Scotland’s Quorum Cyber Bringing AI, Microsoft Security Skills To The US
‘You'll see us talk quite a lot more about how we're doing AI threat detection, how we're starting to see breaches as threat actors focus on attacking AI models, and how we are collecting probably the deepest threat intelligence around those techniques and how we detect them and contain them before they cause a breach,’ says Quorum Cyber CEO and founder Fede Charosky.
Quorum Cyber has big plans. The Scotland-based company, with deep roots in the Microsoft cybersecurity business, used private equity funding to recently make two acquisitions in the U.S., and is using those acquisitions as a base for a major international expansion.
The company, according to Quorum Cyber CEO and founder Fede Charosky, has also invested heavily in AI-focused security in a move to differentiate itself from other security-focused and AI-focused services providers.
Quorum’s expansion into the U.S. was not intentional at the start, but came as the company found it was doing well in the market, Charosky told CRN in an interview.
[Related: Panelists Weigh In On AI, Security: ‘They’re Really Perfectly Intertwined’]
“The data coming from America showed there's clearly a need,” he said. “What could we do if we actually put some effort behind this? How much could we make the company grow? That prompted organic investment first where we deployed a couple of teams in the region to start drumming up business. And then as we started to validate the strategy and confirmed the interest, the market side, our fit in region, we started an investment project that resulted in us on May 24 taking capital investment from Charlesbank.”
However, Charosky said, Quorum Cyber is not just banking on security for success.
“What we really want to do is enable customers to adopt AI faster and protect that adoption so they don't suffer the next breach by having moved too fast and without the right security in effect,” he said.
There’s a lot going on at Quorum Cyber and its quest to build an international security and AI business. Here’s more of CRN’s conversation with Charosky, which has been lightly edited for clarity.
Define Quorum.
We're a threat management company. Our job is to help customers increase resilience and get about their business while we take care of the bad guys. We identify as a service provider. We're not a vendor. We don't do licenses. We don't want to be considered as a software vendor. We are purely an outcomes provider.
Where's the company based?
The company was started in Scotland. I'm relocating to Boston in about six weeks. So the company is expanding quite a lot internationally. Our global HQ, if you want to call it such, will always stay in Edinburgh for effective reasons. But we have also offices in London, Boston, Toronto, and Dubai. So we're starting to grow quite a lot.
Why are you expanding into the U.S. at this point?
It wasn't necessarily on purpose. At the beginning, we started seeing success in the U.S. without really trying starting about two years ago. Gartner and Microsoft and word of mouth were showing us new customers and opportunities in North America. And when we started looking at our company strategy and where we wanted to go next and invest time and research and focus, the data coming from America showed there's clearly a need. What could we do if we actually put some effort behind this? How much could we make the company grow? That prompted organic investment first where we deployed a couple of teams in the region to start drumming up business. And then as we started to validate the strategy and confirmed the interest, the market side, our fit in region, we started an investment project that resulted in us on May 24 taking capital investment from Charlesbank, an American private equity firm. The sole focus of that investment was getting us a partner with bigger firepower that could help us expand into North America.
Is Charlesbank your sole investor?
It's our majority. We still have investment from Livingbridge, our mid-market U.K. prior investor. Livingbridge sold the majority of their stake to Charlesbank. When Charlesbank took a position in us, Livingbridge became a minority shareholder.
Did Charlesbank invest in Quorum with the express purpose of helping you expand into North America?
Correct. Organically and inorganically. We did the deal with Charlesbank last May, and then pretty quickly came out swinging. We did two acquisitions almost back-to-back. The first, in August, was a company servicing both Canada and the U.S. called Difenda. And then on December 31, so it still counts as 2024, we closed our second acquisition, Kivu, which says it's located in California but in reality is in 22 states in the U.S.
Did you have to make a lot of changes to your services to make them more acceptable to U.S. customers?
No, thankfully. I think that's partly why we were winning before the acquisitions. There was a really good fit for the way we deliver services and the outcomes that exactly met the market size and market niche we were working towards. We knew the need for local resources. If you really want to be in a region, you need to be able to work with the community around that region. So our acquisition of Difenda in particular was specifically aimed at getting the best talent quickly. Difenda has talent in spades. So that was a very logical step. But it wasn't a change in services as much as it was just getting capability and geography that is time zone- appropriate and language-appropriate. But the service delivery model is identical. We haven't changed it even 1 percent.
How about dealing with different regulations when opening in the U.S.?
It doesn't change the service. We work across all regions with regulated customers with specific requirements that are generally based around where the people and data are located. Our model doesn't move data from the customer premises no matter where the customer is. So for customers in Australia, the Middle East, Europe, and America, their data stays always within their environment and tenancy. That's one of our differentiators. We can easily have one central nervous system, potentially in the U.K., and then cater to customers everywhere. When expanding into a region, it's nice to have people there and to be able to satisfy local regulatory requirements, but it wasn't required. We are also very conscious about where we don't hunt for business. For instance, we are not trying to do Federal government business at the moment. We know about FedRAMP (Federal Risk and Authorization Management Program) regulations and CMMC (Cybersecurity Maturity Model Certification). We also know that if we want to expand our customer profile, we might have to invest in other areas. We've been very selective about where we want to go.
Does Quorum offer managed services?
