Cybersecurity GTM: 37 Lessons From 37 Founders

Name the Pain Your ICP Already Feels But Can't Articulate

When SecurityPal introduced “customer assurance” as a category, Pukar discovered the market didn’t need education on the problem itself — they needed language for it. “The market already understands that this is a problem,” he explains. “It’s just that they haven’t been able to put a word on it.” The validation came immediately when speaking to sophisticated buyers: “I just went in front of the leader of a incredibly successful company, right. A $30 billion company, american software company, in the databases space. And when I talked to her about this problem, she got it right away. She was like, yep, like, this is exactly correct.” Category creation isn’t about inventing pain — it’s about articulating what your ICP experiences daily but lacks the vocabulary to request. When the words land, “it is indeed resonating. That’s the feedback that we receive.” – Pukar

Brand Against Your Category to Break Through Market Noise

Cybersecurity branding follows a formula: black-and-purple color schemes, shadowy imagery, and what Spencer calls “spooky” messaging about threats. Prelude deliberately broke this pattern by building what looks like “a science company” with open source transparency and aesthetic choices that confuse buyers. “People say this looks nothing like a cybersecurity company. In fact, they probably are confused whether we actually do cybersecurity,” Spencer explains. The confusion is strategic: it creates “a breath of fresh air” in a market where “you can get exhausted with” vendors who all look identical. Spencer’s team even uses “weird art that we use that I personally love. Like we have a joke internally. We have this fish coming out of a rock we’ve ended up using internally in a lot of our materials because we just think it’s really interesting and funny and has nothing to do with anything.” When every competitor zigs with fear-based branding, zagging with radical differentiation makes you memorable and different. – Spencer Thompson

CISOs Reject Marketing Speak: Sell Like a Practitioner

Security buyers operate differently than other enterprise segments, and your outreach should reflect that. Paul spent years as a CISO before founding Viso Trust and learned that security professionals “don’t want kind of dumb outreach, they don’t want marketing speak, they don’t want kind of fluff.” The skepticism runs deeper than other buyers: “They’re very skeptical of solutions, they’re skeptical of new technologies.” Paul contrasts this with other enterprise segments where “folks are certainly less skeptical and maybe a little more accustomed to more salesy outreach than security professionals are comfortable with.” 

The tactical shift: focus on “making sure that you appeal to that mindset and make sure to give them really valuable experiences. Right. That are really informative.” Your entire GTM motion, from first touch to close, needs to respect this fundamental difference in how CISOs want to be engaged. – Paul Valente

Category Creators Sell Outcomes When Budget Doesn't Exist

Creating a new category means walking into organizations where budget doesn’t exist for what you’re selling. Ayal explains the contrast: “If you’re doing something slightly better, faster, cheaper, then you kind of walk in and there’s a budget align, right.” But with Anjuna, “usually we walk in and there’s no budget allocated for confidential computing.” The sales motion becomes fundamentally different: “We have to kind of go and convince people, say that there’s this new thing, but it is going to make everything easier for you. It’s going to enable things that you weren’t able to do before.” Once buyers grasp the value, “it becomes conversation with very senior people very quickly and it’s just a great conversation to have without all the possibilities this opens up.” The tradeoff is clear: “It is a much more difficult sell cycle than just walking into a category that’s already there and that the budget is approved.” – Ayal

Stand Out with Design That is Totally Differen

Monad made a deliberate choice to break away from how security products typically look and feel. “We want the product to look the way we’re designing it, even like how it looks. It looks more like a segment or a stripe and less than a typical security product,” Christian explains. This isn’t just aesthetic preference, it’s positioning strategy. By designing the UX to resemble modern SaaS infrastructure tools rather than traditional security platforms, Monad signals they’re a data company that happens to focus on security rather than a security vendor trying to do data. The design choice reinforces their message that they want to “make it available to really any security engineer who wants to get more value out of the current tools they use” with a self-serve motion that feels approachable, not intimidating. – Christian Almenar

Build Top-of-Funnel Brand When Budgets Freeze

When the 2022 market correction hit, Chainguard made a contrarian bet on brand over demand gen. Dan recognized that “nobody was really going to be buying anything, nobody was really going to be spending money that year and no one had any budgets.” Rather than chase impossible conversions, “our strategy was basically to emerge from that year as the most well known, the leaders, the most trusted folks in the space.” The success metric shifted entirely: “if you ask a CISO who the best supply chain security company is, we want them to say us, even if they don’t know what we’re doing or what our products are.” This required “a lot of really far out top of funnel work, the traditional brand marketing awareness, ER, style stuff” that’s “hard, that’s expensive. It takes a while to really see results from it, but we’re still seeing dividends paying themselves back today.” When buyers can’t buy, own the mindshare for when budgets return. – Dan

