

🎧🍌 Fortifying Open Source Software with Dan Lorenc, Co-founder & CEO of Chainguard
Raising $61M to secure the software supply chain, the history of open source software, all things meme marketing, how to get quoted in major publications, and optimizing content for the group chat
Dan Lorenc is the Co-founder and CEO of Chainguard, the best way to secure your open source software. Dan and his co-founders Kim, Matt, and Ville started the company in 2021 after spending a decade working together at Google on all things open source and software security.
They’ve since raised $116 million from investors, including a Series B led by Spark Capital announced yesterday, a Series A led by Sequoia, a Seed led by Amplify, and are supported by other investors like The Chainsmokers’ Mantis VC, Banana Capital, and dozens of angels in the cyber security and open source communities.
Tune in to hear us discuss:
What is the “software supply chain”?
How the SolarWinds breach created the software supply chain security market
The history of open source software
Why open source software makes software supply chains even less secure
The moment Dan and his co-founders decided to start Chainguard
Why they started selling consulting services before even building a product
The reason their first two products solved completely different problems [top-down and bottoms-up], and how the one that didn’t work at first is now their main business
Chainguard’s non-traditional approach to communications and marketing
How Dan gets quoted in major media publications as an early stage startup founder
Why Chainguard uses memes for marketing
Why Dan thinks B2B startups should “make content optimized for the group chat”
How they raised their Seed round from Amplify a week after leaving Google
Raising a Series A led by Sequoia as the market started collapsing in Spring of 2022
Dan’s advice for founders on dealing with investor inbound when not fundraising
Why he wishes he hired sales reps sooner
Raising a Series B led by Spark Capital to accelerate their enterprise sales process
Follow Dan and his security memes on Twitter and LinkedIn.
🙏 Thanks to Zac and Xavier at Supermix for help with production and distribution.
Transcript
Find transcripts of prior episodes here.
Turner: Dan, how's it going?
Dan: Good, how are you?
Turner: I'm doing pretty well. I think I was telling you, I'm a little bit tired getting over being sick.
Dan: I think everybody in the world got sick this week, it sounded like.
Turner: You are building a business in a super interesting space. Can you kind of explain what is software supply chain security?
Dan: Software supply chain is just like a physical supply chain, except for software. It's exactly what it sounds like in that extent, but it's completely different in that software does not have anything that is close to a physical supply chain. We don't have trucks shipping stuff across the world.
There's no massive aircraft flying around that Flexport CEO, but our world looks nothing like that. Early on, a lot of investors would get it confused, actually, and they'd send us long pitch emails about how they have LPs that own the most freight ships in the world and they can add value that way because they thought we were building software for physical supply chains, but this is the opposite of that.
A software supply chain is all of the steps that go into getting software from a developer's keyboard all the way out to production where it adds value to users. There's tons of different types of software, right? There's SaaS stuff where you just consume through a browser and the process of getting that deployed and shipped is completely different from, say, an iPhone app or something that you download or ship into a client site.
So there's a lot of different shapes of software supply chain, but the problems all look relatively the same. These systems are all kind of held together with duct tape and baling wire. Um, and they're kind of like the last thing you think about when you're building your software. You think about the software itself, you think about how it's going to get to where it needs to go.
And unfortunately, attackers and bad people and nation states in some cases attack those gaps, so they're not attacking or hacking the software itself. That's general software security, but they're attacking the way that it gets to users and tampering with it or putting in malware or exploiting vulnerabilities that way.
So it's a relatively new field in cyber security. Um, but the problem has been around for a very long time.
Turner: What are some of these vulnerabilities, or why do they exist? And it's because you might have a vendor that you work with, you use their product to build your own software, and that vendor uses other software that might be vulnerable, or that software uses other software and part of their stack that might be vulnerable.
So there's like 3, 4 levels deep you have no control over, but it's vulnerable and they can attack you based on that.
Dan: Exactly. Like there's that saying, it's turtles all the way down. Like, use software to build software, use software to operate software. All of those turtles can be vulnerable. So it's vulnerable turtles all the way down. There's this famous paper, written 1984 by this guy called Ken Thompson, who invented C and Unix and all sorts of other, you know, technologies that still power the modern world, called Reflections on Trusting Trust.
And he kind of pointed this flaw out, I guess, you know, 40 years ago almost now. And everybody kind of read it. He won this award, everyone was kind of terrified, and then they just blocked it out of their memories until the last couple of years.
Turner: They forgot about it?
Dan: Basically, that's sort of what it feels like.
Uh, it's not new by any regard. We've all known about this, but, uh, attackers only recently started looking at it, and that's kind of how cyber security works. It's whack-a-mole. Um, you don't get any value out of securing something that no one's spending time attacking. So the industry kind of plays this cat and mouse game chasing around and trying to protect whatever attackers are currently focused on.
Turner: So if I'm an attacker, how do I decide what to focus on? Like, how do I find a vulnerability?
Dan: Attackers are people too, and they're lazy, so they usually just go after, um, you know, the easiest thing that they can find, the weakest link. So I think, you know, the shift to software supply chain attacks and software supply chain in general is actually kind of a good thing for the industry. It shows that we've gotten good enough at securing other basic, you know, attack vectors.
There's two-factor authentication and stuff like keys that people use to protect their passwords. So if you use the same password across your bank and your Netflix account, that's not going to get you compromised as easily as it used to. Websites use HTTPS now. It's pretty ubiquitous.
It's pretty common. Like every website uses it. You don't get those little red X's in Chrome when you hit a website anymore. But five or 10 years ago, that was at, like, 50 or 60 percent of the Internet. Now it's at 98%. So there's been a huge increase in security, which is something we should all pat ourselves on the backs about.
But it just means the attackers are trying new things, and we need to come up with new techniques to defend against them. They have infinite patience and in some cases infinite money when they're funded by large nation states.
Turner: What have been some of the changes, I guess, that have been kind of happening over the last 10 years, five years, three years?
Dan: Yeah, this whole space kind of rocketed into popularity and public discourse, I guess, after the huge breach on the SolarWinds Corporation.
Turner: Can you explain that really quick?
Dan: Yeah, so SolarWinds is a company that sells a lot of software. Some of it was, you know, security software and one of their largest customers was the US government, the Department of Defense, intelligence community.
SolarWinds got attacked by a nation state. Instead of just compromising SolarWinds, like a lot of these attacks would do, when you hack a company, you can steal their data. You could do all sorts of stuff that way. That's bad. And you know, everyone knows about. Instead of doing that, they actually attacked the SolarWinds software delivery system.
So instead of just stealing the data from SolarWinds directly, they put a backdoor in the product.
When they published the new release of the product and everyone downloaded it and brought it into these secure environments, they brought that backdoor along with it. Um, that backdoor is then used to steal a bunch of data, actual trade things, and it hit a lot of sensitive government agencies in ways that, you know, you normally can't do.
It sort of reminds me of those, like, you know, those movies when somebody wants to break into jail and you can't just cut through the fence or the gates or something like that. And you hide in the food delivery truck, right? That kind of trope from movies. If you can't get in the hard way, then you just trick somebody else into taking you in.
And that's kind of how that supply chain attack worked. It was so bad the government had to take action. And security, that's kind of, sadly, the way that you get folks to make changes: wait until something bad enough happens that gets enough attention to force action. So shortly after that, the Biden administration had this executive order on improving, yeah, software supply chain security for the nation, which instructed a bunch of other agencies to do a bunch of different things and pass all these new laws.
Some of which makes sense. Some of which were clearly written by 75 year olds in Washington, D.C. that don't really use computers. You can kind of tell from reading them, so it's just led to a whole bunch of churn and chaos and excitement and opportunity in the industry.
Turner: Were there other attacks that have happened or been happening, or is that the only one?
Dan: That was the biggest one, right? That was the biggest one that kind of kicked it off at the start. There have been plenty of others. One year later, like, to the day, uh, was another massive one called, uh, Log4Shell. Um, it was a completely different attack, so it shows how complex the overall space is.
It's not like one single thing, like, popping in an MFA token into your laptop can prevent your password from being stolen. It's not that easy, because they're very different. But that Log4Shell attack, it wasn't even really an attack that way. Um, it was just a... an accidental vulnerability in an open source component. Most software vulnerabilities are accidental, right? Uh, people write lots of code. I write lots of code. All code has bugs. The more code you write, the more bugs there are. And some of those bugs have a chance at having a, you know, huge security impact. And this was kind of like a worst case scenario bug, where the library was the most commonly used library.
It did logging. That's something every program needs to do, in the most commonly used programming language, which is Java. And it was, you know, the easiest thing to possibly exploit with the most severe circumstances. So it's kind of like a worst case scenario, perfect storm vulnerability. It had been introduced like close to 10 years before, too.
So the industry had a decade to roll out this vulnerability, and then had to figure out all the places it had made it to and how to patch it over the course of basically a weekend as attackers were trying to exploit it.
There were some tweets, like, they're bragging that, uh, that library was used on the Mars Rover.
So this is like the first interplanetary software vulnerability that I know about. Um, that's how widely used this code was, and so it's also a supply chain attack. Um, that was accidentally there, but it was a component in people's supply chains that was then used to exploit them.
Turner: How does that typically work? There's a vulnerability that's discovered, which is basically someone's made an attack and people realize there's a way to reach through all the hackers immediately go. Did the bad people say, let's try to exploit this. And then the good guys immediately say, we need to figure out how long this has been open for.
And all the vulnerabilities exist. We have to close that man. We have to do it.
Dan: Basically. Yeah. There's this whole, uh, responsible disclosure thing. It's called when, uh, security researchers, they're called like, you know, good guys that are going around looking for these bugs. When they find something and they're not, you know, bad people on the Internet, there are plenty of those too.
But when, you know, researchers find it, there's this whole system and protocol that, you know, gets debated all the time, but exactly how that works, but they, you know, will privately disclose that vulnerability to the maintainers, whoever is going to apply the fix. They usually get some amount of time to do the fix in private rollout without causing this big panic and maybe without tipping off attackers at the same time.
