
Actionable Takeaways

A low ACV in PLG isn't always a product problem — it's often an ICP signal:

StackHawk's early PLG motion worked. About 60% of their first-year logos were engineering-led. But Joni recognized the structural ceiling: when a head of engineering is the buyer, they likely don't have a dedicated security team. That caps deal size by definition. The lesson isn't that PLG failed — it's that the buyer StackHawk was converting wasn't the economic buyer for a real AppSec investment. Before you conclude your PLG motion isn't working, audit who is actually converting and whether they have the budget authority to grow with you.

Let inbound pull you into segments you didn't design for:

Joni built StackHawk as an SMB/mid-market play, deliberately. When enterprises started showing up inbound, her instinct was skepticism — she wasn't sure they'd want to adopt a developer-native, config-as-code tool at scale. She was wrong. A major beverage company became their first large enterprise logo, having already re-architected their CI/CD toolchain with a "paved roads" philosophy for automated security checks. The buyer was already bought in on shift-left before StackHawk ever engaged. The takeaway: if enterprise buyers are finding you without an outbound motion, something in your positioning is resonating. Understand why before you dismiss the segment as a poor fit.

Revisit your segment assumptions at every macro inflection point:

When the market tightened, SMB fintech and health tech customers stopped prioritizing AppSec — they were focused on survival. Joni didn't try to hold the segment. StackHawk rotated toward upper mid-market and enterprise, where security budgets are structurally more resilient. This isn't a pivot — it's active portfolio management of your customer segments. Founders should pressure-test their ICP against current budget cycles, not just product-market fit.

Understand second-order GTM effects of AI, not just product effects:

Joni's team has 8x'd software delivery in the last six months through AI-assisted development. Her most senior engineers haven't written a line of code manually in months — it's pure prompting. That velocity creates a math problem for static analysis tools: the volume of findings is now too high to triage manually, and many aren't actually reachable or exploitable. Runtime testing — proving a vulnerability is reachable in a live application — becomes the only way to separate signal from noise. The GTM implication: StackHawk's positioning shifted from "the second or third AppSec tool you buy" to the one that proves whether the other tools' findings actually matter. That's a different conversation with a different urgency. When AI reshapes your customer's workflow, ask what problem gets worse for them — then position there.

Build a bridge product for buyers who believe in your vision but can't execute it yet:

StackHawk's core product assumes a DevOps-mature organization: config-as-code, automated testing in CI/CD, close collaboration between AppSec and engineering. A lot of enterprise AppSec teams want that but aren't there operationally. Rather than excluding them, StackHawk built capabilities that surface familiar interfaces — tools that look and feel like what these teams have used before — while AI handles the complex configuration on the backend. It meets buyers where they are and puts them on a path to the full platform. This is both a product decision and a sales motion: it converts aspiration into usage without waiting for organizational change to happen first.

Own your category narrative in the language of the problem, not the analyst taxonomy:

StackHawk has never fit cleanly into a single analyst category. AppSec vendors and API security vendors have different definitions, and StackHawk sits at the intersection. Joni's working definition: "APIs are what we test. DAST is how we test." That framing is immediately useful to a buyer. As LLMs and MCP servers expand the attack surface — any running asset that needs to be tested — the category is evolving again, and the analyst reports are still catching up. Founders in emerging or cross-category spaces should invest in a precise, problem-anchored narrative they can own, rather than waiting for an analyst to define the box they'll be compared in.

Conversation Highlights

From DevOps to AppSec: How Joni Klippert Built StackHawk by Solving the Problem Security Teams Didn’t Know How to Ask For

At DevOps Days Enterprise, a pattern kept repeating itself.

Security teams would pull Joni Klippert aside — frustrated, overwhelmed, defensive. They knew software was shipping faster than they could review it. They knew they were becoming a bottleneck. But their only available move was to act as a gate, slowing releases down rather than finding a way to keep up.

Joni wasn’t a security person. She was a DevOps founder who had joined VictorOps as the first non-engineering hire and helped bring the product to market. She had spent years automating the messy, manual parts of software delivery. Watching security teams struggle with a process problem she recognized immediately, she had a simple question: why isn’t this being automated like everything else?

That question became StackHawk.

The Co-Founder Who Completed the Thesis

Joni’s instinct was process-driven. But building a security company required someone who had lived inside security organizations. She found that in Scott Gerlach — a decade as a practitioner at GoDaddy, then CISO at SendGrid through its acquisition by Twilio.

The combination mattered. Joni came at the problem from an engineering efficiency angle: security testing should live in the CI/CD pipeline, automated, the same way unit tests do. Scott brought practitioner credibility and a deep understanding of what AppSec teams needed to trust that shift.

Together, they built StackHawk around dynamic application security testing — runtime testing that simulates how an attacker would approach an application, deployed earlier in the development pipeline where engineers can act on findings before code ever reaches production.