Analysts Define Categories But They Often Get it Wrong

David’s assessment of analyst firms is direct: “the categories are really defined by the analysts, and the analysts really don’t know what they’re doing.” This created real work for Mayhem’s technical team, as “me and actually most of the faculty had to spend quite a few weeks trying to figure out what analysts were calling different sectors. Like the terms they were using didn’t correspond to what they thought they corresponded to.” Rather than ignoring analysts entirely, ForAllSecure engages them strategically to “educate on what are the real differences between the tech out there and why one might succeed and one might not.” The reality: analysts control category definitions and influence buyer consideration sets, but they often lack technical depth to properly categorize novel approaches. Your job is to educate them without expecting them to lead.

Annual Original Research Reports Create Category Authority

Strata’s “State of Multicloud” survey evolved from customer development into evergreen content. Starting manually in 2020, they now partner with research firms to survey 500-600 respondents annually. The power: “we do it every year, and that allows us to show the evolution of this problem over time for a longitudinal analysis.” This shows trends like “what was last year not as important is now the most important” and delivers “dozens of that downloaded from a lead gen standpoint now every week.”

Cold Calling Works Outside the SF/NY Tech Bubble

Anagram dismissed cold calling until they tested it and got results. “I was shocked. I didn’t think we would get a single meeting booked from cold calls. But shockingly, it still seems to bear fruit,” Harley admits. The key insight: buyer behavior differs dramatically by geography and company type. “I think we maybe live in a bit of a bubble in the New York, San Francisco ecosystem, where we’re so used to it that it just immediately turns us off. But there’s a lot of people out there, and we’ve seen a surprising amount of traction from it.” Anagram’s targets (Pfizer, Johnson & Johnson) operate differently than tech-native companies, and “there’s a lot of CISOs and a lot of directors who do answer cold calls.” When selling to traditional enterprises, don’t let coastal tech assumptions dictate your outbound strategy.

Lead Marketing with a Practitioner POV

Ian rejects traditional marketing approaches in favor of raw authenticity rooted in his CISO background. “I would call it sort of, I don’t know, in your face realistic. My language, no BS. This is what we do and this is what we don’t do,” he explains. Rather than softening his message for broader appeal, he doubles down on specificity: “I’m very adamant about saying or kind of framing the context in which we operate. I refuse to try to become a jack of all trades. We’re going to solve all your problems.” The strategy works because “the marketing is really very much aligned with my personal story and the story of a lot of my peers that are experiencing that pain.” When your founder has deep practitioner credibility, don’t hire marketers to dilute it. Your unpolished industry voice is the differentiator, not something to be smoothed over by marketing consultants.

Define Event Goals First: Brand Awareness vs. Pipeline

Many book conference booths without clarity on what they’re optimizing for, leading to misallocated budgets. Itzik’s framework starts with one question: “what is your goal coming into that event?” He distinguishes between event types based on outcomes: “the big boots…are great for brand awareness and for positioning” like Black Hat, but “I’m not sure if they are very helpful in terms of…legion and creating new leads and creating pipelines.” Conversely, “some other…events are the other way around. They are great for pipeline creation but not that great for brand awareness.” Once you’ve defined the goal, “then…you can align the other stuff like the size of the boot on which people to bring in and what to do over there.” Stop justifying booth spend with vague ROI. Pick brand or pipeline, then resource accordingly. – Itzik

Reject Fear-Based Branding: Make Security Products Fun

Permiso deliberately broke from cybersecurity’s FUD playbook because “we don’t like about security…is the fear, uncertainty and doubt, like playing on the fear of a potential customer.” Instead, they borrowed from consumer brands: “security is a serious business, but we don’t take ourselves seriously…bringing that things that we enjoyed from other brands that are not in security or adjacent to security, bringing that in was super important to us.” The execution gets specific: they hide “Easter eggs…on our website” and are “working on a super fun little cloud security pixel game.” Jason’s philosophy: “treat your users like people and create an experience for them…You can win minds, but if you can win hearts too, you’ll just have a great company.” When every competitor uses dark colors and scary imagery, playful branding makes you memorable in a sea of sameness.

