Product-led growth is one one of the most discussed topics in the startup world, as the market capitalization of public companies using the growth tactic has skyrocketed in recent years.
It is no different in the cybersecurity space. Why? To find out, I analyzed over 800 products from over 600 vendors using information from open sources, including Google, Gartner, CB Insights, and startup/vendor lists from various sources.
The focus was on security products, not service providers, except for those companies that have “productized” their services, that is, they offer them as a bundle of products, priced transparently per user, with the ability to to register online, etc.
Of the 824 products reviewed, 151 can be described as product driven.
The following map summarizes the state of product-driven growth in the cybersecurity industry.
The categories are intentionally broad; explanation of what was included in each category is provided below. Some companies have product offerings that fall into multiple categories; I have also tried to reflect them on the map.
The companies featured here are at various levels of PLG maturity: while some have followed a product-driven growth strategy from inception, others have changed or are still in the process of changing from being sales-driven to PLG.
Companies that do not embrace ideas of openness and transparency will be pushed out of the market.
Trends that define the adoption of PLG
What is pushing cybersecurity companies to adopt product-driven growth? I observed several PLG-related trends in the cybersecurity space while preparing this market map.
Traditional sales channels have become inaccessible for startups
Chief Information Security Officers (CISOs), leadership teams, and middle managers have been bombarded with marketing and sales pitches from security vendors. Selling to the highest levels of security leadership requires a large network, introductions, and a large budget for events, dinners, and other invitation-only entertainment.
These top-down product launches are not only expensive, they’re ineffective. Hundreds and thousands of vendors trying to showcase security tools and solutions to security leaders can lead to “vendor overload.”
Security startups have limited resources and can’t afford “eat and drink” CISOs, and don’t have the brand recognition to cut through the noise of vendor overload. With this, entrepreneurs are forced to find new ways to acquire customers that allow them to build businesses with reasonable economic units and the ability to grow. PLG enables companies to lower the cost of customer acquisition, bringing the total cost of revenue as close to zero as possible, enabling hockey stick growth.
Value is a factor that defines whether a certain segment can be targeted by products.
Not all product categories in cybersecurity have the same opportunity to benefit from the unitary economics and growth potential that PLG enables.
The factors that ultimately define whether a given segment can be targeted by products are how tangible the value of the product is and how long it takes for a user to fully realize the value a product in question brings (“time to value”).
First, the value of the product must be well defined and easy to understand. In other words, a person using the product should be able to easily tell the difference between “before” and “after”.
Developer-focused products and tools for technical security professionals have a clear advantage here, as they solve very specific problems in their users’ experience, as opposed to segments like endpoint detection and response (EDR) that sell “security “in a broad sense. Being able to see the value of the product is not enough; speed matters so much. For example, if it takes months to see that the product has staved off ransomware, people are unlikely to upgrade to the paid version after 30 days.
One way to communicate the value of the product is to visualize the metrics that best describe it. For example, an antivirus might send a daily notification of the number of viruses removed, while a compliance management tool might provide a dashboard of the number of compliance violations detected during the week.