Episode No. 9
Securing the 99% with Kyle Hanslovan
Kyle Hanslovan is the CEO and Co-Founder of Huntress Labs and has over 20 years of cybersecurity experience in the U.S. Intelligence Community and tech industry.
Kyle learned to build a successful business by being coachable and establishing a feedback loop to push past failures and make progress. He candidly shares difficult lessons learned along the way. His insights are invaluable for entrepreneurs and cybersecurity leaders alike.
“Team matters. Do whatever you can to bring in ‘A’ players at the right time, be transparent, and set them up for success. Have achievable goals that keep morale high and go from one goal to the next, have good entrepreneurs giving you feedback, and be coachable. If you are not going to level up, you will have to level out as a founder.”Kyle Hanslovan
About Kyle Hanslovan
Kyle Hanslovan has over 20 years of cybersecurity experience across public and private sectors. He began his career supporting offensive and defensive cyber operations as a counterintelligence expert in the U.S. Intelligence Community for the Air Force. He also served as a cyber warfare operator under the NSA for the Maryland Air National Guard.
As CEO and Co-Founder of Huntress Labs, Kyle has grown the company to protect over 100,000 businesses and 2.3 million endpoints as a leading Managed Security Platform for the 99%- SMBs (small and mid-sized businesses). Huntress has successfully raised over $160 million in funding and now has more than 300 employees and 4,000 channel partners.
Kyle has been recognized in Baltimore Business Journal’s 40 under 40 and is a former winner of Def Con’s CTF competition.
Ernie Bio [EB]
Welcome to the Forgecast. I’m your host Ernie Bio. I’m pleased to have with me my good friend co-founder and CEO of Huntress Labs, Kyle Hanslovan. Kyle, welcome.
Kyle Hanslovan [KH]
I appreciate you having me.
0:41 Kyle’s Background in U.S. Intelligence
For those who don’t know, Kyle spent a decent amount of time in the U.S. Air Force, in the Air National Guard, and within the intelligence community doing both defensive and offensive cyber operations. Then one day eight or nine years ago he decided he was going to start a company. And here we are today. Why don’t we jump right in? I have a lot of questions. We have a lot to talk about here. Kyle let’s start from that 17-year-old kid enlisting in the Air Force. What was going through your mind and how did that transition into being a cyber operator?
Yeah, don’t pick on me too hard, Ernie. I had opportunities- I did Navy Junior ROTC, I had plans and expectations to go to the Naval Academy. Then on my 17th birthday, I was like, I am getting in way too much trouble. I just need to get out of Dodge. I enlisted and ended up in the Air Force. If you think about that timeframe of the early, early 2000s, the word cyber was like something you did in a chat room, kind of dirty. It definitely didn’t mean what it means now. But what was nice is that coming in right at that cusp, my initial jobs got to build on some of the early AOL hacking skills that I had and pivoted into some of the very first cyber warfare operations on the Air Force side. It’s kind of like right place, right time.
Excellent. Once you were deep into your career as an offensive operator, what was it like? There’s this mystique you see in movies and everything. Describe to the audience what it was like essentially being a nation-state hacker. Was it a glamorous job or were you in a dark room by yourself with five screens in front of you?
What’s funny about this is all the Hollywood stuff that makes it so sexy and so quick is about the exact opposite of what it’s like to actually sit at the nation-state level. You’re in a room. It’s a SCIF- for those people who have never been in the classified world, that means Secure Compartmented Information Facility. Another way to say it is no phones, no digital watches, no access to all the fun things that make you good. We might have had three or four monitors at any one time, but it’s kind of a lonely job. Most of that time is just mastering the basics- learning how to get into systems quickly and efficiently, learning how to clean up behind you. Most importantly, maybe the biggest thing I pulled away from my time supporting offense was that your job depended on delivering valuable outcomes. What I mean by that is if you messed up your job in the counterterrorism world, you could have somebody that loses their life. In the foreign intelligence world, if you didn’t get our congressmen or women the actual intel they needed, we weren’t able to make the big national security decisions we needed to play at the world stage. For me, that was one of those things that I realize only now looking back to eight years ago- all of that work and the expectation of delivering valuable outcomes was paving the way for future success.
4:05 Insights on Dispersed Teams and Remote Work
Interesting. On that same note, we both have similar overlap in our networks. When we were looking to invest in Huntress, one of the things I heard from former commanders and colleagues of yours was that you demonstrated leadership early on. As an airman, you had teams dispersed around the world- remote, if you will. How did those leadership lessons and abilities translate into being an entrepreneur?
