March 11, 2024
Portfolio
Unusual

Material Security's product-market fit journey

Sandhya Hegde
No items found.
Material Security's product-market fit journeyMaterial Security's product-market fit journey
All posts
Editor's note: 

SFG 42: Material Security's CEO Abhishek Agrawal on securing enterprise workspaces

Material Security, an email security company that protects an organization's users and data, particularly across Microsoft 365 and Google Workspace. Last valued at $1.1B, Material has over 100 enterprise customers including Doordash, Lyft, and Fox.

In this episode, Sandhya Hegde and Wei Lien Dang chat with Abhishek Agrawal, CEO and co-founder of Material Security.

Be sure to check out more Startup Field Guide Podcast episodes on Spotify, Apple, and Youtube. Hosted by Unusual Ventures General Partner Sandhya Hegde (former EVP at Amplitude), the SFG podcast uncovers how the top unicorn founders of today really found product-market fit.

Episode transcript

Sandhya Hegde

Welcome to the Startup Field Guide, where we learn from successful founders of unicorn startups, how their companies truly found product market fit. I'm your host Sandhya Hegde. Joining me today is my partner Wei Lien Dang, and today we'll be diving into the story of Material Security. Material is an email security company that protects organizations, users, and data, especially across surfaces like Microsoft365 and Google Workspace. Last valued at over 1 billion,they have over a hundred enterprise customers, including DoorDash, Lyft, and Fox. Joining today is Abhishek Agrawal, CEO and co founder of Material. Welcome to the Field Guide, Abhishek. Wei and I are excited for this conversation. So we want to take you back all the way to 2017. You started Material, I think, with your early colleagues from Dropbox. What was that process like? How did you go from kind of storage and Dropbox to starting an email security company?

Abhishek Agrawal

Yeah. It's a fun story. That's right. My two co-founders, Ryan and Chris, all three of us met at Dropbox. I was an early PM there, joined the company, let's see in 2013 when it was about 250, 300 people. And then Chris and Ryan actually joined through an acquisition that Dropbox made, which was Ryan's last company. And after that acquisition, we actually all ended up on the same team. So we worked together for about a year on the same team and then did different things at Dropbox. And so that's how we originally met. And it was just one of those things where immediately got along, saw a lot of things eye-to-eye.

And knew that we wanted to work together in the future. Fast forward to kind of 2016, I'd been at Dropbox for quite a while, the company was pretty different, It'd gone from 200 something to 3000 something people, the PM team have gone from five or six people to a hundred plus. And so it was just a different company. I was definitely getting the itch to go do something else. And starting a company was top of mind. And Ryan had actually left Dropbox already and taking a little bit of a break. He had done his first startup, Dropbox had acquired it, and then he was taking some time off.

And so this was in 2016 and we started chatting about working together on and potentially building something new, but it was very much, no specific idea, no. No, like any particular space, even more just Hey, it would be cool to do something. And let's brainstorm. Around that time, the 2016 election cycle was going on. And what specifically led to the idea that would eventually become Material Security was actually those election hacks that affected the Hillary Clinton campaign. And Ryan, actually, while he was abroad, while he was taking a break and he, had some time and was like thinking about specifically that one election hack that happened to John Podesta, who was the Hillary campaign chairman, and it triggered a bunch of thoughts that would eventually, as we develop them more, lead to the idea, but it was very much a team first, more starting from, Hey, want to work together perspective. And then the spark for the email security company came from that event. As far as the switch from kind of storage productivity to do that. Yeah, it was an interesting transition. All three of us hadn't really worked professionally in security before we had been been in the data space. I got my start at Microsoft Research on the productivity software engineering side as well. Really not direct, formal security experience. But, and we can talk about this more, I feel like that actually ended up being a bit of a blessing because it gave a pretty fresh perspective on the problem.

And in security in particular, it turns out a lot of the difficult problems end up being data problems, which we had a ton of expertise from Dropbox. So, definitely, now in retrospect, it seems trivial, but at the time definitely had a lot of thoughts about Hey, what are we three guys doing in the security world? This is not like our bread and butter historically.

Wei Lien Dang 

Abhishek, I love that we're having this conversation about the origin story of Material because I remember going back to 2017, I remember sitting with you and Ryan and Chris, I think we were in a park in Mountain View, it was raining and you were at the very beginning, like you were ideating, you were brainstorming, you were thinking about, you were actually exploring a bunch of different ideas at the time.

And I'm really curious because email security was not a new category. And I actually think that because you didn't come from security backgrounds, like you weren't necessarily jaded. And you didn't have assumptions about how things had been done before, but it was a new category.

You had these several incumbents that had been around for a while and you referenced this whole thing that happened around election hacks. Like I'm curious if you could elaborate, like what was the gap with existing solutions in being able to address that type of problem? We always think at the beginning stage of a company there has to be a compelling enough, why now?

I'm curious, like where you guys saw an opening to go rethink, reimagine that category.

Abhishek Agrawal

Yeah, totally. That's a great question. Answer that, I'll actually describe a little bit, a few of the different ideas we were pursuing, because as you mentioned it wasn't this linear thing of, Oh, election hack happened. This is clearly a great idea. Let's go build a company. It's almost never like that. So in reality, what was happening was in those very early days, we had a few different ideas that we were exploring and they were pretty different. They weren't even all in security. One or two of them were related to security. One was actually like an HR analytics idea.

The other was like a knowledge base management idea. So they were all pretty different. And I think that in particular is important to know, because for us, we really were, like I said, very team first and we wanted to just explore a few different spaces and see what would resonate and the thing that was in common though, about all of them was that at Dropbox, we had front row seats to how fast the enterprise was adopting cloud productivity suites, which sounds really obvious in retrospect. Of course, everyone's on Microsoft 365 and Google workspace, but, in 2016, 2017, it wasn't so obvious that Goldman Sachs is going to be using like cloud email or Bank of America is going to be using cloud email.

And what happened with this move to cloud was that all of a sudden you have APIs that are available to connect to these massive organizations. And you can now start doing things with the data. So what was common between all of our ideas was, they all relied on syncing or having access to this amount of data that just wasn't possible before.

And then utilizing that data in different ways, security being one of them. But like I said, there were a couple other ideas with email security in particular, I think it's exactly what you said, there was a little bit of almost naivety, because we were like, we weren't thinking in terms of categories, we weren't thinking in terms of incumbents, we just saw problems, and we were like, hey, there's a way to solve this problem, and it doesn't seem like anybody else is solving this problem and in particular, if you remember the John Podesta hack, the thing that we were really obsessed with is, someone broke into his personal Gmail and then they downloaded all of the contents in the archive, years and years of email and posted them on the internet. And that just led to all these bad things because the internet kind of went through his entire email and there's things that are embarrassing. There's things that are like borderline illegal. There's things that are just straight up things you just wouldn't want the internet to see. And it had an impact on elections. And so we were like no one's solving this problem. I don't care if you're an email security vendor or not, like this specific problem of I have all this data in my archive and unlike a lot of other data sets, there aren't really any security controls on it.

That just was a problem no one was solving. So for us, it wasn't so much is there a new kind of opportunity in email security or not? It was more like, this is clearly this big problem. It clearly affects any company that, or person that is using cloud email, which is basically everyone. And yeah, when we started doing research on it, obviously, we did look into kind of what incumbents in the category were doing, but the original spark didn't come from like a, oh, we think the time is now for a new thing.

It was more like it starts with a problem. And that's actually how we went about validating it too. In the early days, before we even had mocks or slides or anything, we would just go talk to anybody who would listen in our network that was vaguely related to security and just be like, Hey, here's a few problems we see, we're not from this industry historically, is there something we're missing? Like we think that we could have this approach and you expect to be told like, Oh, that's a cute adorable little idea you have, but here's the seven reasons it's not going to work For us, when we started hearing over and over again Oh, actually that's. that's a good idea.

