Don’t Take the Burn to the Next Milestone | Rezilion Co-founder & CEO Liran Tancman | Midstage Institute

“Don’t Take the Burn to the Next Milestone”

Rezilion Co-founder & CEO Liran Tancman

Show Notes

Software security is more important than ever, and its importance for both software companies and their customers is only going to grow. In theory, that’s going to force developers to spend more time working on security. But that’s not the case with a startup like Rezilion. They are helping companies to deliver safe software while also reducing the amount of time being spent on security, freeing up developers to do what they do best.

Rezilion co-founder and CEO Liran Tancman joined startup coach Roland Siebelink on the newest episode of the Midstage Startup Momentum Podcast to talk about how Rezilion is changing software security. He also talked about all of his experiences as an entrepreneur from the perspective of someone who is now leading his second startup.

  • The art of a startup finding its first 10 customers and developing a sales playbook.
  • How Rezilion takes a different approach with companies of different sizes.
  • The things that matter most when a startup is hiring its first few salespeople.
  • How Rezilion determines if a salesperson is a good fit or not.
  • Why it can be helpful to wait when it comes to scaling up the go-to-market.
  • The internal roadblocks that startups face after their Series A.
  • Why it’s important to be careful with the advice offered by investors.


Roland Siebelink: Hello and welcome to the Midstage Startup Momentum Podcast. My name is Roland Siebelink and I’m a founder and ally for the founders of the best, fastest-growing startup companies all around the world. And one of them is in our studio today, it’s Liran Tancman of Rezilion. Hello, Liran.

Liran Tancman: Hello, Roland.

Roland Siebelink: It’s so good to have you.

Let’s talk about that startup that’s growing so fast. Rezilion. What do you guys do? Who do you target? And what difference are you making in the world?

Liran Tancman: At Rezilion, what we do is we automatically help companies deliver secured software, whether it is as a service, SaaS, or software they ship. And what it means is with something called a dynamic software bill of materials - we’ll talk about it in a minute - it allows us to in five minutes, detect all the software you have in your applications, on your servers, on your host, from development to production, understand what vulnerabilities, what software risk is associated with it, and really focus on what matters. What we usually see is that 85% of the vulnerabilities people are fixing are not really attackable, they’re not exploitable, they’re a waste of time. We help people not only understand what they have but focus on the 15% that matter. And then we help them automatically fix those 15%.

The value is that you’re going to deliver secure software but you’re going to do it in a fraction of the time and effort of your other tools. And our tagline is “It’s about time” because what we do is we take time from attackers because now you’re remediating risk much faster if they have less time to react. And we’re giving you back your developers because no developers went to college to fix software vulnerabilities. People want to build things. If we can take the time spent on security and reduce it to a fraction, they have more time to be innovative. And that’s also our impact on the world. The impact is that people no longer have to choose between being secure and being productive and innovative. We allow people to accelerate their innovation by making security automated and easier.

Roland Siebelink: Exactly. Cut the drudge work out so that people can focus on where they’re really making a difference. Okay, very good. It sounds like your target customer is software developers. Can you expand on that a little bit?

Liran Tancman: Actually, the buyer is usually the security team. So you think of application security teams, information security officers, vulnerability management, product security, because our usual customers will be people in regulated industries. Software vendors, banks, IoT are pretty large. There are people in the organizations that are responsible and they’re accountable for the security of the software and service they deliver. Those people have to work with developers.

We sell to the security team. But almost always, in the second meeting, there is someone from the DevOps team or developers team that would be involved. In large enterprises where you have big security and development teams, we start with the security team. In smaller organizations, sometimes we just sell to the VP of engineering, CTO that also owns security. Then it’s easier.

Roland Siebelink: In terms of the organizations you target, do you have a sweet spot? Is it smaller organizations and then growing with them? Or is it better to have a certain critical mass where your solution starts to pay off?

Liran Tancman: I would say our pipeline is half-half. But it’s a different story for each. For a small organization, the first tools they buy - they didn’t buy a lot of scanners, so they don’t even scan for open source issues, software issues, et cetera. What I give them is two in one. Instead of buying a scanner that would plod them with issues, we give them the scanner for free because we can also act as a scanner. And we give them prioritization and remediation. The idea is to do it right from Day One. Instead of buying multiple scanners and then buying more tools to prioritize and more tools for remediating, just buying one tool is better.

In large enterprises, they already have multiple tools. They have a scanner for the open source code, for the containers, for the host. And there what we do is if you like your scanner, we can just pull data from there and we will help you prioritize and remediate and take action. It’s a different sale.