It turns out that since you have to work in small, compartmented teams that are geographically separated- that’s how most of NSA operations worked at that time- you really have to be a master in your role. You have to truly be able to own that role. It also taught you to work asynchronously, meaning you didn’t all have to be on the clock, or on the webcam or VTC (video teleconference) at the same time. Oddly enough, back in 2015 when we founded the company, I remember when we started to meet each other a couple of years later and I mentioned our team was fully remote. We didn’t all work in one office, and we were geographically separated before COVID happened. It gave us a leg up by being able to hire the top talent, not just the talent that’s in your local area. It had extra complexities- we pay taxes in 40-plus states now. But I would say that single small difference of learning to work asynchronously with experts helped set us on a trajectory to quickly go where most startups don’t get to.
It’s interesting because when we invested, you had 19 people fully remote. That was an outlier for startups. We closed the Series A at RSA Conference in February 2020 and we went into lockdown two weeks later- and all of a sudden everyone was remote. You guys were just thinking well ahead of the game. At this point you have 300 people plus. There’s one public company I know that’s still fully remote- GitLab- that has over 2,000. For you, what are some of the challenges of being fully remote? You mentioned some of the pros just now. Do you see Huntress staying fully remote in the future?
You nailed it. We were ahead of the curve before COVID. I remember one of the Series A term sheets- I won’t say the fund- where I remember them saying if we didn’t headquarter in Baltimore and centralize everybody there wouldn’t be a term sheet opportunity for us. Post-COVID I did a polite call follow-up and just said “Hey, what are your thoughts on remote work?” Obviously, we both got a good laugh out of it. None of us could have seen this coming.
But you’re right, it’s not all gravy. To be honest, you have to be very, very deliberate if you decide to work fully remote. What I mean by that is I personally believe you can have fully in the office or fully remote. I see breakdowns happen when someone loses their identity and tries to do a hybrid model. If you’re predominantly physical, the people in the office get all the water cooler talk, etcetera. And the opposite- if you’re predominantly remote, you sometimes leave out people- you’re not communicating to everybody. Sometimes the people that are on site can get left out. For us, there is no headquarters. We might have a place where we store hardware and have mail sent. But that’s given us both some really hard lessons to learn. We weren’t always this deliberate. Your physical location is the virtual world. For us, communicating efficiently with Zoom and Slack is really important. As I alluded to it earlier, even just for sales tax purposes, having 40 different nexuses where you have to do independent sales tax- it’s not for the faint of heart. So, while many people say you’re benefiting because you don’t have an office to pay for, we have to take every dime that we would spend on somebody in the office and reinvest it into purposeful gatherings to all bring us together a couple of times a year, and also to pay for the extra overhead that comes with being in so many different states.
8:59 Co-Founding Huntress to Protect SMBs
Yeah, absolutely. So, there are probably folks listening who are currently serving in the government- whether it’s DOD, the intelligence community, you name it- and who are veterans that have left the military and are trying to decide what to do. What made you leave that world and jump right into founding a cybersecurity startup from t0?
There’s probably some level of foolishness- I wanted to do better and I might not have realized how hard it was going to be. Scaling was my number one goal. I thought I could make a bigger difference. I had played with services work, contracting back to the government one body at a time. But I wanted to make global change.
For us it was all about protecting most of the companies that are ignored. Think about those small and mid-sized businesses that will never be considered a Fortune 500. They’re probably not even Fortune 5000. If I was going to reach that many businesses- 30 million plus in the US alone- I was going to have to use software. I was going to have to build a SaaS model. That’s very different than the one-off model in government. But one thing I learned at NSA was how very small, compartmented teams can leverage tons of automation to deliver valuable freaking outcomes. Those three things together got me over the hurdle. I realized if I could find a niche that had a need and was willing to pay for it, we could build automation- all my expertise canned in software- and we had a real opportunity. That’s eight years plus in the making now and we’re still figuring out how to do it better.
Talk more about the problem you were initially solving and how you’re solving it now.
Thinking about those early days, my mom has always been my biggest champion. She is one of those moms that would be there supporting me no matter what. But she was kind of disappointed after I just had this great career at NSA. I had spent 13 plus years on that side of the offensive mission, and she was like “Wait, you could be supporting Fortune 10 businesses. Kyle. We won the World Series of Hacking. Why are you doing that?” My mom is a small business owner and thought her type of business wasn’t important enough. I had to remind her about Walmart: Walmart doesn’t serve the biggest companies in the world, but they are the Fortune 1. They’re the biggest company in the Fortune 500 because they understand that if you support the small businesses, there’s a lot of need there and also a lot of opportunity to build a company of consequence.
