This is where the presence of your salesperson, they need to be able to capture the attention of the person on the other end of the line, to understand the challenges they have and how they can help them remove the pain from their day to day job. Right?
Jack BridgerHi, everyone. You're listening to scaling DevTools. I'm joined today by Vivienne Dufour, who is the founder and CEO of Matarian, a company that specializes in open source dependency management. Vivian, thank you so much for joining.
Thank you, Jack, for having me. I'm not a sole founder. So I just wanna clarify. Co founder. But, yeah, I'm half of the the founding company. My co founder, Bria Boswell, is a CTO and inventor. Yeah, really delighted to be here. Thank you so much for having you.
Jack BridgerYeah. And so we're gonna dig into kind of, like, enterprise sales, how you hire salespeople, and all the stuff that you've learned along the way. But first, could you tell us a bit about the origin story of Matarian and a bit more about what you do? Yeah.
I'd love to. So, so I'm product developer or product manager by trade and, the work in product development for most of my career. And I met my cofounder at an educational firm. And our remit was to take a software app viral in, in schools across across Europe and the world eventually. And, I said, wow.
Well, it's gonna be in the classrooms and teachers and students. That's that's a pretty, you know, it can be a pretty tense situation that there's like a cyber attack or somebody takes over the session in the app. So I said, could we do a, you know, check on this security of the application? And the immediate response from management was, oh, no, no, no. Don't worry about that.
Just go viral first thing. We'll figure out security later. And I said, well, the reputational risk is really too high because of it. You figure out later, it's kinda too late. So I did ask my CTO on the team, which is Bruno at the time, to do, they say, a quick and dirty check.
And I said, yeah, you know, take half a day or a day what you need so you get that summary. And then in less than an hour, he came back to me and said, oh, go check your your account. And he had actually found a backdoor to open source vulnerability. And they say compromise my account and, you know, had the messages like, you've been hacked, moved around some image content that I had, I had that, you know, curated in my in my account. And it just showed me how how easy it is to do.
And I knew there were these cross site scripting vulnerabilities, SQL injection, but I I didn't realize that, okay, if you know what effect is, then it is really that easy. It's just minutes. So that opened my eyes. And when the opportunity came up to, you know, help him out with the business, then I jumped on it. So now we're like, you know, several years later and we has we have a successful business at Traction, and we're almost self sustainable.
Jack BridgerYeah. That that's amazing. And and kind of what what made you go from, like, okay. This is kind of a problem to, like, I want to, you know, dedicate all my time and energy to solving that.
Well, I think I was quite frustrated that the industry was starting to have so many hacks on cyber breaches announced on on the news, and so many people were affected. Personally, I was affected in the Equifax breach. That was back in 2,008 17. That was due to a open source vulnerability in the Apache Struts module, that was not patched even though there was a patch available that could be applied. And, unfortunately, I was one of those users who got this mysterious letter in the posts from Equifax saying that my my data was compromised.
So it it led me to a lot of doubts in, the trust of all these large corporations that are holding our data. And then in the news, many companies, you know, McAfee, LinkedIn, Yahoo. So I said, this is this is my kids. Like, we we've built a great service in terms of putting all information online, making it convenient to transact. And we, you know, we really changed the industry to to have people try new ways of doing things to be more productive.
But at a at a cost of risk that I think now it's becoming too high. So when this opportunity left, I felt I felt quite mission oriented, and it was something that I can really get behind. I use my skills to contribute to, to the solution rather than just sit as a innocent bystander.
Jack BridgerYeah. That's it. It's definitely a real big mission, compared to a lot of things. Right? That's very important. And do you find that most of the companies you're working with are doing anything around this, or are you kind of differentiating yourself against, like, alternatives?
Oh, the it's a established market. So there are many incumbents, that had been around, like, legacy players at Black Duck, Vericode, come to mind. And more recently the more recent companies, of course, is the Unicorn Snee. GitHub, GitLab also have a flavor of, software dependency management that they include in their DevOps, suite of tools for developers. So there's you know, it's not a small market.
But we differentiate because we provide a comprehensive risk visibility specifically on open source to NMCs. We also have very good, automation. It's very smart and intelligently sense that we, remove duplicates. We, minimize the amount of noise so that developers are not overwhelmed with false positives. So these are definitely verified open source vulnerabilities that have been embedded in the fields.
