Herndon, MD - March 27: G.Mark Hardy, (front L), Sven Brueckner, (front R), Al Seifert, (rear L to R), Sam Small, Nick Duan and Joe Klein, Cybersecurity entrepreneurs at MACH 37, an accelerator/incubator for security start-ups. The program is a 90 day intensive tech bootcamp and each team gets an investment of $50,000 when selected. (Evy Mages/For The Washington Post)

For the five cybersecurity start-ups working together in a single Herndon office, developing the software is the easy part.

The bigger challenge, many of them say, is finding a viable business model.

These start-ups — and several others before them — joined MACH37, a so-called business accelerator aimed at helping them to learn to sell their cybersecurity software products to both public- and private-sector customers. Born out of Northern Virginia’s Center for Innovative Technology and funded in part by the state of Virginia, MACH37’s mission is to help these fledgling companies get ready to take their business to market. In addition to a 90-day business course, each start-up receives a $50,000 investment — meaning that MACH37 takes a small stake in each company it accepts.

Here are the five start-ups in MACH37’s spring class:

Axon Ghost Sentinel: Harrisonburg, Va.

Spun off from tech start-up Axon Connected, Axon Ghost Sentinel uses software that mimics patterns found in nature — the way birds flock together, for instance — to defend against intrusions.

Axon Ghost Sentinel’s software creates virtual, autonomous “ghosts” to swarm toward intrusions on a network, chief executive Ravi Gupta explained. A user might see a visual display of all of the devices connected to a network and a cluster of ghosts near one device, indicating an intrusion.

“We learn from abnormal behavior to classify that [intrusion], then they provide warnings to the administrator — ‘Here’s what’s going on in your network, here are the things you need to focus on,’ ” Gupta said.

Eventually, Gupta hopes to sell the software to large corporations, especially those that have “bring your own device” policies for employees, allowing them to use personal cellphones, tablets or laptops for work. “You’ve got a company, how do you make sure if your employee goes to Starbucks and uses his iPhone there, and goes back to your network, it doesn’t bring something malicious to your WiFi?”

Disrupt6: Herndon

Joe Klein’s mission is to protect Internet users’ identities — especially information that can be gleaned from a user’s unique Internet address.

Disrupt6 is software that Klein claims could prevent just that.

Klein, who is funding the project himself, said he is working out the business model at MACH37. He initially thought he could sell the product directly to consumers, but he has since decided that service providers might represent a more lucrative and accessible market.

CardKill: Largo, Fla.

CardKill processes analytics about credit card and debit card transactions to thwart major fraud, according to chief executive Mark Hardy — signs that banks and credit card companies might miss.

“Your card might be stolen from Target in November, but it’s still working its way through the underground food chain” months later, he said.

Some banks might not pick up on the fraud until the card is used in a Zip code that appears to have little connection to the card holder, he argued — but CardKill aims to identify the small fraudulent purchases that thieves might make before they max out a stolen card, he said.

The software is being tested in one major bank, though Hardy declined to identify it.

Fast Orientation: Menlo Park, Calif.

Sam Small, a cybersecurity consultant, found that many of his clients could not answer simple questions about which employees were responsible for which tasks in large organizations.

“We might want to know immediately who is running this particular application, or this version of the application,” he said, so administrators can trace issues to a particular employee.

So Small is building a product that can help businesses answer these kinds of questions using natural language queries — an administrator can type in a question, and the software would mine data about the company’s work flow to produce an answer.

IDentia: Herndon

President and chief executive Nick Duan is building technology that businesses could use to control employee access to sensitive information.

Initially funded by a Small Business Innovation Research grant issued by the Defense Department, Duan has been developing IDentia for the past couple of years. The software can automatically evaluate a company’s security policy against each user attempting to access information, determining if the user has the necessary clearances or qualifications.

Though he is figuring out a pricing model, Duan said the company might use traditional licensing, selling the software to large organizations and charging per user.

Duan said he hopes MACH37 can help him pitch IDentia to clients outside of the government. “We want the commercial customer to realize they face the same security challenges that the [Defense Department] and federal government is facing.”