The Future of Product-Led Growth Might Be Hiding Where You Least Expect It
April 28, 2022
Product-led growth (PLG) is an end-user-focused model that relies on the product itself as the primary driver of customer acquisition, conversion, and expansion.
Many of the fastest-growing B2B software companies employ product-led growth as their core go-to-market motion in order to accelerate growth efficiently. This phenomenon is most commonly seen in a few markets: productivity tools (think Calendly, Notion, Zapier, or Airtable) and developer tools (think Datadog, Twilio, or Atlassian).
Often, these types of approaches look different from the standard SaaS because they have a free component, like a free trial or a free or open-source tool—and loads of happy, vocal customers on social media and in specialized communities like GitHub.
One market where this phenomenon used to be less common is within the infosec/cyber security space. Since the investment team at OpenView is always on the lookout for product-led businesses, we started to wonder why none of the security software companies we spoke to had pursued a PLG go-to-market motion.
After chatting with a few players in the industry, we came up with a few hypotheses:
- It’s hard to prove value quickly or have an “aha” moment with a freemium product or even in a free trial. Ideally, a cybersecurity tool runs quietly in the background, covering for the CISO and ensuring there are no weaknesses. Andrew Morris from GreyNoise commented, “There’s no concept of ‘user touch’ in existing security products. You don’t have touch with the user like you might in other tools.” Because of this, infosec/security companies are forced to play the long game, waiting for the bad guys of the internet to prove their worth long after someone makes a purchase.
- The security space is a small, elite group of experts. The key to success is already being well-known in the space and having the ear of influencers. In the past, these experts were told what to use by a CIO or CISO who had been sold a product based on fear of the unknown and followed the “nobody ever got fired for hiring IBM” psychology (I’m looking at your Norton). In some organizations, these experts are finally free from having products selected for them, but this change is still unfolding. Haroon Meer from Thinkst Canary summed it up best when he noted that this space has “traditionally not been a productive environment for a bottoms-up GTM motion.”
- Any true self-serve motion where you spin up an account, load your data, and then swipe a credit card goes against the grain for any end user who is trained in proper risk management and compliance (aka any security buyer). That buyer is unlikely to have admin access rights to actually deploy any of these tools, either. This righteous skepticism makes onboarding, easy-to-navigate UIs, and quick implementation timelines less important in the space.
So we decided to take a look at a few companies we felt are headed in a product-led direction—companies that are outliers in the infosec/security space—and test our hypotheses against them.
The original outliers
When we thought about outliers, two companies immediately came to mind: Duo and Okta.
Both companies did things differently than the infosec norm (at the time of their founding and at the present), and this in large part catapulted their growth.
While researching this article, I saw Duo named multiple times as the “Most Loved Company in Security”—so beloved that Cisco paid $2.65 billion for the company, in cash. Impressive.
View this post on Instagram
Duo has been the security space’s hottest company for some time: doubling ARR from 2015 to 2016 and bringing in talent from companies like Facebook, Etsy, and more. How did they achieve such tremendous growth?
Duo’s founder Dug Song was an “insider” of sorts in the industry but founded his own business because he had the drive to solve a specific problem he encountered in his work. While Dug had experience in the industry, I feel he disproves my second hypothesis (the space is made up of industry insiders who market in a tried-and-true way) because Duo never used fear-based marketing, which seems to be the most commonly used tool in a security marketer’s toolbox.
In fact, to ensure that Duo could delight prospects, they developed a 15-second demo in their early days, which disproves my first hypothesis (that it’s challenging to create an aha moment).
Now the tool has a simple free trial for anyone who visits the website (in turn disproving my third hypothesis). Over time, Duo has built a community of customers who absolutely love the product and act as evangelists, one of the core drivers of product-led growth.
Like Duo, Okta also has a free trial (disproving my third hypothesis regarding self-serve) but the similarities end there.
Okta has some advantages to other outliers in my list because you can show the value of SSO and IT-managed identity pretty quickly, enabling that aha moment and providing value to your prospect long before your trial expires. The trick for Okta is driving enough engagement that a user can get to that point. But don’t worry, the team has quite a bit of expertise.
Okta blows my second hypothesis out of the water. Okta’s founders came from a totally different sector and brought a fresh perspective to their GTM approach. This approach focused more on a bottoms-up, user-led mechanism of adoption, and for good reason: They’d created Okta on the heels of their tenure at Salesforce, where they helped their largest customers roll out the CRM across their organizations.
