BY ERIC DAVIS, Cofounder Arxan Technologies, Inc.
Lesson #1: The founding team is more important than the technology.
In early 2001, we were “surviving” the Dot Com bust at Copient Technologies with a smaller, leaner team. My time was not being fully utilized at Copient so I started to look for another technology to incubate and run with. Since I had previously worked at Purdue’s Office of Technology Commercialization (OTC), I contacted my old colleagues at Purdue and said, “Do you have anything that has promise?” Karen White, who was managing all of the software technologies for the Purdue Research Foundation, and I had lunch and she pitched a Dept. of Computer Science technology to me called “software guards.” I immediately knew what technology she was referring to, because two years earlier Mike Atallah and I had met when he originally disclosed the technology to the Office of Technology Commercialization, where I was working at the time as a technology manager.
Karen arranged a meeting between Mike Atallah, Hoi Chang, Tim Korb, John Rice and myself. Fortunately for me, the four of them had been talking about starting a company already, but didn’t feel any of them could really leave their positions at Purdue to invest the kind of time it required, and Hoi was not finished with his graduate work yet. Shortly after that meeting we formed Arxan Technologies, Inc. and set off to build a great company.
At the time, I had three children, and my wife Melanie was still recovering from a terrible car/train accident that left her unable to work for a year, and no real income. I was also still involved with Copient Technologies, but had to go on an “unpaid founder” status in order to ensure we were able to bootstrap through the dot com chaos that was still playing out. Nonetheless, the founders of Arxan were excited and confident.
We only had a very rudimentary proof of concept. We didn’t even have a working prototype. However, we knew we needed some money. My family couldn’t go much longer without some income, and we didn’t have any money to build the prototype. I reached out to a friend of mine, Chad Barden, who had just beaten the bubble with a fantastic exit of Nuron, LLC to Intel for a big number. This was a Notre Dame start up. He introduced me to some “Irish Angels,” including Rich Earley. Shortly after the intro, Mike Atallah, Hoi Chang and I went to pitch Mr. Early. I expected him to be an old guy, but he was my age.
Rich was excited about the opportunity, and not only became our first investor, but became our CEO. He invested $200,000 in seed capital and we soon hired our first engineer, Susanto Irwan. Shortly after this we realized two things: how powerful the technology could be; and how difficult it was going to be to build. We knew we were not going to make progress without more engineers so we hired three more graduate students from the Computer Science department. They worked day and night to help us build a prototype, albeit a very crude one.
At that time, Rich and I knew the $200,000 was not going to last us very long so we started to “pitch” Arxan to the VC world. We flew to San Jose, and I got my first taste of the infamous “Sandhill Road” in Menlo Park, CA. We also visited Chicago, and Connecticut. Despite the tech heavy Nasdaq losing half of its value between the beginning of 2000 and mid 2001 we were determined to raise capital, and Rich had the right connections. We thought we had a better than average possibility (although average in 2001 was slim to none), because 9/11 had everyone interested in security, including cyber and software security.
We finally received a term sheet from Trident Capital for a $3 Million investment. The terms were a bit hard to swallow at the time, but we knew we were not going to make it without capital. Mike Atallah and Hoi Chang were absolutely brilliant in the due diligence. Trident hired the best and brightest they could find to beat up on the technology and concept, and each time Mike and Hoi shined. We learned a valuable lesson that would later pay off many times: Mike and Hoi were our secret weapons whenever the other side wanted to see how smart we were. They didn’t have a chance as long as Mike and Hoi were with us. This was one of the smartest founding teams that I have ever been a part of (excluding me), and genuinely nice people. We had a lot of faith in each other.
Lesson #2: Stay Relevant — Always!
Once we took on the Series A investment from Trident they (Trident) wanted to make some changes. I was the COO, CFO, and pretty much everything in between. They did not feel we could find the “right kind of talent” in West Lafayette, and moved our entire engineering team to San Francisco, 700 Market Street. I was told that it would be best for my career for me to also move. Rich was honest with me and said that if I didn’t continue to find a way to stay relevant, the VC’s would eventually move me out. However, the compensation difference between West Lafayette and San Francisco just didn’t work, and I was already taking an extraordinary amount of risk, so I decided to stay behind. My wife’s and my families were also here, and leaving them just didn’t seem right. I was confident that I and the other founders could find a way to “stay relevant.”
Lesson #3: Success feeds success.
In an effort to encourage commercial software vendors to consider utilizing Arxan’s technology, our professional services group began to offer “Red Team” services. Basically a Red Team was a group of very good hackers. We would tell a potential customer, “give us your code and we will break it.” In one particular case we travelled out to the west coast to talk with a very large software vendor that was supporting a digital rights management solution that was being utilized by many of the music download companies. They were very confident in themselves and downright condescending to us, believing that there was no way a bunch of “kids” from Indiana could be smarter about security than they were.
It was good timing because they needed to get a third party to try to attack their system and report back. We talked them into a six figure services contract and the conditions were that we would get the executable code and that was it. We had to attack the code just as any other hacker would. They thought the best we would be able to do is exploit known vulnerabilities in these systems and copy music as it was playing, thereby creating a new copy of one song at a time. This attack was known, and they did not view it as a significant threat. They really didn’t think we would be able to automate much due to the protections they had in place.
However, what they were very concerned about was a “BORE” (Break Once Run Everywhere) attack. This would be an attack that could be automated and distributed so that anyone (without hacking skill) could run a program and get an unprotected copy of a song. We were given three weeks, and were to give them an update on a weekly basis.
After the first week we really had not made much progress that was tangible. Our team was not going for the easy hack. We wanted to destroy the protection. The goal was to completely reverse engineer the protection and dismantle the entire thing. However, this was a very big challenge given the size of the code and the level of protection. In our first meeting with the team from the software company they were condescending and even suggested that we were incompetent because we weren’t going for the “easy” score. We said we are trying to develop a BORE attack. It was a pretty ugly meeting, however, our team was more energized than ever to break the code. A few people, Jim Vaught & Eric Bryant in particular, I don’t think went home for the next two weeks. They lived and breathed this task. It was almost like a scene out of a spy movie. Our guys were using very sophisticated tools and skills to break the code.
In the end, we distributed a tool to our client, complete with a User Interface. The tool’s name was “UN ProtectIT” and it would automate the removal of the digital rights management protection of an entire library of music or videos, in a matter of a few seconds, without any loss of quality.
The next morning we had our weekly conference call, and the client’s team had a completely different tone. A few years later I talked to someone from the client and they said that our team was “legendary” among that group within their company. We were able to accomplish what no one else in the world had done. This tool was destroyed after the contract, but had the potential to really harm the client, and they had a newly gained respect for us. This was a great confidence booster for us, and really helped push us into a new direction. We started to realize that we were able to do what no one in the world had done. We all realized just how special the team we were building was — now we just had to find a market that was ready for our talent and technology.
To celebrate we took the entire team from this effort to Las Vegas for the “Black Hat” conference. A good time was had by all.
Lesson #4: Find a market that is ready for you.
We all initially thought that software guards were THE cure to software piracy, which by all accounts was costing the software industry billions annually. We had all the contacts in the big software companies and thought once we explained what we could do for them we would be an instant success. Our entire business plan and model was based on protecting software and music from piracy.
We were flying all over the country and even one international trip to Tokyo to pitch Sony. Even though I didn’t have a software or engineering background, I picked up on much of the technology, because Mike Atallah was a great teacher. However, whenever the prospect would bring in the “big brains” we would bring in ours: Mike, Hoi, John and Tim, and it was always a slam dunk.
We would always leave with a strong sense of accomplishment, but there remained skepticism and reluctance in the commercial market for many years, in part because our solution was very difficult to use and integrate into the established software development lifecycle. Also, everything that had been tried before by our prospective customers was always quickly defeated by the pirates. We needed another vertical market. The commercial market would end up taking nearly 10 years to grow, and it was really only after the mobile market exploded that “app security” became Arxan’s commercial niche.
The founding team, including myself, were relatively busy after the move to San Francisco, engaging with prospective customers and venture capitalists. We took on more of a Business Development role. However, I could not forget the “stay relevant” advice given to us early on in our funding process. One day we came across an article that talked about the Defense industry’s need for “anti-tamper.” The story was about an aircraft that went down in China in the mid 90’s, and how China was able to reverse engineer the entire plane and acquire many of its secrets. Following that incident the federal government established standards for all critical systems. These systems needed to resist these types of reverse engineering attempts.
After discussing this with the “big brains” we felt that Arxan’s technology was a perfect fit. We submitted a proposal for an Air Force Broad Agency Announcement (BAA). We won our very first attempt at a federal contract. We later found out that this is highly unusual. Our first project was simply to collect data on how hackers attack software. We hired Computer Science students at Purdue and then assessed their ability to reverse engineer software. We called the initial test “HAT” for Hackers’ Aptitude Test. Once we identified a core group of about six we gave them access to various hacker tools and observed them. What we learned was provided to the Air Force, but more importantly we identified our future employees in these students and hired nearly all of them. We also learned many new software attack scenarios that proved invaluable in designing our future product line.
The Air Force was ecstatic with our work and gave us another contract. We then started to grow our Defense vertical. Since we needed access to Mike Atallah, Tim Korb and John Rice (the “Big Brains”) we were able to convince the Board of Directors that we could grow a small team in West Lafayette. Our success continued. The anti-tamper guidelines became a mandate and we were able to begin to penetrate the big Defense vendors. Within a few years we were able to count Boeing, Lockheed Martin, Northrop Grumman, the Air Force, OSD, and many others as our customers. We grew our team in West Lafayette from just me to nearly 50, mostly software engineers. While the company wasn’t profitable, the West Lafayette Defense team was producing over several million dollars per year in profit by 2006. At this point, we definitely felt we were “relevant.” Rich Early and Robert Moriarty, an early Arxan employee and Army veteran, were spending most of their time courting large defense contractors. When it came time to raise our next round of capital Rich was able to pull in Paladin Capital, and get Ret. Gen. Kenneth Minihan, former director of the National Security Agency, to serve on our Board of Directors. Any question about our relevance to the Defense sector was now answered.
Our work for the Defense industry continued to grow during this time. The Defense industry did not like our “dual purpose” engineering efforts and strongly encouraged us to separate our defense efforts from our commercial efforts. Sometime around 2005 or 2006 we started Arxan Defense Systems, a wholly owned subsidiary of Arxan Technologies. All the employees of Arxan Defense Systems were required to go through appropriate background checks. We were becoming a big player in the Anti-tamper world, and felt we could continue to grow the business. The best part of this was that we proved the VC’s wrong. Our Purdue team was now bigger than our San Francisco team, and certainly as productive, and of course much cheaper. We certainly had some very talented people in San Francisco, but our West Lafayette team was beginning to develop the reputation as the world’s best.
Lesson #5: Keep at it, eventually the luck will turn in your favor — The 12 year old startup.
Despite the success in the Defense market, we were not having similar success in the commercial sector. Our product was deemed too hard to use, not available on all the necessary platforms, and it was very hard to change the mindset of large software vendors like Microsoft, Apple, etc. who thought that they were the smartest people on the planet.
Every time we would meet with a potential customer we would realize another chipset, compiler, or operating system we would have to support, and while our sales were not growing our sales force and commercial engineering teams were. Even though we were producing nearly $3M per year in profit from our Defense market efforts, the company was still losing a lot of money. By 2006 our total staff was over 75 and rising. Our Defense market success could not keep up with our growth in expenses, and we needed to either cut or raise money.
The original founders, including Rich Early, proposed a bold plan to make cuts, and live off our defense revenue (get to cash-flow break-even) in order to let the commercial market mature. Unfortunately, we were outvoted in this effort and our Board of Directors decided to push the pedal down even more and go after the commercial market. They (Board of Directors) brought on a commercially focused CEO, and we took on an additional ~ $13M in capital. The Board of Directors was fully focused on the commercial market. Shortly after this, I decided to once again begin a new venture and left Arxan in 2007 to start Kylin Therapeutics, another Purdue start-up.
Unfortunately, the founders were right about the commercial market taking time to mature. By late 2009 Arxan was again running out of money — this time the market conditions were much, much worse for raising capital. Additionally, by focusing so much on the commercial market the defense market was neglected and sales began to fall. To raise more capital, Arxan sold off Arxan Defense to Microsemi, a necessary move, but not at an optimal value. This was hard for many of the West Lafayette team to take, but fortunately, Microsemi has kept all of those employees in West Lafayette, and they have since grown and are doing great. This was now the 2nd recession that Arxan would ultimately survive.
By 2010 things were getting pretty tough financially, but Arxan had now mostly completed the long and very expensive effort to make the technology available on a large number of platforms, including all of the major mobile platforms. With the rise in use of mobile devices for business applications, security soon became a chief concern for executives of enterprise companies, and Arxan finally started to gain some traction. By 2012 Arxan’s technology had been deployed on more than 300 Million devices. It took over 11 years for the commercial market to really take off and for the company as a whole to become profitable. Many of the founders really lost hope that Arxan would be able to sustain long enough to make a real go at the commercial market, but the mobile market was really blowing up. Arxan was ready with the right product. With interest rates still at historical lows, private equity firms began to really start acquiring profitable companies that had the potential to produce good income and growth. With Arxan being profitable it was good timing to get picked up, and our investors were certainly ready, with some, like Trident, being in since nearly the beginning. In September of 2013, TA Associates acquired Arxan for a much larger sum than I ever thought possible. After 12 years the “exit” was finally here. Since the sales price was not disclosed the event had very little press coverage, including locally. If you have really smart people they will figure out a way to become successful — or perhaps keep trying until the luck turns in their favor.
I am so grateful for all of the experiences I gained, and most importantly for the friends I made along the way. I am constantly reminded of just how special that group was/is. They really were the “best in the world.” I have no doubt about that. I hope we all get to work together again sometime in the future.
Arxan Technologies sold to TA Associates on September 17th, 2013, in an undisclosed private sale. TA Associates is one of the oldest and largest private equity firms in the world with over $16B under management. Arxan will continue to operate all of its current locations in: Bethesda, San Francisco, West Lafayette, London and Tokyo.
Arxan Technologies, Inc. was co-founded in 2001 by Mike Atallah, Ph.D., Tim Korb, Ph.D., John Rice, Ph.D., Hoi Chang, Ph.D. and Eric Davis. The technology pioneered by Arxan originated out of joint research of Atallah and his former Ph.D. student Hoi Chang. The technical core of the approach was developed in the late 1990s, and was later published in the paper:
Hoi Chang and Mikhail Atallah, Protecting Software Code by Guards, Proceedings of the ACM Workshop on Security and Privacy in Digital Rights Management, Philadelphia, Pennsylvania, 2001, pp. 160-175.
The technique consists of automatically injecting into software self-protective mechanisms (“guards”) that make it difficult to tamper with the software and to maliciously modify it. In a trusted and non-compromised computing environment, this task of integrity-protection is done with digital signatures, but in many situations the computing environment cannot be relied on for this protection and can itself become a source of mischief, possibly because of a remote break-in through the network, or a malware infection, or because the computing device is under the physical control of the adversary. In such situations Arxan’s approach offers a powerful alternative: software that can protect itself from a compromised environment. Another attractive feature of the Arxan approach is that the protection mechanism is lightweight and does not cause undue slowdown or increase the size of the protected software.
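
To make the idea of guards concrete, here is an added example that is not Arxan's code or the paper's implementation. It assumes a program can be modelled as a byte string and a guard as a SHA-256 check over one region; the layout, the guard names A, B and C, and the helper functions are all hypothetical. The guards watch each other in a cycle, so removing one guard is noticed by another.

```python
import hashlib
from dataclasses import dataclass

NOP = 0x90  # filler byte used here to model code that has been patched out

@dataclass(frozen=True)
class Guard:
    name: str
    stub: tuple      # (start, end) of this guard's own code in the image
    covers: tuple    # (start, end) of the region this guard checksums
    code: bytes      # original stub bytes (simulation bookkeeping only)
    expected: bytes  # digest of the covered region at protection time

def _digest(image, span):
    return hashlib.sha256(bytes(image[span[0]:span[1]])).digest()

def protect(payload: bytes):
    """Build a constructed image [stub C][payload][stub A][stub B] and its guards."""
    stubs = {n: f"<guard-{n}>".encode() for n in "ABC"}
    image = bytearray(stubs["C"] + payload + stubs["A"] + stubs["B"])
    c_end = len(stubs["C"])
    p_end = c_end + len(payload)
    a_end = p_end + len(stubs["A"])
    b_end = a_end + len(stubs["B"])
    plan = [
        ("A", (p_end, a_end), (0, p_end)),      # A checks C's stub and the payload
        ("B", (a_end, b_end), (p_end, a_end)),  # B checks A's stub
        ("C", (0, c_end), (a_end, b_end)),      # C checks B's stub
    ]
    guards = [Guard(n, stub, cov, stubs[n], _digest(image, cov))
              for n, stub, cov in plan]
    return image, guards

def run_guards(image, guards):
    """Return the names of guards that detect a modification."""
    fired = []
    for g in guards:
        # A guard whose own stub was overwritten no longer executes its check.
        intact = bytes(image[g.stub[0]:g.stub[1]]) == g.code
        if intact and _digest(image, g.covers) != g.expected:
            fired.append(g.name)
    return fired

def patch(image, span, fill=NOP):
    """Return a copy of the image with span overwritten, modelling tampering."""
    out = bytearray(image)
    out[span[0]:span[1]] = bytes([fill]) * (span[1] - span[0])
    return out
```

In this model a change to the payload trips guard A, and overwriting A to silence it trips guard B, which is the property that makes a single patch insufficient.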