How war shifted the plans of one Ukrainian cybersecurity entrepreneur
When tech entrepreneur Andrii Bezverkhyi and two of his Ukrainian colleagues launched their cybersecurity startup SOC Prime in 2015, they made sure to have a crisis plan in place.
“What we couldn’t imagine was that we would have to implement it amid a full-scale invasion,” he said.
Although the company is headquartered in Boston, most of its team — more than 80 people — worked from Ukraine until Russia invaded earlier this year. Many employees have since moved to a newly opened office in Spain, but some, including Bezverkhyi, stayed behind.
The company rewards researchers for creating threat-detection algorithms, marketing itself as the Spotify of the cybersecurity world, drawing a parallel to how the Swedish audio streaming giant pays royalties to artists. It works with 600 freelance researchers globally.
Bezverkhyi’s reasons for staying were personal, political – and in some ways circumstantial. Just before the war, he fell ill with Omicron and canceled a planned board meeting in Silicon Valley. His next flight to the U.S. was scheduled for noon on February 24, the same day Russia launched its attack, bombing two airports in Kyiv.
So, instead of flying to the U.S., Bezverkhyi and his wife moved to a village in western Ukraine, close to the Polish border. “We have high-speed internet here — all I need to work in cyber defense,” he told The Record.
SOC Prime’s investors weren’t particularly happy with his decision to run his business from a war-torn country, and encouraged him to move to the U.S. Although SOC Prime had recently raised $11.5 million from investors — and plans to raise another round of funding to boost global growth, including in the U.S. — Bezverkhyi pushed back at their request.
“Everything is fine, we are defending ourselves and we can continue doing business,” he said.
Even if he wanted to, Bezverkhyi can no longer leave Ukraine due to martial law, imposed in February, which prohibits Ukrainian men aged 18 to 60 from crossing the country’s border without valid reasons.
Working amid crisis
It wasn’t easy to get back to work as air raid sirens sounded across the country and rockets fell from the sky. Some of Bezverkhyi’s colleagues had to evacuate from Kyiv, the main Russian target at the beginning of the war.
Bezverkhyi thought one of his investors, the Israeli fund J-Ventures, might have insight into operating in the midst of war. But it was to no avail: what Ukraine was experiencing was unprecedented, they said.
To adapt to the new reality, Bezverkhyi created hubs — groups of 5 to 10 people scattered across Ukraine. This made the work less centralized, with decisions made not only by the CEO, but also by the heads of the hubs. The change helped teams adjust as people in need of housing or food moved to different parts of the country.
To help Ukraine win the cyberwar, Bezverkhyi also announced that SOC Prime would provide Ukrainian companies and government agencies with free access to the platform.
“In Ukraine, we work for the state, while in other countries we continue to develop commercial business,” he said.
Before the war, SOC Prime had few customers in Ukraine — the country’s cyber defense market is still very small, Bezverkhyi said. About 40% of the firm’s revenue comes from U.S. customers, including banks, telecom companies, and government agencies, with the rest of its business mostly coming from customers in the U.K. and throughout the European Union.
When the firm started offering its services pro bono to Ukrainian companies, its priority was to teach them to use the Sigma language, which lets cybersecurity professionals describe how a threat shows up in log data in a standardized, vendor-neutral format.
Among its fans, Sigma is called “the common language for cybersecurity.” It was created in 2017 by cybersecurity experts Florian Roth and Thomas Patzke, two of SOC Prime’s advisors. One of its main advantages is that a rule is written once and then converted by tooling into the native query language of many different Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) systems, the platforms that collect and analyze security events.
With Sigma, analysts can share detection rules with each other in that standardized format instead of one tied to a particular SIEM or EDR product, so a rule published by a researcher in one country can be deployed by a team running an entirely different toolchain.
Sigma is the core of SOC Prime’s detection-as-code platform: researchers must write their detection logic as Sigma rules. On a platform whose specialists come from all over the world, sharing a lingua franca fits Bezverkhyi’s vision of cybersecurity professionals working together globally to fight threats.
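To make concrete what “writing detections in Sigma” and “converting them for a SIEM” mean, here is a small added example. It is not code from SOC Prime, the Sigma project or pySigma: the rule (an encoded PowerShell command line with an allow-listed parent process), the Sysmon-style field names, the three log events and the simplified Splunk rendering are all constructed for this illustration. The rule is written as a Python dict mirroring Sigma’s YAML layout so the script runs without extra packages.

```python
"""Minimal Sigma-style rule matcher and Splunk-style renderer (constructed example)."""
import re

# Constructed rule in Sigma's layout: title, logsource, named selections plus a
# condition. A real rule would be a YAML file with the same structure.
RULE = {
    "title": "Encoded PowerShell Command Line",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],  # list = OR
        },
        # Hypothetical allow-listed parent process, to show a 'not' filter.
        "filter_known_parent": {"ParentImage|endswith": "\\ConfigMgr.exe"},
        "condition": "selection and not filter_known_parent",
    },
    "level": "medium",
}

# Constructed process-creation events (Sysmon-style field names).
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc ZQBjAGgAbwAgAGgAaQA=",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand ZQBjAGgAbwAgAGgAaQA=",
     "ParentImage": "C:\\Program Files\\ConfigMgr.exe"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe -enc notes.txt",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

OPERATORS = {"and", "or", "not", "(", ")"}


def _tokens(condition):
    return re.findall(r"\w+|\(|\)", condition)


def _match_value(actual, pattern, modifier):
    # Sigma string matching is case-insensitive by default.
    a, p = str(actual).lower(), str(pattern).lower()
    if modifier == "contains":
        return p in a
    if modifier == "endswith":
        return a.endswith(p)
    if modifier == "startswith":
        return a.startswith(p)
    return a == p


def match_selection(selection, event):
    """Every field in a selection must match (AND); a list of values is an OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = patterns if isinstance(patterns, list) else [patterns]
        if not any(_match_value(event[field], v, modifier) for v in values):
            return False
    return True


def evaluate(rule, event):
    """Evaluate the rule's condition against one event."""
    det = rule["detection"]
    expr = []
    for tok in _tokens(det["condition"]):
        if tok in OPERATORS:
            expr.append(tok)
        elif tok in det and tok != "condition":
            expr.append(str(match_selection(det[tok], event)))
        else:
            raise ValueError(f"unsupported condition token: {tok!r}")
    # Only allow-listed operators and the literals True/False reach eval, so the
    # rule text cannot smuggle code in through its condition string.
    return bool(eval(" ".join(expr), {"__builtins__": {}}, {}))


def run(rule, events):
    """Indices of the events the rule fires on."""
    return [i for i, e in enumerate(events) if evaluate(rule, e)]


def to_splunk(rule):
    """Render the same rule as a Splunk-style search (illustrative only; real
    converters such as pySigma backends also handle field mappings, escaping
    and the logsource section)."""
    det = rule["detection"]
    wild = {"contains": "*{}*", "endswith": "*{}", "startswith": "{}*"}

    def render(selection):
        clauses = []
        for key, patterns in selection.items():
            field, _, modifier = key.partition("|")
            values = patterns if isinstance(patterns, list) else [patterns]
            tmpl = wild.get(modifier, "{}")
            alts = [f'{field}="{tmpl.format(v)}"' for v in values]
            clauses.append(alts[0] if len(alts) == 1 else "(" + " OR ".join(alts) + ")")
        return " ".join(clauses)  # adjacent terms are implicitly ANDed in Splunk

    out = []
    for tok in _tokens(det["condition"]):
        if tok == "and":
            continue
        out.append(tok.upper() if tok in ("or", "not") else
                   tok if tok in OPERATORS else "(" + render(det[tok]) + ")")
    return " ".join(out)


if __name__ == "__main__":
    print("fires on events:", run(RULE, EVENTS))
    print(to_splunk(RULE))
```

Only the first event fires: the second is the same encoded command line but launched by the allow-listed parent, and the third is not PowerShell at all. The same dict, rendered by `to_splunk`, becomes a query a Splunk user could paste in; a different backend would render the same rule into its own syntax, which is the portability the article describes.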
“We still have more threats than detection algorithms,” he said. “There are nearly 8,000 Sigma rules on our platform, while more than 10,000 software vulnerabilities are discovered every year.”
A “Spotify” for cybersecurity
In June, a 25-year-old Turkish cybersecurity specialist named Osman Demir was SOC Prime’s top contributor and received the highest payout. SOC Prime pays its freelance researchers an average bounty of $1,500 a month. Top researchers who write popular code get the biggest payouts — about $5,000 a month or more.
Since November 2019, Demir has written 559 Sigma rules, including those detecting hacker tactics such as defense evasion, credential access, lateral movement and exfiltration.
The most difficult to detect are zero-day exploits, according to Demir. During these attacks, hackers exploit the vulnerability before developers have a chance to fix it. For such attacks, threat hunters can only write predictive detection methods, he said.
The decision to work with independent researchers allowed the company to grow significantly faster than if it were writing algorithms in-house. “When we started writing the code ourselves, we produced nearly 100 rules a year,” Bezverkhyi said. “This year, we have 8,000 rules, and by the end of the year this figure may grow to 14,000.”
Demir, for one, seems to like the threat bounty program too. He said that it allows him to monetize his work and helps to maintain his “researcher identity.” Besides, “it is an honor to know that your rules help companies’ cybersecurity processes,” he said in an interview posted on the company’s website.
The majority of SOC Prime’s researchers come from Turkey, Indonesia, Singapore, Israel, France and Germany. Their resumes are validated by SOC Prime admins, who check to make sure they have proven security expertise, according to Alla Yurchenko, Threat Bounty Developer program manager. All researchers have their own internal rating, which is compiled based on the quality and popularity of the content they create.
Having an international team is an advantage, Bezverkhyi said. “Each person brings their local experience in cyber defense and it helps to better understand and identify cyber threats,” he said.
Working with international teams and clients from his office in Ukraine is not unusual for Bezverkhyi. Thousands of Ukrainian tech specialists do the same, many of them working for tech giants like Samsung, Google, Oracle and Viber, which opened R&D offices in Ukraine, attracted by low costs and flexible legislation.
Although working with foreign investors and clients became more challenging during the war, Bezverkhyi is happy that he didn’t leave his home country and can fight on the digital frontline. “There was not a single day when I regretted staying in Ukraine,” he told The Record.