As I was telling my mom about this, I was having to explain to her not only the need and opportunity, but also that I had to figure out crazy hard things. I’m a hacker, I write code, I spent all my time at NSA. I didn’t know go-to-market. I didn’t know sales. The hardest hurdles for me weren’t actually technical ones and building software. They were things like if I’m going to go after this market that nobody else felt was important enough, how do I get to them? That’s where you have to put your technical hat down sometimes and think through go-to-market. You heard my earliest pitches- they weren’t as crisp as they are now, but I knew I had to have some method to go from one of me at Huntress to many of these small businesses in between, and our go-to-market used channel partners. I know that’s not the sexy thing that most technical founders want to talk about. But you could build the sexiest, coolest cybersecurity tech and if you can’t bring it to your target audience, you’re never going to make the difference you want. Of all the things in the beginning, figuring out go-to-market was the most challenging for me, especially to convince partners. That’s one thing that you guys at Forgepoint did, you understood that we were doing something different, and you understood the potential. If I could give advice to anybody who listens to this, it’s that when they find a partner, especially a capital partner, make sure they have belief in you and your vision. I’m not saying it has to be blind faith, but belief is what separates capital and a true partner. You guys brought that and that’s why we chose you.
We appreciate that. When you go back to the founding, I always think having the right co-founders is super important. You don’t want three Kyles or four Kyles. You want a mix. With you, Chris, and John, how did you think about that? What’s the right number? What’s the right background, technical mix, et cetera?
I have a handful of startup books in front of me for convenience. One of them is Start with Why. Another one is Good Strategy Bad Strategy. If you get a little bit later High Growth Handbook is pretty neat too. All three of these books say the single most important thing you do is the team that you build. The advice I want to give potential founders is that early on you don’t realize how much your founding team is going to matter. For instance, John, Chris and I had all worked with each other at NSA, but it’s only in the last year that we started realizing why we complemented each other. I’m going to give very specific examples. I was learning to talk a little bit better than most technical founders. So was Chris, because we were both teaching hacking classes at Blackhat. I knew to be a CEO, I would have to present and be articulate like on this podcast. What I didn’t know is there’s different levels of technical presentations. For instance, having Chris as my CTO who could talk at the technical level to rally engineers. The way that technical people want to be motivated is very different than me having to learn how to speak financial acumen and articulating how metrics and KPIs matter. That is something where we went seven years not realizing how we were complementing each other.
There are also other personality differences. I am by default almost overly optimistic. Chris rotates heavier on the pessimism side. John is just methodical and takes his time before he forms any opinions. By me being blindly optimistic and chasing all the reasons why we can win, Chris focusing on what could take us down, and John who can be a tiebreaker help figure things out- three was the right dynamic. I think that there are some ways that you could do it with two, but I sometimes reach entrepreneurs say they’re going to solo found something and that could be the biggest mistake anybody would make. Technical skills, business skills, sales skills- all of those have to be represented by your founding team. Then, more important as you scale, you have to hand these off to your new leaders. Most founders I meet are unprepared to have all the skills they need just as founders. I think if people spent more time really thinking that through, they would have better chances of succeeding. We largely got lucky.
17:28 Raising Capital as a Silicon Valley Outsider
That’s great advice. When you think back to raising your early rounds- go back to Seed and Series A- what are some of the trials and tribulations the founding team went through? You were a security company out of Maryland with no Silicon Valley presence. A lot has been democratized with talent and capital, but pre-2019 it was a little different. You guys had a little bit of an uphill battle- you weren’t out here in Silicon Valley. Talk about some of those trials and tribulations and how you overcame to raise somewhere around 160 million in aggregate.
Yeah, if you throw venture debt on there, it’s probably a little bit more. The audience listening to the audio version of this wouldn’t know, but I’ve been head-nodding throughout Ernie’s entire comment. The experience was similar to how a lot of times you don’t realize what you’re getting for free when you have biases or privilege. For instance, I thought that starting a company in Maryland, which I felt was the cybersecurity capital of the U.S. with NSA, Cyber Command, DISA, and CISA there- there’s just talent everywhere- was going to have a very clear story because cybersecurity was already hot in the enterprise and Silicon Valley. I didn’t realize the impact of not speaking with the same twang, accent, or jargon. I didn’t realize that sometimes in the early days I was pitching things that sounded so much like services that I was turning people off. Even though I meant I was going to create a recurring revenue model that was predominantly built on very high margin, repeatable technology with a little bit of human services. Because I used the wrong language, especially the further out of Maryland I got and the closer I got to Silicon Valley, a lot of times I was turning people off. That’s my fault. That’s not Silicon Valley’s fault or anybody else’s.
I also didn’t think about that since all of the founders came from government services and NSA, that if I didn’t round out my team sometimes I was projecting a group of founders that didn’t have the knowledge in SaaS. Again, my fault for not presenting to match the patterns that a lot of investors use. Being in Maryland was an uphill battle.