Another thing that is becoming important over the last year is - I don’t know if you heard about software bill of materials, SBOM. It’s really being pushed by the government. But like many other things in cybersecurity, things that start from a federal level are quickly being adopted across industries. And SBOM is now becoming a requirement. It means that you need to be able to show the people who buy your software or your service what it is made of. And our solution offers what we call a dynamic software bill of materials. In five minutes, being able to provide that and to keep it up to date and to show your auditors and your customers not only what you have but the real risk, so they don’t think you’re irresponsible. You’re showing them actually your risk is smaller. An SBOM has become a use case that drives business for us over the last year, for both small and big, on both sides.

Roland Siebelink: It does sound like the buyers, the organizations that you target are mostly in regulated industries where those requirements are really important. How did you enter those regulated industries? How did you even find the first customers? What was your initial go-to-market looking like?

Liran Tancman: I have a friend that says the older I get the better I was. What that means is that when you tell a story retroactively, it always makes sense. But the reality is that when you think about the first five customers, the first 10 customers, everything is different. One of them came because they were friends. Another one heard from another customer.

The art of the first 10 customers is to find the common use cases. And the art of building a repeatable sale is finding a common playbook. The first customer is just very opportunistic. Where we are as a company now and where we spent the last year after our Series A is taking the initial product-market-fit and making it a repeatable sales cycle, and we could talk more about that.

Roland Siebelink: Exactly. That also aligns very closely to what you often hear that the first sales have to be the founders themselves doing the sales. Figuring out what is that common use case, as you mentioned, and how to ultimately turn this into a repeatable playbook. Then what’s the next step in your experience? On the people side, when do you start hiring your sales people and what kind of salespeople do you start with?

Liran Tancman: For us, the first salesperson you bring is very different than what you do afterward. For us, before the A, we had someone to lead sales and their job was to find the product-market-fit with the product team. Yes, it’s the founder who sells, but sometimes founders are not as good as salespeople at listening. Having someone who tells the founder, “They’re telling you it’s interesting but they can’t really buy it,” is very important.

I would actually bring a third salesperson as early as possible - and it needs to be someone very special. It’s more about figuring out the product-market-fit. And then what happens next is almost the opposite. What happens next is that all those things that are great in the artistic phase of a startup’s life, which is getting the first customers, figuring out the use case, et cetera, are actually now becoming a problem. It’s almost like you’re moving from the right hemisphere to the left hemisphere of the brain. Now it’s all about metrics and playbooks and processes.

The sales people you bring - I’ll say a few things that we learned in the process. You need people with a startup background. We talked about the first salesperson. The first real salesperson, it’s all about listening and being creative and understanding how to sell it. Now you’re raising your A round because you have a few customers and you’re bigger, and now you need to create repeatability because that’s what you’re going to raise your B round on, a repeatable sales cycle. You do that and now you need to start hiring more salespeople. The first thing I will say is that if they don’t have experience in that stage - A round - it’s gonna be very difficult. I think very often sales people who work in large enterprises are used to having their meat hunted for them. They just have to do the last thing.

You need someone who can hunt and prospect. Because marketing takes nine to 12 months to start producing inbounds. It means that the first year, sales reps are going to need to bring their own food. Getting someone who has startup experience, who has done that, and who won’t be shocked when people don’t take his call and you actually have to chase them multiple times, that’s very important.

When to hire, I think the right thing to do is this - you have a VP of sales, and then you’re hiring your first rep. Hopefully, by the time you hire the next rep after the VP of sales, you need to have an enablement plan. I strongly recommend that in the enablement plan, you have checks that are going to tell you early if the rep is a fit or not.

For example, one of the things we did is that when a rep joins, there is a plan with checked boxes that we’re monitoring in Salesforce. I did this, I saw this video, I read this playbook. And then the second and third week are simulations with other people in the company. And part of what we’re trying to see is are they coming prepared to the simulations. Reps sometimes turn so quickly between companies, it’s really difficult. Just to be honest, sales reps are very good at interviewing because it’s their job to sell. But once they’re on board, just having those checkpoints inside during the second or third week of the company that the person is engaged, they can learn, they’re coming prepared to the meetings, maybe sales will work. By the time you hire your first rep, have an enablement plan ready for them. It doesn’t have to be perfect. You can tweak it. But you must have an enablement plan.

The second thing is that you must have an initial playbook. And my recommendation is have a playbook, optimize to some degree - don’t overdo it - and then see how it works. I do one iteration, give it a few months, and I say - every company has different leading indicators. For us, the most important leading indicator is the POV schedule. Once a company schedules the POV driver solution, usually there’s a good likelihood there’ll be a deal there because the product self sells. You use it, a lot of work disappears, and you’re not going to go back to the old way.

