This year Thinkst Canary crossed the line to $11M in ARR. That number is reasonably significant in the startup world, where Lemkin refers to it as “initial scale”. For us; it’s a happy reminder of Canary’s spread into the market. $11M ARR certainly isn’t our end goal, but it provides the fuel for us to keep building the company we want to work at.
We got here without raising a dime in capital, shipping a hardware/SaaS hybrid, sitting way outside Silicon Valley. That’s different enough from many startups that we figured it was worth a post with some thoughts on how we got here¹.
To be clear, we’re not anti-VCs. From the beginning though, we wanted to try bootstrapping. In the past we’ve spoken on how founder ego can nudge you towards building VC-backed companies (and why you might not need to), but that’s less focused on VCs and more aimed at founders.
Canary launched in mid-2015, after we worked on it privately for about a year. Our thesis was that security honeypots deployed internally would allow customers to discover when they are breached (without them having to be informed by third parties some 300 days later).
The key was that deployment and management needed to be dead-simple.
Honeypots have a long history in the security world (pre-dating Canary by decades), but were always painful to install and run. Removing this pain became our North Star. At launch we demoed for Ars Technica who wrote an early article on us.
That one article was about the extent of the international press coverage we received, despite actively pitching to a bunch of publications. What’s interesting here is that funded (now defunct) competitors did not seem to have the same trouble getting press. After digging into this, the answer we received from one journalist was forthright: funding is a positive signal for journalists. They have funding, and they’ll get the coverage.
I mention it because, while it was disheartening at the time, it turns out we didn’t really need launch coverage. The product found its market without lots of press, by being something people want (to butcher pg’s maxim). For bootstrapped startups, worry less about the coverage and more about whether your product does what you promise.
Customers who love you
The Canary pitch makes two key promises:
We promise we will be super easy to deploy (v1 used to take 4 minutes and now we are down to almost half that);
We promise we won’t drown you in alerts.
We knew that Canaries worked, but also knew how much of a leap of faith it takes to buy a $7,5k security tool over the Internet. We were so crazily grateful for the early customers who took a chance on us, that all 5 of us worked like crazy to make sure we never dropped a promise. This take on being genuinely grateful for our customers and working hard to keep our promises is still baked into everything we do and still guides all our product decisions.
Being grateful to our customers guides all our decisions, so our sales will never be spammy, and our legal documents try hard to be in simple English and gotcha-free.
Promises are funny things. It’s easy to make one and sounds good when you do, but the test only comes up later. In a broken organisation one group makes promises which another must deliver on (and often can’t). We recognise that sometimes we make mistakes; perhaps a customer hit a bug, or we sent a poorly worded reply to a customer query, or a service was offline. The key for us is that the promises we make are known through the company, and it’s everyone’s job to hold us to them. Anyone in sales, support, or success can raise issues with engineering; Sales folks never promise delivery on requests unless confirmed with the product team. Everyone is aligned on this key point: we exist to give our customers the right alert when it matters. Anything which gets in the way of this must go…
We sweat every detail of the product to make sure it’s simple, does what it says on the tin, and then gets out of the user’s way. We don’t have trackers around every page-load and aren’t trying to maximize users time in-app. Is it the simplest it could be? Of course not! We’re still sweating those details.
Customer focus is the main reason that almost all of our customers from year-1 are still customers today (specific shoutout to Bill from San Diego, you know who you are!). In that time we’ve never raised our prices, but our customers increased their spend with us (more than 10x in some cases).
With that focus on customers, a feedback loop is necessary to judge whether you’re doing things right. Our last NPS run came in at 80 (and we once had a customer write us a song). We’re also pretty active on Twitter and love interacting with customers or potential customers there. All of this becomes part of our Canary brand, which aims to be low-key, earnest, kinda-humorous, and effective.
