19 plus one traction channels for growing a cybersecurity startup: a founder’s guide (part 1 of 3)
Ways to grow your cybersecurity startup, 100 questions to ask yourself and 100 metrics to keep in mind
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
The startup hustle
When you are a startup founder, there are millions of things you need to pay attention to. Depending on what article you are reading or what podcast you are tuning in to at the moment, you might be hearing that “product/finance/customer success/marketing/sales/technology/intellectual property/you name it is everything”.
The harsh truth is that you do need a lot to succeed. And, getting distribution channels right is one of the most critical tasks. No matter how great your product is, how much you pride yourself in offering superior customer support, or how innovative your IP might be — unless you can figure out the distribution for your product, it will die.
“Most businesses actually get zero distribution channels to work. Poor distribution — not product — is the number one cause of failure.”
— Peter Thiel, PayPal co-founder and investor.
It feels like you have millions of options, and it’s tempting to try everything — what if something works. Enter the chaotic growth efforts where people try everything under the sun, falling into the trap we often call “throw it and see what sticks”. At an early stage, you also have limited resources, so unless you find a way to focus, you’ll inevitably stretch yourself too thin and misuse your time — the most precious resource of all.
While some hustlers try everything and anything, others fall into the trap on the opposite side of the spectrum: they do nothing in the area of growth. This is especially common among cybersecurity companies where all founders are coming from engineering or security backgrounds. It’s common for these teams to focus all of their efforts and attention on building great products that solve the problems they’ve experienced really well. Once the first version is built, they move on to perfect it — after all, they know that there is so much they can do to make it even better! The problem is, as they perfect the product, they often forget that you only have a business if someone is using what you build. In other words, they fall in the “build it and they will come trap”.
To avoid both of these traps, the Bullseye framework comes in handy.
The Bullseye framework: introduction & how it works
Back in 2015, serial entrepreneurs Gabriel Weinberg and Justin Mares published a book Traction: How Any Startup Can Achieve Explosive Customer Growth where they outline ways startups can achieve explosive growth. I cannot recommend this book enough to anyone looking to launch their startup, or working in product, growth, marketing, and adjacent areas.
Using the Bullseye framework to find what growth channels will work for your cybersecurity startup is a process consisting of five steps: brainstorm, rank, prioritize, test, and focus on what works.
Before we discuss the details, I would encourage you to spend time refining who your target market is. Document your hypothesis, and make sure you understand the difference between the buyer and the user for your product, their needs, and what makes them buy/use your product. When you develop a deep understanding of the pains people in your market have, you should get closer to understanding your target market.
It’s tempting to say “we target small companies” but it doesn’t give you enough to work with. A better way to segment your customers would be to say “we target companies where security is a responsibility of a small IT team of under ~10 people, with no dedicated full-time head of security, and before they hire a technical security engineer or architect because they don’t have enough resources to do X”. This gives you much more focus and context to work with.
Let’s now discuss the five steps in the Bullseye framework.
Step 1: Brainstorm
The Bullseye framework offers 19 traction channels each startup can potentially use to achieve explosive growth. The goal of the brainstorming is to list a few examples of how you would implement this channel for your company if you were to go ahead and try it. It helps everyone in the room to put aside their preconceived opinions about specific channels (i.e., you ask “what would we do if we were to attend a conference” despite your idea that “there is no point in going to the conference”).
Before brainstorming, it’s helpful to research and reflect on what other cybersecurity companies did that has worked well, as well as what failed. It’s also important to be open-minded and look beyond cybersecurity as well — there are many great ideas you can bring into the space.
As the outcome of this step, you want to have at least three to five ideas for each traction channel.
Step 2: Rank
Before moving to the next step, make sure to have a high-level discussion around each traction channel to get a shared understanding of how each one could work for your company.
After that is done, rank all traction channels by splitting them into three buckets:
What channels seem the most promising right now?
What channels could potentially work?
What channels don’t seem like a good fit for now?
Step 3: Prioritize
Now, it’s time to be ruthless. Go over the three groups you’ve created, and
Pick the top 3 channels as the most promising
Pick other 6 channels as “could work”
All the remaining channels go in the “not now” segment
Sometimes it feels like you can just pick one channel and run with it, but testing a few options in parallel is helpful because it both shortens the time needed to validate the assumptions on a few different fronts, and also enables you to see a comparative performance of the channel. It’s great if channel A brought you five customers, but if you got 25 from channel B — that tells you a different thing compared to you getting no customers from channel B. Everything is relative.
