From Bug Bounties to $100M Exit: The Bootstrapped Journey of AssetNote
How two Australian hackers built a global cybersecurity company without taking a single dollar of VC funding
Welcome to Valley of Doubt, a free weekly newsletter that goes deep into founder stories from the early days of startups.
Michael Gianarakis is a hacker, founder and entrepreneur from Queensland, Australia. Together with his cofounder Shubs, they bootstrapped Assetnote from nothing into a $100m+ exit.
In this interview we cover off:
Getting started in an apartment in Brisbane
Receiving a term sheet on the back of a beer coaster
Making the decision to bootstrap
Knocking back an $80m acquisition offer
The Origin Story: From Bug Bounties to Business
Scott Handsaker (SH): Tell me who Michael is in 30 seconds or less.
Michael Gianarakis (MG): I'm one of the co-founders of Assetnote, an attack surface management company. I've been working in cybersecurity for almost 20 years now, mostly in defensive security. I'm married, have three kids and enjoy playing the guitar. I joke sometimes that I'm a full-time guitarist, part-time CEO on the side!
SH: Let's go back to the early days of AssetNote. How'd you come up with the idea?
MG: My co-founder Shubs and I were both involved in the bug bounty scene pretty early on. He was doing full-time bug bounties and had built some tooling. Not exactly Assetnote, but a lot of the DNA of what became Assetnote was in that tool. He released an open source version at BSides Canberra years ago.
There were folks using it who really loved it and encouraged him to keep building. We'd known each other for years. We met at Crikeycon in Brisbane where I was doing a talk on runtime hacking for iOS apps, and he came up to me talking about his voicemail hacking techniques.
The breakthrough moment came when we found a vulnerability in Slack using this approach. It was described by Slack at the time as the biggest vulnerability ever found externally. That really got Shubs thinking there was something there.
For me, it was hearing from companies who'd say, "Hey, you keep rinsing our bounties. We spend all this money on pentesting, source code review, all these tools, but you still keep finding crazy stuff. How do you do it?" When we'd explain our approach, these really big companies would say, "If you were selling this, we'd buy it."
SH: What was the moment you decided to actually do it?
MG: We'd been talking about it for a while. I was working at Trustwave running the SpiderLabs team, and Shubs was about to move to Thailand for six months to work from there. When you're doing full-time bug bounties, you have a lot of flexibility.
Shubs wanted to know what it would take for me to jump. He was like, "Is it money? Is it something else?"
I told him, "Look, I'm really keen, but I can't bum around Thailand. I've got a wife, two kids at the time, a mortgage." He was in Brisbane before he moved, and one weekend after our conversations, he just texted me:
"Hey, I'm going to move to Brisbane, let's do this."
I just responded, "I'm in." That was it. I quit my job, Shubs moved to Brisbane, and we started working on it.
The Bootstrap Philosophy
SH: I assume it's just the two of you in the early days. Were you working out of your bedrooms?
MG: Shubs moved to Brisbane and got an apartment in the city. It was a really nice apartment, way up high with great views of the river. I would just come in each day and we would work together in that location. I remember we had floor to ceiling windows, and we would use that as a makeshift whiteboard. It was just all over the place. When Shubs would have the cleaners come in, he'd say "don't rub any of this off!"
It was pretty hectic in those early days. Shubs was living with a roommate called Pat, who ultimately became our first employee. He caught the vibe and really got excited by what we were doing. So in the early days it was the three of us. We grew to about five people pretty quickly, but we stayed there for a long time.
SH: You guys were bootstrapped the entire way through to exit, right?
MG: Bootstrapped the entire way. Not a single dollar of external capital or debt funding. When I talk about bootstrapping with other founders, I think there's a perception that we're anti-VC. We're not. We're more pro "it's your business." VC funding is just one way to fund your business.
I remember we started sketching out the first product. We started writing it all down and I just threw it out to Shubs,
"Should we talk to some investors, get some money, maybe hire a dev to help out and make this go faster?"
And he's like, "No, no, no. We can totally do this in like six weeks. Six weeks tops."
I can tell you it didn't take six weeks! He even wrote that date in his notebook, and we still have a photo of that. It didn't take six weeks, but we managed to get it off the ground without VC.
We had VCs hitting us up early on. I remember Accel Partners reached out. Obviously a big name in VC, particularly in security. I remember Shubs and I agreed to take the meeting. After we got off the call I said, "What did you think?", and Shubs said,
"Oh, man. I just got like Wolf of Wall Street vibes from these guys, you know?"
