The Peel with Turner Novak

Episode: How Duo Security went Zero to $1B ARR in Ann Arbor | Doug Song, Jon Oberheide

Date: February 5, 2026
Guests: Doug Song & Jon Oberheide (Co-founders, Duo Security)

Episode Overview

This episode is a deep dive into Duo Security's journey—from its hacker roots in Michigan to becoming one of the world’s most admired and capital-efficient SaaS stories. Doug Song and Jon Oberheide share the founding narrative, how a customer-obsessed culture and product design philosophy propelled their growth in a seemingly saturated cybersecurity market, and the advantages of building a billion-dollar tech company in Ann Arbor, Michigan rather than Silicon Valley. The conversation provides playbooks for founders, inside stories from cybersecurity’s wild west days, and reflections on navigating high-stakes growth, acquisition by Cisco, and the Ann Arbor/Michigan ecosystem.

Key Discussion Points & Insights

1. Origins in Hacking and Early Security Culture

[03:39–10:47]

Doug and Jon discuss their formative years in the 90s hacking subculture, swapping stories ranging from DIY email “marketing” as teenagers to open honeypots for catching would-be attackers.
- “Hackers, when they first meet, they already know each other … It's very rare that you have hackers who have spent any time building stuff they don’t already have sort of a perspective on who each other are.” — Doug Song [07:13]
Early hacker ethic was rooted in curiosity, puzzle-solving, and counterculture (“hippie cypherpunk libertarian movement”), rather than commercial or geopolitical motives.
- “It was more of the sort of intellectual pursuit of information, solving these really complicated puzzles, understanding how these systems work.” — Jon Oberheide [10:10]
Legacies from these communities include Linux, BSD, and foundational work by now legendary figures (Sean Parker, Jan Koum, Sean Fanning).

2. The Michigan Advantage and Staying Outside Silicon Valley

[14:49–28:36]

The University of Michigan’s research prowess and technical culture created a fertile ground for startups (major alumni include Twilio, Arbor Networks, and more).
- “Michigan is a powerhouse… The birthplace of the Internet actually was here.” — Doug Song [16:31]
Doug and Jon defied pressure to move to the Valley, instead leveraging Ann Arbor’s world-class but underappreciated talent base, cost-of-living, and support networks.
- “There’s something strategic about any place… The alchemy of turning that into some unfair advantage for us, that was Michigan, right, in Ann Arbor.” — Doug Song [22:32]
Staying in Michigan led to stability and low churn—employees stayed and grew as the company scaled, compared to high turnover cycles seen in SF.
Their deliberate choice to hire talent outside the typical security background injected first-principles thinking, product and design savvy, and novelty.
- “If we went out and hired all the folks from Symantec and McAfee… we would have built the same shitty company those companies were.” — John Oberheide [26:44]

3. Building the Company—Culture, Leadership & Customer Focus

[28:39–43:55]

Reluctant, humble leadership was central: Doug considered quitting the CEO role, and both maintained a “never delegate product, culture, or brand” principle.
- “For me, it's always been more about... the soul of the business. That's what cannot be replaced.” — Doug Song [34:16]
They prioritized teaching and “obsoleting themselves” as leaders, pushing ownership and decision-making down to every level.
- “...our job is simply to understand: what do they want to do and how do our needs present as opportunities for them?” — Doug Song [41:56]
Open source and academic team traditions shaped a “blameless”, learning-focused, and highly autonomous environment.
- Memorable Cultural Moment:
  “Anyone good in security does both, you have to build and break.” — Doug Song [08:28]
Commitment to employee growth was realized through Individual Development Plans (IDPs), personal progression roadmaps, and open conversations about career arcs.
- “My hope is that Duo is like the springboard. When you're looking back… that was the role where I learned the most, we grew the fastest...” — John Oberheide [41:13]

4. Duo’s Product Philosophy—Design for Users, Serve Non-Consumption

[44:00–61:17]

Product: Duo provides secure, seamless access (MFA, SSO, etc.) to corporate apps, but their distinctiveness was designing for end users, not just security teams.
- “We make it easier to do things, not harder. Where most security is about putting up hurdles...” — Doug Song [44:41]
They flipped the norm by targeting non-consumption—making security accessible for SMBs and mid-market, who had been neglected.
- “Our slogan early on was like, security sucks. Who has time for this?” — John Oberheide [45:21]
Instead of starting with large enterprises, they built for small orgs first, gradually scaling “up market”. Their first clients were a regional healthcare group, Facebook, and the Sioux tribe of Michigan.
- “How do you build sophisticated technology, power tools that your 3-year-old can use?” — Jon Oberheide [54:13]
Freemium experiences, self-serve signups, and consumer-inspired design were radical in security at the time.
- “We were solving the problem of non-consumption of security.” — Doug Song [59:14]

