Duo Security might be one of the most underrated software stories of all-time.

Started in 2010 by Dug Song and Jon Oberheide, they burned only $14 million to hit $100m in ARR, were acquired by Cisco for $2.35 billion in 2018, and now rumored to be doing over $1 billion in ARR inside Cisco 16 years later.

We talk about how they built one of the most capital efficient SaaS companies ever from Ann Arbor, Michigan, and how their focus on the customer and company culture helped them win in a crowded cybersecurity market.

We talk growing up in the early hacking culture of the 90s, why most security tools are painful to use, sizing their market, solving for non-consumption of a product, and how Duo flipped the traditional playbook at the time by designing for end users instead of security teams.

We break down the mechanics of scaling from zero to $100 million in ARR, everything they learned integrating with Cisco, and why more founders should build outside of San Francisco.

A quick thank you ex-Duo employees Zack Urlocker, Ash Devata, and Katie Kilroy for their help brainstorming topics for the conversation.

Support this Episode’s Sponsors

Numeral: The end-to-end platform for sales tax and compliance.

Flex: Sign-up for Flex Elite with code TURNER, get $1,000. Apply here.

To inquire about sponsoring future episodes, click here.

👉 Stream on Spotify and Apple

Timestamps to jump in:

• 4:49 Meeting from Dug’s Wi-Fi honeypot

• 7:33 90’s hacking culture and cybersecurity’s wild west

• 14:49 How the internet was born in Ann Arbor

• 18:58 Staying in Michigan instead of moving to Silicon Valley

• 31:20 Philosophy on leadership and team building

• 39:48 What makes a good engineering leader

• 44:01 Starting Duo to make security easier

• 45:22 Why most security products suck

• 48:36 How fixing account takeover became a $1B ARR company

• 59:10 TAM, competition, fixing the non-consumption of security

• 1:04:04 Being a radical advocate for the customer

• 1:08:35 Duo’s pizza sales play

• 1:12:45 Branding lessons from Anthropic, Tesla, Cliff Bar

• 1:17:47 When to say no to customers

• 1:21:27 Importance of culture when scaling

• 1:27:56 Duo’s role in uncovering the SolarWinds breach

• 1:31:29 Scaling to $100M ARR on $14M burned

• 1:39:30 Inside the $2.35B Cisco acquisition

• 1:44:02 What big companies get wrong about customers

• 1:51:53 Building Michigan’s startup ecosystem

Referenced:

• Duo Security

• Cisco

• University of Michigan

Follow Dug on X / Twitter and LinkedIn

Follow Jon on X / Twitter and LinkedIn

Related Episodes

🎧🍌 Lessons Scaling Zero to $40M ARR in Two Years | Dan Lorenc, Chainguard

Turner Novak 🍌🧢

·

April 28, 2025

Read full story

👉 Stream on YouTube, Spotify, and Apple

Transcript

Find transcripts of all prior episodes here.

Dug Song:

I call him Dr. Jon for what it’s worth. He’s earned it.

Jon Oberheide:

The only reason I finished my PhD was because of Dug.

Turner Novak:

Oh, you actually got a PhD?

Jon Oberheide:

Why not?

Turner Novak:

That’s why I used it, man.

Jon Oberheide:

Come on. This isn’t Dr. Pepper here. I actually ...

Turner Novak:

Is this on your LinkedIn? Is it... You’ve got to write PhD?

Jon Oberheide:

I was a self-loathing academic and I never really wanted to go into academia or grad school, but then I was finishing the PhD when we were starting the company and Dug’s like, “No, you need to finish. We need to have someone with a doctor on their business card.” I think I actually put PhD on the business card, which was completely against all of my beliefs.

Dug Song:

Well, again, like I said, you earned the paper, you deserve it, but it was also his old advisor, Farnam Jahanian, now president of Carnegie Mellon was the co-founder and first president of Arbor Networks, where I cut my teeth where we had first met each other. And so I committed to Farnam, “I’ll make sure he gets done, Farnam.”

Jon Oberheide:

It was more for Farnam. He had invested a lot-

Dug Song:

In you.

Jon Oberheide:

I had to check the box for him.

Turner Novak:

No, this is a famous story, how you guys first met originally.

Jon Oberheide:

Unofficially met.

Turner Novak:

Or unofficially, yes.

Dug Song:

Weren’t actually introduced, but a business in high school. So I had the entrepreneurship bug very early. And as part of that business, we did, I would say, very innovative email marketing, if I can put it that way.

Turner Novak:

Good way to doctor it up.

Jon Oberheide:

It was very aggressive outbound email marketing. And my partner in the business and I would drive to Ann Arbor and send massive amounts of email. And we do that from coffee shop, WiFi, Starbucks, Ann Arbor. And one of the times we saw an open access point for Arbor Networks. And Dug is an absolute legend in the cybersecurity space. We’re like, “Oh my gosh, Arbor Networks. It’s a company started by Dug Song. He wrote DSNF.” All these accolades of your past life on the offensive side of things. And we’re like, “Why would they have open access point?” So we hopped on there, we’re poking around, we crept up the back stairwell of the building in order to get a better signal.

Turner Novak:

Really?

Jon Oberheide:

And... Yeah, we’re just teenagers, with our laptops, hacker hoodies on. And Dug walked out down the stairwell and gave us the side eye. And we found out later, supposedly, that that was an open honeypot that Dug set up to catch people that were poking around, catch young enterprising hackers.

Dug Song:

My best man, Niels Provos, who, if you look at your SSH man page and with technical, he’s an author there along with me, he had written something called Honeydee, which was honeypot kind of demon, but software to basically simulate networks or environments in which attackers would rattle doorknobs, you could catch them. And so it was part of our playground to experiment with that and see... Universities are great places to play with stuff like that.

Turner Novak:

So did you actually notice that you got a notification almost and just walked outside and were like, “Oh, interesting. Okay.”

Jon Oberheide:

Ended up working with Dug at Arbor Networks at that same company and we got to know each other there, worked on some open source projects together. And then it was late 2009 when the stars were aligning. I was late in the PhD program. Dug was finishing up, I think Barracuda at that time. He had done Arbor, Barracuda, Zattoo, another startup and the stars aligned to go try to build something together.

Dug Song:

But the reality is hackers, when they first meet, they already know each other. They know of each other. It’s very rare that you have hackers who have spent any time building stuff, that don’t already have a perspective on who each other are and all those things. So Jon was already well known as a student doing all the work he was doing for being a great hacker.

Jon Oberheide:

That was the fun times. Dug was deep in the hacking scene in the late ‘90s. I was a little bit later.

Dug Song:

Jon was breaching the Chinese continent firewall.

Turner Novak:

So what stuff did you do? You alluded to you were on the other side per se. So what was the extent of the hacking that you guys did when you were younger?

Dug Song:

Well, my dad had a liquor store in West Baltimore. He had a very early IBM PC80 in the XT. And so basic all that stuff. But my dad had an early computer to run the store and that’s how I did data entry since I was eight. And so that was my first introduction, pre-internet. BBSs and all that stuff around the time. Where I grew up was within shot of the NSA. So a lot of those BBSs were about mass security or they had all these crazy nuclear themes as the 80s presented. And then a lot of folks, BBS found their way to X25, it was all telephony, but the first packet-switching networks pre-internet were things like X25, which connected all the banks for bank interchange and all that stuff. So that’s where a lot of the boards were, that’s where a lot of hackers were and that’s how I learned.

But coming to college, it was amazing. I have a twenty-four seven always on ethernet connection. That just was crazy and so it was a drug. I think I barely left my dorm room my freshman year. I was glued to this thing because otherwise it was all dial up prior and I fell into some interesting hacking crews. One was called Woo Woo, one that was actually global in nature, founded in the US, but heavy European and some Russian and mostly French influence otherwise. But a lot of those hackers became real interesting people. So Sean Parker was in it for a bit. The president of Facebook, John Fanning who started Napster, which was a project of Woo Woo to share MP3s and files and Jan Koum... We knew Jan when he was technically on food stamps with his mom, but he’d just gotten a job in security at Yahoo and ultimately built WhatsApp.

So anyway, it’s a long history of some interesting people, a part of that crew that built and broke stuff. And I think anyone good in security does both, you have to. And that’s how we tracked Jono. Jono was building cool stuff and doing good work as a PhD student, but had also done all this other stuff that was really cool.

Jon Oberheide:

I think that was the magic of the late 90s and early 2000s in the cybersecurity world at the time. It wasn’t really commercialized and it certainly wasn’t at the extent of geopolitical conflict like in the modern day. It was more of the intellectual pursuit of information, solving these really complicated puzzles, understanding how these systems work. And it was almost like a hippie cypherpunk libertarian movement of freedom of information and I want control over these systems and a lot of freedom exchange of information on mailing lists and IRC channels.

Dug Song:

The early open source movement, Linux and Linus Torvalds has been a dictator for life for that, all came out of response to things like the BSD source code. It was technically open source, technically Berkeley shared it and all that kind of thing. And there were projects like FreeBSD and NetBSD that were organizing developer communities around it. They didn’t have open CBS servers. It was still very gate kept in a way that open source after Linux was quite different. And so... And Richard Stallman from the GNU project, NMIT rewriting all the tools in the modern Unix system that would be the other side of what Linux was as a free operating system. These are all open source hippies and software communists basically and I count myself as part of that. There was lots of that stuff that I was really deeply into, but those early days were Wild West.

And in security, I remember it was our friends who built a company called ISS, Internet Security Systems in Atlanta was really the first internet security company, but it was all from... And again, I’ll go on record on this, this stolen source code from a bunch of hackers. The hackers who wrote all this stuff saw their work rounded up in a corporate entity that really never asked for permission or licensed it or anything else. And so it’s funny, again, I don’t mean to beat up on the ISS guys because they’re friends and I love them, but you go and you saw the history of the company on the ground floor of their headquarters and it’s a completely revisionist history of how that happened because it was a bunch of hackers who wrote all the tools that got rounded up as part of that initial suite of security testing tools and never saw anything from it.

And so in security it has always been this really difficult love, hate relationship with the industry and security, which is why you have so many people that come into it with a chip on their shoulder looking to prove them wrong. And also because when you’re finding these vulnerabilities like Jono did in all these different systems, many of the vendors would just deny it.

Really?

Jon Oberheide:

They’d threaten you or sue you or work with law enforcement. It was not a bug bounty, friendly version of today where vendors will pay you for reporting bugs to them.

Turner Novak:

They would sue you. So how did you approach that then? Did you just not publicly disclose the bugs or share with them?

Jon Oberheide:

That was some of the reason why I ended up in academia. A lot of the research I was doing was independent offensive security research just pointing out vulnerabilities in various systems. And in some ways, the university provided a umbrella or a veil of-

Turner Novak:

Of protection.

Jon Oberheide:

Of protection, both from the outside world but also from the university itself. And I was never in it to become professor to stay in academia, but it was more of a holding pattern of being able to continue the research that I love to do, have that in some vein of research of publishing, but more so, our lab at the University of Michigan was more of a startup incubator than anything else. It was a bunch of people sitting around who are really smart. They’re on the bleeding edge of their little sliver of the world and you’re sitting around all hours of the day saying, “What are we doing with our lives? Why are we wasting our time publishing these papers? We should be going out building products, solving interesting problems.”

And that research group, it spawned Arbor Networks, which is a great cybersecurity company. It spawned Twilio, Evan Cooke, who’s the CTO and founder there, Jeff Lawson, who was from UM as well, it ended up creating a lot of interesting startups that sprung out of just the same room.

Dug Song:

It’s one of those things wonderful about a place like University of Michigan, Ann Arbor, really, because of the University of Michigan, which has the largest research expenditure of any university next to Hopkins. So Hopkins is three billion. University of Michigan is about 2.5.

Turner Novak:

What? Second in the country?

Dug Song:

Yeah.

Turner Novak:

Wow.

Dug Song:

It’s the largest research expenditure in the nation. And actually first, public or private, if you were to back out APL from Johns Hopkins, because I don’t think that’s really fair.

Turner Novak:

What is APL?

Dug Song:

It’s Applied Physics Lab.

Turner Novak:

Is it a government federal funded type? Okay.

Dug Song:

And so I think the reality is that Michigan is a powerhouse of this stuff. And though I was not a good student, I barely got out of-

Turner Novak:

Undergraduate life. No PhD.

Dug Song:

I think I got a degree. I tell people all the time, stay in school because whether the paper really matters or not, and I think it does, your parents are probably paying for it, it’s the access to resources. And that’s what led me here, because I was going to go to school somewhere in the East Coast, but when I explored the University of Michigan network from afar, realized that actually there was this... It was a stunning. Even at that time, the early ‘90s, had a network that looked like NASA Ames, the broadest concentration of... Broadest diversity of commercial Unix systems I’d ever seen. They had super computers. They had Craze, they had a supercomputing cluster. I was like, “What even is this? Is this available to students?” And so that’s actually what led me here.

Jon Oberheide:

Some people picked their school by the academics or the party scene. Doug was, “What has the coolest computers?” I’m going there and I already have access to all of them.

Dug Song:

And so I think we get overlooked for that sometimes because everyone’s, “Stanford, MIT, Harvard.” But actually the ARPANET, which everyone says, it was the first place internet, and schools were involved. It was actually the NSFNET, which Michigan was responsible for actually building. We won... The state of Michigan, University of Michigan won the award to build a National Science Foundation network that didn’t just connect 10 schools like the ARPANET did, but 400 research universities across the country. And that backbone of research networks and computing merged with ARPANET to become the internet. So the birthplace of the internet actually was here. And that’s why the North American Network Operators Group is here, governing all inter domain routing and how networks actually join the internet. That was all governed here, that’s why Internet2 was here. There’s a long and deep history of that, plus all the systems research.