This is usually cross country, international, cross company. And so, like, the results of that vary because keeping secrets is hard. And like the very first rule of secrets is that people love to gossip about them. So these things almost always leak after some amount of time. And the Log4Shell one was, um, no different, right?
A bunch of companies were in this embargo program where they got advance notice. And then, I believe Cloudflare it was, uh, who, you know, monitors a lot of internet traffic, I think within hours of the private disclosure started detecting attackers trying to exploit this. And so it leaked very quickly and people were, bad people were trying to exploit it very, very quickly over the course of this.
So the whole process usually ends up getting very rushed for very severe ones, um, and it causes a big panic. It ruined a lot of people's weekends that, uh, that year.
Turner: Why is it a big deal if your software is vulnerable or if a hacker gets through your system?
Dan: So in this case with Log4j, right? It varies depending on all of these, right? The impact can vary. In this case, um, the way it worked was, uh, if you could trick the program into logging something specific, right? And that happens all the time. Then you can get full takeover. Like, you could do anything you wanted to that system.
You could execute whatever code you wanted and do anything you wanted.
Turner: You're literally an admin of the system.
Dan: Yeah, and so some of the exploits were as simple as, like, if you type something specific into the password field of your bank, now you have full admin permissions at the entire bank, stuff like that. That's how easy it was to exploit.
Turner: Yeah, so you could, like, control Goldman Sachs, basically.
Dan: Yeah, just by typing something into like the username field.
Turner: Wow, that's insane.
Dan: Not all of them are that bad. Some of them are more subtle and attackers are incredibly sophisticated and will find like 17 different ones that move them incrementally in different directions and chain them all together and end up with something similar.
But this was like anybody on the internet could just copy paste something and start attacking servers.
Turner: Going back a little bit to something I think we touched on earlier was open source software. What is it and then why is it kind of a big topic related to security?
Dan: Yeah, so open source, uh, is, there's a bunch of different ways to describe this. It's this fascinating phenomenon. It's really hard to explain to people that aren't in the software industry on why it works and why it exists. But it does. It's this massive community collection of shared code that anybody can just use freely for anything they want.
Um, even, you know, to build companies on top of. And the collection is so large that the modern application stack, if you're going to go start building a startup or a proprietary application or something that you want to sell, 90 to 98 percent of your code is going to be open source. You're only going to write the tiny 2 percent on the top.
And that's just stuff that people put on the Internet and gave away for free. It's like a very hippie-esque commune style system where people contribute to it. They release stuff. There's a bunch of reasons to do it. There are a bunch of startups that do it too. And then everyone else is just able to kind of share that and build a bigger digital commons and a bigger set of goods and move a lot faster and innovate a lot faster.
Turner: You kind of take the public code and you maybe fork it and create your own version of it and you just tweak it slightly to solve whatever issue you're working on.
Dan: Yeah. Or you just use it directly, right? If you're gonna write an app in Node.js, that's one of the most common languages for writing, you know, apps for your server. And you start out by installing some framework, and that framework is gonna pull in thousands or tens of thousands of other libraries before you even start writing your code.
So all of the basics, all of the stuff that isn't really critical and core to your business logic, there's open source components for already, um, and they're just maintained by the kindness of people's hearts and, uh, people doing it for free on the Internet. Um, the main website that hosts a lot of this is GitHub, probably like 90 percent of the open source code out there is hosted there and people can just look at it, contribute fixes back to it, find security issues, fix security issues, and kind of constantly iterate to make it better over time.
Turner: How did it grow so big? Is it because it's free and just very easy to use?
Dan: It's been kind of a long ride, right? Open source has been around for the better part of 30 or 40 years. The main operating system used in server side computing is called Linux. The Linux kernel, that's open source and just turned 30 years old recently, or 25 years old, something like that. Um, and it just started on mailing lists.
People publishing code, getting feedback and then reusing it. Email lists before there was like the Internet because open source powers the Internet.
Turner: Yeah. It was like the original newsletter writers.
Dan: Basically, yeah. There were books people used to buy that had code in them, and you would like type that code into your computer, so you didn't have to write it yourself before the Internet.
There's a lot of legal complexities there, too, because when you just put code on the Internet, there's copyright issues and trademark issues, and it took a while before people and lawyers and companies really got comfortable using that and making sure they weren't going to violate someone's copyright or get sued or have to buy some expensive license later.
The 90s, early 2000s, kind of going into the mid 2000s were kind of a lot of churn in the licensing aspect. You'll find tons of forums and flame wars over which licenses are best, but eventually that kind of settled down. Uh, and companies got comfortable knowing which licenses they were allowed to use.
And then it became basically frictionless. Developers anywhere from banks to defense contractors, even the government, are just allowed to use these pieces of code without having to get approval. So that's how it grew so fast, when that friction kind of disappeared. But now there's kind of this security hangover, is sort of how I describe it.
You know, for the last decade or so, there was this licensing worry. Um, but as that got resolved, people grabbed open source and put it in tons of places without really thinking about the security implications. And that's sort of what we're suffering with now.
Turner: And then there's this concept of zero trust software. Is that related to open source?
Dan: Somewhat. Um, yeah, zero trust is a, you know, a set of frameworks for operating systems securely. There's a bunch of open source tools and frameworks that allow you to do that. Ironically, open source itself, right, is not zero trust. You have to trust a lot of people in order to use it. And that's one of the problems here with the security.
You're getting code from strangers on the Internet and just kind of trusting that they are good and nice people not out to get you. Unfortunately, most of it is that way. Most of the stuff is written by people with good intentions, but not all of it, right? Um, there are mean people on the Internet. I've said that a couple times.
But yeah, and they do bad things with this open source. And some of it's accidental, right? Some people will publish a project, forget about it, or maybe move on or get some job or get busy and then they don't have time to keep fixing it or keep improving it. And that has a lot of problems when critical systems are built on it and bugs get found.
Turner: So zero trust software is almost the opposite of open source in the sense of, you know, you just assume every single piece is vulnerable and you have to secure all of it.
Dan: You could say that. Yeah. Um, yeah, you have to, like, you're trusting a lot of people when you use open source. Yeah, zero trust kind of got pivoted into, some of my hesitation there is zero trust kind of got pivoted into this marketing buzzword that you'll see at security conferences and everybody slaps it on their booths.
So it doesn't really have a meaning outside of like a very specific set of security products these days. But philosophically, I would completely agree with you.
Turner: In terms of just this whole problem with supply chain, like the software supply chain, do people understand how big the problem is?
Or was there a moment where people suddenly started to realize how big the problem was? Was it solar winds or are we still underappreciating the severity of it?
Dan: There's a general understanding now that the problem is very big. I don't know exactly how big it is, right? You know, there's a lot of good analogs here to like VCs kind of just guessing at what the TAM is of something, right? You can say it's pretty big, but is it, you know, billions or trillions? I don't know.
What's underappreciated to some extent is how hard it's going to be to solve. Still, so everybody's now saying, all right, we have this huge problem. Um, this is a giant mess. Let's go fix it. I think in some ways this is actually a lot closer to like hard tech than people realize. There's not going to be a magic answer
you can just use to paper over and fix security. Um, it's just not going to work that way. So I think there's going to be, need to be a lot of new stuff invented and a lot of new techniques and we have to change the way that people build software to really address this. So I think that part is definitely underappreciated.
Turner: Changing how people develop software. That maybe starts to get us a little bit into what you're doing at Chainguard. And maybe we go back even a little bit further.
You didn't even go to school for software engineering. You went to school for mechanical engineering. Can you talk about that really quick?
Dan: Sure. Yeah, I started in mechanical engineering. I used to build and fix and race stock cars all through high school, and that's what I love doing, building things. So that's what I studied in college. I got into software that way. We had to take some classes and learn MATLAB, which is this, yeah, god-awful programming language that you have to do for like writing simulations and doing modeling of like mechanical systems and stuff like that.
And I started to like it and got into it and then kind of taught myself the rest of programming through school. I decided I liked that a lot more than mechanical engineering. You still got to build things, but it was a lot faster. You didn't have to order these parts from China and build them in a machine shop and reserve time on these like massive CNC systems and stuff.
Anywhere with a laptop, you could just build things. So I kind of got hooked that way.
Turner: And then you probably finished school. I think you didn't switch your major, but you just started working as a software engineer immediately right out of school.
Dan: Yeah. Switched over that way. It was kind of late through school. So it would have been too hard to switch majors. So I just finished, got a job at Microsoft, worked there for a couple of years. I got a job in another small startup for a little bit, and then spent most of my career at Google before starting Chainguard.
Turner: It feels like based on our previous conversations, that's where you really got very deep into the security space. Can you just kind of enlighten us of the things that you've learned and kind of built while you're at Google.
Dan: Yeah, I started at Google. I think it was in 2012 and, uh, you know, I didn't know much about security and never really worked on it or thought about it too much. And that time at Google was pretty interesting, the 2012, 2013 years. It turns out like similar things were happening at all the big hyperscalers and massive tech companies at the same time.
But a lot of us kind of kept secret until recently, but that's when stuff like the, the Snowden papers and, uh, you know, other large nation state attacks started happening. In my career up until then, we kind of just assumed everybody at the company was good and, like, a lot of doors were left unlocked and you could trust your engineers because if you couldn't do that, then, you know, what were they doing there?
You just kind of trusted your team because that's what made sense. But then these large companies kind of found that, you know, if you have thousands or tens of thousands of engineers, there's probably a pretty good chance, uh, you know, low to mid single digit number of them are actually working for, you know, some foreign country that wants to do bad things.
That's easier than pass at some point, passing the interview process and getting a job and getting handed a laptop is easier than trying to hack it from outside. And that was happening. And that was kind of like this massive mindset change in how you have to operate large systems that have people's private information in them that you want to take seriously.
Everyone kind of noticed it at that time. Uh, and that forced, you know, these large companies to completely re-architect the way that they build software and the way that they operated software securely so that engineers couldn't just hop onto the prod server and check the logs when there was a bug.
