How Two Hackers Turned Their Passion Into a B2B Business and Crushed It
Their sales pitch to me was badass.
Martin here. Welcome to another edition of Founders’ Hustle!
I write about the “hustle” of entrepreneurship and startup building frameworks.
Today I’m sharing how ethical hackers Mathieu Huysman and Tim De Wachter turned their childhood passion into a market-leading cybersecurity business!
Why I found their sales pitch badass. 😎
How they acquired their first customers and created a unique selling point in a competitive market. 🎯
A key growth mistake made, and how they fixed it. 📈
Not subscribed? Let’s change that 😉👇
I know firsthand how frustrating it is to be a victim of commercial cybercrime.
Both emotionally from watching your livelihood attacked, and, financially from losing a ton of money as a result of business disruption.
Cybercrime has affected me since the first company I founded with friends, just over ten years ago. We built a website that became highly trafficked, reaching the top 1,000 most visited sites globally within 1.5 years of going live.
One day, a few months after launch—which happened to be the exact day I quit my 9–5 banking job to focus on growing the website full-time—it was the target of a DDoS attack.
The timing was perfect.
Literally, as I said goodbye to my financial colleagues and walked out through the lobby of HSBC’s global headquarters building in London, my cofounder called me and immediately uttered the words “we’re under attack!”.
Our website and entire business was down and out of action.
Virtually all revenue disappeared overnight. Crisis mode was implemented with our clients and users. The technical battle to overcome the attack went on for days. We did everything we could to survive.
Thanks to our incredible CTO, we pulled through. But, we lost a ton of money in the process and were left gravely concerned about long-lasting reputational damage from existing and potential clients.
Ever since that event I have viewed cybercrime differently. The costs became quantifiable and not just something I read about happening to others. Any company can become a target given sufficient vulnerabilities, which is often the case.
These days, DDoS attacks are less of a concern for fledgling startups due to services like Cloudflare. But, other forms of cybercrime are growing precipitously, and approaches used by criminals to extract value more numerous and creative in their scope.
Companies outside obvious industries of attack, like finance, are increasingly finding themselves targets since their security measures are often relatively weaker. This is partly why research firm Cybersecurity Ventures expects cybercrime to cost the world $10.5 trillion annually by 2025.
Vulnerabilities can enable hackers to get hold of sensitive data. Shut down or compromise services. Steal digital assets and intellectual property. Hijack accounts. Generally, cause a business significant pain.
One of the major industries facing ever-increasing attention from cyber-criminals is gaming.
Due to a combination of the insane growth of the market over the last 10-15 years, game prizes and assets that have material value, and more time spent playing online competitively, it has become an attractive target to exploit.
Since I have entered this industry with my latest business venture, Well Plaid, when I received a cold message from gaming cybersecurity expert Mathieu Huysman at the last major industry conference I attended pre-lockdown, I responded.
And, I’m glad I did.
Outside of learning how his company, Cyrex, could help make our gaming application more secure by running penetration tests that expose hacking vulnerabilities, I developed an admiration for Mathieu and his business partner Tim De Wachter’s entrepreneurial spirit, execution, and energy.
Next, I’ll share their unique sales pitch to me and how they built and exited Cyrex from scratch within a few years of leaving university.
Their Sales Pitch
My initial meeting with Mathieu and Tim turned out to be one of the most engaging sales pitches I’ve ever been on the receiving end of. High energy. Fluid. Unconventional.
The pair both instantly impressed me with their knowledge and passion. It was clear they lived and breathed hacking culture.
This made me feel energized to pummel them with questions and probe further about the hidden underworld of commercial hacking, and, their approach to building Cyrex.
It’s fair to say Mathieu and Tim have a different view of the virtual world than most.
Whereas many companies feel relatively digitally secure, they see abundant vulnerability waiting to be exploited—like an infinite amount of digital Achille’s heels.
To demonstrate this, right there and then—during the meeting—they opened up a laptop and used the conference owner’s official mobile app as a real-time case study.
Within minutes, they had found a vulnerability that enabled access to the contact details of over 10,000 conference attendees!
Wow. This was no illusion. And, disturbingly easy.
Plus, way more engaging than usual sales meeting formats—PowerPoint presentations and dashboard walkthroughs!