Or Oh, that, that makes sense. There's something new here. That's a refreshing take. That was our very early sign that, okay, there's maybe an opening here. So long story short, I think it was the, why now was like big infrastructure shift happening from on premise email to cloud email, which was not just about email, but about the productivity suite. And then that opened up all these like technical capabilities that didn't exist before.

Sandhya Hegde

I'm curious, Abhishek, when you were validating kind of the thesis, you mentioned talking to people in security. Was that like, security buyers? Could you give us a little more detail around who did you reach out to? And what was it you were trying to validate in terms of the next level detail of the problem? Is there a budget for this or who would create a budget for it? Or what type of company would be most eager to buy, et cetera.

Yeah, no, it's a great question. Um, you know, the funny thing is like a lot of these questions that you're asking,

Abhishek Agrawal: 

Like I still think about, like with our product, like who's the right buyer? At what level should we engage? Where's budget going to come from? These are things that actually matter even more, I would say, in like the scaling days, which we're obviously in now. Early on we weren't even sophisticated enough to be thinking about all those questions. We were just honestly trying to figure out, hey, is this a problem people care about? Is this a problem that people agree hasn't really been solved well? Do they agree that if we did what we are saying we would do, that it would solve the problem?

And frankly, is there just like excitement around it? Is there an appetite to lean in? And to suss that out you don't need to necessarily go find your buyer or anything like that in the beginning, because frankly, in the very beginning, you don't even know who your buyer will be. It might be that your product takes like a slightly different turn. And all of a sudden there's a very different profile or a different ICP or a different segment. In the early days, I remember viscerally doing this, like all three of us, we would open up LinkedIn, we would type the word security, we would go to the people tab and anyone that was a first, second or third degree connection that had like anything to do with security, we would just try to get a coffee with and share this with. And all of those conversations you were learning, whether they were the buyer or not, whether they were even related to corporate security or enterprise security, as long as they were broadly interested in the security topic, we wanted to talk to them.

And yeah, then you start seeing patterns, right? You start seeing, okay, everybody keeps telling me that this would be like a Corpsec person problem or within Corpsec, email is owned by these three people, or this is like the thing that I always get compared to. So you start seeing the patterns and then that helps you identify who else you should talk to. But we're talking about the phase that was almost like pre selling. And more just like validating, is there even a there, is there even a thing to be worked on here? What I think the trick is that once you start seeing those early signs, how do you then switch from that to an actual early sales motion?

And then yes, in the early sales motion, absolutely, you have to start thinking about, okay, who is like the buyer that I'm going to talk to? What are the kind of specific individuals that are related to this? Where does budget come from? That stuff comes a little later, but in the very beginning, it's talk to anyone who will talk to you. And one other thing I'll say about this is, as I mentioned, we were also thinking about some other ideas at the time in HR analytics or in knowledge management, like I mentioned, just the act of going to LinkedIn and trying to find people who would care was a huge signal that some of those ideas weren't going to be as useful as this one that we ended up pursuing. Because if you're struggling to even find someone who you think you should talk to that's not a problem that's going to go away. That's only going to get worse. Cause someday like your sales reps will have to solve that same problem. So if there is no, if you're trying to do a B2B company or a B2B product, but you can't identify whose job in a company it is to care about the thing you're building, that's probably one of the biggest first red flags that there might not be clarity there yet. Just going through the motion of trying to find people to talk to was step one. And then, develop more and more from there.

Wei Lien Dang

 I think what struck me from our conversations, Abhishek, was that the three of you were very scrappy and also very methodical about going about this discovery, talking to people. That was even the basis and substance of our conversations which I would like to point out, I think I tried to politely dissuade you from the HR analytics idea as well as I think maybe you floated something like security for SMBs, but, I'm really curious because, like you said, you had a lot of first principles thinking, like, you tried to identify this problem and you oriented around this stuff. John Podesta hack as an example. And, but then for any startup, you have to then focus, like you were the person on the team who held the technical insight and vision, how that tied into product, like, how did you think about going from, okay, I've identified this problem to what are you going to focus on building first? What was the first kind of feature or how did you think about the initial MVP that you needed to build, and how did you align that with an ICP?

Abhishek Agrawal

 Yeah. I think this is something that not a lot of folks talk about in those early days, but I think there's a lot of, discussion around iterating on the product, showing people certain problems or solutions, seeing if it resonates, iterating. I think actually one of the, again, for a B2B founder in particular, I I think one of the most important things in those early days, before you've written a line of code, is to start doing product marketing. And what I mean by product marketing is specifically positioning and messaging. Like we used to iterate a lot on our positioning and messaging to then get validation in those conversations before we really built a lot of a product. So for example, to your point, we would literally do this, we would have a big list of bullets, like literally bullets in like a notes app. And each bullet was like a problem that we thought existed and a suspicion of a solution that could help. And we would just go to folks like Wei or other folks that are happy to talk to us and we just go through the list of bullets and be like, is this actually a problem? And could this solution actually work?

And like first, there were even bullets on there where we only knew the problem, but no solution. There were even bullets on there where we had an idea of a solution or a capability where we were not exactly sure what problem this would help with, but it's a cool capability. So you just got a lot of this kind of raw material. And this would be all over the place to your point. So how do you now start like molding that into an initial product that you actually want to take to market? That exercise of which capabilities am I going to package together and how am I going to describe them? How am I going to say that these are the three things that fit together, but this fourth thing doesn't?

If you think about it, that is product marketing, that's positioning, right? And you're really like trying to think about how are you going to explain to someone what is different about you, what capabilities you have that they don't have today, what problems you solve for them. These are product marketing questions. These are part of marketing problems. And so to your point, I used to open up Figma and try to design like mock landing pages like instead of mocks for our software, we designed mocks for our landing pages because the mocks for our landing pages, they really pressure tested, like how are you going to describe this to someone? What's your headline going to be at the very top? It forces you to think about that. Are you going to say it's email security? Or are you going to say it's data protection? Are you going to say it's something else, and those landing pages weren't mocks that we were actually planning to build and put on our website and measure traffic on or anything like that.

That wasn't the point. The point was that it was basically a product marketing exercise. And we then showed those to our kind of early conversations and got some feedback there. I think having said that though, maybe on a more pragmatic level, we made the sort of decision early on, which was we got some advice that was like, hey, if you have a bunch of different things that you're planning on doing, some of them are going to be really novel and like very unique and differentiated and others are going to be more like similar to things that are already out there that you're like filling out your product with, you really want to start with the thing that is very different. And see if that is like the, we used to call it like a hot knife through butter, because if that part isn't resonating, if that part isn't going to make the difference, then nothing else will really matter.

 Bringing that back to our specific product, like we had this idea that sensitive content in your mailbox could be behind another MFA factor. And that was this really unique thing. And that was the very first thing we wanted to build and demo and prototype because it was the most unique part of our product. Things that came later were more of the standard features that were still useful, but maybe it would have been seen as more kind of table stakes.

Wei Lien Dang

 And was it intentional to focus on the enterprise from the beginning, Abhishek, or is that something that came later? Like you expanded into the enterprise over time and you started with maybe a smaller profile of customer. Like how did that change over time?

Abhishek Agrawal

Yeah, we were actually pretty focused on, first of all, a B2B product for sure, from the beginning, we didn't really want to do a consumer sale, especially in security. On, as far as, which segment I think that we had two hypotheses, as you've mentioned, like there was the large companies that my co-founders and I, for whatever reason, like a lot of technical founders are like allergic to sales or a little bit nervous about it. That wasn't the case with us. We enjoyed it. We saw like why it's such an important part of any business.

