How Snyk proved that focusing on developers is the new road map for application security

Cybersecurity has yet to embrace freemium in a major way. But investors say Snyk's success is starting to change that.

Laptop with code

Snyk set out to make developer tools rather than security tools.

Photo: Christina Morillo/Pexels

By the summer of 2017, two years after its launch, Snyk was gaining steam, helping software development teams find and fix vulnerabilities in code; more than 10,000 developers were using its free tool.

But the company was not making much money: At the time, co-founder Guy Podjarny recalled, despite that level of activity, Snyk was generating just $100,000 in annual recurring revenue. "That's not awesome," Podjarny said.

At least not for a typical cybersecurity vendor. Snyk had different aspirations.

From its early days, the company set out to make developer tools rather than security tools. And to create a business around tools for developers, Podjarny knew the key would be to build a devoted user base and then use that as a springboard to close deals over time for additional features such as unlimited code security tests and reporting.

As a result, Snyk launched in an unusual fashion for a security vendor when it began offering a free, self-service version of its product in 2015.

In doing so, Snyk was following an enterprise software playbook known as "product-led growth.” In comparison to the traditional cybersecurity sales model, it “takes perseverance” to go this route, Podjarny said. "That delays getting a quick buck."

But it was this freemium, bottom-up approach that led to the company's eventual growth surge, he told Protocol. Snyk is now generating $150 million in ARR, up 150% from a year ago, the company disclosed on July 13.

In other words, the perseverance paid off. Among the company's 2,000 customers, 70% had a Snyk user on its dev team prior to writing a check for the product, Podjarny said. Snyk now employs 1,300 and ranks No. 2 among the most-valuable privately held cybersecurity vendors, according to CB Insights, with its latest valuation of $8.6 billion.

Now, some venture investors see Snyk’s approach as the go-to model for the next generation of companies in application security. And maybe even beyond.

While Atlassian, Snowflake and Twilio are just a few of the enterprise software success stories to pursue what’s known as “product-led growth,” that strategy "really hasn't hit security yet," said Rama Sekhar, partner at Norwest Venture Partners. Snyk is the most prominent company in cybersecurity that’s figured it out, but the potential for others to do the same is immense, Sekhar said.

Product-led growth, he said, is "what I'm looking for next in security startups."

Snyk code Snyk followed an enterprise software playbook known as "product-led growth.”Image: Snyk

So far in the cybersecurity industry, this approach is seeing the broadest adoption in application security, industry experts said.

That's in no small part because, for many enterprises, getting buy-in from developers on tools to help improve code security is something most leaders would welcome. With critical threats such as software supply chain attacks and rampant exploits of software bugs, there's a growing urgency around improving the security of both open-source and proprietary code.

But a bottom-up approach makes sense from the developer vantage point too. In many organizations, "developers get frustrated with the fact that application security is pushed on them," said Janet Worthington, a senior analyst at Forrester.

Having a free, self-service option for a code security tool is ideal because developers like to experiment with different tools and choose the ones that meet their needs, Worthington said.

Developers "don't want to talk to a sales rep," she said. "They just want to be able to try it."

And when it comes to application security tooling, the final decision is increasingly shifting to the development team rather than the CISO or CIO, Worthington said, the same progression that evolved in enterprise software over the last decade. In 37% of organizations, the development team now holds the budget for application security tools — up from 27% last year, she said, citing a Forrester survey.

Beyond DevOps

The truly developer-friendly shift to security may be a bottom-up movement, similar to what happened with DevOps, Worthington said.

But this approach upends the typical top-down sales model for enterprise security vendors, and it's not necessarily an easy pivot for companies that didn't start that way.

However, many providers of code security tools now "know they have to do this — and some of them have been trying," Worthington said.

A review of vendor pricing by Protocol found that many application security vendors are offering free versions or free trials of their developer tools. For instance, Contrast Security announced a free, self-service code-scanning tool in June.

The makers of many popular software development tools — including GitHub and GitLab — have also integrated security features directly into the workflow. "That has a lot of traction," Worthington said.