Going after the SMB in 2019 was not sexy. The biggest businesses in the world tend to be built in the Fortune 100 or very, very large B2C businesses- think of Uber, Airbnb, selling an iPhone from Apple B2C style. I wasn’t either of those. The three of us were services government founders who happened to be outside of Silicon Valley, didn’t speak the right words, and were going after the SMB through channel partners- it was not a winning story. Sometimes you need somebody to slap you around and say your story doesn’t make sense- it’s one of the hardest lessons learned. I probably failed raising seed rounds and Series A, and 30 to 40% of my conversations were just absolutely terrible because I did not realize I wasn’t speaking the right jargon. It was a terribly hard lesson to learn as a technically competent founder that meant all these things, but I just wasn’t saying it right.
I was on the other side of the table. By the time we talked, I think you had smoothed out the vision and the talking points. When I think of startups, there are humans involved. You’re creating something out of nothing and it’s an emotional roller coaster. You have some days- think back to Year 1 and 2- when you’re on top of the world, and other days you’re saying you should probably just go back to the NSA or do something else. Talk about some of the early milestones where you, Chris, and John realized you were gaining traction, and your vision was actually becoming reality.
I can think of two real cases that are very different than each other. I’m a technical founder so I’m going to start with the technical one. I didn’t realize how much sex appeal came with coming from places with mystique. A lot of Israeli technical founders talk about Unit 8200. A lot of US founders drop NSA, Cyber Command, and CIA just as often. That’s great, but remember even janitors get employed at NSA, so that doesn’t guarantee you success. What I didn’t realize is I needed a place to show my product worked. So, when we were early, way before we had ever started charging, I took a very, very pre-MVP version of our product and was able to use my NSA connections to test my software at the largest offensive cybersecurity exercise- this cyber flag exercise. I got to test my software across hundreds of systems. What was neat is at the end of this, I got the feedback loop and was aware of 36 computers that were compromised out of hundreds. They came back and originally said “You have 36 of 36” and I think the number even grew to 63 of 63. That validation was real and tangible- I had emails, I had examples of people saying like how we truly found something that everybody else missed. I was able to get past my terrible pitch and into actually showing proof. I could say I went to an NSA exercise where the world’s greatest hackers went against the world’s greatest defense, and I got to play on both sides. My technology that was tested here found 36 of 36 at the time, and that was real. People listened because they knew there was something there. If I didn’t have that early success, I wouldn’t have caught people’s eyes or ears. If you pair that the fact that I had just won DEFCON’s Capture the Flag, plus I had access to places most people don’t, and I had verified credibility, people knew I was on to something and that might have got me to second meetings.
The next one was one of those early guys who came to me and said “Kyle, your pitch sucks.” He actually brought me to tacos in Silicon Valley and told me it was crap. On the spot, he and my co-founders reworked my pitch over tacos and he said: “I would have written you a term sheet if you told this to me in the first place and pitched my partnership.” I don’t know if that was true or not, but the fact that he was giving me that validation gave me the motivation to go out and raise again. All of a sudden, we started getting verbals, and verbals turned into term sheets.
Notice that those are two very different points of validation. One was technical validation. One was from talking to somebody.
The last one I didn’t mention is customer validation. It was us going to customers and testing for free- don’t go in with the slick pitches, just say “Let me show you value.” To actually have them come back and say, “I see the value,” that type of validation is important.
Those three independent validations are important. If you’re raising money, you need to be able to show the technology works. That can happen through cute NSA hacking things or customer validation- I had both. Then, I had somebody I was pitching who was a friendly, a true VC who took time with me in their busy schedule to get my pitch right. Only when I had that trifecta of validation was I able to tell my story confidently. I think I failed to raise over a year. Even my first term sheets were turned down in Series A and we came back, raised the bridge round and had to come back a year later to raise a proper Series A. I just hope that gives confidence to the people that listen to this. You can have success on the outside, but nobody hears all the failure internally that comes way before that brief moment of congratulations when Forgepoint writes you a term sheet. There was so much more failure that happened behind the scenes. Although it looked great externally, internally there were a lot more valleys than there were peaks.
26:43 Building Team Culture
Yeah. To sum that up, it’s a repetitive process, there’s going to be failures, but the net result is success, coachability, and being able to learn. That’s what you proved.
Let’s move forward now to the present day. When we first met in September of 2019, it was clear you had a vision. Go-to-market was working. You had 18 employees. This was pre-Marcos- he was the 19th employee. You had maybe $4 million of ARR, which was a good amount for a pre-Series A company. Fast forward to today. You’ve raised over $160 million, have 300 employees and 4000 plus channel partners, and over 100,000 supported small business and medium businesses. You’re protecting somewhere around 2.3 or 2.5 million endpoints. Amazing overnight success in eight years, amazing traction. One of the things I’ve had a front row seat on is seeing how the execution has been implemented to a very high degree and how the culture of the company has grown and become very unique. I spent three days with you this summer and the entire team down in L.A. at your All-Hands–
The Summer Summit.
Yeah, the Summer Summit. Talk about the execution and building a culture. Put all the technical components aside- talk about how important those are and how you build those.
