For Mycroft co-founder and CEO Mike Kim, building a cybersecurity startup in Canada often begins without much shared experience to lean on.
“There just aren’t enough battle scars in the cybersecurity ecosystem, especially in Canada,” Kim said. “You can read a lot about how to build a successful SaaS startup, but a lot of that advice may not be applicable to you, especially if you’re in cybersecurity.”
Kim came to that understanding after years spent within organizations such as KPMG, EY, FreshBooks, and PartnerStack, where he held various security and compliance roles and saw firsthand that cybersecurity remained deeply human-driven.
He has seen teams struggle to configure tools, build reports, and interpret signals across ever-expanding software stacks. As companies layered on more security products, the burden of managing them grew alongside the risk they were meant to mitigate.
So in 2024, Kim founded Mycroft in response to the growing complexity of modern security environments and the strain placed on the teams running them.
“The inspiration really for Mycroft was, ‘if I could code myself ten times, what kind of technology could I build?’” he said. Mycroft’s product is built around AI agents designed to operate and optimize a company’s existing security stack, guided by human oversight and specialized expertise.
Mycroft aims to function as what Kim calls a virtual chief information security officer. The platform’s AI agents assess an organization’s security posture, enforce policies, detect vulnerabilities within a company’s security stack, and remediate security gaps automatically.
“There are a lot of tools that tell you what’s wrong, but not that many that tell you what you should do about it,” Kim added. “That’s the gap we’re really trying to focus on.”
As Mycroft began to grow, so did Kim’s awareness of how differently cybersecurity companies scale compared to conventional SaaS startups. Cybersecurity firms face longer sales cycles, higher buyer expectations, and tighter risk tolerance than most typical software firms. Young cybersecurity companies are also asked to provide enterprise-level credibility much earlier than traditional SaaS startups.
Kim said founders in more traditional SaaS firms might be encouraged to build directly around user feedback, but the same logic doesn’t always translate cleanly to security startups.
“The problem with cyber is that sometimes the customer doesn’t know best,” Kim added. “Your product might be disruptive to their workflow, but it protects them. That balance is incredibly hard.”
The sheer complexity makes it difficult for entrepreneurs like Kim to rely on instinct alone. Without a deep bench of collective knowledge to draw from, he said the early work of building Mycroft often involved seeking out perspectives beyond Mycroft’s immediate network.
The Cyber Challenge offered Mycroft access to that wider view.
Delivered by Rogers Cybersecure Catalyst in partnership with the Canadian Cyber Threat Exchange (CCTX) and supported in part by the Government of Ontario, the Cyber Challenge connects Ontario-based startups with sector experts and potential customers.
The program covers seven critical sectors — automotive, smart infrastructure, mining, law enforcement, agri-food, advanced manufacturing, and life sciences — with the goal of helping young cybersecurity companies move from early ideas to market-ready solutions.
The appeal of the program for Kim was that it could allow his company to support decisions with lessons from others building in cybersecurity. He was initially surprised at the diversity of companies in the cohort.
“I was expecting that everybody in the program would be very technical, but I think we found a pretty wide range of expertise,” he said.
Within the program, companies were rarely solving the same problems in the same ways, which also gave Kim a clearer idea of where Mycroft’s product could fit.
Through the Cyber Challenge, Mycroft connected with sector experts and potential customers in the automotive and mining sectors. According to Kim, those conversations surfaced constraints that his team had not yet accounted for.
“There were some really unique insights that I had no idea about,” Kim said. “There are a lot of things that automotive companies want to do around security, but because of the distribution model and the sales model, they don’t necessarily have a lot of control over it, which was surprising. It almost gave us pause on going into that market.”
Today, Mycroft is focused primarily on the B2B SaaS and enterprise markets, with particular emphasis on financial services, FinTech, and healthtech.
Since completing the Cyber Challenge in December 2025, the company has grown to more than 100 customers and roughly 20 employees, with annual recurring revenue nearing $2 million CAD.
The startup is also well-financed, having raised a $3.5-million USD seed round last year, in addition to non-dilutive funding supplied by the Cyber Challenge. Other Cyber Challenge alumni have collectively raised nearly $3 million in cumulative investment since fall 2024.
Perhaps most importantly, Kim is now clear-eyed about what the learning curve looks like for many cybersecurity founders, thanks in large part to his experience in the Cyber Challenge.
“The program is awesome, it gives you a good foundation,” Kim said. But he is equally direct about what comes with that learning.
“Be prepared for a wake-up call,” he added. “There’s gonna be a lot of insights that you might learn throughout the program that might be discouraging, so you’ve got to have a thick skin.”
Those hard-earned insights can become reference points for future decisions, and over time, the battle scars that Kim believes will guide the next generation of cybersecurity founders.
To learn more about the Cyber Challenge and innovation programming at the Catalyst, visit cybersecurecatalyst.ca.
Feature image courtesy Eric Yanofsky on LinkedIn.
