GitGuardian CEO Jérémy Thomas talks with FrenchWeb about recent capital raise and automating secrets detection for Threat Intelligence and Data Loss Prevention
GitGuardian, the French company specialized in cybersecurity, raised 12 million dollars with Balderton Capital. The company’s CEO, Jérémy Thomas, is with FrenchWeb to tell us more.
See the english transcript below.
Patrick Bertrand - Hello Jérémy.
Jeremy Thomas - Hello Patrick.
PB. Welcome to FrenchWeb.
JT. Thank you.
PB. You founded GitGuardian in 2017 with Eric Fourrier to search for publicly available confidential information, hidden in companies’ code. What were the initial insights that triggered the creation of GitGuardian?
JT. My co-founder and I are both engineers by education and I think we stepped into the security industry from a data perspective. We handled large amounts of data on a daily basis and in the beginning, GitHub was an amazing playground for us. The general public isn’t very familiar with the GitHub platform, even though there are 40 million developers producing 2.5 million public pieces of code a day. These are called “commits”. And the initial insight we had is that these pieces of code contain extremely sensitive information. What I mean by extremely sensitive is that some of the vulnerabilities that we detect can potentially cause dozens of millions of dollars in damage for certain companies.
PB. And these pieces of code are generally found by hackers, or red hats, I believe is the term?
JT. They are called black hats actually - hackers with malicious intentions.
PB. Your solution operates through a combination of algorithms. Without revealing the secret sauce, unless you want to, in a few words, how does your technology work?
JT. Of course, my pleasure. In a way, we are competing with these black hats that we spoke about. On one side, we are competing on the speed of detection - today, we detect an exposed vulnerability in 4 seconds on average. It is a very, very fast reaction time. The industry is more used to detection times of roughly around 100 days. That is the first point. Secondly, we also compete with these black hat hackers on the intelligence side, meaning being able to detect a large scope of vulnerabilities. To this date, we have sent over 400,000 alerts in 2 years and we send around 1,000 alerts every day. These alerts are labelled by our users and our clients, who give us feedback on whether it is a real or false alert. We then reinject this information in our algorithms and this is how we become better every day.
PB. And that is how you help your clients save dozens of millions of euros or dollars. Your clients, who are mostly American, with three fourths of your client base in the USA and the rest in Europe.
JT. Yes, that is right. This was a strategic choice since the very beginning of the company. The intuition we had behind it is that, as a software-developing company, succeeding in the American market was essential in order to conquer the global market. We don’t have the time to start in France, to then expand in Europe and finally to spread in the USA - an American competitor could potentially beat us to it. So we have a sales team made up of Americans that talk to prospective clients from France, sometimes with the time difference, sometimes late at night for the West Coast. And we have also built a product that has no geographical boundaries.
PB. Without bad-mouthing French companies, how was a French company able to do so well in the USA, a country where this kind of technology is already very successful?
JT. Yes, it is true that there is a disproportion between the size of the issues we address, since we’re talking about leaks that can cost several dozens of millions of dollars, and the size of our company, and the fact that we are a French company in the American market. We are the first ones in this market and we have found something rather counterintuitive, so we are definitely expecting to have emerging competitors.
PB. And that is the reason why you have raised 11 million euros, almost 12 million dollars. Can you tell us a bit more about the behind-the-scenes of this fundraising with Balderton Capital?
JT. Balderton is a VC firm that has been closely following our growth for about a year now. It is a fund made up of entrepreneurs and therefore they understand the everyday problems we face, specifically in two big aspects. The first is the American aspect - they proved that they were capable to take companies like ours to the States and accompany them, like they did with Aircall, which has now established itself there; like they did with Talend, which launched its IPO on the NASDAQ. The second aspect is that of cybersecurity, which is a very particular industry and one that Balderton knows very well. One of the companies in their portfolio is Tessian, a British email security company that also operates in the US. And they sold RecordedFuture for $780 million.
PB. Indeed, one of the most prestigious VC firms in Europe. They also have Citymapper, GoCardless, Revolut, VestiaireCollective in their portfolio at this time. What does Balderton ask of you and what are they looking for in your company?
JT. I believe that they were mostly enticed by the American aspect, the desire to conquer the United States very early. Our roadmap is now very clear. As of today, we are 18 and we plan to hire 25 people every year for the next two years. One part of the sales hires will be in the USA, and the technical teams will stay in France. We are still relatively alone in the segment so far. We have the advantage of time on our side because we are the first in a market that can almost seem counterintuitive at first. Our main goal is to continue to widen the gap with future competitors by developing our current product offering and by continuing to create customer loyalty.
PB. The highest valuations we have in Europe are in the UK, Scandinavia and Benelux. In your case, it is different because you are starting by attacking the American market instead of the French one. Do you think investments like this will help push up the valuations of other companies in Europe, that are similar to yours, and further boost French companies’ exits? Let me know if the question is clear.
JT. Well, the American market definitely opens up more capital and you can be sure that the next VC firm that joins GitGuardian for our next fundraising round will be an American fund. Having already established ourselves there will help us raise much more capital than what we could have raised if we had stayed solely in Europe.
PB. Your clients are currently based between the United States and Europe. Will your next objective be to develop these two markets, or seek new ones in the next months or years?
JT. For the time being we will stay focused on Europe and the USA. Our typical customers are large American corporations with many developers, but we are also working with companies like Datadog, Algolia, Dashlane, that are very well-known tech companies.
PB. And whose data is very crucial.
JT. Yes, very sensitive data. However, the security industry is very secretive and that is why I cannot reveal the names of all of our clients.
PB. If I understood, your solution is free for developers, but works on a subscription basis for companies. What is the average deal size for your paying customers?
JT. It depends on the size of the client. The size is based on the number of publicly active developers for our “Public” solution, or the total number of developers for our “Private” solution. The deals can go from $40,000 to several hundred thousand dollars per year.
PB. What kind of changes have you noticed in companies’ data management strategies after the GDPR was implemented in May 2018?
JT. The GDPR and the CCPA, its Californian equivalent, are top of mind for our customers. Something to note is that we do not extract data. However, within the sensitive information we detect, we can find usernames or access keys which give access to systems filled with personally identifiable information. Companies are very concerned about this because the regulators have shown their willingness to impose colossal fines. They did it with Uber. In 2016, Uber got hacked after a credential was left exposed on GitHub in a repository that was not sufficiently secured. This credential gave access to more than 50 million personal records of the platform’s users. So the regulators gave them a fine of over $150 million to settle this case.
Which is quite a lot when you know that it comes from one line of code mistakenly left unattended.
PB. Thank you very much for your insight, Jérémy.
JT. Thank you, FrenchWeb.