As an early-stage entrepreneur, when you wrote me my very first Series A term sheet, Ernie, I would not have heard something that you just said. I want to double down on being coachable and establishing a feedback loop where you constantly fail into success. Ideally, though, don’t fail into success, succeed. What I mean by that is everybody says fail fast, fail often. If you spend all day failing, you’re not going to spend time executing. So for me, it’s about coaching, getting great founders, great external voices, and at the same time knowing when to put your earmuffs on and not listen- sometimes people have bad advice and that’s hard to find out. I look at it as a corkscrew because it’s not just a circle. If you’re not progressing forward in that corkscrew, you will not make it.
For example, the team of me, Chris and John as founders- we were strong, but I had no clue that the whole team would actually be the steel thread that ran through our execution. You dropped the name earlier- Marcos Torres. I pitched this guy on LinkedIn. I needed a finance and operations leader. I wouldn’t realize that he would play a role in the last five years that was so significant it’s on par with an early-stage founder. He’s been that critical. You just don’t know what happens when you actually hire great people. I’m not saying I’ve got the recipe for great people- Steve Jobs used that A player, B player model- I still don’t know what the recipe for that is, but when you find an A player who can grow with you, you’ll play off each other’s strengths and complement each other’s weaknesses.
Ernie, you just threw out some of the coolest KPIs and I was grinning from ear to ear- but we had to earn every single one of those. It’s about having achievable goals and being able to keep yourself- half of this game as a founder or being on an executive leadership team is not burning yourself out and keeping your mind healthy. I just recently penned on how my CEO role has been both the most fulfilling and lonely job I’ve ever had. What keeps me from going over the edge has been reminding myself that there are great people who will pick up the slack when I can’t. You can’t operate at 110% all the time. You’ll burn out. It’s about hiring those great early players. The first one, Marcos, was offered a director of finance role. He came on board as a VP of finance and operations. He grew into that all the way to now being the CFO. Marcos of 2024 is not the same Marcos of 2020. It’s not even the same guy. You couldn’t even recognize him- he had to grow too.
Sometimes, the biggest thing in operations, getting alignment, and making a process to set achievable goals and keep morale high is a culture that acknowledges not everybody can make it to the finish line. If you’re not having that hard conversation with somebody when you hire them- telling somebody about their future potential termination when you hire them- you’re going to really struggle to up level. My most consequential sales leader in the entire company turned out to be my first VP of sales who I didn’t have that conversation with. He brought me my first million dollars, which was so much harder than the next. It turned out, even though he was the most consequential sales leader, I didn’t have the conversation that one day he might be hired over. The most effective sales leader I hired was my second VP of sales. When the first guy got that demotion and had to become something underneath the next VP of sales, he left. It hurt his ego. He wasn’t prepared for it. I failed as a CEO by not preparing him that one day somebody might have to step over him. Obviously, it’s worked out and our most influential or consequential sales leader Andrew is still with me today. We’ve been on this journey five plus years and he’s brought me from $1.5 million in revenue to over $70 million in revenue, even hiring his own boss. The reason he’s still here making a difference five years later is because I started, and I had a process, and we were aligned.
Team matters. Do whatever you can to truly bring in A players, bring them in at the right time, be transparent and set them up for success, and then have achievable goals that keep morale high. Go from one goal to the next to the next to the next, have good entrepreneurs giving you feedback, and be coachable. If you are not going to level up, you will have to level out as a founder, and that’s just real.
33:33 Scaling Up from a Point Solution to a Robust Platform
Great advice. Switching gears a little, within cybersecurity we have point solutions and platforms. They play different parts in the ecosystem. When we invested, your vision was clearly to build a platform and multiple SKUs. But the reality is it was a point solution in the beginning. Fast forward to today, it is a robust platform. As someone building it, talk about some of the nuances and some of the difficulties in building multiple SKUs and scaling a platform where you can go to a customer and say, “We’re going to sign you up with this SKU, but we want you to expand to these three, four, five other SKUs.”
The general rule of thumb from all high scale entrepreneurs I know that make it past $50 million in recurring revenue or above $100 million is if you try to go for the SMB, you are going to be capped somewhere at about $100 million in recurring revenue on one single product, which is a lot. Let’s be real- that’s a lot of revenue. Most people never see that. But if you think about what’s at risk for a company like Huntress, I have millions of small and mid-sized businesses who need me to deliver world class cybersecurity expertise for the price of a product- and they need me to figure out where to start first. Where I see most entrepreneurs get it wrong is they try to build a platform too early. One thing that helped in my pitch in my opinion, especially when it came to Series B and Series C, is that I was pitching it would be a platform or it is a platform, and where it could go. I think sometimes founders forget you have to start somewhere. Huntress is started as a single capability. Most would have called it a feature. We found somebody who was willing to pay for it to get started. Then, I built many capabilities into what I would call a product. Then, I raised my prices 40% because it made sense. We were able to retain the vast majority of our partners because I delivered so much value- and my gross margin was hurting. Once you have one product, you start listening to customers and they will literally tell you if they need more product. Sometimes you have to be able to hear what they say and interpret it. From the beginning, you have to think “How does this get bigger?” If you want to go beyond $100 million in revenue, assuming you can even get there, you probably need multiple products.