So we weren't dissuaded from there. And then frankly like I mentioned at Dropbox, we were seeing all these really large companies moving over and that's where we saw the opportunity. So it was always B2B focused and whether it was like small B2B or large, that just became really clear quickly because, in terms of the dollars and the willingness to pay and try out new solutions, that's obviously going to be like slightly higher end of the market than a pure SMB. Also the specific security product that we ended up deciding to build is just something that is a little bit later on the security maturity curve, right? It's not the very first thing that I would advise like a 50 person company to, buy if they're trying to get their security in place. It's something that you would do after you've handled the very basics. And so that also suggested the segment that we should be targeting.

Sandhya Hegde

Makes sense. And maybe digging into that a little bit more, Abhishek, what did go-to-market look like for your first million in ARR? What was your process? Was it all still just founder selling? And how did you think about that trade off, which is, it's only the bigger companies that truly have this problem, but they also are more difficult to reach and close a sales process with?

Abhishek Agrawal

So like I mentioned, we were three co-founders and that gave us the luxury of having one or two of us being able to be like, pretty internally focused, whereas one or two of us at any given time being external. So a lot of the early sales were just yeah, pure founder selling, just like you would expect.

We didn't, obviously we didn't have any full-time sales inside the company and it really was based on network. I think, it wasn't directly like friends and family kind of stuff, but it was folks that we had met through our initial conversations and going back to that conversation we were having about validation and the earliest kind of, is there even a thing here versus like now starting a sales motion, that line is very blurry.

And I think, when I talk to a lot of early founders these days. I see a lot of confusion there because, it's not so black and white. It's not one day you're like, I'm just validating. I'm just doing research. And then the next day you're like selling. The reality is that those two activities are on the same spectrum.

You're always selling, right? Every time I'm getting feedback or research, I'm still pitching something I'm trying to sell. It's just that I maybe don't have a concrete ask yet. I don't have a specific thing that I'm I'm showing. And then you mature that more and more.

So for us, now, in retrospect, when I think about it, that kind of like research, just having like early conversations, trying to gauge excitement. That turned into sales gradually over the course of the first six months to a year that we were talking to people and the way that gradually turned into sales was, in the very beginning, you're showing a bunch of bullet points and you're asking for Hey, validation. Soon you're showing some mocks. Soon you're showing maybe a little bit more and all of a sudden someone goes oh, okay like when can I try it, like is this available and then you start hearing that a couple times and you're like, oh shit okay, like maybe there's like a thing here and next time someone asked that we should just say, yeah, we actually have an early access program or a waitlist Like would you want to be on it?

But the key is that you're doing sales the whole time It's just that the thing you're selling, it becomes a little different And it's maturing. So the first, million in ARR, like that was the path. It's just selling to folks that we had originally met during the validation phase, but then as we developed, they were following the journey.

And then It compounds, because you meet someone, you show them a cool product especially if they're early adopters, they know other early adopters, and so the other thing for us that we were able to do very well, I think, in the early days was take our early adopters and turn them into evangelists. That then helped us grow into others. But it was all network-based. It's definitely like founder-led selling at that stage.

Sandhya Hegde

And what was the kind of the profile of your early adopters? Like how big were the companies, were they startups or were they bigger companies and who typically ended up being like your champion internally?

Abhishek Agrawal

 Yeah. We would sell to the CISO org, so definitely like going with the C level and again, we were like, when we were first having a conversation, it would normally be with either the CISO themselves or a director of security. At the time, those conversations were again, mostly sourced through the network.

Just, folks who knew each other. And one thing about security that is very unique in some ways is that there's actually a lot of appetite to learn about new technology. I know that if you go on LinkedIn, you'll see frustration about people being like berated by salespeople all the time.

And that's valid, but the average kind of security leader in my experience at least is very curious about new tech because by definition, security is this kind of pretty dynamic space and they realize that they should be up to date with the latest and greatest, even if they're not necessarily buying anything right now.

So we were very lucky and got a lot of folks, especially in the Bay Area. To answer your question, it was a lot of Bay Area mid market tech companies, for sure, in the beginning, especially if you think about where we were coming from, right? Dropbox. So a lot of like the network we had was similar companies and that was a tight knit network.

And so we were able to go from one to another. And so that early profile was what you would expect like early adopters were like sophisticated security teams that weren't going to just go buy like the incumbents. They understood that there was an opportunity to do more with APIs.

Although I will say there's no perfect rules of thumb here. Like one of our first customers remains one of our largest customers to date. And they bought us before we even had a public website, it was crazy. Like they were just this really fantastic security team. This is at Mars.

They understood that this was like the future. They really were big champions for us. They also were really great about knowing that where they're purchasing from a startup that is still going to be developing certain capabilities like customer success and support. And that's a 200,000-person company.

 And you wouldn't expect them to be an early adopter. They're a 200 year old company. That's 200, 000 people, but they were an early adopter. And so I think I would caution folks about any given rule of thumb. You just have to explore and find out. I will say the one thing that was definitely an easy way to suss out who was and wasn't going to be an early adopter is just if they were working with other startups which is something that you can pretty quickly see. You can suss that out pretty quickly.

Wei Lien Dang

 And Abhishek, if you consider your outlook from here on out, I'm curious how do you see the product vision evolving going forward and, what do you think the impact of some of the major trends and tailwinds in security right now will be like, consider AI, consider just the general shift around consolidation or platform expansion by a lot of the incumbents. How do you think that impacts a company like yours, if at all? And, how do you think about things?

Abhishek Agrawal

Yeah, it absolutely impacts it. I think from the very beginning, we used to joke that we called ourselves like Material Security, not like email guard or something, because we always wanted to expand beyond email. And we just saw email as like this big hair on fire, like unstructured data set that no one else was really looking at.

But it was always clear that the same APIs that in the same way that these APIs help you do more with email, it's absolutely true for example, your files. For your chat applications. So this general trend is something that is not email specific. And so first and foremost, a lot of our vision, where we're going next is really thinking about what other problems in the productivity suite we can solve beyond just email.

And within email itself, there's a couple of different things. There's like a data angle, there's an inbound email security angle. There's like a lateral movement angle with identity. And we've addressed some of those over the years with our products. I think, andwe'll continue to do so.

I think a big sort of like interesting area for us though, is now, how do you apply some of the same learnings to the broader suite? And that's interesting for us because, I was talking to the CISO recently and they mentioned something that has stuck with me, which is If you think about this productivity suite, like Microsoft 365 or Google Workspace, he said this thing, which is it's the first app that every employee gets when they join, and it's the last app that's taken away when they leave.

It's also the only application that every single user in the enterprise has. Like every single one gets a license, maybe there's a couple others like a slack or something But by and large, it's one of the most and so what that really means is that basically for every company, this is like a really critical piece of infrastructure but unlike other critical pieces of infrastructure like your endpoints or your network or your cloud workloads, there hasn't really been one product or one company that is helping you secure this piece of critical infrastructure.

So there's no CrowdStrike, but for your productivity suite. And so we think there's an opportunity there. I think like it's a pretty big surface. It's ubiquitous like every company in the world has it. And I think it's far from a solved problem. So that's the longer term vision.

Obviously email itself is a pretty big problem space too. So this is definitely not like Oh, we're done and now time to move on to the next thing. But that's the longer term vision as far as, and, and so you mentioned some trends I think that's absolutely in line with consolidation, I think, especially in these kinds of macro climates, like I think gone are the days where people are going to be buying like tons and tons of point solutions that only do one thing for them. I think folks are looking for ways to consolidate. I think they're looking for more value out of every dollar they spend.