If you can do that, you can also do a lot of other bad things. Um, and that was happening. So it made it a lot harder to develop software, but it required people to build a lot of new technologies and invent new ways to do all of that, while still being productive and efficient, but also preserving users' data and doing that in a serious way that is hardened against kind of these insider nation state attacks. Then a couple years later, I started working more in open source as that was kind of growing and saw that all of that fun security technology that we had just built and rolled out because it was very important just didn't exist there. People weren't doing any of that. Um, and it was kind of like stepping back a decade,
it felt like, and all the security stuff that we had just been told was very important for very good reason, and then it just wasn't there anymore. So that kind of terrified me and got me thinking about this whole space. Okay.
Turner: At Google, you figured out how to solve some of these supply chain type attack or an insider type sabotage situation. And then when you looked at the landscape of open source, you're like, Oh my God, it's almost worse.
Dan: Yeah, I wouldn't say I was the one that figured it out at Google. You know, other smart people did, but I got to see it and realize how scary it was and why we needed this stuff. And then, yeah, I realized it was missing and it was a massive mess. Some of the shift that happened in that decade, I guess, you know, from 2012 up to 2020 and 2022 was if you weren't Google, Amazon, Microsoft, Facebook, one of these massive companies that had, it's,
tons of private data, you probably didn't have to worry about some foreign country sending spies at you. If you're a 30 person startup and you're worrying about that, you're not going to make it.
Turner: Yeah. You've got,
Dan: You have other things to worry about, like paying bills. And, you know, for the most part, they weren't attacking companies like that because they didn't have enough data and all that stuff.
But then kind of what happened with SolarWinds was people realized that, hey, you don't actually need to be one of those companies with that data. You need to be someone that sells software to someone that sells software to someone that sells software to somebody that has all of that data and the attackers could still exploit that.
So you didn't have to worry about that until all of a sudden you did, when nation states did start attacking these smaller companies. And that's where this massive change and improvement to security is going to have to come from.
Turner: And probably the larger companies were really the only ones that almost had the resources 10 years ago to even do anything about it, or at least be able to react the fastest or smartest.
Dan: Yeah, it's not gonna be cheap. It's not gonna be easy. There's gonna have to be a lot of new technology built. People are gonna have to spend a lot of money to fix this. Um, that's where the government is stepping in. Nobody wants to, you know, willingly spend a ton of engineering time or money on the security stuff that they didn't have to budget for yesterday.
But the regulations coming from, um, Washington, D.C. in the U.S., Europe, the UK, Australia, kind of all these countries are now rolling out their own form of regulations to really influence and require a lot of this stuff to be baked into the software development process.
Turner: So what all is the government doing and how is it being, mandated if that's a way to describe it.
Dan: Yeah, a lot of this is still rolling out now. This is moving actually really fast for the government over these last couple of years, but also like glacial speed for tech industry and startups. But overall, it's still moving along pretty quickly. It started with this executive order from the Biden administration, I think in May 2021, something like that, after that SolarWinds breach.
And you can't just have an executive order that says all software must be secure. It doesn't quite work that way. Instead they directed a bunch of government agencies to go talk to companies that had a lot of experience in that space, start distilling that down into best practices, publishing those as standards.
And then the big one is using those standards and best practices in government contracts. So the government is the largest buyer of software in the world. They spend the most money on software every year.
Turner: This is the US federal government?
Dan: Yeah, and so they can't really just legislate the way you write software. They can't throw you in jail
if you had a vulnerability. It doesn't quite work that way. Uh, instead, what they can say is we're not going to buy your software unless you meet these standards and follow all of these best practices and harden your software in a certain way. Um, that's a pretty big hammer. If you want to continue to sell software to the government and you know, every large company in the world does and needs to, because they're one of the largest customers, then you've got to, you've got to play the game.
And so that's kind of the stage right now. A bunch of different government agencies are starting to roll this out into contracting vehicles and mandating it that way. There's also this kind of fun catch to it where, if you're a vendor selling software to the government, you have to do all of this stuff, but then you also have to go recursively require all of the people you buy software from to do it as well.
If you're thinking, “Hey, I don't sell software to the government, I'm fine. I can keep going along.” Uh, maybe for a little bit, but it's going to quickly spiral to the whole industry because you sell software to someone. Um, and at some point in the chain, somebody is going to be selling software to the government, and you're going to start getting required to do this.
Turner: So is it each, country or government has different things that they're kind of mandating?
Dan: Of course, um, and I've seen all those memes of like, you know, the U.S. is competing in AI with China and Europe is leading in regulation. That kind of thing is playing out again here. There's this, uh, a lot of these are hot topics going on right now. So if you're listening and you don't want to comment, you can still do that today, both in the US and in Europe.
But Europe has this version of it called the Cyber Resiliency Act, the CRA, and I joked before that you can't just mandate that all software is secure. It doesn't work, but Europe is trying. Um, this bill is basically like effectively banning open source software and telling people that if there's vulnerabilities, you're liable no matter what.
It's terrifying, honestly. I don't think it, it soft, it'll change software completely. It's kind of like that cookie button that pops up everywhere now because of Europe. Um, except like, yeah, even weirder because this stuff just doesn't make sense. Uh, one of the most controversial aspects of it is with open source, actually.
So if you write open source code, publish it on GitHub, um, like a lot of people do, and some company in Europe grabs that code and uses it, they don't have to pay you. They don't even have to tell you they did that. You have no relationship with them. And then they get compromised because of something in that code.
You're now liable as the original person that wrote it. Even though they paid you nothing for it, you didn't sign some contract. There's no indemnity clauses anywhere. And people are now like wondering whether they have to just ban the use of that in Europe to avoid getting fined or even worse because of unintentional consequences.
So it's kind of scary the way some of the regulation is shaking out. The U.S. has a much more thoughtful approach, which I never thought I'd say.
Turner: It's interesting because just generally in any kind of business, regulation usually benefits incumbents. And when I'm thinking through how this plays out, you're a startup and you suddenly get sued for a hundred million dollars because of some breach in Europe, it kills your company versus if you're, I don't know, just say a massive company conglomerate, you have a legal team of 20 people that can just kind of take care of it, or you absorb the fine.
Dan: There's definitely that too big to fail aspect of this where, you know, the biggest companies also get breached the most and good luck ripping out, you know, Microsoft from all of your systems. You know, there's just no way to do that. And so, uh, the regulations just kind of don't play out the way that you think in a lot of these cases, they definitely hurt the smaller companies.
Turner: Going back to time at Google, that's, is that where you met all of your co founders?
Dan: Yeah. I worked with them for a long time at Google on almost the same stuff over and over again. And eventually enough people cared because of these attacks that the space kind of took off and it seemed like a good time to try to start a company.
Turner: How did you figure out they were the right people to start a company with just for other founders listening, like anything that you went through or anything, any conversations you guys had or experiences where y'all decided. we're a good team. We know we're going to work well together.
Dan: Yeah, I think it was easy just having worked together for years, on different things, uh, both in this space and not in this space. Um, I can't imagine trying to start a company with people that, you know, you haven't actually worked with in, you know, these contexts, uh, for a very long time. I've heard of like the founder speed dating kind of setups where people introduce you to other folks.
Um, even if you have common interests, maybe in some cases it works out, but, um, not actually having spent years with somebody is, is really terrifying in my, my opinion.
Turner: So what are some of the things that you value in terms of what you would look for in a co founder relationship or even in somebody that works at Chainguard?
Dan: Startups are hard, not getting discouraged, just keep going and roll with the punches and deal with, uh, deal with it when stuff goes wrong, I think is, you know, the biggest thing, especially for people starting at a company, starting a company that's tiny. If you're at a seed stage or pre-seed or, you know, whatever they call it company, you've got to be ready to deal with that change.
You can't get hung up on it. You've got to be fine with stuff going wrong and just moving on and looking forward.
Turner: How did you guys decide to start Chainguard? Like what was kind of, was there a moment or a certain idea where just the flip switched and you guys made the jump to do it?
Dan: Yeah, there's no crazy planned out intentional story or anything. My co founder, Matt, you know, he's one of the best engineers I ever worked with. Uh, he took a break during COVID. He didn't have a job. He quit. He just got this, uh, you know, one of those Kamado Joe barbecue grills and a bunch of barbecue cookbooks and just spent a bunch of time making brisket.
And I kept trying to get him to come back and, you know, work on my team and work on all this fun security stuff.
Turner: At Google?
Dan: Yeah. And he just kept saying, no, no, no, I'm not ready to work. You just send me pictures of brisket every couple of weeks. And I just kept texting him and eventually one day he said, all right, I'm ready to come back to work.
But, uh, instead of me coming back to Google, how about we start a company? Um, and I was like, oh, that doesn't seem like a good idea. So I went, bought a laptop the next day, figured out how to incorporate. Um, and that was pretty much it.
Turner: What was the very first problem that you guys decided was worth solving? Because everything we just talked about. There's a lot going on. Where do you even start?
Dan: That was kind of the first problem, I guess. Um, you know, we knew this whole problem space was very messy and there's no single answer for it. And every week there's a new startup, it feels like, that, you know, announces on TechCrunch that they're doing software supply chain security. And so, you know, we knew kind of that first year was going to be figuring out what the best problem to solve is going to be, because not all of it is tractable.
You have to balance like the fun technical stuff with the real hard problems with stuff that companies are actually willing to pay for. And those don't always go hand in hand. So that was the first problem was let's go figure out which problem we want to solve first and which problem people actually want us to solve for them first.
Turner: How did you navigate that?
Dan: Lots of conversations with, you know, prospective customers, organizations, that kind of thing. You know, we have this unfair advantage that there is an executive order, um, that every company was panicking about, in this space. And so incredibly easy to go get a conversation with, you know, the CISO, you know, basically the chief security officer, any public company, cause they were all panicking about this.
They had maybe heard our names and they just wanted to know what they were supposed to do. And so, you know, it wasn't like we were just, you know, closing huge deals on day one. We, uh, people were willing to talk to us and hear our opinion on what they thought they should do and have a two way conversation to we could hear what they were actually worried about and how they were seeing the space.
