1 00:00:00,160 --> 00:00:03,840 I think it's become a vanity metric to raise a lot of money. The real 2 00:00:04,340 --> 00:00:07,560 purpose of a seed stage startup is to find PMF. It's not fundraising. 3 00:00:07,720 --> 00:00:11,040 Fundraising is a cost of doing business. I'm joined today by my 4 00:00:11,540 --> 00:00:15,360 friend Ahmad, the founder of Corgea, which is an 5 00:00:15,860 --> 00:00:19,080 app security startup. We talk about why you don't need to 6 00:00:19,580 --> 00:00:22,640 raise more than $2.5 million in order to get Product Market Fit, 7 00:00:23,140 --> 00:00:26,640 Corgea's journey to Product Market Fit, what they were actually doing on a tactical 8 00:00:27,140 --> 00:00:30,520 level, and we talk about why he doesn't believe in design partnerships. Enjoy the 9 00:00:31,020 --> 00:00:35,760 episode. Product Market Fit. Tell us why you 10 00:00:36,260 --> 00:00:39,920 don't need a lot of money to actually find it. Yeah, I think, 11 00:00:40,800 --> 00:00:44,520 you know, this came from when you and I were chatting and we 12 00:00:45,020 --> 00:00:48,320 were talking about topics and I put this post on LinkedIn and, 13 00:00:48,480 --> 00:00:51,040 you know, usually the story is it goes viral. It did not go viral. 14 00:00:51,540 --> 00:00:55,280 I think I got a lot of like friction from it, but my hypothesis is 15 00:00:55,360 --> 00:00:59,250 that You don't need a lot of money to find PMF. 16 00:00:59,330 --> 00:01:01,850 And what I mean by a lot of money is like now you see round 17 00:01:02,350 --> 00:01:05,391 sizes being like, you know, seed rounds being 5, 10, 18 00:01:05,482 --> 00:01:08,650 20, maybe even 30 million in some cases. 19 00:01:09,150 --> 00:01:12,770 Like we're in cybersecurity. And so those rounds in the seed round are like 20 00:01:13,270 --> 00:01:16,930 ludicrous sometimes. And so, um, you know, I put, you don't 21 00:01:17,430 --> 00:01:21,250 need more than $2.5 million to achieve PMF, which is, you know, give or take 22 00:01:21,750 --> 00:01:24,070 a little bit. And I think a lot of people didn't like that. 23 00:01:25,270 --> 00:01:28,630 Why? I think it's become a vanity 24 00:01:29,130 --> 00:01:32,550 metric to raise a lot of money. I think people kind 25 00:01:33,050 --> 00:01:36,790 of show, think that they can show market validation through that. 26 00:01:37,430 --> 00:01:40,870 I also think it's optimizing for the wrong kinds of things 27 00:01:41,370 --> 00:01:45,150 that you're trying to do. I think the real purpose of a seed stage 28 00:01:45,650 --> 00:01:49,430 startup is to find PMF. It's not fundraising and fundraising is a cost of doing 29 00:01:49,930 --> 00:01:52,640 business. It takes a lot of time, energy, and effort to fundraise, 30 00:01:53,280 --> 00:01:55,840 which is not the primary goal. 31 00:01:56,960 --> 00:02:00,480 And then I think it also incentivizes bad behavior, 32 00:02:00,960 --> 00:02:02,960 right? Overhiring, 33 00:02:04,480 --> 00:02:08,280 throwing bodies at the problem. I remember having a 34 00:02:08,780 --> 00:02:12,640 meeting with one of our RYC partners, Diana, and we were talking about, 35 00:02:13,040 --> 00:02:15,400 as we were fundraising and all of that, and she's like, if you don't need 36 00:02:15,900 --> 00:02:19,050 more money, don't take it. Money doesn't solve your problems. 37 00:02:20,170 --> 00:02:24,650 Money doesn't solve Product Market Fit. Money doesn't solve your go-to-market strategy. 38 00:02:26,330 --> 00:02:29,730 Those things you as a founder and your team have to figure out and solve. 39 00:02:30,230 --> 00:02:32,850 And you can do that. And you see a lot of companies, I'm not saying 40 00:02:33,350 --> 00:02:37,570 go bootstrap, but you see a lot of great companies that are bootstrapped or raised 41 00:02:38,070 --> 00:02:41,450 very little. Like people forget about Stripe and Airbnb and 42 00:02:41,950 --> 00:02:46,080 Ubers, like seed rounds were much smaller than today's standard. 43 00:02:46,160 --> 00:02:49,600 They had worse dilution. And on 44 00:02:50,100 --> 00:02:53,320 top of that, like they had a harder job, like cloud computing wasn't a thing 45 00:02:53,820 --> 00:02:56,560 when Airbnb was like kind of doing its thing, right? Like they had to like 46 00:02:56,800 --> 00:03:00,400 run physical servers and buy those machines and do all kinds 47 00:03:00,900 --> 00:03:04,680 of stuff. Right. And so that's kind of my opinion on it is like staying 48 00:03:05,180 --> 00:03:09,040 lean. And I think even Paul Graham talks about it. Like he even talks about 49 00:03:09,540 --> 00:03:12,680 some of this stuff is like, you always want to surprise people by how lean 50 00:03:13,180 --> 00:03:17,080 you are, because that's actually a stronger signal of Product Market Fit. A small 51 00:03:17,580 --> 00:03:20,960 team has achieved something so visceral and so strong that 52 00:03:21,460 --> 00:03:26,920 it shows really strong signs of Product Market Fit and go-to-market strategy. And I see 53 00:03:27,420 --> 00:03:31,360 a lot of startups raise these large rounds, hire an army of salespeople 54 00:03:31,860 --> 00:03:35,000 that can't feed because their go-to-market strategy sucks. 55 00:03:35,890 --> 00:03:39,530 Their product kind of sucks and they end up having to let go people 56 00:03:40,030 --> 00:03:42,850 or pivot or sell the company and everyone kind of celebrates, oh my God, 57 00:03:43,350 --> 00:03:45,730 we got an exit and acquisition, but it really was pennies on the dollar. 58 00:03:45,810 --> 00:03:49,890 And I've seen this time in and time out. What is a seed 59 00:03:50,450 --> 00:03:53,930 small lean team? What does that typically look like? And what 60 00:03:54,430 --> 00:03:57,810 is it? What's an example of not a lean team? 61 00:03:57,890 --> 00:04:02,150 Yeah, that's a good question. I mean, you have to really assess it for your 62 00:04:02,650 --> 00:04:05,830 use case in your industry. So like whenever I say these things, people shit, 63 00:04:06,330 --> 00:04:08,350 oh, but hardware is different and biotech is different. 64 00:04:09,150 --> 00:04:12,350 100%. They're different. They are fundamentally 65 00:04:12,850 --> 00:04:16,670 different spaces and you should raise according to those spaces, right? I believe 66 00:04:17,170 --> 00:04:20,990 for the most part, like most companies, $2 to $4 million raised 67 00:04:21,490 --> 00:04:25,310 should give you roughly like 2 years, 2 and a half years of runway to 68 00:04:25,810 --> 00:04:28,110 figure shit out. That's, that's what you really need., 69 00:04:29,950 --> 00:04:33,710 right? And that's Bay Area money. Like I'm talking, you're hiring in the Bay Area, 70 00:04:34,210 --> 00:04:37,630 you're keeping it very local, the most expensive talent on the 71 00:04:38,130 --> 00:04:41,630 planet. Like I'm not talking, you know, you go to start a startup in Thailand, 72 00:04:42,130 --> 00:04:45,470 like as a digital nomad, that's going to be very different fundraising. Right. And I 73 00:04:45,970 --> 00:04:50,150 really think you can accomplish a lot on a team of 3 to 5 people. 74 00:04:50,650 --> 00:04:54,110 I really think maybe if you stretch it a bit, but like under 75 00:04:54,910 --> 00:04:58,310 10. You should really find early signs of Product Market Fit and a go-to-market strategy 76 00:04:58,810 --> 00:05:02,070 that works. Above that, I really 77 00:05:02,570 --> 00:05:05,870 start to question if you're really, if you're overhiring. Like I sometimes 78 00:05:06,370 --> 00:05:10,270 see these startups with like a chief of staff and like an 79 00:05:10,349 --> 00:05:13,870 operations person being added and all these things. And they just came out 80 00:05:14,370 --> 00:05:17,670 of like stealth or just announced their seed round. And I'm like, what are you 81 00:05:18,170 --> 00:05:21,920 doing? Like, do you really need that many bodies? To like run your 82 00:05:22,420 --> 00:05:25,600 operation. And then, then they're like, you know, I like to be very cheap on 83 00:05:26,100 --> 00:05:29,200 tools too, or like very cost efficient on tools. Then they're 84 00:05:29,440 --> 00:05:32,680 like doing their SOC 2 and they don't even have customers yet and an 85 00:05:33,180 --> 00:05:36,880 ISO 27001. And then suddenly they're like listing jobs on 86 00:05:37,380 --> 00:05:41,240 Ashby and nothing wrong with these tools, but it feels like 87 00:05:41,740 --> 00:05:45,880 you're putting the cart before the horse, even before like PMF or seeing early 88 00:05:46,380 --> 00:05:49,860 signs or really strong signs of PMF. Right. We punted on a lot 89 00:05:50,360 --> 00:05:54,060 of that kind of stuff. Like we did SOC 2 much later till 90 00:05:54,560 --> 00:05:57,860 it became like a hard requirement for some of our deals. Right. 