The Founder Formula

Every passing moment, a tech startup disrupts life as it was. In humanity’s pursuit of faster, better, and higher capacity, fresh companies are tackling old problems and modern complexities, all while pushing the bounds of the future.

The Founder Formula brings you in—behind the curtains and inside the minds of executives at Start-ups that have traditionally only been found in Silicon Valley—and the Venture Capital Firms that fund them.

All Episodes

The Founder Formula

Guy Podjarny - Founder of Snyk

October 27, 2022 • Trace3 • Episode 38

Security teams sometimes need to tackle big transformations as they keep up with today’s threat landscape. This two-time Founder set out to make that transformation less intimidating.

In this episode, our co-hosts Todd Gallina and Sandy Salty interview Guy Podjarny, the Founder and President of Snyk. The three of them discuss how Guy was able to overcome a catastrophic failure, the importance of winning over a user, and rethinking the way security teams defeat threats.

Listen to this and all of The Founder Formula episodes through your favorite podcast platform or Trace3.com.

Outro: 0:00

The founder formula brings you in behind the curtains and inside the minds of today's brave executives at the most future leaning startups. Each interview will feature a transformative leader who's behind the wheel at a fast paced and innovative tech firm. They'll give you an insider's look at how companies are envisioned, created and scaled. We hope you're ready. Let's get into the show.

Todd Gallina: 0:31

Hey, everybody. Welcome back to another episode of the Founder Formula. This is the podcast that focuses exclusively on founders and their journey. My name is Todd Galena, and with me today is the CMO at Trace3, Sandy Salty.

Sandy Salty: 0:47

Hi, Todd. How are you?

Todd Gallina: 0:49

You know what? I am doing great. As you know, there's a big exhale going on.

Sandy Salty: 0:53

Big exhale, yeah. And I feel like it's a big exhale and a lot of luster at the same time, right?

Todd Gallina: 1:01

Yeah. Yeah, yeah.

Sandy Salty: 1:02

Post-event luster.

Todd Gallina: 1:04

Yeah.

Sandy Salty: 1:05

We just had our Big Evolve conference.

Todd Gallina: 1:07

Yes, so for our listeners who might not be familiar, Trace3 has historically put on a massive technology and leadership conference where we've had folks like Wozniak speak. We took two years off due to COVID, but we were back and packed. The house was packed. I just want to talk a little bit about your involvement. Obviously, your fingerprints are all over this event, but you... Yours

Sandy Salty: 1:28

too, by

Todd Gallina: 1:29

the way. Thanks. And of course, Stephanie Hanna, the executive producer of the entire show and her whole events team. You were the host of our Outlier Awards and for the first time ever, you were part of a pretty massive, a massive magic trick. I mean.

Sandy Salty: 1:46

Yeah. Well, so you, I mean, we've talked about the Outlier Awards before and this desire to outdo ourselves every single year, right? With everything we do, marketing, Trace 3, but specifically anything related to Evolve, we always just want to get like bigger and better. As you know, the last time we held Outlier was in 2019 We talked about this where I essentially drove on to the stage in a sports car. It was a big wow moment because nobody expects to see a sports car. Funny enough, it belongs to one of the guitarists of Guns N' Roses. So that's a side story. Anyway, in one of the Founder Formula episodes, you and I talked about, gosh, you drove out in a sports car. big wow moment, like how are you gonna outdo that? And I said, you know, we're working on that as we speak. Well, this year we decided that I was going to magically appear on stage via helicopter.

Todd Gallina: 2:47

Right, which sounds super easy.

Sandy Salty: 2:49

Sounds super easy. And frankly, when you get to see behind the curtains of a magic trick or magic in general, you realize that it's actually Don't hate me, all the magicianaut listeners that we have out there. It's actually so much simpler when you kind of see the mechanics of what happens. Right. And so suffice to say that the audience was super wowed because they saw this like helicopter,

Todd Gallina: 3:18

quote unquote, appear on stage. Yeah, it came right. It was an empty box. Yeah. The box closed. And when the box opened up again, there was a helicopter.

Sandy Salty: 3:26

And I was in it. Yeah.

Todd Gallina: 3:28

How is that simple? I mean, I saw the whole thing. There was an empty box. I know. She won't tell me. everybody.

Sandy Salty: 3:33

She knows. I can't tell you. I'd have to kill you. I mean, I can probably tell you. I'll tell you off audio, but I would feel horrible ruining it for our amazing magician who was also my co-host, Jason Bird. And so we did this helicopter trick. I think people got a total kick out of it. And then to boot, my co-host was a magician, which is not something, you know, you've been at Trace as long as I've taught and you've hosted You've co-hosted Outlier with me, one of my favorite years ever on On Stage Together. But, you know, we've never really played with this idea of, like, a professional Vegas act as part of the Outlier show. And we did it this year. I thought it was super fun. Who knows what we'll do the next time, you know?

