The Front Lines

Why Product-Led Growth Fails in Cybersecurity: Lessons from CrowdSec’s Success

Why do cybersecurity companies struggle with product-led growth? CrowdSec CEO reveals why industry giants can’t adapt and how his startup reached 110,000 users through PLG.

Posted on November 10, 2024

Written By: Brett


Product-led growth (PLG) has conquered SaaS, but cybersecurity remains stubbornly resistant. In a recent episode of Category Visionaries, Philippe Humeau, CEO of CrowdSec, explained why most cybersecurity vendors can’t crack the PLG code – and how his company succeeded where others failed.

The PLG Paradox in Cybersecurity

“PLG is comfortable when you’re a small company,” Philippe explains. “I don’t know how doable it is when you’re a larger one.” This observation cuts to the heart of why PLG struggles in cybersecurity: the industry’s success is its biggest obstacle to innovation.

Why Giants Can’t Pivot

Established cybersecurity companies face a crucial barrier to PLG adoption: they’re too busy succeeding. As Philippe notes, “For once they are overloaded. There is so much business around that they are very occupied.”

This success creates inertia. Even when larger companies try to embrace user feedback, their size works against them. Philippe illustrates this with an example: “Even at places like CrowdStrike or Sophos, they are listening to the feedback of their users. But if you can tell like, okay, it will be in the next release next week. No, come on, it’s going to take months.”

The problem isn’t desire – it’s physics. As Philippe explains, “It’s easier to do when you’re a startup and you’re creating a new product than when you’re a Cisco and you have like 10,000 different products. It’s just not possible.”

The Speed Requirements of PLG

What makes PLG so challenging for established players? According to Philippe, it’s about speed and responsiveness: “It’s all about listening constantly to your user and modify the product only based on your user feedback.”

This requirement for constant iteration creates an insurmountable barrier for large organizations with complex product portfolios and established release cycles.

How CrowdSec Made PLG Work

While others struggled, CrowdSec successfully implemented PLG in cybersecurity. “It’s absolutely PLG,” Philippe states. “Our clients are mainly in the first place, our users. We are an open source company, an editor.”

Their approach combines three elements:

  1. Open source foundation
  2. Free tier accessibility
  3. Community-driven development

The results speak for themselves: “We rounded probably 110,000 installation in two years. And we are going toward a million,” Philippe shares.

The Network Effect Advantage

CrowdSec’s PLG success stems partly from their network effect strategy. As Philippe explains, their value proposition increases with each new user: “If they collaborate together, even though indirectly through us, they will all get better protection and somewhat for free.”

This creates a compelling reason for users to join and stay: “There is really a free tier that is exceedingly generous in our offer. So you can get protection for free just because you’re part of it.”

Building Value Before Revenue

Unlike traditional cybersecurity companies, CrowdSec prioritized network growth over immediate revenue. “We’re not even planning on making money at that stage,” Philippe recalls telling early investors. “We just plan on expanding our network exponentially and then we will make money because the value of the signal getting out from the network will be worth a tad.”

This approach required investor education. As Philippe notes, “Bringing an open source company to the market is not easy already because you’re telling the investors, guys, we are giving something for free. But trust me, we have a plan.”

Lessons for Cybersecurity Startups

CrowdSec’s experience offers valuable lessons for cybersecurity startups considering PLG:

  1. Start with PLG – don’t try to retrofit it
  2. Build network effects into your product architecture
  3. Focus on rapid user feedback and iteration
  4. Be prepared to delay monetization for growth
  5. Find investors who understand network effects

The Future of PLG in Cybersecurity

While PLG may remain challenging for established cybersecurity vendors, CrowdSec demonstrates that it can work for startups willing to take an unconventional approach. The key is starting with PLG rather than trying to transition to it later.

For the cybersecurity industry, this suggests a potential bifurcation: established players will likely continue with traditional sales-led approaches, while a new generation of PLG-native security startups may emerge to challenge the status quo.

Success in this new paradigm requires more than just adopting PLG practices – it demands rethinking fundamental assumptions about how security products are built, distributed, and monetized. CrowdSec’s journey shows that while this path isn’t easy, it can lead to rapid growth and strong network effects in an industry traditionally resistant to both.
