Recently, I sat down with Merav Ben Avi, VP of Marketing at YL Ventures, one of the most active seed-stage investors in cybersecurity. Merav’s path to the role is genuinely unusual: she grew up moving between countries as the daughter of a Foreign Service officer, worked in defense and foreign relations at the Israeli Ministry of Defense, and only transitioned into cybersecurity marketing five years ago. That background gives her a perspective on the industry that most people in it simply don’t have.

In this conversation, we talk about what CISOs evaluate now versus five years ago, how YL Ventures thinks about marketing from the moment a term sheet is signed, and why the best tech in the room almost never wins on its own.

You didn’t come up through traditional marketing. How did you end up where you are?

Not at all. I grew up moving because my father was in the Foreign Service. China, Liberia, Germany, the States. I wanted to follow in his footsteps, so I started a career at the Israeli Ministry of Defense in foreign relations. External facing, always. If you want to stretch it, you could say I was marketing Israel before I was marketing cybersecurity.

Five years ago, I transitioned into the industry in a content marketing role at YL Ventures. I’d never written about cybersecurity before, but what got me was watching founders talk about their work. The excitement, the problem they were solving, and how they were working with CISOs. You don’t need a product manager’s technical depth to tell that story well. You just need to see it. I got swept up quickly, and for the past two years I’ve been VP of Marketing at the firm.

What that means in practice is doing marketing for YL Ventures itself, but also working closely with our portfolio founders at the earliest stages, helping them find their positioning, their differentiation, and understand what they want to be known for.

In five years at YL Ventures, what’s the biggest shift you’ve seen in how buyers evaluate vendors?

The tech still matters. Product still matters enormously. But there’s no comparison between what this market looked like when I started and what it looks like now. The sheer noise and competition in cybersecurity is astounding. You have multiple vendors per buyer problem, not even per buyer.

So CISOs have moved. They’re not just evaluating technical fit anymore. They want to know if you’re going to be there in five years. They want credibility and longevity from a vendor, two things that are increasingly hard to demonstrate in a saturated market. Brand has become proportionally more important because of the noise.

Then there’s the peer dimension, which was always there but has become more acute. CISOs talk to each other, lots. They count on peer validation and peer evaluation more than they did before. A polished deck and a slick demo don’t cut through the same way they used to. Buyers want to be in the room where the problem gets talked about honestly, and to hear what other people like them say.

AI is obviously part of this too. We’ve quickly gone from “you need an AI story”, to CISOs rolling their eyes every time someone says AI. The first wave of AI cybersecurity startups has already been acquired. So it’s not enough anymore to say you’re going to secure their AI use. You need depth, whether that’s AI in how you build the product, or how you secure AI systems. The shallow framework doesn’t land anymore.

What channels and tactics are working for early-stage companies reaching their ICP?

The first thing I push founders on is precision in ICP definition. Not just who has the budget, but who owns the problem and who makes the decision. That shapes everything downstream. You might be building something developers use daily, but the AI security team holds the budget. Those are different channels, different messages, different communities.

For early-stage specifically, partner programs are critical. CISOs talk to each other, so you need three to five marquee CISOs who become evangelists once the product delivers real value to them. That network effect is worth more than most paid channels at that stage.

Events have also become incredible lead generation engines post-COVID, in a way I don’t think the industry has fully processed yet. People want human connection. CISOs want to feel you understand them before anything else. Small, curated dinners and roundtables consistently outperform traditional conference sponsorships for that reason. You don’t even need a marketer to start doing this as a founder. Get speaking opportunities, go to the relevant events in your category, be in those rooms.

I had a founder contact me this morning about their RSA budget. Before we talked numbers I asked: what’s the goal? Is this a brand exercise, or do you need CISOs in the room? Those are two different objectives, and the smart allocation looks different depending on which one you’re after.

How should early-stage marketers be using AI, and where do you draw the line?

When I’m interviewing candidates for a first marketing role at one of our portfolio companies, if they can’t show me they know how to use AI tools for various tasks, that’s a problem. You’re potentially the only marketer in the company for six to twelve months. You cannot be efficient without AI. That’s just the reality now.

But the real story isn’t content generation. CISOs are discerning. They will recognise generic AI-generated content immediately, and they are not impressed by it. So don’t show me you can generate a blog post from a prompt. That’s not the win.

