Adam Markowitz

Foreign.

Omar Khan

Welcome to another episode of the SaaS podcast. I'm your host Omar Khan and this is a show where I interview proven founders and industry experts who share their stories, strategies and insights to help you build, launch and grow your SaaS business. In this episode I talk to Adam Markowitz, the co founder and CEO of Drata, a trust management platform that helps companies automate compliance, security assurance and third party risk management. Adam never planned to be a founder. As a kid he wanted to be an astronaut and that led him to aerospace engineering and in 2008 he landed his dream job working on NASA's space shuttle program. Three years later, NASA retired the program, so he taught himself to code and built Portfolium, a platform that helps students prove their skills with real project work instead of resume bullet points. It took years, but eventually he got IT into over 500 universities and the company was acquired for $43 million. But it was during those long university sales cycles that something stuck with him. A CIO at the largest four year public university system in the country asked Adam to prove his company's security posture. He couldn't do it. His entire company was built on the idea of proving things with evidence, and here he was asking a customer just to take his word for it. That bothered him enough that his team built internal tools to monitor their own compliance continuously. After the acquisition, they saw their new parent company doing the same thing manually. And it seems so was every other company they Talked to. In 2020, Adam got the band back together. The same co founders, same early engineering team. They spent six months building the first version of Drata. Then they did something most founders wouldn't. They refused to sell to anyone until they used their own product to get SoC2 compliant first. When they launched, they signed 100 customers in six weeks and 1,000 within the first year. But everything kept breaking. Lead, routing, org structure, onboarding. They were building the plane while flying it. But Adam had spent seven years selling a nice to have in edtech. He knew how rare it was to have customers lining up for something they actually needed. So instead of slowing down, the team leaned in harder and Adam had no idea if the company could keep scaling without things falling apart completely. Today, Drata has over 8,000 customers across 60 countries, more than 600 employees, and crossed 100 million in ARR before its fourth birthday. The company has also raised over $300 million. In this episode, you'll learn how give before you take approach to the AWS Partnership made Drata a top five IT fee in the marketplace in under two years. Why Adam deliberately built an aggressive sales culture from day one, and what he said when prospective customers started calling to complain how talking to dozens of companies and auditors before writing any code shaped exactly where Drata was focused. First we talk about what it was like going from selling something nobody wanted to a product customers were lining up for, and why Adam told his earliest investors that Drata would never be the most important thing in his life and and how he's still raised over $300 million, so I hope you enjoy it. If you're building or investing in a SaaS company, you already know security isn't optional. One breach and everything you've built can be at risk. That's where ThreatLocker comes in. Imagine having the power to decide exactly what's allowed to run in your environment and blocking everything else by default. No guessing. No hoping your existing solutions catch it. Real enforceable control. ThreatLocker is a zero trust platform that locks down your environment without disrupting operations, gives you total visibility, and stops unauthorized applications before they become a problem. If you want stronger security and tighter control, visit threatlocker.com that's threatlocker.com you're putting in the hours, but your SaaS isn't growing. It's not your product, it's not your pricing. It's the way you're wired as a founder. And once you see it, everything changes. Every founder has a blind spot. The builder ships great code but forgets to sell. The visionary chases big ideas but can't execute. The optimizer tweaks endlessly. Instead of finding customers. Which one are you? I created a free quiz that identifies your founder archetype and gives you a specific playbook to fix what's holding you back. Take the quiz at sasclub IO Quiz. That's sasclub IO quiz. You've built the product, you've got a few customers, but 10k in MRR still feels miles away and you're not sure what to do next. That's the hardest part of the early stage. Not building, figuring out what actually moves the needle. SaaS club launch gives you a clear plan, weekly coaching, and direct access to me. So you're not guessing anymore. Apply@SASClubIO launch. That's SASClub IO launch. Adam, welcome to the show.

Adam Markowitz

Thanks for having me.

Omar Khan

It's my pleasure. Do you have a favorite quote that you can share with us?

Adam Markowitz

A favorite quote? I'm not a big quote guy, but I do actually have one written on the wall over here. If I could turn my monitor you'll be able to see it. It says, may you always remember to enjoy the road, especially when it's a hard one. I think it's very appropriate for founders, entrepreneurs. And it was Kobe Bryant who actually said it.

Omar Khan

Oh, love it. That's a good one. So tell us about Drata. What does the product do, who's it for and what's the main problem you're helping to solve?

Adam Markowitz

Yeah, Drata is a five year old company. It's a trust management platform with multiple products that solve number of use cases, from compliance automation to security assurance and third party risk management. About five years ago when we started, we saw a pretty big problem. We lived the problem ourselves and it was around how trust frankly was being earned and maintained. Business to business. Trust is foundational to our company, to our vision, our mission. And for me personally, just in life, I would say outside of time, trust is one of our most precious assets. And we saw trust being earned in these point in time, take my word for it type moments, whether it was point in time audits, point in time questionnaires or assessments between companies. And fundamentally that felt broken and we lived that ourselves. And so it's been five years of delivering now multiple products within this platform. A trust management platform to help companies earn and maintain trust as they scale. Great.

Omar Khan

And give us a sense of the size of the business. Where are you in terms of revenue, customers, size of team?

Adam Markowitz

Yeah, about again, we're turning five in a couple of weeks, so it'll be a fun birthday. But over 8,000 global customers now across more than 60 countries. We've got over 600 employees. Those 8,000 customers range from small startups pursuing compliance frameworks like SoC2 and ISO 27001 for the very first time, all the way to the Fortune 100. So it's been a story of rapid hyper growth for sure, over five years.

Omar Khan

Right. And revenue.

Adam Markowitz

We crossed 100 million before our fourth birthday, so almost a year ago.

Omar Khan

That's pretty amazing growth.

Adam Markowitz

Quite the ride and still very much getting started.

