Meet Deepak Prabhakara
Deepak Prabhakara is co-founder and CEO of BoxyHQ, a SaaS company founded two and a half years ago that offers security building blocks specifically for developers. These ready-to-use building blocks can be integrated directly into products and provide features such as Directory Sync, Audit Logging and Enterprise Single Sign-On.
He has a rich background as a developer, which led him to found the company and build this useful solution. Before founding BoxyHQ, Deepak worked for seven years as CTO at Red Sift, a cybersecurity scale-up that offers an online platform with products for defending against cyberattacks.
Deepak is an expert in the architecture, design and development of complex software products for a variety of mobile and SaaS platforms. He also has unique experience, having worked in both large companies and start-ups in Asia and Europe. Deepak holds numerous impressive qualifications, including a Computer Engineering BEng Hons and a Security and Mobile Computing MSc.
Summary
In this episode with Deepak Prabhakara, you’ll learn:
- What BoxyHQ is, what they do, where they are in terms of scale, and their founding story.
- The challenges and pain points he experienced in his previous job when shifting to selling to enterprises rather than SMBs, and how this led Deepak to found BoxyHQ.
- The hidden costs of building bespoke security solutions.
- Why compliance features such as ISO 27001 and SOC 2 are essential for selling to enterprises.
- A checklist of the standards you need for selling to enterprises, such as the ISO 27001 and SOC 2 frameworks and Enterprise Single Sign-On.
- How Deepak sees compliance and security evolving in the future.
- How Boxy found its first customers.
- How BoxyHQ navigates being both a concierge service and an API.
- BoxyHQ’s marketing strategy for 2024.
- Deepak’s top tips for developers looking to become CEOs and advice to SaaS founders regarding security.
- Deepak’s favorite recent read, the entrepreneur or business leader he admires the most, and the best piece of advice he has ever received.
Aman: In this episode, you will learn how to sell your SaaS compliantly to enterprise. This is relevant for developers or founders considering going up market. My name is Aman and I am the head of growth at Nuoptima. I’m excited to be joined by Deepak, co founder and CEO of BoxyHQ. BoxyHQ is revolutionizing how SaaS businesses integrate enterprise compliance and security features, making it incredibly easy with just a few lines of code.
We’ll cover Boxy’s founding story, the hidden costs of building bespoke security solutions, understanding compliance and security requirements from enterprise buyers, future trends, and how Boxy is marketing with a market leading PLG motion. But enough of this intro, let’s get started.
Welcome to this episode of SaaS Minds. I’m joined by Deepak, co founder and CEO of BoxyHQ. Boxy helps SaaS businesses enable enterprise compliance and security features with a few lines of code. Deepak comes from a technical developer background and was the founder, sorry, was the CTO of Red Sift, a cyber startup.
Deepak, thank you for joining us.
Deepak: Thanks. I’m thrilled to be here.
Aman: Awesome. So, Deepak, let’s kick it off. I would love to know who is Boxy. What is Boxy? What do they do?
Deepak: Yeah, absolutely. So we offer security building blocks specifically for developers. We come from that kind of background and we’re solving this problem.
One of the issues is developers always lack the security mindset or the skill set but they tend to be you know, thrown tasks that have to build the plug these into their product. So that’s where we kind of come and give them ready to use off the shelf building blocks that get integrated directly into the products, giving them features like enterprise single sign on, directory sync, audit logging, and very soon a privacy wallet that helps them safeguard sensitive data.
Aman: Fantastic. And can you give us an idea of how big Boxy is, so how far along you are?
Deepak: Absolutely. It was, was still quite early. It’s been about two plus years since we started. And you know, it’s pretty much a category creation here, so it’s still very early days, but we’re seeing some very interesting traction from the market.
Even with the downturn kind of happened which is quite interesting because you know, the COVID has kind of accelerated the whole digital transformation phase. And what that has meant is, you know, software aiding the world, security still kind of catching up. So, you know, very early days for developer driven security as well, or what we call typically the, you know, the shift left in security, where security is coming more towards the developers, where it’s becoming their, you know, their responsibility, so to speak, and not just purely the security teams.
So yeah, so we’ve been in business for about two and a half years. We’ve raised a seed round, so we’re venture backed. Our go to market strategy has always been open source from day one, which is also quite interesting. There’s a few reasons for that, which we can discuss later. But you know, that’s, that’s in a nutshell, we’re about six people today.
So the team is very small, very fast-moving, very fast-paced.
Aman: Amazing. Amazing. And I can’t imagine that someone wakes up and goes, I want to, you know, when they’re in a university because I want to build out security features for enterprise as a child. So, I mean, how did you even get into this field? What was that founding story like?
Deepak: Yeah, no, absolutely. I think what you said is spot on, right? Nobody wakes up to build security features. It kind of just comes along as you’re building your core product. And that’s exactly what’s happened to me. Not just once, but you know, multiple times in my career. But most recently I was a CTO at a cyber security scale up where, you know, I spent seven years there and we went through this classic journey.
finding product market fit with SMBs that are fast moving. So, you know, you can get them to adopt your product way quickly. But then once we started to move up market, we realized that that’s a very different ball game, right? You’ve got to go through procurement you know info sec teams RFPs, security questionnaires before.
