How to Spot a Fake Cybersecurity Startup: Red Flags Guide
Updated July 17, 202624 min read

Scam Cybersecurity Startups: Red Flags Every Job Seeker Must Know

A practical due diligence checklist to protect your career from fraudulent cybersecurity companies and fake job offers

What you’ll learn in this article…

  • Employment scams cost job seekers $363 million in 2025.
  • Verify founders: Burkman and Wohl, convicted felons, ran IRIS C2.
  • Always request a company's legal business registration before applying.

How can a cybersecurity startup that promises millions for zero-day exploits and racks up thousands of Twitter followers actually be a front for convicted felons? In July 2026, IRIS C2 made headlines after it was exposed as the latest venture of Jack Burkman and Jacob Wohl, two men with histories of fraud, voter suppression schemes, and securities violations.1 Their operation looked credible on the surface, demonstrating just how easily scammers can dress up a criminal record as a legitimate offensive security firm.

For cybersecurity job seekers, this case isn't an outlier; it's a warning. The industry's explosive growth and startup culture create a perfect environment for fraud. Urgent hiring needs and a fog of technical jargon can pressure candidates into skipping background checks, while the allure of high pay and cutting-edge work clouds judgment. Understanding what cybersecurity is and why it matters is a good first step, but knowing how to vet a potential employer is equally essential. When trust is your currency, taking a role with a sham company doesn't just waste your time; it can tarnish your reputation before your career gets off the ground.

Why Cybersecurity Startups Are a Prime Target for Scammers

The cybersecurity industry's urgent need for talent often pits speed against safety: accept an exciting startup role quickly, or risk losing out while you verify the company's legitimacy. This tension is especially acute in offensive security, where scammers exploit the very norms that protect legitimate operations.

The Secrecy Shield: How Norms Enable Fraud

Offensive security firms routinely handle sensitive information. Non-disclosure agreements, penetration testing engagements under pseudonyms, and classified government contracts are standard practice. For a job candidate, these provide plausible cover stories for a fraudulent startup. A fake company can claim NDAs prevent it from disclosing client names or can point to a mysterious government project as the reason for a sparse online presence. Because silence is expected, a scammer's silence rarely triggers immediate suspicion.

By the Numbers: The Staggering Cost of Job Scams

The scale of employment fraud makes the risk impossible to ignore. The FBI's 2025 Internet Crime Report, released in 2026, recorded over one million complaints and $20.8 billion in total cybercrime losses.1 Employment scams alone cost victims $362.9 million last year, a 400% jump from 2023.1 The Federal Trade Commission paints a similarly dire picture: job scam losses reached $501 million in 2024, with reports more than tripling since 2020.2 Even task-based job scams, where victims pay upfront for "assignments," raked in $220 million in the first half of 2024 alone.3

Urgency Overrides Skepticism

Cybersecurity careers face a persistent talent shortage; there are simply more open roles than qualified professionals. This creates a seller's market where offers appear fast, and candidates often leap before they look. When a startup dangles a senior role, equity, or a niche offensive security position, the fear of missing out can short-circuit due diligence. Scammers know this and design pitches that press on that urgency: limited-time offers, immediate start dates, or claims that a government clearance is "in process."

A Real-World Example: The IRIS C2 Case

A 2026 investigation by KrebsOnSecurity brought these dangers into sharp focus.4 IRIS C2, a self-described cybersecurity company offering bounties of $10,000 to $7 million for zero-day exploits, was founded by Jack Burkman and Jacob Wohl. Both are convicted felons: Wohl pleaded guilty in 2019 to selling unregistered securities, and the duo was sentenced to probation in late 2025 for a robocall scheme that suppressed voting. Their company, operating as Calvexa Group LLC, lists an Arlington, Va., address that doubles as Burkman's lobbying firm. Despite this, the startup gained thousands of social media followers and cultivated an aura of government connections. For entry-level cybersecurity job seekers who later discovered the truth, the reputational damage could be severe. IRIS C2's story underscores why even a polished website and a flashy pitch demand skeptical scrutiny.