Ernie, I’m going to be real with your audience- getting one great product and capturing lightning in a bottle is almost impossible. Capturing lightning in a bottle multiple times sounds crazy, but what happens is you learn from your earlier lessons to build a product. For us, I had to think things through where a platform meant being able to have multiple products. Remember, small and mid-sized businesses have many cybersecurity problems. Now, because I built from the beginning with infrastructure that allows these products to correlate data, talk together, and work together where one plus one equals more than two, it’s a really compelling pitch for a customer to say, “I can just give you a couple bucks more and now I get way more value and I don’t have to hire people.” It’s a big win.
To this day- even after crossing $70 million in revenue- we actually grow more in expansion through cross-selling and growing with our partners than we do in new logos. They still pace each other fairly close, but the point is the platform gives you more opportunities to succeed. The lessons you learned from the hardest days of the company- going from a seed company to an A company to a B- they tend to become different and in many ways it’s easier to capture lightning multiple times. If you want to truly be an independent company of consequence, you probably will have to become a platform or ecosystem. If you don’t start thinking about those years ahead at the time, one, you’re not going to get credit from customers, people you’re trying to hire, or VCs that you have a big vision. Two, if you come to that conclusion that you need a platform too late, someone will beat you to it. It’s very hard to start and work backwards to build a platform.
Having the vision in the beginning but achieving small bite sized pieces, just like you eat an elephant one bite at a time, helped me grow into this point now where we have a very robust platform and we’re talking about going from three products to what could be ten in the next handful of years. That doesn’t happen overnight.
I think that’s a great example of having a vision and executing against it through multiple years, multiple iterations. When we invested in 2019, supporting and protecting the SMB wasn’t obvious. It was obvious to you, Chris, and John, but to the rest of the world it wasn’t obvious even with the increase in ransomware. With the obviousness of the market comes more competition. How do you think about competition? How do you think about that addressable market? You’re protecting the 99%. There are a lot of small businesses, whether it’s in the U.S., North America, Europe, Asia, you name it. How do you think about competition in your overall TAM?
Total Addressable Market for any market should be very, very big. If not, why are you building a SaaS platform for it? Let’s call that out. Knowing where to start and where to get what I would call a beachhead- or as a hacker from NSA, I’d probably say foothold into the market- sometimes means you might have big, lofty platform ambitions. If you don’t carve out that beachhead, someone is going to displace you, whether it’s an incumbent vendor that has the customer base already and can build something like yours or, like in our case, enterprise companies trying to come downwards. I think one of the successful things that we did was we started narrow. We went after North American service providers which are often MSPs, MSSPs, Value Added Resellers, telcos, things like that. By staying very narrow on that vertical and going after those customers and building something they wanted that made them money and was only on the endpoint, I was able to build my credibility and build their trust. That’s what’s called first- mover advantage. I was first and I was early, and it was really hard, but I built trust.
The problem is second-mover advantage is also a thing and people can come on and say, “I do everything Huntress does plus this.” Even if it’s not accurate, if you don’t have deeply rooted trust, there’s a big advantage. If you’re thinking about building a company, there are benefits of being second. If you look at Apple, especially the iPhone, in many cases Samsung will build things for their phones in the Galaxy series and then Apple comes in with their second version of it that usually is a bit more stable, a bit more friendly. As a result, iPhone still rules the market.
We had to do both. In some places we had to figure out where we wanted to be first mover to build trust. That’s how it happens, being that mover and shaker. But we were also very deliberate in some cases and said “Let’s watch this develop a little bit further. Let’s keep it in mind with small R&D efforts on the technical side. As we’re learning about other people having success, let’s consider being a very close second mover.” Meaning we’re almost like a 1.5 mover, where we weren’t the first but we didn’t wait for everybody else to catch up. That’s helped us keep very lean and ahead of the pack. But I will be honest, Ernie, you’re seeing it with me in the boardrooms: everybody now wants to come after the small and mid-sized businesses. The small vendors in cybersecurity are trying to go upmarket. The enterprise players are trying to come down. The incumbents who did nothing related to cybersecurity are trying to come over. If I didn’t have that foothold, if I didn’t have that trust, and if I didn’t show them that I could move quick and be a second mover when needed, I think Huntress would be probably acquired already. We wouldn’t have had success and we would have been like most companies that aren’t able to become public companies of consequence.
