HashiCorp's IPO, Bottom-up Adoption, and Layering

A deeper look into the unique ingredients that made HashiCorp into a special company and propelled it to an IPO.

HashiCorp ($HCP) IPO'ed on Thursday, December 9, 2021 — another company with a heavy stake in cybersecurity to go public during a busy year for IPOs in the industry. Their nine-year journey as a company is an interesting one to follow. HashiCorp is unique in the truest and best sense of the word.

Their uniqueness stems from several attributes about HashiCorp as a company, including their leadership and culture, products and focus on open source, and growth via unwavering focus on developers. In this article, we'll study these characteristics in more detail along with the company's future growth prospects as a public company.

Beginnings and Entry Into Cybersecurity

It's hard to place HashiCorp cleanly within a single industry segment. They've been a multi-product company since the very beginning. And they continue to enter new, adjacent markets every year.

Before HashiCorp was formally founded as a company, co-founder Mitchell Hashimoto created Vagrant, an open source product that creates and manages virtual development environments.

Vagrant launched in 2010 and gained so much traction by 2012 that HashiCorp was formed to formally support it. A fun time capsule from 2012 shows the roots of HashiCorp's open source beginnings:

Packer was launched shortly after, and they've been launching new products ever since.

HashiCorp is unique in that it's more focused on themes than specific technologies. The Tao of HashiCorp (an interesting and thoughtful document in its own right) defines the company's focus on workflows:

Workflows, not technologies

The HashiCorp approach is to focus on the end goal and workflow, rather than the underlying technologies. Software and hardware will evolve and improve, and it is our goal to make adoption of new tooling simple, while still providing the most streamlined user experience possible. Product design starts with an envisioned workflow to achieve a set goal. We then identify existing tools that simplify the workflow. If a sufficient tool does not exist, we step in to build it.

Opportunistically building around developer workflows is how HashiCorp ended up with products in multiple different industry segments. They see problems and build tools to fix them. There's a common theme, for sure. In HashiCorp's own words, their products are:

...critical processes involved in delivering applications in the cloud: infrastructure provisioning, security, networking, and application deployment.

The unique part is intentionally focusing on workflows and building from there. As we'll explore more later, focusing on workflows is just one of many unique beliefs HashiCorp holds as a company.

In terms of the cybersecurity ecosystem, HashiCorp fits into the category of a "hybrid" company — one with significant cybersecurity product offerings and revenue combined with other non-cybersecurity products and revenue. From my Cybersecurity is Going Public article:

Some companies are "hybrids" — a combination of two or more traditional industries. This type of company is debatably part of the cohort of public cybersecurity companies. Opinions vary, sometimes based on financial data, and sometimes based on perception and beliefs.

A few examples are Cloudflare, Sumo Logic, and Splunk. Cloudflare is a combination of networking and cybersecurity. Sumo Logic and Splunk are a combination of application monitoring and security operations. Significant parts of their product portfolio and revenue come from cybersecurity, and part comes from other industries.

HashiCorp entered the cybersecurity ecosystem in 2015 with the launch of an open source version of Vault, followed by an enterprise version in 2016. They added Boundary in 2020.

What's more unique is the way their adjacent products enable security. A brief case study from the S-1:

Our products can be adopted individually and are also designed to work together as a stack in order to solve larger, more complex challenges. For instance, deploying Vault and Consul is the basis for a complete Zero Trust security architecture with identity-driven controls, offering a full range of authentication, authorization, and access management for human users or machines, like servers or applications.

This example is representative of a larger technology trend: the line between security and other foundational technology tools is being blurred.

HashiCorp is connecting the dots between infrastructure and security, similar to how Cloudflare connected the dots between networking and security. New technologies have security intentionally built in and enable the security outcomes companies want by default.

Even though HashiCorp only classifies two of its products as pure security offerings, all of their products support security in important ways. That's the type of future we want — one where security is an inherent part of how we build and deliver tech, not an afterthought.

Philosophy, Leadership, and Culture

HashiCorp is one of the rare cases where a company's underlying philosophy is truly a differentiator. I would argue their philosophy is the most unique and critical differentiator they have — especially because of the way it drives everything they do.

