The Decibel Podcast: Founders Helping Founders

Haroon Meer, Founder of Thinkst Canary: VC Money Won’t Solve All Your Problems

Episode Summary

Haroon Meer is the Founder of Thinkst Canary, a fast growing cybersecurity company that enables companies to put “honeypots” on their network to catch attackers in minutes. On today’s episode, Jon Sakoda speaks with Haroon Meer about how growing up during the tail end of Apartheid influenced his leadership style and how he bootstrapped Thinkst Canary to success.

Episode Notes

Haroon Meer is the Founder of Thinkst Canary, a fast growing cybersecurity company that enables companies to put “honeypots” on their network to catch attackers in minutes. On today’s episode, Jon Sakoda speaks with Haroon Meer about how growing up during the tail end of Apartheid influenced his leadership style and how he bootstrapped Thinkst Canary to success.

  1. You Need to Build a Better Mousetrap [9:09 - 12:27] - After spending 10 years in consulting, Haroon was itching to start a product company. Many cybersecurity consultants need to learn how to incorporate highly opinionated customer feedback into their product design. Listen to his philosophy of shifting away from being the “expert” in the room and his humble approach when listening to customers.
  2. Find Ideas In Unexpected Places [13:05 - 16:29] - Haroon decided he wanted to build a product and told his colleagues he was shifting away from consulting. When one colleague kept asking for his services, Haroon realized he found a huge problem to solve and founded Thinkst Canary. Listen to learn how tapping into the need of friendly customers can be the inspiration for your next startup idea.
  3. Don’t Forget Who Pays the Bills [26:26 - 31:59] - When founders start raising VC funding, Haroon thinks it is easy to lose sight of the most important priorities. Some founders lose focus on making customers successful when trying to appease future investors. Listen to learn why bootstrapping your startup might be the best route in the beginning of a company’s journey.

Follow Jon Sakoda https://twitter.com/jonsakoda

Follow Haroon Meer https://twitter.com/haroonmeer

Follow Decibel https://twitter.com/DecibelVC

Episode Transcription

HAROON MEER: One of the things that I think people need to understand is that VC funding solves very few of the problems that you actually have early on.

JON SAKODA: Welcome to the Decibel podcast. I am excited to welcome Haroon Meer, founder and CEO of Thinkst Canary to the show. Haroon has been a great friend to Decibel, and he is one of the few founders who has bootstrapped himself to success. I know many founders are curious about what it takes to experience high growth without venture capital, and it’s great to have a chance to have him tell his unique story here on the show. Haroon, please say hi to everyone, and welcome to the podcast.

HAROON MEER: Hi, everybody. Super excited to be here.

JON SAKODA: Now, remind me, where are you these days?

HAROON MEER: I’m in Cape Town, South Africa.

JON SAKODA: I feel like the last time I saw you, were we at RSA together back in 2020? Is that the last time we saw each other?

HAROON MEER: Yeah. Back when humans could meet each other.

JON SAKODA: Oh, that’s awesome. And so, I did not know that you were out there listening to our podcast, so I was excited to see you on Twitter. I was excited that you enjoyed some of the shows. And I’m thrilled to have you on.

HAROON MEER: Oh, I’m a huge fan of the show. Like, I’ve learnt tons from it. I’m happy to be here. I’m super glad that you had me on.

JON SAKODA: The timing of this show is important. Many people know you in the cybersecurity industry, but most people don’t yet know your story. I think it is one of the great untold stories in bootstrap success. You are the founder of now a wildly successful company that has found a way to get to tens of millions of revenue, and has done so without raising any venture capital.

If it’s okay with you, I am very excited to get into all the details of your story, but could we start at the very beginning? Tell me a little bit about your life growing up and what eventually led you to finding computers and become a founder.

HAROON MEER: So, born in South Africa, and in Durban, which is like the lesser known coastal part of South Africa. So, you have Cape Town, which is super famous, and Johannesburg, which is the epicenter of commerce. And Durban is like kind of a sleepier version of it all. And I was born at the tail end of Apartheid, which was pretty cool. I got to see the end of Apartheid, and I got to see it without feeling too much of the brunt of Apartheid in a fairly political family. So, my family was pretty politically active, which was good, I think, because it made me more aware of stuff that was going on.

