The Product Person - Snyk: Shift left security
Snyk: Shift left security

Catching the shift-left security wave and building a generational security platform

Hello again! We’re back with another profile on a security company. This time, we’re talking about Snyk - one of the pioneers of building venture-scale software security platforms. On a side note, I’m currently building a content agency - if you enjoy our writing and would like to see it applied to your or a friend’s company, please reach out to us!

Snyk is a $7.4 billion startup that helps developers find and fix vulnerabilities in the open-source components their code depends on before it goes into production. Well, to be fair, they do quite a bit more than that today. Snyk's products include:
This is their story.

Funding

Funding amounts include secondary sales.

Founding Story

In 2015, Guy Podjarny was serving as the CTO of Akamai’s Web Performance business line. He had been in the role for three years after Akamai acquired his company, Blaze.io (a startup that helped businesses optimize web front-end performance). At Akamai, Podjarny saw the rise of shift-left testing, which pushes testing toward the early stages of software development. Until then, most companies followed a waterfall development model: separate teams would plan, build, and test the product. With testing placed at the end, companies would often rush to ship software that was still defective or vulnerable to attack. Podjarny realized that shift-left had broader implications than just earlier testing in the development cycle. To fulfill his vision, he recruited Assaf Hefetz and Danny Grander as cofounders. Like Podjarny, both were technical and had served in the Israel Defense Forces. Together, the trio started Snyk in July 2015 with the bet that developers would also start to take on security. To tackle the opportunity, the three cofounders signed on four other engineers to join them.

Just three months later, Podjarny and Hefetz flew out to Amsterdam and presented the first version of Snyk at Velocity Amsterdam. [0] In their 13-minute presentation, titled Stranger Danger, Podjarny showcased Snyk's command-line interface (CLI) tool, which found vulnerabilities in projects and offered a quick

For example,

Back in 2015, this problem of multi-layer (transitive) dependencies was starting to become an issue. With the rise of open-source software, more companies were adopting third-party open-source components in their products, and those components in turn pulled in their own second- and third-level dependencies. A vulnerable package several levels down the tree ships in the product even though nobody on the team chose it directly. Snyk's product is what is now called software composition analysis (SCA): checking a project's third-party dependencies against a database of known vulnerabilities. It grew out of the older application security testing market, dominated by static application security testing (SAST) tools that analyze an application's own source code. Most of those tools were built and maintained by security companies that acted as consultants rather than software service providers.
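The transitive-dependency problem described above, as an added example that is not Snyk's code or the page's own: walk a Node.js dependency tree in the shape of `npm ls --json` output, match each package version against a list of advisories, and report the path through which each vulnerable version was pulled in, the same "how was this introduced" detail a dependency scanner's report needs to give. The tree, the advisory entries (identifiers, titles, version ranges) and the `fix` hint are all constructed for this example; version comparison is simplified to major.minor.patch.

```javascript
// Added example, not Snyk's code: find vulnerable packages in a Node.js
// dependency tree and report the path that introduced each one.
// The tree has the shape of `npm ls --json` output (name, version,
// dependencies). Tree, advisories, and version ranges are all constructed.

// Constructed advisory list: package name -> advisories. Each advisory
// affects versions in the half-open range [introduced, fixed).
const ADVISORIES = {
  lodash: [
    { id: 'EXAMPLE-0001', title: 'prototype pollution (constructed)', introduced: '0.0.0', fixed: '4.17.12' },
  ],
  minimist: [
    { id: 'EXAMPLE-0002', title: 'argument injection (constructed)', introduced: '0.0.0', fixed: '1.2.3' },
  ],
};

// Constructed dependency tree. lodash appears twice on purpose: the copy the
// application requests directly is fixed, but report-gen pins an older one.
const TREE = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    express: { version: '4.16.0', dependencies: {} },
    'some-cli-helper': {
      version: '2.0.1',
      dependencies: { minimist: { version: '1.2.0', dependencies: {} } },
    },
    lodash: { version: '4.17.12', dependencies: {} },
    'report-gen': {
      version: '0.3.0',
      dependencies: { lodash: { version: '4.17.4', dependencies: {} } },
    },
  },
};

// Compare two versions numerically on major.minor.patch. Pre-release tags
// are dropped for this example, so "1.2.3-beta" compares equal to "1.2.3".
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when `version` falls inside the advisory's affected range.
function isAffected(version, advisory) {
  return compareVersions(version, advisory.introduced) >= 0 &&
         compareVersions(version, advisory.fixed) < 0;
}

// Depth-first walk of the tree. Each finding records the chain of
// "name@version" nodes from the root, so a reader can see which top-level
// dependency is responsible for a nested vulnerable package.
function findVulnerablePaths(tree, advisories = ADVISORIES) {
  const findings = [];
  const walk = (node, name, path) => {
    const chain = [...path, `${name}@${node.version}`];
    for (const adv of advisories[name] || []) {
      if (isAffected(node.version, adv)) {
        const direct = chain.length === 2; // root -> this package
        findings.push({
          id: adv.id,
          title: adv.title,
          package: name,
          version: node.version,
          fixedIn: adv.fixed,
          path: chain.join(' > '),
          direct,
          // Constructed fix hint: a direct dependency can be bumped; a
          // transitive one needs the top-level dependency upgraded (or the
          // nested copy patched), since the manifest never names it.
          fix: direct
            ? `upgrade ${name} to >=${adv.fixed}`
            : `upgrade ${chain[1]} to a version that requires ${name}>=${adv.fixed}`,
        });
      }
    }
    for (const [depName, dep] of Object.entries(node.dependencies || {})) {
      walk(dep, depName, chain);
    }
  };
  walk(tree, tree.name, []);
  return findings;
}

for (const f of findVulnerablePaths(TREE)) {
  console.log(`${f.id} ${f.title}: ${f.package}@${f.version} (fixed in ${f.fixedIn})`);
  console.log(`  via: ${f.path}`);
  console.log(`  fix: ${f.fix}`);
}
```

Run against the constructed tree, both findings are transitive: the direct lodash is already at the fixed version, and the vulnerable copies reach the application only through some-cli-helper and report-gen. That is the case a manifest-only check misses, and it is why the fix for a transitive finding targets the top-level dependency (or a patch applied to the nested copy) rather than the package named in the advisory.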
Unlike legacy security companies, Snyk was in the right place at the right time. A year before Snyk was founded, two major bugs in open-source software came to light. The first, Heartbleed, was a memory-disclosure flaw in the TLS heartbeat extension of OpenSSL, the cryptographic library behind much of the secure communication on the web; it let a remote peer read chunks of a server's memory, potentially including private keys. The second, Shellshock, was a flaw in how Bash parsed function definitions passed through environment variables; it let attackers execute arbitrary commands on any system where untrusted input reached Bash, such as web servers running CGI scripts. Both bugs shone a new light on the open-source ecosystem, and the need for software that could detect and patch vulnerabilities in shared libraries was greater than ever. In late 2015, Snyk raised a $3 million seed round led by Boldstart Ventures.

Product Market Fit

After their demonstration in Amsterdam, Snyk went live in December 2015. The first Snyk product focused on Node.js projects, inspired by New Relic’s early focus on the Ruby developer base. Early pitches for Snyk featured the tagline “New Relic for security”. New Relic’s first product, a Rails performance management package, found a quick audience with Ruby companies such as 37signals and GitHub. Podjarny hoped that Snyk could replicate that success in the Node.js space. At the time, Node was rapidly growing in popularity. Its speed, and the flexibility of using JavaScript for both client-side and server-side code, had developers adopting the technology in droves. A side effect of that adoption was an explosion of new third-party packages for Node. Compared to the presentation back in October, Snyk added a wizard command which made walking through vulnerabilities far easier. At launch, the Snyk product had four key commands:
To celebrate the launch, the Snyk team released a database of npm vulnerabilities and created a badge for open-source package maintainers to show that a package was free of known security issues. Snyk’s tools saw rapid adoption. By June 2016, over 5,000 developers were using Snyk. Combined, they had requested over 343,000 security tests, applied Snyk patches 71,000 times, and received over 4,500 email alerts about newly disclosed vulnerabilities.

With solid usage, the Snyk team felt confident about monetization. They came out of beta with a pricing plan starting at $19/month, scaling up to $100/month per developer. Snyk was making another bet as well: its go-to-market (GTM) strategy was a bottom-up, developer-focused approach. Traditionally, security companies prospected Chief Information Security Officers (CISOs), CIOs, and compliance teams. In part, this was because security contracts were big-ticket items with six- to seven-figure annual contract values (ACV). To find the right champion, security companies had to aim high - it was unlikely that a single developer could unilaterally approve a seven-figure expense for the whole company. The other reason for pitching CISOs was the belief that developers didn’t care about security. With waterfall development, developers were isolated from security issues. As part of shift-left, Snyk assumed that developers would care about security and would have the purchasing power for security tools. The first part of the assumption came true. The second part - well, not so much. Despite healthy adoption among developers, few opened their wallets to sign up for the paid plans. Snyk’s bottom-up approach had hit a roadblock.

In the meantime, they kept building. In April 2016, they launched a GitHub testing tool. Anyone could test a public Node.js GitHub repository for vulnerabilities and receive a report detailing how each vulnerability was introduced into the project, along with solutions to address it.
In June 2016, they deepened their GitHub integration further. Snyk could now check a pull request (PR) before it was merged, as part of the CI/CD process, and auto-generate a PR to fix

In November 2016, they added Snyk support for Ruby projects. As part of the launch, they met Tom Preston-Werner, cofounder of GitHub and Ruby enthusiast, and found themselves the subject of a glowing review. [1] Preston-Werner described Snyk as “an intelligent and proactive bodyguard for your entire codebase.”

In early 2017, Snyk leveraged the trust it had established in the developer community to pursue enterprise accounts. Snyk hired its first account executive and aggressively went after CISOs. They shifted their tone as well, replacing blog posts like “Out of Beta, plus exciting new features” with “Snyk and Atlassian, Sitting in a Tree” and “Snyk for your Enterprise”. The Snyk team also spent most of 2017 adding features targeted at enterprise buyers: license compliance, vulnerability reporting dashboards, on-premise support, and enterprise support. After closing their first contract in March 2017, Snyk raced to $100k ARR by August. By March 2018, Snyk had over 130 large commercial paying customers. That same month, Snyk closed a $7 million Series A round led by Boldstart Ventures and Canaan Partners.

Growth

In Snyk’s Series A announcement, Podjarny announced:
This core thesis would prove incredibly prescient. By June 2016, over 5,000 developers were using Snyk. By March 2018, over 120,000 developers had tried Snyk. Six months later, in September 2018, Snyk had over 160,000 developers. That same September, Snyk raised a $22 million Series B, led by Accel.

While the Snyk GTM motion had swung toward enterprise, Snyk still kept its developer-first mentality. The best showcase for this was Guy Podjarny’s podcast, The Secure Developer. Publishing once a month, Podjarny interviewed guests such as Geoff Belknap, Chief Security Officer at Slack, on topics such as security org charts and bug bounty programs. Snyk’s content team continued publishing on its blog at a rate of 4-5 posts per month. Topics ranged from announcements such as “Snyk is Now Integrated with Chrome’s Lighthouse”, to vulnerability explanations such as “Attacking an FTP Client: MGETting more than you bargained for”, to general educational content such as “Local Type Inference Cheat Sheet for Java 10 and beyond!” By setting up an organic motion, Snyk kept its core developer growth climbing. Internally, Snyk’s north star metric was the number of active developers using the platform; revenue was a second-order metric. They had pioneered an entirely new GTM strategy for security. In an interview, Podjarny said:
What we learned is that … in the world of security, there’s a certain threshold you have to reach to get the development team to use the product. When you want them to buy, they need a certain breadth. We needed to broaden the offering before we could sell it, by adding support for the main languages and platforms. We ended up collapsing our first paid tier into free and focused on the larger tier for monetization, but at a much higher price, by offering a much deeper offering.

In essence, Snyk makes it easy for developers to get started. Its free tier is a giant cost center with the singular goal of helping developers understand and find value in Snyk’s core products. From there, as developers run into usage limits, Snyk gains powerful inbound prospects. Product-led growth (PLG) isn’t new. Dropbox, Slack, Figma, Spotify, Calendly, Zoom, and plenty of other companies have generous free tiers that then convert into enterprise deals. But Snyk was unique in that it was one of the first companies to use the PLG motion in enterprise security. In September 2019, Snyk raised a $70 million Series C, led once again by Accel. From their announcement:
Expansion

Shortly before Snyk’s Series C, Peter McKay replaced Podjarny as CEO. By this point, Snyk had grown to over 150 employees, but despite a strong technical product, the path toward future growth was unclear. McKay was a natural choice. He was an early investor in and board member of Snyk, with previous experience as an SVP at VMware. McKay had also served on the board of Blaze.io, Podjarny’s previous company. He brought “extensive large-scale management experience, [and] experience with markets.” Podjarny became president and chairman of the board to focus on “product vision and community leadership”.

Investors loved the move. In January 2020, Snyk raised another $150 million in a Series D led by Stripes. Just eight months later, in September 2020, they raised a $200 million Series E led by Addition. Then another round in March 2021: $300 million at a $4.7 billion valuation, led by Accel and Tiger Global. In September 2021, Snyk added yet another $605 million at an $8.5 billion valuation. The round was split into two parts: the first $530 million was led by Sands Capital and Tiger Global, while the second $75 million came from Atlassian Ventures and Salesforce Ventures. Since McKay stepped up as CEO, Snyk had raised over $1.325 billion from investors. Incredible.

With the new capital, McKay went all-in on growth. The Snyk team grew to 800+ employees worldwide in the span of two years. Many of the new hires went to sales. McKay transitioned the company from a tech-heavy team to one with a healthy balance of marketing, sales, and engineering. Another avenue for growth was acquisitions. Snyk acquired CloudSkiff, FossID, Manifold, DeepCode, and Fugue, bolstering its position as a leader in security and paving the way for new product lines such as Snyk Cloud. But the growth story finally reversed in 2022. The latest Snyk fundraise saw a valuation cut: $196.5 million at $7.4 billion in December 2022, led by the Qatar Investment Authority.
In a TechCrunch article about the round:
Most security startups either grow into a platform or they get absorbed by one, and Snyk apparently wants to be a platform player at this point.

In January 2023, Snyk added another $25 million in strategic investment from ServiceNow.

Conclusion

Snyk started from a core developer-first thesis. Over the past eight years, its growth has more than confirmed that thesis. Snyk now has over 1,200 employees across offices spanning San Francisco, London, Singapore, and more. Customers include Atlassian, Twilio, AWS, and Salesforce. Today, the open-source security movement is stronger than ever, and there’s even a name for the work that Snyk does: software supply chain security. I can’t wait to see what Snyk does next.

Footnotes

[0] Video of Snyk's launch at Velocity Amsterdam in 2015.

[1] Tom Preston-Werner hasn’t written much about other companies. Snyk is one of the few companies that he talks about on his blog. Another fun fact is that Preston-Werner met his GitHub cofounder at an “I Can Has Ruby” meetup.

[2] As detailed in a Snyk breakdown published by Unusual Ventures.

Enjoyed this? Please share it with a friend or two.