🎧🍌 Lessons Scaling Zero to $40M ARR in Two Years | Dan Lorenc, Chainguard
How a malware attack almost took down the internet, learning to love sales as a technical founder, lessons from Frank Slootman, and the future of open source, the software supply chain, and AI
The internet runs on free, open source software. But as it's risen in popularity, this “software supply chain” has become the latest attack point targeted by hackers and nation states.
This newest episode of The Peel features the first ever returning guest, Chainguard Co-founder & CEO Dan Lorenc. We get into the history of open source software, the evolution of cloud computing, how Linux works, the software supply chain, how AI will impact it, and what the next big cyber attack will look like.
Dan's an engineer, but he also loves sales and go-to-market. We go inside how Chainguard scaled from zero to 150 customers and $40 million ARR in two years.
Chainguard just announced a $350 million Series D led by Kleiner Perkins and IVP, and Dan unpacks the round, plus shares his secret methodology for valuing the company.
Disclosure: I am an investor in Chainguard, and this conversation is not investment advice.
A big thanks to Dan's co-founder Kim Lewandowski, Clay Fisher @ Spark Capital, Bogomil Balkansky & Andrew Reed @ Sequoia Capital, and Tom Loverro @ IVP for their help brainstorming topics for Dan.
Support this Episode’s Sponsors
Numeral is the end-to-end platform for sales tax and compliance.
They work with 1,000+ customers, handling registrations and ongoing filings, and their API provides sales tax rates wherever you need them, with all the integrations you need.
They pride themselves on white glove, high-touch customer service, and they guarantee their work on any difference if they mess up.
Support the show and put your sales tax on auto-pilot here.
Inquire about sponsoring future episodes here.
Timestamps to jump in:
3:26 A safe source for open source
4:57 The software supply chain
7:19 Can you trust open source code with contributors in Russia?
9:43 Malware attack that almost took down the entire internet
12:40 What the next big cyber attack will look like
15:12 How will AI impact the software supply chain
17:53 The history of cloud computing
21:42 Why all cloud computing runs on Linux
23:16 How Linux + Linux distros work
29:28 Automating open source security
32:43 Chainguard roadmap: Libraries and VMs
36:40 Focusing on FedRAMP
42:44 Impact of DOGE
44:06 Zero to $40m ARR in two years
45:40 Learning to love sales as a technical founder
47:24 Lessons from Frank Slootman
51:15 How to create urgency in sales
53:16 How to build a sales team
58:23 Hiring Ryan Carlson from Wiz & Okta
1:01:45 Inside Chainguard’s $350m Series D
1:07:41 Vibe coding + Dan’s software stack
1:09:51 Cutting his hair in front of the entire company
1:10:27 Wearing a different suit to each board meeting
1:12:32 Bogomil, world’s best SDR
Referenced:
Check out Chainguard
Jobs at Chainguard
Prior episode with Dan
Linux origin email
Julius, AI data analysis
Bogomil, the World’s Best SDR
2025 Chainguard Assemble Keynote
Find Dan on X / Twitter and LinkedIn
👉 Find on Apple, Spotify, and YouTube
Transcript - (read on Rev)
Find transcripts of all prior episodes here.
Turner Novak:
Dan, how's it going? Welcome to the show.
Dan Lorenc:
Thanks for having me.
Turner Novak:
You're the first returning guest. Never had a returning guest before.
Dan Lorenc:
That is such an honor.
Turner Novak:
Yeah, I'm not sure if it's a good or a bad thing that no one else has come on.
Dan Lorenc:
I assume it's because I'm the first one you've invited back and not the first one that's accepted.
Turner Novak:
Yeah, that's true. Well, so I guess we'll maybe talk about why we invited you back, and actually, people listening to the intro to this will know why we invited you back, but can you just real quick, what is Chainguard for people who are not familiar?
Dan Lorenc:
Sure. At Chainguard, we're building a safe source for open source software. Open source software is this unique phenomenon that's happened in software development where, for some reason, a bunch of people on the internet just decide to post all of the software that they spend their time writing for free for anyone to use without having to pay. And it's been around for a long time, but it's recently ballooned into ubiquity where everyone is using it for any form of software development out there by line of code and most measures and studies show it's 90 to 98% of all of the software that people are using and building their applications on top of, pretty much across any sector, both from people vibe coding, slop apps on the internet out to critical systems.
The stuff is running in fighter jets, healthcare systems, critical infrastructure. It's everywhere. And there's so much of it and it's awesome because you can leverage that before writing your applications. It's why people can go so much faster. There's all this code they can reuse. But it's also terrifying because it's just written by strangers and anonymous people on the internet. And if you spent more than 10 minutes on social media, you'd probably realize that not everyone on the internet is a nice person. There's a lot of bad people on there too. And because it's reached this point of ubiquity, attackers have started to notice and try to put malware or exploits in that open source component, which is a critical part of everyone's software supply chain.
Turner Novak:
Yeah. So you just mentioned the software supply chain. So can we just explain that really quick for someone who's never heard that before?
Dan Lorenc:
Yeah, it's just like a physical supply chain, but for software. When you're writing code, you're depending on thousands of other pieces of code that have been written before you. That whole standing on the shoulders of giants thing, that's what people are doing, but they're relying on software that's been written by other people. It's tools, it's compilers, it's frameworks, it's libraries, it's even the operating system that you're using today as a part of that software supply chain. And it's incredibly complicated, but a vulnerability or an exploit in any one of those components can affect the security of the final application.
Turner Novak:
So that usually plays out like there's whatever software you might be using, like your accounting software or something like that, that might use code from something else, and that software uses code from something else, and there's 10 layers of just different people using different people's code. And at a certain point, you just don't really know what's underneath.
Dan Lorenc:
Yeah. And because it's free, people don't really keep careful track of it. Right? If you're an enterprise, you keep careful track of how many licenses you have for a particular piece of software mostly and you know where stuff is getting used because there's billing associated with it, and contracts, and stuff like that. Because this is free, people haven't necessarily paid as careful attention to where it's being used, if it's updated, what you're using, and that problem has ballooned over the last couple of years.
Turner Novak:
And you talked about how there's just a lot of people just on the internet, they just make code for free. I think you maybe call them contributors, is that one way to-
Dan Lorenc:
Yeah. People contribute to projects, people maintain projects. Yeah.
Turner Novak:
So can we rely on those people to keep things secure? Couldn't you just say like, "Hey, there's a thing that needs to be fixed," and they fix it?
Dan Lorenc:
Yeah, it's unexplainable how well this system has worked over the last 30 years. Linux is the most used operating system in the world. It runs on phones, it runs everywhere, and it's just no one gets paid to work on it. It's just people that do it. It got started by one guy, 25 or 30 years ago now, just as a side project and it's turned into the most critical piece of software on the internet. And people fix bugs, they find bugs. It all just has worked out for the most part. It's those edge cases that now start to pop up.
Turner Novak:
And can you rely on just the community to keep things secure or-
Dan Lorenc:
Yes and no. By every metric, open source is more secure than any alternative.
Turner Novak:
How so?
Dan Lorenc:
Yeah, the transparency helps a lot, right? You can see every line of code. If you're using some closed source piece of software, no one can look at it and find these bugs. And all code has bugs. If I write code, it has bugs. If some anonymous person on the internet writes code, it has bugs. But that transparency helps a lot because more eyeballs can find more of those bugs and get them fixed faster. But at the same time, if you're some big enterprise depending on this piece of software and you run into a bug that only you hit, you can't just go demand that they fix it for you. But because it is open source, you have the tools yourself to go fix it. And that's what that freedom is a part of what's led to this ubiquity.
Turner Novak:
And you had a really interesting comment on LinkedIn a while back about trusting open source contributors from certain parts of the world. Can you trust people from certain parts of the world?
Dan Lorenc:
You can trust people from certain parts of the world as much as you can trust people that are your neighbors. The challenge is, what you're talking about, I think, is this recent drama around Russian contributors to projects, like the Linux kernel and things like this. I think trust in individuals is separate from some of the geopolitical challenges going on now. The US government has put sanctions on a lot of... And not just the US government, lots of governments put sanctions on a whole bunch of Russian entities and you're not allowed to do business with companies under those sanctions. And it turns out that taking code or discussing technical contributions on a mailing list, that is IP changing hands. If somebody is giving you code, that code has value attached to it, even if you're then going to give it away for free. And it turns out that, yeah, that violates a lot of really scary US sanctions laws. So that's made the lives of open source contributors and maintainers a lot harder because now you have to worry about sanctions laws and complying with really scary international policies.