And I got to computing in standard eight. So, in high school, computer science became a subject in class, and I ended up being a pretty natural programmer. But for the most part, computers were still expensive, and we were pretty poor growing up. So, I did programming in school. But for the most part, our high schools were not really tailored to getting the best out of their students. And then I met the internet when I went to university. And one of the things that I always say I was super lucky for is

like, I got to university in like ‘94, which was around the time that Mosaic was out, Netscape was out. And so, one of the hidden benefits is, just as I hit university, the worldwide web as we know it was taking off. And one of the hidden benefits for that is that not too many people were doing it much longer than we were though. Even though I got to it late, it was a brand new thing, they just released the spec for putting tables in HTML. And so, you could have it at the same time Microsoft had it.

And so, I started at university. My first year was disastrous in computer science, because I played more pool than I attended lectures.

JON SAKODA: Now, take us back in time. I mean, because I think maybe you and I are now dating ourselves.

HAROON MEER: Sure.

JON SAKODA: We maybe both discovered the internet in college both around the same time. But I believe, you know, Netscape was becoming the browser du jour, right?

HAROON MEER: Right.

JON SAKODA: They went public in ‘95. We all used Telnet. So, what was the language du jour back in ‘95 when you first started taking computer science?

HAROON MEER: Yeah. So, computer science, at that point, you were still learning Pascal or Object Pascal. And so, we did Pascal in school. And it’s actually kind of funny because after I had that disastrous first semester, I had to convince my parents that I wasn’t a complete write-off. And so, I took a job working at the university’s computer services division. And then I worked there for 10 years after that. And as a result, my studies were free. So, effectively, it paid for my university. But the other benefit is, it gave me this huge computing landscape to play with. So like, working at a university, you just get to run their Unix systems, and run their firewalls, and run their NetWare servers.

And so, I ended up being the Unix system administrator because nobody else was doing it. And at the same time, you were aware that the guys at the Loft were doing stuff. You’d read about stuff that Loft was doing. I think everyone else, you downloaded the Anarchist Cookbook because it was one of the first things you did on the internet. And so, there was this rising awareness of computer security and hacking as cool and fun things to do. And for the most part, I just had tons of systems that I could learn on without breaking into anything. And so, I got to have my curiosity satiated without going to jail.

JON SAKODA: You just mentioned that you grew up in the 1990s at the end of Apartheid in South Africa, and that your parents were very involved in politics. For those that may not be aware, South Africa was on the global stage and famously ended segregation at this time. Nelson Mandela was freed after 25 years in prison. It was a very prominent moment, very similar to the Black Lives Matter moment that we had in 2020 in a much different era. I’m curious, how did that experience ultimately shape you as a founder? How did it shape you as a leader, as a CEO? And what was it like to start a company in South Africa at that time?

HAROON MEER: Yeah. It’s a super good question. Certainly, growing up, we were super aware. So, the term’s abused nowadays, but of social justice and social inequality. And I’m not sure it affected my career choice, but it certainly affects how we run the company and how we deal with people, or try to

deal with people. And we could have easily left South Africa many times. So, we had lots of offers many times. And we were pretty determined from the start not to. And we were pretty aware of the responsibility we have to South Africa—that if everyone who can leaves, then it just becomes this massive drain. And instead, we always felt that if we could do it right, we could encourage people to stay and hopefully show people that you can stay and still do cool stuff in the world. And so, most of us are still pretty fiercely patriotic that way. And yeah, it’s probably why we’ve all stayed in South Africa as long as we have.

JON SAKODA: I suspect that starting a company in South Africa introduced very different values and principles than perhaps we see elsewhere in the world. Talk to me about your first sort of experience since Post. If I recall, this was your first company in the cybersecurity space.

HAROON MEER: So, I actually joined SensePost when they were—so, they started the company for under a year. And so, SensePost was saying, “Listen, we’re gonna be doing security assessments and penetration testing.” And in 2000, 2001, that was still pretty unusual. And at the time, in truth, I wasn’t looking to be an entrepreneur. I was looking to be the best security researcher I could. And what was interesting was, SensePost was tiny, and so we got a chance to grow. I was at SensePost for 10 years. I was their technical director. And we did tons of cool research and tons of cool talks. But fundamentally, it was a consulting business. And we had a few tries, like most consulting businesses, at building products, which we never got to escape velocity with. And we sold SensePost in 2007. And what I really wanted to do was build a product company next.

