ask a fund directly for its current dry powder rather than trusting a marketing page. This is the same discipline that separates early-stage operator VC from the later-stage buyers in private equity's move into cybersecurity, and it is why the analyst Ross Haleliuk has built a following writing about exactly these go-to-market dynamics in his Venture in Security newsletter and his book Cyber for Builders.

If you want the full list of who is writing checks and how big, that lives in the active cybersecurity VC roster. If you are trying to understand where the categories these funds chase actually sit, I mapped that in the cybersecurity market map. And if you own a company these operators might one day fund or buy, the same operator-versus-financial-buyer logic runs through everything I write about the market. I spent a decade in investment banking and private equity before I ran growth for cyber and MSP firms, and the single most reliable signal I have found is this: the people who write the checks that matter are usually the people who once needed one.

Frequently asked questions

Why do so many top cybersecurity VCs come from operating roles instead of finance?

Because security buyers and security founders both respond to lived credibility. A partner who built and sold a web application firewall, commanded an intelligence unit, or signed purchase orders as a CISO can judge a founder's go-to-market from experience rather than a spreadsheet, and can open doors a career financier cannot. Gili Raanan built Sanctum before founding Cyberstarts and leading the Wiz seed. Barmak Meftah and Roger Thornton ran the same two companies before co-founding Ballistic. The pattern repeats because operator credibility is the scarce input in a market where the technology is complex and the buyer is hard to reach.

What is the difference between a CISO-led fund like SYN Ventures and a founder-led fund like Cyberstarts?

They solve different halves of the sale. SYN Ventures was co-founded by Jay Leek, former CISO at Blackstone, and Patrick Heim, former head of security at Dropbox and chief trust officer at Salesforce, and is built around a network of practicing CISOs who source and validate deals. It is the right fit when the hard part of your company is getting the enterprise buyer to commit budget. Cyberstarts, founded by former Unit 8200 operator Gili Raanan, is built around category creation and is the better fit when you are inventing a new security category rather than selling into an established buying process.

Is Team8 still an active cybersecurity investor now that Nadav Zafrir is CEO of Check Point?

Yes. Zafrir stepped away from day-to-day Team8 leadership in December 2024 to become CEO of Check Point, but Team8 continues as an active investor and studio with its other co-founders. Zafrir remains a co-founder of the firm. His move from investor back to operating CEO actually reinforces the point that at this level the line between operator and investor is thin: he ran Unit 8200, built a venture studio, and is now running a public security company.

How much did Google pay for Wiz, and who backed it early?

Google completed its acquisition of Wiz for $32bn on 11 March 2026, the largest acquisition in Google's history and the largest-ever buyout of a venture-backed startup. Gili Raanan of Cyberstarts led the seed round into Wiz in 2020. The deal was announced in March 2025, cleared by the DOJ in November 2025 and the EU in February 2026, and closed in March 2026. It is the single clearest example in the market of an operator-turned-investor writing the defining check of a cycle.

What is DataTribe, and how is a venture studio different from a normal VC fund?

DataTribe is a cybersecurity venture studio co-founded by Mike Janke (former Navy SEAL Team 6), Steven Witt (former CIA IT officer), and Bob Ackerman (founder of Allegis Capital). A studio co-builds companies from the earliest stage, often as a founder's first institutional partner, rather than only writing checks into companies that already exist. DataTribe was Dragos founder Robert Lee's first institutional partner, and Dragos became its first unicorn in 2021. Former NSA cybersecurity director Rob Joyce joined as a venture partner in 2025. Not every outcome is a win: DataTribe-linked ZeroFox went public then was taken private at a large discount.

What should a cybersecurity founder look for in an investor beyond check size?

Look for the specific operator credential that maps to your hardest problem, and remember you are pitching a person more than a fund. If category creation is the challenge, an intelligence-pedigree fund like Cyberstarts or Team8 fits. If app-sec go-to-market is the challenge, builders like Ballistic's Meftah and Thornton lived it. If the enterprise buyer is the challenge, a CISO-led fund like SYN can warm-intro you past the sales cycle. Separately, verify a fund's self-published AUM before using it as a comparison, because several firms' own figures do not reconcile across sources.

Which cyber VC firms were founded by former NSA or Unit 8200 personnel?

Cyberstarts was founded by Gili Raanan, who served roughly a decade in Israel's Unit 8200. Team8 was co-founded by Nadav Zafrir, who commanded Unit 8200 and established the IDF's Cyber Command. DataTribe was co-founded by a former Navy SEAL and a former CIA officer and later added Rob Joyce, the former NSA director of cybersecurity, as a venture partner. These intelligence-pedigree funds tend to cluster around genuinely new security categories rather than feature-level products.