October 3, 2024 Portfolio

Bugcrowd Blueprints: How to Pitch VCs (and Improve Your Pitch) When You’re Not From Silicon Valley

BuilderOps Blueprints is a newsletter on company building foundations for early-stage startups by Costanoa Ventures, a VC firm that backs builders across data, dev, and fintech. Throughout this series, Costanoa’s BuilderOps team interviews founders and startup leaders, showcasing their superpowers and learnings on all things company building.


For our latest edition of BuilderOps Blueprints, we interviewed Casey Ellis, Founder, and Chief Strategy Officer of Bugcrowd, the leader in crowdsourced security. Bugcrowd recently acquired external attack surface management leader Informer and was chosen by Google as the payments platform for security researchers identifying bugs. Check out Bugcrowd’s open roles if you’re interested in novel approaches to cybersecurity.


We heard that back in the early days of Bugcrowd, you had a unique way of practicing your fundraising pitch – tell us about it!

To set the stage, after finishing the Startmate accelerator we’d had $1.6M committed in a Series Seed in Australia – but we knew we wanted to build Bugcrowd from the ground floor in Silicon Valley and wanted to raise institutional capital here as well. The U.S. market is very different to Australia and as a founder if you’re not prepared for this, it’s easy to fall over and skin your knees on the business, marketing, and cultural differences. I definitely did that the first seven or eight times I pitched to North American investors, and somewhere in the process I realized that it was pitching like I would as an Aussie in Australia – there, we tend to “bury the lede” and lead a pitch with vulnerability, as a way to build trust and credibility.

If you do that in the US, people switch off in the first seven seconds – it’s almost as though you’re speaking a different language. The expectation is that you’re coming in hot, almost ignoring the weaknesses and “to be completed” things that come with doing an early-stage company in preference to making sure nothing gets in the way of positioning the biggest possible version of your vision. And then very clearly connecting that pitch and your offering to the market. I knew I needed to adjust my approach to fit the market, so I came up with the Uber Pitch Drill: Every time I got into a rideshare, I set myself the goal of pitching Bugcrowd to the driver. The rules of the drill are simple: 30 seconds, no jargon (so if they needed clarification, that was a failure), and the bar for success was receiving a buying signal from the driver at the end of the pitch.

Why did this work for you?

When you pitch a rideshare driver, the pressure is off – they almost always ask “so, what do you do” which is a perfect opportunity for it, and you don’t have to be afraid of getting it wrong because you’ll probably never see them again. And this kind of practice reinforced what every founder should remember about pitching:

  •  Never assume you have a technical audience – speak simply and plainly. If you do it right, perfecting your pitch for the “lowest technical denominator” will translate to a more technical audience as well.
  • Lead with their problem, and draw a clear line to how your solution helps. The early days of the Uber Pitch Drill coincided with the Snowden disclosures and a bunch of other broad, early cybersecurity awareness, so I had a lot of loose interest available to work with when it came to concerns about getting hacked by the bad guys.

“Hack yourself before the bad guys do it for real” was a product of this exercise, and this turn of phrase is still used by Bugcrowd (and many others) today – It ended up being a great tool to refine our pitch.

Let’s switch gears – how did you first conceive of Bugcrowd? 

I grew up as a hacker in the 90s and 00s, worked in security for many years as pentester, and then shifted across into solutions architecture, sales and marketing, and other more “business-y” roles. I think this combination was ultimately the main precursor: I wanted to change the operating ecosystem for good-faith hacking, and believed this could be achieved by creating a new market that shifted the economics from defense to attack. The persona and the role of the hacker is to see around corners and build things that are relevant for the future. I think the need for this has never been more obvious than it is today. 

Cybersecurity is about creative problems that need to be solved before the bad guys solve them and create a bad outcome. Our platform occupies the space that’s right in the middle of all this creative security research, and helps businesses proactively secure their organizations, reputations, and customers against cyber attacks by connecting them with the intelligence of the good-faith variety..

If you could go back in time and give your first-time founder self the benefit of hindsight, what advice would you share?

The biggest things would be to trust others and delegate more quickly, but while still backing and believing in yourself.

As a first-time founder/CEO, it’s easy to start to listen to voices of doubt coming in from the outside, and allow them to impact your confidence. It’s a fine balance – you never want to be so proud or lacking in humility that you don’t listen to the experience and wisdom of others. You need to humble yourself enough to ask the stupid or obvious questions – it is a fundamental key to executive growth. But remember: you’re still driving the car, not handing the steering wheel to those you seek advice from. The goal is to understand the patterns  those you look up to have used to be successful. The reality is you will toss out 90% of what you’re told, integrate the 10%, and end up with something that is uniquely yours.

