Startup Field Guide Episode 1

‍

In this episode of the Startup Field Guide podcast, Sandhya Hegde chats with Snyk's co-founder and president, Guy Podjarny. Started in 2015, Snyk took an open-source, product-led approach to security — offering developers tools to scan and fix vulnerabilities in their code as they developed applications. Today, these tools have been used by more than 2.5M developers. Snyk was last valued at $8.5B with over 1,300 paying customers. 

‍

Snyk’s success is a testament to the value of conviction and clarity in a startup. In the detailed blog post below, we have included our key learnings from our conversation with Guy Podjarny, including answers to the following questions:
‍

• What gave Snyk conviction to go developer-first and how did they do it? 
• How did Snyk get developer attention when they launched? 
• What were some early drivers of their growth from 0 to 5,000 “registered” developers in ~12 months of starting Snyk? 
• What was the early pricing and monetization strategy once free product adoption took off? 
• When did they start building awareness with the CISO community — the eventual “Buyer” persona for their software in company-wide deployments? 

‍

If you are a SaaS founder committed to a self-serve motion here are some resources we hope you find helpful:

• Unusual Insights for founders building a self-service motion
• Introduction to product-led growth (PLG)
• Nail your self-serve MVP product
• How PLG companies find product-market fit: a masterclass on Snyk, Webflow, and Nextdoor

‍

Be sure to check out more Startup Field Guide Podcast episodes on Spotify, Apple, and Youtube. Hosted by Unusual Ventures General Partner Sandhya Hegde (former EVP at Amplitude), the SFG podcast uncovers how the top unicorn founders of today really found product-market fit.

‍

“I think a company is a product of its mistakes just as much as of its successes.” 

— Guy Podjarny, Founder and President, Snyk

‍

Cybersecurity meets Modern GTM 

Dozens of new unicorns have been minted in the cybersecurity market, including Arctic Wolf Networks, which recently 10 years old. Companies are having to protect increasingly complex software deployments from a growing number of threats. This has prompted sustained innovation in cybersecurity over the past decade, particularly with cloud-native approaches.  One of the hottest companies to emerge from this whirlwind has been Snyk.

‍

Snyk’s story fascinates me because security software has always been sold exclusively top-down to the CISO. Conventional wisdom at the time was that most developers didn’t want to talk about security let alone getting involved in a purchase process. As I have said before, when it comes to choosing product-led growth (PLG) as your strategy, it’s hard to execute on if your end users are not looking for solutions to the problem you solve. 

‍

So how did Snyk find product-market fit? How did the London-based startup first take off and how does it continue to grow its free product adoption so rapidly? These were all the questions that prompted me to interview Snyk’s Founder & President, Guy Podjarny, as well as their former Head of Product Growth (VP Product, Developer Journeys) Ben Williams to learn about the evolution of their business. 

‍

‍

‍

Eureka! The DevOps inspiration

After working for a decade in the application security industry selling software to security professionals, Guy, and his co-founders Assaf and Danny, knew the status quo — low developer adoption. This was despite the fact that it was “100 times cheaper”, said Guy, to find a problem in development rather than in production.

‍

However, by 2015, the web performance market was being disrupted by the emergence of DevOps (developer operations). DevOps embraced “shift-left testing” for web and application performance, wherein software was tested continuously and as early as possible with more onus on developers than dedicated testing/IT teams. “DevOps was our eureka moment. We saw that and said Security needed to come along for this ride,” said Guy. 

‍

As they started Snyk, their role models were companies like New Relic, Github, Heroku, and later Datadog, which developers love because the tools were built for them, with their workflows in mind. The Snyk founders believed developers would care about securing their code — they just needed less friction in the way cybersecurity products worked for them. Snyk embraced the dev tools playbooks entirely instead of those prevalent in the security industry. “We wanted to look like them, sound like them, and go-to-market like them,” said Guy.

‍

Beta launch: first 1,000 users with dependencies as the Trojan horse 

“Developers like depth. If I am a JS developer, I don’t care whether you support PhP or not.” Guy had seen dev tool companies like New Relic built around specific developer communities — in their case, Ruby. Snyk picked the open-source community around Node.js. They then picked a problem that they knew developers were very uncomfortable with — tracking dependencies. 

‍

NPM is the default package manager for the JavaScript runtime environment node.js. The dependency management features were frequently brought up as inadequate by the community. It was a good niche — big enough for consistent methodologies, conferences, and enterprise adoption but small enough that Snyk could become an influencer.  

‍

In October 2015, a few months after starting Snyk, the team “launched” their beta product at Velocity Amsterdam. Snyk Stranger was a free, downloadable tool with a command-line interface (CLI) to graph dependencies and find vulnerabilities in any third-party/open-source code being used by node.js developers. By December, ~1,000 developers had downloaded the tool but Snyk didn’t know who they were because they had no registration flow. They relied on Twitter for feedback. 

