6 Go-to-Market Lessons from Smallstep’s Journey in Democratizing Security Infrastructure
Building an enterprise security company is challenging enough. Building one that bridges traditional security with modern development practices while maintaining an open-core model? That’s a different game entirely. In a recent episode of Category Visionaries, Smallstep founder Mike Malone shared insights from their journey that reveal several crucial go-to-market lessons for technical founders.
- Solve Problems at the Intersection of Two Markets
The most compelling opportunities often exist where two different worlds collide. Smallstep identified the growing tension between modern development practices and traditional security infrastructure. As Mike explains, the challenge was “securing distributed systems in the context of modern software development… with Kanban and sort of that pace and scale of development, microservices like layering on security and having real strong security guarantees and compliance guarantees without breaking all of that sort of modern technology.”
- Rethink Category Definitions
Rather than fitting into existing market categories, sometimes you need to redefine them. Mike points out that traditional Certificate Lifecycle Management “does not really capture what we’re doing.” The difference isn’t just incremental – it’s “an order of magnitude difference in scale” where they’re “not talking about a dozen certificates that renew annually, we’re talking about a million certificates that renew hourly or every five minutes even.”
- Use Open Source Strategically, Not Just Tactically
While open source can be a powerful go-to-market tool, it needs careful strategic consideration. Mike reveals that it’s “a marketing asset and it’s a feature for some enterprise customers” that “derisks from sort of a vendor lock in perspective.” However, he cautions that “maintaining open source is sort of thankless work” and describes it as “crappy product led because it sort of has some of the same characteristics as SaaS, like freemium, but with none of the bi-directional relationship and data.”
- Let Content Marketing Be Authentic
Instead of tightly controlling messaging, Smallstep gave their team a “really broad mandate to just write about what they’re passionate about that’s in this space.” The results were surprising: “it turns out when you give people that sort of purview, you get really high quality content that’s really interesting and informative and it gets shared and it gets searched and people find us that way.”
- Build a Flexible Commercial Model
Successful monetization requires a model that can serve different market segments. Smallstep built a range “from a free tier all the way up to a million dollars a year” with “over 100 customers taking advantage of various scale offerings.” This approach allows them to capture value across different customer segments while maintaining their open source commitment.
- Make Complex Technology Accessible
Sometimes the biggest market opportunity isn’t in creating new technology, but in making existing technology more accessible. Mike notes that “certificate asymmetric cryptography, all this security stuff seems like it’s an area that a lot of smart software engineers shy away from and maybe don’t specialize in. It feels very baroque and obscure, and a lot of the tooling hasn’t helped with that.”
These lessons from Smallstep’s journey illustrate a broader truth about modern enterprise software: success often comes not from building entirely new technologies, but from making complex technologies more accessible and aligned with how modern teams work. Their experience shows that by focusing on real user problems, building authentic connections with your community, and maintaining flexibility in your business model, you can successfully bridge the gap between traditional enterprise requirements and modern development practices.
The challenge now lies in scaling this approach. As Mike puts it, looking ahead means “pursuing product vision in that direction” of making “enterprises and large software systems and the Internet as a whole is more secure and safer for everybody.” For technical founders building complex products, Smallstep’s journey offers valuable insights into how to make sophisticated technology accessible without compromising its power.