5. Go-to-Market, Branding, and Empathy

[61:19–77:46]

They challenged standard TAM (Total Addressable Market) frameworks, as the real opportunity was in creating new markets by serving overlooked customers.
- "If you’re building something of real value, you’re either reshaping or creating the market." — Doug Song [60:50]
Branding: Duo’s green logo (vs. typical red/black security tones) symbolized an “open door”, frictionless experience for the user.
- “Everything’s like red and black and scary... we’re like, this is nonsense. It’s super defeatist and negative.” — John Oberheide [68:55]
Memorable Marketing Play: During customer security breaches, when competitors cold-called with sales pitches, Duo would send pizzas and Red Bull with a supportive note.
- “That doesn’t happen unless you truly understand what’s happening…” — John Oberheide [70:05]
Duo’s customer persona work included every touchpoint—even legal processes were shaped for the optimal end user experience.

6. Scaling, Global Expansion, and Say-No Discipline

[77:47–87:47]

International expansion was rocky; European sales models, cultural transfer, and highly fragmented markets made localization tough.
- “The culture and institutional knowledge transfer is so huge. That’s a place where we missed.” — John Oberheide [81:32]
Deliberate resistance to lucrative distractions (like on-prem “Duo-in-a-Box” sales) preserved the company’s cloud-first vision.
- “Say no to DOPE (Duo On Prem Enterprise).” — Jon Oberheide [87:28]
Instead, their US and Austin expansion was orchestrated by transplanting small, full-function “pods” to replicate Ann Arbor’s ethos.
When scaling, autonomy at the team level (pods, “two-pizza teams”) enabled rapid, independent execution.

7. Capital Efficiency & Playbooks for Growth

[91:28–103:59]

Duo reached $100M ARR on just $14M of burn, and was often cash flow positive—unheard of for a high-growth SaaS business.
- “We burnt 8 million of capital to get to a hundred and maybe burned like 20 million at the time of exit. Overall.” — Jon Oberheide [92:45]
Growth was not blindly maximal—deliberate, sustainable growth was prioritized over chasing vanity metrics.
- “We were trying to grow responsibly without doing a bunch of dumb stuff.” — John Oberheide [94:44]
Open financials and frequent, transparent internal reporting helped align and engage the entire company in operational metrics.

Notable Metric Callout:

“Tamash Senguz wrote about this early... we claimed we were the best SaaS metrics he’d ever seen.” — Doug Song [92:28]

8. Acquisition by Cisco and Lessons from Integration

[99:42–111:30]

Cisco’s acquisition process was lengthy, competitive (Workday made an offer first), and eventually resulted in a $2.35B deal that was among the highest multiples ever for a private SaaS.
- “They made a bid and we're like, no, that number is not even in the zip code.” — Doug Song [100:52]
- “Matt [Kohler] said: You’re not worth 800M, you’re worth at least 2B… 12, 18 months later, we came back with an offer from Cisco at 2.2B, 2.4B.” — John Oberheide [102:29]
Integration with Cisco “wasn’t our way or their way, but a third way”—Duo’s leaders consciously influenced broader Cisco culture and design practices.
Post-acquisition lessons centered on the risks of losing customer proximity, and the inertia large hardware-driven orgs face transitioning to SaaS/software motion.
- “So much of time is dedicated to: are you managing within 5% of your monthly OPEX envelope?... you just kind of lose that sense of what are we doing every single day that’s building value for the customers.” — John Oberheide [104:55]

9. The Michigan Tech Ecosystem & Giving Back

[111:53–126:31]

Both co-founders are deeply invested in the regional ecosystem: Doug focuses on community-building, cross-sector investment (tech, media, real estate), and growing Michigan’s social capital and founder density.
- “We have to create the kind of place and product Detroit needs to create the product for scaling companies…” — Doug Song [120:49]
Reflecting on Ann Arbor’s “sleeper” status—46 known unicorn founders from U of M, a string of multi-billion-dollar local exits, and a vast, under-celebrated alumni pipeline ripe for nurturing.
- “Only three of those [U of M unicorn companies] actually stayed. We were the first.” — Doug Song [114:46]
Both challenge the notion that a world-class tech company needs to be born in SF. Their message: leverage the “strange unfair advantages” your location provides and cultivate optionality.

