The Veracode journey — origin and introspection

Maria Cirino, Christien Rioux, Bob Brennan, Chris Wysopal, and Jeff Fagnan

By Jeff Fagnan, Founding Partner, Accomplice

Today, CA Technologies announced it had acquired Veracode for north of $600m. Veracode stands as the undisputed leader in the Sisyphean challenge of securing the world’s software. The phrase “software is eating the world” emerged in 2011, and it has only accelerated with the rise of mobile apps, cloud-based delivery, and Internet of Things. Everything and everywhere today is software, and Veracode has been there every step of the way securing applications for thousands of customers and software vendors including the majority of the Fortune 100. But like many technology stories, Veracode had both a humble and auspicious beginning.

2005: roots

Veracode founders Christien Rioux and Chris Wysopal today

In 2005, both Babak Nivi (founder of AngelList) and Eugene Kuznetsov (founder of DataPower) introduced me to Christien Rioux (AKA DilDog), heralding him as the smartest developer hacker they knew. Christien and Chris Wysopal (AKA WeldPond) were at Symantec at that time via the @Stake acquisition the previous year. Christien and Chris were originally part of L0pht, a MIT hacker collective in the late 90s and probably the world’s first viable hacklab.

Dil and Weld wanted to spin out some of the tech and IP developed at @Stake from Symantec. The tech was essentially an automated solution for identifying security vulnerabilities in software applications that looked beneath traditional source code analysis to identify the root cause of security flaws.

The spinout from Symantec was a long, nuanced, and trying process. It took almost eighteen months start to finish. I led the charge on the spinout negotiations and had over 20 meetings with Symantec corp dev. We fought over IP, royalties, key personnel, MFN, right of first refusal, and more. I was unwilling to compromise on anything that could potentially hurt the company later. While we weren’t negotiating, we were building the original vision for a cloud based security offering focused on application assurance and certification. Early on we partnered with Maria Cirino, who joined the guys as their sherpa and guardian angel. Funny enough, Maria had competed against Chris/Christien previously when she was CEO and Founder of Guardent and neither side was initially very excited about meeting, never mind working together on an actual company.

At the time, Maria was in process of starting a venture capital firm (now .406 Ventures), and she and I had an ironclad social contract: she gets Veracode off the ground as founder and the initial CEO; in return, she has first rights at investing in Veracode and I help her in her VC efforts in any way I could. Veracode wouldn’t be around without Maria’s patient leadership and vision and she remains my favorite co-investor today.

2017: lessons

Sam King, Veracode CSO

We started Veracode when I was a young partner at Atlas, and ten years later I couldn’t be more thankful for the journey. We took on a very hard technology project (something that some, like Harvard Dean of Computer Science Mike Smith, deemed impossible) that had tangible benefits to society.

A few of the lessons from the expedition have served me well:

1. It’s never a straight line.

Startups are all about embracing change. Committing to a specific long term solution is impossible; it’s more important to commit to the problem area. Software development and software itself have changed a lot since we started Veracode. We had to revise the original tech platform many times and have also had to do the same with our go-to-market leadership and approach.

2. Stick with your individual conviction.

Barry Fidelman, Partner Emeritus at Atlas/Accomplice, solely focuses on people and big market problem areas. Once Barry has these things in an investment, he is “Steady Eddie” on the controls. Veracode definitely had its challenges: the tech took three times longer to develop than we anticipated, and the market adoption was initially slow as customers had to work very hard to be customers. When one of the original venture firms decided they had enough and stopped funding the company, Maria and I simply looked at the market opportunity and the substrate of the team and wrote the next check (increasing our ownership significantly).

3. The bigger they are, the harder they are to grow

I used to think everything was easy peasy once a startup achieved $100m in revenue. I have the good fortune today of sitting on the board of six companies that are greater than $100m topline run rate (I was on the board of all them pre-revenue). It’s a complex endeavor to try and grow a $100m company at the same trajectory when it was $10m. It’s a tough challenge to go from 200 to 500 employees and keep the same special culture when you were scaling 20 to 50. Furthermore, each new entrant in the market is trying to knock you off your lofty perch. Each phase has its unique challenges and own set of startup laws of physics.

Today is bittersweet for me. I enjoy building and growing companies and don’t necessarily enjoy selling them. I was pulling for Veracode to go public and be a standalone flagship in the New England tech ecosystem. But I know I romanticize the venture craft too much and want every one of our companies to be big, beautiful, and sustainable.

Today is a great outcome for everyone involved. I would like to personally thank Christien, Chris, Maria, Bob Brennan, Sam King, and Ed Goldfinger for their tireless efforts and resilient leadership. So many others deserve huge props, thanks, and attribution. The list is very long and I could never do everyone justice, but a few special ones to me are Sim Simeonov (original co-investor from Polaris), James Socas (head of corp dev at Symantec at the time), Matt Moynahan (first CEO), and Jim Cash (independent board member). Thank you.