So if a platform can help them with not just an email security use case, but also a files use case, but also a chat use case, like that's going to be better. And so consolidation really matters. And I think not just from a, like a value and dollars perspective, but also from a security perspective, because the other big trend in security that it's obvious, it's finally coming to light is that everybody's realizing that security products don't work that well when they're siloed, like they work better when you can combine signals from all of them.And so I think that's the other reason driving consolidation, because if you can take a signal from email security and combine it with a signal from your Google Drive and combine it with another signal from your CrowdStrike that'll actually lead to a better outcome than if you're only looking at them in silos. So consolidation, I think, is really important. And as I mentioned, I think the way that it impacts us is to broaden some of the sets of things we want to do. 

Look, AI, there's no question that is basically having a big impact on security. I'm probably in the minority a little bit here, but I actually don't agree with a lot of the fear-mongering around AI and security. I think a lot of people are really worried that it totally will change the security, like attacking landscape. Like I'm sure it will, there's absolutely new ways to abuse things. Now there's new types of risks teams have to worry about, no question about it. But by and large, I think it's like a much, much bigger impact on the defensive side.

I was reading this post recently by Phil Venables over at Google and, he brings up this great point, which is like depends on data and normally defenders have more data than attackers, which I think is like spot on. We're leveraging it a ton, obviously in our product. So is the rest of the industry. I think it really takes away a lot of the tedious work. I think it like allows the learning curve of domain expertise to be erased. There's a lot you can very quickly ramp up on. So there's a big kind of talent implication. But what I think it doesn't change is that at the end of the day, like, these products need to have good controls that act regardless of whether an attack was like AI generated or human generated. At the end of the day, like good controls are attack agnostic. And so those are the parts that I think it doesn't change, but no question about it, big change in the industry.

And I think it's also, you always go through that first paradigm shift of like people adopted as a technology where they're using it as a lens on how to improve their current operations. But I think like normally what we've seen is that's phase one. Phase two is when there's entire new operations that you didn't even envision before. That's the really exciting stuff that we're starting to see as well.

Sandhya Hegde

Makes sense. Abhishek, I really love your very thoughtful and methodical articulation of kind of the process of going from an intention to start a company to like having someone like Mars be one of your early adopter customers and how much gray there is, how little of that process is black and white, which I think it's what kind of makes it so magical when it works out. And I'm curious, what advice do you have for founders starting companies in 2024? It's a pretty dynamic environment to say the least, lots of pessimism in terms of like general capital markets, especially in venture, but same time, lots of maybe too much optimism when it comes to new trends like AI.

I'm curious what your advice would be to, enterprise software founders starting up right now.

Abhishek Agrawal

 Yeah, that's a great question. Two things come to mind. The first is that I actually think it's a great time because when things are constrained, when wallets are tight, you're going to cut through the BS, right? People aren't going to lead you along and tell you like, yeah, there's something here and like only nine months later do you find out actually no one's going to pay for this.

Like you want to find that out as fast as possible in the early days and you want to get to value as fast as possible because even when you're at the stage we are at, that's the theme, right? Hey, are you building something that's valuable? Are you going to be able to attract spend?

 Are you solving a problem that's important enough that someone is going to spend time and effort on? And the thing is in the early days in a very bubbly market like we used to have, you can get confusing signals because there's a lot of discretionary spend. There's a lot of science projects. And you can almost trick yourself into thinking you have something and then realize later that, Oh, actually it didn't actually solve this real problem. I just managed to convince a few people. And that's the thing that really keeps everybody up at night when they're early stage. They're like, Hey, is there really a pattern here?

Or have I just found like the three people who really like me, and I think, when you have tight wallets, like you can just get to that faster. People are just going to be telling you like, Hey, yes, this is cool, but there's no way I would ever pay for this, and whereas if they are saying, Oh yeah, this is really interesting. And I would do something about this. That is an incredible signal, right? It's wow, like things are so tight. And even in that situation, you're finding this to be a valuable enough thing. Imagine how it's going to be when things are not as tight. So I think it's a great time to validate. I think you just have to be careful to seek the validation in a way that people aren't going to give you feedback on user research.

They're giving you feedback on sales. So if you're a B2B founder, biggest advice is start selling early before you have anything, we were selling bullet points in a notepad. Like you can sell it, you have to sell from the beginning because if you ask people for feedback on your idea, like you'll get mixed signals. If you ask them to buy something, you'll get very strong signals. So that's number one. I think this market is actually conducive to getting that validation quickly. I think the other thing is people talk a lot about pivots in the early days. And one thing that we learned is you absolutely should be changing your mind and adapting and learning as you're taking in more information.

But one of the things that we tried to hold constant was our buyer or like the audience that we're selling to. And the reason for that is because if you have a customer and a problem, you can iterate through different problems for that customer, but if you start iterating through different types of customers, what happens is every time you switch, all the learning from the last customer type, you abandon. And you're almost starting from scratch. Whereas if you're talking to a security team, and yesterday you were selling them kind of an email security thing, but now you're selling them this slightly different security operations thing. All of the context, all of the learnings you've had by talking to security teams for the last six months, you can still take with you. And pivoting is not bad, obviously, you shouldn't keep banging your head on something that's not working. Be careful to pick a customer that you wanna talk to wisely in the early days because it's much, much harder to change the audience you are selling to than what you are selling to them.

And also a related point, that audience is someone you're gonna be talking to day in, day out for 10 years if you're doing a B2B SaaS company. So you better enjoy it. In the early days, when we were talking to, as I mentioned, like there was an HR analytics product that we were exploring, we just didn't enjoy the conversations.Personally, like we just weren't fired up ourselves at pitching them as much as we were when we were talking to the security. And like I said, I didn't even come from a security background, but I just found it more interesting. And that's important also as an early stage founder, like you have to be honest with yourself.

If you're pitching something that you yourself are not excited to talk to that profile of person day in, day out, then it's going to be really hard to have the stamina to keep going when like things get tough and because what gets you going through those is your kind of inherent interest in the space. And this itself is also tricky because obviously some of that interest builds from the validation you get. Like the more you kind of work on the problem, the more interested you get in it. But I think the litmus test should be like, are you at least enjoying having conversations with people in that role? Because if you're not really enjoying it, if it doesn't feel like an engaging conversation, then it's probably a sign that you should pick a different audience to sell to.

Sandhya Hegde

I'm hearing you say Wei should get a lot of credit for steering in the security direction away from these other things.

Abhishek Agrawal

Honestly, that's maybe ... you didn't ask me for a third, but that would maybe be my third piece of advice, which is be really careful who you talk to in the early days, because these ideas are, they're like preemies, you know, they need to be nurtured. And if you expose yourself to folks that are gonna more just be interested in shooting down, then you could very accidentally kill something that actually should have been nurtured and grown up.

So we were really lucky. We had a lot of folks around us that were, they were just like intellectually interested in pushing things forward, seeing what new things can arise. And even where they gave constructive feedback, it was more yeah, tweak this or do that, but not nah, that's been done or this doesn't work. You need some of that. Sometimes you need the reality check, but also you need some nurturing.

Download
This is some text inside of a div block.
Download

All posts

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.

All posts
March 11, 2024
Portfolio
Unusual

Material Security's product-market fit journey

Sandhya Hegde
Sandhya Hegde
No items found.
Material Security's product-market fit journeyMaterial Security's product-market fit journey
Editor's note: 

SFG 42: Material Security's CEO Abhishek Agrawal on securing enterprise workspaces

Material Security, an email security company that protects an organization's users and data, particularly across Microsoft 365 and Google Workspace. Last valued at $1.1B, Material has over 100 enterprise customers including Doordash, Lyft, and Fox.

