How Snyk proved that focusing on developers is the new road map for application security

Cybersecurity has yet to embrace freemium in a major way. But investors say Snyk's success is starting to change that.

Snyk set out to make developer tools rather than security tools.

Photo: Christina Morillo/Pexels

By the summer of 2017, two years after its launch, Snyk was gaining steam, helping software development teams find and fix vulnerabilities in code; more than 10,000 developers were using its free tool.

But the company was not making much money: At the time, co-founder Guy Podjarny recalled, despite that level of activity, Snyk was generating just $100,000 in annual recurring revenue. "That's not awesome," Podjarny said.

At least not for a typical cybersecurity vendor. Snyk had different aspirations.

From its early days, the company set out to make developer tools rather than security tools. And to create a business around tools for developers, Podjarny knew the key would be to build a devoted user base and then use that as a springboard to close deals over time for additional features such as unlimited code security tests and reporting.

As a result, Snyk launched in an unusual fashion for a security vendor when it began offering a free, self-service version of its product in 2015.

In doing so, Snyk was following an enterprise software playbook known as "product-led growth." In comparison to the traditional cybersecurity sales model, it "takes perseverance" to go this route, Podjarny said. "That delays getting a quick buck."

But it was this freemium, bottom-up approach that led to the company's eventual growth surge, he told Protocol. Snyk is now generating $150 million in ARR, up 150% from a year ago, the company disclosed on July 13.

In other words, the perseverance paid off. Among the company's 2,000 customers, 70% had a Snyk user on their dev team prior to writing a check for the product, Podjarny said. Snyk now employs 1,300 and ranks No. 2 among the most-valuable privately held cybersecurity vendors, according to CB Insights, with its latest valuation of $8.6 billion.

Now, some venture investors see Snyk’s approach as the go-to model for the next generation of companies in application security. And maybe even beyond.

While Atlassian, Snowflake and Twilio are just a few of the enterprise software success stories to pursue what’s known as “product-led growth,” that strategy "really hasn't hit security yet," said Rama Sekhar, partner at Norwest Venture Partners. Snyk is the most prominent company in cybersecurity that’s figured it out, but the potential for others to do the same is immense, Sekhar said.

Product-led growth, he said, is "what I'm looking for next in security startups."

Snyk followed an enterprise software playbook known as "product-led growth." Image: Snyk

So far in the cybersecurity industry, this approach is seeing the broadest adoption in application security, industry experts said.

That's in no small part because, for many enterprises, getting buy-in from developers on tools to help improve code security is something most leaders would welcome. With critical threats such as software supply chain attacks and rampant exploits of software bugs, there's a growing urgency around improving the security of both open-source and proprietary code.

But a bottom-up approach makes sense from the developer vantage point too. In many organizations, "developers get frustrated with the fact that application security is pushed on them," said Janet Worthington, a senior analyst at Forrester.

Having a free, self-service option for a code security tool is ideal because developers like to experiment with different tools and choose the ones that meet their needs, Worthington said.

Developers "don't want to talk to a sales rep," she said. "They just want to be able to try it."

And when it comes to application security tooling, the final decision is increasingly shifting to the development team rather than the CISO or CIO, Worthington said, mirroring the progression enterprise software went through over the last decade. In 37% of organizations, the development team now holds the budget for application security tools — up from 27% last year, she said, citing a Forrester survey.

Beyond DevOps

The truly developer-friendly shift to security may be a bottom-up movement, similar to what happened with DevOps, Worthington said.

But this approach upends the typical top-down sales model for enterprise security vendors, and it's not necessarily an easy pivot for companies that didn't start that way.

However, many providers of code security tools now "know they have to do this — and some of them have been trying," Worthington said.

A review of vendor pricing by Protocol found that many application security vendors are offering free versions or free trials of their developer tools. For instance, Contrast Security announced a free, self-service code-scanning tool in June.

The makers of many popular software development tools — including GitHub and GitLab — have also integrated security features directly into the workflow. "That has a lot of traction," Worthington said.

Meanwhile, a number of developer security startups have embraced the freemium model from their inception, emulating Snyk.

For instance, Slim.AI offers a tool that aims to simplify the removal of vulnerabilities from container images. Jit enables developers to automate the implementation of a “minimum viable security” plan for software products. CloudQuery looks to provide developers with greater visibility into cloud assets for improving security and compliance. All three tools are free for developers to try, and in most cases the goal is to eventually offer paid plans with more features.

It's no coincidence that those three startups are all backed by Boldstart Ventures, which invested in Snyk's seed funding round and led the company's series A. Ed Sim, the founder and managing partner of the VC firm, said Snyk paved the way for the developer-oriented application security companies that are now emerging. Others include code analysis startup r2c and Kubernetes security startup Armo.

"The whole idea of taking anything that is top-down, and shifting it to developer-first — I think it's a huge growth opportunity," Sim said. "I think it's still very early in the maturity and adoption cycle."

Abby Kearns, who was formerly the CTO of Puppet and CEO of the Cloud Foundry Foundation, said she also believes this is where the application security market is going. Kearns recently became an adviser to Jit.

"Developers are not going to be won over with marketing language," she said. "It has to be a grassroots-adopted tool."

Better software security

The benefits for security aren’t hard to appreciate: If developers actually like a tool and it fits seamlessly into their usual workflow, they're more likely to use it, experts said. If a tool slows them down, they'll tend to choose speed over security.

A plethora of application security vendors are now touting capabilities to help customers "shift left," bringing security closer to the beginning of the software development process, and embrace "DevSecOps" — an evolution of DevOps that treats development, security and operations as unified. But without developer-focused tools, Podjarny contended, “you can't get true developer adoption.”

Ultimately, product-led growth is a big adjustment not just for the established vendors, but also for the typical startup mindset, according to Snyk CEO Peter McKay.

For most venture-backed companies, it’s all about growing fast, McKay said. "Being patient, building a community, getting the feedback, optimizing based on the feedback — that's really time-consuming."

For years, Snyk was preoccupied with improving the developer experience for its tool rather than focusing on what the corporate buyer might want, he said. And there are no shortcuts to succeeding at that sort of thing, McKay said: "It just takes time."

In all likelihood, so will wider adoption of the developer-oriented mindset in security. But Norwest's Sekhar said he sees the potential for security tools used by people besides developers, such as security operations center analysts, to be delivered via a freemium model. "It's bigger than just developer [security] tools," he said.

But even for developer security alone, the arrival of product-led growth is a major turning point.

Given the pace of software development today, “nobody outside that sequence can really keep up. And security has remained outside,” Podjarny said. “You have to make security a part of the [development] team's work to keep up.”