The value is operational capacity. AI is what lets a team of one run a lean, fast marketing machine. Demand generation tools, content production operations, budget modelling, research. At seed and Series A, every hour of a marketer’s time is expensive. AI cuts both time and cost in ways that change what’s possible for a small team. That’s what I want to see candidates understand, and it’s why we’ve been running workshops for our portfolio teams specifically on how to use these tools across demand gen, content production, and budget planning.

You push for marketing from day one after a term sheet. What does that look like in practice?

It’s something unusual about how YL Ventures operates. We sign a term sheet, and we don’t let go. The day after, the founders are meeting the team, and I’m asking when we start thinking about the marketing hire. Because it’s that important.

At the seed stage, it’s founder-led marketing all the way. The founder is the face of the company. But that doesn’t mean the founder can ignore someone leading the strategy. One of the biggest mistakes I see is founders thinking they need to do everything themselves from day one, especially marketing. They’re brilliant at building technology. They’re often not equipped to articulate differentiation, and they’ll tell me they do A, B, and C. Which is fine. Except I can Google right now and find ten other companies saying exactly the same thing. Teasing out what’s genuinely different requires a marketing professional.

There are also two separate engines that need to run from almost day one. Stealth marketing has become its own playbook in a way that didn’t exist three or four years ago. If you were in stealth, nobody knew about you. Today, that’s not how it works. How you show yourself at conferences, how you start a LinkedIn presence strategically, how you control your narrative before you’re ready to go public with everything, these require thought and someone to lead them. You can’t just start writing LinkedIn posts as a founder and hope for the best.

What should that first marketing hire look like?

Someone who’s hungry to build from nothing. That quality matters more to me than a cybersecurity background. I’ve seen strong marketers without industry experience come in and build extraordinary go-to-market engines because they understood what building from a blank page requires.

What I want to see in an interview is someone who already has a roster of vendors they’d bring in and can articulate a 30-60-90-day plan for pipeline coverage and top-of-funnel metrics. Someone who’s thinking backward from ARR.

The other thing that’s non-negotiable: the marketing lead has to own the strategy, not execute the founder’s ideas. If a founder is dictating strategy to their first marketing hire, that’s not a relationship I’m excited about. I tell our founders directly: if you’re telling your marketing lead what to do, that person isn’t in the right role. Let them come in, tell you what it’s going to look like, and trust them to build it.

What about specialist agencies versus building headcount?

I’m a big proponent of agencies, especially at the earliest stages. When you’ve just signed a term sheet and have two or three founders and nothing else, starting to hire when you don’t even know what you need yet isn’t smart.

Part of what I do as VP of Marketing at YL Ventures is spend roughly thirty percent of my time meeting vendors so I can connect the right ones to our portfolio. When a founder has no graphic language and thinks they need to hire a designer, I can point them to someone who’ll build their first deck with a complete visual identity in a week. That just cuts time on everything else.

PR agencies are genuinely crucial, even in stealth. There’s enormous value in starting to build your name before you’re ready to go fully public. And for specific deliverables, like messaging and brand, design, content execution, specialist agencies deliver speed and quality that in-house headcount can’t match early on.

That said, there are real limits. After Series A, you need a marketing lead in place, and some agencies start to show their generic edge. You want your marketing team speaking your specific language and building your specific brand at that point. The goal post-Series A is to move beyond the generic and differentiate. Agencies help you get there faster. They’re not a permanent substitute for a team that owns your voice.

What’s the uncomfortable truth about the cybersecurity market vendors won’t say out loud?

Nobody cares about your cool technology.

I know that sounds harsh. But that’s not what gets you signed on as a vendor. You need to provide value beyond the tech. When a CISO looks at what you’re offering, the question is, what do you bring besides the solution? 

The best tech doesn’t win. We’ve seen it. These are saturated categories full of extraordinary founders building innovative products. Innovation is everywhere. What wins is a strong go-to-market engine. If you can’t build that, if you don’t bring in the people who know how to build it, the technology on its own won’t be enough.

Merav Ben Avi is VP of Marketing at YL Ventures, a seed-stage venture capital firm focused on Israeli cybersecurity startups. She previously served in foreign relations at the Israeli Ministry of Defense.

About Bora

We’re Bora. We work with security companies to turn complex technical capabilities into clear, credible market narratives.

Get in touch for a free 30 minute consultation. If we’re not the right fit, we’ll help find someone who is.