Omar Khan

Yeah. And you've raised what, just over, was it 300 million to date?

Adam Markowitz

Yeah, just over 300 million over those five years.

Omar Khan

We'll talk about the story of how you built Drata, but you've got an interesting background. Very interesting background actually. And so I want to talk a little bit about that because then it will make sense in terms of your previous startup and how that led you to building drata. But before that, the first question I have for you is like, did you want to be an Astronaut when you were a kid.

Adam Markowitz

Still do. Yeah. Who doesn't? Yeah, I think I was maybe like 4 years old when I realized that was a pretty cool dream to have. And yeah, I don't think I've ever truly grown out of it. And that, that definitely led me down an educational journey in aerospace and astronautics and now still a side passion of my own.

Omar Khan

Yeah. So the reason I asked that is because you, you worked on the space shuttle project, Right. You were working for a contractor who was working with, with NASA at the time.

Adam Markowitz

Yeah. Right out of undergrad, I landed my dream job working on NASA space shuttle program. This is in 2008. And I worked in the program, the main engine team, for three, three and a half years, right up until NASA retired the whole program, the space shuttle program. And so that was a dream come true because that growing up in the 80s 90s, that was the very program that inspired me to want to be an astronaut in the first place. And so getting a chance to work on it, I didn't realize it was going to be the tail end of the program when I started working on it, but hindsight 20 20, it's incredibly proud that I got the chance to do that. Really special.

Omar Khan

Yeah. Because we were talking earlier and I said when I was doing research for this interview, I was like, how does somebody working on the space shuttle go to building? Becoming a startup founder? So it's sort of an interesting journey. But before you started Drata, you, you built and sold another startup called Portfolium, right?

Adam Markowitz

Yeah. And so, you know, I again, growing up, I was on that aerospace track. And so, you know, I talked to other founders who are just like, from, from the moment they were 4 years old, they wanted to build companies, they wanted to. And that just was not ever in my mind. It's almost like an accidental entrepreneur. And so, but there is a kind of a method to the madness here, Right? So I landed that dream job working on the space shuttle program by doing something that ultimately became the light bulb moment for starting that company, Portfolium. So I brought a portfolio into my job interviews in 2008 to try to stand out and basically prove everything that an interviewer would find on my resume with evidence. You know, coming out of undergrad, I look around the room and all of the interviewees, myself included, we all took the same classes, we had similar GPAs, we went to a great school, and yet we're interviewing for this company. Like, what's going to make me stand out? How can I take that bullet point on the resume and prove it give you like the assurance that there's. There's more than just, you know, the word leadership on the resume. And so it worked. I landed my dream job. Right. I stood out and it was this light bulb moment that there's something here, there's something to this. And after NASA retired the space shuttle program, I found myself wanting to take that passion project and turn it into something like a company and so forth turned into a product and so learned to code and enough to be dangerous. And this is back in 2013 now, so before even there was like coding boot camps and stuff. So a lot of YouTube videos, time on Stack Overflow and got to a point where I had something that I could put in front of students that was kind of like a LinkedIn centered around a E portfolio instead of a resume or a profile, given the ability to upload and showcase evidence of their skills. So projects, papers, presentations. And that was the initial phase, I guess the MVP of what ultimately became a company called Portfolio.

Omar Khan

What did you build the product with? What was the tech stack? Oof,

Adam Markowitz

a PHP in MySQL. But.

Omar Khan

And you taught yourself how to put.

Adam Markowitz

I have no ego whatsoever. And the code that I was writing back then was held together with, you know, sticks and bubble gum. So I knew, you know, day one, I had to obviously find myself a technical co founder. And I lucked out because I was able to join incubator startup incubator program here in San Diego called Evo Nexus, where on the very first day I met Daniel Marashlin who ended up becoming our co founder CTO and took everything I wrote and rewrote it from scratch. And I think he said he still saved the code somewhere so we could look back on it and laugh one day. But there was, I think he appreciated one, the humility to know what I'm building here is this is an mvp. I need to prove this out. And also just the relentless competitive drive to figure out whatever it was going to take to get this into the hands and prove that I had something here.

Omar Khan

The thing with Portfolium is that you eventually went on to sell this business for 43 million and you had how many over? I had a number somewhere here, but what was like over 5 million students on the platform. And you had sold this to a bunch of universities, right?

Adam Markowitz

Yeah. And so obviously it was a long journey in a very difficult space. Right. Education technology, ed tech is notorious for a lot of good reasons, but it was a long path of product market fit for portfolio. Obviously I experienced the pain and then a solution. But went through a really interesting process of validating that and you know, nothing by the book in terms of, you know, a lean startup or anything like that. In a lot of ways it was a solution in search of a problem. And it wasn't until we started selling into partnering with them and selling into universities to where we could really get this in the place where it's. I called it even a company rather than just a product because in order to eventually have a business model where we're charging employers to recruit students in recent grads, we had to have millions of students. The chicken or egg problem of a two sided marketplace, we need that supply. And so just boots on the ground trying to get students to use something like Portfolium. We did a decent job. I mean within 12 months we had about 30,000 students using the platform. It's nowhere near enough. And so we started getting, partnering with and selling into universities and learned a lot in that process. But the beauty is the university got to help their students with the provide them a tool to help them land great careers and also be able to prove that the education they're receiving actually does lead to valuable careers because of the data on the back end allowed them to at least in aggregate showcase that where their students are landing great jobs and what industry is based on what majors. And so chicken and egg problem was pretty much solved at that point. We sold into over 500 universities in a two and a half year period. And that then brought in millions of students and recent grads into this network that then jump started things.

Omar Khan

So when you started out these. Well, first of all you said you went through this really unusual way of sort of validating the product. Tell me a little bit more about that.

