Security Scorecard

by Alex Heid | Launched 2015 | via Nathan Latka Podcast
ARR: $100.0M
Growth: product-led growth
Pricing: subscription
The Spark

About 11 years ago, Alex Heid was hired as Chief Security Officer at Guild Group, a rapidly growing e-commerce fashion startup scaling from hundreds to 2,000 people. His boss, Kevin Ryan (founder of Business Insider and MongoDB), challenged him with a blunt critique: "You're not doing a good job. I don't hear enough people complaining about you." This feedback—that impact requires visible friction—became foundational to Heid's thinking. More importantly, it sparked a realization: cybersecurity was the only industry with zero KPIs. You could invest a million dollars in security technology but couldn't answer whether you'd become 1%, 2%, or 10% safer. As companies became interconnected, the problem worsened—65% of data breaches were caused by negligent third parties outside a company's control. This gap became the seed for Security Scorecard's vision: create a "security score" like credit scores, reducing non-intrusive data points into a single, actionable metric for any company globally.

Building the First Version

The journey wasn't obvious. When Heid and his business partner approached prospective customers as a two-person team with zero revenue, they received a lukewarm reception—a critical lesson. The idea wasn't obvious to the market, which paradoxically meant it was timely. Over nine years, the company evolved to 600 employees in 46 countries, but early decisions revealed surprising truths. In 2015, Heid spent four months and millions on a "bridge multiplier" feature using Kolmogorov-Smirnov complexity to compute portfolio similarity—a mathematically elegant solution that flopped because only Heid could pitch it. His sales team couldn't understand it. Meanwhile, a developer named Josh coded a simple widget on a weekend without being asked: put the security scores on a website, let people request their score by email, and follow up with marketing. This unasked-for experiment became the company's number-one lead generation tool—still delivering results today. The lesson: cheap, quick experimentation beats great ideas; constraints breed creativity.

Finding the First Customers

Security Scorecard's early traction came from recognizing what jobs customers were actually trying to do. Rather than thinking product-first ("we have security scores"), Heid adopted a jobs-to-be-done lens. Customers didn't buy scores to own a metric—they bought them to justify budgets, convince boards they were doing their jobs, or decide whether to trust a vendor. This reframing expanded the company's aperture. The simple widget that Josh built became the Trojan horse: prospects could instantly see their score, creating both a lead magnet and proof of value. Over time, the company learned to embed its solution so deeply into customer workflows that it became indispensable—a system of record, integrations, and brand loyalty all reinforced by relentless customer obsession.

What Worked (and What Didn't)

Heid's largest structural innovation was embedding customer obsession into company culture. Every executive meeting started with 20 minutes of customer stories before discussing OKRs or roadblocks. Every executive was mandated to talk to customers—not optional. The most important chair was an empty one, representing the customer. The company hired, fired, and promoted based on customer engagement. When a smart, talented executive showed a weak customer calendar, Heid moved her to a different role despite the short-term disruption cost. This ruthlessness paid off: it signaled that customer obsession wasn't PR, it was operational reality.

The other critical insight: the "deadliest competitor" isn't other startups or adjacent solutions—it's doing nothing. Before Security Scorecard, enterprises survived without quantified cyber risk. The company had to transform customers into believers in security scoring. This meant making the intangible tangible. Heid recently released Cyber Risk Quantification, which expresses risk in dollar terms. Product-centric teams see a number. Job-centric teams see a budget justification tool or board proof point. This mindset shift unlocked customer transformation and deeper stickiness.

Where They Are Now

Nine years after launch, Security Scorecard has scaled to 600 employees across 46 countries, serving thousands of companies including 9 of the top 10 pharmaceutical firms, leading banks, and all top insurance companies. The company exceeded $100M in annual run rate last year and is projected to grow by at least 50% this year. Heid credits this success to three principles: (1) betting on people who take risks and have a healthy disregard for the impossible (he's now an angel investor in Josh, his original developer, who founded a customer success startup); (2) building a culture where cheap experiments trump grand ideas; and (3) relentlessly focusing on the jobs customers need done, not the features being built. Heid's parting wisdom: "Your most unhappy customers are your greatest source of learning."

Similar Companies

Active Campaign

$4.2M/mo

Active Campaign started in 2003 as an on-premise email marketing solution built by Jason Vanderboom to fund his fine arts degree. After 10 years and 8 employees generating a couple million in revenue, he transitioned to a SaaS model starting at $9/month. The company now has over 60,000 customers generating over $50 million annually and employs 330 people, growing primarily through organic adoption, partnerships, and focus on the SMB market despite pressure to move upmarket.

Ahrefs

$3.3M/mo

Ahrefs is a bootstrapped SaaS company providing SEO and backlink analysis tools, currently generating over $40M ARR with 45 employees. After joining in 2015, Tim Solo transformed the blog from 15,000 to 250,000+ monthly Google visitors by shifting from publishing what they wanted to write about to targeting keywords people actually search for, creating high-quality content with direct product integration, and continuously updating articles to accumulate backlinks. The company breaks conventional marketing wisdom by not using customer personas, growth hacks, or detailed analytics—instead focusing entirely on product quality and audience education through blog content.

NutriSense

$3.3M/mo

NutriSense is a direct-to-consumer metabolic health platform that pairs continuous glucose monitoring devices with proprietary software analytics and dietitian coaching. Launched in September 2019 with pre-sales in keto and Oura Ring Facebook groups, the company grew from under $1M MRR a year ago to $3.3M MRR today (3x growth), with 15,000-16,000 active paying customers and 170 employees. The business has raised $32M in funding across multiple rounds since a $250K seed in early 2020.

Solides

$2.6M/mo

Solides is the leading HR tech platform for small and medium companies in Brazil, providing talent management software for hiring, development, and retention. Founded in 2010 but pivoted to a subscription model in 2015, the company achieved $31.2M ARR as of March 2023 (100% growth YoY) with 20,000 paying customers managing close to 2 million employees. Alessandro Garcia raised a $100M Series B at an $800M valuation in 2022 and is targeting a $60M run rate by end of 2023, with plans to IPO once reaching $200M in revenue.

Calendly

$2.5M/mo

Tope Awotona founded Calendly after three failed startups taught him the importance of solving real problems rather than chasing money. He spent six months validating the scheduling tool idea by studying competitors' products and user forums, then went all-in by emptying his bank account and hiring engineers in Ukraine. Calendly achieved product-market fit through a freemium model that optimized for invitee experience, growing to 4 million users and $30M ARR largely through organic viral growth and word-of-mouth.