91 00:05:58,360 --> 00:06:01,940 And so I feel like those are like, in my opinion, bad signs is when 92 00:06:02,440 --> 00:06:06,380 I see really bloated companies without 93 00:06:06,880 --> 00:06:10,420 that level of traction to back them. I can give examples actually of 94 00:06:10,920 --> 00:06:14,310 other companies I've literally seen sell for like pennies on the dollar. 95 00:06:14,810 --> 00:06:18,370 Because of this. 96 00:06:18,870 --> 00:06:21,190 Um, I don't know. Do we want that? Do we want to say that? 97 00:06:21,350 --> 00:06:24,310 Probably, probably not. Probably not. Just, 98 00:06:24,810 --> 00:06:28,470 I won't name them. Okay. Yeah. Let's go. Okay. Yeah. Let's, let's do it without 99 00:06:28,790 --> 00:06:32,910 naming. Yeah, we can do it without naming. I mean, there's one competitor 100 00:06:33,410 --> 00:06:36,550 that I observed, you know, raised, I won't give the exact 101 00:06:36,870 --> 00:06:39,790 numbers so that I don't get into trouble for like doing this, but I know 102 00:06:40,290 --> 00:06:43,790 this from credible sources of their investors. They raised anywhere from 103 00:06:43,950 --> 00:06:47,430 like $50 to $80 million and only 104 00:06:47,930 --> 00:06:51,150 netted about, you know, $4 to $7 million of revenue 105 00:06:51,650 --> 00:06:55,750 after raising all that money and could no longer, and ran out of money eventually, 106 00:06:56,250 --> 00:07:00,110 ran out of money eventually and got acquired by a much larger 107 00:07:00,190 --> 00:07:03,790 company for half, a little bit less 108 00:07:04,290 --> 00:07:08,750 than half of what the investors put in and all the investors 109 00:07:09,250 --> 00:07:12,630 and all the companies celebrated, look, we got acquired, we're such 110 00:07:13,130 --> 00:07:16,230 a valuable company. But then when you go talk to their investors, they're like, 111 00:07:16,730 --> 00:07:20,430 that was actually like a really bad outcome for us. So bad, 112 00:07:20,930 --> 00:07:24,629 it actually, they don't want to invest in that space anymore. Scaling DevTools is sponsored 113 00:07:25,129 --> 00:07:28,510 by WorkOS. If things start going well, some of your customers are going 114 00:07:29,010 --> 00:07:32,750 to start asking for enterprise features. Things like SSO, 115 00:07:33,250 --> 00:07:36,540 SCIM provisioning, role-based access control. These things are hard 116 00:07:37,040 --> 00:07:40,820 to build and you could get stuck spending all your time doing that instead of 117 00:07:41,320 --> 00:07:44,700 actually making a great devtool. That's why WorkOS exists. They help you with 118 00:07:45,200 --> 00:07:48,460 all of those enterprise features and they're trusted by OpenAI, 119 00:07:48,960 --> 00:07:53,100 Vercel, and Perplexity. Here's what Kyle from Deepo has to say about WorkOS. 120 00:07:53,600 --> 00:07:56,980 We use WorkOS to effectively add all of the SSO and 121 00:07:57,480 --> 00:08:00,980 SCIM to Deepo. So for us, we can effectively offer SSO and SCIM 122 00:08:01,480 --> 00:08:04,330 and it's like 2 clicks of a button and we don't ever have to think 123 00:08:04,830 --> 00:08:08,650 about it. It's like one of the best features that we can add to Deepo 124 00:08:09,150 --> 00:08:12,610 and it's super affordable, which effectively allows us to like break the 125 00:08:12,690 --> 00:08:16,010 SSO tax joke and essentially say like 126 00:08:16,510 --> 00:08:19,570 you can have SSO and SCIM as like an add-on onto your monthly plan. 127 00:08:20,070 --> 00:08:24,130 So it really allows smaller startups to essentially offer like that enterprise feature 128 00:08:24,450 --> 00:08:28,030 without a huge engineering investment behind it. Like it's literally, 129 00:08:28,530 --> 00:08:32,150 we can just use a tool behind the scenes and our life is exponentially easier. 130 00:08:32,650 --> 00:08:36,390 Thanks again, WorkOS. Back to the episode. So was the mistake raising the 131 00:08:36,890 --> 00:08:40,350 money or the mistake was spending it on like the wrong things 132 00:08:40,850 --> 00:08:44,070 or like spending it prematurely or? No, I mean, the YC 133 00:08:44,570 --> 00:08:47,870 thing is always competition doesn't kill you. It's often competition doesn't kill you. 134 00:08:48,370 --> 00:08:52,190 It's death by suicide. Right. And it's death by 135 00:08:52,690 --> 00:08:56,110 suicide. You end up burning too much money too quickly, 136 00:08:56,610 --> 00:09:00,190 making bad decisions because now you're like burning through runway 137 00:09:00,430 --> 00:09:03,390 and you end up running out of money and, 138 00:09:03,890 --> 00:09:07,190 you know, it becomes a very difficult position to be in. I know Paul Graham 139 00:09:07,690 --> 00:09:10,990 has written about this called the, I think it's called the Fatal 140 00:09:11,490 --> 00:09:14,630 Pinch. Yeah, it's called the Fatal Pinch. There's a whole article that startups end up 141 00:09:15,130 --> 00:09:18,310 not realizing that they're about to die 6 months before the end of their runway 142 00:09:18,810 --> 00:09:22,250 and they don't have enough money in the bank to keep going. So it's too, 143 00:09:22,750 --> 00:09:26,530 too short to pivot. Like they don't have enough runway to pivot now. 144 00:09:27,030 --> 00:09:29,770 And now they're burning through money and they potentially could have like a little bit 145 00:09:30,270 --> 00:09:33,610 of customers, but not enough to keep the company alive by default or default alive. 146 00:09:34,010 --> 00:09:37,210 Right. And that's a really dangerous place to be in, especially because you do not 147 00:09:37,710 --> 00:09:41,010 know the like macroeconomic factors. Like I bet you a bunch 148 00:09:41,510 --> 00:09:44,890 of companies around the world were super eager to like, you know, 149 00:09:45,390 --> 00:09:48,730 raise money and COVID happens. Right. And now you're in 150 00:09:49,230 --> 00:09:52,370 a very difficult position. You maybe have to pivot or change your business 151 00:09:52,870 --> 00:09:56,470 model or do something else to account for that, like you kind of always want 152 00:09:56,550 --> 00:10:00,950 to play to the worst hand because startups are really risky. 153 00:10:01,350 --> 00:10:04,750 Yeah. Okay. And so let's say I 154 00:10:05,250 --> 00:10:09,390 hypothetically came out of YC and it was like raised to, 155 00:10:09,890 --> 00:10:14,190 let's say $4 million and, uh, to be on the upper end. 156 00:10:14,690 --> 00:10:18,110 And then I'm like, okay, so I'm going to hire, 157 00:10:18,610 --> 00:10:21,960 if I'm going to start counting, How many till you're like, whoa, jump again. 158 00:10:22,460 --> 00:10:26,280 I'm like, I'm going to hire one engineer. No, I'm going to hire two 159 00:10:26,760 --> 00:10:30,040 engineers, three engineers, four engineers, 160 00:10:30,540 --> 00:10:33,400 five engineers. What point are you coming in and being like, whoa, 161 00:10:33,900 --> 00:10:36,880 one second, like, let's have a think. I think, look, 162 00:10:37,380 --> 00:10:41,040 I think like it depends what you're building and 163 00:10:41,540 --> 00:10:45,000 what you need those people for to get to Product Market Fit. 164 00:10:45,400 --> 00:10:48,530 And you're maybe, maybe let's even start from the beginning. Like you're, 165 00:10:49,030 --> 00:10:53,030 you're going into YC, maybe you're a solo founder or two founders or three 166 00:10:53,530 --> 00:10:57,390 founders, right? How do you get your initial set of customers? That's all it 167 00:10:57,890 --> 00:11:01,190 takes. That's the fundamental question behind everything. We made the 168 00:11:01,270 --> 00:11:04,510 mistake. We made big mistakes at Corgea very early on in our journey. 