Enterprise Sales Doesn’t Have to be Harder than SMB

Ken learned this lesson the hard way through his first company, which sold via MSPs to SMBs. “It sounds fantastic, right? All these other people are selling on your behalf…But it’s actually the appreciation for what you do is missing,” he explains. Despite building “incredibly complex things in that email security product and detect all sorts of things that other people couldn’t,” customers didn’t understand the value. After FireEye acquired them and they reached enterprise buyers, the contrast was stark: “people calling us in…these enormous companies, how the hell are you guys managing to stop this? You know, no one can stop this stuff and go, oh my God, we just wasted so much time in our lives selling to the wrong people.” His conclusion: “it is just as easy to sell to the largest company in the world as the smallest.” The difficulty isn’t enterprise versus SMB, it’s whether your ICP actually values what you’ve built. – Ken

Help Partners See How Your Product Buys Them a Boat

Kyle’s partner Toby gave him the economics lesson that changed everything. “He said, Kyle, I love what you’re doing but I think you’re forgetting like cybersecurity isn’t just about delivering value. I have to make money on it.” Then Toby hit him with the real question: “When spring rolls around, I’m going to buy a boat. But if I buy your product, Kyle, you’re taking the money away from my boat. How do I buy your product and still afford a boat?” This forced Kyle to build a three-part business case: reduce partner COGS (protect bottom line), free their best talent for revenue projects (grow top line), and trade his CAC for partner margin. “I could tell him, Toby, if you could own all of my sales…I’m going to give you up to 50% of our margin. It wasn’t free margin…I looked at my cost of acquisition and said I would have to do this anyways.” The result: “Toby is buying a boat this spring” and Kyle has 97% retention because “if they get rid of me, it makes their business worse.”

Position Between Categories When Neither Box Fits

Marina didn’t force Tamnoon into an existing category. “We are on the crossroads between the MDRs and Cnaps. I think we are merging two categories into one. On the one hand we are providing managed synapse, and on the other hand, it’s a solution that involves experts.” When pressed on category fit, she’s clear about where they lean: “If I’m talking about which category I’m falling into, I’m more on the managed side. Managed technologies or tech enabled managed services.” Straddling two established categories lets you own a unique position instead of competing directly in an overcrowded space where your differentiation gets lost.

Sell Employee Security Tools as Benefits, Not Mandates

Mykolas positions Hush as a benefit to employees, not another IT mandate. “The first thing we do is talk about the process, the journey. We talk about the carrot, and the carrot, if you will. Yes, this benefits the company, but the most likely risk that an employee is going to face is identity theft. Right? One out of 17 Americans a year.” The communication framework helps buyers sell internally: “We help them with the communication to say, hey, we’re doing this for the company’s benefit, but we’re also doing it for our employees…Because the last thing employees want is yet another thing…pushed down from IT that they’ve got to deal with.” When your product needs employee cooperation to work, position it as solving their personal problem first, not the company’s security gap.

Ship Fast If You Want to Make PLG Work in Cybersecurity

Philippe proves PLG works in cybersecurity when you’re small enough to iterate fast. “PLG is comfortable when you’re a small company. I don’t know how doable it is when you’re a larger one.” The core requirement: “It’s all about listening constantly to your user and modify the product only based on your user feedback. And that takes a lot of time.” Even security incumbents who try can’t match startup velocity: “If you’re a Cisco and you have like 10,000 different products. It’s just not possible. And even at places like CrowdStrike or Sophos…it’s going to take months.” Your advantage isn’t just being small, it’s shipping changes next week based on user feedback while incumbents take quarters. Use that speed window before you lose it.

Set Brand Awareness Goals Around Sales Team Recognition Rates

Robert’s marketing KPI focuses on making outbound easier. “Here’s what my goal is. If twelve months from now, one out of three, and I have no idea if that number, by the way, is a good ratio or not, but one out of three times that, our SDRs make a phone call and say, hey, this is Joe from Elastiflow. I want the person on the other side of the phone to go, oh, I know who y’all are. I just read this blog, saw this video.” His reasoning: “If we can have that kind of recognition, then our sales motion, our pipeline building, is going to be much more effective and efficient.” Don’t measure brand awareness in abstract metrics—measure it by how often prospects recognize your company name on cold outbound calls. – Robert Cowart

Invest Early in Sales Enablement to Align Your Sales Team Around the Same Narrative

Guy solved category consistency through systematic sales enablement, not sales training. “I’ve got a terrific COO, co founder who makes sure of exactly that” when it comes to keeping the entire team aligned on narrative. His approach: “We work with solutions like Gong IO and Outreach in order to make sure that everything is as mechanized as possible. So that…the pitch at the end of the entire sales process is the same across the board, in every single sell, as much as you possibly can.” The ownership model: “My COO…owns, among other things, sales enablement and training. And the entire playbook of how we do sales belongs to him.” The balance: “Obviously every account executive takes it to their niche, their personality and so on and so forth. But…if you want to build a big company, you need to start at operations and sales enablement and making sure that everything moves at the right pace and with the right playbook and sounds exactly the same.” Category creation requires mechanized enablement systems with dedicated ownership, not one-time training sessions.

