How to Sell Your SaaS into Enterprise Compliantly

April 5, 2024

Meet Deepak Prabhakara

Deepak Prabhakara is the Co-Founder and CEO of BoxyHQ, a SaaS company that started two and a half years ago that provides security building blocks specifically for developers. These off-the-shelf, ready-to-use building blocks integrate into products firsthand, offering features such as Directory Sync, audit logging, and Enterprise Single Sign-On. 

He has a rich background as a developer, which is what compelled him to create the company and come up with this useful solution. Prior to starting BoxyHQ, Deepak worked for seven years as CTO for Red Sift, a cybersecurity scaleup that offers an online platform supplying products that stop cyber attacks.

Deepak is an expert in the architecture, design, and development of complicated software products across a variety of mobile and SaaS platforms. He also possesses unique experience as he has worked in both large businesses as well as startups across Asia and Europe. Deepak possesses numerous impressive qualifications, including a Computer Engineering BEng Hons and a Security and Mobile Computing MSc. 

Summary

In this episode with Deepak Prabhakara, you’ll learn:

  • What BoxyHQ is, what they do, where they are at in terms of scaling, and their founding story.
  • The challenges and pain points he experienced in his previous job moving upmarket to an enterprise sale compared to SMBs and how this led Deepak to create BoxyHQ.
  • The hidden costs of building bespoke security solutions.
  • Why having compliance features is a no-brainer for enterprise sales, such as ISO 27001 and SOC 2.
  • A checklist of standards you need for enterprise sales, like ISO 27001 and SOC 2 frameworks and Enterprise Single Sign-On.
  • How Deepak sees compliance and security trending in the future.
  • How Boxy found their first few customers.
  • How BoxyHQ navigates being a concierge service and an API.
  • BoxyHQ’s marketing strategy for 2024.
  • Deepak’s top tips for developers looking to become CEOs and advice to SaaS founders regarding security.
  • Deepak’s favorite recent read, the entrepreneur or business leader he admires the most, and the best piece of advice he has ever received.

Aman: In this episode, you will learn how to sell your SaaS compliantly to enterprise. This is relevant for developers or founders considering going up market. My name is Aman and I am the head of growth at Nuoptima. I’m excited to be joined by Deepak, co-founder and CEO of BoxyHQ. BoxyHQ is revolutionizing how SaaS businesses integrate enterprise compliance and security features, making it incredibly easy with just a few lines of code.

We’ll cover Boxy’s founding story, the hidden costs of building bespoke security solutions, understanding compliance and security requirements from enterprise buyers, future trends, and how Boxy is marketing with a market leading PLG motion. But enough of this intro, let’s get started.

Welcome to this episode of SaaS Minds. I’m joined by Deepak, co-founder and CEO of BoxyHQ. Boxy helps SaaS businesses enable enterprise compliance and security features with a few lines of code. Deepak comes from a technical developer background and was the founder, sorry, was the CTO of Red Sift, a cyber startup.

Deepak, thank you for joining us. 

Deepak: Thanks. I’m thrilled to be here. 

Aman: Awesome. So, Deepak, let’s kick it off. I would love to know who is Boxy. What is Boxy? What do they do? 

Deepak: Yeah, absolutely. So we, we provide security building blocks specifically for developers. Having come from, you know, that kind of background and solve that problem.

One of the issues is developers always lack the security mindset or the skill set but they tend to be you know, thrown tasks that have to build the plug these into their product. So that’s where we kind of come and give them ready to use off the shelf building blocks that get integrated directly into the products, giving them features like enterprise single sign on, directory sync, audit logging, and very soon a privacy wallet that helps them safeguard sensitive data.

Aman: Awesome. And can you give us like an idea of the scale that Boxy’s at, like how far are you guys along? 

Deepak: Absolutely. It was, was still quite early. It’s been about two plus years since we started. And you know, it’s pretty much a category creation here, so it’s still very early days, but we’re seeing some very interesting traction from the market.

Even with the downturn kind of happened which is quite interesting because you know, the COVID has kind of accelerated the whole digital transformation phase. And what that has meant is, you know, software eating the world, security still kind of catching up. So, you know, very early days for developer driven security as well, or what we call typically the, you know, the shift left in security, where security is coming more towards the developers, where it’s becoming their, you know, their responsibility, so to speak, and not just purely the security teams.

So yeah, so we’ve been in business for about two and a half years. We’ve raised a seed round, so we’re venture backed. Our go to market strategy has always been open source from day one, which is also quite interesting. There’s a few reasons for that, which we can discuss later. But you know, that’s, that’s in a nutshell, we’re about six people today.

So very small team, very fast moving, very fast paced. 

Aman: Amazing. Amazing. And I can’t imagine that someone wakes up and goes, I want to, you know, when they’re in a university because I want to build out security features for enterprise as a child. So, I mean, how did you even get into this field? What was that founding story like?

