What it’s like being the only security company in your YC batch
A guest post from Alex Chantavy about participating in Y Combinator as a security company.
This is a guest post from a friend, Alex Chantavy, who is the co-founder & CEO of SubImage. Alex went through Y Combinator, and I have been asking him (or, as he rightfully calls it, nagging him) to share his story. Many people are familiar with the story of Vanta, which also participated in YC, but Vanta is unique because it actually sells to startups, so Y Combinator was also a great distribution channel for them. Most security companies don’t get to sell to other startups, so their YC experience is going to be very different.
We’ve spoken about this at BSides before and have been nagged (thanks Ross) to put it into written form, so here it is.
Kunaal and I got into Y Combinator in January of 2025 to create SubImage, and these first 17 months of the journey have been crazy. This is our story as a YC-backed security company, showing what worked for us and what we’d do differently knowing what we know now. If you work in information security and have ever dreamed about quitting your corporate job to become an entrepreneur, this post is for you.
Our main takeaways are that a YC batch is built to help you raise your seed round as fast as possible, and that the YC playbook and the security startup playbook pull in almost opposite directions. It can work, but most of the job is reconciling the two.
A little bit about us
I’ve worked in infosec for over 15 years (by YC standards, I’m very old). I started my career at the NSA, eventually moving to Microsoft on the Azure Red Team, and then Lyft’s security team, where I met Kunaal and open sourced a tool called Cartography that grew a real community with dozens of companies using it. Kunaal left Lyft at some point to join a little startup called Anthropic.
I knew I wanted to keep working on Cartography, and Matt Klein, creator of Envoy, gave me the advice that my options were to stay at Lyft, go somewhere else that used it, or build my own company. Kunaal was my first and only pick for a cofounder because I knew what it was like to build something huge with him (Lyft’s vuln mgmt program).
A little bit about the company
This explanation took us a very long time to come to, and it still needs improvement. But! SubImage makes maps of your infrastructure so that you can better secure it; you can think of us as an open-core alternative to Wiz.
We were the only company that didn’t use the word “LLM” in our pitch
We applied to YC mostly as an exercise to gain clarity on what we wanted to do. Fast forward, we got a video interview with Gustaf where he asked me a very simple question: “So, what are you building?” I absolutely fumbled it. It was a mix of nerves and being in the weeds with Cartography for 6+ years that made it difficult for me to have a crisp answer. I mumbled something about cloud security and open source. I honestly don’t remember much of what happened in that call, but Kunaal kept it together and helped me keep some semblance of composure.
We had a follow-up call the next morning, where Gustaf said “I just have one question: Kunaal, you live in New York City. Are you willing to move to San Francisco and do YC?” There was also a fun tidbit where Gustaf said “You’re the first company we’ve accepted that did not use the word ‘LLM’ in their pitch”. Go us.
We were absolutely beside ourselves. This was the best Christmas present I could have imagined. Not to be too cheesy, but that night I went to dinner and drove home, and I’m pretty damn sure I saw a shooting star driving on I-80. Anyways.
The batch began
in January of 2025. We received YC’s $500k investment, and it was 12 weeks until Demo Day. We needed to get real customers to show the best investors in Silicon Valley that our company was worth investing in.
We immediately looked around for other companies in our batch building in security. We found two: one doing workflows, another building an AI reverser (I thought it was super cool). At various points, they both pivoted to, get this, commercial real estate. Nothing against that (I love you guys, you know who you are but I gotta roast you a bit <3). I’m just upset because it left us lonely in YC.
This is because building in security as a startup is very hard.
Companies don’t need security until they are much more mature. In particular, lots of other YC companies in areas like dev tools or agent tools can almost immediately sell these smaller $100/month or $1,000/month contracts. They were talking about self-serve products, or landing dozens of customers at a few hundred dollars per month. We were mapping out org charts up and down from decision-makers to champions, procurement, compliance reviews. It felt like a completely different sport.
YC is just 12 weeks long and you have to show traction in the form of committed spend. Enterprise contracts take 6-12 months to close so you’ve got your work cut out for you.
Security is a fundamentally trust-based business
and the person who actually buys, a CISO or head of security, is usually a few steps removed from the practitioner who will use your tool day to day. That means you are always selling to two audiences at once: the extremely technical engineer who has to love using it, and the executive who has to sign for it. This gap is the reason the standard playbook for security startups looks nothing like the YC one.