JON SAKODA: I was gonna say, when you think back on the SensePost journey, the company was bootstrapped, correct?

HAROON MEER: Yep. It was.

JON SAKODA: And you mentioned you were one of the first employees. How big was the company when you joined, and eventually, how big was it when you guys were acquired?

HAROON MEER: So, I was the sixth person when I joined. And when I left, there were 40. But I suspect now, there’s hundreds. It still exists as a company, and it’s part of Orange Cyberdefense.

JON SAKODA: Yeah. So, walk me through the journey after the acquisition of Sense Post, and then what eventually led you to Thinkst?

HAROON MEER: So, one of the regrets that I have about SensePost is that we didn’t get into building products sooner. And in a way, it’s almost because we didn’t really know we could. So, we started building products, but we were super slow with it. We built Remote Vulnerability Scanner, and we sold it to all of the banks in South Africa. But we never went after it the way Qualis went after theirs, or any of the other players went after theirs. And so, we’d always do like, here’s a cool idea. But largely, we made our money consulting, and so, we always fell back to consulting.

So, we were bought by a local South African company that was pretty cool. And the good thing about being bought was, I ended up with a little bit of money, and a good reputation and a good career. And so, you kind of leave with a bit of confidence that you can try something else, and it’ll probably work out.

JON SAKODA: Looking back, you mentioned that there was a difference between being a consulting company and being a product company. And in particular, if you’re talking to a founder today who has a consulting business, and he’s thinking about becoming a product company, what kind of advice would you give him or her?

HAROON MEER: There are so many people who have this, right? I think more people fail to make the jump than manage to make the jump. And there’s tons of reasons for it. When I started Thinkst, we made very deliberate decisions that said, well, we won’t have anyone do consulting, to pay the bills until this product takes off. And it’s—in some ways, having a successful consulting career makes that really hard, right? Because I stopped pen testing and security consulting right at the peak. I could command really good gigs, get really good money. And if you stop that to start working on a product, essentially, your opportunity cost is as high as it gets, because you could be earning all that money. And for a really long time, those two things were not equalized. For a really long time, you could’ve been making more doing the consulting than you would be building your product.

And so, that’s one of the things that make that jump really hard. So, something I mention to other people, one of the things that is a more subtle thing tied to the founder’s ego, when you’re consulting, specifically security consulting, you kind of get used to being, even if it’s false, to think you are the smartest person in the room, right? You walk into a security engagement, and nobody gets to tell you no, because here’s your CEO’s email. And whatever they say, you just own them.

And so, with consulting, it’s really easy—you get really used to being the authority. And so, the first time you build a product and want someone to buy it, the entry-level person who you’re selling to thinks that your button should be blue and not red. And you stand there and take it. And I think lots of founders or lots of consultants find it hard to make that jump, because your role in the recipient org changes. And I think that pinch is hard for lots of people to swallow.

JON SAKODA: SensePost eventually gets successfully acquired by Orange. You stay on for several years. The company grows and becomes even more successful. And then ultimately, you decide to leave and start another company. Let’s transition to the Thinkst Canary story. When did you know you wanted to do another startup?

HAROON MEER: Right. So, I wanted to build products but didn’t know what the product would be. And at the time, I didn’t want to take VC company. Well, at that point, I didn’t think I’d get VC money, but genuinely, I didn’t plan on it. I had some money. I was feeling confident. And so, what I said was, I’d do consulting for a few companies, but specifically in terms of saying, “Hey, I think you’ve got this problem. Let me build a product for you to solve this problem. And if I build it for you, I’m gonna sell it to other people.” So, that was the pitch that I made.

And so, at that point, Thinkst was just me. And there was a brief diversion that a friend of mine was working at Al Jazeera, the media organization. And Al Jazeera wanted to build their own WikiLeaks. And so, he reached out to me and said, “Hey, we’ve built something. Can you help check it out?” And I was like, “Hey, I’m really trying to start this product company. I don’t want to do consulting.” I checked it out as a favor to him, and it was terrible. WikiLeaks at the time had done all this work to anonymize stuff. They’re done thinking about it. And effectively, Jazeera was just saying, “Upload your documents here.” And so, I saw it and I said, “Listen. If you do this, you’re gonna get real people hurt. Here’s the problems with it.”