The Structural Problem Hiding Inside PLG Traction

The original go-to-market was deliberate. Build a PLG business — easy to try, easy to buy, land and expand — targeted at developers already thinking about security as part of their workflow. Early signals were strong. About 60% of StackHawk’s early logos were engineering-led.

Then Joni looked more carefully at what that actually meant.

When a head of engineering is buying an AppSec product, they probably don’t have a dedicated security team yet. High conversion, low ACV, limited expansion path. As Joni put it: “That just wasn’t going to be a way to scale.”

This is a distinction worth sitting with. The problem wasn’t product-market fit — developers were adopting the tool. The problem was buyer-market fit. StackHawk was converting enthusiastic champions who didn’t control the budgets required for deals to grow. Volume without ACV expansion potential isn’t a foundation; it’s a ceiling.

The Enterprise Buyer Who Arrived Ready

While Joni was working through that ceiling, enterprises started finding StackHawk without being targeted. Her instinct was skepticism — a developer-native, configuration-as-code product didn’t feel like an obvious fit for large, complex organizations.

Then came the beverage company.

A Fortune 500 organization arrived having already done the hard internal work. They’d re-architected their entire CI/CD toolchain and were on a mission to build what they called “paved roads” — automated security checks embedded into software delivery as an organizational default. They weren’t evaluating whether to adopt this model. They’d decided. They needed the tooling to execute it.

“When you start closing logos that are household names,” Joni said, “it’s something to be celebrated… I was kind of beside myself honestly.”

What made this significant wasn’t just the logo. It was the profile of the buyer: already philosophically aligned, already invested in the infrastructure, already past the hardest internal debates. StackHawk’s developer-native approach — the thing Joni worried would create friction with enterprise buyers — was exactly what the most progressive security organizations were looking for. The inbound came because the positioning was working on buyers StackHawk hadn’t designed for.

Rotating Segments When the Market Told Them To

The enterprise pull arrived at a useful moment. As macro conditions tightened, SMB customers in fintech and health tech — strong early targets — started deprioritizing security spend. Survival mode doesn’t leave room for new tooling.

StackHawk didn’t resist the signal. They rotated toward upper mid-market and enterprise, where security budgets are structurally more durable. This wasn’t a pivot — it was active segment management in response to real market conditions.

But not every enterprise buyer was operationally ready for StackHawk’s full vision. Many AppSec teams wanted to shift left and automate testing in the pipeline — they just weren’t there yet. Their relationship with engineering was still fragile. Their processes were still largely manual.

StackHawk’s answer was a bridge product: capabilities that surface familiar interfaces — tools that feel like the legacy software these teams already know — while AI handles the complex configuration on the backend. The goal is to convert aspiration into active usage without requiring organizational transformation as a prerequisite. It’s both a product decision and a sales motion: get them using it now, on a path to the full platform.

The Math Problem AI Created for the Competition

The most consequential shift in StackHawk’s go-to-market story isn’t the enterprise rotation. It’s what AI-accelerated development is doing to the broader AppSec market.

Joni’s engineering team has 8x’d software delivery in the last six months. Her most senior engineers haven’t written a line of code in five or six months — it’s pure prompting. That velocity is being demanded across organizations everywhere, driven from the top down.

The downstream effect on security tooling is structural. Static analysis tools — historically the first AppSec purchase, with dynamic testing tools like StackHawk coming second or third — are now generating volumes of findings that no team can manually triage. Many of those findings aren’t reachable or exploitable in a live application.

“There are so many static code analysis findings you can’t possibly weed through them,” Joni said. “And the type of testing we do proves that it’s actually reachable and exploitable.”

Runtime testing moved from a secondary purchase to a primary requirement. The category Joni built for is now the category the market urgently needs. That’s not luck — it’s what happens when a product is built around a mechanism (runtime proof of exploitability) rather than a trend (shift-left, DevSecOps) that can be replicated by incumbents.

Owning the Narrative When Analysts Can’t Agree

Through the PLG ceiling, the enterprise rotation, and the AI tailwind, one challenge has been consistent: category definition. StackHawk has never fit cleanly into AppSec or API security as analysts have traditionally defined them. As the attack surface expands to include LLMs and MCP servers, the definitions keep shifting.

Joni’s response has been to stop waiting for the right quadrant and own the language of the problem directly.

“APIs are what we test. DAST is how we test.”

That sentence does more work than any analyst placement. It’s precise, buyer-legible, and flexible enough to evolve as the attack surface does. For founders operating in categories that analysts are still trying to define — or redefine — it’s the sharper play: anchor to the mechanism, not the label.

Joni Klippert joined us on a recent episode of BUILDERS. Listen to the full conversation at FrontLines.io.