Of course, developers themselves have to check, if if it is applicable to their own application depending on how the logic of their application is is used. Because many of these dependencies, I hate you as familiar with is that they have, they're all nested. So they, they include other dependent open source components. So therefore, you have to also analyze the the transitive dependencies. We make it very easy to use so developers don't have to have, extensive security knowledge.
They just need to, be synodly with, you know, updating packages and applying patches to your code. And I think the trickier part for developers is they often have to do a lot of heavy lifting and integrating tools, within their work environment. Right? It's, how does it work with the code management system? How does it work with the the CICD pipeline?
And how does it sit in with our other test scripts? How we basically do DevOps internally? So those are the few areas that I would say in terms of usability and our richness of information and precision that we differ from our competitors. But above all, our customers love our amazing customer support, because we have engineers working on it who are very familiar with the product, very familiar with the problem space. And also understand the the pains and, you know, the joys of actually solving those pains for for the developers.
Jack BridgerYeah. And but how how do you kinda get in front of them and, you know, share that with them?
So, yeah, I think networking field is really important going out to meet, customers where they might be. So in the beginning, Russ, we went through cyber accelerated program called Cylon. It was very specialized. So we met a lot of CSOs and CTOs, as other mentors. And we it just leveraged the pitch opportunities to set up a lot of pitching events.
And then the fine usually, many of these accelerated programs also have a, a final showcase or demo day, and they try to fill up the audience with a lot of prospective investors as well as, customers. So it was through these kind of intros that I would just ask, you know, they would be interested in exploring our product to improve their security or knowing that, of course, they have a product in place looking at at this particular area. What I just suggest is why don't why don't you try a side by side test so that you can get some extra assurance and independent evaluator. And then if it if it works, then you can consider that if you want to replace your existing solution. Alternatively, it's, you know, the way for them is more assurance that they know that product that they have in place is good.
And then for us as the the vendor, we get customer feedback. Right? If it's not good enough, then what do we need to improve so that we can be, we can take that product market fit?
Jack BridgerYeah. That's that's a really interesting approach. I've not seen people try that or or or, like, talk about doing that for, not necessarily, like, bring us in. Just let us like, let's test. Right?
Yeah. So but we had to we had to make our product very easy to test. So I think with enterprise software, that's another that's another key selling point for us is the integration is very easy. So because we're just basically thin client, a script, that can be inserted into the continuous integration pipeline, it was easy to convince, the prospect customers that it would be relatively easy to test as long as they could identify somebody in the organization who would have that capability to do that. So we said, we just need a developer or, you know, half an hour and hour of their time.
So half an hour, we demo. And then the rest of the hour, they can play with the tool and you you do much feedback.
Jack BridgerInteresting. And I guess they don't might like, there's no you don't even make you, like, check loads of compliance boxes before they'll do that or anything?
It will depend from organization to organization. So, we're fine with, you know, doing that demo on test projects that we have. If they want to test it on their own premise, they can either set up a virtual machine that has the environment that they like, or they just decide that, you know, they have a little sandbox on a particular developer's wish name. And then there's some, yeah, there are some enterprises that would say, oh, before we even do any pilot, you have to go through, vendor assessment.
Jack BridgerYeah. Because do they get very protective over, like because I guess you have to have access to their code base. Some of them are protective over that, like, make you sign sign your Oh,
for them, we sign NDAs, and then we assure that, you know, they can they can check the clients. So we don't we don't force them to to run it on their premise. But if they want to run on their premise, they have to tell us what they need in terms you know, if if they want us to to fulfill certain vendor assessment criteria, then we ask what they are and then evaluate that's that's what it in terms of time, any expense fee as, you know, at the end in the beginning, we really wanted to to close as many deals as quickly as possible, and you make sure we were spending the right amount of time to assess if they were really interested in the tool. So that's our one, we had to make it very easy to use. So that's why, it works very easily with GitHub, GitLab, Bitbucket, you know, and a vanilla installation.
For Azure DevOps, it's a bit more complicated. It will it will sometimes it's very easy. We have managed to to do that in in, yeah, 30 minute demo call with their, you know, their lead tech or or DevOps person. But sometimes it's more complicated simply because the way it's set up by the the customer, how they use it is is more complicated. Like, it's not straightforward.
So we need to sit with them, or, like, I need to have we need to sit with them and work through that. But, overall, the feedback isn't it's extremely easy to use. So we've even it's very rare that I see a developer smile. I don't know about you, but, I've seen developer or, any DevOps folks smiles. Oh, it's so easy. I wish our internal tools were.
