By the summer of 2017, two years after its launch, Snyk was gaining steam, helping software development teams find and fix vulnerabilities in code; more than 10,000 developers were using its free tool.
But the company was not making much money: At the time, co-founder Guy Podjarny recalled, despite that level of activity, Snyk was generating just $100,000 in annual recurring revenue. "That's not awesome," Podjarny said.
At least not for a typical cybersecurity vendor. Snyk had different aspirations.
From its early days, the company set out to make developer tools rather than security tools. And to create a business around tools for developers, Podjarny knew the key would be to build a devoted user base and then use that as a springboard to close deals over time for additional features such as unlimited code security tests and reporting.
As a result, Snyk launched in an unusual fashion for a security vendor when it began offering a free, self-service version of its product in 2015.
In doing so, Snyk was following an enterprise software playbook known as "product-led growth." In comparison to the traditional cybersecurity sales model, it "takes perseverance" to go this route, Podjarny said. "That delays getting a quick buck."
But it was this freemium, bottom-up approach that led to the company's eventual growth surge, he told Protocol. Snyk is now generating $150 million in ARR, up 150% from a year ago, the company disclosed on July 13.
In other words, the perseverance paid off. Among the company's 2,000 customers, 70% had a Snyk user on their dev team prior to writing a check for the product, Podjarny said. Snyk now employs 1,300 and ranks No. 2 among the most valuable privately held cybersecurity vendors, according to CB Insights, with its latest valuation of $8.6 billion.
Now, some venture investors see Snyk’s approach as the go-to model for the next generation of companies in application security. And maybe even beyond.
While Atlassian, Snowflake and Twilio are just a few of the enterprise software success stories to pursue what’s known as “product-led growth,” that strategy "really hasn't hit security yet," said Rama Sekhar, partner at Norwest Venture Partners. Snyk is the most prominent company in cybersecurity that’s figured it out, but the potential for others to do the same is immense, Sekhar said.
Product-led growth, he said, is "what I'm looking for next in security startups."
[Image caption: Snyk followed an enterprise software playbook known as "product-led growth." Image: Snyk]
So far in the cybersecurity industry, this approach is seeing the broadest adoption in application security, industry experts said.
That's in no small part because, for many enterprises, getting buy-in from developers on tools to help improve code security is something most leaders would welcome. With critical threats such as software supply chain attacks and rampant exploits of software bugs, there's a growing urgency around improving the security of both open-source and proprietary code.
But a bottom-up approach makes sense from the developer vantage point too. In many organizations, "developers get frustrated with the fact that application security is pushed on them," said Janet Worthington, a senior analyst at Forrester.
Having a free, self-service option for a code security tool is ideal because developers like to experiment with different tools and choose the ones that meet their needs, Worthington said.
Developers "don't want to talk to a sales rep," she said. "They just want to be able to try it."
And when it comes to application security tooling, the final decision is increasingly shifting to the development team rather than the CISO or CIO, Worthington said, the same progression that evolved in enterprise software over the last decade. In 37% of organizations, the development team now holds the budget for application security tools — up from 27% last year, she said, citing a Forrester survey.
Beyond DevOps
The truly developer-friendly shift to security may be a bottom-up movement, similar to what happened with DevOps, Worthington said.
But this approach upends the typical top-down sales model for enterprise security vendors, and it's not necessarily an easy pivot for companies that didn't start that way.
However, many providers of code security tools now "know they have to do this — and some of them have been trying," Worthington said.
A review of vendor pricing by Protocol found that many application security vendors are offering free versions or free trials of their developer tools. For instance, Contrast Security announced a free, self-service code-scanning tool in June.
The makers of many popular software development tools — including GitHub and GitLab — have also integrated security features directly into the workflow. "That has a lot of traction," Worthington said.
Meanwhile, a number of developer security startups have embraced the freemium model from their inception, emulating Snyk.
For instance, Slim.AI offers a tool that aims to simplify the removal of vulnerabilities from container images. Jit enables developers to automate the implementation of a “minimum viable security” plan for software products. CloudQuery looks to provide developers with greater visibility into cloud assets for improving security and compliance. All three tools are free for developers to try, and in most cases the goal is to eventually offer paid plans with more features.
It's no coincidence that those three startups are all backed by Boldstart Ventures, which invested in Snyk's seed funding round and led the company's series A. Ed Sim, the founder and managing partner of the VC firm, said Snyk paved the way for the developer-oriented application security companies that are now emerging. Others include code analysis startup r2c and Kubernetes security startup Armo.
"The whole idea of taking anything that is top-down, and shifting it to developer-first — I think it's a huge growth opportunity," Sim said. "I think it's still very early in the maturity and adoption cycle."
Abby Kearns, who was formerly the CTO of Puppet and CEO of the Cloud Foundry Foundation, said she also believes this is where the application security market is going. Kearns recently became an adviser to Jit.
"Developers are not going to be won over with marketing language," she said. "It has to be a grassroots-adopted tool."
Better software security
The benefits for security aren’t hard to appreciate: If developers actually like a tool and it fits seamlessly into their usual workflow, they're more likely to use it, experts said. If a tool slows them down, they'll tend to choose speed over security.
A plethora of application security vendors are now touting capabilities to help customers "shift left," bringing security closer to the beginning of the software development process, and embrace "DevSecOps" — an evolution of DevOps that treats development, security and operations as unified. But without developer-focused tools, Podjarny contended, “you can't get true developer adoption.”
Ultimately, product-led growth is a big adjustment not just for the established vendors, but also for the typical startup mindset, according to Snyk CEO Peter McKay.
For most venture-backed companies, it’s all about growing fast, McKay said. "Being patient, building a community, getting the feedback, optimizing based on the feedback — that's really time-consuming."
For years, Snyk was preoccupied with improving the developer experience for its tool rather than focusing on what the corporate buyer might want, he said. And there are no shortcuts to succeeding at that sort of thing, McKay said: "It just takes time."
In all likelihood, so will wider adoption of the developer-oriented mindset in security. But Norwest's Sekhar said he sees the potential for security tools used by people besides developers, such as security operations center analysts, to be delivered via a freemium model. "It's bigger than just developer [security] tools," he said.
But even for developer security alone, the arrival of product-led growth is a major turning point.
Given the pace of software development today, “nobody outside that sequence can really keep up. And security has remained outside,” Podjarny said. “You have to make security a part of the [development] team's work to keep up.”