Adam Markowitz

Unusual in the sense that yeah, first time founding an accidental entrepreneur hadn't really even read a book or been surrounded by, you know, any other SaaS company doing anything really. And so learning a lot of things the hard way unfortunately. But it served us well going forward. I was obsessed with iterating on that user experience, the actual student in this case, it was a free product for them. And so getting in the room with them and letting them tell me what they want and how they want it and then quickly delivering like there was great lessons in all of that. So that by the time we actually had a sustainable business model selling into universities, we got to show the university before we even sold them anything that hey, your students are already using this. What other edtech product can say that on the very in the Very first meeting, showcase the fact that you're not going to have to really push your students into this. They're already using it. So we're just going to increase that adoption by actually partnering and making it official. But that was again, a very, very long path versus had we just started from day one saying, this is an edtech company, we're going to go and sell this to these universities. That would have been very different. I don't know if it would have been better, frankly, when I look back on it, only because I do think the beauty was in that iterative process in the beginning, working with students, even though they weren't the buyer, if that makes sense.

Omar Khan

Yeah, yeah. So what was the business model like? What were the universities paying for if this product is already available free to students?

Adam Markowitz

So we layered on top of this just kind of social professional network where the students got this value and we're connecting with employers and showcasing their skills. Universities historically had adopted eportfolios to do learning outcomes assessment for accreditation purposes. So that was all of a sudden a true need that universities had. And so we layered on tooling that allowed the universities to do that and do it in a much more efficient way. And so there was now real tangible benefit, real ROI for the university, not just in helping their students land jobs and being able to report on that, that was great. But there wasn't like a line item in the budget for something like that. There definitely was for learning outcomes assessment. Again, historically, that's why they would adopt something like an eportfolio. So there was some explaining to do as to, hey, yes, this is an eportfolio to do that, but it's also an eportfolio to help your students launch their careers. And so by bringing both those together, it definitely helped us differentiate and became part of how we sold.

Omar Khan

I've talked to several founders who are in the edtech space, and one thing that they all share is the complaints about trying to sell to universities. Whether it's trying to figure out how to figure out who the ideal buyer is, who has the budget, the long sales cycles. When you look back at your experience, what's one thing that you learned from that? If you had known when you started out, might have made things a little easier.

Adam Markowitz

That's a good question. Like I said, we were three years into this journey before we started actually building those learning outcome assessment modules. That's too long. We could have gotten to that realization sooner. That's one thing of making sure it's tied to a budgeted line item universities. Each one has various initiatives. The good thing is at least the public universities are, it's all public information and it's showcased proudly across their websites and materials, including ownership, accountability across different departments at university. And so, you know, grass is always greener. I mean there's a lot of good things actually about selling into edtech too, like that being one of them. You could, yes, it's a long sales cycle, but understanding what the initiatives are for, for the year, for that set of years and who's ultimately responsible is going to care, you start recognizing those patterns. For us it was, you know, offices of student success started forming more and more across these different universities. I will say the hardest, one of the hardest parts was getting those first, let's say five handful of universities to ultimately become customers, which can be said for any startup, right? Those first customers typically the hardest, maybe in ed tech more than other spaces. You know, no one wants to be first, but no one wants to be last either. And so there's a bit of a snowball effect. Once handful of universities are now on board showcasing evidence of success and then getting on a webinar, providing case studies, success stories, well then you get that, you get that flywheel going. But those early days were brutal.

Omar Khan

So let's talk about Drata. You eventually sold Portfolium and I think it was a couple of years, a year or two later before you started Drata. And one of the reasons for it was some of the pains that you experienced at portfolium with SoC2 compliance.

Adam Markowitz

Yeah, it's funny, I will say Portfolium was bought or it was acquired, it wasn't sold. And the difference really just being like we weren't out trying to sell the company. We finally hit this nice inflection point. We actually had true product market fit again, millions of students, hundreds of paying universities and we hadn't even truly unlocked the employer revenue which was ultimately going to be the real driver. When one of our partners who we were tightly integrated with a learning management system, canvas their parent company and structure, they basically had a front row seat to the traction and saw the students across all their universities adopting this. And so that was how that ended up happening the way it did and as quickly as it did. But I, I'll never forget it, you know, selling into universities, trying to get a repeatable motion that wasn't just founder led sales motion and understanding during these long sales cycles and the various stages of them, one being the security review process. Portfolium, as I said, was a product that Helps students prove their skills with evidence. It was a fundamental core belief and a whole philosophy of the company. Earn trust by proving you deserve it. Don't take my word for it. Don't take a bullet point on my resume as the evidence. I'll provide you the actual evidence. And so none of us, myself and the other co founders, we'll never forget when we were selling into the Cal State University system, the largest four year public system in the country. Game changing opportunity on the table to bring in millions of students into this network or almost a million students and very long sales cycle. And it was the CIO at the tail end of it who rightfully challenged us and was asking for assurance evidence of our security posture. This tool is going to help our students prove their skills. Can you prove your security posture to us in those exact words in a medium? Because the short answer was no. And that wasn't okay for us. Obviously it wasn't okay for them either, but it wasn't okay for us. Knowing again full well this is what our whole mission and vision is for for Portfolium, we have to walk the walk here. We can't just say take our word for it. That goes against everything we, we believe. And so we experienced that problem and then Building Solutions 1, making sure we had the proper compliance posture so we could prove that we were going to do the right thing by the student data and then being able to prove that like any day of the year. And so we started building tools in house at portfolio to help us do that out of necessity again because it was core to what we believe it was going to be core to how we sell into universities and basically prove that we were going to do the things we said we were going to do and should be doing to protect their student data because they were handing over sensitive student data to launch these portfolios for their students. So that that was obviously one of those light bulb moments. That wasn't a light bulb moment in the moment. It was after the fact, after the company was acquired where now we saw how this large public company at the time was maintaining their own security and compliance posture. And it was very manual. We had built tools that necessity to streamline and automate it. And so that's a year after the acquisition where we kind of picked our heads up and said this is the same core problem around trust. Earning trust or proving you deserve it. Obviously in a different space. It's not just edtech and it's something that every company, especially in the cloud era, needed to prove. So that was the impetus, lived the problem, ourselves, had a solution and it rang true to again, I'm just core belief system. So it was more of a mission oriented kind of startup company.

