Sponsored: Haroon Meer's secret to business success is… love - Risky Bulletin

Summary4 min read

Risky Bulletin: Sponsored Episode Summary Title: Sponsored: Haroon Meer's Secret to Business Success is… Love Host: Casey Ellis Guest: Harun Meir, Founder of thinkst Applied Release Date: July 20, 2025

1. Introduction

In this special sponsored episode of Risky Bulletin, host Casey Ellis engages in an insightful conversation with Harun Meir, the founder of thinkst Applied. The discussion centers around Harun's unconventional approach to building a successful, bootstrapped cybersecurity company over the past decade. The episode delves into business growth strategies, product-focused development, challenges in the infosec industry, and the future integration of AI in cybersecurity solutions.

2. Achieving Milestones: TechCrunch Coverage

Key Topics:

Celebrating 10 Years in Business
Reaching $20 Million in Annual Recurring Revenue (ARR)
Unique Business Strategies

Notable Quote:

"[Harun] says, 'We've hit 20 million in ARR, which is pretty unusual for a bootstrapped company... we rally around getting successful detections and inventing new ones that work.'" [00:38]

Harun highlights the recent TechCrunch article celebrating thinkst Applied’s 10-year anniversary and the significant milestone of reaching $20 million in ARR without external venture funding. Unlike many startups that emphasize revenue targets and sales numbers, Harun's company focuses internally on product excellence—specifically, developing effective detection mechanisms. This customer-centric approach has fostered long-term client relationships, with 60% of their original customers remaining loyal after a decade.

3. Bootstrapping vs. Venture Funding

Key Topics:

Steady, Profitable Growth
Avoiding the Pressure Cooker of VC
Building an Investable Company

Notable Quote:

"Our growth's been pretty great. We focused on building what works and giving the market something valuable." [05:32]

Harun contrasts bootstrapping with the high-pressure environment faced by venture-backed companies. By maintaining profitability from the outset and scaling in line with their sales growth, thinkst Applied has avoided the relentless push for rapid expansion typical of VC-funded startups. This disciplined approach has allowed the company to prioritize product quality and customer satisfaction over aggressive market capture.

4. Product-Focused Development in Cybersecurity

Key Topics:

Importance of Solving Real Problems
Design and User Experience
Avoiding Feature Overload

Notable Quote:

"Do you have a product and does it do what the product says on the tin is sadly forgotten." [08:47]

Casey and Harun discuss the critical need for cybersecurity startups to remain focused on genuinely solving security problems rather than chasing trends or superficial metrics. Harun emphasizes that building a product that works as promised is paramount, especially in the infosec sector where the efficacy of solutions can directly impact an organization's security posture. This philosophy ensures that the company remains dedicated to delivering real value to its customers.

5. Navigating Challenges in the Infosec Startup Landscape

Key Topics:

Market Saturation and Information Overload
The Reality of Security Solutions
The Pitfall of Acquisitions for Market Presence

Notable Quote:

"Build a product that solves the problem because almost everyone in the chain gets rewarded except the end users." [12:21]

Harun articulates the challenges faced by genuine cybersecurity solutions in a market often driven by acquisitions and funding rather than actual problem-solving. He criticizes the trend of large infosec companies acquiring startups to appear innovative without necessarily integrating effective solutions. This disconnect results in end-users bearing the brunt, as real security improvements are sidelined for market optics. Harun urges founders to stay true to solving real problems and not get distracted by the allure of quick exits or market validation through acquisitions.

6. Advice for Founders: Building What Matters

Key Topics:

Focus on Product-Market Fit
Choose Challenges Wisely
Prioritize Customer Love Over Revenue Targets

Notable Quote:

"The guiding light should be building a product that customers want because it just solves everything." [15:54]

Responding to the complexities of competing against venture-backed companies, Harun advises founders to prioritize building products that genuinely meet customer needs. By concentrating on product-market fit and ensuring customer satisfaction, startups can organically grow their user base and achieve sustainable success. This approach not only fosters loyalty but also naturally attracts investment when the time is right.