If you look up any Unix programming book, Richard Stevens wrote, “It’s all dedicated to Michigan internal system because it’s one of the first timeshare computing platforms in the country.” And that’s because back in the 40s and 50s, as we’re in Bushy Park on their side of the pond, the Brits were breaking U-boat codes and Germans and ciphers and all that kind of stuff. Here, we were computing bomb trajectories. All that was black budget stuff that people didn’t know about. And being Michigan, we never talk about. We’re like, “Oh, we’re just too humble.” We built all that stuff here.

Turner Novak:

That’s crazy. I live here. I didn’t even know that.

Dug Song:

The arsenal democracy people hear about, “Oh, we built the first tank plan. We built all the bomber, all that kind of stuff.” But on the other side is all the research. We invented small operator Doppler radar, holography, all these things that back in the day were all black budget research programs, but... Even all the AI stuff, classic AI, modern AI being what I actually would call them... But classic AI, all those folks from John Laird and his time and Marvin Minsky and all these folks MIT, they built all the first computational model of cognition here. So the SOAR model and some of the early companies like SoarTech that since the ‘80s have been doing stuff with the intelligence community and DOD. We’ve been doing this stuff here forever and we just never get the credit for it. And so folks like Jono has the lineage of that stuff and we just never really get to do.

Turner Novak:

So is that why you guys always wanted to stay here? Did you realize how powerful it was maybe before anyone else did or maybe it was a subconscious thing? There’s no other choice? Those are just the place?

Jon Oberheide:

I think it was a little bit of chip on the shoulder to prove that we could do it.

Dug Song:

Jon was a Michigander, so he has a little more feel for the place. To be honest, my first 15 years in Michigan never had gone beyond Ann Arbor and Detroit, just go to shows there. I’d never even been to West Michigan, which has some of the most gorgeous beaches in the world. And we have more coastline than Florida and almost as much as Alaska. So people don’t realize Michigan has a lot to offer. I didn’t know that. I just learned about this stuff. And what happened was I just met through... I got caught hacking when I was a freshman. I ended up plea bargaining into a long-term role with university as a security administrator on probation, basically, to work for the university.

But through it, I met all these grey beards, all these hackers, like Marcus Watts, who built all the Kerberos stuff when he was at MIT and then adapted to AFS here. There’s so many of these deep folks, Nathaniel Borenstein who invented MIME. MIME is the basic protocol encapsulating documents for the web and for email or, I don’t know, some of the most famous... I don’t know, famous is not right the word, but the-

Jon Oberheide:

X509, radio, all these core protocols.

Dug Song:

Right. X509, LDAP. LDAP was invented by Tim Howes when he worked at the same research lab as me at the city, and he was Ben Horowitz’s co-founder for LoudCloud. Ben Horowitz’s notable experience with LoudCloud and HP. And before that, I guess with Netscape technically and AOL, that came from having worked with Tim Howes as a co-founder from Michigan. And so anyway, all this stuff, there’s all these connections too, but-

Jon Oberheide:

It just wasn’t really negotiable for us though. We were starting the company here, we’re building here, we’re hiring here. We certainly had challenges in the seed round of investor interest or I guess investor questions about why are you staying there? Is this going to be a disadvantage?

Turner Novak:

Because the non-negotiable is if you’re starting a tech company and you’re raising venture capital, you should just move to San Francisco. It’s almost part of the term sheet, right? They just make you do it.

Dug Song:

But here’s what I’ll say about that, because we definitely struggled with the initial raise as we’re going out and figuring out what we’re doing. And we did one Sand Hill roadshow where my computer ate it halfway through and so we-

Turner Novak:

Wait, ate it?

Dug Song:

This drive basically died halfway as we’re sitting in the parking lot at the new Andreessen Horowitz which had just been set up.

Jon Oberheide:

Dug is a perfectionist. So we’re making last minute slides, edits on the way in the car and pulling up to meet Frank Chen at Andreessen our first VC pitch ever, at least in SF. And the hard drive dies and there’s no... We didn’t have Google Cloud back then or Google Drive. And so we just rolled into the meeting and actually, I think it worked really well. We could still do a demo. I had some terrible Linux laptop, so I couldn’t even open the slides.

Dug Song:

Bill O’Reilly did whatever.

Jon Oberheide:

We’ll do it live.

Dug Song:

We’ll do it live.

Jon Oberheide:

It’s going to be fine.

Dug Song:

Whiteboard and Jono.

Jon Oberheide:

We did get a term sheet, some interest from Andreessen, but it was very much, “We would expect you to be out here.”

Dug Song:

In fact, we would have been their early investments. And this I’ll go on the record for as well, because I just want to give some confidence to other founders to follow their own journey and path and heart. There’s something strategic about any place that you’ll be and set up, whether you know how to tap into it or not and make the most of that. And that’s your job as an entrepreneur. Take the best of what’s around you and really the alchemy of turning that into some unfair advantage. For us, that was Michigan, Ann Arbor because between Jon and I, I built a bunch of companies here. He built all this amazing globally impactful work, but with, again, a research group that had all been cranking on this stuff in some university lab somewhere. And by the time that we got to Andreessen, they were, “I want a final partner meeting.”

They were like, “But then any great technology company has... You can start in Michigan, but any great technology company has to be in the Valley.” And this is after, quite frankly, Ben had tried to recruit me twice, once to Netscape days, pre AOL and second came back with Tim Howes to try to recruit me for LoudCloud and picked up my friend instead. And I just never believed that. I just saw all this technical excellence around me. Folks had changed the world and created all this amazing value from here. And I was like, “I just don’t think that’s true.” And I also don’t... I’ll be honest with you, I really didn’t like the vibe out there. In fact, when we did Arbor Networks, I had gone to try to open an office in Berkeley.

We looked at the East Bay, maybe stupidly, but thinking that it felt most like Ann Arbor, but that’s a problem. It was too much like Ann Arbor. It was like, “Okay, this is great, but it feels like it’s dirtier. It’s a dirtier Ann Arbor, much less convenient, much more socially stratified.” And why would we go through all that trouble when we could just live in Ann Arbor and continue doing it? But that was a consideration for Arbor Networks because we got the company funded just at the height of the bubble. It was February 2000, just before the bubble burst in March.

Turner Novak:

Oh wow, that’d been weeks before.

Dug Song:

So it was 10 million, 11 million in Series A. And then there’s the echo boom of the global telecom market imploding and so that all had to happen. But in between, I tried to figure out, could we go and build more of a business in the West Coast? When the telecom market imploded, I just moved to New York with my then girlfriend, now wife, and we got a lot of business spun up with the banks because the banks always have money. And so we pivoted from doing telecom security to then internal behavioral anomaly detection for banks and that was very successful.

And then we played both into what Arbor ultimately did. But at that time, even then, everyone was still looking... Even if that bubble had burst, everyone was waiting for the other shoe to drop when rents would fall in the valley. It never really happened. And again, just the thing I didn’t like about it, that place was... And again, I love the Valley, it’s great to visit, it’s great, but it’s just only about tech. It’s tech, tech, tech, blah, blah, blah. And I’m just not about that.

Jon Oberheide:

I think there’s a healthy allergy to the Silicon Valley scene. Yes, there’s great businesses being built and a great ecosystem for sure, but there’s a lot of folks that we’d see that are playing startup. They’re so busy-

Dug Song:

In San Francisco, you mean?

Jon Oberheide:

So busy, happy hours, doing panels, doing all tech week parties, accessories to the startup role as opposed to being focused on building their business.

Dug Song:

Wantrepreneurs on the startup beauty pageant, doing all these things. And I’m like, “I don’t know, man. I’d much rather find the folks that are building things. That’s what I saw in Jono, he was building shit and it’s amazing. I’m like, “Dude, there’s so many people like that here, just heads down, creating and aren’t subject to that shiny object syndrome that happens in the Valley where everyone’s, “Oh, what are you doing? What are you doing?” Jumping every eight months to something else.

Jon Oberheide:

I like that. So it might have started with the chip on our shoulder, but it led to... I think maybe we backed into the right talent strategy for the business. One is that we had employees that would really... We would invest in them and their growth and development and they would invest back in the company and their loyalty and their tenure at the company where they’re not getting their one-year investing cliff and then jumping to the next company. They’re staying there four, five, six, seven, eight years and growing with the company’s needs. And it was also the case that we were trying to build a very different company in the cybersecurity space. So if we went out and we hired all the folks from Symantec and McAfee and all of the legacy security companies, we would’ve built the same shitty company those companies were.

Instead, we’re, “Let’s hire people with a blank slate that aren’t disillusioned by decades with the cybersecurity space like we had been.” And guess what? They’re going to come at it from first principles. They’re going to talk to customers. They’re going to design things and build things in a way that haven’t been done before because they don’t have that preconceived notion of how things should be done in the cybersecurity space.

Dug Song:

They’ll bring a different toolbox, expand our toolbox with other things and perspectives, solve problems from...

Jon Oberheide:

Look a lot of the great cybersecurity founders, a lot of them aren’t from cybersecurity space. I’m thinking of Christina from Vanta. She was a PM at Dropbox and she understood the value of design and good user experience. And you can learn security. That’s not hard to do. You don’t need the decades of cybersecurity experience to solve cybersecurity problems. So when I look at founders now from the investing side, I’m like, “Are you a good product person?” I don’t care if you’re an expert in quantum cryptography or you did threat hunting at Mandiant, that doesn’t mean anything to me. Can you build?

Dug Song:

But that does mean something to you, Jon. But it’s almost table stakes. You need some technical grounding in something, but again, it’s just those same skill sets are not the same ones that will build a company.

Jon Oberheide:

We already had enough of that nerdery between the two of us that we needed great folks that could do design well, that could build amazing products that would work nine to five and go home to their families and friends and hobbies and weren’t... Sure we were working long hours, but it was not the same as the traditional lean startup Valley scene.

Turner Novak:

996, I think is what they call it.

Jon Oberheide:

There are a lot of people that worked a lot and we worked a lot because we loved it, but that expectation wasn’t shared across the team.

Dug Song:

Someone else came from ... I thankfully had some prior experience having built these other companies with Arbor and so forth to refute that position from folks like Andreessen who were, “Oh, you can only build...” I was like, “Actually, we built Arbor Networks here just fine.” In fact, the one mistake we made was that we decided that we’d follow our investors to Boston. For a company called Arbor Networks after Ann Arbor, obviously, we ended up headquartering in fucking Waltham, Massachusetts, Route 128 out there, it was miserable. It was miserable. And I’ll just say this, in front of my Arbor colleagues, I’m sorry, but at the end of the day, we built a business that was successful, but a culture that was so painful that even I didn’t want to be part of it. And I was the first one to leave my day job. I think as first time founders, we didn’t know what we were doing, we had not raised venture capital, we had not built an executives team.

So we followed the lead of Battery Ventures and Cisco was also an investor, but again, ended up hiring a rotating door of hired gun and CEOs and go to market folks and all the rest. Go to market’s a little harder not to have that happen at some level, but CEO was very painful, but that whole experience just led me to realize that you don’t have to do it this way. In fact, the compact that John and I had, and then others, even our CFO when we really started to build the company out, was that we’re only going to work with people we want to work with because life is short. And so much we saw of how these companies went wrong is when founders didn’t really, one, trust their instincts, build the kind of teams and also really focus on building sustainable cultures like team cultures and teamwork that would actually survive the stress of hyper scale. But the other is that you need to grow as founders.

Turner Novak:

How did you know when to trust your instinct when you were building Duo? Was there a check you guys had or was it an instinct on when to trust your instinct versus the playbooks?

Dug Song:

I think, and I don’t want to speak for Jono, but I was a very reluctant CEO. I think at one point Jon and I were figuring out who should be, but there were some pretty sad moments where I was... I can remember the call I had with one CEO who just, before Cloudera, I think Tom had basically exited his prior one. What was it called? The Arc... I’m trying to figure out all the name of these companies now. ArcSight. But anyway, he was jumping ... It was sad so I basically was begging him, “Please come, will you be my mommy?”

Turner Novak:

You were trying to convince him to come and be the CEO.

Dug Song:

Because I was, “I’m just tired. I don’t think I’m right.”

Jon Oberheide:

Dug is a very humble CEO. We would go into every board meeting, private session and Doug would just be, “I don’t think we’re doing a good job. I don’t think I’m doing a good job. If you guys need to replace me, let me know.” And the board would be, “You guys are crushing it. You just tripled again and you’re cashflow positive and... What? No, no, no, you’re doing great.” But I think almost that attitude is a really healthy one for the company.

Dug Song:

And in general, now as an investor on the other side, I don’t know, Jon if you feel the same way, but I prefer reluctant leadership. It’s a hard job. It’s a terrible job, frankly. It’s not particularly fun. When people ask me, “Follow your passions, what do you do for fun?” I’m like, “I don’t know, I’m Asian.” I understand how to fulfill my duty and responsibility to my family, my children, my society, whatever. But for me, it’s more I get gratification of delivering the work. But again, there’s always that, and I think for both of us, we’re trying to figure out are we... And we would coach our own team through that too. We need to work to our best and highest purpose by doing the jobs that at each turn we’re best and uniquely suited to do, and that changes as the company grows and every six months you look around and half the team is new. And so-

Jon Oberheide:

I think it was consistent that we were always trying to figure out how do we obsolete ourselves? How do we delegate more? How do we hang on to the things that we think are really important to hang onto? Dug would always say we’re never going to delegate product culture or brand, the product strategy of what we’re building, the culture of what we’re trying to build internally as a team, and the brand is kind of that external promise to customers. And people talk about founder mode and should I keep everything myself? Should I delegate everything and be a professional manager? And that’s just like a misnomer.