Memorable Quotes & Moments

On humility as a CEO:
“Doug would just be like, I don’t think I’m doing a good job. You guys need to replace me, let me know.” — John Oberheide [32:16]
On customer empathy:
“Has there ever been a security product that’s like, Turner, you’re doing a good job? No, it’s like, Turner, you’re terrible at computing…” — John Oberheide [45:44]
On resisting bad growth opportunities:
“Say no to DOPE (Duo On Prem Enterprise).” — Jon Oberheide [87:28]
On market creation:
“If you’re building something really of value, you’re reshaping or creating the market for it in some way.” — Doug Song [60:50]

Timestamps for Key Segments

Early hacking culture & backgrounds: [03:39–13:15]
Michigan as a tech hub: [14:49–19:33]
Staying outside SF, talent/culture advantages: [21:01–28:36]
Product philosophy, customer-focused design: [44:00–61:17]
Branding, marketing, empathy, 'pizza play': [68:35–71:17]
Scaling, international expansion, avoiding on-prem: [77:46–87:41]
SolarWinds incident and product feedback loops: [87:54–91:28]
Growth metrics, openness, responsible scaling: [91:28–97:06]
Acquisition by Cisco, integration lessons: [99:42–111:30]
Post-exit, Michigan ecosystem, current focus: [111:53–126:31]

Takeaways for Founders and Operators

You can build world-class technology companies outside Bay Area power centers if you tap into unique local strengths and foster a purposeful, growth-minded culture.
Customer empathy—in product, process, and even crisis—can be a lasting moat.
Reluctant, humble leadership and deliberate growth can outperform blitzscaled, playbook-first approaches.
Redefining your market (and who your true customer is) can yield outlier outcomes.
Transparent internal communication and active talent development fuel sustainable scale.

For more inspiring founder journeys, check out the full back catalog of The Peel.
Subscribe to the Split newsletter for transcripts and recaps delivered weekly!

The Peel with Turner Novak

Episode: How Duo Security went Zero to $1B ARR in Ann Arbor | Doug Song, Jon Oberheide

Date: February 5, 2026
Guests: Doug Song & Jon Oberheide (Co-founders, Duo Security)

Episode Overview

Key Discussion Points & Insights

1. Origins in Hacking and Early Security Culture

[03:39–10:47]

Doug and Jon discuss their formative years in the 90s hacking subculture, swapping stories ranging from DIY email “marketing” as teenagers to open honeypots for catching would-be attackers.
- “Hackers, when they first meet, they already know each other … It's very rare that you have hackers who have spent any time building stuff they don’t already have sort of a perspective on who each other are.” — Doug Song [07:13]
Early hacker ethic was rooted in curiosity, puzzle-solving, and counterculture (“hippie cypherpunk libertarian movement”), rather than commercial or geopolitical motives.
- “It was more of the sort of intellectual pursuit of information, solving these really complicated puzzles, understanding how these systems work.” — Jon Oberheide [10:10]
Legacies from these communities include Linux, BSD, and foundational work by now legendary figures (Sean Parker, Jan Koum, Sean Fanning).

2. The Michigan Advantage and Staying Outside Silicon Valley

[14:49–28:36]

The University of Michigan’s research prowess and technical culture created a fertile ground for startups (major alumni include Twilio, Arbor Networks, and more).
- “Michigan is a powerhouse… The birthplace of the Internet actually was here.” — Doug Song [16:31]
Doug and Jon defied pressure to move to the Valley, instead leveraging Ann Arbor’s world-class but underappreciated talent base, cost-of-living, and support networks.
- “There’s something strategic about any place… The alchemy of turning that into some unfair advantage for us, that was Michigan, right, in Ann Arbor.” — Doug Song [22:32]
Staying in Michigan led to stability and low churn—employees stayed and grew as the company scaled, compared to high turnover cycles seen in SF.
Their deliberate choice to hire talent outside the typical security background injected first-principles thinking, product and design savvy, and novelty.
- “If we went out and hired all the folks from Symantec and McAfee… we would have built the same shitty company those companies were.” — John Oberheide [26:44]

3. Building the Company—Culture, Leadership & Customer Focus

[28:39–43:55]

Reluctant, humble leadership was central: Doug considered quitting the CEO role, and both maintained a “never delegate product, culture, or brand” principle.
- “For me, it's always been more about... the soul of the business. That's what cannot be replaced.” — Doug Song [34:16]
They prioritized teaching and “obsoleting themselves” as leaders, pushing ownership and decision-making down to every level.
- “...our job is simply to understand: what do they want to do and how do our needs present as opportunities for them?” — Doug Song [41:56]
Open source and academic team traditions shaped a “blameless”, learning-focused, and highly autonomous environment.
- Memorable Cultural Moment:
  “Anyone good in security does both, you have to build and break.” — Doug Song [08:28]
Commitment to employee growth was realized through Individual Development Plans (IDPs), personal progression roadmaps, and open conversations about career arcs.
- “My hope is that Duo is like the springboard. When you're looking back… that was the role where I learned the most, we grew the fastest...” — John Oberheide [41:13]