169 00:11:05,010 --> 00:11:07,710 We started building a product that we really didn't think there was like a big 170 00:11:08,210 --> 00:11:11,390 advantage in the market for. And four months into, you know, 171 00:11:11,890 --> 00:11:15,080 our YC experience, we pivoted. And that 172 00:11:15,580 --> 00:11:18,680 was the best decision we ever made. And we were completely correct about the market. 173 00:11:18,760 --> 00:11:21,080 Now we were able to do that. We were a very small key team. 174 00:11:21,580 --> 00:11:24,280 We were, I think, roughly 3 or 4 people. We were 4 people doing this. 175 00:11:24,780 --> 00:11:27,600 So we weren't like huge. And that allowed us to pivot very easily because I 176 00:11:28,100 --> 00:11:31,600 could just put all the people in the room and say, this isn't working. 177 00:11:32,100 --> 00:11:35,560 We need to find something else. I have an idea. Then we started 178 00:11:36,060 --> 00:11:39,720 building out what is current Corgea manifestation, but we didn't know about it. We started 179 00:11:40,220 --> 00:11:43,930 building like this initial wedge. I'm giving this example because I think it answers your, 180 00:11:44,250 --> 00:11:47,970 like, your question. And we didn't, in my opinion, 181 00:11:48,470 --> 00:11:51,691 build wide enough. We were kind of taking the advice 182 00:11:52,191 --> 00:11:54,851 of building a wedge, building a wedge, building a wedge. And we were kind of 183 00:11:55,351 --> 00:11:59,050 navigating through customer conversations. But every time we were shipping something, 184 00:11:59,550 --> 00:12:03,250 customer probability started increasing towards them wanting to buy, which was super interesting. 185 00:12:03,750 --> 00:12:07,450 So we were like, okay, there's a path here we see of like problems 186 00:12:07,950 --> 00:12:11,820 we started going after and we started selling into that. I think 187 00:12:12,320 --> 00:12:15,780 we sold like our first customer. We were like a 188 00:12:16,280 --> 00:12:20,360 company of like 3 people at the time. 189 00:12:20,860 --> 00:12:23,860 Hmm. Like, or 4 people. No, we were 4 people. We were 4 people when 190 00:12:24,360 --> 00:12:27,580 we sold our first set of customers and we grew a lot 191 00:12:28,080 --> 00:12:31,620 till we eventually added Alan on the go-to-market side. 192 00:12:32,100 --> 00:12:35,740 And we just kept growing from there. We became 5 and then we added our 193 00:12:36,100 --> 00:12:39,700 6th. But it was always justified towards the revenue being 194 00:12:39,780 --> 00:12:42,961 generated and we started feeling stronger signs of Product Market Product Market Fit and 195 00:12:43,461 --> 00:12:47,280 so on. And we still remain very lean, but it 196 00:12:48,240 --> 00:12:51,800 was, I don't think there's like a hard number per se. I think is what 197 00:12:52,300 --> 00:12:56,360 does it take to get to your Series A goals and your Series A 198 00:12:56,860 --> 00:12:59,840 goals should be, we have early signs of Product Market Fit. We have a reproducible 199 00:13:00,280 --> 00:13:03,680 go-to-market strategy and we have customers that like our products 200 00:13:04,180 --> 00:13:07,920 and are successful and are alive. Right. And that could be, you know, 201 00:13:08,570 --> 00:13:11,970 for a software company, which is like mostly 95% of companies you see 202 00:13:12,470 --> 00:13:15,770 these days. Don't quote me on that number. I just made it up, 203 00:13:16,270 --> 00:13:19,770 but it's like, that'll be like maybe 3 to 5 people. 204 00:13:20,270 --> 00:13:23,370 Hard tech, like my brother-in-law is into like hard tech, 205 00:13:23,870 --> 00:13:26,650 like hardware literally. And it's like, that takes a lot more energy and effort and 206 00:13:27,150 --> 00:13:30,330 they have a manufacturing component to what they do. Right. And that requires 207 00:13:30,830 --> 00:13:34,290 a different capital raise with different investors and different headcount and people and all that 208 00:13:34,790 --> 00:13:38,350 kind of stuff. Yeah, this makes sense. So it's just kind of trying 209 00:13:38,850 --> 00:13:42,710 to keep it as lean as you possibly can, 210 00:13:43,210 --> 00:13:46,990 doing it with the minimum that is possible because 211 00:13:47,490 --> 00:13:50,789 not only runway, but you said there, like you have to do 212 00:13:51,289 --> 00:13:55,350 a pivot, big pivot and get everyone in the room, get everyone on board 213 00:13:55,850 --> 00:13:59,430 really fast. Whereas if it's like, you know, we've felt it where like, 214 00:13:59,930 --> 00:14:02,720 it's like the more people you have in the room, like more people there are, 215 00:14:03,220 --> 00:14:07,040 like it's more nodes to like conversations and 216 00:14:07,540 --> 00:14:11,000 stuff, right? It's always harder. It's like, what is Jeff Bezos's like 217 00:14:11,500 --> 00:14:15,280 pizza thing? Like the pizza rule, don't have meetings that require more than an entire 218 00:14:16,400 --> 00:14:19,440 pizza. Like you can't feed everyone in a room one box or two boxes, 219 00:14:19,600 --> 00:14:23,120 some new rule. Yeah, I think it's two pizza rule or something. It's like, 220 00:14:23,620 --> 00:14:26,870 which I think I was always surprised like how few people could be. I don't 221 00:14:27,370 --> 00:14:30,260 know how few pieces would feed like that many people, to be honest. So I 222 00:14:30,760 --> 00:14:34,180 could eat like almost the whole one myself. Oh yeah. Beautiful piece. 223 00:14:34,680 --> 00:14:38,220 Yeah. Yeah. Yeah. But anyway, not many people. 224 00:14:38,720 --> 00:14:42,540 Something that I've been thinking a lot about and like done a couple of 225 00:14:43,040 --> 00:14:46,460 episodes on is, is Product Market Fit. How did you think about 226 00:14:46,540 --> 00:14:51,340 it and kind of apply that like to Corgea? 227 00:14:51,840 --> 00:14:56,160 It's a good question. I don't think Product Market Fit ever stops. 228 00:14:56,660 --> 00:15:01,000 I think it's an evolution of what you keep defining your product to be. 229 00:15:01,500 --> 00:15:05,640 My simplest measure of Product Market Fit is someone willing to pay you. 230 00:15:06,140 --> 00:15:09,120 Like, is there someone willing to pay you for this? And then the question after 231 00:15:09,620 --> 00:15:12,440 that, are there a lot of people willing to pay you for this? 232 00:15:12,760 --> 00:15:16,440 Right? And in cybersecurity, and maybe a lot 233 00:15:16,940 --> 00:15:20,840 of other dev tools, the advice you get is form design partnerships very early 234 00:15:22,550 --> 00:15:26,230 on. And we never did that, which is very antithesis to like the 235 00:15:26,730 --> 00:15:31,470 advice you see, because I would rather get a no than a maybe 236 00:15:31,970 --> 00:15:35,470 from customers. And so we always approached it like going for the 237 00:15:35,970 --> 00:15:39,830 jugular. Are you going to buy this or not? No. Why? Let's learn why 238 00:15:40,330 --> 00:15:43,510 you won't buy this today rather than, oh, let's build a design partnership and 239 00:15:44,010 --> 00:15:47,270 give you like work for free for the next 3 months and you help 240 00:15:47,770 --> 00:15:51,170 us design this and we come up to some like version and 241 00:15:51,670 --> 00:15:54,410 the problem is the quality of those, 242 00:15:54,910 --> 00:15:59,810 the quality of your product is dictated by the quality of your design partner, 243 00:16:00,310 --> 00:16:03,410 right? And so you end up like kind of locking yourself into this 244 00:16:03,910 --> 00:16:07,210 cohort of customers that might not be good customers in the long term. Maybe they're 245 00:16:07,710 --> 00:16:11,530 having you build some like really bespoke thing and you're like not getting good 246 00:16:12,330 --> 00:16:16,290 signal. And so you think, okay, now I have like these 3, 4 design 247 00:16:16,790 --> 00:16:19,690 partners. Let me hold onto them and let's go hunker down and go build this 248 00:16:21,240 --> 00:16:24,600 product. And our version of this was like, let's just go talk to like a 249 00:16:25,100 --> 00:16:28,120 lot of people and get a lot of nos to eventually figure out what the 250 00:16:28,620 --> 00:16:31,960 systematic pattern is in