Learn how Guy Podjarny and his co-founders built Snyk by pioneering a go-to-market motion that coupled product-led growth for developers with enterprise sales targeted at security leaders.
This case study is written by Wei Lien Dang (General Partner at Unusual) and Allison Averill (Vice President at Unusual). They both lead investments in security and infrastructure software, and developer tools.
In October 2015, at the Velocity conference in Amsterdam, Guy Podjarny and Assaf Hefetz posed the above question to their audience. Guy explained that while usage of open-source software had exploded, it was also “less tested for security compared to in-house software.” At the time, there was a false assumption that because there were “more eyes” on open-source software, it was less vulnerable to attacks, but as Guy put it, open source doesn’t “equal secure.”
Developers of open-source software typically lacked security expertise. On the flip side, consumers of open-source code didn’t always prioritize testing it for vulnerabilities. Both these factors led to the rise of high-impact attacks on open-source software such as Heartbleed. During their presentation, Guy and Assaf launched Snyk Stranger, a free tool that used a command-line interface (CLI) to graph dependencies and find vulnerabilities in any third-party/open-source code being used by developers working in Node.js only. As Guy recalled during a conversation in 2022, the initial open beta version was “a crappy little product. It was nothing glamorous — it could patch vulnerabilities but there were no patches in the database. And we didn’t ask anybody to pay for it.”
The intention behind launching the product was to get feedback so that the Snyk team could start learning and iterating. “If you don’t get feedback,” Guy explains, “and you’re in your cave and you work on something wondrous and try to come out with it a year later, that’s a year of lost feedback.” Snyk’s hypothesis was that security had to “shift left” and help developers secure their own software as they were building it, to prevent vulnerabilities from making it into production. To test whether this hypothesis resonated with developers, they built what Guy calls the “narrowest version of their product.” This first “crappy” MVP version of Snyk would lead to key learnings that would help the team improve upon their product and eventually grow the company to more than 1,300 paying customers with a valuation of $3.3 billion as of July 2023.
For Guy (or Guypo, as he is often called), Snyk was “the culmination of two journeys.” He had spent nearly a decade in the application security world, and as he recalls, even as early as 2002, the “shift left” philosophy had been taking hold in security circles. However, it was “really a cost optimization exercise” to convince security professionals that it was cheaper to fix vulnerabilities in development rather than in production. Guy had founded a company called Blaze which was sold to Akamai — he worked as the CTO for Akamai’s web performance business for several years, and then “got the itch to found another startup. Having founded what I felt was a great company and had a great outcome at Blaze, but fairly short, I saw something that was a bit more shooting for the skies, trying something pretty big.”
Around the same time, the DevOps movement had been gaining momentum, and Guy saw how “DevOps had turned the way we sort of build software upside down or sort of maybe top to bottom… we need independent teams that can run with the ball from one end of the court to the other repeatedly.” However, security had “not gotten the memo that it needed to undergo a similar type of transformation.” Guy saw that there was a need in the market to get developers to embrace security because it was quickly becoming a “must-have” from a cost perspective. The DevOps movement had provided a “playbook to successfully build products that developers would embrace.” These developments helped Guy come up with the insight to build a company that would empower developers to address security.
Snyk wanted to answer the key question: “If I am a developer, and I want to tackle a security problem, what do I need to be successful?” In other words, Guy and his team recognized that developer-first security presented a massive opportunity if they could convince developers to take more ownership of security. But they also faced a major challenge: no one had pulled off selling security software to developers. Yet. Snyk decided to go all in. “You have to pick what matters most,” says Guy. “And what mattered most was demonstrating that if you build the right tools that tuned themselves to developers, and made it fun to build secure software, developers will actually embrace it.”
