Gili Raanan led the seed round into Wiz in 2020. On 11 March 2026, Google closed its $32bn acquisition of Wiz, the largest buyout of a venture-backed startup ever recorded and the biggest deal in Google's history. Raanan did not learn to spot that shape in a partner meeting. He built the web application firewall category himself, sold his company Sanctum for $40M, spent nine years as a general partner at Sequoia, then went out on his own and wrote the check that made the record book.
That is the pattern worth naming: the checks that define cybersecurity venture were mostly written by people who used to be the ones needing the check. The best cyber VCs were operators first. They ran the product, commanded the intelligence unit, signed the purchase order as a CISO, or took a company to exit before they ever managed a fund. Their edge is not a spreadsheet. It is having lived the exact go-to-market a founder is now pitching.
This site already has a full roster of the most active cybersecurity VCs, ranked by deal count, check size, and fund size. That page tells you who is writing and how much. This one is different. It argues a single causal claim, using verified operator biographies as the evidence: operator DNA at the general-partner level changes what gets funded and how founders get helped. For the full list of active checks, use the roster. Read on for why the checks that actually matter come from people who have run the company being pitched. I have sat on both sides of that table, as an operator and an investor, and the difference in the room is not subtle.
The four kinds of operator credential
Not all operator pedigree is the same, and grouping these funds alphabetically or by AUM hides the useful part. The credential that matters is what the partner actually did before they invested. Four types recur, and each one changes the kind of founder the fund is built to help.
| Credential type | What they did before investing | Funds in this piece |
|---|---|---|
| Built and sold the product | Founded, built, or ran a security product to exit | Cyberstarts (Raanan), Ten Eleven (Doll), Ballistic (Meftah, Thornton) |
| Commanded the talent pipeline | Ran the military or intelligence units that produce security founders | Team8 (Zafrir), DataTribe (Janke, Witt, Joyce) |
| Signed the purchase orders | Sat in the CISO seat deciding what to buy | SYN Ventures (Leek, Heim) |
| Compounded multiple exits | Serial CEO who ran several security companies to exit | NightDragon (DeWalt), Ballistic (Mandia), Forgepoint (Yepez) |
The builders who sold the product
Start with the people who built the thing. This is the most direct version of the credential: a founder pitching an application-security or threat-intel product is pitching someone who shipped exactly that, sold it, and knows where the go-to-market bodies are buried.
Gili Raanan, Cyberstarts
Raanan founded Sanctum in 1997, built AppShield (the web application firewall) and the AppScan pen-testing tool, and is widely credited with inventing CAPTCHA. Sanctum sold for $40M in 2004. He founded a second company, nLayers, acquired by EMC, then ran strategy there. He spent roughly nine years as a general partner at Sequoia Capital before founding Cyberstarts in 2018 and leading the Wiz seed round. The Google-Wiz close was $32bn. A partner who built a security category himself is unusually good at recognising when a founder is building the next one rather than a feature.
Alex Doll, Ten Eleven Ventures
Doll co-founded PGP Corporation in 2002, served as its founding board member and CFO, then became COO before Symantec acquired PGP in 2010. In 2014 he founded Ten Eleven Ventures, the first venture fund dedicated solely to cybersecurity. The firm says it has since raised over $1bn across three funds and invested in more than 70 cybersecurity companies across 13 countries. Its well-documented individual wins include Darktrace (IPO), Cylance (acquired by BlackBerry), and Hexadite (acquired by Microsoft). Doll turned an operator's read on encryption and enterprise security into the template every later cyber-specialist fund copied.
Barmak Meftah and Roger Thornton, Ballistic Ventures
This is the strongest same-company pairing in the whole set, and it is worth slowing down on. Thornton founded Fortify Software in 2002, backed by Kleiner Perkins, and moved application security from perimeter defense to source-code analysis. HP acquired Fortify in 2010. Meftah was Fortify's chief products officer and moved into HP's enterprise security unit on the same acquisition. Then both went to AlienVault: Meftah as CEO from 2012, Thornton as CTO. When AT&T bought AlienVault in 2018, Meftah became president of AT&T Cybersecurity (Ballistic's own bio credits his leadership with making it one of the world's five largest MSSPs) and Thornton ran products and technology. In December 2021 the two of them co-founded Ballistic Ventures together.
Sit with that. Two partners who ran product and CEO functions at the same two companies, in sequence, before becoming co-general-partners at the same fund. A founder building an app-sec or threat-intel product at Ballistic is not pitching generalists pattern-matching from a distance. They are pitching two people who lived that precise go-to-market twice.
The operators who came out of government cyber
The second credential is rarer and harder to fake: partners who came out of the military and intelligence institutions that produce many cyber founders. Zafrir ran one of those institutions outright; the DataTribe founders worked inside them.
