Netsparker is a web application security company that started in 2009 and reached 5k customers over the past 10 years while also raising $40M. The dynamic application security testing company has most of its development operations in Turkey but has targeted the US market since the start.
Although giants like HP and IBM already had products in the market, Netsparker focused on the growth of the application security space which was a newly emerging, very virgin market. In these blue ocean markets, the only strategy is to focus on selling to early adopters with large enterprise budgets.
Given his vast experience since 2003, Ferruh (the founder) was aware that Turkey was far away from being the best market for Netsparker. Ferruh was a guest in the 13th episode of Glocal Podcast where we discussed how Netsparker became a leader in the space over the past 10 years.
Geo-arbitrage and tech export opportunity
Turkey is heaven to find high-quality talent at a much cheaper rate than in mature markets. Ferruh further suggests that the raw tech talent in Turkey is top-notch but companies must put the effort to cultivate it. We started 500 Istanbul with the firm belief that talent is definitely here and will create global success stories when given the right resources.
However, from Kazakhstan to Pakistan, every nation has a similar claim of high quality but cheap talent. Obviously developer costs are lower than the US anywhere outside the US… The availability of cheap but high-quality talent is not enough by itself to create the successes that we all aspire to.
As we developed our investment thesis at 500 Istanbul, we believed that we can fully take timing and market maturity risks, by investing more in new emerging markets. The lower costs in Turkey enable companies to reach break-even much faster than their US competitors. While investing in such blue ocean companies, we bet that if they can sustain in the market, they will be best positioned when the market is mature enough.
For an entrepreneur starting in the US, the right timing is critical. Otherwise, just to sustain in the market for 3-5 years until it matures, would take $Ms. This is not the case in countries like Turkey. By entering the market too early and reaching break-even, our companies not only stay in the market but also conduct serial iterations and pivots that increase their chances of reaching product-market-fit.
Netsparker’s strategy over the past 10 years and the evolving market dynamics is a good testament to this thesis. The main advantage of cheap talent is not selling a product in an established market at a lower price, but the leverage that comes with entering an immature market very very early on and becoming the leader.
Markets overlooked by the competitors
During his years as a security consultant, Ferruh prepared custom reports using a variety of products. Netsparkers scanners, reporting security gaps end to end, wasn’t in a market with no competition. Companies like IBM, HP, and Acunetix were already leading the space.
“No one got fired for buying IBM” This was our main obstacle for years. We were trying to sell security around the globe, through our office in Turkey. It took us 5 years to beat that saying - Ferruh
Netsparker bootstrapped for a very long time and even tried to convince customers by releasing a free version, although the company was obviously lacking resources. There were a bunch of network security companies in the market as well. However, none of them focused on web application security, while Netsparker was closely monitoring the changes in cloud, API economy and mobile.
In fact, not many competitors emerged over the past 10 years
In the past 10 years, only 1 large competitor, solely focused on web application security emerged. Ferruh’s reasoning is the high technical barrier of the product and the customer’s expectations of 100% accurate end-to-end security.
There were dinosaurs in the industry but it was impossible for them to reach a good product in these emerging areas. - Ferruh
Why should such enterprise software companies target the US?
Ferruh was well aware of the immaturity of the application security market in Turkey and the limited enterprise budgets. Although he used his connections to ripen the product and demos, he had to target the American market at the end of the day for sales.
Apart from the enterprise tech market in general, the focus on security and high budgets put the US above all other markets for Netsparker. Companies wandering in the blue ocean need early adopters who will support product development. In many b2b verticals, the US stands out as the market with the largest early customer base. On top of that, it is the largest unified market which is why a lot of the b2b companies stay domestic for years until they dominate.
America is still far ahead in terms of security technology needs and budgets. Being able to address a huge market through a single language and culture is also a great advantage. - Ferruh
Web application security space continued to grow
Companies like Netsparker, who navigate in upcoming industries with not that many competitors, that a big market maturity risk. As we invest in such companies, our big worry is not the competition but rather how fast the market will reach the desired maturity.
The market progressed even better than what Ferruh envisioned in 2009. Considering all API services, cloud adoption, microservices and the explosion of mobile, companies now have a lot of web applications. There isn’t a proper report that clearly demonstrates the size of the application security market today, but my guess is a few billion dollars and it is growing very fast.
When we first started, we were impressed when we saw a customer with 100 websites. It has been 10 years and a mid-sized company now has 500 websites. Our large customers have 20-30k different websites! - Ferruh
Tough to sell in immature markets
Ferruh was personally responsible for sales for the first 5 years of Netsparker. Without any sales or marketing team, the company grew profitably through his own connections and efforts. Although he successfully came out of large corporate sales cycles, a direct sales team and a channel strategy were essential to get to the next stage.
This is something we see very often. For highly technical products, especially in the security space, the founder is involved in almost every sale until a certain time. The buyer, usually also sophisticated in the space, wants to deal with someone who knows even more; but this becomes the main bottleneck on the company’s growth. Although a lot of companies pursue a channel strategy, along with direct sales efforts, the immaturity of the market makes it impossible to run this ROI positive early on.
I see that many startups in our area think that they will reach growth through the channel. Unfortunately, this is a very, very challenging process. After 10 years and $40M investment, we still haven't been able to fully build it. - Ferruh
Doubling down to seize the opportunity
Whilst Netsparker continued to grow profitably, Ferruh decided to go down the venture path after realizing the large market opportunity. Netsparker had accumulated profits for the past couple of years and Ferruh pursued smart money which will bring more strategy and connections that are necessary for the next level.
Ferruh especially looked for a fund with high operational experience and landed $40M from Turn/River Capital. Helping to launch the US office months after the investment, Turn/River also recruited top talent from places like Linkedin and Google.
The application security market is at a very different point from 2009. 10 years ago, network security companies were potential acquirers, but given Netsparker’s size today, cloud giants like Google or Amazon surface as potential buyers.