4. Duo’s Product Philosophy—Design for Users, Serve Non-Consumption

[44:00–61:17]

Product: Duo provides secure, seamless access (MFA, SSO, etc.) to corporate apps, but their distinctiveness was designing for end users, not just security teams.
- “We make it easier to do things, not harder. Where most security is about putting up hurdles...” — Doug Song [44:41]
They flipped the norm by targeting non-consumption—making security accessible for SMBs and mid-market, who had been neglected.
- “Our slogan early on was like, security sucks. Who has time for this?” — John Oberheide [45:21]
Instead of starting with large enterprises, they built for small orgs first, gradually scaling “up market”. Their first clients were a regional healthcare group, Facebook, and the Sioux tribe of Michigan.
- “How do you build sophisticated technology, power tools that your 3-year-old can use?” — Jon Oberheide [54:13]
Freemium experiences, self-serve signups, and consumer-inspired design were radical in security at the time.
- “We were solving the problem of non-consumption of security.” — Doug Song [59:14]

5. Go-to-Market, Branding, and Empathy

[61:19–77:46]

They challenged standard TAM (Total Addressable Market) frameworks, as the real opportunity was in creating new markets by serving overlooked customers.
- "If you’re building something of real value, you’re either reshaping or creating the market." — Doug Song [60:50]
Branding: Duo’s green logo (vs. typical red/black security tones) symbolized an “open door”, frictionless experience for the user.
- “Everything’s like red and black and scary... we’re like, this is nonsense. It’s super defeatist and negative.” — John Oberheide [68:55]
Memorable Marketing Play: During customer security breaches, when competitors cold-called with sales pitches, Duo would send pizzas and Red Bull with a supportive note.
- “That doesn’t happen unless you truly understand what’s happening…” — John Oberheide [70:05]
Duo’s customer persona work included every touchpoint—even legal processes were shaped for the optimal end user experience.

6. Scaling, Global Expansion, and Say-No Discipline

[77:47–87:47]

International expansion was rocky; European sales models, cultural transfer, and highly fragmented markets made localization tough.
- “The culture and institutional knowledge transfer is so huge. That’s a place where we missed.” — John Oberheide [81:32]
Deliberate resistance to lucrative distractions (like on-prem “Duo-in-a-Box” sales) preserved the company’s cloud-first vision.
- “Say no to DOPE (Duo On Prem Enterprise).” — Jon Oberheide [87:28]
Instead, their US and Austin expansion was orchestrated by transplanting small, full-function “pods” to replicate Ann Arbor’s ethos.
When scaling, autonomy at the team level (pods, “two-pizza teams”) enabled rapid, independent execution.

7. Capital Efficiency & Playbooks for Growth

[91:28–103:59]

Duo reached $100M ARR on just $14M of burn, and was often cash flow positive—unheard of for a high-growth SaaS business.
- “We burnt 8 million of capital to get to a hundred and maybe burned like 20 million at the time of exit. Overall.” — Jon Oberheide [92:45]
Growth was not blindly maximal—deliberate, sustainable growth was prioritized over chasing vanity metrics.
- “We were trying to grow responsibly without doing a bunch of dumb stuff.” — John Oberheide [94:44]
Open financials and frequent, transparent internal reporting helped align and engage the entire company in operational metrics.

Notable Metric Callout:

“Tamash Senguz wrote about this early... we claimed we were the best SaaS metrics he’d ever seen.” — Doug Song [92:28]

8. Acquisition by Cisco and Lessons from Integration

[99:42–111:30]

Cisco’s acquisition process was lengthy, competitive (Workday made an offer first), and eventually resulted in a $2.35B deal that was among the highest multiples ever for a private SaaS.
- “They made a bid and we're like, no, that number is not even in the zip code.” — Doug Song [100:52]
- “Matt [Kohler] said: You’re not worth 800M, you’re worth at least 2B… 12, 18 months later, we came back with an offer from Cisco at 2.2B, 2.4B.” — John Oberheide [102:29]
Integration with Cisco “wasn’t our way or their way, but a third way”—Duo’s leaders consciously influenced broader Cisco culture and design practices.
Post-acquisition lessons centered on the risks of losing customer proximity, and the inertia large hardware-driven orgs face transitioning to SaaS/software motion.
- “So much of time is dedicated to: are you managing within 5% of your monthly OPEX envelope?... you just kind of lose that sense of what are we doing every single day that’s building value for the customers.” — John Oberheide [104:55]