Hindsight is 20/20 but, looking back, I was actually right about many of the things I felt most uncertain about at the time. There have definitely been times where I’ve let that feedback erode some of my trust in myself, and as a leader this is something you should work to keep actively in check.

Thought leadership is a must-have for founders today. How do you think about doing it right?

There’s no shortage of ways to engage and be provocative – You have to pick the hills you’re willing to die on. Narrowing in on the right ones involves going back to your original mission and what you set out to do and asking the question: Why did you take this journey in the first place? Use that to inform your vision of the future, and that will clarify the areas you should focus on.

This infers that you also need to pick the hills you “won’t” die on – it seems like a logical instinct to just make a ton of noise, trendjack and try to be an “influencer” but if you don’t have clear priorities around engagement and what you’re doing it for, it can end up feeling like you’re cutting down a tree with the wrong side of the ax.

So what’s a better way?

One of the most effective strategies at Bugcrowd has been to build out and maintain your allies for a stronger and more purposeful network effect. In the early days, I was looking for folks who were broadly aligned with us and had enough crossover with the things I was interested in, like changing public policy and laws so they don’t chill good-faith hacking, for example, and we’re now seeing the fruits of these efforts with the Department of Justice as they change regulations around hacking.

I took a very deliberate approach to who I interacted with as I was building my initial network. It’s really thinking through who has enough adjacency and understanding of what you’re trying to do to carry your message to new audiences. If they carry it, will the next person listen and agree with them? It’s not the first-order audience, but the second order that matters most. 

If you reduce your thought leadership to how many social media followers you have, you’re missing out.

What’s one tactic you always deploy to drive that network effect?

Whenever there’s an opportunity to give value back, never pass it up. I’m a believer that everyone has something to teach us; we can learn from anyone. That’s true for you too – there’s usually something you can impart to offer as value. 

I’ve found that helping people solve problems, without the expectation of something in return and just because I can, is a powerful way to build trust. I’ve made so many friends and learned from so many peers like this – and that just continues to grow and build on itself. 

How about social media channels? Which ones are useful for first-time founders?

Our joke at Bugcrowd is that we were built on Twitter. In 2008, Twitter made it so easy to be part of this giant virtual yard party where you could go up to your heroes in security, ask them dumb stuff, learn from them, and even develop real relationships.

Today, I don’t think there’s a social media channel that serves as that one virtual watering hole equivalent, which means what you should use now depends on your goals. That said, I find a lot of the weird, fun, low-friction networking stuff that used to happen on Twitter now happens on LinkedIn, like shitposting for business.

Ok, how do you strategically shitpost?

There’s a definite trick to it. I often look like I’m shooting from the hip but when I shitpost, it’s designed to start a fight, but in a way that lets me step back without being too concerned about negative blowback. I’m really trying to open conversation by offering a point and counterpoint within the direction of the question I want people to be talking about. 

That’s what I would call “peacetime shitposting.” Wartime shitposting is different. That’s when you might get dragged into something and you need to decide whether or not to take a stand, and what your stand will be. An example of this happened to us when a spousal spyware company – which built tools consumers could use to spy on their partners – got breached. They named Bugcrowd as one of two companies they intended to get some help from. I said very clearly, “I’m going to tell them to go die in a fire if they call us up – That kind of tech shouldn’t exist.” I thought about my own ethical positions, and the young people looking to us as an example, and it felt like the right stand to take, even though it was provocative, polarizing, and unplanned.

Tell us an interesting thing we don’t know – or wouldn’t guess – about you.

I’ve been a performing musician since I was 14 years old and I draw a lot of how I think about leadership from that experience. My main instrument is drums, and as a drummer you can be the loudest instrument on stage – but that’s not what you’re there to do. You’re there to make good music together. There’s more than a few performing musicians who end up in security leadership, maybe because it’s a communication problem as well as a math and a leadership one. 

It’s just a good illustration that we should draw on all our experiences, whether they’re directly linked to our work or not. It all supports you.

One final productivity hack?

Stay hydrated and protect your sleep. Super simple yet super easy to forget. If I’m performing subpar, it’s usually because I forgot one of these two things so get back to these basics and go from there.

Thanks for chatting with us!


BuilderOps Blueprints is a newsletter created by the Costanoa BuilderOps team. Stay tuned for upcoming features!

Author

0 Shares

Written by

author

Katy Wiley