This post by François Dufour is part of our series on Product-Led Growth and Marketing Playbooks. There, we share insights and advice from leaders who have built successful PLG businesses marketing and selling technical products to technical audiences.
“Orian and his GitGuardian Growth team drive a ton of developer signups with a unique GitHub hack. You should talk to him, François”. After hearing this from Jeremy Goillot, founder of a large Growth community in France, I immediately asked for an intro to Orian. I was not disappointed. Orian Roturier, Head of Growth and Demand Generation at GitGuardian, a fast-growing French cybersecurity startup, kindly agreed to unpack their growth playbook and learnings.
A data engineer by training and with deep expertise in analytics and performance marketing, Orian has led the company's Growth playbooks since 2020. During his 3+ years at GitGuardian, he has scaled and optimized their growth and demand gen.
He revealed the details of GitGuardian's unique Github "hack", how they use data and industry-based content to connect their PLG and Sales-led motions, and how they "newsjack" some security breaches while providing value. He also explained how they structured their growth teams.
Let's explore GitGuardian's growth playbook:
We offer a SaaS platform for secrets management and code security. As the leader in secrets detection, we serve mid-market to large enterprises with engineering teams above 200 developers. Our products monitor public and private source code repositories, detecting exposed API keys, tokens, certificates, and other secrets. With over 350+ different secret detectors, they scan code commits across all major code hosting platforms.
The main users of our platform are application security engineers. But we believe in putting the developer "in the loop" to reduce the remediation workload. Since developers are at the source of security incidents with leaked secrets, they can often resolve them the fastest.
While the CISO makes the final purchasing decision, there are, on average 10-15 people involved in an enterprise deal's buying committee. We target everyone from hands-on appsec practitioners up to CISOs, including engineering managers, DevOps/DevSecOps, red teams, and even SOC team members. Navigating this complex web of stakeholders is key to selling our enterprise product.
80% of our customers are based in the United States.
We acquire users through both bottom-up product-led growth (PLG) and customers with top-down sales-led motions, fed by our PLG, Demand Gen programs, and an Industry-Based Marketing (IBM) approach.
Our Github "Good Samaritan" growth hack (which we'll unpack next) is the best example of our developer-led PLG approach. We provide value and utility first before any hard selling occurs. In addition to that hack, we also offer developers lots of free tools (“lead magnets”) to complete our bottom-up go-to-market motion. Some may not necessarily rival our GitHub hack in reach, but are great for surfacing the right intent.
For instance, we just launched: Has my secret leaked?, so one can check whether a secret was leaked on GitHub. This is a pure brand awareness play; we don’t even ask for an email. We also do Programmatic SEO and generate pages using the same template to handle low-volume but specific questions. We do that with our docs and go in-depth on how to remediate secrets.
All in, we acquired 400k+ users since January 2020 when we started running these playbooks.
For larger enterprises, we use a more traditional sales-led approach, leveraging third-party data, security events, and an IBM playbook. SDRs/BDRs and Account executives target security professionals and technology leaders as the primary buyers.
Here are our key lead sources:
For inquiries and demo requests:
This program proactively detects and notifies developers when their secrets get exposed publicly on GitHub. Here is how it works:
Our platform continuously scrapes public GitHub repositories looking for exposed API keys, access tokens, certificates, and other secrets that were committed accidentally.
When leaked secrets are found that pose a security risk, we immediately email the developer who owns that repository - typically within 5 minutes of detection.
These "Good Samaritan" emails notify developers of the potential credential leak, but contain no sales pitch or call to action. They simply alert developers to the risk, so they can promptly revoke or rotate those secrets. To avoid being spammy, we give the full context and the click takes developers to a “sign-up with GitHub” page -optimized for that flow - to go and remediate this specific problem.
We detect around 500,000 compromised API keys every month, translating to >10 million keys annually. Each month we notify over 120,000 developers about leaks specific to their projects.
And all that only costs us $90 per year to send these emails with a Mailgun account.
10% of developers receiving these notifications resolve their issue and sign up for GitGuardian.
For developers, having exposed secrets can be embarrassing and even detrimental to their careers. By handling notifications with care and empathy, we turn an unpleasant situation into a positive brand experience. Instead of a vendor selling services, we establish trust and credibility as a partner who has the developer's back. Initially, we turned that into social proof on Twitter but now have also fed a full-blown review program on G2, Peerspot, etc
This is a good reminder that, with developer-focused products, growth and revenue may follow value, but should not precede it.