Um, it took a while to go from that initial panic of the executive order out to people actually willing to make changes and spend money and make improvements. So a lot of patience was involved there, but the kind of past that inflection point, and people are buying stuff. It's great.
Turner: You kind of took like a consultant ish approach where it was just, tell us your problems. We'll tell you how to fix them. And it almost started productizing it in a way.
Dan: Yeah, we started that way. It was easy to get relationships set up that way. You know, when you're just giving people free advice and doing work for free, it's always hard to tell if they actually like it and value it. So starting with services, uh, it's risky. A lot of startups do that and kind of get trapped in that, you know, services area.
The money was there just to really kind of prove out that there was a real relationship and value. It wasn't like we weren't booking that as ARR and pumping up numbers and all that stuff. That was going right into the fund budget. But it was really just there to make sure, yeah, people were willing to actually spend time and work with us too.
Turner: How do you tell when you're doing customer discovery that it's even worthwhile products to continue building and developing?
Dan: There's a lot of methods. I don't know that we did this right or anything. Um, this is my first time doing enterprise sales at all. I had no idea how any of that worked. Um, I found, you know, in a lot of cases, it was pretty easy to find buyers, find decision makers and also frameworks you can read, but then actually navigating that whole enterprise sales process, uh, is so much different than, you know, actually finding somebody that sees value in the product.
These things take 3 to 6 months to go from somebody in a large company saying they want something to actually getting a purchase order cut. Layoffs were happening, you know, team reorgs, all of that stuff slows these things down.
And so speed is your best friend, but also these deals just take a long time.
Turner: And you guys incorporated the company and just kind of going back a little bit. It was the fall of 2020.
Dan: Uh, 2021.
Yeah. So just over 2 years ago, we just had our 2 year anniversary. Um, it was October 1st, 2021 is when we incorporated.
Turner: Amazing. Congratulations on the anniversary. What was then the actual first product that you sold that you actually people were using and you made money from?
Dan: Yeah, we had this amazing strategy where the space was super messy, and we decided to try two products at once, and we kind of drew the whole software supply chain space on like this line, and we said, we don't know what people are going to want to buy first. It's complicated. So let's try two things.
One on each side of the line. And then, like, we had this slide. It was like, what's your long term strategy? And it's like, we're going to fill in the middle. Like, we're investors laughing at that. But, um, it was, you know, it kind of made sense to us at the time. And yeah, so those two products, uh, their names are Chainguard Enforce and Chainguard Images.
And they're kind of coming at the software supply chain space from completely different directions because we didn't really know it was going to resonate what people are we're going to scale. You know, we had a couple early design partners and people that had paid for each, but going from those first two people pay money for something out to, you know, massive demand, uh, something that's scalable and repeatable, um, took a while.
Turner: So can you explain that spectrum and what those two products were and how they solved different problems?
Dan: So Chainguard Enforce was this kind of like exec-level, single pane of glass policy system, or if you're a security officer, you can get your developers to install this and then see all the stuff they're using and tell them what they can and can't use and enforce rules and kind of ratchet up your security that way.
The other product, it's called Chainguard Images. That's, uh, kind of us building a trusted supply chain for you is sort of the way I think about it. When we talked about that open source thing before, where people just grab these open source components off of the Internet, a lot of problems can go wrong there.
People can put bad stuff in there. They can screw up the way they publish things. They can forget to update it. So this product is basically just get all that open source stuff from us. We have SLAs. We fix vulnerabilities in it when they're found, you know, you're getting it from a trusted source.
If something goes wrong, you can come yell at us about it.
Turner: So Enforce is almost a top down. Execs could see what was happening and then Images was a bottom up, you would actually build the whole stack almost in a way and give them visibility that way.
Dan: That's what I mean by them being very different. And then we're gonna fill in the middle.
Turner: Yeah, I mean, that sounds like an absolutely terrible idea. Like if I was somebody giving advice to a startup founder, I'm like pick one. Don't do both at the same time.
Dan: Yeah, we got a lot of that.
Turner: I mean, it's an interesting kind of concept to think about, because no specific fortune cookie advice is the best advice.
It's like you figure out what is the problem that you're going after? What is the market, the industry, and you got to figure out what's going to work. And I guess if you have the resources and the expertise to attack certain problems or solve certain problems from different angles, you have the right kind of relationships.
It's like, why not? You're, you're just testing and trying to just solve problems for customers. That's really all it is.
Dan: Yeah, I mean, the early days was like, you know, we didn't spend a ton of time building these things before talking about it, right? Like, we got canvas set up and we made these 2 brochures and we just started showing them to people. you know, different people were interested in both. And so we were, like, hoping to get more clear signal early, but people like, no, these both sound cool.
And so, you know, it was a good problem in some ways, but it also meant we had to spend a lot more time figuring out what was really going to scale.
Turner: Yeah. And it wasn't like you guys were entering a brand new industry where you had no connections, right? Like you guys had done a lot of work in sort of the open source security community, and you were pretty well known from what I remember when I kind of first met you guys.
Dan: Yeah, we had a lot of advantages that way. We were somewhat well known. And then there was just so much attention to the overall space that made the discovery process pretty easy.
Turner: So then you also have this product called Sigstore or this community that you're kind of working on called Sigstore. Can you explain what Sigstore
Dan: Yeah. So it's this big open source project, kind of this open source community to help kind of secure that open source part of the ecosystem. Um, our early strategy was really centered around that. I'm trying to figure out ways to make products, try to get adoption of open source and then figure out how to sell that stuff later.
It's kind of not that core to our product stuff anymore. The open source is still great. We all still work on it. It's fun. You know, we get to do good stuff by helping secure open source, um, and all these free projects and everything. But yeah, it addresses this gap in open source and in software development a lot of folks don't realize exists.
But it's this big supply chain problem where I mentioned, like, all that source code is up on GitHub. Anybody can just go kind of look at that and read it and use it. But then when people actually go to use it, they don't get that code from GitHub anymore. They go get something completely different from some other place.
There's this link that not everybody knows exists where, like, you can see the source code and everybody thinks, oh, I reviewed the source code. I didn't see any bugs. I'm good. tattoo. All right, I'm just gonna go grab this, like, dot exe file that somebody kind of pinky swore came from that source code.
You can't really check that. You can't verify that it actually came from the source code. You can't verify that somebody didn't kind of tamper with it in the middle there. And it's just kind of been like, I guess this is fine. You know, that meme, like, everything on fire, um, for the last couple of decades.
I guess this is fine. Um, and that's just how software does it. They all work. But yeah, so Sigstore's kind of this technology to actually let you prove that that stuff that you're downloading actually came from the source code, so it prevents whole classes of attacks, and all sorts of open source ecosystems are using it and baking it in.
So it's been a huge success. We never really figured out how to charge people for it, but it's still this kind of fun project that I think has had a really large impact on the industry.
Turner: Yeah, it's probably good from just a broad marketing perspective. Just having people trust the Chainguard name and know that you exist and, establish you as a, like a thought leader, I guess. I hate that word, but puts you at the forefront.
Dan: that on my LinkedIn bio.
Turner: Yeah, open source security thought leader. Well, I mean, on that note, you, you kind of are, I think you, you'll always send me, like, you'll be quoted in a Wall Street Journal article.
And like, how do you, how do you pull that off as a early stage startup founder?
Dan: Yeah, it's surprising how low the bar is to get quoted by these major publications.
Turner: Well, so how do you do it?
Dan: We've done a lot of that and you know, our comms team is amazing. Um, and that was kind of our, this is probably something that I've read books that say don't do this, but, um, we focus on comms more than, you know, direct marketing early on.
We knew that the space was so confusing. Nobody really wanted to spend money yet. They were just out for awareness. They just wanted to know, you know, what they should be doing in the next couple of years, putting stuff on their roadmap. Um, and so we didn't think marketing was going to be that effective and no one had a budget yet.
No one wanted to actually make any changes. And then every day there were like new startups getting announced all kind of competing over the same space. And so our strategy was more like, let's just get our name out there. So next year or in 18 months, when it all shifts and people are ready to spend money, um, all the buyers and all these large companies know us more than everybody else.
And so we put a lot of time into that. We do these kind of like rapid response things where a major news event happens and we'll just put statements out there. And then when reporters are trying to find somebody to quote, like they come and use us or they'll come and talk to, you know, somebody at our company. And it's a big advantage startups have that, you know, the massive tech companies don't, where, you know, if you want to put out a statement for the Wall Street Journal at Google, like you probably need like 37 different people to approve that.
Um, and by that time, the story already ran and the reporters moved on to something else. And so just being able to react quickly. It doesn't even cost anything, right? You don't have to pay for it. You just have to follow the news and get stuff out quickly. And eventually it kind of builds and people even come to you for your opinion on something you haven't even read yet.
I love that one when it's like, oh, what's your opinion on this? I don't have one because I don't know anything about it, but I can just make something up.
Turner: Hopefully you don't do that. Or if you do, it's a, it's not actually made up. It's a, it's a qualified opinion. That's been, uh, you've spent some time on
Dan: Yes, sometimes…
Turner: And you guys have done a lot of memes too, right? Do you think a good strategy for B2B startup marketing, these memes?
Dan: It's worked for us. I don't know how repeatable it is. It's kind of crazy how many, you know, leads we get and customers and prospects we're working with that, you know, tell our team they first heard about us through memes. Um, I know you do it too. I've taken a lot of inspiration from, you know, your approach to getting awareness of Banana Capital.
Um, but it's worked pretty well. It's, you know, security is kind of an interesting industry too, where it's really scary, right? There's like real world consequences and hackers stopping all the time and people lose their jobs over, you know, making mistakes. And so it's a high stress industry. And I think a lot of the security community likes to kind of have that flip side and kick back and make light of the situation a lot of times too.
I don't know how well this would work in other industries, but you know, the industry loves a good joke every time when bad stuff happens. And so I know our stuff gets reshared inside companies and all of that. So I think we get a lot of support that way.