Jack BridgerThat's cool. And and when when it goes well, what happens after? Is it kind of like, okay, easy from there, or is it like you still have a lot of work to do to get a deal?
Well, there's always a lot of work to get a deal. I think it's important to have the right pace and, try to establish that commitment with the customer upfront. So before going into the trial, you know, really understanding, you know, what's their tech stack. So we always ask, you know, what are the tools and languages we want this to work for so that we can be sure that the demo we give is spelled within the setup that we when you run through the trial, is meaningful to them. And we also wanna make sure that they understand how to use our reports.
Like, we don't want them just to install it, run it, and then be as what they call shopware. We really wanna make sure that they understand the reports. So, for example, like, their code users, especially developers, they're not familiar with the output that comes out. It's very hard to understand. It's very hard to act upon.
Yeah. You you have 40 pays and ports. And then if you're lucky and you you you resolve the one that makes 20 pages disappear, that kind of experience. But, we walk them through the report. This is the format.
And, you know, here it just shows this is how you can remediate this particular vulnerability. So it's just a one step auto remediation, or they can automate that. And, yeah, just giving them the tools and the confidence to be able to use it, and share the information within the tune. So it could be project manager or quality assurance team, could be legal counsel, getting a software billing materials or a list of all the licenses that are being used to make sure that, the open source licenses are are being followed, per the license terms. So there's a lot to to cover, but, you know, we have it down as a checklist.
And then making sure that they are happy and comfortable with moving to the next step. So we try to make sure that customers would, yes. So we we lay out upfront. This is what we're gonna do in the in the trial, and you wanna make sure that you're happy with these steps that works with your code management system. It works with the continuous integration system.
You understand the reports, and you see value in it. And you you discuss with your colleagues, that everyone understands how to how to use it. So we get upfront agreements that they are happy with that, exceptions criteria. And then at the end, we review back and say, okay, this is what we've done. We achieved this.
This is this. If and what they run into the problem, of course, we note it as a, you know, a bug or an issue to look into on how we can resolve. Sometimes, it is a bug on our side. Sometimes, it's a configuration or network issue that we run into that's actually on the customer side. So we just follow-up with that and then continue the next day.
We try to we try to close that as quickly as possible within the week so that you can move forward to the next step. And the next step would be, okay, you've seen you've seen the the product replay on your own projects. You've downloaded it on, open source projects that you can see, for the different languages. So, usually, after they accrue the net or one language, they don't really need to see it for another language unless there's a a unique, case that they they find that, you know, other competitors don't cover that. Yeah.
Pearl for a particular package type of C plus plus for a particular package type. And then usually, at that point, they would ask for the quotes. And then we review it and we encourage them to decide. So if they decide quickly, you know, there's a more advantageous price sometimes. Otherwise, if they commit for a longer period, we'll also give discounting on longer term contracts.
Jack BridgerKind of stepping out of the sales process and more into, like, kind of the management, I know that you have, 2 2 salespeople currently in your team.
Yes. That's right.
Jack BridgerCould you talk a bit about what it's like to kind of bring in a salesperson? Like, how you find them and kind of identify who is potentially a good salesperson?
Yeah. So I think best way to find salesperson is to talk to other salespeople.
Jack BridgerInteresting. Yeah. I see that. Because they know who's good.
Yeah. They know who's good, and they well, they're in the same flock. Right? They're always talking to each other. Just like if you wanna find a good dev, probably you talk to your dev friends. You know, hang out and you do similar kinds of activities.
Jack BridgerThat's that's such a that's such a good point. Like, I feel like everyone, if you ask a dev at a company, they know who they would hire themselves.
Yeah. You know who your your favorite superstars are. So for us finding the salespeople, it was it was challenging because neither my cofounder know I had any sales experience. So we've come a long way. And, yeah, we did try we did try different sales folks, and the way we hired as well, eventually, we found someone who was quite experienced with sales.
He he had built sales team from the ground up. He, you know, he was a salesperson from the ground up himself, so self taught and also, you know, picked up a lot of tools of the trade and learn from the states. So he could help us select. And so he helped. So I drafted a job description.
He, you know, he also embellished it, and then he got to a final version. We posted it on LinkedIn and the different job boards, that all these startups use. And then I started collecting CVs that I shortlist. I said, okay. I picked the CV, you said. That I think you should the candidates that we should we should interview based on the CV. And and then he said, yeah. I well, we'll see when we have the the person who said, book the first interview. I made my little scorecard of,
Jack Bridgeryou
know, capabilities and criteria that I would look out for in the interview. And I have to say that first interview of meeting, you know, it was the first screening was online interview. And the second one, we would meet in person, if there was a good fit on the the chat. And even just the 1st online, meeting was would tell a lot and even the than the follow-up, phone calls. So in my experience, hiring for other roles, CVs were like product manager or product engineering or project manager roles.