You know, before even your product is used by someone that so it’s a, it’s a way different mindset that you would get used to with an enterprise sale. And having done that and seeing the headaches there, of course, it’s quite multifaceted, right? It’s not just the technology there, but, how you’re able to champion someone there, you know, what kind of problems you’re solving there, what is the risk perception of the larger company adopting you.
But I realized that we were spending a large part of our development time on what I call very undifferentiated, non-core features, so things like authentication, authorization, audit logging, all of that mainly to ensure compliance, that is, you have to meet the enterprise’s requirements.
But they become key features and you need to maintain it. So that’s kind of been my background and looking at that, you know, I sat down and thought, you know, why isn’t there a Stripe like approach to all of this? And that was kind of the genesis of BoxyHQ with my core. Cool.
Aman: I mean, and to like clarify, like the size of the problem how painful was it for you to have done this bespoke at the last company, and I assume you’ve done it bespoke several times before.
How painful is that? What does it cost? And what impact could that have on a start-up that wants to establish itself in the market?
Deepak: Absolutely. So it, it, it just comes down to, you know, the, your time to market there, right? So you figured out you wanna move up market. One of course, you know, you are you’re kind of dabbling with convincing the enterprises that you know they should adopt you.
But at the same time, until you have these. I call them “table stakes” features now, because what used to be enterprise-only features are now demanded by everyone, right? You need to have them almost from day one. I would say you can’t wait any longer.
So that’s, you know, that kind of puts you in. In a place where you know, you’ve got to first think about what the requirements are around this, how that gets integrated into your product. So there’s a lot of development time, then maintenance, and then, you know, keeping up to date with all the security while they’re able to so.
It’s kind of the, it’s your classic software development life cycle, you know, all the costs there in terms of, you know, development hours, maintenance hours, testing and then more importantly, customer support on the back of all this, you run into issues how do you sort them out? So that’s kind of the big ball of wax.
We’re. Combining together as a product and you get, you know, off the shelf solutions there to plug in and get going. So your go to market of, you know, a few weeks, even months kind of get reduced to a few days.
Aman: Amazing. And I’m guessing that as a developer who’s been told, okay, you need to go to the store, this security solution.
And it’s probably the sales guy saying, look, I need you to do this. Otherwise I can’t sell this, you know, a hundred KACV contract. And suddenly all the pressure goes from, Hey, sales team to like, Hey, dev team, why didn’t you do this earlier? Like what, what is that dynamic? Like for the, for the developing team or for the, whoever the, I’m assuming it’s the developer that has to deal with this problem internally.
Deepak: Yeah, absolutely. So as an early stage company, you know, developers kind of wear multiple hats. Because you don’t really have specialized teams, you know, catering to specific things. You’ll have an engineering team, which is also kind of a product team because you don’t typically have specialized product folks, unless, you know, let’s say the co founder, one of the founders comes from a product background.
And then you got the sales team that’s going out and, you know, You know, selling your, your product. So there’s obviously the classic conflict between what sell sales or promises to, you know, what you have to deliver as a development team. So that’s kind of where typically this kind of arises, right?
The sales team goes to a bigger client. They say, you know, you don’t have single sign on. And they say, Oh, we’ll build it in, you know, two months. And then, you know, you come back and you talk to the engineering team and they’re like, Oh, we’ve got so many other things to do, we can’t get this done. So then there’s a classic battle of how do you prioritize this?
You know, what else do you not do? Because you need to do single sign on now. So that becomes the classic problem for the technical team where they’re balancing, you know, core features with non core features like this. And of course, there’s always things like, you know things breaking in between customer support kind of hounding you with things that that went wrong.
So it becomes a classic delicate balance of when do you do it? When do you kind of put in the resources behind it, then going and figuring out, you know, what you need to do around this. So, so sales, I mean, sales, product and engineering, right? It’s a classic tussle between the three to get this done.
And that’s why it’s, it’s crucial for all three teams there because your sales wants to obviously have this in their tool set to go and sell. A lot of times if you’re in an existing category. Everyone else has this, so you just cannot afford to not have it. And if it’s a category creation, it also becomes a competitive advantage for you because if your competitors don’t have it yet.
Then, you know, you can go and say, Hey, I’ve got an enterprise ready product for you to adopt. So that kind of mitigates a huge amount of risk for the enterprise.
Aman: So I’m guessing now, like say previously back in when, when you were the CTO, that scale up, the flow was you go out to sell to enterprise and then you build the compliance features afterwards when you, you know, have an inkling of there’s a deal coming, are you suggesting now that you build those compliance features in advance because let’s say, quote unquote, they’re cheaper or they’re easier to build, and then you can go out and not have that.