Turner: Cause you have things that flow through your Slack and you'll like send me a screenshot from Slack of like someone applying and they'll, they'll mention they saw a Chainguard meme or something. And it's like a very high individual at a company that they probably got budget to spend on, on a product.
Dan: Yeah, we were doing a bunch of TikTok stuff, too. We tried that early on. That didn't work terribly well, but because TikTok started getting weird in the algorithm and banning like content about hacking and security and stuff because they don't want people to be sharing a lot of those instructions.
So we're getting flagged for that a lot, but that was working too. People love the videos. Like one of my TikTok videos got quoted in like some BBC article at one point too, and I was like, this is so bizarre.
Turner: Well, I mean, I've run into the same thing where I had this weird thesis going into building a venture firm that, it was maybe it was a similar setup where very serious industry, like you look at the content that is out there and it's, you think of it as a board member, someone in a suit giving you this serious advice on how to build and scale your company and all that kind of stuff.
And maybe you could say the same thing with security. It's a serious issue. All the content needs to be a certain way. And I guess I kind of had this hypothesis of like, what if I just do the opposite? And there's a, yeah. Like you almost think of it as a supply and demand thing within the industry. What do people want to read?
And, I remember seeing this stat, it was, it's probably like five or six or seven years old at this point, but meme related content on Instagram was shared seven times more than non meme related content. And that's free marketing, right? Like that's free top of funnel branding. So that was kind of my thesis going in is like, huh, if I just make stuff that's funny, it pushes through the noise.
Dan: I can totally see that. I, I don't know anything about marketing either, and I've been learning stuff as we go. But I remember seeing this video early on that kind of stuck with me about millennials and folks in the workforce now, and how, like, if you're trying to do B to B sales, they might not be the decision makers.
They might not be the buyers, but they certainly have a lot of authority. And if you're producing content, I can't remember the exact phrasing, but it was something like you can make content that you optimize for the group chat, and I've been in companies, and there's always those group chats where people just share funny stuff, and you can have a whole class of content that you make there that they share and get awareness that way, kind of support within a company, and then you still need those funny stuffy white papers that, uh, you know, they're gonna actually pass up to their, you know, boss or director when they're actually getting ready to make the purchase.
So there's like two audiences you're optimizing for within companies. The, you know, the serious ones where you need to have ROI calculators and magic quadrants and, uh, those kinds of things. But it doesn't need to all be that. And then, you know, if you get support through, uh, you know, stuff that's optimized for those group chats that everyone knows exists, then, uh, you can kind of split it that way.
Turner: Even companies where like Teams is mandated, most of the engineering teams have a separate, their own Slack or like, we
Dan: Or they have the group DM where they pass on that stuff.
Turner: When I first kind of started doing content on the internet, it was all very serious stuff, and I started to experiment with memes and more humorous content, and one of my worries was, do you ruin your credibility or something?
And I just remember I had a friend who, he's like, dude, you write these like super dense 10,000 word blog posts also,
Dan: I've read the 10,000 word stuff later and they're awesome, but I didn't find that first, I found the memes.
Turner: It was an interesting comment that I got from, he's a founder of a public traded company, guy that I met, invested in my fund. And he said his kind of like one liner for it was come for the meme, stay for the memo.
Dan: Yeah, that's, that's a great way to put it.
Turner: Very succinct.
Dan: Not many memos go viral.
Turner: Yeah, exactly. I actually have never asked you this before. Why did you guys reach out to me when you were raising money?
Dan: It was the memes. I just liked the memes.
Turner: Yeah. Okay.
Dan: That was actually, yeah, there's the memes, and then I read the content, and it seemed awesome, and so, uh, yeah, I can't remember, we got some intro to you from somebody that, you know, we knew that knew you and you were the only investor that turned us down when we were raising our seed round.
I think you get a, you get a badge for that one.
Turner: Yes. That was my fault, but I did get to invest later. So.
Dan: You're so nice about it. You were like, this, this could be a good idea. I just don't know any of the words you explained, so I have no way to judge.
Turner: It's something I've been actually getting a lot better at as an investor. Like I, I do try to really understand the companies and industries in the spaces. And I used to just straight up, there's a couple of people that if you just go to my DMs or my emails, it's like, they're like unicorns now.
And I just like didn't invest. It's like, I just don't get it. And I just almost had like a hard no on the industry.
Dan: Your anti-portfolio.
Turner: Yeah, my anti portfolio is pretty, pretty scary. I mean, if you think of like with certain companies, I have a couple where I like passed on the pre seed round, then I invested in the seed round.
One example, I just told him, I was like, this is an insane idea. This seems really smart, but I just don't think it's going to happen. And then they came back to me a couple months later and was like, we've got all these customer conversations and here's all these things.
And I'm like, holy shit. You guys were right. I'm an idiot. I should have invested.
Dan: Yeah. The investing landscape has changed so much. When we started this company, um, we're kind of reflecting on it for a two year birthday, uh, or two year anniversary. And we started in October of 2021. And you remember that there's been a big shift since then, you kind of feel it, but that was like peak bubble.
I pulled up. Yeah, I pulled up some like TechCrunch stuff. Um, and it was like, WeWork was at its all-time high that month. It was like $500 and something a share. And now it's like $4 a share. That was the all time high was like a week after we incorporated. FTX had just raised a $400 million Series B that month.
That was basically the top. I thought fundraising was going to be so much harder when we decided to start the company. And then, um, it was like people were ready to hand us term sheets as soon as they heard that we were going to start a company without even asking what it was, um, and I was like, oh, wow, is starting a company always this easy?
And it turns out no, because the market changed so fast in that amount of time.
Turner: So I'm really interested. How did that go? Just, we can maybe talk through some of the funding rounds and then how they went. How did that first one play out?
Dan: Yeah, I, I mentioned, you know, Matt said, let's start a company. I was like, sure, let's go figure out a race funding, read a bunch of stuff. And then like, I remember cracking open my LinkedIn and just saw, I had a bunch of like DMs from investors that were like, let's chat. And I was like, all right, let's, let's chat.
And like, they were just ready to hand over term sheets when we said we were starting a company.
Turner: And did you, did you update your LinkedIn profile to like, you know, stealth founder or
Dan: I mean, that was later. Yeah, we talked to folks, figured out what the whole process is going to be like, and, you know, incorporated and signed a term sheet a week later, but yeah. Talked to a bunch of great investors, just kind of took a little bit of time at that stage and figured out who we like the most and who we wanted to work with.
And that's how we made the decision.
Turner: How did you make that decision then? Because there was, like you said, a lot of demand, I guess there's a lot of capital that was trying to find a home, like find startups to invest in. What did you think about and prioritize in that very first round?
Dan: Yeah, we did a bunch of reference checks. You know, we talked to folks that had experience working with a lot of the investors, narrowed it down to folks that we just liked and could see ourselves working with for a long time and get along with, ended up making the decision that way.
Turner: It was Amplify that led the Seed round?
Dan: Yeah, so they're incredibly good at that. Finding startups in the space that we're in, like, developer tools, infrastructure, and all of that, months or years before they're even, like, thinking of incorporating, um, and just kind of being that first investor that you've ever talked to. And so I think, you know, for us, like, it almost backfired where they were the first ones I talked to because they had just been like DMing me for a while, and I was like, cool, let's chat. And we got along really well, and I was like, what are the chances the first one I talked to is actually the best one? And I feel like I put them through more diligence than like I normally would have if they had been like the second or third I talked to.
But that's their whole MO. That's like, they're used to that just because they focus on stuff so early.
Turner: So they were actually proactively talking to you when you were still at Google.
Dan: They still do that and they're talking to people that might start companies years from now. So I think that's their strategy. And it takes a ton of work, but they do it really well.
Turner: Yeah. I mean, your returns will be way higher because you invest earlier versus somebody who's like, Oh, cool. You're doing so well, the company's this big, there's all these proof points, the market, like Bain has made a pitch deck with 60 slides on your market that explains it all to us, we'll invest, right?
Like, I mean, they probably have a 10x lower cost basis than the investors that do it that way. And their returns are probably way better.
Dan: Yeah.
Turner: So then, I unfortunately turned you down, which was a mistake in that very first round. I think it was. Oh, actually, if I'm remembering, I think it was the check size. Cause I was trying to make this transition to writing larger checks for my fund.
Dan: And it was last minute too. I didn't blame you.
Turner: Retroactively I probably should have, right. That was my mistake, but yeah, I was, I was really trying to focus on, can I increase my check sizes? Because as an investor, you want to make sure the amount that you're investing in each company matches the strategy of the fund size that you have.
And I was really focused on, I just got to nail this and prove to people that I know what I'm doing. And it's learning when to make those exceptions is probably one of the trickiest parts about being a, being a VC.
Dan: I've seen the VC math stuff. It is hard. It is brutal. People think it's easy.
Turner: And I guess, just really quick explaining to people who don't know, you basically need to 3x return a fund. That's like baseline for probably staying in business. So if you raise $100 million, you need to return $300 million to your investors and, and most investors expect closer to a 5x.
And they will typically try to invest in funds that they think have a path to getting a 10x. So if you raise $100 million, they think there's a chance that you'll give them $1 billion back. If you have a $1 billion fund, you need to be able to say you can give $10 billion back.
The bigger those funds get, it just gets harder.
Dan: Yeah, it's hard to find those opportunities while keeping your standards high and staying patient.
Turner: And then also being able to say, like, let's say I have a $1 billion fund and I want to invest in Chainguard, your very first round, I think you guys raised $5 million, right? So I would need to make hundreds of investments, Chainguard equivalents.
And then also I probably don't even know what I'm investing in. And I can't even keep up to date with you. I don't even know how you're doing.
Dan: That’s called the Tiger strategy, right?
Turner: Yeah, which I don't know. We'll, we'll see how it holds up for them…
So then what happened after you closed the Seed round? You guys had about $5 million in the bank. You felt like you had enough to start the company. What happened next?
