Hacker News

While it's not in YC - there are a few SaaS-type security startups aimed at SMEs - such as https://intruder.io/ who I am a very happy customer of. This to me looks to be high growth.


There are dozens of these SaaS vulnerability scanning companies, with very little differentiation between them - they basically all run Nessus. It's difficult to see how they could make serious money, certainly not enough to interest VCs.


The only way is to make them free and build a marketplace of accredited and vetted pen testers who you charge to be on the platform. Still, how the hell you vet these people is a huge issue.


I think that's what bug bounty companies are doing by changing the model from paying for time spent to paying for (accepted) findings.

Personally I don't think any serious pentester will spend considerable time in this model though.

That said, I also think that one of the main challenges for buyers of pentest services these days is to evaluate the quality of a report or of the work done. Thoughts on how to improve that are most welcome.


Mostly they are cookie-cutter bullshit, right.


https://cobalt.io/ works more or less like that