Deepak: Exactly. It’s a, it’s, it’s a tricky, this one, right? It depends on how you encounter it. So for us, it was very much having to learn on the fly. So, you know, we went out there you know, larger companies and said, Hey, have you spoken to our procurement team? And then you get this long list of, you know, 22, 23 pages of RFPs to fill.
And that’s when you truly think about, you know, compliance, why they’re doing it. How do you think about your own security internally? Until then, you know, you kind of. Focused on making things work and now your mind set kind of shifts to, okay, I need to think about security a bit more, but then again, how much, right?
Because it’s a, it’s a wide spectrum. So for us, it was a classic this one of, you know, having gone out there, encountered these objections, come back and say, okay, now, is it the right time to kind of address these or should we wait a bit? So it’s, and back then, you know, they weren’t these kind of ready to use tools.
So that meant, you know, my team had to go out and figure it out, cobbled together a bunch of things. You had to understand in detail, you know, how that thing works. Which then obviously takes time, then you’re, you know solving all the various problems there, making sure the integration works.
So that is what becomes, you know, time consuming at the same time, you’re blocking everything else in the core product that you could have done in the meantime. So now I think, you know, it’s, it’s given how competitive things are and how you know, the market just assumes these things, right? You’ve got to have these, otherwise why are you even talking to us?
So they’re becoming more and more table stakes. The good thing is you can get in with one of these features, I mean, predominantly enterprise single sign on because that’s how. Enterprises access your product, and once you do that, you know, it buys you a lot of time, right? Once you’re in there, once you get the deal and you know, it takes time for you to onboard them as well.
So in the meantime, you have enough time to say actually, you know, let’s now get directory sync or audit logging sorted in the meantime. So that’s how we’re seeing this now. There’s a lot more awareness of this. You know, if you’re a second time, third time founder, you know, because you’ve experienced this.
So you’re almost thinking about this from day one. For the others, it’s it’s the learning process, right? They quickly realized that, okay I’ve got to do compliance. And if you think about, you know, frameworks like ISO 27001, SOC 2, very important again for enterprise sales, because if you are compliant and have the certification there that’s as good as, you know, filling up their RFPs, right?
You know, in fact, some of them now say, just send us a report. You don’t even have to fill up an RFP. So it’s. For an enterprise deal, this is, you know, it’s, it’s a no brainer now to have these compliance features, the compliance certification itself it takes away a whole bunch of, you know, the, the stress out of the enterprise sales.
Aman: Yeah. So like for anyone listening now, I’m sure like they’ve some, maybe they are, they know half the words that you’ve said and they get what the, you know, the ISO specifications are, and maybe someone like, oh crap, that’s a new word entirely. Like for someone listening right now, could you like rattle off a checklist of like, you need to have this and you probably should have this in about three months time, for example?
Deepak: Yeah. So the ISO 27001 framework SOC 2 there, what you would broadly classify as an information security compliance framework. So what that effectively means is it’s, it’s less rules, right? It’s more a framework where you’re saying, this is what I do. And these are all the risks that, you know, come with the business.
Predominantly for a digital company. That’s how do you protect your data right at the end of the day, you’re collecting data from your customer. All the bad folks are after that. So that’s what you, you know, the crown jewels, right? You’re trying to protect that at the end of the day. So the framework kind of tries to establish, you know, a baseline for you to say.
You know, how do I store this? Where do I store this? How is it being used? How am I protecting it? Then you start to think about, you know, if I’m, I was breached, then how do I get things back up and running? Then you start to think about, you know am I backing up things correctly? If I lose everything today, can I restore everything?
You know, how quickly can I restore? One service availability and to all the data that I’ve collected. So that’s broadly, you know, these compliance frameworks, they forced you to kind of think about what could go wrong and what are the measures you put in place to kind of mitigate every risk there. So that is, I think, a more long term you know goal for for a startup because you’re always battling that product market fit.
with being truly compliant and ready to kind of, you know, scale. So those compliance frameworks kind of come matter a lot when you start to scale because, you know, you’re not dealing with one or two enterprise customers, but tens, maybe even hundreds of requests coming in. So that’s, you know, the broader, what I would classify as a security process that you need to think about.
But a subset of that is What you would call enterprise readiness, and that’s kind of just thinking about what your product needs in order to kind of, you know, get into the procurement of a larger company. Their table stakes are today, you know, enterprise single sign on. That’s effectively. You know, you have identity providers like Okta, very well known today Azure, which is Microsoft’s active directory solution.
And these are places where you maintain, like, an employee directory. You’re a large company, you know, Deepak CEO, you know, you know, someone else is head of sales. So all of that information is what you know, enterprises want to use to get into a SaaS app, because the IT team then has. Much better control over, you know, saying, okay, should Deepak have access to XYZ app?
So Enterprise Single Sign On kind of gives you that and you know, that I think as a minimum, you know, most startups should have today that are selling or looking to sell into the enterprise. You know, they already have some kind of authentication in place. It’s a question of now extending that to say, we support, you know, Okta, Azure Active Directory, and there’s about 20 other providers there.