42:57 Rethinking the Executive-Board Relationship
You alluded to the board. You’ve successfully raised money from top VCs- you have Forgepoint, you have Gula Tech, you have JMI, you have Sapphire, and the board’s gotten bigger. We just brought on Myrna Soto as an independent. Help some of the founders and the CEOs out there understand how you manage expectations for a board, and how you do it formally and informally.
I’m going to start with what could be bad advice, but it’s a dynamic I’ve discovered. I haven’t found a book on it, but I’m going to call it out anyway. In my experience, most boards and executive leadership teams have a more adversarial relationship than I personally believe is healthy. When I’m talking to my team about it, I think a lot of people carry old baggage from bad boards and by default, many executive leadership teams don’t feel comfortable oversharing and don’t feel comfortable with the board’s idea. I think that’s a toxic idea- I mean it wholeheartedly. When you and I got together, from the beginning I thought “Can I work with Ernie not only when things are good, but what is it like working with Ernie when things are at their worst?” Unlike a marriage where you can get a divorce and move away from your partner or spouse, you cannot move away from a partner when you take capital that way. We’re together. We’re in this together. Since we can’t just divorce, you better make sure you like that person when they’re in their darkest, gloomiest moments. For me, Ernie, I spent so much time not only learning about your background as a fighter pilot, but also that you were still hustling and growing in your career and that you could go on this journey with me. That meant a lot. Then it was about your fund and your firm. Making sure there’s enough money at Forgepoint. They had a good fund and I’m not going to have to worry that they are going to run out of money or go away. I did that same thing to JMI- we were the first money out of their fund 10. Casber and Sapphire, we were some of the very early money out of their billion dollar plus fund. All of this starts with if you can work with these people. I don’t mean just having a formal and informal conversation- do you want to work with them?
The other one, Ernie, and I think you’ve seen it with me, is that I believe in radical candor and transparency. The type of transparency that makes most founders and companies uncomfortable. Even to this day, Ernie, believe it or not, at my current stage I have some ELT that ask, “Are you sure you want to share that with your board?” Even now, with 300 employees, I have to even overcome that and say the board is only there to help us and we’re in this together. Your board dynamic should be bringing on people that are a lot like both friends and grandparent relationships. They are not there to be your parent. They are not an adversary. It’s different. If you have done a poor job, and sometimes you have if you need capital so desperately, you need to manage the expectation of when it’s friendship time and when it’s grandparent time. Sometimes there’s middle ground. That has allowed me to know when I need to be informal with you and I can say “This is where we screwed up or this is how we did it.” I can admit that. Usually you’re like “I’ve done something like this before. Let me tell you about this.” If you see me really mess up, you are able to connect me with resources. JMI and Sapphire have been excellent about getting me entrepreneurs that are later stage to help me learn these lessons. I don’t have to worry about if you are going to fire me- that’s not something I’ve ever worried about on my end, not one time. Even when things aren’t going well- you know, COVID was a really bad year when SMBs were crushed. I never worried about my job one time with you because I knew I had somebody that when I needed it could be a friend and when I needed it would hold me accountable like a grandparent. You’d be firm- Grandparents aren’t going to let their grandkids do silly stuff.
If you have those things that I mentioned and you truly interview your partners- and they’re interviewing you by the way- and you’re truly being upfront, you can have radical candor and transparency. I have to wear two hats sometimes with you Ernie, sometimes I am in a casual friend relationship and we’re talking like casual friends. When it comes time for us to vote, I’m calling our meeting to order am asking in the most formal ways who is in favor and who is opposed, and we have to get strict and responsible and are different people. I don’t think anybody thinks that far ahead. Once you propose and put a ring on somebody there’s no going back. My advice for entrepreneurs and investors is to interview your founders, interview your investors, and understand what you’re getting yourself into. If you’re not willing to go through the worst days with somebody, you’re making the wrong decision. I know that’s black and white, but our board is already the most functional board I’ve run across. I’m sure there are better ones- there is always something better. You guys have been great, and I hope I’ve been equally great by pushing the envelope and doing things differently than most entrepreneurs.
48:55 Digital Transformation, the Evolving Threat Landscape, and Generative AI
It’s a very functional board. I’ve not heard the friend grandparent analogy. I like that one.
Let’s move on to threat landscape. One of the things that has made Huntress very successful is the amount of automation John, Rodger, and others have brought to the team. The threat landscape has evolved- genAI is front and center. It can help defenders and can also help offenders. It’s another massive variable in the threat landscape. How are you guys thinking about that?
Let’s think about what small and mid-sized businesses have just gone through in three years. Now, everybody has some form of work from home- they’ve gone remote since 2020. At the same time, they’re on-premise- applications have now moved to SaaS applications, mass digital transformation. At the same time, generative AI- the Chat GPTs, the Open AIs, etcetera- is leveling up what was already great with machine learning and neural networks, and now we have another form of accessibility. The whole landscape has just changed out from under all midsize and small businesses. The ones that are thriving are the ones that are figuring out a way to adopt this, and the ones that are starting to go down are the people who are not. That’s the backdrop to this question.