Todd Gallina: 4:20

Up the stakes?

Sandy Salty: 4:22

A rocket

Todd Gallina: 4:22

ship, maybe?

Sandy Salty: 4:22

Rocket ship, maybe a jet pack. I fly in from the ceiling. I don't know.

Todd Gallina: 4:27

Wait, so do we have commitment that you're coming back? No, no, no. I thought we just had that, like,

Sandy Salty: 4:33

recording. Let's not get ahead of ourselves. I think that this year was my outlier retirement.

Todd Gallina: 4:38

Oh, no. No.

Sandy Salty: 4:40

You might need to, we might need to bring Galena back on the circuit.

Todd Gallina: 4:43

Nobody wants to see me on stage, especially if anyone who's ever seen Sandy on stage would agree with me. Okay, so, but we did have a couple of other awesome, amazing speakers. We had Chris Voss, who is an FBI negotiator.

Sandy Salty: 4:56

Yes, master negotiator. In fact, some of you may have seen or heard his master class. He's incredible. He's just super good at what he does and he has incredible sort of principles around the art of negotiation that he shared with the audience. I think that everyone got such a kick out of that.

Todd Gallina: 5:14

It was great. Everyone was trying to use them the rest of the show.

Sandy Salty: 5:17

Totally. And then of course the big headliner, which you played a part obviously in bringing to the show.

Todd Gallina: 5:25

Yeah, Derek Jeter. Hall of Fame shortstop for the Yankees. Great. Learned a lot from him and just a fan favorite

Sandy Salty: 5:31

such such an impressive athlete and honestly I think the biggest surprise of all was not was not necessarily his like incredible repertoire of accomplishment as much as it was how humble and gracious he is in person like just one of the nicest people I've ever met and as we do with most Evolve shows after the headliner presents he typically he typically goes to another location to take pictures with our audience members and And he just, I mean, I was watching him and he shook every single person's hand with like enthusiasm and looked them right in the eyes. And it's literally as if we were walking into his home and he was hosting us for dinner. Incredible guy.

Todd Gallina: 6:19

Stayed until, shook every single hand, met every person who waited to meet him, which was great. We had some people in the audience who were born in the same town as him and some who went to the same high school. So there were some really, really great moments.

Sandy Salty: 6:31

Great moments, great dialogue.

Todd Gallina: 6:33

He was good. And then we also had a little bit of We had a couple of founders from this podcast who were on the main stage. Vikram from Lacework and Mohit from Symmetry Systems.

Sandy Salty: 6:44

both brilliant individuals, also incredibly humble. We also had, you know, along that theme of just like really great technical thought leadership, we had a fan favorite, Peter Hinson.

Todd Gallina: 6:55

Oh, yeah.

Sandy Salty: 6:56

Who continues to be a fan favorite. That guy gets like a standing ovation every time. He's so good.

Todd Gallina: 7:00

He's a futurist. He's awesome. And unfortunately, for our listeners to be able to see his stuff, you got to come to one of our shows. But the rest of the stuff we've talked about is available online. If you want to check it out, you can go to Trace3 and click the link there to see some videos I'm excited about our guest that's coming up right now me

Sandy Salty: 7:19

too but I will can I make one request before we close out

Todd Gallina: 7:22

please

Sandy Salty: 7:23

can we eat more on this show can we do another outro where we just eat and subject our poor audience to our bad chewing sounds

Todd Gallina: 7:34

I think Italy sales went through the roof after that episode right

Sandy Salty: 7:39

everybody knows what Italy is now

Todd Gallina: 7:43

alright ready to get to

Sandy Salty: 7:43

Let's roll.

Todd Gallina: 7:47

Okay, our guest is a two-time founder, public speaker, O'Reilly author, and active early stage angel investor. He's a former CTO at Akamai, and prior to that, co-founded Blaze.io. Today, he is the founder of Snyk, a leading developer security platform, helping developers secure as they build. He's coming to us live from London, England. Please allow me to introduce Guy Pajarni. Thanks for having me, Todd. Looking forward to it.

Sandy Salty: 8:13

Guy, thanks for being here. Tell us about sneak.io and why you started it.