So enterprise single sign on. Then you’re thinking about, you know, directory sync, much larger companies, making it easy for them to because people enter, people leave companies that you want to do the same, reflect that into your application because, you know, leaving access behind for somebody who’s left is always a security concern.
Then audit logs. Because you need to think about all the events that happen inside the product, you can almost call it forensics, right? If something were to go wrong, you want to go back and see what Deepak did in the last two weeks that might have caused something.
Or you might need evidence for the compliance frameworks I mentioned earlier. And you can pull that off audit logs saying, okay access control, only admins have ability to change something and here’s proof that, you know, that’s, that’s the case. So that’s, you know, that’s kind of the broadly the feature set that you typically think about when you start off.
And then over time, things like, you know, the privacy ward becomes interesting because you’re you know, your data regulations kind of come into picture, data residency, data regulations. GDPR, of course, is, you know, the poster child that are kind of leading the way every other data regulation kind of follows that quite closely.
So you’re thinking about as a much larger company with more responsibility around my data as I’m scaling, what do I have to do to safeguard? So those are broadly, you know, the. The enterprise readiness features that you would encounter. And this is obviously focused on security, the undifferentiated features.
But as a core product, you’re also thinking about, you know, other things that make it useful for your larger customers. So there are very soft things like, you know, having the ability to invite teams and make it easier for teams to use your product. That’s very much an enterprise feature because smaller ones, you know, they, they don’t have many people, right?
So you can get by with just a few accounts. Within those accounts you can then set up roles, for example who has access to billing, who has access to everything, who can invite and who can manage the app, but then you probably want someone else to see only a subset of that, so as you can see, quite a wide spectrum, quite a lot of things to think about when you build them.
But they all kind of relate to catering to, you know, much larger companies.
Aman: Yeah, that sounds like an undertaking in itself.
Deepak: Yeah, yeah. But at the same time, an opportunity, right? Because you, these are the hard things that get you those deals. Even before you can then, you know, then showcase the true ability of your core product and then you’re starting to think about, you know, how, how can I be more competitive within the core product itself?
So you want to spend as little time as possible on the undifferentiated parts and as much time as possible on your core product.
Aman: And how do you see this trending in the future? So you mentioned compliance and security interchangeably almost. Is, do you see, how does that move in the next, let’s say, year and then the next, say, five years?
Deepak: So, historically, and even, you know, in the future So compliance is often misunderstood as security. I would say that, you know, they’re, they’re like the two sides of a coin, right? You, you typically will not think about security unless somebody is, you know, kind of making you do it, right? Like, like everything in, in, in business or life.
So compliance, that’s why compliance frameworks exist because, you know, they’re kind of forcing you to think about these things. But having compliance doesn’t necessarily mean you’re secure because, you know, you could have a very badly built, you know, infrastructure product, which kind of negates everything, right?
Because there’s no hundred percent, it’s a process. So that’s, that’s pretty much what you’re following. And you’re saying, you can you know, I’ve had it for the last 10 years, but doesn’t mean, you know, you don’t necessarily get breached. So compliance security kind of go hand in hand as a, as a, you know, growing company, you think about security only because, you know, you have to, but then you also quickly realize, you know, what, actually, this is, this is what I should have been doing because you know, imagine getting breached, right?
Reputational damage, you know, you kind of your brand takes a hit, you’ve got to convince your existing customers that, you know, your. This is not going to happen again, you know, what have you done to kind of mitigate this? What actually happened to the data that went out? So it’s, it’s, it starts to get very tricky.
And then you, you know, you’ve got to deal with reporting this. Now there’s fines. If you’re not taking all the measures to kind of, you know, mitigate the attack, then you’re effectively liable. for huge fines. So, so, you know, that’s, that’s kind of that’s kind of where it’s trending today. It’s very easy for someone to kind of attack you.
The cost to attack you is quite low, right? Versus the cost to actually safeguard yourself. So there’s that huge differential between the cost to attack versus cost to defend. And I think that’s, only getting worse right now with the AI, you know, it’s, it’s. It’s going to get even more even harder and you’re constantly playing a cat and mouse game, right?
Catching up because as a growing company, you don’t necessarily have the right security resources to kind of tackle this. But at the same time, the tooling is improving as well on both sides. So I think the market trend that we are seeing is security is now kind of top of mind, right? For everyone, they know it’s, it’s crucial.
They know as they get popular, they will get attacked. So you kind of want to preempt that. And there’s, you know, great companies out there that give you all the tooling. For example, Cloudflare. You want to front your app, web app with Cloudflare and you get a whole bunch of you know, network security related features that you possibly cannot build yourself today.
So as you know, as we’re seeing the market kind of mature and erupt these things, we see that there’s a lot more tooling for security. And it’s very layered, right? So you’ve got to think about, you know, infrastructure, you’ve got to think about network, you’re thinking about your product itself, you’re thinking about your, the way you build software, you know, where security can play a role in that.
Are you actually thinking about, you know, attacks as you’re building things and not later? So this is what, you know, the industry, industry typically calls the shift left. So you kind of build a product and you say, now it’s the security team’s responsibility, but it doesn’t quite work. I mean, they, they, they of course have to do a bunch of things, but they don’t know the product well.