Seconds later, after giving consent as an individual, my own contact details were retrieved and displayed on the laptop screen in front of me.
Fortunately, Mathieu and Tim are ethical hackers, so they reported the vulnerability to the conference organizers. But, if they weren't, this data could have been used or sold for financial gain.
This, alarmingly, is the tip of the iceberg.
Many applications and systems out there have critical vulnerabilities that can be exploited. Maybe they already are, unbeknownst to the owner.
In their ‘downtime’ Mathieu and Tim bounty hunt for major corporations, like Apple, and identify security vulnerabilities in return for a handsome reward.
Super engaged, we spent the next hour talking about their approach to ethical hacking and how they could help protect my business.
Then, the conversation turned to their journey building Cyrex. I liked their hustle and wanted to know more.
The Origin Story
So, how did Mathieu and Tim successfully build a cybersecurity business from scratch?
It’s reasonable to guess they previously worked for an already established cybersecurity company for many years and used their network to launch their own practice. But, that’s not the case!
In a video call interview for this newsletter, Mathieu said he’s been experimenting with online business ideas plus “hacking and testing software” since he was “14 or 15 years old”—so the marriage of the two interests into a company was natural.
Mathieu met Tim at university, where they studied all aspects of cybersecurity—network infrastructures, forensic analysis, malware analysis, etc. But, it was their shared passion for hacking that got them most excited about working together.
“Discovering where developers have made mistakes and identifying how we can abuse those mistakes and exploit those vulnerabilities gives us a huge adrenaline rush!”
Whilst it’s insane fun, they’re also good guys. So, offering their skills on the black market to digital criminals was not amongst their possible career choices!
Instead, they could hack ethically together and get paid for exposing vulnerabilities by companies wanting to improve their digital security.
And, there was nothing stopping them from starting right away.
“During university, we decided like, ‘Hey, why don't we start doing something together?’
We didn't want to go and work for a company as an employee, we wanted to build and do our own stuff.
So in our last year, we started building a cybersecurity business.
Of course, that was part-time since we still were studying. But it gave us the time to understand how does entrepreneurship work? How do you build a company? What does it entail?
It didn't matter if we fail or not, because hey, we were still at university!”
Mathieu and Tim started with small side projects, and gradually scaled up over the next few years as their network and ability to hire additional staff grew.
Since it’s so critical in the origin story of any B2B company, I asked how they got their first customers. After all, they had no professional network!
“Our university gave us the first leads and contacts. That really helped us a lot. We're very grateful for that.”
The results were very good. The value that we brought to the table for these companies was like, wow, this is insane!”
But, once those leads were exhausted, how did they scale up their client base and carve out market share? Penetration testing is a competitive market, and they were certainly not the first to do it.
Early on, they tried a bunch of different techniques for generating leads, to varying degrees of success. One of these involved identifying and highlighting security vulnerabilities to companies that hadn’t requested it, using an ethical disclosure methodology.
This was hit and miss activity. Some companies would respond “very negatively!”, Mathieu said, so they stopped due to concerns about market reputation.
The underlying approach there, providing upfront value, is a solid lead generation practice intrinsically. So, the pro-activeness to do that was sound.
It just seems the nature of the service they were providing, identifying security vulnerabilities, just freaked some people out as the first point of contact.
The lead generation breakthrough came via another passion the pair both shared—gaming.
Whilst building their cybersecurity business, Tim became a part-time Community Manager for Gameforge, a game developer.
After a while, he proposed the idea of testing their systems for security vulnerabilities on a bug bounty basis. Gameforge gladly accepted.
“We found a lot of stuff and reported it. They were super happy and gave us bounties—2,000 to 3,000 euros per occasion'“ Mathieu said.
“This is how we got into the gaming industry. It's because of Gameforge that we discovered what we want to do the rest of our lives. They started to recommend us to other companies or colleagues they knew in the gaming industry and the ball started rolling.”
Critically, this gave Mathieu and Tim a unique selling point. Unlike other industries where penetration testing services are abundant, gaming was (and still is) underserved.
“There’s just not a lot of awareness around security in the gaming industry. If you compare it with the financial industry, there's a huge gap.”