7. Future Outlook: AI Integration and Innovation

Key Topics:

Leveraging AI for Enhanced Solutions
Tackling Persistent Infosec Problems
Balancing AI Advancements Between Defense and Attack

Notable Quote:

"There's new technology and there's new potential, and maybe we can just add that little spark of delight for someone." [17:35]

Looking ahead, Harun expresses enthusiasm for integrating AI into thinkst Applied’s offerings. He shares an example where AI is used to customize user interfaces, enhancing user experience through intelligent design adjustments based on user intent. Harun acknowledges the dual-use nature of AI in cybersecurity, where both defenders and attackers can leverage advancements. Nonetheless, he remains optimistic about the potential for AI to empower innovative defense mechanisms and improve overall security solutions.

8. Conclusion

The episode concludes with mutual appreciation between Casey and Harun. Harun reflects on the company’s growth and future aspirations, emphasizing that thinkst Applied is just getting started in addressing complex security challenges. The conversation underscores the importance of passion, product excellence, and customer-centric strategies in building a resilient and impactful cybersecurity business.

Final Quote:

"I think we, we're just getting started and hopefully there'll be more goodness." [16:20]

Summary

In this engaging episode of Risky Bulletin, Harun Meir of thinkst Applied shares his journey of building a successful, bootstrapped cybersecurity company by prioritizing product quality and customer satisfaction over traditional growth metrics and venture funding pressures. The discussion offers valuable insights for founders on maintaining focus, solving real-world problems, and leveraging technology like AI to drive innovation in the infosec landscape. Harun’s philosophy of fostering "love" for the product and customers has not only ensured sustained growth but also set a positive example in an industry often dominated by fleeting trends and superficial metrics.

