Finding the Problem Worth Solving
Every successful security company starts with a problem that the founder understands deeply - usually because they lived it. The challenge is distinguishing problems worth building a company around from problems that are merely annoying. Not every security pain point supports a venture-scale business.
This chapter tells the story of how I identified the CIAM opportunity, the pattern recognition framework I use for evaluating security startup ideas, and the validation process that separates real opportunities from wishful thinking.
How I Found CIAM Before It Had a Name
In 2013, I was working on consumer-facing applications and repeatedly hitting the same wall. Every application needed user registration, login, password reset, social login, and profile management. Every development team was building these capabilities from scratch - and building them badly.
The security implications were serious. Homegrown authentication systems had predictable vulnerabilities: passwords stored in plaintext or with weak hashing, no brute force protection, no account lockout, no multi-factor authentication, and no compliance with any standard. Every new application was creating a new attack surface.
But here is what made it a company-sized opportunity rather than just a development annoyance:
-
Scale was coming. Mobile apps were exploding. IoT was emerging. The number of consumer-facing digital identities was about to go from millions to billions. Authentication at that scale would break every homegrown solution.
-
Regulation was coming. GDPR was already being discussed in European policy circles. Consumer data privacy was going to become a legal requirement, not just a best practice.
-
The buy-vs-build math was shifting. As authentication requirements grew more complex - social login, passwordless, adaptive MFA, consent management - the cost of building in-house was becoming prohibitive.
-
No one owned the category. Enterprise IAM vendors like Okta and Ping focused on workforce identity. Consumer identity was an afterthought. There was no dedicated category for customer-facing identity.
The term "CIAM" - Customer Identity and Access Management - did not exist as a recognized category in 2013. We were building a solution for a problem that did not have a name yet. That is both the risk and the opportunity of category creation.
The best time to start a security company is when you can see a problem growing but the market has not yet named it. If analysts have already defined the category, published Magic Quadrants, and identified leaders - you are late. You want to be the company that the analysts eventually study, not the company responding to their reports.
Pattern Recognition for Security Founders
After building LoginRadius and working with dozens of security startups, I have identified patterns that consistently signal a viable security company opportunity. Not every opportunity will have all of these patterns, but strong opportunities typically have four or more.
The Seven Signals Framework
| Signal | What to Look For | Example (CIAM) |
|---|---|---|
| 1. Growing attack surface | A new technology or trend creating new vulnerabilities | Consumer apps, mobile, IoT creating billions of new identity attack surfaces |
| 2. Regulatory pressure | New or upcoming regulations that mandate solutions | GDPR, CCPA, consent management requirements |
| 3. Build-vs-buy shift | Increasing complexity making in-house solutions impractical | Social login, MFA, passwordless, consent - too much for dev teams to build |
| 4. Category vacuum | No established vendor owns the space | Enterprise IAM vendors did not serve consumer identity needs |
| 5. Scale inflection | A fundamental change in the scale of the problem | From millions to billions of consumer digital identities |
| 6. Budget availability | Clear budget holder who can authorize purchase | DevOps, product teams, or CISO - depending on the company structure |
| 7. Pain visibility | The problem is visible to decision-makers, not just practitioners | Breaches from poor authentication making headlines, boards asking questions |
Applying the Framework Today
Let me walk through how you would apply this framework to identify opportunities in the current security landscape.
Example: AI Agent Security
| Signal | Assessment |
|---|---|
| Growing attack surface | AI agents accessing APIs, databases, and internal systems create new identity and authorization challenges |
| Regulatory pressure | AI governance regulations emerging globally, but still early |
| Build-vs-buy shift | Agent authorization is complex - session management, privilege escalation prevention, audit trails |
| Category vacuum | No established vendor owns "AI agent identity and authorization" |
| Scale inflection | Enterprise AI agent deployments growing from dozens to thousands per organization |
| Budget availability | CISOs have budget for AI security; some companies creating dedicated AI security roles |
| Pain visibility | High-profile AI-related security incidents increasing media attention |
Score: 6 out of 7 signals present. This looks like a strong opportunity.
Example: Password Manager for Small Business
| Signal | Assessment |
|---|---|
| Growing attack surface | Not really - passwords have been around forever |
| Regulatory pressure | Minimal for SMB specifically |
| Build-vs-buy shift | Many free/cheap options exist |
| Category vacuum | Crowded - 1Password, LastPass, Dashlane, Bitwarden |
| Scale inflection | No fundamental scale change |
| Budget availability | SMBs have minimal security budgets |
| Pain visibility | Password problems are known but not generating new urgency |
Score: 1 out of 7. This is not a good opportunity for a new venture.
