Building a global cyber business from Australia
How Vaughan Shanks built Cydarm into one of the world's best case management systems.
👋 Welcome to Valley of Doubt, a free weekly newsletter that goes deep into founder stories from the early days of startups. 🚀
Vaughan Shanks is the founder and CEO of Cydarm, a case management system for security operations teams. Prior to this, Vaughan spent almost a decade at the Department of Defence of Australia, as well as 4 years at Palantir Technologies.
In this interview we cover off:
Taking the risk to jump into entrepreneurship
Setting milestones to understand whether it’s working or not
Shitty behaviour from large competitors
What it feels like to have to let staff go
SH
In a nutshell, who is Vaughan Shanks?
VS
I think at my core I am a builder. I like making things that people find useful. I've chosen to work in computing and in software engineering, but if computers weren’t around I would still be making things. I just think like an engineer.
I'm not really a materialistic person in the sense of trying to accrue stuff. I'm really here for the journey. I think of life as a set of experiences, and you know wealth and possessions can come and go, but your experiences just stay with you. There's something to be said about having that experiential wealth that can't be matched.
SH
You have dabbled in public service, private industry, and now entrepreneurship. Was it intentional to go from lowest to highest risk over your career?
VS
I think what is a risk and what isn't a risk depends on the context you're operating in. Growing up I definitely had some sense that one day I would be an entrepreneur, but no one in my family was an entrepreneur. I had no idea what it looked like. We're all salaried people, and going back a generation, you see tradies and farmers.
I decided to pursue a PhD after finishing my undergraduate studies. I had a scholarship to do the PhD, and I also had a scholarship in high school. Both those scholarships allowed me to pursue education I wouldn’t have been able to otherwise. At the end of the PhD I felt a strong sense of duty that I should contribute something back to the society that had raised me. Some of the people that funded my research were from the Department of Defence, and so I naturally approached them to see whether I could be of use.
I was motivated by a strong sense of civic duty, and I wanted to help contribute to the defence of Australia. You've got to remember this is 2004, and I was working right after the September 11 attacks and the Bali bombings. It really felt like a dark time. I thought I needed to do my bit.
When Smart People Solve Only Half the Problem
SH
Yeah I can see that sense of mission in you. Tell me how you went from the DoD to starting your own company. What pushed you to create Cydarm?
VS
I started to get itchy feet in the public service. I had an awesome career and got to do a variety of roles, most of which I don't think I can talk about for another 25 years or so. But I knew that my time there was coming to an end and I had to find something to do.
I said to my wife “I'm going to start a business. I'm going to build software and I'm going to sell it”. She said “That's ridiculous, you're a public servant, you have no idea how to run a business”.
I thought about it for about five seconds and thought, you know what, she’s right! I really have no idea. I've had some jobs in the private sector, but I’ve never had any private sector job for long enough to know how the world works outside the Canberra bubble. So I got a job at Palantir instead.
I eventually found myself in a meeting room in Palo Alto, California and I was watching a demo that some really smart developers had put together. They were doing data analysis around a data breach. They had some beaconing activity, an infection on a user's machine, and were conducting graph analysis, following links, producing histograms and timelines, and creating a beautifully animated diagram that showed exactly how the threat actor gained access. At the end of it I said,
“That's great, but what happens next?”
The guy just looked at me blankly and said,
“What do you mean?”
I said,
“Well, you've just exposed this incident, what are you going to do with that information?”
He replied,
“Well, I guess you call someone and tell them we've had a cyber incident!”
No! You've only solved half the problem! You have to record this information in a system of record, and you've got to have accountability, because someone's going to have to take action on this. There will be decision points, reporting, and lessons learned. How do you apply everything you've learned from this incident to ensure that this doesn't happen again tomorrow?
At that point I had blank faces staring back at me. What's this guy talking about? I think that's when I realised that maybe there was something here. If these really smart people hadn't considered what happens after you perform the clever detection, then maybe this is a broader problem.
After that, I started connecting with former colleagues who now worked in security operations to ask them how they track the status of security incidents. The answer was not very well. They were using spreadsheets and ITSM tools, which were often clunky and ad-hoc. There's a lot of swivel chairing, a lot of cut and paste, and getting any sort of meaningful output or doing an incident post-mortem was really hard.
What if you could build a platform that specialises in helping people work in security operations? Help them perform better, but also move faster so they can do more and do it more quickly? So that was the dream.
SH
Did you have a discussion with your partner about how long you were going to give it? What was that discussion like?
VS
My wife has been very, very supportive. It's a wonderful thing to have someone who will let you pursue your dreams and put up with a very high level of personal financial risk. There was always a line in the sand though.
When I joined the CyRise accelerator, it was a six-month commitment, so we agreed I would go for six months. Then at the end of that, we agreed to just hang on to the end of the financial year. And then it was like, maybe we'll just stick it out to the end of the year because I'm getting some investor interest. Then a term sheet dropped, and it's like okay, we have to see this thing through. We have to know what happens next right?
There were always little things that kept coming up that kept me going. There was an accelerator program with structured accountability and a very strong learning component throughout. There were the major household brands that had shown genuine interest in what I was building and really wanted to meet with me and talk about it. Then there was a term sheet from an investor that was just unbelievable. It just felt like the stars were aligning.
Of course, once you take that money you can't back out. I think the point of no return was taking funding from VCs. That's where you are committed to doing your absolute best to see it through.
Why Small Teams Can Punch Above Their Weight
SH
There were already case management solutions available when you kicked off. What was your thesis for how you were going to win?