Turner Novak:
What's been some of the big things that have been happening in maybe open source or software just over the past couple years, maybe since we last talked? I'll throw the link to the last episode in the description if people want to listen to that. But anything new that's been developing over the last two years or so?
Dan Lorenc:
I mean, there's more and more of it. It's growing dramatically. I think from the scary side, there was this really scary attack that happened a little over a year ago today on this core library. It's one of those pieces of the software supply chain we talked about that no one looks at, but it's everywhere. It's this compression library. So if you're downloading songs or music or big files across the internet and that stuff gets compressed and decompressed. And there's a couple popular algorithms, but for each one, there's really only one or two libraries that implement them. And this one library was just maintained by one person on the internet for the last 20 years, and he had just been doing it in his spare time.
And then a couple years ago, somebody just decided to start helping and they just jumped in and they helped a lot, and they fixed a bunch of bugs, and they did a bunch of good work. And then that first person just got sick of it and said he wasn't going to work on it anymore, but somebody else had stepped up. So he handed the whole project over to this other person. It turned out that other person was just a pseudonym and was not a real person. And within six months of getting control of the project, they put in this carefully orchestrated set of malware into it that was really hard to detect and no one noticed. And because it was so widely used, the exploit would've basically given that person remote access to any computer running that piece of software, which was basically everything.
Turner Novak:
Wow.
Dan Lorenc:
But then on the good side, because we talked about that transparency earlier, some random engineer just happened to be running some benchmarks on a weekend and saw that that program was a little bit slower than it used to be. And right before this thing got widely deployed, he noticed that slowness, saw that it was making some weird cryptographic operation to check something, dug in, and discovered that there was a backdoor put in.
Turner Novak:
Holy shit.
Dan Lorenc:
Yeah. So it was the closest thing to full-blown internet crisis ever. And they still have no idea who did it. It was just an anonymous email account. No one ever traced it back to an individual.
Turner Novak:
Oh, wow. So it was somebody who obviously wanted a backdoor into every computer and almost got away with it.
Dan Lorenc:
Well, and they got away. Yeah, they didn't get away with the backdoor, but we still have no idea who it was.
Turner Novak:
Oh, wow. Okay.
Dan Lorenc:
And that's the long game. This person spent years just doing good work.
Turner Novak:
Yeah. And they convinced somebody who'd been the trusted community steward for 20 years to just hand the reins over. That's wild. How often does that happen? For somebody who's hearing this for the first time, and is that a thing that happens across a lot of different pieces of open source code or-
Dan Lorenc:
That's the first one of that scale that we've noticed. I'm a bit pessimistic here, but I doubt it's the first time it's happened and I could guarantee it's not the last time it's going to happen. But that's the first time anyone's noticed it at that scale.
Turner Novak:
Dang, that's crazy. Well, speaking of that, attacks, what do you think maybe one of the next big attacks could look like?
Dan Lorenc:
There's a couple different classes of these things that happen that get the major news. One of them is that kind. The malicious... Somebody dedicates a lot of time and resources to putting an attack like that one together. One of the other big ones like that was the attack on SolarWinds three or four years ago now. Somebody put a backdoor in a build system and compromised the tool that was used and used that tool to put backdoors and all the tools that came out of it kind of thing. So there's those malicious ones. The other big category is just those accidental bugs. All software has bugs. Some of those bugs lead to security consequences.
And one big example there was Log4j. The attack was called Log4Shell, but it was just this complete accident that had been put into one of the most widely used libraries and one of the most widely used programming languages in the world. And it had been around for a decade until someone found it. And it was similar consequences. You get remote access to pretty much any system running that software. And that was a whole panic moment. So there's these accidental ones, and then the intentional ones. And they both lead to the same thing in the end. And one of the complicating factors is that people haven't kept careful track of what versions of what code are running everywhere because it's so easy to use. And so that was a big panic moment because everyone knew that vulnerability was there, but nobody had any idea where they were running that code in their systems.
Turner Novak:
Oh, wow.
Dan Lorenc:
Yeah. So I guess you have more of both of those.
Turner Novak:
And do you think companies or people are ready for it?
Dan Lorenc:
It's yes and no again. There's no perfect answer to any of this stuff. And defense in depth is always one of those pieces of wisdom that you're told. And even if that thing had been exploited, there are other layers you could have protected yourself at. And a lot of companies have huge security budgets and might have not been affected because of other things they put in place; lots of others don't. So if you look at it at a company-by-company level, yeah, maybe, and if you look at it at a global level, then definitely not.
Turner Novak:
Yeah, I guess it just all depends on your unique stack and what resources you have and what specific software you are or are not using.
Dan Lorenc:
Yeah. And one of the harder parts too is just how interconnected companies are. Even if your software is secure, you're probably storing data somewhere else or relying on other systems and SaaS tools, and you just have to hope and trust that everyone is doing the same thing you are.
Turner Novak:
So I guess this is a podcast and we're two tech bros, so we have to talk about AI.
Dan Lorenc:
Plus you're a VC, you're contractually obligated to, right?
Turner Novak:
Yeah, exactly. We're... What was it? 12 and a half minutes into the recording and we haven't yet, so I'm behind schedule. But so how do you think AI is going to change and impact the software supply chain?
Dan Lorenc:
I think what we're seeing today is more people can write code with AI and you can write code faster with AI. If you already know how to write code, you can write code faster. If you don't know how to write code and maybe you can start. And so it's just cranking up the volume on all of these things. Either experienced people writing more code or more inexperienced people getting to that point where they can write code. It hasn't really changed the way code is written yet.
I mean, yeah, there's the whole vibe coding thing, but you're still using the same tools, writing the same code in the end, using the same libraries and frameworks. So in the short term, it's just 10 or 100 times as much code being written that needs to be as secure. I don't know if we'll start to see new programming languages developed that are model-friendly, and model-native, and stuff like that and get to a point where people don't have to be able to read this stuff anymore if AI gets good enough, but, yeah, in the short term, definitely just a lot more of the same stuff happening.
Turner Novak:
Yeah, that's an interesting dynamic of the languages we currently are using, maybe inefficient for AI making software. Maybe AI will come up with an AI-native programming language that makes it better. That'd be scary. That's when we really have to worry about AGI and the robots taking over.
Dan Lorenc:
But, yeah, I mean, it's scary even in some ways today. Most of this trust stuff is based on someone else reviewing your code. That's really the only way we know how to protect against stuff like that, that malware. Two different people reviewing each other's work and looking for things like that. But, if all of a sudden, you're tasked with reviewing 10 times as much, then it turns into there's legal disclaimers at the bottom of every website. Nobody has time to read all of that stuff. And so with that, also tools that can scale that second element, even just the volume makes things a lot worse.
Turner Novak:
Do you think that people are thinking about that in the right way yet or is it still we're going to wait for a hack to happen, and then they start to care?
Dan Lorenc:
I've seen some stuff. I think some people are thinking about it. I think, like all new trends, it's going to get worse before it gets better.
Turner Novak:
Yeah, fair. We'll need a SolarWinds-esque-scale AI software supply chain breach. One thing I want to do though is also take a step back and just ask you a little bit about cloud computing. How does cloud computing work? I saw you had a little bit of a reaction to that question, but just explain to me just how it works. I actually truly probably don't know to the extent that I should explain it to you-
Dan Lorenc:
I was going to ask you to go first. What's your explanation?
Turner Novak:
It's AWS. You click a button and it works for you.
Dan Lorenc:
Wasn't Salesforce the one that really coined the term?
Turner Novak:
I'm not sure.
Dan Lorenc:
Depending on how you look at it. Yeah. I mean, the way software used to work was you'd go to CompUSA and you would buy a piece of software and it would come in a box with a CD, or later on, a DVD.
Turner Novak:
Yep. I had so many games as a kid, like Civilization III.
Dan Lorenc:
Yeah. Yeah, it was fun. And then there'd be the books, and the used software, and stuff like that. And you'd install it and you would run it. And if you were an enterprise, then, yeah, you'd get a different version of it and you'd install that on all of your own computers, and you had a team to run it, and everybody would log into those computers. Cloud computing in both from the SaaS side, the Salesforce side, and then also the AWS hyperscaler side was putting that somewhere central. So instead of you going to CompUSA and buying Salesforce, and installing it on your server, and giving everyone access, and updating it, and backing it up, and all of that stuff, it was... What if instead you paid some other company every month to run that for you? And they can do it centrally, they can update it, they can do all of that work for you on the SaaS side.
