Alper Memis — Co-Founder & CEO, Picus Security $80M Total Funding Raised Series C: $45M — September 2024 Simulated 1 Billion Cyberattacks Pioneer of Breach & Attack Simulation 500+ Enterprise Customers 98% Gartner Recommendation Rate Mastercard · Visa · Vodafone · ING CFA Charterholder · MBA · Mathematics Three Mathematicians. One Category. Ankara to San Francisco. Alper Memis — Co-Founder & CEO, Picus Security $80M Total Funding Raised Series C: $45M — September 2024 Simulated 1 Billion Cyberattacks Pioneer of Breach & Attack Simulation 500+ Enterprise Customers 98% Gartner Recommendation Rate Mastercard · Visa · Vodafone · ING CFA Charterholder · MBA · Mathematics Three Mathematicians. One Category. Ankara to San Francisco.
Alper Memis, Co-Founder and CEO of Picus Security
Co-Founder & CEO  /  Picus Security

Alper
Memis

Founder · Executive · Cybersecurity Pioneer

The mathematician who spent a decade managing Turkey's sovereign debt portfolio before co-founding the company that invented Breach and Attack Simulation - and raised $80M to prove the point.

BAS Pioneer $80M Raised CFA Picus Security Series C 1B Attacks Simulated
$80M Total Funding
1B+ Attacks Simulated
500+ Enterprise Customers
98% Gartner Recommend Rate
Profile

The Breach That Started Everything

Picture it: Ankara, 2013. A cybersecurity consultant finishes a large infrastructure project. Everything looks locked down. A month later, the organization gets breached anyway. The consultant — Volkan Ertürk, who would go on to co-found Picus Security — relays the story to his old university friend Süleyman Özarslan, who says the quiet part loud: the only way to defend a non-static system is to test it continuously. Ertürk calls a third math classmate from Middle East Technical University. That call reaches H. Alper Memis, who at the time is a Senior Associate at Turkey's treasury, structuring sovereign debt management strategy and running public-finance models for a government.

Memis doesn't have a background in cybersecurity. He has something arguably more valuable: more than a decade of understanding how risk works when the stakes are national. He knows what happens when you assume a system is safe without measuring it. He understands that the gap between theoretical security and operational resilience is where catastrophic losses live. And he has a CFA charter, an MBA with a Finance concentration from Boston University's Questrom School, and eleven years of government-level financial modeling.

In 2013, these three mathematicians incorporated Picus Security. They named it after the Eurasian green woodpecker - picus in Latin - known for methodically drilling through bark to find what's hidden underneath. The metaphor was not accidental.

"In 2013, we recognized that most organizations were making critical security decisions without knowing how effective their defenses were."

- H. Alper Memis, Co-Founder and CEO, Picus Security

The founding insight seems obvious in retrospect. Traditional security testing was episodic: a consultant would come in, run a penetration test, issue a report, and leave. The organization would fix some findings, consider itself patched, and wait a year. Meanwhile, the threat landscape moved daily. New attack vectors emerged. Configurations drifted. The test results expired within weeks of delivery.

Picus built a platform that simulates real-world cyberattacks continuously - not annually. It runs attacks against an organization's own security controls and tells defenders exactly what their firewalls, SIEMs, and endpoint tools can and cannot stop. Rather than generating lists of theoretical vulnerabilities, it generates evidence. The distinction is the product. Memis framed it cleanly: "Rather than bombarding teams with theoretical vulnerabilities, we let them know what weaknesses they should be most concerned about, given their unique environment."

Quick Profile

H. Alper Memis

Full Name Hamdi Alper Memis
Current Role Co-Founder & CEO, Picus Security
Nationality Turkish
Credentials CFA Charterholder, MBA (Finance)
HQ Location San Francisco, CA (est. Ankara, Turkey)
Co-Founders Volkan Ertürk (CTO), Dr. Süleyman Özarslan
Company Size 290 employees, 5+ global offices
Investors Riverwood Capital, Earlybird, Turkven, Mastercard
Education

Three Mathematicians, One Category

All three Picus co-founders studied mathematics together at METU - the same cohort, the same discipline, a lifelong friendship that became a startup twenty years later.