And so, that person, who was the head of the digital newsroom, said, “Look, can you come here and help us with it?” And so, I went there and speced out a new system, which was pretty cool. I was pretty proud of it. And so, I end up there, and literally, it’s the week that Egypt has the Egyptian Revolution. And the newsroom was absolutely electric. For people who don’t remember what happened at the time, the world wasn’t sure if the military would win or if the people would come out in force and fight for their freedom. And at the time, the talk was that if the cameras were not rolling, the military would have squashed that revolution.

And so, I happened to be sitting on there working on this drop box at the time. And all of this is happening. And it’s just super electric. It feels like there’s something important happening here. And I ended up building Jazeera’s security team. So, at the time, they had no security team. And so, I hired their CISO and hired people around them, and then said, “Okay, I’m moving out of here.” And interestingly, I stopped my official consulting with them, except I’d periodically check in. And at some point when I checked in with them, they had a bunch of interns. And I said to them, “Listen, you’ve got this massive global network, and you’ve got interns who you want to train. And you don’t know if you’re being hacked in your office in Lebanon or in your office in India. Why don’t you get these interns to build honeypots on all these old machines and drop them on your distributed networks? Because if one of them gets hacked, you now know that you’ve got a problem in that country.”

And I left them, came back a little while later and asked them if they’d done it, and they hadn’t. And that happened again. Came back and asked them, and they hadn’t. And what was very clear was that even though honeypots were a really good idea, they were just never getting around to doing it. And so, one of the thoughts that I had was, “Hey, there’s something here. If we can make honeypots that are really easy to deploy, with them in mind, even these people will do it, then there’s something there.” And that became the start of Canary.

JON SAKODA: For the people that don’t really understand how this works, describe what a honeypot is and why it’s hard to deploy honeypots scalably and to manage them.

HAROON MEER: Sure. So, at its simplest, a honeypot is—what you want it to be is a system that looks like one of the regular systems on the network, but isn’t. And the hope is that when an actor lands on this network, she is looking around for resources, looking around for systems to attack, and reaches out and touches this honeypot. And one of the good things about deploying honeypots that way is that becomes a really high quality signal of badness, because if you’ve got this system on your network, your valid users shouldn’t be talking to it. And so, if you put down this fake system with interesting files on it or interesting data on it, then it becomes reasonable bait. And not so much—bait in the sense that, oh, attackers crawl out of the woodwork looking for it.

But one of the things that most people don’t know, and something that we were aware of for years of penetration testing, is attackers in most cases run like bulls in china shops when they compromise a network. We did pen testing for 10 years. And in 10 years, we only discovered—I’m not making this up—I’d say twice before a report was ever handed in. So, you own the network. You’re a domain admin. You’re reading everyone’s mail. You’re transferring money. You’re booking first-class flights. And nobody knows until the report goes in three months later. And that’s still the case today. And it’s one of the things that most people don’t know about computer security. But you can see it when you look at headlines, and they tell you like, “Target hacker was on the network for three months before being discovered.” And that’s why having something that tells you earlier on in the hack, but with a

very high degree of fidelity, “Hey, listen, nobody should be talking to me, and someone just connected to me and copied these files.” It becomes a real winner if you can make it easy enough to deploy.

And what we wanted to do was different. We wanted honeypots not on the internet, but on the corporate network. And largely, these things would be silent, except for when someone connected to them and tried to use them. And then we’d send off that message. So, interestingly, with Canary, what we did is, we decided, okay, there’s a thing here. We should try it. And I pinged a few of our old consulting customers and a few friends in the industry, saying, “Hey, listen, I think this would be cool. If I made it, would you buy it?” And interestingly, not everyone said yes. The majority of the people said, “I can make my own honeypots. I don’t need you to make them for me.” I thought they were wrong. For that one, at that point, we didn’t listen.

And so, we made them. And the first actual physical funny parts that we made were janky, 3D-printed, hand-soldered. We made about a dozen of them and sent them off to some really good customers and some top-tier Silicon Valley unicorns, like friends who had I working there. And I said, “Listen, if we sold for this $5k, would you buy it?” And before using it, most people said no. And after using it, almost all of them said yes. At $5k, they’d buy it. And so we said, “Okay, there’s certainly a thing here.” And we started making it better.