9. The Michigan Tech Ecosystem & Giving Back

[111:53–126:31]

Both co-founders are deeply invested in the regional ecosystem: Doug focuses on community-building, cross-sector investment (tech, media, real estate), and growing Michigan’s social capital and founder density.
- “We have to create the kind of place and product Detroit needs to create the product for scaling companies…” — Doug Song [120:49]
Reflecting on Ann Arbor’s “sleeper” status—46 known unicorn founders from U of M, a string of multi-billion-dollar local exits, and a vast, under-celebrated alumni pipeline ripe for nurturing.
- “Only three of those [U of M unicorn companies] actually stayed. We were the first.” — Doug Song [114:46]
Both challenge the notion that a world-class tech company needs to be born in SF. Their message: leverage the “strange unfair advantages” your location provides and cultivate optionality.

Memorable Quotes & Moments

On humility as a CEO:
“Doug would just be like, I don’t think I’m doing a good job. You guys need to replace me, let me know.” — John Oberheide [32:16]
On customer empathy:
“Has there ever been a security product that’s like, Turner, you’re doing a good job? No, it’s like, Turner, you’re terrible at computing…” — John Oberheide [45:44]
On resisting bad growth opportunities:
“Say no to DOPE (Duo On Prem Enterprise).” — Jon Oberheide [87:28]
On market creation:
“If you’re building something really of value, you’re reshaping or creating the market for it in some way.” — Doug Song [60:50]

Timestamps for Key Segments

Early hacking culture & backgrounds: [03:39–13:15]
Michigan as a tech hub: [14:49–19:33]
Staying outside SF, talent/culture advantages: [21:01–28:36]
Product philosophy, customer-focused design: [44:00–61:17]
Branding, marketing, empathy, 'pizza play': [68:35–71:17]
Scaling, international expansion, avoiding on-prem: [77:46–87:41]
SolarWinds incident and product feedback loops: [87:54–91:28]
Growth metrics, openness, responsible scaling: [91:28–97:06]
Acquisition by Cisco, integration lessons: [99:42–111:30]
Post-exit, Michigan ecosystem, current focus: [111:53–126:31]

Takeaways for Founders and Operators

You can build world-class technology companies outside Bay Area power centers if you tap into unique local strengths and foster a purposeful, growth-minded culture.
Customer empathy—in product, process, and even crisis—can be a lasting moat.
Reluctant, humble leadership and deliberate growth can outperform blitzscaled, playbook-first approaches.
Redefining your market (and who your true customer is) can yield outlier outcomes.
Transparent internal communication and active talent development fuel sustainable scale.

For more inspiring founder journeys, check out the full back catalog of The Peel.
Subscribe to the Split newsletter for transcripts and recaps delivered weekly!

wavePod

How Duo Security went Zero to $1B ARR in Ann Arbor | Dug Song, Jon Oberheide

Summary

The Peel with Turner Novak

Episode: How Duo Security went Zero to $1B ARR in Ann Arbor | Doug Song, Jon Oberheide

Episode Overview

Key Discussion Points & Insights

1. Origins in Hacking and Early Security Culture

2. The Michigan Advantage and Staying Outside Silicon Valley

3. Building the Company—Culture, Leadership & Customer Focus

4. Duo’s Product Philosophy—Design for Users, Serve Non-Consumption

5. Go-to-Market, Branding, and Empathy

6. Scaling, Global Expansion, and Say-No Discipline

7. Capital Efficiency & Playbooks for Growth

Notable Metric Callout:

8. Acquisition by Cisco and Lessons from Integration

9. The Michigan Tech Ecosystem & Giving Back

Memorable Quotes & Moments

Timestamps for Key Segments

Takeaways for Founders and Operators

Summary

The Peel with Turner Novak

Episode: How Duo Security went Zero to $1B ARR in Ann Arbor | Doug Song, Jon Oberheide

Episode Overview

Key Discussion Points & Insights

1. Origins in Hacking and Early Security Culture

2. The Michigan Advantage and Staying Outside Silicon Valley

3. Building the Company—Culture, Leadership & Customer Focus

4. Duo’s Product Philosophy—Design for Users, Serve Non-Consumption

5. Go-to-Market, Branding, and Empathy

6. Scaling, Global Expansion, and Say-No Discipline

7. Capital Efficiency & Playbooks for Growth

Notable Metric Callout:

8. Acquisition by Cisco and Lessons from Integration

9. The Michigan Tech Ecosystem & Giving Back

Memorable Quotes & Moments

Timestamps for Key Segments

Takeaways for Founders and Operators