Steve Jobs famously once said, “My philosophy is that everything starts with a great product,” and we couldn’t agree more. Achieving product-market fit represents a critical startup milestone that establishes the foundation for future growth and success.
However, as any experienced tech founder will tell you, finding product-market fit is almost always easier said than done. It’s a difficult process that requires a never-ending combination of experiments, data analysis, and iterations that can test even the most resilient startup teams.
Here, I’ll share three techniques that can help enterprise security companies expedite the process for achieving product-market fit. These approaches won’t guarantee success. They will, however, increase the speed at which companies can interact with and learn from the market to help define a tight product connection with target customers.
Quick Time to Value: The Story of Axonius
Axonius, the security asset management company, grew from less than $1 million ARR in 2019 to more than $100 million ARR in 2023 by providing the enterprise with a fast and simple way to monitor and understand its cybersecurity environment and asset security posture in a single, comprehensive view.
Before Axonius, there was no easy way for enterprises to monitor security gaps and prioritize vulnerabilities across increasingly complex enterprise environments that included cloud systems, network infrastructure, on-premise software, SaaS applications, and employee and IoT devices. Traditionally, companies had to rely on a variety of specialized security products, often from different vendors, that were each designed to monitor a single asset class. These specialized products had no ability to communicate across asset types to create a system-wide view into enterprise security posture.
Axonius took a different approach. Instead of requiring customers to install yet another agent, Axonius integrated with the most popular specialized asset monitoring products and aggregated and analyzed existing threat data from these different sources. In just a few hours, Axonius could provide security teams with a complete inventory of all assets, regardless of location, power state, or uptime. It could also detect security gaps, policy violations, and areas of risk; prioritize vulnerabilities; and reduce risk by automating response actions. The approach was ingenious in its simplicity and speed.
Customers were so impressed with Axonius’s quick time to value and ease of implementation that sales quickly followed. Axonius’s products rapidly spread from security teams to other departments like legal and IT, providing an additional boost to the company’s growth trajectory. Axonius is now one of the fastest-growing cybersecurity startups of all time and has raised more than $600 million in venture funding as of October 2024.
Behind the Curtain: The Story of Crowdstrike
When Crowdstrike burst onto the endpoint detection and response (EDR) scene in 2012, desktop competitors like Symantec and McAfee dominated the market. The effectiveness of their traditional signature-based detection methods, however, had gradually decreased as hackers employed more sophisticated intrusion techniques across increasingly complex IT environments.
Crowdstrike, in contrast, offered a cloud-native architecture that incorporated AI and machine learning to ingest and analyze massive amounts of data from a wide variety of sources, including endpoints, process executions, network connections, registry changes, file modifications, and external sources. Taken together, these data sources allowed Crowdstrike to significantly improve protection effectiveness and breadth.
Chief Information Security Officers (CISOs) and IT security teams loved Crowdstrike’s approach. The company’s promise to identify threats in real time while blocking intrusions before hackers could wreak havoc on employee desktops and broader enterprise systems was a game-changer in a stagnant market that was starved for innovation.
There was only one problem: Crowdstrike’s next-generation EDR platform wasn’t ready for customers. Crowdstrike had, in effect, engineered its own success trap. The company created demand that it couldn’t satisfy and faced an existential dilemma: If it delayed market entry until its product was finished, Crowdstrike risked missing out on the market opportunity it had already validated. Alternatively, if Crowdstrike started selling a half-baked offering, it risked burning customer relationships and irreparably damaging its reputation and future sales opportunities.
Crowdstrike decided it had to strike while the iron was hot. It created a hybrid strategy for early-adopter customers that relied on a combination of software and managed services to support product gaps for the areas that were still under development.
Crowdstrike’s leadership team bet that customers cared more about results than methods of protection. They believed that early-adopter customers would be willing to overlook lack of automation, productization, and efficiency in exchange for improved protection, a better security team experience, and the promise of additional capabilities – threat hunting, remote remediation, vulnerability management and prioritization, and network-wide patching – that were in development.
The bet paid off. Crowdstrike confirmed requirements through early-adopter implementations and gradually enhanced its software capabilities to minimize the amount of managed services and people involved in protecting enterprise customers.
Build for How Customers Use and Buy: The Story of Snyk
As we wrote in our last Sorenson Security Playbook article, the most successful enterprise security companies understand not only how users use products but also how customers buy the products.
As they’ve discussed in interviews and conference presentations (my favorite one is here), the founders of Snyk, a company that helps developers build applications more securely, started their company based on a “shift-left” philosophy. By incorporating security best practices and tools into the application development process, Snyk believed that it could help enterprise customers reduce product vulnerabilities and prevent security issues that demanded huge amounts of post-breach attention and resources.
In an effort to gain critical mass quickly, Snyk followed the product-led growth (PLG) playbook of successful dev tools companies like Datadog and New Relic and focused early product efforts on the Node.js developer community. Snyk created a user following of thousands in less than a year by making it easy – and initially free – to secure applications and follow security best practices during the software development process.
When Snyk tried to monetize its initial product, however, it had few takers. Although Snyk’s Node.js developer community was highly engaged and actively using its product to secure server-side web applications, the group didn’t represent the buyer profile as Snyk had assumed. Snyk’s Node.js developers didn’t actually own security budgets, nor did they unilaterally make dev tools buying decisions, even for relatively low-cost products like Snyk (i.e., $100/month/developer).
Snyk’s early monetization failure led to an important realization: Product-user fit doesn’t necessarily equate to product-market fit in the enterprise space. As a result, Snyk realized it needed to expand its customer discussions to include topics such as buyer profile, purchase group composition and roles, and company buying behavior and process.
Snyk’s founders quickly realized they had mistakenly left the security buyer – CISOs and similar roles – out of the product-market fit equation. Snyk adapted its strategy and expanded its product capabilities to meet enterprise security leader buyer requirements, which differed considerably from their initial Node.js developer user group.
Specifically, security buyers wanted a platform that could help secure software across an application portfolio. They needed to manage teams and project portfolios, which required multi-language support, broad software stack coverage, and comprehensive management and oversight capabilities, including reporting, user and team administration, and risk monitoring for proprietary and open-source software.
Ultimately, Snyk learned that finding its product-market fit required a two-stage process. Once they adapted the product to accommodate developer users and security buyers, fast revenue growth followed. The private company is rumored to be expecting more than $300 million in 2024 ARR.
Summary of Lessons Learned
Although there’s no simple playbook to achieve product-market fit, there are ways to speed up the process for enterprise security companies. Key lessons from these successful startups include:
- Build a simple wedge: Deliver value quickly based on critical data around which you can expand your initial product into a more comprehensive and fully-featured platform.
- Focus on solving urgent problems: Identify and address your customers’ most pressing needs first, even if it requires a blend of product and supporting services.
- Understand the complete customer picture: Know both how your product is used and how it’s purchased.
Do you have any interesting techniques you’ve used to find product-market fit for your enterprise security company? Please feel free to reach out to me at kelefant@sorensoncap.com.