Snyk, from first check to leader in dev-friendly open source security

We are thrilled to announce our investment in Snyk, which is a developer-first security solution that helps companies use open source code and stay secure. We couldn’t be more excited to be leading this new round of capital again with Canaan Partners and including Heavybit, FundFire, and Peter McKay (Co-CEO of Veeam) (see TechCrunch for more coverage).

Our initial journey goes way back as we were investors in Guy Podjarny’s previous company, Blaze.io, which sold to Akamai in 2012. For the next few years we collaborated on several co-investments and what ultimately attracted us to Guy’s new company (along with co-founders Danny Grander and Assaf Hefetz), was their bold vision to create a new platform for securing open source components with a dev-first focus. At the time we seeded Snyk in late 2015, open source library usage was growing significantly and solutions were either security first which slowed down dev or dev first but not with enough security built in. With the movement towards continuous integration and deployment, it was clear a new solution was needed.

In a little over two years, Snyk has gone from “founder market fit” to “product market fit” and this new round will allow the company to build out its product offering and expand its Fortune 500 customer base.

With over 120,000 developers using the platform, 100,000 projects protected, 350,000 downloads per month, and notable partnerships with Heroku, JFrog and Microsoft Sonar, Snyk has proven that it can get developers to fully adopt a security solution, and has shown the importance of having the strongest database of known vulnerabilities in open source.

Funding rounds are always a great opportunity to look back and see how the company’s initial thesis has held up and what has improved or changed. See below for Snyk’s initial vision from late 2015, much of which remains the same today; developer velocity increasing, security isn’t dev-friendly, how do you bridge the gap, esp. in open source world where much of it is third party code.

There have clearly been some tweaks to the model since then, but what is most exciting for us is watching Snyk go from idea and vision in a non-existent market to one where the question of how developers are securing open source components is becoming mainstream. And given some high-profile security breaches like Equifax in Sept. 2017, which was due to unpatched open source vulnerabilities, you can see why solutions like Snyk’s are gaining rapid adoption.

While the need for dev-friendly open source security may seem obvious today, especially with the stats above, how did we frame our initial investment? Here’s what got us excited back then, much of which has come to fruition in the 2 years since:

  1. Solving a huge pain point in an emerging but potentially massive market — we were witnessing the move to continuous integration and deployment spreading to the enterprise combined with the growth of open source and third party components; the thinking was that if you could make it dev-friendly then it could be a massive business
  2. Dev first business model with budget from security — we love bottom up, organic models but always question where the bigger budgets are coming from, and what we saw in Snyk was an opportunity to go bottom up with developers and then access the security budget for bigger dollars.
  3. Founder-market fit — GuyPod previously was Chief Architect at Sanctum/Watchfire Security, developers of one of the first web-app firewalls, ultimately sold to IBM. Danny Grander had significant security engineering experience starting in the IDF where he met Guy and into Skybox Security and as CTO of Gita Technologies. Assaf had a Sr Research role at Skycure which Symantec bought last year. This team had the technical and product skills and understanding to go after this opportunity.
  4. Repeat founders — we are always thrilled when founders we backed previously give us the first shot to invest in their new company. In this case, we had backed Guy before when he co-founded Blaze.io which was sold to Akamai. He eventually became CTO of the Web Experience Unit at Akamai.
  5. We like to work with founders well before they leave their current role and start a new company. In Guy’s case we had regular dialogue over a couple year timeframe to both brainstorm and also vet the idea with our Fortune 500 relationships. We also introduced Guy to fellow founders like Tom Preston-Werner from Github (see blog post on Snyk) to help refine the story.
  6. Time to value — incredibly easy to get up and running, authenticate via github, bitbucket and Snyk starts scanning, monitoring, and suggesting fixes
  7. We love being able to help accelerate time from “founder-market fit” to “product-market fit”, which we accomplished by helping Snyk secure some of their early on-prem Fortune 500 customers.
  8. We are purpose built to double and triple-down in our portfolio as they hit milestones and scale their GTM team.

Once again, we couldn’t be more excited about leading this new round of funding and look forward to continued success for the team.


Blurring lines in enterprise SaaS; the race to own customer data

I’ve written before about the competitive nature of SaaS and the amount of entrants in every category.

Lately after every conversation, I feel like the world is being divided into two camps and there is a massive battle going on in terms of who is going to own them and how. To oversimplify, I’ll call it pre-customer and post-customer domination. And there are companies looking to blur both of those categories as well.