Dug Song:

Yeah. When people talk about founder mode, whatever, I don’t know, I’m pretty skeptical. They like to talk about 996 or just the operational kind of behavioral profile, but I don’t think that’s it. For me, it’s always been more about versus the math of the business, the soul of the business, that’s what cannot be replaced when founders move on. Very hard to sort of recenter and kind of root the company because founders have more of an intuitive sense of why are you doing this at all, why this exists and what problem you need to solve. And sometimes we’re often more empathy with the customer because they have some other kind of connection to that where some experience that’s led them to solving this suite of problems that then gives them the right for those customers to go solve the adjacencies.

Turner Novak:

That’s one way I’ve heard people, when you get into the nuances of founder mode, it’s that the founder has so much just earned knowledge over time that they just kind of know what the right decision is.

Jon Oberheide:

But you also got to teach that. If you want to grow, you do have to scale and delegate, there’s no getting around that. So if you want to be the bottleneck for your entire organization, good luck with that, but if you want to 3X, 5X, 10X, the company, you’re not going to survive.

Dug Song:

Yeah. But for me, founder mode also is part of how we thought about working with the broader team that weren’t... Obviously not everyone’s going to be a founder, but everyone’s going to be at least some kind of owner through their equity, but how then do you push decision making down so that people actually behave and are able to act and solve problems as owners? And again, we hired a COO who came from Zendesk and MySQL before, and he had a nice way to put it, Zack Urlocker, who’s now gone on to do multiple more unicorns before and after us, but he used to talk about pushing decision making down. I’m the CEO, I’m the janitor. So is everyone in the company. And so you have your scope or responsibility, but you have your broader sphere of influence, and so any good executive I’ve ever worked with is strategic about much more than just their function, how they work with others.

But if you push that kind of thinking down to every employee in the company, then you’re not having to say, oh, if a director or manager or an IC has to run something up the chain to manager, director, VP, C-level to be run back down the other side of it in some other department, but instead they can just work peer to peer, sales, marketing, figure out kind of the demand gen, strategy, get it done. Then all of a sudden you have everyone in the business innovating in every part of it.

Jon Oberheide:

Remember one of the lowest moments in tenure at Duo was when I heard through, not a grapevine, but I heard through a secondhand source that someone had said that Dug and Jon wanted to be this way. And I was like, that is so toxic. First of all, it was completely false. Second of all, to rely on a higher power of authority for making a decision is like the complete inverse of what we wanted to do. We wanted people closest to the work making those decisions, and that was one thing that Zack was really good at. We’d be having a conversation and meeting and someone would be like, “Well, we could do this, we could do this. “ And Zack would sit there and say, “What should we do?” And the person’s like, “Me?” I’m going to make the decision. “What do you think we should do?” They’d say, “We should do A.” “We’re going to do A, let’s do it.”

Dug Song:

Yeah, but that’s how we end up building... Well, to do that, we also had to build what we call a culture of learning together, where you sort of blameless these decisions and not about who was right, but what was right, and so it’s all this kind of work we did on building a team was that. A lot of it came from the kind of culture that Jon and I came from, of like open source or academia where it’s not about pulling a rank on somebody.

Turner Novak:

Yeah, it’s like a high school kid could make a contribution that makes the project better and making it just works.

Dug Song:

Yeah. And actually, and nobody has time to say, “You were wrong.” It’s like, “Well, yeah, I know. I tried, it didn’t work.”

Jon Oberheide:

But it’s like what are you going to do about it?

Dug Song:

Yeah. And in academia, no one’s doing that. “Oh, you were wrong about that research result.” You’re just figuring it out. And so in academia, open source, the same thing, and so it was really important. So that’s, I think probably for both of us, as we think about the kind of companies we back or founders, if there’s any wisdom that we try to impart, it’s just that you have to focus on that. And a technology business is still a people business ultimately, and so I see the kind of weird escalation of like the founder as God mode or whatever in these kind of discussions. Recently it’s just like really bad. It’s not really how you can achieve scale, I think.

Turner Novak:

One thing that came up when I was talking to people, just kind of doing some research for this, one thing I thought was interesting, this might not be interesting, but everyone had kind of a personal development plan, kind of like a path to get promoted. Was that an intentional thing of just like-

Jon Oberheide:

Yeah, everyone should know where they’re at and what’s next for them. And sometimes the desires and the growth of an employee matches the needs of the company and that’s spectacular, sometimes it doesn’t. So we had more of kind of your tour of duty, I think, talent philosophy where it’s like, you can work here for a few years and we hope you grow with the company, and it was so spectacular to see even some of our executives that started. Chester started as our engineering architect, first engineering manager, first engineering director, and then VP of engineering for kind of the full history of the company.

Dug Song:

And one of the best engineering executive I’ve ever met, right? He just killed it.

Turner Novak:

So what makes a good engineering executive?

Dug Song:

I mean, there’s the basic... Well, I’ll let you answer, Jon, because you managed him.

Jon Oberheide:

Our VP of engineering, Chester, he built a leadership factory. So he was producing managers, directors that can be VPs of eng at any company out there. And team culture, performance, the happiness was always like top of any function in our organization. And a lot of the practices that he put in place in terms of his managerial culture ended up being adopted by other parts of our organization as well. So it wasn’t like, he’s not leading the product vision, got enough of that between the two of us, he wasn’t on stage rallying customers, on front lines of the sales team, but he built incredible sort of delivery platform for our product ambitions.

Dug Song:

Unlocking the full human potential of every person in the team in a fractal way just carries through, and that’s a remarkable thing where you sort of have built kind of a winning franchise that as U of M likes to say, individual performance leads to team performance leads to program performance, right? But if you’re able to really build that kind of culture, that’s what carries, and he did a great job at that.

Jon Oberheide:

I think those IDPs were just one manifestation or one artifact of a healthy organization. Of if you want to go be a VP of Eng, we’ve got Chester, it’s probably not going to be here, but we’re going to help you find your next job. If it’s not a fit here at Duo, we’re going to make sure you’re successful in your next thing. And when I would try to recruit people, I would say Duo’s an amazing place to work, but my hope is that Duo is like the springboard. When you’re looking back on your career 20, 30, 40 years from now, you look back and you say, “That was the role where I learned the most, we grew the fastest, I worked with the best people, I had some amazing experience that allowed me to jump to the next thing, like a new sort of inflection point in my career arc.”

Dug Song:

We want to be the best company to be from, right? The way that like Jon O and U of M and all this stuff, there’s a heritage, there’s legacy, something means to be from Michigan in this way. But also, from the open source community, where everyone’s a volunteer, you can’t tell them what to do, it’s sort of like, well, how do you manage teams, distributed teams? And something where like, again, you can’t tell people what to do, you sort of have to inspire their work and alignment to accomplish something larger than themselves without the command and control, sort of orchestration, because that doesn’t scale anyway.

That’s also not how you get the best work out of people. You need them to come up with their own agency. And so yeah, I think a lot of that just, at a very corporate level, at a very executive level, it’s like most CEOs with their executives will have something of a career contract. Come join me for the next two to four years. What are the kind of things you’re trying to accomplish in your life or career? I want to do this, I want to have a family, I want to learn how to be a CMO, I want to make $40 million. And all these things were things that we had to fulfill for folks at Duo, but it goes down the line. Personally, as a open source kind of hippie guy, growing up in those kind of teams, I was like, “I don’t know how to motivate anybody to do anything.” I think people have their own intrinsic motivations for life for a career, and as leaders, our job is simply understand that. Like What do they want to do? And then how do our needs present as opportunities for them?

Because if they can fulfill those kind of at our organization, then we’re both getting what we want until such time as we diverge. And when that happens, that’s fine. We’ve had people who we hired I think three times.

Jon Oberheide:

A lot of boomerangs, yeah.

Dug Song:

As they started other companies, as they made fortunes in Bitcoin, and still came back to work for us, it was funny. We had all kinds of folks that were so loyal to the program and so invested in kind of how we’re operating. Proudest of the fact that we have so many duo folks that have gone on and recombined to get start their own companies and their own journeys that way.

Jon Oberheide:

Or still there within Cisco.

Dug Song:

Yeah, that’s... Yep.

Turner Novak:

Actually, it might be interesting, I don’t know if you’ve actually like, what is Duo for just someone who’s just been listening to us for like an hour? What are you talking about?

Jon Oberheide:

In the cybersecurity space, we love our acronyms, right? We love TLAs. So there’s like MFA, multifactor authentication, SSO, single sign-on. We come up with new words like Zero Trust or BeyondCorp. But Duo fundamentally, we allow end users, mostly employees to get access to their corporate applications that they need in a safe, secure, usable way, that’s kind of the end user value. And then we do that via all this industry journey, making sure that you are who you say you are, making sure you can have a secure device to access those applications and so on.

Dug Song:

But critically, we do it by making it easier to do things, not harder. Were most securities do it by putting hurdles in front of people to jump through, and of course, most people understand Duo as like two factor, which is like, oh, there’s a second thing to do, but also there’s a password list, there’s the things that we have really pioneered with a lot of folks to do. So you don’t have to really worry about logging in but maybe once a month, and we would be able to enable organizations to do that with even untrusted devices, but maybe trustworthy if we can kind of verify them, but again, make access easier and simplify that for organizations.

Jon Oberheide:

Our slogan early on was like, “Security sucks. Who has time for this?”

Dug Song:

Yeah, we never really used that as marketing, but internally.

Jon Oberheide:

When you’ve used security products sometime in your life, when has that ever been a good experience?

Turner Novak:

I think of it as being a nuisance-

Jon Oberheide:

Pass, pass-

Turner Novak:

That I have to figure out this secure thing to be more secure and I’ll figure it out next week.

Jon Oberheide:

Has there ever been a security product that is like, “Turner, you’re doing a good job.” No, it’s like, “Turner, you’re terrible at computing, don’t click those links. Don’t open that attachment. Why did you do that? “ And you’re like, “I don’t know. I’m just trying to use the computer. I’m trying to browse the internet and it’s telling me I’m a bad person.” And that was most people’s end users’ experience with security it’s always telling them when they’re doing something wrong or unsafe or putting something at risk. And so we had that challenge and opportunity of like, how do we make security not so painful that maybe it could be a semi-positive experience? Because the reason why Duos logo is green, it’s like, we want to let you in. We want to get out of your way.

Turner Novak:

Green means go.

Jon Oberheide:

As quick as we can so you can do your job. No one wants to jump through the hoops, they just want to share a file or they just want to log into Slack or whatever it might be.

Turner Novak:

Like 99.999% of the people that are logging in are just like trying to do the thing that needs to be done and then there’s just a small -

Jon Oberheide:

Trying to be good employees, yeah, good employees, but then you got to plan for the worst case when it’s a bad guy that’s trying to get in.

Dug Song:

So kind of a key insight for us was, and this is kind of trite or cliche in the wake of Steve Jobs and Apple, but you know better security by design. And the way we thought about this was really that security engineering and design engineering are just two sides of the same coin. How do you make the right things happen by default? Where typically people think of security and design as being opposite, designing by saying yes, security by saying no, and we’re like, no, actually there’s an intersection of this where between people and technology, proper design and security engineering can actually streamline things to make things safe, easier, more effective. And so that was always our goal, and our mission as a company was to make security easy and effective for everybody.

Jon Oberheide:

I think typically the cybersecurity startup in the world, they’d raise some money, their first go to-market hires would be like three enterprise AEs in New York and they’d sell to a bunch of banks and Fortune 500, and that would be it. And we started the exact opposite. We’re like, we are starting down market with VSB and SMB and we’re going to work our way up over time with product maturity. And that’s unusual to have a product and offering that meets a market need and can be consumed, purchased, deployed, managed, used by companies that are like a mom and pop coffee shop that have a PCI compliance burden because they accept credit cards, all the way to your Fortune 50, federal government, your most sophisticated and sizable customers.

Turner Novak:

So why did you-

Jon Oberheide:

They find the same thing, they’re using the same product.

Turner Novak:

Yeah. Well, so why did you start there? Because the 101 would be like, oh, hire these, go to New York, sell to banks?

Dug Song:

Well, so to put a fact, we didn’t actually start there, but we did end up there.

Turner Novak:

Yeah. So what was the seeds of Duo getting started? I know there was a document you showed me of all these ideas you had of when you first started it.

Dug Song:

Right, right, right. Because I think we had seen the shift in MO of attackers. Security had become everyone’s problem, is kind of the internet, particularly via SaaS had kind of widened the attack service for many more organizations. And we were seeing not just the banks, hospitals, governments being attacked, but smaller businesses. Autobody shops getting fleece for three million, all that kind of stuff, and their banks actually disavowing kind of any responsibility like, “Well, we’re really sorry you got hacked and that’s not our fault.” And in point of fact, there’s a case here in Michigan called Experi-Metal vs Comerica where that’s what happened. And the customer had an RSA token, two factor authentication hardware token, used it, but of course the attacker, they captured the first password, but they were in line, could capture the second one and to replay that in the same timeframe. And so the bank was doing all the things that they could do in the market to solve that problem, and yet the customer still got hacked, so whose fault was it? And so we looked at this thing, and quite frankly, by that time I had left Security, I’d gone to go to internet TV and that was-

Turner Novak:

Oh yeah, was that Zattoo?