Omar Khan

Building a SaaS company from the ground up is tough. Protecting your data and securing your environment shouldn't be. With Threat Locker you can deploy application control in days to weeks, not months to years and enable your IT team to decide exactly what's allowed to run and deny everything else by default. Lock down your environment without disrupting operations and operate with confidence. No guesswork, no reactive solutions, just true proactive control. ThreatLocker is a zero trust platform that mitigates the risk of downtime, reputational damage and cyber attacks, including ransomware and zero day exploits. If you want stronger security and tighter control, visit threatlocker.com that's threatlocker.com after the acquisition. It was about a year and a half before you founded Drata. You've sort of explained experiencing the pain firsthand and knowing that there was a solution for this. But I don't know anybody who goes through SOC 2 compliance and says, oh, let me do that again and let me do that as an all time thing. So what drove you to say, this is the problem that I really want to go and spend the next five, ten years on?

Adam Markowitz

Yeah, I mean the problem, the underlying problem was trust. How is trust going to be earned quickly and then maintained continuously? And so it made sense that in our case, a university or other company's cases, any large enterprise that they're trying to sell their software to, they're taking on risk when they have any vendor that they rely on that they're sharing data with, which is most vendors these days. And so they needed some minimum bar of assurance. Not to say like, hey, you have your SOC 2 report and it's a clean report and therefore you're trustworthy not having one that does actually tell us something. So that's what I mean. It became, we, we witnessed firsthand it becoming this minimum bar of assurance. And from there it was only going to get more and more stringent and, and rightfully so because there's more and more data breaches, they're happening more frequently and more costly and cloud proliferation. I mean we went from like having 100 vendors portfolio to, you know, we had almost 100 on day one at Drata. Right. So the risk landscape was changing pretty quick. And at the end of the day we went through our first Sock 2 audit. Or just hearing the word audit, it was almost like a. That sounds scary, but it's like wait, this is just the part where we prove we're doing the things we said we were doing. That's synonymous in our mind with how trust is earned. It's in your action. It's not what you say, it's what you do. And so the idea then that that was only being done at a single point in time, like once a year also didn't feel right. It's like there's tools, we built tools to continuously monitor these very things so we would sell to a university. It's like, here's your SoC2, here's your other thing, here's your other thing and here's a questionnaire that we're going to send you. And every university had their own unique questionnaire, sometimes 3, 400 line questionnaire about asking U.S. security questions. The again, just take our word for it. These answers like we, we're monitoring the very things that you're asking about continuously. You know, the, the trust that could be gained here and maintained, it could be so much stronger. And so that was all the writing was on the wall for. Hey, this is where the puck is going. It's something that's, you know, again, outside of time. I think trust is one of our most precious assets. This is what we want to spend. Yeah, our time waking up every morning and being excited to go solve and then just talking to other companies. I said we picked our heads up out of edtech. I mean every company we talked to was experiencing this problem. Big companies, small companies, the earliest stage companies all of a sudden needing to have certain compliance requirements when they're just trying to find product market fit. I mean it was across the board, those younger companies just didn't have the experience or resources to do it and was going to slow them down to do it the old fashioned way. The large companies couldn't keep throwing headcount as something that could be automated. So it wasn't a strategic use of their security team's time to be checking boxes and pushing paper. And so the hardest part was just saying okay, this problem is massive, which is great. How do we slice the lowest hanging fruit for product market fit and then evolve from there, iterate from there. And that happened very, very quickly for Drawn.

Omar Khan

So how did, how did you do that? Because you've lived the pain yourself, you've experienced that, but you still spent some time really trying to deeply understand the problem and figure out where you were going to focus your time. Right?

Adam Markowitz

Yeah. The first magic part of it was getting, getting the band back together. So same co founders Same early engineering team, even same early go to Market Team 1. There's a lot of muscle memory of having worked together for six, seven years, a lot of trust built up, a lot of resilience especially coming out of edtech. Sometimes I say like we went from selling a vitamin in ed tech like a nice to have to a painkiller a need to have in SaaS. And so the appreciation from day one and the perspective to know how, how special that was, it was, it was there from the beginning and that definitely fed our execution loop. So the first step is getting the team back together. Not just muscle memory having worked together, but muscle memory having built something like this ourselves in house, like I said, but lessons learned from the past. You know, cool. I experienced the whole problem of wanting to stand out in my job interviews. That wasn't enough. And so even though we experienced the problem of secured assurance, like we need to validate this. And so we spoke with dozens and dozens of people, companies that we were friendly with, some that we weren't, we just got connected to, to unpack this problem, make sure, validate it basically. And you know, every day coming back together as a group and sharing notes across these calls and seeing just such obvious patterns. I mean this is before you know, Claude or ChatGPT, but you just look at our Google Doc and it's the same exact words that we're hearing across these conversations and so got very, very granular with where we could cut off the smallest slice to bring something to market and add value and then go from there. And so we literally said on day one we're going to take an automation first approach to the C in GRC. So GRC's governance, risk and compliance space, that's been for decades. But the lowest hanging fruit problem that we could solve from our muscle memory and all the conversations was at C. We could automate the compliance piece and then use that as an opportunity to unlock the bigger opportunity around trust. I mean that was, that was the one liner automation first approach to the cngrc. Unlock the bigger opportunity around trust. But we also have the perspective and appreciation coming off of six, seven years in Ed tech to know that one liner is great, sounds good, but it's never going to go, it never goes the way you think it's going to go. And so we were prepared and resilient for the rapid iteration and learning that would have to happen if we were really going to do this and win.