It’s pretty hard to create a new system of record these days as Salesforce, Marketo, Gainsight and the like are building tighter lock-in around their products. That’s not to say it can’t be done as those companies have larger fish to fry, mainly huge enterprise customers and $1mm + deals. Opportunities abound in the SME (small, medium enterprise), and we’ve seeded a number of founders going after that space.


boldstart in 2016, enterprise tech in 2017 year in review, outlook for enterprise tech in 2017

2016 was a banner year for boldstart, and we could not have achieved any of this without the amazing support of our boldstart family and the founders who have given us the opportunity to invest in and partner with them.

Before diving into the standard year-end predictions on the enterprise, I thought I would share some data on our firm and our founding teams from 2016:

  1. we welcomed 9 new enterprise founding teams to the portfolio including Workrails (started by venture partner Jeff Leventhal), BigID, Hypr, Init.ai, and 5 stealth companies
  2. Thematically our new investments include 5 infrastructure/dev platforms, 3 security, and 2 SaaS; 4 are using some form of AI or machine learning; geographically 4 are in NYC, 3 Bay Area, 1 Canada, 1 Chicago
  3. 8 of our portfolio companies raised follow on Series A rounds with > $70mm raised and an average size of almost $9mm — announced rounds include Kustomer, Robin, Emissary, Replicated and Front — geographically 2 in NYC, 3 Bay Area, 1 Canada, 1 LA, 1 Chicago
  4. 4 of our portfolio companies raised Series B financings with close to $70mm raised and an average financing size greater than $17mm — announced rounds include security scorecard, handshake, and wevr — geographically 2 in NYC, 1 LA, 1 Canada
  5. fund iii had an oversubscribed closing of $47mm


our journey to an oversubscribed fund iii for first check enterprise boldstart closes $47mm fund iii for first check, enterprise founders

 

This is a story about starting an enterprise seed fund called Boldstart in 2010 and our journey in enterprise since 1996. Despite our firm being a little over 6 years old, our individual stories go further back. We each independently fell in love with enterprise software 20+ years ago as seed investors (cos like gotomeeting/Citrix, greenplum/EMC, liveperson/IPO LPSN) and founders (workmarket, onforce/Adecco, spinback/buddymedia/salesforce) and are now benefiting from the ecosystems, knowledge and network that we’ve collectively developed.

What seemed like a big bet in early 2010 was only us pursuing our passion. Our goal was to be the best first check partner for enterprise founders, bringing the value add of a VC firm while moving with the speed and conviction of an angel investor. We set out to build boldstart at the height of mobile app mania and viral growth and were faced with questions about our focus on enterprise and NYC. At the time there were only a handful of micro-VCs in existence, and despite going against the tide, we felt that the opportunity to build the first and best enterprise seed fund was a dream worth pursuing.

Today, we are super excited to announce our final close of $47mm for fund iii. This was oversubscribed from our initial target of $30mm.


The 4 Kinds of Series A Rounds in Enterprise roadmap for understanding how to go from seed to Series A

A wise VC once told me when dinner is served, you eat. When it comes to fundraising, I’ve learned that if someone is trying to invest now, you should strike while the iron is hot. Given that the headwinds are getting stronger, we at boldstart have been advising all of our portfolio companies to raise as much as they can as soon as they can and to make sure that every dollar spent has a real ROI.

Related to this, the question I am often asked is “what metrics do I need to hit” to get that next round. While super important, I always like to understand where the business is in its lifecycle before answering. Having spent the last week in several meetings with startups going from seed to A, I thought I would break down the various types of A rounds and the major ??? to success:

The 4 kinds of A rounds:

  1. No A round. Sucks. — self explanatory
  2. Vision A round, super hard — raise on the promise and pre-launch, on the vision, huge market with the killer team that can build and scale. sometimes easier to raise on the promise and the expectations of amazing success than after the launch
  3. Metrics A round, easier — killer metrics, repeatable growth and predictable sales model, used to be $80–$100k MRR/$1mm ARR, the bar is rising…
  4. Hybrid A, toughest — this is where you are between 2 and 3 and the hardest to get done.


One VC’s take on NYC and Enterprise Tech enterprise tech in NYC on the rise!

When Willie Sutton, the prolific bank robber, was asked why he robbed banks, he answered, “because that’s where the money is.” When asked by investors in early 2010 why we were starting a seed fund focused on enterprise and leveraging NYC, I answered with Willie’s quip but also said, “because that’s where the customer-driven talent is.” One of the key criteria for successful enterprise investing besides team, product, and huge markets is ensuring that you invest in a “must-have” and not a “nice-to-have” solution. When companies are born out of real pain, more often than not this criterion is wholly satisfied!