Turner Novak:
And you would generally save money and time probably by having them do it and you might even get a better product? That's the pitch of why you might do it?
Dan Lorenc:
Yeah. But I don't know if you've seen a Salesforce bill. They add up pretty quick.
Turner Novak:
Fair. Yeah.
Dan Lorenc:
Yeah. Yeah, that's the idea. Not every company in the world should have to go hire some IT administrator that knows how to stand up servers, and install, and manage that software. And so that was the SaaS or cloud wave. There were a lot of vendors that were used to selling on-prem and licensing that way. And if they move this way, you control the update cadence. You can deploy a new version every day and keep pushing new features and add new SKUs and fix bugs faster instead of waiting three years for the next copy of the CD to get burned and shipped to all of your customers.
On the cloud side, the hyperscaler side, it's like that, but a layer down. If you wanted to get your own servers, you had to go buy them and put them in a rack somewhere, and plug in the power, and deal with the heating and cooling. And if something broke, you'd have to go in and fix it. And getting servers was expensive and hard, and you had to have a whole team. And then Amazon said, "What if we put an API on top of all of that? What if you make it so you can just run a command and we give you a server, and then you can log in and still do all that same stuff?"
Turner Novak:
It's a virtual server, right? Literally, you can rent a machine or part of a server to run on?
Dan Lorenc:
Yeah. And if you want one, you get one. If you want 100, you get 100 tomorrow... Or instantly, not even tomorrow. First, having to order them, and set them up, and deal with all of those updates and stuff yourself. And, yeah, ideally, it's cheaper. But we've seen a lot of companies now going back and saying, "Hey, what if we did manage that ourselves with a team of three or four people?" DHH is big on this now, getting off of Amazon and standing up their own servers and they're saving a ton of money, he claims.
Turner Novak:
He claims? Is that a key line there?
Dan Lorenc:
I mean, I believe he is, right? It's still hard though. It's something you're paying attention to. And not everyone, when you're scaling a business, wants to pay attention to that thing. If, all of a sudden, you have to go from 1 to 1,000 tomorrow, then you're not going to be able to do that with physical servers. But if you know your business is stable and predictable, and you know you're not going to need 1,000 of something tomorrow where you had 1 or 10 today, then, yeah, you probably could save money if you want to stand up that operations team.
Turner Novak:
And then how does Linux play in all that? What is Linux? You described it a little earlier, but-
Dan Lorenc:
Yeah, Linux is that free operating system all of this relies on. No one is using Windows in the cloud. About a decade ago, even Azure, Microsoft's cloud business realized that wasn't going to work and they standardized on Linux too. It was that free hobby project. There's a hilarious email you can look up. It's named after Linus. Linus Torvalds is the guy that wrote it. He just emailed this list one day saying he had a toy project that would never be anything serious and anybody could poke around at it and help. And it escalated from there.
Turner Novak:
I'm pulling it up right now. I think I found it.
Dan Lorenc:
Yeah. Was it 1993? Something like that?
Turner Novak:
August of '91, maybe?
Dan Lorenc:
'91. Okay. Yeah, that sounds right.
Turner Novak:
It's just a white thing, and there's some old school deep DOS font.
Dan Lorenc:
Yeah.
Turner Novak:
Yeah. I'll throw a link in the description for people to check it out.
Dan Lorenc:
Yeah. It runs on your Android phone. Pretty much every server running in the cloud is running this operating system. And operating system, you think Windows, Mac, you might have those on your personal devices, but there's hundreds or thousands of times more of these other servers running around and they're all running Linux.
Turner Novak:
And so how are Chainguard and the Chainguard product now thinking about intersecting with all this stuff? How are you thinking about it?
Dan Lorenc:
That's a big question.
Turner Novak:
Yeah. And, I mean, maybe we need to get the evolution of the product. Maybe it's... I don't know the best way to talk about this, but...
Dan Lorenc:
Yeah. So Linux has been around for a long time. Right? It's this open source piece of software. In the early days of it, that's what it was, source code. But anyone could see it, you can modify it, but you can't run source code. You have to compile it into something runnable and bootable. But because you have the source code, you can change any part of it you want. And that's really cool and people like that, and you get this flexibility, but it's also really hard. You're not going to compile your own Linux server, Turner. Probably not, maybe you are.
Turner Novak:
So what makes it so hard?
Dan Lorenc:
Engineers can do it, but not even every engineer has done this, compiled their own. It's hard, it's esoteric. You have to read a whole bunch of documentation. Nobody reads the docs. If you spend a weekend, you could probably figure it out, but I'd probably guess fewer than 1 in 10 software engineers has compiled their own Linux kernel. But in the early days, that's what it was. It was hobbyists trying to do this stuff and tweak it and get it working on new machines and esoteric CPUs and stuff like that. But it was hard to use.
And then once you got that, you just got a little terminal and there were no applications, and you couldn't even really do anything on it. So then all this software appeared that would run on Linux and people wrote their own and it was great, and you could get your own free machine where everything was free in open source. But all of it, you still had to compile yourself. And then in the early days, these people started to put together what they called Linux distributions. The term now is just distros, and you'll see people talking about what distros they use. There's a meme, it's like, "I use Arch, bro." That's one of the distros people use.
Turner Novak:
So what's a Linux distro?
Dan Lorenc:
Yeah. So it's a system where it has all the software ready to install and run. It's a distribution of Linux, and then all of the related software that you might want to run, like a text editor, package manager where you can install all this stuff. And they've tested all of this and made sure it's all ready to go so you don't have to compile it yourself.
Turner Novak:
So it's like if I buy a new laptop, a new Windows or a MacBook, and I just turn it on and it has macOS and 100 apps and it's just ready to go? Is it that type of thing for a Linux?
Dan Lorenc:
Yeah, like macOS plus an app store, but everything is free.
Turner Novak:
Everything in Linux is free?
Dan Lorenc:
Yeah. Yeah. So imagine macOS, but every app you ever want to install is in the app store and it's free. I mean, so that's the Linux distro. And they appeared and there's a whole bunch of different ones, and they pick different desktop layouts and different tools, and everybody gets super opinionated about which one they want to use. But they took it to the next generation of people that weren't going to compile stuff themselves, but still wanted to use all of this free software. And they did all this work to test and make sure everything worked against each other, and if you installed these two things, they wouldn't break each other and stuff like that. And they had this important role in open source because they made it usable to more people than the ones that could figure out how to compile all of this stuff or just didn't feel like it. But then programming kept going even faster. And there's all these new programming languages and things like Python, and Java, and Node.js, and... There's probably a new one this week.
And you get those and you have to write code and you need to install stuff there too, those libraries and stuff you want. And they were like, "Hey, these distros have a cool interface. You can just run this command to install anything you want," and so they all built their own package managers to install these libraries. But they made this different decision... I don't want to call it a mistake. But they made a different decision where with these distros, it's a couple people that just do all this work for some reason of testing everything, and making sure it's secure, and updating it. They made a different decision where anybody could just upload anything they wanted. And so they blew up. A Linux system might have 10,000 packages, the one for Node.js has 10 million, because anybody can just update stuff whenever they want to. And so it looks and feels the same. You can get any library you want to run in your Node.js app, which is then going to run on Linux, but there's none of the same quality controls or checks or trust in any of those elements.
Turner Novak:
So if I were to go and pick one of the Linux distros to spin my Linux environment up, I might get a million different apps or code bases, libraries, things that I could use. And I didn't pick any of them. It was just you could add one that just goes on every single person that spins one up with that distro?
Dan Lorenc:
So, no. A little bit backwards. So pretend you use Debian, that's one of the oldest ones, and it's been around for a long time and they have a great security team and they test all this stuff. It'll have a bunch of software. Right? You could get a text editor, you could get a Microsoft Word clone or something like that, you can get a browser, you can get all this stuff. But if you want to start writing code yourself, you're going to go get maybe Python from them. They have Python. They'll give you Python. But if you're going to write a real Python app, you need hundreds or thousands of Python libraries. You can't get those from those people anymore.