Omar Khan

Did I? Is it true that you used Drata or the first version of that product to get yourselves SOC2 compliant before you sold to your first customer.

Adam Markowitz

Yeah, it was. So we had again those dozens of conversations. Out of those dozens of conversations, there was at least 12, there was a dozen that were like stayed very close to us, not just sharing the problems with them as we were spent six months basically building in 2020. So the second half of 2020 we spent just building that first version from scratch, obviously. And they stayed close enough to where they were our first paying customers when we launched. But as torturous as it was, we held the line at the door, so to speak. Like we said, look, we're ready to launch. This thing's. Obviously you're watching us, we're demoing it, but we're not going to. We have to be our own first customer. One we were looking at in those six months. We watched dozens, I'm not exactly dozens of companies pop up in this category because we weren't the only ones. Obviously when there's the hair on fire problem out there, companies are going to form to solve it. And so we were like, well, this is one of our first opportunities to walk the walk again. That stung. I'll never forget again that CIO conversation. Do you have. Can. Can you prove your security posture? So like this was a moment where to launch a product and have it in the hands of our customers without us having our own SOC2 report or having used our own product to do it. Like that just seemed obviously wrong, like fundamentally philosophically wrong. And so we did, we used Jata. We got our own SOC2 report in hand and then opened up essentially the floodgates and we didn't realize just how massive the hair on fire problem was and how lightning in a bottle quick, the product market fit would be there. Again, we had those dozen lined up. They were first paying customers, but we brought, I mean that quickly grew to 100 within a month and a half, a thousand within the first year. And so it was. It was off to the races and then iterating very quickly right in front of the customer who was guiding us and guiding our roadmap. Um, and it hasn't slowed down for five years.

Omar Khan

How did you, how did you differentiate? I mean, it's. Yeah, you say it's a hair and fire problem, great. But you also have certainly a lot of competition around you. How did you differentiate Drata and how easy or hard was it to sell? Were people like, you know, buying the first solution or was it there was something special about draw to that that made it stand out?

Adam Markowitz

Yeah, I think there's lots of ways to differentiate. Obviously within the product is where most of us, myself included, it's the first place my mind goes. But also just the execution, how we bring it to market, how we sell, how we onboard, how we implement and all of it is an opportunity to differentiate. And I think we, across every dimension, we're differentiated. From a product standpoint, we didn't focus on checking a box for SoC2. Again, that's where we started. But because we had that bigger vision from the beginning of wanting to work with larger companies and unlocking the bigger opportunity on trust, it wasn't just about how quickly can I help a startup get SOC2 compliant? Obviously, if we do it well, it should be very quick. That's not going to be our core message. That's not going to be what we hang our hat on. It's we're going to deliver the most automation, but also we're going to scale with you. So when you need more than SoC2, which is going to happen when you're successful, we're right there with you. And so that affected how we built the product, of course. Right. So not just paint by numbers. As long as you stay within the lines and take everything off the shelf, you're going to get automation. You're going to get automation even when you actually bring in a CISO and a security team and you have your own experience here. Because we were working with larger companies pretty early who already had, you know, this isn't their first rodeo, this isn't their first SoC2 and let alone other frameworks. And so that changes the way you build the product for sure. And that helped us because companies were kind of graduating out of these point solutions that just helped them check a box. How we, you know, on, you know, the whole training mechanism, how we helped companies, again these earlier stage companies who had never done this before, like the, you know, our product leader came from Intuit, was working on TurboTax Live and, and the joke initially was if you can make doing your taxes somewhat enjoyable, like you can make compliance fun. But it was even a step beyond that because most people at least know what taxes are. Right. And so this was like companies and early stage startup founders don't, didn't even know what SOC T was, they just knew it was a barrier. So here's a tool that's going to help us automate as much of this process as we possibly can. But I don't even really know what it is. So I'm not just learning new software, I'm Learning the whole concept itself again goes into how we built the products, how we built the onboarding and training and all of that and then how we brought it to market. We started our partner program really early, deliberately, with great leadership there. But that became a key differentiator as well. Today, fast forward five years. A third of our pipeline is sourced through a partner, through a channel. Another third is influence. So two thirds overall is sourced or touched by partners, which is obviously a moat in itself.

Omar Khan

When you open, you said you opened the floodgates and acquired 100,000 customers very quickly. Where did they come from? Was it through the partner channel?

Adam Markowitz

Yeah, it's been a combination of inbound, so marketing, outbound sales and partner from, from, from the beginning. Those percentages have changed over the years across different segments as well. Right. We, we have startup segment, our commercial segment and our enterprise segment. So it varies across those and, and by region. Right. In, in different regions around the world, different partners are going to be responsible for sourcing more of that, that pipeline. But what, when, when I say floodgates my mind, I mean as soon as we launched our website, so for those first 12 customers, we didn't even have a public website. It was inbound immediately. And so in those six months of developing, because we got the band back together, that whole experience from the EdTech company, we had even from like an operational standpoint, like think just go to market ops, rev ops. I mean we had our inbound lead routing and round robin kind of routing mechanisms already set up to the point where I thought we might be over engineering it because we were kind of biased coming off of this longer journey in edtech. Hey, we don't have the startup mindset here at Drata, but it served us very well, especially in that first year. I don't think it would have been able to. Nothing slipped through the cracks. We touched all thousand of those prospects that turned into customers and it was essentially hand over fist bringing them on board, getting them successful, showcasing that to the world. So we got the flywheel going. And I think there again I always talk about the appreciation, right? We, we had hundreds of customers, hundreds of universities as customers at Portfolium, but it took years and years and years to get there. Like I said, those first five were the hardest. When we brought on a thousand customers at drought in our first year, the value and the feedback that we were getting and how maniacal we were about organizing it and prioritizing it in terms of that feedback loop in the product that I attribute so much of that early success too. And the appreciation like a thousand customers, how much value is in that feedback? That's also part of the SMB versus Enterprise SaaS value prop.

