In December 2021, the UK Government published the National Cyber Strategy, which outlines the UK’s efforts to maintain its position as a Cyber Power through to 2030. To benchmark the UK’s progress against the 2030 strategy, the Department for Digital, Culture, Media & Sport (DCMS) recently released its annual sectoral analysis.

Wavestone’s UK Cyber Radar is back to provide its own perspective of the emerging themes and trends arising in the UK Cyber Sector and to take the pulse of the UK’s Cyber Security ecosystem.

To ensure our analysis was comparable to our previous start-up radars, such as the recent France Cyber Security Start Up Radar, and the 2019 UK Radar, the criteria for cyber security companies to be included in the Radar was that they were established in the past 7 years, had a maximum of 35 FTE’s (Full Time Employees), and were domiciled and operating in the UK.

With help from ScotlandIS, Northern Ireland’s cyber security cluster and Plexal, we reached out to some of the most promising cybersecurity start-ups across the cyber innovation ecosystem. 57 start-up companies kindly dedicated their time to engage in first-hand interviews, which formed the basis of our analysis.

However, we know there are many more cyber start-ups in the UK ecosystem that we need to hear from! If you are interested in being involved in the next edition, please get in touch.


Start Up Interviews

The 7 Key Takeaways from the 2022 UK Cyber Security Radar

  1. ‘Micro’ start-ups secure less investment despite dominating the UK’s cyber security sector

  2. More start-ups are building their headquarters outside of London but investment is still concentrated in the capital

  3. Start-ups require support translating their international relationships into international business

  4. Incubators and accelerators need to help start-ups attract the right talent

  5. The UK’s cyber security sector could benefit from initiatives that increase female representation in cyber entrepreneurship

  6. Start-ups are positioning themselves as role models of good security practice

  7. UK start-ups are reinventing traditional security products and challenging the status quo

  8.  Now is the time to engage in ‘a Whole of Society’ Approach to a ‘Wicked Problem’

1. ‘Micro’ Start-Ups secure less investment despite dominating the UK’s Cyber Security Sector

According to the recent annual sector report, most start-ups operating in the UK are categorised as ‘micro’, consisting of less than 10 employees. Our analysis supports these findings, with the majority of Wavestone affiliated start-ups also consisting of less than 10 employees.

Micro start-ups typically adopt agile or lean approaches, meaning they are more readily able to respond to evolving threats. As organisations begin to seek innovative solutions to emerging threats, demand for Micro start-ups’ products will grow. However, these start-ups are usually in the early stages of development, and most are still attempting to define their product market fit, business model, or are operating in nascent markets.

Percentage of Start-Ups by Size

Micro < 10 Employees 70%
Micro < 10 employees 53%
Small (10-15 employees) 30%
Small (10-15 employees) 47%

Relative to their stage of development, micro and small start-ups are receiving less investment compared to medium and large start-ups. So, although Micro start-ups require the most support, they receive a disproportionately lower amount of investment.

Investors also recognised that smaller, early-stage start-ups are developing products at the forefront of innovation, but these companies are less able to reliably evidence potential growth or validate their business models or products, which tend to make them less attractive to investors, and slow their growth.

2. More Start-Ups are building their headquarters outside of London but investment is still concentrated in the capital

In previous years, start-ups have chosen to build their headquarters in London, hoping for improved access to investment, clients, accelerators and incubators. However, operating costs can be much higher in the city, which can impact early-stage successes. DCMS recognised that having a London-centric cyber innovation ecosystem may lead to regional imbalances in cyber security capabilities across the UK. For the UK to maintain its position as a cyber power, the ‘whole of society’ should have equal access to the cyber innovation ecosystem.

However, despite the increase in start-ups headquartered outside of London, and a record year of investment rising from £814m in 2020 to £1013m in 2021, reports show that nearly all investment is still going to companies located in London or the South East.

3. Start Ups require support translating their International relationships into International business

During 2021, 16% of start-ups headquartered both inside and outside of the UK, had developed an international presence, either through international exports or engagement in international markets, particularly in the EU and US.

When we broadened our analysis to include all international relationships, we found that this 63% of start-ups reported having an international presence concentrated in the EU and US.