Build ROI Models That Show Cost Reduction, Not Just Risk Mitigation

Dave’s breakthrough came from quantifying operational savings, not security value. “The ability to really create here an ROI model because the migration to this domain, making devices to this domain and adding more and more use cases is really a manual process…we also enable a lot of automation to onboard new use case with the right compliance, with the right security procedures.” This economic case opens multiple budget sources: “There is a security that’s receiving their security stack. We have the IT that we have simplified their life. We have the digital and innovation team that have the eager to push this domain forward and we have the economic buyer and this really see the value in the cost reduction as once the product is being deployed.” Security products die on compliance arguments. Security products with ROI models showing “cost reduction” win budget from economic buyers who control larger purse strings than CISOs. – Dave Mor

Position Security as Growth Enabler, Not Risk Insurance

Mollie rejects FUD in a market saturated with fear tactics. “A lot of those colors, those darker colors, reflect a larger trend that we’re hearing from clients they’re kind of tired of, which is selling based on fear…over promising, under delivering.” Her counter-positioning: “We really want to make cyber…help the CISO, help them position cyber as something that can overall grow the organization and do everything better. Not just be a cost center, not just sort of be an insurance policy, but also help them be able to accelerate their ability to adopt new technologies or their ability to make their operations more efficient.” The problem with fear-based selling: “It’s really hard to show value often, because how do you show the value of something that didn’t happen?” When competitors sell ransomware nightmares, sell innovation velocity and operational acceleration instead.

Make Vendor Consolidation Your Differentiation Strategy

Justin wins by eliminating the multi-vendor coordination nightmare. “A more typical relationship would be, hey, we have a technology vendor that, you know, we’re kind of storing some data on around compliance. And then we have a consultant that’s helping us and we have an auditor. So we have these. And we have a penetration testing team. So we have these three or four vendor relationships that I have to coordinate to get this one thing accomplished.” Strike Graph provides the compliance software, consulting, auditing, and pen testing through one vendor. The GTM advantage isn’t just cost savings—it’s removing the operational burden of managing multiple relationships to achieve one outcome. – strike graph

Prioritize Expansion Revenue Over New Logo Acquisition

Stephen obsesses over expansion as the primary growth metric because it proves customers found real value, not demo-stage promises. “A lot of the growth came from expansion…For me [expansion] is the most satisfying growth that we can have. Because it’s not essentially a customer who has gone through a demo in a POV and they maybe see, you know, through rose colored glasses, this is going to be a great solution. And we buy a license. When they expand, they’ve been using it, you know, they’ve been rolling it out, they’ve been seeing value and then they choose to, you know, increase their usage of the product.” New logos buy based on pitch decks. Expansion means they deployed your product, used it in production, and decided to pay more. If growth comes primarily from new customer acquisition rather than expansion, you might have problem-market fit—buyers desperate to solve pain—instead of product-market fit. – Steph De vries – IrusRisk

Win Over End Users, Not Just Economic Buyers

Arie refused to close deals without security operations team buy-in, even when CISOs were ready to purchase. “Most of our customers today. We started from the CISO angle and then we only evolved to the security operation team. But never a deal would happen without having the bind from the security operators, from the security operation teams. That needs to love the product before any company would really be able to purchase.” Executive sponsorship unlocked budget and got him through procurement, but if the analysts and engineers using the product daily didn’t love it, he was building on a retention time bomb. CISO enthusiasm didn’t prevent churn when the SOC team circumvented the tool because it made their job harder.

Define Your Anti-Persona as Rigorously as Your ICP

Nadav spent equal time defining who NOT to partner with as defining ideal partners, preventing months of wasted effort. “Spend as much time defining your borders. You do not pass lines. A wrong partner, somebody you should definitely not spend time trying to partner up with at least as much as you should on your IPP, because most of the failures we had and most of the time wasted was on things that, again, if you look back, we pretty much knew that a month or two or three in, but you keep trying, and promises are made and stories are told.” Without clear disqualification criteria, his team chased partners making empty promises because they lacked confidence to walk away. Most founders obsess over ideal customer profiles but never codify the red flags that should trigger immediate disqualification.