Deepak: Yeah, no, absolutely. I think what you said is spot on, right? Nobody wakes up to build security features. It kind of just comes along as you’re building your core product. And that’s exactly what’s happened to me. Not just once, but you know, multiple times in my career. But most recently I was a CTO at a cyber security scale up where, you know, I spent seven years there and we went through this classic journey, finding product market fit with SMBs that are fast moving. So, you know, you can get them to adopt your product way quickly. But then once we started to move up market, we realized that that’s a very different ball game, right? You’ve got to go through procurement you know info sec teams RFPs, security questionnaires before.

You know, before even your product is used by someone that so it’s a, it’s a way different mindset that you would get used to with an enterprise sale. And having done that and seeing the headaches there, of course, it’s quite multifaceted, right? It’s not just the technology there, but, how you’re able to champion someone there, you know, what kind of problems you’re solving there, what is the risk perception of the larger company adopting you.

But I realized that, you know, we were spending a lot of our engineering time on what I call highly undifferentiated and non core features, things like, you know, authentication, authorization audit logging, all for the purposes of, you know predominantly compliance, you know, you have to be compliant with what the enterprise wants.

But they become key features and you need to maintain it. So that’s kind of been my background and looking at that, you know, I sat down and thought, you know, why isn’t there a Stripe like approach to all of this? And that was kind of the genesis of BoxyHQ with my core. Cool. 

Aman: I mean, and to like clarify, like the size of the problem how painful was it for you to have done this bespoke at the last company, and I assume you’ve done it bespoke several times before.

Like how painful is that? What does that cost? And how might that set back? A startup thinking to go, you know, up market. 

Deepak: Absolutely. So it, it, it just comes down to, you know, the, your time to market there, right? So you figured out you wanna move up market. One of course, you know, you are you’re kind of dabbling with convincing the enterprises that you know they should adopt you.

But at the same time, until you have these. I, you know, I call them table stakes features now because what used to be you know, enterprise only features before are now, you know, everybody kind of demands that, right? You kind of need to have that from almost day one. I would say you no longer can kind of wait around.

So that’s, you know, that kind of puts you in. In a place where you know, you’ve got to first think about what the requirements are around this, how that gets integrated into your product. So there’s a lot of development time, then maintenance, and then, you know, keeping up to date with all the security while they’re able to so.

It’s kind of the, it’s your classic software development life cycle, you know, all the costs there in terms of, you know, development hours, maintenance hours, testing and then more importantly, customer support on the back of all this, you run into issues how do you sort them out? So that’s kind of the big ball of wax.

We’re. Combining together as a product and you get, you know, off the shelf solutions there to plug in and get going. So your go to market of, you know, a few weeks, even months kind of get reduced to a few days. 

Aman: Amazing. And I’m guessing that as a developer who’s been told, okay, you need to go to the store, this security solution.

And it’s probably the sales guy saying, look, I need you to do this. Otherwise I can’t sell this, you know, a hundred K ACV contract. And suddenly all the pressure goes from, Hey, sales team to like, Hey, dev team, why didn’t you do this earlier? Like what, what is that dynamic? Like for the, for the developing team or for the, whoever the, I’m assuming it’s the developer that has to deal with this problem internally.

Deepak: Yeah, absolutely. So as an early stage company, you know, developers kind of wear multiple hats. Because you don’t really have specialized teams, you know, catering to specific things. You’ll have an engineering team, which is also kind of a product team because you don’t typically have specialized product folks, unless, you know, let’s say the co-founder, one of the founders comes from a product background.

And then you got the sales team that’s going out and, you know, You know, selling your, your product. So there’s obviously the classic conflict between what sell sales or promises to, you know, what you have to deliver as a development team. So that’s kind of where typically this kind of arises, right?

The sales team goes to a bigger client. They say, you know, you don’t have single sign on. And they say, Oh, we’ll build it in, you know, two months. And then, you know, you come back and you talk to the engineering team and they’re like, Oh, we’ve got so many other things to do, we can’t get this done. So then there’s a classic battle of how do you prioritize this?

You know, what else do you not do? Because you need to do single sign on now. So that becomes the classic problem for the technical team where they’re balancing, you know, core features with non core features like this. And of course, there’s always things like, you know things breaking in between customer support kind of hounding you with things that that went wrong.

So it becomes a classic delicate balance of when do you do it? When do you kind of put in the resources behind it, then going and figuring out, you know, what you need to do around this. So, so sales, I mean, sales, product and engineering, right? It’s a classic tussle between the three to get this done.

And that’s why it’s, it’s crucial for all three teams there because your sales wants to obviously have this in their tool set to go and sell. A lot of times if you’re in an existing category. Everyone else has this, so you just cannot afford to not have it. And if it’s a category creation, it also becomes a competitive advantage for you because if your competitors don’t have it yet.

Then, you know, you can go and say, Hey, I’ve got an enterprise ready product for you to adopt. So that kind of mitigates a huge amount of risk for the enterprise. 

Aman: So I’m guessing now, like say previously back in when, when you were the CTO, that scale up, the flow was you go out to sell to enterprise and then you build the compliance features afterwards when you, you know, have an inkling of there’s a deal coming, are you suggesting now that you build those compliance features in advance because let’s say, quote unquote, they’re cheaper or they’re easier to build, and then you can go out and not have that.