As someone who has led these massive rollouts, I completely understand the value of end-user engagement with the product to drive usage and retention. If you’ve rolled out a piece of software to an entire enterprise but only a handful of employees are using it (with even fewer advocating for it), you can kiss your renewal goodbye. Okta’s founders took these learnings with them when they started their own business.
- Both of these companies capitalized on solving for the pain of the end IT user, the need for control and compliance within large enterprises
- They didn’t go about this by selling to the CIO, but rather by positioning themselves to be discovered by this IT persona
The next generation of product-led growth security companies
The next generation of PLG security companies looks a bit more like what we’re used to when we think of being “product-led.”
This cohort of businesses took learnings from the B2D (business-to-developer) and open-source spaces and created a hybrid model. In these spaces, building a community is a keystone for thriving, as it creates a large pool of users who evolve into product advocates, suggesting what feature should be built, and eventual buyers for the tools when they take them to work.
Full disclosure: OpenView led Datadog’s $15M Series B in 2014.
Datadog wasn’t built with security as their main focus (and I’m sure that by mentioning them I’m offending some of the experts in the space), but they built security monitoring into their platform because “as developers and operations become responsible for securing their services, they need their monitoring platform to help surface possible threats.”
View this post on Instagram
Since Datadog built their platform for developers, they gained insight over time into tactics that worked in that market: developers tend to want everything to be self-serve, trying the product with a specific project they’re working on in mind, and asking questions about price, integrations, and more when they’re serious about buying.
Datadog learned that you only have a few moments to show this highly selective audience what’s valuable about your product—and they proved that they could do so, prior to moving into the security space.
By making that value evident for developers quickly, Datadog eliminates my first hypothesis about security being slow to show value. My first point about Datadog’s initial product offering catering to developers disproves the second hypothesis I laid out—Datadog’s team didn’t originate in the infosec/security space, nor did they really start out building products to service that need.
Finally—and I think this is one of the most attractive features of Datadog’s GTM motion—is the fact that typically buyers enter the platform using one of the company’s stand-alone products, see value in it, and then begin to expand organically over time into their other observability products (which I imagine led the team to build for security stakeholders in the first place).
This GTM motion is not only incredibly efficient (I highly recommend reading the S-1), but it also disproves my third hypothesis—if your organization is already using the product for log management or your data is already in the tool, it’s an easy leap for even the most discerning security professional to try out that security module and add it to the monthly bill.
This opportunity for account expansion is one of the key reasons that product-led growth is such an attractive go-to-market model. As long as Datadog keeps solving for the pain points of their existing customers and expanding the revenue coming from accounts with product offerings, their Natural Rate of Growth will continue to soar.
Snyk’s founders come from the security space (with some very intimidating experience in the Israeli Defense Force), but Snyk’s selling point is that it fits security into the development process.
In this way, Snyk has flipped my second hypothesis (industry knowledge and fear-based selling) on its head by democratizing security and making it part of the responsibilities and understanding of a larger percentage of engineers at any given software company.
The company offers an open-source tool, too (with a 400,000+ strong community of developers online). This free product allows prospects to see value and get that aha moment in the long term (disproving my first hypothesis about slow time-to-value) and builds enough trust as a result of being open-source that it essentially acts the same way a freemium tool would (disproving my third hypothesis around distrust of free products). By the time a company needs to pay for Snyk, it’s highly likely they’ve been using the open-source code for some time.
For Snyk, the open-source model helps them get around common GTM hurdles that infosec/cybersecurity businesses face when trying to be product-led, as it acts as free lead generation for their proprietary features and overall offering.
While they took different routes to get there, Datadog and Snyk struck gold by identifying where their security prospects were the easiest to engage.
- Open source: Snyk has taken an approach that’s yielded them a large following and top-of-funnel.They continue to lean into this superpower with community-sourced information like disclosed open-source vulnerabilities. It’s investments like this that help Snyk grow their discoverability among anyone worried about securing their code.
- Convergence of developer tools into security: Datadog has built a platform that slowly draws security professionals closer as the work they manage intersects with a developer’s day-to-day.
