Since we Last Spoke: StackHawk’s CEO Joni Klippert on Helping Developers Secure Code as They Write It
Last month, Sapphire invested in StackHawk, a cybersecurity startup that’s revolutionizing how developers secure their code. In short, StackHawk brings together DevOps and cybersecurity in the open-source world, and is taking a brand new approach to an existing sector of security called Dynamic Application Security Testing (DAST). With its platform, StackHawk enables software developers to make sure that the software code they’re producing is secure as they’re writing it, and prior to release.
The way StackHawk attracts customers is also unique. As a product-led growth company, they’ve been able to show value to users in just 15 minutes. That is challenging and rare in the security space, where products are often complex, time consuming and expensive.
I’ve had the opportunity to speak with StackHawk founder and CEO Joni Klippert many times during the past year. I find her story to be especially interesting, so I sat down with her recently for a quick Q&A. Here’s more on why Joni decided to start StackHawk, the company’s journey to date and details on the company’s new Free Plan that’s helping to lower the “Security Poverty Line.”
Why did you decide to start StackHawk?
I’ve spent my entire career grooming to be ready to start a company (whatever “ready” means).
After completing my MBA program, I launched a career working at various technology companies with a focus on customer development and product for early stage startups. At each of those companies, I was focused on making a part of the software delivery lifecycle more efficient–building tools for software engineers. Over the years, I amassed a great deal of DevOps industry knowledge.
That experience brought me to VictorOps, a startup I joined at the seed stage. As I helped build the business from the ground up, I knew I wanted to do it again, but next time as the founder and CEO. After VictorOps was acquired by Splunk in 2018, I was in a position to take on the personal risk of starting a company.
After the VictorOps acquisition, I spent a couple of months interviewing industry experts to find the right market opportunity. A mentor told me “leverage your unfair advantage.” That meant using my knowledge of DevOps to address a gap in the market. I wanted to further create efficiency in modern software delivery and build a product that focused on the end-user (developer) first.
During my many conversations, I started to zero-in on the challenge of automating security in the development process. Interview after interview I heard the same thing–annual security audits were not enough in a world where we deploy software to production many times per day. People were no longer satisfied with point-in-time value for their security solutions. The market needed something that was easy to automate into CICD and that checked for security bugs with every release.
I set out to build exactly that: A tool that would “shift application security left” by giving developers the power to test for vulnerabilities before production.
What is going on in the industry right now that’s driving demand for a solution like StackHawk?
DevOps has fundamentally changed how we build software. In 2009, when Flickr announced that it was deploying software 10 times per day, that seemed like insanity. But now, it’s the norm and DevOps is no longer cutting edge.
But when it comes to security, DevOps hasn’t kept up. Today, most software in the security market seems unaware of modern software delivery and is still driven by manual, infrequent processes like penetration testing (pen testing) and audits. There is no way for manual security processes to meet the speed of DevOps–no matter how many job openings we post, or teams we create. Manual testing will always be the bottleneck in an otherwise automated software delivery lifecycle.
Both users and end-customers deserve better.
Can you talk a little bit about your journey since starting StackHawk?
My journey since starting StackHawk has been focused on three key areas: team, tech and customers.
Team: I have been building relationships with the investment community since I started working in tech in 2010. I am fortunate to have a strong syndicate of investors that supported StackHawk’s first Seed Round in July 2019, and our most recent addition, Sapphire Ventures, who led our Series A in October of this year.
Scott’s experience building security organizations at companies like GoDaddy and SendGrid has given him the ability to approach AppSec understanding developers and security teams. His ability to reconcile two different points of view is invaluable as we build out our platform.
I worked with Ryan previously at VictorOps, where he rose through the ranks of data and analytics to eventually run all of marketing. He is a positive, upbeat work-horse who is a key reason we have been able to scale our go-to-market efforts so quickly.
As we’ve grown, we have assembled an experienced, hardworking, dedicated (and unbelievably funny) team. It’s great to see everyone learning from one another and having a great time building out this product!
Tech: When it came time to build a product that would shift security left, we quickly realized that Dynamic Application Security Testing (DAST) was a gaping hole in the market that needed to evolve.
We set out to build a DAST platform that would:
- Be dead simple to configure and run
- Handle modern applications
- Have clear, prioritized, highly actionable output
- Integrate into an existing CICD workflow
We realized we could bring a product to market much faster if we relied on available open source tools as the underlying scanning technology for our platform. We chose OWASP ZAP as our underlying technology and built enhancements that streamlined ease of use. Shortly after we began working with ZAP, we met the project’s founder, Simon Bennetts, who went on to join our team.
Since we released our first Beta, we have been relentlessly executing against our initial vision. We have been cutting new releases every week including a GA in September of 2020. We also just launched a Free Tier of our platform. Now any engineer can quickly test the security of their application or underlying microservice without spending a dime.
