As the number of security incidents increases, a market is emerging for established and new providers of security measures. However, we lack an idea of the business models of cyber security start-ups, which are seen as innovation and security drivers, to protect the economy from existence-threatening incidents. Due to the intangible nature of the cyber threats that security solutions aim to address, previous research on business models cannot be fully transferred. We address this research gap by developing a taxonomy following Nickerson et al. (2013) based on 90 cyber security start-ups and performing a cluster analysis to understand the business activities of cyber security start-ups concerning the protection of critical infrastructures. Our taxonomy will benefit interested decision-makers such as CISOs who want to identify custom-fit cyber security solutions for their organizations. Furthermore, investors and cyber security providers understand the market holistically and can identify innovative product approaches to adopt themselves.