How we became Pioneers after our fourth try
Read Pioneer’s blog post announcing the SafeTalpa team as winners.
Just a year ago, my co-founder and I had the idea of starting a cybersecurity startup. He had just conducted some research on computer forensics and told me “static and dynamic analysis are outdated techniques to detect malware, we should build a machine learning-based anti-virus”. Despite the fact that I was doing my undergrad thesis and that I was working part-time as a software engineer at the time, we converted my dorm room into our office, consistently started working every Saturday, and eventually full-time.
A year, six iterations, and $49,000 USD in funding later; we have built something our users love. We’re simplifying financial fraud protection, with a Linux service that helps merchants maintain PCI compliance.
This would’ve not been possible without Pioneer, a community of creative people working on game-changing projects all over the world. It’s a social network for maximizing productivity. There are really good posts about other people sharing their experience playing Pioneer here, here and here.
We started playing in December 2018, right after our first iteration. Pioneer builds a really interesting feedback loop based around 2 premises: being crowdsourced and being anonymous on one side (when someone judges some project, they don’t know which person is behind such). Even if not everyone playing is a cybersecurity expert, this makes feedback really honest.
Here’s an example of the feedback we got when we were building an anti-cryptojacking desktop app (iteration #2 of SafeTalpa):
Then after repeating this exercise for 4 tournaments (that is 18 weeks playing), for over 7 months (because tournaments weren’t continuous before), listening to our advisors, and mostly listening to our customer base; we organically came up with this new concept.
Now let’s walk through the evolution of our product, and what the main driver to find the next iteration was.
Iteration #1
This is pre-Pioneer. Covering all threats that traditional anti-viruses already cover, just that with a new technique, wasn’t viable business-wise. That’s why we decided to change and focus on protecting SMEs from cryptojacking. We chose this because someone really close to me got cryptojacked and because it’s an emerging threat.
Iteration #2
This was after our first tournament. We had the insight that building the solution at the browser level, we would be able to analyze more variables and we would be able to build the ultimate anti-cryptojacking solution.
Iteration #3
Other Pioneer players were telling us in different forms, that we had some sort of product-market-model-fit issue. This made us have some doubts about our model so we decided to raise our pricing, but what happened is that we stopped selling. We made several hundreds of dollars in revenue with this iteration but we knew we didn’t have product-market fit in its greatest definition.
During our second tournament, we used Pioneer’s Board of Advisors to contact Guillermo Rauch, CEO at Zeit. He convinced us that the era of consumer-oriented cybersecurity was over and that we should build a developer tool. So we iterated to an anti-cryptojacking API.
Iteration #4
We started going to the cloud provider market with our solution and quickly found out that only a really specific set of cloud providers suffer from the consequences of cryptojacking. We still had doubts about our product.
We still thought that building a developer-oriented cybersecurity tool was a brilliant concept that would save engineering teams hundreds of thousands of dollars.
In the past, we have used platforms that have had financial data breaches, and we knew that these incidents happen because these platforms don’t do a good job maintaining PCI compliance. Because of this, we decided to build a PCI compliance maintenance API, focused on cloud providers. This way, the cloud provider would ensure that all the code deployed to their infrastructure would be PCI compliant.
Iteration #5
As our potential customers, cloud providers actually wanted to use our software to resell as an extra security feature that certain kinds of their customers would need. That’s why after our third tournament we said, “let’s go for the companies that actually suffer from not being PCI compliant”.
We started sending cold emails to merchants (companies who handle cardholder data directly) and got a 46% open rate and 10% response rate. Taking into account that the open rate average for the industry is 22% and that all the responses were really positive, this was an early sign of product-market-fit for us. We started getting feedback and kept building on top of that.
Iteration #6
We kept reaching out as many potential customers as we could, and we were having lots of success doing that with this new concept. Our latest change is based on conversations with this user base, which is kept the same in this iteration, but we’re not building an API anymore, we’re building a Linux service. It’s an easier solution to integrate and it has better security.
With all this progress, we were able to reach Level 6 and become Pioneers.
Pioneer is a great feedback loop
In the end, Pioneer isn’t a tool to validate product-market-fit (unless your user base is a big subset of Pioneer’s). However, it can tell you whether you’re on the right track or not. For instance, compare the feedback we got our first week, with this one:
When you repeat this exercise a lot of times, you end up with a really interesting product. Pioneer is great guidance for this process.
If you would like to learn more about our startup journey or just cope emotionally with us, please follow me on Twitter.
If you’re an online payments/cybersecurity expert and would like to give us some feedback, please email us at info@safetalpa.com
If you want to learn how your company can maintain PCI compliance in a cost-effective way, please email us at sales@safetalpa.com