So you know the Python you got came from a bunch of people you trust, but then if you want to write Python code yourself, you're going to go get these Python libraries and you're going to get those... If you have 100 of them, they're going to come from 100 different people, maybe even more. And they don't guarantee any of that same stuff that the Debian team guarantees. So they got you a machine that booted up, they got you Python, and that's all secure. But then as soon as you take that next step of getting stuff not from them... Because they don't have everything, it's one small team, they can't give you every piece of software out there. Now it looks and feels the same and you don't even necessarily realize it's different, but now you've opened up your software supply chain from this core group of people that's been doing this for 30 years that everyone knows and trusts to strangers on the internet.
And software's worked that way for the last 15 years where that space has grown much faster than those distros because there are no checks or quality controls or gates or anything really. And so I think it's probably shifted in the last 10 years from a majority of the code is coming from distros to now a majority of it is coming from strangers on the internet. Yeah, and that's the piece that we're trying to solve where we want to make all of that same software available. So all of that open source that you might be using with those same guarantees you get from a distro.
Turner Novak:
How does it work? If I want to use it-
Dan Lorenc:
There's no magic. Yeah. How do we build it or how do you use it?
Turner Novak:
Yeah, how do I use it? Or maybe both, but-
Dan Lorenc:
Yeah, you contact our sales team. Yeah.
Turner Novak:
Fair.
Dan Lorenc:
Yeah, we have a great sales team. They're nice people that... Reach out, we'll get you in touch and, yeah, we'll figure out what you want to use and get you great versions of this that you can trust and build on. But how does it work? It's just a lot of hard work. There's no magic. Today, we have something like 1,400 different pieces of software packaged up that you can use, but that by itself turns into probably about 100,000 different libraries and stuff that make those 1,400 different pieces of software in the end. And we're doing all that hard work of testing it, and building it, and patching all the vulnerabilities and watching out for new ones, and trying our hardest to spot malware and all of that other stuff in the supply chain.
Turner Novak:
Yeah. How does that usually work? So you have a bunch of people on the team that have built, and then now, when a new vulnerability is announced or someone becomes aware of it, Chainguard's immediately... Minutes later, going in, patching it, pushing it to all your customers? Is that how it works?
Dan Lorenc:
Basically, yeah. We have a ton of automation to look for the known vulnerabilities, see when they're found and reported, and where the fixes are, and build it, test it, get it out to our customers, but there's no single piece of automation that can do all of that. We have a whole bunch of different small pieces of automation depending on the programming language, and the application, and how it's written, and how the package managers work. And a lot of it's still manual in the end. The automation handles as much as it can, and we have this whole system and team that looks at the pieces the automation couldn't handle and they do it manually. And we have another team that looks and sees all the reasons the automation couldn't handle something and thinks of ways to make new pieces of automation that can start to handle those in the future. Because we're constantly adding more software and the maintenance keeps going up and up and up, and we have to keep looking at ways to make it faster.
Turner Novak:
So with automation, is this AI? Are you using Cursor or some vibe coding, automates it all, or how does that work?
Dan Lorenc:
Engineers use a lot of that stuff. We've tried everything out there and we've set up a ton of infrastructure and tooling to look for it. We haven't gotten amazing results yet. I wish this stuff worked a lot better, but I think we've put a lot of pieces in place where maybe the next GPT-7... I can't figure out the naming scheme. Sometimes it goes up, sometimes it goes down where if the models keep getting better than our tooling, we'll keep getting better there too. But, again, if we still rely on humans in the end to watch what the AI is doing, it's more like an assistant for people today than self-autonomous patching machine that's going to take over all of our lives.
Turner Novak:
Just thinking a little bit more about product roadmap over the longer term, I think what you just described was Chainguard Libraries? Is that the name of the product?
Dan Lorenc:
Chainguard images or containers. Yeah. Chainguard container images. Yeah.
Turner Novak:
And then Chainguard Libraries, and I think there's Chainguard VMs is another big thing, what exactly are those?
Dan Lorenc:
I talk about a roadmap, we want to be the safe source for open source. So our roadmap is more safety. We invest a ton in security for our own infrastructure. The more of the stuff we package, the more people that use it, the more of an attack point we become. And we invest a ton in security to make that even harder as we keep going. More sources, so that's, like I said, we started with our Chainguard container images product. Container images are hugely popular.
Turner Novak:
What is a container image? You've mentioned this a couple of times, just for people who don't know.
Dan Lorenc:
Yeah. Docker pioneered this concept about a decade ago now, and it's just this popular packaging vehicle for software on Linux systems. You could put a whole system together and everything is installed and checked at that same version and you can ship it around and everything will work the same on every machine you run one of these container images on. And so when I talked about those 1,400 different pieces of software, those are different individual container images you can run that do different things. We have databases, web servers, compilers, proxies, programming languages, all of these different things as individual container images.
If you ever install one piece of software on your system and it breaks because something else isn't updated, that's the problem container images solve. Everything is frozen together and you can test and deploy all of it together. So we started with that product and, yeah, we've recently added two more. So Chainguard VMs, that's the same thing as Chainguard container images, except it's for VM images. Virtual machines, they're those virtual servers you talked about earlier with Amazon when you say, "Hey, give me a computer," nobody's standing up walking over plugging in a new computer for you. They have a big computer, and that big computer pretends to be 1,000 small computers and they just give you access to one of those small computers inside that big computer. And then inside one of those, you might have 100 different container images running. So it's just like a Russian nesting egg doll thing.
I talked about distros earlier, right? Linux distros? For a container images product, it looks and feels like a Linux distro, except we had everything but Linux inside of it. So we couldn't call it a Linux distro because containers run on Linux, but they don't bring their own Linux because they rely on somebody else having a Linux set up. So we called it an undistro in the beginning. But for virtual machines, we had to add Linux back. So it's not an undistro anymore now we have our own Linux. So we put the distro back in undistro. And then libraries is that last piece we talked about earlier where it's the Python stuff. There's millions of Python libraries people use. And so we have our own versions of all of those.
Turner Novak:
And a library is a collection of pieces of code that could be used within something else?
Dan Lorenc:
Yeah. It could be one line, it could be hundreds of thousands of lines of software. They do different things. And, yeah, we're working on that for all of these different programming languages and their own individual ecosystems, and they all take different pieces of automation and different ways to build all that.
Turner Novak:
And I guess maybe wrapping up just some of the thinking through all the product and stuff, what was probably one of the biggest or hardest product decisions that you guys had to make over the past couple years? I think you're two years into this now.
Dan Lorenc:
Yeah, probably the hardest one was focusing. There's so much stuff out there. We want to eventually be that safe source for all open source. And containers are one small part of that, not getting distracted and not trying to do too many things too early on was probably one of the hardest.
Turner Novak:
Don't you want a big TAM or don't you want to solve a ton of problems for customers?
Dan Lorenc:
Yeah, yeah. Just if you try to do too many things at once, you tend to screw most of them up.
Turner Novak:
Yeah, fair. Well, how did you decide that that was the one that was worth focusing on?
Dan Lorenc:
I go back and forth on whether it was the right decision or not, but they're everywhere today, containers, the TAM is already pretty big, the way they're deployed is pretty standard. So with that, we could have addressed a lot of different customer pain. So we started there. We couldn't have really started with virtual machines because virtual machines are the same thing, but with more work. So we would've already had to do the container work to get to that point. But every once in a while, we go back and forth on whether we should have done libraries first.
But in security, it's this game of chasing around where attackers are spending most of their time. You have to solve an important pain point at the time people are actually trying to solve it. Security is funny that way. You can talk to probably 100 different security companies and they all have a great product and every single one will improve your security. But at the end of the day, if you're a CISO of this massive company, you can only do one or two things a year really that are going to move a needle somewhere. And so it's not good enough to just have a product that improves security. You have to have a product that both will improve their security and happens to be one of the three things they care about right now in this year.
Turner Novak:
And I think the big one for you guys to kick things off was FedRAMP. I actually don't even know what that stands for specifically, but can you-
Dan Lorenc:
I have no idea what it stands for either, to be honest.
Turner Novak:
Okay, fair. Can you just explain what is that and how does Chainguard intersect with that?
Dan Lorenc:
FedRAMP is this program run by the US government and it's got thousands of different components inside of it. But, basically, if you want to sell SaaS software... So, again, no more CompUSA stuff. If you want to sell software as a service to the US government, what they call you is a cloud service provider. Because if you're selling boxed software CompUSA-style to them, they understand how to run it, they know how to secure it, they probably put it on some fancy internet that doesn't have access to the outside internet and those things.