We do not identify as an MSP, and we're quite adamant about that. We on purpose want to create a bit of distance between your traditional MSP model and what we're trying to do. And a lot of the difference stems from, look, if you are looking to outsource a process and partner with somebody that runs that process, go to an MSP. They're great at that. If you're looking for an outcome, you come to us. We determine the process, and we bring the technology, because we know, better than anyone, how to make Microsoft technology zing to help you fight bad guys. We're really focused on exactly where we win. We know exactly where we have the most value. We don't want to be a generalist house that just says yes to anything. We're very happy to tell a customer we're not the best fit. But if you want to build a business, and if you want to maximize the value of what you can do with Microsoft technologies in cyber, we’re your guys.
Is what you do specific only to Microsoft?
Yes. We're very agnostic about what technologies customers have. We have customers that are multi-cloud or hybrid on-prem, that may use CrowdStrike or Palo Alto. We don't particularly care what they have. We just bring the Microsoft technologies to do our job.
What are some of the key Microsoft products and services you provide?
If you look at Microsoft’s security stack, it's quite a quite a comprehensive beast. Sentinel and Defender was where our DNA started. We've been working with Sentinel, Microsoft’s SIEM (security information and event management) and SOAR (security orchestration, automation, and response) technology set, since before it was called Sentinel. We were part of the partnership team that helped develop the product. We started with it when Microsoft started it. And the Microsoft Defender stack—the entire XDR stack with a massive collection of acronyms underneath it: Defender for Identity, Defender for Office 365, Defender for whatever you want—is bolted right at the heart of what we do. And over the last couple of years, we've extended to the other parts of the security stack. We're probably the lead partner globally for Microsoft's deployment of Purview. We're leading in the implementation of the Entra suite security of products. We're leading in their operational technologies and their CyberX. We work with their threat intelligence platform and their RiskIQ. Literally, we probably have the largest collection of security experts in a Microsoft partner.
Is Quorum a profitable company?
We've been at break even for the last couple of months. May is an important date for us internally where we're doing a whole bunch of re-strategizing. We're probably going to go into a small burn for about six to nine months to continue working on our platform. But we're aiming towards 20-percent EBITDA within the next two years.
After Quorum acquired Difenda and Kivu, did those companies operate under the Quorum name or do they keep their own names?
The ‘Difenda’ name’s last day was actually early last week. The brand is now fully retired. Kivu will continue to operate as ‘Kivu owned by Quorum Cyber,’ but the name ‘Kivu’ has strategic advantages in the markets we operate in, in insurance and legal, and we don't want to lose that equity for now. We're still thinking beyond the next nine to 12 months and how we evolve the brand. But for the immediate future, the plan is no change. People love the brand.
Do you plan more acquisitions going forward?
Not at the moment. I don't want to burn the team. We'll be reactive if something if an opportunity appears. But at the moment, we think we have all the ingredients we need to build the quadrant leader we have planned in threat management, but if somebody appears with something too good to pass, we'll always look at it. It's nice that we took our time with our first acquisition. It was years of waiting until we thought we were ready. We then did two, not one, and it's so far been really successful. We’re proving we can integrate them well. I need to land those planes and prove to my board, to myself, to our executive team, that we can do this at scale. So for the moment, we're good, but we'll be reactive if anything comes up.
What are your strategic priorities for 2025?
There are four key strategic priorities. We've done the acquisitions, so the integration of those acquisitions is a key part. But outside of that, the additional investment muscles we're really testing are around fueling the go-to-market machine, from marketing to business development to account sales to account managers to sales engineers. That team is going to get a huge injection. Getting that sales operating model working well across the globe is a key focus for us right now. The second focus is expanding our portfolio. We are really good at taking existing customers on new journeys, and that requires us to be always adding to the portfolio. We've added three or four products over the last 18 months. We're adding another three or four products over the next 18 months. Continuing to cater to customers’ needs and journeys is super important. We’re focused on everything cyber. We know our lane. We know what we're good at. I don't want to become a data center migration guy or applications and database guy. Cyber is all we do. Number three is expanding our own platform, called Clarity, which is how we deliver all of these services at scale across the globe. That's how we achieve the efficiencies we have and the kind of quality of service we have. It's also how the customer experiences our service. A priority investment here is important for us to achieve customer retention. We want to keep growing that. The last is the international expansion while also focusing on our U.K. dominance. We want to make sure that in pursuing new markets we don't forget about our strength in the home base.
What have you done on the AI front?
We're doing quite a lot of work here. Everybody is trying to do AI implementation, almost like a me-too: ‘We have it too. Hey, we put AI in our SOC (security operations center), isn’t our SOC better.’ That didn't feel like the true value of AI for us. We decided to take a different approach in how we protect our customers’ adoption of AI. Pretty much all our customers are building their first large language models with their business data and their first agents. They're starting to adopt this at a business level. We decided to use our skills to protect their adoption of AI. We call this AI MDR (managed detection and response). The idea is, how do we help protect LLMs and the data repositories that these customers are building? How do we detect breaches or injection attacks? And that's a very different tactic from what we're seeing in the market where everybody's saying, ‘Hey, I have AI myself.’ We do that too, but we've always done that. I don't particularly care, and I don't think differentiating on a feature is important. What we really want to do is enable customers to adopt AI faster and protect that adoption so they don't suffer the next breach by having moved too fast and without the right security in effect. I think Microsoft particularly likes that approach, because it's helping everybody drive their AI journey that Microsoft [is pushing and] probably needs to see a return of investment on. If we can help with that journey, we have a real chance to add value. So you'll see us talk quite a lot more about how we're doing AI threat detection, how we're starting to see breaches as threat actors focus on attacking AI models, and how we are collecting probably the deepest threat intelligence around those techniques and how we detect them and contain them before they cause a breach.