Dan: Yeah, uh, you know, the guidance at that time is, you know, raise something that'll last 12 to 18 months, you know, raise something later. Um, and so that's what the plan was. Hiring went pretty well. We got our first couple of hires in quickly. Um, awesome engineers, were able to grow out the team pretty quickly.
Turner: And you guys hired a lot of really impressive people too.
Dan: Yeah, that was going really well. I actually thought hiring people because you know, at that time was also the big tech bubble and everybody was doing like the four day work weeks and nobody wanted to quit these huge cushy jobs. So I thought getting people out of, you know, these crazy high paying jobs is going to be harder than it was.
But hiring went pretty well. And as a result of a lot of that, Amplify kind of offered us this, like, kind of uncapped SAFE right after that of another 10 million dollars just to keep going and growing faster. So we took that, um, and that was gonna last us even longer.
Let us grow a little bit quicker into the next year, as we were waiting stuff out and kind of in this land grab with all the other startups that were starting up in the space. Um, and everything's going great, and we were getting all these weird unsolicited offers from other investors to, like, pre-Series A's and stuff.
And we were just kind of ignoring those, until I think that spring when Amplify, uh, said, Hey, uh, the market looks like it's going to get bad really quick. You should probably raise the series as fast as you can. And we're like, Oh wow, that sounds scary. And so we did that.
Turner: This was spring of 2022?
Dan: Yeah, and it was perfect timing. Like it felt crazy doing it at the time because all the startups were still going to the moon and like, you know, crypto was exploding and all that fun stuff. But we did, and it was like, closing a round takes like four to five weeks. Like you've probably seen a lot of these priced rounds, from like the day that we signed the term sheet, to like the time it actually closed.
I went from kind of regretting taking the dilution, to fingers crossed, praying this thing closed. Our investors even said at the end, they were like, you know, we would not do this round today. That's how quick the market changed in that four to five week period.
Turner: Wow. That is wild. So you guys had pretty, would you say strategic smart timing or would you say, was it just lucky?
Dan: That one was blind luck. Like, I know a lot of companies that, you know, if you waited one more month while all those valuations were rising and stuff like that, then like people lost out completely and, you know, really struggled to raise. That was like the summer where investors kind of just, you know, took the summer off and then never came back that fall.
In some ways, uh, it was like the, you know, the slowest year of investing on record. And, you know, a lot of folks are still feeling that pain.
Turner: Yeah, I mean, credit to Amplify for saying, you have to do this fast.
Dan: Yeah, it was great advice. And yeah, we, you know, we, we took a larger round than we normally would have to because the logic was, you know, if we're doing this, it's because we're worried about the next 18 months being a blood bath. So let's take more to make sure we're going to be okay on the other side.
Turner: Yeah, and, and would you say, in retrospect, 12 months or 18 months of runway, probably too low. Like, do you think founders should probably raise more than that? Or -
Dan: I mean, at that time, yeah, I mean, a lot of companies had huge markups quickly, took less dilution, like, you know, in that 2019 to 2020 timeframe. Now, I mean, it kind of depends on your level of risk tolerance, I guess, when the market shifts quickly that fast the other way, because of inflation and interest rates.
You don't want to be caught with your pants down, I guess, taking a very tiny round at a very high valuation.
Turner: I guess what we can kind of explain to people a high valuation, basically no one wants our valuation to go down. It does happen. And it's a, it's a kind of a normal thing. But people are very, almost averse to it. No one likes it. It always is kind of tough to stomach.
Uh, and then tiny dilution basically means you raised a little bit of capital. So it's like you don't have much in the balance sheet. You're going to need to raise a little bit. You're going to raise more cash sooner.
Dan: Yeah. These aren't public companies that trade at, you know, current revenue run rates, right? When, uh, investors invest in your startup, they're investing on future potential. And so, you know, when the market was really, really good for startups raising, they were willing to look farther into the future, investors, and give you these higher valuations.
But that meant you had this higher target you had to go achieve and grow into. And when you're raising money, a lot of folks probably don't understand this. Like you can't pick any dollar amount, right? There's ranges. Investors have ownership targets they want to achieve. Usually somewhere around 10 percent plus or minus, depending on the round, you know, 20 percent there, but no investor wants 50 percent of the company.
That's private equity. That's not venture capital.
Turner: Yeah. That's how venture worked in the nineties kind of. And people realize we're not doing that shit. We're going a little bit lower than that.
Dan: Yeah. And nobody wants like half a percent or something like that if you're a lead investor. And so there's kind of this fixed range, there's flexibility, but like, don't, it's not a perfect formula, but if you're going to raise a round at, say, you know, 100,000,000 as your valuation, it's going to be somewhere around 10,000,000 plus or minus.
Um, nobody's going to write a lead round of 500K at 100,000,000 or something like that. And that scales too. So if you're going to raise a round at a 1, like a unicorn or something like that, and you raised say 70,000,000, on the dilution side, that's really, really low. And so you've set a really high target for yourself, but you might not have given yourself enough money to grow into that.
And so that's where it gets risky.
Turner: Yeah. And plus your investors might not be that bought in. Let's say your biggest investor only owns 1 percent of the company. You really have no one who's aligned with you as a founder in some senses where you guys all own 20 percent or whatever the number ends up being. You could say maybe the investors don't care.
I don't know if that's fair to say, but there's just a little bit less urgency on their end, but also they may not have the fund size and all their portfolio construction to continue following on. Like, let's say you run into hard times. You probably want an investor who has told you, like, we reserve about 50 percent of our initial check or a hundred percent to follow on over time.
And if you know, you run into some struggles or you're still making a lot of progress, but you just need a little bit more money, we're there to give you another, you know, X dollars, whatever the percentages are, the number is, which is awesome as a founder to have that.
Dan: Yeah, it's like a cushion or safety.
Turner: So how did you guys decide who to go with for that series a, when it was, you know, kind of a crazy time?
Dan: Yeah, that process was like 36 hours. Total. Um, I just happened to have dinner with this partner at Sequoia booked like the next day, who I'd never met in person once. I think I like one Zoom call a couple of months before and he was coming to town where I lived for some conference and we had dinner booked.
And yeah, I got that message from Amplify and I was like, all right, we'll try to do it tomorrow. Then he's in town. And it's usually not that fast, but yeah, we, you know, did it that night, handshake on the term sheet the next morning, and wrapped it up quickly. So yeah, not much of a process because it was all expedited.
But, you know, it's quite an amazing partner. Bogomil, who's on our board, is amazing. It was a very rushed process. Um, I don't have any regrets. Uh, you know, we want a great brand and everything like that, but we didn't really take time on it because of the urgency, and I'm glad we didn't.
Turner: One of the things that, I don't know if frustrating is a word to describe it, but it's just really interesting how there's a lot of this like, Hey, you got to have this urgency and FOMO around this round.
And you know, you meet these people over the course of a week and then they're on your board for 10 years or 20 years. That's you can run into trouble that way.
Dan: Yeah. It's, it's tough. Um, like you see like the, you know, Paul Graham, Y Combinator guidance of like, never talk to investors unless you're raising. And then if you, if you actually follow that to the T, and you have 1 week to get to know the person that you're going to be stuck with forever on your board.
And so it's also a super tempting, like, if you just open your email as a founder, you'll have hundreds of investors asking to meet. Like I saw, yeah, there's some leaked chat earlier this year of like interns at Insight getting asked to do like 200 cold emails a day to founders trying to book meetings.
It is their job to take your time and get to know you and ask you questions. It's your job to grow a company. And so if you bounce too, too far to the other side, then you're going to spend all of your time talking to investors and not get stuff done. And it's an easy distraction to slip into because it feels fun.
It feels like you're doing work, but it's not actually really moving the company along. So trying to get that balance of getting to know people without being too distracted.
Turner: How should you handle that inbound from VCs? How do you suggest people deal with it or, you know, accept it or take it? And then as an investor, do you have any advice for like, how should you approach a founder? Like how should you message them?
What do you say? Should you just not say anything? Like what was the most appreciative on your end as a founder?
Dan: Yeah, as a founder, I think you kind of have to decide, like, what is your process for getting to know someone? It's almost like a job interview. Um, do you want to have dinner with them a couple of times? Get to know them in that setting? Do you want it to be a couple of, you know, more formal meetings, asking them questions?
You're going to do reference checks. You're going to talk to other founders they've worked with, get their opinion. It's kind of up to you to decide that level of comfort. Maybe you just don't care. Maybe you just want the money and to be left alone. And then you can kind of optimize that way and just not spend time getting to know the people.
But if, yeah, if you want to get 6 hours with the person before you sign on, these kind of investments in board seats are forever, right? It's not, you know, it's not like, uh, people you hire at the company, they can come and go, it's really, really, really hard to get out of a bad investment relationship.
Um, so you have to figure out that level of comfort and then you can back into the math that way of: who am I going to talk to, you know, three or four or five firms, and I'm going to have to spend, you know, five or six hours with each one, getting to know them. And you can kind of plot out that time and figure out a way to do it in a way that best minimizes distractions for you.
For us, I kind of like to batch them up around conferences and stuff like that, where everyone's in one place. And, you know, usually before like a Black Hat or an RSA or a KubeCon or any of these big conferences, you'll get a million, like, Hey, can we meet up in person and like, yeah, you can just, you know, spend a couple hours doing coffee chats or something that way.
And in batches. So it's not a constant distraction for you.
Turner: So then as an investor, how would you recommend I or any investor approach a founder who is maybe not quite raising, but you want to get to know them? That I really liked that approach. I like getting to know people a while before I invest. Cause like you said, long journey.
So what kind of advice do you have for me?
Dan: Do we know that? Yeah, it's least distracting for them. But that's probably bad advice because it's gonna be different for each person. Somebody might want like, you know, just a quick Zoom call. Somebody else might want to grab coffee in an event you're already both gonna be at. But yeah, I mean that's the easiest.
Make it easy for them, but that's gonna be hard and varies depending on the person. It's Intermissive. I mean, it kind of depends on whether or not you actually get value out of those blind intros to, you know, execs and companies.