Loading summary

Transcript18 lines

[00:00]
Casey Ellis
Foreign. This is Casey Ellis. I'm here with Harun Meir on the Risky Business News podcast. This is a sponsored interview and it's fantastic to be with Harun again. This is, this is a guy I've known and loved and learned a lot from, from, from an industry, just a personal and leadership standpoint for better part of 12 years now, I want to say. And yeah, just kicking off, you know, we're going to talk today a little bit about the announcement or the bit of press that things just got from TechCrunch around kind of your progress as a business and how unusual some of those pathways that you've taken are. Do you want to kick us off with the TechCrunch stuff?
[00:39]
Harun Meir
Yeah. So TechCrunch ran this thing like we just hit 10 years and part of the thing that they spoke about was that we've hit 20 million in ARR, which is pretty unusual for bootstrapped company, but there's a few interesting things about it and one of them that's sometimes unusual for other founders that we speak to is that internally as a company, we almost never discuss numbers like, like I know there's a normal startup thing where they have a dashboard and everyone in the company sees the ARR and targets like that. One of the things is we don't have external sales teams, right? So, so we don't motivate and rally around a sales number at all. So people in the company rally around like getting successful detections. We rally around inventing new detections that work. And it's one of the things that I think more startups should do. Like a little while back I gave this talk on how companies should focus more on love. And it's not just me being Triton, being, being all hand wavy. Like I genuinely think all of it is hard if you're going to pick a target. Instead of making the target a revenue target, like you make the target making customers who love you, the company rallies around that and the score kind of takes care of itself. And so it's one of the things that we did differently. And from the article, one of the things we proud of is like we hit 10 years this year. Like 60% of our customers from year one are still customers. And some of that early on we really didn't know what we were doing, but somehow customers forgave it. And yeah, for the most part we feel like we're just getting started and so we can't wait.
[02:38]
Casey Ellis
That's super cool. I'm interested just in some more of that journey because you're talking about 20 million in ARR. So annualized revenue and kind of that growth period. The difference, I guess, when you think about taking venture funding early on versus bootstrapping in the way that you guys did, is that with VC backing, you kind of almost immediately thrown into the pressure cooker and you got to run like crazy. Like in Bug Crowd's case, we did that on purpose because we knew that we were trying to create a category and change minds in a market. But it's not necessarily always the right way to do things. Not that there is such a thing. I guess I'm interested in terms of the. The growth side of things. What did that trajectory look like? Was it kind of steady or was it kind of. Were there bumps in it, like that kind of thing?
[03:25]
Harun Meir
It's a good question, and I'm going to give you a terrible answer again, mostly because we don't track it that much. So I'll tell you. We've always had steady growth. And one of the things that was really important to us from the start is that we were profitable. So we are profitable. And in part just because we needed it for survival, right? So we grew the company as we sold more, and as we sold more, we grew the company more as much as we needed. And so from year one, we were profitable because of course back then there were just six of us, and even at 20 million, we just over 40 people. But for us, the main thing was like, initially, if I'm honest, our take was like, would people pay for this? And when we got the first customers, it was like, can we make them still love us enough to renew? And we've kind of been on that journey from the start, like, and so now we get like Fortune tens or Fortune 20s that buy suddenly, like, oh my God, like, this is awesome. Can we make them love us? Like, can we make sure we work for them? And so for the most part, that's been our thing. Our growth's been pretty great. So one of the things we've always felt strongly about is making sure that even though we kind of almost always knew we weren't looking for investors, we wanted to be investable. And so the thinking was always that we should build a sort of company where we'd have options so we could get money if we wanted or we could sell if we wanted. But. But for the most part, our aim has been pretty solidly locked on. Can we build what we think works? Can we give the market something that. And like, it's, it's. It's a soapbox of mine that I think more companies should be doing. Like, like focusing on the product and the rest of it sorts itself.
[05:32]
Casey Ellis
Yeah. So you want to talk about that a little bit more because I think you and I have kind of traded rants on Twitter and X LinkedIn and God knows what else over the years on this subject. The idea of really problem focused product development, the role of design and making secure easy and making insecure obvious in customer growth, even the role of marketing. Do you want to go into that a little bit more? Because I definitely agree there's a lot of startups, you know, there's kind of startup funding and people doing new things in cyber security is sort of back at a bit of a fever pitch at the moment. I think it's a really good time to actually share some of that advice.
[06:10]
Harun Meir
