Snyk - Shift left security
2639 words, 16199 characters
Snyk is a $7.4 billion startup that helps developers find and fix vulnerabilities in their open-source code before it goes into production.
Well, to be fair they do quite a bit more than that today. Synk’s products include:
- Snyk Code - security checks on proprietary codebases with AI
- Snyk Container - detect vulnerabilities in base image and Kubernetes workloads
- Snyk Infrastructure as Code (IaC) - scan and fix IaC security and compliance
- Snyk Cloud - ensure cloud infrastructure is secure post-deployment
This is their story.
Funding
| Round | Date | Amount | Narrative | Lead Investor |
|---|---|---|---|---|
| Seed | Jan 2016 | $3m | Experienced founders | Boldstart Ventures |
| Series A | Mar 2018 | $7m | Early sales traction | Boldstart Ventures, Canaan Partners |
| Series B | Sep 2018 | $22m | Large developer growth | Accel |
| Series C | Sep 2019 | $70m | Accelerating dev growth | Accel |
| Series D | Jan 2020 | $150m | New CEO | Stripes |
| Series D (2) | Sep 2020 | $200m | Corporate partnerships | Addition |
| Series E | Mar 2021 | $300m | Leadership team | Accel & Tiger Global |
| Series F | Sep 2021 | $530m | Acquisitions | Sands Capital, Tiger Global |
| Series F (2) | Sep 2021 | $75m | Strategic capital | Atlassian, Salesforce Ventures |
| Series G | Dec 2022 | $197m | Growth + Platform | Qatar Investment Authority |
| Series G (2) | Jan 2023 | $25m | Strategic investor | ServiceNow |
Funding amounts include secondary sales
Founding Story
In 2015, Guy Podjarny was serving as the CTO of Akamai’s Web Performance business line. He had been in the role for 3 years after Akamai acquired his company, Blaze.io (a startup that helped businesses optimize web front end performance).
At Akamai, Podjarnay saw the rise of shift-left testing, pushing testing toward the early stages of software development. Until then, most companies had a waterfall development model. Separate teams would plan, build, and test the product. With testing placed at the end, companies would often rush to ship out software that was still defective or vulnerable to attacks.
Podjarnay realized that shift left testing had broader implications than just early testing in the development cycle.
To fulfill his vision, he recruited Assaf Hefetz and Danny Grander as cofounders.
Like Podjarnay, both were technical and had served in the Israeli Defense Force. Together, the trio started Snyk in July 2015 with the bet that developers would also start to take on security.
To tackle the opportunity, the three cofounders signed on four other engineers to join them. Just 3 months later, Podjarny and Hefetz flew out to Amsterdam and presented the first version of Snyk at Velocity Amsterdam. [0]
In their 13 minute presentation titled Stranger Danger, Podjarny showcased Snyk’s command-line interface (CLI) tool that found vulnerabilities in projects and offered a quick snyk protect -i command to patch them.
For example, read-installed, a third-party library, doesn’t contain any vulnerabilities within its code. However, read-installed calls upon semver, another third-party library, that does have published vulnerabilities. It’s impossible for developers to find and track these third-party vulnerabilities that are multiple layers deep - which is where Snyk comes in.
Back in 2015, this multi-layer dependency problem was starting to become an issue. With the rise in open-source software, more companies were adopting third-party open-source components in their products which in turn had their own second or third level dependencies.
Snyk’s product was the continuation of a process known as static application security testing (SAST). Most SAST tools were built and maintained by security companies that acted as consultants rather than software service providers. Unlike legacy security companies, Snyk was in the right place at the right time.
A year before Snyk was founded, two major bugs on open-source libraries came to light.
The first, Heartbleed, was a serious flaw in OpenSSL, encryption software that powers secure communications on the web. The second, Shellshock, allowed attackers to execute commands with higher privileges on vulnerable versions of Bash.
Both bugs shined a new light on the open-source ecosystem. The need for security software that could detect and patch vulnerabilities was more important than ever.
In late 2015, Snyk raised a $3 million seed round led by Boldstart Ventures.
Product Market Fit
After their demonstration in Amsterdam, Snyk went live on December 2015.
The first Snyk product focused on Node.js projects, inspired by New Relic’s focus on the Ruby developer base. Early pitches for Snyk featured the tagline, “New Relic for security”.
New Relic’s first product, a Rails Performance Management package, found a quick audience with Ruby companies such as 37signals and Github. Podjarny hoped that Snyk could replicate that success in the Node.js space.
At the time, Node was rapidly growing in popularity. Its speed and the flexibility to use Javascript for both client-side and server-side code had developers adopting the technology in droves. A side effect of increased developer adoption was an explosion of new third-party packages for Node.