In true open source spirit, HashiCorp's company philosophy has been publicly available for years. It's implemented across three different pieces, all written by the founders:

HashiCorp isn't the first company to make some or all of these aspects of their culture public. However, what they've done is one of the best implementations I've seen. Everything they do has a level of intentionality, cohesion, and polish that's unique for any company — much less a company with exclusively open source products. HashiCorp has a unique aura that simultaneously captures and shapes the zeitgeist of our times.

The company and its philosophy are unique because of its founders. Mitchell Hashimoto and Armon Dadgar founded the company as students at the University of Washington...sort of. Incredibly, the company eventually known as HashiCorp almost failed before it started. This is Mitchell Hashimoto's recap of the timeline and sequence of events:

And it was a learning experience as we went through bad idea after bad idea. Ultimately, we ended up abandoning it and both moved to San Francisco and working at the same mobile ad company.

It was only moving back to the Bay area and being surrounded by a bunch of tech companies that we realized like, "Wow, a lot of these people are hitting the problems that we hit like four or five years ago."

I wrote down the notes for that retro in a moleskin notebook, and I still have it. And it was like four years later that I opened that notebook and I was like, "Yeah, we wrote all these down. We should try to solve these."

Patience stands out in the story of HashiCorp. After graduating, the founders didn't race out to raise a pile of venture capital money to fuel their search for problems and solutions. Even after agreeing to start a company during college, they toiled away at Silicon Valley tech companies for years. These years gave them a true understanding of the emergent problems in cloud infrastructure they were uniquely suited to solve.

Another unique twist to the story is Mitchell Hashimoto's principled decision to step down as an executive and remain with the company in an individual contributor role:

He further expanded on his rationale and personal philosophy in a tweet and subsequent Q&A in the comments the next day:

Mitchell Hashimoto is special.

Most people don't become founders and executives of multi-billion dollar startups in the first place. The few who do rarely have the self-awareness to introspect and understand the work they truly enjoy. And then, there's ego. Founders who aren't doing what they enjoy rarely step down — especially not to individual contributor roles while remaining with the company.

HashiCorp reflects the best qualities of both Hashimoto and Armon Dadgar. That's why it's valuable.

Products, Open Source, and Layering

HashiCorp's product strategy is unique because of the number of products they've developed from scratch and their process of incubating products from free open source tools into commercial enterprise offerings.

One of the biggest challenges for tech companies is continuing growth after demand for their initial product plateaus. Andreessen-Horowitz Managing Partner Jeff Jordan described the problem like this in his now famous article:

Virtually all businesses, even hyper-growth ones, inevitably experience slower growth as they get larger, with their growth rates falling relentlessly back down to Earth over time. I call this effect “gravity” and it will weigh down even the most promising of companies—unless a CEO can find a way to accelerate growth and positively change the long-term growth trajectory of the business.

Based on his experience at eBay, Jordan argues the solution to this problem is a strategy called "layering":

I came to call this process of layering in new innovations on top of the core business “adding layers to the cake”. Much of the natural effort in the organization is spent on chasing optimization of the core business. This makes sense, as small improvements in a big business can have a meaningful impact. But there is huge potential leverage to adding layers of new, complementary businesses on top of the core (aka “cake”).

Since the beginning of the company, HashiCorp has developed layers of products that continuously add complementary revenue and new market segments on top of its existing business. This visual from the S-1 filing clearly shows the layering strategy at work:

The best part about HashiCorp is that their layering of products appears to be an intrinsic and innate behavior of the company. They build new products because they find new needs that need to be addressed and only then start generating revenue from products that already have traction. It's a much more fluid and organic process than saying "oh, $&#@, we need more revenue so let's build or buy a product."

It's also worth noting that HashiCorp's product hits keep getting bigger. Many successful companies are like one-hit wonders: the original product they build is great, and every product after fails to match the success of the first.

HashiCorp is a consistent hit machine. Their original Vagrant product was wildly successful among developers. Subsequent launches of Packer, Consul, Terraform, and Vault were all successes in their own domains. HashiCorp's path to sustainable growth rests on their continued production of hit products — something they've already proven to be capable of multiple times over.