Job Scam Losses at a Glance

Employment scams are surging, with the FBI's Internet Crime Complaint Center recording $363 million in losses in 2025 alone. As cybersecurity talent remains in high demand, scammers are targeting job seekers with fake startup opportunities.

In 2025, employment scams caused $363 million in losses from 24,688 complaints, with an average loss of $14,700 per victim, while the global cybersecurity workforce gap reached 4.8 million in 2024.

Red Flags in Cybersecurity Startup Job Postings

Scammers know cybersecurity talent is in high demand, so they craft job postings that look enticing but hide warning signs. Learning to spot these clues early can save you from wasting time on a fake opportunity or, worse, becoming entangled in a fraudulent operation.

Vague Descriptions Loaded with Buzzwords

A legitimate cybersecurity job posting gets specific. It names tools, frameworks, and day-to-day tasks. When a startup listing leans heavily on buzzwords like APT, zero-day, or red team without explaining how you would actually work with those concepts, treat it as a red flag. Real offensive security roles detail whether you will be reverse-engineering malware, writing custom exploits, or conducting threat hunting. If the description sounds like it was copied from a hype reel, dig deeper before you apply. Candidates who have completed a cybersecurity degree program know what genuine role requirements look like, which makes vague postings easier to recognize.

Compensation That Sounds Too Good (or Too Strange) to Be True

Scam startups often dangle unrealistic pay to hook job seekers. Watch for equity-only offers with no base salary, payment entirely in cryptocurrency, or entry-level salaries that rival senior architect roles. The recent IRIS C2 case is instructive: they publicized a bounty range of $10,000 to $7 million for zero-day exploits, numbers so implausible for an unknown firm that they should have triggered immediate skepticism.1 Legitimate companies, especially early-stage ones, may offer equity but they also provide a market-rate salary and clear compensation structure. Researching cybersecurity certifications that pay six figures gives you a solid baseline for what credentialed professionals actually earn.

Requests for Upfront Payments or Unpaid 'Trials'

A classic job scam tactic is asking you to pay for your own equipment, software, or background check before you are hired. Some fake startups go further, requiring candidates to complete unpaid trial projects that turn out to be real client work. Cybersecurity firms that demand a skills test involving hours of free penetration testing or vulnerability research are likely exploiting your labor. Legitimate employers either pay for trial work or limit assessments to short, structured scenarios that do not generate direct business value.

Structural Clues That Something Is Off

Look at the mechanics of the posting itself. A missing hiring manager name, a generic contact email from Gmail or ProtonMail instead of a corporate domain, and job ads that appear only on social media platforms rather than established job boards all signal a potential scam. If you are still exploring the field, resources covering entry-level cybersecurity jobs can show you what a normal hiring process looks like and set expectations for legitimate employer behavior. Real startups may have a limited web presence, but they almost always use a company domain for official communication. If you cannot verify that the posting originated from a real company representative, consider it a red flag until proven otherwise.

How to Research a Cybersecurity Startup Before You Apply

Vetting a cybersecurity startup before you apply is not optional. It is a safeguard against getting tangled in fraudulent operations. A structured approach exposes empty claims before you commit your career.

Start with Basic Business Legitimacy Checks

Begin by verifying the company actually exists as a legal entity. Use a WHOIS lookup tool to check the domain's creation date; if the site is less than a year old but touts multi-million-dollar contracts or a long track record, treat that as a red flag. Next, search the state business registry where the startup claims to be headquartered, for example the Virginia SCC or Delaware Division of Corporations. Look for the LLC or corporation filing date, registered agent, and current status. If the startup says it has raised venture funding, search the SEC's EDGAR database for Form D filings, which legitimate fundraising rounds often trigger.