The security startup playbook is to start in ‘stealth’ and operate that way before you’ve launched, at least that’s what I’m told. And then you find companies to act as design partners that you give the product away for free to in exchange for learning.
This is completely counter to YC’s advice of no, don’t be in stealth. Launch something crappy, get out there. Use that negative feedback (or even lack of feedback) as learning and motivation to move forward. Design partners don’t have any skin in the game because they’re not paying you, so their feedback may be well intentioned but it’s not aligned with what you need. Further, with such a short time to show progress, you don’t have time to spend with tire-kicking design partners, so charge real prices.
I agree in principle, but with a grain of salt. Early on, we met with over 30 CISOs, and a few agreed to work with us, but only in the capacity of a design partner. When we quoted them full enterprise prices, they balked and seemed insulted and we were laughed out of several (Zoom) boardrooms.
It stung because a good number of these were former colleagues we deeply respected, and we had to reconcile this with the mentoring and the constraints we faced with YC. I’m not sure what the right way was. Should we have operated in stealth, getting unpaid design partnerships with prominent companies in our network, or was our way of looking for paid contracts (even when our product was at its weakest) the right play? We ultimately did the latter, so it’s not useful to ruminate over, but it’s an interesting question and I imagine that other security founders are facing this too.
If I could do this over again, I’d probably do both: look for those willing to pay, and also take in the tire-kicking design partners. Now that I know the game and the framing, I think we could make both of those things work and we’d be in a stronger position.
We did have a small advantage going into YC
in that Cartography has a thriving community, and we got one of our first paying customers here. We aren’t able to name them directly, but they were thrilled to find out that we were building a company around Cartography because that meant they could focus on fixing security problems instead of maintaining data infra pipelines. From the very beginning, we gave a demo to our champion and the CISO, and they loved it. This was going to be a six figure deal. We thought, oh this whole business thing is going to be easy!
Spoiler: it wasn’t and it still isn’t.
Although in week 1 of 12 we got strong intent to purchase, it would take the entirety of the batch to close this deal. Gustaf was impressed with how fast we moved a deal to “contracting” status, but Week 10 rolled around and YC switched to fundraising prep mode where they started teaching us how to do pitch calls.
In fundraising prep
Gustaf grabbed us saying “hey, so that deal, where is it”. It was stuck in procurement. His demeanor toward us changed completely. He told us “I need to be clear with you. If this deal does not close, your fundraise is at risk.” It didn’t help either that in these pitch prep sessions, it felt like I was bombing. I did pitch prep with 3 different YC partners to varying degrees of success and still was missing aspects of storytelling and selling the exciting parts of the business.
The week before demo day, investors tend to reach out to you for calls so that if they like you they get to fund you before everyone meets you on Demo Day. We were fortunate in that we had 70 calls that week. Yup: seven, zero. My calendar was this:
Practically speaking, this meant back-to-back 30 minute calls where I was skipping lunch half the days because I didn’t think ahead to block that out (rookie mistake). We even had some spillover on to the Sunday before that Hell Week.
Sunday afternoon Kunaal and I head into the office and start some of the calls. It goes poorly. I’m learning how to do the storytelling, and I’m learning to listen and answer the question behind the question.
Monday and Tuesday pass and the calls are not landing. Kunaal and I are nervous. We are 40% of the way in with no strong leads, we don’t have that deal signed, the storytelling doesn’t feel like it’s getting easier, and we’re tense. If we don’t get this done, our company is at risk. Sure, we can use YC’s funding to keep going but the game of a startup is to preserve that momentum, and when you’re in it, you have to act with urgency.
Kunaal is working the contract and figuring out last minute logistics for the deal to land. Finally, by 12:05am Wednesday, we get this in our inbox
They signed the deal. After 12 weeks of being in business, we had signed our first six figure annual contract. Woooooooo
Wednesday morning calls begin, I enter the calls full of confidence. Many of the investors don’t know much about cybersecurity, but they know what six figures in 12 weeks means. I’m happy, I’m having fun, I’m telling our story, I’m proud as hell. It changes the demeanor of everything. I had to take the calls at home one day and my wife in the other room told me at one point “I gotta get out the house, at this point I think I can give your pitch better than you”.