Guy Podjarny: 8:17

Sure. So Snyk is what we call a developer-first security company. Really kind of the premise or the insight to creating it was that, you know, we're trying to secure software from the outside. And, you know, to begin with, you know, that's probably not a great idea, but specifically with the adoption of DevOps and sort of agile developments in the cloud, the pace of software development has really grown and everything around kind of DevOps models and such has really builds around these independent teams that are able to run fast and not need to stop for other people. And that really drives the problem of trying to secure from the outside. The security team just fundamentally can't keep up. And unfortunately, the security industry as a whole hasn't really gotten the memo, hasn't sort of adapted to this reality. And we've sort of repeatedly failed to get developers to actually embrace security solutions and actually secure what they build, which is what we need to scale. And our kind of light bulb moment, which sounds simple when you say it, is that if you want to break that mold, if you want to get developers to embrace security and actually embrace it into their practices, we need to build a developer tooling company. We need to build a company that puts the developer first, you know, it really designs the whole company, the brand of it, they go to market, the approach to users and community, and of course, of course, the product UX, to first and foremost, think about how to get the developer to embrace it, that kind of walks and talks and quacks like a dev tool, right? So the feels at home with the other tools the developer might embrace, might use. And that was kind of the, I don't know if it's secret sauce, but the aha moment. And that's what we set out to do. And over time, there's been a lot of learnings, and we can talk about those. But over time, that is really the core of the company. I like to say it's the thing we can't pivot out of, is this developer-first security. Today, we're talking about developer security platform. And we've sort of evolved it to a variety of platforms. products and threats that we tackle under that mantle. And they sort of span, they will continue to expand, but they already span aspects of application security. You're scanning your code, SaaS solution, and your open source component, SDA. We generally started, and at our cores, all these concerns around supply chain security, which again is like SNIC open source, SNIC container, and knowing which open source components you're using. Are they any good? Do they have known vulnerabilities helping you fix those, et cetera, et cetera, and all the way to cloud. And we can dig into that more if we want, but we kind of built an appreciation that in the world of cloud, there's a whole bunch of kind of IT security concerns that are moving into the developer world right in a in a pre-cloud surrounding if a developer wanted to say like provision a machine and run something on it they might open a ticket someone in a team might provision that machine make sure it's properly configured it's properly patched and give that back what i described right now is a dependency you know that is not you know it's kind of counter to that sort of agility and devops speed that we aspire to in the world of cloud that goes away a developer clicks a couple of buttons or makes an api call and they get a machine that's running, lo and behold, now that machine that is running, it's depending on the developer's actions, whether that is properly patched, properly configured, and developers to do that, they need developer security solutions, not IT security solutions. Thank

Sandy Salty: 12:03

you. That's such a great description of the problem space and specifically what Snyk addresses and this concept of, well, I guess for the less technical audience, you know, a traditional security approach is one that is very, very gated, right? That proverbial sort of gated approach obviously slows down the development process, which in turn slows down speed to market, which of course in turn kind of weakens a company's competitive advantage or competitive posture. So the permeating effects of kind of that traditional security approach are very real and they're very measurable to a degree in terms of how it slows down a business. I love the paradigm shift guy of building a developer tooling company versus a security company. I once heard you say that the future of security depends on developer adoption. Can you elaborate on that? Why is that the case from your perspective?

Guy Podjarny: 13:09

Yeah, I think fundamentally, It's just impossible to secure software from outside. The pace of development, as you point out, will continue to increase because that is what the business demands. You know, you need to be fast to be competitive. You need to adapt. And that would continue to be the case. And so, you know, the most secure thing you can do is just unplug from the internet and then, you know, you'll be secure all the way to bankruptcy, right? Like there's no real other option for the business except moving fast. And if you move fast... it's a lost cause to think that security can keep up. And so I think our future as a world, as a society, is digital and increasingly dependent on digital. And to be able to secure the digital world, we have to make security run at the pace of development, at the pace of digital creation. And the only way that that happens is if we equip the developers, equip those building managers the solutions with the right tools so that they can make the secure decisions when they're making them. Because that's really what we need is we need to move security to be where the decision is made.

Sandy Salty: 14:21

And does the concept of putting app security in the hands of developers scare organizations?