I bring a unique perspective to this conversation having been a VC based out of NYC for the last 19 years (wow — am I dating myself!). While I have had my fair share of failures, I have also been a first round investor in many enterprise successes both in and outside of NYC, including leading or seeding the first round in LivePerson (NYC, current market cap of $650mm), Greenplum (sold to EMC, now Pivotal), GoToMeeting (sold to Citrix, now Citrix Online doing over $600mm+ revenue), Divide (NYC, sold to Google), blaze.io (sold to Akamai), GoInstant (sold to Salesforce.com) and a few others.

Necessity is the mother of invention

As I think about common characteristics of great enterprise startups that I have had the pleasure to work with in NYC, I think about entrepreneurs building companies based on great pain, a deep understanding of the customer problem because they are customers themselves, and from that, using their computer science backgrounds to engineer a better and more scalable solution. Many of these great founders are simply hidden in larger companies, developing software for non-tech firms and functioning where tech is more of a support role versus front and center in terms of driving revenue growth. This is much different from entrepreneurs leaving established software vendors wanting to create a bigger, better, and cheaper mousetrap with a “great technology in search of a problem to solve.” While starting with a customer pain is great, the big question for many of these startups is whether or not this pain is a one-off or a market problem that is massive enough to attack.

Success Breeds Success

Divide


When we first met Andrew Toy and Alex Trewby in mid-2010 they were VPs Wireless at Morgan Stanley and experiencing a huge pain point — employees were bringing in their iphones and android devices for personal use while still using their blackberrys for corporate purposes. Like any great entrepreneur, they asked the question, how do I solve this problem with software and allow companies to have the peace of mind and security policies needed for them while also allowing employees to use their existing devices. The challenge was to create a separate sandbox that could be easily used and understood. Rather than forking off android, Andrew and Alex built an App, something consumers could easily understand and yet make it easy for huge enterprises to deploy. The big bet in 2010 was that we would move to a BYOD world and that Android would become a dominant mobile platform (at that time, it was a big bet!) Hence Divide was born and 4 years later sold to Google and now branded as Android for Work with a stated goal of being on a billion devices. Pretty cool for two ex-technology execs at a financial services firm!

Security Scorecard


We first met Alex Yampolskiy and Sam Kassoumeh in mid-2013. They were both formerly Chief Security Officers at Gilt Groupe and were experiencing major pain in their day to day jobs. They were in charge of auditing the security of every vendor that touched the Gilt platform and all of it was done manually through intensive Q&A and when in doubt, via an expensive security audit from a consulting firm. As Alex and Sam spent many cycles on this method, they asked themselves if they could continuously scan the security of their partners in a non-intrusive way. It was already clear that software was moving to the cloud but less certain was the belief that a company is only as secure as its least secure partner and continuous monitoring would be imperative. From this, security scorecard was born. SecurityScorecard provides precise global threat intelligence and risk awareness continuously and non-intrusively so businesses and their partners can collaboratively predict and remediate data security issues. Fast forward 15 months from the initial seed round, and they have landed several large customers and closed a $12.5mm Series A with Sequoia Capital, founding investors in some phenomenal, multi-billion dollar security companies — netscreen, palo alto networks, and fireeye.

I could go on and on about many other great enterprise companies in NYC, but you get the point — find a massive pain that you are experiencing and living with first hand and create a software solution around this. It is this unique understanding of the customer that we will see time and time again as new enterprise-related startups in NYC are launched. It is also this deep domain expertise and understanding of the customer that will allow many enterprise startups in NYC to flourish, especially as we live in a cloud-based world where switching costs are not as high as they once were.

Bottom Line

The idea of NYC enterprise startups succeeding should no longer be a laughing matter. We have great entrepreneurs, companies, talent, and investors ready to capitalize on Willie Sutton’s vision — NYC is where the money is (see Jonathan Lehr’s great overview on NYC Enterprise Tech). We at boldstart ventures feel quite fortunate to be invested in a number of enterprise related startups in NYC like security scorecard, divide, truly wireless, handshake, yhat, and bowery.io and are excited about the future of enterprise tech in NYC. We have seen more success stories in the last 3 to 4 years versus the 10 years before that, and we expect this rapid innovation to continue. While many of these companies are engineers coming from large Fortune 1000 type companies here in NYC, we are also increasingly seeing founders leaving the more established tech companies like Google, OnDeck Capital, and Gilt to pursue their dreams.

As I write this I am wondering who the next entrepreneur will be that is hidden in the bowels of a more established company, feeling massive pain every day, and ready to launch the next unicorn like MongoDB. Is that you?