Verify Funding and Investor Claims

Funding announcements are easy to fabricate. Cross-check them on Crunchbase, where you can view a startup's profile, funding rounds, and investor list without logging in.1 A claimed Series A with no corresponding investor record or press coverage is a major warning sign. Crunchbase profiles also list founders and team members with linked profiles, so a completely unclaimed page lacking social authentication suggests the company may not actively manage its business identity.2 For deeper validation, use PitchBook (limited free access available) to compare the stated round size and participants. Look for inconsistencies across platforms; genuine deals are typically announced by both the startup and the venture firms.

Validate Security Credentials and Certifications

Offensive security firms often advertise SOC 2, CREST, or ISO 27001 certifications. Ask for a SOC 2 Type II report number and verify the attestation through the issuing CPA firm's directory. For penetration testing claims, check the CREST member directory online; accredited companies are listed with their testing scope. If the startup displays an ISO 27001 certification, visit the accreditation body's registry, such as ANAB's directory, and confirm the certificate is current and matches the company name and scope. Unwillingness to share report numbers or vague references to "partner certifications" should prompt immediate caution. Understanding how credentials work is also useful background; the Cybersecurity Degree vs. Certifications comparison breaks down which credentials carry real industry weight.

Look for a Public Technical Footprint

Legitimate offensive security firms almost always leave a public code trail. Search GitHub for the company's repositories, tool releases, or employee projects. Use a CVE database to see if their researchers have published vulnerabilities under the company name. A startup claiming cutting-edge exploit development with no public CVEs, zero GitHub activity, and no conference talks suggests a ghost operation. Genuine experts build reputations that extend well beyond a slick website. If you are new to the field and want to understand what a credible career path looks like, reviewing the security analyst education and career path can help you benchmark what real expertise looks like at reputable organizations.

Verifying Founders and Leadership Teams

The proliferation of cybersecurity startups has turned founder vetting into a non-negotiable first step for savvy job seekers. While flashy websites and bold promises can be seductive, the true measure of a company is the integrity and competence of its leaders. This section walks you through concrete, free methods to verify credentials and uncover legal skeletons before you sign on.

Verify Cybersecurity Certifications Directly

Industry gold standards like CISSP, OSCP, and CREST certifications are easy to claim and just as easy to check. For CISSP holders, the (ISC)² member directory lets you search by name or credential ID; if a founder's name doesn't appear, they don't hold the certification. Offensive Security provides a verification page for OSCP and OSCE where you input a candidate's unique certificate ID. CREST maintains a public certified individual lookup to confirm penetration testing and threat intelligence credentials. Don't rely on a LinkedIn badge or a PDF attached to a resume , always go to the issuing body's official database. Before you even start this process, it helps to know which cybersecurity certifications carry real industry weight and which don't. If a founder touts a certification you've never heard of, verify that the issuing organization is legitimate and recognized by cybersecurity professional bodies.

Dig into Legal and Regulatory History

A founder's criminal or civil record can be a dealbreaker, and public databases make this check straightforward. Use PACER (Public Access to Court Electronic Records) to search federal court cases for fraud, securities violations, or other charges. It costs a few cents per search, but the results are invaluable. The SEC's EDGAR database reveals enforcement actions like cease-and-desist orders or settlements related to securities law. For telecom or privacy violations, the FCC and FTC fine databases list penalties for robocalls, data breaches, or deceptive practices. These sources are free and searchable by name or company. While a minor infraction years ago may not disqualify a leader, a pattern of fraudulent behavior or unresolved regulatory fines demands extreme caution.

Cross-Reference Education and Experience

Claims of advanced degrees or high-profile prior roles are common, and many are fabricated. Confirm educational credentials through official school websites, alumni directories, or third-party verification services. Reach out to university registrars if you have doubts; most will confirm dates of attendance and degrees earned without sharing grades. For past employment, professional association rosters , like those from ISACA, ISC2, or local security meetups , can validate claims of leadership or speaking engagements. If you're evaluating a founder who claims a background in government security work, resources on how to become a cybersecurity professional can help you benchmark realistic career trajectories. While founders often exaggerate, outright lies about a master's degree or a senior role at a government agency should raise immediate red flags.

