
BSidesNYC 0x05 - What It’s Like Being the Only Security Startup in... (Alex Chantavy & Kunaal Sikka)

BSides NYC · 2025 · 26:22 · Published 2025-12

Hello. Hi. The talk we're giving is called What It's Like Being the Only Security Company in Your YC Batch. My name is Alex. Show of hands: who over here works a corporate job? A good number. And then, who here has dreamed of starting your own company? Perfect. Well, you're in the right place. This one's a little niche: who has started a semi-successful open-source project? Well, maybe not yet. [laughter]

>> Non-zero. That was us. So, our background: there are two of us. We are both former staff engineers on Lyft's security team. We built a tool called Cartography back in 2019, if you've heard of that. Basically, we take infrastructure assets, map them out, and show your attack paths. Who here has heard of Cartography?

>> Oh, that's so awesome. All right. And yeah, so now we're making a commercial version of it. We had talked about this for years, and that was the getting into it. So, our two-sentence summary: our company's name is SubImage, and... good morning, everybody. It is West Coast time. I'm [laughter] exhausted. So we build security software that maps your infrastructure, and our open source library is in use by over 70 companies. You can think of us as an open core alternative to Wiz. All this to say that that is really hard to do, and we've been working on it for over 10 months. I still clearly have some more work to do on it. When you go to start this entire entrepreneurship journey, communication, storytelling, that is everything.

Now let's get into why we applied. There are lots of personal reasons for becoming an entrepreneur. As I mentioned earlier, there were the practical reasons: we were building Cartography, we saw that lots of people had loved it, and we thought, oh, we want to see what it could be to turn this into our own thing. But there's a lot more to being an entrepreneur than that. For myself, I had always wanted to see this through. I had always wanted to see what it was like to make my own thing and venture out.

>> And for me, it was somewhat similar. I always wanted to make my own thing, try my hand at it. And then the other thing was I saw the value that our software provided. Every single new job that I went to, I wanted to use Cartography. Somebody would ask me something simple like, is our Kubernetes API server open to the internet? And like eight people would have a discussion. I'm like, why is this a discussion? Let's just get a map. And yeah, a company around it. This is where it all began. So last September, it started off with a text message. Me and Kunaal worked at... so while we were at Lyft, we bootstrapped their vulnerability management program, took it from zero to one, and built Cartography as sort of the bedrock around that. It all began: "YC apps are due in a little bit. Let's do this together." Yeah, we called it the million-to-one shot, where we got together and put the application together. The nuts and bolts of it with YC, if you're not familiar: you fill out a form, you make a video, the video's got to be 1 minute long, and we took at least 23 takes for our video, just stumbling over all the words, all the ums and everything.

>> Well, can anybody guess what the hardest question in the form is? Just shout out anything.

>> Why?

>> These are good answers. These are good answers.

>> Tell me what else.

>> That's like... they make you choose a name for your company right then and there. [laughter] We spent like hours, actually hours.

>> Yeah. And SubImage, it's a little bit of a Lyft inside joke about container images. So it ties back to our time there. And we got an interview, like the very next day we got an interview. So we're just losing our minds over this. [laughter] Yeah. [snorts] The interview itself, this is a knees-weak, arms-are-heavy moment, because it is intense. And it's intense in the sense that you have exactly 10 minutes, not a second over. So come time for it, the YC interview, the questions are not hard. We get up in there. They're very straightforward. The first question that Gustaf asked us: so, what are you building? I froze. I went nonverbal, [laughter] and then Kunaal kept it together, though, which is why getting the right co-founder in the room, for the whole emotional support and everything on this entire journey... I would not do this solo. So, first thing, if you're thinking about going on this journey, find a good co-founder.

>> Yeah, likewise. We actually found out kind of later in the process that YC does not like solo founders. If you apply by yourself, your chances of getting in go down by like 90%. They know that psychologically it takes at least two, if not three, to have a good founding team.

