It’s been almost 1 month since I started working on Magehash.
This is the first cybersecurity product I’ve ever developed, so I decided to share what I’ve learned so far!
1) Selling Pain Points
We can divide products into three different groups: candies, painkillers and vitamins.
We don’t want to have much to do with candies.
Vitamins are interesting.
We love Painkillers.
For cybersecurity software it’s hard to be a painkiller, as what we’re generally trying to do is prevent attacks. Generally these kinds of products are like vitamins: they make us stronger, but we don’t really notice the effect they have on our health.
Businesses think in terms of revenue growth, so it’s easy to pitch something that increases revenue.
It’s much harder to convince someone that they have a possible security problem and that they should try to address it. Managers don’t care, and unless it is a common security practice, companies are skeptical.
So Magehash is like a superfood: if it becomes trendy it’s something like goji berries; if it fails it becomes something like Cordyceps extracts (a superfood nobody eats).
When companies spend money on cybersecurity they are interested in the following aspects:
- Does this save us money?
- Does this increase our margins?
- Are we really forced to address this problem?
So the solutions that can sell are either substitutes for existing products or bug bounty programs.
Bug bounty programs are extremely interesting to analyse, as they’re a cheap way to pay only for getting many eyes on your website. At the same time, every expense is justified and much cheaper than getting exploited.
2) Content Marketing & Ads
One way of getting in touch with leads is getting them to come to you by starting conversations in communities around the internet.
To do this you have to instill some deep fear of being vulnerable. The more practical and imminent the attack sounds, the easier it is to sell a solution, as there is urgency to act.
Ads are usually a terrible idea for enterprise products unless you buy a stand at a cybersecurity conference or something else really targeted.
3) Cold Emailing
Magehash’s main application is to protect websites from credit card skimmers.
One thing I’m trying to gather data for is what threat monitoring dashboards companies are using.
The problem is that when you ask people “What platform are you using to host your videos?” it sounds innocuous.
When you ask “How are you protecting yourself from x attacks?” or “What is your Security Information and Event Management (SIEM) system?” people get suspicious.
It’s perfectly acceptable for possible leads to be skeptical when receiving these kinds of emails.
The only way I’ve seen cold emailing work for this kind of product is with introductions.
Introductions are awesome because they help you establish trust.
Cybersecurity products are not really about security, but about trust and transparency. And the best way to gain trust is to be transparent and honest about your product’s capabilities and gain the respect of other professionals through your work.
If your product is good enough for people to feel like introducing you to possible clients, you’re doing this right!
Enjoyed this post? Got any content to suggest?
My articles are always a work in progress and almost never complete, so if you have any suggestions for how I can improve, hit me up at hi[at]ferrucc[dot].io or DM me on Twitter.