Guy Podjarny: 14:27

At times it does. There's maybe a couple of concepts we can touch on in here, which is, you know, one is decentralization and the other is the notion of depth versus breadth. So maybe I'll start with the latter. So as you dig into developer tooling company that tackles security and what that means, then you quickly come across the problem that developers like depth while security needs breadth. If I'm a JavaScript developer, I couldn't care less if a product supports PHP or not. And it's not because I'm narrow-minded or I don't sort of... think big enough, it's because it doesn't affect my daily lives. I'm developing in this language and this IDE and this CI system. And that's what affects me. And it just has no bearings on me if another language or stack is supported or not. But it better be amazing in the surrounding because that's the way tools in my world work. And dev tooling playbooks very much say, pick a stack, pick an area, and win them over the other stacks with weight. Security, on the other hand, needs breadth because it's just very impractical for a security leader to have seven different directors of engineering use four different tools to secure their use of open source. It's very hard as it is to govern security. There are so many threats. It has its own fragmentation. And if you start multiplying that by that type of decentralization, it's scary. It's very, very scary. And it's just not feasible. And so security wants breadth. And that depth versus breadth is a constant struggle. At Snyk, we're depth first, so we are depth first. We make sure that for the stacks that we support, we go deep enough, we understand the developer use case, we win them over. They feel like we built the product only for their environment, but nobody bought the product until we built enough breadth to actually kind of cover the majority of your applications for a security person. That's kind of one lens, if that makes sense. In Snyk, we always think about that. We launch new products with a depth-first approach. We make sure that we are very, very good for the applications that we support, and then we broaden so that we always ship products we're proud of and the developers will adopt. That's our promise to our customer. And we expand. We have the benefit now that we have a lot of great products, so those products might be rolled out all the way, and it could be that some new product will only be deployed for some subset of the development teams. Does that make sense so far? That's kind of one lens on the contention.

Sandy Salty: 17:07

Yeah, I mean, it's like it's an and proposition. It's breadth and depth versus or, right?

Guy Podjarny: 17:14

I think you have to get both done, but you have to also understand which one do you prioritize, and if you need to win developers over, then you have to I guess part of my French, not ship crap. It has to be quality. It has to be depth. Otherwise, you'll have this great product, but if developers don't use it, it's no good for you. The other piece that scares security teams sometimes is just the transformation they need to go through. And look, it's important to remember that digital transformation, we call it transformation for a reason. When you think about the delta between waterfall transformation on-prem development versus DevOps, agile, continuous development on the cloud. It's night and day. And there's no reason why security wouldn't change that way. That's scary. That's a big change. That requires different changes in maybe skills, changes in mindset, changes in culture. And I think fundamentally, people may be focused sometimes around, hey, they need to learn what containers are or how to use AWS. But I think the big difference is that security teams need to become platform teams. They need to become teams that don't succeed because they can audit and assess an application, but rather because they can build a platform that audits and assesses an application for developers as they run. They succeed not because they were the heroes that found a vulnerability and dealt with it, but rather because they built the platform that allowed developers to do that, which is very, very akin to what happened in DevOps. It sort of went from the ops person being amazing because they tackled some big outage to the ops person that is best being the one that builds a platform that developers then use. It's a scary transition and it requires all sorts of changes of skills. You need to maybe deprioritize some audit skills in favor of development skills. You need to change the mindset from more of a controller to more maybe of a service provider, right? You're providing a platform. Your developers are your customers. So those are big changes. I guess what I like to remind people they need to keep in mind is that in the DevOps world, sysadmins have become SREs. You know, they've become these sort of system reliability engineers. They're paid double. You know, they're far more respected by the business. You know, they're more... They're seen... as contributors to the top line, not just as risk reducers. And there's now proven data that shows how teams that have great SRE teams, great DevOps platforms teams, do better as a business. And we're starting to see that data for security as well. And so it's scary, but there's a very bright light at the end of the tunnel here.

Sandy Salty: 19:59

Yeah, I think this concept of security IT organizations becoming enablers and empowers, if that's a word. Is empowers a word? Versus regulators and mitigators is really like a broader theme for the IT community as a whole. Well, thank you for that. That's fantastic education for us and our audience. I want to switch gears a little bit and talk to you about the founding of companies. Neek is your second startup. How soon after the sale of Blaze.io, your first company, did you know that you'd be starting a second company?

Guy Podjarny: 20:42

Very good question. I don't know when I exactly knew it. I ended up leaving after three and a half years, leaving Akamai. And I think the Akamai journey was incredibly valuable. I've made a lot of good friends. I learned a lot. And I got a chance to... really learn a new role, right? How to be a leader and executive, you know, be the CTO of a $700 million a year business, which is about half the fact am I. And so I think it was very, very insightful. At the same time, I think I always knew that it's not a forever home for me. I don't know that I had an exact timeline. And so I came in with the intent of at least doing the sort of the three years unless I'm suffering. And I ended up staying for three and a half. I definitely wasn't suffering. But also once I got the itch to do another, it was hard to let go. I will say that I intended to take a year off after leaving Akamai. When I decided to resign, it was a year. By the time I resigned, I said, well, maybe I'll take six months. And by the time I actually left the company, six days later, I incorporated.

Todd Gallina: 21:50

So I'm not very good at taking time off. I think that sheds a lot of light. into what it's like for someone like you to sell their company, sell their baby. And we always imagine, you mentioned this, that it's kind of like purgatory to be stuck at the company. But it's amazing to hear that you learned a ton while you were there and you stayed a little bit longer. So an additional win, not only having your company acquired, but then getting that additional education, it's a cool journey.