Deepak: Exactly. It’s a, it’s, it’s a tricky, this one, right? It depends on how you encounter it. So for us, it was very much having to learn on the fly. So, you know, we went out there you know, larger companies and said, Hey, have you spoken to our procurement team? And then you get this long list of, you know, 22, 23 pages of RFPs to fill.

And that’s when you truly think about, you know, compliance, why they’re doing it. How do you think about your own security internally? Until then, you know, you kind of. Focused on making things work and now your mind set kind of shifts to, okay, I need to think about security a bit more, but then again, how much, right?

Because it’s a, it’s a wide spectrum. So for us, it was a classic this one of, you know, having gone out there, encountered these objections, come back and say, okay, now, is it the right time to kind of address these or should we wait a bit? So it’s and back then, you know, they weren’t these kind of ready to use tools.

So that meant, you know, my team had to go out and figure it out, cobbled together a bunch of things. You had to understand in detail, you know, how that thing works. Which then obviously takes time, then you’re, you know solving all the various problems there, making sure the integration works.

So that is what becomes, you know, time consuming at the same time, you’re blocking everything else in the core product that you could have done in the meantime. So now I think, you know, it’s, it’s given how competitive things are and how you know, the market just assumes these things, right? You’ve got to have these, otherwise why are you even talking to us?

So they’re becoming more and more table stakes. The good thing is you can get in with one of these features, I mean, predominantly enterprise single sign on because that’s how. Enterprises access your product, and once you do that, you know, it buys you a lot of time, right? Once you’re in there, once you get the deal and you know, it takes time for you to onboard them as well.

So in the meantime, you have enough time to say actually, you know, let’s now get directory sync or audit logging sorted in the meantime. So that’s how we’re seeing this now. There’s a lot more awareness of this. You know, if you’re a second time, third time founder, you know, because you’ve experienced this.

So you’re almost thinking about this from day one. For the others, it’s the learning process, right? They quickly realized that, okay I’ve got to do compliance. And if you think about, you know, frameworks like ISO 27001, SOC 2, very important again for enterprise sales, because if you are compliant and have the certification there that’s as good as, you know, filling up their RFPs, right?

You know, in fact, some of them now say, just send us a report. You don’t even have to fill up an RFP. So it’s. For an enterprise deal, this is, you know, it’s, it’s a no brainer now to have these compliance features, the compliance certification itself it takes away a whole bunch of, you know, the, the stress out of the enterprise sales.

Aman: Yeah. So like for anyone listening now, I’m sure like they’ve some, maybe they are, they know half the words that you’ve said and they get what the, you know, the ISO specifications are, and maybe someone like, oh crap, that’s a new word entirely. Like for someone listening right now, could you like rattle off a checklist of like, you need to have this and you probably should have this in about three months time, for example?

Deepak: Yeah. So the ISO 27001 framework SOC 2 there, what you would broadly classify as an information security compliance framework. So what that effectively means is it’s, it’s less rules, right? It’s more a framework where you’re saying, this is what I do. And these are all the risks that, you know, come with the business.

Predominantly for a digital company. That’s how do you protect your data right at the end of the day, you’re collecting data from your customer. All the bad folks are after that. So that’s what you, you know, the crown jewels, right? You’re trying to protect that at the end of the day. So the framework kind of tries to establish, you know, a baseline for you to say.

You know, how do I store this? Where do I store this? How is it being used? How am I protecting it? Then you start to think about, you know, if I’m, I was breached, then how do I get things back up and running? Then you start to think about, you know am I backing up things correctly? If I lose everything today, can I restore everything?

You know, how quickly can I restore? One service availability and to all the data that I’ve collected. So that’s broadly, you know, these compliance frameworks, they forced you to kind of think about what could go wrong and what are the measures you put in place to kind of mitigate every risk there. So that is, I think, a more long term you know goal for for a startup because you’re always battling that product market fit.

with being truly compliant and ready to kind of, you know, scale. So those compliance frameworks kind of come matter a lot when you start to scale because, you know, you’re not dealing with one or two enterprise customers, but tens, maybe even hundreds of requests coming in. So that’s, you know, the broader, what I would classify as a security process that you need to think about.

But a subset of that is What you would call enterprise readiness, and that’s kind of just thinking about what your product needs in order to kind of, you know, get into the procurement of a larger company. Their table stakes are today, you know, enterprise single sign on. That’s effectively. You know, you have identity providers like Okta, very well known today Azure, which is Microsoft’s active directory solution.

And these are places where you maintain, like, an employee directory. You’re a large company, you know, Deepak CEO, you know, you know, someone else is head of sales. So all of that information is what you know, enterprises want to use to get into a SaaS app, because the IT team then has. Much better control over, you know, saying, okay, should Deepak have access to XYZ app?

So Enterprise Single Sign On kind of gives you that and you know, that I think as a minimum, you know, most startups should have today that are selling or looking to sell into the enterprise. You know, they already have some kind of authentication in place. It’s a question of now extending that to say, we support, you know, Okta, Azure Active Directory, and there’s about 20 other providers there.

