The Story of Opal Security: Building the Future of Identity Governance

From Stanford dorm room to $50M ARR: The story of how Umaimah Khan built Opal Security by reimagining identity governance for cloud-native companies and creating an entirely new security category.

Written By: Brett

Some companies are born from crisis. Others emerge from frustration with broken tools. Opal Security started with a simpler observation: the identity problem in modern infrastructure wasn’t being solved because nobody was building for the people who actually felt the pain. In a recent episode of Category Visionaries, Umaimah Khan, CEO and Co-Founder of Opal Security, shared how that insight transformed into a $50 million ARR business that’s redefining identity governance.

The Problem Nobody Was Solving Correctly

The identity governance market wasn’t empty when Opal launched. Legacy vendors had dominated the space for years, selling expensive enterprise software to compliance teams. But Umaimah and her co-founders saw a disconnect. The people buying identity governance tools—compliance officers and security managers—weren’t the same people deploying and maintaining them. Engineers inherited clunky, inflexible systems that didn’t integrate with modern cloud infrastructure.

“We really focused on engineering-led sales,” Umaimah explains. “So our ICP was companies who had an engineering culture, who are building technology.” This wasn’t just market positioning. It was a fundamental belief that identity governance would only work if it was built for the practitioners who lived with it daily.

The technical debt was obvious. Companies were managing access across dozens of systems—AWS, GitHub, Okta, Snowflake, internal tools—with a combination of spreadsheets, Slack messages, and manual reviews. Access requests took days. Nobody had visibility into who could access what. Standing privileges accumulated because deprovisioning was too operationally expensive.

Opal’s founding thesis was that modern identity governance needed to be API-first, cloud-native, and designed for engineering workflows. Not compliance software with an API bolted on. Not legacy tools rebranded for the cloud. Something built from scratch for how technical teams actually worked.

Building Product-Market Fit Through Technical Depth

The early product decisions reflected this engineering-first philosophy. Opal needed to integrate seamlessly with the infrastructure tools that engineers used daily. The product had to support just-in-time access, automated workflows, and programmatic control. Documentation needed to be comprehensive. APIs needed to be flexible.

“We found our best customers were those companies where an engineer discovered us, started using the free tier, then brought us into their organization,” Umaimah notes. This bottom-up motion became Opal’s primary growth engine. Engineers had the problem. They found the solution. They became internal champions.

The strategy worked because it aligned incentives. When engineers chose Opal, they owned the implementation. They understood the value. They drove adoption across their teams. These weren’t compliance mandates imposed from above—they were tools that made engineers’ lives better.

But technical depth alone wasn’t enough to scale. As Opal grew, they faced a critical inflection point: staying mid-market with product-led growth or moving upmarket to enterprise. The decision would reshape everything about how the company operated.

The Inflection Point: Scaling to Enterprise

Moving upmarket revealed gaps in Opal’s go-to-market strategy. Technical buyers loved the product, but enterprise deals required executive buy-in. CISOs cared about risk frameworks. CFOs needed ROI justification. Boards wanted assurance that this wasn’t just another security tool adding complexity.

“When we started going upmarket and selling to Fortune 500 companies, we realized we needed to change our messaging,” Umaimah says. “We weren’t just selling to engineers anymore. We were selling to CISOs, to boards, to compliance teams.”

The pivot required more than new sales decks. Opal needed to develop entirely different narratives for different stakeholders while maintaining technical credibility. “We started talking about identity governance as a strategic initiative, not just a compliance checkbox,” Umaimah explains. The conversations shifted from technical architecture to business impact—how identity sprawl creates risk, how access creep increases attack surface, how manual reviews waste engineering time.

This translation challenge became a core competency. “We had to get really good at reading the room,” Umaimah says. “Sometimes you’re presenting to a mixed audience—CISO, CFO, and head of engineering all in the same meeting. You need to address everyone’s concerns without losing anyone.”

The ability to speak both technical and business languages fluently became Opal’s competitive advantage in enterprise sales.

Creating a Category While Building a Company

Beyond selling software, Opal was creating a new category. Cloud-native identity governance existed more as a concept than a defined market. Most companies didn’t realize they had the problem Opal solved.

“We spent a lot of time educating the market,” Umaimah explains. “Writing content, doing webinars, speaking at conferences—all focused on why identity governance needs to evolve for modern infrastructure.” This educational approach extended into sales conversations. “We often spent the first meeting just explaining the problem, not even talking about our solution,” Umaimah notes. “Many companies didn’t realize they had an identity governance problem until we showed them their own access data.”

Category creation is slower than competing in established markets. Sales cycles are longer. You’re selling the category and the product simultaneously. But it creates defensible positioning. By the time prospects understood they needed modern identity governance, they’d learned about it from Opal.

Professionalizing at Scale

Reaching $50 million ARR required building enterprise sales infrastructure from scratch. “We had to professionalize everything,” Umaimah says. “Hire experienced enterprise AEs, build out sales engineering, create proper deal review processes, implement Salesforce correctly—all the blocking and tackling of enterprise sales.”

The team invested heavily in enablement. “We created detailed battle cards, competitive positioning documents, ROI calculators, reference architectures,” Umaimah explains. “Our sales team needed to handle objections about budget, timing, competitive alternatives, and technical requirements—often all in the same deal.”

Compensation structures needed to align with strategic priorities. “We structured our sales comp to reward larger deals with better margins,” Umaimah notes. “We wanted our team focused on enterprise accounts, not churning through small deals.” The incentives worked. Sales teams invested time in strategic relationships and pursued deals that significantly moved revenue.

The Future: Beyond Identity Governance

Looking ahead, Umaimah sees Opal expanding beyond its identity governance roots. The infrastructure access problem extends far beyond managing user permissions. It touches API security, service-to-service authentication, secrets management, and infrastructure entitlements.

The vision is ambitious: becoming the control plane for all infrastructure access. As cloud environments grow more complex and zero-trust architectures become standard, the need for sophisticated access management intensifies. Opal’s engineering-first approach positions them to solve these increasingly technical problems.

The company that started by solving access management for engineering teams is now tackling the broader challenge of infrastructure security. With $50 million in ARR and strong enterprise momentum, Opal isn’t just building better identity governance tools. They’re defining what identity security means for cloud-native companies.