Santiago Bassett is a Spanish-born cyber security engineer who has been working in open source cybersecurity for twenty years. In 2015, he realised that the open source security software he was working on was used by some 20,000 companies. Without ever having started a company before and without even an MBA or VC funding, and against all odds for success, he set out to start his own open source cybersecurity company.
“I realised that we had as many users as some of the largest players in the market. So why don’t we build a business around it and start providing services and start a company around this product,” says Bassett. He’s the CEO and founder of the San Jose California-based Wazuh, an open-source cybersecurity platform. This founder’s journey story is based on my interview with Bassett.
Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance. According to Bassett, he came up with the unusual name for the company after surveying friends and family. He settled on “Wazuh,” which doesn’t have any other meaning, but thought the name was distinctive enough to differentiate it from the legions of other cybersecurity companies.
The main thesis of the value of open-source cybersecurity software, which seems like an oxymoron, is that it’s open to everyone, its more transparent, and with potentially thousands of users looking at the software, they’ll detect challenges to the open source sooner than proprietary solutions.
The company is part of the exponential growth in cybersecurity solution spending. According to a report by McKinsey, damage from cyberattacks could reach $10 trillion by 2025. As a result, organizations spent around $150 billion in 2021 on cybersecurity. As large as the market is today, the total potential addressable market could reach $1.5 trillion to $2.0 trillion. Some 80% of all organisations are using an open-source solution of some type, according to research from Enterprise Strategy Group.
Bassett had moved to Silicon Valley from Spain to follow the company he was working for at the time. But with no past entrepreneurial or business experience, he left his job to go out on his own to found Wazuh. “I started by myself with no funding. I took a little bit of personal risk. But then I was very, very lucky because at the very beginning, one of the largest companies in the world reached out to me and asked me to manage their cyber security infrastructure,” says Bassett. He declined the job offer but asked them to become a customer of his fledgling business, which they did.
“Our goal to make this free to anyone and to increase the cybersecurity position of every company because I feel like I am betraying my users by charging them for a feature,” says Bassett. He feels that transparency is the key to his success. And in 2020 he began offering a cloud solution so that customers wouldn’t have to spend on hardware or worry about software upgrades. “We deliver upgrades automatically, and run health checks automatically. And the customer doesn’t have to worry about maintaining the infrastructure or provisioning infrastructure, saving operational costs,” says Bassett. So how does Wazuh make money?
Wazuh charges for services and support, with 50% of revenue from their relatively new SaaS service solution, with the balance coming from professional services from legacy customers who have an on-premise solution. “We don’t charge for the software licence. We are doing business around services and software-as-a-service,” says Bassett.
The formula seems to be working. Today, Wazuh is nearing 200 employees and has some 100,000 users in companies of all sizes of its free software, with more than 700 paying customers of its subscription-based professional services. These customers include blue-chip enterprises like Salesforce, Walgreens, Verifone, NASA and PWC.
“We’ve been growing organically and are cashflow positive. It’s been eight years and we have had no need for VC money to grow. We’re growing at about a 40% pace year-over-year in revenue. I am lucky to have a good team,” says Bassett. The company has teams across the globe, but now has a significant presence in Argentina.
“We have 90 people in Argentina, because there was a huge opportunity for us to hire good talent in in Cordoba, Argentina. We identified situations where developers were being fired so that companies could move those jobs to India. They had a lot of experience in what we’re doing. So we ended up hiring a lot of people in Argentina,” says Bassett.
Bassett grew up in Madrid, Spain and studied to be an industrial engineer, but never got his degree or worked in that field. “I ended up working in cybersecurity for a small company just because my dad had a friend who told me this could be an interesting experience for me,” says Bassett. He then worked as a cybersecurity engineer for a succession of companies in Spain before moving to the U.S., becoming Director of Professional Services at the San Mateo, California-based AlienVault, before striking out on his own to found Wazuh in 2015.
While Wazuh is successful and growing fast, it hasn’t been easy. “With no previous experience, this has been very hard, very tough. I have had to learn on the job. And I’m sure I’ve done and am doing a lot of things wrong. Was I wrong about the VC strategy? Should I be raising money like others are doing? Or should I keep growing organically and bootstrapping the company? That’s my biggest concern. I think if I had more experience, maybe I would have raised money earlier. But I haven’t done that. And it seems to be working out,” says Bassett.
As for the future? Bassett aims to make Wazuh the world’s largest open-source security platform. “I think we have an opportunity in the future in five or seven years from now, depending on how much we accelerate, for an IPO. That’s what we’d like to do,” concludes Bassett. It would place Wazuh in rarified territory of companies that went public without VC funding.