CyberSecurity Pitchfest uncovers local gems

As part of this year’s Spark Festival in Sydney, local success story Atlassian hosted the first CyberSecurity pitch fest. A committee comprising of cybersec leaders and luminaries from across the country reviewed a long list of local start-ups trying to make a name for themselves, whittling that down to just nine finalists.

Each for the nine finalists was given just five minutes to pitch their start-up to a panel of judges. The audience of about 100 people were given the opportunity to vote on their favourite start-up with the top three place-getters scoring mentoring with some of the country’s top venture capitalists.

Here are the nine finalists. We’ve kept the top three for the end of the list. The others are listed in the order they pitched their start-up.

The Security Artist

Andrew Bycroft has had over two decades in the cybersec business. His idea is a framework that he is working to build into a system fro properly assign threats and vulnerabilities. He says this is needed as money is not solving cybercrime and the current vision, processes and output are broken.

Part of the problem, he says is IT should not have been made accountable for cyber security. That created vision that tech would be our saviour but the reality is technology and data-centric process have failed. We need a new vision, process and output and a culture for managing cybercrime risk appetite.

His framework is based on a detailed and systematic Assessment of vulnerabilities, threats, attacks, breaches and ,impacts. It’s been tested with 4 ASX companies. Bycroft says it has saved them tens of millions of dollars.


Data61’s Adnene Guabtni told the audience there’s a problem with cloud. Data privacy is compromised as all the control is woith service providers. And, even though many encrypt data, they retain copies of the encryption keys so your data is never entirely under your control.

IOKeeper puts data privacy controls in the hands of users and not the service providers. It is a piece of middleware that sits between the user and cloud storage provider. Data is encrypted before it gets to the cloud provider seamlessly and without any intervention on the part of the user.

Data can still be shared and it works with existing services. Guabtni says IOKeeper is already being used by 1500 professional photographers through and is extending its reach to other SMEs, with Data 61 looking at consumers as well.


Perhaps the most technical pitch of the night, FASSKey’s Dai-Kyu Kim discussed his framework for building solutions that need secure messaging, authentication and authorisation. FASSKey delivers end to end security by purpose.

It uses eight main cryptographic ciphers and another six extensions. He says the solution uses “trustless keys” so there’s no front end security overhead.

Data sent using the FASSKey framework is encrypted in a crypto-hardened package. It can then be pushed across open internet and only accessed by designated devices.

Kim says the plan is for the software to be licensed and white-labelled by resellers for a fee.

He is already talking to a mid-size IoT platform for use of FASSKey in a micropayments platform and recently signed a Korean bank.


Elttam co-founder Pedram Hayati says "One day, something happened. Security became cybersecurity".

The company has a focus on services and boasts over 30 Australian clients. He says the cyber security industry suffers from a number of problems. There’s buyer confusion, a skills shortage, many vendors take a band aid approach, and security assessment processes are poor.

The company provides services such as threat modelling, acting as a trusted advisor, gray box assessment, and security training. They are currently building and expanding their research lab and expect to detect more zero days in the next year as well as looking at delivering a security SaaS.


Cyber insurance is one of the most under-utilised products in the market. Augmentor’s Dougal Hawkes say most SMEs currently self insure, with only 3% of companies insuring against cyber. By comparison, health insurance for pets has 15% market penetration.

The challenges are that it is hard for insurers to sell, insurers struggle to measure risk making it hard for vendors to sell security products, and customers don’t understand their exposure.

Augmentor has designed a proof of concept for a cyber insurance advisory tool that can give vendors qualified leads, provide security fitness assessment for SMEs (what he calls a "fitbit for security"), allow insurers can price risks and assist brokers with targeting products.

Hawkes as developed cost models based on providing fitness assessments, commissions on insurance sales and lead generation that project a market opportunity with millions of dollars in Austrlaia alone.


Kemarto’s founder Edward Farrell is a security professional who was looking for ways to make the work he was doing easier. As a penetration tester and consultant, he was used to use tools to analyse networks and systems and gather large amounts of information.

He says the current processes and the data are fractured, and that Security Assurance is inaccessible because of cost and poor information. In addition we weren't addressing issues of complexity.

The problem is people are throwing tools and money at infosec. The customer Kemarto is focused on is SMEs who can't afford professional services or have their own security team

Kemarto offers a subscription service that gives businesses ongoing assurance, actionable advice, effective information delivery, and value for money. It is currently in pilot stage.

BankVault (3rd place)

Theft from bank accounts is a big deal. The impact on market is massive - perhaps as much as $17B in Australia and over $500B globally. BankVault’s Graeme Speak says banks have tried two-factor authentication but it’s either bypassed or hacked.

BankVault works by creating a new virtual machine on a remote server when a user connects to their online banking service. Their connection to the bank is handled on that server which is spun up almost instantly and operated in a highly secure environment. When the banking session is complete, the virtual machine is destroyed.

As well as logical authentication, BankVault uses a USB dongle for physical authentication. A consumer version of the service uses a web service rather than a physical key.

Access to BankVault will be subscription-based with pricing plans ranging from $10 to $1000s per month depending on the size of the business. They are currently partnering with businesses associations (eg real estate agents) and channel partners to sell the service.

CryptoPhoto (2nd Place)

CryptoPhoto’s Chris Drake says "It's cyber-armageddon out there right now".

One of the problems is that none of us are really comfortable with authentication.

CryptoPhoto employs software that integrates with other authentication systems. When a user is challenged to log-in, they see an image on the screen. As that image appears, a collage of images appears on the screen of their smartphone. When thy choose the matching image on the smartphone, they are authenticated on their computer.

Drake says this is more than two-factor authentication – it is mutual authentication. Both the computer and smartphone are authenticated.

The application’s revenue model is simple – each tap is $0.01 of revenue.

The solution is already in use with some banks and the company has already received $1M accelerated commercial funding. They also have an agreement with Tata for use of CryptoPhoto with their core banking platform (which accounts for 20% of world's banking transactions),and recently signed major French hosting company.

Kasada (Winner)

Kasada’s Sam Crowther presented the winning pitch for his company’s product Polyform.

Malicious bots are responsible for 20% of all web traffic he says. It’s used in fraud, spam, DoS, and many other attacks. He noted that this technique was done against Sony and cost them over $170M to recover from.

The challenge is that bots can be easily purchased and deployed.

Ployform sits as a reverse proxy between user and web host and works at the application layer, blocking bots that attack website forms and other points of online interaction. By changes he economy of attack to make it much harder for the bad guys.

The application is broad. Financial services, online retail, and online ticketing are fans and, unlike tools such as Captcha, Polyform doesn’t impact users.

At the moment, the go to market strategy is direct but the longer term plan is to work with channel partners.