Dug Song:

Zattoo, yeah.

Turner Novak:

Okay.

Dug Song:

And maybe the only thing more ill-advised at the time was Security, but with the rise of YouTube and all, Zattoo was fine, it’s a great company, doing well, and all kinds of interesting things, but it was a peer-to-peer video company trying to atone for my sins with what we had done with Woo and Napster. But that all said, we kind of came hesitated because when we started the company and I was telling Jon, “Hey, let’s go build the next great security company.” He said, “Well, what are we going to do?” I was like, “I don’t know, but what I do know is that there’s something happening that we need to go talk to customers and other folks about.” So actually one of our very first meetings, we drove, I think, to New York City and we met with my old customers at Goldman Sachs and Citibank to have them tell us, Byron Collie who leads FSISAC, the financial services industry incident sharing and analysis center, what they were seeing.

And the messaging was consistent across all these banks and also big tech-account takeover. They just couldn’t deal with the flood of compromised accounts that was happening because attackers had figured out rather than trying to penetrate the firewall, rather than trying to hack this machine or compromise the application, they just phished the user.

Turner Novak:

And then you could do anything once you got inside.

Dug Song:

Yeah. It’s like the Oceans 11, wherever you wear the janitors uniform and, now you’re just roaming the casino like you’re supposed to be there. Because

Turner Novak:

You just look like a normal user like, “Oh, this guy Jimmy from accounting is just full access to whatever they should have.”

Dug Song:

And you bypass all the security investment that was made too slow them down because you’re the user, you’re the employee.

Turner Novak:

And it probably got even worse. I think you were telling me a couple of months ago at the event at Michigan, it was like the cloud was kind of accelerating this, mobile, everyone had a phone, so this was all just like exponentially getting worse.

Jon Oberheide:

This was late 2009. So iPhone had been released in 2007, first Android phone in 2008. AWS was a thing, but it was just EC2 and S3 and still pretty immature, I think Office 365 was in beta still at that time. And so there was this explosion of cloud and mobility that happened over that next decade and Duo was a benefactor of that, both from leveraging those technologies to deploy a cloud delivered mobile first authentication experience, but more so, solving those security problems that were introduced by this proliferation of SaaS applications and BYOD devices through an organization.

Dug Song:

But what wasn’t obvious at the time. 2009, when we were there and we’re sleeping on my friend Jenny’s floor in Brooklyn and going to Jersey City to go meet all these folks and all this stuff, I didn’t have an iPhone. I was like, “I think it’s a fad.” And I don’t know if someone’s going to buy that thing, I’m not using it. I’m in security, I’m a paranoid, I don’t trust that thing.

Jon Oberheide:

You had your Razor flip phone.

Dug Song:

Yeah, forever.

Jon Oberheide:

Forever. I held out, yeah.

Dug Song:

But Jon O, part of his PhD had been in security for cloud delivered security. He’d hacked all these other kind of things, right? You find the papers now, it’s not private, but he hacked all these cloud antivirus systems at Barracuda, my old employer, had done all this stuff. And so seeing all that and knowing that he was actually doing a bunch of mobile security research and all this kind of stuff, I was like, “Huh, interesting.” And of course, there are a lot of points along the way where we really got challenged on the delivery of that because we’re like, “Well, should we start with upmarket?” And then, because based on security, it’s hard. If you have even halfway decent technology or product, it’s hard not to get to like $10 million in revenue. Maybe it’s overstating it, but banks, the banks will pay for all kinds of paid pilots and security for-

Jon Oberheide:

Maybe 100K to run a paid pilot.

Dug Song:

Yeah. And so it was maybe the easiest sledding for us to go, but we sort of had a different discipline to say, “Well, no, no, no. We really want to solve for a different end of the market.” And my experience from Arbor had been, if we only work with those kind of large enterprise customers, we’re going to end up building a Citibank product, a Goldman Sachs product, because I did that at Arbor. We ended up with an AT&T product, a Deutsche Telecom product, Bridge Telecom product, and I was like, “We just can’t do that. We need to build something different to achieve sort of mass markets or adoption.”

Jon Oberheide:

It’s like how do you build sophisticated technology, how do you build power tools that your three-year-old can use? It has to work. It has to be sophisticated, but the kids got to be able to use it, and our first few customers were spanning that spectrum. It was COPCP, Central Ohio Primary Care Physicians, very-

Turner Novak:

Yeah, that was the first customer, right?

Jon Oberheide:

Yeah. A bunch of doctors that, I think the CISO over there said the doctors, their desired technology experience is for them to walk up to a computer and have it recognize how important they are. Yeah, you could not piss them off or get in their way of patient care, that’s what they live for. Second customer I think was Facebook, which was the whole other end of the sophisticated spectrum. And the third customer was the Soo Tribe of Michigan.

Turner Novak:

So it’s like the three opposite direction.

Jon Oberheide:

But it was an interesting set.

Dug Song:

Yeah, I’m not sure if Facebook was a second, but-

Jon Oberheide:

They were early.

Dug Song:

They were early. It was a sort of funny experience trying to build more of a bottom up motion like I’d seen some other companies do, because I come from Barracuda where they had worked at democratized security in a different way, selling a $2,500 kind of email appliance versus $25,000 whatever blue code or whatever, and so they had kind of built a very different model downstream. And by the way, I’ll give Barracuda the credit for all this because before then there were no tech billboards or airport advertisements. Barracuda were like these small ISP guys who just figured out, and so they were doing funny things. They were taking out radio spots, they were driving around cars. When I worked for them, I would drive a car that they had, a wrapped car like I’m working for Molly Maid.

Turner Novak:

So like...

Dug Song:

It’s so funny, but it worked because they knew their customer, they knew the small kind of ISP kind of customer. And so anyway, so these were all things we’re sort of taking into our strategy implicitly for Duo as we thought about how we go about it and who we wanted to serve. But long story short, probably the most important thing that rooted us in our work, even in those early days, our North Star was who we wanted to serve. That we knew that yes, we will have to serve enterprise customer and all the rest, but at the end of the day, if we couldn’t innovate security in the end of the market where no one really had and around the mid-market and prickly SMB, we weren’t solving the problem, because that’s what attackers were doing.

Turner Novak:

Yeah. It almost seems like your customer wasn’t actually the security team or your end user. Maybe the security team paid for it, but the user was like just-

Jon Oberheide:

Normal employees. Yeah, just wat to get in and out. And that’s what we had to design for. It was not for the SIS admin or the security director, it was for the people that just want to log in and be productive. And that was all the things that, as we started down market, that forced us to build the power tool for the three-year-old and make it really seamless, easy for the end user. Every employee, whether you’re in a small organization or big organization is going to appreciate that, so it was much easier to kind of go upstream with a product that might have started downmarket. It adds some bells and whistles, but this was also the era of consumerization of SaaS where the way people found and tried and procured software dramatically changed from traditional enterprise procurement to, “I want to go kick the tires on box trial or something like that.” So having that freemium trial experience where people could just sign up off the website, they don’t have to talk to a sales rep. If they want to buy it, they can plug in a credit card. That was not new in the SaaS world, but that was brand new in security. Security had not been sort of delivered and sold in that way.

Dug Song:

Even by the time we sold eight years later to Cisco, Cisco security still wasn’t really able to accept a credit card, to accept it for product purchase online and that the... Actually, I don’t know if I should be sharing this, but anyway ...

Turner Novak:

No one’s listening anymore, we’re an hour in people, no one’s going to hear this.

Dug Song:

Yeah. But turning up a new customer for a signup for Cisco’s other SaaS security products online meant that someone from accounting was sending a spreadsheet over to the engineering team with a list of accounts to again turn up. I’m like, “This is insane. What even is this? How is it your assets and entitlements and all the kind of spin up this manual process and passing on Microsoft documents?” This antithesis of like SaaS, right? Which is why we ended up spending so much time replatforming Cisco on our SaaS kind of stuff. But I’ll say this, that commitment to sort of being thoughtful about how to solve not just the actual technology problem we’re solving, but the broader business problem. The actual problem we’re solving was the non-consumption of security.

Turner Novak:

Oh, by just getting your average employees just care about it to use it?

Dug Song:

Yeah, or giving smaller businesses or organizations or a bit organization at scale. It was kind of funny, but healthcare was our first customer, but our other largest verticals early for many years were opted on the spectrum. It was high-tech like Facebook, Twitter, Uber, these kind of companies, and higher ed, universities. In both cases, they have large pools of users and stuff they deploy security to. Not simply effectively fast, but in one case, particularly the higher ed case, they don’t have the budget to do it. They’re not going to staff out like security teams, all that stuff. How do you empower those kind of organizations to do this stuff at scale? But it was really trying to think about how do we reshape the opportunity in the market for security to be actually bought and sold for organizations that don’t buy security?

Jon Oberheide:

Which is why all the traditional early stage startup TAM calculations are nonsensical because the TAM that existed was like mostly RSA and it was mostly large enterprise customers. It didn’t take into account that this need existed throughout the entire sort of spectrum of SMB mid-market enterprise. There was just never a product that could be built and designed that is amenable to deployment in those small organizations. They were certainly getting attacked and phished and ...

Turner Novak:

Would you remember what the TAM number was then in that pitch deck, that first deck you had?

Dug Song:

It was smaller than what we sold Duo for.

Jon Oberheide:

I think it was around $2 billion, yeah.

Dug Song:

Yeah.

Turner Novak:

Wow.

Dug Song:

But I guess what I say is this, that’s where now as investors on their side where we probably will look at this, but I don’t know, I just feel like those business school exercises of estimating the TAM and SAM for these brand new businesses is like, if you’re building something really of value, you’re either reshaping or you’re creating the market for it in some way. It’s inevitable if you’re doing something that’s really different that no one’s done before, otherwise, it’s just incremental and someone else is just a product feature set for something else somebody else are doing.

Jon Oberheide:

And if you see a pitch deck, you know, you don’t need to see a TAM side, you know whether it’s a big crazy opportunity or if it’s like this is feature, not a company. It’s clear from the pitch that this is a small market, you don’t need to size it for me.

Turner Novak:

Well, so maybe that’s an interesting question because didn’t Microsoft kind of have like a identity login thing? Couldn’t someone say, “Oh, Duo, this is just like a feature of Microsoft.”

Jon Oberheide:

Microsoft bought one of our competitors, PhoneFactor and baked it into their sort of Azure MFA platform. We had a lot of that over the years. Google Authenticator was released by Google for login to your Google account, but also any.

Turner Novak:

I actually use that app, yeah.

Jon Oberheide:

Yeah.

Turner Novak:

Can I use the Duo app for that also?

Jon Oberheide:

Yeah, yeah, yeah.

Dug Song:

Okay. And that app was written by our friend Steve Weiss at Google, who we later pulled out to go to his company with other friends of ours from WooHoo that they sold to Facebook. So there’s all these kind of things that are happening where all of our friends who have been building these, it’s like these aren’t new ideas. The big difference is that it’s not about the idea, it’s about can you actually build and execute, again, a go to-market motion, build kind of an onboarding, build a kind of product experience that leads those customers to be successful? Doing this almost in spite of themselves and in spite of, certainly inspired the leasing market, because none of the security, the technology that were out there, this is an old idea, two factor and all these things that existed for like 30 years.

Jon Oberheide:

Even our amazing innovations, our world changing patent innovations, we built a mobile app that has a green button and a red button. You log in, it sends a notification to your phone, you tap the green button to log in. Not exactly-

Turner Novak:

And you tap red if it’s not you?

Jon Oberheide:

Yeah, not exactly rocket surgery.

Dug Song:

It was funny to say by the author of our hundred plus patents, but it’s true. Underneath there’s a lot of-

Jon Oberheide:

I can clog code that up in 10 minutes today. It’s not the software components that made us successful or not, but it was the delivery, design.

Dug Song:

And empathy for the customer and the culture we built for a team that’s solving every problem for them from that perspective.

Jon Oberheide:

Remember at the time we launched that app and we were really careful about it? We were worried someone’s going to see it and copy it and we’re like, okay, it probably gives us six months of a headstart on our competitors. And in true sort of incumbent startup fashion, it took RSA, which was our primary competitor at the time, it took them six years to build an equivalent app and it was still a way worse experience. They’re locked into legacy architectures and just business processes that couldn’t adapt, so it was a good reminder. And going into Cisco, you see how the Mega Corps work and why the startup ecosystem delivers as it does.

Dug Song:

Yeah. But being radical advocates for your customer really. Every employee, every engineer at Duo had been in some customer call, because we had a whole system by which you could sign up and join on a customer call, a sales call that’s happening. But everyone had their favorite customer stories. We had customers at every event we were doing. Every all hands or kickoff we’re doing, we had customers there. That’s the only thing that matters. I just think people lose sight of what it means to build a business sometimes when there’s so much money floating around and everyone’s figuring out like, what do I do with this kind of crazy technology or capability? When really you have customers who have real pain and real budgets to solve and they need a solution that you could see as engineers, we can solve anything. It’s just a matter of figuring out, can we organize ourselves and teams to go after it?

Jon Oberheide:

I think that was the Michigan advantage of we were heads down in Michigan outside of the noise of the valley where we could focus on building great product, great company, great customer experience, and just not as many distractions. We could really, as Dug would say, “Get big before we got loud.” Like prove out the business, show our metrics before making a big deal about it externally. We were a little under the radar.

