Breaking all rules: Bit Discovery’s journey of designing a perfect acquisition target and exiting in 3 years
And all that - while solving an impactful problem for security leaders and practitioners
Regular readers of Venture in Security know that I typically talk about building ambitious, massive-scale companies to tackle large, systemic problems with high potential to reshape an industry and the way it operates. They also know that I am a huge fan of business, venture, and economic models, especially those that do not fit into the traditional definitions of things. In the past, I discussed a unique model of Gula Tech Adventures - an impact hub that simultaneously plays the roles of a venture capital firm, a charitable foundation, and an advocacy group, to name some. All the components of Gula Tech Adventures are designed to work together and amplify one another to transform the cybersecurity industry in a way no other institution can.
In this piece, I am talking about the model of Bit Discovery, a company built to solve an impactful problem, and purposefully designed to be acquired. In one of the previous articles, I shared some thoughts about the chances of a cybersecurity startup going public, and how founders can be more thoughtful when thinking about exits. I have also talked about the shortage of cybersecurity founders building companies, not features or products. In this story, I am doing a 180-degree shift and looking to answer a simple question: “If a founder were to optimize for a single outcome, a successful acquisition, what would be the best ways to make it happen?”.
A huge thanks to Jeremiah Grossman, founder of WhiteHat Security & Bit Discovery and now Managing Director at Grossman Ventures for sharing his learnings.
Over 2,750 copies of my best-selling book “Cyber for Builders: The Essential Guide to Building a Cybersecurity Startup” have been distributed to readers so far. Jeremiah Grossman, founder of WhiteHat Security & Bit Discovery, who contributed to this piece, has also written a foreword to the book. This book is unique as it talks about building cybersecurity startups. It is intended for current and aspiring cybersecurity startup founders, security practitioners, marketing and sales teams, product managers, investors, software developers, industry analysts, and others who are building the future of cybersecurity or interested in learning how to do it.
Bit Discovery: goals, origins, and final outcome
Bit Discovery, a company started by world-renowned white hat hacker Jeremiah Grossman, is a good example of a success story in several different ways.
First and foremost, the startup tackled an important and, at the time, unsolved challenge of asset discovery. The company’s old LinkedIn page describes both the problem and the solution quite succinctly:
“It may sound strange but companies have little idea which Internet assets – such as websites and mail servers - they own, and this problem is compounded as their business grows. As marketing ramps up, third party vendors and test servers are added, mergers and acquisitions take place - and more - it becomes extremely difficult for IT organizations to know what a corporate network environment looks like over time. Bit Discovery has amassed enormous amounts of Internet data and can show companies what they own almost instantly. What would once take days or weeks to discover manually, is now down to seconds using Bit Discovery. Bit Discovery finds the old, the neglected, and the redundant servers and helps companies to organize and to take action on the infrastructure and assets they may not have even known they owned. This leads to cost savings in IT consolidation, risk reduction, improved compliance, and better overall IT hygiene”.
Bit Discovery was also a success in the financial sense: the company raised $4.5 million, and got acquired for a total purchase price of $44.5 million in cash after 3 years; not a unicorn, but a quick and profitable acquisition for everyone involved - investors, founders, and the team.
What makes Bit Discovery worth taking a closer look at isn’t the acquisition multiple itself but the fact that the way in which the company’s destiny unfolded was designed and engineered from day one. When Jeremiah & the team started the company, the decision was to find an important problem around which they could build a business. The plan was to exit within 3 to 5 years in a way that would make everyone on the team financially independent. On the path to making it happen, the company broke all rules. It didn’t have an in-house development team, spent no more than $5,000 total on marketing over the three years, didn’t invest in any team-building or employee retention, and at the time of the acquisition, the startup had just seven employees.
Optimizing for the acquisition from day one: the Bit Discovery model
Building the company from first principles
Instead of moving on autopilot and doing what everyone else was doing, the Bit Discovery team decided to think from first principles. The team established several pillars that underpinned everything it did, namely:
Making customers a part of problem-solving and involving them in every stage of building the product
Finding an investor aligned with the company’s exit path, both philosophically and financially
Building a highly capital-efficient operation and running as lean as humanly possible
Making decisions that maximize the chances of an acquisition within 3-5 years
Avoiding unnecessary spending, including by keeping the company fully remote
Each of these pillars translated into very specific parts of the model.
Assembling the team and establishing internal processes
What makes early-stage companies succeed or fail isn’t an idea or a product; the number one factor that defines the final outcome is the team.
The team composition is the first factor that made Bit Discovery different. The company was incredibly small: it started with a core team of five, and when it was acquired, the whole team counted seven employees at the end after losing one person. The original five people were all connected: some had worked with Jeremiah and one another for nearly ten years, while others went back as many as two decades. The founding team composition was as follows:
Jeremiah Grossman, CEO. He owned the business and go-to-market strategies, and was in charge of making final decisions. The mindset was that while the best ideas should win, disagreement is inevitable, and it is the role of the CEO to make a final call.