And almost the Canary story from that point is just making Canary better. But we were really lucky, because we built version one. And it looked ugly, and the software was janky, but the people who used it got value in it for saying, “Hey, we can drop this, forget about it, and it works.” And then some of those people caught attackers on their network in the first few months and started telling other people about it. And I was always secretly worried that people were only buying the stuff because they liked me. I had a long career in InfoSec, and I was reasonably liked, or at least people said that to my face. And so, initially, that’s the worry, right? Are people just buying this because they like you?

And so then, after a while, you start selling to people who don’t know. I’d introduce myself to them, and they’d go like, “Yes, whatever. We don’t care. Just sell us the canaries.” And yeah, we grew from there.

JON SAKODA: So, you started to have a little success. Talk to me about the decision of how fast to grow. And a lot of people would say, “You should raise venture capital. You should try to scale this up and maybe build a big company.” But you chose a slightly different approach. So, walk me through that part of the journey, when you started to find product market fit. And how did you think about financing the company or growing it, and why did you choose the path that you took?

HAROON MEER: Yeah. So, when we started, when we launched Canary, there were five of us in the company. We built Canary. We had people paying for it from day one, so we announced it. At the time, I reached out to a bunch of tech reporters. And largely, that stuff was me starting to figure out how you do the tech press stuff. And fortunately, these days, there’s a lot of good content out there, right? Y Combinator’s been putting stuff out for years. Lots of the good VCs have been putting out podcasts like this. So, I think it’s a lot easier to be a founder these days in terms of knowledge. So, I’ve done my homework. And if you can reach out to the tech press, don’t just tell them, “Hey, here’s my thing.” They’re not there for product PR.

And so, I had worked with reporters previously when I was a security researcher. I had done stuff that was reported on. And so, I reached out to a few of them saying, “Hey, we’re this young South African

company. And everyone thinks that security is really hard and expensive. But we think it can be solved this way. And look, we’ve got these Silicon Valley unicorns that are using us.” And I thought it was a compelling story. And there was just crickets, right? Nobody responded. And then like two months later, somebody out of Y Combinator started a deception company. And they were covered all over. TechCrunch, everybody ran the story about how deception was going to solve cybersecurity. And that day, I was worried. And I pinged some of those reporters saying, “Hey, listen, I reached out to you two months ago with a story. Why didn’t you cover us, but you covered this person?” And I’ve still got the DMs where this reporter says, “Well, who funds you?” And I say, “Well, we’re not funded, but here’s our customers, A, B, C.” And the reporter says, “Look, we hear lots of stuff from lots of people. Like it or not, funding is a signal, and those people are funded and you’re not.”

And I remember that day going, “Well, if we’re gonna make it, we’re gonna have to go get funding. The way to do this is to go get funding.” And interestingly, one of the people I reached out to was Dug Song. And I said to Dug, “Hey, listen, I think I should get funding for this.” And Dug, who’s been amazing for lots of stuff—I’ve mentioned on other chats when talking about Dug, if I take all the advice that I’ve gotten from everyone in the world and the advice that I’ve gotten from Dug, Dug beats all of them. He’s always been amazing.

And so, Dug said, “Hey, listen. Make sure that’s actually what you want to do. You’ve got some paying customers. Check if that press is really worth anything.” And so, we didn’t raise at that point. We put our heads down and said, “Let’s keep making the product better. Let’s keep getting more customers. And what we saw shortly thereafter was that all of that press, which we thought mattered, really didn’t. And you started to see lots of those people really struggling to get a customer who’d say a nice thing about them. And at the same time, we were getting lots of customers, like going to Twitter to say, “Oh my god, just use this. This is amazing.”

We started to get people writing in to say, “I just got caught on a pen test by a Thinkst Canary.” And people would say nice things about us. And so, we started to become aware that actually, the VC backing hadn’t given those people that much of a head start. And it was super lucky, because at that point, I could’ve been convinced to take VC backing. I could’ve been told, “Hey, that’s the way to go, and you’re gonna lose without it.” But managing to weather that a little bit, as time went by, you started to get more confident, in part because the market was rewarding us. And yeah, shortly thereafter, lots of those companies didn’t make it.

