Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

I’m continuing my series on how certain security companies fail. I’ve mostly talked about public companies, such as CrowdStrike, Zscaler, Okta, etc., but I haven’t talked much about startups, partially because startups are more likely to fail. Therefore, the arguments might be obvious or plain boring, e.g. the company struggles to scale, or some other generic argument that explains most startup failures.
Given the recent startup shakeups and “bubble,” there are mature startups that have stood out in the noise. Most notably, they were startups that had commanding positions in their spaces and managed to continue to grow despite macroeconomic conditions. One of the companies is Snyk, which is in the application security space. They have dominated in recent years, truly one of the more developer-focused tools, shifting alerts and remediation closer to development where issues are cheaper and easier to fix. The key is that they made application security part of the development process, especially with the rise of agile and more frequent deployments, rather than an afterthought or a checkbox.
Honestly, it’s hard to imagine what would happen to security if Snyk were to fail. That’s why I believe this is an interesting intellectual exercise. For disclosure, I’m a huge fan of Snyk. I use it in my current role, and I’ve used it in my previous role. I’ve even evaluated other products, but Snyk has always made its way into my stack. I’ll explain more later. With that said, I believe Snyk will do well, but with all startups, failure is always possible.
What is Snyk?
Snyk is an application security product meant to help developers fix security issues more quickly. It runs in your CI/CD so that it can detect issues before they reach production.
Their first and core product is the software composition analysis (SCA) tool, which is key for compliance. An SCA tool detects known vulnerabilities in third-party dependencies and flags problematic open-source licenses. A key innovation is that they are able to run these scans quickly, whereas more “legacy” products took much longer. They also have their own in-house research teams that add context to the alerts, which makes them easier to prioritize and subsequently fix.
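To make the SCA description concrete, here is an added illustration of what such a check does inside a CI job. It is not Snyk’s code or data: the lockfile, the advisory records, the license table and the package names are all constructed for this example, and a real tool would pull advisories from a vulnerability database and licenses from package metadata. It pins each dependency, matches it against advisories by affected version range, flags licenses outside an allowlist, orders the findings by severity and fix availability (the prioritization context the text mentions), and returns the exit code a pipeline would use to block a merge.

```python
"""Minimal software composition analysis (SCA) check, as a CI job would run it.

Added illustration; all packages, advisories and licenses below are constructed.
"""
import re
import sys
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed lockfile in pip "requirements" pin format.
SAMPLE_LOCKFILE = """\
# constructed pinned dependency set
httpkit==2.19.1
yamlparse==5.3.1
tinylogger==1.4.0
clitools==8.1.7
"""

# Constructed advisories: version v is affected when introduced <= v < fixed
# (fixed=None means no fixed release has been published yet).
ADVISORIES = [
    {"id": "EX-2018-001", "package": "httpkit", "introduced": "2.0.0", "fixed": "2.20.0",
     "severity": "high", "title": "credential leak on redirect"},
    {"id": "EX-2020-002", "package": "yamlparse", "introduced": "0.0.0", "fixed": "5.4.0",
     "severity": "critical", "title": "arbitrary object construction in load()"},
    {"id": "EX-2022-003", "package": "tinylogger", "introduced": "1.0.0", "fixed": None,
     "severity": "low", "title": "log injection via unescaped newline"},
    {"id": "EX-2019-004", "package": "clitools", "introduced": "1.0.0", "fixed": "7.0.0",
     "severity": "medium", "title": "path traversal in file argument"},
]

# Constructed license metadata; a real tool reads this from package metadata.
LICENSES = {"httpkit": "Apache-2.0", "yamlparse": "MIT",
            "tinylogger": "AGPL-3.0", "clitools": "BSD-3-Clause"}
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


@dataclass
class Finding:
    package: str
    version: str
    kind: str            # "vulnerability" or "license"
    ref: str             # advisory id or license name
    severity: str
    fix: Optional[str]   # version that resolves the issue, if one exists
    title: str


def parse_version(v: str) -> tuple:
    # Numeric dotted versions only; a real scanner needs full PEP 440 / semver handling.
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_lockfile(text: str) -> dict:
    """Return {package: pinned_version}; unpinned lines are rejected, since a
    scanner cannot reason about a version it does not know."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)", line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def scan(lockfile_text, advisories=ADVISORIES, licenses=LICENSES, allowed=ALLOWED_LICENSES):
    pins = parse_lockfile(lockfile_text)
    findings = []
    for adv in advisories:
        version = pins.get(adv["package"])
        if version and is_affected(version, adv["introduced"], adv["fixed"]):
            findings.append(Finding(adv["package"], version, "vulnerability",
                                    adv["id"], adv["severity"], adv["fixed"], adv["title"]))
    for pkg, version in pins.items():
        lic = licenses.get(pkg, "UNKNOWN")
        if lic not in allowed:
            findings.append(Finding(pkg, version, "license", lic, "medium", None,
                                    f"license {lic} is not on the allowlist"))
    # Highest severity first; within a severity, issues that already have a fix first,
    # because those are the cheapest for a developer to act on.
    findings.sort(key=lambda f: (-SEVERITY_RANK[f.severity], f.fix is None, f.package))
    return findings


def ci_exit_code(findings, fail_on: str = "high") -> int:
    """Non-zero when any finding is at or above the failure threshold."""
    threshold = SEVERITY_RANK[fail_on]
    return 1 if any(SEVERITY_RANK[f.severity] >= threshold for f in findings) else 0


if __name__ == "__main__":
    results = scan(SAMPLE_LOCKFILE)
    for f in results:
        action = f"upgrade to {f.fix}" if f.fix else "no fix available"
        print(f"[{f.severity:8}] {f.package}=={f.version} {f.kind}: {f.ref} ({f.title}); {action}")
    sys.exit(ci_exit_code(results))
```

Run as a script, it prints the four constructed findings in priority order and exits 1 because two of them are high or critical, which is how a CI stage turns the scan into a gate; `fail_on` lets a team start with a "critical only" gate and tighten it as the backlog shrinks.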
Of course, the market for SCA is not large enough to justify Snyk’s valuation, and many companies have tried to expand in the application security market, only to sell to larger platforms, e.g. Veracode changed hands many times and WhiteHat sold to NTT and then Synopsys. (Synopsys is an acquirer of many application security companies.)
Given the size of the application security market, Snyk decided to take the standalone approach and expand into other product areas, including container scanning, SAST, infrastructure as code scanning, and more recently cloud configuration scanning (the space where Wiz and Lacework started). They are building a platform on top of their access to a company’s codebase, which is both a core security concern and a valuable asset. The argument is that they are already connected to your repositories and code, so they can scan for more types of issues and/or scan more of your code and repositories. This is a clever approach and makes it a security platform play, which is hard to achieve.
Land and expand fuels growth
Snyk’s platform play is a traditional land and expand play. They start with SCA, their original and most mature product, and they slowly replace the other legacy players a company has in SAST, container security, etc. Not only does Snyk expand as the number of developers in the company grows, but it can also replace existing products. As a result, they can offer discounts and help consolidate products, which is a great strategy, especially since the primary market is developer-focused, and developers prefer platforms over best-of-breed point products for easier management. Moreover, product consolidation and cost reduction are key as companies look to increase efficiency, especially in areas like security, which tends to be operations-heavy.
This growth story sounds amazing. They have found a new GTM motion that many previous application security companies missed — targeting developers. On top of that, the product actually helps with fixing security issues in code and leads to fewer vulnerabilities and risks in production. They are also displacing other legacy players in adjacent areas that don’t have developer love and have struggled to keep up with new development trends. Buying Snyk is a win for both security and developers.
Competition ramps up
However, trouble starts to brew, and we are already starting to see early signs of this. Snyk was successful early because the incumbent players couldn’t adapt to the changing development practices. Unfortunately, this advantage slowly fades as Snyk faces pressure from multiple sides: the incumbent players, startups, and existing innovative companies looking to expand.
The incumbent players will try to keep their customer base through moderate innovation and aggressive GTM motions. They will ramp sales and marketing, causing Snyk to expend substantial resources to acquire customers in those markets.
As Snyk expands, it will enter areas with existing competitors. For example, Snyk is expanding into infrastructure as code (IaC) and container scanning. The cloud security players, such as Wiz and Lacework, are already in this space, and it’s logical that they own it rather than Snyk, because the people fixing those security issues are DevOps engineers rather than application developers. It seems a more natural product expansion for the cloud security vendors than for Snyk, so Snyk will have to battle for customer mindshare there.
Finally, what I believe to be the biggest existential threat is the existing innovative players, namely the code platforms, specifically GitHub and GitLab (and JFrog to a smaller extent). Their core product is managing code, but it’s not hard to see how they could extend their code platform to securing that code. In fact, GitHub has already made moves by offering Dependabot (an acquisition) for free and by having an Advanced Security package that includes secret scanning, SAST, and dependency management for a small additional price. This makes adding security easy because an organization doesn’t have to go through a separate procurement process; it’s easy to try and turn on. Most organizations don’t need the best application security, because that’s not their biggest risk. Most importantly, GitHub has basically unlimited resources to improve this product as part of Microsoft.
The downfall
Snyk’s most mature product, SCA, is still its best product. However, they have been spending less time and effort on it in order to expand their platform. The competition they face is stiff, which causes them to keep losing focus and spread themselves too thin. Existing innovative companies like GitHub improve their product with their massive resources, bringing it very close in quality to Snyk. In an effort to consolidate, companies ditch Snyk’s core SCA product. Companies stick with the cloud security players because infrastructure security is a bigger risk, and they use those vendors’ IaC and container security products instead of Snyk’s. Snyk continues to spend resources battling on various fronts, which increases their cost of acquiring new business, and it continues to be an uphill battle. Maybe they even try to take on GitHub and JFrog in repository hosting to make their platform stickier.
Eventually, the board steps in and tells them to focus on SCA, but it’s too late. Only a set of loyal legacy customers remains, holding on out of nostalgia and convenience. They end up like all the other application security companies, just hanging around waiting for a buy-out by private equity or a larger platform like Synopsys or GitHub.
Takeaway
I’m a strong believer in Snyk, and they have changed security for the better by building a product that empowers developers to fix security issues. Battling for market share and to justify their lofty valuation, they risk losing focus and letting others with more resources take away their product advantage, especially around SCA. Regardless, they will be remembered as the security product that started the trend toward security engineering, and I hope they will continue to succeed.
On one hand, you state that, “Snyk’s primary market is developer-focused, which prefers platforms over best-of-breed point products for easier management.”
On the other hand, you state that, “Snyk has lost focus on their SCA core and is distracted by their efforts to develop a portfolio of products on top of a singular platform”.
When it comes to the argument of “focus on best of breed versus build a platform” -- what’s your conclusion? Are vendors damned if they do? And damned if they don’t?