Selling to CISOs When You Are Two Founders and a Laptop


I want to be honest about something that most enterprise startup founders do not talk about publicly: selling security software to CISOs when you have no brand, no case studies, no SOC 2 badge, and no sales team is one of the hardest things I have ever done. And I have done hard things. I led two exits before this. Sliderule was acquired by Block. Neustar was acquired by TransUnion. I spent 14 years scaling B2B companies across fraud, risk, identity, and security.

None of that prepared me for the first cold outreach as a two-person startup trying to sell enterprise security.

The Problem Nobody Warns You About

Enterprise security buyers are, by professional necessity, the most skeptical people in any organization. Their entire job is assessing risk. And a startup with no track record, no production deployments, and no third-party audits is, by any rational measure, a risk.

Here is what the first few months looked like. We would get a meeting, often through a warm intro from someone I had worked with in a previous life. The CISO would be polite, sometimes genuinely interested. They would ask about our architecture, and Raj would walk them through BYODb and the detection engine. They would nod. They would say it sounded promising.

Then they would ask for customer references. Case studies. A SOC 2 Type II report. A security questionnaire with 300 line items filled in. And the conversation would stall, because we did not have any of that. We had a product. We had conviction. We did not have proof.

The Guarantee That Changed Everything

After the third conversation that died in procurement limbo, Raj and I sat down and asked a simple question: what if we removed every reason to say no?

We built what we call the risk-free deployment model. The pitch is simple: we deploy. You do not pay until we deliver. If we do not measurably reduce your SOC effort, you owe nothing. No credit card. No commitment. No purchase order. No contract until you have seen the results with your own data in your own environment.

It sounds aggressive. It is aggressive. But when you are two founders and a laptop competing against vendors with billion-dollar market caps and 500-person sales teams, you need an asymmetric advantage. Our advantage was that we were willing to bet on our own product in a way that incumbent vendors never would.

Closing the First Three Pilots

The guarantee changed the dynamic completely. Instead of asking CISOs to trust us, we were asking them to let us prove it. The risk was entirely on our side.

We closed our first three pilots by leading with the guarantee. The conversations shifted from "convince me you are legitimate" to "okay, show me what you can do." That is a fundamentally different conversation. One is about credentials. The other is about capability.

Here is what we learned from those first deployments:

  • Deploy fast or lose momentum. We committed to getting into production within two weeks. If deployment takes months, the champion who brought you in will lose internal credibility and move on to other priorities.
  • Show value on day one. We instrumented everything so the CISO could see hours saved, incidents automated, and false positives eliminated from the first day of the pilot. No waiting for a quarterly business review to demonstrate ROI.
  • Full transparency, always. Every metric is visible in the dashboard. Hours saved. Incidents automated. ROI delivered. If the numbers do not look good, we want to know first so we can fix it. Hiding behind vague "value delivered" language is what incumbents do when their product is not performing.

Proof in the Numbers

The best validation came from our healthcare deployment. The results were concrete: $2.1M in savings, 340% ROI, and a 4-month payback period. Those are not projections. Those are actuals from a production environment running against real security telemetry.

When you have numbers like that from even one customer, the sales conversation transforms. You go from "trust us" to "here is what we did for an organization like yours, and here is how we are going to prove we can do the same for you."

We are now in pilot with enterprise security teams across technology, financial services, healthcare, and government agencies. Every single one started with the same guarantee: you do not pay until we deliver.

What Did Not Work

I want to be equally honest about what did not work, because the founder narrative that everything went perfectly is never true.

Cold outreach to CISOs we had no connection to had a near-zero response rate. Enterprise security leaders get pitched constantly, and an email from a startup they have never heard of goes straight to the archive. The warm intros from my network were essential for getting the first meetings. Without those relationships from 14 years in the industry, I do not know how we would have gotten in the door.

Content marketing took longer to produce results than I expected. We wrote good technical content, but it took months before it generated inbound interest. If you are a pre-seed startup counting on blog posts to fill your pipeline, you will run out of runway first.

We also underestimated how long procurement takes even when the CISO is sold. Security teams buying security software still have to go through vendor risk assessments, legal review, and budget approval. The guarantee shortened the evaluation cycle, but it did not eliminate the procurement process entirely.

The Playbook Going Forward

What I have learned is that early-stage enterprise sales is not about having the perfect pitch deck or the most polished demo. It is about removing friction and proving value before you ask for money.

The guarantee is not a gimmick. It is a structural advantage. It forces us to build a product that delivers measurable results because our business model depends on it. If our platform does not save time, reduce incidents, and demonstrate clear ROI, we do not get paid. That alignment between our incentives and our customers' outcomes is something no incumbent can replicate, because their business model is built on contracts, not on results.

"We deploy. You do not pay until we deliver. If we do not measurably reduce your SOC effort, you owe nothing."

If you are a CISO who is tired of evaluating vendors through slide decks and reference calls, let us prove it in your environment. No commitment. No risk. Just results.

Ruchika Sharma

Co-founder & CEO
Stanford GSB and Georgetown economics. 14+ years scaling B2B companies across fraud, risk, identity, and security. Led two exits: Sliderule (acquired by Block) and Neustar (acquired by TransUnion).