“Don’t Take the Burn to the Next Milestone”
Software security is more important than ever, and its importance for both
software companies and their customers is only going to grow. In theory, that’s
going to force developers to spend more time working on security. But that’s not
the case with a startup like Rezilion. They are helping companies to deliver
safe software while also reducing the amount of time being spent on security,
freeing up developers to do what they do best.
Rezilion co-founder and CEO Liran Tancman joined startup coach Roland Siebelink
on the newest episode of the Midstage Startup Momentum Podcast to talk about how
Rezilion is changing software security. He also talked about all of his
experiences as an entrepreneur from the perspective of someone who is now
leading his second startup.
- The art of a startup finding its first 10 customers and developing a sales playbook.
- How Rezilion takes a different approach with companies of different sizes.
- The things that matter most when a startup is hiring its first few salespeople.
- How Rezilion determines if a salesperson is a good fit or not.
- Why it can be helpful to wait when it comes to scaling up the go-to-market.
- The internal roadblocks that startups face after their Series A.
- Why it’s important to be careful with the advice offered by investors.
Roland Siebelink: Hello and welcome to the Midstage Startup Momentum
Podcast. My name is Roland Siebelink and I’m a founder and ally for the founders
of the best, fastest-growing startup companies all around the world. And one of
them is in our studio today, it’s Liran Tancman of Rezilion. Hello, Liran.
Liran Tancman: Hello, Roland.
Roland Siebelink: It’s so good to have you.
Let’s talk about that startup that’s growing so fast. Rezilion. What do you guys
do? Who do you target? And what difference are you making in the world?
Liran Tancman: At Rezilion, what we do is we automatically help companies
deliver secured software, whether it is as a service, SaaS, or software they
ship. And what it means is with something called a dynamic software bill of
materials - we’ll talk about it in a minute - it allows us to in five minutes,
detect all the software you have in your applications, on your servers, on your
host, from development to production, understand what vulnerabilities, what
software risk is associated with it, and really focus on what matters. What we
usually see is that 85% of the vulnerabilities people are fixing are not really
attackable, they’re not exploitable, they’re a waste of time. We help people not
only understand what they have but focus on the 15% that matter. And then we
help them automatically fix those 15%.
The value is that you’re going to deliver secure software but you’re going to do
it in a fraction of the time and effort of your other tools. And our tagline is
“It’s about time” because what we do is we take time from attackers because now
you’re remediating risk much faster if they have less time to react. And we’re
giving you back your developers because no developers went to college to fix
software vulnerabilities. People want to build things. If we can take the time
spent on security and reduce it to a fraction, they have more time to be
innovative. And that’s also our impact on the world. The impact is that people
no longer have to choose between being secure and being productive and
innovative. We allow people to accelerate their innovation by making security
automated and easier.
Roland Siebelink: Exactly. Cut the drudge work out so that people can focus
on where they’re really making a difference. Okay, very good. It sounds like
your target customer is software developers. Can you expand on that a little
Liran Tancman: Actually, the buyer is usually the security team. So you
think of application security teams, information security officers,
vulnerability management, product security, because our usual customers will be
people in regulated industries. Software vendors, banks, IoT are pretty large.
There are people in the organizations that are responsible and they’re
accountable for the security of the software and service they deliver. Those
people have to work with developers.
We sell to the security team. But almost always, in the second meeting, there is
someone from the DevOps team or developers team that would be involved. In large
enterprises where you have big security and development teams, we start with the
security team. In smaller organizations, sometimes we just sell to the VP of
engineering, CTO that also owns security. Then it’s easier.
Roland Siebelink: In terms of the organizations you target, do you have a
sweet spot? Is it smaller organizations and then growing with them? Or is it
better to have a certain critical mass where your solution starts to pay off?
Liran Tancman: I would say our pipeline is half-half. But it’s a different
story for each. For a small organization, the first tools they buy - they didn’t
buy a lot of scanners, so they don’t even scan for open source issues, software
issues, et cetera. What I give them is two in one. Instead of buying a scanner
that would plod them with issues, we give them the scanner for free because we
can also act as a scanner. And we give them prioritization and remediation. The
idea is to do it right from Day One. Instead of buying multiple scanners and
then buying more tools to prioritize and more tools for remediating, just buying
one tool is better.
In large enterprises, they already have multiple tools. They have a scanner for
the open source code, for the containers, for the host. And there what we do is
if you like your scanner, we can just pull data from there and we will help you
prioritize and remediate and take action. It’s a different sale.
