After the dust settles and a startup fails, there’s an odd period of self reflection to figure out what went wrong. It’s usually fairly obvious and you wonder why you didn’t see it earlier — or why you ignored the elephant in the room for so long. I have to remind myself that “startup” as a term is a misnomer— they should be called “shutdowns” just to set the right expectation level.
I’ve been around the tech startup scene long enough to have the hardened shell and morbid sense of humor needed to survive the whole thing. Even so, after witnessing so many startup misfires, my most recent failure was still eye-opening even for a cynical, seasoned veteran. What happened?
“A really good idea”
We build software solutions for other companies in our day jobs, and we started this venture on the side. It was a simple idea — our product makes WordPress websites unhackable, scalable and very fast.
Like many startup ideas, this arrived on our laps by accident. In every client project there’s always a website at the end, and it’s always WordPress. The client usually has an agency or a template they want to use and we help them set up a server somewhere as a final deliverable. It’s the last push over the finish line.
If you don’t know, WordPress is the outdated disaster behind most of the world’s websites and it’s a toxic wasteland from a security perspective. There’s really little you can do to solve the problem from within the WordPress platform, though that’s where most of the existing security and performance products live. Our product took a different approach, putting a nuclear bunker around your WordPress install and handling the site delivery separately.
Update: more details at Building Sandcastles and Securing WordPress.
The implementation was simple. As a AWS-based company, we use enterprise-grade, reliable tools all the time, so for this we employed WAF, DDoS and edge services to do the heavy-lifting and take your ticking-timebomb WordPress server off completely the Internet. It’s pretty easy really.
WordPress doesn’t scale horizontally like a modern application and it has no real security baked in. If you can imagine all the apps on your phone had the ability to take over the hardware and do anything, that’s how WordPress is designed — Apple and Google would be dealing with phones bursting into flames everywhere. It’s awful. We built this as a safety wrapper and deployed it to client sites automatically without really telling anyone, just to avoid the embarrassment of clients getting hacked or their sites falling over because a product is successful.
Within a few weeks we had 10 websites running on this solution.The clients loved it, the sites were blisteringly fast, and every security expert we engaged was a little mystified that there were no servers to hack and all the classic WordPress issues were mitigated. Once installed, the product worked just fine and I had a whole product roadmap of future features and improvements to target ecommerce, other CMS systems and the broader website ecosystem. I mean, I really had a good plan because who doesn’t want their website to be faster and unhackable?
By August we started to dedicate much more time to this project and my partners developed business plans, go-to-market strategies, slide decks and all the other fun stuff that makes you a legit startup.
The day you are a paper millionaire
Within very little time, we had a fully working product, a dozen websites and my co-founder was doing amazing work at raising interest levels among VCs, angel investors and other business influencers she knew. By the end of September we had verbal offers of investment from a simple pitch deck and were meeting with some significant people every couple of days. My diary was filled with pitches, demos and Q&A sessions.
If you’ve worked at any startup, you’ve likely had a day when some Valuation Black Magic (VBM) happens and you end up being comfortably rich. That day happened when an investor casually offered $150,000 for a 10% stake of a company with no revenue. That made my part worth $750,000 in just the first round and we all know what happens in subsequent investment rounds.
We excitedly started planning elaborate financial spreadsheets, incorporation documents and legal agreements. Who knew that we could strike it out of the park on the first hit? But every meeting had gone well — everyone liked the idea, loved the solution and showed interest. For the first time in any startup I had seen, we hadn’t been told to get out of an office or that the idea was a total waste of anyone’s time. It seemed like all the pieces were in place.
The financial offerings were contingent on finding a handful of paying customers, which seemed a small hurdle. We researched the competitive landscape and believed most companies would be willing to pay $50-$100 a month for something that would secure and permanently accelerate their websites with no configuration or ongoing management.
This also coincided with daily news about WordPress hacks, major security breaches and hackers everywhere. The general push for SSL on every website, the crippling fear of GDPR and its implications for websites, and Google’s push for greater speed for mobile users — these all played into our hands and emphasized the need for our product.
The first paying customer
My co-founder had found a promising seam of willing target clients who were a perfect fit. The first was a large web agency that managed dozens of client websites and had serious SSL certificate installation problems on their own client sites. The product demo’d well with their CTO and CEO, and they were eager to try it out.
I provided the setup instructions, which only required a DNS change to authorize the new SSL certificate and to point the domain name at our infrastructure. The change itself took minutes, but then days went by, emails were ignored and calls went to voicemail.*Crickets*
But not to worry — we had others. One security company showed interest and their CEO said ‘yes, yes, yes’ to everything, wanting to get the product online yesterday. We hurriedly prepared the ‘pre’ report showing the speed and security issues of their site, and sent along the DNS changes needed. *Crickets*
And this kept happening. We figured there was some resistance to DNS modifications so we tweaked the product to eliminate any downtime and to create a staging site where the client could see the new-and-improved site, for comparing speed and security metrics. *Crickets*
Why is nobody answering our calls?