In this episode, Sandhya Hegde and Wei Lien Dang chat with Abhishek Agrawal, CEO and co-founder of Material Security.

Be sure to check out more Startup Field Guide Podcast episodes on Spotify, Apple, and Youtube. Hosted by Unusual Ventures General Partner Sandhya Hegde (former EVP at Amplitude), the SFG podcast uncovers how the top unicorn founders of today really found product-market fit.

Episode transcript

Sandhya Hegde

Welcome to the Startup Field Guide, where we learn from successful founders of unicorn startups, how their companies truly found product market fit. I'm your host Sandhya Hegde. Joining me today is my partner Wei Lien Dang, and today we'll be diving into the story of Material Security. Material is an email security company that protects organizations, users, and data, especially across surfaces like Microsoft365 and Google Workspace. Last valued at over 1 billion,they have over a hundred enterprise customers, including DoorDash, Lyft, and Fox. Joining today is Abhishek Agrawal, CEO and co founder of Material. Welcome to the Field Guide, Abhishek. Wei and I are excited for this conversation. So we want to take you back all the way to 2017. You started Material, I think, with your early colleagues from Dropbox. What was that process like? How did you go from kind of storage and Dropbox to starting an email security company?

Abhishek Agrawal

Yeah. It's a fun story. That's right. My two co-founders, Ryan and Chris, all three of us met at Dropbox. I was an early PM there, joined the company, let's see in 2013 when it was about 250, 300 people. And then Chris and Ryan actually joined through an acquisition that Dropbox made, which was Ryan's last company. And after that acquisition, we actually all ended up on the same team. So we worked together for about a year on the same team and then did different things at Dropbox. And so that's how we originally met. And it was just one of those things where immediately got along, saw a lot of things eye-to-eye.

And knew that we wanted to work together in the future. Fast forward to kind of 2016, I'd been at Dropbox for quite a while, the company was pretty different, It'd gone from 200 something to 3000 something people, the PM team have gone from five or six people to a hundred plus. And so it was just a different company. I was definitely getting the itch to go do something else. And starting a company was top of mind. And Ryan had actually left Dropbox already and taking a little bit of a break. He had done his first startup, Dropbox had acquired it, and then he was taking some time off.

And so this was in 2016 and we started chatting about working together on and potentially building something new, but it was very much, no specific idea, no. No, like any particular space, even more just Hey, it would be cool to do something. And let's brainstorm. Around that time, the 2016 election cycle was going on. And what specifically led to the idea that would eventually become Material Security was actually those election hacks that affected the Hillary Clinton campaign. And Ryan, actually, while he was abroad, while he was taking a break and he, had some time and was like thinking about specifically that one election hack that happened to John Podesta, who was the Hillary campaign chairman, and it triggered a bunch of thoughts that would eventually, as we develop them more, lead to the idea, but it was very much a team first, more starting from, Hey, want to work together perspective. And then the spark for the email security company came from that event. As far as the switch from kind of storage productivity to do that. Yeah, it was an interesting transition. All three of us hadn't really worked professionally in security before we had been been in the data space. I got my start at Microsoft Research on the productivity software engineering side as well. Really not direct, formal security experience. But, and we can talk about this more, I feel like that actually ended up being a bit of a blessing because it gave a pretty fresh perspective on the problem.

And in security in particular, it turns out a lot of the difficult problems end up being data problems, which we had a ton of expertise from Dropbox. So, definitely, now in retrospect, it seems trivial, but at the time definitely had a lot of thoughts about Hey, what are we three guys doing in the security world? This is not like our bread and butter historically.

Wei Lien Dang 

Abhishek, I love that we're having this conversation about the origin story of Material because I remember going back to 2017, I remember sitting with you and Ryan and Chris, I think we were in a park in Mountain View, it was raining and you were at the very beginning, like you were ideating, you were brainstorming, you were thinking about, you were actually exploring a bunch of different ideas at the time.

And I'm really curious because email security was not a new category. And I actually think that because you didn't come from security backgrounds, like you weren't necessarily jaded. And you didn't have assumptions about how things had been done before, but it was a new category.

You had these several incumbents that had been around for a while and you referenced this whole thing that happened around election hacks. Like I'm curious if you could elaborate, like what was the gap with existing solutions in being able to address that type of problem? We always think at the beginning stage of a company there has to be a compelling enough, why now?

I'm curious, like where you guys saw an opening to go rethink, reimagine that category.

Abhishek Agrawal

Yeah, totally. That's a great question. Answer that, I'll actually describe a little bit, a few of the different ideas we were pursuing, because as you mentioned it wasn't this linear thing of, Oh, election hack happened. This is clearly a great idea. Let's go build a company. It's almost never like that. So in reality, what was happening was in those very early days, we had a few different ideas that we were exploring and they were pretty different. They weren't even all in security. One or two of them were related to security. One was actually like an HR analytics idea.

The other was like a knowledge base management idea. So they were all pretty different. And I think that in particular is important to know, because for us, we really were, like I said, very team first and we wanted to just explore a few different spaces and see what would resonate and the thing that was in common though, about all of them was that at Dropbox, we had front row seats to how fast the enterprise was adopting cloud productivity suites, which sounds really obvious in retrospect. Of course, everyone's on Microsoft 365 and Google workspace, but, in 2016, 2017, it wasn't so obvious that Goldman Sachs is going to be using like cloud email or Bank of America is going to be using cloud email.

And what happened with this move to cloud was that all of a sudden you have APIs that are available to connect to these massive organizations. And you can now start doing things with the data. So what was common between all of our ideas was, they all relied on syncing or having access to this amount of data that just wasn't possible before.

And then utilizing that data in different ways, security being one of them. But like I said, there were a couple other ideas with email security in particular, I think it's exactly what you said, there was a little bit of almost naivety, because we were like, we weren't thinking in terms of categories, we weren't thinking in terms of incumbents, we just saw problems, and we were like, hey, there's a way to solve this problem, and it doesn't seem like anybody else is solving this problem and in particular, if you remember the John Podesta hack, the thing that we were really obsessed with is, someone broke into his personal Gmail and then they downloaded all of the contents in the archive, years and years of email and posted them on the internet. And that just led to all these bad things because the internet kind of went through his entire email and there's things that are embarrassing. There's things that are like borderline illegal. There's things that are just straight up things you just wouldn't want the internet to see. And it had an impact on elections. And so we were like no one's solving this problem. I don't care if you're an email security vendor or not, like this specific problem of I have all this data in my archive and unlike a lot of other data sets, there aren't really any security controls on it.

That just was a problem no one was solving. So for us, it wasn't so much is there a new kind of opportunity in email security or not? It was more like, this is clearly this big problem. It clearly affects any company that, or person that is using cloud email, which is basically everyone. And yeah, when we started doing research on it, obviously, we did look into kind of what incumbents in the category were doing, but the original spark didn't come from like a, oh, we think the time is now for a new thing.

It was more like it starts with a problem. And that's actually how we went about validating it too. In the early days, before we even had mocks or slides or anything, we would just go talk to anybody who would listen in our network that was vaguely related to security and just be like, Hey, here's a few problems we see, we're not from this industry historically, is there something we're missing? Like we think that we could have this approach and you expect to be told like, Oh, that's a cute adorable little idea you have, but here's the seven reasons it's not going to work For us, when we started hearing over and over again Oh, actually that's. that's a good idea.