Consult Multiple Authoritative Sources

No single database captures every sin, so triangulate your findings. Combine a PACER search with a deep dive into regulatory fines and a check of professional directories. News archives and reputable cybersecurity blogs can uncover controversies that haven't reached the courts. If something feels off, trust that instinct and dig deeper. In a field built on trust and technical rigor, the people behind a startup should withstand honest scrutiny.

Interview Red Flags: Questions to Ask and Warning Signs to Watch

The interview process is a two-way street. While the company evaluates your skills, you should be quietly gathering signals about their legitimacy. The questions you ask, and the answers you don't get, can reveal more than any online search.

Specific Questions to Vet a Cybersecurity Startup

  • Who are your current clients? A real startup should be able to name referenceable clients or at least describe the types of organizations they serve, even under non-disclosure agreements.
  • Can you describe the team structure? Ask about the size of the security team, reporting lines, and how your role fits. Vagueness is a warning.
  • What compliance frameworks do you follow? Legitimate cybersecurity firms adhere to standards like SOC 2, ISO 27001, or NIST. If they can't name any, that's a problem.
  • Where is the company incorporated? The answer should match public records. A mismatch or hesitation can indicate a shell operation.
  • Can I speak with a current employee? A refusal to allow peer conversations is a serious red flag. Even early-stage startups can arrange a brief chat.

Behavioral Red Flags During the Interview

  • The interviewer cannot answer fundamental operational questions, such as how they bill clients or what tooling they use day-to-day.
  • You feel pressure to accept an offer on the spot or within a very short window, with no time to verify details.
  • You are asked to pay for anything upfront, whether equipment, a background check, or training materials. A legitimate employer covers these costs.
  • The entire interview process happens over messaging apps (like Telegram or WhatsApp) with no video call. A video interview at some stage is essential to confirm you are interacting with real people.

Beware of Credential-Harvesting 'Assessment' Traps

Some scams disguise information theft as a technical challenge. Stop immediately if a 'take-home test' asks you to build real exploits against live systems, configure network infrastructure, or provide personal documents for a 'security clearance pre-check.' Legitimate assessments use sandboxed environments or hypothetical scenarios. Never share passwords, social security numbers, or scans of your ID before you have verified the company and received a formal offer letter. Candidates who have followed a structured CompTIA cybersecurity career pathway will recognize these manipulative tactics for what they are.

Healthy Startups Welcome Scrutiny

A genuine startup will appreciate your diligence. Understanding what cybersecurity is and why it matters helps you ask sharper questions about a company's actual mission and methods. If you encounter evasion, hostility, or defensiveness when you ask about the basics, such as incorporation, clients, or team structure, the interview itself has given you the clearest answer. Trust that signal and move on.

Common Scam Tactics Targeting Cybersecurity Job Seekers

As cybercrime evolves, scammers now tailor their schemes to cybersecurity professionals, exploiting the very skills job seekers list on their resumes. Understanding the most common tactics helps you spot a fraudulent offer before you hand over money, free labor, or sensitive data.