Omar Khan

So what broke when you suddenly have a thousand customers, like almost overnight?

Adam Markowitz

It's like what didn't break? Everything breaks. That's been, you know what, it's what's up about resilience and how every startup, every you need it because you have a process or you build something that works for such a short window of time and then sometimes it doesn't even just bend before it breaks, it just snaps. That could be anything, an org structure, some flow that you've built for. Like I said, even the inbound lead routing, I mean we had to switch from round robin to territories to multi segment, multi region, like within such a short amount of time. One of our early revenue leaders came from a large public company, but was there for the whole ride. And it's a company that we all looked up to and admired. But even they said like, look at least at that company, we got to lay the track down before running the train. Down here you're laying the track as fast as you can. Building the plane while flying and you know, all the, all the sayings are true. So at the end of the day is making sure that people and the culture of the company understand like growth is change, change is uncomfortable. This is going to be a very uncomfortable place to work with. That's what makes it great. So let's not be frustrated by that. Let's not let that wear us down. Let's embrace it. Deliberately uncomfortable is what we would say.

Omar Khan

One of the things I thought you did, which was pretty smart, was to, to build relationships with auditors. You know, Drata could have been a threat to them, but you spent time building these relationships and eventually they became your partners selling the product. Tell me about like what that actually involved. Like how did you go about trying to find these people, recruit them and get them selling the product?

Adam Markowitz

Well, just to be clear, so the auditors actually don't sell the product. And that's pretty important because from day one, those dozens and dozens of conversations, those were with obviously companies that could be customers of ours, but it was also with the audit firms that they were already using or trying to use because I wanted to. They're a key stakeholder here. I drew the line, the parallel between our old life. We had the students, the employers, but also the university administrators. And they were obviously a key part of this. And they were the ones doing the assessing of learning outcomes on these portfolios. And so here the auditors are coming in and assessing two completely different spaces. But you can start to see there's a lot of parallels ironically. And so the feedback from those conversations was also really consistent. One, these audit firms are needing to do more, more conduct more audits than ever before. It's a services business. So the, the scaling of that is very headcount driven. So if there was a way for them to conduct audits faster without losing integrity, actually increasing the integrity because you've got continuous monitoring happening where obviously if you don't have that then it's a lot of just point in time kind of checks, then it's a win win across the board. And we wanted to make very clear from the beginning that we don't view ourselves as a threat. In fact, we never want to be considered an auditor or audit services firm ourselves. The independence of these audits and certifications or SOC2 reports is what gives them the weight that they should carry. You know, this is a deep, it's not us Drata, the vendor that's validating it. It's independent third party. And so again ideally in a perfect world we're able to bring our customers who don't have an audit firm just yet to these various auditors, help them conduct the audit faster with a very high bar for integrity on them. And again everyone wins. So that's the approach we've taken. It's been like a, you know, I called it a declaration of independence in terms of like we want to be independent from these auditors. The otters should be independent. And so again I think that served us well. That itself became differentiating because the market, not, not every player in the space took that approach. It was, you know, I think it's more philosophical and strategic in our, in our view of keeping it independent. But they're a great, a great. We call it the Auditor alliance program where any of our customers can use any audit firm they want. We would never like we're agnostic, we would never tell them not to use a certain audit firm. Obviously other there are certain audit firms that are going to be very, just very experienced in using Drata to conduct audits. And so those over time become even more streamlined. But that's, we never force a customer to use any specific auditor.

Omar Khan

AWS also turned out to be a great channel for you. Tell me about that.

Adam Markowitz

Yeah, it's a special one for sure. Within a, I think less than a two year stretch became a top five global ISV on AWS marketplace in terms of Transaction volume, which was a big deal. Again, hats off to our partnership team, to our whole go to market team who embraced this partner first approach, which, you know, it can be different for folks if they're not used to that. With aws, we took a like, with any, you know, very small to very large partner, you know, it's what can we do for you for a very long time before it's what's in it for us. That was, that was a good piece of advice. We, we had that from our prior experience, our partnerships leader had that from their experience. So it was a no brainer. But I talked to other founders, like, how, how do you go partner with like an aws? Like, well, it's day one. It's not what's in it for us, Drata, it's here's what we're going to be able to do for you. And we will do that for like a while before we expect anything in return. And so in this case, we were bringing customers to the AWS marketplace that had never transacted a marketplace, never heard of marketplace. And we were bringing volume. And so that got us on the radar to where we could obviously then get value in return. And so within again, those first couple years, there was thousands of transactions that we brought to marketplace and there was benefit for our customers to transact in marketplace as well. And up until that point, working with the partnership team at aws, most of the companies that were transacting a marketplace were larger enterprises that had committed spend. And here we were bringing companies that had no committed spend. They had never even heard of marketplace. So there was additional value in even introducing the concept of marketplace to them. And so again, that really helped us differentiate not just again the product, but how we brought it to market. And so it's still a great, great partnership we have there.

Omar Khan

First of all, I love that principle of just give before you take. And it seems so obvious in hindsight, but I guess when you're in the weeds and you're just trying to figure out how do I grow faster, how do I get that next customer? There's a sort of huge sense of urgency. Why did you feel that, like, was this an intentional thing that you were like, okay, eventually we want to work with aws, but if we try to do something today, it's not going to happen, so let's just kind of play the long game? Or was it more about, as it evolved over time, you were like, okay, there's more of an opportunity here.

