A
When you sell a cybersecurity product, you hear a lot of like, devs will never care. They don't care about security. And I'm like, actually, if you build tools that work in their tool chain with DevOps principles, they do in fact care, and they will use them.
B
Welcome back to another episode of Builders. As always, this show is brought to you by Frontlines IO, Silicon Valley's leading B2B podcast production studio. If you're bringing technology to market and want to learn from your peers, we have a library of more than 1200 interviews with venture-backed founders and marketers where they talk all things go-to-market. Of course, if you want to launch your own podcast, we offer podcasts as a service to more than 80 tech startups. The idea there is very simple. You show up and host and we do everything else. Now, with all that said, let's jump into today's episode. Today our guest is Joanie Clippert, CEO and founder of Stackhawk. Joanie, welcome to the show.
A
Thank you for having me, Brett.
B
Of course. Looking forward to this conversation. Let's go ahead and jump right in. What problem is your technology solving?
A
Yeah, so Stackhawk was built to help application security teams understand their evolving threat landscape, which is particularly important right now between APIs and LLMs and web applications. And ultimately we were built to help software engineers find and fix security vulnerabilities before they ever deploy that code to production.
B
Now, I know you've spent a lot of time in this world of cybersecurity. What was it about this problem specifically that made you say, yep, that's it? Because if you're like other cybersecurity founders, I know there's a whole like, list of problems that you can go after, and there's many, many problems that need to be solved. Why this one?
A
Yeah, actually my background is in DevOps, so I built and helped scale two different companies in the DevOps ecosystem, very focused on digital transformation. And this is my first foray into cybersecurity, looking at the problems. When we were at VictorOps growing and scaling that company, I'd spend time at conferences like DevOps Days Enterprise, and I started running into more security teams who were so frustrated with the pace of software delivery. They knew that they couldn't keep up, but they had this mentality that they had to be a gate to releasing software. And for me it was like, why are we not automating this type of testing as part of software delivery, much like we automate other things? So my co-founder, Scott Gerlach, built his career in cybersecurity. So as a practitioner, 10 years at GoDaddy. Then he was the CISO at SendGrid through acquisition by Twilio. And when we met, he had a lot of appreciation for software engineering and supporting developers. And I came at it from this very process perspective of we have to make this more efficient so we're shipping more secure code to production.
B
And what did the first let's say 90 days look like for you?
A
Let's see, we raised money on an idea and a team. So the first 90 days was what are we actually going to build? And doing a ton of research on the dynamic application security testing space. That's where we really wanted to focus. There were a lot of companies popping up doing more static code analysis type testing. And for us this runtime testing that really simulated how an attacker would attack the application and putting that earlier in the pipeline was the problem that we wanted to solve. So for the first 90 days it was seeing what tools were out there. There were open source tools available for this problem and for me when there's open source I'm always very curious about why it hasn't been adapted to the kind of process that we were talking about. So we focused a lot on the scanning engine itself, which was a very difficult thing to actually configure and deploy. And that was the long pole in people being able to use this technology and use it at scale. So it started with reimagining how this tech would work in the CI/CD toolchain.
B
The first big enterprise customer that you were able to land, you don't have to tell us who it was, but what was that like? How'd you land that first enterprise customer?
A
God, I kind of went kicking and screaming into enterprise. Like, we had built this very PLG business. That's what I knew how to build out of the DevOps ecosystem. So easy to try and buy, land and expand. Our product was built for the software engineer. It was configured as code, easy to scale if you were a software engineer. And we started getting inbound from the enterprise and I'm like, I don't know, man, I don't know if they're gonna wanna use this technology and actually deploy it like full on for software engineers. And our first big logo is a very large beverage company. And they came to us having kind of re-architected how they built software, really consolidating their CI/CD toolchain and then with the mission to build paved roads so that it was easy to have these automated security checks as part of software delivery. So they were all in on this notion of shift left from the very beginning. And when we won that logo, I'm trying to remember what it even felt like. Like it was, I remember I ordered one of their beverages on an airplane because that's when I learned that we closed the deal. Not a big soda girl. But I was that day and it was just like, wow. You know, when I built this company, I really thought it was going to be like an SMB mid market play. And when you start closing logos that are household names, it's something to be celebrated and it's just, it's really exciting. I was kind of beside myself, honestly.
B
How did that change the go to market strategy then? Are you all in on enterprise now? Are you going after both? And most importantly, have you stopped drinking soda? Did you have to continue on to be supportive of your customer?
A
No. Here's the deal. We could start with soda. So when I go in the office, we got those baby soda cans.
B
Yeah.
A
And I'll have one. And now it's dangerous because I'm like craving it again and I haven't had soda since I was a kid. So anyway.