Scam Tactics to Recognize

  • Tactic: Equipment Purchase Scam. How It Works: A fake employer sends you a check to buy a laptop, then asks you to forward the surplus to a "preferred vendor" that never ships. The check bounces, and you are liable for the full amount. Red Flag: Being asked to deposit a check and wire money anywhere before your first day.
  • Tactic: Unpaid Trial Work. How It Works: You complete a "test task" like a penetration test on a named company, only to realize later that your work fed a real ransomware campaign. Threat actors running what researchers call the Bastion Secure/FIN7 pattern have used exactly this approach, holding multi-stage interviews and assigning real intrusion tasks disguised as security exercises.2 You never get paid, and may be implicated in a crime. Red Flag: Trial assignments that target live organizations or lack a clear, written scope with timed payment.
  • Tactic: Equity-Only Compensation with No Vesting Schedule. How It Works: A startup promises significant equity in lieu of salary, but the offer letter lacks a vesting schedule or valuation. You work for months, then the company disappears or your shares are worthless. Red Flag: No cash salary, no signed equity agreement, and vague promises of a future payout.
  • Tactic: Crypto-Only Salary Payments. How It Works: The employer insists on paying solely in cryptocurrency, often to avoid government reporting or because the "company" operates overseas with no legal entity. Fake AI and cybersecurity gaming jobs startups have recruited via social-media DMs on X, Telegram, and Discord, promising crypto payment for beta testing before directing candidates to download credential-stealing malware.3 Payments can vanish instantly. Red Flag: No option for direct deposit or check, and an exclusive reliance on crypto wallets.
  • Tactic: Credential Harvesting via Fake Onboarding. How It Works: You fill out an onboarding packet with your Social Security number, driver's license, and bank details, then the job evaporates. AI-assisted phantom firms reinforce the illusion with fabricated LinkedIn profiles and requests to install internal tools or VPNs during onboarding.2 Scammers use that data for identity theft. Red Flag: Requests for highly sensitive personal information before an in-person or live video verification of the company's legitimacy.
  • Tactic: Fake Government Contract Claims. How It Works: A startup touts classified contracts or special access programs but can't provide a verifiable DUNS number, past performance, or any staff with clearances. IRIS C2, run by convicted felons Jack Burkman and Jacob Wohl, operated on social media as a government contractor despite having no verifiable track record in the offensive security space.1 The claim alone is used to lure candidates. Red Flag: Extraordinary claims of government work with zero public record or third-party validation.

These tactics often overlap. A role that pays only in crypto and demands a test task on a "live environment" should set off every alarm. Understanding what cybersecurity maturity model certification requires from legitimate contractors can help you benchmark whether a company's government-contract claims hold water. Always pause, verify, and walk away if the narrative feels too good to be true.

Case Study: The IRIS C2 Startup and What It Teaches Job Seekers

In July 2026, a cybersecurity startup called IRIS C2 made headlines for all the wrong reasons. The company promised payouts of up to $7 million for zero-day exploits, but behind the flashy claims were two convicted felons with a long history of fraud.1 This case is not just a news story; it is a practical demonstration of why every cybersecurity job seeker must thoroughly vet a potential employer before signing on.

A Startup with a Hidden Past

IRIS C2, operated by Calvexa Group LLC, presented itself as a boutique offensive security firm. However, investigative reporting by KrebsOnSecurity revealed that its founders, Jack Burkman (60) and Jacob Wohl (28), had been convicted on multiple felony counts for telecommunications fraud and other schemes.1 The company's corporate address traced back to Burkman's lobbying firm, and the website offered no verifiable leadership information, only anonymous handles. For job applicants, these were glaring red flags.

How to Protect Yourself: Lessons from IRIS C2

The IRIS C2 case shows what can happen when a startup's outward image masks a fraudulent core. Use these steps to avoid similar traps.

  • Search investigative security outlets. Before applying, check sites like KrebsOnSecurity, BleepingComputer, and Dark Reading for any exposés on the company. In IRIS C2's case, the Krebs investigation detailed undisclosed criminal histories that a simple news search would have uncovered.1
  • Cross-reference founder claims with public records. Use PACER to search federal court cases and your state's Secretary of State database to verify business filings. IRIS C2's founders had a trail of indictments and a registered address that didn't match its claimed office, both easy to spot with basic research.
  • Verify credentials directly. If a founder boasts a degree or cybersecurity certification, contact the issuing institution or professional body to confirm. Burkman and Wohl had previously run fake intelligence firms, but their academic claims were often exaggerated or unverifiable.
  • Monitor regulatory actions. Check the SEC's EDGAR system for enforcement actions and the FTC's press release page for fraud cases involving startups. A history of regulatory fines against founders, like the FCC's $5.1 million judgment against Burkman and Wohl, should be a clear deterrent.1

Building these checks into your job search routine is part of what cybersecurity is and why it matters, both for the organizations you protect and for your own career. By doing your homework, you can steer clear of startups that are more scam than substance.