Another thing that is becoming important over the last year is - I don’t know if
you heard about software bill of materials, SBOM. It’s really being pushed by
the government. But like many other things in cybersecurity, things that start
from a federal level are quickly being adopted across industries. And SBOM is
now becoming a requirement. It means that you need to be able to show the people
who buy yourself or your service what it is made of. And our solution offers
what we call a dynamic software bill of materials. In five minutes, being able
to provide that and to keep it up to date and to show your auditors and your
customers not only what you have but the real risk, so they don’t think you’re
irresponsible. You’re showing them actually your risk is smaller. An SBOM has
become a use case that drives business for us over the last year, for both small
and big, on both sides.
Roland Siebelink: It does sound like the buyers, the organizations that you
target are mostly in regulated industries where those requirements are really
important. How did you enter those regulated industries? How did you even find
the first customers? What was your initial go-to-market looking like?
Liran Tancman: I have a friend that says the older I get the better I was.
What that means is that when you tell a story retroactively, it always makes
sense. But the reality is that when you think about the first five customers,
the first 10 customers, everything is different. One of them came because they
were friends. Another one heard from another customer.
The art of the first 10 customers is to find the common use cases. And the art
of building a repeatable sale is finding a common playbook. The first customer
is just very opportunistic. Where we are as a company now and where we spent the
last year after our Series A is taking the initial product-market-fit and making
it a repeatable sales cycle, and we could talk more about that.
Roland Siebelink: Exactly. That also aligns very closely to what you often
hear that the first sales have to be the founders themselves doing the sales.
Figuring out what is that common use case, as you mentioned, and how to
ultimately turn this into a repeatable playbook. Then what’s the next step in
your experience? On the people side, when do you start hiring your sales people
and what kind of salespeople do you start with?
Liran Tancman: For us, the first salesperson you bring is very different
than what you do afterward. For us, before the A, we had someone to lead sales
and their job was to find the product-market-fit with the product team. Yes,
it’s the founder who sells, but sometimes founders are not as good as
salespeople at listening. Having someone who tells the founder, “They’re telling
you it’s interesting but they can’t really buy it,” is very important.
I would actually bring a third salesperson as early as possible - and it needs
to be someone very special. It’s more about figuring out the product-market-fit.
And then what happens next is almost the opposite. What happens next is that all
those things that are great in the artistic phase of a startup’s life, which is
getting the first customers, figuring out the use case, et cetera, are actually
now becoming a problem. It’s almost like you’re moving from the right hemisphere
to the left hemisphere of the brain. Now it’s all about metrics and playbooks
The sales people you bring - I’ll say a few things that we learned in the
process. You need people with a startup background. We talked about the first
salesperson. The first real salesperson, it’s all about listening and being
creative and understanding how to sell it. Now you’re raising your A round
because you have a few customers and you’re bigger, and now you need to create
repeatability because that’s what you’re going to raise your B round on, a
repeatable sales cycle. You do that and now you need to start hiring more
salespeople. The first thing I will say is that if they don’t have experience in
that stage - A round - it’s gonna be very difficult. I think very often sales
people who work in large enterprises are used to having their meat hunted for
them. They just have to do the last thing.
You need someone who can hunt and prospect. Because marketing takes nine to 12
months to start producing inbounds. It means that the first year, sales reps are
going to need to bring their own food. Getting someone who has startup
experience, who has done that, and who won’t be shocked when people don’t take
his call and you actually have to chase them multiple times, that’s very
When to hire, I think the right thing to do is this - you have a VP of sales,
and then you’re hiring your first rep. Hopefully, by the time you hire the next
rep after the VP of sales, you need to have an enablement plan. I strongly
recommend that in the enablement plan, you have checks that are going to tell
you early if the rep is a fit or not.
For example, one of the things we did is that when a rep joins, there is a plan
with checked boxes that we’re monitoring in Salesforce. I did this, I saw this
video, I read this playbook. And then the second and third week are simulations
with other people in the company. And part of what we’re trying to see is are
they coming prepared to the simulations. Reps sometimes turn so quickly between
companies, it’s really difficult. Just to be honest, sales reps are very good at
interviewing because it’s their job to sell. But once they’re on board, just
having those checkpoints inside during the second or third week of the company
that the person is engaged, they can learn, they’re coming prepared to the
meetings, maybe sales will work. By the time you hire your first rep, have an
enablement plan ready for them. It doesn’t have to be perfect. You can tweak it.
But you must have an enablement plan.
The second thing is that you must have an initial playbook. And my
recommendation is have a playbook, optimize to some degree - don’t overdo it -
and then see how it works. I do one iteration, give it a few months, and I say -
every company has different leading indicators. For us, the most important
leading indicator is the POV schedule. Once a company schedules the POV driver
solution, usually there’s a good likelihood there’ll be a deal there because the
product self sells. You use it, a lot of work disappears, and you’re not going
to go back to the old way.
