Starting a startup is every geek’s dream. Admit it, we all want a “company” of our own. It’s like a brand we build for ourselves, just like every fashion designer dreams of their private label or every waiter dreams of his own restaurant.
Dreaming isn’t bad – without a dream, life isn’t worth living. But dreams have to be backed up with execution, and when we go to execute, we find out how naive that dream is.
The decision to shift to cybersecurity
Before BUGSKAN I was running a software development company with a small team of 5. However, I was always interested in security. In fact, I started my career by “cleaning” viruses from computers while I was still at college. I also used to manage servers on AWS and Azure for our customers, and I knew security would be the big thing in the next decade or so. Later, I moved to software development.
Running a software company was difficult then (and it is even more difficult at this moment, but more on this later), and honestly, I was getting bored. I wanted a new career. So, I created a poll titled “What do you think I am good at?” and messaged the link to about 20 people who had known me for the last 5-10 years. The most popular options were “Security” and “Teaching”. Since my financial calculation for running a training center did not turn out so well, I decided to go with Security – it was my passion and I was also pursuing my PhD in this area.
I had previous experience
In 2015, when I was going through this process, I was actually working at a Deep-Tech startup as a CTO and the pay was good. But the CEO/Founder was a brute. He was a bachelor and used to eat-sleep-whatever in the office. I was “just married” and I needed family time. Plus, we had creative differences. At one point during an investor meeting, the investor asked when they would see ROI or even any revenue. We were building something related to storage performance optimization and the code was supposed to be done in native C/C++, but I had no clue how to get it working (in fact it still isn’t working), so I suggested that while we figure out our main product, we could start selling “optimized VPS” and get revenue coming in.
The investor was okay with it but the CEO was not. And that created a gap between him and me. I rarely received any credit for the suggestions I made, even if they were actually implemented. One day the CEO asked me for a 1-1 and said I was too slow for the company. At that point, I knew I had to quit.
During this short stint, I learned about product planning, management, investor relations, and many other concepts which I may have never learned in my software development consultancy.
The return to consulting
Just when I had left the previous company, one of my friends, who was by then the CTO of a US-based product company, had a security incident. I reached out to him, offered some help, and did a basic security audit for free. The next thing I remember is signing an NDA and a contract with the company for a security audit. I was ready to roll! I loved talking to their developers since I was one of them, and my knowledge of security made me a great combo. At that time, I was also watching Mr. Robot. The company in Mr. Robot was “All Safe Systems” and I was really inspired by the operations of the company.
I took that as an inspiration and, borrowing branding concepts from my customer, I registered “bugskan.com”.
Soon, I started taking “Dev Sec” sessions (DevSecOps was not a thing yet) and enjoyed the attention I received. But there was a problem – the US office of my first client stopped renewing my contract. I got to know that “periodic audits are expensive”. The fact was, they were growing rapidly and their list of endpoints was growing with them, so they needed a “fixed-price annual contract”.
I looked at the problem – the entire security audit industry worked on “man-hour” pricing, which was retrospectively priced to suit the customer’s budget. This made security audits unaffordable for small companies.
I decided to put an end to this – a Security-as-a-service platform with fixed monthly cost per application. That’s what BUGSKAN was going to be!
The launch
We created the first version and launched it online. Our platform allowed website owners to scan their web applications for security vulnerabilities. The basic free report checked for OWASP Top 10 vulnerabilities and a deep scan required paid service. At that time, I was competing with Tinfoil Security, Detectify, and so on.
The project was selected as a case study for using open-source technologies on Azure and I was invited to showcase the same at Microsoft Openness Days, Hyderabad. I got feedback from senior tech architects and developers who were also facing similar problems in their daily routines. I was excited – finally, I had the product market fit, I thought.
At one point, we had about 30 free scans a day. Despite that, we were not seeing any takers for the paid product, and the company was surviving on my consulting revenue alone.
The Pivot
I was frantically looking for insights, and for a platform without much user interaction, that meant I needed to reach out to my users personally instead of relying on an analytics script. One of the users was Mahendra Sharma, CTO of Matrubharti – India’s largest ebook platform. After training their development team I was sitting with Mahendra Sharma and he told me the golden words:
You send us a report but our developers will never fix each bug. I want something automatic that I can control
This got my head spinning and I went to the whiteboard AGAIN. This was December 2016, almost a year after I started BUGSKAN. If we are doing something and not getting results, we are doing something wrong, I thought. I remembered my research on ModSecurity in 2011 while I was teaching – ModSecurity has something called “Virtual Patching” that allows a quick fix for a vulnerability at the WAF layer, without touching the application code.
A virtual patch is not a solution; it is just a bandage to stop the infection while the wound is healing. But it happens at the click of a button, so this seemed a perfect addition to our arsenal.
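What a virtual patch looks like in practice, as an added illustration that is not from the original post and not BUGSKAN’s or BUGSHIELD’s own code: the scenario (a scanner reporting SQL injection in the “id” parameter of /product.php) and the rule ids are hypothetical. The ModSecurity rule below does nothing to the application itself; it only constrains the vulnerable input at the WAF until the developers ship a real fix, which is exactly the “bandage while the wound heals” trade-off described above.

```apache
# Added example (not from the original post). Hypothetical scenario: a scan
# reported SQL injection via the "id" parameter of /product.php. Until the
# application code is fixed, reject any request where "id" is not a short
# positive integer. Rule ids in the 900100+ range are placeholders.

# Step 1 (detection only): log matches but let traffic through, so the team can
# confirm the patch does not break legitimate use. "pass" is the key action here.
SecRule REQUEST_FILENAME "@streq /product.php" \
    "id:900100,phase:2,pass,log,chain,\
     msg:'VP candidate: product.php id not numeric'"
    SecRule ARGS:id "!@rx ^[0-9]{1,10}$"

# Step 2 (enforcement): once the log shows only malicious hits, swap "pass" for
# "deny". The chained rule is evaluated only when the first rule matched, and
# the disruptive action lives on the first rule of the chain.
SecRule REQUEST_FILENAME "@streq /product.php" \
    "id:900101,phase:2,deny,status:403,log,chain,\
     msg:'Virtual patch: product.php id must be numeric'"
    SecRule ARGS:id "!@rx ^[0-9]{1,10}$"

# Remove the patch (or let it expire) once the real code fix is deployed;
# a virtual patch that outlives the vulnerability is just unexplained blocking.
```

In a real deployment only one of the two rules would be active at a time: the detection-mode rule first, then the denying rule, and then neither once the application is fixed. That staged control over a single rule is the “something automatic that I can control” the customer asked for, as opposed to a report listing bugs that may never be fixed in code.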
So we registered the bugshield.io domain and started working on a WAF-as-a-service platform with vulnerability scanning and automatic virtual patching. This meant more time in research and development. It also meant less time for consulting.
In all, this pivot turned out to be really expensive… but how? I will share in the next part. Thanks for reading!