So there’s a classic balance between, you know, how much should the developer be doing versus the security team. So a lot of that is kind of moving back in the sense that in the process. So, you know, developers and security teams are now saying let’s think about, you know, threat modeling as you’re building a feature.
And not after. So that mindset of I will get breached. So how can I be more secure is kind of maturing quite a bit. You know, as we see it should be a top of mind and it’s kind of becoming one. Once you make things work, you’re now starting to say, okay, now let me see how to make things secure. So that’s, you know, that’s how we see the cyber security industry.
Very layered. You can’t offer 100 percent protection, but you make it as hard as possible to get into your systems. And then, as a last measure, you assume that people can get into your system, and then you think about internal security, what are the places where you can do what is classically called privilege escalation, right?
You get in somewhere. And you realize you now have access to a system which can give you more like, for example, giving access to, you know, your infrastructure where bulk of the damage can be done. So, so that’s what, you know, companies are truly focused on now, compliance on one side, but bridging that, you know, that mismatch between compliance and security and truly thinking, you know, is, is, is the cybersecurity solution really going to offer me that, you know, that better security?
It’s so how and not just because, you know, the market trend says I should have X, Y, and Z and, you know, we truly believe that developers will play a big role in this because they’re building the product, they know the ins and outs, and even though they don’t necessarily, you know, have that the security necessarily the security skill set, but that combined with, you know, a security team can do a lot more than just, you know, each one working isolated on their own set of tasks.
Aman: It’s super interesting. And I’m like, I think that whole piece around how to sell into enterprise is like very valuable for any, let’s say, early stage founder, who’s just making the move into upmarket or someone that’s, you know, done their first deals and it’s like, something’s blocking me and this is the thing that’s blocking them, so that’s awesome.
I want to pivot the chat a bit now to really focus on Boxy as a company. So, how did you find your first, you know, one, two, three customers?
Deepak: Yeah. So so when we started, this was August 21 right in the middle of pandemic. So, you know, we’ve also kind of built the team in a distributed fashion.
This was, you know about a year before we started, we kind of started validating. You know, is this a problem? How big is it? You know, who would face it? How do we reach these folks? So we had kind of assembled design partners, so to speak. So, you know, folks that we knew had this problem, wanted to solve it because it’s always a timing issue, right?
You want. Sometimes a problem is there, but doesn’t necessarily need to be solved immediately. So we want to make sure that there was that alignment in their urgency to solve it. So that we could shape our product, shape the way we kind of built it. So our first kind of, you know, 10, 20 customers were on the back of us.
Reaching out to folks and then are asking within our network to say, can we get introduced to typically CTOs because, you know, we knew and we focused on the enterprise readiness use case and, you know, early, you know, seed to series a stage companies. That was kind of our initial focus. Because having come from there, we knew that, you know, they’ll.
usually have that problem unless they’re only selling to SMBs, in which case, you know, they can kind of delay it a bit more. So that was how really we, you know, got our first, you know, 10, 20 customers very much kind of hand selected to the point that, you know, we also helped them integrate the product because, you know, we were building the API is the developer experience.
So we wanted to make sure that fits in well. And then, as that matured, we got them to do it and figure out all the friction they ran into. Then we helped their enterprise customers onboard. Then we saw all the customer support issues that came out of that and thought about what we could do within the product to make this more seamless.
So that’s kind of how we did that initial product building very much. You know, picking up feedback from customers who were using it live and it was crucial for them to kind of, you know, get that piece out. Was there an experiment to ignore?
Aman: Was there an external signal that told you, “Hey, these people are now in the market to become enterprise-ready”?
Wait, like, did you see like sudden logos appear on their website? Like, what was the sign for you guys externally? Be like, Oh, this guy’s worth reaching out to now.
Deepak: Yeah, so initially it was just about, you know, talking to them. And you know, we, we almost, it was a discovery phase, right? And in the process, by the end of that call, we would know, you know, what, what stage they’re at, how far away are they from, you know, needing something like that.
But as you said, we slowly started to pick up on these signals, right? Because timing matters. Often they first have to hear about us and then, you know, second, they have to be at a stage where they can actually use our product. So for us it was really that we picked that stage, right?
We knew at that stage and the other soft signals, right? They might have announced something. That’s typically a signal that they’re thinking about the next phase, which typically comes with looking for bigger deals, which automatically puts them in the market.
The product market fit thing is of course a wide spectrum, but they have some sense of PMF and at the same time are thinking about it or have started to get these requests. A lot of our prospects that we spoke to were getting these requests from larger companies saying, “We like what we see, we’ve heard of you, we want to use you.”
So that is then a clear indication that, you know. They should do this at some point. And then the conversation quickly changed to when do you want to get this done? And obviously they were interested in how quickly they can get it done as well. At the same time, we had a lot of, you know, prospects come in who said, I’ve got to sign a pilot.
