Conversation
Highlights

Against the Grain: How Cleafy Built a Cybersecurity Company by Breaking Traditional GTM Rules

Most cybersecurity startups follow a predictable playbook: raise big early, expand aggressively in the US market, and scale the team rapidly. Cleafy took the opposite approach – and it worked.

When Matteo Bogana and his co-founders launched Cleafy in 2014, they faced immediate skepticism. Their technology challenged conventional wisdom about what was possible in fraud prevention. “Everybody was telling us, you are trying to fix a problem that is not actually technological complex, but scientifically impossible to do,” Matteo recalls in a recent Category Visionaries episode. “There have been ten years of research in this topic between universities and corporations, and so you will not do it.”

But they did it. Cleafy developed real-time web content tampering detection without contextual information – a breakthrough that positioned them at the intersection of application security and fraud management.

The early days tested their resolve. With just four founders, they spent two years struggling to land their first customer. The challenge wasn’t just technical execution – it was market timing and trust-building. As Matteo explains, “We are mixing together actually cybersecurity and the fraud in the same context and in the same solution. So people were not actually very willing to discuss and to open up their problems when were presenting because were not IBM, were not a consolidated company.”

Their response was strategic patience. Instead of raising large rounds to fuel aggressive expansion, Cleafy grew organically after a small seed investment. “If I would have collected plenty of investments at the very beginning, probably I would have failed,” Matteo reflects, “because the capability of the company to have market and very aggressive and the hypergrowth space at the beginning was not there.”

Perhaps their most contrarian move was avoiding the US market initially. While peers rushed to establish US beachheads, Cleafy focused on Europe. “The most important GTM decision that I made has been not to start in the United States,” Matteo states. This choice proved prescient – European Central Bank regulations and financial institution requirements created more complex fraud challenges than the US market, allowing Cleafy to build deeper expertise.

Their go-to-market strategy evolved to address different buyer personas. With established banks, they navigate organizational silos between fraud and security teams. Fintechs, however, grasp their value proposition immediately because they “already have in place a mindset in which there are no silos and no barriers. There is no difference between cybersecurity, application security, fraud management and integrated financial risk.”

Rather than leading with product pitches, Cleafy built credibility through threat intelligence sharing via Cleafy Labs. Their team now presents at closed-door NATO, Interpol, and FBI events, establishing trust with decision-makers. “We prefer to have a market in which we create trust, describe into the market what we are able to see, to identify and to manage in a very neutral way,” Matteo explains.

Looking ahead, Matteo sees AI transforming both attack vectors and defense mechanisms. While AI will automate routine tasks, he emphasizes that human expertise remains crucial for complex threats: “You cannot imagine that there’s going to be an automatic system capable to all the job on its own.”

Cleafy’s journey offers a masterclass in strategic patience and market understanding. By challenging conventional wisdom about fundraising, market entry, and sales approach, they’ve built a sustainable business positioned for long-term success in the evolving fraud prevention landscape.