B
And you can wrap it around customer success. Right?
A
It's like exactly.
B
You tell yourself a dangerous story there of like you got to do it. If you're customer first, you have to.
A
We have a few of those logos and I wish I could say who they were because they're very, you know, I made my investors eat fast food one day. We all sent pictures eating fast food for another logo that we closed. But it's a lot of fun also to see some of these organizations that you don't think about as totally tech first.
B
Yeah.
A
That are investing a lot in technology and it's great. It's the household names. It's not your typical, you know, Silicon Valley startups. So to the go to market motion. Like I mentioned, we started the business as easy to try and land and expand PLG, very focused on devs, and we were getting a lot. There was kind of two things that happened in the first, you know, two years of the business that informed a couple of things. So thing one, about 60% of our logos in the first couple of years were led by engineering leadership. And I loved that because when you sell a cybersecurity product you hear a lot of like, devs will never care. They don't care about security. And I'm like, actually, if you build tools that work in their tool chain with DevOps principles, they do, in fact, care and they will use them. But what it also meant was our deals were pretty small, right? If a head of engineering is buying an AppSec product, they probably don't have a security team at their organization yet. And that just wasn't going to be a way to scale. So it was kind of fortuitous that we were getting inbound and pulled into the enterprise at the same time. And then with the market, you know, SMBs and health tech, fintech, if it helps them go to market faster and sell deals faster and they handle sensitive data, then they're a potential customer for Stackhawk. But when the market is hard, cybersecurity is not the first thing that you're thinking about. You're thinking about how to survive as a company. And so we really rotated more toward that upper mid market enterprise play and have been doing really well there.
B
This show is brought to you by Frontlines Media, a podcast production studio that helps B2B founders launch, manage and grow their own podcast. Now, if you're a founder, you may be thinking, I don't have time to host a podcast. I've got a company to build. Well, that's exactly what we built our service to do. You show up and host and we handle literally everything else. To set up a call to discuss launching your own podcast, visit Frontlines IO Podcast. Now back to today's episode. In terms of growth, what are you focusing on right now? What's really working and then what's not working? Is there anything that you had tried, experimented with and have since stopped doing?
A
I think the thing that's really working for us right now is this tailwind that we have from AI and the foundation models and seeing things like, you know, good old Anthropic and Claude Code. Like, I am so excited about. I mean, we are all in. We are so excited about everything they're releasing. They love to do it on Friday afternoons, which is really fun. I have to, like, respond to a hot take at 4pm on a Friday. But they are instrumenting, they're adding so many AppSec capabilities into their native tooling. And where Stackhawk is, is we're a runtime testing capability. So it's really disrupting a lot of that static analysis market. But it is a tailwind for Stackhawk because at the end of the day you have to run your application to prove that these vulnerabilities are actually fixed. So there's this new attention on runtime and on dynamic application security testing. And because of AI, it's so much easier to use these tools now. Like, we played second fiddle to a lot of the static code analysis tools. It was like the second or third thing you would buy was DAST, and that was because it was hard to instrument, whereas you could just kind of turn on static code analysis in your systems. But with AI and the pace of software delivery at this point you've got a math problem. Like, there are so many static code analysis findings you can't possibly weed through them. And the type of testing we do proves that it's actually reachable and exploitable. So there's a lot more attention coming to runtime right now, which is pretty exciting.
B
What areas are you not focusing on right now? Or are there any areas that you experimented with, you put money and resources into and just had them not really work out?
A
Gosh, we're almost doing the opposite right now. It's investing in more. I think this is a short term problem. But in AppSec, when you think about focusing on mid market and enterprise, such a wide range of sophistication of the customer and a lot of them have desire to shift left and do more automation, but they're just learning how to do that process and maybe they don't have a great relationship with the software engineering team. And so we actually have built some capabilities that they're kind of cool, like the Stackhawk way of doing this that look and feel like kind of legacy technology, like things they've used before. But on the back end AI is like figuring out the configuration as code so that they can then go use that when they're ready to shift left and test in earlier environments. So we're really trying to bridge that gap for the people who are aspirational of doing more of this automation but haven't quite figured out as an organization how they're going to do that yet.
B
In terms of your market category, where do you sit? And I worked with years ago, not years ago, 2021, I was working with a company called Tromso that was, I think they were acquired recently. I know that was their big debate of where do they sit. I think they went after ASPM. Yeah, that was kind of the emerging category. Then they changed it to Product Security Posture Management. And I don't think they ever found a home for their category. They said it was just very, very difficult. Where do you sit? How do you think about category?