So enterprise single sign on. Then you’re thinking about, you know, directory sync, much larger companies, making it easy for them to because people enter, people leave companies that you want to do the same, reflect that into your application because, you know, leaving access behind for somebody who’s left is always a security concern.

Then audit logs. Because you need to think about anything, you know, all the events that happen within the product for you can almost think of it as, you know, forensics, right? If something were to go wrong, you want to go back and see what did Deepak do in the last two weeks that might have caused something.

Or you might need evidence for the compliance frameworks I mentioned earlier. And you can pull that off audit logs saying, okay access control, only admins have. ability to change something and here’s proof that, you know, that’s, that’s the case. So that’s, you know, that’s kind of the broadly the feature set that you typically think about when you start off.

And then over time, things like, you know, the privacy ward becomes interesting because you’re you know, your data regulations kind of come into picture, data residency, data regulations. GDPR, of course, is, you know, the poster child that are kind of leading the way every other data regulation kind of follows that quite closely.

So you’re thinking about as a much larger company with more responsibility around my data as I’m scaling, what do I have to do to safeguard? So those are broadly, you know, the. The enterprise readiness features that you would encounter. And this is obviously focused on security, the undifferentiated features.

But as a core product, you’re also thinking about, you know, other things that make it useful for your larger customers. So there are very soft things like, you know, having the ability to invite teams and Make it easier for teams to use your product. That’s very much an enterprise feature because smaller ones, you know, they, they don’t have many people, right?

So you can get away with just a few accounts. So then providing roles within that, you know, authorization who has access to billing, you know, who has access to everything, who can invite, who can manage. The app, but then you probably want somebody else to kind of only see a subset of so as you can see, quite a large spectrum, quite a lot of things to think about as you build it.

But they all kind of pertain to serving, you know, much larger companies.

Aman: Yeah, it sounds like an endeavor in itself. 

Deepak: Yeah, yeah. But at the same time, an opportunity, right? Because you, these are the hard things that get you those deals. Even before you can then, you know, then showcase the true ability of your core product and then you’re starting to think about, you know, how, how can I be more competitive within the core product itself?

So you want to spend as little time on the undifferentiated pieces and as much as time as possible on your core product.

Aman: And how do you see this trending in the future? So you mentioned compliance and security interchangeably almost. Is, do you see, how does that move in the next, let’s say, year and then the next, say, five years?

Deepak: So, historically, and even, you know, in the future So compliance is often misunderstood as security. I would say that, you know, they’re, they’re like the two sides of a coin, right? You, you typically will not think about security unless somebody is, you know, kind of making you do it, right? Like, like everything in, in, in business or life.

So compliance, that’s why compliance frameworks exist because, you know, they’re kind of forcing you to think about these things. But having compliance doesn’t necessarily mean you’re secure because, you know, you could have a very badly built, you know, infrastructure product, which kind of negates everything, right?

Because there’s no hundred percent, it’s a process. So that’s, that’s pretty much what you’re following. And you’re saying, you can you know, I’ve had it for the last 10 years, but doesn’t mean, you know, you don’t necessarily get breached. So compliance security kind of go hand in hand as a, as a, you know, growing company, you think about security only because, you know, you have to, but then you also quickly realize, you know, what, actually, this is, this is what I should have been doing because you know, imagine getting breached, right?

Reputational damage, you know, you kind of your brand takes a hit, you’ve got to convince your existing customers that, you know, your. This is not going to happen again, you know, what have you done to kind of mitigate this? What actually happened to the data that went out? So it’s, it’s, it starts to get very tricky.

And then you, you know, you’ve got to deal with reporting this. Now there’s fines. If you’re not taking all the measures to kind of, you know, mitigate the attack, then you’re effectively liable. for huge fines. So, so, you know, that’s, that’s kind of that’s kind of where it’s trending today. It’s very easy for someone to kind of attack you.

The cost to attack you is quite low, right? Versus the cost to actually safeguard yourself. So there’s that huge differential between the cost to attack versus cost to defend. And I think that’s, only getting worse right now with the AI, you know, it’s, it’s. It’s going to get even more even harder and you’re constantly playing a cat and mouse game, right?

Catching up because as a growing company, you don’t necessarily have the right security resources to kind of tackle this. But at the same time, the tooling is improving as well on both sides. So I think the market trend that we are seeing is security is now kind of top of mind, right? For everyone, they know it’s, it’s crucial.

They know as they get popular, they will get attacked. So you kind of want to preempt that. And there’s, you know, great companies out there that give you all the tooling. For example, Cloudflare. You want to front your app, web app with Cloudflare and you get a whole bunch of you know, network security related features that you possibly cannot build yourself today.

So as you know, as we’re seeing the market kind of mature and erupt these things, we see that there’s a lot more tooling for security. And it’s very layered, right? So you’ve got to think about, you know, infrastructure, you’ve got to think about network, you’re thinking about your product itself, you’re thinking about your, the way you build software, you know, where security can play a role in that.