I started to feel there was something seriously wrong in early October. Despite all the interest, the promising meetings, the fantastic demos and the glowing speed and security reports, nobody came back to us. From nearly two dozens hot leads, the road went nowhere.
We went through a phase of self-analysis that led to a number of questionable conclusions. Maybe it was the product name? Maybe it was confusing, poorly explained or too complicated? Maybe we lacked credibility? Maybe the product made too many claims and needed splitting up so customers could choose the features, instead of getting everything in one shot?
We explored each of these issues and created new decks, new landing pages, new content to the point where it becoming internally confusing what we offering on any given day. We finally had some compelling business cases where we could show a 15 second page-load on mobile reduced to 3 seconds, or a reduction in WordFence attacks from ~15,000 a month to zero. Still no interest.
Several people I’ve known for a long time had also stopped responding to me. Meetings were always planned for “next week” or postponed until“after the holidays” which I knew was always code for “never”. Even people who had reached out to me showing rabid initial interest went cold and it was clear they didn’t want to hear from us anymore.
After several weeks of spinning our wheels, I contacted all the leads with an anonymous survey to find out why none of them had taken action? Would anyone tell us honestly what the problem was? Still we got nothing back other than how great the idea is, and how it’s so smart, wonderful, advanced, yada yada whatever.
The day you can’t afford a cup of coffee
If you’ve worked at any startup, you’ve likely had a day where you realize you are dead. You are walking, breathing, looking around and suddenly notice that you a no longer in the land of the living. It’s a weird moment because it’s sudden, scary and tragic — and also strangely unavoidable.
For us that day came in early December. One of the early companies that showed interest responded to an email about making a DNS change. It had been two months but now they were ready.
We had lost all illusions about $50–100 a month and were examining the viability of the business at $20 a month. For $20, you even got a free SSL certificate! When we asked what they would be willing to pay for this service, their answer effectively ended the business:
“Oh, you mean we have to pay for it? We thought it was free.”
And they weren’t the only ones. We could never get to that first paying customer, so we could never realize the investor money, and my million-dollar valuation evaporated. While I probably never really believed it was worth a million dollars, I also didn’t think it was worth nothing.
After that, the VC meetings started to get into a weird territory. One wanted us to rewrite everything for Magento (while simultaneously fixing the their own WordPress site for free), while several concluded it “wasn’t investable” because we just needed to find customers.
The hard lessons learned
Our product was built and it worked. It solved a major problem with WordPress sites using enterprise infrastructure. It had a dozen happy businesses in the beta and it never failed, fell over, glitched or did anything but what it said on the box. I met with a few mentors to see what on earth we were doing wrong.
“Security products are impossible to sell,” said a seasoned software veteran who had worked for two large security startups. “People won’t pay for it, they don’t understand the problem and never think they’ll get hacked. It’s impossible.” His short 10-second explanation mirrored everything we had seen.
“Nobody cares about speed unless it’s ecommerce,” said another. “You can only charge for this if it saves 10 times the money somewhere else.” Again, this mirrored a question we’d had before about what companies now didn’t need if they used this product.
Another mentor said, “You should really target startups. Existing businesses will never change what they’re doing, and SMEs have no money. Give it to startups and see if one hits and becomes successful.” He was right of course — we see all the time that mid-cap companies have entrenched, old-school IT and large companies will never try anything new.
In the end, it wasn’t the DNS switch, the credibility or possibly even the money that killed the idea. The reality is that I had found a major problem — speed and security on WordPress— that customers didn’t care about. I had committed the cardinal sin of product management, solving a problem nobody has. And that’s the hardest part of all because I know the problem well and the solution was really elegant.
Fortunately, we didn’t waste anyone’s money, sign office contracts or hire developers whose families wouldn’t have an income by Christmas. We had only wasted our own time and about a thousand dollars between the three of us. Also, I was lucky that previous startup experience told me when to hit the kill switch.
But I have a nagging doubt this time I never had before. This product was working, I had the best team I had ever worked with, and received nothing but positive feedback in the demos. I saw firsthand how businesses are deluged by software sales every day and they are growing numb to the problems we claim to solve. There is an apathy in the marketplace, a devaluation of the monetary value of software generally, and although our next idea might be better, could it still be an insurmountable challenge for a team of three?
For now, we keep thinking of the next idea and we take these lessons forward. Are we solving a real customer problem? Is it a real need? Will somebody pay for the solution? We can only try to avoid the echo chambers of supportive comments from well-meaning people who ultimately don’t help. And we have to remind ourselves that most startups are shutdowns, but you have to keep trying anyway.
James Beswick is the Co-founder of Indevelo, which builds AWS solutions for clients.