These professions, if you call the candidate, they call you back or they email. And then what you see on the the CV is, you know, it's most of the time, it's mostly there. You know, maybe there are always some candidates that that don't that are that's, fucked about the CV. But in the case of this interviewing these, sales development reps, many of the CVs were like, oh, wow. It's so great.
And then when we get on the call, it's like, oh, it's such a different impression. And I think it's because of the proliferation of digital CDs online with the search engines. So it's very easy to to copy paste and create these excellent CDs. So to to weed them out, you yes. You have to meet them at least online and then in person.
Jack BridgerDo you think there's any attributes that you really look for that you think are extremely important in salespeople?
Oh, yeah. So definitely, I feel like there needs to be a certain kind of, yeah, professionalism in presenting your your company or brand. That will be, like, the first face that that the customer will encounter. The first face or even the first voice because often and in our case, we were using, outbound calls to to find customers. So we have, you know, that list. And then, a sales rep would actually call. And it
Jack BridgerAnd and it works. Yeah. Because then I feel like people always say that in developer tools that you can't call call people. But
I it's worked for us.
Jack BridgerYeah. I I believe that.
I think you can call call for anything. I get cold call for all the time for so many things now.
Jack BridgerYeah. How many cold calls like this sorry. It's a diverse, but that's actually quite interesting. Like, how do you have any tips on some like, if someone's gonna who like, they cold call, like, the kind of decision maker, I guess, more like senior people?
Yeah. I mean, yeah, we can call CTOs, CSOs.
Jack BridgerI just think, like, I I hear it all the time that it just people just say it doesn't work, and it obviously does work. I don't know.
Oh, they just point blank say it doesn't work.
Jack BridgerPeople say call people say call emailing doesn't work, and so they definitely say cold calls don't work in developer tool space. But I guess you're not calling developers usually. It's more like
There's some developer. We, yeah, we we have called developers before as well. I think it works because you seize the moment, and this is where the presence of your salesperson, they need to be able to capture the attention of the person on the other end of the line in the way that is not going to basically wrap them the long way.
Jack BridgerYeah.
And I think given that, you know, a lot of time is spent online, in front of the computer. Like, when you're on the computer, you're by working on document. You're in a meeting. So calling someone is if they pick up the phone, it means they're open to an interruption. So when you're in focus on your work and maybe you're less likely to. You know? Mhmm. Like, with email, maybe now we get so many emails. People are scanning their emails. And they, you know, they still allow them to just skip it.
Yeah. So that's that's why, like, in email campaign, and so you have to write, engaging copy to grab the attention in the subject line. Right? They they say how many characters, the 2 verbals, and then you have to use the light words to get people's attention. So it applies also in in cold calling.
So just back to the traits of this salesperson, I would say, yeah, how they present themselves. So even audio wise, the voice has to be clear. You know, if somebody mumbles, they're not gonna understand what they say. The volume has to be good. Probably has to be interesting interesting voice to listen to.
And, you know, there's a that's a subjective call. So for some people, you know, for some people, maybe they prefer my voice over your voice and vice versa. So that's that's another reason why it's good to have a diverse team. Right? You
Jack BridgerSo so below.
Right? Like, maybe 1 one salesperson didn't manage to catch that customer and then assign it to somebody else, they go, oh, well, I I got that one.
Jack BridgerI like this person. Yeah. So so So true.
Yeah. We're all different and it's Yeah. But there there definitely are some common traits, which is, yeah, you have to be clear. You have to be well represented present yourself well. Sorry.
And then I I think you I think good salespeople have a genuine desire to help the customer. To help the person on the other line, to understand the challenges they have and how they can help them remove the pain from their day to day job. Right? So just give you an example. I spoke to, CISO and head of engineer. So head of software engineering. Yeah. Software EA. And they they said, oh, wow. I'm I mean, so many meetings all the time.
And I said, well, what what kind of need? So like security review meetings, you know, looking at pen test results and then deciding what we do next and how we derisk. I said, okay. Well, I mean, we're not in pen testing, but we identify risks that your developers could catch early on as they're developing the code. So it will reduce the amount of maintenance that you would need because we have fewer issues popping up further downstream.