The Rise of Practitioner-Turned-Sales Reps

Rohan built his sales team by hiring people who used to do the job his buyers do. “If you’re selling legal tech, you hire an actual lawyer to be a sales rep or to be a solutions engineer, or if you’re an HR tech, you hire actual recruiters to sell your product. Right. And so it’s the same idea in security, I think if you can hire practitioners, in our case former DLP security operations analysts to be part of the deal cycle in some way, be it an actual AE or be it a solutions architect.” Former practitioners understand buyer pain from years of living it, not from running discovery calls. They speak the technical language fluently and build instant credibility that career sales reps can’t replicate, no matter how well they’re trained.

Actually Show Your Tech Works, Don't Just Claim It Does

Alan converts deals by running one-week POCs that expose what incumbents miss, not by making claims about superiority. “Put us behind the technology that you say is the one that you have, and if we find stuff that’s concerning, in a week, you have a choice. Now, if we don’t find anything, I apologize for wasting your time, but I think you’re going to find stuff.” In one POC behind a top-three market leader, they found 80 advanced threats in a week. His conversion rates: 85% from first meeting to POC, 100% from POC to technical win. Every security vendor claims their technology is better—Alan’s POC proves it by catching real threats the incumbent solution missed. Let comparative results do the talking, not your pitch deck.

Focus on the Verb First, Name the Noun Later

Bob learned the hard way at MobileIron that waiting too long to name your category lets analysts define it poorly. “We waited too long to focus on the noun, and the noun got defined for us in a way that I think was disadvantageous…Gartner tagged it as Mobile Device Management MDM, and that’s where everybody became to know it. But it wasn’t actually a management thing. Customers didn’t buy MobileIron for management, they bought it for security.” His approach now: “Focusing on the verb first is definitely the right thing to do, but I think in that case, we waited too long to focus on the noun.” Start by solving the problem and letting customers articulate what you do. But once the market understands your value, actively shape the category name before Gartner picks one that misrepresents why customers actually buy.

Bet Big on Regulatory Shifts

Dimitri built BigID on the thesis that GDPR would force companies to allocate budget for data security. “We felt that there was going to be budget assigned…if you’re going to start from scratch in terms of a data security and compliance solution, what would you do?” He identifies three GTM strategies for new companies: ride a regulatory wave that creates new budget, take existing solutions cloud with better deployment models like Snowflake did with data warehousing, or use “the leech method of becoming a feature on platforms like CrowdStrike and Palo Alto did.” Novel solutions without existing budget categories need external forcing functions—regulations, compliance mandates, or platform shifts—that create urgency and unlock new spending.

Hire Go-to-Market Teams Like You Hire Engineers

Umaimah treats GTM hiring with the same rigor as systems engineering, not as a separate discipline requiring different principles. “Go to market is not actually that different from engineering. It’s not that dissimilar from systems engineering, and you’re working off certain assumptions. You’re thinking about scalability and robustness, and you also have to have a pretty high tolerance for experimentation and just trying things out.” For technical products, this means hiring early GTM team members who have high curiosity, willingness to experiment, and comfort with ambiguity rather than playbook executors. “Hiring for a team, an early team that is open to experimenting and is sort of like high curiosity, willing to run around the field, figure out what it needs to be done. That’s important in technical products.”

Build Community Before the Product Launch

Michael spent four months building a free community tool to gather his target buyers before launching his commercial product. “We took four months, we built a community product called Open MSP…it was a community product which was nothing salesy.” The result: 200 MSPs in their Slack community and 1,000 waitlist signups before product launch. He gave away genuinely useful functionality—showing MSPs which open source tools could replace their paid stack—without requiring them to become customers. Most founders launch their product then try to find buyers, burning cash on acquisition while building in a vacuum. Michael built his buyer community first, learned what they needed, then launched the product they were already waiting for.

Delay Marketing Until You Have a Repeatable Customer Value Story

Adam runs entirely on founder-led sales until he can prove repeatable customer value. “I do think in the next quarter you’re going to see a lot more things come out from us as we get our marketing story better. As we start to get that engine sort of rolling, however, it’s just been, we’ve been really laser like focused on building a great product, getting a good story for our customers, understanding what truly provides them value before we kind of went out and math broadcasted that message.” Current customer acquisition is “entirely founder led sales” leveraging the 200+ discovery conversations plus old customers and colleagues. Broadcasting a message before you can articulate what repeatedly drives value wastes budget and dilutes your positioning before you’ve earned the right to a clear market position.