Adam Markowitz

I mean, we want to, we want to work with all the cloud platforms. So it's a key integration in how we deliver the value of that compliance automation solution. Obviously we integrate with your aws, your Google cloud, your Azure for continuous monitoring of your cloud controls. And so already it was a powerful integration. And then just by looking at our customer base and overwhelming majority of them being on aws, it made sense. And rather than spreading ourselves too thin upfront, we went all in with aws. And now today we work again with all the cloud platforms five years in. But again it was that mindset, the deliberate mindset of like, rather than spreading ourselves across the board, let's, let's really go all in and give, give, give, give that value before extracting anything out.

Omar Khan

I mean the thing that sort of strikes me here is that you went from basically 0 to 100 million in ARR in about four years and yet when we tell the story, everything seems to be about there. Wasn't that like, it wasn't like, okay, day one out of, you know, out of the thing, we're going to just go aggressive, we're going to go and sell, sell, sell. It was no, let's make sure we've got SOC 2 compliance for ourselves before we go and sell. Let's go and build partnerships, let's go and do this. When you sort of look back at that and the sort of the phenomenal growth of the business in those four years, what do you think are the big takeaways? Why do you think you were able to have that level of success so quickly?

Adam Markowitz

I should be clear because I think sometimes my personality could seem kind of laid back or super by the book, methodical versus kind of relentless, type A and there's a good mix. I think there's a very good balance, very mission driven company. We have our core values. Core values are just words. It's you actually putting those words into action. Behavior. That's what culture really is. And so we've been super deliberate from the beginning with that which is set kind of the tone. But there is a good balance with a go to market machine that was extremely aggressive and on purpose because the opportunity deserved it. That's our mindset. The market has this problem, we experience this problem, the problem's getting bigger, it's not being solved, we need to go solve it. And so I remember that first year especially I would get, you know, calls or slack messages from different CISO groups saying, you know, your sellers are aggressive, Adam. And I would say, I know, you're welcome. Right? I know why they were saying it But I much rather, and I would tell them, I much rather hear that than the opposite. Because in our view that's our expression of our appreciation for the opportunity to solve problems. Obviously there's a line there and aggressive can mean different things. And it was never done in a malicious, bad intent way. It was always like we want to help solve this problem. So we are going to, we're going to be following up, we're going to be relentless in this. But I go back to that again, day one, the appreciation for the opportunity that drove this execution mindset and that drove results very quickly. And those results give you this perspective again to go, wow, this is huge RT which drives the execution and just this virtuous cycle that has never stopped. I mean to this day we look around, we go that, that, that one liner is exactly what's happening. That never happens. Right? We took an automation first approach to the C and GRC and now we're unlocking this bigger opportunity around trust with multiple products that sit on top of a true trust management platform and these problems. We're getting lucky in a lot of ways. Obviously there's the execution is never lucky, but the timing of these different things. We didn't know the AI boom was about to happen. That's now driving even more demand for more frameworks, multi framework compliance, security assurance. To prove proactively you're doing the right things as you adopt AI. And then from a third party risk standpoint, all companies, ourselves included, needing to bring in more and more AI vendors that introduce a whole new set of risks and amplify risks that were already there. And so all the use cases that we are setting out to solve, fundamental to trust, are all getting these tailwinds now with AI. And so, you know, yeah, hopefully it's clear like the appreciation's always been there. And so I don't want to give the wrong idea that we were just, you know, buy the book Lean Startup and the success just happened. I mean it took a good mixture of relentless execution mindset and yes, taking lessons learned from the past to set certain things up from the beginning to give us a clearer path.

Omar Khan

Let's talk a little bit about AI going back from when Satya Nadella talked about who I think is an investor in Drata, right, talked about AI is going to have SaaS for breakfast or whatever. He'd said there's this constant thing going on. How do you, how do you think about AI? Obviously it creates a whole bunch of opportunities for you with this business, but what are the threats for you? And how are you thinking about the business? How do you see it evolving over the next few years?

Adam Markowitz

Yeah, what I love about trust is really our core, not just our core value, but the reason why our company exists. Like it's timeless. Okay? It's, it's the truly enduring. Because no matter what wave of technology or trend or anything like, I, I will always believe that trust is still going to be foundational, paramount for success. And so yeah, that's kind of the overarching statement. Now I mentioned some of the tailwinds that we're seeing across three different use cases that our products are solving for our customers and that's just fantastic. Again, it's kind of reinforcing the point that as these new technology waves emerge, trust just gets that much more important. It's more important than ever before. So in our world, when we have a multi framework compliance automation solution, it's one of our products. There are new AI specific frameworks emerging and going to continue to be there right around the next term that our customers have to comply with, ourselves included. And so that use case becomes even more valuable to then provide our customers and prospective customers with assurance around that compliance. That's another use case that only becomes more important. And the flip side of assurance is again, third party vendor risk. The very thing that kicked off the SoC2 craze, so to speak. Now I needed a new bar of assurance, a new set of risk criteria to evaluate my vendors and prospective vendors against when it comes to AI. Because I've got a set of hundreds of vendors right now that are all rightfully so, introducing AI components, co pilots, agents. So even though I evaluated them six months ago, a year ago, as soon as someone toggles on the, hopefully they have even a toggle to turn on the AI. It's not just by default, there's a whole new set of risk criteria that I need to evaluate them against and continuously do so. And so again, all three use cases, getting these AI tailwinds at Drada, introducing our own agents for all of those use cases, when we apply AI to a trust graph, which is ultimately what we're building here, ironically, very similar to like a social Graph or the LinkedIn Economic Graph. The value, the insights and patterns that we're able to glean even before AI, but now, especially as we apply AI, unlocks so much value for each new product that we deliver on top of the platform. So we introduced our iGenic TPRM solution, third party vendor risk. This is leveraging all of that data across this graph across thousands of companies that are transacting with one another to varying degrees of assurance, we're able to bring such differentiated value to each new product that we launch. If I fast forward a few years like everyone's trying to do, and no one has a crystal ball, but yeah, some kind of headless SaaS that's pure agents. I think that the data and the context within that graph are ultimately the moat. But obviously anything can happen.