So, I think there’s lots of possible good things that come with VC funding. But I also think there’s a bunch of things that are not great that come with VC funding. And with the company that we were building, we were able to start making money and growing the company before we incurred these massive costs.

JON SAKODA: Is there generalizable advice that you can give to people out there today about whether or not you should try to bootstrap your company to success or whether you should try to raise venture capital? Can you maybe uniquely provide a perspective on which kinds of founders or which kinds of companies should take with paths?

HAROON MEER: Yeah. So, I certainly have opinions. One of the things that I think people need to understand is that VC funding solves very few of the problems that you actually have early on. And it certainly introduces a bunch of new ones. And I think it becomes the default part for lots of people because it’s the part that’s most often spoken about or written about. One of the things I dislike about

the process of taking VC money is that you can very easily be distracted and forget who your main audience or your main stakeholder is. Because once you start the fundraising game, you have to look attractive for investors. And sure, one of the ways you can do it is by finding customers and making customers happy. But there’s a subtle inversion there that says, you’re making customers happy because it makes your investors happy. And we make customers happy because if not, we die.

Jason Fried and the 37 Signals folks, when they used to argue in favor of bootstrapping, used to say that making money is like a muscle. So, if you’re a bootstrapped company, on day one, you start exercising the “how do I make money” muscle. And if you are a VC-backed company on day one, you start exercising the “how do I spend money” muscle. And that’s probably the wrong exercise to be getting.

But yeah, so I think a crazy focus on making your customers happy is not the same as looking good to investors. And one of the problems is—and this goes down a deeper rabbit hole—I think VC money can particularly hurt InfoSec companies. And I’ll tell you why. If VC money goes into two social media companies, the concept holds that says both these folks have an idea. You give them money. You see which one has users. Those that have users, you keep putting money into it. The company that has the more users gets the money and wins. One of the problems in InfoSec is that people can’t tell good products from bad products. And in the absence of being able to tell a good product from a bad product, funding becomes a really strong signal.

And so, that sounds okay. But the problem you now have is that even if a company doesn’t have a particularly good product, if it’s got good funding, it won’t get users. And those users get funding for another round, which gets more salespeople, more marketing people—it gets more users. But fundamentally, the investors wouldn’t want to be investing in a company without a real product. But that’s what happens. And that’s why the market is filled with products that people buy, but everybody hates. And fundamentally, we end up almost in a form of market collapse. So yeah, I think VC money is dangerous for that in InfoSec.

I think there’s some positives that come with VC money to balance that. And some of the positives, I think, are less talked about than most people know. One of the odd ones, I’ve found from experience, is that when VCs back you, they kind of give you permission to act grown up. When we built Canary, and it’s just the five of us, you’re not the CEO of anything. It’s you and four engineers, and you built a thing. And it doesn’t matter that you’ve got 100 customers. You still feel really raw. But at the same time, if you had $2 million in seed funding from a good VC, that changes, and you’re grown up.

And like that, one of the things that funding rounds do is they kind of punctuate companies’ growth, which is necessary. You’re at Series A, there’s certain expectations; or you’ve hit Series B, you kind of expect some management changes. And when you’re bootstrapped, even if you’re doing really well and hitting those milestones, you have to kind of do that deliberately. You have to say, “Well, we’re a different company today. We’ve got more customers today. This has to change.” And some of those things are hard, right? There are some people who joined the company when everything is discussed around the table, and now you’ve got 1,000 customers, and some customers have different privacy requirements. And your company has to grow. And VCs give you governance, and there’s funding rounds, and all of that stuff that actually is necessary and helps grow. And I don’t think you can’t do it without it. You just have to be very deliberate about it to make some of that stuff happen.

And I think VCs help when you want to exit. They kind of enter you in the beauty contest of companies like this. Am I making products that customers love? And then there’s almost a parallel beauty contest that happens where people want to acquire you. And I think if you’re in that race, you’re much better off with a VC in your corner than without one.

JON SAKODA: Do you feel like the world has changed even in cybersecurity, where now the customers maybe don’t care as much about how much money you’ve raised and care more about what the products do? Or do you think that uniquely, this is just a challenge in the industry that is gonna take a very, very, very long time to fix?