Turner Novak:
A government-only internet, you're saying?
Dan Lorenc:
Yeah. But if they're going to connect to your system and use your SaaS software, they need to make sure it's as secure as the one that they were going to run it on. And so it's a whole bunch of requirements and controls and processes you have to go through to prove that. Some of them involve your ops team, the people with access to the servers, all have to be US citizens in the US, stuff like that. They're not going to go use a SaaS system operated by Russia as one example. And others come down to vulnerability patching. And if you're a vendor writing software, then, yeah, you have to fix vulnerabilities in your own software.
But the hard part then is when 90 to 98% of that software you're using, it wasn't written by you, how are you going to go patch all of those vulnerabilities? So it's forced people to really take ownership and think about all of that other software they've brought into their environments, and then they're going to resell to the government in effect. And just because you didn't write it doesn't mean you don't have to patch it or keep it up to date. And so FedRAMP has some pretty tight requirements around all of this. And so, yeah, a lot of our customers that buy our product today do it to meet those requirements.
Turner Novak:
So to make sure I'm understanding it, to say it back, if you want to sell software to the government, they want to make sure that, with the issue we talked about, there's multiple levels of people using different people's software, they want to guarantee essentially that you're not going to have a vulnerability that impacts the US government in some way.
Dan Lorenc:
Yeah. And they just draw a line around all of it. You're selling all of that software to us, we're using all of it. You have to keep it all secure, not just the part you write at the top.
Turner Novak:
Yeah. So if 8, 9, 10 layers deep, basically you have to be able to guarantee that there's no vulnerabilities there.
Dan Lorenc:
Yeah.
Turner Novak:
Interesting. Yeah. I mean, to the point where we talked earlier, hard thing to solve for if you don't actually know.
Dan Lorenc:
Yeah. And it's hard enough to keep your own application vulnerability-free, but there's tons of tools and applications to help developers and there's AI tools to help them spot common vulnerabilities in the stuff you are writing. That's hard enough. But then when you're relying on, yeah, 10 layers of other people's software that you don't even understand, how do you keep that vulnerability-free?
Turner Novak:
So did you notice that customers or potential customers were talking about it, or was it they were issuing some statements, and guidelines, and stuff, and did you realize like, "We can probably help this initial wave of customers get in the market with this problem"?
Dan Lorenc:
Yeah, when I was at Google, we worked with a lot of teams that were trying to get FedRAMP-certified for their products, and we saw that with the way people were building applications with containers and non-public cloud, that it was really, really, really hard to guarantee that. So that was one of the original ideas for... It was, "Hey, we know this is a problem. We know the government's buying a lot of software. They're the largest purchaser of software in the world. We know a lot of companies are trying to get FedRAMP-certified," and we think this is the only way they could possibly do it. So we built a product for that originally and didn't realize how big that market was beyond just that segment. I think, today, it's about a third of our business. It's a big TAM. It's growing. Even with Doge and stuff like that, the government's trying to buy more software instead of writing it themselves.
The way government buys software today is, instead of buying software, they'll pay 100 people to develop a custom version of it. And for a long time, it made sense. The government had very different requirements. Some commercial out-of-the-box piece of software wasn't going to run in their networks and meet their requirements and stuff like that, so they had their own ecosystem built, but it was mostly contracting stuff where people would build custom pieces of software for specific government teams. It wouldn't even work for a different government team. But the whole software industry has gotten to a point where a lot of big corporations are as big as government agencies today, and those requirements aren't as esoteric. And a lot of companies want to tap into that market of like, "Why can't you sell your software to the largest buyer of software in the world?"
Turner Novak:
Yeah. Well, I was going to say, so how is Doge changing the way that the government's doing all this stuff?
Dan Lorenc:
It's definitely adding a lot of chaos in the short term as people figure it out. Just budgets up and down, nobody knows who can sign for a piece of software today. And some of that's Doge, some of that happens every administration change, just a lot of old people out, a lot of new people in. But long-term, I think what we do is very directionally aligned. It's rely on big software vendors that do this for a living instead of writing your own software over and over and over again, 10 times across the government.
Turner Novak:
Yeah. Do you think is it going to get tamer or going to calm down a little bit or is it getting more chaotic, if that's an okay way to describe it?
Dan Lorenc:
Lots of portions of it I think are getting tamer. I think a lot of it is really just any administration change introduces a lot of uncertainty. You still need budgets to get passed, but even now we're still seeing talk of the largest defense budget we've ever passed and stuff like that. And software is a critical component of the defense industry here and in every country. Everything is connected to the internet.
Turner Novak:
Yeah, fair. And one thing you mentioned was with FedRAMP, it was the good initial go-to-market, grew pretty fast, big part of business. What's the current state of Chainguard? And maybe we can talk about the fundraise that you just did, but you guys have gotten pretty big pretty quickly. What's the current state of things that you're just sharing publicly?
Dan Lorenc:
We had a great year last year. We screwed up on planning a lot.
Turner Novak:
You would always text me updates.
Dan Lorenc:
We just ended last year at 40 million in ARR. Our original plan was 20. So we were off by a little bit there. We're shooting for over 100 this year. That scaling is expensive. I think a lot of early founders, especially engineering ones like myself, don't really understand how enterprise go-to-market works, especially with SaaS and stuff like this. But, yeah, scaling sales is expensive and you have to hire a lot of people to do it. It's all top-down sales. It's hard. It takes a lot of conversations to get a yield on even when somebody needs your piece of software in the end. And so we're really scaling our go-to-market this year.
Turner Novak:
Okay. I want to ask you about that, but I first want to talk a little bit more about just maybe the biggest thing that you've learned just about company building or about yourself as a person just over the past couple of years, going from... I don't know what the public number was, but to 40 million in ARR. I think the public number I saw was you grew it from 30 to 150 customers in 2024. So rough math, that's 5X. That's a pretty big change. What have you learned the most over the past year?
Dan Lorenc:
About myself? I think I've learned that I really like the sales stuff. It was one of those things going in. I was an engineer. I think my only experience with sales people was all the voicemails you get of people trying to sell you term life insurance or an extended car warranty for a car you don't even own anymore.
Turner Novak:
Or recruiters just being like, "Hey, you want to get a job at insert whatever-
Dan Lorenc:
I still get those. There's this recruiter at Facebook that really wants me for an engineering manager job. I get those in my work address.
Turner Novak:
That's awesome.
Dan Lorenc:
Yeah.
Turner Novak:
"Hey, Dan, we came across your resume and I thought you'd be a good fit."
Dan Lorenc:
Yeah. "You'd be a good fit here." Keep trying, Meta. Maybe someday. Sales is fun, honestly. It's hard. There's a lot of rejection, a lot of it doesn't work. But if you have a product you know truly solves a problem for someone, then it's rewarding. It's fun. You're not just scamming them with extended car warranties. You're solving a real problem people have. If you're doing it right and you're pricing your product right and stuff, they're getting a lot more value out of it than you're charging for it too.
Turner Novak:
So that's how you should think about it. Then if I'm somebody who thinks, "Sales, that doesn't sound fun. I don't get energized by that," is a good way to think about it, is more about solving problems that people will pay you to fix?
Dan Lorenc:
Yeah. And if it all works out, yeah, they're getting a lot more value out of it than you're charging them. It's a win-win for both people. I've got this sitting here, but, yeah, one of the best books I've read, and I wish I read it a lot earlier, this one here, The Qualified Sales Leader. If you don't know anything about how sales works, you should grab this one. It's amazing.
Turner Novak:
I'll throw a link in the description for people.
Dan Lorenc:
Yeah, David Schneider from Coatue recommended this one. Thank you, David.
Turner Novak:
So I guess if I'm a founder coming to you and... I don't know, I just don't have a sales team, haven't really thought about this much, what would be the high level qualifying things that I should think about just to frame up, how to think about making a go-to-market motion, at least just from your perspective, from what you've learned?
Dan Lorenc:
Yeah, there's all this advice and talk you hear about founder-led sales until some certain milestone, and then you can hire a sales team or a VP sales or something like that. And I think a lot of that advice probably comes from VCs pattern matching against technical founders who think that they could just sit in a room and build something cool, and then eventually hire somebody that wears a suit to sell it for them. And you can't do that. Talking to customers, talking to prospects, it's critical. You have to understand what their problems actually are to make sure that what you're building solves those problems for them. And it's never a binary thing. You never flip a switch and say, "Now I'm not doing founder-led sales anymore. Ignore me. I'm going to go back to doing other cool stuff." You're still always involved.