For every company, this indicator can be different. Because you don’t want to
wait too long - until the first revenue, it can take six to nine months for an
enterprise sales cycle. But you also don’t want to go too quickly because then
you are going to have to redo it and it’s very expensive. That’s how we think
Roland Siebelink: At Rezilion, what would you say is now the typical
timeframe in which you can determine if a sales person’s a good fit or not?
Liran Tancman: It’s much easier to determine if someone’s not a good fit
than if he or she is a good fit. And what I mean by that is if someone is just
not very engaged and the work habits are unusual, we’ll know in week two because
they’ll come unprepared to the simulation.
Three to five months down the road, if they didn’t schedule even one proof of
value, that’s a red flag. And then I would say seven to nine months, if they
didn’t really create revenue from the first deal they prospected - it’s not
something that was handed to them, they have to be there from start to finish.
Two weeks for work ethic, three to five months for being able to get the most
important thing, which is the POV, and then if they did it by then, then there
is a good chance they’re fine.
Roland Siebelink: For now, we’ve talked primarily about the go-to-market,
which is the big focus area after you raise your series A. How has the product
and engineering team been developing along and how much are you investing in
that? What is their focus? How has it shifted since you moved beyond series A
and are preparing for a B?
Liran Tancman: You raise your series A when you understand the use case
you’re going to fix. You don’t necessarily know the repeatable sales cycle, but
you do know what you’re selling and to who. I strongly urge companies when they
get ready for their series A, don’t go and dramatically increase your
go-to-market spending too quickly. Take the time to rethink the infrastructure
of the product. What’s missing for the product to be sales ready. And I think
that’s one thing we did. Looking back, I would probably wait more with scaling
the sales team until the refactor was done. Because once it was done, everything
became much easier.
The second thing is that as you zero to one of the concept, a lot of the
features become about enterprise readiness like monitoring, logging, better UI,
more reporting, more integrations. It’s less about the core. You continue to add
core functionalities. It’s about taking the MVP and making GA for the
enterprise, which can be big. There are a lot of things to integrate.
Roland Siebelink: Liran, how big can you see Rezilion become over the years?
Liran Tancman: That’s a big question. I’ll tell you what I think the
potential is. This cliche that software is eating the world. Vulnerability is
eating software and risk is eating software, meaning there’s so much risk and
what’s happening if you think about the big security revolutions over the last
few years, it used to be the classic firewall and then cloud security became a
big thing. Now you see huge companies like Palo Alto or the newcomers becoming
very big, very quickly because cloud is a thing. Now the same thing is happening
for software. We have regulators asking you to provide your software development
materials. Everyone is afraid about the software supply chain and open source.
How big is the market? Just to give you a sense, Gartner predicts that by 2026,
60% of the buyers will require companies to give them - their vendors to
present a software bill of materials and to disclose vulnerability. It means
everyone will have to do that. It’s one of those two. There will be 30 million
developers in the world by 2026. Everyone will need that. If you look at the
price just to give you visibility - not even prioritization, remediation - the
cheapest you would buy in the market today is $600 per year per developer. The
floor is somewhere around a $20 billion market size that is largely untapped and
is going to grow between now and 2026. There are really strong tailwinds from
regulators, and also unfortunately, by attackers; they’re exploiting software
now and the software supply chain. The answer is it can get as big as software
Roland Siebelink: Exactly. What’s the next roadblock you have to get out of
the way in order to be a winner in that space?
Liran Tancman: That’s a very good question. They’re internal and external. I
think when a company goes from A to B - the famous death valley of startups - a
lot of those roadblocks are actually internal. You need to put sales operations
in place, playbooks, processes, all those things that make a company a company.
Honestly, that’s been my main focus since the A round and I think we’ve cleared
it out the way. It was very hard. There are a lot of playbooks around the world
that tell you - a lot of literature on what’s a good self organization, what’s a
good culture. No one is really telling you how to get there. Maybe this podcast
is a good thing.
How do you take something - people will say, “You need to have a CAP repay
within 12 months.” Okay, great. I know the benchmark. How do I even get to a
point where it can talk about CAP repay? It is something that can be optimized.
Getting the nebula into a structure, so that then you can start optimizing it.
That’s I think the hardest part. We have developed our own framework that allows
us to converge the organization into something that can be optimized and
repeated, and I’m happy to talk more about that. But this is the hardest part,
and I think we’ve done that.
Roland Siebelink: Liran, you already mentioned before the older I get the
better I was. I think it was a quote from your best friend. As we have many
first-time founders listening, their startup may be close to getting to
product-market-fit, are just looking at what’s next, what’s your one point
advice you would give to founders in general?