So that's part of the whole shift left movement that all the developers who are aware of security know about. So we we leveraged that value that we could bring. And then we also you're already saying that, you know, you're really excellent in what we do. We have excellent coverage. We had excellent, you know, deliver excellence in terms of ease of use so that the developers feel the least friction possible.
And then we yeah. That was proven when when they had to do the integration test. And we just we said, here are the instructions. We we did do a demo on a, you know, in a call half hour and we and it's okay here. Now you go try it on your own, and then we'll have a meeting. And you say, okay, we we're not we're busy this week. We'll have a meeting in 2 weeks. And then in that call, it was like 10 minutes. They said, yeah. We verified.
Actually, we use all three methods, and all three works smoothly. And then we had nothing else to discuss on the call. So he said, okay. Can you please let your you know, the manager could, sorry. There's a bird on the roof.
Sorry. There's a little skylight, so it made some noise. But the, yeah. So they they, their project manager another project, the sponsor was not able to attend the meeting. So I was saying, well, please let your sponsor know that everything is, you know, passive flying colors, free light all the way so that we can progress to, to complete the purchase. And and that would yeah. Very smoothly.
Jack BridgerAmazing. Amazing.
It happens. That
Jack Bridgeryeah. Yeah. And that was, I guess, largely because you were trying to help be helpful. Yeah. And then when you actually hire a salesperson and you bring them in to the team, and I guess they may or may not know about what you do, much about what you do, how do you get them, like, up and running really fast and, you know, doing a great job?
Well, so by now, we have a sales playbook. You know, kind of a a script and then different branches. And then we so we have our model, but then we ask each salesperson to study it and then adapt it to their own taste. Their own language, their own understanding of the product and how they would want to pitch it. So usually, that's the 1st week, and then they also spend time with, the tech team.
So definitely in the early days is with Bruno since he always been also doubling up on presales. And then, they can ask all the questions, like, always, you know, sometimes in cybersecurity, there's so many different products. Right? So they might say, oh, well, this tool does vulnerability management. How how are we different? You know, like a Tenable or, Coverity or some of these other tools that also do vulnerability scanning, but they cover a different area.
Jack BridgerSo I
think that's very important for salesperson to validate their understanding and talk directly to the tech team. But when you're starting from scratch, I think that's that's the hardest one. So the best is if founders have, you know, write the first version of how how we pitch. How do you do the creating, or how do you introduce the product? How do you get commitment for the first meeting?
Jack BridgerYeah. That's kind it feels like that's kind of the founder's job. The so one of the most important things, I guess, is to just figure that out. Like, what resonates? Yeah. It'd be hard to out kinda outsource that to, like Oh, yeah. You can't outsource. Someone coming in. No.
Because only you know their product. And then you hear directly what the customer say. They don't understand. They they if they appeal to them, they have to go back and edit your your pitch or your script. You know, I say script, but you can't read it like a script. It shouldn't be a hollow. Can take one minute of your time and
Jack BridgerYeah. And do you think that salespeople need to be able to code or to understand, like, to work to as developers in in your space?
We don't need to. No. I don't think they need to. If they if they have done that, of course, then either you have more material to connect with the the customer maybe later down in, you know, as you develop the discussions and relationship, you can methods that you have in common, but you don't need to. You don't need to have programs and, remedial vulnerabilities.
You just have to understand the problem and the pain and understand, you know, what the customer wants resolved. Like, do they have do they have this problem of pain? When when would they like it resolved by? Like, do they have budget to actually spend money on a tool to use all that? Do they care?
Jack BridgerYeah. That's, that makes sense. Yeah. Vivian, thanks so much for joining. Where can people learn more about you and about Materion?
Yeah. So definitely check us out, Materion dot I o. I'm on I'm on LinkedIn. My email is [email protected]. And, you know, we love to help you if you have security challenges in your open source dependencies and wanna have that level of excellence that just doesn't exist, in the market with the the defacto tools that you get for free and even some of the paid tools.
So we're loved by both, startups and enterprises. So if you'd like to raise that level of excellence for your own projects, in the organizations that you work in, then definitely check us out. For open source projects, we offer a free, free plan because we're helping the open source community Or of course, closed source projects. We are commercial tool and we do have paid plans. You have one free project allowed for a free scan and analysis, and you can have a quick chat on what other value we can bring to to you and and your organization.
So we'd love to help and just, yeah, reach out.
Jack BridgerAmazing. Well, thank you, Vivienne, and thanks everyone for listening.
Thank you, Jack.