Guy Podjarny: 22:20

Yeah, for sure. And I think it depends. Sometimes it's luck. And I would also say that if you are being acquired, then you should pay close attention to where you're landing, both role and company. I mean, I founded my first company, Blaze, because I was at IBM at a role that on paper, I could do all sorts of cool stuff and sort of think about new security innovations and such. But in practice, I felt like I wasn't having impact. It was just the distance where I was. from having an idea to actually being able to get it to market was just so vast that I was depressed. I ended up sort of founding my first company despite having had a child born three months prior. And it wasn't necessarily the wisest point in time in terms of my kind of life, but I was very bummed by it. So I kind of experienced both paths. So when I went into Akamai, I was very very verbose. I spoke a lot about what is it that I can do in the company and I came into it with a change agent mindset. And when you get acquired, you've got a bit of a halo in the acquiring company. You actually kind of have more mandates than maybe the typical person in the company to drive change. And I just leaned into that and I'm very happy with the learnings. A lot of failures in the process, but I don't think I really kind of led up too much at Akamai compared to what I did at Blaze. That's awesome.

Sandy Salty: 23:48

Yeah, this specific topic is fascinating to me and Todd because as a founder, your big milestone, sometimes your end goal, we hear is achieving some sort of exit event. We always wonder, though, if when that exit occurs, the founder who is a creator, in essence, feels somewhat handcuffed to this acquiring company and in some ways feels limited in sort of venturing into a new path and creating a new adventure for himself or herself. Is it limiting or is it equally satisfying in that the founder feels like he or she can still, you know, keep an eye on their baby, this baby that they've created, and make sure that it grows and evolves within this new context, within this bigger world, that acquiring company itself. And so we're always sort of interested in the psychology there of, hey, does the founder feel stuck? Or does the founder feel fulfilled, equally fulfilled in that they get to keep an eye on their baby?

Guy Podjarny: 25:07

Yeah. I think... Just sort of to comment is that I think it depends on the founder, but it also depends on the acquiring companies. And I think for me, what drives me is impact. And so it's not so much about just keeping my baby and maybe some founders come into that. It's more about growing the impact. If I got the same impact, I wouldn't sell. That's not the sort of intent. But for instance, at Snyk, we acquired six companies so far. So far, all of them have been successes. Some of them have been great successes. And the founders that have great impact within the company. And we take care when we acquire a company to have, you know, on one hand, of course, a clear business case of some specific aspect of it. You know, we acquired DeepCode. They brought in, you know, they're basically the engine for sort of sneak code or static analysis, but at the same time have another company-wide responsibility they would draw, you know, in that case. they became the core of machine learning in the company, right? And Manifold, they became the platform that made it extensible. You know, Topcode that we just acquired, building reporting, but they're also the data engineering level up. And because they have a company-wide mandate, they end up actually being able to grow personally and grow their impact to the scale of the acquiring company. And it drives them. It makes them more successful and it makes us more successful as a result. So, I think there's a lot of how to do it well and how not to do it well. And to an extent, we seek founders that look for that, that are hungry, that are still seeking to do more, not ones that are looking to rest and rest.

Sandy Salty: 26:45

And the fact that you were the acquired and now the acquiree or acquirer probably lends, it really probably influences how you do it well, right? At Sneak.

Todd Gallina: 27:02

Yeah. I mean, he mentioned where you land is important. So I imagine when you have, now you have seven founders in the building, you're landing seven planes. And so I'm sure you took great care in making sure they landed well and Maybe even provide a little bit of mentorship on what you're able to learn from Akamai while they're here with

Guy Podjarny: 27:20

you at Snyk. Yeah, 100%. And Peter, we have in the team a lot of experience in sort of doing that well. And Peter, alongside me, he's beyond the fact that he's acquired many companies. He's also kind of been the CEO of multiple sort of Series B and onwards companies that sold. And so I think we just have a lot of empathy to those. And, you know, so far we've been, you know, like leveraging that well to help both those companies that we buy succeed and help the whole kind of keep getting bigger. Yeah,

Todd Gallina: 27:53

I feel like we could do a whole podcast on, you know, acquisition. And you guys have done it seven times, but let's, which is a great topic. I've learned a ton just from this last segment, but let's talk about fundraising a little bit. You know, you obviously had to do it for Blaze.io. And then, you know, your second time here with Sneak, I imagine it was much easier. Was it easier because you also were walking away from the Akamai experience? Tell us a little bit about the difference in fundraising.