Step 4: Test
Now it’s time to test your top three picks. Focus on getting this done as quickly as possible and as inexpensively as possible. One or two conferences, two to three blogs, and two to three events should be enough to get an idea if it’s worth your time; you don’t need 10 of each. The goal isn’t to be precise, it is to identify growth channels you want to double down on, and to do it without wasting precious resources (time, effort, and money).
Step 5: Focus
Once you have found the channel that works the best, double down your efforts on that channel. Having one clear channel to focus on is ideal, and realistically you don’t need more to build a successful company. Keep in mind that traction channels change with the stages of the company: you can get to product-market fit by getting attention via speaking engagements, but to grow you will want to build community and focus on social ads (as an example).
The Bullseye framework is not a magic pill but it is invaluable for structuring the growth efforts and taking a scientific approach to identifying what works.
Foreword & Disclaimer
In this article, I have summarized the 19 channels for growing a cybersecurity startup based on the book by Gabriel Weinberg and Justin Mares. I have added one more channel as I think the book needs updating given the tremendous opportunities product-led growth (PLG) unlocks for cybersecurity companies.
In the section that follows, you will find a summary of each channel, along with some questions to ask yourself and metrics you may want to pay attention to when testing that channel. Note that while the listed 19 channels are based on the book, most of the explanations, examples, and comments are my own and may or may not align with those provided in the book. This isn’t a book summary; I have tried to combine what I’ve learned from the Traction with my own experiences and observations, and to make it relevant to cybersecurity startups.
19 plus one traction channels for growing a cybersecurity startup
Product-led Growth
Before we discuss the growth channels discussed in Traction, I would like to briefly highlight the channel I am a big proponent of, namely product-led growth (PLG).
Product-led growth (often abbreviated as PLG) is a “company mindset in a broad sense and a go-to-market strategy that defines a product as the main vehicle for business growth. Unlike the traditional, sales-led approach where the goal is to “close the deal” (get the customer to buy/upgrade the product by taking them through different stages of the sales cycle), PLG involves giving customers the ability to solve their problems and get as much value as possible, at every interaction with the product. They get so much value that upgrading to a higher tier becomes a no-brainer”.
You can read about it in-depth in my other articles such as this general overview as well as this in-depth deep dive and a cybersecurity PLG market map. The power of taking this approach is tremendous, and I most definitely encourage you to familiarize yourself with it.
Five questions to ask yourself if you are considering or pursuing PLG:
Can a new user visiting your website or looking at our product easily understand what problem it solves, how & for whom?
Can a new user get started with your product without having to talk to a salesperson or anyone else?
Can a new user start solving the problems they came to solve within minutes, without spending long hours to understand how your solution works?
Can a user upgrade or downgrade their product usage self-serve, without having to contact anyone & go through a heavy process?
Can a user share the value they experience using your product by inviting others or sharing artifacts of their usage?
Five metrics to track if you are pursuing PLG:
Time to Value (TTV) — the amount of time it takes new users to realize the value of your product (so-called “Aha moment”)
Virality — number of new customers each of your existing customers brings on board
Daily Active Users (DAU), Weekly Active Users (WAU), and Monthly Active Users (MAU) — number of users that engage with your product in a meaningful way in a given time
Net Promoter Score (NPS) — a percentage of users having a positive experience and willing to recommend your product to others
Free-to-Paid Conversion Rate — a percentage of users that become paid customers
With this out of the way, let’s discuss the 19 growth channels outlined in Traction.
Traditional PR
Traditional PR is exactly what it sounds like — getting coverage in traditional print newspapers, magazines, and on television. This growth channel is helpful to build a brand image; it tends to generate short-term interest as opposed to sustainable long-term growth.
There are two directions a cybersecurity startup can explore when thinking about PR: targeting general media and targeting cybersecurity-specific media. General media can be a good option for B2C companies looking to get exposure for, say, a password manager or a hardware security key. For those in the B2B space, industry-specific TV and newsletters can be a better option.
Traction was published in 2015; while it is as relevant as before, some time has passed and we live in an ever more digital world. In recent years, several studio-run podcasts and YouTube channels have become popular, including Security Weekly and The PC Security Channel which could be a good fit for startups looking to get in front of security professionals. Similarly, there is a growing list of cybersecurity newspapers and magazines which includes:
Different media have different requirements for the content they publish, but in general, coverage-worthy news includes funding rounds, acquisitions, PR stunts, and new product launches. Traditional PR tends to be overly saturated and expensive, which, combined with the vendor overload in the industry, make it not suited for long-term growth.