For every company, this indicator can be different. Because you don’t want to wait too long - until the first revenue, it can take six to nine months for an enterprise sales cycle. But you also don’t want to go too quickly because then you are going to have to redo it and it’s very expensive. That’s how we think about hiring.

Roland Siebelink: At Rezilion, what would you say is now the typical timeframe in which you can determine if a sales person’s a good fit or not?

Liran Tancman: It’s much easier to determine if someone’s not a good fit than if he or she is a good fit. And what I mean by that is if someone is just not very engaged and the work habits are unusual, we’ll know in week two because they’ll come unprepared to the simulation.

Three to five months down the road, if they didn’t schedule even one proof of value, that’s a red flag. And then I would say seven to nine months, if they didn’t really create revenue from the first deal they prospected - it’s not something that was handed to them, they have to be there from start to finish. Two weeks for work ethic, three to five months for being able to get the most important thing, which is the POV, and then if they did it by then, then there is a good chance they’re fine.

Roland Siebelink: For now, we’ve talked primarily about the go-to-market, which is the big focus area after you raise your series A. How has the product and engineering team been developing along and how much are you investing in that? What is their focus? How has it shifted since you moved beyond series A and are preparing for a B?

Liran Tancman: You raise your series A when you understand the use case you’re going to fix. You don’t necessarily know the repeatable sales cycle, but you do know what you’re selling and to who. I strongly urge companies when they get ready for their series A, don’t go and dramatically increase your go-to-market spending too quickly. Take the time to rethink the infrastructure of the product. What’s missing for the product to be sales ready. And I think that’s one thing we did. Looking back, I would probably wait more with scaling the sales team until the refactor was done. Because once it was done, everything became much easier.

The second thing is that as you zero to one of the concept, a lot of the features become about enterprise readiness like monitoring, logging, better UI, more reporting, more integrations. It’s less about the core. You continue to add core functionalities. It’s about taking the MVP and making GA for the enterprise, which can be big. There are a lot of things to integrate.

Roland Siebelink: Liran, how big can you see Rezilion become over the years?

Liran Tancman: That’s a big question. I’ll tell you what I think the potential is. This cliche that software is eating the world. Vulnerability is eating software and risk is eating software, meaning there’s so much risk and what’s happening if you think about the big security revolutions over the last few years, it used to be the classic firewall and then cloud security became a big thing. Now you see huge companies like Palo Alto or the newcomers becoming very big, very quickly because cloud is a thing. Now the same thing is happening for software. We have regulators asking you to provide your software development materials. Everyone is afraid about the software supply chain and open source.

How big is the market? Just to give you a sense, Gartner predicts that by 2026, 60% of the buyers will require companies to give them - their the vendors to present a software bill of materials and to disclose vulnerability. It means everyone will have to do that. It’s one of those two. There will be 30 million developers in the world by 2026. Everyone will need that. If you look at the price just to give you visibility - not even prioritization, remediation - the cheapest you would buy in the market today is $600 per year per developer. The floor is somewhere around a $20 billion market size that is largely untapped and is going to grow between now and 2026. There are really strong tailwinds from regulators, and also unfortunately, by attackers; they’re exploiting software now and the software supply chain. The answer is it can get as big as software gets.

Roland Siebelink: Exactly. What’s the next roadblock you have to get out of the way in order to be a winner in that space?

Liran Tancman: That’s a very good question. They’re internal and external. I think when a company goes from A to B - the famous death valley of startups - a lot of those roadblocks are actually internal. You need to put sales operations in place, playbooks, processes, all those things that make a company a company. Honestly, that’s been my main focus since the A round and I think we’ve cleared it out the way. It was very hard. There are a lot of playbooks around the world that tell you - a lot of literature on what’s a good self organization, what’s a good culture. No one is really telling you how to get there. Maybe this podcast is a good thing.

How do you take something - people will say, “You need to have a CAP repay within 12 months.” Okay, great. I know the benchmark. How do I even get to a point where it can talk about CAP repay? It is something that can be optimized. Getting the nebula into a structure, so that then you can start optimizing it. That’s I think the hardest part. We have developed our own framework that allows us to converge the organization into something that can be optimized and repeated, and I’m happy to talk more about that. But this is the hardest part, and I think we’ve done that.