Yeah. So because of us being around for a while, like I get pitched by young startup founders quite often like, like folks saying, hey, like I've built the next AI SaaS tool or built this, like what do you think? Like how do I get funding or where do I go next? And it's almost weird how often my questions to them are like, well, does the product do what you say it does? Have you solved it? Because for me, normally there's a thing that says have you chosen to solve something worth solving? That's the first part of it. And then the second part is if you chose something non stupid, can you do it? And it's almost funny how often the question throws people. And fairly recently a seasoned founder, like he's already had one exit, he's working on his next company. And I had this question with him that says like, okay, have you solved it? Can you do what you say? And he told me I was his fifth call. But the first person who asked him that and he genuinely stopped and at the end of the day the thought, he says no, actually we don't have it solved. I'm like, well then maybe go solve it and if you've solved it, then you've got a thing and if you haven't solved it, you don't. But I think there was a while in the early 2000s where we didn't have information on startups like Pyc. Part of the challenge was you into the unknown. And I think we've kind of gone so far around from that that now there's so much information that people can start companies in hot categories without thinking about the product. Like you know how to pitch and you know how to raise and you know how to do all that stuff. And like, people forget that the point is to bring a product that works to the market. And I think that, like, you can argue about the specifics of the product afterwards, but, but like, I think that fundamental thing that says do you have a product and does it do what the product says on the tin is sadly forgotten. And, and I think in infosec we do it a little more than, than some of the other segments because we get carried for a little longer. And yeah, I'm, I'm hoping to fight that.
[08:48]
Casey Ellis
Yeah, it's interesting with that one as well, because I feel like that's probably more common in infosec and cybersecurity than other categories. Partly because of what you just said, we get carried for longer, but also because it is somewhat of a nebulous black box that you can't actually really necessarily prove that your thing is working or not. And I think there are exceptions to that. I think your product's actually a really good example of that. But the whole idea of, oh, we've delayed, we've delayed a breach by X number of days and saved the company Y amount of dollars. It's like, okay, where's the proof?
[09:22]
Harun Meir
Yeah, it's a terrible sounding thing, but in my younger, cockier, fresh off pen testing red teaming days, like, I remember chatting to someone on the floor at RSA and saying, like, all of these companies, like, we've been pen testing for 10 years. Like, almost none of them would make a material difference to us as an attacker. And when you look at it and go, like, I wonder if everyone here knows that there's so many people here and so much money here, and as an attacker, it doesn't feature. And there's part of the question that goes like, well, do people know the stuff's not adding value or do they not know? And probably one of the distressing takes is that possibly they don't care because there's this whole alternate game that says, build a company, get a company funded, exit a company. And almost nowhere in that discussion is build something that dents the problem. And recently, like, the last time I chatted to Pat, I was talking to him about, and again, this is old people depressing themselves. But I was saying to him, there's even a sadder take on build a product that nobody needs and take it to market. Because you find out that the large infosec companies often make acquisitions to please the market. And so even if nobody there truly believes that this solves the problem, like, if you take the current AI hype, like, at some point there's going to be pressure on the big names to say, well, what are you doing in the space? And if they haven't done anything meaningful in the space, they're going to say, well, who can we buy in the space?
[11:25]
Casey Ellis
We need to go shopping. Yeah.
[11:26]
Harun Meir
And they're going to go snap up someone, not because they've got a product necessarily that they think is going to help their customers, but because the market's going to judge them on have they bought the forerunner in the space? And so almost everyone in that chain gets rewarded except the end users because they just happen to be a sideshow to this acquisition thing. And for the most part, the thing that I always say to young founders is like, if you want to do that, just go pick what category and you've got a better shot doing that. And in cyber, in infosec, lots of us got into it because we hear about the space and want to fix a problem. And if that's what you're getting into it for, then you need to not get distracted by that other silliness.
[12:22]
Casey Ellis
I fully agree with that. Like, one of my. One of my favorite definitions of founder is someone who gets irrationally pissed off about a problem that they think they can solve. And it's like that, that drive, it's like, I'm really annoyed that this is still a thing, so I want to go off and make the thing a thing. Anymore part of what you're saying there just in terms of like, does the market care at this point in time? Does it really matter? Because obviously the end user does when they get breached and the bad guys do, depending on how easy or harder difficult a time we give them. I guess my question there would be in terms of advice for founders thinking through how to actually put wheels on that notion, because I firmly and strongly agree with what you just said. But I do see the challenges. When you're trying to build and you're competing now against someone that's venture backed. It's all these different sort of dynamics that exist in terms of the early stage piece of the process that didn't really exist in the same way when we kicked off. Right.
[13:21]
Harun Meir
