PortSwigger, the company behind the Burp Suite of security testing tools, swallows $112M

Sometimes the most successful startup ideas come from people building tools to solve their own needs. Such was the case with Dafydd Stuttard, a security expert who goes by Daf.

Nearly two decades ago, living in the small market town of Knutsford in Cheshire in the northwest of England, Daf was working as a security consultant for different clients.

On the side, he built apps that he could use himself to speed up some of the more routine parts of his work. He would give each tool a random name, use it for a while and move on; sometimes he would tell others in his community about the tools in case they were useful. (Daf already had a reputation as an ethical hacker and author in the security community so there was a ready audience for that.)

One day, tooling that he built to assist with penetration testing -- named Burp for no specific reason at all -- was one of his creations that he shared with others. It caught on, fast, and Daf decided to see how much further he could take it.

Fast-forward to today and you can see the fruits of Daf’s instincts on the value of the tool.

Burp is now Burp Suite, which is the centerpiece of a startup called -- playing on the drinking theme -- PortSwigger. It has more than 20,000 organizations as customers across 170 countries, with 80,000 individuals and “well over” 1,000 enterprises and organizations using its paid enterprise edition. (The enterprises include Microsoft, Amazon, FedEx, Salesforce and more.) Another operation under the PortSwigger umbrella, an educational platform called Web Security Academy, has more than 1 million users. And yes, there are now dozens more employees besides Daf.

PortSwigger, at 17 years old, has been bootstrapped and profitable from the start. Now, for the first time, Daf has decided to take on a substantial outside investment of $112 million to take the company to the next level. Brighton Park Capital from the U.S. is the sole investor.

“We need more expertise to achieve our ambition,” Daf said in an interview. “The market is getting bigger and more complicated and our customers’ needs are getting bigger."

"But capital wasn’t the biggest driver since we are cash-flow positive, and we had our pick of firms to work with,” he continued. That inbound interest came not just from investors but potential acquirers.

The company owes some of its success to Daf’s own reputation and modest accessibility.

(“Got an email from Daffyd Stuttard @portswigger today in response to a question about burp extender,” someone noted once on Twitter, now known as X. “Kinda feel like god just sent me an eml.”

But its rise also comes at the same time that cybersecurity has taken on a much bigger profile.

There are a number of point solutions provided by vendors across a vast, complex and rapidly evolving security landscape -- a landscape that has been formed out of the fact that security breaches and vulnerabilities are rising at record rates and causing more damage than ever before, not least because of the injection of AI into the equation -- and that has led to the creation of yet more applications and approaches to tackle that.

But one constant in that mix has been the role of individuals with deep area expertise: ethical hackers and human testers continue to play a major role in how problems get identified and fixed.

But these individuals need assistance and tooling, and that is where a company like PortSwigger comes in.

There are others like HackerOne and Bugcrowd that have aimed to productize the role of individual white hat hackers in security operations. Daf notes that these are not competitors to PortSwigger: they partner and his startup provides tooling to those platforms and others like them, which in turn get used by their users.

Longer term, it will be interesting to see what impact newer technologies and architectures will have on the role of individuals in tackling and solving security problems.

Although you might assume that a newer innovation like AI might present a threat in that regard, that is not the case, at least for now. Daf notes that there are a number of repetitive actions that penetration testers might perform that can be improved with automation.

Its sole investor agrees.

“We believe that despite automation, pen testers are still going to be required,” Tim Drager, a partner at Brighton Park, said in an interview. “Experts really understand. The attack surface has grown massively, and APIs have become prime targets, but when you couple that with the shortage of cyber professionals who have deep domain expertise… that’s why you need tools to help those who know what to do be more efficient. We see this as a prime area for growth. PortSwigger gives them super powers.”