Turner: So then it's almost situational. Like you've got to figure out what the company needs, what the founder needs and adapt.
Dan: And I think the other one is, I guess, kind of going back to some of our marketing strategy and everything too, and what you talked about: be someone they want to get to know. You know, if they don't, they've never heard of you, if you don't really put yourself out there, uh, then, you know, people aren't, they're going to be way less likely to take a call.
If, if I've seen your memes, if I, if I like the content that you write, then yeah, we already kind of have this relationship, even though we've never met and, you know, way more likely to take a meeting with somebody, um, even outside of investment context, like, oh, I talk to people all the time that wrote a blog.
I like, um, just to, you know, chat and talk about that one. So putting yourself out there helps.
Turner: For me, I just like having interesting conversations. It's fun to learn new things. Sometimes I'll like, sometimes I mean, I don't really invest, you know, series C, series D stages I've done. I'll follow on occasionally sometimes, but sometimes I'll just meet a cool founder or somebody who's like, it's like a publicly traded company and just talk to them.
Like, I mean, that's sort podcast. You can kind of record these conversations, ask them questions of like, how did you do it? Like what's, what should I be following in your industry?
Dan: What's your ARR? What's your growth rate? Yeah. Okay.
Turner: What's your TAM? What's your, uh, who, who else is invested? Wellington, Vanguard, BlackRock. So dialing back to, to Chainguard, maybe I won't ask what's your ARR, but…
So you close the Series A. What happened after that?
Dan: Yeah, so that was spring, early summer of 2022. I remember like the, the, the very first week that closed Sequoia sent out that like famous email that got leaked about like the world ending and, you know, the crucible moments thing and like, don't ever spend another, they like have this big zoom call with all the founders of all these companies.
And it was like this message of like, Don't ever spend another dollar. Your company is doomed forever. Like that's how bad the economy is going to be. Um, and it was kind of sobering, I guess, to, you know, that massive shift from easy free money in 2021 to that doom thing. Um, you know, it didn't turn out being quite that bad for everybody, but I do think that was the message they had to send to kind of kick people out of that mode of like, Oh, sure.
I can double my valuation every six months without having to put much time into it. Um, why worry about burn rate, all of that fun stuff. So, yeah, it was a big shift in the company early on. We were focused on kind of that awareness, open source piece, monetization strategy would come later, to, oh, no, we have to, like, quickly figure out a scalable product and sales motion and revenue and shift over to that different way of operating a company.
Turner: So what happened then? How did you figure out a business model?
Dan: Yeah. I mean, we, we had always been, you know, we were never like, oh, like, we'll just, you know, get these GitHub stars and memes and like, figure out how to monetize that later. But, you know, we did invest more heavily there and spend more time on actually trying to sell. Um, we brought on a couple, you know, sales reps toward the end of that summer.
As we figured out the real enterprise sales motion, there's a lot of investor advice there of, uh, you know, like should founders do sales, founder led sales, all of that fun stuff. And you can listen to tons of podcasts and get advice both ways. And I have, uh, in retrospect, I probably would have done that earlier.
Um, like hired, hired sales reps earlier, like great ones that know how enterprise sales works. But I also get why VCs all say, you know, founders have to do all the sales. And I think they're probably optimizing for that stereotype of like the technical founder who just like locks the door and says, I'm going to build something cool and hire somebody in a suit to come figure out how to sell it later.
And I don't talk to customers, that kind of thing. Um, and that's a huge recipe for disaster. But I think, you know, for me anyway, I really love, I love sales now and I love being a part of that and everything, but there's a huge difference between like the value part of selling and finding somebody that you were actually unlocking value for in like a Fortune 500 company that wants to give you money and has a real problem to then actually navigating this massive procurement machine of legal red lines and negotiation and contracts and all of that.
And that is a skill and salespeople are great at that. And as soon as we did that, it kind of accelerated our sales dramatically. Um, and so I think doing that earlier while still making sure you're involved in that, kind of that value selling and what is the specific value of your product and what are you adding to that company?
That's the important part for founders.
Turner: Yeah, that's kind of what I've learned too. I mean, I grew up just thinking sales, it's scary. It's, quote unquote, networking. But yeah, it really just comes down to, you just talk to people, figure out their problems, figure out how to solve them. I, quote unquote, add value or really create value and probably say they,
they spend X, you know, they pay you X and then you create 10X more value for them. So it makes so much sense for them to pay you and you make a lot of money. You have a valuable business, but you make so many, you unlock so many things for them from your product. And it's because you just understand your customer so much, you know, their pain points, you know, how to help them.
And it's almost like a customer discovery, problem solving. That's kind of how I think about sales in a way. There's still like the outbound following up, all those kinds of things you can learn.
Dan: Yeah, there's that. There’s this quote our VP of sales said in our audience last week from Frank Slootman.
“Only governments can print money. The rest of us have to take it from, the rest of us have to take it from someone else.”
Turner: I love it.
Dan: It’s a lot of work. People don't love just giving up money.
Turner: What were some of the initial things and then you were able to sell to people? We talked about Enforce, we talked about Images. So what is actually working in terms of the product?
Dan: Early on, because we were, we're selling it to CISOs, um, like early on, uh, we had a lot of traction on the Enforce product because it was kind of designed for them in this top down mode. That growth kind of slowed, though, and stalled. It's this hard double sale that we have to do, the sales motion where our product is used by developers.
But developers never spend money on software. They hate it. It's like in their blood. But security people love spending money on software. And so it's this double sale of like, you got the person that's gonna write the check, and then you've got the person that's gonna have to use this thing. And in retrospect, it sounds simple, but like, you know, the Enforce product, the whole point of it was to make it harder for developers to do their jobs because CISOs wanted to put rules in place.
And so they hated having to use this thing that somebody else was paying for. And so it made implementation slow and hard. And speed kills all deals. That's just how sales works. Um, and so that, that slowed after the early, uh, the initial interest. But Images, um, just started kind of blowing up earlier this year.
And so we're pretty much completely focused there now. Um, it solves a different problem than the other, than Enforce. It is easier for adoption, developers actually like it. It saves them time. There's kind of this nifty free tier aspect of it, where they can try it out before they even come and talk to us.
That makes the sales cycle faster. That makes the implementations faster. The sales calls, like the inbounds we get in the initial meetings, now shifted from like, tell me about the supply chain security space to like, what is the pricing?
And so like, it's, it's a lot closer to the, like taking orders rather than having to sell now, which feels a lot better.
Turner: What is the last, I guess, public progress number that you've put out? Just state of the business.
Dan: I don't know if we've ever done one. I mean, uh, we're trying to figure out what to announce. Hey, our, our revenue has tripled in the last six months, so that's a, that's a good one. It's, it's good. It's, enterprise sales are good because it's somewhat predictable, but like, you, you don't get surprised on the upside that much.
Right, if you have sales reps, like there's basic math you can pull in, like sales reps have a quota of, you know, somewhere between a million, 800K, 1.5 for a year, something in that range. It's not 10 million. It's not a hundred K. And so if you're aiming for a certain amount of revenue, you know, roughly how many sales reps you need to have and have them onboarded by when, and you're never going to get one of those magic moments where the hockey stick goes from like a million dollars to a hundred million dollars overnight.
If that happens, it's because you're planning six and nine months ahead and hiring and onboarding folks and planning around it. Yeah, you obviously have to have a product that has a market of that size, and there has to be awareness, but you're also in a lot more control of the growth.
Turner: It's working better than maybe than you initially thought. What do you think caused that? Was it just like macro industry stuff? Adoption was just quicker.
Dan: Yeah, uh, smoothing out the sales cycles, and, you know, we still have a lot of work to do there, making it even faster, getting through procurement faster, but getting value, demonstrating value earlier on, I think, was the biggest shift. Um, and even in some cases before they've reached out to us, we still don't have public pricing and people still have to fill out a form that says contact sales.
And our sales team is great. I love them, but nobody ever wants to contact the salesperson. Um, and so like getting people to that point, getting enough value demonstrated before they actually take that leap to fill it out to go figure out what it's going to cost, is a huge win.
Turner: And then I know we're announcing something right now. Do you want to talk about what you guys just announced?
Dan: Yeah, sure. So, we just raised a Series B. That was led by Spark Capital. We spent a long time this year working on the enterprise sales motion and growing, scaling. It's working. So now it's time to lean in a little bit harder, pour some more gas on that sales motion and try to scale faster.
So the Series B, we raised $60 million. It's awesome. We're all very excited. It was so much harder doing it this time around than it was two years ago. We had to make a pitch deck this time. I bought a suit.
Turner: Wow. I've never seen you in a suit before
Dan: Yeah, it was a big surprise.
Turner: So do you recommend if somebody is raising a Series B, like, do you have to wear a suit to those meetings or what?
Dan: I don't think you have to, no. Um, it, uh, more of a gimmick, but it worked. I think, you know, it showed we were taking the process seriously and, you know, we, we make a lot of lighthearted content and all of that. And so I did want to show that we're taking this company seriously and, um, it helped.
Turner: So then what do you do with it? You got, you know, topped off the balance sheet. You know, you probably, I guess you raised the 50 million a, about a year prior. So you probably had a decent amount.
Dan: Something like that. Yeah. We still had a decent amount left, but when you're setting those enterprise sales targets and hiring the sales team and ramping them all up, like you can kind of see that if we want to hit this revenue target, we have to spend this much money this year.
And it doesn't come back into the account until next year. That's just how recurring revenue works. And so, um, if you want to grow faster, you have to spend more this year, uh, in order to get it next year. So, even if you're not being that risky, you do still have to kind of fuel that growth.
Turner: What do you do on the product side? Is there new stuff coming? Are you able to talk about anything?
Dan: Yeah, it is boring heads down, just delivery of the product that we have now, right? You know, we're kind of in that situation where we got surprised by the amount of demand and just need to stay focused on getting the product solid and satisfying the existing customers and inbounds and prospects.
So it's a great problem to have. But you know, we started on that scattered, doing a whole bunch of things approach to see what worked and now it's a shift to like, all right, one of these things is working really, really, really well. Let's spend a lot of time there until we get it perfect.