Guy Podjarny: 28:21

I think it was easier to fundraise the second time around because if nothing else, pure statistics show that repeat founders are more likely to succeed. And that makes sense. And also through the years at Akamai, during that time, I've done some angel investment. I've built some relationships with VCs, notably Bold Starts that led the seed round for Snyk. And so by that time, you know them, they know you. And so there's kind of more familiarity. So both the network and the track record play a role. I will say that the counter to that is the ambition. And so I think with Blaze, It was a very concrete, in hindsight, feature that I was building. While here, we're looking to transform an industry. And we said, no, developers will embrace security. And there were a lot of VCs that said, good luck with that. And it doesn't really matter what your track record is. And so I think the first round, the seed round, was easier because I had an investor who believed in me and believed in the vision and saw the potential and leaned into it. About a year into it, I had a catastrophical failure in the fundraise in which everybody wanted to talk to me and nobody wanted to sign a check at the end because they saw that we managed to get developers to use the product, but we had no revenue because we, you know, we, a little bit, the depth versus breadth we discussed. And that, you know, it didn't matter, the track record. It was still, you know, you can't do it. And, you know, fortunately, you know, again, Boldstart as a believing investor, right, and sort of seeing it, helped us up in a very positive fashion, right on great terms and pulled us up. And by the time we were kind of back at the drawing table or back at the fundraising table, things were already curving in the right direction on the revenue side as well. And it was more about chasing investors away than getting them to come.

Todd Gallina: 30:20

Was the catastrophic failure that you burned through your first investment?

Guy Podjarny: 30:25

No, I made a mistake. So it's worth understanding that Snyk is a product-led growth company, a PLG company, bottom-up. And when you're a PLG company, revenue is a second-order measure. You need to build a great product, then you need to get users to use it, and then you need people to buy. And when you're sort of going directly to commercial, it's reversed. You build a product, you get people to buy it, and then you get users to actually use it. And so it takes longer. And for us, we were very tunnel visioned on saying our biggest challenge is to get developers to embrace security. And so we were entirely focused on that and entirely blind to all sorts of things we needed to get security, who's typically the buyer, to actually sign the check. And so the reality was that about a year and a half, this was about a year and a half in, maybe not quite. And you know, we had tens of thousands of developers using the product for free and practically nobody paying. I think we were in the hundreds of maybe thousands of ARR. And everybody from outside saw that we have all these users. They didn't know what the revenue was and they saw my track record. And so everybody wanted to talk about a preemptive round. And I, you know, I was naive and I just leaned into it. So I triggered everybody. I told everybody else that someone is trying to prevent it. Everybody wanted to talk to me. I was in, you know... Grayson and Sequoia and Battery and just everybody wants to talk to me. And literally nobody wanted to get a term sheet. And I eventually did get some offers and I got some offers from good investors and I got some good offers from others, but I didn't get the right offer from the right investor. And to top that off, at the same time, my father-in-law passed away. So I was like, literally, I got a I live in London, my family's in Israel, my wife's as well. So in the morning, I had a call with an investor who gave me a term sheet. And five hours later, we got a call from Israel that my wife's dad passed away and we jumped on a plane. And it was a crazy week and period, really. It was very challenging. And again, I can't say enough good things about Ed Sim at Boldstart because during that time, he stepped up. I had two great experiences with investors then. One is Tom Hume, and this is worth a shout out here. Tom Hume at GV, who I was talking to about potentially an investment. And literally, I had a call with him in the Shiva, in the sort of the seven days of sort of sitting after someone passes away. And I wasn't sure what to do. I was behind it. And I told him that at the beginning. And I said, Guy, don't talk to me right now. And I don't think you want to talk to any investors who wants to talk to you right now. No, settle down. Call me later. which I thought that was great, and Tom absolutely made it into this next round when that happened. And then the second was Ed, who a month later said, instead of coming back to all of that, we believe it, we see the path, we see the developer success. Why don't you take $3 million instead of a full round on the best terms that you've had in any of these offers and just keep going? And that's what we did, and it worked. It worked. A year later, we had curved. It took us another, I want to say, eight months after that to kind of crack the revenue target. And then, yeah, we sort of 7X'd in four months. And then we 7X'd again. We were at that point shy of 5 million by the end of the year after. So we were off to the races.

Sandy Salty: 34:03

Guy, this is a super interesting topic to us, and I don't think one that we've ventured into on Founder Formula before. We've interviewed like dozens of founders. This concept of obviously adoption versus revenue generation, you know, there is kind of this perception that mass adoption obviously comes with a certain valuation, right? Certainly a lot of the big names that we hear of today, particularly in kind of the social platform world, are wrapping, you know, have wrapped an investment thesis around a freemium model, just by virtue of it being adopted at mass scale. So why is kind of the world that you play in different? Did those companies not pave the way for that type of thinking and investment approach? This concept of, look, you're investing in a company that has a tremendous amount of potential because there's tremendous amount of adoption versus kind of that revenue piece. Yeah, the revenue mandate. Exactly.