As hardcore gamers themselves, they already possessed a solid foundational understanding of the motivations and methodologies that gamers and hackers would use to exploit security vulnerabilities.
They figured with there being unique risks and attack vectors specific to gaming, developers would be better served seeking out their specialist expertise over the competition—who are either generalists or specialize in other verticals.
They were right.
As their gaming client base grew, so did their hands-on expertise, which has become a defensive moat.
I asked what lessons they learned from this time with regards to customer growth.
“Sales is equally important as the operations and the quality that you deliver. We learned the hard way!
For the first two years, we were very invested in getting everything perfect, right, and being able to deliver excellence. We were super focused on that.
But, we were not focused enough on actually selling. So we had a service that was great but the demand for the service was definitely not high, just because we were not pushing sales enough.
We were both very technical people. And sales was definitely not something that we were very comfortable with. It was out of our comfort zone.
At some point, we made a decision like, hey, if we want to be able to continue and do the things that we like to do, then we need to start selling.”
Today, a big chunk of their leads come from cold outbound outreach—“LinkedIn has been and still is our number one lead generation tool… that is really a goldmine.”
💡 To level up your LinkedIn outreach, check out Expandi, who provide an automated tool to generate leads. On average, their clients get 50 sales meetings per month!
Given selling did not come naturally, I asked Mathieu how he approached transitioning into the role and how he developed the skillset to generate leads and close.
“I don’t sell, I tell our story and share our mission/vision and somehow it resonates with our partners.”
His favored approach is reaching out to a target customer when he knows they have an upcoming game launch. Usually, starting a conversation around the game in terms of security and protecting players.
This initiates dialogue around the target customer’s interests, enabling the demonstration of value upfront, as opposed to going in straight away with a product pitch.
Going forward, Mathieu thinks distributing video content on LinkedIn will be the most effective medium to acquire customers. Either informational videos or webinars through the LinkedIn newsfeed, or, in personalized pre-recorded messages.
You can get a feel for their approach here.👇
Despite starting to experiment with this only recently, it’s already delivering results.
Mathieu reports that his cold outreach message response rates increase dramatically when a branded personalized video is included.
He uses Vidyard to create and host the personalized video messages, which take “around 10 minutes” each to produce, look professional, and feel engaging.
Additionally, an upcoming webinar they are hosting, The Art of Online Game Hacking, already has nearly 200 attendees registered.
Mathieu and Tim’s unique talent did not go unnoticed.
Recently, Cyrex was acquired by Mogi Group—a company that offers a variety of services to game developers.
I asked what made the proposition attractive.
“Part of our growth and success has been the path we took by joining the MoGi group.
They've been in the gaming industry for 15-20 years and have lots of contacts. For us, that was really a door opener, there was a lot of opportunities. They already had that existing network.
More importantly, there's no one telling us what to do. We make our own decisions. We do what we like and we do what we think is best.
Of course, we have a board that collaborates with us and asks questions like, is this the best strategy? Is this the best approach?
What we have here is really a family and it's very different. It's not an investor. It's not a business angel. It's people that love what we do and support us.
It also gave us more opportunities to grow and learn a lot faster with regards to operations, sales, marketing, HR, onboarding, recruitment, everything, like the whole package. And I think having that's priceless.
Having the greatest CEO (Orad Elkayam) and businessman I could ever imagine, has enabled me to learn how to sell and pitch our services at a very fast pace.
Being part of the MoGi Group enabled us to grow so fast on many different levels that normally would take years of trial and error.”
Mathieu reports his experience merging Cyrex into MoGi Group is a great example of “how one can benefit when there is a strong culture match and aligning goals.”
How so? I asked about material changes and results.
“What I can tell you is:
We quadrupled in size and revenue.
We now have dedicated marketing, HR and recruitment, content writers and sales teams.
The customers we now work with are very well known in the gaming industry and the projects we work on are AAA.
The level of reputation and trust has increased dramatically having this backbone.”
Cyrex provides penetration testing services to companies of varying sizes, from small startups all the way up to big corporations.
Today, their client base crosses multiple industries like fintech, healthcare, and cloud infrastructure, but their ‘bread and butter’ expertise is gaming.
Notable customers include Gameforge, Bethesda, Improbable, Sharkmob, and Mythical.