A
It's hard. Stackhawk has never fit squarely, I think, into just one category. And it's been hard because the analysts have had such firm, you know, requirements for what makes you an AppSec vendor and what makes you an API security vendor. And so when I talk about Stackhawk, I often say that APIs are what we test and DAST is how we test. So we do API security testing at runtime, but now that we have kind of net new attack surface, so things like LLMs and MCP servers, any place you have an asset that turns into a running piece of code that needs to be tested with runtime testing is sort of the category that we're focused on. So it's a smaller piece of the broader AppSec category. But as I mentioned, I think that's being wildly disrupted right now about what's going to be native in our AI code gen assistants. And then there's another piece of technology that we have which is API and application discovery. So attack surface discovery, which used to happen only in runtime by, like, sitting on the gateway and waiting for traffic, and your team didn't even know that an API was in production until it was getting attacked, pretty much, was like, oh, look, it's going through the gateway and we're seeing nefarious behavior. We have an API, but that's so disconnected from the person who owns it or is working on that API. So we took a completely different approach and we connect to source code and we are doing discovery, leveraging AI from source code so we can see which repositories turn into running assets before they're ever even deployed to production that need to be tested with something like Stackhawk. So we just like to think about it as the identification of what it is you need to test and then providing the tooling to actually test it is where we live now. What quadrant that goes in, that's another question. But that's what we're doubling down on at this time.
B
This show is brought to you by The Global Talent Company, a marketing leader's best friend. In these times of budget cuts and efficient growth, we help marketing leaders find, hire, vet and manage amazing marketing talent for 50 to 70% less than their US and European counterparts. To book a free consultation, visit GlobalTalent.co. And given your focus on enterprise, is that a top priority? To really shape how Gartner understands what you're doing and understands the category? I talk with some founders who say, like, yes, like Gartner still really, really matters. That's everything. And others say, like, no. Buyer behavior is changing so much now in this age of AI that they're not as relevant as they once were. Do you have an opinion on either side? Somewhere in the middle?
A
We have a couple of analysts that are sort of just, like, a little smaller than, like, the Gartners and the Forresters. We have great relationships with them. And you know, it isn't always the case that your analyst is awesome. But what I would say in our category, there's actually a lot of really cool women at Forrester that are running AppSec and they are very smart and totally on top of trends. You know, the analysts have kind of turned over on the Gartner side, but there are some more mid market firms. I mean, we are in the midst of, you know, working with them on a couple of reports, again about DAST and the emergence and importance of runtime testing in the age of AI, and another about sort of the AI-supported SDLC. Right. We used to think about CI/CD as kind of this first, that was a shift left as you went, is like I'm going to test on a pull request, just like where I would test for integration tests and unit tests, and that's where you would run Stackhawk. But now it's we are in Claude, we are in Cursor. How do we run this technology and run agentic loops to actually fix these issues really early on, which is a place we are very focused. But I love seeing the analysts asking us questions, even just, like, a touch before the market's totally there. So it's been fun working with them and I think that space is getting better.
B
Let's talk about the research reports a little bit. So I saw that you recently released one, if I remember right, I think it was 250 AppSec leaders that you surveyed. Talk to us about that process and talk to us about the impact of doing something like that as a marketing lever or as a growth lever.
A
The reason we thought that that report was really important to run is, you know, in our space, I would say even nine months ago, but we could anchor on 12 months ago we were introducing AI features and in AppSec there was nervousness around AI and it was we're going to have to run this through a council and get approval. And fast forward six months from that period, customers were asking, what is your AI roadmap? We're all in on AI and all of our vendors need to be too. So it was a wild swing. So we ran that report to really understand sort of where the attention was going, how mature people were in this AI adoption lifecycle where they were putting their attention. And it was pretty validating as to where we were focused and how deep we were going in on AI.
B
And if you just look ahead where do you see this category going? Where do you see all of this going in the next few years? It sounds like with AI, everything's going to be changing. There's a way bigger attack surface. Like, what's your other view or what other views do you have on where this all goes?
A
Yeah, I mean, engineering as a discipline has fundamentally changed and I think that will be very solidified in 2026. So my most senior software engineers haven't written a line of code in five months, six months. It's just pure prompting. We've 8x'd software delivery in the last six months. And that speed, which is demanded and praised, right, by higher ups in all organizations, this is happening everywhere. To remain competitive is putting a lot of pressure on other parts of the organization. And the next just most important domino that needs to fall is we're putting all this code into prod, code that we understand way less than had we written it ourselves. And the AppSec team has to completely retool how they do their job. I mean, the days of waiting till production and scanning and making Jira tickets, it's like absurd. There's no way you can keep up and you just couldn't hire enough human beings to do it. So the need for, you know, this is just one function, but really all of our functions. But for AppSec teams to understand how software is built better than they ever had. And this is changing very fast, becoming very familiar with the tooling, familiar with the goals of their engineering counterparts. I can't tell you how often there's a huge, even today, huge disconnect where I know as a CEO and everyone else I'm talking to, you're pushing your VP of eng to 5x, 10x software delivery with the team that you have. And if their counterpart in security is not aware of that goal and in line with that goal, that organization is having a bigger problem. So I think it's super important that they are aligned on what the objective is and that our security team members become enablers to that pace. And that's going to require a lot of change to the job.