We still get tweets like this on a regular basis:
Twitter is amazing for unfiltered views and we saw lots of chatter about Canary. At some point (early on) we realised this was a kind of virtuous cycle: treat customers well, and they post unsolicited comments on Twitter, which helps us attract more customers. We started a page to highlight some of these unsolicited tweets about our birds and https://canary.love is probably our top sales person today. (This approach works well if customers actually like your product; it’s a nightmare if there’s negativity towards it. We’ve seen a few other young security startups try this approach too, with success).
RSAC and Trade-Shows
One of the joys of building a company “our way” is that we get to nibble at how things are traditionally done, and still get to add our spin on it. In 2017, we visited the RSA Conference for the first time as attendees and decided to hire a booth in 2018. But just because we were boothing, didn’t mean we had to go all the way into booth ridiculousness.
We did the show, and documented our experience (and our costs) extensively in a 5000 word blog post. If you are a young company considering a trade-show, it’s worth a read. (tl;dr: done right, the show was easily worth it for us). We’ve since met dozens of startups who told us that the info in that post convinced them to try trade shows too.
Trade shows are one place to spot companies that recently got funding; they make outsized splashes in terms of booth size, staffing levels, swag, and (it seems most importantly) the parties they throw.
In 2017 we attended a bunch of evening functions and most were not really our scene. So in 2018, we rented a venue about a kilometre from the madness for a little gathering of our own. While all the parties and bars were full and loud music was making sure nobody could hear anybody else, we had a quiet location where we bought drinks and pizza as Halvar Flake spoke about his experiences selling his first company to Google.
In 2019 we had the same deal with Jon Oberheide talking about how they scaled and sold Duo Security to Cisco.
The audience was mostly friends or customers, so this wasn’t a sales push. It was our take on an RSA conference event, a quiet collection of smart folks talking about security and how they built their security companies. It’s the thing we wanted but hadn’t seen: in a week where everyone is selling all the time, an opportunity to mingle without getting a badge scanned or a business card thrust in your face. Learning is one of the reasons we built our company, and if we’re going to be in SF during RSAC, we might as well learn from some of the smart people in town.
Like most young tech companies, we’ve cut our teeth on Open Source software. Although we make a living by selling Canary and Canarytokens, we give away Docker images of Canarytokens and build and support the BSD-licensed OpenCanary. (Aside from the time we put into it, our own free software is probably the “competitor” we bump into most in the marketplace, even if it’s not that often).
We also get to contribute monetarily. Supporting projects with the proceeds of our growth is a great pleasure, and we’ve either sponsored or donated to Twisted, OpenBSD, iTerm, Homebrew, Wireguard, and smaller projects. We’re also a USENIX benefactor. We don’t see these as advertising opportunities, but genuinely think they deserve it and we’re super glad (and proud) we can play a positive part in the ecosystem.
A nice place to work
The rush to market in our early days demanded long hours, but we’ve been able to grow our team over this time so we didn’t all have to be “on” constantly. Today, while still small by sprawling SV standards (we are 22 people all in) we get to work pretty normal hours. (It’s still totally normal to see people chatting on Slack in the wee hours of the morning, but this could just as easily be people commenting on recent NFT craziness as it is likely to be because of work.)
We get to focus on projects that reasonably stretch each other, we get to work on features we think are important, and we get a chance to ship stuff that doesn’t suck. (It’s a little bit surprising, but just committing to not sucking is surprisingly rare). Over time it means we get to build a team of smart people who enjoy what they do and enjoy how we do it.
We hate poor-quality swag. Walk around a typical tech (or security) conference and cheap gifts abound. T-shirts get handed out by the truckload, but often they’re the stiff, scratchy, and not from the supplier’s premium range. This is crazy. Uncomfortable apparel will simply not get worn, and gets repurposed as rags around the home. Those weird conference bags get turfed, and the plastic pens go to the bottom of a drawer. It’s genuinely strange how many companies dole out cheap-swag for marketing.
It’s such a huge thing to have someone willingly wear your logo. They’re publicly associating themselves with the Canary brand we’ve poured so much effort into building. It makes no sense to give them the cheapest T-shirt/hoodie possible. We spend time designing our gear and then spend time getting it just right because we can’t imagine doing it any other way.