Are you actually thinking about, you know, attacks as you’re building things and not later? So this is what, you know, the industry, industry typically calls the shift left. So you kind of build a product and you say, now it’s the security team’s responsibility, but it doesn’t quite work. I mean, they, they, they of course have to do a bunch of things, but they don’t know the product well.

So there’s a classic balance between, you know, how much should the developer be doing versus the security team. So a lot of that is kind of moving back in the sense that in the process. So, you know, developers and security teams are now saying let’s think about, you know, threat modeling as you’re building a feature.

And not after. So that mindset of I will get breached. So how can I be more secure is kind of maturing quite a bit. You know, as we see it should be a top of mind and it’s kind of becoming one. Once you make things work, you’re now starting to say, okay, now let me see how to make things secure. So that’s, you know, that’s how we see the cyber security industry.

Very layered. You cannot have 100 percent protection, but You make it as hard as possible to kind of get into your systems. And then as a last, you know, measure, you assume that people can get into your system and then you think about, you know, internal security, what are the places where, you know, you what is classically known as privilege escalation, right?

You get in somewhere. And you realize you now have access to a system which can give you more like, for example, giving access to, you know, your infrastructure where bulk of the damage can be done. So, so that’s what, you know, companies are truly focused on now, compliance on one side, but bridging that, you know, that mismatch between compliance and security and truly thinking, you know, is, is, is the cybersecurity solution really going to offer me that, you know, that better security?

It’s so how and not just because, you know, the market trend says I should have X, Y, and Z and, you know, we truly believe that developers will play a big role in this because they’re building the product, they know the ins and outs, and even though they don’t necessarily, you know, have that the security necessarily the security skill set, but that combined with, you know, a security team can do a lot more than just, you know, each one working isolated on their own set of tasks.

Aman: It’s super interesting. And I’m like, I think that whole piece around how to sell into enterprise is like very valuable for any, let’s say, early stage founder, who’s just making the move into upmarket or someone that’s, you know, done their first deals and it’s like, something’s blocking me and this is the thing that’s blocking them, so that’s awesome.

I want to pivot the chat a bit now, just to really focus on Boxy as a business. So, you know, how, how did you guys find you first find your, you know, one, two, three customers? 

Deepak: Yeah. So so when we started, this was August 21 right in the middle of pandemic. So, you know, we’ve also kind of built the team in a distributed fashion.

This was, you know about a year before we started, we kind of started validating. You know, is this a problem? How big is it? You know, who would face it? How do we reach these folks? So we had kind of assembled design partners, so to speak. So, you know, folks that we knew had this problem, wanted to solve it because it’s always a timing issue, right?

You want. Sometimes a problem is there, but doesn’t necessarily need to be solved immediately. So we want to make sure that there was that alignment in their urgency to solve it. So that we could shape our product, shape the way we kind of built it. So our first kind of, you know, 10, 20 customers were on the back of us.

Reaching out to folks and then are asking within our network to say, can we get introduced to typically CTOs because, you know, we knew and we focused on the enterprise readiness use case and, you know, early, you know, seed to series a stage companies. That was kind of our initial focus. Because having come from there, we knew that, you know, they’ll.

usually have that problem unless they’re only selling to SMBs, in which case, you know, they can kind of delay it a bit more. So that was how really we, you know, got our first, you know, 10, 20 customers very much kind of hand selected to the point that, you know, we also helped them integrate the product because, you know, we were building the APIs, the developer experience.

So we wanted to make sure that that kind of blends in well. And then, you know, as that matured, then, you know, we would we kind of would get them to do it and figure out, you know, all the friction that they kind of encountered. Then helping their, you know, enterprise customers on board. Then we saw, you know, all the customer support issues that kind of came on the back of that and then thinking about how, what we could do within the product to kind of make that more seamless.

So that’s kind of how we did that initial product building very much. You know, picking up feedback from customers who were using it live and it was crucial for them to kind of, you know, get that piece out. Was there an experiment to ignore? 

Aman: Was there an external signal that told you like, Hey, these guys are now in market to go enterprise ready?

Wait, like, did you see like sudden logos appear on their website? Like, what was the sign for you guys externally? Be like, Oh, this guy’s worth reaching out to now. 

Deepak: Yeah, so initially it was just about, you know, talking to them. And you know, we, we almost, it was a discovery phase, right? And in the process, by the end of that call, we would know, you know, what, what stage they’re at, how far away are they from, you know, needing something like that.

But like, as you said, we, we slowly started picking up those signals, right? Because the timing is important. A lot of the time we first have to hear about us and then, you know, second, they have to be in a place where, you know, they can actually utilize our product to value. So for us, it was really that that picking that stage, right?

We knew in that stage and the other soft signals, right? Like they might have announced a round. That is typically a signal that, you know, they’re thinking about the next phase, which is, which typically comes with, you know, having to find larger deals, which automatically moves them upmarket.

So you know, the product market fit thing is obviously a wide spectrum, but they have some sense of, you know, PMF and at the same time are thinking about or have started to receive those requests. So, for a lot of our prospects that we spoke to, they were receiving these requests from larger companies saying, you know, we like what we see, we heard about you, we want to use you.