The rising stars
For this piece, I spoke to a few companies that are just starting to see traction in the space while leveraging best practices from their product-led peers. One unifying thread I found in these rising stars was the fact that it’s difficult to tell from the beginning if they’re a community, an open-source/platform tool, or an actual software provider.
As the space becomes more complicated, I think that the lines will continue to blur as we solve for threats that are increasingly complicated.
Full disclosure: OpenView is an investor in Kolide.
Kolide takes an obsession with the end user to the next level, especially in the security space. The team at Kolide is passionate about making security a part of a company’s culture, not something you tack on later to pass compliance tests–a problem that only 1-2 people at an organization worry about. Kolide lives natively on a tool that most employees at security-conscious companies use today–Slack.
This quick and easy integration within a businesses’ core tool works to drive engagement—not only with the prospective buyer persona but with the entire organization. More importantly, security alerts provided to employees and end-users are not only flags and alerts, they also tell the user how to mitigate any security problem they might be causing–this comes in key in an era of notification overload.
It’s slick, micro-experiences like this that cause naysayers of PLG to believe that these tools are just vitamins–easily eliminated by a larger player with a stronger team. But, when you take a step back and think about what these small pings are doing–getting users to correct their actions–and the value they’re providing to security professionals—reducing the surface area of risk–it feels like Kolide would be extremely challenging to unseat.
I interviewed Thinkst founder Haroon Meer for this article, and he was instrumental in helping me to form the hypotheses we started with.
Funny enough, while Haroon is well-connected in the security space, I was struck by how much the company’s GTM disproves my second hypothesis—Thinkst Canary doesn’t feel like this elite, secretive tool at all—their community of experts are extremely willing and open to tell you about their tools and methods, and Thinkst does a great job of bringing them together.
Haroon noted that the best new tech in this space is coming out of social media giants and consumer offerings. And while that isn’t his background, I felt that reflected in Thinkst’s GTM. Unlike any of the other tools I evaluated, their website is incredibly easy for a novice to the security space to understand and navigate, and I appreciated the casual language to answer any and all product questions a prospect may have about purchasing Canaries.
Thinkst Canary solves for showing value to prospects (hypothesis number one) with something I hadn’t seen before: They use their huge and happy community to provide social proof to prospects that the tool will fit their needs.
Introducing our top salesperson (5th year running¹)
Our Customers ✊💚
“I have been telling all of my security friends how amazing the technology is”
“I already convinced my friend and former colleague to buy Canary.. He couldn’t be happier.”
¹ Still just 1 FT salesperson pic.twitter.com/LzlTnGTXF8
— Thinkst Canary (@ThinkstCanary) August 24, 2020
Thinkst Canary is Twitter famous—they have a ton of customer love. While the company doesn’t yet have a self-serve offering (they haven’t disproved my third hypothesis), they’re still scaling and they’re probably learning from every single customer interaction they have.
As Thinkst grows, I bet their self-serve capabilities will follow.
I also interviewed GreyNoise founder Andrew Morris for this piece and was impressed with how he thinks about the space.
GreyNoise’s website feels like a secret club you got invited to, but without the security scare tactics about imminent internet threats I outlined in hypothesis two. Instead, the product itself promises to tell users about what they shouldn’t be worried about—and for a highly anxious space, this must come as a relief.
GreyNoise of course has a product, but I was struck by how much of their offering they give away for free, quickly showing the value to me, a non-prospect with an interest in macro web security. GreyNoise users like the online UI where they can get quick insights on technical indicators and trends for free, like looking to see if an IP address is scanning/attacking everyone on the Internet or just themselves (limited at a very generous 50 searches/day).
Often, these types of tools have a hard time showing their value. GreyNoise’s trends page immediately demonstrated to me how much work the tool is doing behind the scenes in order to show malicious web anomalies across the world. I didn’t have to try out the product to understand its value, which disproves my first hypothesis.
These three rising stars taught me so much about how PLG best practices morph and change when faced with complicating factors. I believe that this space will take PLG and build on it—and we’ll start seeing the freshest tactics emerge from this market in particular.
Overall, I hope readers of this piece will take away the lesson that rules are made to be broken, especially in business. Our generation’s top innovators will hear things like “That’s not the way it’s done” and “No one will buy it if we do that,” and find ways to disprove those theories.
That’s how we ended up with product-led growth in the first place. And that’s how the practice will continue to evolve.