Incidentally, this is also slightly different from a typical customer acquisition cost where there’s a direct spend on non-customers. The biggest recipients of our swag are our existing customers. We don’t think it’s the reason they stay with us, but it does make us smile making our customers smile.
No doubt there are people who swing by the RSA booth and grab a T-shirt without knowing who we are, but I choke up when I see customers we love wearing our gear.
Last year we grew tired of swag-fulfilment companies messing up the last-mile of our gift deliveries and built our own https://gift.canary.tools/ to handle this end-to-end. It’s a tiny site, but gives us flexibility for easily sending anyone around the world a gift. Everyone at Thinkst is empowered to send gifts. Maybe it’s for a pull request on one of our Open Source projects, or a great idea, or a heads-up on typos in documentation, or even just a happy email. Customers in return love it, so for us, the whole thing is an absolute no brainer.
One of our core values at Thinkst is that we can do well by doing good. We sit in South Africa which ranks first in the world for income inequality. Last year we were able to cover tuition & accommodation for 3 University students, and over the past 2 years have managed to donate over a million dollars to local charities. We have some cool plans to do a little more in this space, but we will save those announcements for after we have more of those runs on the board.
The Product, the product, the product
If there’s one take-away from this post for young startups, let it be this:
The product absolutely matters.
Hot takes about how “better products don’t always win” might be able to find examples where it’s true, but a great product covers you from lots of other weaknesses. If you can combine a great product with a really low burn-rate you are in fantastic shape for the road ahead (that’s particularly true for entrepreneurs outside the Valley).
From day-1 we’ve focused relentlessly on making Canary better, easier to deploy and easier to manage. We constantly research and develop new Canarytokens that can be used to detect badness with high levels of certainty (for small deployment costs). As we’ve grown, we’ve been able to hire smarter people so we’ve been able to continually up our game, from the devices we ship to the infrastructure that makes it all possible.
We’ve given an entire talk as a keynote at VB2019 titled “The products we deserve” lamenting the current state of security products (but expressing why we are hopeful for a positive change).
What do you miss out on when you bootstrap?
It wouldn’t be fair to write this post without discussing things we missed out on when choosing to bootstrap. We’ve not been completely isolated from VCs; to the contrary we’ve had lots of open dialogue with a bunch of them. This gives us some insight into what we’ve missed.
Great VCs make good sounding boards for problems you might be having (but great VCs are pretty rare). So founders need to make really careful choices, especially if they’re looking for advisors in their VC.
As mentioned previously, early press is easier to come by for funded startups, but we also don’t think that that sort of press is super helpful.
The journalist who asked about our funding indirectly highlighted the key point: VCs give you credibility and in some ways give you permission to act grown up.
One of the challenges when you are tiny is trying to find your place in the world. Are you a CEO when it’s you and 4 friends building software? (You almost certainly are post a $15M A-Round). Aligned with that is a type of beauty contest; companies funded by tier 1 investors get to hobnob with other successful founders, and then get to act even more grown up. Does that have an impact on the company operations or product development? Tough to measure, but it almost certainly has benefits for exits.
Additional funding rounds often lead to more press, but I’m dubious of this benefit, at least for products like ours (with bottom-up sales), and it certainly won’t lead to more customer love.
For us, it’s absolutely business as usual. We know that we’re still judged by our next update. That all our previous customer interactions don’t matter if we screw up the next one. So we continue to work like hell keeping our promises, growing Canary by making even more customers happy. If that takes us to $100M ARR, we’ll blog again!
¹ Posts like these can sometimes feel prescriptive (“We got here because of these, so you should do likewise”), but that’s not our intention. We’re thrilled to cross that $11M ARR line, and there were many moments along the way. Even with hindsight it’s hard to know which of these were important, but they were fun. We’re not going to dive into numbers, but we’ve been profitable since year-1 and we continue to grow.