VS
My hypothesis was that a small team operating independently, focused on a very specific problem for a very specific audience, and having constant interaction with the individuals who would be using the platform, would be able to build a greenfield solution that would be much better adapted to the needs of those customers.
There were some large incumbents, and I think what I've learned since then is that they often abuse their market power. They bundle and discount and force their way into situations where they can squeeze out a smaller player. And yet, despite all that, you can disrupt these industries because the incentive structures are just different. Most of the cyber case management solutions I've seen are bolt-ons. They're being built onto an existing SOAR platform, and they initially started with an automation platform. As a result, it doesn't feel like anyone truly cares about case management. It might have very similar features to what we do, but it's just not lovable.
I think you can punch well above your weight with a small team.
Whenever I feel a bit downhearted about the competition we're up against, I remember that even in a company of 30,000 employees, the team working on the specific thing we do might be smaller than ours. And they don't operate with free license like we do. They have to get permission from their bosses to work on their roadmap, and they might get deprioritised or moved on at any time. They're probably not on an employee share option plan. They don't have a strong vested interest in what happens with the thing they build.
SH
What kind of shitty competitor behaviour have you seen?
VS
We've seen people who knew what we were quoting come in just under our price, when we know that they usually charge four times that. If they can kill us, then they can bait and switch the customer into a higher plan next year.
We have prospects approach us sometimes with scepticism about what we do. They tell us the way they've been treated by other vendors, where the vendor promises they can do this and that, and then they find out that actually the features are quite weak. So sometimes the claims are exaggerated.
Then we also see strong-arm tactics with bundling or discounts. They'll come in over the heads of the people who use the software to someone completely unrelated and do a deal where they bundle. They bundle a product that competes with us at no cost or a very minimal cost. And it seems like a waste to buy a best-of-breed solution when you can settle for a mediocre one because it's almost free. It’s frustrating.
SH
I'm interested in how you found your co-founder and how useful it has been to have someone else to lean on?
VS
Yeah really good. Certainly investors like to have at least two founders in a business for continuity. If you get called away for an unexpected emergency, there's someone who knows the business intimately that you completely trust who can carry on.
I met my cofounder Ben at an (ISC)² event. He'd come from a high-growth business that he'd just exited, where he was employee number one. So he'd had a taste of the entrepreneurial journey and was keen to try it again.
There are a few things Ben and I do agree on, and number one is integrity. We also both firmly believe that cyber is built on trust. If you share the same core values, then I think you can make a business together.
SH
Have there been any particularly intense moments during the development of Cydarm that stand out?
VS
There's been many intense moments. The thing that stands out the most is when we were in a situation where we had no choice but to make several roles redundant. That is the most painful and awful thing. You've hand-picked these people. This is a cast of rock stars you put together.
When you read about a Roman centurion who loses a battle, and they have to decimate their soldiers. So they walk along the aqueduct and push every tenth soldier off to fall to their death. That's what it feels like. They haven't done anything wrong, but as the leader of the unit, you know you screwed up. Just even thinking about it makes my hands shake and I feel a bit sick.
SH
Ahh man that is always tough. Let's swing back to the brighter side of startups and tell me, what gets you really buzzed?
VS
The thing I like the most is when users appreciate something we built.
I remember presenting a demo at an ASX50 organisation to the SOC team, and there was silence all through the demo. At the end of the demo there was this sort of pregnant pause, and then finally someone spoke. The person who spoke was a feisty and plucky sort of person, so he was the first one to speak up. He said,
“Well it's better than (name of the product we currently use). So if it's better than that, I'm in!”
I got this sense of relief. Like I've got one true believer. Then everyone else started nodding. That was really exciting, and I felt like all the months and months of work we'd ploughed into it, all the money we'd spent, was worth it. There's been a few of those kind of special moments. It is just so motivating.
SH
If you could go back in time and tell a younger Vaughan a few things that might help him throughout the journey, what advice would you give to better prepare for what's coming?
VS
It’s hard to tell which advice to heed because you get so much advice from so many people and most of them are wrong, but I have a particular advisor who I'm very grateful to for so much good advice. One piece of advice he gave me was around my product. He said,
“Now that you've managed to raise venture funding, you should take that prototype that you've built, put it in a bag, tie a brick to it and chuck it off a bridge.”
I was like no way! It's not a prototype, it's a beautiful product that I've built! I'm going to build on top of it.
That was 2018, and now I think maybe I should have started building all over again. Maybe we wouldn't have made any better progress, but I think I probably should have taken a bit more time to think things through. There are just so many things about software architecture that you don't know. I'm quite an experienced software developer, but until you build something from scratch, you don’t realise you have blind spots in your knowledge. Sometimes I think you have to slow down a little bit and make more considered decisions.
SH
Okay we always finish off with 3 lighter questions. What’s a book we should all read?
VS
The Great CEO Within, by Matt Mochary. I think there were parts of that book where he gives you a shortcut, and you can see you have spent years learning the same thing the hard way.
SH
What’s a band or artist we should all listen to?
VS
Oh wow that's a hard one. I'll probably be revealing my extremely eclectic taste in music. If I was to give you one, it would be Girl and Girl. They're an Aussie punk band.
SH
What’s a podcast we should all listen to?
VS
The Startup Podcast with Yaniv Bernstein and Chris Saad. It is a really, really good podcast for learning about startups. These guys have great discussions and great guests, as well as really good news and market analysis. I can't recommend it enough.
SH
Thanks so much for your time Vaughan.