The stark difference between the number of start-us with international relationships versus the number of start-ups who report having an international presence, exports or engagement with overseas markets, indicates that start-ups are struggling to translate their international relationships into established business, sales or trade.

It is possible that start-ups are experiencing a number of barriers to navigating international exports and markets. For example, smaller start-ups may be ill-equipped to manage challenges associated with international law, regulations and frameworks, and talent shortages, or they may require help adapting their products and services to suit unfamiliar markets or customers outside of the EU and US.

4. Incubators and accelerators need to help start-ups attract the right talent

Start-ups stated that they expected incubators and accelerators to help them overcome challenges associated with uncertainty due to COVID-19, competing for cyber talent and insufficient scale to serve larger clients.

However, start-ups experienced limitations to the support provided by incubators and accelerators. For instance, the sectoral report found that while accelerators were valued for the support they provided with marketing, sales and networking, they were concentrated in London and offered a light touch approach.

To better understand the effectiveness of cyber incubators and accelerators, we asked companies to describe the challenges they were experiencing in growing their business. Most expressed difficulties ‘breaking through’ or ‘increasing their visibility’ in the market, as well as experiencing sales-related challenges, such as winning an audience with the right clients or attracting the right talent into the business. start-ups reported that accelerators did address their need for increasing visibility, but as reported previously, could do more to address their sales and marketing needs.

Notably, start-ups have consistently described challenges associated with attracting the right talent into their organisations. For many companies who are in the early stages of building the company, particularly those with less than five employees, a ‘bad hire’ can significantly impede business growth or impact operations. One start up told us that “We are competing with large businesses who are able to offer much larger salaries,” while another stated that “there are a lack of available skills.”

So, while incubators and accelerators are offering the right services by increasing visibility and providing sales and marketing support, start-ups are calling for more in-depth support and a greater emphasis on attracting the right talent.

Key Barriers to Growth

5. The UK’s Cyber Security sector could benefit from initiatives that increase female representation in cyber entrepreneurship

To better understand the culture of start-ups in the UK’s cyber security sector, we asked the companies about female representation in leadership positions and their diversity and inclusion policies.

We found that 22% of cyber innovators were founded by at least one woman. Our findings are similar to those of Beauhurst, who also found that 26% of high-growth UK companies have at least one female founder. A lack of female representation at the founder level, may indicate that women experience barriers or challenges associated with female entrepreneurship and leadership in the UK’s cyber innovation sector.

Representation of Women in Leadership Positions across Cyber Start-ups and High Growth Companies

Beauhurst 26%
Wavestone 22%

Although women are under-represented at the founder-level, 53% of our panel of start-ups reported having a diversity and inclusion policy in place, a plan to implement a policy when the company next recruits, or they had signed diversity pledges and charters. Some start-ups projected that they would need to grow to 30+ employees before they were able to begin implementing policies of this kind. High rates of commitment to diversity and inclusion at this early stage, may suggest that start-ups plan to address the underrepresentation of women in leadership positions through recruitment drives.

Incubators and accelerators could play a role in increasing the representation of women in cyber innovation. For instance, they could help start-ups break down barriers by increasing support for start-ups with diverse founders, or by helping existing start-ups to attract diverse talent. Wider initiatives that encourage female entrepreneurship in the cyber innovation sector may also prove successful, whereby increasing diversity and inclusion, not only for gender but equally for race and disability, is something that may need to be encouraged through greater outreach to minority groups and women.

UK Start Up

UK Start Up

Twenty to thirty employees is the estimated landmark where diversity will become a real concern

6. Start-ups are positioning themselves as Role Models of Good Security Practice

Compared to established security companies, start-ups have the benefit of a ‘clean slate’. To understand how this affects their approach to innovation, we asked founders about their pursuit of security certifications and implementation of security frameworks across their organisation.

While we expected start-ups to be more readily able to implement security frameworks and certifications, they outperformed our expectations. Founders demonstrated a significant commitment to building secure services and products for their customers. For instance, 34% of the start-ups interviewed were already Cyber Essentials certified. In comparison, only 1.3% of cyber companies in the UK are currently certified.

Cyber Essentials certifies that an organisation has the capability to guard against the most common cyber threats. Start-ups, then, are positioning themselves as role models within this space and are demonstrating their commitment to remaining cyber secure as providers of cyber security products. One Start Up told us that “[Cyber Essentials] really offers added value and it is quite useful to have when there are specific requirements from Corporations.”