Five questions to ask yourself if you are considering or pursuing traditional PR:
Where do people in your target market get their news?
What media do people in your target market trust/are skeptical of?
What do you have in place to get the person who visited your website after seeing a press release or similar convert?
What type of content has the best chance to help achieve your goals?
How will you track if you have achieved your goals?
Five metrics to track if you are pursuing traditional PR:
Target Market — the number of people you can reach via select media that fit the definition of your target audience
Customer Acquisition Cost (CAC) — the amount of money it costs to acquire a customer
Conversion Rate — the percentage of people who were exposed to the material and took the action you want them to take after
Engagement — the number of shares, likes, and comments your media coverage receives
Customer Lifetime Value (CLV) — the value a company expects to capture from a customer during the amount of time it leverages its offerings (before churn)
Content Marketing
Content marketing is all about creating content that is helpful and valuable to your audience. It is not about selling or promoting your product — it is about adding value and building relationships with people in your audience.
Unlike ads which are only relevant at one point in time, videos, how-to guides, blog posts, infographics, market intelligence, and other content will be there years later generating organic traffic, engaging readers, positioning your company as a thought leader in the industry and improving your Google ranking.
Before starting on content creation, you will want to ensure you know your audience, what interests them, and what they find valuable.
Creating good content requires consistency. Ideally, you want to have someone doing this full-time. Finding people who are good at creating valuable content is hard; you can shortcut a lot of learnings by looking for folks who are already doing it on their social media. It is preferable to use your own blog instead of platforms like Medium so that the SEO gains achieved by consistent work can be fully captured by your company.
Cybersecurity is a fast-changing industry, so there is always an opportunity to create high-quality, relevant content. Companies in the space that realized that, have built great growth channels. Examples of this are the blogs by Cloudflare and Auth0 with their valuable, rich insights targeting both business and technical personas.
Five questions to ask yourself if you are considering or pursuing content marketing:
Who is the target market for your blog and what do they want to read about?
What is the purpose of starting a blog and is it achievable?
How much time and effort (resources) are we willing to invest in the blog?
How can we ensure consistency and long-term play?
How can we promote the blog?
Five metrics to track if you are pursuing content marketing:
Readership — the number of daily, weekly, and monthly views the blog gets
Engagement — the number of shares, likes, and comments your blog receives
Time Spent on Page — the amount of time users spend reading the blog
Traffic by Source — sources/channels that drive visitors to your blog
Conversion Rate — the percentage of blog readers who became customers after reading the blog
Targeting Blogs
Leveraging target market blogs as a growth channel works in the same way as running your own blog: content needs to be helpful and valuable to your audience. All other notes still apply with one solid bonus: publishing content on blogs people in your target market frequent allows you to expose a new audience to your product or service.
Guest blogging is a fantastic tool for cybersecurity startups looking to get their name out and start building the brand. To get started, Google what blogs are popular in the space you are looking to cover; a simple search like “the best cloud security blogs” or “best digital forensics blogs” should do the trick. You can also have a look at Medium publications open to featuring content from guest writers.
Once you have the list, read a few articles from these blogs to see how they are structured, or what angle they represent. Use these as an inspiration for your writing, not as a template. Armed with this understanding, start by reaching out to one or two smaller blogs with the context of why you are reaching out, what makes you interested in working with that specific blog, and what value you are ready to offer.
A few notes I would like to share as I’ve seen this reaction channel backfire:
Start by reaching out to smaller blogs; once you build your profile as a contributor, you can start approaching more known publications.
Don’t try to sell your company or your product. Instead, focus on creating content that people would be interested in reading. It’s very tempting to write “here is how company X revolutionizes the cybersecurity space” but ask yourself — how often do you read these kinds of articles? Unless you are willing to pay (which may not be the best idea for the early-stage startup), expect that the blog authors will strongly prefer expert-like content and will most likely toss in the trash anything that looks like a sales pitch.
Whenever possible, try to build a genuine relationship with the blog. It’s a small community so chances are you will cross paths with the same people over and over again. Most importantly — focusing on a relationship creates an opportunity to do something together, with “something” being of secondary importance. For example, some blogs do not publish guest contributors, so if you approach them from that perspective, you might simply hear a “no”. On the other hand, if you email the blog author, and mention which of their articles you found relevant and why, or how you were championing their approach at the X event, you can uncover an opportunity to do research or a panel talk at a Meetup together. Being open to different possibilities and focusing on relationships will get you a long way.