Validating Security Product Ideas
Having a promising signal pattern is not enough. You need to validate that real buyers will pay real money. Security validation is different from general SaaS validation because security buyers are harder to reach, slower to commit, and more skeptical of new vendors.
The Validation Stack
Security Product Validation Stack
====================================
Level 1: PROBLEM VALIDATION
- Can you find 20 people who have
this problem?
- Are they already spending money
or time solving it?
- Is the problem getting worse?
Level 2: SOLUTION VALIDATION
- Does your approach solve the
problem better than alternatives?
- Can you demonstrate it credibly?
- Does the buyer believe your team
can deliver it?
Level 3: MARKET VALIDATION
- Will buyers pay enough to support
a venture-scale business?
- Is the market large enough or
growing fast enough?
- Can you reach buyers efficiently?
Level 4: TRUST VALIDATION
- Will buyers trust a new vendor
with this specific security function?
- What trust signals do you need?
- How long will trust-building take?
Problem Validation Tactics That Work in Security
Talk to CISOs, not developers. Developers will tell you every security problem is worth solving. CISOs will tell you which ones they would actually spend budget on. Reach CISOs through ISSA/ISACA chapters, security conferences, and warm introductions.
Look for compensating controls. If companies are implementing workarounds - manual processes, scripts, or cobbled-together tool chains - that is evidence of real pain. Ask: "How are you handling X today?" If the answer involves duct tape, you have found a problem worth solving.
Quantify the cost of the status quo. In security, this often means quantifying risk. How many incidents has the current approach allowed? How much does the workaround cost in engineering time? What is the regulatory exposure?
Identify the buying trigger. What event would cause a company to actually purchase your product? If you cannot identify a clear trigger, the purchase will never be urgent enough to close.
The most dangerous validation mistake in security is confusing "this is a real problem" with "someone will pay to solve it." Security is full of real problems that companies choose to accept rather than address. Your job is to find the problems that buyers cannot accept - because of regulation, customer requirements, or existential risk.
Building for a Category That Does Not Exist Yet
When we started LoginRadius, we had to explain what CIAM was before we could sell it. This is the reality of category creation - you are selling a solution to a problem the buyer might not even know they have.
The Category Creation Playbook
-
Name the problem clearly. Give the problem a name and a definition that resonates with buyers. "Customer Identity and Access Management" eventually became the accepted term, but we tested several before it stuck.
-
Educate before you sell. Your first marketing motion is education, not demand generation. Blog posts, whitepapers, and conference talks that define the problem space and explain why existing approaches are insufficient.
-
Get analysts to adopt your framing. When Gartner, Forrester, or other analysts start using your terminology and publishing reports about your category, the market validates your vision. This takes time - often 2-3 years - but it transforms your sales process.
-
Build the community. Create the conversation around your category. Host events, publish research, bring together the people who share the problem. LoginRadius invested heavily in content marketing and community building before we invested in demand generation.
-
Be patient. Category creation takes longer than entering an existing category. Plan for 18-24 months before the market catches up to your vision. If you need revenue in 6 months, category creation is the wrong strategy.
The Risk of Being Early
Being early to a category is only an advantage if you can survive until the market arrives. I have seen talented founders build excellent products for real problems and fail because they were three years too early.
The mitigation is to find adjacent revenue while the category matures. At LoginRadius, we sold social login and user management to companies that did not yet think of themselves as needing CIAM. The product solved an immediate problem while we built toward the larger category vision.
Questions Every Security Founder Should Ask
Before committing to building a security company, honestly answer these questions:
| Question | Why It Matters |
|---|---|
| Have I personally experienced this security problem? | Lived experience creates authentic understanding and credibility |
| Would I trust a new vendor with this security function? | If you would not, your buyers will not either |
| Can I name 10 companies that would pay for this today? | Not "could benefit from" - would actually pay |
| Is this problem getting worse on its own? | Security problems driven by macro trends are better than static problems |
| Can I get SOC 2 certified within 12 months? | If your product cannot meet enterprise trust requirements, you cannot sell to enterprises |
| Am I prepared for 9-12 month sales cycles? | This is cash flow reality in security |
| Do I have the technical depth to earn buyer trust? | Security buyers will test you |
If you cannot answer "yes" to at least five of these, reconsider whether a security company is the right path. There are easier markets to build in. The ones who should build security companies are the ones who cannot imagine building anything else - because they understand the problem so deeply that they cannot let it go unsolved.
For more on the CIAM market landscape and how category creation played out, see CIAM Industry Research Report: M&A and Investment Analysis.
The next chapter tells the story of going from that validated idea to the first million in revenue - including the mistakes that nearly killed the company along the way.