Their sales pitch was truly impressive.

I have experienced the frustration of being a victim of cybercrime firsthand. The emotional toll of witnessing the threat to your livelihood, combined with the financial losses due to business interruptions, is overwhelming.

My journey with cybercrime began over a decade ago, when I co-founded my first company with friends. We developed a highly visited website, which ranked among the top 1,000 sites globally within just 1.5 years of launching. However, shortly after I decided to leave my banking job to focus on the site full-time, we faced a DDoS attack on the very day I transitioned.

The timing was nothing short of uncanny.

As I departed from the HSBC headquarters in London, my cofounder urgently informed me, “we’re under attack!” Our website and business operations were rendered inoperative, leading to an overnight loss of revenue. We entered crisis mode, striving to regain control while dealing with clients and users. The technical fight lasted several days, and we did everything possible to survive.

Fortunately, with the help of our exceptional CTO, we managed to pull through. Nevertheless, we incurred significant financial losses and were left deeply concerned about potential long-term reputational damage with existing and prospective clients.

This experience fundamentally changed my perception of cybercrime. The costs became tangible rather than abstract news stories. Any organization can become a target if sufficient vulnerabilities exist, which is often the case.

Today, while DDoS attacks pose less of a threat for emerging startups thanks to services like Cloudflare, other forms of cybercrime are on the rise, with criminals employing increasingly innovative methods to extract value.

Companies in less obvious sectors, such as gaming, are becoming targets as their security protocols are often weaker. This vulnerability contributes to Cybersecurity Ventures' prediction that cybercrime could cost the global economy $10.5 trillion annually by 2025.

These vulnerabilities can allow hackers to access sensitive information, disrupt services, steal digital assets, hijack accounts, and create substantial challenges for businesses.

The gaming industry is now a major focus for cybercriminals. The sector has exploded in growth over the past 10-15 years, with valuable game assets and increased online competition making it a prime target for exploitation.

When I entered this field with my latest venture, Well Plaid, I was delighted to receive a message from cybersecurity expert Mathieu Huysman at a major industry conference before the pandemic.

I was pleased to engage with him.

Beyond learning how his company, Cyrex, could enhance the security of our gaming application through penetration testing, I was inspired by the entrepreneurial spirit and energy of Mathieu and his partner, Tim De Wachter.

Next, I will recount their unique sales pitch and the journey they undertook to build and exit Cyrex from the ground up shortly after graduating.

Their Sales Pitch

My first meeting with Mathieu and Tim turned out to be one of the most dynamic sales presentations I’ve ever experienced. Their energy was infectious, and their approach was anything but conventional.

I was struck by their expertise and enthusiasm. It was evident they were deeply immersed in hacking culture, which encouraged me to ask probing questions about the hidden world of commercial hacking and their method of building Cyrex.

Mathieu and Tim possess a distinct perspective on the digital landscape. While many companies feel secure, they see countless vulnerabilities ripe for exploitation—like an endless array of digital Achilles' heels.

To illustrate, during our meeting, they opened a laptop and utilized the conference’s official app as a live case study. Within moments, they identified a vulnerability that granted access to the contact information of over 10,000 attendees!

This was no illusion—it was alarmingly easy.

Their demonstration was far more engaging than typical sales presentations filled with PowerPoint slides.

Seconds later, with my consent, they displayed my contact information on the laptop screen. Thankfully, as ethical hackers, Mathieu and Tim reported the vulnerability to the conference organizers. However, had they chosen otherwise, this data could have been misused or sold for profit.

This experience is merely the beginning of a much larger issue. Numerous applications and systems harbor critical vulnerabilities that may already be exploited unbeknownst to their owners.

In their spare time, Mathieu and Tim participate in bounty programs for major corporations like Apple, identifying security vulnerabilities in exchange for generous rewards.

Eagerly, we spent the next hour discussing their ethical hacking methods and how they could safeguard my business.

Then, the conversation shifted to their journey in establishing Cyrex. I admired their determination and wanted to learn more.

The Origin Story

So, how did Mathieu and Tim successfully launch a cybersecurity firm from scratch?

One might assume they worked for an established cybersecurity company, leveraging their network to start their own. However, that’s not the case!

In a video interview for this newsletter, Mathieu revealed he has been exploring online business ideas and "hacking and testing software" since he was "14 or 15 years old," making the combination of these interests into a business a natural progression.

At university, Mathieu met Tim, where they studied various aspects of cybersecurity—network infrastructure, forensic analysis, malware analysis, and more. However, it was their mutual passion for hacking that truly excited them about collaborating.

“Discovering where developers have erred and figuring out how to exploit those mistakes gives us a massive adrenaline rush!” Mathieu stated.

Despite the thrill, they were committed to ethical practices. They opted to use their skills to help organizations enhance their digital security rather than exploiting vulnerabilities for malicious purposes.