HAROON MEER: I do think it’s changed. And I am super grateful. I think if you built a product 20 years ago, you could not get it to market without a team of salespeople who were doing the whole multiple discussions at an organization, and taking people out for dinner, and getting your product past purchasing. And I think the Slacks and the GitHubs and that type of motion that allowed companies to move to the point where senior engineers could swipe a credit card to buy the first few seeds of a product, I think it’s a massive difference.

So, Duo, Rumble, with us, with Thinkst Canary, that’s literally how we’re going. We’ve still just got one person in our sales team. And a year-and-a-half ago, we cleared $11 million in ARR. And we could never do that with a traditional sales model. It works because companies contact us, customers upsell themselves. And I’m super hopeful, because I think the new model is fundamentally more value- focused. I think companies are better off with this, because companies pay while they like you. And if you start sucking or stop delivering value, they’ll stop paying you for it. I think it certainly enables people to build companies without as big an investment as was previously necessary.

Previously, I think you had to do a lot before you could show actual paying customers you can now get there with pretty low Amazon fees, pretty low costs. So, no, I’m hopeful. I think there is a change, and I think it’s good for everyone.

JON SAKODA: I want to maybe transition and take a moment to talk about the lessons learned along the way. And maybe you’ve had a chance to reflect on all the success that you’ve had and what got you here, but also maybe some of the lessons to your younger self.

HAROON MEER: Yeah. It’s super interesting. So, one of the things that I do regret is not building a product company earlier in SensePost. If you take the normal trajectory or the normal part that I talk about, which says you go in, you learn, you get better, you get good at it, I think 10 years in a consulting services business, I think I could have done half of that. I think five years in would have been a reasonable time to break out. And at the time, I didn’t know enough to do it. And it’s not a deep regret, but I think we could have.

In terms of advice, I think for new founders, trusted peers is—it’s necessary because I think you need someone to speak to who’s kind of at your stage. And when it comes to trusted peers, there’s an interesting thing, which is, almost everyone is also winging it. There’s lots of people who can give you advice, but not everyone is necessarily insightful. And so, finding peers who’ve been there is important. But finding peers who’ve been there and are insightful is surprisingly rare. And because of a survivorship bias, it’s kind of easy to find someone who built a product and exited. But that doesn’t mean that they’ve got the insight that can be helpful to you. And I think people have to try to figure out how to find those people and get that advice.

And one of the other things, so it’s something we talk about a lot at Thinkst. And it’s really hand- wavey. But we’re really fortunate, because for lots of the things that we’ve need up doing as a company, it really fits us. So, there are very few things that I can think of where we’re doing it just because it looks good. And I see lots of young companies kind of approach it with a, “So, what’s this hack that you’ve used? Oh, you went on Twitter. Will you retweet this for me?” It’s like, yeah, I could, but that’s not how we got a Twitter following. I think that stuff is slightly the wrong way around.

And to go back to authenticity, I think it’s just as hard to fake it as to find the stuff that genuinely aligns with your company. And the last thing, the luckiest things that happened to us as a company were getting great people early on. And I think the investment in people pays off in a way that nothing else does.

JON SAKODA: You have been one of the few founders to bootstrap a high-growth, successful cybersecurity company. What is the future for Thinkst Canary? Do you imagine that this will be your life’s work and you’ll grow this company forever? Do you think that there’s a logical point where you might consider an exit? Talk to us about what comes next.

HAROON MEER: We kind of ignored the topic for a long time because we just had our heads down. But fairly recently, we’ve had to discuss it, because we had a pretty eye-watering offer. In terms of the product, we feel like there’s a lot still for us to do. We’ve got happy customers at the two-man law firm level and way up at the nation state level. So, with such a broad spectrum, we feel pretty convinced that Canary works for most people. And so, right now, we’re having a lot of fun. And I think we can build something meaningful and significant here. And we’re not allergic to money. And someday, for the right partner and the right opportunities, we’d consider other options. But right now, it feels like we’re on to something good here, and it’s kind of what we want to do.

JON SAKODA: Haroon, this was an amazing conversation. I know there were a lot of founders that needed to hear a lot of the unconventional wisdom that you shared, so thank you so much for being here.

HAROON MEER: It’s been great. If anybody wants, they can find me on Twitter at @haroonmeer with open DMs. Drop me a note, and I’ll be happy to chat.