But there's also a huge difference, especially with enterprise sales, from selling the value and convincing someone, understanding their pain, understanding that your product will deliver value to them, and then the actual enterprise sales process. This is slow, it's painful, it takes a long time. It takes dozens of meetings. There's procurement teams whose whole job is to ruin your quarter and get the most discounts they can inside of every one of these companies. You go to war with these people. And there's a lot of skill involved with both of those, and so you're never really going to get out of it, but the only way you can scale is to eventually build that sales team, but you're still going to be involved every day. You never get out of that. I got to meet Frank Slootman last year.
Turner Novak:
I was going to ask.
Dan Lorenc:
Yeah, I got to go to his ranch. It was incredible. But even he was talking about one of the last big deals he closed at Snowflake, it was a month before he retired and it was some eight-figure deal, and he was still involved day to day, right? You never get out of this, even as a CEO or a founder of any size company. You're always going to be involved in closing deals.
Turner Novak:
So then why do you hire a sales team? Shouldn't you just do it all yourself if that's... Is that what you're telling me to do, or no?
Dan Lorenc:
No, you've got to do it yourself to a certain point, but my advice isn't some revenue milestone, like, "First founder-led sales have to get to this revenue milestone," or something like that. I think it's when you can afford to and when you're confident the thing is going to sell. Because they really just give you leverage, right? All that stuff, all those meetings, all those battles, that takes time. And at some point, you don't have enough time to do 100 of those all at once. You can't. So, yeah, I don't think it's really about some milestone. You probably want some proof yourself, but whenever you have your own conviction that it's repeatable and you could train somebody else to do what you're doing, then you're just buying leverage by scaling that team out.
Turner Novak:
So then how do you approach identifying what one of those spots would be? Do you measure your time that you spend on certain things and figure out where the bottleneck is and that's where you hire?
Dan Lorenc:
Yeah, it's when you can afford it and when you have conviction. I think every person's going to get to that point a different way. And, yeah, just because you sold it once doesn't necessarily mean 10 more customers are going to buy or 100 more customers are going to buy or somebody that's not you is going to be able to sell it. But, yeah, you need to figure that one out on your own. I look back on it and wish we did it a little bit earlier, because there's just so much in the enterprise sales process that I didn't know a lot... If I had read this book, maybe I would've known earlier. But, yeah, getting through that and once you have a champion and somebody that has budget and wants to use it, still getting from there to a signed contract is a lot more meetings, a lot more weeks, a lot more painful stuff that you need to scale, and people know how to do that.
Turner Novak:
I don't want to dilute this down to a hack or a life hack thing, but is there anything that you've found that really... I don't know, moved the needle for you the most on just a certain framing of that third meeting of trying to get them to just finally sign the thing? Is there a certain thing where you're like, "Ah, I adapted this mindset and it made it so much easier"?
Dan Lorenc:
Not really on a mindset basis, but I think from a process perspective. And, again, this book talks about it a bit, but we were doing it earlier. When you're selling something for money, people want to know what value they're going to get back for it. And you need some way to quantify that like, "Why does this six-figure price make any sense? Why isn't it 90% cheaper? Why isn't it two or three times more expensive?"
Turner Novak:
Yeah, because isn't software pricing just made up really at the end of the day? You can just pick a number, right?
Dan Lorenc:
Yeah, it is. It's like you have some list price that scales down with volume and all of this is... Most enterprise sales works this way. Everyone negotiates. But what the anchor is there is the value, and you need some way to quantify that value for whatever piece of software you're selling. And it's not crazy complicated. It's a spreadsheet model you put together of how do you explain what the value is. You can talk about it in a pitch deck, you can talk about it in a meeting, you can have customers back it up, but you need some way to turn that math into what that company is going to save, however they're going to save it. Are they going to get new revenue? Are they going to save money by increasing efficiency somewhere else?
And it's a whole bunch of numbers you multiply together that shows how much value they're going to get out of it and how much money they're losing by not buying it today. Something like that. Some reason people are going to spend money on your tool, your piece of software, they aren't going to do that without results. In that model, it's critical. It's how you maintain price in those negotiations. It's how you drive urgency in a deal like, "Why not wait until next quarter?" "Well, you just proved to yourself you're losing money by not buying this, right? So why not buy it today? Why wait in six more months? The spreadsheet shows, sure, if you want to wait, you're going to lose all this money by not doing it today." And it's how those made-up numbers actually get backed up by whatever you're going to charge for this thing in the end.
Turner Novak:
And you mentioned doing sales capacity planning. I think you mentioned that's why you raise money, so you could basically do that or play that out. How should I do sales capacity planning and what does that even mean? Because it sounds like a very big fancy concept.
Dan Lorenc:
Yeah. No, it's just multiplying more numbers in spreadsheets, right? Once you get a repeatable sales motion, that's when you know you can hire someone, train them, and then they can go find customers on the internet and sell them your software. Once you get to that point, then you have a model again, how much software can one person sell. And a lot of that goes into setting their quotas, and commissions, and the sales plans, and how much money they're going to make as they sell software. But it also ties into your hiring plans. If you know that if you hire one person, they're going to sell, just making up numbers... A million dollars of software in a year. Well then if your revenue target is going from X to Y, you can divide that out and figure out how many people you have to hire. But then there's also a training period. You can't just take someone off the street, put them in a suit and expect them to-
Turner Novak:
Immediate million-dollar deal. Yeah.
Dan Lorenc:
Yeah, it doesn't work that way. You have to train them on your product. They have to develop that pipeline. You give them a computer on the internet and tell them, "Hey, here are the zip codes you can go sell to." It takes a while to develop that pipeline, find the customers, much they know even if you have a product for them. And so you have to figure that out too. How long does it take somebody you hire to get to the point where they can sell all of that?
And then you can work backwards and forwards through time of if your revenue target is this, you need to have this many people trained and in seat today. And if you need those people trained and in seat today, you had to hire them three or six months ago. So then you start to look even farther forward of like, "Well, we only have this many people, so our revenue target can probably only be this. We should probably hire people today," and you have to balance all of that with marketing, and pipeline, and budget too, to make sure you don't run out of runway hiring these people before they start closing these deals.
Turner Novak:
You just talked about zip codes and stuff like that. How do you do territory planning?
Dan Lorenc:
Yeah, it's pretty regional, right? I mean, there's lots of different ways you can do this. There's no single right way. But, yeah, what's really important is that you have clear lines. Every sales rep needs to know what accounts are theirs. You don't want people fighting over that thing. So they just need clear rules of engagement. You can segment different ways like size of the customer, because selling to a Fortune 100 company is a lot different than selling to a 300-person startup. And so you can get people that specialize in both. And some deals move slower, some deals move faster. A lot of it's regional too. Sales still happens in person. Ed Sim always says, "All roads lead to steak dinners." This is a personal thing. People buy software from people they trust.
Bill McDermott, the CEO from ServiceNow says, "Trust is the only long-term moat you can have." People have to trust you and you have to build up those relationships you want. You need to get people in the regions that they're going to be selling software into. So you have to look at what regions your customers are buying your software in, depending on what type of software you sell. Maybe you sell to oil and gas, you need a huge team in Texas. Maybe you're selling to doctors and they're everywhere. Maybe you're selling to software companies, and then you probably want the Bay Area and New York. You've got to focus on those regions and you need more people there than other places. That's a complicated process.
Turner Novak:
And then how do you design the comp for everybody?
Dan Lorenc:
That's an art too. I mean, it's basically market based. It's like you can figure out how much software people are going to sell, but you're also trying to hire people against other companies that are also trying to hire those same people. You want to set it so people make money being there, but most of the money they make, it's going to come from selling the software. Incentive alignment there is important, but the way you set those ratios, and the percentages, and the commissions, a lot of that's just by what's going on in the market and what other people are offering. If somebody has to sell 10 times as much software at your company than another one of the same size, they're always going to pick the other one.
Turner Novak:
Maybe you just said it depends. What's a good benchmark?
Dan Lorenc:
It's super industry-specific. Yeah. There's all sorts of different comp plans and ways these are set up. But, yeah, find the five closest companies that you're trying to hire sales reps from or against and see what they're doing.