Dug Song:

And for good reason also. Michigan was our secret weapon and we kept it secret actually for a while. We never really talked about the fact that we never had problems hiring engineers. I mean, obviously Jon O and John Chester and the team and did a lot of work to get really great people on board, but by and large, we hired whoever we wanted to in engineering and didn’t necessarily have to go to the engineers to find them. We have amazing talent here and there have been not just universities and so forth, but history of all these other startups before us that had some experience and so forth, and of course our networks from open source, from hacking and so forth. And so again, this was a wonderful place to build because when the average home price, and it climbed here, right, now it’s like we’re all, “Oh my God, it’s so expensive here.” $400,000, median home price, right, in Ann Arbor, which is the most expensive real estate market in Michigan. I mean, it’s flooring. My friends who were moving from Detroit setting up their companies with us here and so forth, they’re like, “Wait a second. I’m paying more for this giant mansion in my factory than I sold my tiny little ranch house right in Mountain View for...” And so there’s this real comparative advantage, right, in all this kind of thing. If you’re willing to get over sort of the buzzy, “You got to be here,” and blah, blah, blah. Because we said, we need to have a little bit of Silicon Valley in us, but we don’t need to be in Silicon Valley.

And our choice of investors reflected that. A little bit from true. Our seed investors, Google Ventures, Benchmark. These were all sort of our routes into talent, into perspective, and the value that would merge with our own but not supersede it.

Jon Oberheide:

I remember Matt Cohler, who was our board member from Benchmark, he came to a company kickoff and talked in front of the company and describing Benchmark like, “We invest only in Series A companies in San Francisco.” And then you’d be like, “Yeah, and Ann Arbor.”

Dug Song:

And the B round and duo.

Jon Oberheide:

Yeah. B round. Yeah. Yeah, yeah.

Turner Novak:

Maybe your B round was valued like an A.

Jon Oberheide:

No. I mean, I always tell founders nowadays, people are super dilution sensitive. They’re worried about post money and stuff. And I’m like, “We sold 25% of the company for a million dollars and then we sold another 25% of the company for $5 million. Then we sold another 25% of the company for $13 million.” Not that much but... Not me. It may be more like 20 option pool, whatever. But our first round, our seed round from True, and I give a lot of credit to Puneet for really taking the risk and making the bet. All the subsequent rounds were like you just show the graphs and things are going pretty great. They took the most risk, but it was a one-on-four post.

Dug Song:

Right.

Jon Oberheide:

Our B round is what normal seed rounds are.

Turner Novak:

And incubation.

Jon Oberheide:

Or now. Yeah.

Turner Novak:

You’re leaving the big corporation and.

Jon Oberheide:

And we had customers, we had some revenue, we had a product, but that was the market back in 2010, if you can believe that.

Turner Novak:

I think one thing that you guys definitely did a really good job was the brand and the marketing. What’s the importance of that? What all went into that? Because you said it was green logo. It makes me think of, I don’t know, maybe money, go.

Jon Oberheide:

More go than money.

Turner Novak:

I don’t know. I’m just thinking of green’s not a security color.

Jon Oberheide:

No, everything’s red and black and scary. And you go to the convention halls and there’s banners everywhere of... It’s not a matter of when. The attackers are already in, what are you going to do? And we’re like, “This is nonsense.” And it’s like super defeatist and negative. And I think it was deep customer empathy. We would tell the stories of our customers’ challenges and plights. And there’s one that we would tell in every onboarding that we called the Duo Pizza Play, where when there’s a breach that happens, a CISO is running around, their hair is on fire, they’re trying to respond to this breach, maybe it got leaked in the news and they’re dealing with PR response.

Turner Novak:

Flood of messages.

Jon Oberheide:

Yeah. Their executives are like, “What happened? What’s going on? What’s affected?” You know what happens in that situation? BDRs from every security startup find that CISO’s cell phone number and they call them and they say, “If only you had bought our product, this wouldn’t have happened.” And it’s like, is that what the CISO needs? Especially at that moment in time, it’s like, I don’t think so. That’s very obvious. You take half a second to think about it.

Turner Novak:

Yeah.

Jon Oberheide:

So one of our sales plays was we would send pizza to the company HQ. We just ordered pizzas, maybe some Red Bull or 5-hour Energy and say with a card that’s like, “So sorry, this is happening. I hope this is helpful. Give us a call when you come up for air.” And the love, the credibility that engendered where people were like, “This is the first time any vendor has actually done something remotely net positive for me in a crisis situation.” And that doesn’t happen unless you truly understand what’s happening.

Turner Novak:

What is your customer actually going-

Jon Oberheide:

No. Again, it’s not rocket science, but it’s just good fundamentals.

Dug Song:

People do tabletop exercises. But you know that you’re going to have pizza where you’re working late night, right, getting the stuff done and all this kind of stuff and just one less thing to think about, but it’s also Michigan’s a pizza state. So I’m sure that has something to do with it. Actually, one of our first sort of funny experiments with this stuff was a pizza, your pizza script drawn out-

Jon Oberheide:

Pizzabot.

Dug Song:

Calling up Domino’s Pizza using Twilio to order us pizza. But before Domino’s had their online ordering and stuff, we basically hacked their own.

Turner Novak:

Well, you made an online order because the bot would call and place it.

Dug Song:

Right.

Jon Oberheide:

Yeah. Not even online orders, on phone.

Turner Novak:

On phone. Okay.

Jon Oberheide:

Yeah. It was not very good. We did not have LLMs back then.

Dug Song:

But, yeah.

Jon Oberheide:

I remember we had an employee who worked at another company that had gotten breached and when he heard news of the breach, the first thing he did, he’s like, “I went and I bought a sleeping bag from Home Depot.” It was his first action. “I need to get a sleeping bag because I’m going to be responding to this at the office for the next three weeks straight and I’m going to be sleeping here, so I need a sleeping bag.” And if you understand the situation that customers or responders are in, you’ll do things different as a company. And as the company grows and we’re two, three, four, five, six, 700 people, it’s hard to scale that industry knowledge, that empathy.

But if we told a story like that in onboarding, every time there’s a new set of hires that came in, they heard that story, they didn’t know exactly how to operate when they cold-call a customer or when they’re on a CS renewal call, but they knew that story and they could kind of emulate like, “How should I be interacting with customers? How should I be treating them? They’re coming up for renewal and they missed a renewal date. Should I turn their service off?” No. No. Why would you do that? Give customers some grace. They’re working in complicated environments.

Dug Song:

So we had personas as many people will do for users rather product, but in our case, we had them for the customer. And just like in sales, people will do the kind of enterprise mapping of who can veto the deal versus who can prove it and all the kind of things. But in our case, and we had to think about who will operate this thing, what’s going to be the impact of, again, how security is actually managed, right, and how can we ultimately support all that, right, including some of the features that we had in the product that were overlapping, what would be other entire product suites. But because we could see every product that every device people were logging in with, we could show kind of full inventory of all that. Here’s all the devices, right, that are being used in your environment to log in and here’s what they’re running and here’s what their security profile looks like.

That was just kind of a whole set of IT asset management kind of capabilities that we could also round up as part of our product and have as the integrated context where people would normally have to figure out when they’re dealing with this kind of things, responding and so forth. And so anyway, at the end of the day, and Jon says, we worked really hard to build this kind of customer kind of culture, right, within the business, but to your point earlier about marketing and positioning, the green, the name Duo, none of that was from the start, right? We started with Red and Black. We started with a name called Scio Security, which is a terrible name, but I brought on board a friend who was first an advisor, later came in as our creative director, Pete Baker, who now did Anthropic, right? So he did all of Anthropic stuff. He does pretty good of all the AI platforms.

Turner Novak:

They had a good run.

Dug Song:

Yeah. It’s not bad. But he also did Tesla. He also did Clif Bar. He did some other things before Duo. And we specifically gave him the directive, Jon, right? Do not do anything with two, do not do anything with keys and shields, do nothing. And of course he proceeded to do those things early, but he also took us through the process of branding, thinking about this stuff in ways that would have a broader sort of PL, broader impact, more accessible. We’re like, “Please not know to anything and Scio Security means in Latin, I know security, but who cares? It doesn’t matter. And it was also based off of Scio Township outside of Ann Arbor, doesn’t matter.” And he was like, “No, no, Duo because dual factor authentication, all these kind of things.”

Turner Novak:

Oh yeah.

Dug Song:

But then also the duo or duality of security and design, this kind of things. So there’s all kinds of brand potential and all this stuff. But part of what was also for Jon and I having been at these other companies just not wanting to repeat all their mistakes. So I guess they were just not inspiring in a way that we needed to be inspired. One thing I appreciated about Jon O getting to know him better beyond his hacking was that he’s also a rap fan.

Jon Oberheide:

The East Coast hip hop.

Dug Song:

Yeah, good, good. And the ‘90s hip hop, which is the best, golden era of hip hop. And as a skateboarder, I was like, I told Pete, I want to build something that’s that sort of legacy brand and culture

Jon Oberheide:

I think your goal for Joe’s brand was be the best skateboard brand. That was an aspiration.

Dug Song:

And now we actually have a skateboard company.

Jon Oberheide:

If you could ask pretty much any employee at Duo, describe the customer journey, describe all the touch points, not just the end user perspective, but describe how they work through our sales team, through marketing, through procurement, through legal. And we had just interesting sort of experiences where there’s one point where our legal team instructed our engineering team to remove the Ula. We had to click through Ula, you install mobile app, there’s an end user license agreement and you click accept, right? And our legal team was like, “We should remove that from the mobile app.” And engineering team was like, “Why? This is a legal thing. It’s supposed to cover our ass if the app causes your phone to explode, whatever it might be.” Legal team’s like, “Well, first of all, these clickwrap agreements aren’t actually enforceable and it makes the user experience painful.” We know there’s support requests that come in where people are like, “I don’t want to accept this. I’m not going to use the app.” And to have a legal function that’s thinking about that customer user journey, it’s remarkable.

Turner Novak:

Legal would be the only department that knows you don’t actually need that.

Jon Oberheide:

Yeah. Everyone else like, “Oh, of course we need this.” Or how that legal team can design a customer contracting process that works for negotiating one-off customer paper agreements where they’ve got negotiating closed 10 enterprise deals per quarter but then also design a process that allows us to close 1,000 S&B customers per quarter. So every function in the organization had to figure out how to design and service both this low end of the market, high volume, transactional business as well as the more sort of typical market enterprise.

Turner Novak:

Speaking about legal, someone told me-

Jon Oberheide:

Oh boy.

Turner Novak:

... the first expansion into Europe in the Middle East, semi-related, maybe not-

Jon Oberheide:

Who told you that? Who told you it went bad? No, I’m kidding.

Turner Novak:

There’s actually two people that brought it up. So what was it like trying to expand into Europe and the Middle East?

Jon Oberheide:

I think there were a lot of things in our Duo experience where they went really well. And I always think of the late Daniel Kahneman who said, “Success is talent plus luck and great success is a little bit more talent and a lot more luck.” And as a business, we had so many tailwinds. I like to think that we built an amazing product, amazing SaaS transactional model, but we had the tailwinds of cloud adoption, of mobility, just these massive industry drivers that if we were bad at everything, we might’ve still done okay, but I think hopefully doing things better than bad made us more successful.

Dug Song:

Yeah. But we actually say with this, I mean, there was an incumbent market that was not very forward-thinking and never would’ve gotten, in my opinion, to some of the scale that we had because at the same time, we had to engineer our luck, right? There were points at which there was a customer who came at us in office just like a very... When we were very small, they were offering basically double our entire annual revenue with a single deal if we would put our product in a box and have it on premises.

Turner Novak:

Oh wow. Okay.

Jon Oberheide:

Gavin Belson, “Can you just put it in the box?”

Dug Song:

And we ran a whole exercise, quite frankly. We ran through a design treatment like, “Well, what would it look like?”

Jon Oberheide:

We built a beta.

Dug Song:

Yeah. We ran through this thing until we had sort of board meeting and our independent board member at the time, Stratton Sclavos, who was the former CEO of VeriSign, but also was on Intuit’s board and Juniper’s board, Salesforce’s board, and he left into his board, join ours, but he was like, “Wait, wait, wait, Dug, don’t do that.” And we’re like, “Wait, Stratton, but don’t we want to double the revenue of the company with big enterprise, referenceable...” He’s like, “You built this company with a vision and commitment and a vision of kind of leveraging Jon Os and security from the cloud. Why’d you just stick to your knitting?”

It was remarkable to me because he said, “The last guy to tell me to give him this story was Marc Benioff sitting in that same chair in his office.” They’re like, “Mark Benioff sent the same shit to me now. I need to put Salesforce on a box.” And he said the same thing at the time, “Do not do that.” So follow your gut, follow your intuition, have the conviction, right, to follow through and the courage to do something different because everyone’s seen that. You guys are just doing something different and you have customers that have demonstrated that it’s possible to build, deliver in that way.

Jon Oberheide:

That same customer also said, “We’re on Blackberry and we would never adopt the iPhone.” Morgan Stanley.

Dug Song:

Yeah. Yeah. And so Stratton’s advice was, again, “Skate to where the puck’s going.” So he said, “You are building the future. Don’t let the past hold you hostage.” And so it was, I mean, one of the most impactful things that Stratton had done for us, right, in sort of giving us the courage to go after that.