Compared to the presentation back in October, Snyk added a wizard command which made looking through vulnerabilities far easier. At launch, the Snyk product had four key commands:
- Snyk wizard - finds and explains vulnerabilities in a project
- Snyk test - catches vulnerabilities as part of CI/CD systems
- Snyk protect - patches said vulnerabilities (generally through updating packages)
- Snyk monitor - notifies users when a new relevant vulnerability is disclosed
To celebrate the launch, the Snyk team released a database of npm vulnerabilities and created a badge for open-source package creators to showcase packages free of security issues.
Snyk’s tools saw rapid adoption.
In June 2016, there were over 5,000 developers using Snyk. Combined, they requested over 343,000 security tests, used Snyk patches 71,000 times, and saw over 4,500 emails alerts to newly disclosed vulnerabilities.
With solid usage, the Snyk team felt confident about monetization. They came out of beta with a pricing plan starting at $19/month, scaling up to $100/month per developer.
Snyk was making another bet as well: their go-to-market (GTM) strategy was a bottom-up, developer-focused approach.
Traditionally, security companies prospected Chief Information Security Officers (CISO), CIOs, and compliance teams. In part, this is because security contracts were big ticket items with six to seven figure annual contract values (ACV). To find the right champion, security companies had to aim high - it was unlikely that a single developer could unilaterally approve a seven figure expense for the whole company.
The other reason for pitching CISOs was the idea that developers didn’t care about security. With waterfall development, developers were isolated from security issues.
As part of shift-left, Snyk made the assumption that developers would care about security and have the purchasing power for security tools.
The first part of the assumption came true. The second part - well, not so much.
Despite healthy adoption from developers, few opened their wallets to sign up for the paid plans. Snyk’s bottoms up approach had hit a roadblock.
In the meantime, they kept building.
In April, they launched a Github testing tool. Anyone could test a public Node.js Github repositories for vulnerabilities and receive a report with details on how the vulnerability was introduced into the package along with solutions to address it.
In June, they deepened their integration with Github further. Snyk could now check a Pull Request (PR) before it was merged as part of the CI/CD process and auto-generate a PR to fix any vulnerabilities.
In November, they added Snyk support for Ruby projects. As part of their launch, they met Tom Preston-Werner, cofounder of Github and Ruby enthusiast, and found themselves the subject of a glowing review. [1] Preston-Werner described Snyk as, “an intelligent and proactive bodyguard for your entire codebase.”
In early 2017, Snyk leveraged the trust they had established in the developer community to pursue enterprise accounts. Snyk hired its first Account Executive and aggressively went after CISOs. They shifted their tone as well, replacing blog posts like “Out of Beta, plus exciting new features” with “Snyk and Atlassian, Sitting in a Tree” and “Snyk for your Enterprise”.
The Snyk team also spent most of 2017 adding features targeted towards enterprise buyers - license compliance, vulnerability reporting dashboards, on-premise support, and enterprise support.
After closing their first contract in March 2017, Snyk raced to $100k ARR by August. By March 2018, Snyk had over 130 large commercial paying customers.
That same month, Snyk closed a $7 million Series A round led by Boldstart Ventures and Canaan Partners.
Growth
In Snyk’s Series A announcement, Podjarny announced:
All that said, our best achievement, hands down, is in helping developers embrace security. The vast majority of our users are developers who chose to use Snyk, without a security team or other forcing them to do so. This proves the core thesis that led us to found Snyk – that developers do care about security, and simply need the right tools to take it on.
This core thesis would be incredibly prescient.
By June 2016, over 5,000 developers were using Snyk. By March 2018, over 120,000 developers tried Snyk. 6 months later, in September 2018, Snyk had over 160,000 developers.
By June 2016, over 5,000 developers were using Snyk.
March 2018 - 120,000.
September 2018 - 160,000.
That same September, Snyk raised a $22 million Series B, led by Accel.
While the Snyk GTM motion had swung towards enterprise, Snyk still kept it’s developer-first mentality. The best showcase for this was Guy Podjarny’s podcast, The Secure Developer. Publishing once a month, Podjarny interviewed guests such as Geoff Belknap, Chief Security Officer at Slack, on topics such as security org charts and bug bounty programs.
Snyk’s content team continued publishing pieces on its blog, at a rate of 4-5 posts per month. Topics ranged from announcements such as “Snyk is Now Integrated with Chrome’s Lighthouse” to vulnerability explanations, “Attacking an FTP Client: MGETting more than you bargained for”, to general educational content, “Local Type Inference Cheat Sheet for Java 10 and beyond!”