Turner Novak:
So then as the CEO of the company, how do you just stay on top of potential sales pipeline problems or issues or anything like that? What's the strategy for doing that?
Dan Lorenc:
There's a million different SaaS tools and dashboards that all display information at different points of it and, yeah, looking at it as fast as you can.
Turner Novak:
Do you have a favorite metric that you monitor just to stay on top of things?
Dan Lorenc:
Pipeline is super important. Pipeline you're generating, watching it progress through phases, seeing where stuff is getting stuck, making sure you're generating stuff far enough out for deals to close, to hit targets, trying to jump in and see why. Yeah.
Turner Novak:
And then you recruited someone, Ryan Carlson, who came in as the president of Chainguard. Can you just, I guess, explain what happened there?
Dan Lorenc:
Yeah. So his role, he runs all of go-to-market for us. Right? He runs sales, customer success, and marketing, and then a whole bunch of supporting functions to do all of that hard work we just talked about, making sure the territories are right, and the commission plans are right, and all of that stuff. We were pretty early on... When we started selling, we had two sales reps and they both reported to me. We got the sense that it was pretty repeatable. We needed to hire some more. Instead of hiring more, we hired a VP of sales, Chris Holmblad, he's awesome. And he built out the rest of the team. But then when you look at all those functions, they have to work together, sales, and marketing, and all of this stuff has to be running in lockstep.
And I just randomly met Ryan through one of our investors. We weren't looking to hire someone like that. A bunch of our investors said, "Don't do that," because they thought I would just completely stop paying attention if we hired somebody to run go-to-market. Again, they're pattern matching to like, "I'm just going to hire somebody in a suit to run this thing and we'll stop paying attention to that." But I got to know him and it seemed like a great fit. He'd been CMO at Okta for a decade, worked in another security company for a while, running marketing there and super involved in the sales process and everything. And a couple of our team members had also worked with him at some of those companies. And so we brought him on and, yeah, he's really leveled up that whole go-to-market just by knowing what problems you're going to run into. Bogomil from Sequoia, he's one of our board members. He's told me two-thirds of his time is convincing first-time technical founders to not try to reinvent sales from first principles.
And it's the same stuff that's always worked and just don't try to mess with that and think you're going to solve sales in a different way. If you could do that, then that'd be a company in and of itself and you'd be worth a trillion dollars. So don't do that. Just do the basics and do them incredibly well and make tweaks here and there for your product. Right? Everything is different. You need different messaging. But, yeah, we've tried to avoid that mistake of thinking we're smarter than every other company that sells enterprise software in the world.
Turner Novak:
Yeah. And you mentioned it was just some other security company. That company was Wiz, wasn't it?
Dan Lorenc:
It was Wiz.
Turner Novak:
Yeah. Okay. You just skipped that a little bit. So then how do you stay in sync with him? Because someone might be a little... Even a founder might be nervous of like, "Even if I do want to stay on top of go-to market, but I'm hiring someone to do it," how do you guys stay on the same wavelength?
Dan Lorenc:
I try to learn as much as I can about it. I'm sure he's still probably forgotten more than I'll ever know about how go-to-market works, but I learn from him all the time. I ask questions. Yeah, he reports to me, but I try to be very clear on when I'm like, "Hey, I don't understand this," versus, "Hey, I think this is dumb." And, yeah, just watch the problems together. I see things from a different perspective across the company because you still have to align the product roadmap with what the sales reps are selling and making sure that everybody's talking about stuff the same way and he sees stuff in a lot lower detail than I do. So a lot of the problems that I see are already getting solved or aren't a problem because of some other reason.
Turner Novak:
Yeah, makes sense. So then I know we want to talk a little bit about the fundraise you guys just announced, I don't actually know all of the details because this isn't out there yet, but you raised $300 million-
Dan Lorenc:
350.
Turner Novak:
$350 million, $3.5 billion valuation, and it was Kleiner that-
Dan Lorenc:
Yeah, Kleiner and IVP co-led it.
Turner Novak:
Kleiner and IVP co-led it. Okay.
Dan Lorenc:
IVP was already an investor, so, yeah, they doubled down, and then Kleiner came in new.
Turner Novak:
Nice. And so can you just take us inside how that happened? If people listen to some of the prior podcasts and hear how you've thought about fundraising in prior rounds, but can you just take us inside, maybe you're doing some sales capacity planning, I think you maybe mentioned this to me when we caught up a year ago, just how you think through this stuff, but how did it all happen?
Dan Lorenc:
Every year, we put together an annual operating plan. It's part of board governance and show what budgets we plan to hit for the year, how much we plan to spend, what our revenue targets are, that thing. And, yeah, we wrapped up last year, our plan was completely wrong in almost every area, but we had one at the start of last year too. We're pulling together for this year and we had a Q4 board meeting but at the start of the first quarter of the year with our plan for everything and with the spend and everything, we didn't need to fundraise this year, but probably wanted to, right? You want to fundraise before you're desperate, before you're out of money, when numbers are looking good, all those things.
So we knew we were going to fundraise sometime this year and we just come off an amazing year and amazing quarter. And the question is, do we do it now? Do we wait? Weigh those pros and cons. And there's both, if you're waiting, there's execution risk. What if there's a bad quarter? There's macro risk. What if, all of a sudden, the multiples collapse and everybody stops investing again? And then the upside is like, "Well, what if we continue to outperform? Maybe we'd get a better valuation." You just have to weigh all those things and decide when to do it. And we decided to basically pull it forward, do it early.
Turner Novak:
So why'd you do that?
Dan Lorenc:
It's those trade-offs, right? At scale, just because you double or triple revenue doesn't mean your valuation is going to double or triple. Most investors are writing long-term investments anyway, another quarter, another year of execution is baked into all of these. And so waiting a couple quarters isn't really going to move the needle on valuation. So why not just do it early, get it out of the way, and set yourself up for a good year?
Turner Novak:
And this is actually a question from Andrew Reed, he said, "How did you decide what valuation to do?"
Dan Lorenc:
Andrew Reed told you to ask that?
Turner Novak:
He told me to ask this. There's a little smiley face after it.
Dan Lorenc:
Oh, that's incredible. Okay. Yeah.
Turner Novak:
Yeah.
Dan Lorenc:
The rule of thumb I have is that whenever we're going to fundraise, I ask Andrew Reed what valuation we should get, and then... Yeah.
Turner Novak:
That's really it? Okay, amazing.
Dan Lorenc:
Yeah. He thinks about it for a minute, and then he tells me, and then however the process works, it always lands at whatever Andrew Reed says. So, yeah. That's hilarious.
Turner Novak:
That's awesome.
Dan Lorenc:
Yeah. I love Andrew. He just crunches his math in his head, tells us what range to look for and what the trade-offs might be. Yeah. Thank you, Andrew.
Turner Novak:
Amazing. He said that I would like the answer. That was a good... So it's probably just like you look at market comps, how fast are you growing, what seems like a good price, and that's just what you do it at?
Dan Lorenc:
Yeah, market comps are usually the biggest one.
Turner Novak:
Yeah, that's fair. And then how did you decide who to take money with? Because... I don't know. And maybe not just this round, but over time, how do you prioritize, and then why did you decide to work with Mamoon and Kleiner?
Dan Lorenc:
If you're lucky, if you're in a competitive round and you get that choice, then I usually try to pick people that I like working with more than anything else. Assuming everything else equal, spend a lot of time with them in prior rounds, didn't end up getting to work together. Talked to a lot of people this round. Some people pass, not everyone wants to guess it, but in a competitive round of people that want to work with you and are going to put in an offer, it's who do you want to work with the most? Who do you want to spend most of your time with? And then the other element, which I didn't put that much weight on at first, it's around the history of the investor. Right?
And we have amazing investors already, so at first, I was like, "Why do you need more? What is the incremental brand of another great VC like Kleiner going to do?" But the way somebody else put it to me, which convinced me, was the main thing investors can do is pattern match, and not in a bad way. You can take that to mean they're just robots that pattern match. But you're a founder, you're an operator, you're running one company, you only know what your company looks like for the most part. Maybe you've had a couple of other jobs, but probably not more than three or four that are really relevant. But an investor gets to see dozens, hundreds of companies because that's how these venture capital firms work. And they can see and pattern match from what's going on with these other companies both today, in the past, see mistakes that get made, see things that have worked.