Omar Khan

We should wrap up. Let's get on to the lightning round. I've got seven quick fire questions for you. Ready?

Adam Markowitz

Yeah.

Omar Khan

Okay. What's one of the best pieces of business advice you've received?

Adam Markowitz

I got a piece of advice from someone that said, don't take everyone's advice. And that one, of course, that just stuck with me because was a time there, especially at Portfolium, where I didn't know anything about anything. You never know what you don't know. But I was trying to apply everyone's advice immediately, and I was getting a lot of conflicting advice, so that didn't help. So don't take everyone's advice was a good one.

Omar Khan

What book would you recommend to our audience and why?

Adam Markowitz

It's different books at different stages. I'm trying to think of something that applies across all. Courage is Calling is a good one. I think stoicism is always, you know, resonates with. With founders. The hard thing about hard things is kind of like everyone's goto read that one before. Actually during Portfolium. It helps for sure. I like Scott Belsy's the Messy Middle, because there's a lot of books about the beginning and the end, but not a lot about the middle. Yeah. And then for all those sports fans out there, um, I love Relentless, which is the. I think it's Tim. Tim Grover. It's Kobe Bryant's trainer, Michael Jordan, and Kobe Bryant's personal trainer. Just to get into that, that mindset, that relentless mindset.

Omar Khan

What's one attribute or characteristic in your mind of a successful founder?

Adam Markowitz

Resilience.

Omar Khan

What's your favorite personal productivity tool or habit?

Adam Markowitz

Always trying new technology, you know, building agents. Now, of course, is whatever everyone's doing. And it's pretty amazing what you can unlock. I think there's other kind of habits that I've tried. I wake up early, I get a lot done. Like personally, physically, I jump in the cold plunge workout. I think that helps. It sets the stage for the day. Starting every day with a challenge, doing something you don't want to do. Again, getting that mindset, that resilience. Kind of mindset every single day I think has helped me a lot for sure.

Omar Khan

What's a new or crazy business idea you'd love to pursue if you had the time?

Adam Markowitz

I don't know. I feel like every creative thought I have goes right into Drata. Yeah, it's hard to even think beyond.

Omar Khan

We'll pass on that one. What's an interesting or fun fact about you that most people don't know?

Adam Markowitz

Most people don't know. I have the aerospace background when I meet them. I think also most people don't see maybe on the surface how competitive I am because I think I hold it pretty well under the surface. But it comes out in a lot of way. I mean just obviously once, once we get going, especially when it comes to anything with any activity, any physical activity, anything with a ball ball sports, it's good hand eye coordination.

Omar Khan

Finally, what's one of your most important passions outside of your work?

Adam Markowitz

Family. Outside of time Trasa and family always comes first. That was actually an interesting thing. I don't know if this is relevant to anybody, any of your listeners, but when we started Drata, myself and the co founders, we had this talk that was interesting. Family like Portfolium. I didn't have wife and kids. Let me start it. I lived in the office, I slept in the office. And obviously it was a successful, you know, outcome of that company. And there's a false positive. It's only successful because I, I, I, I did all those things. Whereas when we started draw, I even told early investors, I said no matter what, Dra will not be the most important thing in my life. Like is that okay? Is it going to can succeed in spite of that? Because I have kids now and it was fun. I think some of our earliest investors were like they would smile when they heard me say that and they said the fact that you're even thinking that way is why it will be successful. And that was really cool to hear.

Omar Khan

That's your quote. That's the thing you should go with. Love it. Well, listen, thank you for joining me. It's been an absolute pleasure. One of the really interesting things I've seen with your story is that I often talk to founders who are like looking for an idea and they're just looking all over the place. And with you both the ideas that have been successful for you have been about personal pains, something that you experience, something that you try to solve. And maybe it didn't happen immediately, maybe it was sort of a couple of years down the road. But there's definitely something there and maybe there's going to be a third act after Drata at some point and we'll see where that goes. If folks want to check out Drata, they can go to drata.com and if they want to get in touch with you, what's the best way for them to do that?

Adam Markowitz

LinkedIn probably the most the easiest.

Omar Khan

We'll include a link in the in the show notes. Great. Thanks man. It's been an absolute pleasure and I wish you and the team the best of success.

Adam Markowitz

Thanks so much and likewise.

Omar Khan

Cheers. SaaS companies move fast. Most teams are focused on building and optimizing, not thinking about vulnerabilities, ransomware or zero day attacks. But they can strike without warning and put your entire business at risk. With the ThreatLocker Zero Trust platform, you can get ahead of these attacks and stop them before they start. Instead of allowing everything and trying to spot the bad. Threat locker blocks everything unless you approve it, giving your IT team full visibility across your environment. The result is stronger security, control and your business keeps moving without interruption. Visit threatlocker.com that's threatlocker.com I've interviewed over 450 B2B SaaS founders on this podcast. Success leaves clues and I've been taking notes every week. I send out the shortcuts, the blind spots and the tactics that actually work so you don't have to learn everything the hard way. Over 5,000 founders read it. You probably should too. Sign up free at Sasclub I.O. newsletter that's Sasclub I.O. newsletter. The playbook that got you to six figures in ARR won't get you to seven figures. And at this stage you don't need another course, you don't need more content, you need clarity and you need people who get it. Because right now you're probably second guessing every decision, wondering if you're focused on the wrong things, working harder but watching revenue flatline. SaaS club mastermind is how you get there. A small group of founders all scaling to seven figures with Mastermind calls and direct access to me. Think of it as your board of directors without the drama. Apply at SasClub IOMastermind. That's SasClub I.O. mastermind.