Meet Stephen de Vries, CEO and Founder at Automated Threat Modeling Platform: IriusRisk

IriusRisk specialises in automated threat modeling and secure design so that organisations can “start left” – meaning they build security measures in from the beginning of the software development lifecycle. This means that our platform allows engineers, security specialists, and solution architects to easily identify and build in their security requirements before they begin writing any code.

Based on an architectural diagram of their product, it automatically generates associated threats and countermeasures, which not only helps predict the problems that could be found during testing but also tells teams how to mitigate them – stopping them from happening in the first place. It’s estimated that 50% of software security vulnerabilities are caused by design flaws, so solving the issue at an early stage is the most cost-effective way of building security within the software you’re developing.

We are also helping to drive behavioural change in organisations, putting security into the hands of engineers who want to build secure software and removing security as a bottleneck to create collaborative, cross-functional development teams. We are helping organisations to deliver more secure, resilient software that protects their assets, reputation and, most importantly, their customers.

How did you come up with the idea for the company?

We’re founded out of Spain and, in terms of our company name, the idea came from our surroundings. Operating in Huesca, our window view was the famous vineyard ‘Irius’ and, just as a vine grows when watered, we were determined to nurture and scale our business. The Risk element pertained to what we help clients prevent.

We started off as a consultancy in 2008.

My background is on the technical side of doing pen tests and training developers in secure design and development. From there, we started building the threat modeling product in 2014. We sold our first license that was big enough for us to stop consulting a year later in 2015, and subsequently started to grow our customer base and make new hires.

How has the company evolved during the pandemic?

The past year has been incredibly significant for the evolution of IriusRisk. The pandemic has presented more opportunity for cyber criminals to attack because of surging online connectivity. As such, there’s a rising demand amongst application security teams to ‘shift left’, which means moving security to the earliest possible point in the software development lifecycle, reducing security design flaws and their associated costs.

In September 2020, we received a $6.7m Series A investment from Paladin Capital, 360 Capital Partners and existing investors, which we’ve used to expand our product roadmap and grow our sales and marketing teams in the US and UK. With some of the world’s largest Fortune 500 financial, industrial and consumer groups among our customer base, we’re unwavering in our efforts to continue expanding in these sectors and other industries.
 

What can we hope to see from IriusRisk in the future?

A value we’ve retained from starting off as a consultancy is keeping our customers close, recognising pain points and solving them. Come what may, this is integral to our offering and will remain key for the future. This element of support isn’t just important for customer retention; applying their feedback to the product is invaluable as our suite of solutions is enhanced.

Though we have always been a remote-first company, we have four official offices in Huesca, Madrid, London, and Atlanta – and we continue to grow. We’re continuing to make new strategic hires, the most recent of which saw us bring in a VP of Marketing, and the more team leads are introduced, the more opportunity there is for me to go to the beach and relax. I jest, of course, but providing staff with autonomy is crucial and it translates into our broader philosophy of ensuring our customers feel empowered too.

What will always remain important to us is the wider cybersecurity and application security communities, where we believe we can play a crucial part to help people understand the value of secure design, learn how to threat model effectively, and promote the security it provides in the face of existing, new, and emerging threats.