I can’t stress enough how important it is to do your research and only reach out to relevant blogs. If you are a startup selling to security leaders, don’t spam blogs focused on technical security problems, and vice versa. Know your audience and treat other people with respect (it’s a good idea to do this anyway, regardless of what your goals or aspirations are).
While Traction talks about blogs, I would encourage you to go broader and explore all kinds of media — blogs, podcasts, YouTube and Twitch channels, and more. There are some great creators on each of these platforms. Another way of engaging with them is through sponsorship. While not always scaleable or even available to resource-constrained startups, sponsoring creators allows you to talk about your product and the vision behind your company more directly which is not always possible otherwise (remember, nobody wants to be sold to).
Five questions to ask yourself if you are considering or pursuing target market blogs:
What content is your target audience consuming (blogs, podcasts, YouTube channels, etc)?
What are you looking to achieve by working with content creators known in the industry?
How much time and effort (resources) are we willing to invest into this?
How can we ensure consistency and long-term play?
How can we promote the media/creator?
Five metrics to track if you are pursuing target market blogs:
Readership — the number of daily, weekly, and monthly views the blog gets
Engagement — the number of shares, likes, and comments your blog receives
Time Spent on Page — the amount of time users spend reading the blog
Traffic by Source — sources/channels that drive visitors to your blog
Conversion Rate — the percentage of blog readers who became customers after reading the blog
Community Building
For early-stage startups, a community can be a strong (even the strongest) driver of growth. This is especially true for cybersecurity which is known for bringing together people looking to share, collaborate, work and learn together. Professionals in this industry tend to be very skeptical of mass marketing, but open and ready to get advice from their trusted peers which means that great communities can also amplify word of mouth.
Building a community is hard. For once, you have to be genuine and intentional, while putting away your desire to market or sell your product entirely. Good communities are about adding value and enabling people to exchange value amongst themselves.
A community is not about having a Slack workplace (I have an account with 80+ channels but most of them are dead). Many companies make the mistake of thinking something along the lines of “it would be great to have hundreds of people discussing how awesome our product is”, so they start a Slack channel or similar to build that magic place.
Many Slack workplaces I am a part of are dead but some are incredibly active. For example, the Cybersecurity Marketing Society has a very engaged community and a Slack channel for marketers in the industry; Atomic Red Team and Wazuh have great Slack workplaces as well while Black Hills Information Security built an incredible community on Discord. While open-source projects tend to use their community channel for support, startups & security companies who have succeeded in building great communities tend to have people on the team fully focused on this work.
If you think that creating yet another Discord or Slack channel is going to get people to flock to you, you are most likely wrong. For a community to thrive, it needs a strong why, a reason to exist, and something that will differentiate it from hundreds and thousands of other places people can choose to pay attention to. It needs to offer value to the participants (content promoting your product is not going to cut it).
While platform choice is important, what’s much more important is how the community is built:
Engage members in a conversation; discuss problem space and build a relationship
Keep it active at all times (the best way to make sure that no one will engage is to bring people into an empty channel with no messages in the past month)
Remember that the point of the community is to give value away, not extract it
Things like regular Meetup-style events, sending swag, having weekly calls, and highlighting community members can work well
Encourage people to ask questions and participate; create dedicated channels for different topics
Actively marketing your product or service will kill the community and drive people away; whoever will be interested will check what you offer and ask questions anyway
Five questions to ask yourself if you are considering or building a community:
In what ways would having a community add value to your product or service offering?
What value will you offer to the community members & will it be enough to attract people?
What value are you looking to capture from the community?
How much time are you willing to dedicate to growing the community consistently?
How much control are you looking to exercise over the community & what are the limits of what can be discussed? (Can people recommend competitors, etc?)
Five metrics to track if you are building a community:
Number of community members — number of people in the community
Member Growth — number of new members who joined the community in a given period
Daily Active Members, Weekly Active Members, Monthly Active Members — number of users that engage with your community in a meaningful way in a given period
Engagement — the number of shares, likes, comments, and posts by your community members in a given time
Conversion Rate — the percentage of community members who became customers
This is part 1 of 3 of the 19 plus one traction channels for growing a cybersecurity startup: a founder’s guide. Other traction channels will be covered in the subsequent articles — please subscribe to not miss them.