Sector tracker · One-engineer companies · Threshold-driven
Cybersecurity — the one-person unicorn lens.
The single-researcher security tool — fast iteration, hard moat, narrow surface.
Thresholds — Cybersecurity
What makes a Cybersecurityrepo “solo-founder” here
- Stars (floor)
- ≥ 400
- Commits (rolling 90d)
- ≥ 60
- Distinct contributors
- ≤ 2
- Top-contributor share
- ≥ 88%
Concentration window: rolling 90 days.
Why one founder, why this sector
The shape of one-engineer companies in Cybersecurity
Security tooling rewards a single technical author for the first 18 months because the customer trust signal is the author's name on the byline. Solo-founder security companies usually emerge from a researcher's CVE backlog: one engineer ships a tool that automates their own disclosure workflow, then quietly turns it into a paid scanner. The hiring lag is intentional — adding contributors dilutes the technical-authority signal that buyers are paying for.
Tooling footprint
What the codebase looks like
Go or Rust, a `SECURITY.md` that lists a single PGP key fingerprint, scanner-style CLI with `-target` and `-format` flags, GitHub-Sponsors-only funding (no VC mention in README), Trivy/Snyk/OWASP-style naming convention.
Pattern to watch
The observable acceleration shape
Commit clusters tied to a CVE disclosure cycle — vulnerability announced Tuesday, scanner shipped Thursday, paid tier announced the following Monday. Star growth tracks news-cycle attention, not organic developer adoption.
Most common false positive
What looks like solo-founder signal but isn’t
Penetration-tester individual brands look like solo-founder companies but resolve to consulting revenue rather than product revenue. Look for a `/pricing` page that isn't gated behind 'contact for quote' — that's the difference between a product company and a consulting brand.
Archetype (composite — not a real person)
The Cybersecurity solo-founder shape, in one sentence
Application-security researcher ships a CI scanner that catches a specific OWASP class better than the incumbents, sells it to three Fortune-500 security teams in month four, and is still the sole engineer at Series A.
Composite archetype. We don’t name founders publicly — that edge belongs to dashboard subscribers, not the open web.
Where the live Cybersecurity data lives
From this thesis to the working board
This page is the editorial lens. The live data feeds are next door. /predicted is the weekly all-stage bet. /startups-to-watch ranks this sector by acceleration. /firstlook is the paid Dashboard where the threshold filter actually runs.
Related sectors
Where else this archetype shows up
Last reviewed 2026-05-22. Sector entries reviewed monthly. Methodology: /methodology.