Liran Tancman: The one thing I will say is try to keep your burn in the
place adequate to your current location in the maturity curve. What I mean by
that, there is constant pressure on an entrepreneur to spend more. You need to
hire your sales team quicker, you need to get a revenue number, you need to
blah, blah, blah. And then obviously when money is running out, there’s an
opposite pressure. It’s not healthy. And I think that the mistakes that I did in
the past were to spend as if I was in a more mature place than I actually was.
I will give you an example. We talked about hiring sales reps. As soon as you do
your Series A, an investor will say, “Hey, to meet the number, you need to hire
five reps now.” I did it. It’s a terrible mistake. I did it in the past. You
should not do that. You should see end-to-end, you’re getting one well before
you hire more.
Another example is on product. There will be constant pressure. People raise
their Series A after they get a handful of customers, their marquee customers.
And then they’re pressured to go and sell it. What I’m saying is take another
few months. Keep the burn low. Keep the burn and series-seed stage until you get
the product sales ready. What I’m saying is that as you’re achieving one
milestone, don’t take the burn to the next milestone burn. Make sure you can do
on a small scale what’s expected for you.
Roland Siebelink: Yes. And maybe related to that, do not just go with
whatever investors tell you to because they may have their own interests at
Liran Tancman: I don’t think investors’ advice is corrupted because of their
interests. I think it’s corrupted because of their position. What I mean by
that - if you are an investor, you are likely to make decisions. And then something
happens but you’re not necessarily involved in the weeds of it. The friction,
the time they mentioned, the space dimensions, all those things that make the
day-to-day life of an entrepreneur transparent to them. They don’t necessarily
see all the connection between the decisions you make and the results and the
time that factors into that.
You would see investors telling you one day do that and then it didn’t work, the
next day do that. But the reality is - think of the enterprise sales cycle; it
takes nine months. Listen to your investors - definitely listen to them because
they have a lot of perspective. But take into account that they’re not there in
the trenches and they haven’t been there for a while now. They don’t necessarily
appreciate the time it takes to understand if you even made the right decision.
Roland Siebelink: Very wise interpretation. And yes. I think maybe the
general point is to listen to a lot of people for advice but in the end realize
it’s you that has to make the decision, not them.
Liran Tancman: Yes. And try to minimize the cost of your mistakes. Again, my
biggest lesson and the biggest mistakes I have done in the past was - when you
keep your burn low until you know something works, whatever it is, think of
every expense in a startup, on the product, on the sales and marketing, then you
can iterate until you figure out, and the price of every iteration is going to
be low. Do you see what I’m saying? Assume that you’re going to evolve with
iterations and trial and error, and for every decision you make, try to find a
small version of it, iterate, and then spend the money.
Roland Siebelink: Exactly. I like that perspective of keeping the price of
the iterations low. Do the iterations while you still can because it’s not gonna
be with you forever.
Liran Tancman: Yeah. But it’s also for every stage. Because you can do this
on the product. But also when you hire your first sales and also when you do
your first channel, and when you’re going to do your first whatever expansion to
another territory. In every life of a startup, there are big decisions. And I
think what’s important is to try to iterate on them on a small scale before
committing massive weight to it.
Roland Siebelink: Yes, absolutely. What Jim Collins calls bullets before
cannonballs. Very good.
Liran, this was an amazing interview. I’m so glad you could make it. People that
have made it all the way to the end of this podcast, how can they help Rezilion?
What should they look for? Where should they go to figure out more?
Liran Tancman: If you watch this podcast, probably you are building some
kind of software. As such, you probably want your software to be secured. You
also need to be able to show your customers your software is secured. And by the
fact you’re looking at this podcast, probably you do care about your resources
because you’re in a startup. If you want to spend a lot of money and a lot of
time to be secure, don’t call us. But if you want to have a tool that will help
you to automatically be secure, reduce the time developers are spending on it
but still be able to show your enterprise customers that you have top-notch
security in your product, then call us and we’ll be very happy to help you.
Roland Siebelink: Okay, perfect. Can you remind us of the website?
Liran Tancman: Yes, www.rezilion.com. R-E-Z-I-L-I-O-N dot com.
Roland Siebelink: Perfect. Okay. Thank you so much, Liran Tancman, CEO and
founder of Rezilion, calling us from New York today. It was an absolute honor
and pleasure to have you on the podcast.
Liran Tancman: Thank you very much. Thank you for those questions. It was a
Roland Siebelink: Thank you so much.
Roland Siebelink talks all things tech startup and brings you interviews with
tech cofounders across the world.