Robert Hansen, Chief Technology Officer. A technical leader who was in charge of solving hard technical problems and prototyping extremely complex high-scale solutions. He was the brains behind the backend data-lake.
Llana Grossman, Product Management. A head of product whose job was to turn the prototypes into product specifications that would cover implementation details and user experience.
Lex Arquette, VP of Product. He used his design and management skills to make the front end fast and flexible, to offer a lot of value across many use cases, and to help build the product and user experience.
Heather Konold, Chief of Staff / Chief Operating Officer (COO), who ran all the back office operations, payroll, accounting, bookkeeping, and the like. She later helped get the company acquired.
After founding, the company hired its first sales executive. Lastly, rounding out the team came two cloud engineers from WhiteHat Security (a company Jeremiah sold before starting Bit Discovery). Their roles were scanning and back-end specific. Llana left the company, leaving the end team a total of 7 strong.
Bit Discovery started in 2019, at the beginning of the global pandemic, and was acquired in 2022, right around the time it ended. The team only met in person once or twice in the company’s existence, since the team was fully remote and distributed all over the US. Real-time comms were via Wickr Pro, and all meetings were held on Zoom, only when necessary; unneeded meetings were judiciously canceled to keep the team focused. The CEO had one weekly 1:1 with every employee; aside from that, everyone knew what they were hired to do, and extra motivation wasn’t necessary. The team felt empowered to go fast in their own swim lanes and act professionally.
Bit Discovery decided from day one that they needed to put the salary question aside so that the team could focus on doing the work. In the beginning, everyone was asked what salary would cover their living expenses, and enable them to not think about cash. The salaries, once established, stayed the same until the company got acquired: everyone got paid just enough that the money issue was off the table; there were no bonuses outside of sales, no raises, and no promotions. Furthermore, being such a small team, Bit Discovery avoided the overhead of formal processes, human resources, or team-building activities.
Finding the problem to solve, deciding what a good product should look like, and letting others build it
The Bit Discovery team came together to build a successful business and exit it within 3-5 years; the number one project was to decide what problem the company should be solving. In Jeremiah’s previous startup, WhiteHat Security, the team experienced the attack surface management problem for years, and since the problem remained unsolved, they decided it was worth a deeper exploration.
Instead of jumping into building the solution the founders envisioned on their own, Jeremiah and the team started by reaching out to over 50 CISOs and security practitioners to learn about the problem, how security leaders saw it, and what they pictured an ideal solution to look like. The Bit Discovery team would take the learnings, do some prototyping, and show what they built to CISOs. They would then take away their working solution and repeat the process. At a certain point, following many iterations, security leaders started objecting when their access to the product was being revoked, saying “Don’t take it away, I am using it”. This is when it became clear that what Bit Discovery had built was a viable solution to the attack surface management problem. There were no internal arguments about what worked and what didn’t; there were ideas about what the product should look like, and what the customers were willing to buy, and the latter settled any disagreements. The customer came first.
What becomes obvious when one looks closer at Bit Discovery’s team composition is that the company didn’t build its product in-house. Instead, it embraced the mindset that the startup’s role was to learn and decide what makes a good product; the actual work of building software can be done by someone else. Bit Discovery worked with an offshore team in Hungary and treated development cost as a budget line item that can be adjusted (toggled up or down) as needed. The product development process worked as follows:
The CEO with the help of sales would interview tens of security leaders, ask questions, and learn what problems were important to be solved
The CTO would prototype the solution, find the best way to engineer a new capability, and have the VP of product plan user experience and interactions, and create mockups along with product specifications
Product requirements were sent to the offshore team, who provided their cost and time estimates
Based on the feedback, and to keep development within the budget, the Bit Discovery team would adjust the scope of the desired solution and provide final sign-off for it to be built
When the company needed more engineering work, it would spend more; if there was a need to preserve the budget, it would slow down product development. Taking this approach allowed Bit Discovery to avoid raising more capital, thus preserving equity. When the time came for the acquisition, an outsourced team was a topic for discussion but not a concern (on the contrary, for the buyer it just meant that there were fewer employees to onboard).
Building a highly capital-efficient company and keeping an artificially low valuation
From the very beginning, the founding team understood that to make Bit Discovery an attractive acquisition target, it needed to keep the valuation low. That is what the founders of the company did: Bit Discovery raised a total of $4.5 million over the course of three years at a modest valuation.