Meanwhile, a number of developer security startups have embraced the freemium model from their inception, emulating Snyk.

For instance, Slim.AI offers a tool that aims to simplify the removal of vulnerabilities from container images. Jit enables developers to automate the implementation of a “minimum viable security” plan for software products. CloudQuery looks to provide developers with greater visibility into cloud assets for improving security and compliance. All three tools are free for developers to try, and in most cases the goal is to eventually offer paid plans with more features.

It's no coincidence that those three startups are all backed by Boldstart Ventures, which invested in Snyk's seed funding round and led the company's series A. Ed Sim, the founder and managing partner of the VC firm, said Snyk paved the way for the developer-oriented application security companies that are now emerging. Others include code analysis startup r2c and Kubernetes security startup Armo.

"The whole idea of taking anything that is top-down, and shifting it to developer-first — I think it's a huge growth opportunity," Sim said. "I think it's still very early in the maturity and adoption cycle."

Abby Kearns, who was formerly the CTO of Puppet and CEO of the Cloud Foundry Foundation, said she also believes this is where the application security market is going. Kearns recently became an adviser to Jit.

"Developers are not going to be won over with marketing language," she said. "It has to be a grassroots-adopted tool."

Better software security

The benefits for security aren’t hard to appreciate: If developers actually like a tool and it fits seamlessly into their usual workflow, they're more likely to use it, experts said. If a tool slows them down, they'll tend to choose speed over security.

A plethora of application security vendors are now touting capabilities to help customers "shift left," bringing security closer to the beginning of the software development process, and embrace "DevSecOps" — an evolution of DevOps that treats development, security and operations as unified. But without developer-focused tools, Podjarny contended, “you can't get true developer adoption.”

Ultimately, product-led growth is a big adjustment not just for the established vendors, but also for the typical startup mindset, according to Snyk CEO Peter McKay.

For most venture-backed companies, it’s all about growing fast, McKay said. "Being patient, building a community, getting the feedback, optimizing based on the feedback — that's really time-consuming."

For years, Snyk was preoccupied with improving the developer experience for its tool rather than focusing on what the corporate buyer might want, he said. And there are no shortcuts to succeeding at that sort of thing, McKay said: "It just takes time."

In all likelihood, so will wider adoption of the developer-oriented mindset in security. But Norwest's Sekhar said he sees the potential for security tools used by people besides developers, such as security operations center analysts, to be delivered via a freemium model. "It's bigger than just developer [security] tools," he said.

But even for developer security alone, the arrival of product-led growth is a major turning point.

Given the pace of software development today, “nobody outside that sequence can really keep up. And security has remained outside,” Podjarny said. “You have to make security a part of the [development] team's work to keep up.”


Upstart has a new plan to sell Wall Street on its loans

The AI-powered lender will hold some loans on its balance sheet as it seeks partners for long-term capital.

Despite the current struggles, Upstart views the marketplace model as the best way to write to keep its loan business growing.

Photo: Upstart

After a revenue drop its CEO called “unacceptable,” the leadership at fintech lender Upstart is making a bet on the strength of its ability to underwrite loans with AI.

The San Mateo company is planning to leave some loans on its balance sheet that investors do not want to buy, as concerns about the economy shift Wall Street away from backing riskier consumer debt. Rather than pull back on its lending in response, the company said it will hold some loans as it seeks longer-term capital partners.

Keep Reading Show less
Ryan Deffenbaugh
Ryan Deffenbaugh is a reporter at Protocol focused on fintech. Before joining Protocol, he reported on New York's technology industry for Crain's New York Business. He is based in New York and can be reached at rdeffenbaugh@protocol.com.
Sponsored Content

How cybercrime is going small time

Blockbuster hacks are no longer the norm – causing problems for companies trying to track down small-scale crime

Cybercrime is often thought of on a relatively large scale. Massive breaches lead to painful financial losses, bankrupting companies and causing untold embarrassment, splashed across the front pages of news websites worldwide. That’s unsurprising: cyber events typically cost businesses around $200,000, according to cybersecurity firm the Cyentia Institute. One in 10 of those victims suffer losses of more than $20 million, with some reaching $100 million or more.