the market. So I've probably spoken to like hundreds of 251 00:16:32,460 --> 00:16:35,840 security teams at this point to like nail down exactly the problem space and 252 00:16:36,340 --> 00:16:39,200 what we're building towards it. So we never went for the maybe, we went for 253 00:16:39,700 --> 00:16:42,840 the no, no, no, no, no. And then the no started becoming yes, yes, 254 00:16:43,480 --> 00:16:47,050 no, no, yes, yes. And then it. Started trending 255 00:16:47,550 --> 00:16:51,770 up. Yes, yes, yes, yes, yes. So to be clear what you did 256 00:16:52,270 --> 00:16:55,650 when you pivoted, you lined up conversations 257 00:16:55,730 --> 00:16:59,410 with a specific ICP, like you were like 258 00:16:59,970 --> 00:17:03,730 security engineers, application security engineers, 259 00:17:04,290 --> 00:17:09,010 100%. Okay. And we, anyone to talk to us. 260 00:17:10,370 --> 00:17:13,880 Okay. Anyone broadly within that. Okay. And then 261 00:17:14,380 --> 00:17:17,680 you would say, we've built this thing. Would you buy it? 262 00:17:18,180 --> 00:17:20,240 They'd be like, no. Or, okay, let's go back to the drawing board. They'd be 263 00:17:20,740 --> 00:17:24,520 like, this is interesting, but I don't have budget for this. Okay, let's go 264 00:17:25,020 --> 00:17:27,120 back to the drawing board and like try it again. And then they'd be like, 265 00:17:27,620 --> 00:17:29,840 oh yeah, now we want a POC. Or like you would go talk to a 266 00:17:30,340 --> 00:17:31,960 bunch of others and they would be like, oh, now we want a POC. 267 00:17:32,460 --> 00:17:36,200 This is pretty interesting. Oh, let's go into POC. Would you buy? No, not really. 268 00:17:36,700 --> 00:17:40,280 I now have to justify this with my like CISO. We don't have budget for 269 00:17:40,780 --> 00:17:44,180 this. It'll go to next year. Okay. That means what we built isn't valuable 270 00:17:44,680 --> 00:17:48,060 enough yet. Okay, let's go back to the drawing board and execute a little bit 271 00:17:48,560 --> 00:17:51,780 more and then just keep iterating very rapidly, 272 00:17:52,280 --> 00:17:55,420 very quickly. Like if you look at the Corgea changelogs, like we ship 2, 273 00:17:55,920 --> 00:17:59,540 3 releases a week because of that. And so like, 274 00:18:00,040 --> 00:18:03,220 you just have to like, just keep churning through like the problem, 275 00:18:03,720 --> 00:18:07,590 but you have to have a good signal that this is a problem worth pursuing. 276 00:18:08,090 --> 00:18:11,510 That your competition are doing a pretty shitty job or the alternatives to what the 277 00:18:12,010 --> 00:18:16,390 customer is doing is pretty shitty. How did you know that? 278 00:18:17,510 --> 00:18:20,990 Complaints. No one raves about their security tooling in AppSec. 279 00:18:21,490 --> 00:18:25,350 No one's like, oh my God, I love my tooling. 280 00:18:25,850 --> 00:18:28,990 I started asking this question to people, name one 281 00:18:29,490 --> 00:18:32,710 tool you deeply love. Like you deeply love 282 00:18:33,210 --> 00:18:36,740 and you're like, I can't live without this tool. And in AppSec, that doesn't exist. 283 00:18:36,900 --> 00:18:40,540 Like I'm simplifying, but like I didn't get 284 00:18:41,040 --> 00:18:44,300 like this visceral, I love this. So you talk to developers, they're like, oh, 285 00:18:44,800 --> 00:18:48,740 I love Supabase or I love PostHog or I love Cursor. 286 00:18:49,240 --> 00:18:52,500 You know what I mean? Like there's this sense of, 287 00:18:53,000 --> 00:18:54,420 I don't know, is there a tool that you love, 288 00:18:56,900 --> 00:19:00,820 Jack? Is there a tool that I love? You put me on the spot. 289 00:19:01,320 --> 00:19:04,960 I mean, right now. I mean, who doesn't love Claude, 290 00:19:05,440 --> 00:19:09,200 but yeah, right. Like Claude's amazing. Like super cool. 291 00:19:09,700 --> 00:19:13,400 I love Mintlify for docs. Like I've written like other CMS. 292 00:19:13,900 --> 00:19:16,160 Mintlify is great, especially for like developers. 293 00:19:18,159 --> 00:19:21,360 Right. Um, I don't know. There's like lately I've not liked GitHub. 294 00:19:21,520 --> 00:19:25,560 Like I'm really tired of GitHub and how slow like the pull request pages 295 00:19:26,060 --> 00:19:29,280 have gotten. Like, and developers are very opinionated. You've interviewed a 296 00:19:29,780 --> 00:19:33,720 ton of them. DevTools in AppSec, there aren't a lot of 297 00:19:34,220 --> 00:19:38,080 loved products where application security engineers are like, this is deeply 298 00:19:38,580 --> 00:19:41,720 thought through. I love it a lot. And so that's a sign that there's a 299 00:19:42,220 --> 00:19:44,880 lot of weakness in the market. And so we started interviewing people and I have 300 00:19:45,380 --> 00:19:49,120 a slide on one of my decks, 50 reasons people don't like their 301 00:19:49,620 --> 00:19:53,440 AppSec tools and we counted them all. 302 00:19:53,760 --> 00:19:57,040 And there is a ton of toil in application 303 00:19:57,540 --> 00:20:01,040 security because you have to understand something about AppSec. There's a 304 00:20:01,540 --> 00:20:05,040 1 to 100, 1 to 200 ratio of AppSec engineers to 305 00:20:05,540 --> 00:20:09,600 software engineers. Wow. Like for every 306 00:20:10,100 --> 00:20:16,080 application security engineer, you might have 100 developers they have to support. 307 00:20:16,640 --> 00:20:20,721 So it's a, it's a like firestorm going on this poor AppSec 308 00:20:21,221 --> 00:20:25,240 engineer or 2 or 3 of them. And they're struggling., 309 00:20:25,740 --> 00:20:28,840 right? So they're like having to do all the like compliance stuff, all the pen 310 00:20:29,340 --> 00:20:32,640 test stuff, like security vulnerabilities. You should have Shai 311 00:20:33,140 --> 00:20:36,320 Hulud coming out of nowhere, left field, like with 312 00:20:36,820 --> 00:20:40,120 NPM attacks and malware and like threat modeling. And they're 313 00:20:40,620 --> 00:20:43,320 like, then you get an incident and now they're having to triage the stuff. 314 00:20:43,820 --> 00:20:47,560 They have no stability, right? Like the development cycle is 315 00:20:48,060 --> 00:20:51,340 like, you have your sprints, you have bugs. That come 316 00:20:51,840 --> 00:20:56,580 out, but like most dev jobs are largely 317 00:20:57,080 --> 00:21:00,700 stable. AppSec is like, there's always something around the corner that's very threatening. 318 00:21:01,200 --> 00:21:04,620 So like they're looking for their tools to scale, 319 00:21:05,260 --> 00:21:08,100 right? And there isn't a lot of luck. So going back to like the early 320 00:21:08,600 --> 00:21:11,740 Product Market Fit, like conversation to go back to the arc, 321 00:21:12,240 --> 00:21:16,300 we, we, we weren't hearing that, like the tools that were 322 00:21:16,970 --> 00:21:20,210 largely liked. Solved for a lot of the old problems, but they still didn't resolve 323 00:21:20,710 --> 00:21:24,090 a lot of the root cause problems. And we kind of bucketed them into like 324 00:21:24,410 --> 00:21:28,290 3 categories. Happy to talk to you about them and how we like 325 00:21:28,790 --> 00:21:32,610 eventually bucketed them. But that was kind of 326 00:21:33,110 --> 00:21:37,290 the, um, aha moment was we started as we kept pulling on this thread, 327 00:21:37,790 --> 00:21:40,890 just discovering more and more systematic failures in 328 00:21:41,390 --> 00:21:44,010 the tooling. And as we kind of took a new novel approach with how to 329 00:21:44,440 --> 00:21:48,400 do this, we saw customer interest and conversions starting to 330 00:21:48,900 --> 00:21:52,080 grow. And I have this other kind of interesting 331 00:21:52,580 --> 00:21:55,640 rule that ties to this, like the majority of 332 00:21:55,720 --> 00:21:59,680 your first meetings should convert into a 333 00:22:00,180 --> 00:22:02,960 pilot. I would say maybe in 2 meetings, 334 00:22:03,460 --> 00:22:07,000 60 to 80% of your conversations should convert into some pilot 335 00:22:07,640 --> 00:22:11,920 or POC. And that's a very strong sign that you've built something like 336 00:22:12,420 --> 00:22:16,290 very viscerally important. I'm guessing not from the very, very beginning 337 00:22:16,790 --> 00:22:20,250 when you're just like, but this is, is this 338 00:22:20,750 --> 00:22:23,730 like, this should be the case at some point or is this, it should be 339 00:22:24,230 --> 00:22:27,170 the case from like day one? You know, I don't know. I mean, you see 340 00:22:27,670 --> 00:22:32,250 some projects that go like bonkers banana, like ClaudeBot for some 341 00:22:32,750 --> 00:22:35,970 reason on fire and you're like, I don't know why. I still don't 342 00:22:36,470 --> 00:22:39,370 understand it fully and I don't think anyone still like has a full grasp on 343 00:22:39,870 --> 00:22:43,130 it and maybe it's marketing, maybe it's Maybe it's Product Market Fit. 344 00:22:43,630 --> 00:22:46,850 I don't know yet, but at some point, I think in your journey, 345 00:22:47,350 --> 00:22:51,050 whether that's day one, like I once heard Paul Graham, someone asked him in the 346 00:22:51,130 --> 00:22:54,530 audience, like, when did you guys feel like you got PMF at 347 00:22:55,030 --> 00:22:58,490 YC? And he's like, day one, day one, we felt 348 00:22:58,990 --> 00:23:04,130 PMF. And the YC model evolved, but never really changed to its 349 00:23:04,630 --> 00:23:07,410 intent. It took us a while. Like I'll give you an example for Snyk, 350 00:23:07,910 --> 00:23:11,560 for example, really popular, like security tool. I read online and 351 00:23:12,060 --> 00:23:15,280 I think this is true, like it took them 18 months to get their first 352 00:23:15,780 --> 00:23:21,680 $100,000 of revenue. Figma took 4 353 00:23:22,180 --> 00:23:26,320 years. Some companies, first day. 354 00:23:26,820 --> 00:23:30,120 So if you don't have it from, what's the 355 00:23:30,360 --> 00:23:33,920 difference between, it's just not, I mean, I'm going to ask you an impossible question 356 00:23:34,420 --> 00:23:38,840 probably here, but what's the difference between me 357 00:23:39,340 --> 00:23:43,680 just slogging a dead horse 358 00:23:44,560 --> 00:23:50,280 versus me needs to keep persisting because it's going to work 359 00:23:50,780 --> 00:23:53,800 out. Is there any rules there or like? 360 00:23:54,300 --> 00:23:57,760 I think the number one rule is making sure you 361 00:23:59,280 --> 00:24:03,160 have optionality. Like you cannot predict the market. You cannot predict 362 00:24:03,660 --> 00:24:07,440 that you will get PMF. You have a hunch and you follow 363 00:24:07,760 --> 00:24:12,320 that hunch. Like a lot of, we started in 364 00:24:12,820 --> 00:24:16,120 mid-2023, 2024, we were kind of like still in this discovery mode, like kind of 365 00:24:16,620 --> 00:24:19,920 in beginning 2024 is when we really pivoted into what we're doing now. And we 366 00:24:20,420 --> 00:24:24,960 started going after deals, but nothing was clicking, but we saw very good signs of 367 00:24:25,520 --> 00:24:28,920 things. Now in 2025, everything like worked out. We started 368 00:24:29,420 --> 00:24:33,250 selling like crazy and like. You know, we grew month over 369 00:24:33,750 --> 00:24:37,010 month, like really good rates and we continued to grow on such a lean team 370 00:24:37,510 --> 00:24:40,730 and all of that kind of stuff. But I'll tell you something like that seems 371 00:24:41,230 --> 00:24:44,330 like, oh cool, Ahmad, you figured it out. You're such a smart guy. But like 372 00:24:44,830 --> 00:24:48,410 also AI adoption was in our favor. 2023 is 373 00:24:49,130 --> 00:24:52,530 when GPT-3.5 to 4 happened. And we're like, oh, this is now worth kind 374 00:24:53,030 --> 00:24:56,090 of looking into. 3.5 was like very 375 00:24:56,590 --> 00:24:59,610 hallucinogenic, like hallucinogenic friendly, if you want to use that term. Like if 376 00:25:00,110 --> 00:25:03,790 you ask about me, it tells you Ahmad's a filmmaker, 377 00:25:04,290 --> 00:25:07,590 like completely off its rocker, right? 4 came out and it's like, okay, now this 378 00:25:08,090 --> 00:25:11,510 is interesting. And I saw a lot of enterprises started testing it. 2025, 379 00:25:12,010 --> 00:25:15,510 we forget that was the year we coined vibe coding. That's when you 380 00:25:16,010 --> 00:25:19,590 really had developer adoption in AI. And that helped us on the security 381 00:25:19,670 --> 00:25:23,470 side because if developers are becoming more productive with AI, that means 382 00:25:23,970 --> 00:25:27,440 security now has to become more productive with AI, protect all that code. 383 00:25:27,760 --> 00:25:31,080 And so we survived long enough because we 384 00:25:31,580 --> 00:25:34,800 didn't burn through a lot of money and had optionality and 385 00:25:35,300 --> 00:25:38,400 kind of saw the writing on the wall. Like we had a thesis, 386 00:25:38,900 --> 00:25:42,480 like AI generated code is going to be a large contributing to codebases. 387 00:25:42,560 --> 00:25:45,720 Like we saw that in 2023 and we had a strong conviction that was going 388 00:25:46,220 --> 00:25:49,520 to be the case. And because of that hypothesis, we were 389 00:25:50,020 --> 00:25:52,520 like, we're just going to try and stick it out long enough and just keep 390 00:25:53,020 --> 00:25:56,190 building into this space. 391 00:25:56,690 --> 00:26:00,230 And we could have been completely wrong. The market could have taken another 3 392 00:26:00,730 --> 00:26:02,750 years to like get to where we are. We could have ran out of money 393 00:26:03,250 --> 00:26:06,270 in that meantime, right? And but throughout the entire 394 00:26:06,770 --> 00:26:09,030 way, we just kept trying to sell what we had. We built something, we tried 395 00:26:09,530 --> 00:26:11,310 to sell it, we got a no. We had something else, we tried to sell 396 00:26:11,810 --> 00:26:14,550 it, we got a no. And we just kept trying to build till we eventually 397 00:26:15,050 --> 00:26:18,590 started getting yeses. And those early customers have 398 00:26:19,080 --> 00:26:23,280 been amazing. Like amazing early champions of the product, 399 00:26:23,780 --> 00:26:27,480 like being referenceable customers. All of them have agreed to be reference 400 00:26:28,040 --> 00:26:30,760 customers. And that was kind of the seed that kicked us off. I don't know 401 00:26:31,260 --> 00:26:34,839 if that was the answer to the question you were— I think this 402 00:26:35,339 --> 00:26:38,640 is, so I think that's actually a really interesting path. 403 00:26:39,140 --> 00:26:42,720 And, you know, some, some like Adam Frankel has talked a lot 404 00:26:43,220 --> 00:26:46,200 about doing like technical advisory boards and stuff like that. Yeah. Yeah. 405 00:26:46,700 --> 00:26:49,600 I connected to the podcast. By the way. Oh yeah. 406 00:26:50,000 --> 00:26:53,240 Okay. Amazing. Yeah. He's a really cool dude. Okay. He is 407 00:26:53,740 --> 00:26:57,440 great. Then there's that whole like, you know, mom test stuff where 408 00:26:57,760 --> 00:27:01,520 it's like, what are you currently, you know, what, what talking about like 409 00:27:02,020 --> 00:27:05,760 what problems you had, like what, when did you last try and solve 410 00:27:06,260 --> 00:27:09,760 it? Like how much, how have you tried to solve this problem? Oh, 411 00:27:10,260 --> 00:27:13,760 you haven't. Okay. Interesting. But I feel like what you're 412 00:27:15,200 --> 00:27:19,560 saying is You had a kind of a strong hunch on what a 413 00:27:20,060 --> 00:27:23,400 problem, on a problem, I guess, from your own experience, conversations and 414 00:27:23,900 --> 00:27:28,720 stuff, and the fact you felt that the tooling was bad. It's like kind of 415 00:27:29,280 --> 00:27:33,040 your inherent founder belief. And then you validated 416 00:27:34,160 --> 00:27:38,400 it by just going and trying to build iterative 417 00:27:38,480 --> 00:27:42,340 versions and asking people if they'd pay for it. Is that Was that 418 00:27:42,840 --> 00:27:46,101 accurate? Kind of a good summary of it. And that, 419 00:27:46,601 --> 00:27:50,700 that it's ludicrous. It just feels like Sisyphus's plate. Like, are you— That's not ludicrous. 