And I'm like, "Dude, they're finance guys. They're all going to be like that. What did you expect?"
So early on we explored VC, but there was an interesting kind of vibe with it. I don't think they really understood us. They were attracted to the logos that we were signing up, and the revenue and the traction, so they knew that there was something there. But they didn't really get it.
We did receive a term sheet from one of the large Australian VCs, but it had some crazy terms in it, and we pushed back. You could tell they wanted to invest, because they started negotiating against themselves! It played out over the course of a year, and eventually we met up with them in Brisbane at a pub. The VC picked up a beer coaster, and on the back of it, he wrote an amount. He added "information rights" and then he asked us to pick a valuation that was reasonable. Then he signed it and said "That's a legitimate offer".
SH: Are you serious?
MG: Yep.
The thing that finally turned us off was the mentality. Early VCs would say, "You take this money, that gets you to this headcount, then you do your Series A and that gets you to this headcount." I'm like, "Are we going to talk about sales, product, or profitability?" It felt like an all-or-nothing, hamster wheel approach.
Building a growing, sustainable company felt like we were maximizing optionality. If it was going well, growing and profitable, we'd always have investment and acquisition interest. Even if we had neither, we could keep going and extract profits as owners.
Early Customer Success
SH: Atlassian was your first customer. Do you remember what you charged them?
MG: $150k a year USD. It was an amazing first customer - not just the contract value, but they were really engaged with the idea. The feedback we got was really practical because they were security buyers, not compliance buyers.
Security buyers don't care about your logo or team size. They care whether it solves a problem. They're proactively trying to improve security. Compliance buyers are just trying to tick boxes. In the early days, you really want to target security buyers, and Atlassian was perfect for that.
SH: Where were you deployed?
MG: We were originally on GCP because Shubs had a few credits that he was able to get. But we had built a port scanning module, and we started to get all these automated messages from Google that they were going to shut us down. They thought we had been compromised. We explained that it was all legitimate, but they let us know they couldn't turn off the emails.
But the emails were very threatening! They were going to shut down our account. I said to Shubs, "If we miss an email because we're traveling, that could be existential to the business?"
So we started shopping around. We ended up on AWS and managed to secure $100,000 in AWS credits, which we managed to make last for a full year.
The Lean Years
SH: How long did it take until you and Shubs started paying yourselves a salary?
MG: About two years before we took anything, and even then we were the lowest paid people in Assetnote. We made a commitment to our early employees that they'd get all the raises first until it got reasonable, and we wouldn't hire externally at higher rates than what they were on.
We didn't take market-rate salaries for probably another two years after that. We kept everything in the business. We had over 50% EBITDA margins and 90% gross margins. We were highly profitable and cash was piling up. It was kind of stupid in hindsight, but we weren't taking that out. We were focused on growing the business.
SH: What did headcount look like through the journey?
MG: At acquisition, we were around 16-17 people including Shubs and myself. As we were building we stayed at about five people for a very long time. We were very considered with hiring. We strongly believe headcount can become a vanity metric. VCs ask about target headcount, and I'm like, "That's stupid. Is there a need or not?"
We'd stretch things further than we should have sometimes, but that was because of how good and capable the team was. Most of our headcount came in the last three years of AssetNote. We had very little churn and we've never fired anybody.
Crisis Management and Culture
SH: What's the biggest crisis you went through at AssetNote?
MG: Probably our React migration in the early days. We were migrating from AngularJS and it kept dragging on. We had pressure from customers wanting things, but we didn't want to update the Angular frontend because it would add to the React scope.
We pushed for a particular date, but it wasn't quite ready. There was also a separate OAuth service migration to Okta that got linked in weird ways. When we deployed, it was a nightmare - bugs everywhere, and every vulnerability in our platform was firing for literally every customer.
Shubs was away at the time, so it was all hands on deck. We were checking in every three hours around the clock for a week. Even our salesperson was joining calls at 3 AM in solidarity. It taught us we needed better development processes and planning.
Co-founder Dynamics
SH: How did your co-founding relationship work? Any challenging moments?
MG: Everything was 50/50 from the get-go, including equity and decision-making. I was CEO and he was CTO. Someone had to be the spreadsheet guy and I guess I drew the short straw! But it made sense as he is a better hacker and coder than me. Even with those titles though, we never had an instance where either of us pulled rank. If I couldn't convince Shubs something was a good idea, maybe it wasn't, and vice versa.