Jon Oberheide:

Which was not trivial. Our organization’s going to outsource their most sensitive from a security and availability perspective authentication process to a third party cloud service. The cloud was not proven and this was a high risk bet. But I preface that with Duo did a lot of things well. We had a lot of success.

Even the things that did not go as great as we hoped there, you kind of rose-tinted glasses in hindsight, you’re like, “Well, it didn’t sink the company, but we certainly could have done a better job.” And I think our EMEA expansion, now when I work with companies that are considering international expansion, I always encourage them, the culture and institutional knowledge transfer is so huge. And I think that’s a place where we missed. We spun up teams in EMEA that had no experience with Duo, no connection. You’re literally across the ocean. That made it more challenging.

Turner Novak:

So it was just like a mercenary like, “Go sell this”?

Dug Song:

Well, not quite that bad, but we did have a guy who went there for a year, Patrick Garrity, who was about as much of a culture carrier as you can imagine.

Jon Oberheide:

That was helpful. We needed to transplant that extra knowledge.

Dug Song:

But there were things that didn’t translate, right, because the US market for security is not sold the same way as in Europe, right? Europe is basically all through distributors, right, resellers. US has a lot of resellers as well, but there it’s more of a two-tier distribution system. And so again, there’s more things and it’s a highly fragmented market and all this other stuff and it requires localization in certain markets. And from the cloud, there’s even more sort of regulatory stuff. So there’s just a lot to work through and it just took us longer to kind of get through it all. But ultimately, we had-

Jon Oberheide:

Slower start. New line of business, new region, and the rest of the business just kicking butt. The rest of the business is 200%, 300% year-over-year growth. You start this new thing and you’re like, “All right, we expect it to at least keep up with the same growth rate. It’s smaller, it should grow.” And it’s like sometimes your expectations are misplaced and it takes longer for that ramp to start.

Dug Song:

But I think one way to rationalize and think about that is the overlapping kind of S-curves of growth because where we’re at kind of scale, right, from startup to growth to scale mode, was there different sort of behavioral profiles, operating profiles, things to do. We were at scale with our US direct inside SaaS business, right, inbound marketing, all that. Where we hadn’t kind of figured this out was Europe, enterprise, certainly federal, right, more public sector folks.

Jon Oberheide:

Outbound channels were all new investments.

Dug Song:

Yeah. And so there was a layering of that stuff we need to do, but there was also this reflection of one of the ways that we would do that would be to... There’s a lot of routes to success for startup talent, for people in the company. Sometimes they’ll go through the linear sort of like, IC manager, director, VP, whatever, executive. But sometimes it’s sort of like working across because often startup folks who are really happy dealing with the chaos. So we got to start the journeys that great at that stage but not great as operators. Just doing incremental stuff or optimizing a later or managing sort of large teams or through first and second and third line management. And so again, one of the big bets that we did make was to send this fellow Patrick over there because he’s a startup buyer and through. He will always be the zero to one. And he was a good culture booster as we carried over to Europe, it’s just that he himself was sort of unprepared because I think it was the first time in Europe living there.

Turner Novak:

It was like a double culture shock of important culture, clashing culture, different culture.

Jon Oberheide:

But founders are always like, “Hey, I’ve got this early team and they’re not making it to the next level. I feel like they’re getting left behind. Do I fire them? What do I do?” And it’s like you just have to find new projects for them to work on. You got to find the new initiatives that are that zero to one where they’re awesome at that. And you can’t always expect them to grow to the kind of scaler or growth spaces.

Dug Song:

So different place where the expansion went really, I mean, much better than we ever would have imagined was actually Austin as we kind of outscaled Ann Arbor’s available commercial real estate or even it’s residential, we needed to figure out where else to expand. And so we opened that office in Austin but sending a bunch of people. It was like a whole crew, like a welcome crew from Duo here, down there who liked kind of that early kind of build and could be the sort of microcosm, right, of all the functions represented because we didn’t really think of these offices as a sales office, whatever.

Turner Novak:

Like the everything office, all functions.

Dug Song:

And so that’s what that was. And I remember when we opened up what was a 30 person office there during Austin startup week for an open house, right, for people, companies, 3,000 people came through. It was crazy. And in large part, we had these cultural ambassadors, just a good job kind of finding, rooting itself in the community, really being great, not just brand ambassadors but helping to build... Jon had been doing all these tech talks here in all the community, and that translated very well down in Austin. So anyway, I think the important thing here is that when you build something to scale, it doesn’t have to just be that you’re now this grant corporate entity, but you can be sort of fractal, right, in this kind of startup way where you have pods and teams and engineering team was managed the same way where you have pods that were also cross function of a designer, a security engineer, developers, a product manager.

And so in Jon O role when product and engineering, they were kind of creating kind of like whole engineering, whole teams kind of unto themselves. They could operate independently. They didn’t have to raise something up through the leadership team to get something done, they could just actually execute. It kind of gives us this two piece of rule or whatever, I guess.

Turner Novak:

Yeah, I was going to say, that’s what it reminds me of is just like the small team. And actually, I think I might know what this means, but I don’t know for sure. There’s a saying, say no to dope.

Jon Oberheide:

Say no to dope was what we described with the on-premise. Duo On Premise Enterprise was our acronym for Duo in a box.

Turner Novak:

So you just say no to on-prem is basically that’s where that’s comes from.

Jon Oberheide:

That’s where it ended up. Yeah. We said maybe at first and then Stratton to help clarify, you should say no.

Turner Novak:

Okay. Maybe I guess I missed the timing on that question, but I just thought that was hilarious that that’s a-

Jon Oberheide:

Don’t do dope.

Turner Novak:

... great line. Yeah. And then you played a role sort of in the SolarWinds, the very high-profile SolarWinds. What was Duo’s kind of relation?

Jon Oberheide:

Yeah, I don’t think that was ever fully disclosed on the internet.

Turner Novak:

Yeah, I couldn’t find it. I was looking around.

Jon Oberheide:

The company, SolarWinds, they sell network management products and there was this very, probably one of the most significant breaches in history of a supposedly Russian state actor broke into SolarWinds, backdoored their product, and then all of these SolarWind deployments across the internet, federal government, enterprises with a backdoor into those networks.

Turner Novak:

And SolarWinds was a security company, right?

Jon Oberheide:

Yeah. Security, network management.

Dug Song:

SolarWinds, we had some earlier kind of connection too, because Kenny Van Zant, who was the president and CEO at the time, who later went on to become the president, CEO of-

Jon Oberheide:

Asana?

Dug Song:

... Asana, I think. Asana. I mean, he was growth backer kind of fellow, but he was one of the guys we also sort of took some cues from is when SolarWinds built their product, they’re focused on what do you call the, was it the wow moment or something? Ah, The Golden Motion, he called it. So the tipping point between marketing and sales, where again, it’s the product kind of value that leads you through it. And so when they showed up at trade shows, they would just have demo booths and pull people in say, “Hey, you want to see something?” I was like, “Well, what?” “No, no, come. Just put your hand on the mouse, check this out.”

And then within 30 seconds of them sort of playing with the product, like, “Whoa, this is actually really interesting. Tell me more.” That insight was a large part of it and also some of the things that we actually did with Duo. Our trade shows kind of had similar demo booths with not a lot of marketing around them and all that kind of thing. So we felt bad when that happened at SolarWinds because we knew Kenny, we knew the journey they’d been on.

Jon Oberheide:

This was like worst case incident was like Russia was in US Treasury, email systems, was in...

Dug Song:

Yeah, yeah. Careful what you say Jono…

Jon Oberheide:

...everything. Everything across highly sensitive organizations and they also were going after security companies. So they had compromised Mandiant, which is a kind of security incident response company that eventually got bought by Google. While the attackers were sort of exploring, trying to move laterally within... Mandiant’s network was a Duo customer. They logged into an account that was protected with Duo, which set off some red flags within Mandiant. Mandiant ended up catching that intruder, tracing it back to the SolarWinds software, discovering that SolarWinds was backdoored and then exposed this sort of worldwide compromise.

Dug Song:

This was the point of some of the interaction that Jon O and team had designed into the Duo app, which is that you could report fraud, right? If it wasn’t you logging in, it’s like, “No, that’s not me.” That becomes positive signal, right, to a security team saying like, “Actually, wait a second, our entire user base, which has basically been deputized, right, as security monitors personnel for our organization, see something, say something.” And that’s what happened. And so again, there were a number of incidents like that where Duo was sort of the canary in the coal mine, the bellwether for kind of what would happen, uncovering some larger breaches. But yeah, that happened a lot, but maybe not at the scale that SolarWinds was at.

Jon Oberheide:

Yeah.

Turner Novak:

And I think I saw that you burned only $14 million to get to 100 million there.

Dug Song:

We overraised.

Jon Oberheide:

Yeah. Yeah, yeah, yeah, yeah, we raised more money than we needed. Should have done a stock buyback. I mean, we thought we were growing quickly. We did a T3D2, triple three times and doubled twice, and that was really good.

Turner Novak:

That was really good.

Jon Oberheide:

The other side of the story was we were doing that while being close to... We were cashflow positive for a couple of years of that. And so I think even now that T3D2 is like, oh, that’s cute in the world of AI.”

Turner Novak:

VCs will get on and be like, “I triple every month.”

Jon Oberheide:

Yeah. You haven’t gone from zero to 100 in less than 12 months and you’re not a real company anymore. But if you look at the other side, so the bottom line efficiency, I think that’s a place where we were really special in terms of the sort of net burn to get to a hundred million.

Dug Song:

I think [inaudible] wrote about this early about Redpoint, but we were claiming we were the best SaaS metrics we’d ever seen.

Turner Novak:

Oh, really?

Dug Song:

Yeah. Yeah.

Turner Novak:

What were the metrics? I think you sent in an email, I guess, summary, what was the general-

Jon Oberheide:

I mean, in the growth, we had that T3D2. I think once we burned eight million of capital, we get to a hundred, and maybe burned 20 million at the time of exit overall.

Dug Song:

Yeah. It was like one, three, 10, 30, 75, 140 something, 200 something in our ARR, but the burn ultimately was very low. I think it was about 14 to get to by the time we were about a hundred.

Jon Oberheide:

But you weren’t trying to be cashflow positive in those years. It was our own fault. We grew faster than we expected. We couldn’t hire fast enough to hit our hiring plans.

Dug Song:

Yeah. Our plans were always to actually-

Jon Oberheide:

Burn more.

Dug Song:

... spend more. Yeah. But the other part of it is, part of that was we raised later rounds with Lead Edge Capital, Meritech, the growth investors kind of as a mezzanine to what we’ve been in our IPO. And some of that was because strategically we had been doing things internally in the team looking at, well, what could we do to do inorganic growth because we have friends who had great companies and we were... So we even had a target company we were looking to buy. And I remember having this conversation with Jeff Lawson who was very helpful from Twilio about what he had done en route to their IPO, which is tank up 100 million cash on the balance sheet to go experiment and gain some experience doing this before you try to acquire the public eye, right, as a public company.

And so those were lessons we had taken because we had well over a hundred million cash on the balance sheet when we exited, which is to say that we didn’t need to raise that additional money. We never touched it, but it’s fine because it was also cheaper.

Jon Oberheide:

It’s always that balance of we would walk into the board meetings and we’d have done our three acts or we’d overachieve our first half plan or something like that. And of course, as board members would say, “Why can’t you grow faster?” And we’d sit there and we’re like, “I don’t think we can.” And I remember Zach, our COO, had a slide with a rollercoaster loop to loop and people falling out of the rollercoaster and that’s how it felt. We were trying to grow responsibly without doing a bunch of dumb stuff. We certainly could have pulled more marketing levers, but we didn’t have ones that we didn’t think were wildly inefficient.

Dug Song:

I mean, we were pretty explicit with the team because the team would ask these questions too, and we were also open book, right, about all this stuff. Some of our management systems were sort of funny, but we had a board report we did before every board meeting, before every mid-quarter board call where every one of our VPs would write three to five paragraphs of plans, progress, and problems of their function and write sort of a preamble about the kind of story of the business in that timeframe. And we shared that with the board for comment and also calibration. At very board meetings, so we don’t spend the time just doing the weather report off the slides but really focus on the two or three topic of strategic concern that we had and they had, but also we’d share it with the entire company.

And so they all knew kind of how we were investing the money, where growth was coming from, what our big bets were and why. And some of our most insightful questions... Our CFO thought it was so funny that some of our most insightful SaaS metric questions would come from guys like Martin Thorburn, one of our video engineers and all this stuff.

Jon Oberheide:

If like a software engineer, it’s like, “Paul, can you tell us why the CAC ratio changed for their in market segment last quarter?” Paul would be like, “I’m so glad you asked.”

Dug Song:

It was kind of ridiculous. I mean, we loved it that people were sort of deep that way. But at the end of the day as we’re kind of building us all out and together with a team and kind of looking at all this kind of things, the one thing we said we would never break would be our culture. The governing factor kind of limiting our growth was cultural coherence. And not that we were having to hire for people for cultural fit, because we always talk about hiring people for cultural contribution, all the kind of things, but what we weren’t willing to risk was the worst outcome that I’d ever seen of startups when you have people running around not knowing what they’re supposed to be doing.

Turner Novak:

Oh, okay. So just causing chaos probably.

Jon Oberheide:

The loss. There’s no one to point them in the right direction. Hopefully all of your employees are roughly pointed in the right direction. Obviously, there’s some natural variation.