420 00:27:51,200 --> 00:27:53,700 Yeah. I don't know if it's Sisyphus's plate, you know, like just pushing the boulder 421 00:27:54,200 --> 00:27:58,044 up the hill and just keep strolling back. But that's 422 00:27:58,544 --> 00:28:02,340 what happened to us till we eventually got the yeses. Well, I'm guessing when 423 00:28:02,840 --> 00:28:05,900 they said no, they were telling you why, right? Like, so you're probably just trying 424 00:28:07,280 --> 00:28:10,360 to address— It was a wealth of data. It was a wealth of data. 425 00:28:10,860 --> 00:28:13,480 Like it was like, no, because we can't get budget for this or no, 426 00:28:13,980 --> 00:28:16,800 because, you know, I have to, I don't, I don't see the business value enough 427 00:28:17,040 --> 00:28:20,080 of this or no, because your competition is going to build 428 00:28:20,240 --> 00:28:23,600 this feature someday in the next year. They promised us that. And so 429 00:28:24,100 --> 00:28:27,320 we just kept digging into it. And we had this question at the bottom of 430 00:28:27,820 --> 00:28:30,960 our, like at the top of our minds, is this 431 00:28:31,040 --> 00:28:34,370 10x better than what they have today? Like, 432 00:28:34,870 --> 00:28:37,810 is this 10x better than what the market has? And it was kind of maybe 433 00:28:38,310 --> 00:28:41,210 like 2x better. And then we became 3x better and we became 5x better. 434 00:28:41,290 --> 00:28:44,970 And then just keep like chipping away at the problem till it 435 00:28:45,470 --> 00:28:48,130 became 10x better. And they were like, yeah, we want to convert. Now some customers 436 00:28:48,630 --> 00:28:51,890 converted at like 5x better. Right. 437 00:28:52,390 --> 00:28:55,210 And I always tell customers, this is the worst version of the product you're using 438 00:28:55,690 --> 00:28:59,610 right now. Right. Like we just keep like digging into it more 439 00:28:59,690 --> 00:29:02,690 and more and more and more. And they love it. 440 00:29:03,190 --> 00:29:07,450 Like they know sometimes we'll tell them like, look, this feature is half 441 00:29:07,950 --> 00:29:10,610 baked, but like we want you to try this half baked feature because no one's 442 00:29:11,110 --> 00:29:14,370 in the market has tried this. And we want you to give us really early 443 00:29:14,870 --> 00:29:16,930 feedback before we go invest into like 10 areas where we need to make it 444 00:29:17,430 --> 00:29:20,650 like a fully baked product. And customer was like, yeah, 445 00:29:21,150 --> 00:29:24,130 sure. Like just give me the version and like, I'll give you my honest opinions 446 00:29:24,290 --> 00:29:27,850 on this. And I feel like, you know, what is it 447 00:29:28,350 --> 00:29:31,681 Reid Hoffman that says? If you've, if you're not embarrassed by your first 448 00:29:32,181 --> 00:29:36,000 version, then you've shipped too late. Yeah. Yeah. And so there's that kind 449 00:29:36,500 --> 00:29:40,800 of attitude you have to have. Yeah. And actually one 450 00:29:41,300 --> 00:29:45,280 question on this, if they say, 451 00:29:45,780 --> 00:29:48,880 no, we wouldn't pay for that because I don't see the 452 00:29:49,380 --> 00:29:53,240 value. How are you reacting to that? I guess, is there a pattern? Do you 453 00:29:53,740 --> 00:29:56,640 see many people saying it's like, if you think about the diffusion of innovation curve, 454 00:29:57,140 --> 00:30:00,800 you know, that famous bell curve. What is it? I don't have 455 00:30:01,300 --> 00:30:04,600 the numbers off the top of my head. 1 point some percent or what is 456 00:30:05,100 --> 00:30:08,840 it? Yeah, some small amount is the early adopters or whatever, 457 00:30:09,340 --> 00:30:13,040 the innovators. And then here, let me even show 458 00:30:13,540 --> 00:30:17,040 you like diffusion of innovation curve, like 2.5% are the innovators 459 00:30:17,540 --> 00:30:21,000 and then the early adopters are roughly 13.5% of the market. 460 00:30:21,080 --> 00:30:26,760 So you kind of have a 25% 461 00:30:27,080 --> 00:30:30,160 chance. Around like hitting the nail on the head. Like when the early iPhone came 462 00:30:30,660 --> 00:30:34,520 out, the people who waited in line, the 2.5% were the 463 00:30:35,020 --> 00:30:38,280 people willing to wait in line for like 464 00:30:38,780 --> 00:30:42,200 today. We remember the iPhone 1 did not have copy paste. The camera was 465 00:30:42,700 --> 00:30:45,800 like a potato, but the early adopters were also 466 00:30:46,300 --> 00:30:48,880 interested. They're like, let me wait for the innovators to like just go get it 467 00:30:49,380 --> 00:30:52,500 and wait in line and I'll go pick it up maybe in like 3 months., 468 00:30:52,900 --> 00:30:56,620 right? Yeah. Yeah. But there was also like a very strong appetite for that market. 469 00:30:57,120 --> 00:31:01,100 So if you really think about like the diffusion of innovation curve, you roughly 470 00:31:01,600 --> 00:31:04,740 have a 25% hit rate of probability. If I have 10 conversations 471 00:31:05,240 --> 00:31:09,060 and all of them are the same systematic no, then that's a pretty 472 00:31:10,100 --> 00:31:13,140 strong signal that something is off here. 473 00:31:13,640 --> 00:31:16,860 Because even you must have hit at least one innovator, 474 00:31:17,360 --> 00:31:20,740 early adopter in that. List. And so, 475 00:31:21,240 --> 00:31:24,340 yeah, if you probably, if even they're not interested. Now, obviously you have to, 476 00:31:24,580 --> 00:31:27,060 you have to fit these people correctly. You're not going to go to your mom 477 00:31:27,560 --> 00:31:30,780 and tell her to buy a cybersecurity tool, right? Like, 478 00:31:31,280 --> 00:31:34,900 she's not part of that cohort of like the future of innovation, right? 479 00:31:35,400 --> 00:31:38,340 She will never buy. So like, there's an element of like, are you going to 480 00:31:38,840 --> 00:31:42,180 go to the federal government? Like with rare exceptions that happens, 481 00:31:42,680 --> 00:31:46,140 but go buy my like early stage cybersecurity product with no FedRAMP 482 00:31:46,640 --> 00:31:50,230 compliance. That's not a good fit, right? Yeah. So you were trying to 483 00:31:50,730 --> 00:31:54,510 go after people that could have been at 484 00:31:55,010 --> 00:31:57,630 least— Yeah. Okay. And then, but then I guess my question, the question I was 485 00:31:58,130 --> 00:32:01,750 trying to ask is like, how, like, 486 00:32:02,250 --> 00:32:06,910 you know, you're, you're iterating on this early 487 00:32:07,410 --> 00:32:11,270 product version. Are you using the reasons that they say no 488 00:32:11,770 --> 00:32:16,200 to like drive that? Or did you just have a very clear idea in your 489 00:32:16,700 --> 00:32:20,360 head, like the product roadmap of this version, 490 00:32:20,860 --> 00:32:24,800 and you're just testing it as you go? I think it's more art than 491 00:32:25,300 --> 00:32:29,200 science. I don't think we had like a hard roadmap. Like I think 492 00:32:30,080 --> 00:32:33,440 up to last year, 493 00:32:33,940 --> 00:32:39,760 like maybe Q3 and 4 is when we really started having a 494 00:32:40,260 --> 00:32:43,560 proper roadmap. And that's, we still interview customers through pain points, 495 00:32:44,060 --> 00:32:47,800 like even our current customers, we meet with them on a weekly basis for many 496 00:32:48,300 --> 00:32:50,960 of them. Like we will still meet our current customers who are alive to talk 497 00:32:51,460 --> 00:32:54,560 to them about their larger security problems. And so I 498 00:32:55,060 --> 00:32:59,000 don't think that ever ends. And I don't think your roadmap is like 499 00:32:59,500 --> 00:33:03,640 set in stone. I think you have big broad brushstrokes and you continue to 500 00:33:04,140 --> 00:33:07,120 peel this onion of problem space and. I'll even tell you, 501 00:33:07,620 --> 00:33:10,880 like, I was putting together some material lately and my whole 502 00:33:11,380 --> 00:33:15,160 positioning about what we are doing as a business and the product we're serving 503 00:33:15,660 --> 00:33:19,080 our customers with is a completely different problem set than 504 00:33:19,240 --> 00:33:23,520 I even imagined. Like, if you want, I can give you this like 505 00:33:24,020 --> 00:33:27,840 interesting, like, like aha moments I've had recently. I don't know 506 00:33:28,340 --> 00:33:34,090 if you're curious to dig into it because I think it talks about some of 507 00:33:34,590 --> 00:33:38,090 that journey. But yeah, I think like ultimately, like you have to take 508 00:33:38,590 --> 00:33:42,690 as much signal from customers and that 509 00:33:43,730 --> 00:33:47,410 signal never ends and you are building things 510 00:33:47,910 --> 00:33:49,610 sometimes. Like I was in the car the other day going to pick up my 511 00:33:50,110 --> 00:33:53,890 son and I had this like realization. I'm like, we're building patterns in application 512 00:33:54,390 --> 00:33:57,850 security no one has ever built. And so there is no 513 00:33:58,350 --> 00:34:01,690 copy paste. These are complete new. Expectations of things we're imagining for 514 00:34:02,190 --> 00:34:05,770 the first time to ever come into this. And it's not like we're the 515 00:34:06,270 --> 00:34:09,530 cool company that's like doing the cool thing, right? Like, no, these are 516 00:34:10,030 --> 00:34:13,570 problems that customers are having. And now we can apply whether AI or a 517 00:34:14,070 --> 00:34:17,210 new pattern or a new thing to kind of solve for that problem. And that's 518 00:34:17,710 --> 00:34:20,010 very cool. And so you can't just look at your competition and be like, 519 00:34:20,510 --> 00:34:23,450 let me just copy their homework. You're kind of like, the only way I can 520 00:34:23,950 --> 00:34:27,480 find out about this is through the quality conversations I have with my 521 00:34:27,980 --> 00:34:31,160 customers and picking your customers is really important. 522 00:34:31,660 --> 00:34:35,240 Yeah. How do you pick your customers? There's a really 523 00:34:35,740 --> 00:34:39,320 famous story about Coupa where I used to work. Coupa was one of the 524 00:34:39,820 --> 00:34:43,160 fastest growing SaaS companies until that measure is now broken by many 525 00:34:43,660 --> 00:34:47,800 other companies in the AI era. And there was a really cool 526 00:34:48,440 --> 00:34:51,960 thing in the former CEO's book that he 527 00:34:53,180 --> 00:34:57,060 talked about why They ended the relationship 528 00:34:57,560 --> 00:35:01,020 with Subway. So this company is like, and don't fact check me on 529 00:35:01,520 --> 00:35:04,780 this, but like, I think like post Series A, maybe before B, or maybe 530 00:35:05,280 --> 00:35:09,140 just raised the B, but they were desperate for customers. Like there wasn't like a, 531 00:35:09,640 --> 00:35:13,260 like aha moment where like this was like escape velocity. So Subway was 532 00:35:13,900 --> 00:35:17,660 their biggest customer. Yeah. Right. And they went and ended 533 00:35:18,160 --> 00:35:21,300 the relationship mutually with Subway because they couldn't deliver both on what Subway wanted, 534 00:35:21,800 --> 00:35:26,640 nor did they think what Subway wanted was the right pattern for 535 00:35:27,140 --> 00:35:29,640 the industry. Hmm. And so they had to end it because it was not a 536 00:35:30,140 --> 00:35:33,760 good direction that they were taking the company down. And so you have to be 537 00:35:34,260 --> 00:35:37,600 very careful about some of those customers. Like some, like we tell customers, no, 538 00:35:37,680 --> 00:35:41,000 we're not that kind of company for 539 00:35:41,500 --> 00:35:45,720 you. Like we will, we are like just 540 00:35:46,220 --> 00:35:50,000 last week, a customer asked us for a feature and I told them we 541 00:35:50,500 --> 00:35:53,740 will not build this. 542 00:35:54,240 --> 00:35:58,620 In a like customer-centric way for you. We will build this for all customers in 543 00:35:59,120 --> 00:36:03,180 a pattern. And it is our job to be custodians of what good 544 00:36:03,680 --> 00:36:06,900 practice is because product management is about seeing patterns in the 545 00:36:07,400 --> 00:36:11,140 market and building for best practice, not building for a one 546 00:36:11,640 --> 00:36:15,340 specific customer use case. Like you have to always ask this question, 547 00:36:15,840 --> 00:36:19,830 are they doing something wrong? 548 00:36:20,330 --> 00:36:23,990 And are trying to bend your will and the tool's will for 549 00:36:24,490 --> 00:36:28,230 the wrong process and practice, or are 550 00:36:28,730 --> 00:36:32,269 you uninformed and now learning something new that can scale to maybe a large 551 00:36:32,769 --> 00:36:36,510 cohort of your customers? Maybe not, maybe not all customers will need it, but maybe 552 00:36:37,010 --> 00:36:41,270 a significant portion, like 20, 30, 40, 50%, maybe 100% of customers will 553 00:36:41,770 --> 00:36:45,110 need it. And so if that customer is kind of like a one-off and they're 554 00:36:45,610 --> 00:36:49,480 like really asking for things you've never heard about either. They're doing something funky 555 00:36:49,980 --> 00:36:53,880 or they're onto something and you have to quickly validate through 556 00:36:54,380 --> 00:36:57,360 pattern recognition. Are all these other customers willing to join in or not? And I 557 00:36:58,080 --> 00:37:02,360 guess that's just, uh, is that also just like an art kind 558 00:37:02,860 --> 00:37:05,440 of thing? I think it comes back to like talking to a lot of people 559 00:37:05,940 --> 00:37:09,400 and having a decent enough memory to remember what they all talk to you about. 560 00:37:09,900 --> 00:37:12,720 But I think you start to see the patterns. I think you become an expert 561 00:37:13,220 --> 00:37:16,820 in customer problems and pains. Like we just had 562 00:37:17,320 --> 00:37:20,780 this really lovely like sales conversation where this customer opened this RFP. We don't know 563 00:37:21,280 --> 00:37:24,700 if we're going to get into it, right? We applied for this RFP. 564 00:37:24,780 --> 00:37:28,260 They invited us. We're one out of a dozen vendors, but a really good 565 00:37:28,760 --> 00:37:31,580 sign that the conversation went well is they booked an hour and a half with 566 00:37:32,080 --> 00:37:34,140 us. We spent 2 hours with them, 567 00:37:34,780 --> 00:37:38,660 major American company, conversation overflowed. We were always 568 00:37:39,160 --> 00:37:42,170 engaged talking about problems and how we're solving it and the why behind why 569 00:37:42,670 --> 00:37:45,690 we designed. There's this like very deep, I understand their pains. 570 00:37:45,770 --> 00:37:48,930 I really understand their pain. I see it day in and day out. Like I 571 00:37:49,430 --> 00:37:52,650 can, I can tell you if you're on a current tool, what pains on that 572 00:37:53,150 --> 00:37:56,250 current tool you're facing, I can even estimate how much you're paying for it and 573 00:37:56,750 --> 00:38:01,130 what your developers don't like about it. Like we've gotten 574 00:38:01,630 --> 00:38:04,490 that deep. Um, and I think you have to get into that deep. Like you 575 00:38:05,290 --> 00:38:08,530 have to enjoy understanding your customer's pain 576 00:38:09,030 --> 00:38:12,440 so much so that you can articulate it back at them and they're like, 577 00:38:12,940 --> 00:38:16,840 Yes, that's my pain. That's what I'm currently 578 00:38:17,340 --> 00:38:20,720 feeling. And you hit the nail on the head. Then it becomes, okay, what's your 579 00:38:21,220 --> 00:38:25,080 manifestation of solving that pain? Why are you 580 00:38:25,320 --> 00:38:28,480 10x better at solving this pain than my current 581 00:38:28,980 --> 00:38:32,800 offering? And then that becomes very interesting. And if your 582 00:38:33,300 --> 00:38:36,650 manifestation can live up to that expectation, you will have 583 00:38:37,150 --> 00:38:40,530 customer delight. And we confuse a lot of customers. We are beating 584 00:38:41,030 --> 00:38:45,770 competitors who are like making $300 million, $400 million 585 00:38:46,270 --> 00:38:50,090 in revenue, been around for 20 years, and we're this much smaller startup that's 586 00:38:50,410 --> 00:38:53,810 kicking them out. And one of them was so contentious, they tried to send a 587 00:38:54,310 --> 00:38:57,770 board member to our customer to meet with them because they lost 588 00:38:58,490 --> 00:39:01,850 the bake-off, right? And so it's interesting when you see that kind of stuff, 589 00:39:02,350 --> 00:39:06,390 that means you're doing something right. That's amazing. Okay. So you 590 00:39:07,510 --> 00:39:10,750 gotta be fluent in the problem and 591 00:39:11,250 --> 00:39:16,790 being able to talk about that, understand their problems, know it inside out. 592 00:39:16,910 --> 00:39:20,510 Last question. It's a big one. Startups are a 593 00:39:21,010 --> 00:39:24,710 mind and execution game, nothing else. That's a quote. 