
SecurityScorecard

by Alexander Yampolsky | Launched 2014-01 | via Nathan Latka Podcast
MRR: $2.1M/mo
Growth: word of mouth
Pricing: subscription
Built in: 2014 (most of year building product)

The Spark

Alexander Yampolsky was serving as Chief Security Officer at the Guild Group when a critical vulnerability became the spark for SecurityScorecard. The company was integrating with a third-party fraud detection vendor that looked solid on paper—the contract and penetration test results all checked out. But when Alexander's team dug deeper into the actual systems, they discovered something horrifying: unencrypted credit card data floating in the vendor's infrastructure. "That was an oh shit moment for me because I realized I could lose my job as a chief security officer due to negligence of somebody else," he recalls. The experience crystallized a massive market gap: no one had a systematic way to measure security from the outside. There had to be a way to create objective metrics.

Building the First Version

Alexander launched SecurityScorecard in early 2014 and spent most of that first year building the product. The core insight was ingenious: instead of trying to penetrate a company's defenses (the traditional approach), why not look for external signals that indicate their security maturity? The team developed hundreds of sophisticated indicators—from something simple like outdated copyright notices on websites (suggesting systems haven't been updated in years) to complex cryptographic and infrastructure assessments. This non-intrusive approach let them create a security "scorecard" (A-F ratings) for any company in the world, answering the fundamental question: how secure are the vendors you do business with?

Finding the First Customers

The product resonated immediately. Big enterprises realized they had a massive blind spot: they were doing business with thousands of cloud vendors (Dropbox, Salesforce, etc.) with no visibility into those vendors' security practices. SecurityScorecard solved that problem. The company didn't rely on fear-based sales tactics; instead, they let the product speak for itself. Customers paid upfront annual subscriptions ($2,000 per year on average, though ranging from $20,000 to $1M+ for large enterprises) and discovered that the visibility SecurityScorecard provided was worth far more than the cost.

What Worked (and What Didn't)

Two mechanics drove exceptional growth. First, **network effects**: when a large enterprise used SecurityScorecard to monitor 10,000+ suppliers, those suppliers naturally wanted to know their own ratings and how to improve them. This created viral adoption loops without traditional marketing spend. Second, **expansion revenue**: customers started finding new use cases—comparing themselves to competitors, proving security investments to boards, cyber insurance underwriting—which drove strong land-and-expand dynamics. By the interview date, the company had achieved remarkable unit economics: $80,000-$100,000 average contract value, under-12-month payback, LTV/CAC above 3, and critically, **net negative 15% revenue churn** (meaning they retained 115% of previous year's revenue through expansion).

Alexander and team invested heavily in product (roughly 50% of the 130-person company) and events (>$1M annually), believing that great technology + great execution would win. They raised $60M+ across multiple rounds (Evolution Equity/Bold Start Ventures seed, Sequoia Series A, Google Ventures Series B, and $27.5M Series C from Nokia Growth Partners, Intel, AXA, and Moody's).

Where They Are Now

By the time of this interview, SecurityScorecard had 450+ customers including GE, McDonald's, and Pepsi. They were on track to hit $25-30M ARR in 2018, doubling year-over-year from roughly $12.5-13M the prior year. The company was operating with strong cash reserves and wasn't planning to raise again soon. Alexander's vision extended beyond product: he wanted to create a new language for cybersecurity, similar to how Henry Ford created a world of automobile drivers. He envisioned CFOs, chief risk officers, and board members baking minimum security scorecard requirements into vendor contracts—turning the metric into a standard of business, not just a tool.

Similar Companies

247.ai

$25.0M/mo

247.ai, founded by PV Cannon in 2000, is an AI-powered customer service automation platform serving over 150 enterprise customers with $300M+ in ARR. The company raised only $20M from Sequoia (2003) and otherwise bootstrapped, achieving 10% net profit margins while maintaining a 12-month CAC payback period and 100% net revenue retention. Despite a security breach setback around 2018, 247.ai has recovered and recently achieved 20% new revenue booking growth in their best quarter.

Madwire

$10.0M/mo

Madwire is a comprehensive SaaS platform for small businesses (1-100 employees) that combines CRM, payments, invoicing, billing, e-commerce, and multi-channel marketing tools in a single platform. Founded in 2009, the company has grown to $120M ARR serving 20,000 customers with an average revenue per user of $500/month, while maintaining strong unit economics ($3,000-$4,000 CAC with 3-month payback) and recently turning profitable with a focus on reaching 15-20% EBITDA margins. The company is exploring an IPO within 12-18 months without having raised substantial capital beyond an initial $7.5M.

Brandwatch

$5.0M/mo

Brandwatch is an enterprise SaaS social intelligence platform founded in August 2007 by Giles Palmer that crawls 80 million websites and aggregates social media feeds to provide brands with real-time insights about conversations mentioning them and competitors. Operating profitably at scale with 1,500 enterprise customers paying an average ACV of $30,000, the company generated over $60M ARR in 2017 and grew approximately 30% year-over-year while maintaining a disciplined approach to capital deployment.

Active Campaign

$4.2M/mo

Active Campaign started in 2003 as an on-premise email marketing solution built by Jason Vanderboom to fund his fine arts degree. After 10 years and 8 employees generating a couple million in revenue, he transitioned to a SaaS model starting at $9/month. The company now has over 60,000 customers generating over $50 million annually and employs 330 people, growing primarily through organic adoption, partnerships, and focus on the SMB market despite pressure to move upmarket.

Ahrefs

$3.3M/mo

Ahrefs is a bootstrapped SaaS company providing SEO and backlink analysis tools, currently generating over $40M ARR with 45 employees. After joining in 2015, Tim Solo transformed the blog from 15,000 to 250,000+ monthly Google visitors by shifting from publishing what they wanted to write about to targeting keywords people actually search for, creating high-quality content with direct product integration, and continuously updating articles to accumulate backlinks. The company breaks conventional marketing wisdom by not using customer personas, growth hacks, or detailed analytics—instead focusing entirely on product quality and audience education through blog content.