Their layering strategy works because of open source. HashiCorp is steadfastly committed to the model of building open source products first, then adding enterprise-specific features on top of them. From the S-1:

We have deliberately built our products using an open-core software development model. All of our products are developed as open source projects, with large communities of users, contributors, and partners collaborating on their development. We sell proprietary, commercial software that builds on our open source products with additional enterprise capabilities.

Building and releasing smaller open source products for free — and many years before turning them into commercial enterprise offerings — allows them to iteratively test and refine until they've built something people truly want.

Monetization aside, the open source model is clearly working. The S-1 includes two mind-bending stats about HashiCorp's open source adoption. First, their open source products have millions of downloads:

Companies of all sizes and industries use our products, which have been downloaded approximately 100 million times during the fiscal year ended January 31, 2021, or fiscal 2021.

And second, they have a high number of GitHub stars (favorites or likes from other developers) for each of their products:

Today, HashiCorp is one of the highest rated software technologies for practitioners, as evidenced by over 219,000 stars on our GitHub repositories. Our GitHub community includes thousands of contributors beyond our employees, including hundreds of partners.

Although we don't have the data to break down the exact number of downloads by product, it's worth noting that the GitHub stars are distributed relatively evenly across products (i.e., one product isn't driving the statistics):

Numbers like this aren't surprising for, say, a small and ubiquitous open source package used by many developers. However, enterprise-grade infrastructure and security products are much bigger and much less exciting. The only conclusion you can draw is that HashiCorp's products are effective, and developers love them.

Developers and Bottom-up Adoption

HashiCorp is one of the only cybersecurity companies that has grown with a bottom-up adoption strategy. Bottom-up adoption for enterprise products is a relatively new and novel concept, originally made famous by Slack.

Andreessen-Horowitz put some formal definition around the approach when partners Martin Casado and Andrew Chen started talking publicly about the topic in late 2018:

Casado elaborated on the phenomenon in an a16z podcast episode:

So traditionally in the enterprise, you’d build a product, and that product would be informed by your knowledge of the market. And then once that product was ready, you’d go ahead and sell it by hiring salespeople and the salespeople would go directly engage. You’d probably do some sales-led marketing where maybe the salespeople would go find the customers or you’d have some basic marketing to do it. But the majority of the go-to-market effort in the early days was this kind of direct sale.

And we’re seeing kind of this huge shift, especially in SaaS and in open source where companies establish massive market presence and brand and growth using these kind of more traditional consumer-ish growth motions. And then that very seamlessly leads into sales, and often a very different type of sale. And so I think a lot of people in the industry are on their heels, both investors and people that have started companies in the enterprise before, they’re trying to understand exactly what’s going on.

In the case of HashiCorp, they get hands-on users (practitioners, in their words) within companies to adopt their open source products for free. Once usage grows to a point where the company wants to buy an enterprise subscription, HashiCorp has a new paying customer.

HashiCorp's unique approach to sales and marketing matters because it's the recipe for their rapid, exponential growth. Martin Casado describes the distinction between traditional enterprise sales and successful bottom-up adoption like this:

On the other hand, we see companies that will just do sales. And for them, it’s actually very difficult to grow quickly because they don’t have the type of funnel that you’d get from the growth metrics. And the ones that seemed to have figured it out the best, what they’ll do is they’ll create kind of a brand phenomenon. They’ll get this growth, they’ll get that engine working and then they do kind of tack on some sort of sales on the backend and then those two motions work in tandem.

HashiCorp created a phenomenon that drove organic growth, then added enterprise sales to monetize the adoption. More impressively, they accomplished this at least four times — once for each of their flagship commercial products.

The S-1 filing describes HashiCorp's product and sales strategy in a nutshell. It's exactly in line with a bottom-up adoption strategy:

At HashiCorp, we've always built tools we want to use ourselves. When practitioners succeed with our products, we win the right to be considered a commercial partner to their organizations.

All of this matters because establishing a balanced bottom-up and top-down growth engine is an incredibly valuable asset. The growth engine HashiCorp has built is the envy of every company with a traditional enterprise sales model — including nearly all of the publicly traded cybersecurity companies.

HashiCorp's point of view on developers as their end users is also distinct from their industry peers. From the S-1 filing:

Practitioners, rather than executives, have become the decision makers for adopting modern enterprise products, making it imperative that we focus on these end users.