Cyber Essentials is also a requirement for government contracts, meaning that start-ups’ commitment to remaining cyber secure sets them apart from their competition in this space. Outside of government contracts, start-ups can also provide greater assurance to organisations that their supply chains are secure, where their uncertified, established competitors cannot.

7. UK Start-Ups are reinventing traditional Security products and challenging the status quo

To investigate start-ups’ position on innovation, we asked founders about their products. We found that most companies were developing products that re-imagine existing security solutions or they are developing solutions that challenge traditional approaches.

We have highlight two of them this year, and it was not easy to choose just one!

A startup focusing on preventing attacks on AI algorithms. An example of such attack is fooling a face recognition software, using carefully crafted stickers placed on the attacker’s glasses. This sticker would look like a rainbowy pattern to humans, and you would clearly differentiate the attacker from the victim. But for the AI algorithm matching faces, the attacker would actually look like the victim, impersonating and unlocking the system. Advai act as a kind of “filter” to remove such attacks from inputs into the AI algorithm. In addition, Advai can provide robustness metrics of the AI algorithm it applies to, and can equally cover computer vision algorithm, natural language processing or OCR (character recognition).

AI algorithms have been buzzing in numerous products over the last few years, with very little focus on the security of those, while these algorithms automate more and more decisions every day. Advai could be a first step in AI algorithm protection and assurance?

Established in 2018, RKVST is a distributed ledger platform (i.e., blockchain technology) to establish trust between parties, and can be applied to many use-cases… One of them is the Software Bill of Material (SBoM), a US measure to improve software supply chain security, requiring detailing the composition of a software product.

This becomes complex quickly as any advanced software is composed of libraries from different sources or suppliers, themselves having their own set of sources and suppliers, and so on… RKVST consolidates these in a transparent and decentralised storage, to offer an independent and traceable generation of SBoM.

The requirement to produce SBoM, despite coming from a US administration executive order, will surely become an international requirement because of the dependency of suppliers globally. We can already see UK and EU based organisation in Healthcare, Energy, Automotive looking at producing SBoM for the software products they provide in their offers.

8. Now is the time to engage in ‘a Whole of Society’ Approach to a ‘Wicked Problem’

The UK’s Cyber Security sector is characterised by small, regional, early-stage start-ups. As these companies grow, they encounter barriers to attracting investment outside of London, recruiting the right, diverse talent, and navigating international markets and trade. Founders work tirelessly to breakdown these barriers with support from the cyber innovation ecosystem through accelerators, incubators and regional cyber innovation hubs.

Our analysis shows that the government’s efforts to regionalise innovation hubs and increase funding are driving the ecosystem in the right direction. However, cyber security is a ‘wicked problem’ that cannot be addressed by cyber innovators, security professionals and government support alone. A ‘whole of society’ approach is needed to progress the sector and maintain the UK’s position as a cyber power.

Individual customers, market leaders, investors, industry players and professional services organisations – to name a few – all play a pivotal role in helping start-ups to overcome these challenges. For instance, industry can work with early-stage start-ups to adapt their solutions, helping them to improve product market fit, and organisations with a global footprint could support piloting solutions abroad, helping them to translate their international relationships into international trade. Likewise, investors could embrace the regional shift and look for investment opportunities outside of the city. Meanwhile, professional services organisations, like Wavestone, can engage in pro-bono offerings to help support start-ups – we encourage our panel of start-ups to reach out for support!

Florian Pouchet

Florian Pouchet


Our research clearly shows that the UK innovation ecosystem is bringing many solutions to emerging challenges. This is translating into record investment for the overall ecosystem.  I am keeping a watchful eye on the development of the ‘whole of society approach’ detailed in the UK national strategy, in particular, the distribution of startups across the 4 UK nations and diversity and inclusion of its founders.

Organisations looking to innovate around their cyber problems can view the ‘whole of society’ approach as an opportunity. Choosing to engage with smaller, more innovative start-ups, rather than established competitors, could offer greater flexibility, agility and bespoke or tailored solutions that are designed to meet their organisation’s specific needs.

Reach out to our UK Radar Team