In July 2015, Assaf Hefetz, a mobile security domain expert, joined Guy and they started Snyk. Along with their first engineer and co-founder, Danny Grander, they built their early product and documentation in stealth for 4 months with 10 design partners (engineers in their own network). The Snyk team would launch this version of their product at Velocity Amsterdam. Assaf would later become Snyk’s CTO, and Danny would become their in-house head of security research.
Guy saw developer-first security as a shift that absolutely needed to happen because the status quo was unsustainable. The company put “blinders on and focused only on developers.” They were initially not interested in selling to security leaders. All their early user research was with developers and focused on understanding this core persona’s needs. Early outreach to the developer community happened on Twitter and through conferences and meetups. They networked with influential developers and got open-source maintainers to try the product. To build a product-led approach, Guy advocates for continuous community outreach, especially through friends and colleagues in the initial stages.
Guy had a keen understanding of developers’ mindset with regard to security. It wasn’t that developers didn’t care about security, but that they lacked security expertise and existing security tools weren’t designed for them. Snyk began by asking: “What’s the ideal product for a developer who wants to build secure software?”
Snyk bet the entire company on product-led growth. To drive user adoption, they needed to ensure that developers could successfully implement Snyk and experience an a-ha! moment quickly. Guy is a firm believer that when it comes to product-led growth, companies need to “optimize for feedback.” As he puts it, “Time is your most precious asset, and so you need to tune your activity to learn the right things as fast as you can.” If you want your product to be “self-serve, adopted, and used, you need to put it out there, and see if people actually start using it and are successful.”
With this approach in mind, Snyk was eager to see how their product would be used in the few months after the Velocity conference. Snyk had 1,000 users within the first four or five months. When a user implemented the product, they would get a Snyk badge on GitHub as a way to “tell the world you care about security and are addressing it, and that they should too.” This helped drive awareness and more downloads. Both positive and critical feedback began to trickle in via channels like Twitter, which the team used to improve the product. Based on this early feedback, Snyk built a “wizard” to enable developers to easily fix the vulnerabilities they had discovered with Snyk.
A year into the company, Snyk had grown to 6,000 users and the founders started to turn their attention to monetizing the product. The team decided to pursue a freemium model. Snyk would remain free for open-source project owners and small teams, but once a developer crossed a certain threshold of tests per month they would hit a paywall. In July 2016, Snyk put up a paywall, hoping to create a $100/month/dev paid tier targeted at engineering teams. “We waited for the floodgates to open,” Guy says, “and a trickle came out and nobody purchased.” Thousands of developers were using Snyk, but they didn’t have ownership of the security strategy and budget within their companies. Security leaders still held the purchasing power. The Snyk team realized that they would need to deepen their understanding of this buyer persona and adjust their go-to-market approach.
While Snyk had achieved a form of product-market fit (PMF) with their free tools, reaching PMF for their commercial product required a different set of strategies. Snyk learned that their end users — developers — didn’t have purchasing power. The budget for security products was controlled by the head of security — a very different persona.
Snyk’s conviction in the developer-first approach remained strong, but they needed to address the buyer’s needs in order to generate revenue. Guy reflects that there were three types of features that a product needs for it to be sold successfully: “There are features that you need to get into POC, there are features you need to get through POC successfully, and then there are features you need to make a customer successful post-acquisition.” While there is overlap between these stages, they are not the same. Snyk worked through each stage and eventually, a cloud-native company purchased their product in March 2017 — roughly a year and a half after the company launched. They began acquiring more enterprise customers and slowly reached $100,000 in annual recurring revenue (ARR). In the beginning, selling required a lot of outbound networking, but the company’s reputation in the developer community helped them establish credibility. A lot of Snyk’s early sales required “high touch” strategies to close deals.
In the Unusual Ventures Field Guide, we offer an overview of product-led growth strategies of a number of companies depending on the degree of commitment needed to try the product and the number of stakeholders involved in making the purchase decision. We categorize these strategies into 3 modes: fast-working, habit-forming, and paradigm-shifting.