Guy Podjarny: 35:06

It's not always the case. Of course, sometimes it is. It's actually fairly common in developer tools. And generally, the reason or the impetus behind it is when there is a difference between the user and the buyer. So if the user is not the buyer, then increasingly in the world, there is an advantage to winning over the user because while they're not the ones signing the check, they are the ones that effectively say whether a product would be successful or not or

Sandy Salty: 35:39

use

Guy Podjarny: 35:40

it. You've seen that with tools like Slack. You're seeing that with tools like Miro. You're seeing that with Trello. And you're seeing a lot of those. And good luck to the CIO who sort of thinks that they can just sort of top-down, roll down a tool without consent from the users in the ranks. It's just no longer the case. Decisions are increasingly determined, or their success at least, by the bottom-up motion, by the users of the product. And so a bottom-up motion focuses on winning the users. From there, you kind of get a little bit into... the question of what's the distance between the user and the buyer and what's the sort of the minimum unit for which someone would purchase. And here we come back to the depth versus breadth problem because for a developer, the minimum unit of value is, you know, give me a product that helps me secure my code. It's very small. It's not dependent on anybody else. Download the Snyk CLI, integrate the IDE, maybe a little bit in the team, you can put it into a Git or a build. Then, you know, you run it and it helps you secure your code. You get the value, you fix the issues. It's all goodness. They don't do security governance. For us, typically, the tipping point, and today the world has evolved, but definitely at the beginning, you know, a tipping point for actual purchase was more security governance. And security governance is then at the security unit team level And it's hard to do it at something that is smaller than a business unit. And so because of that, the distance between what it takes to get a developer to use the product and what it takes to get a security person to purchase is quite big. And maybe even totally different needs. So it might not even be the same capabilities. There are a whole bunch of examples out in developer tools because what happens is a small team really likes it, but by the time they want to purchase, they get moved into something that requires that breadth. So that's kind of the exercise that we had here. We started developer tooling playbook, Node.js. We only picked one stack, JavaScript. We won that over. And developers in that ecosystem were entirely gung-ho on using Snyk. except nobody was only developing Node.js, or at least nobody, you know, not many. And security needed us to support Ruby and Java and more, Netlator and others. Today we support all of them, but at the time it was hard to add to those. And so I think not all products work that way. You know, if you look at the APM vendors like Datadog and such, they built a product-led approach, but in Datadog, the minimum unit is a team. It's okay if one team uses one APM solution and another team uses another. It's not optimal. It's better if everybody uses the same thing. But it's okay. You kind of get the value. So they charge in that fashion. So that's a concern. I'll add one more thing, which is important, I think, for security. Purchasing something is friction. And when you talk about getting developers to embrace security, we had to deal with a lot of friction to begin with. People didn't think that that can be done, that it's tools they might not want. We had to battle with a lot of things. And introducing a credit card into that process of the individual developer probably would have prevented them from actually using it. And so we believed, and I think that's correct then, and I think it's still correct today, that you can't do a bottom-up motion to developers for security and charge them right away. So that requires a freemium offering. Some other things that individual developers do... maybe they care enough about to pay right away. You can see like IntelliJ or certain IDEs that charge right away. And so all of these things are very context specific and they boil down to the difference between the user and the buyer, how much they care versus how hard it is, like what's the friction versus what's the demand and understanding kind of what are the deferring capabilities for the two audiences.

Sandy Salty: 39:58

Yeah, it's like you have to get them to love, not like love stage before you can introduce any type of friction, i.e. payment, charging, et cetera.

Guy Podjarny: 40:07

And in our case, even believe that it's possible, right? Like that there could actually be a security tool that as a developer, they will enjoy using. That was basically heresy.

Todd Gallina: 40:16

This is amazing. This thing has gone completely full circle when we went back down, went back to depth and breadth. And then there was also like, we're 30 minutes into this podcast. We had a birth and a death. in Guy's life. My gosh. It's like, you have to remember that these are real people with real lives. And wow, it's crazy. We are not going to have probably time to cover everything, but I do want to talk a little bit about thought leadership with you, with you, Guy, because, you know, you're an author of a couple of these O'Reilly books, author and co-author. And I remember a time when those types of books were, they were it. Like I would hop on a plane and And by the time I landed, I had read a whole O'Reilly book. I had developed a new skill set. And I came away from that looking at the authors as kind of like the gurus. I would follow them and reach out to them. That world has changed a little bit. I don't know how many people are still buying books or consuming, learning how to develop through a book. So how has the thought leadership world changed? How are people like you developing thought leadership outside of the authoring of books?