I’m learning what our investors can provide to us, their style of interacting with their portfolio companies, their stories of being prior founders or leading large businesses. We looked for partners that could guide us along this journey.
We ended up raising $4.2M before Demo Day led by Funders Club, Y Combinator, Transpose Platform, Phosphor Capital, and angels. We’re grateful for their support.
Do we think YC is the right vehicle for a security company?
For us, it absolutely was. That said, the batch did not run our enterprise motion for us, and the 12-week clock is genuinely hostile to security sales cycles. But, if you walk in with an existing source of trust and accept that most of the job is reconciling the two playbooks and how they land with your prospects, what YC gives you in return is invaluable.
Security is all about credibility, and YC’s brand did help us get in the room with many companies. And to tell the truth, I would not have started SubImage if it wasn’t for YC. I have a family, and I would not have been able to tell them that dad is quitting his job to start a company completely bootstrapped without funding. Saying that the world’s best startup accelerator backed us was a huge thing.
This has been the career highlight of my life
As an engineer I was focused on the “what” and “how” of any problem, and now as a founder, I’m focused on “why would anyone care”. With SubImage, I’m not competing just against other vendors. I’m competing against (1) doing absolutely nothing, (2) a security team building the thing themselves, and then finally (3) other vendors.
My engineer instinct was always to take a question at face value and get to the precise, correct answer as fast as possible, but an investor asking “what other companies use this” is not just asking about a list of logos; they’re asking whether anyone they’ve heard of would pay for this. Going from Staff Engineer to a beginner at sales, storytelling, and eventually managing people was genuinely humbling, and I’m continually hitting moments where I realize I’m not good at something I’d assumed I’d be fine at. The only way through it was to keep doing the thing while I was still bad at it, which is incredibly uncomfortable.
Eventually I got comfortable being told “no”. In fact, as “Salesman in Chief”, it is my job to get to the “no” as quickly as possible so I don’t waste anyone’s time.
There definitely are low points. Parts of me thought this job was going to be glamorous (by nerd standards): working full time on open source, getting Cartography to “Graduated” status at the CNCF, doing security research, having people discover us and buy us immediately. Yeah, it doesn’t work that way.
A lot of the job is taking incremental, seemingly mediocre steps: improving the product, showing up to meetings that may go nowhere, being compared to competitors, hearing “no” (or getting ghosted) over and over, and doing mundane things like setting meeting invites. I still wouldn’t be doing anything else though.
If you’re thinking about doing this yourself
I’ll be honest: it’s f***ing hard. Startups are hard enough on their own, and security makes everything worse: you need to do enterprise sales from a position where you’re likely not ready at all. You need every unfair advantage you can get. Ours was Cartography, with 6 years of prior work, 70+ companies already running it, and a community of people who already trusted us. This is the only reason we had a six-figure contract to point to before Demo Day.
If you’ve read all that and still want to do this, then the most useful thing I can say is to start enterprise sales immediately and open as wide a funnel as you can. Have many, many conversations, because volume is the only way to advance your company. If you run a genuinely wide funnel for a few months and nobody engages, you will have learned early that this isn’t going to work, which is a far better outcome than discovering it after 2 years in stealth. Here’s what ours looked like in the first couple weeks of YC:
Each circle is a company, and the arrows follow each company through discovery, demo, terms, and procurement. All of this produced exactly one contract during the batch, and that contract was the difference between our fundraise and a very different blog post.
To close
I’ll leave you with the reasons I ultimately decided founder life was for me. I’m stubborn, and ownership is probably my strongest value. Early-career-me read that famous Paul Graham essay on how to get startup ideas and fell absolutely in love with the idea of being empowered to solve problems I’d encountered. If I build something, I need to see it through to the end.
I knew I wanted to be an entrepreneur, and decided that if I didn’t at least try then I’d spend the rest of my life wondering what could have happened. Starting a company isn’t rational - amortized for risk it is a bad bet compared to FAANG (famous Dan Luu post).
Entrepreneurship requires you to be comfortable giving things up and being bad at things for longer than you’d like. Seventeen months later though, I’m very glad we said yes.