The fast-working mode requires a low number of stakeholders and low commitment to start trying out a product — it shows ROI immediately and convinces the initial few stakeholders that the product deserves to be championed by more people. Snyk is an example of a product that found success in this mode. Its product provided value right away to developers who were interested in securing their software. This focus on developers meant that initially, Snyk built a product that had a lot of depth but without the breadth of solutions that a Chief Information Security Officer (CISO) or a Head of Security would have wanted.
Snyk's core innovation was making a security solution that was product-led. Historically, this had not been done — security software was typically sold to the CISO. Eventually, it was pushed down the company to be implemented and used by developers, which led to a huge lag in implementation. The software was also never built to be developer-friendly. Snyk realized that traditional security product development and implementation had too many stakeholders and required too much commitment. So they decided to build a low-commitment MVP that focused on a single stakeholder (developers) — this helped them build a fast-working PLG strategy.
However, this focus on developers meant that security buyers had never heard of Snyk, even though thousands of developers were using the product. Snyk still needed to figure out how to layer the security buyer persona into their customer journey, since this persona held the budget for security tools. Snyk created a parallel process to reach out to security buyers. While they found some of these buyers through accounts where developers had already tried the product on their own, most of their other customers were acquired through a cold outbound process. To convince security buyers, Guy and his team also published several timely thought pieces in third-party publications. For instance, Guy published an article in 2018 on the Equifax breach, aimed at the security buyer persona, on why companies need to act against known vulnerabilities in their code.
At Snyk, the entire company was initially oriented around driving developer adoption. In order to reach their buyer persona, they had to layer on enterprise features that appealed to security leaders. They set up a dedicated team to focus on monetization and the enterprise experience. As they layered in their enterprise buyer motion, they found they often had competing priorities between the needs of both the free users (developers) and their enterprise buyers (security teams). They remained committed to their growing user base of developers and decided to establish dedicated leadership to focus solely on this community and the free experience.
As the company scaled rapidly, Snyk never lost sight of developers as its core user persona. They continued to focus new product development on solutions where the “shift left” approach had the greatest impact on security outcomes and fit most seamlessly into developers’ workflows. Following the success of their initial product focused on enabling developers to identify and fix vulnerabilities in their open-source dependencies, Snyk launched a developer-first container security product. The growth of cloud-native application development meant that more and more organizations were building containerized applications, and container images became another vector for introducing vulnerabilities into an organization. By enabling developers to easily scan container images and fix vulnerabilities, Snyk could prevent more vulnerabilities from getting into production. Subsequently, the company launched new products for code security and infrastructure-as-code security, all with a developer-first approach.
Snyk’s platform expansion continued to increase its appeal to security leaders, who valued the breadth of coverage from a single solution. The rise in software supply chain attacks also provided a tailwind for Snyk with security buyers who were increasingly aware of the risks lurking in open-source software. The most notable incident was Log4shell, a critical vulnerability in the popular open-source logging library Log4j. Snyk’s products helped companies like Atlassian find and remediate vulnerable instances of Log4j and prevent new Log4shell vulnerabilities from making it to production.
In addition to expanding its platform, Snyk has continued to find ways to improve existing products and make security even more seamless for developers. An example is Snyk’s AI-powered fix suggestions, which use generative AI to automatically suggest code fixes for vulnerabilities that Snyk discovers, right in the developer’s IDE. Looking forward, the Snyk team plans to expand the use of AI within the product for use cases like code querying in natural language.
While Snyk has continuously evolved its product to expand coverage over new attack surfaces and incorporate new technologies, its founding belief in developer-first security has remained strong. This insight enabled them to grow and to navigate a new go-to-market motion and a separate buyer persona without losing sight of their overall vision. By pioneering a go-to-market motion that coupled product-led growth for developers with enterprise sales targeted at security leaders, Snyk has created a roadmap for other “shift-left” security companies to grow their communities and monetize their products.