Madrid – Something unusual is happening in Spain’s tech scene. For years, cybersecurity felt like a field dominated by the same handful of global giants. But over the past two years, a new wave of Spanish startups leaner, sharper, and oddly fearless has begun to reshape how companies protect themselves from the rising tide of cybercrime. What makes this moment different isn’t just the technology. It’s the urgency behind it. Spanish companies have been hit hard by ransomware, industrial espionage, and supply-chain attacks. In some sectors energy, financial services, healthcare cybersecurity is no longer a technical problem but a strategic one.
And so, a new generation of founders is stepping up.
Zynap: The New Darling of Spanish Cyber Defenses
If there’s one startup investors can’t stop talking about, it’s Zynap. The company raised €5.7 million earlier this year, but money isn’t the most interesting part. What grabs attention is how Zynap talks about cyber defense: not as a shield, but almost like a chess match. Their platform uses generative AI to simulate attacks before they happen, the same way meteorologists model storms. One early client, a mid-sized Spanish logistics firm, told us privately that Zynap predicted a credential-stuffing attack three weeks before it began. Their security chief said it was the first time they felt “ahead of the hackers rather than continuously two steps behind.”
Whether Zynap can scale this approach globally remains to be seen, but for now, they’re setting the tone.
CounterCraft: Turning Hackers Into Unwitting Informants
San Sebastian-based CounterCraft takes a different route: instead of blocking intruders, they invite them in. Their deception-technology platform builds digital traps that mimic real servers, real credentials, real employee behaviors. Hackers think they’ve hit gold, but in reality, they’re wandering inside a controlled environment where their every move is recorded.
One of CounterCraft’s clients, a European telecom we can’t name, admitted they discovered a previously unknown threat group thanks to CounterCraft’s decoy systems. What could have been a catastrophic breach became a controlled, almost clinical observation exercise. The company walked away not only unharmed, but with intelligence that improved their entire security posture.
IriusRisk: The Security Architect Every Developer Wishes They Had
While some cybersecurity companies chase attackers, IriusRisk focuses on the people building software in the first place. Their platform helps development teams model threats before a line of code is written. A Spanish bank using Irius Risk revealed that this shift-left approach reduced security vulnerabilities by nearly 40% in one year. For an institution handling millions of daily transactions, that’s not a small number, it’s the difference between resilience and chaos.
Ironchip: When Your Location Becomes Your Password
Ironchip takes a creative swing at digital identity. Instead of relying on conventional passwords or even biometrics, their technology verifies users based on their physical location. It’s a strange idea at first until you see it in action. In one pilot with a critical-infrastructure operator, Ironchip’s system detected an attempted login that used the right credentials but came from a location the employee could not possibly be in. It wasn’t a dramatic Hollywood hack, but it stopped a real intrusion attempt quietly, automatically, and in real time.
8Layers: The Cloud-Security Watchdog
As Spanish enterprises move deeper into the cloud, 8Layers has emerged as the team that spots everything traditional security tools miss. Their focus is identity-based attacks, the subtle, slow-moving breaches that often go unnoticed for weeks. At a Barcelona fintech startup, 8Layers reportedly detected privilege escalation steps that had bypassed multiple layers of existing defenses. The fix was simple; catching it was not. Without 8Layers, the breach might have matured into a full-scale incident.
Nymiz: Protecting Data by Making It Invisible
Data anonymization rarely gets headlines, but Nymiz has found a way to make it compelling. Their AI-driven engine scrubs documents, customer records, and internal files of anything that could reveal personal information. A public-sector agency that adopted the platform said the transition was “quiet but revolutionary.” Instead of constantly worrying about accidental data leaks, they could focus on actual policy work. Sometimes cybersecurity doesn’t need to feel like cybersecurity and Nymiz understands that.
Chainloop: Guarding Software Supply Chains
Chainloop has built a system that tracks every step of the software-development lifecycle, essentially creating a tamper-proof timeline of how code moves from creation to production. It’s a simple idea with massive implications. A large e-commerce company credits Chainloop with preventing what could have been a damaging supply-chain breach. A suspicious code modification wasn’t flagged by antivirus or scanners but Chainloop spotted the inconsistency instantly. The malicious code never made it into production.
Smart Protection: Defending Brands in a Digital Wild West
Online piracy, counterfeit products, and digital impersonations are an underreported part of cybersecurity. Smart Protection has taken this challenge head-on, building a platform that tracks down unauthorized copies of products, images, and brand assets. For a Madrid-based fashion brand, Smart Protection reduced online brand abuse by 60% in six months. Not dramatic in a technical sense but transformative in business terms.
Dedge Security: Trust for a Web3 World
Web3 security still feels like the Wild West. Dedge Security works to bring some order, offering auditing and threat-detection solutions for decentralized systems. Last year, one Spanish blockchain startup credited Dedge with saving their token launch after discovering a smart-contract vulnerability that could have drained millions in seconds.
Secrets Vault: Preparing for a Post-Quantum Era
Secrets Vault is one of the quieter names on the list, but their work matters. They’re building quantum-resistant encryption tools, the kind of security foundations companies will need when quantum computers become powerful enough to break traditional cryptography. A health-tech company working with them said it best: “We don’t know when quantum attacks will become real. We just know we don’t want to be upgrading our security after it happens.”
A Turning Point for Spain’s Digital Future
What’s striking about all these startups is not just their innovation, but how grounded they are in real-world problems. There’s no flashy marketing, no unrealistic promises, just focused teams building solutions for a landscape that keeps shifting faster than most organizations can handle. Spain may not have set out to become a cybersecurity powerhouse, but the momentum is unmistakable. If this wave continues, the country won’t just protect itself it may soon become a go-to hub for companies across Europe seeking fresh, intelligent, and pragmatic defenses.