>> And we got this. So a little bit of background here. We do the interview. We're like, okay, well. And then we look up online. We're looking at all those stories, like, if you hear by 7:00 p.m.... that if you will, you hear by 7:00 p.m. We didn't hear by 7:00 p.m. 8:00 rolls around. We start feeling sad. Our email came at 12:01 in the morning. Kunaal loses his mind, and we're like, "Okay, what could it be?" You know, do they want to have more questions? Do I got to prepare a demo? I didn't have the demo. Do I got to cook something up right now? [snorts] And we got in. We got in, and so the next step was basically had to quit, or... oh, actually, let me get into this. So the acceptance call was quite interesting, because Gustaf gets on there. He has a couple of follow-ups, and the first follow-up is, "Kunaal, I know that you live in New York. Will you move to San Francisco?" I said, "Sure." [laughter]

>> And then the other fun tidbit here was, "You're the first company that we have interviewed that did not use the word LLM in your pitch."

>> We'll get into that more in a second, but we are a little different. We'll get to that.

>> Yeah. Transition: you moved. You're upending your life. Filing business paperwork: really easy. If that's stopping you, don't let that stop you from making a company.

Chapter two, this is where we're at. You have a plan, and we had an expectation of what YC is going to be. It did not hit that expectation. It was very different. So, a little bit of YC 101 just to lay the groundwork. They invest $500,000 in your company. There are 100 companies in a batch, one for every season, so four batches per year. And it culminates in a demo day after 12 weeks. So you get up there, you build your company, try to get as much revenue as possible, some to show real genuine interest that what you're building is something people want. And the goal of all this is the demo day: all the investors in the valley come over, and then hopefully, by the end of all this, you will raise your seed round, and then you can hire a team and take your business to the moon, so to speak. We got in, and then we started YC. We immediately realized that we are different. This is a very, very different vibe. We're going to get into some of the details here. Live with your co-founder. Literally the first item in the YC manual says you should live with your co-founder, and then you build your startup in your apartment. No man, I have a four-year-old son, so that's not going to work for the two of us. Here he is helping me build product; he calls it Super Spider. It's excellent. And then...

>> They're very different. The average company in YC is like four 19-year-olds building AI vacuums, you know, like literally it's like "we build agents for your agents," "dog walking agent," "we knock out back office processes so we can sell them to private equity." It's...

>> All right. So who here wants to be a founder in security?

>> Brave.

>> Okay. It's not easy, and it's even less easy... well, YC helps, but it's not easy. It's not straightforward. So, all right. In YC, there's a specific hard part about being a security startup. And that is YC batchmates. So, the people in your cohort, all the other companies working with you, they are not your customers. Whereas, if you were, say, a dev tools company, an AI coding agent or something like that, you can very readily find somebody else that's going to use you and be like, "Oh, I'll charge you $10 a month or something, great." You know, it's a YC discount.

>> It's actually almost like a joke in YC that, like, "Oh, if I pay you $10,000 and you pay me $11, we both have $10,000 monthly revenue." We couldn't do that.

>> Not fraud. Yeah.

>> Also, early companies don't need security. You don't need security; you need product-market fit. That's their number one, and so they're looking for it. It's probably not until about maybe a $1 billion valuation, or maybe a Series D and after that, that they're even thinking about having any security tools, which is what we were building. And this is enterprise. So the YC batch, this is a 12-week cycle to go and get a big, big contract, whereas a real enterprise sales cycle, I mean gosh, that takes 6 to 12 months for a lot of these deals. This matters a lot when you're in YC, because the investors, they'll nod and shake their heads with pretty much anything until it comes to revenue. They need to see pen on paper, which was the realization that we found out kind of the hard way.

