Email security: Material raises $40 million to neuter Microsoft and Google hacks

While Ryan Noon was living in Berlin in 2016, the American engineer closely followed the heated presidential contest back home. One news story soon became an obsession for him—much as it did for the entire electorate: the hack and release of embarrassing emails from the Gmail inbox of John Podesta, Hillary Clinton’s then campaign manager.

Noon puzzled over the election-shaking breach, widely attributed to Russian intelligence services. How could something like this happen? he pondered. Of course, he knew full well how: Most hackers accomplish compromises through phishing, tricking people into divulging sensitive information or, generally, using social engineering to hijack people’s accounts.

Most existing email security products focus on keeping baddies out of one’s inbox. But once intruders get past the proverbial gates—a firewall, a phishing filter—it’s often game over. “Just because somebody got in my email, they shouldn’t get everything that’s there,” Noon says.

“You can let emails through or block them, or mangle them, or make them wear a yellow hat that says, ‘This is from an external sender!” Noon says of typical email cybersecurity tech. “Basically, it’s kind of like a doorman that sits in front of your building in New York, and it asks: Do you have any matches in your pocket? Do you have a lighter?”

A better system for preventing fires, like Podesta’s: Install a sprinkler system.

Putting out the fire

That’s the analogy Noon uses the describe the product he started building in 2016, an idea that would morph into the startup Material Security. He corralled two former engineering colleagues to join him: Abhishek Agrawal and Chris Park, both friends he met while working at Dropbox. (Noon left his job at the cloud storage business in 2016, two years after having sold an analytics startup to the company.)

Material’s products tap the plumbing of cloud email services—specifically, the application programming interfaces, or APIs, offered by Microsoft 365 and Google’s G Suite—to deliver beefed up inbox security. Its flagship product identifies and locks down potentially sensitive emails, such as invoices or password resets, through integrations with identity-protection products that specialize in two-factor authentication, such as Duo and Okta.

Material offers other tools too. Another provides a way for companies to achieve “herd immunity” by letting people within an organization flag suspicious emails. Coworkers receive a warning when they click a so-tagged message or link, creating a “speed bump” that provides security teams time to investigate. Many other services, such as Mimecast, typically quarantine emails, a process that can sideline legitimate emails and thereby jam up operations.

Material’s customers include DoorDash, Lyft, and Mars. Dane Stuckey, the chief information security officer of Palantir, a security-obsessed data-crunching firm, tells Fortune that Material’s “entire approach is to assume breach—seriously, the bad guy is in your inbox. Now how are you going to protect your crown jewels?” Material’s solution is “actionable and easy,” he says.

A universal ‘Wow’

After providing some “angel” investment to Material in 2017, Elad Gil, a former Google and Twitter executive who is now one of Silicon Valley’s most prolific investors, would occasionally introduce the startup to prospective customers.

“It was kind of a universal, ‘Wow, this is something we really need and we’re going to move quickly on that,’” Gil says of peoples’ reactions. “You usually don’t see that sort of response or feedback.”

That traction persuaded Gil to invest more. On Tuesday, Material is announcing that it has raised $40 million in new venture capital funding in a round led by Gil, Noon and Gil exclusively tell Fortune. The startup has raised a total of $66 million in funding to date.

“I don’t think there are that many security products that can become big standalone companies, and that’s one of the reasons I don’t do a ton of security investing,” Gil says. “But this really stood out to me is one that had potential.”

‘Cockroaches will be emailing each other’

The security market remains a hotbed for M&A. Oftentimes, cybersecurity startups are acquired by much bigger technology firms, such as Cisco or Microsoft. Proofpoint, one of the biggest email security firms, was recently snapped up for $12.3 billion in what is regarded as the largest-ever software-related private equity buyout.

For Martin Casado, a partner at Andreessen Horowitz who led an earlier, 2018 investment round in Material, the recent Proofpoint deal validates his view that an email security business can rack up a large valuation. Casado earlier sold a network security startup, Nicira, to VMware for more than $1 billion.

Even though there are plenty of email security startups out there, Material’s approach is fairly unique. The biggest risk may be if Microsoft or Google starts to offer similar features as a default service. But Noon believes that as long as the two tech titans are locked in competition as a “stable duopoly,” Material can find a comfortable market sitting between them. (Plus, the company has protected its particular approaches with patents.)

“Email is not going anywhere. It’s as old as the internet, and it’s baked into all sorts of things. After the apocalypse, the cockroaches will be emailing each other,” Noon says.