B
And final question, we always like to end with a fun vision question. So paint a picture for us of what your company looks like here and I don't know how far you want to go. 3 years, 5 years, 10 years? What's the big picture vision?
A
That's a hard question these days. I mean, you wake up, there's a new announcement and you're like, whoa. I mean, the SaaS apocalypse is happening right in front of us. So do I know in three years what we will be? I do not know. Things I do know: the attack surface continues to change. And as a security person, it is your job to understand what is out there that I need to protect. Am I running the right tools to protect it? No matter where those tools come from, right? It could be native to a code gen assistant, it could be a SaaS product, it could be anything. And am I fixing the right things? And that problem is only going to get worse before it gets better because of this massive proliferation of tooling. So where we are focused is on solving that problem. We provide the runtime tooling, which we think is the most important in the age of AI. But we build that bridge and provide a lot of insights for those who are responsible for the security of their applications. And I can see that evolving also as how we build software continues to evolve. For the next couple of years, we're going to be right in lockstep with those changes.
B
Amazing. I love the vision. Really had a fun time with this conversation. Before we wrap, for those listening in who are following along, where should we send them? Where should they go?
A
If you are interested in the technology that we provide, you can go to stackhawk.com and check it out. Otherwise, myself, my co founder Scott Gerlach, we're pretty active on LinkedIn, talking a lot about current trends and some amazing customer stories as people are really changing how they build and secure software. So I encourage you to connect with us there.
B
Amazing. Well, thanks so much.
A
Thank you.
B
Well, that's all for today's episode of Builders, brought to you, by the way, Frontlines. If you want more amazing content like this, visit Frontlines IO where you'll find the library of more than 1500 interviews with founders, marketers and other GTM leaders, where we unpack the tactical lessons from their journey. And of course, as always, if you do want to launch your own podcast, we'd love to have a conversation with you. Visit Frontlines IO Podcast as a service. Mention that you listen, mention you love the show, and we'll give you a 10% discount. Thanks for listening. We'll catch you on the next episode.
Episode Date: March 30, 2026
Host: Brett (Front Lines Media)
Guest: Joanie Clippert, CEO & Founder of StackHawk
This episode of BUILDERS delves into how StackHawk redefined runtime application security testing (DAST) at a moment when AI-generated code made static analysis approaches overwhelming and unmanageable. Joanie Clippert unpacks not only the technical shifts but also the go-to-market metamorphosis—and describes how StackHawk secured credibility with both startups and massive enterprise customers in a rapidly changing security landscape. The conversation features candid insights into product strategy, category creation, AI disruption, and the cultural intersection of developers and security.
“…We were built to help software engineers find and fix security vulnerabilities before they ever deploy that code to production.” (01:15)
“...it started with reimagining how this tech would work in the CI/CD toolchain.” (03:38)
“...when you start closing logos that are household names, it's something to be celebrated and it's just, it's really exciting. I was kind of beside myself, honestly.” (05:19)
"...you hear a lot of like, devs will never care. They don't care about security. And I'm like, actually if you build tools that work in their tool chain with DevOps principles, they do, in fact, care and they will use them." (06:48)
“…there are so many static code analysis findings you can't possibly weed through them. And the type of testing we do proves that it's actually reachable and exploitable.” (09:31)
"We connect to source code and we are doing discovery, leveraging AI from source code so we can see which repositories turn into running assets before they're ever even deployed to production..." (12:54)
"…customers were asking, what is your AI roadmap? We're all in on AI and all of our vendors need to be too. So it was a wild swing..." (16:18)
“…the next just most important domino that needs to fall is we're putting all this code into prod code that we understand way less than had we written it ourselves. And the AppSec team has to completely retool how they do their job.” (17:13)
"We provide the runtime tooling which we think is the most important in the age of AI. But we build that bridge and provide a lot of insights for those who are responsible for the security of their applications." (19:44)
For listeners interested in StackHawk, visit stackhawk.com or connect with Joanie and co-founder Scott Gerlach on LinkedIn for ongoing insights and customer stories. This episode provides clear strategic and tactical insights for anyone navigating the convergence of AI, security, and developer productivity in the modern enterprise.