Nadav Zafrir, Team8
Zafrir established the IDF's Cyber Command and served as commander of Unit 8200, Israel's signals-intelligence agency often compared to the NSA, retiring as a brigadier general. He co-founded Team8 in 2014 with two other 8200 alumni. Team8 states $1.5bn in AUM on its own site, and its portfolio includes Claroty, which became Team8's first unicorn in 2021 and effectively defined the operational-technology security category. In December 2024, Zafrir left day-to-day Team8 leadership to become CEO of Check Point, which is itself a data point for the thesis: at this level the boundary between operator and investor barely exists. He went from commanding an intelligence unit, to building a venture studio, back to running a public security company.
DataTribe: the studio built out of the Beltway
DataTribe is a venture studio rather than a standard fund, co-founded in the mid-2010s by Mike Janke (former Navy SEAL Team 6 and founder of Silent Circle), Steven Witt (former CIA IT officer), and Bob Ackerman (founder of Allegis Capital, one of the original cyber-only funds). A studio co-builds companies from the earliest stage rather than just writing checks into existing ones. Dragos became DataTribe's first unicorn in 2021, five years after DataTribe became founder Robert Lee's first institutional partner. In January 2025 the studio added Rob Joyce, former NSA director of cybersecurity, as a venture partner after 34 years of government service.
One honest note, because this piece is not a highlight reel. Not every DataTribe-linked name is a clean win. ZeroFox went public via a $1.4bn SPAC merger in 2022, then was taken private at roughly $350M in 2024, about a 75 percent decline. Operator pedigree improves the odds. It does not repeal them.
The buyers who used to sign the cheques
The third credential is the one founders underrate most: partners who were the customer. In enterprise security, the hard part of the sale is rarely the technology. It is getting a CISO to commit budget. A fund run by former CISOs shortcuts exactly that.
SYN Ventures is the clean example. Jay Leek was chief information security officer at Blackstone. Patrick Heim was head of security at Dropbox and chief trust officer at Salesforce. They co-founded SYN Ventures in 2021, and the fund is explicitly built around a network of practicing CISOs used to source and validate deals, not just a partner rolodex. The confirmed fund history is a $165M debut, a roughly $300M second fund, and a third fund reported at $206.1M+ toward a $300M target. Portfolio wins include the unicorns Halcyon and Transmit Security, plus eight acquisitions, most recently SquareX, acquired by Zscaler in early 2026.
Here is my operator read, labeled as judgment rather than data. If the technologist is the hard part of your company, a builder-led fund is the better room. If the buyer is the hard part, a CISO-led fund like SYN can warm-intro you past a nine-month enterprise sales cycle, because the person making the introduction used to be the person you are trying to reach.
The serial CEOs who compounded exits
The fourth credential is accumulation: partners who ran several security companies to exit and folded the pattern-recognition into a fund.
Dave DeWalt is the archetype, a four-time CEO across Documentum, McAfee (through Intel's acquisition), and FireEye. His firm NightDragon, founded in 2012, closed a $750M growth fund. Kevin Mandia founded Mandiant, ran it as CEO through Google's acquisition, then was named a general partner at Ballistic Ventures. Mandia then went back to full-time operating as CEO of Armadin, a new AI-focused cybersecurity company, while still a Ballistic GP. That is operator DNA that does not switch off. Alberto YƩpez ran enCommerce and Thor Technologies to exits, and served as Co-CEO of Entrust, later acquired by Thoma Bravo, before co-founding Forgepoint Capital, now over $1bn in AUM.
Ted Schlein is the deliberate exception in this group, and worth flagging for accuracy. Schlein spent nearly three decades at Kleiner Perkins as one of mainstream venture's earliest dedicated cybersecurity investors, backing 30-plus founders to exit including ArcSight, Fortify, and IronNet. He is a career VC, not a former CEO. His role at Ballistic is the one who assembled the operator team, launching the firm's $300M debut fund in 2022 and an oversubscribed $360M second fund in 2024. The tell is that even the pure investor built his fund by recruiting operators around him.
