In 2007 Marc Andreessen, co-founder of Netscape as well as the VC firm Andreessen Horowitz, published a blog article titled “The only thing that matters”. You can still read it today. It is considered to be the driver that pushed the concept of Product-Market Fit into the spotlight for tech startups.
The idea of Product-Market Fit was originally coined by Andy Rachleff, a VC and startup CEO, who Andreessen quotes in his article:
Rachleff’s Corollary of Startup Success:
The only thing that matters is getting to product/market fit.
Rachleff started out in VC when tech startups were hardware focused – making a disk that was 10x faster or a router with 1/10 the latency. The challenge for hardware startups was always could they actually build the hardware that delivered the numbers they were promising. If they did, customers would throw money at them. These hardware startups had a high technical risk, but a very low market risk. A 10x improvement in anything would sell itself.
With the rise of the internet, software companies began to dominate the startup scene, but they had the opposite problems of hardware startups – very low technical risk and very high market risk. A software startup, and their investors, could have high confidence that they would be able to deliver the product – it was just coding, not wrestling with physics or manufacturing – but no way to be sure if anyone would buy it.
This had an interesting effect on startup investment, splitting the market into seed investors who were willing to shoulder the risk to help startups launch and, once their market was proven, traditional venture capital who would pay a premium to buy-in at later rounds.
So, product/market fit is important, it’s valuable, and it’s essential if a startup wants to grow into a unicorn.
So what is Product-Market Fit? Isn’t it obvious?
Product/Market Fit sounds a lot like making sure a product is right for a market. That it “fits”. And it seems obvious. This gives too much emphasis on the market and misses that Product-Market Fit is a two piece puzzle for the startup. It needs both pieces.
The market needs to also fit the product. It needs to want the product. It needs to want the product badly enough to pay a good price for the product. And it needs to be big enough to buy lots of the product. You can’t build a business on a great product that everyone in the market wants and loves if the market has only a handful of customers.
Perhaps it should really be Product & Market Fit.
Exploring Product-Market Fit with Vanta
To explore Product-Market Fit we’re going to look at the example of Vanta, a certification compliance tool provider, and their journey to product-market fit and how, in creating their product, they created a market everyone else had overlooked or underestimated.
Vanta helps businesses achieve and maintain certification for a variety of standards. Initially they focused on SOC 2, a US-centric standard but often held by non-US companies who want to do business with US organisations. They have since expanded into ISO27001, HIPAA, GDPR and other certifications.
They use a subscription-based model, and given the importance of certification and the huge amount of time it takes to obtain, monitor and maintain it, they can charge 4,5, and even 6 figure annual subscription fees depending on the size of the client and the certifications they require. And the clients are happy to pay them because they understand how much money Vanta is saving them.
So Vanta is in a nice spot (ignoring competition for the moment). But it took a while to get there. The founder and CEO, Christina Cacioppo, persisted through 4 major stages of product experience over the 5 years it took for her to go from starting to create products to finding and developing the idea that would lead to Vanta.
The first steps on the road to Vanta
Cacioppo got her start working as an analyst for Union Square Ventures in New York, where she spent her time evaluating companies seeking investment and meeting with their founders.
Regular meetings with founders through her role gave her the confidence to start her own company:
“I got to the point where I said, ‘I do want to go start a company.’ But I wanted it to be a software company, and I didn’t know how to code. And I knew a lot of non-programmers started companies, but I didn’t want to go that route. So I resigned, took my bonus and taught myself to code and build products,” she says.
The products she built were not successful. They included a book tracking website, a video messaging app for Android and a startup job board. While none of her ideas grew into sustainable businesses, they did teach her that she needed product development experience. So for the next stage in the Vanta product path she joined Dropbox in 2014 and worked for two years as a product manager on their Paper product.
First glimpses of the future market
It was here that she got her first exposure to security and compliance. As a product manager on Paper, she wanted Dropbox to push it to new accounts when they signed up for Dropbox’s file sharing service. Dropbox’s legal department shut that down, telling her that Dropbox was SOC 2 compliant and Paper wasn’t, bundling Paper would invalidate contracts requiring compliance, and that it would take 18 months to make Paper SOC 2 compliant. For Cacioppo that was the end of bundling Paper with Dropbox.
In 2016, after two years at Dropbox, Cacioppo left to try again at starting her own company. Following trends at the time – speech was big, Amazon Alexa was exciting – she pursued several product ideas.
Finding a Product without a Market
First was an AWS drop shipping solution for e-commerce merchants. Next was an AI tool for transcribing meetings. Another was a microphone that transcribed notes into Slack. Part of the problem was that speech-to-text AI wasn’t really there yet, and the other was that these products were generic “business tools” that no-one really wanted..
She then took a step back and tried to find a use case for the speech tech they had spent so much time with. She found that use case in biologists doing lab work.
“They’re doing things with their hands, they have gloves, they’re working with chemicals. Imagine trying to type out notes while you’re cooking a complicated meal,” Cacioppo explains.
The biologists loved the microphone and iPad app Cacioppo and her team built for them. She had product fit. But there was a problem – “…the market for this was the size of my thumb…,” Cacioppo explains.
There was no market fit. She had a great product, but not one that a sustainable business could be built around.
Trying again – Lean Startup style
At this point Cacioppa and her team stopped relying on brainstorming product ideas and took a leaf from the Lean Startup playbook and began a process of customer discovery.
“We decided we weren’t allowed to build anything at all. We had to just talk to people—and talk to them until we had a lot of confidence and a mental model of customers, their jobs, the problems they might have and how we might solve them.”