(reprinted from my post at Medium)

What founders can learn from Jeff Spicoli you don't have to have all of the answers

I know I may be dating myself here, but over the past few weeks I couldn’t help but think about the movie Fast Times at Ridgemont High and one of the standout characters, Jeff Spicoli.  When asked by Mr. Hand, his teacher, why he keeps coming late and wasting his time, Spicoli answers, “I don’t know.”

In several meetings with founders during the past few weeks, they would have been better off answering like Spicoli rather than giving me some hollow answer.  I want to make it very clear that I don’t expect founders to have all of the answers, especially in the early days as startups are a series of hypotheses that need to be tested.  In fact, many questions I have may not have an answer today so “I don’t know” will be the best answer. My one caveat is that the “I don’t know” is followed by a how might you figure out the answer or a when might you figure it out.  This line of questioning is really just another way to test how you think and determine how our working relationship might be were I to invest.  I would rather have the honest “I don’t know but I’ll figure it out” than a made-up answer that will never allow you or your investors to really understand what is driving your business.

Reflecting on passed investments important to look back and discover patterns on your decision making

Every 3 months I dig through my “passed company” folder to look at what investment opportunities we passed on and why.  Inevitably, there are a few companies that are near-misses, but we end up passing on for whatever reason.  Did we pass because we didn’t think the team was great or because we didn’t believe that they could get a product launched?  Did we pass because of lack of traction in the beta release or because of concerns on valuation?  Looking at my “passed company” folder gives me an opportunity to test our reasons on passing and to see 3 months later if the entrepreneurs could actually execute or prove our concerns wrong.

While many times I find doing this reflection further confirms our reasons for passing, I also find myself from time to time sending a follow-up note to check in on these near-misses or doing a quick Google search to see how the company has progressed since our last communication.  Inevitably, there will be a few that “got away” and seem to be doing quite well.  No one is perfect and looking back every quarter gives me an opportunity to better hone my investing acumen and further refine my understanding on what separates a potential winner from a loser.  Many times we are so busy that we can only look forward to the next new thing or next hot deal, but I encourage you to occasionally take a step back, look in the rear-view mirror, and learn from your past history.  I promise you that this reflection will only make you a better investor in the long run.

Standard investor update for startups great starting point on how to communicate with your investors

I remember when we hired a new CEO for one of our portfolio companies and my tip to him was to overcommunicate.  We had a few large VCs on the board and a number of high-profile angels that could also help in various ways.  His job was to keep everyone up-to-date but also to know how to get help when he needed it and from whom.  Given today’s excitement over seed investing it is not uncommon for many of today’s entrepreneurs to have 5-15 investors in any given round.  How you effectively communicate with your investors is an important priority that if done right will give you major value add while also not taking too much of your time.

In order to help our new CEO, I reached out to all of the other investors, and we all agreed that if we all spoke to him a few days a week about the same information that he would not have time to run his business.  In addition, this would be redundant for the CEO since most investors were asking for the same basic information.  In the spirit of streamlining information flow, we worked with the CEO to put together a weekly email to provide us with the key metrics the company tracked along with departmental updates on key high priority projects.  We weren’t asking the company to create something they shouldn’t already have (key metrics, departmental priorities, cash balance) but rather we just wanted the data shared on a timely basis.  Over time, we all found that when we did speak with the management team that we did not have to spend a half hour gathering information but rather we could get right to the point and actually discuss the whys or hows on certain sales numbers, metrics, or prospects.  In the end, we were all much happier and more productive since we had the same baseline of information and could focus our energy on productive and deeper conversation on the business strategy rather than gathering basic data.

Over the last 6 months I have made a number of seed investments and have shared the following company update with them. Each CEO has had their own minor tweak but this should give you a sense of what investors may be looking for and how it can help you streamline your communication and focus on how to extract value from your many investors.  If you choose to update weekly then obviously it will most likely be a shorter piece with maybe only the cash burned and current cash on hand as the financials.  If you choose to send out a report monthly then it may be more like the form I have uploaded on docstoc.

One other important note I forgot to highlight is that many companies I invest in are web-based and therefore many of them have real-time metrics I can track.  Michael Robertson who started Mp3.com and Gizmo5 (sold to Google Voice) had one of the best real-time dashboards for tracking his business.  I could see number of downloads, minutes used, new paying customers, etc. whenever I wanted to by logging into the system.  Other companies have created an investor wiki or use status.net (full disclosure: a BOLDstart seed investment) or other communication platforms for investors to share ideas and information.  I imagine this will only get better in the future.

Anyway, enjoy and I hope to hear some feedback on what is missing or what may be too much information.