That’s big money – but there’s plenty of loot out there for cybercriminals willing to aim lower. In 2021, the Internet Crime Complaint Center (IC3) received 847,376 complaints – reports by cybercrime victims – totaling losses of $6.9 billion. Averaged out, each victim lost $8,143.

Keep Reading Show less
Chris Stokel-Walker

Chris Stokel-Walker is a freelance technology and culture journalist and author of "YouTubers: How YouTube Shook Up TV and Created a New Generation of Stars." His work has been published in The New York Times, The Guardian and Wired.


Does your boss sound a little funny? It might be an audio deepfake

Voice deepfake attacks against enterprises, often aimed at tricking corporate employees into transferring money to the attackers, are on the rise. And at least in some cases, they’re succeeding.

Audio deepfakes are a new spin on the impersonation tactics that have long been used in social engineering and phishing attacks, but most people aren’t trained to disbelieve their ears.

Illustration: Christopher T. Fong/Protocol

As a cyberattack investigator, Nick Giacopuzzi’s work now includes responding to growing attacks against businesses that involve deepfaked voices — and has ultimately left him convinced that in today's world, "we need to question everything."

In particular, Giacopuzzi has investigated multiple incidents where an attacker deployed fabricated audio, created with the help of AI, that purported to be an executive or a manager at a company. You can guess how it went: The fake boss asked an employee to urgently transfer funds. And in some cases, it’s worked, he said.

Keep Reading Show less
Kyle Alspach

Kyle Alspach ( @KyleAlspach) is a senior reporter at Protocol, focused on cybersecurity. He has covered the tech industry since 2010 for outlets including VentureBeat, CRN and the Boston Globe. He lives in Portland, Oregon, and can be reached at kalspach@protocol.com.


Binance’s co-founder could remake its crypto deal-making

Yi He is overseeing a $7.5 billion portfolio, with more investments to come, making her one of the most powerful investors in the industry.

Binance co-founder Yi He will oversee $7.5 billion in assets.

Photo: Binance

Binance co-founder Yi He isn’t as well known as the crypto giant’s colorful and controversial CEO, Changpeng “CZ” Zhao.

That could soon change. The 35-year-old executive is taking on a new, higher-profile role at the world’s largest crypto exchange as head of Binance Labs, the company’s venture capital arm. With $7.5 billion in assets to oversee, that instantly makes her one of the most powerful VC investors in crypto.

Keep Reading Show less
Benjamin Pimentel

Benjamin Pimentel ( @benpimentel) covers crypto and fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at bpimentel@protocol.com or via Google Voice at (925) 307-9342.


Trump ordered social media visa screening. Biden's defending it.

The Knight First Amendment Institute just lost a battle to force the Biden administration to provide a report on the collection of social media handles from millions of visa applicants every year.

Visa applicants have to give up any of their social media handles from the past five years.

Photo: belterz/Getty Images

Would you feel comfortable if a U.S. immigration official reviewed all that you post on Facebook, Reddit, Snapchat, Twitter or even YouTube? Would it change what you decide to post or whom you talk to online? Perhaps you’ve said something critical of the U.S. government. Perhaps you’ve jokingly threatened to whack someone.

If you’ve applied for a U.S. visa, there’s a chance your online missives have been subjected to this kind of scrutiny, all in the name of keeping America safe. But three years after the Trump administration ordered enhanced vetting of visa applications, the Biden White House has not only continued the program, but is defending it — despite refusing to say if it’s had any impact.

Keep Reading Show less
Anna Kramer

Anna Kramer is a reporter at Protocol (Twitter: @ anna_c_kramer, email: akramer@protocol.com), where she writes about labor and workplace issues. Prior to joining the team, she covered tech and small business for the San Francisco Chronicle and privacy for Bloomberg Law. She is a recent graduate of Brown University, where she studied International Relations and Arabic and wrote her senior thesis about surveillance tools and technological development in the Middle East.

Latest Stories