So can we get going? So that’s, that’s kind of the spectrum we dealt with. And those are the signals, right? That they have some interest from enterprises or they’re preempting it sometimes. Or, you know, they had some pilots going, so that was kind of our way easy to spot signals. Right.
Aman: Yeah, yeah, yeah. Yeah, yeah, yeah.
And then you mentioned like in that journey, you said you had a concierge service where you helped them install it. Then you, Hey, look, here’s the API. Here’s the documentation. Go use it yourself. Then it was like, it will help your enterprise customers use it. You’re kind of doing both. You’re like this concierge service and this API, like that’s almost two different models going on.
How did you manage that as a team, and going forward in your company?
Deepak: Yeah. So so that is very much I mean the APIs are almost kind of, you could say polished on the back of that, right? Because the journey is. Like today, if you see, we have documentation and people, you know, we’ll try, try it out even without us knowing, because, you know, it’s a very it’s an open source self hosted model.
But back in the days, you know, the product was getting built that was changing very quickly. So without the concierge service, it would leave our customers quite confused. Certainly not so much about the API chain, more about what is actually happening underneath. So it was a very intentional almost like, you know, like you hear the classic adage do things that don’t scale because you’re kind of understanding the process, you’re understanding the friction points, and you can kind of go back as a team and focus on those pieces.
So for us, the concierge service was a way for us to say. What are the things we’ve done badly so that we can go back and polish that up for the next customer? So that’s how we kind of treated this, right? Because for an API driven product, developer experience is crucial. And that developer experience can only come by, you know, observing usage of your, your product.
So we’re practically sitting with them and saying, you know, that now let’s go through it. You know, what is your tech stack? What is your authentication stack? Here’s how we can plug it in. And we would give them, you know, all the snippets needed to make that happen. Or we would go out and build an example and send a link to the example.
And then, you know, they would use that to kind of build their. The integration and come back and say, I’ve done it up to this point. Now I’m stuck. I don’t understand what’s going on. And you go back and, you know so, and then, you know, it helped us think about the content, you know, you’ll see a lot of our blogs.
It’s for us, a lot of the sort of, you know, let’s say the, the, the marketing, the the go to market strategy has always been about content. How do we give them useful content? Less about BoxyHQ, right? More about the problem they’re solving. For example, if you think about the SAML protocol in Enterprise Single Sign On.
Quite a complex one, you know, it’s based on XML from, you know, about 18 20 years ago. A lot of the modern developers have never seen that, you know, necessarily or have dealt with that. In detail. So then kind of breaking down that flow for them and helping them understand that without going, you know, too much into detail because they don’t need to know a lot of those details.
So that helps to figure out, you know, what kind of flow diagrams would make it easier? How can we explain the flow? Sometimes we even get on a call with them and show them the flow. And they would then say, "Oh yes, now I understand it." That made it much easier for them to visualize things that would otherwise have been hard for them to grasp.
So that was kind of, you know, the, the whole because you, you’re doing a lot of things, right? You’re building it, you’re documenting it, you’re thinking about, you know, content too. To be discovered effectively and then the onboarding journey itself, you know, once they come in, do they have enough steps to kind of, you know, progress at least to the next stage, not necessarily to the end.
And at the same time, you know, we were, we started building our community around it because that’s the place where folks come and talk to us. Especially when they have a problem sometimes you will come and tell us that we’ve integrated everything and we’re a great product, which is of course a great sign of that, you know, the developer experience that I just mentioned.
So that was, so to speak, our whole process. We started a product community and made sure that the problem is solved the way the market sees it, and not so much from our own perspective. Yeah,
Aman: cool. And then, so going into 2024, is content a big, still part of your marketing plan or what’s your marketing strategy now in 2024?
Deepak: Yeah, absolutely. So we, we’ve just launched our SaaS product that the, you know, until now, everything was, you know, self hosted. We didn’t really have a hosted solution. That’s kind of now a month ago, we kind of, you know, soft launch that and what that is now meant is. So until now, marketing was purely organic, right?
We had to go out there and, you know, talk about ourselves, be useful. We would tap into conversations that were talking about single sign on. And just trying to suggest, Hey, you know, here’s an open source project. We’d love to get your feedback. Or, you know, help you solve this single sign on problem.
And, you know the classic content, not so much is, you know, very SEO driven, right? So far, very organic. We haven’t really spent a lot on paid marketing mainly because we had no funnel to capture folks. So now with the SaaS product, we have a place where people can sign up and, you know, that kind of gives us you know, moving ahead.
That’s, you know, one of the pillars for us, right? Just experimenting with paid marketing, the keywords out there. We’re organically coming up on Google, but, you know, we want to make sure that we’re there for the right keywords, the right set of the right intent there. So but content is still a very big strategy.
We see that working well, all the enterprise customers, you know, coming to us have discovered us on the back of, you know, either content or the examples we have out there. So that kind of, we, you know, we continue to double up on that. That’s a mixture of, you know, for us, content is also about, you know, free tooling around this.