Customers: It’s one thing to have a vision and execute on a product. It’s another to see your customers believe in and use the product as you had intended. At StackHawk, most of our customers are running our technology on every pull request/merge. They check for AppSec bugs in the pipeline, on microservices. This means new bugs are easy to identify and fix, and critical bugs never make it into production.
As our Beta testers have been converting to paid users and inbound interest continues to grow, we feel confident that the platform we have built truly serves the needs of developers.
When a developer starts a trial of StackHawk, they average about 15 minutes from signup to first completed scan of their application. This time-to-value is unheard of when it comes to security products. We’re excited to continue to invest in product-led growth and offer customers quick value in a world of bloated, over-priced security products that take months of managed services engagements to roll out.
What are you looking forward to as you move into your next phase of growth?
We are laser-focused on going to market with a strong product and value proposition.
Seeing that come to life so far has been amazing. We are excited to iterate and improve as we build a product with unparalleled value in the CICD pipeline. We look forward to continuous improvement of our scanner’s capabilities and providing more integrations for development teams. It’s our goal that the platform will fit seamlessly into any pipeline.
As we build out the StackHawk platform, we have also been working to assemble the right pieces for our go-to-market engine. We are refining messaging and targeting, as well as building out our sales and marketing teams. But we know driving adoption doesn’t stop there! As a company, we are embracing product-led growth. Our entire organization–from marketing, to sales, to support, to development–has to work together to delight our users and drive conversion.
Lastly, we look forward to investing in and growing the ZAP community. With Simon on board, we have a direct link between our two organizations and finding ways to leverage this is a big focus for us going forward. Whether it is through direct contributions back to the open source or helping teams scale ZAP utilization by layering in StackHawk, we know there is so much opportunity to work together.
Why are you excited to partner with Sapphire Ventures?
There are so many reasons to be excited about partnering with Sapphire Ventures!
Sapphire has amazing experience in working with many security- and developer-focused companies. Current investments like Auth0, Uptycs and InfluxData, as well as exited companies like JFrog (NASDAQ: FROG) and Sumo Logic (NASDAQ: SUMO) show Sapphire knows the industry, and knows it well.
And with that expertise comes knowledge of the right partners. We have only been in the Sapphire portfolio for two months, and the firm has connected us with incredible people. From other founders, to press contacts to later stage investors, Sapphire gives access to people who provide incredible value to our business.
Last but not least, Sapphire is made up of some of the kindest people in the VC community. From the partners to the portfolio growth staff and the operations team, I feel lucky to have such a warm, welcoming, supportive team helping StackHawk reach our goals.
Are you doing anything to help companies get started with StackHawk given the current economy/these unusual times?
Part of our goal with StackHawk is to “lower the Security Poverty Line,” no matter the circumstance. Beginning a security program has traditionally meant hiring a leader of the function, having them build out a team and investing in enterprise security tools that are out of the reach of most companies.
At StackHawk, we just announced a Free Plan that allows companies to get started with application security testing for a single application. From there, we offer really friendly pricing that supports the idea of an entire engineering team using the product (10 seats for a single team) and up to 10 applications as most of our customers are modern development teams that want to be scanning microservices rather than parent domains.
We also offer a deep discount for startups. Companies need to meet the criteria, but then it’s only $79 per month for a single team plan. There is no excuse to not start scanning your apps for security vulnerabilities at that price! And as always, we are free for open source projects.
We want all of our customers to feel that StackHawk is here to support them. For early stage companies, we want to help them in shoring up the security of their applications. Established companies that may be using an incumbent vendor have the opportunity to substantially save on their annual spend.
Disclaimer: Nothing presented within this article is intended to constitute investment advice, and under no circumstances should any information provided herein be used or considered as an offer to sell or a solicitation of an offer to buy an interest in any investment fund managed by Sapphire Ventures, LLC (“Sapphire”). Information provided reflects Sapphire’s views as of a time, whereby such views are subject to change at any point and Sapphire shall not be obligated to provide notice of any change. Nothing contained in this article may be relied upon as a guarantee or assurance as to the future success of any particular company. Companies mentioned in this article are a representative sample of portfolio companies in which Sapphire has invested and which the author believes fit the objective criteria stated in commentary; they do not reflect all investments made by Sapphire. A complete alphabetical list of Sapphire’s investments made by its direct growth and sports investing strategies is available here. Various content and views contained within this article represent those of third party guests, which do not necessarily reflect the views of Sapphire. Such views are subject to change at any point and do not in any way represent official statements by Sapphire. Various statements made by third party guests about Sapphire relate to the nature and type of management services provided by Sapphire and do not constitute testimonials to Sapphire’s investment advisory services, and no inference to the contrary should be made. Sapphire does not solicit or make its services available to the public and none of the funds are currently open to new investors. While Sapphire has used reasonable efforts to obtain information from reliable sources, we make no representations or warranties as to the accuracy, reliability, or completeness of third-party information presented herein, which is subject to change. Past performance is not indicative of future results.