‍

GA launch: 5,000 users, a paywall, and the oh sh*t moment 

By January 2016, the Snyk team was six months in and hundreds of new developers had downloaded their CLI tool, which showed all their dependencies in a graph, which libraries were being used, which were vulnerable, etc. Based on early user feedback, Snyk built a “wizard” to fix the vulnerabilities in the most efficient way possible. 

‍

With some trepidation, Snyk implemented a registration flow where developers would need to log in with Github to access Snyk. They were concerned this would put developers off but it didn’t. Now they knew who their users were! 

‍

However, they still hadn’t created a “continuous relationship” with their users. They needed developers to “put Snyk into the build.” To make this easier, they launched a Git integration in March 2016. Snyk Stranger now worked in the CICD pipeline via a free login. 

‍

The core idea was that of a “security audit as code review.” The auditor’s job traditionally was to find and report security vulnerabilities. Snyk closed the loop for developers by opening a fix pull request and making it easy to keep their code secure. 

A moment of reckoning: the great paywall

‍

“We opened the floodgates and got a trickle.”  

— Guy Podjarny, Founder and President, Snyk

‍

By summer of 2016, a year into their startup, Snyk had crossed ~5,000 registered developer users and thought they had clarity on their freemium strategy. Snyk would be free for open-source project owners and small teams. Once a developer crossed a certain threshold of tests per month, they would hit a paywall. “It was very important to us that going up against test limits didn’t break the build. We would continue to offer the service while we bugged you to upgrade,” said Guy. 

‍

In July 2016, Snyk put up a paywall, hoping to create a ~$100/mo/dev paid tier for teams. Unfortunately, their self-serve paid plan failed spectacularly. Developers were using but not buying Snyk. But the team didn’t lose heart. They realized they hadn’t figured out their use case for purchase and kept going.

‍

 “I thought to myself, I would rather crash and burn than pivot out of this mission,”

— Guy Podjarny, Founder and President, Snyk

‍

First $100k ARR: knowing your buyer 

Throughout 2016, the Snyk team had put on “blinders” to focus on the developer experience — so much so that there was no way for a security professional to even register/log on to their website. The team invested heavily in creating visibility for Snyk in the node.js open-source community, releasing vulnerability databases that they would educate open source software (OSS) owners on. Snyk skipped attending security conferences in favor of developer meetups and continued to grow developer adoption for their free plan. 

‍

By early 2017, it was clear that the self-serve paid plan for developers was a failure. After hiring their first AE, Guy started figuring out their enterprise buyer: the CISO. 

‍

“We realized that the buyer’s use case was broad governance”, said Guy. The buyer — a CISO or head of platform, needed to know what’s going on across their entire stack — not just for node.js projects.  Snyk needed to support more languages and build functionality for reporting, user administration, etc. — everything that was status quo in the cybersecurity industry. 

‍

In March 2017, Snyk closed its first commercial contract. By August 2017, two years after starting the company, they hit their first $100k in ARR. 

‍

Scale-up: Growth as a function

Many teams set up a growth function after they launch, but Snyk did the opposite. Their core team was dev-first, focused on end-user experience and bottom-up growth. Their north star was the number of developers using the free plan, while revenue was a second-order metric. To this, they added an “enterprise” team focused on security professionals in 2017 that focused on revenue.

‍

“We even discussed how the homepage needed to be about the developer with an escape hatch for security professionals and enterprises”, said Guy. 

‍

Eventually, the pendulum swung the other way. By 2019, Snyk had multiple product teams that were resource-hungry and starting to build similar components for growth. To make sure that developer experience remained a priority, Snyk decided to create a dedicated growth team. After a long search, Ben Williams was hired as VP Product, Developer Journey to lead this team in February 2021 after a successful three-year run at Cloudbees.

‍

However, the Snyk leadership wanted to make sure that the growth team didn’t become isolated. Developer focus was the company’s true north and every team had to have some members dedicated to it. So growth was designed as a cross-functional organization with dedicated resources across engineering, marketing, and developer relations working in collaboration with Ben’s product team. 

‍

Wrap up: Founder DNA for product-led growth

As PLG continues to remain a buzzword in the enterprise software industry, what stood out to me was how much commitment it took to bottom-up adoption from the founders to make it happen at Snyk. 

1. It took them 2 years and many thousands (I would estimate as high as 50k registered users) to get to their first $100k of ARR. Most teams would shift focus to enterprise revenue after ~5k users instead of continuing to build the product for free adoption 
2. Despite the immediate and resounding failure of their self-serve developer plan, they continued to keep their website primarily focused on developers
3. Growth was never a bolt-on function. It was always a priority for the core team and a cross-functional focus. They had an early version of their bottom-up growth strategy in place as early as their beta launch in Oct 2015 
4. Their leadership hiring decisions doubled down on bottom-up experience in dev tools rather than enterprise security

‍

‍

‍