So for example, we have a service that mimics, you know, what Okta and the other identity providers that’s very useful for testing so that, you know, people sometimes discover us from there and then realize, Oh, we’ve got a full single sign on proxy solution on the other side. So that continues to be, you know, a big you know, key marketing effort for us.
We, we hired you know, a customer success engineer. It was kind of, you know, like the developer relations person as well. It’s, it’s again, you know, wide spectrum, it’s, it’s a very confusing role. But you know, we now have a good sense of, you know, what this person should be doing, you know, predominantly helping our prospects.
And at the same time, you know, bringing back those lessons to say, we can write about this or, you know, we can integrate with this framework because that’s widely used up there. So that’s, that’s kind of a big the community driven. Marketing as well, right. For us being open source. So those are kind of, you know, largely the two sort of marketing efforts from, from, from our side.
One is, you know, an organic community based on content and free tools. The other is more of a classic enterprise sale, where my co-founder and I run outbound campaigns. We of course have a good sense of who in the larger companies could use us. So in many ways this is our own journey to enterprise readiness, right?
It’s, it’s a vicious circle, but we have, we have all the tooling for it. You know, it’s exactly, but it’s the other side of it, right? Like, how do we find them? Are they at the right time? What are the kind of collateral? The collateral is very different for decision makers versus you know, the developers who discover us.
We already have good content for the developers, but what are the decision makers looking at, you know, head of sales, as we spoke, they’re looking for this head of product sometimes security. So those are the three kind of, you know, important stakeholders for us who ultimately might have the power to make that decision
Aman: from a marketing perspective.
I think you like nailed it on the head with like, because it’s all about timing with your, with your business, with your product specifically for developers. It makes developer marketing semi straightforward, where it’s like, you just need to appear at the right place at the right time, which kind of lends itself to, Hey, you need to be ranking high organically, or you need to be ranking and paying for that position.
Or you need to be on Reddit forums, educating people on the how to guides or the tutorials so they can learn that step before they need you. And then it’s like, Oh, Boxy is the perfect solution. Cause it’s just did everything that. It looked so painful to do, but in a couple of steps, Yeah,
Deepak: exactly. It’s a, it’s what I call the, you know, it’s a classic marketing funnel.
Right. I mean, of course now people say it should be a flywheel, but ultimately it’s, you know, your, what is popularly known as tofu, mofu, bofu top of funnel, middle of funnel, bottom of funnel. You want to be top of funnel awareness, right? Somebody needs to know about us so that the next time they’re thinking about it, we pop back in around this.
We also, you know, obviously get into where our competitors are a few competitors were ahead of us and we kind of utilize that because we cannot compete with them either on a paid marketing level. We don’t have that kind of fundraise yet, but that allows us to be kind of, you know, quite smart and frugal about it, right?
We’re there. We’re making noise where they are so that when folks look at them, they’re also looking at us and, you know, kind of. Are at top of mind in, you know, where, because there’s always that selection process. So, you know, we want to make sure, especially with, at least in the mindset of the selection process.
Yeah, exactly. We’re trying
Aman: to decide like who’s the cheap one, who’s the expensive one. What’s going to make me, what’s going to cost me more in maintenance time. I think it’s the main
Deepak: thing they’re thinking about as well. Exactly. I mean, having been a developer myself, I never liked talking to salespeople, right?
So. That’s why, you know, our open source model that way is has that benefit as well because they don’t even need to speak to us. They come in, you know, they run the app on their laptop. They can try it out. They figured out whether it’s useful or not. And then, you know, the process starts after that right thing.
You know, either they will contact us for more detail or send someone in to say, what are your present plans? You know what do you offer? So what are the deployment models? So that kind of starts off that conversation for us. And by then they’ve already tried us in some form. Right? So. That’s kind of the, the big advantage we see with the open source model.
And that’s, I think the right way to sell to developers. Oh, well, not to sell to developers, the kind
Aman: of. So given that you’ve been a developer yourself, like you’ve had a really interesting career path from, let’s say dev to CTO now to CEO, which I think that that last, that’s the kind of interesting one.
I mean, I’m sure there’s developers listening to this. Probably have this itch to do that journey, potentially any top tips for them.
Deepak: Yeah. So I mean, being CEO is not all glamorous, right? I think most folks know that anyway because I don’t get to do the cool things anymore. Although, you know, still driving the product to kind of, you know, trying to code when I can.
But I think I see your, your mindset kind of changes. It’s quite drastically, right? You’re thinking about you’re balancing that old, you know, long term vision. You’ve got that vision, but you cannot you cannot see that vision through is so quickly. Right. And especially in the category creation, it takes that patience to kind of make that happen.
But then you’re also You also have to think about in the short term and midterm what do you need to focus on? So your mindset quickly changes from doing things to making sure everybody’s doing the, or at least the right set of things that is moving you in the right direction, right? So you’re setting that direction more than actually kind of, you know, executing or implementing it.
So it’s really about rallying the team around that common mission. You know, you’re defining your values and what kind of drives you because if you’re solving a very hard problem, it’s, it’s difficult, right? It says you have more hard days than, than good ones. So kind of trying to be stable around it is, is, is key.