So that is then a clear indication that, you know. They should do this at some point. And then the conversation quickly changed to when do you want to get this done? And obviously they were interested in how quickly they can get it done as well. At the same time, we had a lot of, you know, prospects come in who said, I’ve got to sign a pilot.

So can we get going? So that’s, that’s kind of the spectrum we dealt with. And those are the signals, right? That they have some interest from enterprises or they’re preempting it sometimes. Or, you know, they had some pilots going, so that was kind of our way easy to spot signals. Right. 

Aman: Yeah. Yeah.

And then you mentioned like in that journey, you said you had a concierge service where you helped them install it. Then you, Hey, look, here’s the API. Here’s the documentation. Go use it yourself. Then it was like, it will help your enterprise customers use it. You’re kind of doing both. You’re like this concierge service and this API, like that’s almost two different models going on.

So how do you, how did you navigate that as a team and, you know, in the future in your business? 

Deepak: Yeah. So so that is very much I mean the APIs are almost kind of, you could say polished on the back of that, right? Because the journey is. Like today, if you see, we have documentation and people, you know, we’ll try, try it out even without us knowing, because, you know, it’s a very it’s an open source self hosted model.

But back in the days, you know, the product was getting built that was changing very quickly. So without the concierge service, it would leave our customers quite confused. Certainly not so much about the API chain, more about what is actually happening underneath. So it was a very intentional almost like, you know, like you hear the classic adage do things that don’t scale because you’re kind of understanding the process, you’re understanding the friction points, and you can kind of go back as a team and focus on those pieces.

So for us, the concierge service was a way for us to say. What are the things we’ve done badly so that we can go back and polish that up for the next customer? So that’s how we kind of treated this, right? Because for an API driven product, developer experience is crucial. And that developer experience can only come by, you know, observing usage of your, your product.

So we’re practically sitting with them and saying, you know, that now let’s go through it. You know, what is your tech stack? What is your authentication stack? Here’s how we can plug it in. And we would give them, you know, all the snippets needed to make that happen. Or we would go out and build an example and send a link to the example.

And then, you know, they would use that to kind of build their. The integration and come back and say, I’ve done it up to this point. Now I’m stuck. I don’t understand what’s going on. And you go back and, you know so, and then, you know, it helped us think about the content, you know, you’ll see a lot of our blogs.

It’s for us, a lot of the sort of, you know, let’s say the, the, the marketing, the go-to-market strategy has always been about content. How do we give them useful content? Less about BoxyHQ, right? More about the problem they’re solving. For example, if you think about the SAML protocol in Enterprise Single Sign-On.

Quite a complex one, you know, it’s based on XML from, you know, about 18, 20 years ago. A lot of the modern developers have never seen that, you know, necessarily or have dealt with that in detail. So then kind of breaking down that flow for them and helping them understand that without going, you know, too much into detail because they don’t need to know a lot of those details.

So that kind of helped us figure out, you know, what kind of flow diagrams would make it easier? How do we explain, you know, the flow? Sometimes we would actually get on a call with them and show them the flow. And they would be like, Oh yeah, now I get it. Then they would, you know, just go back and make, made it a whole lot easier for them to kind of sometimes visually show things that would otherwise have been hard for them to, to grasp.

So that was kind of, you know, the, the whole because you, you’re doing a lot of things, right? You’re building it, you’re documenting it, you’re thinking about, you know, content too. To be discovered effectively and then the onboarding journey itself, you know, once they come in, do they have enough steps to kind of, you know, progress at least to the next stage, not necessarily to the end.

And at the same time, you know, we were, we started building our community around it because that’s the place where folks come and talk to us. Especially when they have a problem sometimes you will come and tell us that we’ve integrated everything and we’re a great product, which is of course a great sign of that, you know, the developer experience that I just mentioned.

So that was kind of our whole process there. Very much seeding product community and making sure, you know, the problem was being solved as the market saw it and not so much, you know, from our own perspective.

Aman: Yeah, cool. And then, so going into 2024, is content a big, still part of your marketing plan or what’s your marketing strategy now in 2024?

Deepak: Yeah, absolutely. So we, we’ve just launched our SaaS product that the, you know, until now, everything was, you know, self-hosted. We didn’t really have a hosted solution. That’s kind of now a month ago, we kind of, you know, soft launched that and what that has now meant is, so until now, marketing was purely organic, right?

We had to go out there and, you know, talk about ourselves, be useful. We would tap into conversations that were talking about single sign on. And just trying to suggest, Hey, you know, here’s an open source project. We’d love to get your feedback. Or, you know, help you solve this single sign on problem.

And, you know, the classic content, not so much is, you know, very SEO driven, right? So far, very organic. We haven’t really spent a lot on paid marketing mainly because we had no funnel to capture folks. So now with the SaaS product, we have a place where people can sign up and, you know, that kind of gives us, you know, moving ahead.

That’s, you know, one of the pillars for us, right? Just experimenting with paid marketing, the keywords out there. We’re organically coming up on Google, but, you know, we want to make sure that we’re there for the right keywords, the right set of the right intent there. So but content is still a very big strategy.