Roland Siebelink: Liran, you already mentioned before the older I get the better I was. I think it was a quote from your best friend. As we have many first-time founders listening, their startup may be close to getting to product-market-fit, are just looking at what’s next, what’s your one point advice you would give to founders in general?

Liran Tancman: The one thing I will say is try to keep your burn in the place adequate to your current location in the maturity curve. What I mean by that, there is constant pressure on an entrepreneur to spend more. You need to hire your sales team quicker, you need to get a revenue number, you need to blah, blah, blah. And then obviously when money is running out, there’s an opposite pressure. It’s not healthy. And I think that the mistakes that I did in the past were to spend as if I was in a more mature place than I actually was.

I will give you an example. We talked about hiring sales reps. As soon as you do your Series A, an investor will say, “Hey, to meet the number, you need to hire five reps now.” I did it. It’s a terrible mistake. I did it in the past. You should not do that. You should see end-to-end, you’re getting one well before you hire more.

Another example is on product. There will be constant pressure. People raise their Series A after they get a handful of customers, their marquee customers. And then they’re pressured to go and sell it. What I’m saying is take another few months. Keep the burn low. Keep the burn and series-seed stage until you get the product sales ready. What I’m saying is that as you’re achieving one milestone, don’t take the burn to the next milestone burn. Make sure you can do on a small scale what’s expected for you.

Roland Siebelink: Yes. And maybe related to that, do not just go with whatever investors tell you to because they may have their own interests at heart sometimes.

Liran Tancman: I don’t think investors’ advice is corrupted because of their interests. I think it’s corrupted because of their position. What I mean by that - if you are an investor, you are likely to make decisions. And then something happens but you’re not necessarily involved in the weeds of it. The friction, the time they mentioned, the space dimensions, all those things that make the day-to-day life of an entrepreneur transparent to them. They don’t necessarily see all the connection between the decisions you make and the results and the time that factors into that.

You would see investors telling you one day do that and then it didn’t work, the next day do that. But the reality is - think of the enterprise sales cycle; it takes nine months. Listen to your investors - definitely listen to them because they have a lot of perspective. But take into account that they’re not there in the trenches and they haven’t been there for a while now. They don’t necessarily appreciate the time it takes to understand if you even made the right decision.

Roland Siebelink: Very wise interpretation. And yes. I think maybe the general point is to listen to a lot of people for advice but in the end realize it’s you that has to make the decision, not them.

Liran Tancman: Yes. And try to minimize the cost of your mistakes. Again, my biggest lesson and the biggest mistakes I have done in the past was - when you keep your burn low until you know something works, whatever it is, think of every expense in a startup, on the product, on the sales and marketing, then you can iterate until you figure out, and the price of every iteration is going to be low. Do you see what I’m saying? Assume that you’re going to evolve with iterations and trial and error, and for every decision you make, try to find a small version of it, iterate, and then spend the money.

Roland Siebelink: Exactly. I like that perspective of keeping the price of the iterations low. Do the iterations while you still can because it’s not gonna be with you forever.

Liran Tancman: Yeah. But it’s also for every stage. Because you can do this on the product. But also when you hire your first sales and also when you do your first channel, and when you’re going to do your first whatever expansion to another territory. In every life of a startup, there are big decisions. And I think what’s important is to try to iterate on them on a small scale before committing massive weight to it.

Roland Siebelink: Yes, absolutely. What Jim Collins calls bullets before cannonballs. Very good.

Liran, this was an amazing interview. I’m so glad you could make it. People that have made it all the way to the end of this podcast, how can they help Rezilion? What should they look for? Where should they go to figure out more?

Liran Tancman: If you watch this podcast, probably you are building some kind of software. As such, you probably want your software to be secured. You also need to be able to show your customers your software is secured. And by the fact you’re looking at this podcast, probably you do care about your resources because you’re in a startup. If you want to spend a lot of money and a lot of time to be secure, don’t call us. But if you want to have a tool that will help you to automatically be secure, reduce the time developers are spending on it but still be able to show your enterprise customers that you have top-notch security in your product, then call us and we’ll be very happy to help you.

Roland Siebelink: Okay, perfect. Can you remind us of the website?

Liran Tancman: Yes, R-E-Z-I-L-I-O-N dot com.

Roland Siebelink: Perfect. Okay. Thank you so much, Liran Tancman, CEO and founder of Rezilion, calling us from New York today. It was an absolute honor and pleasure to have you on the podcast.

Liran Tancman: Thank you very much. Thank you for those questions. It was a great pleasure.

Roland Siebelink: Thank you so much.

Roland Siebelink talks all things tech startup and brings you interviews with tech cofounders across the world.