Reading the model against the market
This stress-tests the base case against external benchmarks for boutique cybersecurity consultancies, IT/security services firms and cybersecurity software companies. It gives the board a second, more conservative reference point and names the execution risks that separate the two.
| Metric | Base case | External benchmark | Read |
|---|---|---|---|
| Revenue CAGR 2027–2032 | ~102% / yr | 30–60% is a realistic ceiling for organic growth at a talent-constrained boutique. | Aggressive |
| Gross margin 2032 | 71% | 55–70% typical services-led security firm; 70%+ needs productized low-touch revenue. | Reasonable, back-loaded |
| EBITDA margin 2032 | 25% | 15–25% is strong for scaled security consultancy; platform businesses can exceed. | Achievable if growth dialled back |
| Revenue per FTE 2032 | ~$405k | $180k–$300k typical in elite offensive security; higher needs large SaaS/IP share. | Requires SaaS/IP to hit target |
What we watch if execution slips
Slower ramp in US enterprise sales — closing takes 6–12 months longer than base case assumes.
Recurring revenue mix trails the base case by ~10 percentage points through 2030 as Portal and Shield adoption compounds later.
Gross margin caps at 65–67% because managed services and hosting drag on productization.
Revenue per FTE stays in the $250k–$320k band — closer to industry norms.
Injexion doesn't sell fear. It sells proof — that risk is real, and that risk has been removed. Every chapter of this plan compounds that one promise.