>> Right? It's a grind, the day-to-day of starting a startup, and getting in there, the daily self-doubt, what it goes into. But it comes down to just two things: you're either talking to customers or you're writing code. Most technical founders, ourselves included, need to spend more time doing one. You need to spend time verifying that the thing that you are building is something that someone will actually pay for. Will someone actually want your beautiful system? Why are you scaling if nobody even knows? [snorts] I can go on a tangent there for a really, really long time. So, we took this into consideration. This is what my git commit history looks like. So, during the YC batch, I barely wrote any code. Only recently have we started trying to turn out more, get the product into the state that it needs to be. Kunaal did most of the code writing, but even then, we were just razor-focused on finding a customer and hunting and learning new muscles that we did not have. Being resourceful. Yeah. 500k is still not a lot of money when you're building a security company. Those of you who have worked at security startups know this. So much money goes into marketing, taking people to nice dinners, flying people. So we were still trying to be quite resourceful, and so we signed up for Delta Business Traveler, which is free. You get a free month of Industrious, which is a co-working space. And then our necks started to hurt. So we found some reams of paper, and this was month one.

>> Thanks, thank you Caitlyn for taking care of us and putting up with us. You have reams of paper. We couldn't afford it. Anyway, we got a real office. Very, very happy. It was a huge step up to have our own space where we couldn't hear other people's companies and their conversations. People talk about cross-pollination. Now, we needed to lock in. All right. Starting sales, especially if you're of a technical background, if you're focused more kind of like me, where you're focused on the what and the how and not the why, or why someone would actually buy something, it's very uncomfortable. And coming from open source, we had built an open source project, and we're thinking about, okay, well, let's talk to open source users. In some ways, starting out like this, I felt really, really bad. I felt like Jesse Pinkman. I felt like, I'm here to sell you SaaS, you know, that's what it was. But we found our rhythm eventually. Open source ended up being more than just providing people free code. It was a marketing angle, because people had heard of us before. And it let us skip a couple of steps where we could get in the room, get into the conversations with other companies that were either using Cartography, had heard of it, knew about the general family of problems that we were solving. Professional networks absolutely helped out over there, and meeting people in person. And we got ourselves into this rhythm where it was: build something, post about it, see who is engaging, see who is wanting to talk about it, ask us questions, and meet them in person. Repeat that over and over again and be like, "Okay, this is good. This is what's working for us."

>> One thing I'll mention: meeting people in person is way, way more important than you could ever imagine. YC's advice is, like, somebody wants to talk to you, just go fly to them, but make it chill. "Oh, I happen to be away tomorrow for this thing. You want to get dinner?" But at the same time, those meetings, the point is not to sell to them. It's actually just to build trust. Most of these folks are being pitched to, like, "we're an open core version of Wiz." They probably have seven Wiz salespeople showing up in suits, finding the nice dinners, with this massive, beautiful product and this demo. And the reason you meet people in person is just to build trust. And that's what we did. We solved the traveling salesman problem. That's what we did. The picture on the right, that is Tallinn, Estonia. We've been there twice in four months.

>> We [snorts] told our contact there we're going to be in Europe; we would love to meet up. You know, we're crossing the ocean already. We might as well come see you. And that was awesome. It's been awesome. Things that didn't work well with us. Okay, so YC has this sales conference, and they teach you two different schools of thought, and it feels a little contradictory, and it is contradictory. I didn't like it very much. So number one is: be very tailor-fit for all your customers. You want to be really, really like flying to them, be very personalized, like what we did. And then on the other hand, like the talk right after this: here's how you can send 10,000 requests on email over and over again every single day. I'm like, that's not us. So, I guess the lesson here is be authentic to yourself. Find something that does work for you. Okay, remember things. Remember, okay, we flew to Europe, and the flight... the big reason to fly to Europe, we had a meeting booked in London with a client, and we land in Paris. It's 2 days from now. I look at my phone, there is no invite. I forgot to hit send. My heart dropped. I was scrambling. We got lucky. We got really lucky. Our contact over there was very flexible, able to squeeze us in. But my god, whatever system that you need to get in place, get reminders of everything.

>> Yeah, it's different. I feel like when you're at a corporate job and you let something slip, typically you can say, "Oh, this will be done next week," or "this will be done two weeks from now." All companies demand way, way more of vendors than of internal services and products. And we realized that you should try to respond... 9-to-5 should respond to things in 10 minutes. We don't even communicate via email for most of our technical context. Everything is a shared Slack channel. We treat them like part of our team, and we want them to treat us like part of their team.