90%+ of our bottom-up acquisition necessitates a Sales touchpoint, i.e. we rarely see full self-serve deals because the platform is a significant investment.
To scale beyond developers to large enterprises, we enrich signals from product usage to identify promising sales targets (using enrichment cascades via Clay for instance).
Our data team maintains a unified customer data platform (CDP) on Snowflake, joining behavioral usage data with our target account list and buyer profiles. The strongest usage signals like high-risk secret scans, frequent logins, and regular activity. We track and pipe that into Snowflake. There, our data team joins activity records to the accounts list and calculates “fit scores and likelihood to buy scores" to quantify sales-readiness.
Some examples of strong signals include:
These enriched account records then flow into our CRM and various go-to-market systems - including customer.io - to empower sales and marketing.
When high-value usage signals indicate interest from a target account, we employ orchestrated multi-channel campaigns to connect with the right stakeholders.
Instead of cold outreach, we leverage the product usage as a warmer intro to security champions. Contextual messaging based on the prospect's activity demonstrates our understanding of their needs.
IBM and Industry-specific content and messaging further accelerate these sales conversations by addressing the buyer's unique pain points. For example, metrics on IoT vulnerabilities resonate strongly with manufacturing accounts.
To scale this process, we recently established a business development team under marketing. This outbound team focuses on re-engaging marketing qualified leads (MQLs) that previously went cold. The BDRs prioritize event attendees, content downloaders, and product trialists who meet target account criteria.
Our product-led and sales-led motions are complementary. There are always some offline interactions and signals that are challenging to track.
From our data, only about 10% of closed deals had active product usage before sales discussions. However, I'm convinced our free trial and transparent pricing work tremendously in our favor, even if not tracked. People try our product with personal emails or developers hear from peers who've used it.
Selling to technical users, making sure we are transparent (we publish our pricing), and giving open access to information and our product - without requiring signing NDAs to take to sales first - are essential for building trust.
When major security incidents occur, the companies impacted need to disclose them. If the source code was made public, we immediately use our product to scan and see if secrets were exposed. Then we bring a lot of value to the reporter. We work with a PR agency in the US & EMEA.
Our security researchers quickly publish detailed breach analyses, establishing us as an authority on emerging threats.
These newsjacking campaigns generate significant website traffic, backlinks, and brand lift - converting media attention into growth.
But we avoid sensationalizing issues, aiming to provide genuine value through thoughtful analysis.
The keys to success with this technique are having:
We also create an annual State of Secrets Sprawl report. It highlights the growing problem of secrets sprawl and how organizations can address it.
We produce this in a three-month collaboration between our content, R&D, and data science teams. Our data engineers analyze usage statistics from our product for proprietary insights, and from public GitHub leaks. We also commission a third-party polling service to incorporate survey-based perspectives from security practitioners.
The final report synthesizes trends on the expanding scale of secrets management issues, top challenges teams face, and emerging best practices for detection and remediation. This campaign has become a keystone of our thought leadership.
Sponsoring industry events remains a pillar of our strategy, but we try to have a smart and low-cost approach to them with careful tracking and targeting.
Here are some keys to our event formula:
For us, RSA provides better results than Black Hat based on attendee profiles: we find more application security engineers there.
Our marketing team counts around 20 people structured into four teams:
This team includes technical writers, usually former developers, who create educational articles, guides, and documentation, and developer advocates who turn them into social media posts, conference tech talks, webinars and more. Their content powers marketing campaigns across the funnel.
They enable sales and drive product launches. They craft positioning and messaging and also started a tech partnership program
With one in-house website integrator (a Webflow expert) and a designer.
With about 10 people, it includes:
They are responsible for:
They manage our local events, our presence at large security trade shows such as RSA or Black Hat and events from associations such as OWASP. They also support customer marketing with the CSM team and Channel marketing with the Channel Sales rep.
Our inbound-focused BDRs nurture and convert marketing-qualified leads through multi-touch outbound campaigns.
Everybody in marketing has the same true north target = the dollar amount of new opportunities created. This shared goal is great for tight collaboration and shared goals.
For growth-focused marketers looking to step up their game, I recommend these resources: