Sometimes the most successful startup ideas come from people building tools to solve their own needs. That was the case with Dafydd Stuttard, a security expert known to most simply as Daf.
Almost two decades ago, living in the small market town of Knutsford in Cheshire in North West England, Daf was working as a security consultant for different clients.
On the side, he built apps that he could use himself to speed up some of the more mundane parts of his job. He would give each tool a random name, use it for a while, and move on. Sometimes he would tell others in his community about the tools in case they were useful. (Daf already had a reputation as an ethical hacker and writer in the security community, so there was a ready audience for this.)
One of the creations he shared was a tool he had built to help with penetration testing, called Burp for no particular reason. It caught on quickly, and Daf decided to see how much further he could take it.
Fast forward to today and you can see the fruits of Daf’s instincts about the value of the tool.
Burp is now Burp Suite, the centerpiece of a startup called (playing on the drink theme) PortSwigger. It has more than 20,000 organizations as customers in 170 countries, with 80,000 people and “well over” 1,000 businesses and organizations using the paid corporate version. (Customers include Microsoft, Amazon, FedEx, Salesforce, and more.) Another business under the PortSwigger umbrella, an education platform called the Web Security Academy, has more than 1 million users. And yes, there are now dozens of other employees besides Daf.
PortSwigger, now 17 years old, has been profitable from the start. Now, for the first time, Daf has decided to take on a major external investment, $112 million, to take the company to the next level. Brighton Park Capital from the US is the sole investor.
“We need more expertise to achieve our ambition,” Daf said in an interview. “The market is getting bigger and more complex, and our customers’ needs are getting bigger.”
“But the capital was not the biggest driver since we are cash flow positive and we had the choice of companies to work with,” he continued. That inbound interest came not only from investors but also from potential acquirers.
The company owes part of its success to Daf’s reputation and his unassuming, approachable manner.
(“I received an email from Dafydd Stuttard @portswigger today in response to a question about Burp,” someone once noted on Twitter, now known as X. “I feel like God just sent me an email.”)
But its rise has also coincided with cybersecurity gaining a much higher profile.
Vendors offer a huge number of products in a vast, complex, and rapidly evolving security landscape, one shaped by breaches and disclosed vulnerabilities arriving at record rates and doing more damage than ever, largely because AI has been injected into the equation. That in turn has led to even more tools and approaches being created to deal with it.
But one constant in this mix has been the role of people with deep expertise: ethical hackers and human testers continue to play an important role in how problems are identified and fixed.
But these people need help and tools, and that’s where a company like PortSwigger comes in.
There are others, such as HackerOne and Bugcrowd, which aim to productize the role of individual white-hat hackers in security operations. Daf notes that these are not competitors to PortSwigger: they collaborate, and his startup provides tools to these platforms and others like them, which their hackers in turn use.
In the long term, it will be interesting to see what impact newer technologies and architectures will have on the role of individuals in addressing and solving security problems.
While you might assume that a newer innovation like artificial intelligence would threaten that role, this is not the case, at least for now. Daf notes instead that penetration testers perform many repetitive actions that automation can speed up.
His sole investor agrees.
“We believe that despite the automation, there is still a need for pen testers,” Tim Drager, a partner at Brighton Park, said in an interview. “The experts really understand. The attack surface has grown massively and APIs have become prime targets, but when you combine that with a lack of cyber professionals with deep domain expertise… that’s why you need tools to help those who know what to do be more effective. We see this as a primary area of growth. PortSwigger gives them superpowers.”