This is where Caciopppo’s time at Union Square Ventures and Dropbox paid dividends. She had a network of potential customers she could talk to, including coworkers who themselves had moved onto to found their own startups.
But when you talk to your potential customers, who can have widely different experiences, how do you know when you understand their common problem well enough to start building?
Her team had a nice heuristic for making this call – “…we decided we had to keep having these conversations until three-quarters of it was stuff we already knew”.
By sitting down with people and doing basic things like talking through their calendar with them – the highlights and the challenges – it did not take long to stumble onto security as an area of interest, and compliance as a challenge within that area.
Finding a Market and deciding on a Product
It did help that Cacioppo was aware of how many large security businesses there were. It wasn’t just a large market, it was enormous.
Drawing on her own difficulties with compliance working on Paper at Dropbox, Cacioppo and her co-founder at the time decided to focus on SOC 2 compliance.
SOC 2 ensures service providers handle their clients’ data securely and responsibly. It is detailed and covers security, integrity, availability, privacy and confidentiality of data. Which also covers just about every process in a business. They all touch data to deliver their services.
Doing things that don’t scale
An established strategy for founders early in their product ideation is to do things that don’t scale. One day their SaaS will be a software driven unicorn, but today, at the beginning, they need to do things manually, in person, to validate their product with their first customers. It’s hard work and people are reluctant to try it. Cacioppo wasn’t.
The first version of Vanta wasn’t even software. It was a consultation and a spreadsheet. Caciooppo interviewed the team at a startup called Segment and produced a gap assessment in spreadsheet form that they could use to guide Segment’s SOC 2 compliance.
Their next step was to ask the question, “Would this spreadsheet work as-is for anyone else?”. That is, was SOC 2 compliance standardisable? Could they productise it? And the answer, after the same spreadsheet was well-received by a second startup, was “Yes”.
Productising SOC 2 compliance
So, like many startups of the era, Vanta took a spreadsheet and built an SaaS around it. But initially there wasn’t much Software in their Service. There were forms where customers could enter AWS credentials, but behind the scenes Vanta employees, often Cacioppo in the early days, would pull the data by hand and enter it manually before returning the report to the customer. They told these early customers that their software “was slow”.
From that manual start they continued to build out the software to automate and integrate the compliance process with customers’ operations.
At this time Vanta was accepted into the Y Combinator startup accelerator program. This gave them access to hundreds of other startups who became a source of customers.
Creating the market
SOC 2 compliance is all about proving that you have all the necessary security controls and procedures in place to protect client data. Achieving compliance is time consuming and expensive. More so if you need to pay a consultant to guide you through the process.
By productising the SOC 2 compliance process – creating a user-friendly interface to the numerous checklists, developing integrations to third party service providers, providing progress tracking and team features like collaboration and task assignment – Vanta took a time-consuming process that required expertise and a huge amount of domain knowledge and reduced it to the point where it was almost a data entry task. And that task could be shared across an organisation instead of having one person, or a small team, devoted full time to carrying it out.
The outcome of this was an increase in the number of businesses achieving SOC 2 certification. And as a startup, why wouldn’t you? It was required for some industries, like financial services and healthcare, and it was required by enterprise clients who saw it as part of securing their supply chain. It made your business look good and at the same time increased your own security by forcing the adoption of best practices across all of your processes.
Those businesses achieving SOC 2 compliance were doing it through Vanta. Between their initial seed round with Y Combinator in 2018 for $3,000,000, when they had a handful of clients, and their series A round in May 2021, Vanta had grown to 1000+ customers and ARR of $10,000,000.
These numbers, along with their $50,000,000 Series A round at a pre-money valuation of $500,000,000, raised a lot of eyebrows and inspired competitors to jump into the market, including:
- Drata (a security and compliance automation platform),
- Kintent: (helps pass audits, manage risk, and complete security reviews),
- Secureframe (an automated security, privacy, and compliance platform),
- Ethyca (sensitive data monitoring, reporting, and analytics), and
- Soveren (detects unapproved or unlawful collection, usage, and sharing of sensitive data).
Despite the competition, the market continues to grow and Vanta grows with it. Vanta now has over 5,000 customers and their current valuation stands at $1.6 billion, a true unicorn in a market they helped create.
Lessons to learn from Vanta
A story like Vanta is great because we get to see the missteps and the delays, allowing us to skip straight to what works.
What works is customer discovery, validation, and having a network.
Customer discovery works. Talking to potential customers, as many as you can. Listening to them and understanding their problems and finding the commonalities that can point towards a product.
But customer discovery may not be straightforward. Cacioppo had distinct advantages when she started the process. Her time at Union Square Ventures gave her an insider’s knowledge of how venture capital and startups worked. Not just the process, but as an analyst she would have had access to information on business structures and budgets, etc. And she came away with the beginnings of a success-focused network.
Her time at Dropbox helped expand her network and gave her not just practical product experience, but also firsthand experience at the challenges businesses face as they execute. For her, it was the challenge of compliance.
Finally, validating your product works. Validating your product idea in the quickest and most immediate way possible, even if it is manual and hard to do. Better a week of long hours over the keyboard rather than months of coding to discover no-one cares.
Shorten that path
There is no predictable path from idea to unicorn, but hopefully this article pointed the way to shortening your path.
The lessons might save you a few years of development on your next product. Or you might now be thinking it’s time to get a job and build up experience and contacts in the industry you’re interested in. That could also save you a few years in the long run as you search for the perfect product.