594 00:39:26,470 --> 00:39:29,640 That's your quote. Well, it's true. I mean, look again, 595 00:39:30,140 --> 00:39:33,800 companies die by suicide, not by competition. And so 596 00:39:34,300 --> 00:39:38,280 the quality of the founder's mindset really matters here. 597 00:39:38,780 --> 00:39:42,240 Like you have to be very honest with 598 00:39:42,740 --> 00:39:46,440 yourself and honest with your team. And you have to kill 599 00:39:46,940 --> 00:39:51,000 your ego in many ways. Like I came into it, oh my God, this is 600 00:39:51,500 --> 00:39:55,400 my third startup. I'm going to kick ass. Like I was 601 00:39:55,900 --> 00:39:59,640 like very like in my own head and then you get very 602 00:40:00,120 --> 00:40:03,040 humbled very quickly. And the fascinating thing about YC, 603 00:40:03,540 --> 00:40:07,240 like I'm 36 now and you see 604 00:40:07,740 --> 00:40:11,720 these 26-year-olds crushing it and you're like, there's a lot I need 605 00:40:12,600 --> 00:40:16,120 to learn. And you have to catch yourself because the lows of a 606 00:40:16,620 --> 00:40:20,360 startup are very low. Like you lose a big deal or you don't get 607 00:40:20,860 --> 00:40:24,730 selected or you, you spend a year with no PMF and you're going through pivot 608 00:40:25,230 --> 00:40:28,250 hell. Like we went through pivot hell. We talked to our friends who are doing 609 00:40:28,750 --> 00:40:32,970 companies that are going through pivot hell and pivot hell is not 610 00:40:33,470 --> 00:40:36,810 fun. Right. And it erodes your confidence in yourself in a 611 00:40:37,310 --> 00:40:39,850 lot of ways. Like a lot of times I was like, I don't think I 612 00:40:40,350 --> 00:40:44,090 can do this anymore. Like this is really, really, 613 00:40:44,590 --> 00:40:48,010 really hard. And luckily I have an amazing wife and a great support system 614 00:40:48,510 --> 00:40:51,800 and a lot of reasons to keep pushing on. And I know this for a 615 00:40:52,300 --> 00:40:56,320 fact, like just keep your head down and just keep executing and eventually you'll figure 616 00:40:57,600 --> 00:41:01,320 it out. Right. Maybe I mentioned Paul Graham a bit too much on this podcast, 617 00:41:01,820 --> 00:41:05,520 but he's, you know, after he's done what he's done has probably synthesized a lot 618 00:41:06,020 --> 00:41:09,920 of things. It's like a shark, like the cliché thing, like a shark needs to 619 00:41:10,420 --> 00:41:13,560 move to circulate blood through its entire system, 620 00:41:14,060 --> 00:41:17,390 right? It doesn't have a typical heart like we do. And so you have to 621 00:41:17,890 --> 00:41:20,990 be a shark, just constantly moving and trying the 622 00:41:22,190 --> 00:41:24,670 next thing because if you stop that, 623 00:41:26,390 --> 00:41:30,270 you know, you will never reach that either early signs of PMF 624 00:41:30,770 --> 00:41:34,270 or go-to-market fit. And that's the whole thing, right? Like it's a 625 00:41:34,770 --> 00:41:38,430 mindset and execution game. I think that's true. That's the more actually like, 626 00:41:38,990 --> 00:41:42,190 this is like denigrating my own podcast, but you know, 627 00:41:42,590 --> 00:41:46,110 the stuff that there is useful stuff out there and all this stuff is useful, 628 00:41:47,230 --> 00:41:50,830 but it's like, you got to do it. That's the, there's no substitute. 629 00:41:51,790 --> 00:41:56,190 And it's like, you're, you could ignore every single lesson I 630 00:41:56,270 --> 00:41:59,510 feel like and still succeed or follow it all and still 631 00:42:00,010 --> 00:42:02,910 fail. And it's just like, 632 00:42:03,150 --> 00:42:06,430 yeah, mindset and doing it. I don't 633 00:42:06,930 --> 00:42:10,600 know. It's, it, it's this. Yeah. So yeah, I think you're 634 00:42:11,100 --> 00:42:15,000 100% right. Your mindset, like if you think about it, the probabilities are 635 00:42:15,960 --> 00:42:19,000 against you. Like what, 1 out of 10 startups succeeds, 636 00:42:19,240 --> 00:42:23,120 whatever success means. So you have to have a really peachy view of 637 00:42:23,620 --> 00:42:27,001 the world to actually go through the effort 638 00:42:27,501 --> 00:42:31,200 of like needing to get there. And even if you don't, you kind of have 639 00:42:31,700 --> 00:42:34,850 to force yourself to be like, I'm going to figure this out. 640 00:42:35,350 --> 00:42:38,530 I have no option but to figure this out. The only way you 641 00:42:39,030 --> 00:42:42,530 figure it out is you just have a shit ton of conversations 642 00:42:43,030 --> 00:42:46,530 and just execute as fast as possible on trying things, right? 643 00:42:47,030 --> 00:42:50,530 Like give people your tool, even if it's half baked, like get 644 00:42:51,030 --> 00:42:54,170 the no, like there's no harm in getting the no. Honestly, that's just a wealth 645 00:42:54,670 --> 00:42:57,290 of information. I would rather get the no. This is the thing that kills me 646 00:42:57,790 --> 00:43:01,140 about VCs. Just give me the no and tell me why. Right. But instead 647 00:43:01,640 --> 00:43:05,020 of the maybe, I would rather call you up like, you know, 6 months later 648 00:43:05,520 --> 00:43:09,260 after we crush traction to prove you either wrong or right and 649 00:43:09,660 --> 00:43:14,740 tell you, hey, that no you gave me, here's how we validated against 650 00:43:15,240 --> 00:43:18,500 it. Right. And so that's the same thing with like startups is like get as 651 00:43:19,000 --> 00:43:23,100 many nos as possible and then you can move on to the 652 00:43:24,060 --> 00:43:27,770 next thing. Yeah. That's a. That's really good. 653 00:43:28,270 --> 00:43:32,010 I agree. I think, yeah, you want to push 654 00:43:32,490 --> 00:43:36,090 to know. Don't, yeah, get to know. Okay. I know 655 00:43:36,590 --> 00:43:40,090 you got to dash. So where can people learn 656 00:43:40,250 --> 00:43:44,450 more about Corgea? And also I 657 00:43:44,950 --> 00:43:48,330 should say, we won't maybe go into it, but I may or may 658 00:43:48,570 --> 00:43:52,820 not have had a security 659 00:43:53,940 --> 00:43:57,500 Instant on scalingdevtools.com. And Corgea may or 660 00:43:58,000 --> 00:44:02,340 may not have been very, very helpful for helping me 661 00:44:02,840 --> 00:44:05,980 patch those, which may or may not be protected by the time this 662 00:44:06,480 --> 00:44:10,660 comes out. Hopefully it will be. So yeah, it's a 663 00:44:11,160 --> 00:44:15,420 great tool. People should check it out. Yeah, just check out Corgea. 664 00:44:15,920 --> 00:44:19,260 So C-O-R-G-E-A. So we're the only cybersecurity company with a corgi as its 665 00:44:19,760 --> 00:44:23,500 name. So if you look for Corgi cybersecurity company, you'll most likely bump into us. 666 00:44:24,000 --> 00:44:26,460 Give it a try. We have a free tier and just honestly hit me up 667 00:44:26,960 --> 00:44:30,900 on LinkedIn. And if you guys want to ever chat, I'm always 668 00:44:31,380 --> 00:44:34,500 happy to. Yeah, I can vouch for 669 00:44:34,660 --> 00:44:39,140 your interest in security-related topics and 670 00:44:39,640 --> 00:44:42,820 digging into trying to find vulnerabilities. 671 00:44:43,380 --> 00:44:46,690 It's pretty amazing. Yeah. Thanks everyone for listening. Thanks for coming on. 672 00:44:47,190 --> 00:44:50,530 I was going to say also, the final point is that we 673 00:44:50,610 --> 00:44:53,730 had discussed that at some point, I'm just putting it out, 674 00:44:54,130 --> 00:44:57,570 a half-baked idea, DevTools people that like surfing 675 00:44:57,810 --> 00:45:02,490 should do something at some point because we both like it. I know there 676 00:45:02,990 --> 00:45:05,610 are others. I won't survive. I'm a terrible person at surfing, but we should do 677 00:45:06,110 --> 00:45:09,730 something maybe in SF next time. Yeah. Okay, 678 00:45:10,230 --> 00:45:10,960 cool. All right. Thanks everyone for listening.