So as a developer, what you do is very different from, you know, having to do that at any, any kind of founder level, right? Because you’re dabbling with so many other things like, you know, admin and accounting and all those things come in as well, which is definitely not something you’re used to. So I think it’s just about that, right?
Knowing that there’s going to be a mindset shift, a change in role and being absolutely open about that, right? Because otherwise you get into this problem of you know, then maybe you’re better off as a CTO and not a CEO because then you can entirely focus on the technical aspects. So that I think is the biggest mind shift, you know, the, the change there as CEO, you’re effectively looking at everything else, right?
I mean, which, which at a startup is just product and distribution, but distribution is very different to building a product. So I think that’s the biggest mindset shift there, right? Being able to sell and not in the sense of, you know, having to be a good salesperson, but understanding the problem, understanding how to find the right.
You know, a set of people who are looking to solve that problem be always being in that discovery phase where you’re saying, okay, I have this thing in mind, but maybe it’s not the right thing, or maybe it needs to be approached in a different way. So that’s, I think the, the biggest mindset mindset shift for me that happened as a CEO.
And then you’re also thinking about, you know, fundraising keeping enough money in the bank and making sure, you know, you’re, you’re planning everything correctly for the next round. What are the milestones to get there? You know, how does the, how do the VCs think on the other side about the opportunity?
So the storytelling as well, right? That kind of has to come in over time. And as developers, you’re not natural at it, but you know, you learn over time. So it’s just that I think, you know, you got to be open to learning and, and doing boring things more so than.
Aman: Nice. And then I’m mindful not to like alienate half people listening to this, like, so for the SaaS founders listening to this, who have been thinking about security, like, what’s the, what’s the top tip that you’d give to them?
Deepak: Yeah. So I mean this is, is what I would always say, right? Like obviously there’s a utopian things that you need to do, but as founders, we all know that. You know, you’ve got to approach it one at a time, right? So from a security perspective, think about, you know, when you need to start doing this and kind of as I say, do it only when the city right in the beginning, because.
You’re battling with also, you know, figuring out what works, so you don’t want to mix up and spend too much time on security. It’s a catch-22, right? You have to do it early, but not so early that, you know, it blocks everything else because ultimately security does take you know, take up time and resources.
So it’s just like balancing that out, right? You, you know the enterprise opportunity is there. That’s a good time to start thinking about security. In many ways, the initial stepping stones of security is a larger customer, right? That’s, that’s kind of and they have, you know, enough standard guidelines to kind of get you there for the next, you know, 10 customers.
So so it’s just again, timing, right? You, you want to plan it. You probably want to have it on top of your mind, but do it exactly when, you know. You’re ready to go rather than, you know, saying you know, I’ll add everything in now, but make sure your product is there, you know, got your core differentiator in there.
And then you can think about this. Now, unless of course you’re selling to enterprise from day one, then, you know, it’s a no brainer, right? You’ve got to get a plug this in from day one
and it’s, it’s not as hard as it looks. So it’s, it’s, it’s just tedious. So, yeah.
Aman: Cool. So like, I think we’re at the last, last bit of the section, which is the quick fire question. So I’ll ask you four questions and you can give me four. Insightful answers. So question number one is what’s the best book that you’ve read recently?
Deepak: Oh recently was Predatory Thinking by Dave Trott. Really interesting, but very short stories about his, you know he worked at Ogilvy advertising. So he has great stories about it pertains to marketing specifically, but, you know, doesn’t necessarily box you into that. It’s, it’s a way, interesting way to think about you know, marketing competition in general, you know, how do you out think someone who’s, you know, who has way more resources than you.
Cool.
Aman: Which entrepreneur or business leader do you admire most?
Deepak: For me, it’s always been Bill Gates and, you know, that kind of continues to, to be so
Aman: what’s the best piece of advice you’ve ever received?
Deepak: I mean, it’s, it’s for me, it’s always been about, I mean, there’s, there’s, there’s a lot of advice out there, right.
But one who said. Listen to advice, but also think about the context before you, you know, before you accept it, before you fully accept it. Exactly. That was quite interesting because it simply means that it may not apply to you, or in a different way. So it’s just about determining the context, which is oddly a meta thing, right?
It’s an advice about, I
Aman: think that’s a great piece of advice. It’s a very wise one. Cause once you start receiving so much advice, you start seeing that everything is contradictory and it’s all depending on what happened to that person. All that journey.
Deepak: Exactly.
Aman: Thank you so much for your time. I really appreciate it.
And I look forward to seeing how Boxy grows in the future.
Deepak: Thank you so much. It’s been a pleasure. Thanks for sticking around. If you want to see the show notes, please go to neoptima. com slash SAS podcast. Otherwise see you at the next episode. Bye.
Important Links
- BoxyHQ: Website | LinkedIn | Twitter
- Deepak Prabhakara: LinkedIn
- Alexej Pikovsky: Website | LinkedIn | Twitter | YouTube