Guy Podjarny: 41:21

I think, so my kind of perspective is that teaching is a means of learning. And generally, when I talk about, you know, even before you go to books, right, when we think about messaging or sort of how do we communicate what the product does or, you know, or a concept to customers. I think people make the mistake of thinking that that is for the others. It's for the consumer, right? You're trying to simplify it. You already know all of that stuff. Now you're just trying to sort of simplify it for others. And I think that's the wrong view. I think when you need to explain it, then you learn to understand it better and you learn to reduce it to the things that matter. And in turn, once you for yourself understood the things that matter, you can think bigger. You've simplified that complexity into these things. Yes, you maybe are able to drill down, but once you've structured it in your mind, you can build on top of it better. And I think about that as messaging, whether it's inside the company, outside the company. And so I find public speaking and writing books, they're basically an excuse. They're a time-consuming excuse, but they're an excuse to get my thoughts in order, get... complicated topics like open source security or like responsive website performance which was no previous one or serverless security you know understand okay how do you how do you simplify it what really matters what models actually make sense and invariably every time i write one of those i end up learning i find what matters and what doesn't matter and that feeds our our thinking and you know when we talk about new products in the company and things like that We do the same exercise and I'm, you know, I'm probably an annoying reviewer because I'm very, very fussy about how was it presented? Not so much like, you know, if it was pink or green, you know, it's more about the what's the mental model, what's the structure. And so I think books today still carry a weight, you know, maybe not as much indeed taught as they used to. There's still time consuming to write. There's no doubt about that. And I think they're helpful for our understanding. They're helpful for internal alignment and they're helpful for aligning our conversations with our customers, right? They represent our view of a bigger world. And at the end of all of that, they're also, we're very big on community. We didn't get to talk about that too much, but, you know, in Snyk, we're very, you know, a big part of the ethos is to be, to help kind of lead this community of practice of DevSecOps. You know, how do we learn about it? And we do a lot. We acquired DevSecond, which is a conference that is vendor neutral and it's all around being a place to allow people to share security practices.

Todd Gallina: 44:14

You acquired an actual conference? Did I hear that right?

Guy Podjarny: 44:17

We acquired a conference. It had technically only two employees, but DevSecond was running for a while. It was a bit of a weird move. It's not one of the six that I mentioned before. And we don't make money off that. We try to run it at breakeven, and the pandemic got a bit in the way. But it was really just a great place to help drive and invest in the community, having thought leaders, having a space to share. I host a podcast called The Security Developer. I get to talk to smart security leaders and give them an opportunity to share their stories. And I think the books and the content we create, they're all a part of that same mix. It's around driving collaborations. When I founded Blaze, I became a part of the Velocity Programming Committee. which is one of the key originators of DevOps and where a lot of the seminal talks that drove DevOps adoption came up. We kept driving that through the Akamai days. One of the things I learned to appreciate from DevOps I learned a lot was that a big reason for the reason DevOps took off and a big change in the industry there was sharing and talking about failures and sharing about practices. I think security, know we're not very good at it you know definitely on the product security side we don't share enough we don't uh you know we don't talk about things we didn't get right it's scary and security um to do that but you know if we don't do that everybody needs to learn on their own and we advance a lot more slowly so a lot of what we do is is around promoting that and to me the books are a part of that a bit of a long-winded answer but uh i guess there's a broader

Todd Gallina: 46:06

picture It sounds like you're less into brand building and more into learning and building a community. If

Guy Podjarny: 46:16

you do that, the two become together, right? They go hand in hand. When you're doing a category creation, if you're just inventing a new mousetrap, maybe not all of these lessons apply to you. I'm not diminishing it too much. Sometimes you're trying to do the same thing, just better. In our case, we're doing it different, and different is hard.

Todd Gallina: 46:35

Okay, Guy, listen, we promised to... To keep this brief, but there's so many things that we didn't cover. And I know I speak for Sandy when I say, you know, we have just learned a ton.

Sandy Salty: 46:45

This is probably one of the most enlightening conversations we've ever had, candidly.

Todd Gallina: 46:50

Thank you so much for hopping on the podcast with Sandy and myself. We really appreciate it.

Sandy Salty: 46:55

It was a pleasure, Guy. Thank you.

Guy Podjarny: 46:57

My pleasure. Happy to share my own learning. Thank you.

Sandy Salty: 47:01

Trace3 is hyper-focused on helping IT leaders deliver business outcomes by providing a wide variety of data center solutions and consulting services. If you're looking for emerging technology to solve tried and true business problems, Trace3 is here to help. We believe all possibilities live in technology. You can learn more at trace3.com slash podcast. That's trace the number three dot com slash podcast. You've

Outro: 47:34

been listening to The Founder Formula, the podcast for all things startup from Silicon Valley to innovators across the country. If you wanna know what it takes to lead tomorrow's tech companies, subscribe to the show wherever you get your podcasts. Until next time.