Dug Song:

But we saw that some of our customers, frankly, as they were hyper scaling, growing much faster than us. I remember we had a funny question during one of our board meetings from our team about on the firing of Travis Kolnick, right, from Uber by our board members, right?

Turner Novak:

Yeah. Oh, so there was concern is like, “Will you guys get fired”?

Dug Song:

Yeah, there’s a question. Going to point to me like, “So Doug, how do you feel about having an investor who just fired portfolio CEO?” Right. And I was like, “Well, I know them well. I know exactly what happened to the extent that they can share because the holder report at Uber never was published.” Thankful for them.

But as our board member, Matt Cohler got tagged in by Bill Gurley to go, “You deal with this with now.” And Matt, we would buy drinks for him after his board meetings. I was like, “I’m proud of the fact that we have an investor for whom...” I mean, there are more ways a company can fail than just financial but also moral and ethical. And so the fact that they’ve taken sort of care to kind of do this, because there were lots of reports of things that were really deeply disturbing that were happening at Uber that, again, move fast and break things, sure. But when you have some of the disclosures that were happening of sexual assault or abuse, all these things are like that’s never going to be on us. We’re never going to suffer that kind of thing. That’s not what we built an organization, right?

That’s never going to be on our conscious or our responsibility. We care for, again, the broader journeys that our people and teams have with us than just what happens at work. And so anyway, so I was proud of that fact that we had ethical investors and all that kind of thing. At the same time, I questioned, “So why are you guys invested in Snap when Evan’s like, ‘We’re never going to IPO or we’re never going to make a profit’?”

Jon Oberheide:

Yeah.

Dug Song:

Right? Anyway, they did.

Turner Novak:

I mean, on that note, I think probably the craziest line was... It was a couple years ago with OpenAI. Sam Altman did an interview. Journalist was like, “So how is this OpenAI nonprofit thing going to make money?” And I think he said, “The AI will figure out money or something.” And this was like five years ago or six years ago or something.

Jon Oberheide:

It’s always a great product pitch when you’re like, “If our products succeed, there won’t be a need for money.”

Dug Song:

Yeah.

Turner Novak:

Okay, yeah. So what is the scale of Duo today? I know if you look at Cisco’s earnings page, I think the security line is like 2.1 billion in revenue and like-

Jon Oberheide:

That might be quarterly.

Turner Novak:

Oh, it might be quarterly.

Dug Song:

Yeah. It’s more than that.

Turner Novak:

Maybe that was a quarter.

Jon Oberheide:

They don’t break out Duo, they don’t break out SaaS, but it’s a billion plus ARR now.

Dug Song:

Jon left, I think two years earlier than I did, for Cisco. But even that timeframe that I was there, we had doubled the global security business there, right?

Turner Novak:

Mm-hmm.

Dug Song:

But it was no surprise. And I think it was in all the earnings calls. I mean, Duo was the fastest growing business, not just in Cisco security, but in Cisco.

Turner Novak:

I saw that, yeah, fast growing.

Dug Song:

For all four years straight. And so we did a lot there, I would say.

Jon Oberheide:

Yeah. It’s kind of fun even though we’re both not involved anymore. There’s not that many SaaS companies that have reached the billion dollar ARR milestone. Maybe like, I don’t know, 30, 40. I’m not sure. But 100,000 customers across all industries, organization, shapes and sizes. It’s fun to see the company and the team succeed well beyond our individual tenures there.

Turner Novak:

And Cisco almost didn’t acquire you. There was some false starts.

Jon Oberheide:

Cisco almost acquired us and then almost didn’t acquire us. And then almost acquired us and almost didn’t.

Dug Song:

No, no, no. They didn’t really acquire us. They made a bid and we’re like, “No, that number is not even the zip code.” But they made overtures and so forth.

Jon Oberheide:

They had interest for a couple years at least.

Turner Novak:

And then they ended up paying like three times more than they originally...

Dug Song:

More than double.

Jon Oberheide:

We had corp dev exercise in 2016, 2017 and a bunch of folks around the table. But the price tag at that point was like seven, 800 million range. And we actually signed a LOI surprisingly with Workday, which is a little bit out there in terms of product strategy.

Turner Novak:

HR?

Jon Oberheide:

Your HRAS, which is really your ground truth of-

Turner Novak:

Identity.

Jon Oberheide:

... identity. And that flowing down into Duo to apply security controls. It was an interesting strategy. I don’t think the go to market would’ve worked given Workday’s heavy enterprise customer base and our broad market applicability. But that deal fell apart a couple days before we were supposed to sign the merger agreement and announce. And in hindsight, that was a really good thing because instead of selling for 750, 800, I don’t remember what the price tag was there.

Dug Song:

It started with a one. But even then it was something that our board was sort of like, “Why you have three now?” Because we were continuing to double the business, right? And that’s what happened between the year in which Cisco come and made the offer and then actually consummated one.

Jon Oberheide:

I give a lot of credit to Matt Kohler that when we first brought in one of the offers in that go round, Matt said, “You’re not worth 800, you’re worth at least 2 billion.” And we’re like, “Oh, that’s cute, Matt. Thanks for the feedback. We understand you’ve got this amazing portfolio with Uber and Snap and all these things. We only got one portfolio, one. And then sure enough, 12, 18 months later, we came back with an offer from Cisco that was around two plus and Matt said, “You’re not worth two billion, you’re worth 10.”

We’re like, “Matt, you were right last time, but this time I don’t think you’re right.” But in reality, if we’d kept going, especially in the height of 2021, the public markets-

Dug Song:

I don’t talk about it. I don’t talk about it. It was only a couple years ago that I finally put this one away, put it under my-

Jon Oberheide:

“No regrets” category.

Dug Song:

Yeah, I just got it on my site, but it’s fine. At the time, it’s the largest multiple ever paid for a private stock acquisition. The Catalyst folks would know. It also was followed by others that kind of superseded it, right?

Jon Oberheide:

GitHub, I think. MuleSoft. There were some big ones after that.

Dug Song:

Right.

Turner Novak:

It was like 2.1 billion. Is that the number? Am I remembering right?

Jon Oberheide:

2.3, 2.4. Depending on how you count it.

Dug Song:

2.35 was the way they liked to count it, but the total was more because we kept our cash.

Turner Novak:

Oh, got it. Okay. Makes sense. What all did you learn after the acquisition? I know you guys mentioned some things about enterprise go to market, people staying at Cisco. What was the lessons you guys learned?

Jon Oberheide:

I think you learned a lot of lessons of just things that we took for granted in terms of that staying close to the customer, that customer exposure. You go into Cisco mega corp, and I don’t want to pick on Cisco because it’s true of many large organizations, where you just don’t have the exposure to the customer. Your engineers are not on calls with customers. They’re not interfacing with the end users of your product, and just understanding why startups win so frequently, because they have that piece of innovation, that rapid decision making cycle.

Dug Song:

It’s also just a matter of scale too. I think just Cisco as being a hardware company really dominated, obviously, that market, right?

Jon Oberheide:

I think it was like there was so much effort put on when you’re inside an organization like that. There’s so much where you’re kind of working in the business as opposed to on the business with customers where so much of time is dedicated to, are you managing within 5% of your monthly OpEx envelope? Are you preparing for the QBR? Are you making the business case for your new asks for the next fiscal year? And you just kind of lose that sense of like, “What are we doing every single day that’s building value for the customers?” You can get insulated within the big organization.

On the plus side, Cisco is, the best description I heard is it’s a carrier strike fleet. It is slow. It is massive coordination across not an aircraft carrier, but an entire-

Dug Song:

Platoon.

Jon Oberheide:

... flotilla of boats. If you can move that and send it to the destination, craft it to your desires, you have unstoppable power. If you can take that massive go to-market machine of 300,000 sellers, both direct and through their channel, then you will just grind away at that market over time. But you have to invest for that long-term. It’s not like, “Hey, we make a decision and then we’re going to go do this tomorrow.”

It’s like, “How do we influence the system and organization to get the recurring offer component of the General AM’s comp plan for the next year to favor a SaaS product or favor a security product?” It’s those kind of long-term influence operators.

Turner Novak:

So they were probably all set up around just selling routers to people every whatever period and then you have to figure out like, “Okay. Well, there’s like some software that-”

Jon Oberheide:

You’re at Cisco AM and you wake up, you say, “What am I going to talk? I got 200 products. What am I going to talk about with my customer today?” They have a $10 million catalyst switch refresh that they need to buy. I’m going to focus on that.

This 200K Duo deal, maybe they need some MFA, but I’m going to close this $10 million deal. Maybe I’ll pack on some security along the way. And so those were sort of the structural challenges when you’re going into a bigger company and that’s not just a security company and that’s not just a SaaS or software company.

Dug Song:

And if you build other emotions and sometimes real understanding respect for the opportunity. I remember we had a later independent board member who recruited Hillary Koplow-McAdams, who was the president of Salesforce, but before that, she led the build of Oracle Direct and Oracle, something that Larry Ellison was like, “I don’t think this is going to work and I don’t know if I would even want to do this.” But it began like a third of his business, right?

Turner Novak:

What is it?

Dug Song:

Oracle Direct. Basically all their direct SaaS business and so forth and other-

Turner Novak:

So all the software?

Dug Song:

All the software. Sometimes what we learned is that our experience... And again, for any founders looking at a large company acquires to merge with, there’s three ways that goes. It’s either sometimes their way, right? As you assimilate it into the board, sometimes it’s your way where you’re so peculiar that they don’t know what to do with you and you stay in the business unit and they never really get the benefit of why they acquired you except everything is hard for everybody.

And then so the third way, which is what we pursued, which is, it’s truly an integration, right? It’s not our way, it’s not your way. It’s a third way we need to come up together. Right? And someone coming with fresh eyes, someone coming up with old eyes, experience, success, scale, but finding the intersection of that is a lot of work, but it’s very intensive in terms of people.

We spent so much of our time with our early journey and integration of having our leaders spend all this time with all of Cisco’s corresponding leaders to the point that our head of security became the head of security for all of Cisco and then later GitHub and now GM. But we spent a lot of time elevating our leaders, not forcefully into positions of a control or anything like that, but giving them the platform within the business, within broader Cisco to really have influence and help pull together and a shared platform of learning where a design community came out of Duo coming into Cisco, partnering with all the other design leadership, but then actually having, again, an established kind of culture of how we did this stuff that, again, other design leaders there could finally feel like they could plug into where we could build something larger for Cisco, from.

And so there were a lot of these kind of things that we were really proud to be able to contribute, but at the end of the day, once that all was done, I mean, like Jon says, “Our job was to obsolete ourselves.”

Jon Oberheide:

Yeah, we did. And there’s a lot of puts and takes with going into a big company like Cisco, but the people were excellent and we would come in and say... I remember walking in and being like, “Hey, so what’s Cisco’s zero trust strategy? This is what we’re doing. How do we fit in?” And the leaders were very open. They’re like, “We don’t have one. That’s why we bought you.” We paid 2.4 billion for zero trust rates.

Turner Novak:

Zero trust rates.

Jon Oberheide:

“You guys tell us what to do.” And that was certainly refreshing of coming in and not saying, “This is the way we do things,” but being open to how do we dualize Cisco in the right places and how do we Cisco adds Duo?

Turner Novak:

Were you able to suss that out ahead of time or is it just complete luck that it turned out that way? I

Jon Oberheide:

I don’t think we can suss that out.

Dug Song:

There’s no easy path to it. Once it was like day one or day zero, there was a lot of scrambling quickly. Like, “Let’s meet or let’s do all this stuff.”

Jon Oberheide:

Everyone wants to touch and feel the shiny new object and they get outreach from 70,000 employees.

Dug Song:

But they were very welcoming in that way and also different than what we see in other companies do. When Palo Alto acquires companies, they sort of just rip the face off of the products. They just slap them right behind Panorama. They have this force. I mean, they have a dedicated integration engineering team where it’s like, “Yes, you have engineers, but we have ours and we’re going to take your code and figure out how that’s just slotted into what we do.” And so there’s different ways different companies do it. Cisco just felt like more like welcome to the tribe kind of thing.

Jon Oberheide:

Yeah. Spend the time to understand our business and what makes us tick and us spend the time to figure out theirs. So in hindsight, I think it was the right home for the business for the long term.

Turner Novak:

Yeah. And I think long term, like, Dug, before we started recording, you’re talking a lot about, you’re really focused on Michigan now, really excited about doing stuff. What are you up to day to day now?

Dug Song:

Well, post Cisco, I was there for quite some time, but in the last three years I’ve been traveling to 22 countries, getting all this out of my system, not doing a lot in security. Jon has been doing a lot more in security, I think.

Turner Novak:

Yeah, you’re on some boards. You’re telling me about all these different products.

Dug Song:

But by and large, we’re trying to build a foundation, but we established a family office to try to help strengthen and serve the communities we’re part of mostly here in Southeast Michigan. So between Ann Arbor, Detroit, but up to Flint, but basically in a nutshell, it’s tech media and real estate, but in a way that we think we can combine. Because Michigan is so rich in all these forms of capital, like obviously intellectual capital, our own research universities, human capital. Just amazing kind of talent and then just work ethic and all this kind of stuff.

Physical capital, particularly in Detroit where you have all these amazing buildings and all this kind of stuff that’s been built for a city for two million people, but it has 600,000 left in it. I mean, a lot of financial capital, actually, Michigan is still one of the richest places in terms of individual. It’s a lot of old money that’s here from what had been the second wealthiest city in America and all this. And a lot of cultural capital, certainly, but this place represents from first place of punk rock with Iggy Pop in Ann Arbor to Detroit Rock City, and Motown, and techno, and jazz and all the things.