One of the big things Shubs and I share is ruthless pragmatism and no ego. There's no "it's my idea so it's good." We focus on outcomes. People sometimes think it's Shubs's company because he's more prominent in security research, but it never bothered me. It all evens out in the end.
The $80 Million Decision
SH: You knocked back a number of acquisition attempts. What's the highest price you turned down?
MG: $80 million US. We had acquisition offers right from the get-go, even pre-revenue. The very first was a $3 million acqui-hire before we even signed Atlassian.
The fundamental question we asked ourselves for all early offers was:
"If this goes to zero next year, would you regret not taking this offer?"
Shubs and I would immediately say no, because we had so much early momentum and traction.
What changed our perspective was meeting Zane from Signal Sciences at RSA. I asked him how he thinks about acquisition timing. He said, "The way you should think about acquisition is as the next phase of your business." That really shifted our thinking away from viewing it as just an end or liquidity event.
The Final Deal
SH: Walk me through the actual acquisition process.
MG: In 2024, we had multiple parties expressing interest, then one sent a term sheet out of the blue without us discussing expectations. It felt like the right time to start taking it seriously. We felt like we should at least see if anyone else was interested.
We decided to work with bankers and see what the market looked like. We ended up with five LOIs all broadly similar in scale and terms.
We were deciding between two companies, one of whom was SearchLight. The competing offer had edged them out on deal terms, but we thought SearchLight was a better fit for the next phase. We went through due diligence with the competing offer and I remember speaking to our bankers at 11pm at night. They said, "We just spoke to their lawyers, and we are expecting the draft definitive today". So I thought great, I will wake up in the morning to an email with the final offer.
What I woke up to was an email that said "pencils down". The company that wanted to acquire us was being acquired themselves! Lucky for us SearchLight came back and matched the deal, so we got everything in the end.
Building From Australia
SH: Did you ever feel like you had to move to the US?
MG: We wanted to create opportunity in Australia for people to work on interesting, difficult problems. A lot of folks in our community were going to America, not because they wanted to live there, but because that's where the interesting work was.
I remember being on a panel with VCs who said it doesn't matter how much traction you have in Australia. You have to move to America and at least one founder has to be there. I put my hand up and asked, "What if all your traction in Australia is international? They're all US companies." She couldn't really answer.
We had that pride and attitude of "No, that's bullshit. We can absolutely build an international company from Australia." We wanted to prove them wrong.
Key Lessons for Founders
SH: What did building this business cost you personally that you didn't expect?
MG: From a financial perspective, being bootstrapped and putting everything into the business made things very tight. But the trickier cost was managing that with family and relationships. Money became a very conscious thing in a way it wasn't before.
There was also a sense of disconnection from various circles. We didn't fit into the VC sphere because we were bootstrapped. We didn't fit into the hacking community because most are pentesters and consultants, not building businesses. We didn't fit into the corporate security scene either. We never really fit into one of those places.
Lightning Round
SH: What is a book we should all read?
MG: For cybersecurity startup founders specifically, "Cyber for Builders" by Ross Haleliuk. It has really good insights into how you need to think when you're starting, running, and growing a cyber company.
Cyber founders are very technical and focus on the product. There's this "build it and they will come" mentality that exists for cyber startups, and that book gives a better perspective on why that's not true.
Personally, the book that's had the biggest impact on my life was "Getting Things Done" by David Allen. It's a productivity book that really shifted how I approach work. Those concepts are so ingrained in my day-to-day now.
SH: What is a band or artist we should all listen to?
MG: I'm into so many different things, but I think when you pick up an instrument, it's to emulate bands you were into at the time. I got into guitar in the early 2000s with pop punk bands like Blink-182 and Green Day. Even as your tastes evolve, you always have a soft spot for that.
The band I'd recommend is The Paradox. They're a new band out of America that really does that style very well. I've been listening to them a lot on repeat. Maybe a little more obscure than some crazy big band, but they're worth checking out.
SH: What is a podcast we should all listen to?
MG: I would have said Surfacing Security, which is the AssetNote podcast, but we've been a bit slack on getting the next season out. Stay tuned for that!
I like "Acquired". Lots of stories about companies and those kinds of interviews.
Obviously, I've got to give a shout-out to Risky Biz. Pat's been a big supporter of AssetNote from the get-go, and in my opinion, when it comes to cybersecurity podcasts, it's the gold standard.