We see that working well, all the enterprise customers, you know, coming to us have discovered us on the back of, you know, either content or the examples we have out there. So that kind of, we, you know, we continue to double up on that. That’s a mixture of, you know, for us, content is also about, you know, free tooling around this.

So for example, we have a service that mimics, you know, what Okta and the other identity providers do, that’s very useful for testing so that, you know, people sometimes discover us from there and then realize, Oh, we’ve got a full single sign-on proxy solution on the other side. So that continues to be, you know, a big, you know, key marketing effort for us.

We, we hired, you know, a customer success engineer. It was kind of, you know, like the developer relations person as well. It’s, it’s again, you know, wide spectrum, it’s, it’s a very confusing role. But you know, we now have a good sense of, you know, what this person should be doing, you know, predominantly helping our prospects.

And at the same time, you know, bringing back those lessons to say, we can write about this or, you know, we can integrate with this framework because that’s widely used up there. So that’s, that’s kind of a big, the community-driven marketing as well, right. For us being open source. So those are kind of, you know, largely the two sort of marketing efforts from, from, from our side.

One is, you know, community organic based on, you know, content, free tools. The other one is kind of more classic enterprise sales where, you know, my co founder and I kind of going out outbound campaigns. We have a good sense of, you know, who could use us at the larger companies, of course. So in many ways, our own enterprise readiness journey, right?

It’s, it’s a vicious circle, but we have, we have all the tooling for it. You know, it’s exactly, but it’s the other side of it, right? Like, how do we find them? Are they at the right time? What are the kind of collateral? The collateral is very different for decision makers versus you know, the developers who discover us.

We already have good content for the developers, but what are the decision makers looking at, you know, head of sales, as we spoke, they’re looking for this head of product sometimes security. So those are the three kind of, you know, important stakeholders for us who ultimately might have the power to make that decision 

Aman: From a marketing perspective.

I think you like nailed it on the head with like, because it’s all about timing with your, with your business, with your product specifically for developers. It makes developer marketing semi straightforward, where it’s like, you just need to appear at the right place at the right time, which kind of lends itself to, Hey, you need to be ranking high organically, or you need to be ranking and paying for that position.

Or you need to be on Reddit forums, educating people on the how-to guides or the tutorials so they can learn that step before they need you. And then it’s like, Oh, Boxy is the perfect solution. Cause it just did everything that looked so painful to do, but in a couple of steps.

Deepak: Yeah, exactly. It’s a, it’s what I call the, you know, it’s a classic marketing funnel.

Right. I mean, of course now people say it should be a flywheel, but ultimately it’s, you know, your, what is popularly known as tofu, mofu, bofu top of funnel, middle of funnel, bottom of funnel. You want to be top of funnel awareness, right? Somebody needs to know about us so that the next time they’re thinking about it, we pop back in around this.

We also, you know, obviously get into where our competitors are a few competitors were ahead of us and we kind of utilize that because we cannot compete with them either on a paid marketing level. We don’t have that kind of fundraise yet, but that allows us to be kind of, you know, quite smart and frugal about it, right?

We’re there. We’re making noise where they are so that when folks look at them, they’re also looking at us and, you know, kind of. Are at top of mind in, you know, where, because there’s always that selection process. So, you know, we want to make sure, especially with, at least in the mindset of the selection process.

Yeah, exactly.

Aman: We’re trying to decide like who’s the cheap one, who’s the expensive one. What’s going to make me, what’s going to cost me more in maintenance time. I think it’s the main thing they’re thinking about as well.

Deepak: Exactly. I mean, having been a developer myself, I never liked talking to salespeople, right?

So. That’s why, you know, our open source model that way is has that benefit as well because they don’t even need to speak to us. They come in, you know, they run the app on their laptop. They can try it out. They figured out whether it’s useful or not. And then, you know, the process starts after that right thing.

You know, either they will contact us for more detail or send someone in to say, what are your present plans? You know what do you offer? So what are the deployment models? So that kind of starts off that conversation for us. And by then they’ve already tried us in some form. Right? So. That’s kind of the, the big advantage we see with the open source model.

And that’s, I think the right way to sell to developers. Oh, well, not to sell to developers, the kind of.

Aman: So given that you’ve been a developer yourself, like you’ve had a really interesting career path from, let’s say dev to CTO now to CEO, which I think that that last, that’s the kind of interesting one.

I mean, I’m sure there’s developers listening to this. Probably have this itch to do that journey, potentially any top tips for them. 

Deepak: Yeah. So I mean, being CEO is not all glamorous, right? I think most folks know that anyway because I don’t get to do the cool things anymore. Although, you know, still driving the product to kind of, you know, trying to code when I can.

But I think I see your, your mindset kind of changes. It’s quite drastically, right? You’re thinking about you’re balancing that old, you know, long term vision. You’ve got that vision, but you cannot you cannot see that vision through is so quickly. Right. And especially in the category creation, it takes that patience to kind of make that happen.

But then you’re also You also have to think about in the short term and midterm what do you need to focus on? So your mindset quickly changes from doing things to making sure everybody’s doing the, or at least the right set of things that is moving you in the right direction, right? So you’re setting that direction more than actually kind of, you know, executing or implementing it.