Middle East Technical University

B.Sc. Mathematics
Where Memis, Ertürk, and Özarslan first met

Boston University — Questrom School of Business

MBA, Concentration in Finance
Financial strategy and capital markets

CFA Institute

Chartered Financial Analyst (CFA)
One of the rarest credentials held by a cybersecurity CEO
The Bootstrap Years

Five Years Before Raising a Dollar

Picus Security went from founding in 2013 to its first outside investment in 2018 - five years of building without venture capital. That's an unusual timeline for a B2B SaaS company that would eventually raise $80M, and it shaped everything about how Memis runs the business.

Bootstrapping forces product discipline. You can't paper over weak retention with growth marketing spend. You can't hire your way out of technical debt. The five-year runway before external funding meant that by the time Picus took its first $1.7M seed in 2018, it had real enterprise customers, a real product, and real feedback loops from security operations teams who actually used the platform daily.

It also meant Memis spent those years in two parallel careers: he was Director of Treasury Operations and Financial Risk Management at Limak Group of Companies while simultaneously building Picus. Two full-time jobs; one mathematical background; zero shortcuts.

Picus Funding Journey
2018 — Seed $1.7M
2019 — Series A $5M
2021 — Series B $24-27M
2024 — Series C $45M
Total Capital Raised
$80M
Career Arc

From Sovereign Debt to Security Validation

~2002
Graduates from Middle East Technical University with a B.Sc. in Mathematics. Meets lifelong friends and future Picus co-founders Volkan Ertürk and Süleyman Özarslan.
2002
Joins the Turkish Treasury as a Senior Associate. Spends 11 years analyzing financial markets, building sovereign debt management decision tools, and modeling public-private partnership financial implications.
2013
Co-founds Picus Security in Ankara with Ertürk and Özarslan - in response to a real breach that exposed the limits of static, one-time security assessments. Also joins Limak Group as Director of Treasury Operations and Financial Risk Management.
2013-18
Bootstraps Picus Security for five years with no outside investment. Builds the product, secures early enterprise customers, and operates in parallel with his corporate finance role.
2018
Picus Security closes $1.7M seed round. The first external validation of a category Memis and his co-founders had essentially invented: Breach and Attack Simulation.
2019
Series A: $5M led by Bek Capital/Earlybird. Picus begins international expansion.
2021
Series B: $24-27M led by Turkven, with participation from Mastercard. A notable detail: a payments giant is backing a security validation company - because Mastercard is itself a customer.
2024
Series C: $45M led by Riverwood Capital. Picus announces it has simulated over one billion cyberattacks. Total company funding reaches $80M. Gartner names Picus a Customers' Choice for BAS tools with a 95% recommendation rate.
2025
Picus earns a 98% Gartner Peer Insights recommendation rate and a 4.8/5 score for Adversarial Exposure Validation - the category that evolved from BAS and is now the broader market Picus helps define.
The Core Idea

Replacing Assumptions with Evidence

Memis has a precise diagnosis for what's wrong with enterprise security. Organizations spend millions on firewalls, SIEMs, endpoint detection, and threat intelligence - and then assume those investments work. They get an annual penetration test that confirms some findings. They patch. They move on.

What they don't get is continuous proof. They don't know whether their Palo Alto firewall is actually blocking the attack techniques described in the latest MITRE ATT&CK framework update. They don't know whether their SOC team's detection rules fire on the specific malware variant currently trending in the threat landscape. They assume. The breach statistics suggest the assumptions are frequently wrong.

Picus changes the model: it runs automated, safe simulations of real adversary behaviors against live security infrastructure, then tells the team exactly what passed through undetected - and often provides a one-click mitigation. The company has processed over one billion attack simulations for customers across financial services, healthcare, government, and critical infrastructure.

Memis frames this not as a technology product but as an epistemological shift: from security based on confidence to security based on data. His CFA background probably helps here. An investment thesis requires evidence, not assertions. A security posture should be no different.

"While cybersecurity is often framed as a technical topic, it's about trust at its core. Trust from customers, employees, and partners that organizations will protect their data."

- H. Alper Memis

The company's expansion from BAS into Adversarial Exposure Validation (AEV) reflects this evolution. AEV is the broader discipline of continuously probing the attack surface, validating every control, and prioritizing remediation by actual risk rather than theoretical severity scores. Gartner tracks it as a separate and growing market - one Picus helped build the intellectual foundation for.

In His Words

Alper Memis on Security, Risk & Building

"Traditional testing methods provided only limited, one-off snapshots that quickly became outdated."

"Enterprises are looking for a more effective approach than their legacy vulnerability management practices, and are planning on implementing new exposure management technologies."

"After more than 20 years in business and finance, I appreciated how risk and resilience shape organizations."