Or Oh, that, that makes sense. There's something new here. That's a refreshing take. That was our very early sign that, okay, there's maybe an opening here. So long story short, I think it was the, why now was like big infrastructure shift happening from on premise email to cloud email, which was not just about email, but about the productivity suite. And then that opened up all these like technical capabilities that didn't exist before.

Sandhya Hegde

I'm curious, Abhishek, when you were validating kind of the thesis, you mentioned talking to people in security. Was that like, security buyers? Could you give us a little more detail around who did you reach out to? And what was it you were trying to validate in terms of the next level detail of the problem? Is there a budget for this or who would create a budget for it? Or what type of company would be most eager to buy, et cetera.

Yeah, no, it's a great question. Um, you know, the funny thing is like a lot of these questions that you're asking,

Abhishek Agrawal: 

Like I still think about, like with our product, like who's the right buyer? At what level should we engage? Where's budget going to come from? These are things that actually matter even more, I would say, in like the scaling days, which we're obviously in now. Early on we weren't even sophisticated enough to be thinking about all those questions. We were just honestly trying to figure out, hey, is this a problem people care about? Is this a problem that people agree hasn't really been solved well? Do they agree that if we did what we are saying we would do, that it would solve the problem?

And frankly, is there just like excitement around it? Is there an appetite to lean in? And to suss that out you don't need to necessarily go find your buyer or anything like that in the beginning, because frankly, in the very beginning, you don't even know who your buyer will be. It might be that your product takes like a slightly different turn. And all of a sudden there's a very different profile or a different ICP or a different segment. In the early days, I remember viscerally doing this, like all three of us, we would open up LinkedIn, we would type the word security, we would go to the people tab and anyone that was a first, second or third degree connection that had like anything to do with security, we would just try to get a coffee with and share this with. And all of those conversations you were learning, whether they were the buyer or not, whether they were even related to corporate security or enterprise security, as long as they were broadly interested in the security topic, we wanted to talk to them.

And yeah, then you start seeing patterns, right? You start seeing, okay, everybody keeps telling me that this would be like a Corpsec person problem or within Corpsec, email is owned by these three people, or this is like the thing that I always get compared to. So you start seeing the patterns and then that helps you identify who else you should talk to. But we're talking about the phase that was almost like pre selling. And more just like validating, is there even a there, is there even a thing to be worked on here? What I think the trick is that once you start seeing those early signs, how do you then switch from that to an actual early sales motion?

And then yes, in the early sales motion, absolutely, you have to start thinking about, okay, who is like the buyer that I'm going to talk to? What are the kind of specific individuals that are related to this? Where does budget come from? That stuff comes a little later, but in the very beginning, it's talk to anyone who will talk to you. And one other thing I'll say about this is, as I mentioned, we were also thinking about some other ideas at the time in HR analytics or in knowledge management, like I mentioned, just the act of going to LinkedIn and trying to find people who would care was a huge signal that some of those ideas weren't going to be as useful as this one that we ended up pursuing. Because if you're struggling to even find someone who you think you should talk to that's not a problem that's going to go away. That's only going to get worse. Cause someday like your sales reps will have to solve that same problem. So if there is no, if you're trying to do a B2B company or a B2B product, but you can't identify whose job in a company it is to care about the thing you're building, that's probably one of the biggest first red flags that there might not be clarity there yet. Just going through the motion of trying to find people to talk to was step one. And then, develop more and more from there.

Wei Lien Dang

 I think what struck me from our conversations, Abhishek, was that the three of you were very scrappy and also very methodical about going about this discovery, talking to people. That was even the basis and substance of our conversations which I would like to point out, I think I tried to politely dissuade you from the HR analytics idea as well as I think maybe you floated something like security for SMBs, but, I'm really curious because, like you said, you had a lot of first principles thinking, like, you tried to identify this problem and you oriented around this stuff. John Podesta hack as an example. And, but then for any startup, you have to then focus, like you were the person on the team who held the technical insight and vision, how that tied into product, like, how did you think about going from, okay, I've identified this problem to what are you going to focus on building first? What was the first kind of feature or how did you think about the initial MVP that you needed to build, and how did you align that with an ICP?

Abhishek Agrawal

 Yeah. I think this is something that not a lot of folks talk about in those early days, but I think there's a lot of, discussion around iterating on the product, showing people certain problems or solutions, seeing if it resonates, iterating. I think actually one of the, again, for a B2B founder in particular, I I think one of the most important things in those early days, before you've written a line of code, is to start doing product marketing. And what I mean by product marketing is specifically positioning and messaging. Like we used to iterate a lot on our positioning and messaging to then get validation in those conversations before we really built a lot of a product. So for example, to your point, we would literally do this, we would have a big list of bullets, like literally bullets in like a notes app. And each bullet was like a problem that we thought existed and a suspicion of a solution that could help. And we would just go to folks like Wei or other folks that are happy to talk to us and we just go through the list of bullets and be like, is this actually a problem? And could this solution actually work?

And like first, there were even bullets on there where we only knew the problem, but no solution. There were even bullets on there where we had an idea of a solution or a capability where we were not exactly sure what problem this would help with, but it's a cool capability. So you just got a lot of this kind of raw material. And this would be all over the place to your point. So how do you now start like molding that into an initial product that you actually want to take to market? That exercise of which capabilities am I going to package together and how am I going to describe them? How am I going to say that these are the three things that fit together, but this fourth thing doesn't?

If you think about it, that is product marketing, that's positioning, right? And you're really like trying to think about how are you going to explain to someone what is different about you, what capabilities you have that they don't have today, what problems you solve for them. These are product marketing questions. These are part of marketing problems. And so to your point, I used to open up Figma and try to design like mock landing pages like instead of mocks for our software, we designed mocks for our landing pages because the mocks for our landing pages, they really pressure tested, like how are you going to describe this to someone? What's your headline going to be at the very top? It forces you to think about that. Are you going to say it's email security? Or are you going to say it's data protection? Are you going to say it's something else, and those landing pages weren't mocks that we were actually planning to build and put on our website and measure traffic on or anything like that.

That wasn't the point. The point was that it was basically a product marketing exercise. And we then showed those to our kind of early conversations and got some feedback there. I think having said that though, maybe on a more pragmatic level, we made the sort of decision early on, which was we got some advice that was like, hey, if you have a bunch of different things that you're planning on doing, some of them are going to be really novel and like very unique and differentiated and others are going to be more like similar to things that are already out there that you're like filling out your product with, you really want to start with the thing that is very different. And see if that is like the, we used to call it like a hot knife through butter, because if that part isn't resonating, if that part isn't going to make the difference, then nothing else will really matter.

 Bringing that back to our specific product, like we had this idea that sensitive content in your mailbox could be behind another MFA factor. And that was this really unique thing. And that was the very first thing we wanted to build and demo and prototype because it was the most unique part of our product. Things that came later were more of the standard features that were still useful, but maybe it would have been seen as more kind of table stakes.

Wei Lien Dang

 And was it intentional to focus on the enterprise from the beginning, Abhishek, or is that something that came later? Like you expanded into the enterprise over time and you started with maybe a smaller profile of customer. Like how did that change over time?

Abhishek Agrawal

Yeah, we were actually pretty focused on, first of all, a B2B product for sure, from the beginning, we didn't really want to do a consumer sale, especially in security. On, as far as, which segment I think that we had two hypotheses, as you've mentioned, like there was the large companies that my co-founders and I, for whatever reason, like a lot of technical founders are like allergic to sales or a little bit nervous about it. That wasn't the case with us. We enjoyed it. We saw like why it's such an important part of any business.