When they were in their final year at university, they decided, “Hey, why don’t we start something together?” They were uninterested in working as employees; they wanted to build their own venture.

Thus, they began establishing a cybersecurity business part-time while still studying, allowing them to learn about entrepreneurship and what it takes to build a company without the pressure of failure.

Mathieu and Tim initiated small side projects that they scaled up over the next few years as their network expanded and they could hire more staff.

Acquiring Customers

Since acquiring customers is vital in the origin story of any B2B company, I inquired how they secured their first clients. After all, they lacked a professional network.

“Our university provided us with initial leads and contacts. We are incredibly grateful for that,” Mathieu explained.

The results were impressive. “The value we delivered was astonishing!”

Once those leads were exhausted, I asked how they grew their customer base in a competitive penetration testing market.

Early on, they experimented with various lead generation techniques, some of which involved identifying security weaknesses in companies that hadn’t solicited help, using ethical disclosure practices.

This approach yielded mixed results, with some companies reacting “very negatively,” prompting them to abandon it due to concerns about their market reputation.

However, the principle of providing upfront value is a solid foundation for lead generation. Unfortunately, the nature of their service—highlighting security vulnerabilities—initially caused apprehension for potential clients.

Their breakthrough in lead generation emerged from a shared passion for gaming.

While developing their cybersecurity business, Tim took on a part-time role as a Community Manager for Gameforge, a game developer. Eventually, he suggested testing their systems for vulnerabilities on a bug bounty basis, which Gameforge eagerly accepted.

“We discovered numerous issues and reported them. They were thrilled and awarded us bounties—2,000 to 3,000 euros each time,” Mathieu recounted.

“Gameforge was pivotal in introducing us to the gaming sector. They encouraged us to pursue our passion, and they began recommending us to other industry contacts.”

Crucially, this connection provided Mathieu and Tim with a unique selling proposition. Unlike other sectors that were saturated with penetration testing services, gaming was (and still is) underserved.

“There’s a significant lack of awareness surrounding security in the gaming industry compared to finance,” they noted.

As dedicated gamers, they possessed valuable insights into the motivations and tactics employed by both gamers and hackers to exploit security weaknesses.

Recognizing the unique risks and attack vectors specific to gaming, they believed developers would be better served by seeking their specialized expertise over their competitors—who tended to be generalists or focused on other sectors.

Their instincts were correct.

As their gaming clientele grew, so did their practical expertise, establishing a competitive edge.

I inquired about the lessons they learned regarding customer growth:

“Sales are just as crucial as operations and service quality. We learned this the hard way!” Mathieu admitted.

“For the first two years, we concentrated on perfecting our service and delivering excellence. We were intensely focused on that but neglected to prioritize sales. While we had a great service, demand was low because we didn’t actively promote it.”

“Both of us were technically oriented, and sales felt outside our comfort zone. Eventually, we realized that if we wanted to continue doing what we loved, we needed to start selling.”

Mathieu embraced the challenge and became the primary sales advocate for Cyrex.

Currently, a significant portion of their leads originates from cold outreach—“LinkedIn has been and continues to be our top lead generation platform… it’s truly a goldmine.”

To enhance LinkedIn outreach, consider tools like Expandi, which automate lead generation. Clients typically secure 50 sales meetings monthly!

Given Mathieu's lack of natural sales skills, I asked how he transitioned into the role and developed the necessary skills to generate leads and close deals.

“I don’t sell; I narrate our story and share our mission and vision, which resonates with our partners,” he explained.

He prefers to reach out to potential clients when he knows they have an upcoming game launch, initiating conversations about security and player protection.

This approach fosters discussions around the client’s interests, enabling him to demonstrate value rather than diving straight into a product pitch.

Looking ahead, Mathieu believes that distributing video content on LinkedIn will be the most effective method for customer acquisition, whether through informational videos, webinars, or personalized pre-recorded messages.

His recent experiments with this strategy have already produced positive results.

Mathieu noted that incorporating branded personalized videos significantly increases response rates for cold outreach messages. He uses Vidyard to create and host these videos, which take “around 10 minutes” to produce and are both professional and engaging.

Additionally, their upcoming webinar, “The Art of Online Game Hacking,” has nearly 200 attendees registered.

Acquisition

Mathieu and Tim's distinctive talents have not gone unnoticed.

Recently, Cyrex was acquired by MoGi Group, a company that offers various services to game developers.

I inquired what made this opportunity appealing.

“Joining the MoGi Group has significantly contributed to our growth and success. They have been entrenched in the gaming industry for 15-20 years and possess extensive contacts. For us, this was a gateway to numerous opportunities,” Mathieu explained.

“Importantly, we retain autonomy in our decisions. We do what we believe is best. We collaborate with a board that provides guidance, asking questions like, is this strategy effective? Is this approach suitable?”

“Our relationship feels more like a family than a typical investment. We have people who are genuinely passionate about our work and offer support.”

