For 26-year-old Saket Modi, trustworthiness is a defining trait. Companies—from airlines and banks to restaurant chains—have been flocking to his six-year-old cyber security firm Lucideus Labs, giving it access to their IT systems. They want Lucideus to scan their IT networks for security vulnerabilities, and suggest remedial measures. Even the National Payments Council of India (NPCI), India’s umbrella organisation for all retail payment systems, has reposed its trust in Modi to hack into their systems and look for threats.
At a time when securing data has become paramount, this is an onerous task. “I am not in the business of monotony,” says Modi. “We are an industry where we don’t know the output… You have to think like a hacker and find ways to penetrate a software or server that is designed to withstand hacking.”
Lucideus, which Saket started as a college student in 2012, currently has over 100 employees. Last year, it launched a new product, Safe (Security Assessment Framework for Enterprise), which makes it possible for a client company to view the real-time status of its IT framework on a smartphone and monitor potential threats. Companies can then upgrade the safety of their networks.
“Two weeks back [late March], a big health care provider approached us to look for malware in their IT systems,” Modi says. “Not only were we able to hack into their system and access millions of health care records, we could even change a patient’s health record.” Modi informed the company and they are now working on finding a solution to ensure that the data is safe. In another instance, Saket and his team demonstrated to a global bank how they could steal money from the bank even as they were launching a smartphone app.
Safe, Modi reckons is revolutionary, particularly since he claims it is the first of its kind in the world. “We have built a product that is ground breaking,” he says. “We have made a new category of cybersecurity product and there is not a single competitor that we have here. The product de-jargonises the cybersecurity threats for a company, helps create a scorecard for the IT systems and helps a CEO make informed decisions and choices. It’s like a blood test report, and based on the report, one can take decisions on their cybersecurity.”
Lucideus is soon planning to launch the Safe app, on Android and iOS, for individual consumers to detect data privacy issues on their devices and warn them against apps that compromise their privacy. The company trains students in areas such as network vulnerability scanning, and defending networks and web servers from attacks. “We are the world’s largest rated cybersecurity trainer on Google,” says Modi.Modi, whose father runs a franchise of Arena Animation—a training school that offers job-oriented courses in animation, multimedia and web designing—grew up in Kolkata. As a school student in 2008, Modi hacked into his school’s IT systems to access a chemistry question paper before his exam. A moral reckoning ensued and he realised that he can use his skills for social good.
“I refer to hacking as a lifestyle. Hacking means seeing things that other people miss, and you do something that wasn’t supposed to be done in that way,” says Modi. “For instance, using a toothbrush to clean a mirror is a hack.”
Modi moved from Kolkata to study at the LNM Institute of Information Technology, Jaipur. While still in college, he gave tutorials on ethical hacking at most of the Indian Institutes of Management for a fee. Modi also shot to national prominence by demonstrating how he can hack into a smartphone in 20 seconds, giving him access to call logs, text messages and photo galleries.
Modi started Lucideus while in the fourth year of college. The name Lucideus was suggested by his friend: ‘Luci’ for Lucifer and ‘deus’ for God. Two other friends, Vidit Baxi and Rahul Tyagi also came in as co-founders and the trio operated with capital from family and personal savings.
The company, set up in 2012, was later incubated at IIT Bombay’s startup incubator, Society for Innovation & Entrepreneur (Sine), which has a 2 percent stake in the company. In 2013, Lucideus set up its first office in New Delhi. Since then, it has been growing rapidly and currently boasts a clientele that includes ICICI Bank, HDFC Bank, IndiGo airlines, Havells and Pizza Hut.
“The product [safe] is like a blood test report, and based on the report, one can take decisions on their cybersecurity.”
Along the way, it also received funding from angel investors such as former Flipkart CFO Sanjay Baweja; Anand Chandrasekaran, head of platform and product partnerships (Messenger) at Facebook; and Amit Chaudhary, director, Motilal Oswal Private Equity.
“We don’t have any institutional funding, and therefore we have no external pressure,” says Modi. “The pressure that we have is internal because we feel the responsibility to do things. Last year, my [company’s] turnover went up by 230 percent, which was on the lower side. For years, the average was 400 to 500 percent, and we are once again looking at growth with Safe, since we have a scalable product.”
Modi’s faith in the scalability of Safe is based on facts. In 2016, data from more than 3.2 million debit cards in India were stolen, according to NPCI. Singapore-based research firm Canalys says the country has emerged as the world’s second-largest smartphone market, hence securing private data is a major concern. And with the government pushing digital payments, the cybersecurity industry in India is estimated to reach $38 billion by 2025, according to Nasscom.
“Cybersecurity today is a board-level topic and companies need to proactively ensure security,” says Sanchit Vir Gogia, chief analyst and CEO at research and advisory firm Greyhound Research. “Lucideus may not have the scale and depth of an IBM or an Accenture, but they have been doing a remarkable job, and have taken the cybersecurity space by storm with their expertise in the area.”
Last year, consultancy firm KPMG said that 79 percent of the companies in India it surveyed identified cybersecurity as one of their top five business risks, with 58 percent including it in their boardroom agenda. The report adds that more than 51 percent of the firms have seen a rise in their cybersecurity budget.
This March, network security firm Sophos said that for companies hit by ransomware last year, the median cost of the attack was $133,000, whereas for Indian companies it was $1.17 million, the highest.
“What companies need to know is not whether they will be hacked or not, but when. In a place like that, we play a crucial role.” Modi is only too convinced of the premise on which his company is built.