And the benefit of working with a great investor that's had a great portfolio is that then they're pattern matching off of great companies and they know people at all these other companies that have seen or been at the high end of a lot of these growth trajectories and everything. And so, yeah, that was another one of the factors. I never really thought about it that way of like, "Yeah, having important investors is great, but it's not like Pokemon where you've got to catch them all. At some point, once you've got a couple of these, does another one really matter?" But, yeah, to that effect, it does. More pattern matching, more data from great companies.
Turner Novak:
Yeah. And to the point, it's probably just the casual introduction to Ryan who ended up being a great hire. They're just like, "Oh, you should just meet this guy. I just know him. You guys might have a good convo," and then just more of those opportunities because your investors just know those people. That can be helpful. What's your personal tool stack look like for running Chainguard?
Dan Lorenc:
What does my tool stack look like? Operationally? Google Drive, Slack.
Turner Novak:
Any spreadsheets you talk about a lot? Graphviz-
Dan Lorenc:
Yeah, Google Sheets. Yeah, we do Graphviz sometimes. I use VS Code when I get to write code.
Turner Novak:
So you don't use Cursor or Windsurf?
Dan Lorenc:
I've tried them. Yeah. No, I just like the VS Code IDE too much. I was trying Claude Code. I like that one because it just works in the terminal.
Turner Novak:
Are you a vibe coder?
Dan Lorenc:
I play around with it, yeah.
Turner Novak:
What was your latest vibe coding adventure?
Dan Lorenc:
I like using it for data analysis, so I'll just drop some unstructured JSON junk in and stuff that I could probably figure out, but it's going to take a long time, and pull data out of that and generate graphs and stuff for me.
Turner Novak:
Have you tried Julius before?
Dan Lorenc:
No. What's that one?
Turner Novak:
Do you remember the guys that... The Ligma-Johnson prank, they got fired from Twitter? So Rahul is one of the guys. He started a company called Julius. He came on the show about a year ago, but it's ChatGPT-type UI just specifically for data analysis.
Dan Lorenc:
Oh, cool.
Turner Novak:
You can plug your team in just like you give it prompts, it does stuff for you. It's pretty cool. I believe I'm a paid subscriber. The last time I looked, I saw the statement hit my card. I use it every once in a while. I don't do a lot of data analysis. I'm a VC, so we don't really look at numbers that often.
Dan Lorenc:
Only the ones that do diligence.
Turner Novak:
No, you just look at what's the ARR, is it going up? Is this an AI company, yes or no? Well, speaking of AI, do you have a favorite AI tool?
Dan Lorenc:
Recently, Claude Code.
Turner Novak:
Claude Code? Okay. What is that compared to other things out there?
Dan Lorenc:
Yeah, it's one of the vibe coding things like Cursor, Windsurf, but it runs in your terminal instead of an IDE. So you can still use whatever editor you want to use, but it's running in a terminal. Yeah, I just like the flow a lot more.
Turner Novak:
Interesting. Okay. Never heard of that one.
Dan Lorenc:
And then you only pay... It's from Anthropic, it's free. You just pay for the tokens.
Turner Novak:
Okay. So you actually had to once cut your hair in front of the whole company?
Dan Lorenc:
I did. Yeah.
Turner Novak:
It looks like it's grown back at this point.
Dan Lorenc:
It has. This was last September, so it's been a while. Yeah.
Turner Novak:
So what happened?
Dan Lorenc:
I had a bet with a sales rep. I was happy to lose that bet, let's say.
Turner Novak:
Are you allowed to say what the bet was?
Dan Lorenc:
Oh, yeah. It was just getting some deal above a certain size and, yeah, he got to pick out my haircut was the bet.
Turner Novak:
What did he pick?
Dan Lorenc:
It was surprisingly not bad. I thought he was going to go crazy like a buzz cut or Mohawk or mullet or something. But he just gave me a nice trim. I think he remembered that I still had to be on calls with him.
Turner Novak:
Yeah.
Dan Lorenc:
That's why you shouldn't get out of founder-led sales.
Turner Novak:
So you mentioned to me, I remember, when you raised a Series B, you casually mentioned like, "I bought a suit to raise a Series B just to show that I was taking this seriously," but what's your relationship like with suits now?
Dan Lorenc:
Yeah. So we were raising our Series B and, Bogomil, our board member, gave me this lecture that we had to take the process more seriously this time. We had to put a real pitch deck together. He would help out. We had to take it seriously. And so I'm still terrible at making decks, I've never made a pitch deck, but I went out, I bought a couple suits. And I was doing the walk down Sand Hill Road to all the firms and I was going to pitch them in my suit, but I was hanging out at the Sequoia office before, just working from there before my first meeting or something because they're all on that same road.
And he saw me in the suit and was just like, "What the hell is this?" Because he'd only ever seen me in shorts and a T-shirt before that. I was like, "You told me to take this seriously." And he was like, "That's not what I meant." And I think it was actually Kleiner where I left and they called me after and they were like, "We're so impressed with the suit, warned everyone that you were just going to show up in shorts and a T-shirt and you didn't." We didn't end up working with them that round. But I've started wearing a suit to every board meeting now. So I get a new suit... Actually, where is it? Yeah, right here's the box. I've got my new one. I haven't opened it yet, but this is for our next board meeting coming up.
Turner Novak:
What is it? It's just a white box. What's-
Dan Lorenc:
I can't show it. Yeah, it's a surprise until I break it out.
Turner Novak:
Oh, it's a drop. A new suit drop on each board meeting. What have been some of the classics or some of the ones you've rolled out?
Dan Lorenc:
There's all different... There's this cowboy one I had where I had a bolo tie and a cowboy hat on and cowboy boots. I like that one. Yeah. Yeah, you got to mix them up. I probably have eight of them now and it's hard to find new ones.
Turner Novak:
Did you wear a yellow corduroy suit?
Dan Lorenc:
Yeah, the yellow corduroy was good. That was a good one. I really liked that suit.
Turner Novak:
I can't even visualize what that would look like, but that's crazy.
Dan Lorenc:
It was good. Everyone's laughing at me, but then Bogomil got there, and Bogomil's very into fashion, and he was like, "That's something I would wear," and then everyone had to stop making fun of me because we trust him. Yeah.
Turner Novak:
Yeah. And then I guess last question, what is your favorite thing to 3D print?
Dan Lorenc:
So much stuff. Yeah, I've got all these little desk things now just sitting around my desk that I make. They have phrases on them. Bogomil... We can find the link, but I sent him one that says, "World's Best SDR," because he does so many-
Turner Novak:
He actually just tweeted this couple hours ago. I just saw this. Yeah.
Dan Lorenc:
It was great. He sent us an email, some other company made him a little certificate thanking him for all the sales and stuff he did. So I made him one that said, "World's Best SDR." I've got all these phrases I mail to people on my team, they have them on their desks.
Turner Novak:
So what does Bogomil do as an SDR, but he's on the board? What's the-
Dan Lorenc:
Whenever the sales team wants intros to certain customers or different companies and stuff like that, they all add him on LinkedIn, and then they see who he's connected to, and then they have him write emails. And one day, he sent me a screenshot of his email inbox and it was just 25 emails in a row from our sales team asking him to send emails for them to introduce them to people.
Turner Novak:
That's amazing. So there's two ways to do automated sales nowadays. It's the AI SDR, send a bunch of spam and slop, and then the other one is just have Bogomil send emails.
Dan Lorenc:
Yeah. He's great because he has so many LinkedIn connections, connected to everyone, but some of them are people he's known for decades and I always get the emails when they respond and some are just random people, he doesn't know who they are, but he's connected. But he's just completely shameless, emails them both the same, and sometimes it's like, "Oh, we haven't talked in 10 years. Here's what I've been up to," and he sends pictures and stuff.
Turner Novak:
Oh, wow. That's smart though.
Dan Lorenc:
Yeah. Other times, it's like, "I don't even know who you are, but I'd want to put in a good word for this company."
Turner Novak:
Amazing. It's probably like if you just look him up, you're like, "Oh, this guy seems pretty legitimate," a lot of people probably heard of Sequoia, so it probably just helps just take the meeting and get them talking about Chainguard. Cool. Well, this is a lot of fun. Thanks for taking the time to do it.
Dan Lorenc:
Thanks for having me on.
Stream the full episode on Apple, Spotify, or YouTube.