“Moreover, we’ve gained opportunities to learn rapidly in areas like operations, sales, marketing, HR, and recruitment, which is invaluable. Having an exceptional CEO (Orad Elkayam) has accelerated my learning in sales and pitching our services.”

Being part of the MoGi Group has allowed us to grow rapidly in many areas that typically require years of trial and error.

Mathieu highlighted that the integration of Cyrex into MoGi Group exemplifies the benefits of a strong cultural alignment and shared goals.

“What have we achieved?” I asked regarding tangible changes and outcomes.

“We’ve quadrupled in size and revenue. We now have dedicated teams for marketing, HR, recruitment, content creation, and sales. The clients we serve are well-known in the gaming industry, and we are involved in AAA projects. Our reputation and trust have soared, thanks to this support.”

Product

Cyrex provides penetration testing services for organizations of various sizes, from startups to large corporations.

Their clientele spans multiple sectors, including fintech, healthcare, and cloud infrastructure, but their primary expertise lies in gaming.

Notable clients include Gameforge, Bethesda, Improbable, Sharkmob, and Mythical.

For those curious about how penetration testing works, they implement a three-phase system:

1. Passive Phase. This phase involves reconnaissance to define the project scope by analyzing the target system, its architecture, programming languages, and functionalities.
2. Active Phase. This entails a comprehensive manual penetration test of the target system to uncover vulnerabilities.
3. Reporting. Following the testing cycle, they provide detailed reports on all identified vulnerabilities, ranging from minor issues to critical security threats, along with potential risks and best practice solutions for remediation.

Their unique approach to penetration testing is pair hacking.

Pair hacking is a cost-effective, thorough, and efficient method for penetration testing. It involves two highly skilled ethical hackers collaborating to identify vulnerabilities. This teamwork maximizes results while maintaining a lean team size.

The business benefits from comprehensive insights that a single ethical hacker might not uncover without incurring the costs associated with larger organizations performing equivalent (or inferior) tests.

This method is most effective when both ethical hackers utilize different problem-solving strategies and possess a natural synergy in their collaborative approach.

With these factors combined, they engage in an intensive problem-solving loop, discovering multiple vulnerabilities until an extensive list of security issues is identified. This process is remarkably efficient.

Additionally, a “hacker mentality” is crucial. This mindset is inherently different from that of other programmers, whether ethical or not. Hackers thrive on the thrill of problem-solving, viewing applications as puzzles and vulnerabilities as rewards.

Anyone testing for weaknesses should think like a criminal hacker, adopting the latest techniques that real hackers exploit. Much of this knowledge circulates in exclusive groups accessible only to top-tier ethical hackers.

Furthermore, since Cyrex employs external pair hackers, they maintain objectivity, uncovering blind spots and challenging assumptions about system security.

Pair hacking employs a similar “box” framework as standard penetration testing—black, grey, and white box:

• Black box. Hacker perspective. No prior intelligence. Minimal permissions granted.
• Grey box. Quick reconnaissance. All permissions granted. Partial documentation provided.
• White box. Highest quality assurance. Full source code review. Complete documentation.

Given that pair hacking tests are typically conducted over short, intense periods, the grey and white box options are most effective, ensuring thorough vulnerability detection.

Consequently, penetration testing durations are halved, resulting in more vulnerabilities identified with improved cost efficiency relative to other testing scenarios.

Results undergo peer review, ensuring a rigorous process, and validated quality assurance loops yield comprehensive findings.

If you’re interested in learning more about penetration testing or cybersecurity in general, feel free to click here and share your email to connect with Mathieu and Tim.

Takeaway

Here’s a brief summary of Mathieu and Tim’s approach to building a B2B business:

• Transform a passion into a marketable service. Your enthusiasm will be contagious, and you’re likely to persist until it succeeds.
• Start risk-free. Launch your business while still a student or alongside a 9-5 job (as I did!). If it doesn’t work out, it’s not the end of the world.
• Leverage your network. Reach out to professors, colleagues, friends, or anyone who might introduce you to your first client.
• Charge based on success. Making your product or service attractive at the outset can be achieved by charging on a 'success' basis.
• Utilize referrals. Seek introductions from your initial clients to potential new customers.
• Identify a niche. Competition can be fierce. Find an underserved market segment and establish yourself as a specialist.
• Engage in proactive selling. Having a great product is useless if no one knows about it! Connect with target clients and share how you can assist them. Narrate your story and experiment with different channels and value propositions to discover what resonates.
• Focus on one sales channel. Concentrating your efforts on the most effective channel (like LinkedIn) is far more productive than spreading yourself thin across multiple platforms.
• Conduct memorable sales meetings. Most sales pitches blend together. Make yours stand out and be unforgettable by leaning into the intrinsic utility of your product to make it intuitive.

Building a business?

I’m in the same boat! I’ve established two companies from scratch that generated multimillion-dollar revenue. You can receive more insights into the hustle of entrepreneurship and startup building through my newsletter.