By setting up an organic motion, Snyk’s core developer growth kept climbing. Internally, Snyk’s north start metric was the number of active developers using their platform. Revenue was a second-order metric. They had pioneered an entirely new GTM strategy.
In an interview, Podjarny said:
[A]t Snyk, we have this interesting combination of user and buyer. The two aren’t the same. The most important user of our product is the developer. However, the entity in the organization with the job of keeping the organization secure and the budget to accommodate for that is the security team. As we wanted a direct path to the user to ensure we would be providing the best user experience, we decided to go for a freemium model to lower the bar for developers to get started…
What we learned is that … in the world of security, there’s a certain threshold you have to reach to get the development team to use the product. When you want them to buy, they need a certain breadth. We needed to broaden the offering before we could sell it by adding the main languages and platforms support. We ended up collapsing our first paid tier into free and focused on the larger tier for monetization but at a much higher price by offering a much deeper offering.
In essence, Snyk makes it easy for developers to get started. Their free tier is a giant cost center with the singular goal of helping developers understand and find value from Snyk’s core products. From there, as developers run into usage limits, Snyk gains powerful inbound prospects.
Product-Led Growth (PLG) isn’t new. Dropbox, Slack, Figma, Spotify, Calendly, Zoom, and plenty of other companies have generous free tiers that then convert to enterprise deals. But ******Snyk was unique in that they were one of the first companies to utilize the PLG motion in enterprise security.
In September 2019, Snyk raised a $70 million Series C led once again by Accel. From their announcement:
The global user community has expanded to more than 300,000 developers worldwide, and Snyk’s customer base grew dramatically – by 200 percent in 2019. Added to this, more than 90 percent of Snyk’s customers originate from inbound and product-led opportunities.
Expansion
Shortly before Snyk’s Series C, Peter McKay replaced Podjarny as CEO.
By this point, Snyk had grown to over 150 employees but despite a strong technical product, the path toward future growth was unclear.
McKay was a natural choice. He was an early investor and board member of Snyk with previous experience as the SVP of VMware. McKay had also served on Blaze.io’s board (Podjarny’s previous company). He brought “extensive large-scale management experience, [and] experience with markets.” Podjarny became president and chairman of the board to focus on “product vision and community leadership”.
Investors loved the move.
In January 2020, Snyk raised another $150 million in their Series D led by Stripes. Just eight months later, they raised an E round led by Addition for $200 million. Then another, just three months later in March 2021, for $300 million at a $4.7 billion valuation - led by Accel and Tiger Global.
In September 2021, Snyk added yet another $605 million at an $8.5 billion valuation. The round was split into two parts, the first $530 million was led by Sands Capital and Tiger Global while the second $75 million came from Atlassian Ventures and Salesforce Ventures.
Since McKay stepped up as CEO, Snyk had raised over $1.325 billion from investors. Incredible.
With the new capital, McKay went all-in growth.
The Snyk team grew to 800+ employees worldwide in the span of two years. Many of the new hires went to sales. McKay transitioned the company from a tech-heavy team to one with a healthy balance of marketing, sales, and engineering.
Another avenue for growth was acquisitions.
Snyk acquired CloudSkiff, FossID, Manifold, DeepCode, and Fugue, bolstering its position as a leader in security and paving the way for new product lines such as Snyk Cloud.
But the growth story finally reversed in 2022. The latest Snyk fundraise saw a valuation cut - $196.5 million at $7.4 billion in December 2022 led by the Qatar Investment Authority. In a TechCrunch article about the round:
[McKay] sees that Snyk’s market around developer security remains fragmented, and he sees an opportunity to consolidate by buying companies when it makes sense and taking advantage of what he sees as a very large TAM…
Most security startups either grow into a platform or they get absorbed by one, and Snyk apparently wants to be a platform player at this point.
In January 2023, Snyk added another $25 million in strategic investment from ServiceNow.
Conclusion
Snyk started from a core developer-first thesis. Over the past eight years, their growth has more than confirmed this core thesis. Snyk now has over 1,200 employees across offices spanning San Francisco, London, Singapore, and more. Customers include Atlassian, Twilio, AWS, and Salesforce.
Today, the open-source security movement is stronger than ever and there’s even a term for the work that Snyk does, Supply Chain Security.
I can’t wait to see what Snyk does next.
Footnotes
[0] Video of Snyk’s launch at Velocity Amsterdam in 2015
[1] Tom Preston-Werner hasn’t written much about other companies. Snyk is one of the few companies that he talks about on his blog. Another fun fact is that Preston-Werner met his Github cofounder at a “I Can Has Ruby” meetup.
[2] As detailed in a Snyk breakdown published by Unusual Ventures.