>> Always be selling. Again, harping on that point: this is mostly what I try to tell myself, honestly: you're not an engineer anymore. Your job is to sell software. The breakthrough. Now, we had gotten our rhythm going. We're starting to figure things out. This is the story of landing our first customer, and it was not straightforward. So in the very beginning of the batch, actually, they told us, "Oh, we actually really like what you're doing. We believe in your product and your mission and everything that you're doing. We want to support you. We're going to buy you." However, getting through procurement is a bear in an enterprise organization. It takes long. You got to wait on approval after approval. And so this is why the sales cycle is so long. Even when they want to purchase your software, you still got to wait. And so I felt just like Narcos. It was so sad. Yeah. And for context, they came through the open source. They agreed to buy, like the CISO agreed to buy, within a week. And procurement took eight weeks. And we'll get to why that was an issue in just a second.

All right. Now, fundraising. This is probably top of mind for everybody who's wanting to start a startup. The whole, do I want to say game? The whole dance of courting investors and then raising your round. So you got to work your way backwards. We had a plan where we'd raise x amount of dollars to hire this many employees so that we can survive for this many years. Thankfully, we had lots of inbound investor interest, and a lot of that is due to YC. We're very grateful for that. And this was our hell week calendar leading up to demo day. This is 70 calls back to back to back to back. And if you look at some of them, I skipped lunch, and it was a lot of Celsius. It was awful. But getting into this, Monday and Tuesday were demoralizing, because our contract, this big enterprise deal, had not been signed yet. We had just been telling our investors, "Oh, yeah, it is in contracting. It's almost there." And what does that mean? That does nothing. That means nothing to me. So once the sale went through,

>> which was on Tuesday at 12:30 a.m., [snorts]

>> like everything changed. Absolutely everything changed. So we raised and closed our $4.2 million seed round right before demo day, and it was led by Funders Club, Y Combinator, and Transport Platform. And we're very, very honored to have them as our supporters. And, my gosh, one final note on the fundraising process. I think on a Wednesday or Thursday I decided to take my calls from home. My wife was in the other room, and it was just so funny taking them over and over and over again, and she stopped at lunch. She's like, okay, I got to get out of the house at this point. I think I can give your pitch better than you can. [laughter] Back to work. I love YC's advice where it's just like, okay, fundraising, don't do a big song and dance. Don't overengineer your fundraise. Overengineer things for your customers, not for your investors.

We have so much more to do. Customers are now pushing us. It feels really, really good. We're getting into a rhythm. For the first 10 months, it was just the two of us figuring everything out, building and selling. It's hard. And now we've grown our team. We've doubled our team in the past week, making that good momentum, hopefully going to build more things out, do every single thing that we've wanted to do there. Some reflections that we'd like to share. Okay, biggest surprise for me: one of the biggest surprises is that YC actually encourages you to raise lots of money to go be competitive, but they also make sure that you don't give too much of your company away. YC encourages most founders to take like 15% or less dilution, because the whole valley wants all founders to own lots of their company so that they're actually incentivized to go growing. That was very different than what we heard in Europe and even in Seattle. In Seattle, the number can be much, much higher. So that was surprising to me.

>> I'll do two surprises. So surprise one is how emotional this is. There are ups, there are downs; the lows are really low, the highs are really high. And the second surprise is the founder network, support from other founders. They get it. And being able to meet other founders in that way and talk to them, be very real with them, that's one of the highlights of this entire journey. Oh sorry, a third one I'll squeeze in is that running an open source project feels a lot like running a startup, because you're talking to other people, you're doing outreach, you're learning what they need, you need to be proactive on that. A lot of the same muscles are there, and that was a really, really pleasant surprise. So if you can do open source, then that will give you a lot of the skills and a lot of the motion. It'll feel really natural. Biggest downside. I mean, the obvious one: money. You know, you're [snorts] starting out, you only got 500k to start from YC, a lot of the time, if you're bootstrapping, even less. Having savings, but not having a steady or stable compensation, especially if you have a family, that is a big, big downside.