There are two notable downsides of raising a little capital on a low valuation. First, the founders and employees can get diluted because an investor is buying a chunk of the company for a relatively small amount of money. For example, a company raising $10 million at the $50 million post-money valuation is essentially selling 20% of the startup for $10 million; the same company raising $2 million on a $10 million valuation is also giving away 20% of the business but for only $2 million. The way the math works encourages founders to seek higher valuations, but that’s just one side of the coin. For investors to be on board with an acquisition, they need to be able to make a certain level of returns. While the actual target multiples are highly dependent on the individual VC’s portfolio construction strategy, what matters for this discussion is that the more money the company raises, and the higher the valuation, the higher the acquisition price will have to be for investors to sign the paperwork and let the founder sell the startup.
Since Bit Discovery was intentionally raising little capital and keeping the valuation low, it had to find a way to stretch the money it got as long as possible. Jeremiah and the team built a highly capital-efficient company:
Embracing the software as a service (SaaS) model, without having to rely on people modifying the capabilities behind the scenes
Minimal in-house development team
Flat salaries (no raises, and no bonuses outside of sales)
No office space, which was especially wise given the pandemic
A maximum of $5,000 per year marketing budget, which it never came close to using
Low spending across all other categories
Making the startup so capital-efficient allowed Bit Discovery to avoid unnecessary dilution while building a product customers love with little external investment. Controlled dilution meant that everyone in the company was going to make a good amount of money when the startup was acquired. The company did all this while keeping the valuation extremely low, which naturally made it attractive for prospective buyers. There is a finite number of buyers out there, and the further you drive the price up, the fewer of those buyers exist.
Finding an investor that is willing to bet on the model
Not every investor is willing to bet on the founder looking to build a capital-efficient business and exit within a few years. It comes down to the VC’s thesis, approach to portfolio construction, preferences around founders and their backgrounds, and a multitude of other factors.
Jeremiah needed to find an investor who specialized in the model he was going for; after getting introductions to three different firms and receiving three term sheets, he chose one of them. The VC partner Bit Discovery took a check from specialized in working with tried-and-true teams and investing in capital-efficient companies that scale well and don’t need a lot of money to grow.
Additionally, the company greatly benefited from the support of angel investors with great domain expertise and industry connections, including Alex Stamos (Chief of Information Security, Facebook), Jeff Moss (Founder, Black Hat and Defcon), Jim Manico (Founder, Manicode Security), and Brian Mulvey (Managing Partner, PeakSpan Capital).
The company board was structured as simply as everything else. It was composed of two people - Jeremiah and Bit Discovery’s investor. Board meetings were held every six to eight weeks, fully remotely.
Establishing the right business metrics
The team understood that to get acquired, Bit Discovery needed to show that there was demand for its offerings and that the team knew how to operate the business. The company tracked two metrics: spending and revenue.
Jeremiah and the team realized that as a startup, they could not fully control revenue: they could do their best, but fundamentally there was no guarantee that they would reach their target. The factor that is fully under the company’s control is cost. Both Bit Discovery’s investor and CEO were incredibly strict about cost overruns; the company was never more than 2% off its cost target.
The second objective was to grow the revenue. The target growth rate was to at least double every year. Following an arbitrary goal of $300,000 ARR for year one, after year three Bit Discovery was doing $1.6 million in annual recurring revenue. Doubling its sales every year with a tiny team meant that if the startup ever decided to raise a lot of capital, it could do that easily, by leveraging its track record: if the company was doing nearly $2 million in ARR with the team of seven, only one of whom is fully dedicated to sales, it could easily do many times that with a larger sales force.
Staying top of mind for potential acquirers
To increase the chances of getting acquired, Jeremiah and the team identified a list of their likely buyers and ensured that every day, the small team would in some way, shape, or form get on their radar and avoid competitive business models that may make them unattractive. Methods to stay top of mind for potential acquirers ranged from social media posts that challenged the way companies in the industry did their work (“You have tools that scan assets but do they even know what these assets are? Go talk to your vendors about this”) to poaching customers, and getting in the way in the competitors’ sales process. The goal was simple: to ensure that when the potential acquirers moved into the market segment the company was in, Bit Discovery was known as one of the top vendors. Building a great product and growing revenue was important, but if nobody in the broader market knew what the company did, it would have been harder to get on the radar of corporate development teams at large acquisitive corporations.
Keeping the survivorship bias in mind
When I hear unique stories about successful founders, I always keep in mind that everything we know is subject to survivorship bias. We know Apple as the innovator and an inventor of the iPhone even though General Magic did it before Apple. Yet, because it was Apple who ultimately got the timing of the new invention right and succeeded in introducing the iPhone to the market, young people today are wearing t-shirts with the face of Steve Jobs, not Marc Porat. Survivorship bias impacts everything around us: although Google wasn’t the first search engine, Ford wasn’t the first car, and Amazon wasn’t the first e-commerce store, we will always remember those who succeeded, not those who failed. The same applies to listening to advice from accomplished founders: the same recipes that led some to victories completely crushed others.