So it’s really about rallying the team around that common mission. You know, you’re defining your values and what kind of drives you because if you’re solving a very hard problem, it’s, it’s difficult, right? It says you have more hard days than, than good ones. So kind of trying to be stable around it is, is, is key.

So as a developer, what you do is very different from, you know, having to do that at any, any kind of founder level, right? Because you’re dabbling with so many other things like, you know, admin and accounting and all those things come in as well, which is definitely not something you’re used to. So I think it’s just about that, right?

Knowing that there’s going to be a mindset shift, a change in role and being absolutely open about that, right? Because otherwise you get into this problem of you know, then maybe you’re better off as a CTO and not a CEO because then you can entirely focus on the technical aspects. So that I think is the biggest mind shift, you know, the, the change there as CEO, you’re effectively looking at everything else, right?

I mean, which, which at a startup is just product and distribution, but distribution is very different to building a product. So I think that’s the biggest mindset shift there, right? Being able to sell and not in the sense of, you know, having to be a good salesperson, but understanding the problem, understanding how to find the right.

You know, a set of people who are looking to solve that problem be always being in that discovery phase where you’re saying, okay, I have this thing in mind, but maybe it’s not the right thing, or maybe it needs to be approached in a different way. So that’s, I think the, the biggest mindset mindset shift for me that happened as a CEO.

And then you’re also thinking about, you know, fundraising keeping enough money in the bank and making sure, you know, you’re, you’re planning everything correctly for the next round. What are the milestones to get there? You know, how does the, how do the VCs think on the other side about the opportunity?

So the storytelling as well, right? That kind of has to come in over time. And as developers, you’re not natural at it, but you know, you learn over time. So it’s just that I think, you know, you got to be open to learning and, and doing boring things more so than. 

Aman: Nice. And then I’m mindful not to like alienate half people listening to this, like, so for the SaaS founders listening to this, who have been thinking about security, like, what’s the, what’s the top tip that you’d give to them?

Deepak: Yeah. So I mean this is, is what I would always say, right? Like obviously there’s a utopian things that you need to do, but as founders, we all know that. You know, you’ve got to approach it one at a time, right? So from a security perspective, think about, you know, when you need to start doing this and kind of as I say, do it only when the city right in the beginning, because.

You’re battling with also, you know, figuring out what works, so you don’t want to mix up and spend too much time on security. It’s a catch-22, right? You have to do it early, but not so early that, you know, it blocks everything else because ultimately security does take, you know, take up time and resources.

So it’s just like balancing that out, right? You, you know the enterprise opportunity is there. That’s a good time to start thinking about security. In many ways, the initial stepping stones of security is a larger customer, right? That’s, that’s kind of and they have, you know, enough standard guidelines to kind of get you there for the next, you know, 10 customers.

So so it’s just again, timing, right? You, you want to plan it. You probably want to have it on top of your mind, but do it exactly when, you know. You’re ready to go rather than, you know, saying you know, I’ll add everything in now, but make sure your product is there, you know, got your core differentiator in there.

And then you can think about this. Now, unless of course you’re selling to enterprise from day one, then, you know, it’s a no brainer, right? You’ve got to get a plug this in from day one

and it’s, it’s not as hard as it looks. So it’s, it’s, it’s just tedious. So, yeah. 

Aman: Cool. So like, I think we’re at the last, last bit of the section, which is the quick fire question. So I’ll ask you four questions and you can give me four. Insightful answers. So question number one is what’s the best book that you’ve read recently?

Deepak: Oh, recently was Predatory Thinking by Dave Trott. Really interesting, but very short stories about his, you know, he worked at Ogilvy advertising. So he has great stories about it, pertains to marketing specifically, but, you know, doesn’t necessarily box you into that. It’s, it’s a way, interesting way to think about, you know, marketing competition in general, you know, how do you out think someone who’s, you know, who has way more resources than you.

Aman: Cool. Which entrepreneur or business leader do you admire the most? 

Deepak: For me, it’s always been Bill Gates and, you know, that kind of continues to, to be so 

Aman: What’s the best piece of advice you’ve ever received? 

Deepak: I mean, it’s, it’s for me, it’s always been about, I mean, there’s, there’s, there’s a lot of advice out there, right.

But one that said. Listen to advice, but also think about context before you, you know, before you take it before you take it fully. Right. So that was quite interesting because it just means that, you know, it may not apply to you, may apply to you in a different way. So just kind of setting the context around it which is strangely a meta thing, right?

It’s an advice about,

Aman: I think that’s a great piece of advice. It’s a very wise one. Cause once you start receiving so much advice, you start seeing that everything is contradictory and it’s all depending on what happened to that person. All that journey. 

Deepak: Exactly. 

Aman: Thank you so much for your time. Really appreciate it.

And I look forward to seeing how Boxy grows in the future. 

Deepak: Thank you so much. It’s been a pleasure. Thanks for sticking around. If you want to see the show notes, please go to nuoptima.com slash SaaS podcast. Otherwise see you at the next episode. Bye.