"Rather than bombarding teams with theoretical vulnerabilities, we let them know what weaknesses they should be most concerned about, given their unique environment."

"Help organizations validate their defenses against real-world threats on an ongoing basis, replacing assumptions with clarity and evidence."

"As the pioneer of Breach and Attack Simulation, and now a leader in Adversarial Exposure Validation, we are very pleased to help our customers improve their security posture."

Track Record

What Picus Has Built

🏆

BAS Category Pioneer

Picus Security invented the Breach and Attack Simulation category - now a recognized Gartner Magic Quadrant market segment tracked by analysts and adopted by enterprises globally.

98% Gartner Recommendation

2025 Gartner Peer Insights Customers' Choice for Adversarial Exposure Validation, with a 4.8/5 star rating - one of the highest recommendation rates in enterprise cybersecurity.

📈

100% YoY Growth (Twice)

Picus delivered 100% year-over-year revenue growth for two consecutive years, reflecting strong product-market fit and enterprise demand for continuous security validation.

🌍

500+ Enterprise Customers

Customers span financial services, healthcare, government, and critical infrastructure - including Mastercard, Visa, Vodafone, and ING banking. A Mastercard entity is also an investor.

🔒

1 Billion Attacks Simulated

As of 2024, Picus has processed over one billion simulated cyberattacks across customer environments - a scale that provides unique threat intelligence and benchmark data.

🥇

Cybersecurity Excellence Awards

2026 Gold Award winner in both Breach and Attack Simulation (BAS) and Continuous Threat Exposure Management (CTEM) categories at the Cybersecurity Excellence Awards.

Background

The Treasury Years

Alper Memis's career prior to Picus is not a footnote - it's the operating system. From 2002 to 2013, he was a Senior Associate at the Turkish Treasury, one of the more demanding analytical environments in public finance. His work there included formulating medium and long-term debt management strategy, building financial models for sovereign decision-making, analyzing the financial implications of public-private partnerships, and running sustainability and sensitivity analyses on the government's debt stock.

Translate that into cybersecurity language and you get: modeling complex systems under uncertainty, identifying which risks are acceptable versus which require immediate mitigation, building decision frameworks for stakeholders who need clarity rather than data overload, and quantifying the cost of inaction. These are exactly the intellectual skills that differentiate a security validation platform from a vulnerability scanner.

After the treasury, he moved to Limak Group - a major Turkish conglomerate - as Director of Treasury Operations and Financial Risk Management, advising the chairperson directly. He was already a Picus co-founder by then. The discipline of managing two high-stakes roles simultaneously, one inside a large organization and one building from scratch, is probably the most underrated part of his story.

The CFA in the Room

  • The CFA (Chartered Financial Analyst) is one of the most demanding professional credentials in global finance - typically requiring 1,000+ hours of study across three rigorous exams
  • Fewer than 200,000 professionals worldwide hold the designation
  • Memis holds it, making him almost certainly one of the very few cybersecurity CEOs in the world with a CFA charter
  • The credential emphasizes risk analysis, financial modeling, and evidence-based decision-making - skills that map directly onto Picus's core product thesis
  • His background forced him to ask the question most security vendors avoid: how do you actually measure whether a defense investment is working?
Latest Updates

What's Happening Now

Jan 2025
Picus Security named 2025 Gartner Peer Insights Customers' Choice for Adversarial Exposure Validation - 98% recommendation rate, 4.8/5 star rating.
Sep 2024
Picus closes $45M Series C led by Riverwood Capital, with participation from Earlybird Digital East Fund. Total funding reaches $80M. Series C to fund product innovation and global expansion.
Sep 2024
Picus Security announces milestone: over 1 billion cyberattacks simulated across customer environments.
2024
Named 2024 Gartner Peer Insights Customers' Choice for BAS tools with a 95% recommendation rate. Alper Memis speaks at MENAISC 2024.
2026
Picus wins Gold Award in both Breach and Attack Simulation (BAS) and Continuous Threat Exposure Management (CTEM) at the Cybersecurity Excellence Awards.
Connections

Find Alper Memis Online

🌐 Picus Security — Official Website 💼 LinkedIn Profile 🐦 Twitter / X — @hamemis ✍️ Security Boulevard — Articles 📝 Picus Security — Blog Posts 🗞️ Citybiz Q&A Interview 🎙️ Pulse2 Interview 🚀 TechCrunch — Series C Coverage
Share This Profile