So we weren't dissuaded from there. And then frankly like I mentioned at Dropbox, we were seeing all these really large companies moving over and that's where we saw the opportunity. So it was always B2B focused and whether it was like small B2B or large, that just became really clear quickly because, in terms of the dollars and the willingness to pay and try out new solutions, that's obviously going to be like slightly higher end of the market than a pure SMB. Also the specific security product that we ended up deciding to build is just something that is a little bit later on the security maturity curve, right? It's not the very first thing that I would advise like a 50 person company to, buy if they're trying to get their security in place. It's something that you would do after you've handled the very basics. And so that also suggested the segment that we should be targeting.

Sandhya Hegde

Makes sense. And maybe digging into that a little bit more, Abhishek, what did go-to-market look like for your first million in ARR? What was your process? Was it all still just founder selling? And how did you think about that trade off, which is, it's only the bigger companies that truly have this problem, but they also are more difficult to reach and close a sales process with?

Abhishek Agrawal

So like I mentioned, we were three co-founders and that gave us the luxury of having one or two of us being able to be like, pretty internally focused, whereas one or two of us at any given time being external. So a lot of the early sales were just yeah, pure founder selling, just like you would expect.

We didn't, obviously we didn't have any full-time sales inside the company and it really was based on network. I think, it wasn't directly like friends and family kind of stuff, but it was folks that we had met through our initial conversations and going back to that conversation we were having about validation and the earliest kind of, is there even a thing here versus like now starting a sales motion, that line is very blurry.

And I think, when I talk to a lot of early founders these days. I see a lot of confusion there because, it's not so black and white. It's not one day you're like, I'm just validating. I'm just doing research. And then the next day you're like selling. The reality is that those two activities are on the same spectrum.

You're always selling, right? Every time I'm getting feedback or research, I'm still pitching something I'm trying to sell. It's just that I maybe don't have a concrete ask yet. I don't have a specific thing that I'm I'm showing. And then you mature that more and more.

So for us, now, in retrospect, when I think about it, that kind of like research, just having like early conversations, trying to gauge excitement. That turned into sales gradually over the course of the first six months to a year that we were talking to people and the way that gradually turned into sales was, in the very beginning, you're showing a bunch of bullet points and you're asking for Hey, validation. Soon you're showing some mocks. Soon you're showing maybe a little bit more and all of a sudden someone goes oh, okay like when can I try it, like is this available and then you start hearing that a couple times and you're like, oh shit okay, like maybe there's like a thing here and next time someone asked that we should just say, yeah, we actually have an early access program or a waitlist Like would you want to be on it?

But the key is that you're doing sales the whole time It's just that the thing you're selling, it becomes a little different And it's maturing. So the first, million in ARR, like that was the path. It's just selling to folks that we had originally met during the validation phase, but then as we developed, they were following the journey.

And then It compounds, because you meet someone, you show them a cool product especially if they're early adopters, they know other early adopters, and so the other thing for us that we were able to do very well, I think, in the early days was take our early adopters and turn them into evangelists. That then helped us grow into others. But it was all network-based. It's definitely like founder-led selling at that stage.

Sandhya Hegde

And what was the kind of the profile of your early adopters? Like how big were the companies, were they startups or were they bigger companies and who typically ended up being like your champion internally?

Abhishek Agrawal

 Yeah. We would sell to the CISO org, so definitely like going with the C level and again, we were like, when we were first having a conversation, it would normally be with either the CISO themselves or a director of security. At the time, those conversations were again, mostly sourced through the network.

Just, folks who knew each other. And one thing about security that is very unique in some ways is that there's actually a lot of appetite to learn about new technology. I know that if you go on LinkedIn, you'll see frustration about people being like berated by salespeople all the time.

And that's valid, but the average kind of security leader in my experience at least is very curious about new tech because by definition, security is this kind of pretty dynamic space and they realize that they should be up to date with the latest and greatest, even if they're not necessarily buying anything right now.

So we were very lucky and got a lot of folks, especially in the Bay Area. To answer your question, it was a lot of Bay Area mid market tech companies, for sure, in the beginning, especially if you think about where we were coming from, right? Dropbox. So a lot of like the network we had was similar companies and that was a tight knit network.

And so we were able to go from one to another. And so that early profile was what you would expect like early adopters were like sophisticated security teams that weren't going to just go buy like the incumbents. They understood that there was an opportunity to do more with APIs.

Although I will say there's no perfect rules of thumb here. Like one of our first customers remains one of our largest customers to date. And they bought us before we even had a public website, it was crazy. Like they were just this really fantastic security team. This is at Mars.

They understood that this was like the future. They really were big champions for us. They also were really great about knowing that where they're purchasing from a startup that is still going to be developing certain capabilities like customer success and support. And that's a 200,000-person company.

 And you wouldn't expect them to be an early adopter. They're a 200 year old company. That's 200, 000 people, but they were an early adopter. And so I think I would caution folks about any given rule of thumb. You just have to explore and find out. I will say the one thing that was definitely an easy way to suss out who was and wasn't going to be an early adopter is just if they were working with other startups which is something that you can pretty quickly see. You can suss that out pretty quickly.

Wei Lien Dang

 And Abhishek, if you consider your outlook from here on out, I'm curious how do you see the product vision evolving going forward and, what do you think the impact of some of the major trends and tailwinds in security right now will be like, consider AI, consider just the general shift around consolidation or platform expansion by a lot of the incumbents. How do you think that impacts a company like yours, if at all? And, how do you think about things?

Abhishek Agrawal

Yeah, it absolutely impacts it. I think from the very beginning, we used to joke that we called ourselves like Material Security, not like email guard or something, because we always wanted to expand beyond email. And we just saw email as like this big hair on fire, like unstructured data set that no one else was really looking at.

But it was always clear that the same APIs that in the same way that these APIs help you do more with email, it's absolutely true for example, your files. For your chat applications. So this general trend is something that is not email specific. And so first and foremost, a lot of our vision, where we're going next is really thinking about what other problems in the productivity suite we can solve beyond just email.

And within email itself, there's a couple of different things. There's like a data angle, there's an inbound email security angle. There's like a lateral movement angle with identity. And we've addressed some of those over the years with our products. I think, andwe'll continue to do so.

I think a big sort of like interesting area for us though, is now, how do you apply some of the same learnings to the broader suite? And that's interesting for us because, I was talking to the CISO recently and they mentioned something that has stuck with me, which is If you think about this productivity suite, like Microsoft 365 or Google Workspace, he said this thing, which is it's the first app that every employee gets when they join, and it's the last app that's taken away when they leave.

It's also the only application that every single user in the enterprise has. Like every single one gets a license, maybe there's a couple others like a slack or something But by and large, it's one of the most and so what that really means is that basically for every company, this is like a really critical piece of infrastructure but unlike other critical pieces of infrastructure like your endpoints or your network or your cloud workloads, there hasn't really been one product or one company that is helping you secure this piece of critical infrastructure.

So there's no CrowdStrike, but for your productivity suite. And so we think there's an opportunity there. I think like it's a pretty big surface. It's ubiquitous like every company in the world has it. And I think it's far from a solved problem. So that's the longer term vision.

Obviously email itself is a pretty big problem space too. So this is definitely not like Oh, we're done and now time to move on to the next thing. But that's the longer term vision as far as, and, and so you mentioned some trends I think that's absolutely in line with consolidation, I think, especially in these kinds of macro climates, like I think gone are the days where people are going to be buying like tons and tons of point solutions that only do one thing for them. I think folks are looking for ways to consolidate. I think they're looking for more value out of every dollar they spend.

