How Mycroft scaled to over 100 customers without a playbook
For Mycroft co-founder and CEO Mike Kim, building a cybersecurity startup in Canada often begins without much shared experience to lean on. “There just aren’t enough battle scars in the cybersecurity ecosystem, especially in Canada,” Kim said. “You can read a lot about how to build a successful SaaS startup, but a lot of that advice may not be applicable to you, especially if you’re in cybersecurity.”
Kim came to that understanding after years spent within organizations such as KPMG, EY, FreshBooks, and PartnerStack, where he held various security and compliance roles and saw firsthand that cybersecurity remained deeply human-driven.
He has seen teams struggle to configure tools, build reports, and interpret signals across ever-expanding software stacks.
As companies layered on more security products, the burden of managing them grew alongside the risk they were meant to mitigate.
So in 2024, Kim founded Mycroft in response to the growing complexity of modern security environments and the strain placed on the teams running them. “The inspiration really for Mycroft was, ‘if I could code myself ten times, what kind of technology could I build?’” he said.
Mycroft’s product is built around AI agents designed to operate and optimize a company’s existing security stack, guided by human oversight and specialized expertise.
Mycroft aims to function as what Kim calls a virtual chief information security officer.
The platform’s AI agents assess an organization’s security posture, enforce policies, detect vulnerabilities within a company’s security stack, and remediate security gaps automatically.
“There are a lot of tools that tell you what’s wrong, but not that many that tell you what you should do about it,” Kim added. “That’s the gap we’re really trying to focus on.”
As Mycroft began to grow, so did Kim’s awareness of how differently cybersecurity companies scale compared to conventional SaaS startups.
Cybersecurity firms face longer sales cycles, higher buyer expectations, and tighter risk tolerance than most typical software firms.
Young cybersecurity companies are also asked to provide enterprise-level credibility much earlier than other traditional SaaS startups.
Kim said founders in more traditional SaaS firms might be encouraged to build directly around user feedback, but the same logic doesn’t always translate cleanly to security startups. “The problem with cyber is that sometimes the customer doesn’t know best,” Kim added. “Your product might be disruptive to their workflow, but it protects them. That balance is incredibly hard.”
The sheer complexity makes it difficult for entrepreneurs like Kim to rely on instinct alone.
Without a deep bench of collective knowledge to draw from, he said the early work of building Mycroft often involved seeking out perspectives beyond Mycroft’s immediate network.
The Cyber Challenge offered Mycroft access to that wider view.
Delivered by Rogers Cybersecure Catalyst in partnership with the Canadian Cyber Threat Exchange (CCTX) and supported in part by the Government of Ontario, the Cyber Challenge connects Ontario-based startups with sector experts and potential customers.
The program covers seven critical sectors — automotive, smart infrastructure, mining, law enforcement, agri-food, advanced manufacturing, and life sciences — with the goal of helping young cybersecurity companies move from early ideas to market-ready solutions.
The appeal of the program for Kim was that it could allow his company to support decisions with lessons from others building in cybersecurity.
He was initially surprised at the diversity of companies in the cohort. “I was expecting that everybody in the program would be very technical, but I think we found a pretty wide range of expertise,” he said.
Within the program, companies were rarely solving the same problems in the same ways, which also gave Kim a clearer idea of where Mycroft’s product could fit.