The year was 2020, and while I’m reluctant to call things “normal”, the impending pandemic had yet to make its mark. Like most B2B SaaS orgs at the time, Vicarius had a small army of SDRs, supplemented by automated outreach – hell-bent on ensuring every prospect received a touchpoint. Our over-simplified process likely looks familiar:

• Track website activity and identify which companies were visiting.
• Filter activity to identify the right person in the org (CISO, Security, IT) using LinkedIn Sales Navigator and similar tools.
• Initiate automated LinkedIn activity and email sequences (profile view, connection request, automated messaging, etc.)

We mastered this outbound automation, but were underwhelmed with the results. Our SDR team was performing poorly, and our brute-force LinkedIn strategy nearly had us blacklisted from the platform. As time went on, I grew concerned that we were not only destroying our brand perception, but we were failing to crack our user acquisition strategy. 2020 was off to a bad start.

Dejected, my co-founder, Roi, and I returned from RSA 2020 as the world around us began to shutter. COVID was here. While we hadn’t yet grasped the magnitude, we took this new reality as an opportunity to step back and re-evaluate our go-to-market strategy.

A New Perspective

I never understood why security companies were hesitant to offer their product for self-testing and qualification. Was it a fear of being seen as “cheap” or premature to market? Or did the “blackbox” approach allow them to wrangle a Fortune 100 customer and raise a huge round before anyone asked the tough questions? Realizing that there will be no more face-to-face meetings – or even worse, no whiskey night-outs with random CISOs – I questioned how on Earth security companies will survive. Beyond the schmoozing, how can orgs perform a non-physical on-site implementation, professional services, etc.? Reality had changed, and we needed to adapt.

With this in mind, we took the next quarter to focus on a self-serve platform that required zero human interaction… because who wants to talk face-to-face with human’s when doing so can kill you? We quickly recognized some low-hanging fruit for brand awareness:

1. Our Research Center, which pushed vulnerability data to our website with a Google-index-friendly structure, had led to tremendous organic exposure and user value.
2. We began focusing on Google Ads, with distinctive long-tail terms that our ideal customer would search for, but perhaps lacked traditional high volume.

So, we doubled down. We focused our teams on adding organic value through CVE research and sought to engage new prospects through deeply targeted ad strategies (shout-out to Lior). At the same time, our product team focused on making trials and onboarding as low-touch as possible – funneling new users to find value as quickly as possible. And… it worked. Our qualified leads and close rate started to double – and then triple – maybe we were onto something?

Embracing Product Led Growth

The initial decision to build a self-serve engine and lead with the product was not something we did with “PLG” in mind. It’s not even something we consulted advisors on – it was a gut-feeling amongst founders.

If you’re unfamiliar with the concept, product-led growth is a go-to-market strategy that delineates the solution as the central vehicle for growth. Unlike a sales-led approach, where volume and touch-points reign supreme, a product-led approach gives prospects the tools to solve problems on their own and derive as much value as possible at every interaction with the product. These interactions eventually lead to a seamless upgrade for continued value.

Today, ‘product led growth’ is an expanding focus in broader SaaS markets, while adoption in security has been slow – largely due to over-complicated solutions and reluctance to focus on the user. I find myself consulting other CEO’s and exchanging opinions with CMO’s that implemented similar PLG strategies. Throughout this transition, I’ve developed two philosophies I feel are worth sharing:

• Organic is King. I have a deep appreciation for marketing and growth teams, particularly how difficult their job is today. The formula for success is an ever-moving target and the “easy” strategy is throwing money at vendors/programs to acquire leads. That approach is lazy, fleeting, and often unsustainable. Organic growth is valuable because it’s hard and few are doing it… paid-marketing doesn’t buy you sustained traction, especially as a start-up. Growth hacking, content strategy, and search optimization takes time, but the results are long-lasting and compounding.
• Give Users the Keys. The buyer is changing – and this is as much a generational transformation as it is an industrial one. Millennials and Gen Z are moving more-and-more into buyer / decision-maker roles, and these generations were raised on instant downloads and self-research. “Talking to Sales” is an inconvenience at best, and a deal-breaker at worst. Giving these buyers the self-guided path to identifying top use-cases and recognizing the quickest time-to-value is more important than ever. No one wants to talk to sales until they know the solution will work for them.

That last point is also a benefit to the sales org… and probably important that I point out: PLG does not replace sales – it makes their job easier. A product-led MQL/SQL, or even better, a PQL (product qualified lead), results in more predictable forecasting, less awkward discovery calls, and a significantly shorter sales cycle. It’s the embodiment of ‘quality over quantity’. Beyond sales prospecting, investors are also picking up on the PLG momentum, with product-led orgs receiving higher multipliers (Axonius, Snyk, Datadog) on their revenue, even while operating in less sexy security markets. After all, investors love accurate forecasting.

The PLG Reverse Triangle

I spent much time building on this product-led strategy before realizing I had not, in fact, invented it. There’s currently a wealth of resources and enablement vendors focused specifically on PLG (PLG123, and productled.org to name a few). My contribution to this concept is the reverse-triangle, which structures organic user activity on the path from open-source tool, to product usage, to community involvement, with each segment building upon the next.

 As it relates to us…

• Community. Vicarius is enabling the broader security community to leverage the power of the collective, sharing insights and expertise through vsociety. vsociety is a social community for security professionals to collaborate on vulnerability solutions, share remediation insights, and network with security peers. The platform allows members to contribute to TOPIA, while gaining access to timely security research and bidirectional scripts from Vicairus and the broader user-base. The platform provides networking opportunities with industry peers, while enabling thought-leadership growth for community users. vsociety is free of charge, while allowing contributors to be paid for their insights.
• Open-Source. Vicarius now seamlessly integrates with Nmap, one of the most ubiquitous and versatile scanning tools in the open market. Users can now visualize Nmap scans like never before, turning Nmap XML’s into vibrant dashboards inside the Vicarius TOPIA platform. Users receive the latest CVE results, consolidated vulnerability feeds, and can track scans historically, completely free of charge. Meanwhile, this opens a new user pool of potential full-featured users for Vicarius, enabling a two-way benefit.
• Product. Each of the above is optimized inside the TOPIA platform, providing a seamless user experience, utilizing open-source tools as a force-multiplier, while leveraging the user community for insights and growth. Both free users and Vicarius customers can benefit from these crowd-sourced solutions at every turn of the triangle, with each arm communicating with the next.

With each point of the PLG reverse-triangle feeding into the next, there’s an important nucleus built at the center: the free user. Even if they never convert into new ARR, a non-paying user who derives legitimate value from your ecosystem becomes a solution evangelist, spreading word of your brand and growing your solution footprint. An organic, human recommendation will always trump a paid advertisement. And with the mutual benefit of a free platform to share information about vulnerabilities and targeted content, everyone benefits. 

At the end of the day…

Our “accidental” foray into product-led growth has been fascinating, fruitful, and focused us on the progression of our solution. We’ve gained a deep understanding of our user and how they derive value from our tool, leading us to develop a hyper-empathetic focus on our users and how they want our tool to evolve with their needs, while always providing intrinsic value to the community. We couldn't imagine growing our tool any other way.

If you're interested in participating in the vsociety community, you can sign up to be a pioneer today.