One of the things that I'm always retrospectively hopeful for is that we as a company end up being almost a positive example of a road not taken. Holy cow. That's a lot of mixed metaphors. Mainly it's to say that, like, I think our approach does work. Like, there's been a lot of talk of the other approach. Like the VC backed race for the world, raise money, grab as much land as you can is a well discussed path and mostly people say it as if it's an absolute truth. And we've always said look, let's get 10 customers and make sure they like us. And after we get 10 customers, we'll get the next 10. And one day you look up and you've got two and a half thousand customers who at least say they like you. And for example, if you take us right now, I see lots of companies that started in our cohort that went the other way that don't have two and a half thousand customers. And along the way they might have thought that we were slower but I'm pretty sure they'd trade places with us right now. And so there's a strong feeling that I have that says yeah, mainly the other approach doesn't have to be right, like it doesn't have to be a land grab if you're making something you believe in and customers are buying. And so mainly my take and the one other thing that I often say to startup founders is that the one like I've said lots of bad things about VC as an industry over the years. One of the things that I like about vc, it's very predictable. Like I've said before, you can stand up and urinate on a VC's desk today and if tomorrow you've got a product that's got product market fit, he'll invest in you because they pretty straightforward about what they want. Like they want successful companies. And so you can askew lots of the things that are traditional VC mantras as long as you're building something that customers want and customers want it. And so for me it's almost a no brainer that the guiding light should be building a product that customers want because it just solves everything.
[15:54]
Casey Ellis
That's super cool. It's awesome to hear, you know, congratulations on that milestone because it is like it's hard fought and to see you know, the like relentless pursuit of happiness and success on the customer side that you guys have really, you know, I think been an incredible example of in market since the beginning. It's like the larger version of that and actually demonstrating the fact that building things that matter works, it can actually work and there's proof to that.
[16:21]
Harun Meir
Thanks man. For the most part all companies are hard at some point but there's this thing that says choose your hard. And so yeah, it's been fun and genuinely we feel like we're just getting started for us at 40x people. We now have enough people to aim at some of the hairy problems that we didn't when there were six of us. And now we can throw. Like we started off and I did lots of the design and I was pretty font blind and now we've got real front end skills and we've got real designers and we can really focus on some of those things that we've always wanted to solve. So, yeah, I think we, we're just getting started and hopefully there'll be more goodness.
[17:13]
Casey Ellis
That's very, very cool. When you're talking about the big hairy problems that you see and kind of the way that AI is getting sprinkled on top of everything at this point in time, everything's accelerating, bad guys are getting better, all of that kind of stuff. Where do you see that all going? And I guess where do you see things and the Canary products fitting into that? What gets you excited, I guess is probably a better way to frame that question.
[17:35]
Harun Meir
Yeah, look, I think in terms of excitement, one of the things I'm really excited about and people sometimes say it, but we've got people much smarter than us now on the team and so we've got actual PhDs, we've got actual. And so we can aim them and they can help us come up with really good solutions to some problems. One of the things I spoke about, and it's late in the chat to dig this up, but at some point in the past we blogged about how many problems there are in infosec that are tackled but not solved. And some of them are really stupid, obvious things like if you're giving people notifications, how to not give them duplicate notifications, how to make SMS notifications not suck, because if you get 10 of them, you no longer paying attention. And I think lots of them require love. They require someone who's not going to end with we sent the sms, they're going to end with the customer knows what we wanted them to know. And almost everywhere you dig, there are problems like this that if you love it enough, you can solve. Like if you actually care about solving that problem. And one of the things I'm excited about is getting the chance to tackle some of them. You mentioned AI and everyone's doing something LLM, but. But recently one of our front end people and, and one of the designers had this idea that said, look, we can add custom icons on this one arcane part of the site, but that maybe we could use an LLM to figure out what this person intended when they created that flock. So that even if they know nothing else, like, if they were doing it geographically, we'll put up a Statue of Liberty. Or if they were doing it by job, by functional group, like, we'll put up a functional group. And so internally, we had this whole crack at, like, can we do these custom icons based on an LLM? And most customers are probably not even going to notice it. And for me, like, that's cool. Like, there's new technology and there's new potential, and maybe we can just add that little spark of delight for someone. And so I'm excited about that. I think your original question was, is the world going to melt down with AI, or does defense now win with AI? I think there's new tools for both sides to play with, and generally attck gets to use them quicker. And I think that will play out here, too. But it's an exciting time again. It's a fun time.
[20:29]
Casey Ellis
A lot of fun things to work on. All right, well, we'll wrap with that, so thank you so much, Harun. It's been a pleasure, as always, to catch up. This is Casey Ellis with the Risky Business News podcast. And that was a sponsored interview with Harun Meir from thinkst.
[20:42]
Harun Meir
Thanks so much, man.