What this means if you are raising
The practical read for a founder is that fund size and operator depth are different variables, and you should optimise for the second at seed. NightDragon's $750M growth fund and Forgepoint's $1bn-plus AUM are larger than most of the founder-led seed funds here, but stage and check size are what the active-VC roster is for. This piece is about who you actually get in the room. Match the operator credential to your hardest problem.
| Your hardest problem | Credential you want in the room | Example |
|---|---|---|
| Building a genuinely new security category | Intelligence-pedigree category creators | Cyberstarts, Team8 |
| Nailing app-sec or threat-intel go-to-market | Builders who shipped that exact product | Ballistic (Meftah, Thornton) |
| Getting past the enterprise buyer | Former CISOs who signed the POs | SYN Ventures |
| Co-building from zero with a small team | A venture studio, not just a check | DataTribe |
| Scaling a proven company toward exit | Serial CEOs with growth capital | NightDragon, Forgepoint |
Two more things I would tell any founder. First, pitch the operator, not just the fund; the value is the specific person's lived go-to-market, so know whose portfolio you would sit in before you take the meeting. Second, verify self-published fund figures before you trust them in a pitch-deck comparison. Several of these firms' own AUM numbers do not reconcile cleanly across sources, so ask a fund directly for its current dry powder rather than trusting a marketing page. This is the same discipline that separates early-stage operator VC from the later-stage buyers in private equity's move into cybersecurity, and it is why the analyst Ross Haleliuk has built a following writing about exactly these go-to-market dynamics in his Venture in Security newsletter and his book Cyber for Builders.
If you want the full list of who is writing checks and how big, that lives in the active cybersecurity VC roster. If you are trying to understand where the categories these funds chase actually sit, I mapped that in the cybersecurity market map. And if you own a company these operators might one day fund or buy, the same operator-versus-financial-buyer logic runs through everything I write about the market. I spent a decade in investment banking and private equity before I ran growth for cyber and MSP firms, and the single most reliable signal I have found is this: the people who write the checks that matter are usually the people who once needed one.
Frequently asked questions
Because security buyers and security founders both respond to lived credibility. A partner who built and sold a web application firewall, commanded an intelligence unit, or signed purchase orders as a CISO can judge a founder's go-to-market from experience rather than a spreadsheet, and can open doors a career financier cannot. Gili Raanan built Sanctum before founding Cyberstarts and leading the Wiz seed. Barmak Meftah and Roger Thornton ran the same two companies before co-founding Ballistic. The pattern repeats because operator credibility is the scarce input in a market where the technology is complex and the buyer is hard to reach.
They solve different halves of the sale. SYN Ventures was co-founded by Jay Leek, former CISO at Blackstone, and Patrick Heim, former head of security at Dropbox and chief trust officer at Salesforce, and is built around a network of practicing CISOs who source and validate deals. It is the right fit when the hard part of your company is getting the enterprise buyer to commit budget. Cyberstarts, founded by former Unit 8200 operator Gili Raanan, is built around category creation and is the better fit when you are inventing a new security category rather than selling into an established buying process.
Yes. Zafrir stepped away from day-to-day Team8 leadership in December 2024 to become CEO of Check Point, but Team8 continues as an active investor and studio with its other co-founders. Zafrir remains a co-founder of the firm. His move from investor back to operating CEO actually reinforces the point that at this level the line between operator and investor is thin: he ran Unit 8200, built a venture studio, and is now running a public security company.
Google completed its acquisition of Wiz for $32bn on 11 March 2026, the largest acquisition in Google's history and the largest-ever buyout of a venture-backed startup. Gili Raanan of Cyberstarts led the seed round into Wiz in 2020. The deal was announced in March 2025, cleared by the DOJ in November 2025 and the EU in February 2026, and closed in March 2026. It is the single clearest example in the market of an operator-turned-investor writing the defining check of a cycle.
DataTribe is a cybersecurity venture studio co-founded by Mike Janke (former Navy SEAL Team 6), Steven Witt (former CIA IT officer), and Bob Ackerman (founder of Allegis Capital). A studio co-builds companies from the earliest stage, often as a founder's first institutional partner, rather than only writing checks into companies that already exist. DataTribe was Dragos founder Robert Lee's first institutional partner, and Dragos became its first unicorn in 2021. Former NSA cybersecurity director Rob Joyce joined as a venture partner in 2025. Not every outcome is a win: DataTribe-linked ZeroFox went public then was taken private at a large discount.
Look for the specific operator credential that maps to your hardest problem, and remember you are pitching a person more than a fund. If category creation is the challenge, an intelligence-pedigree fund like Cyberstarts or Team8 fits. If app-sec go-to-market is the challenge, builders like Ballistic's Meftah and Thornton lived it. If the enterprise buyer is the challenge, a CISO-led fund like SYN can warm-intro you past the sales cycle. Separately, verify a fund's self-published AUM before using it as a comparison, because several firms' own figures do not reconcile across sources.
Cyberstarts was founded by Gili Raanan, who served roughly a decade in Israel's Unit 8200. Team8 was co-founded by Nadav Zafrir, who commanded Unit 8200 and established the IDF's Cyber Command. DataTribe was co-founded by a former Navy SEAL and a former CIA officer and later added Rob Joyce, the former NSA director of cybersecurity, as a venture partner. These intelligence-pedigree funds tend to cluster around genuinely new security categories rather than feature-level products.