So if a platform can help them with not just an email security use case, but also a files use case, but also a chat use case, like that's going to be better. And so consolidation really matters. And I think not just from a, like a value and dollars perspective, but also from a security perspective, because the other big trend in security that it's obvious, it's finally coming to light is that everybody's realizing that security products don't work that well when they're siloed, like they work better when you can combine signals from all of them.And so I think that's the other reason driving consolidation, because if you can take a signal from email security and combine it with a signal from your Google Drive and combine it with another signal from your CrowdStrike that'll actually lead to a better outcome than if you're only looking at them in silos. So consolidation, I think, is really important. And as I mentioned, I think the way that it impacts us is to broaden some of the sets of things we want to do. 

Look, AI, there's no question that is basically having a big impact on security. I'm probably in the minority a little bit here, but I actually don't agree with a lot of the fear-mongering around AI and security. I think a lot of people are really worried that it totally will change the security, like attacking landscape. Like I'm sure it will, there's absolutely new ways to abuse things. Now there's new types of risks teams have to worry about, no question about it. But by and large, I think it's like a much, much bigger impact on the defensive side.

I was reading this post recently by Phil Venables over at Google and, he brings up this great point, which is like depends on data and normally defenders have more data than attackers, which I think is like spot on. We're leveraging it a ton, obviously in our product. So is the rest of the industry. I think it really takes away a lot of the tedious work. I think it like allows the learning curve of domain expertise to be erased. There's a lot you can very quickly ramp up on. So there's a big kind of talent implication. But what I think it doesn't change is that at the end of the day, like, these products need to have good controls that act regardless of whether an attack was like AI generated or human generated. At the end of the day, like good controls are attack agnostic. And so those are the parts that I think it doesn't change, but no question about it, big change in the industry.

And I think it's also, you always go through that first paradigm shift of like people adopted as a technology where they're using it as a lens on how to improve their current operations. But I think like normally what we've seen is that's phase one. Phase two is when there's entire new operations that you didn't even envision before. That's the really exciting stuff that we're starting to see as well.

Sandhya Hegde

Makes sense. Abhishek, I really love your very thoughtful and methodical articulation of kind of the process of going from an intention to start a company to like having someone like Mars be one of your early adopter customers and how much gray there is, how little of that process is black and white, which I think it's what kind of makes it so magical when it works out. And I'm curious, what advice do you have for founders starting companies in 2024? It's a pretty dynamic environment to say the least, lots of pessimism in terms of like general capital markets, especially in venture, but same time, lots of maybe too much optimism when it comes to new trends like AI.

I'm curious what your advice would be to, enterprise software founders starting up right now.

Abhishek Agrawal

 Yeah, that's a great question. Two things come to mind. The first is that I actually think it's a great time because when things are constrained, when wallets are tight, you're going to cut through the BS, right? People aren't going to lead you along and tell you like, yeah, there's something here and like only nine months later do you find out actually no one's going to pay for this.

Like you want to find that out as fast as possible in the early days and you want to get to value as fast as possible because even when you're at the stage we are at, that's the theme, right? Hey, are you building something that's valuable? Are you going to be able to attract spend?

 Are you solving a problem that's important enough that someone is going to spend time and effort on? And the thing is in the early days in a very bubbly market like we used to have, you can get confusing signals because there's a lot of discretionary spend. There's a lot of science projects. And you can almost trick yourself into thinking you have something and then realize later that, Oh, actually it didn't actually solve this real problem. I just managed to convince a few people. And that's the thing that really keeps everybody up at night when they're early stage. They're like, Hey, is there really a pattern here?

Or have I just found like the three people who really like me, and I think, when you have tight wallets, like you can just get to that faster. People are just going to be telling you like, Hey, yes, this is cool, but there's no way I would ever pay for this, and whereas if they are saying, Oh yeah, this is really interesting. And I would do something about this. That is an incredible signal, right? It's wow, like things are so tight. And even in that situation, you're finding this to be a valuable enough thing. Imagine how it's going to be when things are not as tight. So I think it's a great time to validate. I think you just have to be careful to seek the validation in a way that people aren't going to give you feedback on user research.

They're giving you feedback on sales. So if you're a B2B founder, biggest advice is start selling early before you have anything, we were selling bullet points in a notepad. Like you can sell it, you have to sell from the beginning because if you ask people for feedback on your idea, like you'll get mixed signals. If you ask them to buy something, you'll get very strong signals. So that's number one. I think this market is actually conducive to getting that validation quickly. I think the other thing is people talk a lot about pivots in the early days. And one thing that we learned is you absolutely should be changing your mind and adapting and learning as you're taking in more information.

But one of the things that we tried to hold constant was our buyer or like the audience that we're selling to. And the reason for that is because if you have a customer and a problem, you can iterate through different problems for that customer, but if you start iterating through different types of customers, what happens is every time you switch, all the learning from the last customer type, you abandon. And you're almost starting from scratch. Whereas if you're talking to a security team, and yesterday you were selling them kind of an email security thing, but now you're selling them this slightly different security operations thing. All of the context, all of the learnings you've had by talking to security teams for the last six months, you can still take with you. And pivoting is not bad, obviously, you shouldn't keep banging your head on something that's not working. Be careful to pick a customer that you wanna talk to wisely in the early days because it's much, much harder to change the audience you are selling to than what you are selling to them.

And also a related point, that audience is someone you're gonna be talking to day in, day out for 10 years if you're doing a B2B SaaS company. So you better enjoy it. In the early days, when we were talking to, as I mentioned, like there was an HR analytics product that we were exploring, we just didn't enjoy the conversations.Personally, like we just weren't fired up ourselves at pitching them as much as we were when we were talking to the security. And like I said, I didn't even come from a security background, but I just found it more interesting. And that's important also as an early stage founder, like you have to be honest with yourself.

If you're pitching something that you yourself are not excited to talk to that profile of person day in, day out, then it's going to be really hard to have the stamina to keep going when like things get tough and because what gets you going through those is your kind of inherent interest in the space. And this itself is also tricky because obviously some of that interest builds from the validation you get. Like the more you kind of work on the problem, the more interested you get in it. But I think the litmus test should be like, are you at least enjoying having conversations with people in that role? Because if you're not really enjoying it, if it doesn't feel like an engaging conversation, then it's probably a sign that you should pick a different audience to sell to.

Sandhya Hegde

I'm hearing you say Wei should get a lot of credit for steering in the security direction away from these other things.

Abhishek Agrawal

Honestly, that's maybe ... you didn't ask me for a third, but that would maybe be my third piece of advice, which is be really careful who you talk to in the early days, because these ideas are, they're like preemies, you know, they need to be nurtured. And if you expose yourself to folks that are gonna more just be interested in shooting down, then you could very accidentally kill something that actually should have been nurtured and grown up.

So we were really lucky. We had a lot of folks around us that were, they were just like intellectually interested in pushing things forward, seeing what new things can arise. And even where they gave constructive feedback, it was more yeah, tweak this or do that, but not nah, that's been done or this doesn't work. You need some of that. Sometimes you need the reality check, but also you need some nurturing.

Download
This is some text inside of a div block.
Download

All posts

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.

Other articles

Selling AI to big enterprises: A Conversation with Joel Hron at Thomson Reuters
April 23, 2024
Selling AI to big enterprises: A Conversation with Joel Hron at Thomson Reuters
Interview
Ryan Wexler
Read more
Everlaw's product-market fit journey
April 8, 2024
Everlaw's product-market fit journey
Startup stories
Read more
From sales skeptic to expert: 4 steps for new founders
April 4, 2024
From sales skeptic to expert: 4 steps for new founders
Startup stories
Jyoti Bansal
Read more
Deepgram's product-market fit journey
April 1, 2024
Deepgram's product-market fit journey
Startup stories
Sandhya Hegde
Read more
Related Content