>> Yeah, I think we're in the same boat. I think the other thing is most folks who want to start companies and go do these ambitious things, oftentimes there's a lot of need for you at prestigious companies too, so you lose some prestige. You no longer work at Meta, or you tell people you're building a startup and they go, okay. Well, they're supportive. Yeah. But...

>> The biggest plus, in my mind, the biggest plus: you get to do anything you want. It cuts both ways. But if you're the right kind of person for that, and for myself, I don't know, it's a huge, huge plus. I have this very strong view of what I want to be spending my day on and the products I want to be doing. Being able to decide that, that is so huge.

>> For me, I think the big plus is the amount of learning. You get to learn how to talk to executives and CISOs, and then also debug the gnarliest problems that, like, the customer's engineers just throw over the fence to you. Learning, the pace of it, is unmatched.

>> Yeah. Even engineering things: building the right system right now, throwing it away, building it again.

>> Biggest lesson. There have been too many lessons to count. But yeah, I think for me it's building the right thing at the right time. In big companies, it kind of reminds me of when you're driving on the highway: you're going 7 miles an hour, and you take the exit, and now you're driving 30, and it feels slow, but you're still driving 30 miles an hour. There's this velocitization where, if you're in big tech, you want to build something to last like three, five years. And now we typically need things that last like a month, and then we can hire somebody and just scrap it and rebuild it, because we are optimizing for speed and showing that we have the capabilities, and then typically going...

>> For me, I think, I mentioned this briefly earlier, but it's about focusing on not just the how and the what but also the why. Because a business leader, or anybody buying a product, they're not buying the what or the how or a solution; they're buying an outcome, like they're paying for you to eliminate something out of their day. They're paying you for time. What is your value proposition? Honing in on that much earlier on. I think that if I had to go back and do this again, I would have a very much clearer mindset about getting to that sooner. I think that's all we have. I believe we have a couple more minutes for questions. We got like two minutes, but yeah, thank you so much. [applause]

Yeah. Any questions?

>> Do you think Y Combinator is more for B2C and not enterprise?

>> No.

>> Absolutely not.

>> It's actually almost entirely enterprise. They have like a problem: they actually have very few consumer companies. They're really big on AI right now, enterprise AI particularly.

>> But the sales cycles are so long, and everything is so different in enterprise.

>> Yes.

>> Enterprise sales. That's what I mean.

>> Yeah. Yeah, I think a lot of the YC companies were also selling to other startups or selling to smaller companies, and they could do that because a lot of smaller companies want to use AI to supercharge themselves. For us, we couldn't target them at all. If there was a startup telling us, "hey, we need your security," we were almost like, why? Yeah, we couldn't survive on qualified non-buyers. Yeah.

>> So I know you guys both came from... do you guys think it plays a big role, or it's very important, to go to a big tech company before you venture into your own startup, so you can see some of the problems and your ideas from that? Or do you think that kind of translates?

>> The question is about, is there an advantage in starting at a big company and going to a startup? For us there was, especially if you are trying to sell to an enterprise. One question during our interview was, could you go and take it and sell to other similar-size companies? And our answer was absolutely yes.

>> What was the motive behind SubImage?

>> The motive was that there is a big opportunity right now. I think that there's an opportunity right now for an open core CNAPP, and in particular I think there are a couple of angles here. If you use a big closed-down platform, you can't introspect into the problems in your environment. And then also, the current state of the market is such that, in order for a customer to get visibility into your environment, they can't get support for every single provider, because there's a pay-to-play mechanism. All those other vendors you want to go and get coverage with, well, they have to pay to get covered on this dashboard. We did not like that, and so this is the angle we were going for.

>> Yeah. And at a more meta level also, we know a lot of CISOs. Before we even applied to YC, we talked to like 20 CISOs at large companies; half of them were using Wiz, and they all picked up our call, and they all wanted to chat with us, and they all had more problems to throw at us. So we figured even if we are not building an exact replica, like not building an exact open source version, there's just so much space to play here. Yeah.

>> I think that we're getting yanked off, but they'll come.

>> Yes. [applause]