Turner: Have you talked much about just how big some of these contracts are? Like, are these five digits? Six, seven, eight, nine, 10.
Dan: It's a big range. You know, we, we have, uh, I think our smallest is like five K and our biggest is like just under a million, something like that. So, yeah. Um, the ACVs are very large, and so it's nice because we get real relationships with customers they're bought into. I think that's one of the big ones. If somebody's paying you, there's kind of that old meme of like, you know, the customer that wrote a 500K check just says, thanks,
this is great, um, when you ask for feedback. The customer that wrote the 5K check files like 80 percent of your support tickets. Um, that definitely happens. We see that a lot. And so, you know, like closing, like, uh, a 500K or mid six figure deal isn't 10 times harder than closing a 50K or 20K deal.
It's harder, but it's not 10 times harder. And then the relationship you get with the customer is just that much stronger.
Turner: I feel like there's probably been just some crazy stories or things that you guys have come across while building Chainguard over the last two years. Anything that really stands out that people might find interesting?
Dan: Open source is always full of fun. And that's where we do a lot of our work, right? It's just this massive, completely disorganized community of people contributing to source code. Some are good. Some are bad. And you'll run into this crazy stuff there of drama and attacks and vulnerabilities and gaps and stuff.
And so it's kind of hard to tell some of these stories in full context. But, um, you know, we've, we've seen some stuff there that's just kind of scary, on, like, the nation state side. So, one of the crazy ones, without getting into specifics, was, you know, some project that's incredibly widely used, basically just getting taken over by a bunch of people with made up names from a country that the U.S.
does not get along with very well, to start submitting code that would probably do bad things into it. And it's like, oh, wow, this is terrifying from a national security perspective. Let's go talk about that to the right people.
Turner: Are you in a position to help with that in a way?
Dan: Our company can, yeah. It varies a bit, though, on, you know, like who's using this stuff. You know, that's one of the challenges in open source, is stuff gets used in places that you have no idea. A few years ago, just to kind of put this into perspective a bit, the U.S. Air Force tweeted this, like, video, an article about how they upgraded the software on one of the spy planes while it was flying using this open source project called Kubernetes.
At the time, like, you can just pull up the stats to see who contributes to Kubernetes. And at the time they did this, like, the number 3 contributor contributing company was Huawei. And it was like, they're not allowed to sell anything to US companies that will get anywhere near airplanes. But because it's open source code, for some reason, that's just considered fine.
And it's just 1 of those, like, ffft. Terrifying cognitive dissonance moments.
Turner: And they said they updated it while it was flying.
Dan: Yeah, using, uh, using that project.
Turner: So a little bit of a different question. You actually touched on this a little bit throughout, but anything you would do differently, if you could go back, anything you'd change, whether it's from like a product perspective, company building, you know, anything.
Dan: Yeah, I think that one about sales, I think is, you know, something I changed differently, like, do that earlier. The rest of it, it's hard. I don't think too, too much about it, right? Like, it's, it's hard to repeat a lot of this. Like, I don't think we're ever going to be in an environment like this again, where you go from peak top zero interest rate phenomenon bubble to like, you know, bottom of, uh, the economy 6 months later because of like a pending World War 3 situation.
And so, yeah, it's like, there's a lot of cases like that of, like, had I known the economy was going to crash, I would have done things differently, but it's hard to make that generalizable advice or anything you can take forward to say, starting a company again in 5 or 6 years.
Turner: Oh, you want to move on to rapid fire?
Dan: Sure.
Turner: What is your favorite open source project?
Dan: It's this project called, uh, jq. Um, and I posted about this on LinkedIn a little bit recently, but it's this really interesting project where pretty much every developer uses it as part of their daily workflow, but it was written by one person as part of like a PhD thesis and just put on the Internet.
And then he, like, doesn't even know about the project or isn't in any contact with it at all anymore. Yeah. And so it's just like completely abandoned and everyone uses this thing all over the place. And then like, finally, a couple of people got concerned and somehow tracked this guy down over like months and got access to the project and have like started maintaining it again.
It had been like, I think five or six years since the last official release of it, because nobody could track it down, but, um, it's just this awesome ubiquitous thing that now has this happy.
Turner: Wow. That's crazy. And I guess from a security perspective, let's say somebody found a vulnerability in that kind of a project. There's no one there to fix it.
Dan: And then there's also cases like that where somebody takes a project over because it's abandoned and they're doing it with complete bad intentions. That happens all the time of just like an attacker is like, oh, you don't work on this anymore. I'll help you.
And they're like, sure, here's admin rights. And then they're like, spyware, crypto mining, something like that the very next day. So this is a happy ending. It was all done responsibly.
Turner: Do you have a certain founder or CEO or maybe business? And this can be current or historical that you get a lot of inspiration from, or that you've always really looked up to.
Dan: I look at a lot of them, right? I don't think I have like one company or CEO or something because every company is a little bit different. I love Frank Slootman. I love his book. I wish that he narrated the entire thing instead of just the intro because his voice and accent make it so much better.
I don't know if he did like the intro on the audio book and then I went to somebody else for the rest of it.
It's yeah, it's um, yeah, so probably him.
Turner: So what do you like about him?
Dan: He talks about tempo and pace and kind of that, like you got to move fast. This is a brutal world out there. And I think a lot of that was put into perspective too in the last year or two, you know, the big shift in the economy and focus and execution is important and you can't give that stuff up.
Turner: Last question kind of been asking people lately. Do you have any questions for me at all on anything?
Dan: Yeah. What is it like raising a VC fund right now? It's got to be even harder than a startup raising my mental model of it.
Turner: Yeah, it's definitely harder. It just depends. There's context. Um, thankfully, I'm not actively fundraising right now. I'm always talking to LPs and limited partners in venture funds. I just try to stay up to date. 'Cause in a sense, you know, are they your customers? Are the founders your customers?
I don't know. You can probably, you really have to serve both as a VC. Like you have to make everyone happy and you've got to do a good job. So it's just like, if you're a VC and you're not talking to founders, like there's going to be a real disconnect. The product or the service that you give them.
So in the same way, it's like, I'm always talking to LPs and just trying to understand what's going on in their head, what are they looking for? Because somebody, so you might really want like a cybersecurity exposure and they might want a fund that only does it. And obviously, and that's the only thing they're going to invest in.
And if I don't really do that, it's like, they're never going to invest in my funds. So it's kind of like a sales qualification, but then also I might learn a bunch from that. We can have like maybe a slightly more candid conversation because they can tell me some of the stuff they might not say to somebody that they're maybe looking at investing in, in the next month or two.
I think that the challenge right now is that when you talk about the market pulling back, there's a lot less liquidity for some of these larger pools of capital. So let's say you've got a billion dollar portfolio or a 10 million portfolio. You're diversified across every asset class. 2022 had the worst year on record.
If you were to map like stock returns and bond returns and like a quadrant, if you map them like where both the returns were. It had the worst year for stocks and bonds in like 150 years is basically since they started tracking this stuff, like in, in America, right? Like in the U.S. most people, when they construct these big portfolios, they're having an equal split of equity and fixed income, like stocks and bonds and all these other asset classes.
Because they generally offset each other. And, you know, they keep your portfolio somewhat liquid and meet all the goals that you're trying to reach as a university endowment or hospital that needs to fund studies and patients and all that kind of stuff. It can get pretty challenging when all of a sudden their plan has been completely thrown off and they don't have any money to invest.
And then also you've got this venture capital, usually in their venture capital bucket. They take the distributions that come out and they just reinvest them because, you know, in theory, it compounds it, whatever the percentage is. I think in a normal time period, you probably would expect about 20 percent from your venture portfolio, which is pretty hard to do.
And now, suddenly you're just not getting those distributions. No one's going public. You have no new money to invest in new funds. So it's kind of a supply and demand thing where there's way people that are investing in funds and then there's way more funds that are trying to invest. It just gets a lot harder.
So the sales process, if you want to think about it that way, it just gets so much more challenging, stretched a lot harder.
So again, it's tough. And then when you're an emerging manager, you're someone like Turner that doesn't really have this long story track record, like a Sequoia or a Spark or an Amplify. It's harder.
Dan: Yeah, that's sort of what I was wondering because, you know, for a startup, even if you're new, you've got a last quarter's records, you've got, you know, sales from, you know, yesterday, you've got stuff that you can show tangible results today, but the investing horizon is 10 years. And so even if you had a great fund in 2021 for 2021, you don't get to show anybody that. I don't know how you really explain it.
So it's all kind of unknown until you start to see some of those, you know, payouts on some of those strategies like we were talking about earlier.
Turner: Yeah. And most of these institutional investors that are investing in these funds, they're, they're kind of re-underwriting every fund where they're saying, Oh, we've been an investor in Banana Capital for 10, 20 years. And we've always just kind of keep participating, but a lot of them are kind of revisiting the relationship now and just saying, wait a second, he's actually not that good.
Or, you know, we actually, we don't think we're getting what we initially signed up for, or we just, we can't do it. We typically had 10 funds that we have a relationship with. We just don't have the money. Participate in all, but we need to do two or three. So there's kind of a lot of those hard conversations that are happening and it's not just for emerging managers. It's kind of across the board for every fund.
So it's just a tricky time. I mean, I think you will see a lot of funds that just struggle and it's kind of normal. You should not, just like with startups, you should not be able to just send an email and raise 200 million dollars. Like there should be a little bit more structure and there should be some rigid processes that go into that, so
Dan: These are people's pensions. There should be a system for it. Yeah, it's
Turner: Yeah, it's other people's money. It's a lot of people, it's their livelihood, whether it's a, you know, a prominent family or it's a millions of teachers across the country, or emergency responders, firemen who, you know, it's, it's their retirement and they work hard for this stuff. And then also it flows to the startups that are then like, you know, you're solving software supply chain security, but you're also helping funding some, some good causes.
So, on that note, this has been an awesome conversation.
Thank you for coming on.
Dan: Thanks for having me.