It's an interesting point of view because HashiCorp is one of the first companies to call out this trend so explicitly. You'd expect to hear something like this from an early stage startup pitching to VCs, not a company at the point of an IPO. This rhetoric is also more common for pure dev tools companies than enterprise cybersecurity companies.

This vision of the future isn't fully realized yet (plenty of executives still consider themselves the decision makers, thank you very much!). However, the trend is in motion. HashiCorp is a recent case study reinforcing that organic growth through bottom-up sales is a viable growth strategy. More importantly for us, HashiCorp proves this approach is possible for cybersecurity companies.

HashiCorp's Future as a Public Company

First, the elephant in the room: HashiCorp is losing a lot of money. From the S-1:

We incurred net losses of $53.4 million and $83.5 million for fiscal 2020 and 2021, respectively, and $76.6 million and $62.4 million for the nine months ended October 31, 2020 and 2021, respectively. We expect we will incur net losses for the foreseeable future as we continue to invest into the market opportunity ahead of us.

HashiCorp's products are used by millions of people and over 340 of the Forbes Global 2000 companies. However, the concern many investors have is how much value they can capture and monetize. Martin Casado described the tension around monetization for this type of company in the a16z podcast:

At the highest level, I think there actually are a lot of conflicts in these motions and in a number of areas. And the most obvious one and this is something that’s so prevalent in open source is, a good way to get organic growth is to give something away for free. And if you give it away for free, it may be hard to monetize it because a lot of the assumptions here are predicated on organic growth, there’s always an open question of how much do you give away versus how do you monetize it? Enterprise really is all about monetization because there is no conversion between eyeballs and dollars like you do in kind of more advertising-like domains. And so there’s a real tension there.

As Casado noted, the ongoing tension for HashiCorp will be how much to give away versus how much to monetize. HashiCorp faces this problem at both the micro and macro level because they're a multi-product company. At a micro level, the tension is about which features and services to include in the open source product versus an enterprise offering. At a macro level, some products are highly monetizable (for example, their four current commercial products), and others are useful but may never become profitable.

In business, people (especially investors) want a predictable and linear path towards profitable growth. HashiCorp doesn't have that, and the reason is simultaneously frustrating and exciting. This is the tension Casado characterized so well.

HashiCorp's losses are a delicate cycle. R&D investments drive innovation and new product development, which attracts developers and creates fans. Attracting developers drives the bottom-up adoption that eventually converts to paying enterprise customers.

If HashiCorp stunts the R&D process to reduce spending, it risks a cascading effect that causes developers to lose interest and the bottom-up entry into enterprises to slow. They can't kill their growth engine. So, their only option is to keep investing and do their best to continue fueling organic growth.

They have the attention of developers, a precious and valuable asset to command. However, the downside risk of building your company around developers is real. HashiCorp faces many of the same challenges as Auth0, another developer-focused company. I said this when analyzing Auth0's acquisition by Okta:

Developers are a notoriously finicky bunch with little tolerance for hiccups or other inconveniences.

The upside of building and nurturing developer attention and support is more exciting than it is risky. Amazing things can happen when developers are behind your company. It's the closest thing to viral growth that's possible in an enterprise setting. And it's one of the only ways explosive growth numbers like these are possible:

Our revenue was $121.3 million and $211.9 million for the fiscal year ended January 31, 2020, or fiscal 2020, and 2021, respectively, representing year-over-year growth of 75%. Our revenue was $150.0 million and $224.2 million for the nine months ended October 31, 2020 and 2021, respectively, representing period-over-period growth of 49%.

When developers can adopt your products, you find a way into the largest companies in the world without the toil and frustration of long enterprise sales cycles. Competitors with top-down enterprise sales approaches often spend thousands of dollars and years of time to close a sale.

All too often, their efforts are unsuccessful because an appealing product with self-service adoption circumvents the regular enterprise procurement channels. By then, it's too late to turn back — the product is already implemented, and people love it. HashiCorp is one such example, and a rare one in cybersecurity.

Ultimately, the promise of HashiCorp is its uniqueness: philosophy, products, and community. The upside is tremendous if they can keep building upon these unique characteristics in the years to come.