If you’re curious how penetration testing works, they use a three-phase system:
Passive Phase. Mostly reconnaissance. They determine the scope of the project by examining the target system, its architecture, programming languages, and functionalities.
Active Phase. This is the deep dive with a full, manual penetration test of the target system to probe for vulnerabilities.
Reporting. Once the full testing cycle has finished, they deliver extensive, no-holes-barred reports on all system vulnerabilities, from small insertion points to major security issues. They also outline fully the potential risks of each issue, how a malicious agent could exploit them, and provide creative best practice solutions to fix them.
Their ‘secret sauce’ for penetration testing is pair hacking.
Pair hacking is a highly efficient approach to penetration testing in terms of cost, thoroughness, and duration. Optimum for many scenarios.
The basic premise involves asking two highly-skilled ethical hackers, working together, to probe a system for vulnerabilities.
The process utilizes the power of collaboration to maximum effect with a lean headcount of two. The business gets fully comprehensive results that a sole ethical hacker can’t provide without the huge price tag that a larger organization conducting the test might charge to deliver equivalent (or inferior) results.
It works best when each of the ethical hackers has a mind that problem solves with different methodologies. They should also have an intuitive connection and harmony of hacking together that is mutually creative.
With these attributes combined, they’ll feed off each other collaboratively in an intense problem-solving loop with different approaches until they find a vulnerability — and, another, and, another — until there’s a long list of security issues identified. It’s a highly efficient process.
Also key is a “hacker mentality”. This can’t be overstated enough.
A true hackers' mind is just wired differently to other programmers, whether they are ethical or not. They hack because they get a thrill out of it. Applications are puzzles and their vulnerabilities the prize.
The people probing a system for weaknesses should think the same way real criminal hackers will attempt to do it.
Anyone testing a system for vulnerabilities should also be up to date with the latest techniques that hackers exploit. A lot of this information isn’t always easily accessible online and circulates in closed groups that world-class ethical hackers are privileged to.
Plus, because Cyrex provide external pair hackers, they’re not cognitively biased and are able to think more objectively. They see blind spots. They push the boundaries of a systems’ security. They spot vulnerabilities where businesses think they’re safe.
Pair hacking uses a similar “box” system to regular penetration testing. These are black, grey, and white box:
Black box. Hacker perspective. No intelligence provided. Minimal permissions required.
Grey box. Fast reconnaissance. All permissions granted. Partial documentation provided.
White box. Highest level of quality assurance. Full source code review. Full documentation provided.
Given pair hacking tests are usually orchestrated over a short intense period of time, the white or grey box options are optimum. These are the most thorough and likely to expose all system vulnerabilities.
The net result of all this means penetration testing times are cut in half. More vulnerabilities are identified with improved cost efficiencies compared to other penetration testing scenarios.
Results are peer-reviewed, so it’s a thorough process, and validated quality assurance loops yield in-depth results.
If you’d like to know more about penetration testing or cybersecurity in general, click here and drop your email to chat with Mathieu and Tim.
Here’s a quick recap on Mathieu and Tim’s approach to building a B2B business:
Turn a passion into a sellable service. Your energy will be contagious and you’ll most likely stick at it until it works.
Start risk-free. Launch your business as a student or on the side with a 9-5 job (like I did!). If it fails, no big deal. Try again.
Tap network. Talk to professors, colleagues, friends, or anyone in your network that may be able to introduce you to your first client.
Charge on success. To make using your product or service extra attractive in the beginning, charge on a ‘success’ basis.
Utilize referrals. Tap your first clients for warm introductions to new customers.
Carve out a niche. Competition is tough. Identify an underserved segment in the market and ‘own it’ as the specialist.
Actively sell. Having a great product is no good if nobody knows about it! Connect with target customers and share how you can help them. Tell your story and experiment with various channels and value propositions to figure out what works.
Focus on one sales channel. Spending your time on the one channel that delivers the best results (e.g. LinkedIn) is way more productive than spreading yourself thin over multiple channels.
Conduct memorable sales meetings. Most sales pitches blur into one. Make yours stand out and be worth remembering. Lean into the intrinsic utility of the product you are pitching to do that, so it’s intuitive.
Until next time!
To receive more newsletters like this, subscribe below. 👇