
Snyk

by Guy, Danny, Asaf · Launched 2015 · via Lenny's Podcast
Growth: product-led growth
Pricing: freemium
The Spark

In the early 2010s, application security was broken. Security was a centralized function run by CISOs and AppSec leaders—audit-driven, enforcement-focused, and deeply frustrating for developers. The tools available were slow, created friction, and were met with resistance. The founders—Guy, Danny, and Asaf—saw a fundamental mismatch: developers increasingly cared about code quality and performance, yet security tools treated them as obstacles rather than partners. They realized that the only sustainable path to better software security was to make developers the center of the security story, not an afterthought.

The market conditions aligned perfectly. DevOps was gaining momentum, Node.js was experiencing rapid adoption, and open source had become the foundation of modern software, with the npm registry hosting 200,000+ packages downloaded 2.5 billion times monthly. Yet open source software was a massive attack vector: a single zero-day in a popular dependency could be exploited across millions of applications. Developers knew this problem existed but had no good tools to solve it.

Building the First Version

Snyk's initial product was deliberately narrow: a command-line tool for Node.js developers to identify known vulnerabilities in open source dependencies. This wasn't a technical constraint; it was a strategic choice. Rather than building a broad, generic security scanner, the founders doubled down on a single persona in a single context: Node.js developers concerned about open source security. This depth-first approach allowed them to validate product-market fit thoroughly before expanding.

The product itself was product-led from day one. It was free to use, solved a real problem in a uniquely differentiated way, and was designed to be pervasive. Critically, Snyk didn't require developers to change their workflows: it integrated into their existing tools like GitHub and CI/CD pipelines, meeting them where they already worked.

Finding the First Customers

The founders didn't hire a sales team. Instead, they became fixtures in the Node.js community. They presented at conferences (notably unveiling Snyk at Velocity in Amsterdam), spoke at meetups, created content, and repeatedly asked a simple question: "Do you have known vulnerabilities in your apps?" They had an answer ready: Snyk.

This wasn't organic growth by accident; it was an intentional community-led strategy. By the time Snyk began attempts at monetization, they had roughly 5,000 free users, a powerful validation signal. The first 100 users came almost entirely from this community engagement.

What made this scalable was the product itself. When a developer signed up, connected their GitHub account, and ran Snyk, the tool would automatically create branded pull requests fixing vulnerabilities. Other developers in the repository would see these PRs, click through to learn about Snyk, and sign up themselves. This created a viral, product-generated content loop that operated 24/7 without manual outreach. It was both acquisition and engagement in one mechanic.

What Worked (and What Didn't)

Snyk had a major early stumble: self-serve monetization didn't work. Despite having a valuable product, strong developer adoption, and excellent retention, early attempts to charge for the product via self-serve subscription saw traction only with individual developers ($100/month). Enterprise purchases didn't happen. This was a crisis moment; some early investors hesitated, doubting whether a product without proven monetization was viable.

But Ed Sim from Boldstart Ventures believed in the vision and provided runway. The team dug into the constraints and discovered the real problem: the product was solving a developer pain point, but enterprises needed more. CISOs and security leaders needed governance features (robust user management, reporting, compliance tooling) before they'd trust their organization's security to Snyk. Moreover, companies with diverse tech stacks needed support beyond Node.js; their security teams were held accountable for the entire application estate, not just JavaScript services.

So Snyk expanded its product scope, adding support for additional programming languages and ecosystems while building table-stakes governance features. The timing coincided with broader market shifts: DevSecOps was becoming mainstream, and more companies were asking developers to take ownership of security. This created room for Snyk to build relationships with security leaders.

It was also time to hire the first sales and marketing people, a pivotal moment. Self-serve had gotten Snyk through the crucial early phase of validation. But scaling monetization required a sales motion to navigate the buying center and build trust with security leaders who held budget authority.

Where They Are Now

Today, Snyk is one of the fastest-growing security startups. After Series F, the company reached an $8.6 billion valuation, securing the software of millions of developers across 2,000+ paying customers. The company has 1,300+ employees, with 500 in R&D and 70 in the product organization.

What's remarkable is how the company has evolved without abandoning its roots. While sales became critical for enterprise growth, Snyk's product-led approach remained core to the strategy. Ben Williams, VP of Product, formalized a developer growth group organized into cross-functional teams focused on acquisition, activation, monetization, and experimentation, all aligned around common metrics and objectives. Growth marketers sit alongside engineers and product managers, generating ideas and owning execution without siloing marketing away from product.

Snyk's growth loops have multiplied. The GitHub PR loop remains powerful. Snyk Advisor, a programmatically generated index of open source packages with security and health metadata, creates massive SEO value and drives top-of-funnel awareness. Free security education content, ungated and accessible, builds trust and developer affinity. The company has learned that developers care deeply about staying in their flow state; Snyk succeeds by bringing security to them, not pulling them out of their workflows.

What's perhaps most impressive is that Snyk proved you could build a massive, well-funded security company on PLG principles in an industry historically driven by sales. It required patience to let free adoption compound, the product depth to make community engagement work, and the conviction to expand thoughtfully rather than chase every TAM expansion opportunity. The narrow initial focus, Node.js developers concerned about open source, became a beachhead for a global platform securing millions of developers.

Similar Companies

247.ai

$25.0M/mo

247.ai, founded by PV Kannan in 2000, is an AI-powered customer service automation platform serving over 150 enterprise customers with $300M+ in ARR. The company raised only $20M from Sequoia (2003) and otherwise bootstrapped, achieving 10% net profit margins while maintaining a 12-month CAC payback period and 100% net revenue retention. Despite a security breach setback around 2018, 247.ai has recovered and recently achieved 20% new revenue booking growth in its best quarter.

iCIMS

$13.3M/mo

iCIMS is a bootstrapped SaaS provider founded in 1999 that dominates the talent acquisition software market as the #2 player, serving 3,500 enterprise customers with an average monthly spend of $4,000. The company exited 2017 with $160M ARR and is targeting 25%+ annual growth while maintaining profitability, recently acquiring TextRecruit to expand into candidate messaging and recruitment advertising.

Zoom

$12.0M/mo

Zoom is a freemium SaaS video conferencing platform founded by Eric Yuan in July 2011 after he left Cisco to build a next-generation collaboration solution. The company has grown to 850,000+ paying customers across individual, SMB, and enterprise segments, generating over $12M in monthly recurring revenue with approximately 100% year-over-year growth. Rather than focusing on customer stickiness or aggressive growth targets, Zoom emphasizes customer happiness and organic word-of-mouth acquisition, which has proven highly effective in driving viral adoption.

Madwire

$10.0M/mo

Madwire is a comprehensive SaaS platform for small businesses (1-100 employees) that combines CRM, payments, invoicing, billing, e-commerce, and multi-channel marketing tools in a single platform. Founded in 2009, the company has grown to $120M ARR serving 20,000 customers with an average revenue per user of $500/month, while maintaining strong unit economics ($3,000-$4,000 CAC with 3-month payback) and recently turning profitable with a focus on reaching 15-20% EBITDA margins. The company is exploring an IPO within 12-18 months without having raised substantial capital beyond an initial $7.5M.

Swiftpage

$7.0M/mo

Swiftpage is a CRM and marketing automation platform founded in 2001 that targets small businesses. Under CEO John Oechsle's leadership since 2012, the company scaled from 60,000 customers with $26.2M revenue in 2015 to 84,000 customers today with an estimated ARR of $36M+, maintaining 1.5% monthly logo churn and a 6-7 month payback period with a sub-$500 CAC.