But I think the thing that we’re really focused on is the social capital. How do we intersect these things and build more opportunities for folks to come together to co-invest, to build upon these forms of capital so we create shared prosperity in a broader way? Because that’s a lot of what we saw coming past Duo. Ann Arbor is very successful. We were the first unicorn, we’re the first multi-billion dollar tech exit in Michigan. There’ve been 12 more since. In fact, my-

Turner Novak:

Wow. That’s way bigger than I would’ve thought.

Dug Song:

Yeah. In fact, my neighbor sold her company last fall. Just a couple of months ago, I walked my dog with her and run in the neighborhood. I didn’t know she had a company. She sold for 2.2 billion, HistoSonics, right? And I was like, “Zhen, you didn’t tell me you had a company.” And she’s like, “Well, I didn’t think you’d be interested. It’s like life science.” I’m like-

Turner Novak:

Come on.

Dug Song:

... “Are you kidding me?” But it’s a lot like that. And even beyond that, there’s so many more. You have just amongst its graduates that had 46 unicorn founders, but only three of them... So only three of those companies represented actually stayed, but we were the first.

Jon Oberheide:

PitchBook data is pretty crazy. U of M is the seventh or eighth biggest educational institution worldwide. We’re tied with Tel Aviv University for producing founders that go on to create venture backed tech startups.

Dug Song:

And so I just think this is not a missed opportunity, but it’s just tremendous opportunities. I still don’t like to talk. So I’ve been so quiet. You don’t see me doing a lot of stuff publicly because I’m just like, “This is great. There’s a lot of great companies and opportunities for us to get into.”

Jon Oberheide:

Only here exclusively for the appeal.

Turner Novak:

A lot of secrets exposed to here. I think I saw that Michigan has a top five business and engineering school and it’s like the only college... I mean, some of these rankings, who knows how they do them.

Jon Oberheide:

And it’s incredible. It’s like top 10 programs in a hundred plus.

Turner Novak:

Different schools like nursing or information systems, etc.

Jon Oberheide:

The breadth and diversity of excellence is wild.

Dug Song:

But we just have to do more because we’ve also realized that keeping it secret this way means that we stay more siloed, which means that there’s not the flywheel of reinvestment. We just had another fellow just last month. So James Scapa sold Altair Engineering for 10 billion in Troy, right? Jon’s hometown just a couple of months ago.

Turner Novak:

What was the company called? Altair Engineering? To that point, we have never heard of that. I don’t even...

Dug Song:

Any mechanical engineer in the world knows it. It’s dissemination software for aerospace, for automotive, or anything advanced manufacturing. Sold to Siemens, and I think he’s in Athens, California now, but he’s a University of Michigan tier born grad.

Jon Oberheide:

And was it OneStream that just, I think, went private for $6 billion?

Turner Novak:

It’s also kind of like HR software? Or accounting software? I have a friend who used to work there. It was owned by KKR. I think bought them out. Did they go public? Or-

Jon Oberheide:

I think they went public and they got taken private again.

Dug Song:

Tom Shea is a great heads down entrepreneur, but again, I’ve done one podcast with him and I haven’t seen him since. And it’s a lot of stuff is like that, where we have all this great things happening and now we need to talk more about it and connect more of the dots and stuff.

Jon Oberheide:

Especially the founders that are coming out of the university and just allow them to understand that there is a path if they want to stay here. I think of Ethan Gibbs from Embedder who was, I think a sophomore, junior, started it. I guess you’d call it cursor for embedded hardware developments, won a pitch competition in school, decided to move out to the Valley, got into YC, raised a great seed round. But the reason he left was, he’s like, “All of my customers are in San Francisco.” I guess software city, that’s why I would go there. And we need to show that there’s a paved path that if you do want to stay here, if you want to build a different kind of company, that you’re not taking on a huge other chunk of risk in addition to the risk inherent in building a startup.

Dug Song:

But also just part and part is also just selling the place. We invest another company in Jon’s hometown in Troy, Viscom, the AI, which is an automotive engineer who worked at Honda and his co-founder and he moved out to San Francisco for Nat Friedman’s thing, AI Grant. Did that whole thing and he’s like, “I like it out here. I’m going to thick it out.” And I’m like, “No.” His co-founder is like, “Yeah, Kaylee.” He’s like, “Yeah, I’m going to move out there too.” “I’m like, “No.” “Dude, why?” Because their customers are here. Their customers are automotive and all this.

And granted, they raised a 20 million seed round or whatever, so they’re great. But like I say, you need a little bit in silicon value in you, but you have to leverage with strategic about where you are. And I just think it’s kind of nuts to try to build... It’s hard to build optionality for companies, even in AI out in the valley when talent is expensive.

Turner Novak:

It’s crazy.

Dug Song:

And the valuations are so crazy. I don’t know. Our advice, I think both the founders always has been maintain optionality because like Jon said, “You have one portfolio company.”

Jon Oberheide:

Right. And all those rounds of financing, the one on four, the five on 20, we could have pushed more. We could have pushed for higher valuations and less dilution, but we didn’t want to paint ourselves into a corner.

Dug Song:

Yeah. Don’t ride over the top, right? Don’t block yourself out from the things that could happen next.

Jon Oberheide:

And if things go well, it’s not going to matter at the end.

Dug Song:

As you know, startups are binary outcomes, right?

Jon Oberheide:

I’m very jealous of Dug’s placemaking particularly here in Southeast Michigan, because my scope is all over the place working with startups in San Francisco, Austin, DC, London. Mostly through board service, like trying to work with... I think back in the different phases of Duo and that years of hypergrowth from 10 million ARR to a hundred was the most fun and chaotic. And that’s where I like to work with companies now. I’m not useful in zero to one. I’m not going to tell you what to build or how to build it, go talk to your customers.

One to 10 is interesting as you start some commercialization, distribution. But I think the fun, meaty, kind of softer challenges of 10 to 100 are where founders need to go from that. You can sell 10 million of anything and once you get to there, you got to throw out most of your practices, all the things you do that don’t scale to get you to 10 million. You got to figure out a set of different tactics for that next order of magnitude.

Dug Song:

And also level up as a leader, which is always...

Jon Oberheide:

That’s hard.

Dug Song:

Yeah. Founders need friends. And again, that’s one of the biggest challenges you have here is they don’t have enough density sometimes for folks like to feel like they belong. They see, founders want to be where founders are. And again, there’s not as many here, but that’s why we have Michigan Founders Fund, which has created a somewhat artificial, but geographically unbounded, community of those kind of founders here. But increasingly that’s why... To be honest with you, that’s why we’re doing real estate. I don’t really want to buy hotels or do neighborhoods out of nowhere, but-

Jon Oberheide:

Creates center gravity.

Dug Song:

Yeah. But we have to create the kind of place and product. Detroit needs to create a product for scaling companies want to be. The nice thing is that there’s a whole category of them that are all fighting to come here, which are all the re-industrial companies, right? Anyone building anything that needs a factory, they come here like, “Oh my God. You have factories come out of your ears and you have the talent for it, more importantly.”

And so that’s the thing that we need to pair up and see. And we have companies like Remora, like Paul Gross came here from YC and built this amazing business that has nine figures off day doing carbon capture out of trucks and trains. But he’s not from here. He’s like, “No, this is the best place to build my business.” He’s doing it here and there’s more of that coming.

So the other thing I’ll say is that also, whether it’s for direct investments and working with founders or where it’s with LPs, Michigan is also a sleeper kind of thing. Obviously, you need different kind of work to get either over the line here where sometimes people aren’t as oriented here, but there’s great family offices, great institutional LPs here. They’re great founders that just... But sometimes what they’re doing, I got to wrap my head around like, “You’re doing mushroom what?”

Turner Novak:

Whitewood is a mushroom. What’s the mushroom one?

Jon Oberheide:

Psychedelics?

Dug Song:

No.

Jon Oberheide:

No?

Dug Song:

No, it’s a cool one. There’s the one that’s doing... It’s actually a tech transfer. It’s not even from here, but out of University of Minnesota. They’re applying... And they have a SBIR with DOD for army based PFAS remediation, but they use fungi to do PFAS remediation.

Turner Novak:

Oh, interesting. Like in the ground, sucking it up out of the ground?

Dug Song:

Yeah. It’s cool stuff.

Turner Novak:

And PFAS is like that forever chemical that just gets in your body, never goes away.

Dug Song:

That’s now a part of our food pyramid, apparently. The way that we’re going.

Jon Oberheide:

Minimize your consumption, of course, right? I mean, the university environment is so much deep tech, climate tech, hard tech, pharma, medical devices. It’s incredible to see what comes out of there. It’s not a lot of SaaS because you don’t really need... If you want to build some software, just go build some software, but to see the pipeline reports coming out of University of Michigan and other universities, it’s awesome.

Dug Song:

Yeah. So I’m meeting people here, I’m like, “Wait a second,” because someone once told me, “I’ll just go invest in some Chinese biotech ETFs. It’ll be good. And then I looked and who’s doing them and I’m like, “Wait, there’s this dude here who is my friend has taken four of these companies public in Hong Kong. The most recent which is like four billion and delivering Ann Arbor.”

I’m like, “Wait a second. What are we doing here?” So I’m begging this guy, “Please get me into your company.” He’s like, “No, we’re finding it on our own, 20 million until we get to a point of a hundred million valuation. Then we’re going to go out.” I was like, “Please, please, please let me get in this damn thing.” And I’m trying to find every... I hired a guy who can do life sciences coming from a different family office and this stuff.

So for me, it’s been like all this. I like feeling like a beginner again, and learning all that stuff from the ground up and navigating it, but it’s been really fun because we have other things we have from our experiences and networks and access to bring to bear to them, but it’s really fun to do in the context of a community where we’re going to build together here and stuff.

Turner Novak:

Did you wish there was more of that in Ann Arbor or in Southeast Michigan? Or...

Dug Song:

We always did when we were doing it.

Turner Novak:

Yeah?

Dug Song:

Yeah. And that’s why this exists. We helped bamboo expand from Detroit here and then Grand Rapids, and Royal Oak and so forth. The coworking space that we’re sitting in, we’ve been doing real estate... we’re the real estate partner for. But you know, I’ve gotten comfort with and also a lot of interest in real estate particularly now is, “If it’s not gold, if it’s not crypto, you need some assets.”

Turner Novak:

Hard assets too.

Dug Song:

You need some hard assets right now.

Jon Oberheide:

We need more GPs. We need more emerging VCs and solo GPs like Turner Novak.

Turner Novak:

I got to convince more people. We all got to convince more people to move here.

Jon Oberheide:

We got Blake Roush today. Southeast Michigan with Hidden.

Dug Song:

Roger Ehrenberg back here.

Turner Novak:

Yeah, Game Changers. Starting a movement. Yeah.

Dug Song:

Yeah. There’s a lot.

Turner Novak:

Cool. Well, this was a lot of fun. Thanks for taking the time to do this.

Jon Oberheide:

Thanks, Turner.

Dug Song:

Thanks, Turner. Love what you’re doing and love that you are doing it here.

Turner Novak:

You almost need to find people who have a weird bias to Michigan of like my family is here or my customers are here. That’s specifically why I would stay here. Because for me it’s like-

Jon Oberheide:

You have some sort of ties, but then you still have to show them that it can be done. There’s supportive infrastructure around you. There’s a path, but there’s stories that you’ve heard.

Dug Song:

But it just depends. I remember when I met Alex Wong from Topiary Capital and realized that he’s been my neighbor for three years down the street, but not realizing he was managing director of Intel Capital, not realizing that he has all this money he’s raised from his time at 15 years he led DE Shaw and all the... The dude is here and he’s doing this stuff on his own and he’s only here because he wants to raise his kids here and thinks it’s a great place to do so, and all this kind of stuff. He has no connection to Michigan.

I’m like, “It’s just weird. There’s these sleeper folks throughout here.” As a founder we just talked about earlier, I’ll mention this because I don’t want anyone else going for him to invest in, but there’s some amazing world-class talent all just doing their thing and no one knows. And so it’s fun to uncover this way.

Jon Oberheide:

I think some of that is Ann Arbor’s such high sort of talent density, like super educated. Everyone is way overqualified for everything. And so you throw a rock and you hit 10 super qualified people and you might not know in depth what each of their areas of expertise are or what they might have done in the past.

Dug Song:

Yeah. So the open invitation will be that if there are any funds out there, they’re going to do this because we host this stuff all the time, tours of folks come through Ann Arbor and Detroit, whether it’s for tech investing, whether for art collecting, whether it’s for, I don’t know, other stuff. We’re happy to get people plugged into the ecosystem. That does exist here. And again, now increasingly there are going to be some places.

Again, I think we’re going to be at a point pretty soon where if any VC wants to have a temporary office, like if they want to work from Detroit, I’ve got multiple buildings they can do that from. So we can help set that up and just help create more of that opportunity.

Jon Oberheide:

There’s more like scout programs and incubators that are being set up, particularly around the university where there’s so much untapped pipeline that is not maybe fully exploring researched commercialization. So there’s some folks that are setting up programs here where they’re getting first looks at the pipeline coming out of the university, but it is more specialized expertise than just technology and software.

Turner Novak:

Nice. Well, this was a lot of fun. Thanks for coming.

Dug Song:

Thank you.

Jon Oberheide:

Yeah, thank you.

Stream the full episode on YouTube, Spotify, or Apple.

Find transcripts of all other episodes here.