On this end, we’ve always been about obsessive automation everywhere we can. I have to bring a $300,000 to $400,000 a year top quality cybersecurity researcher and deliver them for $2 to $3 per computer or $2 to $3 per identity per month. That is really hard. Huntress has found a way from the beginning to stay ahead of automation. Sometimes automation just means how you store your data, tag your data, and classify it. Sometimes you can use very, very fancy ML and K-Nearest Neighbors or whatever the fancy buzzword algorithm is today. Sometimes you can just get away with automating 80% of a problem and for the remaining 20% using a really smart human brain. For us, it’s been not just using endless automation- because automation can be expensive too- but how to use the right level of automation and complement it with humans.
What sucks is hackers are doing the exact same thing. On the offensive side, we see phishing emails become up-leveled overnight with better Chat GPT-type templates that are beautiful and sophisticated. We’re also seeing it in code. People aren’t becoming super hackers- I’m not seeing script kiddies become nation-state actors overnight- but I am now seeing some places where the world of creating offensive software has been democratized because they’re now having generative technology build them capabilities like keystroke loggers and capabilities to mass download or mass encrypt files. The bar is completely different. If we don’t keep ahead of that by taking an offensive approach to our defense and thinking like a hacker ahead of time, we will be caught off guard. Just like those SMBs who are not using digital transformation to their advantage, we will have the risk that in cybersecurity that we could be caught flat footed enough that it’s a risk to our business.
These new trends don’t happen every day, but they sure as heck are happening faster than they used to. With those three industry-changing things happening in the last three years alone, you can imagine that for companies like ours, we aren’t just reinvesting a little bit into R&D. I’ve had to raise capital specifically to fund my R&D to stay ahead of this and do it in an economical fashion. I couldn’t just blindly spend cash, but it takes money to make money and it takes money to protect. If you’re a founder who’s considering if you can bootstrap to the end, you better be using automation. If you’re going to keep that lead, you better have some financial coffers behind you to help you stay ahead. If not, you’ll be eclipsed by the changing tides.
53:48 The Path Forward for Huntress
We’re going to wrap this up- it has been a treasure trove of amazing advice for any founders out there listening. I want to end with one last question. I already alluded to when we first met and it was clear Kyle had a vision. It’s been hard work, execution, trials and tribulations over the years, but an amazing net outcome to where you are now. When you think two, three, five years into the future, where do you see Huntress?
The financial analysts usually ask me the question directly: “Are you going to IPO?” I always give them the answer that IPO, for me, is all about optionality. Think about what that means. I have 100 thousand plus businesses secured out of 30 plus million in the US alone. We’re nowhere close to completing our mission. For me, the next three years are about being a sustained independent company of consequence. By independent, I mean somebody that’s building for public shareholders. But that doesn’t mean I have to be public.
More specific than that, I’m more worried about how I secure SMBs. So, while in board meetings that you and I are in I tell you “Hey Ernie, here’s how I’m going to go from 70 million in revenue and grow no less than 60, 70% in the following year,” internally we rally behind how to protect more small and midsize businesses. Every KPI that we use internally is about measuring if we secure X-number of businesses, we will then have Y-number of revenue, and they directly align.
For me, the next three years are about how to build more product, how to deliver that product at a margin that makes sense for my small and mid-sized businesses and still allows me to grow. That’s a perpetual feedback loop. That’s the Huntress virtuous cycle. Deliver awesome things that make a difference to the SMB. With the revenue and profit that I make from that, reinvest in new technology that will then again secure SMBs, that then allow us to build new products, that then allow us to down hackers to make more money. It just feeds in and in. As I add more SMBs, I just get more effective. So, Ernie, the only thing on my mind from here for the next three years and beyond is how to secure the 99%: small and mid-sized businesses.
Well said. You have a mission that matters to you. Your mission from day one has been securing the SMB and that’s what you’ll continue to do. The cards will fall where they may. You articulated that very well.
You’ve got a shirt that says it right there. The front of your shirt says “Hackers Gonna Hack” and the back of the shirt says “Huntress Gonna Hunt.” That’s exactly what we’re going to do.
That’s the OODA Loop that keeps going. Kyle, thanks again for your friendship, your leadership, your commitment to protecting the SMB, and everything you’ve done for the community. Thanks for taking the time today and all the best to you, John, and Chris in the future.
Awesome man. Likewise. Thanks for believing us when no one else did. Thanks for growing on this journey with me. I think some people forget that if you want to go fast, go alone- if you want to go far, go together. Thanks for coming with me.
You bet. It’s been a blast. Thanks, Kyle.
Alright, brother. Talk to you soon.