What to Do if You've Been Scammed by a Fake Cybersecurity Company

Taking immediate, methodical steps is far more effective than panicking. Your finances, identity, and career can all be safeguarded with a structured response.

Immediate Steps to Limit Damage

If you provided personal details like your Social Security number or bank account information, act fast. Contact the three major credit bureaus (Equifax, Experian, and TransUnion) to initiate a fraud alert or security freeze. This blocks new accounts from being opened in your name. Change passwords for any accounts you accessed during onboarding, especially if you reused passwords across services. Use unique, strong passwords and enable multi-factor authentication everywhere possible. Document every communication: save emails, chat logs, and phone numbers, and take screenshots. This evidence is crucial for law enforcement and financial recovery.

Where to Report the Scam

Report the incident to the FBI's Internet Crime Complaint Center (IC3.gov), which specializes in cyber-enabled fraud. File a complaint with the Federal Trade Commission (ReportFraud.ftc.gov) for deceptive business practices, and alert your state Attorney General's consumer protection division , they often pursue fraudulent companies. If you suffered direct financial loss, contact your local police department with all evidence. Notify your bank of any unauthorized transactions or compromised accounts immediately. These reports not only help you but also protect others by giving authorities a trail to investigate.

Protecting Your Professional Reputation

Being targeted by scammers does not reflect poorly on your judgment or skills, but listing a fraudulent startup on your résumé can raise questions during background checks. Remove the company from your work history entirely. If a gap appears, handle it honestly in interviews: briefly state you explored an opportunity that turned out to be fraudulent and emphasize what you learned about vetting employers and cybersecurity startup red flags. Then pivot back to your qualifications. Recruiters respect candidates who turn a negative experience into a demonstration of due diligence and resilience. This moment can also be a prompt to explore accredited online cybersecurity programs that build verifiable credentials with reputable institutions.

Frequently Asked Questions About Cybersecurity Startup Scams

Spotting a fraudulent cybersecurity startup can be tricky, especially for newcomers eager to land a role. Below are straightforward answers to common questions that help you vet companies and protect your career.

Look up the company on state business registries, check its website for a real address and phone number, and search for news or SEC filings that confirm its claims. A professional LinkedIn presence and verifiable client list also signal legitimacy. If the founding team has no visible track record, proceed cautiously. Understanding what cybersecurity is and why it matters can also help you recognize whether a startup's stated mission is technically coherent.

Some early-stage startups genuinely offer equity, but be wary if a role promises only future shares with no salary. Legitimate companies typically provide a base wage. If you are asked to work for free or invest your own money, treat it as a major red flag and verify the business thoroughly.

Stop all communication. Real employers supply the hardware and software you need. Requests to purchase equipment, especially via gift cards or personal funds with a promise of reimbursement, are a classic scam tactic. Report the offer to job search platforms and local authorities. Grounding yourself in online cybersecurity programs from accredited institutions gives you benchmarks for what professional work environments actually look like.

Search public court databases like PACER for federal cases, and check state-level criminal records online. Look for SEC enforcement actions, FTC complaints, or news archives about past legal troubles. A simple web search with the founder's name plus "fraud" or "conviction" often surfaces useful information quickly. For deeper context on legal dimensions of the field, exploring a cybersecurity law degree online can sharpen your understanding of what constitutes enforceable misconduct.

Recent News

Recent Articles

In this article