Is it possible that Bit Discovery is just a one-off success story, and that it cannot be used as a model for others? What would happen to the company if it wasn’t acquired by Tenable?
I’ve spent a lot of time thinking about it, and the answer I keep arriving at is “Yes, this model can work for other founders as well”. There are a few key reasons why that is the case. First and foremost, the company was addressing a real problem: painful, complex, well understood, but not easy to solve. Second, it had real (and quite impressive!) traction: in year four, it was on the trajectory to double its revenue and get to $3.2 million ARR with fewer than 10 people on staff. At that rate, if it could sustain the same pace of growth, it was almost inevitable that some large player would buy it. Third, due to the nature of the problem Bit Discovery was solving, the list of potential buyers wasn’t short. Last but not least, even before the acquisition, the company was a success: with margins upwards of 90%, an average contract price of $75,000, and close to $250,000 ARR per employee ($1.6M ARR with 7 people on the team), it outperformed most of the several thousand cybersecurity startups.
Understanding Bit Discovery’s unfair advantages
Even though I think Bit Discovery would have become a success even if Tenable didn’t buy it in 2022, and its model could be used as an example by other founders, it would be a mistake to not highlight that Jeremiah and the founding team “cheated” their way to success. There are two ways in which they did it.
First, the Bit Discovery team were all world-class professionals with strong experience and many years, even decades, of working together. With that level of alignment, it is no surprise that the company could bypass a lot of the challenges that kill early-stage startups.
Second, Jeremiah was a second-time founder. Before starting Bit Discovery, he was a CTO and a co-founder, and later CEO of WhiteHat Security, a company that in 2022 got acquired by Synopsys for $330 million in cash. As an experienced entrepreneur, not only did he know how to run and scale a successful startup, but he also had credibility when approaching investors with the idea and a model he had in mind. Most importantly, Jeremiah had a well-established network of security leaders and practitioners willing to take a call and jump on a 30-minute meeting to ideate, talk about their challenges, and brainstorm potential solutions. Without the latter, the $5,000 per year in marketing budget would probably not be enough - not that they even spent that.
The Bit Discovery team used the resources they had available and maximized them to achieve the outcome they planned for.
The main reason this model can fail if replicated
I think that for this model to be successfully replicated, a founder would need to either have a solid network in the industry or have a way to meet people and build trust quickly. Moreover, they would need to be tackling a real problem - one that, if solved correctly, can result in a working product and strong demand from enterprise buyers.
One of the reasons this model can fail is adverse selection. Smart founders think about optionality, which means that, without being able to predict the future and without defining an exit path from day one, they are looking to achieve the best outcome - for themselves, their teams, their investors, and the industry in general. It takes a lot of effort to build a successful company, and the trouble is that many people, especially first-time founders, who from day one are thinking about a quick exit, are likely not ambitious enough to make it happen in the first place.
However, the main reason this model can fail if replicated is math. Some models show that in order for VCs to generate returns, they have no choice but to bet on high-risk, high-ambition teams going for no less than billion-dollar outcomes. For those interested in examining this side of the argument, I highly recommend this article. I must admit that I am not a mathematician and some part of Jerry Neumann’s argument went over my head. That said, I wonder if there is indeed a way to do what Bit Discovery has shown can be done - build highly capital-efficient cybersecurity companies that solve real problems and generate great returns for everyone involved; not by chance but by design.
Closing thoughts
Should founders be building companies designed for acquisition, or are we to encourage everyone to shoot for the moon and set their eyes on opportunities that have the potential for platform creation, and with that - an IPO? I think the answer is neither - we need entrepreneurs focused on solving problems, but realistic about the size of the problem they are tackling, and the kind of company that can be built around it.
When looking at what the industry is discussing, it’s easy to see that the vast majority of people assume that there are only two paths to building a cybersecurity venture: fully bootstrapping and building a company without taking in a single penny from investors, or the opposite - raising as much capital as possible to build a unicorn.
The reality is that options are plenty, and these two may not be the best ones to pursue. It is hard to succeed when bootstrapping a product company in a market where most other players are well-funded and therefore can invest more in product development, sales, and marketing. For many companies, “go big or go home” may not be an ideal path either. Some startups operate in small markets where going big is simply not possible; others may simply be in a market that is too crowded. If a company doesn’t see a path for building a large platform and getting to $200-300 million ARR and beyond, then becoming a unicorn can lead to its demise because being too expensive can mean being unacquirable.
The story of Bit Discovery is a great example that if founders are willing to break established patterns, they may very well be able to find a way to design their company intentionally and get to the exit they are looking for while solving an important problem and moving the industry forward.
For folks interested in understanding different models for building security companies, I recommend the following Venture in Security pieces:
Palo Alto isn’t going to buy everyone: the anatomy of cybersecurity startup exits
A shortage of cybersecurity founders building companies, not features or products